Cisco ISE (Identity Services Engine) is an Enterprise grade AAA product that has been around for seven years.
Cisco ISE is the successor to Cisco's popular and widespread ACS product which has reached the end of sale status.
With the introduction of ISE 2.4, Cisco have reached feature parity with ACS and this should accelerate customer migrations of Cisco ACS to Cisco ISE.
We have plenty of other material if you're interested to read more on Cisco ISE, in the Top 5 Unique Features of Cisco ISE.
Cisco ISE Migration
Cisco provides migration tools to assist with these migrations, but in many cases it makes sense to re-architect the system to allow efficiencies to be gained.
IPTel has performed a number of complex migrations from ACS to ISE to ensure business continuity with minimal downtime.
Cisco ISE migration is something to be carefully considered. The platform often operates as the central hub of any network - all clients connecting to the network have to authenticate (or at least should be), so a failure of the core authentication platform is a major issue.
Why So Many ISE 2.X versions?
Cisco has recently published a product bulletin explaining the Cisco ISE Lifecycle for the 2.x version numbering as well as the maintenance around these versions. One may wonder why there are so many sub releases of ISE 2.x (i.e. the 'x', or minor release version) in 2.x available for download. Furthermore, why is each minor release independently maintained with ongoing patches? The Cisco ISE Business Unit plans to release a new version every six months, and this has almost consistently been the case thus far.
Figure 1: ISE Releases
Cisco has recently explained that the odd-numbered releases are STR (Short Term Release) and even-numbered releases are LTR (Long Term Releases) - this is a rule of thumb and is subject to variations. Similar approaches to this are seen with Linux distributions where the release schedule and maintenance terms are predictable.
What Does This Mean For Customers?
This is good news for customers because they can expect a steady rate of new versions, and depending on their agility and appetite for new features, chose the appropriate release. A more conservative customer may wish to upgrade every 24 months on the even numbered releases, whilst applying patches within those long term releases. On the other hand, customers looking for new features can get those every six to 12 months.
The caveat is that STR releases are to be seen as short lived and customers are encouraged to move off those releases before they become end of support. One of the commonly asked questions from customers is "which release should I be using"? The answer is always "it depends" because there is no empirical evidence or matrix that displays features versus software reliability. Cisco will tell you that ISE 2.2 is currently their safe harbour release and the reasoning is predicated on their release strategy, not on software quality metrics (at least, those metrics are not made public). Once the ISE 2.4 patch cycle gets going then it will become the next de-facto safe harbour release.
Figure 2: ISE Lifecycle pattern*
Cisco's ISE 2.X Software Release Lifecycle: Conclusion
Cisco didn't indicate whether STR and LTR would differ in terms of what type of features would be introduced in those releases. The message is more around the regular frequency with which customers can expect to progress in this evolving product life cycle. This product bulletin does not hint at which release is the best release to go for, but it would stand to reason that the latest LTR release is the sensible choice because it contains cumulative bug fixes and will continue doing so for a longer time than an STR release.
Need any help with your Cisco ISE install?
If you need help with your Cisco ACS to ISE migration, drop us a line at our Contact Page, or send an email to sales@iptel.com.au.
If you're interested to hear more about some of our ISE engineers, have a look over the blog about Arne Bier - he's a Cisco ISE champion and VIP.
*Figure 2: ISE Lifecycle pattern, sourced from https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-740738.html, Cisco, May 24 2018
