cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3670
Views
15
Helpful
12
Replies

ISE 2.0 is available on CCO

jrabinow
Level 7
Level 7

Wanted to let folks know that ISE 2.0 is available!. Details can be seen at: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html

12 Replies 12

Marvin Rhoads
Hall of Fame
Hall of Fame

I was coincidentally upgrading a 2 node deployment today and used the ISE 2.0 upgrade images to do that. It worked fine following the upgrade guide. I will update the forum if I hit any issues going forward.

It looks like not all of the docs are posted just yet (no 2.0 Admin Guide and there's no updated Ordering Guide). Also the device management (TACACS+) license part numbers aren't in CCW yet.

I've asked our account team for an eval image, but apparently that's not out yet either. Hopefully soon, it's time to move on from ACS!

Eval image is out, it's the NFR image thats not available yet.

The Device Admin license SKU is L-ISE-TACACS=.  I have been told is now available on CCW

It's not visible in CCW just yet (as of 1115 EST 22 October 2015).

We're told it should show up sometime later today.

dal
Level 3
Level 3

I would advise you all to thread lightly before upgrading to v2.0

I have just done the upgrade, and have encountered multiple problems.

- Lots of nodes are not able to log on anymore. Seems to be Apple products mostly.

- EAP-TLS wired 802.1x does not work anymore (the dreaded 5440 Endpoint abandoned EAP session and started new) is back!

- I now have tons of "5436 RADIUS packet already in the process" in the log, stating this:

Check whether the Average RADIUS Request Latency statistic is close to or exceeds the client's RADIUS request timeout. If so, determine whether the latency is caused by a slow external Identity Store or because this instance of ISE is being overloaded. To resolve this, increase the client's RADIUS request timeout, using a faster or additional, external Identity Stores, or reduce the load on this instance of ISE.
Nothing else is done other than upgrading the ISE nodes.

- I also have tons of "5417 Dynamic Authorization failed" messages in the log. Probably because of the introduction of Network Device profiles. All nodes are automatically set to "Cisco". Problem is, we use mostly Aerohive, and there is no profile for that.

 

If people are starting to have problems when they come to work tomorrow, I am probably forced to do a downgrade, which I guess means a reinstall, and then hope the backups works..

 

Other comments: Why v2.0 when there is so little new? And in guest management, absolutely nothing. I had at least expected we were finally allowed to use phone number as user name.

- Still no support for high resolution displays

- Still using flash, which is dead slow, even on my top notch modern workstation.

 

Sorry to hear of you issues, i have not seen this in my lab, i have been running the beta for a month now. You should probably make it a TAC case, sounds pretty serious.

About the new features, i think we should have been at 2.0 a long time ago, with the changes from 1.1->1.2->1.3, however for 2.0 the one major feature is TACACS support which for Cisco environments have been long awaited for years now.

mbuttnerMSI
Level 1
Level 1

The main reason right now to upgrade to 2.0 for us is TACACS support. Is there any additional licensing needed, or will I be able to upgrade to 2.0 and start configuring TACACS?

 

Cisco ISE requires a Device Administration license to use the TACACS+ service. The Device Administration license is a perpetual license. If you are upgrading from an earlier release to Cisco ISE, Release 2.0 and would like to enable the TACACS+ service, you must order the Device Administration license as a separate add-on license. You need one Device Administration license for the entire ISE deployment.

 

Can someone point me in the right direction of procuring the Device Administration license? What is the reasoning behind a license for TACACS-Is there a cost involved?

 

Seems counter-intuitive here since Cisco has been issuing free ACS licenses till TACACS support for ISE installs....

Yea- what I feared charging for TACACS. 

It's showing up in the Ordering Tool (CCW) now.

List price is US$4k so it's a good bit less than ACS - especially considering that covers unlimited devices and it's a perpetual license.

Understood- The price isn't the problem, just delays migration for a bit.

 

Thanks for update guys.

Lionel Gavage
Level 1
Level 1

Hello,

We upgraded to ISE 2.0 without issue. We are interesting by the Network Device profiles feature to be able to support some Aerohive Access Point.

Does someone has already created a profile for Aerohive (for Captive Portal)?

Thks.

Regards,

Lionel

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: