Cisco ISE Upgrade Overview
From Cisco Identity Services Engine (Cisco ISE) Release 3.1, all pxGrid connections must be based on pxGrid 2.0. pxGrid 1.0-based (XMPP-based) integrations will cease to work on Cisco ISE from Release 3.1 onwards.
pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential disruptions, if any, to integrations.
This document describes how to upgrade your Cisco ISE software on Cisco ISE appliances and virtual machines (VMs) to Release 3.3. (See the section "What is New in Cisco ISE, Release 3.3" in the Release Notes for Cisco Identity Services Engine, Release 3.3.)
Upgrading a Cisco ISE deployment is a multistep process and must be performed in the order that is specified in this document. Use the time estimates provided in this document to plan for an upgrade with minimum downtime. For a deployment with multiple Policy Service Nodes (PSNs) that are a part of a PSN group, there is no downtime. If no endpoints are authenticated through a PSN that is being upgraded, the request is processed by another PSN in the node group. The endpoint is reauthenticated and granted network access after the authentication is successful.
Caution |
If you have a standalone deployment or a deployment with a single PSN, you might experience a downtime for all the authentications when the PSN is being upgraded. |
Note |
When upgrading to Cisco ISE Release 3.2 and above, Root CA regeneration happens automatically in the upgrade flow. Thus, post-upgrade Root CA regeneration is not required. |
Different Types of Deployment
-
Standalone Node: A single Cisco ISE node assuming the Administration, Policy Service, and Monitoring persona.
-
Multi-Node Deployment: A distributed deployment with several ISE nodes.
Differences in Native Cloud Deployments of Cisco ISE
-
Amazon Web Services (AWS)
-
Azure Cloud
-
Oracle Cloud Infrastructure (OCI)
In the case of AWS, to upgrade from Cisco ISE Release 3.2 to Release 3.3 :
-
Backup configuration data from the Cisco ISE Release 3.2 AWS instance.
-
Reconfigure the AWS instance with Cisco ISE Release 3.3.
-
Restore configuration data on the newly created Cisco ISE Release 3.3 instance.
In case of the following events, you must regenerate the root CA chain:
-
Changing the domain name or hostname of your PAN or PSN.
-
Restoring a backup on a new deployment.
-
Promoting the old Primary PAN to new Primary PAN after upgrade.
-
In the Cisco ISE GUI, click the Menu icon () and choose .
-
Click Generate Certificate Signing Request (CSR).
-
From the Certificate(s) will be used for drop-down list, choose ISE Root CA.
-
Click Replace ISE root CA Certificate Chain.