Upgrading a distributed deployment to ISE 1.2, licensing

The current deployment is 5 nodes (2 adm, 1 mon, 2 psn).
What the docs report is:
You do not have to manually deregister the node before an upgrade. Use the application upgrade command to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the license file for the Primary Administration node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco Technical Assistance Center for assistance.
We have a 10k base licence + 100 advanced (only the primary admin node registered).
The deployment is 1 year old.
What happens after the secondary admin node has been upgraded to 1.2?
Will it be accessible via the GUI? Will it have a new grace period licence? Will it use the other admin node's licence?
This is because during the upgrade we will need to check the "new" 1.2 admin status to proceed with the other nodes...
Thank you.

For distributed deployments, the upgrade process follows a Split Deployment model. After you upgrade the secondary Administration node to the new release, Cisco ISE creates a new deployment. The secondary Administration node from the old deployment becomes the primary Administration node in the new deployment. When you upgrade the rest of the nodes in the old deployment, they join the new deployment.
When you upgrade the secondary Administration node from the old deployment, it saves the old deployment configuration and also notifies the primary Administration node of the upgrade. The primary Administration node in the old deployment notifies the other nodes about the upgrade. After upgrade, the nodes from the old deployment join the primary Administration node in the new deployment. The upgrade process retains licenses and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files with two-node unique device identifiers (UDIs). You can request a new license with the UDI of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for details.
http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html

Similar Messages

  • ISE distributed deployment upgrade

    My customer has an ISE deployment with 4 nodes: Admin/Monitor Primary and Secondary plus 2 Policy Servers. The Admin nodes are VMs, the Policy nodes are 3315 appliances.
    The system was installed almost three years ago with version 1.1.0 ... It appears the system never had issues, so it was never patched or upgraded. Why fix something that is working fine?
    Today there was an issue because the certificates expired, so in the review to get the system up and running again, the update issue was brought into the conversation. We would like to do an upgrade to the last supported version, so I am wondering about some tips and ideas to take care of when planning the upgrade.
    I have some doubts:
    Can the 3315 appliance support release 1.3 without issues?
    I know the upgrade procedure is basically installing a .tar file, but I'm not clear on how the process should be in a distributed deployment. I have run upgrades on standalone systems, but never in a distributed deployment. So, do I need to upgrade the Primary Admin only, and the other nodes would upgrade automatically?
    Would I need to upgrade 1.1 to 1.2 first and then 1.2 to 1.3?
    I understand release 1.1 was 32-bit, and versions 1.2 and 1.3 are 64-bit, so I guess the process would take a long time (perhaps a couple of hours), and a maintenance window would need 3 or 4 hours until the full system becomes stable.
    Can you give me some advice and suggestions to avoid major issues?
    Regards.
    Daniel Escalante.

    Can you give me some advice and suggestions to avoid major issues?
    Documents related to the upgrade were given by Venkatesh; refer to those. Along with that, additional information:
    Can the 3315 appliance support release 1.3 without issues?
    Cisco ISE-3315-K9 (small)
    Supports ISE 1.3
    Any
    1x Xeon 2.66-GHz quad-core processor
    4 GB RAM
    2 x 250 GB SATA HDD
    4x 1 GB NIC
    I know the upgrade procedure is basically installing a .tar file, but I'm not clear how the process in a distributed deployment should be. I had run upgrades in standalone systems, but never in a distributed deployment. So, I need to upgrade the Primary Admin only and the other nodes would upgrade automatically?
    When upgrading to Cisco ISE, Release 1.2, first upgrade the secondary Administration node to Release 1.2. You do not have to manually deregister the node before an upgrade. Use the application upgrade command to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the license file for the Primary Administration node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco Technical Assistance Center for assistance.
    I would need to upgrade 1.1 to 1.2 first and then 1.2 to 1.3? I understand release 1.1 was 32-bit, and versions 1.2 and 1.3 are 64-bit, so I guess the process would take a long time (perhaps a couple of hours), so a maintenance window would need 3 or 4 hours until the full system becomes stable.
    If you are on a version earlier than Cisco ISE, Release 1.2, you must first upgrade to 1.2 and then to 1.3.
    You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
    Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
    Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
    Cisco ISE, Release 1.1.2, with the latest patch applied
    Cisco ISE, Release 1.1.3, with the latest patch applied
    Cisco ISE, Release 1.1.4, with the latest patch applied
    Type of Deployment                               | Node Persona                               | Time Taken for Upgrade
    Standalone (2000 endpoints)                      | Administration, Policy Service, Monitoring | 1 hour 20 minutes
    Distributed (25,000 users and 250,000 endpoints) | Secondary Administration                   | 2 hours
    Distributed (25,000 users and 250,000 endpoints) | Monitoring                                 | 1.5 hours
    After upgrading to ISE 1.2, upgrade to ISE 1.3
    Type of Deployment                               | Node Persona                               | Time Taken for Upgrade
    Standalone (2000 endpoints)                      | Administration, Policy Service, Monitoring | 1 hour 20 minutes
    Distributed (25,000 users and 250,000 endpoints) | Secondary Administration                   | 2 hours
    Distributed (25,000 users and 250,000 endpoints) | Monitoring                                 | 1.5 hours
    Factors That Affect Upgrade Time
    Number of endpoints in your network
    Number of users and guest users in your network
    Profiling service, if enabled

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers: one is the DC and the other one is a DR. I have a requirement to implement the guest access service using CWA and to get a public certificate for HTTPS to avoid certificate errors on client devices.
    How do I deploy the ISE personas for HA across these two data centers?
    After reading the Cisco doc, I understood that we can have two PANs (Primary in DC and Secondary in DR), and likewise for MnT (Monitoring will be the same as PAN); however, I can have 5 PSNs running in the secondary, i.e. in the DR ISE. However, I am confused about HA for the PSNs: since we have all PSNs in the secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt about the public certificate:
    Public Certificate: The ISE domain must be a registered domain name, or part of a registered domain name, on the Internet. For that I need the domain name being used by the customer.
    Please correct me if I am wrong about my certificate understanding:
    Since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install the same on both ISE servers.
    Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it on both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc.
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in the primary DC) while a second WLC or SSID prefers PSN server B (located in the backup DC)
    Last but not least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE NODE NOT REACHABLE when building distributed deployment

    I am trying to build a distributed deployment with the following personas:
    2 policy admin nodes
    2 monitoring nodes
    4 policy service nodes
    This was a project that was partially implemented but never in production. It was in a distributed deployment, but half the nodes were no longer working (http errors or devices weren't reachable or could not sync). I decided to start from scratch. All nodes were:
    -de-registered
    -application was reset to factory defaults on all nodes
    -upgraded all 8 nodes to 1.1.4.218 patch 1
    -installed all new certs and joined all nodes to the domain
    -added to DNS forward and reverse lookup zones
    When I make 1 admin node primary and register the other nodes (secondary admin, monitoring, policy services) the nodes successfully register and show up in the deployment window of the primary; however, all the nodes show as NODE NOT REACHABLE. After registration, I've noticed that the registered nodes are still showing as STANDALONE if I access the GUI. I've tried rebooting them manually after registration and they are still unreachable. I have also tried resetting the database user password from the CLI on both admin nodes and the results are always the same.

    Originally I had added them all at the same time. I thought that maybe I just wasn't waiting long enough for the sync. I waited an entire day and all the nodes were still unreachable. At this point, I've de-registered all the nodes, rebooted all the nodes, converted the primary back to standalone (the remaining nodes never converted from standalone to distributed even when I rebooted them after registering despite a message that they were successfully registered), converted one node back to primary and tried to register just the secondary admin node giving it plenty of time to sync; this node is still not reachable from the primary.
    I've quadruple checked the certificates on all the nodes, these certs were all added on the same day (just last week) and the default self-signed certs were removed.
    I had restored from a backup on the primary so I might just reset the config on that node and try joining the other nodes before I restore again.

  • ISE PSN rebooted and will not rejoin distributed deployment

    Hi,
    A PSN was powered down by accident and I'm trying to register it back to its PAN as part of a distributed deployment but I keep getting the error message "ISE not in Standalone mode".
    I'm not sure how to set the PSN node back to Standalone mode when it's no longer part of the deployment.
    Thanks for any help.
    Barry

    Hi,
    Yes, deregister the PSN from the PAN; after deregistration this node becomes a Standalone node.

  • ISE 1.1.1 firewall rules distributed deployment

    My question is in reference to the following link:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
    Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened, e.g. Admin node TCP 22, 80, 443 for management from administrator hosts/ranges. In other instances it is difficult to work out, e.g. TCP 1521 Database listener and AQ: is this for ISE nodes only or for access devices as well?
    My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications, and which rules are for access device - ISE, or ISE - access device? One of the rules I am pretty confused about is the PSN CoA ports. Should the rule be WLC - PSN on 1700 and 3799, or is it the other way round, or unidirectional?
    I am pretty sure that the ports are meant to be ISE-ISE in most instances, barring the PSN for RADIUS and CoA.

    Try this for size.
    In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
    You might be able to cut this list down, and you might have to add to it for any specific requirements.
    From PSN to AD (potentially all AD nodes):
    TCP 389, 3268, 445, 88, 464
    UDP 389, 3268
    From PSN to Monitoring nodes:
    TCP 443
    UDP 20514
    PSN to Admin Nodes (2Way):
    TCP 443, 1521
    ICMP echo and reply (heartbeat)
    WLC to PSN:
    TCP 443, 8443, 80, 8080
    UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
    PSN to other PSN’s (2 way)
    UDP 30514, 45588, 45990
    Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)
    TCP 8443, 8905
    UDP 8905
    Admin/Sponsor to all ISE nodes:
    TCP 22, 80, 443, 8080, 8443
    UDP 161
    PSN access to DNS servers:
    TCP/UDP 53
    PSN access to NTP servers:
    UDP 123

  • ISE's Internal Root CA. How to generate new one in distributed deployment?

    Hello,
    I have two ISE nodes in distributed deployment. I would like to generate new Internal Root CA certificate. I was able to do that from primary node, but only FOR primary node. How can I achieve this for the other node?
    Best Regards,
    Marek

    Hi Marek-
    All of the certificate management is performed from the Admin Node which becomes the Root CA for the ISE PKI. You generate Subordinate CA certificates to your Policy Nodes from the Primary Admin node. Check this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#task_FF93B4C51BAC4CA196A48B607DAA595D
    Also, since the primary node is the Root CA, you should export the certificate and the private key and import it to your secondary Admin node. This will enable the secondary node to be promoted to a Root CA in case of a failure of the primary admin node:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#concept_435C4E3FF56949B1B4D5A0C73671AB22
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE Distributed Deployment

    Hi All,
    Deploying multiple PSNs in a distributed deployment, do all the PSNs have to be in the same domain? I have 8 set up in one domain, and would like to run a few more through firewalls and using a different DNS domain.
    Also interested to see how AD integration works with this. I'd still expect to join the nodes to the common AD domain. Would they be able to join an AD domain which isn't linked with their FQDN?
    I'm hoping that by running the other policy nodes on an external domain, I can use a standard CSR for the external public certs.
    All comments, suggestions, spoilers welcomed! The question is out to Cisco but I know the value of these forums too.

    Hi,
    You will have to join all ISE nodes to the same AD domain since the policy for user enforcement (for any external conditions) is configured at the Primary Admin node and replicated down to the PSNs. However, if you choose to configure a different DNS domain for one PSN and then join it to the common AD domain, the only issue I see with this is the sAMAccountName being sent in the username and not the UPN.
    If a user requests authentication with johndoe and your AD domain is abc.com but your DNS domain is def.com, then ISE will try to authenticate [email protected] (from my experience); there have been some improvements where ISE should be able to note that this is an authentication request and should suffix the request with [email protected], but I am not 100 percent sure.
    If you have a Cisco account rep (with your deployment size I am absolutely sure you do), have them ping the BU on this issue and see what the official response is.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • We have 2000 base and advanced licenses, we are running ISE 1.2; if we upgrade to 1.3 what happens to the licenses, do we need to buy Plus/Apex licenses?

    We have 2000 base and advanced licenses, we are running ISE 1.2; if we upgrade to 1.3, what happens to the licenses? Do we need to buy Plus/Apex licenses?

    When you migrate to 1.3 your license will be updated; the Advanced license becomes Plus and Apex.

  • How to deploy Cisco ISE agents through SCCM 2012 R2

    Hi,
    We are deploying Cisco ISE in our setup. We need to deploy the following 3 .msi and 1 .xml files to 3000 PCs through System Center 2012 R2 Configuration Manager.
    The configuration.xml file must be deployed to the specified location (%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles).
    anyconnect-nam-win-4.0.02052-k9.msi
    anyconnect-win-4.0.02052-pre-deploy-k9.msi
    nacagentsetup-win-4.9.0.42.msi
    configuration.xml
    The above 3 .msi files should be installed silently and the configuration.xml file copied to the said location.
    I want to create one package to deploy the 3 .msi files at once and another package for the .xml file.
    or
    Is there any way to create one package that installs the .msi files first and copies the .xml file as well?
    Any idea please.
    Regards, Ali

    Hi,
    Have you tried to create a script?
    You can easily test this by running your script manually with psexec -s
    to emulate running as the SYSTEM account.
    Reference:
    Robocopy
    https://technet.microsoft.com/en-us/library/cc733145.aspx
    Windows Installer : MSIEXEC Silent Install End to END
    http://sccm2o12.blogspot.com/2010/04/windows-installer-msiexec-silent.html
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
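    An added example of such a script (not from the original thread or any Cisco/Microsoft package): a PowerShell wrapper SCCM can run as SYSTEM that installs the three .msi files silently in dependency order (the AnyConnect core pre-deploy package before the NAM module that requires it), checks each msiexec exit code, and only then copies configuration.xml into the newConfigFiles folder named in the question. The log directory and the installer-to-script layout (all files in the package source folder) are assumptions.

```powershell
# Deploy-IseAgents.ps1 - assumed to be launched by SCCM as SYSTEM from the package
# source folder that holds the three .msi files and configuration.xml.
$ErrorActionPreference = 'Stop'

$PackageDir = $PSScriptRoot
$LogDir     = Join-Path $env:ProgramData 'Cisco\ISE-Deploy\Logs'   # assumed log location
$ConfigDir  = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles'

# Order matters: the AnyConnect core (pre-deploy) must exist before the NAM module.
$Installers = @(
    'anyconnect-win-4.0.02052-pre-deploy-k9.msi',
    'anyconnect-nam-win-4.0.02052-k9.msi',
    'nacagentsetup-win-4.9.0.42.msi'
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Install-MsiSilently {
    param([string]$MsiPath, [string]$LogPath)
    # /qn = no UI, /norestart = let SCCM decide on reboots, /L*v = verbose log for troubleshooting
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/L*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

$rebootNeeded = $false
foreach ($msi in $Installers) {
    $path = Join-Path $PackageDir $msi
    if (-not (Test-Path $path)) { throw "Installer not found: $path" }
    $log  = Join-Path $LogDir "$msi.log"
    $code = Install-MsiSilently -MsiPath $path -LogPath $log
    switch ($code) {
        0       { Write-Output "$msi installed" }
        3010    { Write-Output "$msi installed, reboot required"; $rebootNeeded = $true }
        default { throw "$msi failed with msiexec exit code $code (see $log)" }
    }
}

# Stage the NAM profile only after the module is installed; NAM reads newConfigFiles on service start.
New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
Copy-Item -Path (Join-Path $PackageDir 'configuration.xml') -Destination $ConfigDir -Force
Write-Output "configuration.xml copied to $ConfigDir"

# Report a pending reboot to SCCM with the standard 3010 exit code.
if ($rebootNeeded) { exit 3010 } else { exit 0 }
```

    Test it the way the reply suggests (psexec -s powershell.exe -ExecutionPolicy Bypass -File .\Deploy-IseAgents.ps1) before wrapping it as an SCCM program, and treat a non-zero exit other than 3010 as a failed deployment.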

  • Selling MacBook Pro 2011. It came with Lion, I upgraded to Mountain Lion and Mavericks. Can the license be transferred to the new owner? How?

    Selling MacBook Pro 2011. It came with Lion, I upgraded to Mountain Lion and Mavericks. Can the license be transferred to the new owner? How?

    Good question now that Mavericks is free to all.
    It used to be - and is probably still the case - that to comply with the license you should erase and re-install the OS that came pre-installed on the Mac when new. If there were restore disks they needed to be passed on with the Mac.
    I'm happy to be corrected on this by someone who's more au fait with the legalese, but an upgraded OS is tied to an AppleID whereas the original OS is tied to the computer, not an AppleID.
    My guess is, that if you launched the Recovery HD, erased the drive using Disk Utility and re-installed the OS, Lion would be installed.
    Be interesting to see what others say.

  • Cisco ISE - expired demo license alarm

    Hi,
    We are implementing Cisco ISE 1.2.0.899 and have an alarm reporting an expired license. This alarm refers to the Advanced License demo and is therefore a false positive.
    The issue is that we cannot remove the demo license and stop the root cause of this false positive alarm.
    Does anyone have an idea?
    Thanks in advance.
    Regards,
    Telmo Oliveira

    Please refer to the discussion below
    https://supportforums.cisco.com/discussion/12059041/ise-advanced-eval-license-alerts-after-full-base-install

  • While trying to upgrade, I get this error message on the license agreement pop-up window: The license folder for this version cannot be found.

    When prompted to upgrade, I get an error message on the License agreement pop-up window.
    Consequently, I cannot continue with the normal agreement procedure to accept and install.
    == It started when I was prompted to upgrade.

    Do a clean reinstall and download a fresh Firefox copy from http://www.mozilla.com/firefox/all.html and save the file to the desktop.
    Uninstall your current Firefox version and remove the Firefox program folder before installing that copy of the Firefox installer.
    It is important to delete the Firefox program folder to remove all the files and make sure that there are no problems with files that were leftover after uninstalling.
    You can skip the step to create a new profile, that is not necessary for this issue.
    See http://kb.mozillazine.org/Standard_diagnostic_-_Firefox#Clean_reinstall

  • Incorrect Deployed To count for device licensing

    My Deployed To count for device licensing says 22, but I've only deployed it to 6 machines.  Is there a way to see what computers Adobe thinks are using licenses?

    Did you ever get a reply or find an answer to this? I'm “missing” some licenses myself, and there is no information about this. Technical details for sysadmins are sorely lacking.

  • If I upgrade to latest version QuickTime will the Pro license still work?

    I am running QuickTime 7.0.3 and just bought QuickTime Pro a few days ago to combine some short videos. I should have upgraded to the latest version of QuickTime before getting Pro but I didn't think about it at the time. If I upgrade to QuickTime 7.5 now, will the license I purchased for QuickTime Pro 7.0.3 work with QuickTime 7.5, or will my 7.0.3 Pro license be dumped and I will have to buy another $30 Pro license for 7.5?

    Normally it will be right in the middle of the page, a big blue button that says "Free Download Now". If you don't see that, your web browser isn't showing the entire page. You might try a different browser. You can also download it from here:
    http://support.apple.com/downloads/QuickTime7_5_5_forWindows
    though that site is down for maintenance right now.
    Message was edited by: Dave Sawyer
