
TAC Security Podcast Episode #35 - Identity Services Engine v1.2


Show Name: TAC Security Podcast Episode #35 - Identity Services Engine v1.2

Contributors:  Magnus Mortensen, Jay Johnston, Jesse Dubois, Aaron Woland

Posting Date: July 16, 2013

Description: Jesse Dubois, TAC engineer, and Aaron Woland, Identity Services Engine (ISE) Technical Marketing Engineer, discuss version 1.2 of the ISE solution. Discussion focuses on new features, the upgrade process, and tips and tricks to get the most out of your ISE deployment.



Listen Now    (MP3 37.88 MB; 41:22 mins)





About the Cisco TAC Security Podcast


The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each show provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.


Complete show listing and show information


Show Notes

Related Cisco Live presentations:

  - BRKSEC-2044 - Building an Enterprise Access Control Architecture with ISE
  - BRKSEC-3045 - Advanced ISE and Secure Access Deployment
  - BRKSEC-2045 - Mobile Devices and BYOD Security - Deployment and Best Practices


TrustSec Design Guides:


ISE Product Page:


Pre-Upgrade Considerations:

  • Read the Data Restoration Guidelines from the Cisco Identity Services Engine User Guide, Release 1.2 before you restore data on your newly upgraded node.
  • Perform a backup of Cisco ISE configuration data from the primary Administration node, which includes the Cisco Application Deployment Engine (ADE) configuration data.
  • Perform a backup of the Cisco ISE operational data from the primary Monitoring node.
  • Export the certificates from all the nodes in the deployment and save them in a local system. Ensure that the Common Name (CN) or SAN in the HTTPS and EAP certificates for each of your Cisco ISE nodes matches the Fully Qualified Domain Name of that node.
  • Obtain a backup of the running configuration using the copy running-config destination command from the Cisco ISE CLI, where destination is a URL such as ftp, sftp, or disk:
  • Ensure that you have the Active Directory credentials if you are using Active Directory as your external identity source. After an upgrade, you might lose Active Directory connections. If this happens, you must rejoin Cisco ISE with Active Directory.
  • Export the default profiler policies to a file and import them after an upgrade if you have edited and customized the default profiler policies. The upgrade process overwrites the default profiler policies.
  • Record the customization that you have done to the default language templates. After upgrade, you must edit the default language templates if you have customized them in the old deployment.
  • Record the alarm, e-mail settings, report customization, favorite reports, monitoring data backup schedules, and data purge settings. You must reconfigure these settings after upgrade.
  • Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again.
  • Record the SNMP profiler probe settings. You must reconfigure the profiler SNMP polling from the primary Administration node after upgrade if you are using it for profiling.
  • Disable the console timeout temporarily from the Cisco ISE CLI for remote upgrades. Use the following command from the Cisco ISE CLI: terminal session-timeout 0. After you disable the console timeout, log out and log in to the Cisco ISE CLI. After upgrade is complete, ensure that the terminal session timeout is set to its original value. The default value is 30 minutes.
  • We strongly recommend that you delay any deployment configuration changes such as changing node personas, system synchronization, and node registration or deregistration until all the nodes in your deployment are completely upgraded. One exception to this recommendation, however, involves steps that are required to recover from a failed upgrade.
  • The Monitoring node's database size is reduced after you upgrade to Release 1.2 because of database design and schema changes in Release 1.2, which optimize disk space utilization and offer better performance.
  • The upgrade process from Cisco ISE 1.1.x to 1.2 includes the operating system and application binary upgrade from a 32-bit to a 64-bit system. During upgrade, the node is rebooted twice following the database and operating system upgrade. After the second reboot, the 64-bit application binaries are installed and the database is migrated to the 64-bit system. During this process, you can monitor the progress of the upgrade from the CLI using the show application status ise command. The following message appears: "% NOTICE: Identity Services Engine upgrade is in progress..."
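The certificate step above (CN or SAN must match each node's FQDN) is the one most easily verified before the upgrade window rather than discovered afterwards. The following script is an added example, not code from the podcast page or from Cisco; it parses the text that `openssl x509 -in <cert.pem> -noout -subject -ext subjectAltName` prints for each exported certificate and reports whether the node FQDN is covered by the CN or by a DNS SAN entry. The node names, certificate subjects and openssl output are constructed for the example, and the wildcard handling (a `*.example.com` SAN covering one extra label) is the general X.509 hostname-matching convention, not a statement about what a given ISE release accepts.

```python
"""Pre-upgrade check: does each exported ISE certificate name its node's FQDN?

Added example; input is the output of
  openssl x509 -in <cert.pem> -noout -subject -ext subjectAltName
The samples below are constructed for three hypothetical nodes.
"""
import re

# Constructed openssl output keyed by the node FQDN the certificate was exported from.
SAMPLE_OUTPUT = {
    "ise-pan1.example.com": (
        "subject=C = US, O = Example Corp, CN = ise-pan1.example.com\n"
        "X509v3 Subject Alternative Name: \n"
        "    DNS:ise-pan1.example.com, DNS:ise.example.com\n"
    ),
    "ise-psn1.example.com": (
        "subject=CN = ise.example.com\n"
        "X509v3 Subject Alternative Name: \n"
        "    DNS:*.example.com\n"
    ),
    "ise-psn2.example.com": (
        # Short hostname in the CN and no SAN: this is the mismatch the checklist warns about.
        "subject=CN = ise-psn2\n"
        "No extensions in certificate\n"
    ),
}


def parse_openssl_names(text):
    """Return (cn, [dns_sans]) from the -subject / -ext subjectAltName text."""
    cn = None
    m = re.search(r"^subject=(.*)$", text, re.MULTILINE)
    if m:
        # Naive split on ','; adequate for ordinary CNs without embedded commas.
        for rdn in m.group(1).split(","):
            key, _, value = rdn.partition("=")
            if key.strip() == "CN":
                cn = value.strip()
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return cn, sans


def name_matches(name, fqdn):
    """Exact match, or a single-label wildcard (*.example.com covers host.example.com)."""
    name, fqdn = name.lower(), fqdn.lower()
    if name == fqdn:
        return True
    if name.startswith("*."):
        suffix = name[1:]                      # ".example.com"
        if fqdn.endswith(suffix):
            leftmost = fqdn[: -len(suffix)]    # label(s) the wildcard must cover
            return bool(leftmost) and "." not in leftmost
    return False


def check_node(fqdn, openssl_text):
    """Evaluate one node; returns a dict with the names found and the verdict."""
    cn, sans = parse_openssl_names(openssl_text)
    cn_ok = cn is not None and name_matches(cn, fqdn)
    san_ok = any(name_matches(s, fqdn) for s in sans)
    if cn_ok or san_ok:
        reason = "matched by " + ("CN" if cn_ok else "SAN")
    else:
        reason = "neither CN nor any DNS SAN matches the node FQDN"
    return {"fqdn": fqdn, "cn": cn, "sans": sans, "ok": cn_ok or san_ok, "reason": reason}


def check_all(outputs):
    """Map each node FQDN to its verdict; a single False means stop and fix before upgrading."""
    return {fqdn: check_node(fqdn, text)["ok"] for fqdn, text in outputs.items()}


if __name__ == "__main__":
    for fqdn, text in SAMPLE_OUTPUT.items():
        r = check_node(fqdn, text)
        print(f"{'OK  ' if r['ok'] else 'FAIL'} {fqdn:24} CN={r['cn']!r} SAN={r['sans']} ({r['reason']})")
```

In a real deployment, feed the script the openssl output for every exported HTTPS and EAP certificate, one per node, and treat any FAIL as a blocker for the upgrade: a mismatched name surfaces after the upgrade as admin-portal and EAP trust errors that are harder to diagnose under time pressure.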


Post Upgrade Tasks:

  • Check if the local and Certificate Authority (CA) certificates are available. Reimport them, if necessary.
  • Reconfigure your backup schedules (configuration and operational). Scheduled backups configured in the old deployment are lost during upgrade.
  • Join Cisco ISE with Active Directory again, if you use Active Directory as your external identity source and connection to Active Directory is lost.
  • Reset the RSA node secret if you use RSA SecurID server as your external identity source.
  • Perform a posture update from the primary Administration node after upgrade if you have enabled the Posture service.
  • Check and import custom profiler policies. If you changed the default profiler policies, the upgrade process overwrites the changes.
  • Check profiling probe configurations and reconfigure them, if necessary.
  • Customize default language templates after upgrade. If you had customized the default language templates in the old deployment, the upgrade process overwrites the changes.
  • Reconfigure profiler SNMP polling. This configuration is lost during an upgrade.
  • Define the Guest User database in the identity source sequence under each portal that requires guest-user authentication.
  • Reconfigure e-mail settings, favorite reports, and data purge settings.
  • Check the threshold and/or filters for specific alarms that you need. All the alarms are enabled by default after an upgrade.
  • Customize reports based on your needs. If you had customized the reports in the old deployment, the upgrade process overwrites the changes that you made.
  • The operational (monitoring and troubleshooting) data purge has changed in Cisco ISE, Release 1.2. Purge settings default to 90 days. Some of the logs are purged within 24 hours of upgrading to the new deployment. Check the dashboard to see if you are viewing data for the previous 24 hours. You can also check the reports and live logs as well. Ensure that you obtain a backup of all the monitoring (operational) data that you need.
Community Member

I purchased the book that was discussed in this webcast. It is excellent. I use it to study from and as a reference guide.