Rising star

ISE 2.0 is available on CCO

Wanted to let folks know that ISE 2.0 is available! Details can be seen at: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html

12 REPLIES
Hall of Fame Guru

I was coincidentally upgrading a 2 node deployment today and used the ISE 2.0 upgrade images to do that. It worked fine following the upgrade guide. I will update the forum if I hit any issues going forward.

It looks like not all of the docs are posted just yet (no 2.0 Admin Guide and there's no updated Ordering Guide). Also the device management (TACACS+) license part numbers aren't in CCW yet.

Beginner

I've asked our account team for an eval image, but apparently that's not out yet either. Hopefully soon, it's time to move on from ACS!

Rising star

Eval image is out, it's the NFR image that's not available yet.

Rising star

The Device Admin license SKU is L-ISE-TACACS=. I have been told it is now available on CCW.

Hall of Fame Guru

It's not visible in CCW just yet (as of 1115 EST 22 October 2015).

We're told it should show up sometime later today.

dal Participant

I would advise you all to tread lightly before upgrading to v2.0.

I have just done the upgrade, and have encountered multiple problems.

- Lots of nodes are not able to log on anymore. Seems to be Apple products mostly.

- EAP-TLS wired 802.1x does not work anymore (the dreaded 5440 Endpoint abandoned EAP session and started new) is back!

- I now have tons of "5436 RADIUS packet already in the process" in the log, stating this:

Check whether the Average RADIUS Request Latency statistic is close to or exceeds the client's RADIUS request timeout. If so, determine whether the latency is caused by a slow external Identity Store or because this instance of ISE is being overloaded. To resolve this, increase the client's RADIUS request timeout, using a faster or additional, external Identity Stores, or reduce the load on this instance of ISE.

Nothing else is done other than upgrading the ISE nodes.

- I also have tons of "5417 Dynamic Authorization failed" messages in the log. Probably because of the introduction of Network Device profiles. All nodes are automatically set to "Cisco". Problem is, we use mostly Aerohive, and there is no profile for that.

If people are starting to have problems when they come to work tomorrow, I am probably forced to do a downgrade, which I guess means a reinstall, and then hope the backups work.

Other comments: Why v2.0 when there is so little new? And in guest management, absolutely nothing. I had at least expected we were finally allowed to use phone number as user name.

- Still no support for high resolution displays

- Still using Flash, which is dead slow, even on my top notch modern workstation.

Rising star

Sorry to hear of your issues. I have not seen this in my lab; I have been running the beta for a month now. You should probably make it a TAC case, sounds pretty serious.

About the new features, I think we should have been at 2.0 a long time ago, with the changes from 1.1->1.2->1.3. However, for 2.0 the one major feature is TACACS support, which for Cisco environments has been long awaited for years now.

Beginner

The main reason right now to upgrade to 2.0 for us is TACACS support. Is there any additional licensing needed, or will I be able to upgrade to 2.0 and start configuring TACACS?

Cisco ISE requires a Device Administration license to use the TACACS+ service. The Device Administration license is a perpetual license. If you are upgrading from an earlier release to Cisco ISE, Release 2.0 and would like to enable the TACACS+ service, you must order the Device Administration license as a separate add-on license. You need one Device Administration license for the entire ISE deployment.

Can someone point me in the right direction of procuring the Device Administration license? What is the reasoning behind a license for TACACS? Is there a cost involved?

Seems counter-intuitive here since Cisco has been issuing free ACS licenses till TACACS support for ISE installs...

Beginner

Yea - what I feared, charging for TACACS.

Hall of Fame Guru

It's showing up in the Ordering Tool (CCW) now.

List price is US$4k so it's a good bit less than ACS - especially considering that covers unlimited devices and it's a perpetual license.

Beginner

Understood - the price isn't the problem, just delays migration for a bit.

Thanks for the update, guys.

Beginner

Hello,

We upgraded to ISE 2.0 without issue. We are interested in the Network Device profiles feature to be able to support some Aerohive access points.

Has someone already created a profile for Aerohive (for Captive Portal)?

Thanks.

Regards,

Lionel