Ise Upgrade Guide Chapter 01

Upgrading Cisco ISE

Cisco Identity Services Engine (ISE) supports application upgrades only from the command-line interface (CLI). You can upgrade Cisco ISE from any previous release to the next release. A previous release can have patches installed on it, or it can be any maintenance release.

• Instructions for Upgrading to Cisco ISE, Release 1.2.1, page 1

• Important Notes To Read Before You Upgrade, page 2

• Obtain a Backup Before Upgrade to Prevent Any Data Loss, page 5

• Cisco ISE 1.2 Upgrade Process, page 9

• Cisco ISE 1.2 Supported Upgrade Paths, page 10

• Downloading the Upgrade Software, page 10

• Upgrade CLI Command, page 11

• Upgrade Methods for Different Types of Deployments, page 11

• Verifying the Upgrade Process, page 12

• Post-Upgrade Tasks, page 12

• Known Upgrade Issues, page 13

Instructions for Upgrading to Cisco ISE, Release 1.2.1

You can upgrade to Cisco ISE, Release 1.2.1 directly from any of the following releases:

• Cisco ISE, Release 1.1.0.665 with patch 5 or later

• Cisco ISE, Release 1.1.1.268 with patch 7 or later

• Cisco ISE, Release 1.1.2 with patch 10 or later

• Cisco ISE, Release 1.1.3 with patch 11 or later

• Cisco ISE, Release 1.1.4 with patch 11 or later

• Cisco ISE, Release 1.2.0.899 with patch 8 or later

    Cisco Identity Services Engine Upgrade Guide, Release 1.2 OL-27087-01 1

The process for upgrading to Release 1.2.1 is the same as upgrading to Release 1.2. The system reboots twice when you upgrade from Release 1.1.x to 1.2.1 because it involves a 32-bit to 64-bit system upgrade, but only once when you upgrade from Release 1.2.x to 1.2.1 because Release 1.2 is a 64-bit system.

The application upgrade command is enhanced and includes the cleanup, prepare, and proceed options. You can use:

• Cleanup: To clean a previously prepared upgrade bundle on a node locally. You can use this option if:

  - The application upgrade prepare command was interrupted for some reason

  - The application upgrade prepare command was run with an incorrect upgrade bundle

  - The upgrade failed for some reason

• Prepare: To download and extract an upgrade bundle locally. You can use this command followed by the application upgrade proceed command.

• Proceed: To upgrade Cisco ISE using the upgrade bundle you extracted with the prepare option. You can use this option after preparing an upgrade bundle instead of using the application upgrade ise-upgradebundle-1.2-to-1.2.1.xxx.i386.tar.gz remote-repository command.

  - If the upgrade is successful, this option removes the upgrade bundle.

  - If the upgrade fails for any reason, this option retains the upgrade bundle.

Important Notes To Read Before You Upgrade

• Ensure that you do not accidentally delete system default sponsor groups and sponsor group policies when you upgrade Cisco ISE, Release 1.0.4.573 to higher versions (for example, Cisco ISE, Release 1.1, 1.1.x, and 1.2) or restore from the Cisco ISE, Release 1.0.4.573 backup to higher versions. Upgrade fails if system default sponsor groups and sponsor group policies are missing in Cisco ISE.

• Ensure that you uncheck the "Disable user account after days if password was not changed (valid range 1 to 3650)" option here: Administration > Identity Management > Settings > User Password Policy page. Users are disabled if the password expires after the default setting (60 days) when you upgrade to Cisco ISE, Release 1.2 and restore the Cisco ISE, Release 1.1.x backup.

• You can upgrade only Administration, Policy Service, and Monitoring nodes. Upgrades are not supported for Inline Posture Nodes (IPNs). For IPNs, you must reimage your appliance and perform a fresh installation.

• We strongly recommend that you copy the upgrade bundle to a local repository on all the nodes. Having the upgrade bundle in the local repository significantly reduces the time it takes to download it from the network during the upgrade process.

  1 Create a local repository for disk:/ from the Cisco ISE UI.

  2 Copy the upgrade bundle to the local disk using the copy command from the Cisco ISE CLI:

    copy ftp-filepath ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk:/

  After you copy the upgrade bundle to the local disk, check that the size of the upgrade bundle on your local disk is the same as it is in the repository. Use the dir command to verify the size of the upgrade bundle on the local disk.


• Verify the MD5sum of the upgrade bundle. After you download the upgrade bundle to a repository such as FTP or SFTP, check and verify that the MD5sum is correct. You can use the md5sum command in Linux or the md5 command in Mac OS X.

• Ensure that you have read the VMware Virtual Machine Settings, on page 4 section if you are upgrading Cisco ISE on a virtual machine. These recommendations are useful when you choose to reimage some nodes, in case of replacing nodes with new VMs or appliances, and also if there are any secondary node upgrade failures where remediation is not possible.
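The two checks the notes above ask for, the MD5sum of the downloaded bundle and the size of the copy that lands on disk:/, as one small shell script. This is an added example, not code from the Cisco guide; the bundle file name and the expected digest in it are constructed placeholders, and it runs on an administrator's Linux or macOS workstation or on the repository host, not on the ISE CLI, which has no scripting shell.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): verify an ISE upgrade bundle before copying it
# to a repository, then confirm the copy is complete. The file names and the digest used in
# the demo at the bottom are constructed placeholders, not real bundle values.

# md5_of FILE: print the lowercase MD5 hex digest of FILE (md5sum on Linux, md5 on macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# size_of FILE: print the size of FILE in bytes (wc -c is portable across Linux and macOS).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_bundle FILE EXPECTED_MD5: 0 if the digest matches (case-insensitive), 1 otherwise.
verify_bundle() {
    actual=$(md5_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 md5=$actual"
        return 0
    fi
    echo "MISMATCH: $1 expected=$expected actual=$actual" >&2
    return 1
}

# same_size ORIGINAL COPY: 0 if both files have the same byte count (the guide's "dir" check
# after the copy to disk:/), 1 otherwise. A short copy means a truncated transfer.
same_size() {
    [ "$(size_of "$1")" = "$(size_of "$2")" ]
}

# Stand-alone demo on a constructed 6-byte file; no real bundle is needed.
demo_dir=$(mktemp -d)
echo hello > "$demo_dir/ise-upgradebundle-demo.tar.gz"
cp "$demo_dir/ise-upgradebundle-demo.tar.gz" "$demo_dir/copy-on-disk.tar.gz"
verify_bundle "$demo_dir/ise-upgradebundle-demo.tar.gz" b1946ac92492d2347c6235b4d2611184 || true
same_size "$demo_dir/ise-upgradebundle-demo.tar.gz" "$demo_dir/copy-on-disk.tar.gz" && echo "sizes match"
rm -rf "$demo_dir"
```

Take the expected digest from the Cisco.com download page over HTTPS rather than from the same FTP or SFTP repository that holds the bundle, so that a bundle altered in the repository cannot arrive together with a matching altered checksum. Running verify_bundle on the repository copy and same_size after the copy to disk:/ catches the truncated transfer that the guide's dir check is aimed at.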

Firewall Ports That Must Be Open for Communication

If you have a firewall deployed between your primary Administration node and any other node, the following ports must be open before you upgrade:

• TCP 1528: For communication between the primary Administration node and Monitoring nodes.

• TCP 443: For communication between the primary Administration node and all other secondary nodes.

• TCP 12001: For global cluster replication.

• TCP 7800 and 7802: (Applicable only if the Policy Service nodes are part of a node group) For PSN group clustering.

For a full list of ports that Cisco ISE uses, see the Cisco Identity Services Engine Hardware Installation Guide.
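A pre-upgrade reachability check for the ports listed above, written as an added shell example that is not part of the Cisco guide. It is meant to run from the primary Administration node's network position toward each other node before the change window. The mapping of ports to node personas (1528 only for Monitoring nodes, 7800 and 7802 only for Policy Service nodes in a node group, 443 and 12001 for every secondary node) is my reading of the list above, and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): check that the ports the guide lists are
# reachable from the primary Administration node to each other node before upgrading.
# The per-persona port mapping is an assumption drawn from the guide's list.

# required_ports PERSONA [NODE_GROUP]: print the TCP ports the PAN must reach on a node with
# PERSONA (monitoring | policy-service | admin). NODE_GROUP is "yes" when a Policy Service
# node belongs to a node group, which adds the 7800/7802 group clustering ports.
required_ports() {
    persona=$1
    node_group=${2:-no}
    ports="443 12001"      # every secondary node: PAN communication + global replication
    case "$persona" in
        monitoring)     ports="$ports 1528" ;;          # PAN <-> Monitoring node
        policy-service) if [ "$node_group" = yes ]; then ports="$ports 7800 7802"; fi ;;
        admin)          ;;                               # secondary PAN: 443 and 12001 only
        *) echo "unknown persona: $persona" >&2; return 1 ;;
    esac
    echo "$ports"
}

# port_open HOST PORT: 0 if a TCP connect succeeds, 1 if it fails, 2 if no probe tool exists.
# Uses bash's /dev/tcp (bounded by timeout(1) where present) and falls back to nc -z.
port_open() {
    ph=$1
    pp=$2
    if command -v bash >/dev/null 2>&1; then
        if command -v timeout >/dev/null 2>&1; then
            timeout 3 bash -c "exec 3<>/dev/tcp/$ph/$pp" 2>/dev/null
        else
            bash -c "exec 3<>/dev/tcp/$ph/$pp" 2>/dev/null
        fi
    elif command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$ph" "$pp" >/dev/null 2>&1
    else
        return 2
    fi
}

# check_node HOST PERSONA [NODE_GROUP]: probe every required port, print one line per port,
# and return the number of ports that could not be confirmed open.
check_node() {
    target=$1
    failed=0
    for p in $(required_ports "$2" "$3"); do
        port_open "$target" "$p"
        case $? in
            0) echo "OPEN    tcp/$p $target" ;;
            1) echo "CLOSED  tcp/$p $target"; failed=$((failed + 1)) ;;
            *) echo "UNKNOWN tcp/$p $target (neither bash nor nc available)"; failed=$((failed + 1)) ;;
        esac
    done
    return $failed
}

# Stand-alone demo: the port plan for a constructed deployment, then a probe of loopback
# (every port shows CLOSED unless an ISE node is actually listening on this host).
echo "mnt-1 (monitoring):                $(required_ports monitoring)"
echo "psn-1 (policy-service, node group): $(required_ports policy-service yes)"
echo "psn-2 (policy-service):            $(required_ports policy-service no)"
check_node 127.0.0.1 monitoring no || echo "$? port(s) not reachable on 127.0.0.1"
```

The probe only reports whether a TCP handshake completed. A CLOSED port can be a firewall rule or a service that is not yet listening on the target, so check show application status ise on that node before changing firewall rules.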

Other Preupgrade Considerations

Read the following information carefully, and record these configurations (back up, export, obtain screenshots) wherever possible before you begin an upgrade:

• Read the Data Restoration Guidelines from the Cisco Identity Services Engine User Guide, Release 1.2 before you restore data on your newly upgraded node.

• Perform a backup of Cisco ISE configuration data from the primary Administration node, which includes the Cisco Application Deployment Engine (ADE) configuration data.

• Perform a backup of the Cisco ISE operational data from the primary Monitoring node.

• Export the certificates, including the private key, from all the nodes in the deployment and save them in a local system. Ensure that the Common Name (CN) or SAN in the HTTPS and EAP certificates for each of your Cisco ISE nodes matches the Fully Qualified Domain Name of that node.

• Obtain a backup of the running configuration using the copy running-config destination command from the Cisco ISE CLI, where destination is a URL such as ftp, sftp, or disk:

• Ensure that you have the Active Directory credentials if you are using Active Directory as your external identity source. After an upgrade, you might lose Active Directory connections. If this happens, you must rejoin Cisco ISE with Active Directory.

• Export the default profiler policies to a file and import them after an upgrade if you have edited and customized the default profiler policies. The upgrade process overwrites the default profiler policies.

• Record the customization that you have done to the default language templates. After upgrade, you must edit the default language templates if you have customized them in the old deployment.


• Record the alarm, e-mail settings, report customization, favorite reports, monitoring data backup schedules, and data purge settings. You must reconfigure these settings after upgrade.

• Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again.

• Record the SNMP profiler probe settings. You must reconfigure the profiler SNMP polling from the primary Administration node after upgrade if you are using it for profiling.

• Disable the console timeout temporarily from the Cisco ISE CLI for remote upgrades. Use the following command from the Cisco ISE CLI: terminal session-timeout 0. After you disable the console timeout, log out and log in to the Cisco ISE CLI. After upgrade is complete, ensure that the terminal session timeout is set to its original value. The default value is 30 minutes.

• We strongly recommend that you delay any deployment configuration changes such as changing node personas, system synchronization, and node registration or deregistration until all the nodes in your deployment are completely upgraded. One exception to this recommendation, however, involves steps that are required to recover from a failed upgrade.

• The Monitoring node's database size is reduced after you upgrade to Release 1.2 because of database design and schema changes in Release 1.2, which optimize disk space utilization and offer better performance.

• The upgrade process from Cisco ISE 1.1.x to 1.2 includes the operating system and application binary upgrade from a 32-bit to a 64-bit system. During upgrade, the node is rebooted twice following the database and operating system upgrade. After the second reboot, the 64-bit application binaries are installed and the database is migrated to the 64-bit system. During this process, you can monitor the progress of the upgrade from the CLI using the show application status ise command. The following message appears: "% NOTICE: Identity Services Engine upgrade is in progress..."

Related Topics

• Cisco Identity Services Engine User Guide, Release 1.2

• Cisco Identity Services Engine CLI Reference Guide, Release 1.2

VMware Virtual Machine Settings

If you are upgrading nodes on virtual machines, ensure that you read the following statements carefully. You should make these changes before you upgrade to Release 1.2.

Note: You must power down the virtual machine before you make the following changes, and power it back on after the changes are done.

• Cisco ISE, Release 1.2, is a 64-bit system. Ensure that your virtual machine's hardware is compatible with 64-bit systems. See the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 for more information. Enable BIOS settings that are required for 64-bit systems. Refer to the VMware Knowledge Base for hardware and firmware requirements for 64-bit guest operating systems. After you upgrade to Release 1.2, choose Linux as the Guest Operating System and Red Hat Enterprise Linux 5 (64-bit) as the version. See the VMware Knowledge Base for more information.


• You can also increase the CPU and memory size of the virtual machine. Refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 for deployment sizing and scaling recommendations for the SNS 3400 Series appliances. If you increase the disk size of a virtual machine, you cannot upgrade, so you must do a fresh installation of Release 1.2. After you install Release 1.2, you can check the CPU and memory size using the show inventory command from the Cisco ISE CLI.

Upgrade Time Estimation

The following table provides an estimate of the amount of time it might take to upgrade Cisco ISE nodes. Actual time taken for upgrade varies depending on a number of factors. Your production network continues to function without any downtime during the upgrade process. The data presented here is from a deployment with 25,000 users and 250,000 endpoints.

Type of Deployment                               | Node Persona                               | Time Taken for Upgrade
Standalone (2000 endpoints)                      | Administration, Policy Service, Monitoring | 1 hour 20 minutes
Distributed (25,000 users and 250,000 endpoints) | Secondary Administration                   | 2 hours
Distributed (25,000 users and 250,000 endpoints) | Monitoring                                 | 1.5 hours

Factors That Affect Upgrade Time

• Number of endpoints in your network

• Number of users and guest users in your network

• Profiling service, if enabled

Note: Cisco ISE nodes on virtual machines might take a longer time to upgrade than physical appliances.

Obtain a Backup Before Upgrade to Prevent Any Data Loss

To prevent any data loss, you should perform an on-demand backup of the Cisco ISE Configuration and Monitoring (operational) data before upgrade.

Performing an On-Demand Backup from the Cisco ISE User Interface

In the Cisco ISE user interface, you can perform an on-demand backup of the primary Administration node. You must perform a backup of the Cisco ISE application and ADE-OS configuration data and monitoring (operational) data. For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because these repository types are read-only or the protocol does not support file listing. In a distributed deployment, if the primary Administration and primary Monitoring personas run on the same node (appliance or virtual machine), then you can use the local repository for the backup. If they run on separate nodes (appliances or virtual machines), the local repository cannot be used for the backup. You can use the CLI and GUI to create repositories, but for Cisco ISE, Release 1.2, it is recommended to use the GUI for the following reasons:

• Repositories that are created through the CLI are saved locally and do not get replicated to the other deployment nodes. These repositories do not get listed in the repository GUI page.

• Repositories that are created on the primary Administration node through the GUI get replicated to the other deployment nodes.

Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.

• Before you perform this task, you should have a basic understanding of the type of data that can be backed up in Cisco ISE. You should perform an on-demand backup of the Cisco ISE Configuration and Monitoring data.

• Before you perform this task, ensure that you have configured repositories. Refer to Cisco Identity Services Engine User Guide, Release 1.2 for more details.

• When you perform a backup, do not change the role of a node or promote a node. Changing node roles will shut down all the processes and might cause some inconsistency in data if a backup is running concurrently. Wait for the backup to complete before you make any node role changes.

• Copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE server startup configuration. You can use this startup configuration when you restore or troubleshoot your Cisco ISE application from the backup and system logs. For more information about copying the running configuration to the startup configuration, see the copy command in the Cisco Identity Services Engine CLI Reference Guide, Release 1.2.

Note: Operational (Monitoring data) backup can be obtained only from the primary and secondary Monitoring nodes.

Procedure

Step 1 Log in to the Cisco ISE administrative user interface.

Step 2 Choose Administration > System > Maintenance.

Step 3 Choose Data Management > Administration Node > Full Backup On Demand. Choose Monitoring Node if you want to back up monitoring data.

Step 4 Enter the values as required to perform a backup.

Step 5 Click Backup Now.

Step 6 Verify that the backup completed successfully. Cisco ISE appends the backup filename with the timestamp and stores this file in the specified repository. Check if your backup file exists in the repository that you have specified.


Performing a Backup from the Cisco ISE CLI

To perform a backup of the Cisco ISE configuration or operational data from the Cisco ISE CLI and place the backup in a repository, enter the backup command in EXEC mode.

Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.

• Before you perform this task, you should have a basic understanding of the type of data that can be backed up in Cisco ISE. You should perform an on-demand backup of the Cisco ISE Configuration and Monitoring data.

• Before you perform this task, ensure that you have configured repositories. Refer to Cisco Identity Services Engine User Guide, Release 1.1.x for more details.

• When you perform a backup, do not change the role of a node or promote a node. Changing node roles will shut down all the processes and might cause some inconsistency in data if a backup is running concurrently. Wait for the backup to complete before you make any node role changes.

• Copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE server startup configuration. You can use this startup configuration when you restore or troubleshoot Cisco ISE from the backup and system logs. For more information about copying the running configuration to the startup configuration, see the copy command in Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x.

• Operational backups can be obtained only from the primary and secondary Monitoring nodes.

Note: For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because these repository types are read-only or the protocol does not support file listings. In a distributed deployment, if the primary Administration and primary Monitoring personas run on the same node (appliance or virtual machine), then you can use the local repository for the backup. If they run on separate nodes (appliances or virtual machines), the local repository cannot be used for the backup.

Procedure

To obtain Cisco ISE configuration data, enter the backup command with the ise-config command operator parameter in the CLI of the primary Administration node in your old deployment. To obtain Cisco ISE operational (monitoring and troubleshooting) data, enter the backup command with the ise-operational command operator parameter in the CLI of the primary or secondary Monitoring node in your old deployment.

CLI command to obtain a Cisco ISE configuration backup:

    backup backup-name repository repository-name ise-config encryption-key {hash | plain} encryption-key name

CLI command to obtain a Cisco ISE operational backup:

    backup backup-name repository repository-name ise-operational encryption-key {hash | plain} encryption-key name

The following table provides the syntax description:

backup-name            Name of the backup file. Supports up to 100 alphanumeric characters.
repository             Specifies the repository to store the backup file.
repository-name        Name and location of the repository where the files should be backed up to. Supports up to 80 alphanumeric characters.
ise-config             (Optional) Backs up Cisco ISE configuration data (includes Cisco ISE ADE-OS configuration data).
ise-operational        (Optional) Backs up only Cisco ISE operational (monitoring and troubleshooting) data. You can only specify this command operator parameter on the primary and secondary Monitoring nodes.
encryption-key         Specifies an encryption key to protect the backup.
hash                   Specifies a hashed encryption key to protect the backup.
plain                  Specifies an unencrypted plaintext encryption key that follows. Supports up to 15 characters in length.
encryption-key name    Name of the encryption key in hash | plain format. Supports up to 40 characters for hashed encryption and 15 characters for plaintext encryption.

The backup command performs a backup of the Cisco ISE and ADE-OS configuration data and monitoring data and places the backup in a repository with an encrypted (hashed) or unencrypted plaintext password.

You can encrypt and decrypt the backup by using a user-defined encryption key.

    ise/admin# backup mybackup repository myrepository ise-config encryption-key plain Lab12345
    % Creating backup with timestamped filename: backup-111125-1252.tar.gpg
    ise/admin#

    ise/admin# backup mybackup repository myrepository ise-operational encryption-key plain Lab12345
    % Creating backup with timestamped filename: backup-111125-1235.tar.gpg
    ise/admin#

    Related Topics

    Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x


Cisco ISE 1.2 Upgrade Process

You can upgrade to Cisco ISE, Release 1.2, only from the Cisco ISE command-line interface (CLI). For instructions on upgrading standalone or two-node deployments, see "Chapter 2, Upgrading Standalone and Two-Node Deployments to Release 1.2". For instructions on upgrading a distributed deployment, see "Chapter 3, Upgrading a Distributed Deployment to Cisco ISE, Release 1.2".

The upgrade process for a standalone node is different than the one for upgrading nodes in a deployment. When you run the application upgrade command from the Cisco ISE CLI, the following tasks are performed in the background in each of the nodes:

1 Downloads the upgrade bundle and extracts it.

2 Performs a backup of the configuration database (for automatic rollback in case of recoverable failures).

3 Upgrades the configuration database or downloads a dump of the upgraded configuration database (in the case of a standalone node).

4 Upgrades the monitoring database.

5 Upgrades the operating system and application binary files.

6 Migrates the database from a 32-bit to a 64-bit system.

7 After a successful upgrade, prompts the user to log in to Cisco ISE, Release 1.2.

For distributed deployments, the upgrade process follows a Split Deployment model. After you upgrade the secondary Administration node to the new release, Cisco ISE creates a new deployment. The secondary Administration node from the old deployment becomes the primary Administration node in the new deployment. When you upgrade the rest of the nodes in the old deployment, they join the new deployment.

When you upgrade the secondary Administration node from the old deployment, it saves the old deployment configuration and also notifies the primary Administration node of the upgrade. The primary Administration node in the old deployment notifies the other nodes about the upgrade. After upgrade, the nodes from the old deployment join the primary Administration node in the new deployment. The upgrade process retains licenses and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files with two-node unique device identifiers (UDIs). You can request a new license with the UDI of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for details.

Note: To upgrade to Cisco ISE, Release 1.2, you do not have to deregister the nodes from the deployment and register them to the new deployment as was the case in previous releases. When you run the application upgrade command from the CLI, the upgrade software deregisters the node and registers it to the new deployment automatically.

The upgrade fails if you make any node persona changes in the old deployment after you start the upgrade on the secondary Administration node.

You must first upgrade the secondary Administration node. Then, upgrade the primary Monitoring node, followed by the Policy Service nodes and Inline Posture nodes, respectively. Next, upgrade the secondary Monitoring node (if you have one in your old deployment). Finally, upgrade the primary Administration node from your old deployment. For Policy Service nodes, the database schema is not upgraded. Instead, the Policy Service nodes get a copy of the new database from the primary Administration node in the new deployment.
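The node ordering in the paragraph above, turned into a runbook generator. This is an added shell example, not from the Cisco guide; it reads a constructed inventory of "hostname persona" lines and prints the hosts in the order the guide requires, and refuses to produce a plan when no secondary Administration node exists (the split-deployment model needs one to seed the new deployment) or when a persona is misspelled. The hostnames and persona labels are my own.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): derive the per-node upgrade order for a
# distributed deployment from an inventory file. The sequence is the guide's:
#   secondary Administration -> primary Monitoring -> Policy Service -> Inline Posture
#   -> secondary Monitoring -> primary Administration
# Inventory format (constructed for this example): one "<hostname> <persona>" per line.

# persona_rank PERSONA: print the persona's position in the upgrade sequence; returns 1 for
# an unknown persona so a typo in the inventory is caught before the change window.
persona_rank() {
    case "$1" in
        secondary-admin)      echo 1 ;;
        primary-monitoring)   echo 2 ;;
        policy-service)       echo 3 ;;
        inline-posture)       echo 4 ;;
        secondary-monitoring) echo 5 ;;
        primary-admin)        echo 6 ;;
        *) echo "unknown persona '$1'" >&2; return 1 ;;
    esac
}

# upgrade_order < inventory: print hostnames one per line in the order they must be upgraded.
# Nodes with the same persona keep their inventory order (stable sort). Fails when a persona
# is unknown or when the inventory has no secondary Administration node.
upgrade_order() {
    ranked=""
    have_secondary_admin=no
    while read -r host persona; do
        [ -z "$host" ] && continue
        rank=$(persona_rank "$persona") || return 1
        [ "$persona" = secondary-admin ] && have_secondary_admin=yes
        ranked="$ranked$rank $host
"
    done
    if [ "$have_secondary_admin" != yes ]; then
        echo "no secondary Administration node in inventory: nothing can seed the new deployment" >&2
        return 1
    fi
    printf '%s' "$ranked" | sort -s -k1,1n | awk '{print $2}'
}

# Stand-alone demo with a constructed six-node inventory.
printf '%s\n' \
    'pan-1 primary-admin' \
    'pan-2 secondary-admin' \
    'mnt-1 primary-monitoring' \
    'mnt-2 secondary-monitoring' \
    'psn-1 policy-service' \
    'psn-2 policy-service' | upgrade_order
```

The Inline Posture slot is kept where the guide places it in the sequence; since the Important Notes section says IPNs must be reimaged rather than upgraded, treat that position as the point at which to reimage them.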


Cisco ISE 1.2 Supported Upgrade Paths

You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:

• Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)

• Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)

• Cisco ISE, Release 1.1.2, with the latest patch applied

• Cisco ISE, Release 1.1.3, with the latest patch applied

• Cisco ISE, Release 1.1.4, with the latest patch applied

The following table lists the Cisco ISE versions and what you need to do to upgrade to Cisco ISE, Release 1.2, from those versions.

Table 1: Upgrade Roadmap

From Version: Cisco ISE, Release 1.0 or 1.0.x
Upgrade Path:
  1 Upgrade to Cisco ISE, Release 1.1.0.
  2 Apply the latest patch for Cisco ISE, Release 1.1.0.
  3 Upgrade to Cisco ISE, Release 1.2.

From Version: Cisco ISE, Release 1.1
Upgrade Path:
  1 Apply the latest patch for Cisco ISE, Release 1.1.0.
  2 Upgrade to Cisco ISE, Release 1.2.

From Version: Cisco ISE, Release 1.1.x
Upgrade Path:
  1 Apply the latest patch for Cisco ISE, Release 1.1.x.
  2 Upgrade to Cisco ISE, Release 1.2.

Downloading the Upgrade Software

To download the upgrade bundle (ise-upgradebundle-x.x.x.x.i386.tar.gz) from Cisco.com:

Procedure

Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.

Step 2 Click Download Software for this Product.

Step 3 Download the upgrade bundle. Download ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz to upgrade from Release 1.1.x to Release 1.2. Download ise-upgradebundle-1.2.0.899.x86_64.tar.gz to upgrade from the Limited Availability Release to Release 1.2.

Upgrade CLI Command

You can upgrade directly from the Cisco ISE CLI. This option allows you to install the new Cisco ISE software on the appliance and simultaneously upgrade the configuration and monitoring information databases.

To use the application upgrade command from the Cisco ISE CLI, enter:

    application upgrade application-bundle repository-name

application-bundle is the name of the application bundle to upgrade the Cisco ISE application.

repository-name is the name of the repository.

When you upgrade or restore Cisco ISE Monitoring nodes from the older versions of Cisco ISE to Release 1.2, the active sessions are not retained and are reset to 0.

Related Topics

• Upgrading a Two-Node Deployment

• Performing a Backup to Prevent Data Loss During Upgrade

Upgrade Methods for Different Types of Deployments

Before you proceed with an upgrade, we recommend that you review the following chapters in this document for information about how to perform an upgrade on the following different types of deployments:

• Standalone and two-node deployments

• Distributed deployments

Related Topics

• Upgrading a Two-Node Deployment

• Upgrading a Distributed Deployment


Verifying the Upgrade Process

To verify if an upgrade is successful, do one of the following:

• Check the ade.log file for the upgrade process. To display the ade.log file, enter the following command from the Cisco ISE CLI: show logging system ade/ADE.log

• Enter the show version command to verify the build version.

• Enter the show application status ise command to verify that all the services are running.

If upgrade fails because of configuration database issues, the changes are rolled back automatically. Refer to Chapter 4, "Recovering from Cisco ISE Upgrade Failures" for more information.

Post-Upgrade Tasks

Note: If you have recently upgraded to Cisco ISE 1.3, perform the post-upgrade tasks listed in the Cisco Identity Services Upgrade Guide, Release 1.3.

Refer to Cisco Identity Services Engine User Guide, Release 1.2, for details about each of these tasks.

• Check if the local and Certificate Authority (CA) certificates are available. Reimport them, if necessary.

• Reconfigure your backup schedules (configuration and operational). Scheduled backups configured in the old deployment are lost during upgrade.

• Join Cisco ISE with Active Directory again, if you use Active Directory as your external identity source and the connection to Active Directory is lost.

• Reset the RSA node secret if you use an RSA SecurID server as your external identity source.

• Perform a posture update from the primary Administration node after upgrade if you have enabled the Posture service.

• Check and import custom profiler policies. If you changed the default profiler policies, the upgrade process overwrites the changes.

• Check profiling probe configurations and reconfigure them, if necessary.

• Customize default language templates after upgrade. If you had customized the default language templates in the old deployment, the upgrade process overwrites the changes.

• Reconfigure profiler SNMP polling. This configuration is lost during an upgrade.

• After upgrade, the OUI entries might be missing in the database, which might result in the endpoints matching incorrect authorization policies. Run the feed service to update the OUI.

• In previous releases of Cisco ISE, guest user records were available in the Internal Users database. Cisco ISE, Release 1.2 introduces a Guest Users database, which is different than the Internal Users database. If you have added the Internal Users database to your identity source sequence, the Guest Users database also becomes part of your identity source sequence. If guest user login is not applicable, remove the Guest Users database from the identity source sequence.


  • Reconfigure e-mail settings, favorite reports, and data purge settings.

    Check the threshold and/or filters for specific alarms that you need. All the alarms are enabled by defaultafter an upgrade.

    Customize reports based on your needs. If you had customized the reports in the old deployment, theupgrade process overwrites the changes that you made.

    The operational (monitoring and troubleshooting) data purge has changed in Cisco ISE, Release 1.2.Purge settings default to 90 days. Some of the logs are purged within 24 hours of upgrading to the newdeployment. Check the dashboard to see if you are viewing data for the previous 24 hours. You can alsocheck the reports and live logs as well. Ensure that you obtain a backup of all the monitoring (operational)data that you need.

    Known Upgrade IssuesThis section lists some of the known upgrade issues with workarounds. Refer to the Open Caveats section inthe Release Notes for Cisco Identity Services Engine, Release 1.2 for more details.

    Upgrading Secondary Nodes From Limited Availability Release to Release 1.2 Fails

    Problem This issue occurs only when you upgrade secondary nodes from the Limited Availability Release to Cisco ISE, Release 1.2.

    Possible Cause This issue is seen when you have backup schedules configured in Cisco ISE.

    Solution Disable or cancel the backup schedules before you upgrade to Release 1.2.

    Scheduled Backup Configurations Are Lost

    Problem This issue occurs after you upgrade to Release 1.2 from earlier releases. Even though you backed up the configuration data before upgrade and restored it in Cisco ISE, Release 1.2, the scheduled backup configurations are lost.

    Solution You must reconfigure the scheduled backups in Cisco ISE, Release 1.2.

    Browser Cache Issues

    Problem This issue occurs if you are using the same browser to access Cisco ISE before and after the upgrade.

    Solution You must clear your browser cache after upgrade to access Cisco ISE, Release 1.2.


    Active Directory Join Issues

    Problem If you use Active Directory as your external identity store, after you upgrade to Release 1.2, Cisco ISE will no longer be joined to the Active Directory domain.

    Solution You must rejoin the nodes to the Active Directory domain from the Active Directory pages of the Cisco ISE user interface.

    RSA Connection Is Lost

    Problem If you use RSA SecurID Server as your external identity source, the RSA SecurID server connection might be lost after an upgrade.

    Solution Reset the RSA node secret from the primary Administration node. Refer to the Cisco Identity Services Engine User Guide, Release 1.2, for more details.

    New Users or Endpoints Added to the Old Deployment During Upgrade Are Lost

    Problem Guest users or endpoints that are added to the old deployment while the new deployment is being formed are lost.

    Solution Ensure that you disable services such as Guest, Profiler, Device Onboarding, and so on before an upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again.

    Profiler SNMP Polling Configuration Is Lost

    Problem Profiler SNMP polling configuration is lost after an upgrade.

    Solution You must reconfigure profiler SNMP polling from the Cisco ISE, Release 1.2 primary Administration node after an upgrade. Refer to the Cisco Identity Services Engine User Guide, Release 1.2, for more information.

    Default Language Template Customization Is Lost

    Problem If you have edited the default language templates, the changes that you have made are lost after an upgrade.

    Solution Customize the default language templates again after the upgrade.


    CLI Password Policy Is Lost During Upgrade

    Problem This issue occurs when you upgrade to Cisco ISE, Release 1.2.

    Possible Cause In Cisco ISE, Release 1.2, the GUI and CLI password policies are unified and replicated to all nodes.

    Solution After you upgrade to Release 1.2, configure the password policy from the Cisco ISE Admin portal (Administration > System > Admin Access > Password Policy).

    Posture Updates Are Overwritten

    Problem During an upgrade, the operating system list for posture is updated, which might affect posture rules.

    Solution After upgrade, from the primary Administration user interface, choose Administration > System > Settings > Posture > Updates. Check the Cisco supported OS version. If it is set to 0.0.0.0, perform a posture update.

    Manifest Error While Running Upgrade

    Problem You might see a "manifest error" when you try to upgrade ISE with an application bundle that was downloaded using the Apple Safari web browser from Cisco.com.

    Possible Cause The upgrade file is decompressed after the download. By default, the Apple Safari web browser opens "safe files" after a download. This setting decompresses the upgrade bundle after download and causes the manifest error during upgrade.

    Solution Uncheck the "open safe files after downloading" option under Preferences in the Apple Safari web browser.
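    A pre-upload check for the decompression problem described above, added here as an example and not part of the Cisco guide. It assumes the upgrade bundle is distributed as a gzip-compressed tar archive (an assumption; the guide does not state the format) and flags a copy that a browser has already decompressed into a plain tar.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): detect whether a downloaded upgrade
# bundle has been auto-decompressed by the browser before it is uploaded to ISE.
# Assumption: the bundle ships as a gzip-compressed archive (magic bytes 1f 8b);
# a decompressed copy is a plain tar (magic "ustar" at byte offset 257).

# Print "gzip", "tar" or "unknown" for the file given in $1.
bundle_kind() {
  f="$1"
  magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
  if [ "$magic" = "1f8b" ]; then
    echo gzip
  elif [ "$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
    echo tar
  else
    echo unknown
  fi
}

# Return 0 only when the bundle is still compressed, i.e. safe to upload.
check_bundle() {
  case "$(bundle_kind "$1")" in
    gzip) echo "OK: $1 is still gzip-compressed"; return 0 ;;
    tar)  echo "ERROR: $1 was decompressed (Safari 'open safe files'?); re-download it"; return 1 ;;
    *)    echo "ERROR: $1 is not a recognised bundle"; return 1 ;;
  esac
}

# Constructed sample inputs: a tiny tar archive and its gzip-compressed form,
# standing in for a decompressed and an intact bundle respectively.
tmp=$(mktemp -d)
printf 'manifest' > "$tmp/manifest.txt"
tar -C "$tmp" -cf "$tmp/bundle.tar" manifest.txt
gzip -c "$tmp/bundle.tar" > "$tmp/bundle.tar.gz"

check_bundle "$tmp/bundle.tar.gz"
check_bundle "$tmp/bundle.tar"
```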


    Cisco ISE 1.2 Upgrade ProcessCisco ISE 1.2 Supported Upgrade PathsDownloading the Upgrade SoftwareUpgrade CLI CommandUpgrade Methods for Different Types of DeploymentsVerifying the Upgrade ProcessPost-Upgrade TasksKnown Upgrade IssuesUpgrading Secondary Nodes From Limited Availability Release to Release 1.2 FailsScheduled Backup Configurations Are LostBrowser Cache IssuesActive Directory Join IssuesRSA Connection Is LostNew Users or Endpoints Added to the Old Deployment During Upgrade Are LostProfiler SNMP Polling Configuration Is LostDefault Language Template Customization Is LostCLI Password Policy is Lost During UpgradePosture Updates Are OverwrittenManifest Error While Running Upgrade