ISE version 1.1.2 patch-5 or 1.1.3

Similar Messages

• Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

  Need help from ISE experts/gurus in this forum.
  Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) .  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601. 
  Scenario: 
  - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
  - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
  - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
  - node 3 is Policy service node - hostname is node3
  - node 4 is Policy service node - hostname is node4
  Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
  My understand  is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
  to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
  upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
  Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
  I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
  I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
  Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
  step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
  Propose solution:
  step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
  step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
            form a new ISE 1.2 cluster independent of the old cluster,
  step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
  step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
  step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
  step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
  step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
  step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
  step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
  Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
  step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  does these steps make sense to you?
  Thanks in advance.

  David,
  A few answers to your questions -
  Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
  https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
  You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
  Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
  I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
  I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
  I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
  Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
  Once the restore finished, I then restored the certificate and picked one of the PSNs
  backup the cert,
  Had the AD join user account handy
  reset-db,
  and run the upgrade script.
  Once that is done I then restore the cert
  Join the PSN to the new deployment
  Join both nodes to AD through primary admin node
  Monitor for a few days (seperate consoles to make sure everything runs smooth)
  If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
  Thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• ISE version 1.2 patch 6 release notes

  Hi Everyone,
  I notice that Cisco has released patch 6 for ISE version 1.2 yesterday. 
  I am trying to locate the all the "resolved" issues for patch 6; However, when I look at the ISE release notes
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/release_notes/ise12_rn.html#wp407339
  It only shows resolved issues up to patch 5.
  Where can I find the list of "resolved" issues that comes with patch 6?
  Thanks in advance.

  Due to the high demand for patch 6, it was released prior to the release notes.  The Release Notes will be updated within 24 hours.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE version 1.2 patch-5 backup schedules

  Hi,
  I have ISE version 1.2 patch 5 and I have scheduled a backup every day @3am EST. 
  Now I would like to delete that backup schedule.  I know how to disable the backup but I would like to delete it completely.  In other words, I do not want to see it everytime I log into the WebUI Administration --> backup & restore.
  Is it possible?       

  At this time, you can only disable the scheduled backups, you cannot delete them.  I know that enhancements to the sceduled backup are scheduled for 1.2.1 and hope that this is one of them.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE 1.2.0.899 patch 1,2,3,4 with blackberry 9700

                     Hi, I'm using ISE 1.2.0.899 patch 1,2,3,4, and I am trying to use guest portal on blackberry 9700.
  I verified that I am able to do 802.1x with blackberry.
  I associated to ssid, and opened web browser, and I can see the guest portal.
  However, when I clicked on "don't have account?" to creating guest ID, I could not go any further.
  does anyone know if it's supported or not ? if it's working or not ?
  I know in the network compatibility document for 1.2, there is no mention about blackberry.
  does anyone know about this ?

  Saurav Lodh, I did check the default time profile that is being used the sponsor. I even created a custom time profile to rule out any timeout on the Guest account, but even with the custom profile time the Guest account times out between 7 to 10 minutes and asks to re-authenticate again. I don't know if there is another place to look out for any timeouts, or is it maybe a bug with this version of ISE, but I couldn't find anybody else having this same issue which makes me think that it has to be a setting that is causing this problem.

• ISE 1.1.2.145 patch-3 and CLI password disable

  I am running ISE 1.1.2.145 patch-3 on VMWare ESXi 4.1  The ISE is running fine without any issues.
  During the initial setup of the ISE, I create an account called "admin" so that I can ssh into the ISE.  According to Cisco, the CLI password does NOT expire and does NOT lock out.  However, when I ssh into the ISE and "intentionally" entered the wrong password 5 times.  After that, I can no longer ssh or console in the ISE with the "admin" account.  The only way to fix this is to do "password recovery" with the DVD.
  I notice the same issue with ISE version 1.1.1.268 patch-5 as well.
  Is this a "known" issue with ISE or bug?

  There looks like there was a bug fixed for this issue in 1.1.1, you may need to open a tac case and see if the bug has resurfaced.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
  CSCub89895
  SNMP process stops randomly due to an issue in netsnmp
  The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of  the Cisco ISE node to fail until the daemon is restarted. This issue  has been observed in Cisco ISE, Release 1.1.1.
  Workaround   Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.
  For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE version 1.2.1.198 distribution deployment issue

  Dear All, I am having 3 ISE (Admin, PSN & MNT node) running on version 1.2.1.198 with no patch. My MNT node is not sync. with admin node. I need to apply a certificate but getting error. I am unable to deregister it. I have tried to push the patch 3 by installing same on Admin node but it is not getting push to either MNT or PSN node. I am attaching the screen-shots for your reference. Please let me know if you need any input from my side.

  Hi, I have made PSN as monitor Primary, then de-registered the Monitor node & registered it back & made it monitor primary. Now all nodes are syncing properly. But after this my call flow is breaking. All user request are going for default deny, i.e. access reject & drop. Earlier it was working properly, users were able to connect / authenticated & authorized also access the websites properly. Earlier only monitor node was not syncing , but now although it is syncing but call flow is breaking & there is no change in configuration. I have updated the ISE version 1.2.1.198 with only a patch , i.e. patch 3 on all 3 nodes i.e. admin, PSN & monitor. Please suggest also let me know incase you need more info.

• Acrobat 9.5 - use Touchup text Tool to edit PDF. Updates do not display. But, if I "save as" Word doc, the edits appear in Word. This feature worked in earlier versions of 9.x patches.

  Acrobat 9.5 - use Touchup text Tool to edit PDF. Updates do not display. But, if I "save as" Word doc, the edits appear in Word. This feature worked in earlier versions of 9.x patches.

  I have a suspicion you're working with a scanned document that has had OCR run to recognize the text. The recognized text may be stored on an invisible layer above the image of the text, and that is what you're toucing up. It's invisible, so you don't see it, but retains the changes, so exporting produces the new edits.
  When you run OCR to recognize scanned text,, try using the ClearScan option, instead of Searchable Text. See this help page on Acrobat (this is for version X, but still applies):
  Adobe Acrobat X Pro * Recognize Text - General Settings dialog box
  mh++

• Cisco Identity Services Engine (ISE) Version 1.2: What's New in Features and Troubleshooting Options

  With Ali Mohammed
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about what’s new in Cisco Identity Services Engine (ISE) Version 1.2 and to understand the new features and enhanced troubleshooting options with Cisco expert Ali Mohammed.
  Cisco ISE can be deployed as an appliance or virtual machine to enforce security policy on all devices that attempt to gain access to network infrastructure. ISE 1.2 provides feature enrichment in terms of mobile device management, BYOD enhancements, and so on. It also performs noise suppression in log collection so customers have greater ability to store and analyze logs for a longer period.
  Ali Mohammed is an escalation engineer with the Security Access and Mobility Product Group (SAMPG), providing support to all Cisco NAC and Cisco ISE installed base. Ali works on complicated recreations of customer issues and helps customers in resolving configuration, deployment, setup, and integration issues involving Cisco NAC and Cisco ISE products. Ali works on enhancing tools available in ISE/NAC that are required to help troubleshoot the product setup in customer environments. Ali has six and a half years of experience at Cisco and is CCIE certified in security (number 24130).
  Remember to use the rating system to let Ali know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through September 6, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Ali,
  We currently have a two-node deployment running 1.1.3.124, as depicted in diagram:
  http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_010.html#ID89
  Question 1:
  After step 1 is done, node B becomes the new primary node.
  What's the license impact at that stage, when the license is mainly tied to node A, the previous primary PAN?
  Step 3 says to obtain a new license that's tied to both node A & node B, as if it's implying an issue would arise, if we leave node B as the primary PAN, instead of reverting back to node A.
  =========
  Question 2:
  When step 1 is completed, node B runs 1.2, while node A runs 1.1.3.124.
  Do both nodes still function as PSN nodes, and can service end users at that point? (before we proceed to step 2)
  Both nodes are behind our ACE load balancer, and I'm trying to confirm the behavior during the upgrade, to determine when to take each node out of the load balancing serverfarm, to keep the service up and avoid an outage.
  ===========
  Question 3:
  According to the upgrade guide, we're supposed to perform a config backup from PAN & MnT nodes.
  Is the config backup used only when we need to rollback from 1.2 to 1.1.3, or can it be used to restore config on 1.2?
  It also says to record customizations & alert settings because after  the upgrade to 1.2, these settings would change, and we would need to  re-configure them.
  Is this correct? That's a lot of screen shots we'll need to take; is there any way to avoid this?
  It says: "
  Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again."
  Exactly how do you disable services? Disable all the authorization policies?
  http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html#reference_4EFE5E15B9854A648C9EF18D492B9105
  ==================
  Question 4:
  The 1.1 user guide says the maximum number of nodes in a node group was 4.
  The 1.2 guide now says the maximum is 10.
  Is there a hard limit on how many nodes can be in a node group?
  We currently don't use node group, due to the lack of multicast support on the ACE-20.
  Is it a big deal not to have one?
  http://www.cisco.com/en/US/customer/docs/security/ise/1.2/user_guide/ise_dis_deploy.html#wp1230118
  thanks,
  Kevin

• Secure Network Servers (SNS) in ISE version 1.1.4

  Hi board,
  I'm quite confused about the supported ISE versions for the new Cisco Secure Network Server 3415 and 3495.
  In nearly all documents it is stated, that the support for this HW will be introduced with ISE 1.2
  For example ISE Q&A
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
  What else is being released with ISE 1.2*?
  A. Two new hardware platforms called the Cisco Network Secure Servers*. These new servers bring scalability improvement as they are based on the powerful Cisco UCS® C220 Rack Server platform and configured to support the Cisco Identity Services Engine* (ISE), Network Admission Control (NAC), and Access Control System (ACS)  security applications. The multiuse Cisco Secure Network Servers offer  many improvements over current ISE, ACS, and NAC appliances, and are the  platform recommended to deploy newer versions of these applications.  During ordering, customers can specify which security application they  would like to have installed. See the Product Details section for more  information.
  On the other hand, in the 1.1.x release notes it's stated, that the HW is supported in the current 1.1.4 release
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp417581
  New Features in Cisco ISE, Release 1.1.4 Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series  appliance. For details on the installing and configuring the Cisco SNS  3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the  following location:
  What is true now? What HW appliance do I chose, if I want to order today?
  I don't want to order the old appliances (33xx), because they are already EoL announced:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/eol_C51-728424.html
  Thanks!

  Hi Johanne,
  Cisco ISE software is packaged with your appliance  or image for installation. Cisco ISE, Release 1.2 is shipped on the  following platforms. After installation, you can configure Cisco ISE  with specified component personas (Administration, Policy Service, and  Monitoring) or as an Inline Posture node on the platforms.
  Supported Hardware and Personas:
  Hardware Platform Persona Configuration
  Cisco SNS-3415-K9
  (small)
  Any
  •Cisco UCS 1 C220 M3
  •Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
  •16-GB RAM
  •1 x 600-GB disk
  •Embedded Software RAID 0
  •4 GE network interfaces
  Cisco SNS-3495-K92
  (large)
  Administration
  Policy Service
  Monitor
  •Cisco UCS C220 M3
  •Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
  •32-GB RAM
  •2 x 600-GB disk
  •RAID 0+1
  •4 GE network interfaces
  Cisco ISE-3315-K9 (small)
  Any
  •1x Xeon 2.66-GHz quad-core processor
  •4 GB RAM
  •2 x 250 GB SATA3 HDD4
  •4x 1 GB NIC5
  Cisco ISE-3355-K9 (medium)
  Any
  •1x Nehalem 2.0-GHz quad-core processor
  •4 GB RAM
  •2 x 300 GB 2.5 in. SATA HDD
  •RAID6 (disabled)
  •4x 1 GB NIC
  •Redundant AC power
  Cisco ISE-3395-K9 (large)
  Any
  •2x Nehalem 2.0-GHz quad-core processor
  •4 GB RAM
  •4 x 300 GB 2.5 in. SAS II HDD
  •RAID 1
  •4x 1 GB NIC
  •Redundant AC power
  Cisco ISE-VM-K9 (VMware)
  Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
  •For CPU and memory recommendations, refer to the "VMware Appliance Sizing Recommendations" section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.7
  •Hard Disks (minimum allocated memory):
  –Stand-alone—600 GB
  –Administration—200 GB
  –Policy Service and Monitoring—600 GB
  –Monitoring—500 GB
  –Policy Service—100 GB
  •NIC—1 GB NIC interface required (You can install up to 4 NICs.)
  •Supported VMware versions include:
  –ESX 4.x
  –ESXi 4.x and 5.x
  1 Cisco Unified Computing System (UCS)
  2 Inline  posture is a 32-bit system and is not capable of symmetric  multiprocessing (SMP). Therefore, it is not available on the SNS-3495  platform.
  3 SATA = Serial Advanced Technology Attachment
  4 HDD = hard disk drive
  5 NIC = network interface card
  6 RAID = Redundant Array of Independent Disks
  7 Memory  allocation of less than 4GB is not supported for any VMware appliance  configuration. In the event of a Cisco ISE behavior issue, all users  will be required to change allocated memory to at least 4GB prior to  opening a case with the Cisco Technical Assistance Center.
  Please check the following link for fruther information.
  https://supportforums.cisco.com/message/3986953#3986953

• Does Cisco ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 support command accouting like ACS

  Hi
  Can Anybody can update whether   ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting
  Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting ..
  has succeed in  command level accounting on  Cisco ISE ..
  Please update
  Cisco ISE doesn't have TACACS feature ...

  Command Accounting is a TACACS+ feature so not for ISE....yet.
  However, you can do the following to send commands to syslog and not including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log. increase or decrease as you have memory.  The notify syslog is what sends it via syslog.
  conf t
  archive
  log config
  logging enable
  logging size 200
  hidekeys
  notify syslog
  end
  wr mem
  Remember, syslog is clear text  :-)  log away from user traffic when possible.  Or use TLS based syslog when possible.
  I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.
  Please rate post you consider useful.
  -James

• ISE version 1.3 and static route not working

  This command works without any issues with ISE version 1.1 and 1.2:
  ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
  However, it does NOT work in ISE version 1.3.  See below:
  ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
  % Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.
  % Error: Error adding static route.
  ciscoisedev/admin(config)#
  Any ideas anyone?

  So it appears that there is no option to lock down access to the shell now that the command that you used to use is no longer valid. What is worse is that there isn't an option to create an ACL in the shell that you could attach to the interface. So I would recommend that you create a defect with Cisco TAC and get this re-added or request that ACL functionality is added. 
  For the GUI (in case you were not already aware of this), you can restrict access from Administration > Admin Access > Settings > Access > IP Access

• Cisco ISE Version control via HTTPS

  Hi there. 
  Is it possible to verify the ISE version by Web GUI? If yes. where can I find the version number`?'
  BR.

  At the bottom left corner there is a question mark with button "help", hover over it and then press "About Identity Services Engine".

• How to upgrade eSourcing from version 5.1.8 Patch 3 to 5.1.8 Patch 4

  Please some one can guide me How to upgrade eSourcing from version 5.1.8 Patch 3 to 5.1.8 Patch 4 since i am new in CLM.

  Hello Gadewar,
  First of all make sure you read all the details given in the Upgrade Guide located at "Installation and Upgrade Guide"->SAP SRM->SAP E-Sourcing 5.1/SAP CLM 2.0->E-Sourcing 5.1/CLM 2.0 Component Upgrade Guide PDF at service.sap.com/support website.
  Note you need to have the support account to login to that website.
  How ever I am listing down basic steps required for upgrade below.
  1) Download the installables from the website I did mention above, have DB jar, have custom jar (optional).
  2) Take backup of the DB.
  3) Take backup of Config folder. Also take backup of the <home Dir>/Lib if you have some customizations in the form of JARS.
  3) Make sure the userid which is used for connection to DB have the required permission like CONNECT, RESOURCE, UNLIMITED TABLESPACE etc. It is given in the guide I mentioned above in section 4.1 Verify Privileges of Oracle Service Account.
  4) Stop ESO instance and run the setup and then upgrade scripts.
  5) Undeploy the old ESO application from App server and then deploy new .EAR from new <home dir>/fsapp on the app server.
  6) Start the app server and your ESO will be ready. You may need to use Workbooks to upload Localized Resources. This is the case if you have modified some OOTB localized resources in the past as a part of customization and have not used the overrides to give new resource values. If you have used overrides for localized resources in the past then you are good and need not to load the workbook.
  Again usage of Workbook depends on the requirement to requirement. You may need to use workbook based upon your business needs.
  Make sure you have not modified any OOTB query definitions as a part of customizations, if that is the case you will loose those query definitions as upgrade scripts overrides OOTB queries and then you should backup those as well before upgrade and then you may re-pull them after upgrade.
  Regards,
  Jagjeet Singh
  Edited by: ESO123 on Feb 2, 2011 8:54 PM

• ISE 1.2.0.899 Patch 7

  Hey guys I have ISE 1.2.0.899 with patch 7 installed in my environment, also I have a WLC 5508 running version 7.4.121.0. We are authenticating our user with ISE. We are having an issue with our Guest WLAN, after we create an account with the sponsor portal for our guests, they can log in and get to the internet, but after 7 to 10 minutes the guest user is ask to re-authenticate again. I check in the WLC to see if there is any timeout for our Guest WLAN, but there not. At this point we don't know what is causing this problem since it only happens with the Guest WLAN, the other WLAN for Users that authenticate with AD credentials works without any problems. Is anybody experiencing this same issue? 

  Saurav Lodh, I did check the default time profile that is being used the sponsor. I even created a custom time profile to rule out any timeout on the Guest account, but even with the custom profile time the Guest account times out between 7 to 10 minutes and asks to re-authenticate again. I don't know if there is another place to look out for any timeouts, or is it maybe a bug with this version of ISE, but I couldn't find anybody else having this same issue which makes me think that it has to be a setting that is causing this problem.