09-14-2020 01:02 PM - edited 09-14-2020 01:17 PM
Hi!
I am looking at upgrading ISE from 2.4 to 2.6 and wanted to know what the recommended patch would be in 2.6.
Ideally I am looking for the patch with the least issues in terms of 802.1x auth using the native windows supplicant and tacacs authentication.
Cheers,
Waqas
Solved! Go to Solution.
09-14-2020 01:26 PM - edited 09-14-2020 01:26 PM
2.4 to 2.6 straight upgrade. - download from Cisco Download ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz
I did the below steps :
1. Config back if any
2. download Filezilla ftp server
3. copy the image to FTP Server make username and password (make a folder as root)
4. login to ISE - make FTP repository
# config t
repository ftp
url ftp://ipaddress
usename bbandi password plain my password <-- change this as per requirement.
exit
check the repository
show repository ftp
you can view the files from FTP server.
check any certificates expired in ISE, because upgrade fails after spending hours or so, so make sure no certificate expired, have atlease 20-50GB Free space before you start below :
5. application install ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz ftp
09-14-2020 01:26 PM - edited 09-14-2020 01:26 PM
2.4 to 2.6 straight upgrade. - download from Cisco Download ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz
I did the below steps :
1. Config back if any
2. download Filezilla ftp server
3. copy the image to FTP Server make username and password (make a folder as root)
4. login to ISE - make FTP repository
# config t
repository ftp
url ftp://ipaddress
usename bbandi password plain my password <-- change this as per requirement.
exit
check the repository
show repository ftp
you can view the files from FTP server.
check any certificates expired in ISE, because upgrade fails after spending hours or so, so make sure no certificate expired, have atlease 20-50GB Free space before you start below :
5. application install ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz ftp
09-14-2020 01:34 PM
Thanks Balaji,
We have 2 ISE nodes for redundancy, should we do the primary or secondary first?
09-14-2020 02:25 PM
The secondary should go first if you are doing an in place inline upgrade.
I will add two things you should look at with the process above.
Also, any reason you are looking to upgrade to 2.6 versus Cisco's current "gold star" recommendation of 2.7? Not to say 2.6 isn't a fine release, just not where most are looking to go right now. I know you're asking for the most stable and problem free release for 802.1x, upgrading comes with risks, 2.4p13 is the most mature release in that regard and still supported. Most risk adverse customers don't upgrade unless support is ending for their current release train or they require a specific feature only found in a new release.
09-14-2020 02:37 PM
Hey Damien, how's it going?
The reason for this upgrade is partly because most of our users are working from home so we have an opportunity to do this with minimal disruption.
Also there is possibility for a DNAC implementation in the near future. The minimum ISE needs to be on for that is 2.5, which you probably know. The reason we didn't go with 2.7 is because of the long term support on the even numbered releases. Also I have heard of some environments having issues in 2.7.
Thanks,
Waqas
09-14-2020 07:39 PM
As of ISE 2.7, there are no longer 'long-live' vs. 'short-live' releases. All releases from 2.7 are considered 'long-live' and subject to this Release Lifecyle.
As @Damien Miller stated, ISE 2.7 is currently the Recommended version by the Cisco BU based on stability and support lifecycle. There have been 2 patches released to resolve known bugs/vulnerabilities as documented in the Release Notes but, as with any software product, we recommend regression testing in a non-Prod environment if possible before rolling out to Production.
09-15-2020 06:21 AM
@waqas gondal For the future since you mentioned DNAC use the following for compatibility purposes:
If you have issues or concerns with versioning engage TAC and/or your rep because if you are running DNAC and ISE versions that are not depicted as supported you may encounter some difficulties should you face issues where you need TAC to engage. HTH!
09-15-2020 12:05 AM
Secondary First. then So on, any issue arises you have primary running as expected.
09-20-2020 08:07 AM
I don’t understand why 2.6
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide