Upgrading Cisco ISE
You can upgrade Cisco ISE from any previous release to the next release. The previous release might have patches installed on it or it can be any maintenance release.
If you are upgrading from any one of the Cisco ISE 1.0.x releases, you must follow the instructions listed in the "Obtaining a Valid License" section.
If you are currently running Cisco ISE, Release 1.0.4, then you must apply Cisco ISE 1.0.4 patch 5 before you upgrade to Cisco ISE, Release 1.1.x. Cisco ISE 1.0.4 patch 5 can be applied directly on Cisco ISE, Release 1.0.4 or any previously patched version thereof. Applying this patch ensures that your secondary Cisco Administration ISE node's license is not lost during the upgrade process.
If you are currently running Cisco ISE, Release 1.1, then you must apply Cisco ISE 1.1 patch 3 before you upgrade to Cisco ISE, Release 1.1.x. Cisco ISE 1.1 patch 3 can be applied directly on Cisco ISE, Release 1.1 or any previously patched version thereof. Applying this patch ensures that your secondary Cisco Administration ISE node's license is not lost during the upgrade process.
This chapter contains the following sections:
•Before You Begin
•Performing an Application Upgrade from the CLI
•Validating the Upgrade Process
•Known Upgrade Issues
Note When you upgrade to Cisco ISE, Release 1.1.x, you may be required to open some network ports you may not have been using in previous releases of Cisco ISE. Ensure you consult the table of required ports to open in Cisco ISE in the "Cisco ISE 3300 Series Appliance Ports Reference" appendix of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.
Before You Begin
Before you upgrade your deployment, you must do the following:
•If you are upgrading from Release 1.0, follow the instructions listed in "Obtaining a Valid License" section.
•If you are running Cisco ISE, Release 1.1, then you must apply ISE 1.1 patch 3 before you can upgrade to Cisco ISE, Release 1.1.x. Applying this patch ensures that your secondary Cisco Administration ISE node's license is not lost during the upgrade process.
•If you are performing a split deployment upgrade and you have a secondary Cisco ISE Administration node in your deployment, you must have a valid license for the secondary Cisco ISE Administration node (ISE Node B) based on its UDI.
If your secondary Admin node has been operational for more than 90 days, its license will be lost after it has been deregistered. In this case, you must obtain a valid license for the secondary Cisco ISE Administration node (ISE Node B) based on its UDI: Serial Number, Version ID, and Product ID. See Obtaining a Valid License for more information.
You cannot preinstall or install a license on the secondary Cisco ISE Administration node at runtime. You can install the license only after the node has been promoted to become the primary Cisco ISE Administration node. All licenses are applied on the primary Administration ISE node only.
•Obtain a backup of Cisco ISE configuration data and Cisco ADE operating system data. See Performing an On-Demand Backup for more information.
This section contains the following topics:
•Performing an On-Demand Backup
–Backup from the Cisco ISE UI
–Backup from the Cisco ISE CLI
Obtaining a Valid License
You can request a license from the Cisco Global Licensing Organization (GLO). GLO is staffed 24x7x365 and you can contact them when you are unable to perform the licensing activity online at:
If you have issues in obtaining the license, you can open a case with GLO in any one of the following three ways:
•The online portal at http://cisco.com/tac/caseopen. After you select the technology and subtechnology, ensure that you select Licensing from the Type of Problem list box. This option is the preferred and most efficient method for you to open severity 3 service requests.
•Call 800-553-2447 (in the US and Canada). Use the following link for global numbers:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html. This option should be used for urgent situations such as a network downtime or severe degradation to reach someone quickly.
•E-mail GLO at firstname.lastname@example.org. You must include the UDI of the secondary Admin node in the case to request a new license. You can obtain the UDI by entering the following command:
psn1/admin# show udi
You must also include the sales order number and if available, the PAK number of the original license.
Performing an On-Demand Backup
You can perform an on-demand backup of the Cisco ISE configuration data and Cisco ADE operating system data. You can do the backup in the following two ways:
•Backup from the Cisco ISE UI
•Backup from the Cisco ISE CLI
Backup from the Cisco ISE UI
Cisco ISE user interface (UI) provides an option to obtain an on-demand backup of the primary administration node. You can obtain a backup of the Cisco ISE application-specific configuration data, or application and Cisco ADE operating system data.
1. Before you perform this task, you should have a basic understanding of the Backup and Restore operations in Cisco ISE.
2. Ensure that you have configured repositories. See the "Configuring Repositories" section in the Cisco Identity Services Engine User Guide, Release 1.1.x, for more information.
3. Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or System Admin. See "Cisco ISE Admin Group Roles and Responsibilities" section in the Cisco Identity Services Engine User Guide, Release 1.1.x, for more information on the various administrative roles and the privileges associated with each of them.
Note For backup and restore operations, you cannot choose the CDROM, HTTP, or HTTPS options because these are read-only repositories.
To perform an on-demand backup, complete the following steps:
Step 1 Choose Administration > System > Maintenance.
Step 2 From the Operations navigation pane on the left, choose Data Management > Administration Node > Full Backup On Demand.
The Backup On Demand page appears.
Step 3 Enter the name of your backup file.
Step 4 Select the repository where your backup file should be saved.
You cannot enter a repository name here. You can only choose an available repository from the drop-down list. Ensure that you create the repository before you run a backup.
Step 5 Check the Application-Only Backup, Excludes OS System Data check box to obtain a Cisco ISE application data backup. Uncheck this check box if you want the Cisco ADE operating system data as well.
Step 6 Enter the Encryption Key. This key is used to encrypt and decrypt the backup file.
Step 7 Click Backup Now to run your backup.
Note In a distributed deployment, do not change the role of a node or promote a node when the backup is running. Changing node roles will shut down all the processes and might cause some inconsistency in data if backup is running concurrently. Wait for the backup to complete before you make any node role changes.
Step 8 Your page is refreshed and the following message appears in the lower right corner of the page, if you are viewing the Backup On Demand page:
Backup is done successfully.
If you have moved to other pages in the Cisco ISE user interface, to check the status of your backup, you must go to the Backup History page. See the "Viewing Backup History" for more information.
Cisco ISE appends the backup filename with the timestamp and stores this file in the specified repository. Check if your backup file exists in the repository that you have specified.
Backup from the Cisco ISE CLI
To perform a backup from the Cisco ISE CLI (including the Cisco ISE and Cisco ADE OS data) and place the backup in a repository, use the backup command in the EXEC mode. To perform a backup of only the Cisco ISE application data without the Cisco ADE OS data, use the application command.
Note Before attempting to use this backup command in the EXEC mode, you must copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE server startup configuration. You can use this startup configuration when you restore or troubleshoot your Cisco ISE application from the backup and system logs. For more information of copying the running configuration to the startup configuration, see the "copy" command in the Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x.
backup backup-name repository repository-name application application-name encryption-key hash |plain encryption-key name
The below table provides the syntax description:
The command to perform a backup the Cisco ISE and Cisco ADE OS and place the backup in a repository.
Name of backup file. Supports up to 100 alphanumeric characters.
Location where the files should be backed up to. Supports up to 80 alphanumeric characters.
Application command (application-only backup, excludes the Cisco ADE OS system data).
Application name. Supports up to 255 alphanumeric characters.
Specifies user-defined encryption key to protect the backup.
Hashed encryption key for protection of backup. Specifies an encrypted (hashed) encryption key that follows. Supports up to 40 characters.
Plaintext encryption key for protection of backup. Specifies an unencrypted plaintext encryption key that follows. Supports up to 15 characters.
Specifies encryption key in hash | plain format for backup.
This command performs a backup of the Cisco ISE and Cisco ADE OS data and places the backup in a repository with an encrypted (hashed) or unencrypted plaintext password.
You can encrypt and decrypt the backups by using user-defined encryption keys.
ise/admin# backup mybackup repository myrepository encryption-key plain Lab12345
% Creating backup with timestamped filename: backup-111125-1252.tar.gpg
ise/admin# backup mybackup repository myrepository application ise encryption-key plain
% Creating backup with timestamped filename: backup-111125-1235.tar.gpg
Performing an Application Upgrade from the CLI
The Cisco ISE provides the option of application upgrade from the Cisco ISE, Release 1.0.4 patch 5, or 1.1 patch 3 to the latest Cisco ISE Maintenance Release 1.1.x directly from the CLI. This option allows you to install the new Cisco ISE software on the appliance and simultaneously upgrade configuration and monitoring information databases.
To perform an application upgrade, from the Cisco ISE CLI, enter:
application upgrade application-bundle repository-name
•application-bundle is the name of the application bundle to upgrade the Cisco ISE application
•repository-name is the name of the repository
See the "Upgrading the Cisco ISE Standalone Node" section for more information on how the CLI transcript for a successful upgrade on a standalone node would look like.
Note If your repository is an SFTP location, the upgrade may take significantly longer time. For a secure upgrade, we recommend you to use HTTPS or CD/DVD as a repository.
Note Before proceeding, we recommend that you review all of the chapter in this document for information on how to perform an upgrade on different types of nodes.
You can use the application upgrade command from the CLI to upgrade the Cisco ISE from the previous version to the current version in the following cases:
•When upgrading the Cisco ISE on a standalone node that assumes Administration, Policy Service, and Monitoring personas. See Chapter 2 "Upgrading a Standalone Node."
•When upgrading the Cisco ISE on a two-node deployment. See Chapter 3 "Upgrading a Two-Admin Node Deployment."
•When upgrading the Cisco ISE on a distributed deployment. See Chapter 4 "Upgrading Distributed Deployment."
Note Perform an on-demand backup (manually) of the Primary administration node before upgrading the Cisco ISE. See Performing an On-Demand Backup.
Note We strongly recommend that you delay any deployment configuration changes such as changing node personas, system synchronization, node registration or deregistration (required for split deployment upgrade), and so on until all nodes in your deployment are completely upgraded. (One exception to this recommendation, however, involves steps that are required to recover from a failed upgrade, as described in Recovering from Upgrade Failures on a Standalone Node.)
Note When you upgrade or restore Cisco ISE Monitoring nodes from the older versions of Cisco ISE to Cisco ISE 1.1.x, the active sessions are not retained and are reset to "0".
Validating the Upgrade Process
To validate the upgrade process, do one of the following:
•Check the ade.log file for the upgrade process.
To view the ade.log file, issue the following command from the CLI:
show logging system
•Run the show version CLI command to verify the build version.
Known Upgrade Issues
This section covers the following upgrade issues:
•Upgrade from Cisco ISE 1.0.4 to 1.1.x with Inline Posture
•Upgrade from Cisco ISE Release 188.8.131.527
Upgrade from Cisco ISE 1.0.4 to 1.1.x with Inline Posture
In Cisco ISE, Release 1.1.x, the Inline Posture node uses certificate based authentication and cannot connect to the Administrative ISE node. Therefore you are required to disconnect the Inline Posture node from the deployment prior to starting the upgrade procedure, then reconfigure the Inline Posture node after the upgrade. To do so, follow the procedure outlined in this section.
Warning You must have the proper certificates in place for your Inline Posture deployment to mutually authenticate.
•If you are currently running Cisco ISE, Release 1.0.4, then you must apply Cisco ISE 1..0.4 patch 5 before you upgrade to Cisco ISE, Release 1.1.x. Cisco ISE 1.0.4 patch 5 can be applied directly on Cisco ISE, Release 1.0.4 or any previously patched version thereof. Applying this patch ensures that your secondary Cisco Administration ISE node's license is not lost during the upgrade process.
•Record all the configuration data for your Inline Posture node before you de-register the node. Alternatively, you can save screenshots of each of the Inline Posture tabs (in the Admin user interface) to record the data. Having this data on hand speeds up the process of re-registering the Inline Posture node to complete the following task.
To upgrade to Cisco ISE 1.1.x with Inline Posture, complete the following steps:
Step 1 From the Cisco Administration ISE node, de-register the Cisco Inline Posture node.
Note You can verify that the Inline Posture node has returned to ISE node status by going to the CLI and entering the following command: show application status ise If you discover that the node has not reverted to an ISE node, then you can enter the following at the command prompt: pep switch outof-pep However, it is recommended that you only do this as a last resort.
Step 2 Upgrade the Cisco Administration ISE node to 1.1.x, as described in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.
Step 3 Import CA root certificate, generate CSR, create certificates on the Administration ISE node.
Note Certificates must have extended key usage for both client authentication and server authentication. For an example of this type of extended key usage, see the Microsoft CA Computer template.
Step 4 Perform a fresh installation of ISE 1.1.x on the ISE node (that was the former Inline Posture node), as described in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.
Step 5 Import CA root certificate, generate CSR, create certificates on the ISE node (that was the former Inline Posture node), now in standalone mode.
Note Certificates must have extended key usage; client authentication and server authentication. For example, select the computer template from Microsoft CA.
Step 6 Register the newly upgraded ISE Node as an Inline Posture node.
Step 7 Reconfigure the Cisco Inline Posture node.
Upgrade from Cisco ISE Release 184.108.40.2067
There is a known issue regarding default "admin" administrator user interface access following upgrade from Cisco Identity Services Engine Release version 220.127.116.117. This issue can affect Cisco ISE customers who have not changed their default "admin" account password for administrator user interface login since first installing Cisco Identity Services Engine Release 18.104.22.1687.
Upon upgrading, administrators can be "locked out" of the Cisco ISE administrator user interface when logging in via the default "admin" account where the password has not yet been updated from the original default value.
To avoid this issue, Cisco recommends you do one or more of the following:
1. Verify they have changed password per the instructions in the "Managing Identities" chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x prior to upgrade.
2. Disable or modify the password lifetime setting in the Administration > System > Admin Access > Password Policy page of the administrator user interface prior to upgrade to ensure the upgraded policy behavior does not impact the default "admin" account.
3. Enable password lifetime setting reminders in the Administration > System > Admin Access > Password Policy page to alert admin users of imminent expiry. Administrators should change the password when notified.
Note Although the above conditions apply to all administrator accounts, the change in behavior from Cisco ISE version 22.214.171.1247 only impacts the default "admin" account.