Cisco ISE Upgrade Guide, Release 3.1
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2021 Cisco Systems, Inc. All rights reserved.
CONTENTS
Short Description ?
Upgrade Path 2
Change the Name of Authorization Simple Condition if a Predefined Authorization Compound Condition
with the Same Name Exists 12
Change VMware Virtual Machine Guest Operating System and Settings 13
CA Certificate Chain 15
Delete a Certificate 15
Disable PAN Automatic Failover and Disable Scheduled Backups before Upgrading 16
Configure NTP Server and Verify Availability 17
Upgrade Virtual Machine 17
Record Profiler Configuration 18
Upgrade Cisco ISE Deployment Using Backup and Restore Method (Recommended) 26
Upgrade Secondary PAN and Secondary MnT Nodes to Cisco ISE, Release 2.6, 2.7 or 3.0 28
Upgrade Secondary PAN and MnT Nodes to Cisco ISE, Release 3.1 28
Join Policy Service Nodes to Cisco ISE, Release 3.1 28
Upgrade Process 37
Browser Setup 47
Client Provisioning 51
Online Updates 51
Offline Updates 51
Cipher Suites 51
Note From Cisco ISE Release 3.1, all pxGrid connections must be based on pxGrid 2.0. pxGrid 1.0-based (XMPP-based)
integrations will cease to work on Cisco ISE from Release 3.1 onwards.
pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend
that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential
disruptions, if any, to integrations.
Note The documentation set for this product strives to use bias-free language. For purposes of this documentation
set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial
identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be
present in the documentation due to language that is hardcoded in the user interfaces of the product software,
language used based on RFP documentation, or language that is used by a referenced third-party product.
This document describes how to upgrade your Cisco Identity Services Engine (Cisco ISE) software on Cisco
ISE appliances and virtual machines to Release 3.1.
Upgrading a Cisco ISE deployment is a multistep process and must be performed in the order that is specified
in this document. Use the time estimates provided in this document to plan for an upgrade with minimum
downtime. For a deployment with multiple Policy Service Nodes (PSNs) that are part of a PSN group, there is
no downtime. If there are endpoints that are authenticated through a PSN that is being upgraded, the request
is processed by another PSN in the node group. The endpoint is reauthenticated and granted network access
after the authentication is successful.
Note If you have a standalone deployment or a deployment with a single PSN, you might experience downtime
for all authentications while the PSN is being upgraded.
Upgrade Path
Single-step Upgrade
You can directly upgrade to 3.1, from any of the following releases:
• Cisco ISE, Release 2.6
• Cisco ISE, Release 2.7
• Cisco ISE, Release 3.0
Two-step Upgrade
If you are currently using a version earlier than Cisco ISE, Release 2.6, you must first upgrade to one of the
releases that are listed above and then upgrade to Release 3.1.
If you are upgrading Cisco ISE nodes on VMware virtual machines, after the upgrade is complete, ensure that
you change the Guest Operating System to the supported version of RHEL. To do this, power down the VM,
change the Guest Operating System to the supported RHEL version, and power on the VM after the change.
Note If you have selected Guest OS RHEL 8 and Firmware EFI, ensure that the Enable UEFI Secure Boot option is
disabled in the VM Options tab. The Enable UEFI Secure Boot option is enabled by default for a Guest OS
RHEL 8 VM; ensure that you disable it for the Cisco ISE VM.
In general, Cisco ISE upgrades that include an RHEL OS upgrade take longer than the normal upgrade process.
Additionally, if the Oracle database version changes, the upgrade might take more time because the
new Oracle package is installed during the OS upgrade.
If you buy or modify your license purchases, you must connect the SSM On-Prem to CSSM for the changes
to be available in your local server.
Note • If you enable the SSM On-Prem licensing solution, you will not be able to use proxy services in Cisco ISE.
You will also not be able to use any Cisco ISE services that are enabled by external CA certificates.
• ISE-PIC 2.7 and earlier does not support Smart Licensing.
Step 1 In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Licensing.
Step 2 Click Registration Details.
Step 3 In the Registration Details area displayed, enter the registration token that you received from CSSM in the Registration
Token field.
Step 4 Choose SSM On-Prem Server from the Connection Method drop-down list.
The Certificate window in the SSM On-Prem portal displays either the IP address or the hostname (or FQDN) of the
connected SSM On-Prem server.
Step 5 Enter the configured IP address or the hostname (or FQDN) in the SSM On-Prem server Host field.
Step 6 From the Tier and Virtual Appliance areas, check the check boxes for all the licenses you need to enable. The chosen
licenses will be activated and their consumption is tracked by CSSM.
Step 7 Click Register.
Licensing Changes
Device Administration Licenses
The licenses that are used for Cisco ISE Releases 2.x, such as Base, Plus, and Apex, have been replaced with
new license types. Cisco ISE Release 3.0 uses Essentials, Advantage, and Premier licenses. See the Chapter
“Licensing” in the Cisco Identity Services Engine Administrator Guide. For more information on license migration,
see the ISE 3.0 License Migration Guide.
You must convert your existing smart or traditional licenses to the new license type through the Cisco Smart
Software Manager (CSSM), to enable license consumption in Cisco ISE Release 3.0.
From Cisco ISE, Release 2.4, the number of Device Administration licenses must be equal to the number of
device administration nodes (PSNs configured for the device administration service) in a deployment.
If you are currently using a Device Administration license and plan to upgrade to Release 2.4 or above, TACACS+
features will be supported for 50 Device Administration nodes in Release 2.4 and above.
If you install a PAK generated from a new PID, the Device Administration license count is displayed according to
the quantity available in the PAK file. You can add multiple Device Administration licenses to your deployment
based on the number of Device Administration nodes that you require. The Evaluation license supports one Device
Administration node.
Licenses for VM nodes
Cisco ISE is also shipped as a virtual appliance. For Release 2.4 and above, it is recommended that you install
appropriate VM licenses for the VM nodes in your deployment. You must install the VM licenses based on the
number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, in Release 2.4 and
later you will receive warnings and notifications to procure and install the VM license keys; however, the
services are not interrupted.
VM licenses are Infrastructure licenses; therefore, you can install VM licenses irrespective of the endpoint
licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation,
Base, Plus, or Apex license in your deployment. However, in order to use the features enabled by the Base,
Plus, or Apex licenses, you must install the appropriate licenses.
After installing or upgrading to Release 2.4 or above, if there is any mismatch between the number of deployed
VM nodes and installed VM licenses, alarms are displayed in the Alarms dashlet every 14 days. Alarms are
also displayed if there are any changes in a VM node's resources or whenever a VM node is registered or
deregistered.
VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco
ISE GUI, until you check the Do not show this message again check box in the notification dialog box.
If you have not purchased any ISE VM license before, refer to the ISE Ordering Guide to choose the appropriate
VM license to be purchased. If you have purchased ISE VM licenses with no Product Authorization Key (PAK)
associated, you can request VM PAKs by reaching out to [email protected] with Sales Order numbers that
reflect the ISE VM purchase. This request will be processed to provide one medium VM license key for each
ISE VM purchase you made in the past.
For more information about the licenses, see chapter "Cisco ISE Licenses" in the Cisco Identity Services Engine
Administrator Guide.
Health Check
Ensure that you run a health check for your Cisco ISE deployment before the upgrade process to identify
and resolve any critical issues that may cause upgrade downtime. For more information, see the Health Check
section in the "Troubleshooting" chapter in the Cisco ISE 3.0 Admin Guide.
Note If you are upgrading from Cisco ISE Release 2.7 Patch 4 and later releases and
have an SSM On-Prem server configured, you must disconnect the SSM On-Prem
server before you begin the upgrade process.
• We recommend that you test the upgrade in a staging environment to identify and fix any upgrade issues
before upgrading the production networks.
• All the nodes in the Cisco ISE deployment should be at the same patch level in order to exchange
data.
Note If all the nodes in your deployment are not on the same Cisco ISE version and
patch version, you will get a warning message: Upgrade cannot begin. This
message indicates that the upgrade is in a blocked state. Ensure that all the nodes
in the deployment are in the same version (including the patch version, if any)
before you begin the upgrade process.
• Based on the number of PSNs in your deployment and the availability of personnel, you can install the
final version of Cisco ISE that you need to upgrade to, apply the latest patch, and keep it ready.
• If you want to retain the MnT logs, perform the above tasks for the MnT nodes and join the new
deployment as MnT nodes. However, if you do not need to retain the operational logs, you can skip
this step by reimaging the MnT nodes.
• In a multi-node deployment, Cisco ISE installation can be done in parallel without impact on
the production deployment. Installing ISE servers in parallel saves time, especially when you are
using backup and restore from a previous release.
• PSNs can be added to the new deployment to download the existing policies from the PAN during the
registration process. Use the ISE latency and bandwidth calculator to understand the latency and
bandwidth requirements of a Cisco ISE deployment.
• It is a best practice to archive the old logs and not transfer them to the new deployment. This is
because operational logs restored on the MnTs are not synchronized to other nodes if you
change the MnT roles later.
• If you have two Data Centers (DC) with full distributed deployment, upgrade the backup DC and test
the use cases before upgrading primary DC.
• Download and store the upgrade software in a local repository before upgrade to speed up the process.
• If you are upgrading to Cisco ISE, Release 3.0 or later, you can use either Health Check or the
Upgrade Readiness Tool (URT) to run a system diagnosis before you initiate the upgrade process.
• Use the Upgrade Readiness Tool (URT) to detect and fix any configuration data upgrade issues before
you start the upgrade process. Most of the upgrade failures occur because of configuration data upgrade
issues. The URT validates the data before upgrade to identify, and report or fix the issue, wherever possible.
The URT is available as a separate downloadable bundle that can be run on a Secondary Policy
Administration node or standalone node. There is no downtime to run this tool. The following video explains
how to use the URT: https://www.cisco.com/c/en/us/td/docs/security/ise/videos/urt/v1-0/cisco-urt.html
Warning Do not run the URT on the Primary Policy Administration Node. The URT tool does
not simulate MnT operational data upgrades.
• When upgrading Cisco ISE using the GUI, note that the timeout for the process is four hours. If the process
takes more than four hours, the upgrade fails. If upgrading with the Upgrade Readiness Tool (URT) will
take you more than four hours, Cisco recommends that you use CLI for this process.
• Take the backup of load balancers before changing the configuration. You can remove the PSNs from
the load balancers during the upgrade window and add them back after the upgrade.
• Disable automatic PAN Failover (if configured) and disable Heartbeat between PANs during the upgrade.
• Review the existing policies and rules and remove outdated, redundant, and stale policy and rules.
• Remove unwanted monitoring logs and endpoint data.
• You can take a backup of configuration and operations logs and restore it on a temporary server that is
not connected to the network. You can use a remote logging target during the upgrade window.
You can use the following options after the upgrade to reduce the number of logs that are sent to MnT
nodes and improve the performance:
• Use the MnT collection filters (To view this window, click the Menu icon ( ) and choose
Administration > System > Logging > Collection Filters) to filter incoming logs and avoid duplication
of entries in AAA logs.
• Create Remote Logging Targets (To view this window, click the Menu icon ( ) and choose
Administration > System > Logging > Remote Logging Targets) and route each individual logging
category to a specific Logging Target (To view this window, click the Menu icon ( ) and choose
Administration > System > Logging > Logging Categories).
• Enable the Ignore Repeated Updates option to avoid repeated accounting updates. To view this window,
click the Menu icon ( ) and choose Administration > System > Settings > Protocols > RADIUS.
• Download and use the latest upgrade bundle for upgrade. Use the following query in the Bug Search Tool
to find the upgrade related defects that are open and fixed:
https://bst.cloudapps.cisco.com/bugsearch/search?kw=%20ISE%20upgrade&pf=prdNm&sb=anfr&mDt=4&sts=open&bt=custV
• Test all the use cases for the new deployment with fewer users to ensure service continuity.
Warning In multiple-node deployments, do not run the URT on the Primary Policy Administration Node.
You can run the URT from the Command-Line Interface (CLI) of the Cisco ISE node. The URT does the following:
1. Checks if the URT is run on a supported version of Cisco ISE. The supported versions are Releases 2.4, 2.6
and 2.7.
2. Verifies that the URT is run on a standalone Cisco ISE node or a Secondary Policy Administration Node
(secondary PAN).
3. Checks if the URT bundle is less than 45 days old. This check is done to ensure that you use the most
recent URT bundle.
4. Checks if all the prerequisites are met.
The following prerequisites are checked by the URT:
• Version compatibility
• Persona checks
• Disk space
Note Verify the available disk size with Disk Requirement Size. If you are required to
increase the disk size, reinstall ISE and restore a config backup.
• NTP server
• Memory
• System and trusted certificate validation
Note If there are no patches in the URT bundle, the output returns N/A. This is expected behaviour when
installing a hot patch.
If the application is not installed successfully during the above execution, the URT returns the cause of the upgrade
failure. You need to fix the issues and rerun the URT.
For a full list of ports that Cisco ISE uses, see the Cisco ISE Ports Reference or the Cisco Identity Services Engine
Hardware Installation Guide.
Note When Cisco ISE runs on VMware, VMware snapshots are not supported for backing up ISE data.
VMware snapshot saves the status of a VM at a given point of time. In a multi-node Cisco ISE deployment,
data in all the nodes are continuously synchronized with the current database information. Restoring a snapshot
might cause database replication and synchronization issues. Cisco recommends that you use the backup
functionality included in Cisco ISE for archival and restoration of data.
Using VMware snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to
bring up the ISE node.
You can also obtain the configuration and operational data backup from the Cisco ISE Admin Portal. Ensure
that you have created repositories for storing the backup file. Do not back up using a local repository. You
cannot back up the monitoring data in the local repository of a Remote Monitoring node. The following repository
types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because these repository types are all either
read-only or their protocol does not support the file listing.
1. In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > Maintenance > Backup and
Restore.
2. Click Backup Now.
3. Enter the values as required to perform a backup.
4. Click OK.
5. Verify that the backup completed successfully.
In a distributed deployment, do not change the role of a node or promote a node when the backup is
running. Changing node roles will shut down all the processes and might cause some inconsistency in
data if a backup is running concurrently. Wait for the backup to complete before you make any node role
changes.
Cisco ISE appends the backup filename with a timestamp and stores the file in the specified repository. In
addition to the timestamp, Cisco ISE adds a CFG tag for configuration backups and OPS tag for operational
backups. Ensure that the backup file exists in the specified repository.
Note Cisco ISE allows you to obtain a backup from an ISE node (A) and restore it on another ISE node (B), both
having the same hostnames (but different IP addresses). However, after you restore the backup on node B,
do not change the hostname of node B because it might cause issues with certificates and portal group tags.
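The following Python script, added here as an illustration and not part of the Cisco guide, reads a repository listing and verifies that a configuration (CFG) and an operational (OPS) backup exist and are recent enough to upgrade from. The guide only states that Cisco ISE appends a timestamp and a CFG or OPS tag to the backup file name; the exact layout <name>-CFG<n>-<yymmdd>-<hhmm>.tar.gpg, the 24-hour age limit, the clock value and the listing itself are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Find the newest CFG and OPS backups in a repository listing and check
that they are recent enough to upgrade from.

Constructed example for this page, not Cisco's code. The file-name layout
<name>-<CFG|OPS><digits>-<yymmdd>-<hhmm>.tar.gpg is an assumption based on
the guide's statement that ISE appends a timestamp and a CFG/OPS tag.
"""
import re
from datetime import datetime, timedelta

# Assumed layout of a Cisco ISE backup file name (see module docstring).
BACKUP_RE = re.compile(
    r"^(?P<name>.+?)-(?P<kind>CFG|OPS)\d*-(?P<date>\d{6})-(?P<time>\d{4})\.tar\.gpg$"
)


def parse_backup_name(filename):
    """Return (kind, timestamp, backup name) or None for non-backup files."""
    m = BACKUP_RE.match(filename)
    if not m:
        return None
    stamp = datetime.strptime(m["date"] + m["time"], "%y%m%d%H%M")
    return m["kind"], stamp, m["name"]


def latest_backup(listing, kind):
    """Return (filename, timestamp) of the newest backup of the given kind."""
    newest = None
    for filename in listing:
        parsed = parse_backup_name(filename)
        if parsed and parsed[0] == kind:
            if newest is None or parsed[1] > newest[1]:
                newest = (filename, parsed[1])
    return newest


def backup_is_recent(listing, kind, now, max_age=timedelta(hours=24)):
    """Check that the newest backup of `kind` is no older than `max_age`."""
    newest = latest_backup(listing, kind)
    if newest is None:
        return False, f"no {kind} backup found in repository"
    age = now - newest[1]
    verdict = age <= max_age
    return verdict, f"newest {kind} backup {newest[0]} is {age} old"


# Constructed repository listing and clock value used by the example.
SAMPLE_LISTING = [
    "isebackup-CFG10-210301-0200.tar.gpg",
    "isebackup-CFG10-210315-0200.tar.gpg",
    "isebackup-OPS10-210301-0300.tar.gpg",
    "notes.txt",
]
NOW = datetime(2021, 3, 15, 12, 0)

if __name__ == "__main__":
    for kind in ("CFG", "OPS"):
        ok, message = backup_is_recent(SAMPLE_LISTING, kind, NOW)
        print("PASS" if ok else "FAIL", message)
```

Run it against a real listing by replacing SAMPLE_LISTING with the file names shown by the repository (for example, the output of the ISE `show repository` command) and NOW with the current time; the OPS check is only relevant if you intend to restore operational logs into the new deployment.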
CA Certificate Chain
Before upgrading to Cisco ISE 3.0, ensure that the internal CA certificate chain is valid.
1. In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Certificates >
Certificate Authority Certificates
2. For each node in the deployment, select the certificate with Certificate Services Endpoint Sub CA
in the Friendly Name column. Click View and verify that the Certificate Status is Good message is
displayed.
3. If any certificate chain is broken, you must fix the issue before upgrading Cisco ISE. To view this window,
click the Menu icon ( ) and choose Administration > System > Certificates > Certificate Management >
Certificate Signing Requests > ISE Root CA
Delete a Certificate
In order to delete an expired certificate, perform the following steps:
Step 1 In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Certificates > Certificate
Management > System Certificates.
Step 2 Select the expired certificate.
Step 3 Click Delete.
Step 4 In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Certificates > Certificate Management
> Trusted Certificates.
Step 5 Select the expired certificate.
Step 6 Click Delete.
Step 7 Choose Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates.
Step 8 Select the expired certificate.
Step 9 Click Delete.
Step 1 In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Certificates > Certificate Management
> System Certificates.
Step 2 Select the certificate and click Export.
Step 3 Select the Export Certificates and Private Keys radio button.
Step 4 Enter the Private Key Password and Confirm Password.
Step 5 Click Export.
• All certificates from the Trusted Certificates Store of the Primary Administration Node. Record the
certificate configuration (what service the certificate was used for).
Step 1 In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Certificates > Certificate Management
> System Certificates.
Step 2 Select the certificate and click Export.
Step 3 Click Save File to export the certificate.
Step 4 In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Certificates > Certificate Authority
> Certificate Authority Certificates.
Step 5 Select the certificate and click Export.
Step 6 Select the Export Certificates and Private Keys radio button.
Step 7 Enter the Private Key Password and Confirm Password.
Step 8 Click Export.
Step 9 Click Save File to export the certificate.
• Scheduled Backups—When planning your deployment upgrade, reschedule the backups after the upgrade.
You can choose to disable the backup schedules and recreate them after the upgrade.
Backups with a schedule frequency of once get triggered every time the Cisco ISE application is restarted.
Hence, if you have a backup schedule that was configured to run only a single time, be sure to disable it
before upgrade.
Note It is important that you use reserved resources for CPU, memory and hard disk space during the upgrade
instead of shared resources.
If you are upgrading from a VM based on a 33x5 appliance, the upgraded VM needs more CPU cores (the
OVA for the 3515 allocates approximately 6 cores, and the OVA for the 3595 uses 8 cores and 64 GB RAM with HT
enabled). See the OVA requirements for ISE 2.4 for more details.
34xx series appliances are not supported in Cisco ISE, Release 2.4 and later.
Cisco ISE, Release 2.4 and later requires a minimum disk size of 300GB for virtual machines as the local disk
allocation is increased to 29GB.
Note When you download an upgrade bundle from a repository to a node, the download times out if it takes more
than 35 minutes to complete. This issue occurs because of poor Internet bandwidth.
Having the upgrade bundle in the local disk saves time during upgrade. Alternatively, you can use the application
upgrade prepare command to copy the upgrade bundle to the local disk and extract it.
Note • Ensure that you have a good bandwidth connection with the repository. When you download the upgrade
bundle (file size is around 9GB) from the repository to the node, the download times out if it takes more
than 35 minutes to complete.
• If you are using a local disk to store your configuration files, the files will be deleted when you perform
the upgrade. Hence, we recommend that you create a Cisco ISE repository and copy the files to this
repository.
You can also activate collection filters (To view this window, click the Menu icon ( ) and choose Administration >
System > Logging > Collection Filters) to drop unnecessary logs from different devices that can overwhelm your
Cisco ISE MnT.
For more information on collection filters, see the "Configure Collection Filters" section in the "Maintain & Monitor"
chapter of the Cisco Identity Services Engine Administrator Guide.
See the ISE storage requirements on the Cisco ISE performance and scalability community page. The table
lists log retention based on the number of endpoints for RADIUS and the number of network devices for TACACS+.
Log retention should be calculated separately for TACACS+ and RADIUS.
Note If upgrade fails during the registration of the Primary Administration node (the last node from the old deployment
that has to be upgraded), the upgrade is rolled back and the node becomes a standalone node. From the CLI,
upgrade the node as a standalone node. Register the node to the new deployment as a Secondary Administration
node.
After the upgrade, the Secondary Administration Node becomes the Primary Administration Node, and the
original Primary Administration Node becomes the Secondary Administration Node. In the Edit Node window,
click Promote to Primary to promote the Secondary Administration Node as the Primary Administration Node
(as in your old deployment), if necessary.
If the Administration Nodes also assume the Monitoring persona, then follow the sequence given in the table
below:
You will get an error message No Secondary Administration Node in the Deployment under the following
circumstances:
• There is no Secondary Administration node in the deployment.
• The Secondary Administration node is down.
• The Secondary Administration node is upgraded and moved to the upgraded deployment. Typically, this
occurs when you use the Refresh Deployment Details option after the Secondary Administration node
is upgraded.
Comparison Factors | Backup and Restore (Recommended) | Upgrade using the GUI | Upgrade using CLI
Comparison Synopsis | Fast but more administration required | Long but less administration required | Longer and more administration required
Minimum Version | Cisco ISE 2.6 and later | Cisco ISE 2.6 and later | Cisco ISE 2.6 and later
VMs | If you have enough capacity, you can pre-stage the new VMs and join them immediately to the upgraded PAN | Each PSN is upgraded sequentially, which increases the total upgrade time linearly | Each PSN is upgraded; however, they can be done in parallel to decrease total upgrade time
Time | Least upgrade downtime because PSNs are imaged with the new version and not upgraded | Each PSN is upgraded sequentially, which increases the total upgrade time linearly | Each PSN is upgraded; however, they can be done in parallel to decrease total upgrade time
Rollback | Requires reimaging of the nodes. | Easy rollback option. | Easy rollback option.
• You can stage the nodes outside of maintenance windows, reducing the time of the upgrade during the
production.
Things to consider before upgrading Cisco ISE using Backup and Restore
Resources Required: The backup and restore upgrade process requires additional resources, which can be
reserved for the ISE deployment before being released. If you reuse existing hardware, the additional
load will need to be balanced onto the nodes that remain online. Hence, you need to evaluate the current load and
latency limits before the deployment begins in order to ensure that the deployment can handle an increase in the
number of users per node.
Personnel Required: You will require involvement from multiple business units, including network administration,
security administration, data centre, and virtualization resources, to perform the upgrade. In addition, you will need
to rejoin the node to the new deployment, restore certificates, rejoin Active Directory, and wait for policy
synchronization. This can lead to multiple reloads and requires a timeframe comparable to that of a net-new deployment.
Rollback Mechanism: Because the nodes are reimaged, all information and configuration settings from the previous
deployment are erased. Thus, the rollback mechanism for a backup and restore upgrade is the same
procedure as reimaging the nodes a second time.
Best Practice for the Backup and Restore Upgrade Process:
• Create a standalone environment or dedicate load balancers to switch Virtual IP address for RADIUS
requests.
• You can start the deployment process well before the maintenance window and point the user load
balancer to the new deployment.
For more information on the backup and restore upgrade method, see the Upgrade Cisco ISE Deployment
Using Backup and Restore Method section.
upgrade process. This procedure starts by creating configuration and operational backups of the existing
Cisco ISE deployment and then applying them to the new deployment.
Best Practice for the Backup and Restore Upgrade Process:
• Create a standalone environment or dedicate load balancers to switch Virtual IP address for RADIUS
requests.
• You can start the deployment process well before the maintenance window and point the user load
balancer to the new deployment.
The following is a broad overview of the steps involved in the Backup and Restore Upgrade method:
1. Deregister a Node
In order to remove a node from the deployment, you need to deregister the node. For more information about
node deregistration or removal, see the "Remove a Node from Deployment" section in the Cisco Identity Services
Engine Administrator Guide, Release.
2. Reimage a Node
In order to reimage a node, you need to freshly install the node in the Cisco ISE deployment. For more information
about Cisco ISE installation, see the "Install Cisco ISE " chapter in the Cisco Identity Services Engine Installation
Guide, Release.
We recommend that you apply the latest patch of the newly installed Cisco ISE Release.
6. Import Certificates
You need to import the system certificates to the newly deployed nodes in Cisco ISE. For more information
about how to import system certificates to a Cisco ISE node, see the "Import a System Certificate" section in the
Cisco Identity Services Engine Administrator Guide, Release .
Upgrade Secondary PAN and Secondary MnT Nodes to Cisco ISE, Release 2.6, 2.7 or 3.0
Upgrade Secondary PAN and MnT Nodes to Cisco ISE, Release 3.1
Step 1 Take a backup of Cisco ISE configuration settings and operational logs.
Step 2 De-register Secondary PAN node.
Step 3 Re-image the deregistered secondary PAN node to Cisco ISE, Release 3.1.
Step 4 Restore the ISE configuration from the backup data and make this node the Primary Node for your new deployment.
Step 5 Import ise-https-admin CA certificates from Secondary PAN unless you are using wild card certificates.
Step 6 De-register Secondary MnT node.
Step 7 Re-Image the deregistered Secondary MnT node to Cisco ISE, Release 3.1.
Step 8 Restore your current ISE operational backup and join the node as Primary MnT for the new deployment. This is an optional step
and needs to be performed only if you need to report on the older logs.
What to do next
We recommend that you test your partially upgraded deployment at this point. You can do so by checking that
logs are present and that the upgraded nodes function as expected.
Step 1 Reimage Primary MnT node and join as Secondary MnT to new deployment.
In case you want to preserve the data for reporting, restore a copy of the operational backup to the Secondary MnT node.
Step 2 Reimage Primary PAN node and join as Secondary PAN to new deployment.
Note The Full Upgrade method is supported for Cisco ISE 2.6 patch 10 and above, Cisco ISE 2.7 patch 4 and above,
and Cisco ISE 3.0 patch 3 and above. Only Split Upgrade method is supported for Cisco ISE 2.6 patch 9 and
below, Cisco ISE 2.7 patch 3 and below, and Cisco ISE 3.0 patch 2 and below. By default, the Split Upgrade
window is launched for these versions.
Step 1 In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Upgrade.
Step 2 In the Upgrade Selection window, click Full Upgrade and then click Start Upgrade.
Step 3 Click Next in the Welcome window to start the upgrade workflow.
Complete all the tasks listed in the Checklist window to avoid any blockers or downtime during the upgrade process.
Figure 1: Upgrade Window Showing the Checklist
Step 4 Check the I have reviewed the checklist check box and then click Next, after you have verified the items listed in the
upgrade checklist.
The Prepare to Upgrade window appears. Cisco ISE checks all the active and functional Cisco ISE components to
proceed with the upgrade process.
Step 5 From the Repository drop-down list, choose the repository where your upgrade bundle is stored.
Step 6 From the Bundle drop-down list, choose the upgrade bundle.
All the patch releases are listed in the Patch drop-down list. We recommend that you choose the latest patch for the
Cisco ISE release you are upgrading to.
Step 7 Click Start Preparation to validate all the Cisco ISE components and to generate a report for your deployment.
Bundle Download: Helps to download and prepare the upgrade bundle for all nodes.
Config Backup Check: Checks whether a configuration backup was done recently. The upgrade process runs only after the backup is completed.
Configuration Data Upgrade: This check starts after the bundle download. It runs the configuration data upgrade on the configuration database clone and creates the upgraded data dump.
Deployment Validation: Helps to check the state of the deployment node (whether it is in sync or in progress).
DNS Resolvability: Checks for the forward and reverse lookup of host name and IP address.
Trust Store Certificate Validation: Checks whether the trust store certificate is valid or expired.
System Certificate Validation: Checks the system certificate validation for each node.
Disk Space Check: Checks whether the hard disk has enough free space to continue with the upgrade process.
NTP Reachability and Time Source Check: Checks for the NTP configured in the system and whether the time source is from the NTP server.
Load Average Check: Checks the system load on a specified interval. The frequency can be 1, 5, or 15 minutes.
License Validation: Checks if the smart license is configured and valid. If smart licensing is not configured and valid, a warning is displayed to configure and validate the license.
Services or Process Failures: Indicates the state of the service or application (whether it is running or in a failed state).
If any of the components are inactive or failed, they are displayed in red. You will also be provided with the troubleshooting
suggestions in the box below. Based on the upgrade criticality of the component failed, you will be able to either proceed
with the upgrade process or will be notified to resolve the issue in order to proceed with the upgrade process.
The Refresh Failed Checks option will refresh only the failures highlighted in red, which need to be mandatorily rectified
before upgrade. Warnings highlighted in orange will not stop the upgrade process, however, may affect certain Cisco
ISE functionalities after the upgrade. Click the Refresh icon displayed next to each warning to refresh these checks
after resolving the issues.
Click the Expand to Show icon to see additional information about each node and its status.
You can also click the Information icon to read more about each component.
Click Download Report to get a copy of the generated reports.
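The prechecks above are run by Cisco ISE itself; the following is an added, offline model of four of them (DNS resolvability, system and trust store certificate validity, NTP time source), written for this guide and not part of Cisco's software. It applies the guide's severity rule (red FAIL blocks staging, orange WARN does not) to a constructed two-node deployment; the hostnames, addresses, dates and the 30-day expiry warning window are assumptions.

```python
# Offline model of the Cisco ISE upgrade prechecks (added example, not Cisco's code).
# Each check returns PASS, WARN (orange: does not block staging) or FAIL (red: must be
# fixed first). DNS answers and node facts are passed in as data so this runs offline.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PASS, WARN, FAIL = "PASS", "WARN", "FAIL"
SEVERITY = {PASS: 0, WARN: 1, FAIL: 2}

@dataclass
class Node:
    hostname: str
    ip: str
    ntp_configured: bool
    time_source_is_ntp: bool
    cert_not_after: datetime  # system certificate expiry, UTC
    trust_store_not_after: list = field(default_factory=list)  # trust store cert expiries

def check_dns(node, forward, reverse):
    """Forward and reverse lookups must agree (DNS Resolvability check)."""
    if forward.get(node.hostname) != node.ip:
        return FAIL, f"forward lookup of {node.hostname} does not give {node.ip}"
    if reverse.get(node.ip) != node.hostname:
        return FAIL, f"reverse lookup of {node.ip} does not give {node.hostname}"
    return PASS, "forward and reverse lookups agree"

def check_cert(not_after, now, warn_days=30):
    """An expired certificate blocks the upgrade; one expiring soon only warns."""
    if not_after <= now:
        return FAIL, f"expired on {not_after:%Y-%m-%d}"
    if not_after - now <= timedelta(days=warn_days):
        return WARN, f"expires within {warn_days} days ({not_after:%Y-%m-%d})"
    return PASS, f"valid until {not_after:%Y-%m-%d}"

def check_ntp(node):
    """NTP must be configured; a clock not yet synchronised to it is a warning."""
    if not node.ntp_configured:
        return FAIL, "no NTP server configured"
    if not node.time_source_is_ntp:
        return WARN, "NTP configured but the clock is not synchronised to it"
    return PASS, "time source is NTP"

def worst_of(results):
    return max(results, key=lambda r: SEVERITY[r[0]], default=(PASS, "nothing to check"))

def run_prechecks(nodes, forward, reverse, now):
    """Per-node results plus whether staging may start (no FAIL on any node)."""
    report = {}
    for n in nodes:
        report[n.hostname] = {
            "DNS Resolvability": check_dns(n, forward, reverse),
            "System Certificate Validation": check_cert(n.cert_not_after, now),
            "Trust Store Certificate Validation":
                worst_of([check_cert(exp, now) for exp in n.trust_store_not_after]),
            "NTP Reachability and Time Source Check": check_ntp(n),
        }
    blocked = any(r[0] == FAIL for checks in report.values() for r in checks.values())
    return report, not blocked

# Constructed sample deployment: a healthy PAN and a PSN with a stale reverse record.
NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)
FORWARD = {"pan.example.test": "10.0.0.10", "psn1.example.test": "10.0.0.20"}
REVERSE = {"10.0.0.10": "pan.example.test", "10.0.0.20": "psn1-old.example.test"}
NODES = [
    Node("pan.example.test", "10.0.0.10", True, True,
         NOW + timedelta(days=400), [NOW + timedelta(days=800)]),
    Node("psn1.example.test", "10.0.0.20", True, False,
         NOW + timedelta(days=200), [NOW + timedelta(days=10)]),
]

if __name__ == "__main__":
    report, may_stage = run_prechecks(NODES, FORWARD, REVERSE, NOW)
    for host, checks in report.items():
        print(host, *(f"{name}={level}" for name, (level, _) in checks.items()))
    print("Start Staging allowed" if may_stage else "Fix the FAIL items before staging")
```

In the sample, the PSN's stale reverse record is the one red item, so staging is refused until the PTR record is corrected; its trust store certificate and unsynchronised clock only produce orange warnings.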
You can see the estimated time taken for the staging and upgrade process. This is calculated based on the following:
• Network speed
Note All the prechecks, except the Bundle Download and Configuration Data Upgrade check will expire automatically
after four hours of initiating the system validation.
Step 8 Click Start Staging to start the staging process, after the prechecks are completed for all the nodes.
During upgrade staging, the upgraded database file is copied to all the nodes in the deployment and the configuration
files are backed up on all nodes in the deployment.
Figure 3: Upgrade Window Showing Upgrade Staging
If the upgrade staging on a node is successful, it is displayed in green. If the upgrade staging failed for a particular node,
it is displayed in red. You will also be provided with the troubleshooting suggestions in the box below.
Click the Refresh Failed Nodes icon to re-initiate the upgrade staging for the failed nodes.
Note Clicking the Exit Wizard option in this window will not allow you to view the Summary window later.
Step 12 Click Next in the Upgrade Nodes window to check whether all the nodes are upgraded successfully.
If there are any failed nodes, a popup window with information about the failed nodes will be displayed.
Step 13 Click Ok in the popup window to de-register the failed nodes from the deployment.
After the upgrade process is completed, you can view and download the diagnostic upgrade reports for your deployment
in the Summary window. You can verify and download the upgrade summary reports with relevant details for Checklist,
Prepare to Upgrade, Upgrade Report, and System Health checklist items.
Step 1 In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Upgrade.
Step 2 In the Upgrade Selection window, click Split Upgrade and then click Start Upgrade.
The Overview tab lists all the nodes in your deployment, the personas that are enabled on them, the version of Cisco ISE
installed, and the node status (indicates whether a node is active or inactive). You can begin upgrade only if the nodes
are in the Active state.
Step 4 Check the I have reviewed the checklist check box and then click Continue.
The Download Bundle to Nodes window is displayed.
Step 5 Download the upgrade bundle from the repository to the nodes:
a) Check the check box next to the nodes to which you want to download the upgrade bundle.
b) Click Download.
The Select Repository and Bundle window appears.
c) Choose the repository.
You can select the same repository or different repositories on different nodes, but you must select the same upgrade
bundle on all the nodes.
d) Check the check box next to the bundle that you want to use for the upgrade.
e) Click Confirm.
Once the bundle is downloaded to the node, the node status changes to Ready for Upgrade.
d) Select the Secondary Monitoring Node and move it to the new deployment.
e) Finally, select the Primary Administration Node and move it to the new deployment.
Step 8 Check the Continue with upgrade on failure check box if you want to continue with the upgrade even if the upgrade fails
on any of the Policy Service Nodes in the upgrade sequence.
This option is not applicable for the Secondary Administration Node and the Primary Monitoring Node. If any one of these
nodes fail, the upgrade process is rolled back. If any of the Policy Service Nodes fail, the Secondary Monitoring Node
and the Primary Administration Node are not upgraded and remain in the old deployment.
The upgrade progress is displayed for each node. On successful completion, the node status changes to Upgrade Complete.
Note When you upgrade a node from the Admin portal, if the status does not change for a long time (and remains at
80%), you can check the upgrade logs from the CLI or the status of the upgrade from the console. Log in to the
CLI or view the console of the Cisco ISE node to view the progress of upgrade.
You can view the following upgrade logs from the CLI using the show logging application command:
• DB Data Upgrade Log
• DB Schema Log
• Post OS Upgrade Log
If you get the following warning message, click the Details link in the Upgrade window:
The node has been reverted back to its pre-upgrade state.
Address the issues that are listed in the Upgrade Failure Details window. After you fix all the issues, click Upgrade to
reinitiate the upgrade.
Note If the posture data update process is running on the Primary Administration Node in the new deployment, you
cannot register a node to the Primary Administration Node. You can either wait till the posture update process
is over (which might take approximately 20 minutes) or disable the posture auto-update feature from the Updates
window while upgrading or registering a node to the new deployment. The navigation path for this window is
Administration > System > Settings > Posture > Updates.
Step 1 Create a repository on the local disk. For example, you can create a repository called "upgrade."
Example:
ise/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ise/admin(config)# repository upgrade
ise/admin(config-Repository)# url disk:
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated
to other ISE nodes.
If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ise/admin(config-Repository)# exit
ise/admin(config)# exit
Step 2 From the Cisco ISE command line interface (CLI), enter application upgrade prepare command.
This command copies the upgrade bundle to the local repository "upgrade" that you created in the previous step and lists
the MD5 and SHA256 checksum.
Step 3 From the Cisco ISE CLI, enter the application upgrade proceed command.
Note After beginning the upgrade, you can view the progress of the upgrade by logging in via SSH and using the
show application status ise command. The following message appears: % NOTICE: Identity Services Engine
upgrade is in progress...
What to do next
Verify the Upgrade Process, on page 41
• If the Monitoring persona is enabled only on one of the nodes, ensure that you enable the Monitoring
persona on the other node before you proceed.
Step 3 Promote node A to be the primary node in the new deployment.
After the upgrade is complete, if the nodes contain old Monitoring logs, ensure that you run the application configure ise
command and choose 5 (Refresh Database Statistics) on the nodes.
What to do next
Verify the Upgrade Process, on page 41
Note Do not manually deregister the node before an upgrade. Use the application upgrade prepare and proceed
commands to upgrade to the new release. The upgrade process deregisters the node automatically and moves
it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the
license file for the Primary Administration Node before beginning the upgrade process. If you do not have the
file on hand (for example, if your license was installed by a Cisco partner vendor), contact the Cisco Technical
Assistance Center for assistance.
Step 2 Upgrade one of your Monitoring nodes (MnT1 and MnT2) to the new deployment.
We recommend that you upgrade your Primary Monitoring Node before the Secondary Monitoring Node (this is not
possible if your Primary Administration Node in the old deployment functions as your Primary Monitoring Node as well).
Your primary Monitoring node starts to collect the logs from the new deployment and you can view the details from the
Primary Administration Node dashboard.
If you have only one Monitoring node in your old deployment, before you upgrade it, ensure that you enable the Monitoring
persona on PAN, which is the Primary Administration Node in the old deployment. Node persona changes result in a Cisco
ISE application restart. Wait for PAN to come up before you proceed. Upgrading the Monitoring node to the new deployment
takes longer than the other nodes because operational data has to be moved to the new deployment.
If node B, the Primary Administration Node in the new deployment, did not have the Monitoring persona enabled in the
old deployment, disable the Monitoring persona on it. Node persona changes result in a Cisco ISE application restart.
Wait for the Primary Administration Node to come up before you proceed.
Step 3 Upgrade the Policy Service Nodes (PSNs) next. You can upgrade several PSNs in parallel, but if you upgrade all the PSNs
concurrently, your network will experience a downtime.
If your PSN is part of a node group cluster, you must deregister the PSN from the PAN, upgrade it as a standalone node,
and register it with the PAN in the new deployment.
After the upgrade, the PSNs are registered with the primary node of the new deployment, and the data from the
primary node is replicated to all the PSNs. The PSNs retain their personas, node group information, and profiling probe
configurations.
Step 4 (If you have an IPN node in your deployment) Deregister the IPN node from the Primary Administration Node.
Cisco ISE, Release 2.0 and later, does not support IPN nodes.
Step 5 If you have a second Monitoring node in your old deployment, you must do the following:
a) Enable the Monitoring persona on PAN, which is the primary node in your old deployment.
A deployment requires at least one Monitoring node. Before you upgrade the second Monitoring node from the old
deployment, enable this persona on the primary node itself. Node persona changes result in a Cisco ISE application
restart. Wait for the primary ISE node to come up again.
b) Upgrade the Secondary Monitoring Node from the old deployment to the new deployment.
Except for the Primary Administration Node, you must have upgraded all the other nodes to the new deployment.
What to do next
Verify the Upgrade Process, on page 41
Perform any of the following options in order to verify whether the upgrade was successful.
• Check the ade.log file for the upgrade process. To display the ade.log file, enter the following command from the
Cisco ISE CLI: show logging system ade/ADE.log
• Enter the show version command to verify the build version.
• Enter the show application status ise command to verify that all the services are running.
back, along with an upgrade failure message. In such scenarios, you should manually reimage your system,
install Cisco ISE, and restore the configuration data and monitoring data (if the Monitoring persona is enabled).
Before you attempt a rollback or recovery, generate a support bundle by using the backup-logs command,
and place the support bundle in a remote repository.
For more information, see the "install Patch" section in the "Cisco ISE CLI Commands in EXEC Mode" chapter
in Cisco Identity Services Engine CLI Reference Guide.
You can install the required patch version directly. For example, if you are currently using Cisco ISE 2.x and
would like to install Cisco ISE 2.x patch 5, you can directly install Cisco ISE 2.x patch 5, without installing the
previous patches (in this example, Cisco ISE 2.x patches 1 – 4). To view the patch version in the CLI, use the
following CLI command:
show version
Related Topics
Software Patch Installation Guidelines, on page 44
Software Patch Rollback Guidelines, on page 45
Install a Software Patch, on page 44
Step 1 In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management
> Install.
Step 2 Click Browse and choose the patch that you downloaded from Cisco.com.
Step 3 Click Install to install the patch.
After the patch is installed on the PAN, Cisco ISE logs you out and you have to wait for a few minutes before you can log
in again.
Note When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch
Management page.
Step 4 Choose Administration > System > Maintenance > Patch Management to return to the Patch Installation page.
Step 5 In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management
to return to the Patch Installation page.
Step 6 Click the radio button next to the patch that you have installed on any secondary node and click Show Node Status to
verify whether installation is complete.
What to do next
If you need to install the patch on one or more secondary nodes, ensure that the nodes are up and repeat the
process to install the patch on the remaining nodes.
Step 1 In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management.
Step 2 Click the radio button for the patch version whose changes you want to roll back and click Rollback.
Note When a patch rollback is in progress, Show Node Status is the only function that is accessible on the Patch
Management page.
After the patch is rolled back from the PAN, Cisco ISE logs you out and you have to wait a few minutes before
you can log in again.
Step 3 After you log in, click the Alarms link at the bottom of the page to view the status of the rollback operation.
Step 4 To view the progress of the patch rollback, choose the patch in the Patch Management page and click Show Node Status.
Step 5 Click the radio button for the patch and click Show Node Status on a secondary node to ensure that the patch is rolled
back from all the nodes in your deployment.
If the patch is not rolled back from any of the secondary nodes, ensure that the node is up and repeat the process to roll
back the changes from the remaining nodes. Cisco ISE only rolls back the patch from the nodes that still have this version
of the patch installed.
While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from
the PAN GUI. The secondary nodes will be restarted after the rollback.
Step 1 In the Cisco ISE GUI, click the Menu icon and choose Operations > Reports > Audit > Operations Audit. By default,
records for the last seven days are displayed.
Step 2 Click the Filter drop-down, choose Quick Filter or Advanced Filter, and use the required keyword, for example, patch
install initiated, to generate a report containing the installed patches.
For more information on the new Cisco ISE license types, refer to the Cisco ISE Administration Guide, Release
3.0.
Browser Setup
After the upgrade, clear the browser cache, close the browser, and open a new browser session before you
access the Cisco ISE Admin portal. Also verify that you are using a supported browser; supported browsers are listed in the
release notes: https://www.cisco.com/c/en/us/support/security/identity-services-engine/
products-release-notes-list.html
• Comment—Describe what you are changing, for example: Changing the default behavior to SAM
and CN.
Restore Certificates
Restore Certificates on the PAN
When you upgrade a distributed deployment, the Primary Administration Node's root CA certificates are not
added to the Trusted Certificates store if both of the following conditions are met:
• Secondary Administration Node is promoted to be the Primary Administration Node in the new deployment.
• Session services are disabled on the Secondary Administration Node.
If the certificates are not in the store, you may see authentication failures with the following errors:
• Unknown CA in the chain during a BYOD flow
You can see these messages when you click the More Details link from the Live Logs page for failed
authentications.
To restore the Primary Administration Node's root CA certificates, generate a new Cisco ISE Root CA certificate
chain. In the Cisco ISE GUI, click the Menu icon and choose Administration > Certificates > Certificate
Signing Requests > Replace ISE Root CA certificate chain.
Restore Certificates and Keys to Secondary Administration Node
If you are using a secondary Administration node, obtain a backup of the Cisco ISE CA certificates and keys
from the Primary Administration Node, and restore it on the Secondary Administration Node. This allows the
Secondary Administration Node to function as the root CA or subordinate CA of an external PKI if the primary
PAN fails, and you promote the Secondary Administration Node to be the Primary Administration Node.
For more information about backing up and restoring certificates and keys, see:
Backup and Restore of Cisco ISE CA Certificates and Keys
In addition, you must regenerate the root CA chain in case of the following events:
• Changing the domain name or hostname of your PAN or PSN.
• Restoring a backup on a new deployment.
• Promoting the old Primary PAN to new Primary PAN post upgrade.
To regenerate the root CA chain, choose Administration > System > Certificates > Certificate Management
> Certificate Signing Request. Click Generate Certificate Signing Request (CSR). Choose ISE Root CA in the
Certificate(s) will be used for drop-down list. Click Replace ISE root CA Certificate Chain.
After the upgrade process, you might encounter the following events:
1. No data in Live Logs
2. Queue Link Error
3. Health Status Unavailable
4. No data available in the System Summary for some nodes.
You need to reset the MnT Database and replace the ISE Root CA certificate chain to resolve the queue link
error and reinstate the information.
Threat-Centric NAC
If you have enabled the Threat-Centric NAC (TC-NAC) service, after you upgrade, the TC-NAC adapters might
not be functional. You must restart the adapters from the Threat-Centric NAC pages of the ISE GUI. Select the
adapter and click Restart to start the adapter again.
Step 1 In the Cisco ISE GUI, click the Menu icon and choose Administration > FeedService > Profiler. Ensure that the profiler
feed service is enabled.
Step 2 Click Update Now.
Client Provisioning
Check the native supplicant profile that is used in the client provisioning policy and ensure that the wireless
SSID is correct. For iOS devices, if the network that you are trying to connect is hidden, check the Enable if
target network is hidden check box in the iOS Settings area.
Update client provisioning resources on ISE:
Online Updates
Step 1 In the Cisco ISE GUI, click the Menu icon and choose Policy > Policy Elements > Results > Client Provisioning >
Resources to configure the client provisioning resources.
Step 2 Click Add.
Step 3 Choose Agent Resources From Cisco Site.
Step 4 In the Download Remote Resources window, select the Cisco Temporal Agent resource.
Step 5 Click Save and verify that the downloaded resource appears in the Resources page.
Offline Updates
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources to configure the client provisioning resources.
Step 2 In the Cisco ISE GUI, click the Menu icon and choose Policy > Policy Elements > Results > Client Provisioning >
Resources to configure the client provisioning resources.
Step 3 Click Add.
Step 4 Choose Agent Resources from Local Disk.
Step 5 From the Category drop-down, choose Cisco Provided Packages.
Cipher Suites
If you have legacy devices, such as old IP phones, that use these deprecated ciphers to authenticate against
Cisco ISE, authentication fails because these devices use legacy ciphers. To allow Cisco ISE to authenticate
legacy devices after upgrading, update the Allowed Protocols configuration as follows:
Step 1 In the Cisco ISE GUI, click the Menu icon and choose Policy > Policy Elements > Results > Authentication > Allowed
Protocols.
Step 2 Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.
Step 3 Click Submit.
Related Topics
Release Notes for Cisco Identity Services Engine
Cisco Identity Services Engine Network Component Compatibility