
ISE upgrade and the impact on wired dot1x client connections

Can anyone confirm the impact on wired dot1x client connections and current load when performing a split upgrade, and whether the one ISE node can handle traffic during upgrading the other? If not, how do I confirm this?


Rodrigo Diaz
Cisco Employee

Hello support1@lima.co.uk, when upgrading there is no impact on authentications completed prior to the upgrade, as the NADs are the ones that retain the session; the impact will be only on the newest authentication requests coming from your NADs towards the nodes that have the PSN persona enabled.

In the split-upgrade scenario, you are correct in your statement, as one PSN node can handle new RADIUS requests while another PSN is being upgraded. The key here is that you need to have redundancy configured within the NADs and point them towards the PSNs. The NAD will mark one server as dead, as it will be unavailable while upgrading, so it can forward the RADIUS traffic towards the server that is not being upgraded, and then mark that server as alive again when the upgrade has finished. Refer to the following documentation:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217509-upgrade-ise-with-full-upgrade-method.html#anc6 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/sec/b_173_sec_9300_cg/configuring_aaa_dead-server_detection.html 

Let me know if that helped you.
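
A switch-side sketch of the redundancy and dead-server detection described in the reply, added here as an example and not part of the original post or of Cisco's documentation. The PSN addresses (documentation range 192.0.2.0/24), the server and group names, the shared-secret placeholder and the timer values are all assumptions to adjust for your environment.

```cisco
! Constructed example for an IOS-XE access switch (NAD).
! All names, addresses, the key placeholder and timers are assumptions.
aaa new-model
!
! Two PSNs defined as separate RADIUS servers so one can be upgraded
! while the other keeps answering new authentication requests.
radius server ISE-PSN-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret>
!
radius server ISE-PSN-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Both PSNs in one group; the switch tries them in the order listed
! and skips a server that is currently marked dead.
aaa group server radius ISE-PSNS
 server name ISE-PSN-1
 server name ISE-PSN-2
!
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
!
! Dead-server detection: mark a PSN dead after 5 seconds without a
! response and 3 consecutive timeouts, then leave it out of rotation
! for 10 minutes before it is considered again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
dot1x system-auth-control
```

Before upgrading the first PSN, `show aaa servers` on the switch shows whether both servers are currently UP, and during the upgrade it shows which one has been marked DEAD.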
