Upgrading to Cisco ISE 1.4

ISE 1.4 was released on the 6th May 2015, this release in my opinion is a minor release. Unlike ISE 1.3 which introduced some big features, namely the Internal Certificate Authority, this release unfortunately doesn’t go as far.

ISE is still missing TACACS which will most likely be introduced in version 2.0. However some of the big ticket items in ISE 1.4 in my opinion are:

  • Periodic Guest AUP, which will force the Guest Client to accept the AUP again after a few hours to keep the guest connection alive. Great for making sure Guest Clients aren’t left alone idling.
  • Multiple MDM support – have more that one MDM configured and route users to an MDM portal based on the parameters defined
  • Deploy SourceFIRE’s Advanced Malware Protection (AMP) Endpoint to devices

The upgrade paths available are dependent on the version of ISE you already have in your network. But a direct upgrade can be done from the following ISE versions:

  • 1.2 with minimum update patch 14
  • 1.2.1 with minimum update patch 5
  • 1.3 no patches required

In my lab environment we are running ISE 1.3 with patch 1 and will execute the upgrade to 1.4. Upgrading from Version 1.2.1 or prior is a much bigger upgrade, therefore it’s worth spending some time understanding what changed from 1.2 to 1.3 first!

Let’s Begin

Grab the latest software – upgrade bundles from cisco.com

For our deployment we grabbed the following file:

  • ise-upgradebundle-
  • MD5 checksum is 35a159416afd0900c9da7b3dc6c72043

It’s always a good idea to check the MD5 checksum once downloaded to ensure the file integrity hasn’t been compromised.

Console Access to Virtual Machine

Before proceeding I highly recommend having console access (VMware console) to the machine, as opposed to using an SSH connection.

Perform a backup – It’s important to backup the following three things:

  1. Configuration Data
  2. Operational Data
  3. System Logs

The backup needs to be performed from the Primary Administration Node (PAN). The following sub-section will detail how to create a repository on the CLI and perform a backup.

Creating a repository – (FTP_BAK) from global configuration mode:

repository REPO_NAME
  url ftp://IP_ADDRESS
  user USER password plain PASS

Once you have created the backup repository perform the backup by issuing the following commands:

# Configuration Backup
backup ISE_CONFIG repository FTP_BAK ise-config encryption-key plain Dill1GaF
# Operational Backup
backup ISE_OPERATIONAL repository FTP_BAK ise-operational encryption-key plain Dill1GaF
# System Log Backup
backup-logs ISE_LOGS repository FTP_BAK encryption-key plain Dill1GaF

Insure that you perform a cleanup of any older upgrades – You can skip this step if you have never upgraded the ISE deployment from an older release

application upgrade cleanup

Okay let’s prepare the upgrade to be downloaded from our repository onto our ISE server, you will notice this is the spot where we reference our source file and our repository that contains the file.

application upgrade prepare ise-upgradebundle- FTP_BAK

The preparation will take around 30 minutes to complete, depending on the grunt of your ISE server, network links to the repository server etc. Once you have completed the preparation, go ahead and start the upgrade.

application upgrade proceed

The upgrade took around 60 minutes in my lab environment but may differ in yours. Once the upgrade has completed, it’s worth executing the following commands to check if all the services have restarted properly:

show application status ise
show application version ise

Once the upgrade has completed and you have verified that all the services have started, you must perform the following tasks post upgrade at a minimum:

  1. Perform a posture update from the Administration page
  2. Re-Join Active Directory
  3. Update the Profiler Feed Service

The upgrade scenario for this post is based on a single ISE node, the upgrade will differ for multiple nodes and you should do so only in an approved maintenance window.

Quick Note on Licensing

Currently ISE Licenses are migrated with the upgrade, so what you were entitled to before the upgrade is what you are entitled to post upgrade. However purchasing and reference of these license titles does change, just keep that in mind when reviewing what licenses you may need to get.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s