ISE 1.2 to 1.3 upgrade

I have ISE 1.2 running; please advise if we can update to ISE 1.3. I came to know that there is a licensing change in 1.3. Do I need to buy a new license, or how is it going to work? Are there any major bugs in ISE 1.3? (I don't want any issues; my 1.2 is stable.)

ISE license change is from 1.2 patch 8. You can upgrade from 1.2 to 1.3 and your existing license in 1.2 will move to 1.3.
Before You Begin: http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_13_chapter_011.html

Similar Messages

  • ISE Application won't start after upgrading to 1.2

    Hi,
    We have a customer who is using an ISE-3315 hardware appliance running 1.1.4.218 Patch 1. He needed to upgrade to 1.2 Patch 2 to support iOS7. There is no secondary appliance so this is a standalone deployment.
    We did the upgrade according to Cisco documents (backup, patching the current to the latest patch, performing the upgrade). This all seems to have successfully gone through. I can access the CLI via SSH but the application services are not going to start. I tried to stop and start the services (application stop ise/ application start ise) but I get the following message:
    ise/admin# application start ise
    Waiting up to 20 seconds for lock: APP_START to complete
    Database is still locked by lock: APP_START. Aborting. Please try it later
    % Error: Another ISE DB process (APP_START) is in progress, cannot perform Application Start at this time
    I waited for half a day but it stayed the same. Also commands like application configure or application config-reset do not work. Restarting the ISE did not work as well.
    Has anyone encountered this problem and solved it? My next idea would be a clean reinstall of ISE 1.2 and then restoring the backup.
    regards,
    Patrick

    Hi Everyone
    We have the same problem - it doesn't seem as if Cisco cares to solve this obvious problem with new upgrade images on CCO...
    After 4 hours of update of a stand-alone VM the processes failed to start, even after waiting for 12 hours.
    The update seems to have successfully gone through, we can access the CLI via SSH,
    but the application services are not going to start.
    We also tried to stop and start the services (application stop ise/ application start ise) but I get the following message:
    ise/admin# application start ise
    Waiting up to 20 seconds for lock: APP_START to complete
    Database is still locked by lock: APP_START. Aborting. Please try it later
    % Error: Another ISE DB process (APP_START) is in progress, cannot perform Application Start at this time
    It's really annoying with the poor software quality from Cisco!

  • Cisco ISE 1.2 to 1.3 upgrade

    I am planning for an ISE upgrade from version 1.2 to 1.3. I have two nodes (primary admin, secondary monitoring (ISE 3355) in one box and secondary admin, primary monitoring in the other (3315).) and 8 PSNs (all 3315).
    My question is after upgrading when we are testing for failover of the HA pairs in both the nodes…are we going to face any technical complications because of the different model numbers. All nodes (2 +8= 10) are in different locations.

    You must first upgrade the secondary Administration node to Release 1.3. For example, if you have a deployment set up as shown in the following figure, with one primary Administration node (node A), one secondary Administration node (node B), one Inline Posture node (IPN) (node C), and four Policy Service nodes (PSNs) (node D, node E, node F, and node G), one primary Monitoring node (node H), and one secondary Monitoring node (node I), you can proceed with the following upgrade procedure.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_chapter_01.html#ID20
    Before You Begin : http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_13_chapter_011.html

  • ISE 1.2 to 1.3 upgrade clarification question

    I am looking to upgrade from ISE version 1.2 to version 1.3 and am reading through the upgrade guide. The basic steps they outline are to create a repository pointing to disk: and then run the application upgrade prepare using the new repository. They say the prepare should copy the file to the local repository and list the MD5 and SHA256 checksum.
    Do I not need to "copy" the file to the server before the prepare or is there a different format for specifying the file on the prepare step? It seems this is looking for a local copy instead of on my FTP server but any format I use to try to specify my FTP server is not working.
    The documentation simply gives application upgrade prepare {filename} {repository}.
    Brent

    Hi Brent,
    To prepare upgrade you need to get the support bundle on the local disk.
    conf t
    repository local
    url disk:/
    exit
    exit
    copy ftp://<repository_url>/ise-upgradebundle-1.2.x-to-1.3.0.###.x86_64.tar.gz disk:/
    To upgrade using this file, use the following command:
    application upgrade ise-upgradebundle-1.2.x-to-1.3.0.###.x86_64.tar.gz local
    You can use prepare to put the file in local repository that you created and then use proceed to upgrade.
    Also, visit this link for upgrade details:
    https://supportforums.cisco.com/blog/12341806/upgrading-identity-services-engine-ise-13
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Ise node is not reachable after upgrading 1.2

    Hi, I was using a beta version of ISE with 1.2.834 code, and now the official release came out so I upgraded it.
    After that, the ISE is not communicating with AD, and when I go to download logs, it says node is not reachable even though it is in STANDALONE mode.
    Does anyone know how to work around this?
    Should I just delete everything and go from scratch?

    The ISE is not communicating with the AD, so you have to rejoin the domain. For this purpose please follow these actions:
    Go to Administration > Identity Management > External Identity Stores and select Active Directory from the left-hand pane.
    Click Join at the bottom of the configuration page.
    Also please check the LDAP port.

  • Cisco ISE 1.2 to 1.3 Upgrade Failed - Old Certificates in Cert Store, but can't remove

    Hello guys,
    My attempt at an upgrade bombed out pretty quick due to an expired certificate in the certificate store. However, these certs are disabled because I've never been able to delete them due to the below error, as I cannot find what they would be attached to. I've looked in SCEP, but I'm not sure where else one should look. This is a distributed deployment, FYI.
    Thanks,
    Raun

    Open a TAC case and ask for the procedure to remove the certificate.

  • Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

    Need help from ISE experts/gurus in this forum.
    Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stop working completely and a reboot is required (very nice bug from Cisco). This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
    Scenario: 
    - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
    - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
    - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
    - node 3 is Policy service node - hostname is node3
    - node 4 is Policy service node - hostname is node4
    Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
    My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
    to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
    upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601.
    Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
    I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
    I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
    Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
    step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
    Proposed solution:
    step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
    step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
              form a new ISE 1.2 cluster independent of the old cluster,
    step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node3 will automatically join the ISE node2 which is already in version 1.2
    step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node4 will automatically join the ISE node2 which is already in version 1.2
    step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
    step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
    step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
    step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
    step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
    Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
    step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Do these steps make sense to you?
    Thanks in advance.

    David,
    A few answers to your questions -
    Question 1: My recommendation is to follow Vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was released prior to the 1.2 release date, since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released.
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    You do not have the ability to install an ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this). The current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node, and when a node was up and operational the next node would start the patching process. First the admin nodes, then the PSNs.
    Every ISE upgrade that I have attempted has not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
    I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
    I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
    I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
    Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
    Once the restore finished, I then restored the certificate and picked one of the PSNs
    backup the cert,
    Had the AD join user account handy
    reset-db,
    and run the upgrade script.
    Once that is done I then restore the cert
    Join the PSN to the new deployment
    Join both nodes to AD through primary admin node
    Monitor for a few days (separate consoles to make sure everything runs smooth)
    If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation. If it all goes smooth you can then follow the above steps for the other two nodes, starting with the last PSN and then the last admin node.
    Thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • Upgraded ISE NFR to 1.2 - now I cant apply patch 1 or 2

    I have upgraded my ISE NFR to 1.2.  Upgrade went fine, authz/authn config still in place and works with switch and WLC.  The problem is now trying to apply a patch to 1.2.
    If I try to apply patch1 or patch2, the CLI says it's already installed.  They definitely aren't!
    Anyone seen this in an NFR or normal license upgrade?
    I am facing my first customer upgrade imminently and something like being unable to patch it afterwards isn't going to go down well!

    Have you attempted your patch from both the CLI and the GUI?  I had a customer who had issues upgrading their ISE from the GUI and the CLI worked fine; the only issue was that each ISE node had to be patched from the CLI, as the patches didn't get pushed as they would from the GUI.  If that's not working for you, I still wouldn't worry much about it. I've successfully patched in your exact scenario so perhaps you have an isolated incident.

  • ISE 1.2: Remove unused Sponsor Group and Identity Group

    Hi
    I started with ISE 1.1.2 and have now upgraded to 1.2.
    There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
    1. One is a special Sponsor group whose sponsor group policy I already removed. Then I go to Administration>Web Portal Management>Sponsor Groups and select the appropriate Group and click delete and ok to confirm, and the following error is displayed:
    com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
    2. The same happens with one Identity Group. I do not have it active anymore. Not in authentication, and not in authorization policy. I go to Administration>Identity Management>Groups> and select the group to remove, and click "Delete selected" and confirm with ok, and the following error occurs:
    Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
    Is there any reason for any of these issues?
    Many thanks

    Hi,
    Please open a service request with Cisco. These kinds of issues may happen when the dependencies are deleted from the UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from the UI as well.  These kinds of issues can be resolved under Cisco guidance.
    Thanks,
    Naresh

  • ISE 1.2 scheduled backup not working

    Hi all,
    I have clean installation of ISE 1.2 (HA) Patch1  and tried to create scheduled backup from GUI. I can create it without problems but it does not start.
    I have created manual backups which are working fine, so there is no problem with FTP server. I have checked CLI and there is no kron job in CLI as I would expect it from version 1.1.x.
    Any idea, or do you think it's a TAC case?
    Thanks,
    ML

    There is a known defect that occurs if the timezone has more than 3 characters. Could you please check the timezone on the ISE CLI with "show timezone"?
    CSCui44324    ISE 1.2 scheduled backup can't be configured
    Symptom:
    Backup task can't be configured in ISE 1.2 UI
    Conditions:
    Install/Upgrade ISE to v.1.2
    Login via GUI and try configure backup task under "Administration -> System -> Backup and restore".
    ISE timezone shortname is more than 3 characters (e.g. CEST).
    Workaround:
    N/A
    Further Problem Description:
    Looks like patch 2 would fix this defect.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Ise 1.2, cannot access guest portal

    I upgraded from 1.1.4 patch 3 to 1.2 but cannot access the guest portal anymore, neither with FQDN:8443 nor with IP:8443.
    Any idea?

    I had attached the steps to configure the guest portal and hope will address the problem.
    Configuring the Guest Portal
    Adding a New Guest Portal
    You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and others require you to set them for each portal individually.
    You can add a new Guest portal or edit an existing one.
    Step 1: Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
    Step 2: Click Add.
    Step 3: Update the fields on each of these tabs:
    • General—enter a portal name and description and choose a portal type.
    • Operations—enable the customizations for the specific portal.
    • Customization—choose a language template for displaying the Guest portal with localized content.
    • File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
    • File Mapping—identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
    • Authentication—indicate how users should be authenticated during guest login.
    Step 4: Click Submit.
    Specifying Ports and Ethernet Interfaces for End-User Portals
    You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
    You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
    Step 1: Choose Administration > Web Portal Management > Settings > General > Ports.
    Step 2: Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
    Step 3: Check the Gigabit Ethernet interfaces you want to enable for each portal.
    Step 4: Click Save.
    If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
    Tips for Assigning Ports and Ethernet Interfaces
    • All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
    • You must assign the Blacklist portal to use a different port than the other end-user portals.
    • Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
    • You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
    Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
    You can set the Sponsor and My Devices portals to use an easy-to-remember fully-qualified domain names (FQDN), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
    Before You Begin
    Step 1: Choose Administration > Web Portal Management > Settings > General > Ports.
    Step 2: Scroll to the Portal FQDNs section, and check the appropriate setting:
    • Default Sponsor Portal FQDN
    • Default My Devices Portal FQDN
    Step 3: Enter a fully qualified domain name.
    Step 4: Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
    Step 5: Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node.
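
The port, interface and certificate-name rules in the steps above can be checked against a planned portal layout before anything is saved in the GUI. This is an added example, not part of the original post or of any Cisco tooling; the helper names `lint_portals` and `san_covers`, the dictionary layout and all sample values are assumptions made for illustration.

```python
"""Lint a planned ISE 1.2 end-user portal layout (added example, constructed data)."""

PORT_MIN, PORT_MAX = 8000, 8999  # port range restriction quoted in the post


def lint_portals(portals):
    """Check {portal name: {"port": int, "interfaces": set}} and return findings."""
    findings = []

    # Rule 1: every HTTPS port must fall inside 8000-8999. Values carried over
    # from an upgrade are honored only until the Ports page is next changed.
    for name, cfg in portals.items():
        if not PORT_MIN <= cfg["port"] <= PORT_MAX:
            findings.append(f"{name}: port {cfg['port']} is outside {PORT_MIN}-{PORT_MAX}")

    # Rule 2: the Blacklist portal must use a different port than the others.
    blacklist = portals.get("Blacklist")
    if blacklist is not None:
        for name, cfg in portals.items():
            if name != "Blacklist" and cfg["port"] == blacklist["port"]:
                findings.append(f"Blacklist: shares port {cfg['port']} with {name}")

    # Rule 3: portals on one HTTPS port also share Ethernet interfaces, so a
    # plan listing different interfaces for them cannot be realised as written.
    by_port = {}
    for name, cfg in portals.items():
        by_port.setdefault(cfg["port"], []).append(name)
    for port, names in sorted(by_port.items()):
        if len({frozenset(portals[n]["interfaces"]) for n in names}) > 1:
            findings.append(f"port {port}: {', '.join(sorted(names))} list different interfaces")
    return findings


def san_covers(fqdn, san_dns_names):
    """True if a portal FQDN is matched by one of the certificate's SAN dNSName entries.

    Conservative matching (an assumption of this example): exact match, or a
    wildcard that is the whole leftmost label and stands for exactly one label.
    """
    host = fqdn.rstrip(".").lower().split(".")
    for entry in san_dns_names:
        pattern = entry.rstrip(".").lower().split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*":
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


# Constructed sample: a layout carried over from a pre-1.2 deployment.
UPGRADED = {
    "Sponsor": {"port": 8443, "interfaces": {"GigabitEthernet 1"}},
    "Guest": {"port": 443, "interfaces": {"GigabitEthernet 1"}},
    "My Devices": {"port": 8443, "interfaces": {"GigabitEthernet 0", "GigabitEthernet 1"}},
    "Blacklist": {"port": 8443, "interfaces": {"GigabitEthernet 1"}},
}

# Constructed sample: the same layout after applying the rules.
CORRECTED = {
    "Sponsor": {"port": 8443, "interfaces": {"GigabitEthernet 1"}},
    "Guest": {"port": 8443, "interfaces": {"GigabitEthernet 1"}},
    "My Devices": {"port": 8443, "interfaces": {"GigabitEthernet 1"}},
    "Blacklist": {"port": 8444, "interfaces": {"GigabitEthernet 1"}},
}

if __name__ == "__main__":
    for finding in lint_portals(UPGRADED):
        print("FINDING:", finding)
    # Constructed SAN list for a policy service node certificate.
    san = ["ise-psn1.companyname.com", "*.companyname.com"]
    for fqdn in ("sponsor.companyname.com", "mydevices.guest.companyname.com"):
        print(fqdn, "covered by SAN:", san_covers(fqdn, san))
```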

  • Cisco ISE 1.3 failed to authenticate wireless endpoint

    Dear all,
    I recently have a big problem with my ISE after upgrading from version 1.2 to 1.3. The original plan is as follows for wireless laptops to authenticate to our network.
    There are 2 SSIDs, REG and INT. When the user and laptop use the WIFI for the first time, they need to request a user certificate from the CA, and they need to log in to the REG SSID with AD username and password. The Wireless controller 2504 will pass the packet to ISE, and the user will use the 802.1x authentication method with PEAP to request a cert. If the authentication is successful, the user needs to open a web browser and the NSP page of ISE will show up for the user to register, and the CA will generate the user cert for the user. Then the SSID will switch to INT and use EAP/TLS to authenticate the user cert with the CA.
    That was fine when working in ISE 1.2. However, after upgrading to 1.3 because the proxy setting in 1.3 allows input of a username and password, which our proxy server requires and cannot be changed. Under 1.3 the authentication fails even in the first step of the authentication policy of ISE; the policy will check if the laptop is using 802.1x and logs in by AD account, then it will pass to the authorization policy. But when I check the log, there is always the error message 5411 Supplicant stopped responding to ISE, 12930 Supplicant stopped responding to ISE after sending it the first PEAP message, 5440 Endpoint abandoned EAP session and started new
    I have searched a long time on the Internet but without any help; I would appreciate it if any expert can help me. I have also uploaded the debug message from our ISE for reference.
    Thank you
    Best Regards,
    Terry Chow

    Hi Terry,
    Just wondering if you got an answer to your problem?
    I am deploying a new solution with ISE 1.3 and I was having a similar problem with my wireless users when I tried to enable it last night.
    Cheers,
    John

  • Determining which NAC Agent to use for ISE

    We are planning an upgrade to our ISE environment from 1.1.4 to 1.2. I have downloaded the agent that is recommended for 1.2 (NAC Agent 4.9.4.3) to begin testing with it. Unfortunately the first test I run is using that client against our ISE 1.1.4 servers. It doesn't work! It runs sporadically at best, taking up to 3 minutes to pop up and posture the system. Other times, I give up, after 20 minutes of waiting, and it never runs. This is quite a spot, I do not want to upgrade the ISE system to 1.2, then run into an issue and have to mass upgrade over 2000 clients all at once to get them running. My hope was to upgrade to the NAC Agent prior to the ISE upgrade but unfortunately that has been short circuited.
    So my question is, has anyone run ISE 1.2 with NAC Agent 4.9.1.6? That is what we are currently using, as it runs well against both ISE 1.1.4, and NAC 4.9.1 (which is still used for our wired environment). We need to find an agent we can use to bridge us from the time we upgrade ISE to 1.2, and the time we bring our wired environment into the ISE fold and remove NAC appliance. I should note, ironically, that 4.9.4.3 NAC Agent runs flawlessly against the NAC 4.9.1 appliance. The issue is running that NAC Agent against ISE 1.1.4. That is exactly the opposite of what I would have guessed! Please help!
    Jeff

    Yes sir, I am aware of that recommendation, however once I downloaded and started testing several clients with that version, none of them run well, if at all, against 1.1.4 which is the current production version we run in our environment. So I would have to either upgrade all 2000 clients immediately after we upgrade our ISE system to 1.2, or take a chance that our current agent (4.9.1.6) will run against ISE 1.2. I was hoping to find a recommendation of an agent version that runs well against both ISE 1.1.4 and ISE 1.2 so we could upgrade the clients at a controlled rate prior to upgrading ISE to 1.2.

  • Creating optional ports in a custom IP core

    Using ISE 14.3 (I'll be upgrading to 14.7 soon hopefully) for a Spartan6.
    I'm writing a VHDL core that has some optional outputs, via the following generic and port:
    C_OUTPUTS : natural range 0 to 32 := 4;
    output_pin : out std_logic_vector(C_OUTPUTS-1 downto 0);
    In the MPD file, this is specified as follows:
    PARAMETER C_OUTPUTS = 0, DT = NATURAL, RANGE = (0:32)
    PORT output_pin = "", DIR = O, VEC = [(C_OUTPUTS-1):0], ISVALID = (C_OUTPUTS > 0)
    This works fine in both synthesis and simulation for any number of outputs.  It also works fine in EDK/XPS for any non-zero number of outputs.  But it fails in EDK/XPS when specifying zero outputs.
    The specific problem is that the wrapper VHDL generated by platgen specifies output_pin as std_logic_vector(-1 to 0), which is illegal, instead of std_logic_vector(-1 downto 0), which is valid (as a null vector) and would have worked.  (It similarly declares the component further down with std_logic_vector((C_OUTPUTS-1) to 0) instead of correctly using downto.)
    Has this been resolved in a later version of ISE/platgen?
    Is there some other/better way to define optional ports?

    For now, I've worked around this by adding a boolean C_HAS_OUTPUTS parameter as well, limiting C_OUTPUTS to a minimum value of 1, and using eg. C_HAS_OUTPUTS instead of C_OUTPUTS > 0.
    On a related note, the 14.7 SDK does not seem to generate the C headers for boolean parameters correctly (it should use TRUE/FALSE in uppercase).
    PARAMETER C_HAS_OUTPUTS = false, DT = BOOLEAN
    PARAMETER C_OUTPUTS = 1, DT = INTEGER, RANGE = (1:32), ISVALID = C_HAS_OUTPUTS
    PORT output_pin = "", DIR = O, VEC = [(C_OUTPUTS-1):0], ISVALID = C_HAS_OUTPUTS
    This works, but it's a bit uglier.

  • Machine authentication not working after upgrade to ISE 1.2

    After upgrading to ISE 1.2.0.899 patch 14 we have a problem running machine authentication for a few hosts (30 of about 3000).
    Although we can see on the switch that the host presents the hostname, in ISE Operations all we get is the MAC address (for both the Identity and Endpoint ID fields). 
    On the switch:
    show auth sessions int FastEthernet0/1
     Interface:  FastEthernet0/1
     MAC Address:  3c97.0eed.afbc
     IP Address:  Unknown
     User-Name:  host/xxxxxxxxxx
     Status:  Running
     Domain:  UNKNOWN
     Oper host mode:  multi-auth
     Oper control dir:  both
     Session timeout:  N/A
     Idle timeout:  N/A
     Common Session ID:  0AF19F16000138DC11B59C9D
     Acct Session ID:  0x000292EA
     Handle:  0x01000BCA
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Running
    In ISE we see the contents of the attached file.
    The workaround we found was to move the host in a different switch, where it will authenticate, and then move it back on the initial switch where it will work now. I know it doesn't make sense but it worked...
    Shut / no shut on the switch port or clearing the auth session doesn't work.
    Does anybody have any idea about this problem?
    Thanks in advance!
    Update:
    The issue seems to be related to how the policy servers cache the sessions/auth requests from the network devices. If we point the network device that hosts the problematic machines to another radius server the auth runs as expected. A number of machines have problems with a certain policy server (not always the same) while most machines authenticate correctly. The problem is that if, for whatever reason, a machine fails to auth, that policy server could "decide" to hang on to that failed auth result for subsequent tries.

    On which switch does the reauthentication work?
    Either way, it looks like you need to update the switch software:
    This is from the ISE 1.2 Compatibility Matrix which can be found here:
    https://supportforums.cisco.com/sites/default/files/attachments/discussion/4500.png
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
