Wanted to let folks know that ISE 2.0 is available! Details can be seen at: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html
I was coincidentally upgrading a 2 node deployment today and used the ISE 2.0 upgrade images to do that. It worked fine following the upgrade guide. I will update the forum if I hit any issues going forward.
It looks like not all of the docs are posted just yet (no 2.0 Admin Guide and there's no updated Ordering Guide). Also the device management (TACACS+) license part numbers aren't in CCW yet.
I would advise you all to tread lightly before upgrading to v2.0.
I have just done the upgrade, and have encountered multiple problems.
- Lots of nodes are not able to log on anymore. Seems to be Apple products mostly.
- EAP-TLS wired 802.1x does not work anymore (the dreaded 5440 Endpoint abandoned EAP session and started new) is back!
- I now have tons of "5436 RADIUS packet already in the process" in the log, stating this:
Check whether the Average RADIUS Request Latency statistic is close to or exceeds the client's RADIUS request timeout. If so, determine whether the latency is caused by a slow external Identity Store or because this instance of ISE is being overloaded. To resolve this, increase the client's RADIUS request timeout, using a faster or additional, external Identity Stores, or reduce the load on this instance of ISE.
Nothing else is done other than upgrading the ISE nodes.
- I also have tons of "5417 Dynamic Authorization failed" messages in the log. Probably because of the introduction of Network Device profiles. All nodes are automatically set to "Cisco". Problem is, we use mostly Aerohive, and there is no profile for that.
If people are starting to have problems when they come to work tomorrow, I am probably forced to do a downgrade, which I guess means a reinstall, and then hope the backups work.
Other comments: Why v2.0 when there is so little new? And in guest management, absolutely nothing. I had at least expected we were finally allowed to use phone number as user name.
- Still no support for high resolution displays
- Still using flash, which is dead slow, even on my top notch modern workstation.
Sorry to hear of your issues. I have not seen this in my lab, and I have been running the beta for a month now. You should probably make it a TAC case; it sounds pretty serious.
About the new features, I think we should have been at 2.0 a long time ago, with the changes from 1.1->1.2->1.3. However, for 2.0 the one major feature is TACACS support, which for Cisco environments has been long awaited for years now.
The main reason right now to upgrade to 2.0 for us is TACACS support. Is there any additional licensing needed, or will I be able to upgrade to 2.0 and start configuring TACACS?
Cisco ISE requires a Device Administration license to use the TACACS+ service. The Device Administration license is a perpetual license. If you are upgrading from an earlier release to Cisco ISE, Release 2.0 and would like to enable the TACACS+ service, you must order the Device Administration license as a separate add-on license. You need one Device Administration license for the entire ISE deployment.
Can someone point me in the right direction of procuring the Device Administration license? What is the reasoning behind a license for TACACS? Is there a cost involved?
Seems counter-intuitive here since Cisco has been issuing free ACS licenses till TACACS support for ISE installs....
It's showing up in the Ordering Tool (CCW) now.
List price is US$4k so it's a good bit less than ACS - especially considering that covers unlimited devices and it's a perpetual license.
We upgraded to ISE 2.0 without issue. We are interested in the Network Device profiles feature to be able to support some Aerohive access points.
Has someone already created a profile for Aerohive (for Captive Portal)?