Cisco ISE 2.3 Patch 2 was released at the end of January 2018. You can read about the resolved caveats here: Cisco ISE 2.3 Release Notes. Along with the bug fixes, the biggest addition that I’m excited about is the ability to have two RADIUS shared secrets!
Why is that a big deal? Changing the RADIUS shared secret in the past was a little painful. You had to make the change on the NAD and then hurry to change it in ISE (or vice versa). This caused a little bit of downtime because authentications from the NAD would stop working until both RADIUS shared secrets matched.
Now, you can roll out your RADIUS shared secret change almost like a TACACS+ key change. You can change the primary RADIUS shared secret to the new secret and set the old secret as the second RADIUS shared secret. No authentications will stop because ISE will allow the connection even if the NAD is using the old shared secret.
There is one caveat to this. If you are using TrustSec, the CoA for TrustSec sent from the ISE node uses the first RADIUS shared secret. That means it the first shared secret under the ISE NAD configuration must match the RADIUS configuration on the NAD. So changing the RADIUS shared secret on a TrustSec deployment will still require careful planning to minimize authentication failures.