Solved: ISE 2.4 Production Deployment readiness

Istvan Matyasovszki · ‎07-16-2018

Hi TMEs,

I am planning the migration of a distributed ISE setup currently running an older ISE release on appliances to ISE 2.x running on VMs. The setup has 2xPAN, 2xMnT and about 10x PSNs distributed across various geographical regions.

The currently used main features are: MAB, NEAT, 802.1x, Guest Portal and posible future requirements are: Profiling, Infoblox integration, MDM integration as well as an SDA pilot, thus to me ISE 2.4 Patch 2 looks like the best option.

Afaik, ETA for ISE 2.4 Patch 2 is the last week of July 2018 and 2.4 will become a long lived release.

Would you recommend going with ISE 2.4 Patch 2 ? What would speak at the moment against using ISE 2.4 in production for basic authentication/authorization and profiling ? Are you aware of any show stoppers ?

Thank you

Istvan

Damien Miller · ‎07-16-2018

Based on the recently updated ISE product life cycle doc, May 24th 2018, you can expect 2.4 to be a LTR. Committing to patch/software release dates is a slippery slope, sometime things change. Based on historic patch releases in other trains, you could reasonable assume 2.4 p2 wouldn't be too far out.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-740738.html

View solution in original post

Jason Kunst · ‎07-16-2018

The current recommended release is 2.2 with latest patch for stability and long term support

If you’re needing integration with SDA you should use ISE 2.3 with latest patch which has been out for long time and also heavily validated

2.4 is latest release And will of course work with all of your requirements but as usual you should lab it up test it out before going production. Since bleeding edge only recommended for those needing latest features or customers willing to deploy and be open to newest software

Regarding any major showstoppers none besides validating as per above

Istvan Matyasovszki · ‎07-16-2018

Thank you for the quick reply Jason.

Should I interpret your feedback as in ISE 2.4 will not be a long lived release ?

In the migration I've mentioned, the short to mid-term goal is stability for all basic features while still having the option

of working on the integration with other products during the next 6 to 12 months. If we go for ISE 2.2 in less than one year we'd need to plan migrating again as ISE 2.2 is out since Jan 2017, plus it has no support for SDA. I think the situation is very similar for ISE 2.3 in terms of remaining lifetime with full software support. What would you do in this scenario ?

Could you please confirm whether ISE 2.4 Patch 2 is on track to be released at the end of this month ?

Thank you

Istvan

Jason Kunst · ‎07-16-2018

The product managers would have to comment internally on your inquiry about 2.4 long term release information

From your information it’s really up to customer and engineer if want to give up stability of 2.3 and go with 2.4 as latest release for long term planning. 2.4 has been out for a while and working so I think this would be fine for customer long term as being validated in lab and then move forward

Also gives time for customer to wait for patch . Can’t comment on exact date in public forum of the patch. PMs should be able to answer that

Damien Miller · ‎07-16-2018

Based on the recently updated ISE product life cycle doc, May 24th 2018, you can expect 2.4 to be a LTR. Committing to patch/software release dates is a slippery slope, sometime things change. Based on historic patch releases in other trains, you could reasonable assume 2.4 p2 wouldn't be too far out.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-740738.html

Istvan Matyasovszki · ‎07-17-2018

Thank you Damien