
Cisco ISE: Patching

Written by Dominic Zeni | Aug 8
Series: Cisco Identity Services Engine (ISE)
Topic: Cisco ISE 
Entry: Cisco ISE Patching
 

This entry in our Cisco ISE blog series takes a brief detour from our regularly scheduled programming for an in-depth look at the patching procedure for a two-node, small ISE deployment.  As it happens, LookingPoint has an existing ISE 2.4 small deployment that we would like to bring up to the latest patch as of this writing, ISE 2.4 Patch 1.  We thought, why not document the patch upgrade in another blog entry!  So here it goes!

Current Deployment and Release

As mentioned, we are running a small deployment consisting of two nodes, each running version 2.4.0.357 with all ISE personas (Administration, Monitoring, and Policy Service) enabled.  This is the ISE 2.4 GA release without any patches applied.

Downloading the Software

When you apply a patch to ISE, you do not need to re-install the software.  As the name indicates, a patch is a bundle that updates files within the software already installed; your configuration and data stay in place.  To obtain the patch, I navigated to the Cisco Software Download page for ISE.  In this particular case, there was only one file I needed to download, described below.

The Patch Bundle

As mentioned above, we will be applying Patch 1 to our existing install of ISE version 2.4.  Patch releases contain bug fixes, and frequently security fixes, for a given release.  As a general rule of thumb, keep your ISE deployment on the latest patch for your “major.minor” release unless otherwise directed by the patch documentation.  Patches in Cisco ISE are always cumulative, meaning Patch 2 includes all of the fixes in Patch 1, so there is no need to step through intermediate patches unless specifically directed to do so by TAC or the patch documentation.  Patches are also release-specific: a 2.4 patch applies only to a 2.4 deployment, so moving between major.minor releases is an upgrade, not a patch.

 

After downloading the patch file, verify its checksum against the value published on the download page, then read the release notes, in particular the Upgrade Information section.  Read it all.  Read it twice.  Before you apply anything, take a configuration backup of the deployment (Administration > System > Backup & Restore) so you have a known-good state to return to.

Apply the Patch!

To apply the patch, log in to your Primary Administration Node (PAN) web interface and follow the instructions below.

  1. Navigate to Administration > System > Maintenance > Patch Management.
  2. Click “Install Patch”.
  3. Click “Browse” and then select the patch file you previously downloaded.
  4. Click “Install”.
  5. Don’t panic when you are logged out and can’t log back in; the PAN reboots once the patch has been applied to it.

When you apply a patch through the PAN GUI, the patch is applied to the PAN first and then pushed to each remaining node in the deployment, one at a time.  After the patch is applied to a node, that node reboots to complete the installation.  As long as your deployment is set up in a redundant fashion (i.e. each of your NADs points to at least two different ISE PSNs), the disruption to service will be minimal, but some interruption to authentications in progress is to be expected, so schedule the patch for a maintenance window.

The patches apply to nodes in the following order:

  • Primary Administration Node
  • Secondary Administration Node
  • Primary Monitoring Node
  • Secondary Monitoring Node
  • Policy Service Nodes

You can keep track of a node’s progress by logging in to its CLI via SSH and executing the command “show application status ise”.  The node is back in service once every service it runs reports “running” (services that are not enabled for that node’s personas show “disabled”, which is expected).

When I ran it while my PAN was still initializing some services, I could not log in to the PAN GUI…must…find…patience!

Ah, yes that’s more like it!  Now that my PAN services are fully functional, I am able to login to the GUI to check the status.  The patch management process will continue on to apply the patch to my secondary administration node, and so on and so forth.
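To take the guesswork out of the waiting stage, here is an added example (not from the original post and not Cisco code) that decides, from the text of “show application status ise”, whether a node has finished coming back after its patch reboot. It assumes the command prints a table whose STATE column holds running, initializing, not running or disabled; the sample outputs inside the script are constructed to resemble that table and are not captured from a real node.

```sh
#!/bin/sh
# Added example, not from the original post or from Cisco. Reads the text of
# "show application status ise" on stdin and returns 0 when the node is ready
# (every enabled service running), 1 while services are still coming up.
#
# Assumption: the output is a table with a STATE column containing
# "running", "initializing", "not running" or "disabled". Services that are
# not enabled for the node's personas show "disabled"; that is not a failure.

ise_services_ready() {
    # Strip CRs from SSH/terminal captures, drop the header, rule and blank
    # lines, then count every service that has not reached "running" yet.
    not_ready=$(tr -d '\r' | awk '
        /^ISE PROCESS NAME/ || /^-+$/ || NF == 0 { next }
        / initializing/ { n++ }
        / not running/  { n++ }
        END { print n + 0 }')
    [ "$not_ready" -eq 0 ]
}

# Constructed sample: a PAN partway through its post-patch start-up.
SAMPLE_STARTING='ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          3942
Database Server                        running          61 PROCESSES
Application Server                     initializing
Profiler Database                      running          8011
ISE Indexing Engine                    not running
AD Connector                           running          8130
M&T Session Database                   running          7975
M&T Log Processor                      running          8033
Certificate Authority Service          running          8201
EST Service                            running          8250
SXP Engine Service                     disabled
TC-NAC Service                         disabled'

# Constructed sample: the same node once everything has come up.
SAMPLE_READY=$(printf '%s\n' "$SAMPLE_STARTING" \
    | sed -e 's/initializing/running          5120/' \
          -e 's/not running/running          5188/')

# Stand-alone run: report the verdict for both samples.
for s in STARTING READY; do
    eval "out=\$SAMPLE_$s"
    if printf '%s\n' "$out" | ise_services_ready; then
        echo "$s: node ready"
    else
        echo "$s: still initializing, keep waiting"
    fi
done
```

Feed the function whatever you captured from the node’s CLI session (a paste into a file works fine); it only cares that the STATE words are present. Because “disabled” is ignored, the same check works on a PSN-only node where the Monitoring services never start.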

Patch Verification

After the patch has been applied to the Primary Administration Node, we can monitor the status of the patch on the remaining nodes by navigating to Administration > System > Maintenance > Patch Management, selecting the radio button next to Patch Version 1, and clicking “Show Node Status”.

Also, while the patch is being applied to a node, that node is listed in a critical, non-functioning status at Administration > System > Deployment.

Once the patching is completed across all your nodes, validate that every node is once again healthy at Administration > System > Deployment and that every node reports the same patch level in Show Node Status.
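As a CLI cross-check on the GUI status, here is an added example (not from the original post and not Cisco code) that parses the text of “show version” from each node and compares the installed base version and patch level against what you expect. It assumes “show version” lists a “Cisco Identity Services Engine” section with a “Version : 2.4.0.357” line, followed by one “Cisco Identity Services Engine Patch” section per installed patch; the two node outputs in the script are constructed to that shape, not captured from real nodes.

```sh
#!/bin/sh
# Added example, not from the original post or from Cisco. Parses the text of
# "show version" from an ISE node and reports its base version and highest
# installed patch number (0 when no patch is installed), so every node can be
# checked against the expected level once Patch Management reports done.
#
# Assumption: the output contains a "Cisco Identity Services Engine" section
# with "Version      : <base>" and one "Cisco Identity Services Engine Patch"
# section per installed patch, each with "Version      : <N>". The samples
# below are constructed to that shape and are not real node output.

# Print "<base version> <highest patch>" for the show version text on stdin.
ise_version_and_patch() {
    tr -d '\r' | awk '
        /^Cisco Identity Services Engine Patch/ { section = "patch"; next }
        /^Cisco Identity Services Engine/       { section = "base";  next }
        /^Version[ \t]*:/ {
            v = $NF
            if (section == "base") base = v
            if (section == "patch" && v + 0 > patch) patch = v + 0
        }
        END { printf "%s %d\n", base, patch }'
}

# Return 0 when the node on stdin reports exactly the expected base and patch.
# $1 = node name (for the message), $2 = expected base, $3 = expected patch.
ise_node_at_patch() {
    node=$1; want_base=$2; want_patch=$3
    set -- $(ise_version_and_patch)
    if [ "$1" = "$want_base" ] && [ "$2" -eq "$want_patch" ]; then
        echo "$node: $1 patch $2 (OK)"
        return 0
    fi
    echo "$node: $1 patch $2 (expected $want_base patch $want_patch)"
    return 1
}

# Constructed sample: the PAN after Patch 1 has been applied.
SAMPLE_PAN='Cisco Application Deployment Engine OS Release: (constructed sample)
Hostname: ise-pan

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 2.4.0.357
Build Date   : (constructed sample)
Install Date : (constructed sample)

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 1
Install Date : (constructed sample)'

# Constructed sample: a PSN that has not received the patch yet.
SAMPLE_PSN='Cisco Application Deployment Engine OS Release: (constructed sample)
Hostname: ise-psn

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 2.4.0.357
Build Date   : (constructed sample)
Install Date : (constructed sample)'

# Stand-alone run: check both nodes against 2.4.0.357 Patch 1.
for n in PAN PSN; do
    eval "out=\$SAMPLE_$n"
    printf '%s\n' "$out" | ise_node_at_patch "ise-$n" 2.4.0.357 1 || :
done
```

Because patches are cumulative, the highest patch number is the one that matters; a node whose “show version” lists Patch 1 and Patch 2 is at patch 2. A node reporting the right base version but patch 0 after Patch Management says it finished is the case worth chasing with Show Node Status before you call the maintenance window done.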

Finally, take a look at what you’ve done!  And don’t forget, you are incredible.

 


 

Written By: Dominic Zeni, LookingPoint Consulting Services SME - CCIE #26686

 

If you are interested in LookingPoint installing ISE into your network, feel free to contact us here! 

 
