ISE-3415 vs ISE-3315

Hello,
Two years ago I wanted to buy an ISE-3315, and when we prepared the order we were told we had to order the following components:
- ISE-3315-K9
- L-ISE-ADV3Y-100=
Today the ISE-3315 is EOS and the solution for small business is the ISE-3415. The problem is we have to order the following components:
- SNS-3415-K9
- SW-3415-ISE-K9 Cisco ISE Software version 1.2 for the SNS-3415-K9
- L-ISE-ADV-S-100=
The main problem is the new solution costs almost 50% more. Can someone confirm that it is correct? Or maybe I had wrong information two years ago with ISE-3315.
BTW - I need the appliance for lab and study. Do we need to buy a full license in this case?
Thank you
Hubert

Yes, you can buy the appliance and then install the trial version. Just keep in mind that once the trial time has run out you must buy the license to continue to use the features that were available with the trial version.
If using VMware, you can roll back to a snapshot prior to the installation of the ISE and reinstall the trial license and continue to use it for your studies.
Of course, if you have a budget that will allow you to buy the appliance and a full license that is provided by the trial license, then go for it. But if you want to save some money then VMware is the way to go.
Please remember to select a correct answer and rate helpful posts

Similar Messages

  • Cisco ISE 1.2 ISE Application doesn't install

    Hello,
    I am trying to install Cisco ISE on a VMware platform, and the installation goes OK for the ADE-OS (the OS is installed), but the ISE application doesn't install.
    Any hint on how to solve that?
    BR,
    Julio

    Hi all,
    Thanks for your answers, the problem was that the ISO image on the Cisco software repository was corrupted. I finally did an md5 check, and downloaded the image 4 times.
    The four downloaded images matched the md5 checksums between themselves, but not the Cisco webpage. Finally a TAC engineer had to publish the image for me, and when downloaded from this link it matched the CCO md5 and it worked fine.
    BR,
    Julio.
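
The check described in the post above, as an added example that is not part of the original thread: it hashes every downloaded copy and separates "copies agree with each other but not with the published checksum" (the case reported here, where re-downloading does not help) from copies that differ among themselves. The function names, verdict labels and sample files are assumptions constructed for illustration; MD5 is used because the post compared MD5 values, and `algorithm` accepts any other hashlib name.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_downloads(paths, published, algorithm="md5"):
    """Compare every downloaded copy with the vendor-published digest.

    Returns (verdict, digests) where verdict is one of:
      verified            - every copy matches the published value
      partial             - some copies match; keep those, discard the rest
      mismatch            - a single copy that does not match (cause unknown)
      source_mismatch     - copies agree with each other but not with the
                            published value: re-downloading will not help
      transfer_corruption - copies differ from each other and none matches
    """
    if not paths:
        raise ValueError("no files to check")
    published = published.strip().lower()
    digests = {p: file_digest(p, algorithm) for p in paths}
    matches = [p for p, d in digests.items() if d == published]
    if len(matches) == len(digests):
        verdict = "verified"
    elif matches:
        verdict = "partial"
    elif len(digests) == 1:
        verdict = "mismatch"
    elif len(set(digests.values())) == 1:
        verdict = "source_mismatch"
    else:
        verdict = "transfer_corruption"
    return verdict, digests


def demo():
    """Run four cases on constructed files (stand-ins, not real ISE images)."""
    good = b"constructed image payload\n" * 4096
    stale = good[:-1] + b"!"    # the same wrong file served every time
    flipped = b"?" + good[1:]   # a second, different corruption
    published = hashlib.md5(good).hexdigest()
    cases = {
        "repository_serves_wrong_file": [stale] * 4,
        "clean": [good] * 2,
        "flaky_link": [stale, flipped],
        "one_good_copy": [good, flipped],
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blobs in cases.items():
            paths = []
            for i, blob in enumerate(blobs):
                path = os.path.join(tmp, f"{name}_{i}.iso")
                with open(path, "wb") as fh:
                    fh.write(blob)
                paths.append(path)
            results[name] = classify_downloads(paths, published)[0]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A `source_mismatch` verdict means the published value and the hosted file disagree at the source, so the next step is the vendor, as in the post, rather than another download.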

  • ISE - How long ISE will hold the profiled devices?

    Hi,
    After ISE profiles a device, how long does it hold that information in the endpoint identity store? Is there a purge mechanism? The reason I ask is, what if a guest comes and connects to a network and never comes back again? Will ISE hold the profiled MAC address of the device forever? Is there a way to purge if the MAC is not seen on the network for x days? Or is there a manual purge?
    Any help is appreciated.
    Regards,
    Mohan 

    I have an enhancement request in TAC asking for this feature. I have an ISE deployment which wants users to be statically assigned which will overwhelm the db after some time. I will have to check my notes and will forward the bug id to you.
    Thanks,

  • ISE 1.2 SNS-3415 NIC Bonding / Teaming

    Hello,
    I have installed the SNS-3415 with ISE 1.2 and I'm trying to set up redundancy (team) NIC modes for the authentication requests and not for management purposes.
    The tests showed that when the one interface was unplugged everything was lost and none of our internal users was able to be authenticated by the ISE node.
    In contrast, when I unplugged the "second interface" (probably the inactive one) nothing happened, which shows that it is a useless interface.
    My purpose is to connect it to my twin core switches and have a full high availability deployment.
    - I have searched enough on the web but I didn't find any clear and precise document saying how this could be achieved.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_hw_ins_ucs.html#wp1185589
    Themis

    ISE 1.2 does not support NIC teaming.  Especially on appliances.  There is a workaround for VM using the ESXi host to team the NICs so that it is transparent to the VM.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE Application won't start after upgrading to 1.2

    Hi,
    We have a customer who is using an ISE-3315 hardware appliance running 1.1.4.218 Patch 1. He needed to upgrade to 1.2 Patch 2 to support iOS7. There is no secondary appliance so this is a standalone deployment.
    We did the upgrade according to Cisco documents (backup, patching the current to the latest patch, performing the upgrade). This all seems to have successfully gone through. I can access the CLI via SSH but the application services are not going to start. I tried to stop and start the services (application stop ise/ application start ise) but I get the following message:
    ise/admin# application start ise
    Waiting up to 20 seconds for lock: APP_START to complete
    Database is still locked by lock: APP_START. Aborting. Please try it later
    % Error: Another ISE DB process (APP_START) is in progress, cannot perform Application Start at this time
    I waited for half a day but it stayed the same. Also commands like application configure or application config-reset do not work. Restarting the ISE did not work as well.
    Has anyone encountered this problem and solved it? My next idea would be a clean reinstall of ISE 1.2 and then restoring the backup.
    regards,
    Patrick

    Hi Everyone
    We have the same problem - it doesn't seem as if Cisco cares to solve this obvious problem with new upgrade images on CCO...
    After 4 Hours of update of a stand-alone-VM the processes failed to start even waiting for 12 hours.
    The Update seems to have successfully gone through, we can access the CLI via SSH,
    but the application services are not going to start.
    We also tried to stop and start the services (application stop ise/ application start ise) but I get the following message:
    ise/admin# application start ise
    Waiting up to 20 seconds for lock: APP_START to complete
    Database is still locked by lock: APP_START. Aborting. Please try it later
    % Error: Another ISE DB process (APP_START) is in progress, cannot perform Application Start at this time
    It's really annoying with the poor software quality from Cisco!

  • ISE 1.2 and MDM integration.

    What kind of device information can I collect by MDM integration with ISE?

    Hello,
    ISE Release 1.2 delivers integration between Identity Services Engine and MDM platforms, which can ensure that all mobile devices are compliant with security policy before they are allowed to access the network. This feature enables posture compliance assessment and network access control of mobile endpoints attempting to access the network. The solution also performs ongoing posture checks to ensure that devices remain compliant and that the correct network access level is maintained. The specific posture attributes collected by MDM partner platforms for compliance and access policy enforcement in the Identity Services Engine are:
    • Is the mobile device registered with MDM?
    • Does the mobile device have disk encryption enabled?
    • Does the device have PIN-Lock enabled?
    • Has the device been jail-broken/rooted?
    In terms of global compliance, posture compliance decisions may be made by the MDM platform instead of the Identity Services Engine. In this scenario, additional attributes such as blacklisted applications or presence of an enterprise data container may be checked. The MDM platform simply informs the Identity Services Engine if a device is in compliance, then the Identity Services Engine enforces the appropriate network access policy.
    This integration brings great value to MDM customers as it automates the device registration process. As MDM solutions are network-blind, they can't detect a new device when it connects to the wireless network, so the administrator needs to send a notification to the users who wish to enroll their devices. With ISE integration, device enrollment is done automatically when users connect their device to the Wi-Fi network.
    SNS appliances are now available with ISE 1.2 in SNS-3415-K9 and SNS-3495-K9 appliances.

  • ISE 1.2 NAC solution for 12500 Persona Deployment

    I have a deployment scenario for a NAC solution (ISE) that must support 12500 users and must provide the ability to implement security policies on endpoints before they connect, so should I order ISE-3395 with ISE-3315 or is it not a workable solution? Please advise.

    Hi Shakeeb,
    The total number of appliances needed in a deployment depends on multiple factors and not just the number of endpoints as described here :
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html
    Refer to Step 2: Estimate the Number of Appliances or Servers Needed for the Deployment
    We have a dedicated team at Cisco who deals with presales issues, I would advise you to contact them for more guidance. Here is their contact info :
    • Phone: 408 902-4872
    • Email: [email protected]
    • Live chat: http://tinyurl.com/sacise
    Thanks,
    Aastha

  • Cisco ISE Monitoring node backup size

    Hello All,
    We have an HA pair of ISE servers that have scheduled backups configured for the Admin persona (currently full weekly backup) and monitoring, which is full weekly but with the additional incremental daily backups. I've not seen any issue with the full weekly backup of the admin node, however the monitor one provides unusual results in terms of file size between weekly and incremental backups.
    Given the fact that we are currently piloting this with very little RADIUS activity, I'm curious as to how the daily backups can be bigger in file size than the weekly?
    The ISE is an ISE-3315-K9 running 1.1.3.124 and below are some examples:
    -rw-r--r-- 1 tsmbackup tsmbackup 502960384 Apr 21 07:08 mntincr_1_<removed>.tar.gpg (Incremental backup)
    -rw-r--r-- 1 tsmbackup tsmbackup 459348307 Apr 21 01:04 mntdbfull_<removed>.tar.gpg (Full backup)
    Thanks in advance for any suggestions.
    M

    Hi,
    This could possibly be due to 'Data Purging'. When a purge operation triggers, if the actual used database disk space is greater than the configured threshold, the purge operation removes all data from the Monitoring database tables prior to the data retention window.
    Following link might help in your case,
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1074687

  • ISE fail over

    Hi, I have 2 ISE 3315 working in standalone mode
    I have 2 sites
    ISE_1 is installed on site 1 and manage user groupe_1
    ISE_2 is installed on site 2 and manage user groupe_2
    I am planning to use the 2 ISE in failover
    I would like to configure
    1. ISE_1 to be primary  for user groupe_1 and secondary (backup) for user groupe_2
    2. ISE_2 to be primary  for user groupe_2 and secondary (backup) for user groupe_1
    Please how can I configure it ?
    Which modification would I add on the switch, WLC and ISE?
    Thanks in advance for your help

    Hello,
    In this case, you can use a simple 2-node deployment scenario. In this scenario you will have ISE-1 as: primary admin, secondary monitor, and PSN. You'll have ISE-2 as: secondary admin, primary monitor, and PSN.
    Be aware of these points:
    1- If ISE-1 went down, you have to access ISE-2 GUI and promote it manually.
    2- If ISE-2 fails, no problem the monitoring persona failover happens automatically.
    3- To load balance the users you are talking about, you have to do this based on NADs. for example you have 4 switches, so do the following:
    A.make SW1 and SW2 point to ISE-1 and ISE-2 as the radius servers but give higher priority to ISE-1.
    B.make SW3 and SW4 point to ISE-1 and ISE-2 as the radius servers but give higher priority to ISE-2.
    So you have divided the job on the two nodes, if one is down the other will handle all the communications with the NADs.
    Check this document for all the info you may need regarding distributed deployments (and yes, the connection speed between the two nodes should be 1Gbps)
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf
    Message was edited by: Ahmed AboRahal to add the document link.

  • Wired Guest Using ISE Interface

    I've scoured the forums for a solution but struck out looking for design tips. I have a centralized guest wireless using ISE with CWA on an anchor controller and it works great. Now I need to create a wired guest network for my remote sites. Is this possible using an interface on my 3415 running ISE, or can the anchor controller be used somehow?
    The 3415 sits in my Pennsylvania data center. It has a new dedicated interface going to the internet for guest traffic. Can this interface be used as a redirect for a guest at a remote site? If so, is there documentation detailing the basic steps to implement this?
    Thanks in advance!

    If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
    You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  

  • Recurrent ISE M&T alarm

    Hi support community
    I have an ISE deployment with two 3315 appliances running ISE 1.1.1.268 with patch 5 installed. I'm receiving many alarms as shown in the attached image.
    The alarms are generated principally during idle periods (for example at weekends or during the night).
    I don't know if that alarm is something to get worried about or why it is happening; any information about that would be greatly appreciated.
    Many thanks in advance

    Looks like watchdog having problems with DB.
    Open up a TAC case, we need to get a bit more in depth.

  • Understand ISE Licensing

    Hello,
    I am going to Order (SNS-3415-K9) ISE product to deploy at my company, my concern is the size of license I shall order, and how to know the correct number
    I have workstations (PC’s), laptops, Printers, IP-CAM’s, and WLC with 50 AP.
    How I can determine the number of license I should get in order to have the benefits from Cisco ISE.
    Best regards,
    Samer Hasan

    Question:
    I am going to Order (SNS-3415-K9) ISE product to deploy at my company, my concern is the size of license I shall order, and how to know the correct number. I have workstations (PC’s), laptops, Printers, IP-CAM’s, and WLC with 50 AP. How I can determine the number of license I should get in order to have the benefits from Cisco ISE.
    Cisco Identity Services Engine (ISE) Ordering Steps
    Here’s guide which can help in finding solution of your problem
    1. Estimate the number of concurrent endpoints in the network.
    2. Estimate the number of appliances (physical or virtual) needed to support the number of concurrent endpoints
         in the network.
    3. Select the appropriate type of appliance suitable for your deployment. (Reference the appliance selection.)
    4. Select the appropriate type of license suitable for your deployment. (Reference the license selection.)
    5. Select the appropriate level of services available from Cisco Advanced Services or a Certified Partner for design,
        Deployment and sustaining services of the ISE deployment.
    Step 1: Estimate the Number of Concurrent Endpoints in the Network
    Estimating the total number of concurrent endpoints is dependent on a number of variables. An approach to consider would be to take into account:
    • Number of employees in the organization
    • Average number of devices per employee (desktop, laptop, smartphone, desk IP phone, etc.)
    • Number of switch ports currently in the organization
    • Number of access points deployed in the organization
    • Average number of devices per access point
    • Dynamic IP address range being used
    • Average number of guests expected to join the network
    • Inventory of non-user devices such as IP cameras, printers, IP-enabled projectors, etc.
    A combination of factors that includes but is not limited to the above factors could be used to determine the total number of concurrent endpoints in the network.
    Step 2: Cisco ISE Appliances and Servers* Options
    Option 1: Cisco Identity Services Engine Appliances and Servers*

    | Cisco Identity Services Engine Appliances | Product Number | Endpoints Supported |
    |---|---|---|
    | Cisco Secure Network Server 3415* | SNS-3415-K9 | 5,000 |
    | Cisco Secure Network Server 3495* | SNS-3495-K9 | 20,000 |

    Step 3: Cisco Secure Network Server Support SKUs*

    | Product Number | SMARTnet Part Number | Description |
    |---|---|---|
    | SNS-3415-K9* | CON-SNT-SNS-3415 | Cisco SMARTnet support for SNS-3415-K9 - 8x5 Next Business Day |

    Step 4: Select the Type of License
    Step 5: Cisco ISE License Options

    | License Type | Features Supported | Deployment Type Supported | License Prerequisite | License Term(s) |
    |---|---|---|---|---|
    | Base License | AAA; Guest Provisioning; Link Encryption Policies | Wired; Wireless; VPN | | Perpetual |
    | Advanced License | Device Onboarding/Provisioning; Device Profiling and Feed Service*; Host Posture; Security Group Access; Integrated Vendor MDM Support* | Wired; Wireless; VPN | Base License | 3- and 5-Year Terms |
    | Wireless License | Device Onboarding/Provisioning; AAA; Guest Provisioning; Link Encryption Policies; Device Profiling and Feed Service*; Host Posture; Security Group Access; Integrated Vendor MDM Support* | Wireless | | 3- and 5-Year Terms |

    Step 6. Cisco ISE Functionality-Based License Options

    | License Tiers (T) | Number of Endpoints Supported | Base License | Advanced 3-Year License | Advanced 5-Year License | Wireless 3-Year License | Wireless 5-Year License | Wireless Upgrade 3-Year License | Wireless Upgrade 5-Year License |
    |---|---|---|---|---|---|---|---|---|
    | 100 | 100 Endpoints | L-ISE-BSE-100= | L-ISE-ADV3Y-100= | L-ISE-ADV5Y-100= | L-ISE-AD3Y-W-100= | L-ISE-AD5Y-W-100= | L-ISE-W-3UPG-100= | L-ISE-W-UPG-100= |
    | 250 | 250 Endpoints | L-ISE-BSE-250- | L-ISE-ADV3Y-250= | L-ISE-ADV5Y-250= | L-ISE-AD3Y-W-250= | L-ISE-AD5Y-W-250= | L-ISE-W-3UPG-250= | L-ISE-W-UPG-250= |
    | 500 | 500 Endpoints | L-ISE-BSE-500= | L-ISE-ADV3Y-500= | L-ISE-ADV5Y-500= | L-ISE-AD3Y-W-500= | L-ISE-AD5Y-W-500= | L-ISE-W-3UPG-500= | L-ISE-W-UPG-500= |
    | 1000 | 1000 Endpoints | L-ISE-BSE-1K= | L-ISE-ADV3Y-1K= | L-ISE-ADV5Y-1K= | L-ISE-AD3Y-W-1K= | L-ISE-AD5Y-W-1K= | L-ISE-W-3UPG-1K= | L-ISE-W-UPG-1K= |
    | 1500 | 1500 Endpoints | L-ISE-BSE-1500= | L-ISE-ADV3Y-1500= | L-ISE-ADV5Y-1500= | L-ISE-AD3Y-W-1500= | L-ISE-AD5Y-W-1500= | L-ISE-W-3UPG-1500= | L-ISE-W-UPG-1500= |
    | 2500 | 2500 Endpoints | L-ISE-BSE-2500= | L-ISE-ADV3Y-2500= | L-ISE-ADV5Y-2500= | L-ISE-AD3Y-W-2500= | L-ISE-AD5Y-W-2500= | L-ISE-W-3UPG-2500= | L-ISE-W-UPG-2500= |
    | 3500 | 3500 Endpoints | L-ISE-BSE-3500= | L-ISE-ADV3Y-3500= | L-ISE-ADV5Y-3500= | L-ISE-AD3Y-W-3500= | L-ISE-AD5Y-W-3500= | L-ISE-W-3UPG-3500= | L-ISE-W-UPG-3500= |
    | 5000 | 5000 Endpoints | L-ISE-BSE-5K= | L-ISE-ADV3Y-5K= | L-ISE-ADV5Y-5K= | L-ISE-AD3Y-W-5K= | L-ISE-AD5Y-W-5K= | L-ISE-W-3UPG-5K= | L-ISE-W-UPG-5K= |
    | 10,000 | 10K Endpoints | L-ISE-BSE-10K= | L-ISE-ADV3Y-10K= | L-ISE-ADV5Y-10K= | L-ISE-AD3Y-W-10K= | L-ISE-AD5Y-W-10K= | L-ISE-W-3UPG-10K= | L-ISE-W-UPG-10K= |
    | 25,000 | 25K Endpoints | L-ISE-BSE-25K= | L-ISE-ADV3Y-25K= | L-ISE-ADV5Y-25K= | L-ISE-AD3Y-W-25K= | L-ISE-AD5Y-W-25K= | L-ISE-W-3UPG-25K= | L-ISE-W-UPG-25K= |
    | 50,000 | 50K Endpoints | L-ISE-BSE-50K= | L-ISE-ADV3Y-50K= | L-ISE-ADV5Y-50K= | L-ISE-AD3Y-W-50K= | L-ISE-AD5Y-W-50K= | L-ISE-W-3UPG-50K= | L-ISE-W-UPG-50K= |
    | 100,000 | 100K Endpoints | L-ISE-BSE-100K= | L-ISE-ADV3Y-100K= | L-ISE-ADV5Y-100K= | L-ISE-AD3Y-W-100K= | L-ISE-AD5Y-W-100K= | L-ISE-W-3UPG-100K= | L-ISE-W-UPG-100K= |

  • ISE 1.2 Profiler Feed Service

    Just curious if any updated device profiles have been made available for download via the feed service in ISE 1.2? 

    Just for information
    With ISE Release 1.2, Cisco is delivering a unique feed service that provides new and updated profiles for various IP-enabled devices when vendors release new devices. ISE customers will be able to recognize new devices, in addition to a multitude of other network-attached devices such as printers, video cameras, and specialized mobile computing devices.
    Cisco works with various vendors, partners, and customers to profile the multitude of IP-enabled devices that are expected to be deployed in various customer environments and then create profiles for the devices. These profiles are made available through the device feed service. An ISE server that is configured to connect to the feed service establishes a secure connection with the cloud-based service. The various profiles on the feed service are automatically downloaded to the ISE server, providing ISE customers the ability to detect the IP-enabled devices that connect to their network. The feed service will be available with ISE Release 1.2 and is part of the Advanced license.

  • ISE 1.2 with AD

    I have a strange issue but I think it is related to Windows machines; I just want to know if anyone has faced it in an ISE deployment.
    The ISE authentication logging receives the machine name (identity) as "mac address", then when ISE asks AD for it, it will not find it and then drops the machine.
    I tried to disjoin the PC from the domain and join it again; the issue was resolved for some time but appeared again after several days.
    Thanks,
    Ibrahim

    Configuring Active Directory as an External Identity Source:
    • Ensure that Cisco ISE hostnames are 15 characters or less in length. Active Directory does not validate hostnames
      larger than 15 characters.
    • Ensure that the Microsoft Active Directory server does not reside behind a network address translator and does not
      have a Network Address Translation (NAT) address. 
    • Ensure that the Microsoft Active Directory administrator account is valid, which is used for the join operation and it is
      not configured with Change Password on Next Login in Microsoft Active Directory. 
    • To perform the following task, you must be a Super Admin or System Admin.
    Note:
            Even when Cisco ISE is connected to Active Directory, there may still be operation issues. To identify them refer to
            the Authentication Report under Operations > Reports.
    You must complete the following tasks to configure Active Directory as an external identity source. 
    • Connecting to the Active Directory Domain 
    • Enabling Password Changes, Machine Authentications, and Machine Access Restrictions 
    • Configuring Active Directory User Groups
    Please check the below guide which may be helpful for you
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1316139

  • Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

    Need help from ISE experts/gurus in this forum.
    Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stop working completely and a reboot is required (very nice bug from Cisco). This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
    Scenario: 
    - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
    - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
    - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
    - node 3 is Policy service node - hostname is node3
    - node 4 is Policy service node - hostname is node4
    Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
    My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
    to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
    upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
    Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
    I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
    I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
    Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
    step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
    Proposed solution:
    step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
    step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
              form a new ISE 1.2 cluster independent of the old cluster,
    step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node3 will automatically join the ISE node2 which is already in version 1.2
    step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node4 will automatically join the ISE node2 which is already in version 1.2
    step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
    step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
    step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
    step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
    step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
    Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
    step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Do these steps make sense to you?
    Thanks in advance.

    David,
    A few answers to your questions -
    Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was released prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    You do not have the ability to install an ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this); the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node, and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
    Every ISE upgrade that I have attempted has not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
    I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
    I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
    I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
    Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
    Once the restore finished, I then restored the certificate and picked one of the PSNs
    backup the cert,
    Had the AD join user account handy
    reset-db,
    and run the upgrade script.
    Once that is done I then restore the cert
    Join the PSN to the new deployment
    Join both nodes to AD through primary admin node
    Monitor for a few days (separate consoles to make sure everything runs smooth)
    If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation; if it all goes smooth you can then follow the above steps for the other two nodes, starting with the last PSN and then the last admin node.
    Thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*
