ISE Hardware Refresh: Decisions & Risks

Recommendations

Assessment Date: 2026-03-16

[x] Hardware adequate for 18 months [ ] Recommend hardware refresh [x] Recommend version upgrade only [ ] Recommend capacity expansion (add PSN)

Summary

Finding Detail

Hardware

SNS-3755-K9 is enterprise-class, no refresh needed

Software

Version 3.2 past SW maintenance (ended 2025-10-31)

Action Required

Upgrade to ISE 3.3+ before EOS (2028-10-31)

Timeline

Plan upgrade within next 6-12 months

Risk if no action

No new patches after EOS, security vulnerabilities unpatched

Recommended Upgrade Path

  1. Current: 3.2.0.542 Patch 6

  2. Target: 3.3.x or 3.4.x (latest stable)

  3. Method: In-place upgrade (hardware supports newer versions)

  4. Downtime: Plan maintenance window (typically 2-4 hours per node)

Decision Log

Date Decision Rationale Decided By

2026-03-16

No hardware refresh required

SNS-3755-K9 is enterprise-class, supports ISE 3.3+/3.4. No capacity or compatibility constraints within 18-month window.

Evan

2026-03-16

Software upgrade to 3.3+ recommended

ISE 3.2 SW maintenance ended 2025-10-31. No new patches available. Security risk increases with time.

Evan

2026-03-16

Use netapi --refresh for data collection

Single command aggregates version, patches, nodes, certs, license, backup. Repeatable and scriptable for future assessments.

Evan

2026-03-16

SSH required for hardware specs

ISE ERS/OpenAPI does not expose hardware details (PID, serial, CPU, RAM, disk). Must SSH to each node for show inventory.

Evan

Risk Assessment

Risk Likelihood Impact Mitigation Contingency

No security patches after 3.2 EOS (2028-10-31)

High

High

Upgrade to 3.3+ within 6-12 months. Track CVEs against current version.

Emergency upgrade if critical CVE published before planned window

Upgrade breaks existing ISE policies or integrations

Medium

High

Test upgrade in domus home lab first. Document all policies before upgrade. Maintain backup.

Restore from backup. Rollback to 3.2 if needed.

Maintenance window unavailable due to hospital operations

Medium

Medium

Schedule during lowest-traffic window (weekend). Rolling upgrade minimizes downtime per node.

Break upgrade into multiple smaller windows (one node at a time)

Certificate expiry during assessment period

Low

High

Monitor via netapi ise get-nodes --certs. Renew any certs expiring within 180 days immediately.

Emergency cert renewal procedure documented in infra-ops

SmartNet coverage lapse on SNS-3755-K9

Low

Medium

Verify SmartNet contract dates. Renew before expiration.

Procure new contract or replacement appliance if lapsed

References (Official Cisco Documentation)

ISE Software EOL/EOS

Document Link

ISE 3.1/3.2 EOL Bulletin

www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-1-3-2.html

All ISE EOL Notices

www.cisco.com/c/en/us/products/security/identity-services-engine/eos-eol-notice-listing.html

ISE Software Lifecycle Policy

www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-740738.html

Hardware Documentation (SNS-3755-K9)

Document Link

SNS Appliance Data Sheet

www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-726524.html

SNS 3700 Hardware Guide

www.cisco.com/c/en/us/td/docs/security/ise/sns3700hig/sns_3700_hardware_install_guide/m_sns37xxoverview.html

Key Dates (ISE 3.2)

Milestone Date

End of SW Maintenance

2025-10-31

Last Patch

3.2 P8

End of Sale

2026-11-03

End of Support

2028-10-31