ISE Hardware Refresh: Assessment
Data Collection
Full Refresh Report (Primary Command)
# Complete refresh planning report - version, patches, nodes, certs, license, backup
netapi ise get-nodes --refresh
Output includes:
- Product version (e.g., 3.5.0.527)
- Installed patches
- Deployment nodes (hostname, IP, FQDN, roles, status)
- Certificate expiration dates
- License tiers and consumption
- Last backup status
JSON Output for jq Processing
# Full report as JSON
netapi ise -f json get-nodes --refresh | jq '.'
# Extract version only
netapi ise -f json get-nodes --refresh | jq '.version'
# All certificate expiration dates
netapi ise -f json get-nodes --refresh | jq '.certificates | to_entries[] | .value[] | {name, expiration_date}'
# Filter certs by name - jq regex: test("pattern"; "i") for case-insensitive
netapi ise -f json get-nodes --refresh | jq '.certificates[][] | select(.name | test("EAP"; "i"))'
# License tier summary
netapi ise -f json get-nodes --refresh | jq '.license_tiers[] | "\(.name): \(.compliance) (\(.endpoints) endpoints)"'
# Nodes with status
netapi ise -f json get-nodes --refresh | jq '.nodes[] | "\(.hostname) [\(.status)] - \(.roles | join(", "))"'
# List certificate names only (checking for expiry within 365 days requires parsing expiration_date)
netapi ise -f json get-nodes --refresh | jq '.certificates[][] | .name'
Capacity Planning
# License consumption, endpoint count, deployment scale
netapi ise get-nodes --capacity
Certificate Expiry Report
# Certificate expiry with days remaining and warnings
netapi ise get-nodes --certs
Legend: ✓ = OK, ⚠ = Warning (<90d), ✗ = Critical (<30d or expired)
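The jq section notes that a 365-day expiry check needs date parsing, and the legend above gives the warning thresholds. The following added example (not part of the original page or of the netapi tool) applies both to the `.certificates` structure that the jq filters imply. The sample data is constructed; the `expiration_date` format (ISO 8601, `YYYY-MM-DD` prefix) and the meaning of the top-level keys are assumptions.

```python
import json
import sys
from datetime import date

WARN_DAYS = 90  # legend: warning below 90 days
CRIT_DAYS = 30  # legend: critical below 30 days, or already expired

# Constructed sample in the shape the jq filters imply: .certificates is an
# object whose values are lists of {name, expiration_date} (keys are assumed).
SAMPLE = {
    "certificates": {
        "ise-01": [
            {"name": "EAP Authentication", "expiration_date": "2026-04-01"},
            {"name": "Admin", "expiration_date": "2026-05-20"},
        ],
        "ise-02": [
            {"name": "Portal", "expiration_date": "2027-01-10"},
            {"name": "pxGrid", "expiration_date": "2028-03-16"},
            {"name": "SAML", "expiration_date": "2026-03-01"},
        ],
    }
}

def classify(days_left):
    """Map days remaining to the legend's status levels."""
    if days_left < CRIT_DAYS:  # negative values mean already expired
        return "CRITICAL"
    if days_left < WARN_DAYS:
        return "WARNING"
    return "OK"

def expiry_report(report, today, horizon_days=365):
    """Return (days_left, status, group, name) for certs due within the horizon."""
    rows = []
    for group, certs in report.get("certificates", {}).items():
        for cert in certs:
            # Assumption: the value starts with YYYY-MM-DD. An unparseable date
            # raises ValueError rather than being silently skipped.
            expires = date.fromisoformat(cert["expiration_date"][:10])
            days_left = (expires - today).days
            if days_left <= horizon_days:
                rows.append((days_left, classify(days_left), group, cert["name"]))
    return sorted(rows)  # soonest (or longest expired) first

if __name__ == "__main__":
    # Reads the JSON report from a pipe; falls back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for days_left, status, group, name in expiry_report(data, date.today()):
        print(f"{status:8} {days_left:5}d  {group}  {name}")
```

To use it on live data, pipe the JSON report into the script; expired certificates appear first with negative day counts.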
Detailed Node Topology
# Node details - hostname, IP, roles, services, status
netapi ise get-nodes --detailed
Additional Data Points
# Active sessions (current load)
netapi ise mnt sessions | wc -l
# Endpoint identity groups
netapi ise get-endpoint-groups
# Authorization profiles (policy complexity)
netapi ise get-authz-profiles
Hardware/VM Specs (SSH Required)
Note: Hardware details are NOT available via API. Must SSH to each node.
SSH Config Fix: ISE host blocks must come BEFORE Host * in ~/.ssh/config, because ssh uses the first value it obtains for each option (see RCA-2026-03-16-002).
# SSH to ISE (uses admin user, password auth)
ssh ise-01 # or ssh ise-02
# Once connected, run these commands:
show version # Software version, build date, patches
show inventory # Hardware: PID, serial, CPU, RAM, disk
show udi # Quick: PID and serial only
show disk # Disk usage details
show application status ise # Service status
Example show inventory output (Virtual):
NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9, VID: V01, SN: HFOPKI3IA94
Manufacturer: Red Hat
Product Name: KVM
Total RAM Memory: 16138384 kB
CPU Core Count: 8
CPU 0: Model Info: Intel(R) Xeon(R) D-2146NT CPU @ 2.30GHz
Hard Disk Count(*): 1
Disk 0: Capacity: 300GiB
Physical appliance PIDs:
| PID | Model | Notes |
|---|---|---|
| SNS-3515-K9 | Small/Medium deployment | Up to 10K endpoints |
| SNS-3595-K9 | Medium/Large deployment | Up to 50K endpoints |
| SNS-3655-K9 | Large deployment | Up to 100K+ endpoints |
| SNS-3755-K9 | Extra Large deployment | CHLA has this - enterprise scale |
| ISE-VM-K9 | Virtual appliance | Check hypervisor specs |
Cisco EOL/EOS Reference
Check these against current version:
| Version | End of SW Maintenance | End of Support | 18-Month Window | Action |
|---|---|---|---|---|
| ISE 2.7 | 2023-07-31 | 2026-07-31 | PAST | CRITICAL - Upgrade immediately |
| ISE 3.0 | 2024-02-29 | 2027-02-28 | Sep 2027 | Plan upgrade by Q2 2027 |
| ISE 3.1 | 2025-01-31 | 2028-01-31 | Jul 2028 | Monitor, plan for 3.3+ |
| ISE 3.2 | 2025-10-31 | 2028-10-31 | Apr 2028 | Current stable |
| ISE 3.3 | TBD | TBD | TBD | Latest - recommended target |
| ISE 3.4+ | TBD | TBD | TBD | Future versions |
18-Month Decision Matrix:
- Version < 3.1 → Hardware refresh required (EOL within window)
- Version 3.1-3.2 → Software upgrade recommended, hardware likely adequate
- Version 3.3+ → No immediate action, monitor capacity
- VM on old ESXi → Consider hypervisor refresh alongside ISE
- Appliance SNx-3xxx → Check SmartNet coverage dates
Capacity Planning
Current Load
# Peak authentication rate (check MNT logs)
netapi ise mnt auth-list --hours 24 | wc -l
# Failed authentications (may indicate capacity issues)
netapi ise mnt failures --hours 24 | wc -l
Growth Projections
| Metric | Current | 18-Month Projection |
|---|---|---|
| Total Endpoints | TBD | TBD |
| Peak Auth/sec | TBD | TBD |
| PSN Count | TBD | TBD |
Data Collection Log
| Date | Data Point | Value |
|---|---|---|
| 2026-03-16 | Assessment initiated | Pending data collection |
| 2026-03-16 | Home lab test (d000) - Software | ISE 3.5.0.527 Patch 2 |
| 2026-03-16 | Home lab test (d000) - Hardware | ISE-VM-K9 (Virtual), SN: HFOPKI3IA94, 8 CPU, 16GB RAM, 300GB disk |
| 2026-03-16 | Home lab test (d000) - Platform | KVM on Red Hat, Xeon D-2146NT @ 2.30GHz |
| 2026-03-16 | CHLA Production - Software | ISE 3.2.0.542 Patch 3, Patch 6 |
| 2026-03-16 | CHLA Production - Hardware | SNS-3755-K9 (Physical appliance) |