Upgrade Cisco ISE

Cisco ISE upgrade overview


Note


Cisco ISE Release 3.5 and the corresponding guides are available in a phased rollout. Until the software becomes generally available, contact your Cisco account manager to request this release. Upon completion of the phased rollout, Cisco ISE Release 3.5 and the corresponding guides will be made generally available to all customers.


From Cisco Identity Services Engine (Cisco ISE) Release 3.1, all pxGrid connections must be based on pxGrid 2.0. pxGrid 1.0-based (XMPP-based) integrations will cease to work on Cisco ISE from Release 3.1 onwards.

pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential disruptions, if any, to integrations.

This document describes how to upgrade your Cisco ISE software on Cisco ISE appliances and virtual machines (VMs) to Release 3.5. (See the section "What is new in Cisco ISE Release 3.5" in the Release Notes for Cisco Identity Services Engine, Release 3.5.)

Upgrading a Cisco ISE deployment involves multiple steps and must be carried out in the order specified in this document. Use the time estimates in this document to plan an upgrade with minimum downtime. For a deployment with multiple Policy Service Nodes (PSNs) that are part of a PSN node group, there is no downtime. If an endpoint cannot be authenticated through a PSN that is being upgraded, the request is processed by another PSN in the node group. The endpoint is reauthenticated and granted network access after the authentication succeeds.


Caution


If you have a standalone deployment or a deployment with a single PSN, you might experience a downtime for all the authentications when the PSN is being upgraded.



Note


When upgrading to Cisco ISE Release 3.2 and later, Root CA regeneration happens automatically in the upgrade process. Thus, post-upgrade Root CA regeneration is not required.


Different types of deployment

Cisco ISE deployment options include two main types:

  • Standalone Node: A single Cisco ISE node takes on the roles of Administration, Policy Service, and Monitoring.

  • Multi-Node Deployment: Multiple Cisco ISE nodes are involved in a distributed deployment, with each node designated for specific tasks.

Differences in native cloud deployments of Cisco ISE

Cisco ISE instances deployed natively on cloud platforms do not support the upgrade workflow. Only new installations are supported. You can back up and restore configuration data. Cloud platforms that allow native deployment of Cisco ISE include:

  1. Amazon Web Services (AWS)

  2. Microsoft Azure Cloud

  3. Oracle Cloud Infrastructure (OCI)

To move a Cisco ISE deployment on AWS from Release 3.4 to Release 3.5:

  1. Back up the configuration data from the Cisco ISE release 3.4 AWS instance.

  2. Reconfigure the AWS instance with Cisco ISE Release 3.5.

  3. Restore configuration data on the newly created Cisco ISE Release 3.5 instance.

Regenerate the root CA chain

If any of these events occur, you must regenerate the root CA chain:

  • Change the domain name or hostname of your PAN or PSN.

  • Restore a backup on a new deployment.

  • Promote the old primary PAN to a new primary PAN after an upgrade.

To regenerate the root CA chain

To regenerate the root CA chain:

  1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Management > Certificate Signing Request.

  2. Click Generate Certificate Signing Request (CSR).

  3. From the Certificate(s) will be used for drop-down list, choose ISE Root CA.

  4. Click Replace ISE root CA Certificate Chain.

Upgrade path

Single-step upgrade

You can directly upgrade to Cisco ISE, release 3.5 from the following releases:

  • Cisco ISE, release 3.2

  • Cisco ISE, release 3.3

  • Cisco ISE, release 3.4

Two-step upgrade

If you are currently using a version earlier than Cisco ISE, release 3.2, you must first upgrade to one of the previously listed releases. After that, upgrade to release 3.4.

Supported operating system for virtual machines

Cisco ISE runs on the Cisco Application Deployment Engine Operating System (ADE-OS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE release 3.5, ADE-OS is based on RHEL 8.10.

Table 1 shows the RHEL versions used in different versions of Cisco ISE.

Table 1. RHEL releases

  Cisco ISE release    RHEL release
  -----------------    ------------
  Cisco ISE 1.3        RHEL 6.4
  Cisco ISE 1.4        RHEL 6.4
  Cisco ISE 2.0        RHEL 7.0
  Cisco ISE 2.1        RHEL 7.0
  Cisco ISE 2.2        RHEL 7.0
  Cisco ISE 2.3        RHEL 7.0
  Cisco ISE 2.4        RHEL 7.3
  Cisco ISE 2.6        RHEL 7.5
  Cisco ISE 2.7        RHEL 7.6
  Cisco ISE 3.0        RHEL 7.6
  Cisco ISE 3.1        RHEL 8.2
  Cisco ISE 3.2        RHEL 8.4
  Cisco ISE 3.3        RHEL 8.4
  Cisco ISE 3.4        RHEL 8.8
  Cisco ISE 3.5        RHEL 8.10


Note


RHEL 8.2 and above support these VMware ESXi versions:

  • VMware ESXi 6.7

  • VMware ESXi 6.7 U1

  • VMware ESXi 6.7 U2

  • VMware ESXi 6.7 U3

  • VMware ESXi 7.0

  • VMware ESXi 7.0 U1

  • VMware ESXi 7.0 U2

  • VMware ESXi 7.0 U3

In addition to the versions listed above, RHEL 8.4 also supports newer compatible VMware ESXi versions.


Cisco ISE release 3.3 is the last release to support VMware ESXi 6.7.

For Cisco ISE release 3.0 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later releases.

In the case of vTPM devices, you must upgrade to VMware ESXi 7.0.3 or later releases.

After upgrading Cisco ISE nodes on VMware virtual machines (VMs), turn off the VM to change the Guest operating system to the supported RHEL version, then turn on the VM again.


Note


If you have selected the RHEL 8 guest OS and EFI firmware, disable the Enable UEFI Secure Boot option in the VM Options tab for the Cisco ISE VM. This option is enabled by default for a VM with a RHEL 8 guest operating system.


Upgrading Cisco ISE with the RHEL operating system may take longer than usual due to possible changes in the Oracle database version, which require installing a new Oracle package during the upgrade.
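The upgrade-path rules (single-step from 3.2, 3.3 or 3.4, two-step from anything older), the pxGrid 1.0 cutoff at Release 3.1, and the VMware ESXi and guest OS requirements above are easy to get wrong when they are checked by hand across a large deployment. The following pre-upgrade planner is an added example, not Cisco code and not part of this guide; it only encodes the rules stated on this page (the ESXi "Update N" naming is mapped onto the third version digit, so 7.0 U3 is treated as 7.0.3, which is an assumption of the example) and produces an ordered list of steps plus the blockers and warnings an operator should resolve before starting. The version strings in the usage section at the bottom are constructed sample input.

```python
"""Pre-upgrade planner for moving a Cisco ISE VM to Release 3.5.

Added example, not Cisco's own code. It encodes only rules stated in
the upgrade guide: direct upgrade from 3.2/3.3/3.4 and two-step from
anything older, the pxGrid 1.0 cutoff at 3.1, ESXi 6.7 support ending
with ISE 3.3, ESXi 7.0.3 recommended (required with vTPM), and the
guest OS change to the matching RHEL release after the upgrade.
"""
import re
from dataclasses import dataclass, field

TARGET = (3, 5)
DIRECT_SOURCES = ((3, 2), (3, 3), (3, 4))   # single-step upgrade sources
PXGRID_2_ONLY_FROM = (3, 1)                 # pxGrid 1.0 (XMPP) stops working here
ESXI_67 = (6, 7)                            # supported only up to ISE 3.3
ESXI_RECOMMENDED = (7, 0, 3)                # recommended; required with vTPM
RHEL_FOR_ISE = {(3, 1): "8.2", (3, 2): "8.4", (3, 3): "8.4",
                (3, 4): "8.8", (3, 5): "8.10"}   # from Table 1 in the guide


def parse_ise_version(text):
    """'3.2' or 'Cisco ISE 3.2' -> (3, 2)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Cisco ISE version: {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def parse_esxi_version(text):
    """'6.7 U3' -> (6, 7, 3); '7.0.3' -> (7, 0, 3); '7.0' -> (7, 0, 0).

    Assumption of this example: VMware's 'Update N' suffix maps onto the
    third digit, so '7.0 U3' compares equal to '7.0.3'.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s*U(\d+))?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised ESXi version: {text!r}")
    patch = m.group(3) or m.group(4) or "0"
    return (int(m.group(1)), int(m.group(2)), int(patch))


@dataclass
class UpgradePlan:
    steps: list = field(default_factory=list)      # ordered upgrade hops
    warnings: list = field(default_factory=list)   # things to do or verify
    blockers: list = field(default_factory=list)   # must be fixed before starting

    @property
    def ok(self):
        return not self.blockers


def plan_upgrade(current_ise, esxi, vtpm=False, efi_firmware=False):
    """Build the upgrade plan for one VM node from its current state."""
    cur = parse_ise_version(current_ise)
    host = parse_esxi_version(esxi)
    plan = UpgradePlan()

    # Upgrade path: single-step or two-step, as stated in "Upgrade path".
    if cur >= TARGET:
        plan.blockers.append(f"Cisco ISE {cur[0]}.{cur[1]} is already at or beyond 3.5")
    elif cur in DIRECT_SOURCES:
        plan.steps.append("Upgrade directly to Cisco ISE 3.5")
    else:
        plan.steps.append("Upgrade to one of Cisco ISE 3.2, 3.3 or 3.4 "
                          "(check that release's own upgrade guide for its supported sources)")
        plan.steps.append("Upgrade to Cisco ISE 3.5")

    # pxGrid: crossing 3.1 breaks any remaining pxGrid 1.0 (XMPP) integrations.
    if cur < PXGRID_2_ONLY_FROM:
        plan.warnings.append("pxGrid 1.0 (XMPP) integrations stop working from Release 3.1; "
                             "move peers to pxGrid 2.0 first")

    # ESXi host checks from the "Supported operating system" notes.
    if host[:2] == ESXI_67:
        plan.blockers.append("ESXi 6.7 is supported only up to Cisco ISE 3.3; upgrade the host first")
    if host < ESXI_RECOMMENDED:
        if vtpm:
            plan.blockers.append("vTPM requires ESXi 7.0.3 or later")
        else:
            plan.warnings.append("ESXi 7.0.3 or later is recommended")

    # Post-upgrade VM settings: guest OS change and UEFI Secure Boot.
    plan.warnings.append(f"After the upgrade, power off the VM, set the guest OS to "
                         f"RHEL {RHEL_FOR_ISE[TARGET]}, then power it on")
    if efi_firmware:
        plan.warnings.append("With EFI firmware and a RHEL 8 guest OS, disable "
                             "'Enable UEFI Secure Boot' in the VM Options tab")
    return plan


if __name__ == "__main__":
    # Constructed sample node: ISE 3.0 on an ESXi 6.7 U3 host with vTPM.
    p = plan_upgrade("Cisco ISE 3.0", "6.7 U3", vtpm=True, efi_firmware=True)
    for label, items in (("STEPS", p.steps), ("BLOCKERS", p.blockers), ("WARNINGS", p.warnings)):
        print(label)
        for item in items:
            print("  -", item)
```

Run it once per node before scheduling the maintenance window; a plan with any blocker means the host or the intermediate release has to be dealt with before the ISE upgrade itself can start, while warnings are the post-upgrade VM changes and the pxGrid migration that should already be on the checklist.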

Licensing information

This section provides the licensing information for the Cisco ISE release 3.5.

For more information on activating licenses in the Cisco ISE GUI, see Licensing.

Virtual appliance licenses

Cisco ISE release 3.1 and later supports the ISE VM license. This license replaces the VM Small, VM Medium, and VM Large licenses from earlier releases. The new ISE VM license covers Cisco ISE VM nodes for both on-premises and cloud deployments.

For more information, see "Cisco ISE Licenses" in the chapter "Licensing" in the Cisco ISE Administrator Guide for your release.

Specific license reservation

Specific license reservation is a smart licensing method for managing licenses in situations where security requirements prevent a persistent connection between Cisco ISE and the Cisco Smart Software Manager (CSSM). Specific license reservation allows you to reserve licenses on a Cisco ISE node.

You can create a specific license reservation by defining the type and number of licenses you need to reserve. Then, activate the reservation on a Cisco ISE node. The Cisco ISE node, where you register and enable the reservation, tracks license usage and enforces license compliance.

For more information, see "Specific license reservation" in the chapter "Licensing" in the Cisco ISE Administrator Guide, release 3.5.

Communications, services, and additional information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.

Documentation feedback

To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.