As a longtime Cisco partner, we’ve been a part of many Cisco Identity Services Engine (ISE) implementations and upgrades, giving us first-hand knowledge of not only how ISE helps our customers meet enterprise mobility challenges, but also gleaned some insider tips and tricks on how best to execute upgrades.
I recently sat down Josh Gross, a OneNeck security engineer, to discuss Cisco ISE and some of the challenges he’s seeing customers face when upgrading.
What is the latest version of ISE, and what are some of the new features and benefits associated with the newest release?
The latest version of ISE is version 2.2. It offers some refinements on ISE 2.1 with an ability to detect MAC spoofing and enhancements to the migration tool for users looking to migrate to ISE from legacy TACACS. They’ve also done some interesting things with guest access, including wireless guest portal provisioning available through a wizard in the ISE console, which will even configure the wireless LAN controller. It also supports JSON for new APIs which can add new scripting functionality.
When and why would a company need to upgrade their ISE deployment?
ISE is frequently implementing new features and functionality, and our customers usually upgrade for one of those features. In the 2.0 update, they included the ability to configure TACACS access in ISE. Most ISE 1.x customers are paying licensing for a separate TACACS solution, and they frequently upgrade when they are ready to move their TACACS to ISE.
What are some key factors that could affect their upgrade time?
The primary factor in the length of time it takes to upgrade an ISE solution is the number of ISE servers deployed. For scalability, ISE can be set up in a multi-server configuration with different ISE servers providing different functions or ‘personas’ (administration, monitoring, policy service). The ISE upgrade process upgrades the servers serially to minimize downtime.
Once in flight, what are some of the challenges you’ve seen during the upgrade process?
The challenges during the upgrade processes are usually related to the ISE configuration. Frequently I see an upgrade complete successfully, but I will have to disconnect and re-connect to third-party authentication systems such as Active Directory for them to begin functioning.
Sometimes, in multi-server deployments, some servers in the infrastructure will not upgrade successfully. If that happens, you can generally rebuild the server as a new node and re-join the cluster.
Any Troubleshooting tips you might have for the most common upgrade failures?
I always ensure to take an operational backup prior to trying an upgrade. It helps if everything fails and I have to restore. If ISE is implemented using virtual machines, I recommend taking a snapshot as well. I also plan for a service outage during the upgrade, because servers usually need to be rebooted and issues occasionally occur.
Keep in mind that, in a lot of cases, you can save time rebuilding a node rather than trying to troubleshoot what failed during the upgrade. ISE should always have at least a primary and secondary node and as long as one of the nodes is functional, the others can be rebuilt and re-joined.
LEARN MORE About ISE: Healthcare Has an Identity Problem