Upgrade Cisco ISE

Cisco ISE Upgrade Overview

This document describes how to upgrade your Cisco Identity Services Engine (ISE) software on Cisco ISE appliances and virtual machines to Release 2.4. (See the section "What is New in Cisco ISE, Release 2.4" in Release Notes for Cisco Identity Services Engine, Release 2.4.)


Note

Cisco ISE, Release 2.3 and later offer a new and enhanced Policy Sets window that replaces all the existing network access policies and policy sets. When you upgrade from an earlier release to Release 2.3 or later, all the network access policy configurations (including authentication and authorization conditions, rules, policies, profiles, and exceptions) are migrated to the new Policy Sets window in the Cisco ISE GUI. For more information on the new policy model, see the "New Policy Model" section in Cisco Identity Services Engine Administrator Guide, Release 2.3.


Upgrading a Cisco ISE deployment is a multistep process and must be performed in the order that is specified in this document. Use the time estimates provided in this document to plan for an upgrade with minimum downtime. For a deployment with multiple Policy Service Nodes (PSNs) that are part of a PSN group, there is no downtime. If there are endpoints that are authenticated through a PSN that is being upgraded, the request is processed by another PSN in the node group. The endpoint is reauthenticated and granted network access after the authentication is successful.


Note

If you have a standalone deployment or a deployment with a single PSN, you might experience a downtime for all authentications when the PSN is being upgraded.


Different Types of Deployment

  • Standalone Node—A single Cisco ISE node assuming the Administration, Policy Service, and Monitoring persona.

  • Multi-Node Deployment—A distributed deployment with several ISE nodes. The procedure for upgrading a distributed deployment is described in the references listed below.

Upgrade Path

Single-step Upgrade

You can directly upgrade to Release 2.4, from any of the following releases:

  • Cisco ISE, Release 2.0

  • Cisco ISE, Release 2.0.1

  • Cisco ISE, Release 2.1

  • Cisco ISE, Release 2.2

  • Cisco ISE, Release 2.3

Two-step Upgrade

If you are on a version earlier than Cisco ISE, Release 2.0, you must first upgrade to one of the releases that are listed above and then upgrade to Release 2.4.

You can download the upgrade bundle from Cisco.com. The following upgrade bundle is available for Release 2.4:

ise-upgradebundle-2.x-to-2.4.0.xxx.SPA.x86_64.tar.gz: Use this bundle to upgrade from Release 2.0, 2.0.1, 2.1, 2.2, or 2.3 to 2.4.

Supported Operating System for Virtual Machines

Cisco ISE, Release 2.4 supports Red Hat Enterprise Linux (RHEL) 7.0.

If you are upgrading Cisco ISE nodes on VMware virtual machines, after upgrade is complete, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.

In general, Cisco ISE upgrades that also upgrade the underlying Red Hat Enterprise Linux (RHEL) OS to a later version take longer per ISE instance. Additionally, if the Oracle Database version used by ISE changes, the new Oracle package is installed during the OS upgrade, which adds further time. To plan the upgrade window accurately, you need to know whether the underlying OS is upgraded as part of the ISE upgrade.

The following table shows whether the underlying OS is upgraded when you upgrade Cisco ISE. In the table, Yes indicates that the underlying OS is upgraded during the ISE upgrade, and - indicates that it is not. ISE upgrades that include an OS upgrade can also be recognized by the larger size of the upgrade bundle in Cisco's Software Download Center for ISE.

Table 1. OS upgrade during Cisco ISE upgrade (Yes = underlying OS is upgraded; - = no OS upgrade)

Upgrading From | to ISE 1.3 | to ISE 1.4 | to ISE 2.0 | to ISE 2.0.1 | to ISE 2.1 | to ISE 2.2 | to ISE 2.3 | to ISE 2.4 | to ISE 2.6
ISE 1.3        | -          | No         | No         | Yes          | Yes        | -          | -          | -          | -
ISE 1.4        | -          | -          | No         | Yes          | Yes        | Yes        | Yes        | -          | -
ISE 2.0        | -          | -          | -          | -            | Yes        | Yes        | Yes        | Yes        | Yes
ISE 2.0.1      | -          | -          | -          | -            | Yes        | Yes        | Yes        | Yes        | Yes
ISE 2.0        | -          | -          | -          | -            | -          | No         | Yes        | Yes        | Yes
ISE 2.1        | -          | -          | -          | -            | -          | -          | -          | Yes        | Yes
ISE 2.2        | -          | -          | -          | -            | -          | -          | -          | Yes        | Yes
ISE 2.3        | -          | -          | -          | -            | -          | -          | -          | Yes        | Yes
ISE 2.4        | -          | -          | -          | -            | -          | -          | -          | Yes        | Yes

Licensing Changes

Device Administration Licenses

For Cisco ISE 2.3 and earlier versions, a perpetual Device Administration license is required per deployment, regardless of the number of device administration nodes in the deployment. From Cisco ISE, Release 2.4, the number of Device Administration licenses must be equal to the number of device administration nodes (PSNs configured for the device administration service) in a deployment.

If you are currently using a Device Administration license and plan to upgrade to Release 2.4 or above, TACACS+ features will be supported for 50 Device Administration nodes in Release 2.4 and above.

If you install a PAK generated from a new PID, the Device Administration license count that is displayed matches the quantity in the PAK file. You can add multiple Device Administration licenses to your deployment based on the number of Device Administration nodes that you require. The Evaluation license supports one Device Administration node.

Licenses for VM nodes

Cisco ISE is also sold as a virtual appliance. For Release 2.4 and above, it is recommended that you install appropriate VM licenses for the VM nodes in your deployment. You must install the VM licenses based on the number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, in Release 2.4 and above you receive warnings and notifications to procure and install the VM license keys; services are not interrupted, however.

VM licenses are offered under three categories—Small, Medium, and Large. For instance, if you are using a 3595-equivalent VM node with 8 cores and 64 GB of RAM, you might need a Medium category VM license to replicate the same capabilities on the VM. You need to install multiple VM licenses based on the number of VMs and their resources, as per your deployment requirements.

VM licenses are Infrastructure licenses, therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.

After installing or upgrading to Release 2.4 or above, if there is any mismatch between the number of deployed VM nodes and installed VM licenses, alarms are displayed in the Alarms dashlet every 14 days. Alarms are also displayed if there are any changes in a VM node's resources or whenever a VM node is registered or deregistered.

VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the notification dialog box.

If you have not purchased any ISE VM license before, refer to the ISE Ordering Guide to choose the appropriate VM license to be purchased. If you have purchased ISE VM licenses with no Product Authorization Key (PAK) associated, you can request VM PAKs by reaching out to licensing@cisco.com with Sales Order numbers that reflect the ISE VM purchase. This request will be processed to provide one medium VM license key for each ISE VM purchase you made in the past.

The following table shows the minimum VM resources by category:

VM Category | RAM Range | Number of CPUs
Small       | 16 GB     | 12 CPUs
Medium      | 64 GB     | 16 CPUs
Large       | 256 GB    | 16 CPUs

For more information about the licenses, see the "Cisco ISE Licenses" chapter in the Cisco Identity Services Engine Administrator Guide.