ISE 1.4 was released on the 6th May 2015, this release in my opinion is a minor release. Unlike ISE 1.3 which introduced some big features, namely the Internal Certificate Authority, this release unfortunately doesn’t go as far.
ISE is still missing TACACS which will most likely be introduced in version 2.0. However some of the big ticket items in ISE 1.4 in my opinion are:
- Periodic Guest AUP, which will force the Guest Client to accept the AUP again after a few hours to keep the guest connection alive. Great for making sure Guest Clients aren’t left alone idling.
- Multiple MDM support – have more that one MDM configured and route users to an MDM portal based on the parameters defined
- Deploy SourceFIRE’s Advanced Malware Protection (AMP) Endpoint to devices
The upgrade paths available are dependent on the version of ISE you already have in your network. But a direct upgrade can be done from the following ISE versions:
- 1.2 with minimum update patch 14
- 1.2.1 with minimum update patch 5
- 1.3 no patches required
In my lab environment we are running ISE 1.3 with patch 1 and will execute the upgrade to 1.4. Upgrading from Version 1.2.1 or prior is a much bigger upgrade, therefore it’s worth spending some time understanding what changed from 1.2 to 1.3 first!
Grab the latest software – upgrade bundles from cisco.com
For our deployment we grabbed the following file:
- MD5 checksum is 35a159416afd0900c9da7b3dc6c72043
It’s always a good idea to check the MD5 checksum once downloaded to ensure the file integrity hasn’t been compromised.
Console Access to Virtual Machine
Before proceeding I highly recommend having console access (VMware console) to the machine, as opposed to using an SSH connection.
Perform a backup – It’s important to backup the following three things:
- Configuration Data
- Operational Data
- System Logs
The backup needs to be performed from the Primary Administration Node (PAN). The following sub-section will detail how to create a repository on the CLI and perform a backup.
Creating a repository – (FTP_BAK) from global configuration mode:
repository REPO_NAME url ftp://IP_ADDRESS user USER password plain PASS
Once you have created the backup repository perform the backup by issuing the following commands:
# Configuration Backup backup ISE_CONFIG repository FTP_BAK ise-config encryption-key plain Dill1GaF # Operational Backup backup ISE_OPERATIONAL repository FTP_BAK ise-operational encryption-key plain Dill1GaF # System Log Backup backup-logs ISE_LOGS repository FTP_BAK encryption-key plain Dill1GaF
Insure that you perform a cleanup of any older upgrades – You can skip this step if you have never upgraded the ISE deployment from an older release
application upgrade cleanup
Okay let’s prepare the upgrade to be downloaded from our repository onto our ISE server, you will notice this is the spot where we reference our source file and our repository that contains the file.
application upgrade prepare ise-upgradebundle-188.8.131.52.x86_64.tar.gz FTP_BAK
The preparation will take around 30 minutes to complete, depending on the grunt of your ISE server, network links to the repository server etc. Once you have completed the preparation, go ahead and start the upgrade.
application upgrade proceed
The upgrade took around 60 minutes in my lab environment but may differ in yours. Once the upgrade has completed, it’s worth executing the following commands to check if all the services have restarted properly:
show application status ise show application version ise
Once the upgrade has completed and you have verified that all the services have started, you must perform the following tasks post upgrade at a minimum:
- Perform a posture update from the Administration page
- Re-Join Active Directory
- Update the Profiler Feed Service
The upgrade scenario for this post is based on a single ISE node, the upgrade will differ for multiple nodes and you should do so only in an approved maintenance window.
Quick Note on Licensing
Currently ISE Licenses are migrated with the upgrade, so what you were entitled to before the upgrade is what you are entitled to post upgrade. However purchasing and reference of these license titles does change, just keep that in mind when reviewing what licenses you may need to get.