Post-upgrade settings and configurations

Perform these tasks after upgrading Cisco ISE.

Convert to new license types

Complete these steps to convert to new license types:

  • Convert your old licenses to the new license types through the Cisco Smart Software Manager (CSSM).

  • Enable the new licenses in your Cisco ISE administrator portal.

For more information on the Cisco ISE license types, see the Cisco ISE Administration Guide.

Verify virtual machine settings

If you are upgrading Cisco ISE nodes on virtual machines, change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 8.4 (64-bit). To do this, first power down the VM. Change the Guest Operating System to the supported RHEL version. After making the change, power on the VM.

RHEL 7 and later support only the E1000 and VMXNET3 network adapters. If your VM uses another adapter type, change it to one of these before you upgrade.

Rejoin Active Directory

If you use Active Directory as your external identity source and lose connection, rejoin all Cisco ISE nodes to Active Directory. Run the external identity source workflows to verify that the connection is restored after you join the nodes.

  • If you log in to the Cisco ISE user interface with an Active Directory administrator account after the upgrade, the login fails because the Active Directory join is lost during the upgrade. Log in to Cisco ISE using your internal administrator account, then rejoin Active Directory.

  • If you use certificate-based authentication for administrative access and Active Directory is your identity source, you cannot access the login page after an upgrade, because the join to Active Directory is lost during the upgrade. To regain access, start Cisco ISE in safe mode by running this command from the Cisco ISE CLI:

    application start ise safe

    After Cisco ISE starts in safe mode, perform these tasks:
    1. Log in to the Cisco ISE user interface using the internal administrator account.

       Note: If you forgot your password or your administrator account is locked, see "Administrator Access to Cisco ISE" in the Cisco ISE Administrator Guide.

    2. Join Cisco ISE with Active Directory.

Certificate attributes used with Active Directory

Cisco ISE identifies users by the SAM attribute, the CN attribute, or both; by default, it uses the sAMAccountName attribute.

You can configure Cisco ISE to use SAM, CN, or both, depending on your environment. If both SAM and CN are used and the sAMAccountName attribute is not unique, Cisco ISE also compares the CN attribute value.
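As an added illustration that is not part of the Cisco documentation or of Cisco ISE itself, this Python model reproduces the matching rules described above for the three IdentityLookupField values over a constructed directory; the directory entries and the case-insensitive comparison are assumptions, and a result that is not exactly one account is reported as a failed lookup rather than guessed.

```python
# Added example, not Cisco ISE code: a model of how the IdentityLookupField value
# (SAM, CN or SAMCN) selects the Active Directory account a login name matches.
# The directory contents and the case-insensitive comparison are assumptions.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AdAccount:
    sam_account_name: str  # sAMAccountName
    cn: str                # CN (common name)
    dn: str                # distinguished name, used only to tell entries apart

# Constructed sample directory: two accounts share the sAMAccountName "jsmith"
# (for example, in two domains of one forest) but have different CNs.
DIRECTORY = [
    AdAccount("jsmith", "John Smith", "CN=John Smith,OU=Sales,DC=corp,DC=example"),
    AdAccount("jsmith", "Jane Smith", "CN=Jane Smith,OU=Eng,DC=corp,DC=example"),
    AdAccount("alee", "Alice Lee", "CN=Alice Lee,OU=Eng,DC=corp,DC=example"),
]

def lookup(identity: str, mode: str, directory: List[AdAccount] = DIRECTORY) -> List[AdAccount]:
    """Return every account that matches `identity` under the given mode:
    SAM compares sAMAccountName only (the default), CN compares CN only, and
    SAMCN compares sAMAccountName first and, if that does not yield exactly
    one account, compares CN as well."""
    ident = identity.lower()
    by_sam = [a for a in directory if a.sam_account_name.lower() == ident]
    by_cn = [a for a in directory if a.cn.lower() == ident]
    if mode == "SAM":
        return by_sam
    if mode == "CN":
        return by_cn
    if mode == "SAMCN":
        if len(by_sam) == 1:
            return by_sam
        # sAMAccountName absent or not unique: CN matches are considered too
        return by_sam + [a for a in by_cn if a not in by_sam]
    raise ValueError(f"unknown IdentityLookupField value: {mode}")

def resolve(identity: str, mode: str) -> Optional[str]:
    """DN of the single matching account, or None when no account or more
    than one matches (ambiguous), which the caller treats as a failed lookup."""
    matches = lookup(identity, mode)
    return matches[0].dn if len(matches) == 1 else None

if __name__ == "__main__":
    for ident, mode in [("alee", "SAM"), ("John Smith", "SAM"),
                        ("John Smith", "SAMCN"), ("jsmith", "SAMCN")]:
        print(f"{ident!r} with {mode}: {resolve(ident, mode)}")
```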

To configure attributes for Active Directory identity search:
  1. Choose Administration > Identity Management > External Identity Sources > Active Directory. In the Active Directory window, click Advanced Tools, and choose Advanced Tuning. Enter these details:
    • ISE Node: Choose the Cisco ISE node that is connecting to Active Directory.

    • Name: Enter the registry key that you are changing. To change the Active Directory search attributes, enter: REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField

    • Value: Enter the attributes that Cisco ISE uses to identify a user:

      • SAM: To use only SAM in the query (this option is the default).

      • CN: To use only CN in the query.

      • SAMCN: To use CN and SAM in the query.

    • Comment: Describe what you are changing, for example: Changing the default behavior to SAM and CN.

  2. Click Update Value to update the registry.

    When the pop-up window appears, read the message and accept the change. The AD connector service in Cisco ISE restarts automatically.

Reverse DNS lookup

Configure Reverse DNS lookup for all Cisco ISE nodes in your distributed deployment on every DNS server. If you do not configure reverse DNS lookup, deployment-related issues may occur after the upgrade.

Restore certificates

This section details how to restore certificates and keys on Cisco ISE Administration Nodes to prevent authentication failures that may occur during upgrades.

Restore certificates on the PAN

When you upgrade a distributed deployment, the Primary Administration Node's (PAN) root CA certificates are not added to the Trusted Certificates store if both of these conditions are met:

  • Secondary Administration Node is promoted to be the PAN in the new deployment.

  • Session services are disabled on the Secondary Administration Node.

If the certificates are not in the store, you may see authentication failures with these errors:

  • Unknown CA in the chain during a BYOD flow

  • OCSP unknown error during a BYOD flow

You can see these messages when you click the More Details link from the Live Logs page for failed authentications.

To restore the PAN's root CA certificates, generate a new Cisco ISE Root CA certificate chain. In the Cisco ISE GUI, click the Menu icon () and choose Administration > Certificates > Certificate Signing Requests > Replace ISE Root CA certificate chain.

Restore certificates and keys to secondary administration node

If you are using a secondary administration node, obtain a backup of the Cisco ISE CA certificates and keys from the PAN, and restore it on the Secondary Administration Node. This allows the Secondary Administration Node to function as the root CA or subordinate CA of an external PKI if the primary PAN fails, and you promote the Secondary Administration Node to be the PAN.

For more information, see the "Backup and Restoration of Cisco ISE CA Certificates and Keys" section in chapter "Basic Setup" in the Cisco Identity Services Engine Administrator Guide.

Regenerate the root CA chain

If your deployment matches specific upgrade scenarios, you must regenerate the root CA chain after the upgrade is complete. To regenerate the root CA chain, complete these steps:

  1. From the Cisco ISE main menu, choose Administration > System > Certificates > Certificate Management > Certificate Signing Request.

  2. Click Generate Certificate Signing Request (CSR).

  3. Choose ISE Root CA in the Certificate(s) will be used for drop-down list.

  4. Click Replace ISE root CA Certificate Chain.

Table 1. Root CA chain regeneration scenarios

| Upgrade scenario | Mode | Root CA chain regeneration |
|---|---|---|
| Full upgrade process | Deployment and Standalone | You do not need to regenerate the root CA if your deployment does not change during the upgrade. |
| Split upgrade process | Deployment and Standalone | The system automatically regenerates the root CA chain during the upgrade process. |
| Configuration database restoration process | Standalone | The system automatically regenerates the root CA chain during restoration. |
| Node promotion: promoting a secondary PAN to primary PAN after the split upgrade process | Deployment | Regenerate the root CA chain. |
| Change in the domain name or hostname of any Cisco ISE node | Standalone and Deployment | Regenerate the root CA chain. |

After the upgrade process, you might encounter these events:

  1. Data might not be available in live logs.

  2. You might see queue link errors.

  3. The system might show the health status as unavailable.

  4. System summary might not display data for some nodes.

To resolve queue link errors and restore system information, reset the MnT Database and replace the ISE Root CA certificate chain.

Threat-Centric NAC

If you enable the Threat-Centric NAC (TC-NAC) service, the TC-NAC adapters might not function after an upgrade. Restart the adapters from the Threat-Centric NAC pages of the Cisco ISE GUI. Select an adapter and click Restart.

SNMP Originating Policy Services Node setting

If you manually configure the Originating Policy Services Node value under SNMP settings, you lose the configuration during an upgrade. Reconfigure the SNMP settings to restore SNMP functionality.

Profiler feed service

After you upgrade, update the profiler feed service to ensure that the most up-to-date organizationally unique identifiers (OUIs) are installed.

From the Cisco ISE Admin portal:

Procedure

Step 1: In the Cisco ISE GUI, click the Menu icon () and choose Administration > FeedService > Profiler, and ensure that the profiler feed service is enabled.

Step 2: Click Update Now.

Client provisioning

Check the native supplicant profile used in the client provisioning policy. Ensure that the wireless SSID is correct. For iOS devices, if the network you are trying to connect to is hidden, check the Enable if target network is hidden check box in the iOS Settings area.

Update client provisioning resources on ISE:

Online updates

Procedure

Step 1: In the Cisco ISE GUI, click the Menu icon () and choose Policy > Policy Elements > Results > Client Provisioning > Resources to configure the client provisioning resources.

Step 2: Click Add.

Step 3: Choose Agent Resources From Cisco Site.

Step 4: In the Download Remote Resources window, select the Cisco Temporal Agent resource.

Step 5: Click Save and verify that the downloaded resource appears in the Resources page.

Offline updates

Procedure

Step 1: In the Cisco ISE GUI, click the Menu icon () and choose Policy > Policy Elements > Results > Client Provisioning > Resources to configure the client provisioning resources.

Step 2: Click Add to add a new resource.

Step 3: Choose Agent Resources from Local Disk.

Step 4: From the Category drop-down list, choose Cisco Provided Packages.

Cipher suites

If you have legacy devices, such as old IP phones, that use deprecated ciphers when authenticating against Cisco ISE, their authentication fails after the upgrade because those ciphers are not allowed. To allow Cisco ISE to authenticate these legacy devices after upgrading, update the Allowed Protocols configuration.

Procedure

Step 1: In the Cisco ISE GUI, click the Menu icon () and choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.

Step 2: Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.

Step 3: Click Submit.

Monitor and troubleshoot

Consider these steps to monitor and troubleshoot:

  • Reconfigure your email settings.

  • Update your favorite reports.

  • Change your data purge settings.

  • Check thresholds and filters for specific alarms you need.

    Note: By default, all alarms are enabled after an upgrade.

  • Customize reports based on your needs.

    Note: If you customized reports during the previous deployment, your changes will be replaced during the upgrade.

Restore the MnT backup that you created before the upgrade.

Refresh policies to TrustSec NADs

Run these commands, in this order, on the Cisco TrustSec-enabled Layer 3 interfaces in your system to download the policies again:

  1. no cts role-based enforcement

  2. cts role-based enforcement

Update Supplicant Provisioning Wizards

The Supplicant Provisioning Wizards (SPWs) are not updated when you upgrade to a new release or apply a patch. You must manually update the SPWs. Then, create new native supplicant profiles and new client provisioning policies that reference the new SPWs. You can find new SPWs on the Cisco ISE Download page. Visit the Cisco software download site for more information.

Profiler endpoint ownership synchronization or replication

During an upgrade, the JEDIS framework requires port 6379 to be open between all nodes in the deployment to allow two-way communication.