Cisco ISE Upgrade Overview

From Cisco Identity Services Engine (Cisco ISE) Release 3.1, all pxGrid connections must be based on pxGrid 2.0. pxGrid 1.0-based (XMPP-based) integrations will cease to work on Cisco ISE from Release 3.1 onwards.

pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. Inventory every system that integrates with Cisco ISE through pxGrid before you upgrade, and plan to move those systems to pxGrid 2.0-compliant versions so that the integrations are not disrupted when pxGrid 1.0 stops working.

This document describes how to upgrade your Cisco ISE software on Cisco ISE appliances and virtual machines (VMs) to Release 3.1. (See the section "What is New in Cisco ISE, Release 3.1" in the Release Notes for Cisco Identity Services Engine, Release 3.1.)

Upgrading a Cisco ISE deployment is a multistep process and must be performed in the order specified in this document. Use the time estimates provided in this document to plan for an upgrade with minimum downtime. For a deployment with multiple Policy Service Nodes (PSNs) that are part of a node group, there is no downtime: if an endpoint is being authenticated through a PSN that is being upgraded, the request is processed by another PSN in the node group. The endpoint is reauthenticated and granted network access after the authentication succeeds.


Caution

If you have a standalone deployment or a deployment with a single PSN, you might experience a downtime for all the authentications when the PSN is being upgraded.



Note

When upgrading to Cisco ISE Release 3.2 and above, Root CA regeneration happens automatically in the upgrade flow. Thus, post-upgrade Root CA regeneration is not required.


Different Types of Deployment

  • Standalone Node: A single Cisco ISE node that assumes the Administration, Policy Service, and Monitoring personas.

  • Multi-Node Deployment: A distributed deployment with several ISE nodes.

Differences in Native Cloud Deployments of Cisco ISE

Cisco ISE upgrade workflow is not available in Cisco ISE on AWS. Only fresh installs are supported. However, you can carry out backup and restore of configuration data. When you restore the data in a Cisco ISE AWS instance, the data is upgraded to the Cisco ISE Release 3.1 version.

Regenerate the Root CA Chain

In case of the following events, you must regenerate the root CA chain:

  • Changing the domain name or hostname of your PAN or PSN.

  • Restoring a backup on a new deployment.

  • Promoting the old Primary PAN to new Primary PAN after upgrade.

To regenerate the root CA chain:
  1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Management > Certificate Signing Request.

  2. Click Generate Certificate Signing Request (CSR).

  3. From the Certificate(s) will be used for drop-down list, choose ISE Root CA.

  4. Click Replace ISE root CA Certificate Chain.

Upgrade Path

Single-Step Upgrade

You can directly upgrade to Cisco ISE, Release 3.1 from any of the following releases:

  • Cisco ISE, Release 2.6

  • Cisco ISE, Release 2.7

  • Cisco ISE, Release 3.0

  • Cisco ISE, Release 3.1

Two-Step Upgrade

If you are currently using a version earlier than Cisco ISE, Release 2.6, you must first upgrade to one of the releases that are listed above and then upgrade to Release 3.1.

Supported Operating System for Virtual Machines

Cisco ISE runs on the Cisco Application Deployment Engine Operating System (ADE-OS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE 3.1, ADE-OS is based on RHEL 8.2.

The following table shows the RHEL versions used in different versions of Cisco ISE.

Table 1. RHEL Releases

Cisco ISE Release    RHEL Release
Cisco ISE 1.3        RHEL 6.4
Cisco ISE 1.4        RHEL 6.4
Cisco ISE 2.0        RHEL 7.0
Cisco ISE 2.1        RHEL 7.0
Cisco ISE 2.2        RHEL 7.0
Cisco ISE 2.3        RHEL 7.0
Cisco ISE 2.4        RHEL 7.3
Cisco ISE 2.6        RHEL 7.5
Cisco ISE 2.7        RHEL 7.6
Cisco ISE 3.0        RHEL 7.6
Cisco ISE 3.1        RHEL 8.2
Cisco ISE 3.2        RHEL 8.4


Note

RHEL 8.2 and later support the following VMware ESXi versions:

  • VMware ESXi 6.5

  • VMware ESXi 6.5 U1

  • VMware ESXi 6.5 U2

  • VMware ESXi 6.5 U3

  • VMware ESXi 6.7

  • VMware ESXi 6.7 U1

  • VMware ESXi 6.7 U2

  • VMware ESXi 6.7 U3

  • VMware ESXi 7.0

  • VMware ESXi 7.0 U1

  • VMware ESXi 7.0 U2

  • VMware ESXi 7.0 U3

In addition to the versions listed above, RHEL 8.2 also supports newer compatible VMware ESXi versions.


If you are upgrading Cisco ISE nodes that run on VMware virtual machines (VMs), after the upgrade you must change the Guest operating system to the supported RHEL version. To do this, power down the VM, change the Guest operating system to the supported RHEL version, and power on the VM.


Note

If you have selected Guest OS RHEL 8 and Firmware EFI, ensure that the Enable UEFI Secure Boot option is disabled in the VM Options tab. This option is enabled by default for a RHEL 8 guest operating system VM, so you must disable it explicitly for the Cisco ISE VM. With Secure Boot disabled, the hypervisor no longer verifies the signatures of the VM's boot loader and kernel, so control who can modify the Cisco ISE VM's configuration and disks at the vSphere level.


Cisco ISE upgrades with RHEL operating system upgrade might take a longer time than the normal upgrade process. Additionally, if there are changes in the Oracle database version, it might take more time to upgrade because the new Oracle package is installed during the operating system upgrade.
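The upgrade path rules in "Upgrade Path" and the RHEL and VMware guest settings described in this section can be turned into a pre-upgrade readiness check. The script below is an added example, not Cisco's own code or tooling: it parses a `show version`-style CLI output (the embedded sample is constructed, not captured from a real node), decides whether the node reaches Release 3.1 in one step or needs an intermediate release, maps source and target releases to their ADE-OS RHEL base from Table 1, and flags the VMware guest settings that must change after the upgrade. The vSphere field names (`guestId`, `firmware`, `bootOptions.efiSecureBootEnabled`) and the guest identifier `rhel8_64Guest` are assumptions about the environment the check is run against.

```python
"""Pre-upgrade readiness check for a Cisco ISE 3.1 upgrade (added example)."""
import json
import re

TARGET = (3, 1)
# Releases that can be upgraded to 3.1 directly (Single-Step Upgrade section).
SINGLE_STEP_SOURCES = {(2, 6), (2, 7), (3, 0), (3, 1)}
# Table 1 on this page: ISE release -> RHEL base of ADE-OS.
RHEL_BASE = {
    (1, 3): "6.4", (1, 4): "6.4",
    (2, 0): "7.0", (2, 1): "7.0", (2, 2): "7.0", (2, 3): "7.0",
    (2, 4): "7.3", (2, 6): "7.5", (2, 7): "7.6",
    (3, 0): "7.6", (3, 1): "8.2", (3, 2): "8.4",
}

# Constructed sample of ISE `show version` output; not captured from a real node.
SAMPLE_SHOW_VERSION = """\
Cisco Application Deployment Engine OS Release: 2.7
ADE-OS Build Version: 2.7.0.356
ADE-OS System Architecture: x86_64

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 2.7.0.356
Build Date   : Fri Oct 25 00:13:36 2019
"""


def parse_ise_version(show_version: str) -> tuple:
    """Return (major, minor, maintenance, build) from the ISE application block.

    Anchors on the 'Cisco Identity Services Engine' heading so that the
    ADE-OS build line is not mistaken for the application version.
    """
    m = re.search(
        r"Cisco Identity Services Engine.*?^Version\s*:\s*(\d+)\.(\d+)\.(\d+)\.(\d+)",
        show_version, re.S | re.M)
    if not m:
        raise ValueError("no Cisco ISE version line found")
    return tuple(int(x) for x in m.groups())


def upgrade_path(current: tuple) -> dict:
    """Apply the single-step / two-step rules for a 3.1 target."""
    mm = current[:2]
    if mm in SINGLE_STEP_SOURCES:          # the page lists 3.1 itself as a valid source
        return {"single_step": True, "intermediates": [], "target": TARGET}
    if mm < (2, 6):
        # Two-step: reach any listed single-step source first. Which of them
        # your release can reach is defined by that release's own upgrade guide.
        return {"single_step": False,
                "intermediates": sorted(SINGLE_STEP_SOURCES - {TARGET}),
                "target": TARGET}
    raise ValueError(f"{mm[0]}.{mm[1]} is newer than the 3.1 target; not an upgrade")


def vm_guest_changes(guest_id: str, firmware: str, secure_boot: bool) -> list:
    """VMware settings to fix after the upgrade (Guest OS and UEFI Secure Boot notes).

    Arguments mirror vSphere's config.guestId, config.firmware and
    config.bootOptions.efiSecureBootEnabled (assumed field names).
    """
    changes = []
    rhel = RHEL_BASE[TARGET]
    wanted_guest = "rhel%s_64Guest" % rhel.split(".")[0]   # assumed: rhel8_64Guest
    if guest_id != wanted_guest:
        changes.append(f"power off; set Guest OS to RHEL {rhel} ({wanted_guest}); power on")
    if firmware.lower() == "efi" and secure_boot:
        changes.append("disable 'Enable UEFI Secure Boot' in VM Options")
    return changes


def plan(show_version: str, guest_id: str, firmware: str, secure_boot: bool) -> dict:
    """Full readiness report for one node."""
    current = parse_ise_version(show_version)
    current_rhel = RHEL_BASE.get(current[:2])
    return {
        "current": current,
        "current_rhel": current_rhel,
        "path": upgrade_path(current),
        "target_rhel": RHEL_BASE[TARGET],
        # A RHEL base change means the slower OS-upgrade flow described above.
        "os_upgrade": current_rhel != RHEL_BASE[TARGET],
        "vm_changes": vm_guest_changes(guest_id, firmware, secure_boot),
    }


if __name__ == "__main__":
    print(json.dumps(plan(SAMPLE_SHOW_VERSION, "rhel7_64Guest", "efi", True), indent=2))
```

Feed the function real `show version` output and the VM's vSphere settings for each node in the deployment; a node that reports `single_step: False` or a non-empty `vm_changes` list needs work before or after the 3.1 upgrade, and `os_upgrade: True` tells you to budget for the longer RHEL-upgrade window.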

Licensing Changes

This section highlights the licensing changes in Cisco ISE Release 3.1.

For information on activating licenses in the Cisco ISE GUI, see Licensing.

Virtual Appliance Licenses

Cisco ISE Release 3.1 and later supports the ISE VM license, which replaces the VM Small, VM Medium, and VM Large licenses that were supported in releases prior to Release 3.1. The new ISE VM license covers the Cisco ISE VM nodes in both on-premises and cloud deployments.

For more information, see "Cisco ISE Licenses" in the Chapter "Licensing" in the Cisco ISE Administrator Guide, Release 3.1.

Specific License Reservation

Specific License Reservation is a smart licensing method that helps you manage your smart licensing when your organization's security requirements do not allow a persistent connection between Cisco ISE and the Cisco Smart Software Manager (CSSM). Specific License Reservation allows you to reserve specific license entitlements on a Cisco ISE node.

You can create a Specific License Reservation by defining the type and number of licenses you need to reserve, and then activate the reservation on a Cisco ISE node. The Cisco ISE node on which you register and enable the reservation then tracks license usage and enforces license consumption compliance.

For more information, see "Specific License Reservation" in the Chapter "Licensing" in Cisco ISE Administrator Guide, Release 3.1.

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
