Install Patch on ISE

Step-by-Step Guide to Installing, Verifying, and Rolling Back Cisco ISE Patches

 


Prerequisites

  • Administrator Role: You must have Super Admin or System Admin privileges.
  • Backups: Collect configuration and operational backups before starting.
  • Version Compatibility: Only install patches applicable to your deployed Cisco ISE version.
  • Maintenance Window: Schedule patch installations during downtime to avoid service interruptions.

Patch Installation Methods

1. Install via GUI

  1. Download the patch file from Cisco.com (navigate to Downloads > Products > Security > Identity Services Engine).
  2. Verify the MD5/SHA512 checksum of the downloaded file.
  3. Log in to the Primary Administration Node (PAN) GUI.
  4. Go to Administration > System > Maintenance > Patch Management > Install.
  5. Click Browse, select the patch file, and then click Install.
  6. The node will reboot automatically after installation.

Note: Cisco ISE patches are cumulative (e.g., Patch 11 includes all prior patches).
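
Step 2 above, as an added example that is not part of the original guide or Cisco's tooling: a POSIX shell function that compares a downloaded patch bundle with the SHA512 value shown on its download page. It assumes `sha512sum` (GNU coreutils) on the admin workstation; the function and script names are hypothetical, and it goes beyond the step by refusing MD5-length values, since MD5 is not collision resistant.

```shell
#!/bin/sh
# Added example (not Cisco tooling). Assumes sha512sum from GNU coreutils.
# verify_patch_sha512 <file> <expected_sha512_hex>
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_patch_sha512() {
  _file=$1
  # Values pasted from a web page often carry spaces or upper-case hex.
  _want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

  if [ ! -r "$_file" ]; then
    echo "cannot read $_file" >&2
    return 2
  fi
  case $_want in
    ''|*[!0-9a-f]*)
      echo "expected value is not a hex digest" >&2
      return 2 ;;
  esac
  # SHA512 is 128 hex characters. A 32-character value is an MD5, which is
  # not collision resistant, so it is refused rather than compared.
  if [ "${#_want}" -ne 128 ]; then
    echo "expected value is not a SHA512 digest (${#_want} hex chars)" >&2
    return 2
  fi

  # Hash from stdin so unusual file names cannot alter the output format.
  _got=$(sha512sum < "$_file" | cut -d' ' -f1)
  if [ "$_got" = "$_want" ]; then
    echo "OK: $_file matches the published SHA512"
    return 0
  fi
  echo "MISMATCH: do not upload $_file" >&2
  echo "  published: $_want" >&2
  echo "  computed:  $_got" >&2
  return 1
}

# Usage: sh verify_patch.sh <patch_file> <sha512_from_download_page>
if [ "$#" -eq 2 ]; then
  verify_patch_sha512 "$1" "$2"
fi
```

Run it on the workstation that downloaded the file, and again on the repository host if the file is copied there for a CLI install.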


2. Install via CLI

  1. Configure an ISE repository and place the patch file in it.
  2. Log in to the ISE node via SSH.
  3. Verify repository contents using:
    show repository <repository_name>
  4. Run the patch installation command:
    patch install <patch_file_name> <repository_name>
  5. Confirm prompts and allow the system to reboot.

Important: A CLI installation applies only to the node on which the command is run. Use the PAN GUI to deploy patches across all nodes.


Deployment-Wide Installation

  • In distributed deployments, patches are installed first on the Primary PAN, then on all secondary nodes.
  • If installation fails on the PAN, it will not proceed to secondary nodes.
  • If installation fails on a secondary node, the process continues with the next node.

Rolling Back Patches

1. Rollback via GUI

  1. Log in to the PAN GUI.
  2. Navigate to Administration > System > Maintenance > Patch Management.
  3. Select the patch and click Rollback.
  4. Secondary nodes will restart after rollback.

2. Rollback via CLI

  1. SSH into the ISE node.
  2. Verify installed patches with:
    show version
  3. Remove a patch using:
    patch remove ise <patch_number>
  4. Confirm prompts and allow the system to reboot.

Note: Patches are cumulative. You must remove the latest patch before rolling back earlier ones.


Verification

  • GUI: Navigate to Administration > System > Maintenance > Patch Management > Show Node Status.
  • CLI: Run show version to confirm patch details.
  • Logs: Review system logs (show logging system ade/ADE.log tail) for patch installation events.

FAQs

  • Do patches require a reboot? Yes, every patch installation or rollback triggers a reboot.
  • Can I install older patches over newer ones? No, only higher or equal versions can be installed.
  • Are patches cumulative? Yes, each patch includes all previous fixes.

Source: Cisco Support – Install Patch on ISE