Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
820
Views
0
Helpful
7
Replies

ISE recommeded release and patch?

Go to solution
pdenorie
Cisco Employee
Cisco Employee

‎11-02-2018 05:43 AM

Hi all,

 

My customer just acquired ISE to be used as TACACS+ authentication (2 PAN/Mnt + 2 PSN) in two new data centers.

 

Which ISE version and patch are now the recommended ones? ISE 2.4 is long term, but I've seen a catastrophic bug (CSCvm93698) on patch4. If we go for 2.4, what patch should we install?

 

Moreover, what OVAs would you recommend taking into account that only TACACs will be used?

1) PSN 3515 and PAN 3595?

2) PSN and PAN 3595?

Medium or large versions?

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nadav
Level 7
Level 7
In response to pdenorie

‎11-02-2018 06:34 AM - edited ‎11-02-2018 06:35 AM

You should always go with the latest patch assuming you've gone over the latest release notes and checked that no open caveat is a deal breaker.

Having read "Resolved Caveats in Cisco ISE Release 2.4.0.35- Cumulative Patch 4", I would advise to pick patch 3 only if AD joining is a deal breaker and that there is no bug existing in patch 3 that you can't live with.

Keep in mind that if you're just looking for TACACS authorizations, you really don't need AD joining. You could just use LDAP and make your policies work with external LDAP groups. AD joining is important for certain kinds of authentications such as MS-CHAP v1/v2, but not for TACACS+. The "Manage Users and External Identity Sources" chapter has a table that details when AD joining is necessary.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Nadav
Level 7
Level 7

‎11-02-2018 06:14 AM

Hi,

 

1) Keep in mind that the bug you mentioned is only for multi-forest domains (says so in the Bug Search Tool). If you are joined to a single forest, you should be fine. If you're unsure of this you should ask someone you work with who is a domain admin.

 

2) It's really a matter of authentications per second, you can calculate this in any number of ways such as existing TACACS reports, or peak daily packets-per-second according to netflow. You'll need to use the following post for reference:

 

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId--621954601

 

Keep in mind that the numbers are per PSN. A 3515 is a "small appliance", a 3595 is a "medium appliance".

 

The same link above also notes what the sizing of PAN/MnT affects. Take note that the total number of nodes is directly affected by sizing of PAN/MnT, which will be important for your deploying Device Administration PSNs across your network.

0 Helpful

Go to solution
pdenorie
Cisco Employee
Cisco Employee
In response to Nadav

‎11-02-2018 06:19 AM

Hi Nadav,

 

Regarding the software recommendation:

- In case the customer does not have multiforest, is ISE 2.4 patch 4 the recommended one?

- In case they do have multiforest, would be ISE 2.4 patch 3?

 

Many thanks for your reply

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to pdenorie

‎11-02-2018 06:34 AM - edited ‎11-02-2018 06:35 AM

You should always go with the latest patch assuming you've gone over the latest release notes and checked that no open caveat is a deal breaker.

Having read "Resolved Caveats in Cisco ISE Release 2.4.0.35- Cumulative Patch 4", I would advise to pick patch 3 only if AD joining is a deal breaker and that there is no bug existing in patch 3 that you can't live with.

Keep in mind that if you're just looking for TACACS authorizations, you really don't need AD joining. You could just use LDAP and make your policies work with external LDAP groups. AD joining is important for certain kinds of authentications such as MS-CHAP v1/v2, but not for TACACS+. The "Manage Users and External Identity Sources" chapter has a table that details when AD joining is necessary.

0 Helpful

Go to solution
pdenorie
Cisco Employee
Cisco Employee
In response to Nadav

‎11-02-2018 07:33 AM

Thanks Nadav!

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to pdenorie

‎11-02-2018 07:35 AM

Happy to help :)
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to pdenorie

‎11-04-2018 01:49 PM

I have recently deployed two new customer deployments on ISE 2.4 patch 4 and both of them use AD.  Works just fine.  They have a single forest with multiple domains within.  Having said that, the Microsoft definition of a Forest is not a simple 2 minute explanation.

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Arne Bier

‎11-04-2018 02:40 PM - edited ‎11-04-2018 02:43 PM

I'm hoping we get some more clarity on that bug too. I provided a support bundle with tracing enabled, going through joining and testing AD. I just looked at the bug tracker and it's up to 19 cases associated with it now. That's 8 new cases in 9 days, one of which was mine, people are still getting burnt by it.

The other piece here for the original poster....The release notes are updated when the most recent patch is released, so any bugs that the most recent patch includes are not reflected in the release notes until the next patch comes out. You have to scour the bug tracker to find open caveats impacting the most recent patches. 

So the most recent patch always looks great on paper when it comes out. The release notes will not accurately reflect bugs in the most recent patch, just what was fixed from the previous. 

0 Helpful
Customers Also Viewed These Support Documents