Upgrading Cisco ISE

Cisco Identity Services Engine (ISE) supports application upgrades only from the command-line interface (CLI). You can upgrade Cisco ISE from any previous release to the next release. A previous release can have patches installed on it, or it can be any maintenance release.

• Important Notes To Read Before You Upgrade to Release 1.2

• Obtain a Backup Before Upgrade to Prevent Any Data Loss

• Cisco ISE 1.2 Upgrade Process

• Cisco ISE 1.2 Supported Upgrade Paths

• Downloading the Upgrade Software

• CLI Command for Upgrading to Release 1.2

• Upgrade Methods for Different Types of Deployments

• Verifying the Upgrade Process

• Post-Upgrade Tasks

• Known Upgrade Issues

Cisco Identity Services Engine Upgrade Guide, Release 1.2 OL-27087-01 1


Important Notes To Read Before You Upgrade to Release 1.2

Note

• Ensure that you do not accidentally delete system default sponsor groups and sponsor group policies when you upgrade Cisco ISE, Release 1.0.4.573 to higher versions (for example, Cisco ISE, Release 1.1, 1.1.x, and 1.2) or restore from the Cisco ISE, Release 1.0.4.573 backup to higher versions. The upgrade fails if system default sponsor groups and sponsor group policies are missing in Cisco ISE.

• Ensure that you uncheck the Disable user account after <60> days if password was not changed (valid range 1 to 3650) option here: Administration > Identity Management > Settings > User Password Policy page. Users are disabled if the password expires after the default setting (60 days) when you upgrade to Cisco ISE, Release 1.2 and restore the Cisco ISE, Release 1.1.x backup.

• You can upgrade only Administration, Policy Service, and Monitoring nodes. Upgrades are not supported for Inline Posture Nodes (IPNs). For IPNs, you must reimage your appliance and perform a fresh installation.

• We strongly recommend that you copy the upgrade bundle to a local repository on all the nodes. Having the upgrade bundle in the local repository significantly reduces the time it takes to download it from the network during the upgrade process.

1 Create a local repository for disk:/ from the Cisco ISE UI.

2 Copy the upgrade bundle to the local disk using the copy command from the Cisco ISE CLI:

copy ftp-filepath ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk:/

Again, after you copy the upgrade bundle to the local disk, check to ensure that the size of the upgrade bundle in your local disk is the same as it is in the repository. Use the dir command to verify the size of the upgrade bundle in the local disk.

• Verify the MD5sum of the upgrade bundle. After you download the upgrade bundle to a repository such as FTP or SFTP, check and verify that the MD5sum is correct. You can use the md5sum command in Linux or the md5 command in Mac OS X.

• Ensure that you have read the VMware Virtual Machine Settings for Cisco ISE, Release 1.2 section if you are upgrading Cisco ISE on a virtual machine. These recommendations are useful when you choose to reimage some nodes, in case of replacing nodes with new VMs or appliances and also if there are any secondary node upgrade failures where remediation is not possible.
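A scripted form of the size and MD5 checks described in the note above, for the host that stages the bundle in the FTP or SFTP repository. This is an added Python example, not part of the Cisco guide; the reference digest and byte count are values you record from the download source, and the sample file and digests in the demo are constructed so it runs offline.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so a large bundle is never held in memory


def file_md5(path):
    """Return the lowercase hex MD5 digest of the file at path."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_md5(text):
    """Pull the digest out of a bare value, `md5sum` output or Mac OS X `md5` output."""
    # Exactly 32 hex digits, not part of a longer hex run (such as a SHA-256 value).
    match = re.search(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])", text)
    if match is None:
        raise ValueError("no 32-digit hexadecimal MD5 value in %r" % text)
    return match.group(0).lower()


def verify_bundle(path, expected_md5, expected_size):
    """Check the size first (cheap), then the MD5. Returns (ok, reason)."""
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, "size mismatch: expected %d bytes, found %d" % (
            expected_size, actual_size)
    actual_md5 = file_md5(path)
    if actual_md5 != parse_md5(expected_md5):
        return False, "MD5 mismatch: found %s" % actual_md5
    return True, "size and MD5 match"


if __name__ == "__main__":
    # Constructed stand-in for the upgrade bundle so the example runs offline.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"hello\n")
    try:
        # Reference values in the formats the two tools print (constructed).
        print(verify_bundle(
            tmp.name, "b1946ac92492d2347c6235b4d2611184  bundle.tar.gz", 6))
        print(verify_bundle(
            tmp.name, "MD5 (bundle.tar.gz) = B1946AC92492D2347C6235B4D2611184", 6))
        # A copy that is one byte short of the recorded size is rejected
        # before any hashing is done.
        print(verify_bundle(tmp.name, "b1946ac92492d2347c6235b4d2611184", 7))
    finally:
        os.unlink(tmp.name)
```

MD5 here catches a truncated or corrupted transfer, which is the failure the guide asks you to rule out before starting the upgrade.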

Related Topics

Cisco Identity Services Engine User Guide, Release 1.2
Cisco Identity Services Engine CLI Reference Guide, Release 1.2

Firewall Ports That Must be Open for Communication

The replication ports have changed in Cisco ISE, Release 1.2 and if you have deployed a firewall between your primary Administration node and any other node, the following ports must be open before you upgrade to Release 1.2:


• TCP 1528—For communication between the primary administration node and monitoring nodes.

• TCP 443—For communication between the primary administration node and all other secondary nodes.

• TCP 12001—For global cluster replication.

For a full list of ports that Cisco ISE, Release 1.2, uses, see the Cisco Identity Services Engine Hardware Installation Guide.
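The port requirements above, turned into a reachability check to run before the upgrade from a host on the primary Administration node's side of the firewall. This is an added Python example, not Cisco tooling; the inventory format and hostnames are hypothetical, and checking TCP 12001 against every peer is an assumption.

```python
import socket

# (port, which peers of the primary Administration node it applies to, purpose),
# taken from the port list in the guide.
PORT_RULES = [
    (1528, "monitoring", "primary Administration node <-> Monitoring nodes"),
    (443, "any", "primary Administration node <-> all other secondary nodes"),
    (12001, "any", "global cluster replication"),
]


def required_checks(nodes, primary_admin):
    """List (fqdn, port, purpose) for every peer of the primary Administration node.

    nodes maps FQDN -> set of persona names (hypothetical inventory format).
    Assumption: TCP 12001 is checked against every peer, because the guide
    describes it only as "global cluster replication".
    """
    if primary_admin not in nodes:
        raise ValueError("%r is not in the inventory" % primary_admin)
    checks = []
    for fqdn in sorted(nodes):
        if fqdn == primary_admin:
            continue
        for port, applies_to, purpose in PORT_RULES:
            if applies_to == "any" or applies_to in nodes[fqdn]:
                checks.append((fqdn, port, purpose))
    return checks


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unresolvable hosts all count as blocked.
        return False


def blocked(nodes, primary_admin, probe=tcp_open):
    """Return the required checks that failed, using probe(host, port) -> bool."""
    return [c for c in required_checks(nodes, primary_admin)
            if not probe(c[0], c[1])]


if __name__ == "__main__":
    # Constructed inventory; replace with the FQDNs of your own deployment.
    inventory = {
        "pan1.example.com": {"administration"},
        "mnt1.example.com": {"monitoring"},
        "psn1.example.com": {"policy-service"},
    }
    # Offline demo: a stand-in probe that behaves as if a firewall dropped 12001.
    for fqdn, port, purpose in blocked(inventory, "pan1.example.com",
                                       probe=lambda host, port: port != 12001):
        print("BLOCKED %s tcp/%d (%s)" % (fqdn, port, purpose))
    # A real run omits the probe argument. A pass proves only this direction;
    # a stateful firewall can treat the reverse direction differently, so
    # repeat the check from the peer's side as well.
```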

Other Preupgrade Considerations

Read the following information carefully, and record these configurations (back up, export, obtain screenshots) wherever possible before you begin an upgrade:

• Read the Data Restoration Guidelines from the Cisco Identity Services Engine User Guide, Release 1.2 before you restore data on your newly upgraded node.

• Perform a backup of Cisco ISE configuration data from the primary Administration node, which includes the Cisco Application Deployment Engine (ADE) configuration data.

• Perform a backup of the Cisco ISE operational data from the primary Monitoring node.

• Export the certificates, including the private key, from all the nodes in the deployment and save them in a local system. Ensure that the Common Name (CN) or SAN in the HTTPS and EAP certificates for each of your Cisco ISE nodes matches the Fully Qualified Domain Name of that node.

• Obtain a backup of the running configuration using the copy running-config destination command from the Cisco ISE CLI, where destination is a URL such as ftp, sftp, or disk:

• Ensure that you have the Active Directory credentials if you are using Active Directory as your external identity source. After an upgrade, you might lose Active Directory connections. If this happens, you must rejoin Cisco ISE with Active Directory.

• Export the default profiler policies to a file and import them after an upgrade if you have edited and customized the default profiler policies. The upgrade process overwrites the default profiler policies.

• Record the customization that you have done to the default language templates. After upgrade, you must edit the default language templates if you have customized them in the old deployment.

• Record the alarm, e-mail settings, report customization, favorite reports, monitoring data backup schedules, and data purge settings. You must reconfigure these settings after upgrade.

• Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again.

• Record the SNMP profiler probe settings. You must reconfigure the profiler SNMP polling from the primary Administration node after upgrade if you are using it for profiling.

• Disable the console timeout temporarily from the Cisco ISE CLI for remote upgrades. Use the following command from the Cisco ISE CLI: terminal session-timeout 0. After you disable the console timeout, log out and log in to the Cisco ISE CLI. After upgrade is complete, ensure that the terminal session timeout is set to its original value. The default value is 30 minutes.

• We strongly recommend that you delay any deployment configuration changes such as changing node personas, system synchronization, and node registration or deregistration until all the nodes in your deployment are completely upgraded. One exception to this recommendation, however, involves steps that are required to recover from a failed upgrade.

• The Monitoring node's database size is reduced after you upgrade to Release 1.2 because of database design and schema changes in Release 1.2, which optimizes disk space utilization and offers better performance.

• The upgrade process from Cisco ISE 1.1.x to 1.2 includes the operating system and application binary upgrade from a 32-bit to a 64-bit system. During upgrade, the node is rebooted twice following the database and operating system upgrade. After the second reboot, the 64-bit application binaries are installed and the database is migrated to the 64-bit system. During this process, you can monitor the progress of the upgrade from the CLI using the show application status ise command. The following message appears: "% NOTICE: Identity Services Engine upgrade is in progress..."

Related Topics

Cisco Identity Services Engine User Guide, Release 1.2
Cisco Identity Services Engine CLI Reference Guide, Release 1.2

VMware Virtual Machine Settings for Cisco ISE, Release 1.2

If you are upgrading nodes on virtual machines, ensure that you read the following statements carefully. You should make these changes before you upgrade to Release 1.2.

Note

You must power down the virtual machine before you make the following changes, and power it back on after the changes are done.

• Cisco ISE, Release 1.2, is a 64-bit system. Ensure that your virtual machine's hardware is compatible with 64-bit systems. See the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 for more information. Enable BIOS settings that are required for 64-bit systems. Refer to the VMware Knowledge Base for hardware and firmware requirements for 64-bit guest operating systems. After you upgrade to Release 1.2, choose Linux as the Guest Operating System and Red Hat Enterprise Linux 5 (64-bit) as the version. See the VMware Knowledge Base for more information.

• You can also increase the CPU and memory size of the virtual machine. Refer to Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 for deployment sizing and scaling recommendations for the SNS 3400 Series appliances. If you increase the disk size of a virtual machine, you cannot upgrade so you must do a fresh installation of Release 1.2. After you install Release 1.2, you can check the CPU and memory size using the show inventory command from the Cisco ISE CLI.

Upgrade Time Estimation

The following table provides an estimate of the amount of time it might take to upgrade to Release 1.2. Actual time taken for upgrade varies depending on a number of factors. Your production network continues to function without any downtime during the upgrade process. The data presented here is from a deployment with 44 Cisco ISE nodes (2 Administration nodes, 2 Monitoring nodes, and 40 Policy Service nodes). This deployment comprises 100,000 endpoints; 12,500 users; 25,000 guest users; 100 user groups (with 5 attributes per user). The Profiling service was enabled and the following probes were turned on: DHCP, HTTP, RADIUS, Network Scan (NMAP), DNS, SNMPQUERY.

| Type of Deployment | Node Persona | Time Taken for Upgrade |
|---|---|---|
| Standalone (2000 endpoints) | Administration, Policy Service, Monitoring | 1 hour 20 minutes |
| Distributed (12,500 users and 25,000 endpoints) | Secondary Administration | 7 hours |
| | Monitoring | 4 hours |
| | Policy Service | 1.5 hours |
| | Administration, Monitoring | 2 hours |

Factors That Affect Upgrade Time

• Number of endpoints in your network

• Number of users and guest users in your network

• Profiling service, if enabled

Note

Cisco ISE nodes on virtual machines might take longer to upgrade to Release 1.2.

Obtain a Backup Before Upgrade to Prevent Any Data Loss

To prevent any data loss, you should perform an on-demand backup of the Cisco ISE Configuration and Monitoring (operational) data before upgrade.

Performing an On-Demand Backup from the Cisco ISE User Interface

In the Cisco ISE user interface, you can perform an on-demand backup of the primary Administration node. You must perform a backup of the Cisco ISE application and ADE-OS configuration data and monitoring (operational) data. For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because these repository types are read-only or the protocol does not support file listing. In a distributed deployment, if the primary Administration and primary Monitoring personas run on the same node (appliance or virtual machine), then you can use the local repository for the backup. If they run on separate nodes (appliances or virtual machines), the local repository cannot be used for the backup. You can use the CLI and GUI to create repositories, but for Cisco ISE, Release 1.2, it is recommended to use the GUI for the following reasons:

• Repositories that are created through the CLI are saved locally and do not get replicated to the other deployment nodes. These repositories do not get listed in the repository GUI page.

• Repositories that are created on the primary Administration node through the GUI get replicated to the other deployment nodes.


Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.

• Before you perform this task, you should have a basic understanding of the type of data that can be backed up in Cisco ISE. You should perform an on-demand backup of the Cisco ISE Configuration and Monitoring data.

• Before you perform this task, ensure that you have configured repositories. Refer to Cisco Identity Services Engine User Guide, Release 1.1.x for more details.

• When you perform a backup, do not change the role of a node or promote a node. Changing node roles will shut down all the processes and might cause some inconsistency in data if a backup is running concurrently. Wait for the backup to complete before you make any node role changes.

• Copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE server startup configuration. You can use this startup configuration when you restore or troubleshoot your Cisco ISE application from the backup and system logs. For more information about copying the running configuration to the startup configuration, see the copy command in the Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x.

Note

Operational (Monitoring data) backup can be obtained only from the primary and secondary Monitoring nodes.

Procedure

Step 1 Log in to the Cisco ISE administrative user interface.

Step 2 Choose Administration > System > Maintenance.

Step 3 Choose Data Management > Administration Node > Full Backup On Demand. Choose Monitoring Node if you want to back up monitoring data.

Step 4 Enter the values as required to perform a backup.

Step 5 Click Backup Now.

Step 6 Verify that the backup completed successfully. Cisco ISE appends the backup filename with the timestamp and stores this file in the specified repository. Check if your backup file exists in the repository that you have specified.

Related Topics

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_backup.html#wp1066156
Cisco Identity Services Engine User Guide, Release 1.1.x

Performing a Backup from the Cisco ISE CLI

To perform a backup of the Cisco ISE configuration or operational data from the Cisco ISE CLI and place the backup in a repository, enter the backup command in EXEC mode.


Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.

• Before you perform this task, you should have a basic understanding of the type of data that can be backed up in Cisco ISE. You should perform an on-demand backup of the Cisco ISE Configuration and Monitoring data.

• Before you perform this task, ensure that you have configured repositories. Refer to Cisco Identity Services Engine User Guide, Release 1.1.x for more details.

• When you perform a backup, do not change the role of a node or promote a node. Changing node roles will shut down all the processes and might cause some inconsistency in data if a backup is running concurrently. Wait for the backup to complete before you make any node role changes.

• Copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE server startup configuration. You can use this startup configuration when you restore or troubleshoot Cisco ISE from the backup and system logs. For more information about copying the running configuration to the startup configuration, see the copy command in Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x.

Note

Operational backups can be obtained only from the primary and secondary Monitoring nodes.

For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because these repository types are read-only or the protocol does not support file listings.

In a distributed deployment, if the primary Administration and primary Monitoring personas run on the same node (appliance or virtual machine), then you can use the local repository for the backup. If they run on separate nodes (appliances or virtual machines), the local repository cannot be used for the backup.

Procedure

To obtain Cisco ISE configuration data, enter the backup command with the ise-config command operator parameter in the CLI of the primary Administration node in your old deployment. To obtain Cisco ISE operational (monitoring and troubleshooting) data, enter the backup command with the ise-operational command operator parameter in the CLI of the primary or secondary Monitoring node in your old deployment.

CLI command to obtain a Cisco ISE configuration backup:

backup backup-name repository repository-name ise-config encryption-key {hash | plain} encryption-key name

CLI command to obtain a Cisco ISE operational backup:

backup backup-name repository repository-name ise-operational encryption-key {hash | plain} encryption-key name

The following table provides the syntax description:

backup-name
    Name of the backup file. Supports up to 100 alphanumeric characters.

repository
    Specifies the repository to store the backup file.

repository-name
    Name and location of the repository where the files should be backed up to. Supports up to 80 alphanumeric characters.

ise-config
    (Optional) Backs up Cisco ISE configuration data (includes Cisco ISE ADE-OS configuration data).

ise-operational
    (Optional) Backs up only Cisco ISE operational (monitoring and troubleshooting) data. You can only specify this command operator parameter on the primary and secondary Monitoring nodes.

encryption-key
    Specifies an encryption key to protect the backup.

hash
    Specifies a hashed encryption key to protect the backup.

plain
    Specifies a plaintext encryption key to protect the backup. Specifies an unencrypted plaintext encryption key that follows. Supports up to 15 characters in length.

encryption-key name
    Name of the encryption key in hash | plain format. Supports up to 40 characters for hashed encryption and 15 characters for plaintext encryption.

The backup command performs a backup of the Cisco ISE and ADE-OS configuration data and monitoring data and places the backup in a repository with an encrypted (hashed) or unencrypted plaintext password.

You can encrypt and decrypt the backup by using a user-defined encryption key.

ise/admin# backup mybackup repository myrepository ise-config encryption-key plain Lab12345
% Creating backup with timestamped filename: backup-111125-1252.tar.gpg
ise/admin#

ise/admin# backup mybackup repository myrepository ise-operational encryption-key plain Lab12345
% Creating backup with timestamped filename: backup-111125-1235.tar.gpg
ise/admin#

Related Topics

Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x

Cisco ISE 1.2 Upgrade Process

You can upgrade to Cisco ISE, Release 1.2, only from the Cisco ISE command-line interface (CLI). For instructions on upgrading standalone or two-node deployments, see "Chapter 2, Upgrading Standalone and Two-Node Deployments to Release 1.2". For instructions on upgrading a distributed deployment, see "Chapter 3, Upgrading a Distributed Deployment to Cisco ISE, Release 1.2".

The upgrade process for a standalone node is different than the one for upgrading nodes in a deployment. When you run the application upgrade command from the Cisco ISE CLI, the following tasks are performed in the background in each of the nodes:

1 Downloads the upgrade bundle and extracts it.

2 Performs a backup of the configuration database (for automatic rollback in case of recoverable failures).

3 Upgrades the configuration database or downloads a dump of the upgraded configuration database (in the case of a standalone node).

4 Upgrades the monitoring database.

5 Upgrades the operating system and application binary files.

6 Migrates the database from a 32-bit to a 64-bit system.

7 After a successful upgrade, prompts the user to log in to Cisco ISE, Release 1.2.

For distributed deployments, the upgrade process follows a Split Deployment model. After you upgrade the secondary Administration node to the new release, Cisco ISE creates a new deployment. The secondary Administration node from the old deployment becomes the primary Administration node in the new deployment. When you upgrade the rest of the nodes in the old deployment, they join the new deployment.

When you upgrade the secondary Administration node from the old deployment, it saves the old deployment configuration and also notifies the primary Administration node of the upgrade. The primary Administration node in the old deployment notifies the other nodes about the upgrade. After upgrade, the nodes from the old deployment join the primary Administration node in the new deployment. The upgrade process retains licenses and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files with two-node unique device identifiers (UDIs). You can request a new license with the UDI of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for details.

Note

To upgrade to Cisco ISE, Release 1.2, you do not have to deregister the nodes from the deployment and register them to the new deployment as was the case in previous releases. When you run the application upgrade command from the CLI, the upgrade software deregisters the node and registers it to the new deployment automatically.

The upgrade fails if you make any node persona changes in the old deployment after you start the upgrade on the secondary Administration node.

You must first upgrade the secondary Administration node. Then, upgrade the primary Monitoring node, followed by the Policy Service nodes and Inline Posture nodes, respectively. Next, upgrade the secondary Monitoring node (if you have one in your old deployment). Finally, upgrade the primary Administration node from your old deployment. For Policy Service nodes, the database schema is not upgraded. Instead, the Policy Service nodes get a copy of the new database from the primary Administration node in the new deployment.
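The ordering rules above as a small planner: it sorts an inventory into the upgrade sequence and reports persona changes made after the plan was taken, which the guide says cause the upgrade to fail. This is an added Python example, not Cisco tooling; the persona labels, the inventory format and the rule that a node with several personas follows its Administration persona (otherwise its earliest stage) are assumptions.

```python
# Upgrade stages in the order the guide gives for a distributed deployment.
# The labels are hypothetical names chosen for this example.
STAGES = [
    "secondary-administration",
    "primary-monitoring",
    "policy-service",
    "inline-posture",
    "secondary-monitoring",
    "primary-administration",
]
FIRST, LAST = STAGES[0], STAGES[-1]


def stage_of(personas):
    """Index into STAGES at which a node with these personas is upgraded."""
    unknown = set(personas) - set(STAGES)
    if unknown or not personas:
        raise ValueError("unusable persona set: %r" % sorted(personas))
    if LAST in personas:   # the old primary Administration node always goes last
        return len(STAGES) - 1
    if FIRST in personas:  # the secondary Administration node always goes first
        return 0
    # Assumption: any other multi-persona node goes at its earliest stage.
    return min(STAGES.index(p) for p in personas)


def plan_upgrade(nodes):
    """nodes maps FQDN -> set of personas. Returns [(fqdn, stage name), ...]."""
    primary = [f for f, p in nodes.items() if LAST in p]
    secondary = [f for f, p in nodes.items() if FIRST in p]
    if len(primary) != 1 or len(secondary) != 1 or primary == secondary:
        raise ValueError("need exactly one primary and one secondary "
                         "Administration node, on different hosts")
    ordered = sorted(nodes, key=lambda f: (stage_of(nodes[f]), f))
    return [(f, STAGES[stage_of(nodes[f])]) for f in ordered]


def persona_drift(planned, current):
    """FQDNs whose personas differ from the snapshot the plan was built on."""
    return sorted(f for f in set(planned) | set(current)
                  if planned.get(f) != current.get(f))


if __name__ == "__main__":
    # Constructed six-node deployment.
    snapshot = {
        "pan-a.example.com": {"primary-administration"},
        "pan-b.example.com": {"secondary-administration"},
        "mnt-a.example.com": {"primary-monitoring"},
        "mnt-b.example.com": {"secondary-monitoring"},
        "psn-1.example.com": {"policy-service"},
        "psn-2.example.com": {"policy-service"},
    }
    for step, (fqdn, stage) in enumerate(plan_upgrade(snapshot), start=1):
        print("%d. %s (%s)" % (step, fqdn, stage))

    # Re-read the inventory before each step; stop if anything changed.
    later = dict(snapshot)
    later["psn-2.example.com"] = {"policy-service", "secondary-monitoring"}
    print("persona changes since plan:", persona_drift(snapshot, later))
```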

Cisco ISE 1.2 Supported Upgrade Paths

You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:


• Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)

• Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)

• Cisco ISE, Release 1.1.2, with the latest patch applied

• Cisco ISE, Release 1.1.3, with the latest patch applied

• Cisco ISE, Release 1.1.4, with the latest patch applied

The following table lists the Cisco ISE versions and what you need to do to upgrade to Cisco ISE, Release 1.2, from those versions.

Table 1: Upgrade Roadmap

| From Version | Upgrade Path |
|---|---|
| Cisco ISE, Release 1.0 or 1.0.x | 1. Upgrade to Cisco ISE, Release 1.1.0. 2. Apply the latest patch for Cisco ISE, Release 1.1.0. 3. Upgrade to Cisco ISE, Release 1.2. |
| Cisco ISE, Release 1.1 | 1. Apply the latest patch for Cisco ISE, Release 1.1.0. 2. Upgrade to Cisco ISE, Release 1.2. |
| Cisco ISE, Release 1.1.x | 1. Apply the latest patch for Cisco ISE, Release 1.1.x. 2. Upgrade to Cisco ISE, Release 1.2. |

Downloading the Upgrade Software

To download the upgrade bundle (ise-upgradebundle-x.x.x.x.i386.tar.gz) from Cisco.com:

Procedure

Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.

Step 2 Click Download Software for this Product.

Step 3 Download the upgrade bundle. Download ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz to upgrade from Release 1.1.x to Release 1.2. Download ise-upgradebundle-1.2.0.899.x86_64.tar.gz to upgrade from the Limited Availability Release to Release 1.2.

What to Do Next

If you have Inline Posture nodes in your deployment, download the ISE-IPN 1.2 ISO image as well.

CLI Command for Upgrading to Release 1.2

You can upgrade directly from the Cisco ISE CLI. This option allows you to install the new Cisco ISE software on the appliance and simultaneously upgrade configuration and monitoring information databases.

To use the application upgrade command from the Cisco ISE CLI, enter:

application upgrade application-bundle repository-name

• application-bundle is the name of the application bundle to upgrade the Cisco ISE application.

• repository-name is the name of the repository.

When you upgrade or restore Cisco ISE Monitoring nodes from the older versions of Cisco ISE to Release 1.2, the active sessions are not retained and are reset to 0.

Related Topics

Upgrading a Two-Node Deployment to Cisco ISE, Release 1.2
Performing a Backup to Prevent Data Loss During Upgrade

Upgrade Methods for Different Types of Deployments

Before you proceed with an upgrade, we recommend that you review the following chapters in this document for information about how to perform an upgrade on the following different types of deployments:

• Standalone and two-node deployments

• Distributed deployments

Related Topics

Upgrading a Two-Node Deployment to Cisco ISE, Release 1.2
Upgrading Nodes in a Distributed Deployment

Verifying the Upgrade Process

To verify if an upgrade is successful, do one of the following:


• Check the ade.log file for the upgrade process. To display the ade.log file, enter the following command from the Cisco ISE CLI: show logging system ade/ADE.log

• Enter the show version command to verify the build version.

• Enter the show application status ise command to verify that all the services are running.

If upgrade fails because of configuration database issues, the changes are rolled back automatically. Refer to Chapter 4, "Recovering from Cisco ISE Upgrade Failures" for more information.

Post-Upgrade Tasks

Refer to Cisco Identity Services Engine User Guide, Release 1.2, for details about each of these tasks.

• Check if the local and Certificate Authority (CA) certificates are available. Reimport them, if necessary.

• Reconfigure your backup schedules (configuration and operational). Scheduled backups configured in the old deployment are lost during upgrade.

• Join Cisco ISE with Active Directory again, if you use Active Directory as your external identity source and connection to Active Directory is lost.

• Reset the RSA node secret if you use RSA SecurID server as your external identity source.

• Perform a posture update from the primary Administration node after upgrade if you have enabled the Posture service.

• Check and import custom profiler policies. If you changed the default profiler policies, the upgrade process overwrites the changes.

• Check profiling probe configurations and reconfigure them, if necessary.

• Customize default language templates after upgrade. If you had customized the default language templates in the old deployment, the upgrade process overwrites the changes.

• Reconfigure profiler SNMP polling. This configuration is lost during an upgrade.

• In previous releases of Cisco ISE, guest user records were available in the Internal Users database. Cisco ISE, Release 1.2 introduces a Guest Users database, which is different than the Internal Users database. If you have added the Internal Users database to your identity source sequence, the Guest Users database also becomes part of your identity source sequence. If guest user login is not applicable, remove the Guest Users database from the identity source sequence.

• Reconfigure e-mail settings, favorite reports, and data purge settings.

• Check the threshold and/or filters for specific alarms that you need. All the alarms are enabled by default after an upgrade.

• Customize reports based on your needs. If you had customized the reports in the old deployment, the upgrade process overwrites the changes that you made.

• The operational (monitoring and troubleshooting) data purge has changed in Cisco ISE, Release 1.2. Purge settings default to 90 days. Some of the logs are purged within 24 hours of upgrading to the new deployment. Check the dashboard to see if you are viewing data for the previous 24 hours. You can also check the reports and live logs. Ensure that you obtain a backup of all the monitoring (operational) data that you need.


Known Upgrade IssuesThis section lists some of the known upgrade issues with workarounds. Refer to the Open Caveats section inthe Release Notes for Cisco Identity Services Engine, Release 1.2 for more details.

Upgrading Secondary Nodes From Limited Availability Release to Release 1.2Fails

Problem This issue occurs only when you upgrade secondary nodes from the Limited Availability Release toCisco ISE, Release 1.2.

Possible Cause This issue is seen when you have backup schedules configured in Cisco ISE.

Solution Disable or cancel the backup schedules before you upgrade to Release 1.2.

Scheduled Backup Configurations Are LostProblem This issue occurs after you upgrade to Release 1.2 from earlier releases. Even though you backed upthe configuration data before upgrade and restored it in Cisco ISE, Release 1.2, the scheduled backupconfigurations are lost.

Solution You must reconfigure the scheduled backups in Cisco ISE, Release 1.2.

Browser Cache Issues

Problem This issue occurs if you are using the same browser to access Cisco ISE before and after the upgrade.

Solution You must clear your browser cache after upgrade to access Cisco ISE, Release 1.2.

Active Directory Join Issues

Problem If you use Active Directory as your external identity store, after you upgrade to Release 1.2, Cisco ISE will no longer be joined to the Active Directory domain.

Solution You must rejoin the nodes to the Active Directory domain from the Active Directory pages of the Cisco ISE user interface.

RSA Connection Is Lost

Problem If you use RSA SecurID Server as your external identity source, the RSA SecurID server connection might be lost after an upgrade.


Page 14: b_ise_upgrade_guide_chapter_01.pdf

Solution Reset the RSA node secret from the primary Administration node. Refer to Cisco Identity Services Engine User Guide, Release 1.2, for more details.

New Users or Endpoints Added to the Old Deployment During Upgrade Are Lost

Problem Guest users or endpoints that are added to the old deployment when the new deployment is formed are lost.

Solution Ensure that you disable services such as Guest, Profiler, Device Onboarding, and so on before an upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again.

Profiler SNMP Polling Configuration Is Lost

Problem Profiler SNMP polling configuration is lost after an upgrade.

Solution You must reconfigure profiler SNMP polling from the Cisco ISE, Release 1.2 primary Administration node after an upgrade. Refer to the Cisco Identity Services Engine User Guide, Release 1.2, for more information.

Default Language Template Customization Is Lost

Problem If you have edited the default language templates, the changes that you have made are lost after an upgrade.

Solution Customize the default language templates again after the upgrade.

CLI Password Policy is Lost During Upgrade

Problem This issue occurs when you upgrade to Cisco ISE, Release 1.2.

Possible Cause In Cisco ISE, Release 1.2, the GUI and CLI password policies are unified and replicated to all nodes.

Solution After you upgrade to Release 1.2, configure the password policy from the Cisco ISE Admin portal (Administration > System > Admin Access > Password Policy).

Posture Updates Are Overwritten

Problem During an upgrade, the operating system list for posture is updated, which might affect posture rules.


Page 15: b_ise_upgrade_guide_chapter_01.pdf

Solution After upgrade, from the primary Administration user interface, choose Administration > System > Settings > Posture > Updates. Check the Cisco supported OS version. If it is set to 0.0.0.0, perform a posture update.

Manifest Error While Running Upgrade

Problem You might see a "manifest error" when you try to upgrade ISE with an application bundle that was downloaded using Apple Safari web browser from Cisco.com.

Possible Cause The upgrade file is decompressed after the download. By default, the Apple Safari web browser opens "safe files" after a download. This setting decompresses the upgrade bundle after download and causes the manifest error during upgrade.

Solution Uncheck the "open safe files after downloading" option under Preferences in the Apple Safari web browser.
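
A pre-upload check for the failure mode described above, as an added example that is not part of the Cisco guide: it reports whether a downloaded bundle is still gzip-compressed or has been unpacked to a bare tar archive. It assumes the bundle is distributed as a gzip-compressed tar archive; the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example: classify a downloaded upgrade bundle before copying it
# to the repository used for the upgrade.
# Assumption: the bundle is published as a gzip-compressed tar archive.

# Print "gzip", "tar", "unknown" or "unreadable" for the file in $1.
bundle_format() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "unreadable"
        return 0
    fi
    # A gzip stream starts with the two bytes 1f 8b.
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo "gzip"
        return 0
    fi
    # A tar header carries the string "ustar" at byte offset 257.
    ustar=$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null | tr -d '\000')
    if [ "$ustar" = "ustar" ]; then
        echo "tar"
        return 0
    fi
    echo "unknown"
}

# Return 0 only when the bundle is still compressed as downloaded.
check_bundle() {
    fmt=$(bundle_format "$1")
    case $fmt in
        gzip)
            echo "OK: $1 is still gzip-compressed" ;;
        tar)
            echo "FAIL: $1 is a bare tar archive (decompressed after download); download it again"
            return 1 ;;
        *)
            echo "FAIL: $1 is $fmt, not a gzip-compressed bundle"
            return 1 ;;
    esac
}

# Stand-alone use: sh check_bundle.sh /path/to/downloaded-bundle
if [ $# -gt 0 ]; then
    check_bundle "$1"
fi
```
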


Page 16: b_ise_upgrade_guide_chapter_01.pdf
