cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
840
Views
0
Helpful
7
Replies

ISE recommeded release and patch?

pdenorie
Cisco Employee
Cisco Employee

Hi all,

 

My customer just acquired ISE to be used as TACACS+ authentication (2 PAN/Mnt + 2 PSN) in two new data centers.

 

Which ISE version and patch are now the recommended ones? ISE 2.4 is long term, but I've seen a catastrophic bug (CSCvm93698) on patch4. If we go for 2.4, what patch should we install?

 

Moreover, what OVAs would you recommend taking into account that only TACACs will be used?

1) PSN 3515 and PAN 3595?

2) PSN and PAN 3595?

Medium or large versions?

 

Thanks

1 Accepted Solution

Accepted Solutions

You should always go with the latest patch assuming you've gone over the latest release notes and checked that no open caveat is a deal breaker.

Having read "Resolved Caveats in Cisco ISE Release 2.4.0.35- Cumulative Patch 4", I would advise to pick patch 3 only if AD joining is a deal breaker and that there is no bug existing in patch 3 that you can't live with.

Keep in mind that if you're just looking for TACACS authorizations, you really don't need AD joining. You could just use LDAP and make your policies work with external LDAP groups. AD joining is important for certain kinds of authentications such as MS-CHAP v1/v2, but not for TACACS+. The "Manage Users and External Identity Sources" chapter has a table that details when AD joining is necessary.

View solution in original post

7 Replies 7

Nadav
Level 7
Level 7

Hi,

 

1) Keep in mind that the bug you mentioned is only for multi-forest domains (says so in the Bug Search Tool). If you are joined to a single forest, you should be fine. If you're unsure of this you should ask someone you work with who is a domain admin.

 

2) It's really a matter of authentications per second, you can calculate this in any number of ways such as existing TACACS reports, or peak daily packets-per-second according to netflow. You'll need to use the following post for reference:

 

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId--621954601

 

Keep in mind that the numbers are per PSN. A 3515 is a "small appliance", a 3595 is a "medium appliance".

 

The same link above also notes what the sizing of PAN/MnT affects. Take note that the total number of nodes is directly affected by sizing of PAN/MnT, which will be important for your deploying Device Administration PSNs across your network.

Hi Nadav,

 

Regarding the software recommendation:

- In case the customer does not have multiforest, is ISE 2.4 patch 4 the recommended one?

- In case they do have multiforest, would be ISE 2.4 patch 3?

 

Many thanks for your reply

You should always go with the latest patch assuming you've gone over the latest release notes and checked that no open caveat is a deal breaker.

Having read "Resolved Caveats in Cisco ISE Release 2.4.0.35- Cumulative Patch 4", I would advise to pick patch 3 only if AD joining is a deal breaker and that there is no bug existing in patch 3 that you can't live with.

Keep in mind that if you're just looking for TACACS authorizations, you really don't need AD joining. You could just use LDAP and make your policies work with external LDAP groups. AD joining is important for certain kinds of authentications such as MS-CHAP v1/v2, but not for TACACS+. The "Manage Users and External Identity Sources" chapter has a table that details when AD joining is necessary.

Thanks Nadav!

Happy to help :)

I have recently deployed two new customer deployments on ISE 2.4 patch 4 and both of them use AD.  Works just fine.  They have a single forest with multiple domains within.  Having said that, the Microsoft definition of a Forest is not a simple 2 minute explanation.

I'm hoping we get some more clarity on that bug too. I provided a support bundle with tracing enabled, going through joining and testing AD. I just looked at the bug tracker and it's up to 19 cases associated with it now. That's 8 new cases in 9 days, one of which was mine, people are still getting burnt by it.

The other piece here for the original poster....The release notes are updated when the most recent patch is released, so any bugs that the most recent patch includes are not reflected in the release notes until the next patch comes out. You have to scour the bug tracker to find open caveats impacting the most recent patches. 

So the most recent patch always looks great on paper when it comes out. The release notes will not accurately reflect bugs in the most recent patch, just what was fixed from the previous.