Skip to main content

Cisco ISE Licensing: Navigating the Upgrade from 2.X to 3.X

Networking | Network Access Control | Cybersecurity | Identity Management

In the ever-evolving landscape of network security, staying up to date with the latest technologies and features is paramount. For users of Cisco Identity Services Engine (ISE), upgrading from version 2.X to 3.X presents an opportunity to leverage new functionalities while maintaining robust security measures. However, this transition requires careful planning and execution to guarantee a seamless upgrade process.  

In this guide, we'll outline the essential steps to navigate the upgrade effectively for a smooth transition and maximized benefits of Cisco ISE 3.X. 

Pre-Upgrade Preparation: Before embarking on the upgrade journey, thorough preparation is crucial. Here's what you need to do: 

  • Review Release Notes: Familiarize yourself with the release notes for Cisco ISE 3.X. Understand the new features, enhancements, and any changes in behavior or prerequisites. 
  • Backup: Safeguard your existing Cisco ISE 2.X deployment by backing up configurations, certificates, and critical data. This establishes a reliable restore point in case of any issues during the upgrade. You don’t want to start over with your configurations! Double check that you have backed up all certificates to the box. Note that this is a manual process.  
  • Compatibility Check: Verify that your current hardware and software components meet the requirements for Cisco ISE 3.X. Check hardware specifications, virtualization platforms, and supported operating systems. 

  • License Review: Confirm that your existing licenses are valid for Cisco ISE 3.X and that you have the appropriate licenses for any new features you plan to utilize. 
  • Upgrade Process: Once you've completed the pre-upgrade preparation, it's time to proceed with the upgrade. 
  • Download the Upgrade Package: Obtain the Cisco ISE 3.X upgrade package from the Cisco Software Download Center, ensuring you have the correct version for your deployment. 

Upgrade Process: Follow the recommended upgrade path provided by Cisco. This typically involves installing the new version alongside the existing one, migrating configuration settings, and confirming that your data has transferred. 

Another option you have for the upgrade process— worth considering especially if you are a smaller team — is to start your upgrade fresh. Look at this upgrade as an opportunity to clean out unnecessary data that you may be storing and review your environment. Think about the impact that old, outdated patches or endpoint data can have on your new, upgraded system. If you have the capacity, we recommend doing your backup and then rebuilding every single time you want to upgrade. Upgrades can bring in corruption. Not only is this a better method, but in many cases, it is the faster method.  

  • CISCO DU Preferred Upgrade 

Consider spinning up the new image for the 3.X upgrade as a new box or VM or rebuild one of the existing ISE nodes you have with the new image.  

Keep in mind that if you upgrade your box, newer versions will require more disk space as some of the more current ISE nodes require significantly more resources. Not all physical boxes can be upgraded which means that not all nodes will carry over. Upgrading alone will not fix this problem for you.  

RESTORE the image that you have at that point 

  • Restore Backup  
  • Restore certificates 
  • Restore configuration 
  • Rejoin the ISE node to the domain 
  • Any additional nodes don't have to be restored just added to the deployment 

The admin node pushes the intelligence out to every node in your environment. At IE, we consider this a much more efficient way to upgrade your ISE environment. If you want to learn more, contact us.  

Configuration Migration: Migrate your existing configuration from ISE 2.X to 3.X. Export configurations, policies, and settings from the old version and import them into the new one. 

Testing and Validation: After completing the upgrade and configuration migration, thorough testing is essential to verify that everything works as intended: 

  • Testing: Validate that your policies, authentication methods, and configurations function correctly in the new version of Cisco ISE. Test integrations with other systems to confirm seamless operation. Once you’ve restored your environment, all your assets should be present. You'll have 90 days to re-up your licensing or risk being locked out of your system (though it will keep running, still an inconvenience). 
  • Certificate Renewal: Review and renew any certificates that might have expired or are due to expire. Also, verify the proper installation and configuration of certificates in the new version. 
  • Register your Licensing: Since you are upgrading to 3.X (or x) you will need a smart account for your device. If you are making the jump from any 2.x licenses to 3.x, the smart account registration will be required. 

Post-Upgrade Tasks: Once the upgrade is successful, there are several post-upgrade tasks to complete: 

  • User Communication: Inform users and stakeholders about the upgrade, providing necessary information and instructions to minimize disruption during the transition. 
  • Rollback Plan: Prepare a rollback plan in case of critical issues during the upgrade. Outline steps to revert to the previous version while preserving data and configurations. 
  • Security Updates: Stay current with security updates and patches released for Cisco ISE 3.X. Regularly apply these updates to maintain a secure deployment. 

Ongoing Maintenance: After completing the upgrade, ongoing monitoring and maintenance are essential to ensure the continued security and performance of your Cisco ISE deployment: 

  • Training and Knowledge Sharing: Train your team on the new features and changes introduced in Cisco ISE 3.X. Foster knowledge sharing to encourage efficient utilization of the upgraded environment. 
  • Ongoing Monitoring: Continuously monitor the performance and stability of your Cisco ISE deployment. Address any issues promptly and stay engaged with the Cisco community for best practices and troubleshooting. 

Need Assistance with Your Upgrade? 

IE offers an expert team of engineers specializing in Cisco ISE deployments, upgrades, and optimal utilization for customers. We’re here to help you upgrade efficiently and utilize the most cost-effective Cisco ISE license for your needs. You can request assistance from our ISE engineers or learn how to maximize the ISE deployment in your environment here. Additionally, Cisco provides some helpful resources and walkthroughs on the process. Regardless of how you’d like to proceed with this upgrade, we’re here to help! 

Watch the Cisco ISE Upgrade Demo