10-16-2015 08:24 AM - edited 03-10-2019 11:09 PM
Wanted to let folks know that ISE 2.0 is available! Details can be seen at: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html
10-16-2015 08:28 PM
I was coincidentally upgrading a 2 node deployment today and used the ISE 2.0 upgrade images to do that. It worked fine following the upgrade guide. I will update the forum if I hit any issues going forward.
It looks like not all of the docs are posted just yet (no 2.0 Admin Guide and there's no updated Ordering Guide). Also the device management (TACACS+) license part numbers aren't in CCW yet.
10-19-2015 06:56 AM
I've asked our account team for an eval image, but apparently that's not out yet either. Hopefully soon, it's time to move on from ACS!
10-19-2015 12:52 PM
Eval image is out, it's the NFR image that's not available yet.
10-22-2015 08:11 AM
The Device Admin license SKU is L-ISE-TACACS=. I have been told it is now available on CCW.
10-22-2015 08:24 AM
It's not visible in CCW just yet (as of 1115 EST 22 October 2015).
We're told it should show up sometime later today.
10-19-2015 02:45 PM
I would advise you all to tread lightly before upgrading to v2.0.
I have just done the upgrade, and have encountered multiple problems.
- Lots of nodes are not able to log on anymore. Seems to be Apple products mostly.
- EAP-TLS wired 802.1x does not work anymore (the dreaded 5440 Endpoint abandoned EAP session and started new) is back!
- I now have tons of "5436 RADIUS packet already in the process" in the log, stating this:
Check whether the Average RADIUS Request Latency statistic is close to or exceeds the client's RADIUS request timeout. If so, determine whether the latency is caused by a slow external Identity Store or because this instance of ISE is being overloaded. To resolve this, increase the client's RADIUS request timeout, using a faster or additional, external Identity Stores, or reduce the load on this instance of ISE.
Nothing else is done other than upgrading the ISE nodes.
- I also have tons of "5417 Dynamic Authorization failed" messages in the log. Probably because of the introduction of Network Device profiles. All nodes are automatically set to "Cisco". Problem is, we use mostly Aerohive, and there is no profile for that.
If people are starting to have problems when they come to work tomorrow, I am probably forced to do a downgrade, which I guess means a reinstall, and then hope the backups work.
Other comments: Why v2.0 when there is so little new? And in guest management, absolutely nothing. I had at least expected we were finally allowed to use phone number as user name.
- Still no support for high resolution displays
- Still using flash, which is dead slow, even on my top notch modern workstation.
10-19-2015 03:25 PM
Sorry to hear of your issues. I have not seen this in my lab, and I have been running the beta for a month now. You should probably make it a TAC case, sounds pretty serious.
About the new features, I think we should have been at 2.0 a long time ago, with the changes from 1.1->1.2->1.3. However, for 2.0 the one major feature is TACACS support, which for Cisco environments has been long awaited for years now.
10-19-2015 03:09 PM
The main reason right now to upgrade to 2.0 for us is TACACS support. Is there any additional licensing needed, or will I be able to upgrade to 2.0 and start configuring TACACS?
Cisco ISE requires a Device Administration license to use the TACACS+ service. The Device Administration license is a perpetual license. If you are upgrading from an earlier release to Cisco ISE, Release 2.0 and would like to enable the TACACS+ service, you must order the Device Administration license as a separate add-on license. You need one Device Administration license for the entire ISE deployment.
Can someone point me in the right direction of procuring the Device Administration license? What is the reasoning behind a license for TACACS? Is there a cost involved?
Seems counter-intuitive here since Cisco has been issuing free ACS licenses till TACACS support for ISE installs....
10-22-2015 05:02 PM
Yeah, what I feared: charging for TACACS.
10-22-2015 05:45 PM
It's showing up in the Ordering Tool (CCW) now.
List price is US$4k so it's a good bit less than ACS - especially considering that covers unlimited devices and it's a perpetual license.
10-22-2015 05:48 PM
Understood. The price isn't the problem, it just delays migration for a bit.
Thanks for the update, guys.
11-11-2015 03:48 AM
Hello,
We upgraded to ISE 2.0 without issue. We are interested in the Network Device profiles feature to be able to support some Aerohive Access Points.
Has anyone already created a profile for Aerohive (for Captive Portal)?
Thanks.
Regards,
Lionel