Cisco ISE upgrade overview

pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential disruptions, if any, to integrations.

This document describes how to upgrade your Cisco ISE software on Cisco ISE appliances and virtual machines (VMs) to Release 3.3. (See the section "What is new in Cisco ISE Release 3.3" in the Release Notes for Cisco Identity Services Engine, Release 3.3.)

Upgrading a Cisco ISE deployment involves multiple steps, which must be carried out in the order specified in this document. Use the time estimates in this document to plan an upgrade with minimum downtime. For a deployment with multiple Policy Service Nodes (PSNs) that are a part of a PSN group, there is no downtime. If endpoints are not authenticated through a PSN undergoing upgrade, the request is processed by another PSN in the node group. The endpoint is reauthenticated and granted network access after the authentication is successful.


Caution


If you have a standalone deployment or a deployment with a single PSN, you might experience downtime for all authentications while the PSN is being upgraded.



Note


When upgrading to Cisco ISE release 3.2 and later, Root CA regeneration happens automatically in the upgrade process. Thus, post-upgrade Root CA regeneration is not required.


Different types of deployment

Cisco ISE deployment options include two main types:

  • Standalone Node: A single Cisco ISE node takes on the roles of Administration, Policy Service, and Monitoring.

  • Multi Node Deployment: Multiple Cisco ISE nodes are involved in a distributed deployment, with each node designated for specific tasks.

Differences in native cloud deployments of Cisco ISE

Cisco ISE instances deployed natively on cloud platforms do not support the upgrade workflow. Only new installations are supported. You can back up and restore configuration data. Cloud platforms that allow native deployment of Cisco ISE include:

  1. Amazon Web Services (AWS)

  2. Microsoft Azure Cloud

  3. Oracle Cloud Infrastructure (OCI)

To upgrade the release on AWS from Cisco ISE release 3.2 to Cisco ISE release 3.3:

  1. Back up the configuration data from the Cisco ISE release 3.2 AWS instance.

  2. Reconfigure the AWS instance with Cisco ISE release 3.3.

  3. Restore configuration data on the newly created Cisco ISE release 3.3 instance.

Root CA chain regeneration

If any of these events occur, you must regenerate the root CA chain:

  • Change the domain name or hostname of your Primary Administration Node (PAN) or PSN.

  • Restore a backup on a new deployment.

  • Promote the old primary PAN to a new primary PAN after an upgrade.

Regeneration process

Follow these steps to regenerate the root CA chain:
  1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Management > Certificate Signing Request.

  2. Click Generate Certificate Signing Request (CSR).

  3. From the Certificate(s) will be used for drop-down list, choose ISE Root CA.

  4. Click Replace ISE root CA Certificate Chain.

Upgrade path

There are two ways to upgrade to Cisco ISE release 3.3:
  • Single-step upgrade

  • Two-step upgrade

Single-step upgrade

You can directly upgrade to Cisco ISE release 3.3 from these releases:

  • Cisco ISE release 3.0

  • Cisco ISE release 3.1

  • Cisco ISE release 3.2

Two-step upgrade

Use this procedure to perform a two-step upgrade.
  1. If you are currently using a version earlier than Cisco ISE release 3.0, you must first upgrade to Cisco ISE release 3.0, 3.1 or 3.2.

  2. After that, upgrade to Cisco ISE release 3.3.

Supported OS for VM

Cisco ISE runs on the Cisco Application Deployment Engine Operating System (ADE-OS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE release 3.3, ADE-OS is based on RHEL 8.4.

This table shows the RHEL versions used in different versions of Cisco ISE.

Table 1. RHEL versions for different Cisco ISE releases

Cisco ISE release        RHEL version
Cisco ISE release 3.1    RHEL 8.2
Cisco ISE release 3.2    RHEL 8.4
Cisco ISE release 3.3    RHEL 8.4


Note


RHEL 8.2 and later support these VMware ESXi versions:

  • VMware ESXi 6.7

  • VMware ESXi 6.7 U1

  • VMware ESXi 6.7 U2

  • VMware ESXi 6.7 U3

  • VMware ESXi 7.0

  • VMware ESXi 7.0 U1

  • VMware ESXi 7.0 U2

  • VMware ESXi 7.0 U3

In addition to those previously mentioned, RHEL 8.4 supports newer compatible VMware ESXi versions.


Cisco ISE release 3.3 is the last release to support VMware ESXi 6.7.

For Cisco ISE release 3.1 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later releases.

In the case of vTPM devices, you must upgrade to VMware ESXi 7.0.3 or later releases.

After upgrading Cisco ISE nodes on VMware VMs, turn off the VM to change the Guest OS to the supported RHEL version, then turn on the VM again.


Note


If you select Guest OS RHEL 8 and Firmware EFI, disable the Enable UEFI Secure Boot option in the VM Options tab of the Cisco ISE VM. This option is enabled by default for a Guest OS RHEL 8 VM.


Upgrading Cisco ISE with the RHEL OS may take longer than usual due to possible changes in the Oracle database version, which require installing a new Oracle package during the upgrade.
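The rules in "Differences in native cloud deployments of Cisco ISE", "Upgrade path" and "Supported OS for VM", together with the single-PSN caution, can be checked against a node inventory before the upgrade window. The script below is an added example, not Cisco tooling or part of the original guide; the inventory format, field names and function names are hypothetical, and it assumes that "7.0 U3" and "7.0.3" name the same VMware ESXi version.

```python
# Added example: ISE 3.3 pre-upgrade checks built from this page's rules (hypothetical inventory).
DIRECT = {(3, 0), (3, 1), (3, 2)}      # releases with a single-step path to 3.3
CLOUD = {"aws", "azure", "oci"}        # native cloud: upgrade workflow unsupported

def esxi_tuple(text):
    """'7.0 U3' or '7.0.3' -> (7, 0, 3). Assumes Update N is the third digit."""
    nums = [int(p) for p in text.upper().replace(" ", "").replace("U", ".").split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def check_node(node):
    """Return the list of findings for one node (a dict in a constructed format)."""
    out = []
    ver = tuple(int(x) for x in node["ise"].split(".")[:2])
    if node["platform"] in CLOUD:
        out.append("cloud: back up, deploy a new 3.3 instance, restore")
    elif ver < (3, 0):
        out.append("path: two-step, go to 3.0, 3.1 or 3.2 first")
    elif ver in DIRECT:
        out.append("path: single-step to 3.3")
    if node["platform"] == "vmware":
        esxi = esxi_tuple(node["esxi"])
        if esxi < (6, 7, 0):
            out.append("esxi: not in this page's supported list")
        elif esxi < (7, 0, 3):
            need = "required for vTPM" if node.get("vtpm") else "recommended"
            out.append(f"esxi: 7.0.3 or later {need}")
        if node.get("firmware") == "efi" and node.get("secure_boot"):
            out.append("vm: disable Enable UEFI Secure Boot")
    return out

def check_deployment(nodes):
    """Per-node findings plus the single-PSN downtime caution."""
    report = {n["name"]: check_node(n) for n in nodes}
    if sum("psn" in n["roles"] for n in nodes) == 1:
        report["deployment"] = ["downtime: single PSN, authentications may fail during its upgrade"]
    return report

# Constructed inventory, not taken from any real deployment.
INVENTORY = [
    {"name": "pan1", "ise": "3.1", "platform": "vmware", "esxi": "6.7 U3",
     "roles": ["pan", "mnt"], "firmware": "efi", "secure_boot": True},
    {"name": "psn1", "ise": "3.1", "platform": "vmware", "esxi": "7.0 U2",
     "roles": ["psn"], "vtpm": True, "firmware": "bios"},
    {"name": "psn-aws", "ise": "3.1", "platform": "aws", "roles": ["psn"]},
]

for name, findings in check_deployment(INVENTORY).items():
    print(name, findings)
```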

Licensing information

This section provides licensing information for Cisco ISE release 3.3.

For more information on activating licenses in the Cisco ISE GUI, see Licensing.

Virtual appliance licenses

Cisco ISE release 3.1 and later supports the Cisco ISE VM license. This license replaces the VM Small, VM Medium, and VM Large licenses from earlier releases. The new ISE VM license covers Cisco ISE VM nodes for both on-premises and cloud deployments.

For more information, see "Cisco ISE Licenses" in the chapter "Licensing" in the Cisco ISE Administrator Guide, Release 3.3.

Specific license reservation

Specific license reservation is a smart licensing method for managing licenses in situations where security requirements prevent a persistent connection between Cisco ISE and the Cisco Smart Software Manager (CSSM). Specific license reservation allows you to reserve licenses on a Cisco ISE node.

You can create a specific license reservation by defining the type and number of licenses you need to reserve. Then, activate the reservation on a Cisco ISE node. The Cisco ISE node, where you register and enable the reservation, tracks license usage and enforces license compliance.

For more information, see "Specific license reservation" in the chapter "Licensing" in the Cisco ISE Administrator Guide, Release 3.3.