Solved: Upgrade to 2.4, or 2.6?

Dustin Anderson · ‎11-11-2019

I'm upgrading our ISE deployment this weekend. I was planning to go to 2.4, but with Cisco changing the recommended to 2.6, I'm wondering if I should go to 2.6, or stick with 2.4 plan for now.

Has anyone seen major bugs in 2.6?

We use our deployment for MAB, wired, and wireless clients.

Timothy Abbott · ‎11-12-2019

We just released patch 3 for 2.6 and are very confident in the stability. At the same time, I recommend testing it in a lab environment with your current policies.

Regards,
-Tim

View solution in original post

jlpete87 · ‎11-11-2019

I just upgraded my single node lab from 2.4 patch 9 to 2.6 and after the upgrade completed, the application server is stuck in an initializing state. Not looking very promising on 2.6 so far...

Josh Morris · ‎11-12-2019

I am running 2.6 in the lab and dev with very simple policies. So far, the basics seem to work with no bugs. The only bug I've seen is that I cannot use Chrome to edit AD membership...Safari or Firefox only. My biggest concern with 2.6 is how the policy nesting is so much different than 2.2.

Damien Miller · ‎11-12-2019

Try disabling ad block plus if you have it. There is some javascript on that page that most adblocks disabled.

Josh Morris · ‎11-12-2019

Yep, you're right. Thanks!

Timothy Abbott · ‎11-12-2019

We just released patch 3 for 2.6 and are very confident in the stability. At the same time, I recommend testing it in a lab environment with your current policies.

Regards,
-Tim

Jason Kunst · ‎11-12-2019

@Timothy Abbott wrote:
We just released patch 3 for 2.6 and are very confident in the stability. At the same time, I recommend testing it in a lab environment with your current policies.

Regards,
-Tim

To add to tim's info we just made ISE 2.6 the suggested release. Thanks!

https://community.cisco.com/t5/security-news/announcing-ise-2-6-as-suggested-release/ba-p/3953488

Dustin Anderson · ‎11-12-2019

Ahh, I saw it moved to recommended, but patch 3 wasn't available at that time.

Don't suppose they have got the MAR cache to sync yet though.

Anurag Sharma · ‎11-13-2019

Hi @Dustin Anderson ,

No, unfortunately, MAR cache syncing is not feasible yet.

Straight from the Admin guide page:

The Policy Service nodes in a distributed deployment do not share their Machine Access Restriction (MAR) cache with each other. If you have enabled the MAR feature in Cisco ISE and the client machine is authenticated by a Policy Service node that fails, then another Policy Service node in the deployment handles the user authentication. However, the user authentication fails because the second Policy Service node does not have the host authentication information in its MAR cache.

Refer this .

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Dustin Anderson · ‎11-13-2019

Yeah, it was supposed to have sync'd in 2.3, so we upgraded to it, but alas it actually didn't and was removed from the feature list.