Contributors: Magnus Mortensen, Jay Johnston, Jesse Dubois, Aaron Woland
Posting Date: July 16, 2013
Description: Jesse Dubois, TAC engineer, and Aaron Woland, Identity Services Engine (ISE) Technical Marketing Engineer, discuss version 1.2 of the ISE solution. Discussion focuses on new features, the upgrade process, and tips and tricks to get the most out of your ISE deployment.
Read the Data Restoration Guidelines from the Cisco Identity Services Engine User Guide, Release 1.2 before you restore data on your newly upgraded node.
Perform a backup of Cisco ISE configuration data from the primary Administration node, which includes the Cisco Application Deployment Engine (ADE) configuration data.
Perform a backup of the Cisco ISE operational data from the primary Monitoring node.
Export the certificates from all the nodes in the deployment and save them in a local system. Ensure that the Common Name (CN) or SAN in the HTTPS and EAP certificates for each of your Cisco ISE node matches the Fully Qualified Domain Name of that node.
Obtain a backup of the running configuration using the copy running-config destinationcommand from the Cisco ISE CLI, where destination is a url such as ftp, sftp, or disk:
Ensure that you have the Active Directory credentials if you are using Active Directory as your external identity source. After an upgrade, you might lose Active Directory connections. If this happens, you must rejoin Cisco ISE with Active Directory.
Export the default profiler policies to a file and import them after an upgrade if you have edited and customized the default profiler policies. The upgrade process overwrites the default profiler policies.
Record the customization that you have done to the default language templates. After upgrade, you must edit the default language templates if you have customized them in the old deployment.
Record the alarm, e-mail settings, report customization, favorite reports, monitoring data backup schedules, and data purge settings. You must reconfigure these settings after upgrade.
Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again.
Record the SNMP profiler probe settings. You must reconfigure the profiler SNMP polling from the primary Administration node after upgrade if you are using it for profiling.
Disable the console timeout temporarily from the Cisco ISE CLI for remote upgrades. Use the following command from the Cisco ISE CLI: terminal session-timeout 0. After you disable the console timeout, log out and log in to the Cisco ISE CLI. After upgrade is complete, ensure that the terminal session timeout is set to its original value. The default value is 30 minutes.
We strongly recommend that you delay any deployment configuration changes such as changing node personas, system synchronization, and node registration or deregistration until all the nodes in your deployment are completely upgraded. One exception to this recommendation, however, involves steps that are required to recover from a failed upgrade.
The Monitoring node's database size is reduced after you upgrade to Release 1.2 because of database design and schema changes in Release 1.2, which optimizes disk space utilization and offers better performance.
The upgrade process from Cisco ISE 1.1.x to 1.2 includes the operating system and application binary upgrade from a 32-bit to a 64-bit system. During upgrade, the node is rebooted twice following the database and operating system upgrade. After the second reboot, the 64-bit application binaries are installed and the database is migrated to the 64-bit system. During this process, you can monitor the progress of the upgrade from the CLI using the show application status ise command. The following message appears: "% NOTICE: Identity Services Engine upgrade is in progress..."
Post Upgrade Tasks:
Check if the local and Certificate Authority (CA) certificates are available. Reimport them, if necessary.
Reconfigure your backup schedules (configuration and operational). Scheduled backups configured in the old deployment are lost during upgrade.
Join Cisco ISE with Active Directory again, if you use Active Directory as your external identity source and connection to Active Directory is lost.
Reset the RSA node secret if you use RSA SecurID server as your external identity source.
Perform a posture update from the primary Administration node after upgrade if you have enabled the Posture service.
Check and import custom profiler policies. If you changed the default profiler policies, the upgrade process overwrites the changes.
Check profiling probe configurations and reconfigure them, if necessary.
Customize default language templates after upgrade. If you had customized the default language templates in the old deployment, the upgrade process overwrites the changes.
Reconfigure profiler SNMP polling. This configuration is lost during an upgrade.
Define the Guest User database in the identity source sequence under each portal that requires guest-user authentication.
Reconfigure e-mail settings, favorite reports, and data purge settings.
Check the threshold and/or filters for specific alarms that you need. All the alarms are enabled by default after an upgrade.
Customize reports based on your needs. If you had customized the reports in the old deployment, the upgrade process overwrites the changes that you made.
The operational (monitoring and troubleshooting) data purge has changed in Cisco ISE, Release 1.2. Purge settings default to 90 days. Some of the logs are purged within 24 hours of upgrading to the new deployment. Check the dashboard to see if you are viewing data for the previous 24 hours. You can also check the reports and live logs as well. Ensure that you obtain a backup of all the monitoring (operational) data that you need.