Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

February 2017

Cisco Systems, Inc.
www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Text Part Number: OL-27044-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without written authorization from Cisco may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

• Turn the television or radio antenna until the interference stops.

• Move the equipment to one side or the other of the television or radio.

• Move the equipment farther away from the television or radio.

• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
Copyright © 2013 Cisco Systems, Inc. All rights reserved.

Contents

Preface 1

Purpose 1

Audience 2

Document Organization 2

Installation Reference 3

Document Conventions 3

Related Documentation 4

Release-Specific Documents 4

Platform-Specific Documents 5

Obtaining Documentation and Submitting a Service Request 6

Chapter 1 Network Deployments in Cisco ISE 1-1

Architecture Overview 1-1

Network Deployment Terminology 1-2

Node Types and Personas in Distributed Deployments 1-3

Administration Node 1-3

Policy Service Node 1-3

Monitoring Node 1-3

Inline Posture Node 1-4

Inline Posture Node Installation 1-4

Inline Posture Node Reuse 1-4

Standalone and Distributed Deployments 1-5

Distributed Deployment Scenarios 1-5

Small Network Deployments 1-5

Split Deployments 1-6

Medium-Sized Network Deployments 1-7

Large Network Deployments 1-8

Dispersed Network Deployments 1-9

Deployment Size and Scaling Recommendations 1-10

Inline Posture Planning Considerations 1-12

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions 1-13

Chapter 2 Cisco SNS-3400 Series Appliances 2-1

Cisco SNS-3400 Series Appliance Hardware Specifications 2-1

Cisco SNS-3400 Series Front and Rear Panels 2-2

Cisco SNS Support for Cisco ISE 2-4

Chapter 3 Installing and Configuring a Cisco SNS-3400 Series Appliance 3-1

Installing the SNS-3400 Series Appliance in a Rack 3-1

Downloading the Cisco ISE, Release 1.2 ISO Image 3-1

Installing Release 1.2 Software on SNS-3400 Series Appliance 3-2

Cisco Integrated Management Controller 3-3

Configuring CIMC 3-3

Creating a Bootable USB Drive 3-5

Prerequisites for Configuring a Cisco SNS-3400 Series Appliance 3-6

Cisco ISE Setup Program Parameters 3-7

Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance 3-9

Supported Time Zones 3-13

Setup Process Verification 3-15

Chapter 4 Installing Release 1.2 Software on a VMware Virtual Machine 4-1

Supported VMware Versions 4-1

Support for VMware vMotion in Release 1.2 4-2

Virtual Machine Requirements 4-2

VMware Appliance Size Recommendations 4-3

Disk Space Requirements 4-4

Evaluating Release 1.2 4-5

Configuring a VMware ESX or ESXi Server 4-5

Enabling Virtualization Technology on an ESX or ESXi Server 4-7

Configuring VMware Server Interfaces for the Cisco ISE Profiler Service 4-8

Configuring a VMware Server 4-9

Preparing a VMware System for Cisco ISE Software Installation 4-17

Configuring a VMware System to Boot From a Cisco ISE Software DVD 4-17

Installing Cisco ISE Software on a VMware System 4-19

Connecting to a Cisco ISE VMware Server Using the Serial Console 4-21

Cloning a Cisco ISE Virtual Machine 4-24

Cloning a Cisco ISE Virtual Machine Using a Template 4-26

Creating a Virtual Machine Template 4-26

Deploying a Virtual Machine Template 4-26

Changing the IP Address and Hostname of a Cloned Virtual Machine 4-27

Connecting a Cloned Cisco Virtual Machine to the Network 4-29

Chapter 5 Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances 5-1

Installing Cisco ISE, Release 1.2, Software from a DVD 5-2

Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance 5-3

Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance 5-3

Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance 5-4

Resetting the Existing RAID Configuration on a Cisco NAC Appliance 5-5

Chapter 6 Managing Administrator Accounts 6-1

CLI-Admin and Web-Based Admin User Right Differences 6-1

Tasks Performed by CLI-Admin and Web-Based Admin Users 6-1

Tasks Performed Only by the CLI-Admin User 6-2

Creating CLI Admin Users 6-2

Creating Web-Based Admin Users 6-2

Chapter 7 Performing Post-Installation Tasks 7-1

Accessing Cisco ISE Using a Web Browser 7-1

Logging In to the Cisco ISE Web-Based Interface 7-2

Administrator Lockout Following Failed Login Attempts 7-3

Logging Out of the Cisco ISE Web-Based Interface 7-3

Installing a License 7-3

Installing Certificates 7-4

Verifying a Cisco ISE Configuration 7-4

Verifying a Configuration Using a Web Browser 7-4

Verifying a Configuration Using the CLI 7-5

Verifying the Installation of VMware Tools 7-6

Upgrading VMware Tools 7-7

Resetting the Administrator Password 7-7

Resetting a Lost, Forgotten, or Compromised Password 7-8

Resetting a Password Due to Administrator Lockout 7-9

Changing the IP Address of a Cisco ISE Appliance 7-9

Configuring the Cisco ISE System 7-10

Enabling System Diagnostic Reports in Cisco ISE 7-10

Appendix A Installing the Cisco SNS-3400 Series Appliance in a Rack A-1

Unpacking and Inspecting the Server A-1

Safety Guidelines A-2

Installing a Cisco SNS-3400 Series Appliance in a Rack A-4

Rack Requirements A-4

Equipment Requirements A-4

Slide Rail Adjustment Range A-4

Installing the Server In a Rack A-4

Connecting and Powering On the Server A-7

Checking the LEDs A-8

Front Panel LEDs and Buttons A-9

Rear Panel LEDs and Buttons A-10

Installing or Replacing Server Components A-11

Appendix B Cisco SNS-3400 Series Server Specifications B-1

Physical Specifications B-1

Environmental Specifications B-1

Power Specifications B-2

450-Watt Power Supply B-2

650-Watt Power Supply B-2

Appendix C Cisco SNS-3400 Series Appliance Ports Reference C-1

Ports to be Used for OCSP and CRL C-9

Appendix D Cisco ISE Licenses D-1

Cisco ISE Licensing D-1

License Count D-3

Obtaining a Cisco ISE License from Cisco.com D-3

Determining Your Hardware ID Using the CLI D-4

Determining Your Hardware ID Using the Admin Portal D-4

Adding or Upgrading a License D-5

Removing a License D-5

Appendix E Certificate Management in Cisco ISE E-1

HTTPS Communication Using the Cisco ISE Certificate E-1

EAP Communication Using the Cisco ISE Certificate E-2

Certificates Enable Cisco ISE to Provide Secure Access E-2

Enabling PKI in Cisco ISE E-3

Local Certificates E-4

Wildcard Certificates E-4

Wildcard Certificates for HTTPS and EAP Communication E-5

Wildcard Certificate Support in Cisco ISE, Release 1.2 E-6

Fully Qualified Domain Name in URL Redirection E-6

Advantages of Using Wildcard Certificates E-7

Disadvantages of Using Wildcard Certificates E-7

Wildcard Certificate Compatibility E-8

Creating a Wildcard Certificate E-8

Installing Wildcard Certificates in Cisco ISE E-10

Creating a Certificate Signing Request for Wildcard Certificates E-10

Exporting the Certificate Signing Request E-11

Submitting the CSR to a Certificate Authority E-11

Importing the Root Certificates to the Certificate Store E-12

Binding the CSR With the New Public Certificate E-13

Exporting the CA-Signed Certificate and Private Key E-13

Importing the CA-Signed Certificate to the Policy Service Nodes E-13

Installing a CA-Signed Certificate in Cisco ISE E-13

Viewing Local Certificates E-15

Adding a Local Certificate E-16

Importing a Local Certificate E-16

Generating a Self-Signed Certificate E-18

Generating a Certificate Signing Request E-19

Binding a CA-Signed Certificate E-20

Editing a Local Certificate E-21

Exporting a Local Certificate E-22

Certificate Signing Requests E-23

Exporting Certificate Signing Requests E-23

Certificate Store E-23

Expiration of X.509 Certificates E-25

CA Certificate Naming Constraint E-25

Viewing Certificate Store Certificates E-26

Changing the Status of a Certificate in Certificate Store E-26

Adding a Certificate to Certificate Store E-27

Editing a Certificate Store Certificate E-27

Exporting a Certificate from the Certificate Store E-27

Importing Certificate Chains E-28

Installation of CA Certificates for Cisco ISE Inter-node Communication E-28

Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL E-28

Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node E-29

Simple Certificate Enrollment Protocol Profiles E-29

Adding Simple Certificate Enrollment Protocol Profiles E-30

OCSP Services E-30

OCSP Certificate Status Values E-31

OCSP High Availability E-31

OCSP Failures E-31

Adding OCSP Services E-32

OCSP Statistics Counters E-33

Monitoring OCSP E-34

Configuring Certificates for Inline Posture Nodes E-34

Index

Preface

Revised: February 22, 2017

This preface contains the following sections:

• Purpose, page 1

• Audience, page 2

• Document Organization, page 2

• Document Conventions, page 3

• Related Documentation, page 4

• Obtaining Documentation and Submitting a Service Request, page 5

Purpose

This installation guide provides the following types of information about Cisco ISE, Release 1.2:

• Prerequisites for installation

• Procedures for installing the Cisco ISE software on a supported Cisco ISE appliance

• Procedures for installing the Cisco ISE software on a supported VMware virtual machine

• Procedures for installing the Cisco ISE software on a supported Cisco Network Admission Control (NAC) appliance or Cisco Secure Access Control System (ACS) appliance

Cisco ISE, Release 1.2 offers a choice of two appliance platforms. Your choice depends on the size of your deployment:

• Small network—SNS 3415

• Large network—SNS 3495

You can upgrade an existing Cisco ISE 3300 series appliance to Release 1.2.

For VMware-based installations, you must configure the VMware environment to meet minimum system requirements and then install the Cisco ISE, Release 1.2, software. See Chapter 4, “Installing Release 1.2 Software on a VMware Virtual Machine” for more information.

The supported VMware versions include the following:

• VMware Elastic Sky X (ESX), Version 4.0, 4.0.1, and 4.1

• VMware ESXi, Version 4.x and 5.x

• VMware vSphere Client 4.x and 5.x

Audience

This guide is designed for network administrators, system integrators, or network deployment personnel who install and configure the Cisco ISE software on Cisco SNS-3400 Series appliances or on VMware servers. As a prerequisite to using this hardware installation guide, you should be familiar with networking equipment and cabling and have a basic knowledge of electronic circuitry, wiring practices, and equipment rack installations.

Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Document Organization

Table 1 Cisco ISE Hardware Installation Guide Organization

Chapter/Appendix and Title Description

Chapter 1, “Network Deployments in Cisco ISE” Provides an overview of the Cisco SNS-3400 Series appliance deployments and their components. Read this chapter before planning a new Cisco ISE deployment.

Chapter 2, “Cisco SNS-3400 Series Appliances” Provides an overview of the Cisco SNS-3400 Series hardware.

Chapter 3, “Installing and Configuring a Cisco SNS-3400 Series Appliance”

Describes how to perform an initial installation of Cisco ISE software on Cisco SNS-3400 Series hardware.

Chapter 4, “Installing Release 1.2 Software on a VMware Virtual Machine”

Describes how to install Cisco ISE software on VMware ESX or ESXi and vSphere virtual machines.

Chapter 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances”

Describes how to install Cisco ISE, Release 1.2 software on existing ISE 3300 series, or legacy NAC and ACS appliances.

Chapter 6, “Managing Administrator Accounts” Describes the two types of administrator accounts in Cisco ISE, their privileges, and how to create them.

Chapter 7, “Performing Post-Installation Tasks” Provides information about installing a Cisco ISE license and lists the configuration tasks that you need to perform following installation.

Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a Rack”

Describes the necessary safety instructions, site requirements, and tasks that you need to perform before installing the Cisco SNS-3400 Series hardware. Also, provides instructions on rack-mounting a Cisco SNS-3400 Series appliance, connecting all cables, powering up the appliance, and replacing the server components.

Appendix B, “Cisco SNS-3400 Series Server Specifications” Provides physical, environmental, and power specifications for maintaining Cisco SNS-3400 Series appliance following installation.

Appendix C, “Cisco SNS-3400 Series Appliance Ports Reference”

Provides a reference list of ports that are used by Cisco SNS-3400 Series appliance services, applications, and devices.

Appendix D, “Cisco ISE Licenses” Describes the different types of licenses available in Cisco ISE and how to install them.

Appendix E, “Certificate Management in Cisco ISE” Describes local (including wildcard certificates) and CA certificates and how to install them.

Installation Reference

Table 2 Cisco ISE 1.2 Installation Scenarios

Installation Process Reference

Introducing the Cisco ISE appliance and predeployment requirements

Chapter 2, “Cisco SNS-3400 Series Appliances”

Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a Rack”

Configuring the Cisco ISE software

Chapter 3, “Installing and Configuring a Cisco SNS-3400 Series Appliance”

Installing the initial Cisco ISE software on the VMware server

Chapter 4, “Installing Release 1.2 Software on a VMware Virtual Machine”

Installing Cisco ISE software on a Cisco NAC Appliance or on a Cisco Secure ACS Appliance

Chapter 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances”

Performing post-installation tasks after logging in to the Cisco ISE web interface

Chapter 7, “Performing Post-Installation Tasks”

Document Conventions

This guide uses the following conventions to convey instructions and information.

Convention Item

bold Commands, keywords, and user-entered text as well as tab and button names in procedural text appear in bold font.

italic Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.

courier Terminal sessions and information the system displays is in courier (monospace, fixed-width) font.

<> In examples that do not allow italics, such as ASCII outputs, arguments for which you must supply a value appear in <angle> brackets.

Note Means reader take note. Notes contain helpful suggestions or references to material that is not discussed in the manual.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Warning IMPORTANT SAFETY INSTRUCTIONS

This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device.

SAVE THESE INSTRUCTIONS

Tip Means the following information will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information, similar to a Timesaver.

Related Documentation

Release-Specific Documents

Note General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Table 3 Product Documentation for Cisco Identity Services Engine

Document Title Location

Release Notes for the Cisco Identity Services Engine, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Cisco Identity Services Engine Network Component Compatibility, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html

Cisco Identity Services Engine User Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Upgrade Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine, Release 1.2 Migration Tool Guide

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine CLI Reference Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine API Reference Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine Troubleshooting Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card

http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html

My Devices Portal FAQs, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Platform-Specific Documents

• Cisco ISE http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

• Cisco NAC Appliance http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

• Cisco NAC Guest Server http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html

• Cisco NAC Profiler http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html

• Cisco Secure ACS http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html

• Cisco UCS C-Series Servers http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS_rack_roadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.

Chapter 1

Network Deployments in Cisco ISE

This chapter describes several network deployment scenarios, provides information about how to deploy the Cisco Identity Services Engine (ISE) SNS 3400 Series appliance and its related components, and provides a pointer to the switch and Wireless LAN Controller configurations that are needed to support Cisco ISE. This chapter contains the following sections:

• Architecture Overview, page 1-1

• Network Deployment Terminology, page 1-2

• Node Types and Personas in Distributed Deployments, page 1-3

• Standalone and Distributed Deployments, page 1-5

• Distributed Deployment Scenarios, page 1-5

• Deployment Size and Scaling Recommendations, page 1-10

• Inline Posture Planning Considerations, page 1-12

• Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions, page 1-13

Architecture Overview

Cisco ISE architecture includes the following components:

• Nodes and persona types

– Cisco ISE node—A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, or Monitoring

– Inline Posture node—A gatekeeping node that takes care of access policy enforcement

• Network resources

• Endpoints

Note Figure 1-1 shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an Inline Posture node, and a policy information point.

The policy information point represents the point at which external information is communicated to the Policy Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP) attribute.

Figure 1-1 Cisco ISE Architecture

Network Deployment Terminology

The following terms are commonly used when discussing Cisco ISE deployment scenarios:

• Service—A service is a specific feature that a persona provides such as network access, profiling, posture, security group access, monitoring, and troubleshooting.

• Node—A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and as software that can be run on VMware.

• Node Type—A node can be one of two types: A Cisco ISE node or an Inline Posture node. The node type and persona determine the type of functionality provided by a node.

• Persona—The persona or personas of a node determine the services that the node provides. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. The menu options that are available through the administrative user interface depend on the role and personas that a node assumes.

• Role—The role of a node determines if it is a standalone, primary, or secondary node and applies only to Administration and Monitoring nodes.

Node Types and Personas in Distributed Deployments

In a Cisco ISE distributed deployment, there are two types of nodes:

• Cisco ISE node—Administration, Policy Service, Monitoring

• Inline Posture node

A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment, with the exception of the Inline Posture node, can assume the Administration, Policy Service, and Monitoring personas. In a distributed deployment, you can have the following combination of nodes on your network:

• Primary and secondary Administration nodes for high availability

• A pair of Monitoring nodes for automatic failover

• One or more Policy Service nodes for session failover

• A pair of Inline Posture nodes for high availability

Related Topics

• Administration Node, page 1-3

• Policy Service Node, page 1-3

• Monitoring Node, page 1-3

• Inline Posture Node, page 1-4

Administration Node

A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication, authorization, and accounting. In a distributed deployment, you can have one or a maximum of two nodes running the Administration persona. The Administration persona can take on the standalone, primary, or secondary role.

Policy Service Node

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and provides network access to endpoints based on the result of the policy evaluation. You can have more than one node assume this persona. Typically, there is more than one Policy Service node in a distributed deployment. All Policy Service nodes that reside behind a load balancer share a common multicast address and can be grouped to form a node group. If one of the nodes in a node group goes down, the other nodes detect the failure and reset any pending sessions.

At least one node in your distributed setup should assume the Policy Service persona.

Monitoring Node

A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage a network and resources. A node with this persona aggregates and correlates the data that it collects, and provides you with meaningful reports. Cisco ISE allows you to have a maximum of two nodes with this persona, and they can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary Monitoring node.

At least one node in your distributed setup should assume the Monitoring persona. We recommend that you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.

Inline Posture Node

An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes, and they can take on primary or secondary roles for high availability.

The Inline Posture node must be a dedicated node. It must be dedicated solely for Inline Posture service, and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. For example, it cannot act as an Administration node (offering administration service), or a Policy Service node (offering network access, posture, profile, and guest services), or a Monitoring node (offering monitoring and troubleshooting services).

Inline Posture is not supported on the Cisco SNS 3495 platform. Ensure that you install Inline Posture on any one of the following supported platforms: Cisco ISE 3315, Cisco ISE 3355, Cisco ISE 3395, or Cisco SNS 3415.

Inline Posture Node Installation

You must download the Inline Posture ISO image from Cisco.com and install it on any of the supported platforms, configure certificates through the CLI, and register this node from the user interface of the primary Administration node.

Note You cannot access the web-based user interface of the Inline Posture nodes. You can configure them only from the primary Administration node.

Before you can add an Inline Posture node to a deployment, you must configure a certificate for it and register it with the primary Administration node. See Configuring Certificates for Inline Posture Nodes, page E-34 for more information.

Inline Posture Node Reuse

If you decide that you no longer need an Inline Posture node, you cannot add any services or roles to it, but you can change it to a Cisco ISE node and then assign any persona to it. If you want to reuse an Inline Posture node, you must first deregister it and then reimage the appliance and install Cisco ISE, Release 1.2, on it.


Standalone and Distributed Deployments

A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the Administration, Policy Service, and Monitoring personas.

A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover and to improve performance, you can set up a deployment with multiple Cisco ISE nodes in a distributed fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, and Monitoring. Because of its specialized nature, an Inline Posture node cannot assume any other persona and must be a dedicated node.
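The node, persona and role limits stated in the preceding sections and in this one (one or two Administration nodes, one or two Monitoring nodes, at least one Policy Service node, at most two Inline Posture nodes that carry no persona, a standalone deployment being a single node with all three personas, and the recommendation not to co-locate Monitoring with Policy Service) can be checked mechanically before a deployment is built. The following Python is an added example, not Cisco's code. Node names and the two sample plans are constructed, and tracking the primary/secondary role per persona rather than per node is an assumption that goes beyond the chapter's wording.

```python
"""Check a planned Cisco ISE 1.2 deployment against the node, persona and role
limits stated in this chapter. Added example, not Cisco's code; node names and
the sample plans are constructed."""
from dataclasses import dataclass, field

ISE_NODE = "ise"
INLINE_POSTURE = "inline-posture"
PERSONAS = frozenset({"Administration", "Policy Service", "Monitoring"})
# Roles (standalone/primary/secondary) apply only to Administration and Monitoring.
# Tracking them per persona is an assumption: one node may be primary for
# Administration and secondary for Monitoring.
ROLE_PERSONAS = ("Administration", "Monitoring")


@dataclass
class Node:
    name: str
    node_type: str = ISE_NODE                   # ISE_NODE or INLINE_POSTURE
    personas: frozenset = frozenset()           # subset of PERSONAS; empty for Inline Posture
    roles: dict = field(default_factory=dict)   # persona -> "primary" | "secondary"


def validate(nodes):
    """Return (errors, warnings): errors break a limit the chapter states,
    warnings flag a recommendation the plan ignores."""
    errors, warnings = [], []
    ise_nodes = [n for n in nodes if n.node_type == ISE_NODE]
    ipn_nodes = [n for n in nodes if n.node_type == INLINE_POSTURE]

    for n in nodes:
        unknown = set(n.personas) - PERSONAS
        if unknown:
            errors.append(f"{n.name}: unknown persona(s) {sorted(unknown)}")
        if n.node_type == INLINE_POSTURE and n.personas:
            errors.append(f"{n.name}: an Inline Posture node is dedicated and cannot assume any persona")
        if n.node_type == ISE_NODE and not n.personas:
            errors.append(f"{n.name}: a Cisco ISE node must assume at least one persona")

    if len(nodes) == 1:
        # Standalone deployment: a single Cisco ISE node running all three personas.
        n = nodes[0]
        if n.node_type != ISE_NODE or set(n.personas) != set(PERSONAS):
            errors.append("a standalone deployment is one Cisco ISE node running all three personas")
        return errors, warnings

    # Distributed deployment.
    by_persona = {p: [n for n in ise_nodes if p in n.personas] for p in PERSONAS}
    for p in ROLE_PERSONAS:
        count = len(by_persona[p])
        if not 1 <= count <= 2:
            errors.append(f"need 1 or 2 {p} nodes, found {count}")
        elif count == 2:
            # A redundant pair needs exactly one primary and one secondary for that persona.
            roles = sorted(n.roles.get(p, "unset") for n in by_persona[p])
            if roles != ["primary", "secondary"]:
                errors.append(f"redundant {p} pair needs one primary and one secondary, got {roles}")
    if not by_persona["Policy Service"]:
        errors.append("at least one node must assume the Policy Service persona")
    if len(ipn_nodes) > 2:
        errors.append(f"at most 2 Inline Posture nodes are supported, found {len(ipn_nodes)}")
    for n in ise_nodes:
        if {"Monitoring", "Policy Service"} <= set(n.personas):
            warnings.append(f"{n.name}: Monitoring and Policy Service on one node is not recommended")
    return errors, warnings


def example_deployments():
    """Two constructed plans: a medium-sized design that passes, and one that breaks the limits."""
    good = [
        Node("pan1", personas=frozenset({"Administration", "Monitoring"}),
             roles={"Administration": "primary", "Monitoring": "secondary"}),
        Node("pan2", personas=frozenset({"Administration", "Monitoring"}),
             roles={"Administration": "secondary", "Monitoring": "primary"}),
        Node("psn1", personas=frozenset({"Policy Service"})),
        Node("psn2", personas=frozenset({"Policy Service"})),
        Node("ipn1", node_type=INLINE_POSTURE),
    ]
    bad = [
        Node("a1", personas=frozenset({"Administration"}), roles={"Administration": "primary"}),
        Node("a2", personas=frozenset({"Administration"}), roles={"Administration": "primary"}),
        Node("mnt-psn", personas=frozenset({"Monitoring", "Policy Service"})),
        Node("ipn-bad", node_type=INLINE_POSTURE, personas=frozenset({"Policy Service"})),
    ]
    return validate(good), validate(bad)


if __name__ == "__main__":
    for label, (errors, warnings) in zip(("good", "bad"), example_deployments()):
        print(label, "errors:", errors, "warnings:", warnings)
```

The second plan fails on two counts (an Inline Posture node carrying a persona, and two Administration nodes both marked primary) and draws one warning for the node that combines Monitoring with Policy Service; the first plan passes cleanly.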

Distributed Deployment Scenarios

• Small Network Deployments, page 1-5

• Medium-Sized Network Deployments, page 1-7

• Large Network Deployments, page 1-8

Small Network Deployments

The smallest Cisco ISE deployment consists of two Cisco ISE nodes as shown in Figure 1-2, with one Cisco ISE node functioning as the primary appliance in a small network.

Note Concurrent endpoints represent the total number of supported users and devices. Concurrent endpoints can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.

The primary node provides all the configuration, authentication, and policy capabilities that are required for this network model, and the secondary Cisco ISE node functions in a backup role. The secondary node supports the primary node and maintains a functioning network whenever connectivity is lost between the primary node and network appliances, network resources, or RADIUS.

Centralized authentication, authorization, and accounting (AAA) operations between clients and the primary Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node, so your secondary node is always current with the state of your primary node. In a small network deployment, this configuration model lets you configure both your primary and secondary nodes as servers on all RADIUS clients.


Figure 1-2 Small Network Deployment

As the number of devices, network resources, users, and AAA clients increases in your network environment, you should change your deployment configuration from the basic small model and use more of a split or distributed deployment model, as shown in Figure 1-3.

Figure 1-2 shows the secondary Cisco ISE node acting as a Policy Service persona performing AAA functions. The secondary Cisco ISE node could also be acting as a Monitoring or Administration persona.

Split Deployments

In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described for a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to handle the full workload if there are any problems with AAA connectivity. Neither the primary node nor the secondary node handles all AAA requests during normal network operations, because this workload is distributed between the two nodes.

The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system. In addition, splitting the load provides better load distribution while the secondary node remains fully functional during the course of normal network operations.

In split Cisco ISE deployments, each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions in the event of a failure. If you have two Cisco ISE nodes that process authentication requests and collect accounting data from AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector. Figure 1-3 shows the secondary Cisco ISE node in this role.


Figure 1-3 Split Network Deployment

In addition, the split Cisco ISE node deployment design provides an advantage because it also allows for growth, as shown in Figure 1-4.

Medium-Sized Network Deployments

As small, local networks grow, you can keep pace and manage network growth by adding Cisco ISE nodes to create a medium-sized network. In medium-sized network deployments, you can dedicate the new nodes for all AAA functions, and use the original nodes for configuration and logging functions.

As the amount of log traffic increases in a network, you can choose to dedicate one or two of the secondary Cisco ISE nodes for log collection in your network.


Figure 1-4 Medium-Sized Network Deployment

Large Network Deployments

We recommend that you use centralized logging (as shown in Figure 1-5) for large Cisco ISE networks. To use centralized logging, you must first set up a dedicated logging server that serves as a Monitoring persona (for monitoring and logging) to handle the potentially high syslog traffic that a large, busy network can generate.

Because syslog messages are generated for outbound log traffic, any RFC 3164-compliant syslog appliance can serve as the collector for outbound logging traffic. A dedicated logging server enables you to use the reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes. See “Cisco ISE Setup Program Parameters” section on page 3-7 when configuring the Cisco ISE software to support a dedicated logging server.

You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE node and a generic syslog server. Adding a generic syslog server provides a redundant backup if the Monitoring persona on the Cisco ISE node goes down.
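Because any RFC 3164-compliant syslog appliance can serve as the collector, a generic server placed beside the Monitoring node needs to parse and validate that format before it can do anything useful with the messages. The following Python is an added example, not Cisco's code: it parses the PRI, timestamp, hostname and tag of RFC 3164 lines, rejects malformed ones (an out-of-range PRI, an impossible date, no recognizable header), and summarizes what each sending node emitted so an operator can confirm every Cisco ISE node is actually reaching the backup collector. The sample lines are constructed and only imitate the shape of ISE output.

```python
"""Minimal RFC 3164 syslog parser for a generic collector that sits beside the
Monitoring node in the centralized-logging design. Added example, not Cisco's
code; the sample lines below are constructed."""
import re
from datetime import datetime

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG  (RFC 3164 section 4.1). RFC 3164 caps TAG at
# 32 characters, but real senders exceed it, so the cap is not enforced here; the
# tag simply ends at ':', '[' or whitespace.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s?(?P<msg>.*)$"
)


def parse_syslog(line, year=2017):
    """Return a dict for a well-formed RFC 3164 line, or None if the line must be rejected.
    RFC 3164 timestamps carry no year, so the collector supplies one."""
    m = _LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # facility (0-23) * 8 + severity (0-7) never exceeds 191
        return None
    try:
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    except ValueError:                  # impossible dates such as "Feb 30"
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": ts,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg").strip(),
    }


def summarize(lines):
    """Count accepted events per sending host and per severity, and keep the
    rejected lines so the operator can see what a sender is really emitting."""
    per_host, per_severity, rejected = {}, {}, []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            rejected.append(line)
            continue
        per_host[ev["host"]] = per_host.get(ev["host"], 0) + 1
        per_severity[ev["severity"]] = per_severity.get(ev["severity"], 0) + 1
    return {"per_host": per_host, "per_severity": per_severity, "rejected": rejected}


# Constructed sample input: three well-formed lines, one with an out-of-range PRI,
# and one that is not syslog at all.
SAMPLE_LINES = [
    "<134>Feb  3 12:04:05 ise-psn1 CISE_Passed_Authentications: constructed sample, user alice passed 802.1X",
    "<131>Feb  3 12:04:06 ise-psn2 CISE_Failed_Attempts: constructed sample, user bob failed MAB",
    "<13>Feb  3 12:04:07 syslog-relay1 relay[42]: constructed sample, heartbeat",
    "<300>Feb  3 12:04:08 ise-psn1 bad: PRI out of range, must be rejected",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    print(summarize(SAMPLE_LINES))
```

Run on the sample input, the summary shows one event from each of the two Policy Service nodes and the relay, and two rejected lines; a node missing from `per_host` is the first sign that its syslog target for the backup collector is misconfigured.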

In large centralized networks, you should use a load balancer (as shown in Figure 1-5), which simplifies the deployment of AAA clients. Using a load balancer requires only a single entry for the AAA servers, and the load balancer optimizes the routing of AAA requests to the available servers.

However, having only a single load balancer introduces the potential for having a single point of failure. To avoid this potential issue, deploy two load balancers to ensure a measure of redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client, and this configuration remains consistent throughout the network.


Figure 1-5 Large Network Deployment

Dispersed Network Deployments

Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus is where the primary network resides, is connected to additional LANs, ranges in size from small to large, and supports appliances and users in different geographical regions and locations.

Large remote sites can have their own AAA infrastructure (as shown in Figure 1-6) for optimal AAA performance. A centralized management model helps maintain a consistent, synchronized AAA policy. A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote location should retain its own unique network requirements.


Figure 1-6 Dispersed Deployment

Before You Plan a Network with Several Remote Sites

• Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the external database that is available for Cisco ISE to access for optimizing AAA performance.

• The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible to the AAA clients to reduce network latency effects and the potential for loss of access that is caused by WAN failures.

• Cisco ISE has console access for some functions such as backup. Consider using a terminal at each site, which allows for direct, secure console access that bypasses network access to each node.

• If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, consider using a Cisco ISE node as a backup for the local site to provide redundancy.

• Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access to the external databases.

Deployment Size and Scaling Recommendations

This section provides guidance on the size of the physical and virtual machine appliances that you need for your deployment, based on the number of endpoints that connect to your network. Table 1-1 provides guidance on the type of deployment, the number of Cisco ISE nodes, and the type of appliance (small, medium, large) that you need based on the number of endpoints that connect to your network.


Table 1-1 Cisco ISE Deployment—Size and Scaling Recommendations

| Deployment Type | Number of Nodes/Personas | Appliance Platform | Maximum Number of Dedicated Policy Service Nodes | Number of Active Endpoints |
|---|---|---|---|---|
| Small | Standalone or redundant (2) nodes with Administration, Policy Service, and Monitoring personas enabled. | Cisco ISE 3300 Series (3315, 3355, 3395) | 0 | Maximum of 2,000 endpoints |
| Small | (as above) | Cisco ISE 3415 | 0 | Maximum of 5,000 endpoints |
| Small | (as above) | Cisco ISE 3495 | 0 | Maximum of 10,000 endpoints |
| Medium | Administration and Monitoring personas on single or redundant nodes. Maximum of 2 Administration and Monitoring nodes. | Cisco ISE-3355 or Cisco SNS 3415 appliances for Administration and Monitoring personas | 5 | Maximum of 5,000 endpoints |
| Medium | (as above) | Cisco ISE 3395 or Cisco SNS 3495 appliances for Administration and Monitoring personas | 5 | Maximum of 10,000 endpoints |
| Large | Dedicated Administration node/nodes (maximum of 2 Administration nodes) and dedicated Monitoring node/nodes (maximum of 2 Monitoring nodes). | Cisco ISE 3395 appliances for Administration and Monitoring personas | 40 | Maximum of 100,000 endpoints |
| Large | (as above) | Cisco SNS 3495 appliances for Administration and Monitoring personas | 40 | Maximum of 250,000 endpoints |

Table 1-2 provides guidance on the type of appliance that you would need for a dedicated Policy Service node based on the number of active endpoints the node services.

Table 1-2 Policy Service Node Size Recommendations

| Form Factor | Platform Size | Appliance | Maximum Endpoints |
|---|---|---|---|
| Physical | Small | Cisco ISE-3315 | 3,000 |
| Physical | Small | Cisco SNS-3415 | 5,000 |
| Physical | Medium | Cisco ISE-3355 | 6,000 |
| Physical | Large | Cisco ISE-3395 | 10,000 |
| Physical | Large | Cisco SNS-3495 | 20,000 |
| Virtual Machine | Small/Medium/Large | Comparable to physical appliance | 3,000 to 20,000 |

Table 1-3 provides the maximum throughput and the maximum number of endpoints that a single Inline Posture node can support.

Inline Posture Planning Considerations

A network or system architect is responsible for researching the issues involved in Inline Posture deployment to determine what best suits network requirements.

A network or system architect must address the following basic questions when planning to deploy Inline Posture nodes:

• Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.

• What type of Inline Posture operating modes will you choose?

Caution The untrusted interface on an Inline Posture node should be disconnected when an Inline Posture node is being configured. If the trusted and untrusted interfaces are connected to the same VLAN during initial configuration, and the Inline Posture node boots up after changing persona, multicast packet traffic gets flooded out of the untrusted interface. This multicast event can potentially bring down devices that are connected to the same subnet or VLAN. The Inline Posture node at this time is in the maintenance mode.

Caution Do not change the CLI password for an Inline Posture node once it has been added to the deployment. If the password is changed, a Java exception error is displayed when you access the Inline Posture node through the Administration node, and the CLI gets locked. You need to recover the password by using the installation DVD and rebooting the Inline Posture node, or set the password back to the original one.

If you need to change the password, then deregister the Inline Posture node from the deployment, modify the password, and then add the node to the deployment with the new credentials.

Related Topics

Cisco Identity Services Engine User Guide, Release 1.2.

Table 1-3 Inline Posture Node Sizing Recommendations

| Attribute | Performance |
|---|---|
| Maximum number of endpoints per physical appliance | 5,000 to 20,000 (gated by Policy Service nodes) |
| Maximum throughput per any physical appliance | 936 Mbps |


Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

To ensure that Cisco ISE can interoperate with network switches and that functions from Cisco ISE are successful across the network segment, you must configure your network switches with certain required Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass (MAB), and other settings.

Related Topics

For more switch and wireless LAN controller configuration requirements, see Appendix C, “Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions,” in Cisco Identity Services Engine User Guide, Release 1.2.

Chapter 2

Cisco SNS-3400 Series Appliances

This chapter describes Cisco Secure Network Server (SNS) 3415 and 3495 appliances and hardware specifications.

• Cisco SNS-3400 Series Appliance Hardware Specifications, page 2-1

• Cisco SNS Support for Cisco ISE, page 2-3

Cisco SNS-3400 Series Appliance Hardware Specifications

Cisco SNS-3400 series appliance hardware consists of Cisco SNS 3415 and 3495 appliances. See the Cisco Identity Services Engine (ISE) Data Sheet for the appliance hardware specifications (Table 3).

Note Cisco ISE 1.2 supports an optional redundant power supply unit for Cisco SNS-3415-K9. The part number for the additional power supply to order is UCSC-PSU-650W=.

Cisco SNS-3400 Series Front and Rear Panels

Front Panel

Figure 2-1 shows the SNS 3415/3495 front panel.


Figure 2-1 Cisco SNS 3415/3495 Front Panel

Front panel callouts (Figure 2-1):

1 Power button/power status LED
2 Identification button LED
3 System status LED
4 Fan status LED
5 Temperature status LED
6 Power supply status LED
7 Network link activity LED
8 Asset tag (serial number)
9 Keyboard, video, mouse (KVM) connector (used with the KVM cable that provides two USBs, one Video Graphics Adapter (VGA), and one serial connector)
10 Drives (up to eight hot-swappable, 2.5-inch drives)

Rear Panel

Figure 2-2 shows the SNS 3415/3495 rear panel.

Figure 2-2 SNS 3415/3495 Rear Panel

[Figure drawings not reproduced; they label drive bays HDD1 through HDD8, PSU1, PSU2, and PCIe2, with callouts 1 through 12 for the rear panel.]


Serial Number Location

The serial number for the server is printed on a label on the top of the server, near the front.

Cisco SNS Support for Cisco ISE

The Cisco ISE software runs on a dedicated Cisco SNS-3400 series appliance or on a VMware server. Cisco ISE, Release 1.2, software does not support the installation of any other packages or applications on this dedicated platform. See Release Notes for Cisco Identity Service Engine, Release 1.2, for additional hardware and compatibility information.

Release 1.2 is also supported on Cisco ISE 3300 series, Cisco NAC 3300 series, and Cisco Secure ACS 1121 appliances. You can upgrade an existing Cisco ISE 3300 series appliance to Release 1.2. For information on Cisco ISE 3300 series appliances, see Chapter 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances.”

Rear panel callouts (Figure 2-2):

1 Power supplies (up to two)
2 Slot 2: Low-profile Peripheral Component Interconnect Express (PCIe) slot on riser (half-height, half-length, x16 connector, x16 lane width)
3 Slot 1: PCIe1 card containing 1-GB Ethernet ports (GigE2 and GigE3)
4 1-GB Ethernet port 3 (GigE2)
5 1-GB Ethernet port 4 (GigE3)
6 VGA video connector
7 Serial port (RJ-45 connector)
8 1-GB Ethernet dedicated management port used to access CIMC (labeled M)
9 1-GB Ethernet port 1 (GigE0) for Cisco ISE management communication
10 1-GB Ethernet port 2 (GigE1)
11 USB ports
12 Rear identification button

Chapter 3

Installing and Configuring a Cisco SNS-3400 Series Appliance

This chapter describes how to install and configure a Cisco Identity Services Engine (ISE) 3400 Series appliance, and contains the following topics:

• Installing the SNS-3400 Series Appliance in a Rack, page 3-1

• Downloading the Cisco ISE, Release 1.2 ISO Image, page 3-1

• Installing Release 1.2 Software on SNS-3400 Series Appliance, page 3-2

• Cisco Integrated Management Controller, page 3-3

• Configuring CIMC, page 3-3

• Creating a Bootable USB Drive, page 3-5

• Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6

• Cisco ISE Setup Program Parameters, page 3-7

• Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9

• Setup Process Verification, page 3-15

Note Review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco ISE software on a Cisco SNS-3400 series appliance. See Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6 for more information.

Installing the SNS-3400 Series Appliance in a Rack

Refer to Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a Rack,” for information on safety guidelines, site requirements, and guidelines that you must observe before installing the Cisco SNS-3400 series appliance.

Downloading the Cisco ISE, Release 1.2 ISO Image

You can download the Cisco ISE, Release 1.2 ISO image from Cisco.com.


Note For Inline Posture nodes, you must download the Inline Posture Node, Release 1.2, ISO and continue with the installation process. See Inline Posture Node Installation, page 1-4 for more information.

Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.

Step 2 Click Download Software for this Product.

The Cisco ISE, Release 1.2, software image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services when the installation and initial configuration is complete.

Installing Release 1.2 Software on SNS-3400 Series Appliance

If your SNS-3400 series appliance is running Cisco ISE, Release 1.1.x, you have the option to upgrade it to Release 1.2 using the application upgrade command. Refer to the Cisco Identity Services Engine Upgrade Guide, Release 1.2. Alternatively, you can reimage your existing SNS-3400 Series appliance to perform a fresh installation of Release 1.2 and register it to an existing deployment.

After you download the ISO image, you can install it on your SNS-3400 Series appliance in any one of the following ways:

• Install the ISO image using the CIMC Remote Management Utility. You must configure the CIMC to perform this remote installation.

1. Configure CIMC.

2. Install Cisco ISE, Release 1.2 remotely.

• Install the ISO image using a USB flash drive.

1. Create a bootable USB flash drive using the iso-to-usb.sh script.

2. Connect the USB flash device to the SNS-3400 Series appliance.

3. Install Cisco ISE, Release 1.2 using the local KVM or remotely using the CIMC KVM.

• Install the ISO using an external DVD drive with a USB port.

1. Burn the ISO image on to a DVD.

2. Connect the external USB DVD to the SNS-3400 Series appliance.

3. Install Cisco ISE, Release 1.2 using the local KVM or remotely using the CIMC KVM.

Note For installing Release 1.2 using a USB flash device or an external DVD with a USB port, CIMC configuration is optional. Choose one of these options if you do not prefer a remote installation.

Related Topics

• Configuring CIMC, page 3-3

• Creating a Bootable USB Drive, page 3-5

• Cisco ISE Setup Program Parameters, page 3-7

3-2Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01

Page 35: Cisco Identity Services Engine Hardware Installation … · iii Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 ... Installing Cisco ISE Software on a Reimaged

Chapter 3 Installing and Configuring a Cisco SNS-3400 Series Appliance Cisco Integrated Management Controller

• Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9

Cisco Integrated Management Controller

You can monitor the server and system event logs using the built-in Cisco Integrated Management Controller (CIMC) GUI or CLI interfaces. See the user documentation for your release at the following URL:

http://www.cisco.com/en/US/products/ps10739/products_installation_and_configuration_guides_list.html

Configuring CIMC

You can perform all operations on a Cisco SNS-3400 series appliance through the CIMC. To do this, you must first configure an IP address and IP gateway to access the CIMC from a web browser.

Step 1 Plug in the power cord.

Step 2 Press the Power button to boot the server. Watch for the prompt to press F8 as shown in the following figure.

Step 3 During bootup, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following screen appears.


Step 4 Set the NIC mode to specify which ports access the CIMC for server management (see Figure 2-2 on page 2-2 for identification of the ports). Cisco ISE can use up to four Gigabit Ethernet ports. Choose Dedicated NIC mode, set NIC redundancy to None as described in Step 5, and select IP settings.

– Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select NIC redundancy None and select IP settings.

– Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the factory default setting, along with active-active NIC redundancy and DHCP enabled.

– Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You must select a NIC redundancy and IP setting.

Note The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC (N2XX-ACPCI01) that is installed in PCIe slot 1. See Special Considerations for Cisco UCS Virtual Interface Cards.

Step 5 Specify the NIC redundancy setting:

– None—The Ethernet ports operate independently and do not fail over if there is a problem.

– Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.

– Active-active—All Ethernet ports are utilized simultaneously.

Step 6 Choose whether to enable DHCP for dynamic network settings or to enter static network settings.

Note Before you enable DHCP, the DHCP server must be preconfigured with the range of MAC addresses for the server. The MAC address is printed on a label on the rear of the server. This server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on the label is the beginning of the range of six contiguous MAC addresses.

Step 7 (Optional) Specify VLAN setting and set a default CIMC user password.


Note Changes to the settings take effect after approximately 45 seconds. Press F5 to refresh and wait until the new settings appear before you reboot the server in the next step.

Step 8 Press F10 to save your settings and reboot the server.

Note If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on the console screen during bootup.

What To Do Next

Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9

Creating a Bootable USB Drive

The Cisco ISE, Release 1.2, ISO image contains an “images” directory that has a Readme file and a script to create a bootable USB drive to install Cisco ISE, Release 1.2.

Before You Begin

• Ensure that you have read the Readme file in the “images” directory

• You need the following:

– Linux machine with RHEL-5.x, RHEL-6.x, CentOS-5.x, or CentOS-6.x.

If you are using a PC or Mac, ensure that you have installed a Linux virtual machine (VM) running RHEL-5.x, RHEL-6.x, CentOS-5.x, or CentOS-6.x.

– An 8-GB USB drive

– The iso-to-usb.sh script

Step 1 Plug the USB drive into the USB port.

Step 2 Unmount the USB drive from the Linux CLI or GUI without removing the USB device. From the CLI, enter the following command, where /dev/sdb is the USB device:

umount /dev/sdb

Note Do not choose the “Safely Remove Drive” or “Eject” options from the GUI.

Step 3 Copy the iso-to-usb.sh script and the Cisco ISE, Release 1.2, ISO image to a directory on the Linux machine.

Step 4 Change the permissions of the script using the chmod command.

For example, # chmod u+x iso-to-usb.sh.

Step 5 As root user, enter the following command:

iso-to-usb.sh source_iso usb_device

For example, # ./iso-to-usb.sh ise-1.2.0.434-x86_64.iso /dev/sdb where iso-to-usb.sh is the name of the script, ise-1.2.0.434-x86_64.iso is the name of the ISO image, and /dev/sdb is your USB device.


You might have to use the su command to switch to the root user account. You can also use the sudo command to execute the script with root permissions.

Step 6 Enter a value for the appliance that you want to install the image on.

Step 7 Enter Y to continue.

Step 8 A success message appears.

Step 9 Unplug the USB drive.
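As an added example (not Cisco's iso-to-usb.sh and not code from this guide), the following Python pre-flight check covers the two conditions Steps 2 and 5 depend on before the script touches the device: the target must be unmounted and the command must run as root. It also refuses a device that carries the Linux machine's own root or /boot filesystem, which is the mistake that makes a wrong device name destructive. The /proc/mounts sample and all function names are constructed for this example.

```python
"""Pre-flight checks before running iso-to-usb.sh (added example, not Cisco's script)."""
import os
import re

# Constructed sample of /proc/mounts: sda holds the system, sdb1 is an auto-mounted USB stick.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /boot ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""


def mounted_on(device, mounts_text):
    """Mount points whose source is `device` or one of its partitions (/dev/sdb, /dev/sdb1, ...)."""
    pattern = re.compile(r"^" + re.escape(device) + r"p?\d*$")
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and pattern.match(fields[0]):
            points.append(fields[1])
    return points


def usb_target_problems(iso_path, device, mounts_text, euid):
    """Return reasons not to run `iso-to-usb.sh iso_path device` yet; an empty list means go."""
    problems = []
    if euid != 0:                                   # Step 5: the script runs as root (su or sudo)
        problems.append("run as root (su) or via sudo")
    if not device.startswith("/dev/"):
        problems.append(f"{device}: expected a device node such as /dev/sdb")
    points = mounted_on(device, mounts_text)
    if "/" in points or "/boot" in points:          # never write the image over the system disk
        problems.append(f"{device}: holds the system root/boot filesystem, refusing")
    elif points:                                    # Step 2: the stick must be unmounted first
        problems.append(f"{device}: still mounted at {', '.join(points)}; run umount first")
    if not iso_path.endswith(".iso"):
        problems.append(f"{iso_path}: does not look like the Cisco ISE ISO image")
    return problems


def iso_to_usb_command(iso_path, device):
    """The argv that Step 5 of the guide runs once the checks pass."""
    return ["./iso-to-usb.sh", iso_path, device]


if __name__ == "__main__":
    with open("/proc/mounts") as mounts:            # live check on the Linux machine
        blockers = usb_target_problems("ise-1.2.0.434-x86_64.iso", "/dev/sdb",
                                       mounts.read(), os.geteuid())
    for reason in blockers:
        print("blocked:", reason)
    if not blockers:
        print("ready to run:", " ".join(iso_to_usb_command("ise-1.2.0.434-x86_64.iso", "/dev/sdb")))
```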

What To Do Next

Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9

Prerequisites for Configuring a Cisco SNS-3400 Series Appliance

Cisco SNS-3400 series appliances are preinstalled with the Cisco Application Deployment Engine, Release 2.0.5, operating system (ADE-OS) and the Cisco ISE, Release 1.2, software.

Make sure that you identify all of the following configuration settings for each node in your deployment before proceeding:

• Hostname

• IP address for the Gigabit Ethernet 0 (eth0) interface

• Netmask

• Default gateway

• Domain Name System (DNS) domain

• Primary name server

• Primary Network Time Protocol (NTP) server

• System time zone

• Username (username for CLI-admin user)

• Password (password for CLI-admin user)

For details about the differences between the CLI-admin user and web-based admin user rights, see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.

If you are installing Cisco ISE on an SNS-3400 series appliance, download the Cisco ISE, Release 1.2, ISO image, and use any one of the following options to configure the Cisco ISE, Release 1.2, software on the appliance:

• Configure the Cisco Integrated Management Controller (CIMC) and use it to install Cisco ISE, Release 1.2. See Configuring CIMC, page 3-3.

• Create a bootable USB Drive and use it to install Cisco ISE, Release 1.2. See Creating a Bootable USB Drive, page 3-5.


Note In case you have purposefully deleted the RAID configuration on the Cisco SNS-3400 series appliance, you must reinstall Cisco ISE, Release 1.2, using CIMC or the USB bootable drive. While using the USB bootable drive to reinstall Cisco ISE, you must manually configure RAID using the webBIOS. For more information on installing Cisco ISE using CIMC, see Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9. For more information on using the USB bootable drive to install Cisco ISE, see Creating a Bootable USB Drive, page 3-5.

If you are installing Cisco ISE on Cisco ISE-3300 series, Cisco Secure ACS, or Cisco NAC appliances, download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install Cisco ISE, Release 1.2. See Appendix 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances,” for the supported Cisco Secure ACS and Cisco NAC platforms.

Cisco ISE Setup Program Parameters

When the Cisco ISE software configuration begins, an interactive CLI prompts you to enter the required parameters to configure the system (see Table 3-1).

Ensure that the DNS and NTP servers are reachable after you run Setup and whenever a Cisco ISE node reboots in the deployment.

Note If you are installing Cisco ISE software on a VMware server, Cisco ISE also installs and configures VMware Tools, Version 8.3.2, during the initial setup. To verify the installation, see Verifying the Installation of VMware Tools, page 7-6.

Table 3-1 Cisco ISE Setup Program Parameters

Prompt: Hostname
Description: Must not exceed 15 characters. Valid characters include alphanumerical (A–Z, a–z, 0–9), and the hyphen (-). The first character must be a letter.
Note: We recommend that you use lowercase letters to ensure that certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verifications. You cannot use “localhost” as the hostname for a node.
Example: isebeta1

Prompt: (eth0) Ethernet interface address
Description: Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.
Example: 10.12.13.14

Prompt: Netmask
Description: Must be a valid IPv4 netmask.
Example: 255.255.255.0

Prompt: Default gateway
Description: Must be a valid IPv4 address for the default gateway.
Example: 10.12.13.1

Prompt: DNS domain name
Description: Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.).
Example: example.com

Prompt: Primary name server
Description: Must be a valid IPv4 address for the primary name server.
Example: 10.15.20.25

Prompt: Add/Edit another name server
Description: Must be a valid IPv4 address for an additional name server. (Optional) Allows you to configure multiple name servers. To do so, enter y to continue.

Prompt: Primary NTP server
Description: Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server.
Example: clock.nist.gov

Prompt: Add/Edit another NTP server
Description: Must be a valid NTP domain. (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

Prompt: System Time Zone
Description: Must be a valid time zone. For details, see Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or Coordinated Universal Time (UTC) minus 8 hours). The time zones referenced in the CLI Reference Guide are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.
Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.
Example: UTC (default)

Prompt: Username
Description: Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and be composed of valid alphanumeric characters (A–Z, a–z, or 0–9).
Example: admin (default)

Prompt: Password
Description: Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password because there is no default. The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9).
Example: MyIseYPass2

Note For details about the web-based administrator username and password, see Verifying a Configuration Using a Web Browser, page 7-4.
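The settings listed under Prerequisites for Configuring a Cisco SNS-3400 Series Appliance can be checked against the Table 3-1 rules before the interactive setup runs. The following Python validator is an added example, not Cisco's code: it encodes the table's syntax rules (hostname, username and password, IPv4 addresses and netmask, DNS and NTP names, time zone shape) and adds one check the sample transcript motivates, that the default gateway lies on the eth0 subnet, because setup pings the gateway. The parameter-sheet keys are this example's own, and the time zone check only tests the POSIX or System V shape; the authoritative list comes from show timezones.

```python
"""Validator for a Cisco ISE, Release 1.2, setup parameter sheet (added example, not Cisco's code)."""
import ipaddress
import re

# Table 3-1 syntax rules as regular expressions.
HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,14}$")        # <= 15 chars, letter first
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")                   # 3 to 8 alphanumerics
DNS_NAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")    # DNS domain or NTP hostname
POSIX_TZ_RE = re.compile(r"^[A-Za-z_]+(/[A-Za-z0-9_+-]+){1,2}$")   # e.g. America/Los_Angeles
SYSV_TZ_RE = re.compile(r"^[A-Za-z]+([+-]?\d{1,2}[A-Za-z]*)?$")    # e.g. PST8PDT, UTC, GMT-0


def is_ipv4(value):
    """True for a syntactically valid dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_netmask(value):
    """True only for a contiguous IPv4 mask such as 255.255.255.0 (rejects 255.0.255.0)."""
    if not is_ipv4(value):
        return False
    host_bits = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def password_problems(pw):
    """Table 3-1 password rule: at least 6 characters, one lowercase, one uppercase, one numeral."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no numeral")
    return problems


def validate_setup_params(p):
    """Return 'field: problem' strings (plus the lowercase-hostname recommendation); empty means OK."""
    errs = []
    host = p.get("hostname", "")
    if not HOSTNAME_RE.match(host):
        errs.append("hostname: 1-15 letters, digits or hyphens, starting with a letter")
    elif host.lower() == "localhost":
        errs.append("hostname: 'localhost' cannot be used")
    elif host != host.lower():
        errs.append("hostname: lowercase is recommended (certificate-driven verification)")
    for field in ("ip_address", "default_gateway", "primary_name_server"):
        if not is_ipv4(p.get(field, "")):
            errs.append(f"{field}: not a valid IPv4 address")
    if not is_netmask(p.get("netmask", "")):
        errs.append("netmask: not a valid IPv4 netmask")
    # Added check: setup pings the gateway, so it has to be reachable on the eth0 subnet.
    if (is_ipv4(p.get("ip_address", "")) and is_netmask(p.get("netmask", ""))
            and is_ipv4(p.get("default_gateway", ""))):
        subnet = ipaddress.IPv4Network(f"{p['ip_address']}/{p['netmask']}", strict=False)
        if ipaddress.IPv4Address(p["default_gateway"]) not in subnet:
            errs.append(f"default_gateway: not on the eth0 subnet {subnet}")
    domain = p.get("dns_domain", "")
    if is_ipv4(domain) or not DNS_NAME_RE.match(domain):
        errs.append("dns_domain: must be a DNS name, not an IP address")
    ntp = p.get("primary_ntp_server", "")
    if not (is_ipv4(ntp) or DNS_NAME_RE.match(ntp)):
        errs.append("primary_ntp_server: must be an IPv4 address or a hostname")
    tz = p.get("time_zone", "")
    if not (POSIX_TZ_RE.match(tz) or SYSV_TZ_RE.match(tz)):
        errs.append("time_zone: expected Region/City (POSIX) or PST8PDT (System V) form")
    if not USERNAME_RE.match(p.get("username", "")):
        errs.append("username: 3 to 8 alphanumeric characters")
    errs.extend(f"password: {why}" for why in password_problems(p.get("password", "")))
    return errs


# Constructed parameter sheet built from the example column of Table 3-1.
TABLE_3_1_EXAMPLE = {
    "hostname": "isebeta1",
    "ip_address": "10.12.13.14",
    "netmask": "255.255.255.0",
    "default_gateway": "10.12.13.1",
    "dns_domain": "example.com",
    "primary_name_server": "10.15.20.25",
    "primary_ntp_server": "clock.nist.gov",
    "time_zone": "UTC",
    "username": "admin",
    "password": "MyIseYPass2",
}

if __name__ == "__main__":
    for line in validate_setup_params(TABLE_3_1_EXAMPLE) or ["parameter sheet passes"]:
        print(line)
```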


Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance

After you configure the CIMC for your appliance, you can use it to manage a Cisco SNS-3400 series appliance. You can perform all operations including BIOS configuration through the CIMC.

Note To configure VMware servers, see Configuring a VMware System to Boot From a Cisco ISE Software DVD, page 4-17.

Before You Begin

• Ensure that you have configured the CIMC on your appliance. See Configuring CIMC, page 3-3 for more information.

• Ensure that you have properly installed, connected, and powered up the supported appliance by following the recommended procedures. See Connecting and Powering On the Server, page A-7 and Checking the LEDs, page A-8.

• Ensure that you have the Cisco ISE, Release 1.2, ISO image on the client machine from which you are accessing the CIMC or you have a bootable USB with the image for installation. See Creating a Bootable USB Drive, page 3-5.

• Cisco ISE appliances track time internally using UTC time zones. If you do not know your specific time zone, you can enter one based on the city, region, or country where the Cisco ISE appliance is located. See Table 3-2, Table 3-3, and Table 3-4 for sample time zones. We recommend that you configure the preferred time zone (the default is UTC) during installation when the setup program prompts you to configure the setting.

Step 1 Connect to the CIMC for server management. Connect the Ethernet cables from the LAN to the server using the ports selected by the Network Interface Card (NIC) Mode setting. The active-active and active-standby NIC redundancy settings require you to connect two ports.

Step 2 Use a browser and the IP address of the CIMC to log in to the CIMC Setup Utility. The IP address is based on the CIMC configuration that you made (either a static address or the address assigned by the Dynamic Host Configuration Protocol (DHCP) server).

Note The default username for the server is admin. The default password is password.

Step 3 Click Launch KVM Console.

Step 4 Use your CIMC credentials to log in.

Step 5 Click the Virtual Media tab.

Step 6 Click Add Image to choose the Cisco ISE, Release 1.2, ISO image from the system running your client browser.

Step 7 Check the Mapped check box against the virtual CD/DVD drive that you have created.

Step 8 Click the KVM tab.

Step 9 Choose Macros > Ctrl-Alt-Del to boot the SNS-3400 series appliance using the ISO image. A screen similar to the one shown in the following figure appears.


Step 10 Press F6 to bring up the boot menu. A screen similar to the following one appears.

Step 11 Choose the CD/DVD that you mapped and press Enter. A screen similar to the following one appears.


Step 12 At the boot prompt, enter 1 and press Enter.

**********************************************

Please type 'setup' to configure the appliance

**********************************************

Step 13 At the prompt, type setup to start the setup program. You are prompted to enter networking parameters and credentials. The following illustrates a sample setup program and default prompts:

Enter hostname[]: ise-server-1
Enter IP address[]: 10.1.1.10
Enter Netmask[]: 255.255.255.0
Enter IP default gateway[]: 172.10.10.10
Enter default DNS domain[]: cisco.com
Enter Primary nameserver[]: 200.150.200.150
Add/Edit another nameserver? Y/N: n
Enter primary NTP domain[]: clock.cisco.com
Add/Edit another NTP domain? Y/N: n
Enable SSH?: Y/N
Enter system time zone[]: UTC
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Virtual machine detected, configuring VMware tools...
Appliance is configured
Installing applications...
Installing ISE...
Application bundle (ise) installed successfully

===Initial Setup for Application: ise===

Welcome to the ISE initial setup. The purpose of this setup is to provision the internal ISE database. This setup is non-interactive, and will take roughly 15 minutes to complete.


Running database cloning script...
Running database network config assistant tool...
Extracting ISE database contents...
Starting ISE database processes...

...

Note If you install the Inline Posture node, Release 1.2, ISO image, an “Installing ISE-IPEP” message appears instead, followed by an “Application bundle (ISE-IPEP) installed successfully” message.

Note A “Virtual machine detected, configuring VMware tools...” message appears only if Cisco ISE is installed on a virtual machine.

After the Cisco ISE or Inline Posture node software is configured, the Cisco ISE system reboots automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you configured during setup.

Step 14 If you installed the Inline Posture node ISO image, go to Configuring Certificates for Inline Posture Nodes, page E-34.

Step 15 If you installed the Cisco ISE, Release 1.2, ISO image, log in to the Cisco ISE CLI shell, and run the following CLI command to check the status of the Cisco ISE application processes:

ise-server/admin# show application status ise

ISE Database listener is running, PID: 4845

ISE Database is running, number of processes: 27

ISE Application Server is running, PID: 6344

ISE M&T Session Database is running, PID: 4502

ISE M&T Log Collector is running, PID: 6652

ISE M&T Log Processor is running, PID: 6738

ISE M&T Alert Process is running, PID: 6542

ise-server/admin#

Step 16 After you confirm that the Cisco ISE Application Server is running, you can log in to the Cisco ISE user interface by using one of the supported web browsers. (See Accessing Cisco ISE Using a Web Browser, page 7-1.)

To log in to the Cisco ISE user interface using a web browser, enter https://<your-ise-hostname or IP address>/admin/ in the Address field.

Here “your-ise-hostname or IP address” represents the hostname or IP address that you configured for the Cisco SNS-3400 series appliance during setup.

Step 17 At the Cisco ISE Login window, you are prompted to enter the web-based admin login credentials (username and password) to access the Cisco ISE user interface. You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process.

After you log in to the Cisco ISE user interface, you can then configure your devices, user stores, policies, and other components.


The username and password credentials that you use for web-based access to the Cisco ISE user interface are not the same as the CLI-admin user credentials that you created during the setup for accessing the Cisco ISE CLI interface. For an explanation of the differences between these two types of admin users, see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.

Caution Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.1.2.

Supported Time Zones

This section provides three tables of common time zones, expressed relative to Coordinated Universal Time (UTC), for Europe, the United States and Canada, Australia, and Asia.

Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with regard to the time stamps.

The format for time zones is POSIX or System V. POSIX time zone format syntax looks like America/Los_Angeles, and System V time zone syntax looks like PST8PDT.

• For time zones in Europe, the United States, and Canada, see Table 3-2.

• For time zones in Australia, see Table 3-3.

• For time zones in Asia, see Table 3-4.

Table 3-2 Europe, United States, and Canada Time Zones

Acronym or Name: Time Zone Name

Europe

GMT, GMT0, GMT-0, GMT+0, UTC, Greenwich, Universal, Zulu: Greenwich Mean Time, as UTC

GB: British

GB-Eire, Eire: Irish

WET: Western Europe Time, as UTC

CET: Central Europe Time, as UTC plus 1 hour

EET: Eastern Europe Time, as UTC plus 2 hours

United States and Canada

EST, EST5EDT: Eastern Standard Time, as UTC minus 5 hours

CST, CST6CDT: Central Standard Time, as UTC minus 6 hours

MST, MST7MDT: Mountain Standard Time, as UTC minus 7 hours

PST, PST8PDT: Pacific Standard Time, as UTC minus 8 hours

HST: Hawaiian Standard Time, as UTC minus 10 hours

Note The Cisco ISE CLI show timezones command displays a list of all time zones available to you. Choose the most appropriate one for your network location.

Table 3-3 Australia Time Zones

Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.

Australia: ACT (Australian Capital Territory), Adelaide, Brisbane, Broken_Hill, Canberra, Currie, Darwin, Hobart, Lord_Howe, Lindeman, LHI (Lord Howe Island), Melbourne, North, NSW (New South Wales), Perth, Queensland, South, Sydney, Tasmania, Victoria, West, Yancowinna

Table 3-4 Asia Time Zones

The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia. Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.

Asia: Aden, Almaty, Amman, Anadyr, Aqtau, Aqtobe, Ashgabat, Ashkhabad, Baghdad, Bahrain, Baku, Bangkok, Beirut, Bishkek, Brunei, Kolkata, Choibalsan, Chongqing, Colombo, Damascus, Dhaka, Dili, Dubai, Dushanbe, Gaza, Harbin, Hong_Kong, Hovd, Irkutsk, Istanbul, Jakarta, Jayapura, Jerusalem, Kabul, Kamchatka, Karachi, Kashgar, Katmandu, Kuala_Lumpur, Kuching, Kuwait, Krasnoyarsk

Setup Process Verification

To verify that you have correctly completed the initial setup process, use one of the following two methods to log in to the Cisco ISE appliance:

• Web browser

• Cisco ISE CLI

After you log in to the Cisco ISE user interface, you should perform the following tasks:

• “Installing a License” section on page 7-3

• “Configuring the Cisco ISE System” section on page 7-10


Chapter 4

Installing Release 1.2 Software on a VMware Virtual Machine

This chapter describes the system requirements for installing the Cisco Identity Services Engine (ISE), Release 1.2 software on a VMware virtual machine (VM). The following topics provide information about the installation process:

• Supported VMware Versions, page 4-1

• Support for VMware vMotion in Release 1.2, page 4-2

• Virtual Machine Requirements, page 4-2

• Evaluating Release 1.2, page 4-5

• Configuring a VMware ESX or ESXi Server, page 4-5

• Preparing a VMware System for Cisco ISE Software Installation, page 4-17

• Installing Cisco ISE Software on a VMware System, page 4-19

• Connecting to a Cisco ISE VMware Server Using the Serial Console, page 4-21

• Cloning a Cisco ISE Virtual Machine, page 4-24

Note The Inline Posture node is supported only on Cisco SNS-3415 and Cisco ISE 3300 series appliances. It is not supported on Cisco SNS-3495 series or VMware server systems. All the other designated roles are supported for use on VMware virtual machines.

Supported VMware Versions

Cisco ISE supports the following VMware servers and clients:

• VMware Elastic Sky X (ESX), version 4.0, 4.0.1, and 4.1

• VMware ESXi, version 4.x and 5.x

• VMware vSphere Client 4.x and 5.x

Note Cisco ISE, Release 1.2, supports the VMware vMotion feature (live migration of virtual machines from one server to another).


Support for VMware vMotion in Release 1.2

Cisco ISE, Release 1.2, supports the VMware vMotion feature that allows you to migrate live virtual machine (VM) instances (running any persona) between hosts. For the VMware vMotion feature to be functional, the following conditions must be met:

• Shared storage—The storage for the VM must reside on a storage area network (SAN), and the SAN must be accessible by all the VMware hosts that can host the VM being moved.

• VMFS volume sharing—The VMware host must use shared virtual machine file system (VMFS) volumes.

• Gigabit Ethernet interconnectivity—The SAN and the VMware hosts must be interconnected with Gigabit Ethernet links.

• Processor compatibility—A compatible set of processors must be used. Processors must be from the same vendor and processor family for vMotion compatibility.

Virtual Machine Requirements

Table 4-1 lists the minimum system requirements to install Cisco ISE, Release 1.2, software on a VMware virtual machine and support 100 endpoints.

To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the VMware virtual machine should be allocated system resources equivalent to the Cisco SNS 3415 and 3495 appliances. Refer to the Deployment Size and Scaling Recommendations, page 1-10 and VMware Appliance Size Recommendations, page 4-3 for details.

Table 4-1 Minimum VMware System Requirements

Requirement Type: Minimum Requirements

CPU: Single Quad-Core; 2.0 GHz or faster

Memory: 4 to 32 GB RAM

Hard disks: 200 GB to 2 TB of disk storage (size depends on deployment and tasks). Refer to Table 4-3 for more details.
We recommend that your VM host server use hard disks with a minimum speed of 10,000 RPM. The Cisco ISE VM requires a minimum write bandwidth of 50 MB per second. This write bandwidth can be easily achieved if the hosting environment uses 10,000 RPM disks.
Note When you create the Virtual Machine for Cisco ISE, use a single virtual disk that meets the storage requirement. If you use more than one disk to meet the disk space requirement, the installer may not recognize all the disk space.

Storage:
• File System—VMFS
We recommend that you use VMFS for storage. Other storage protocols are not tested and might result in some file system errors.
• Internal Storage—SCSI/SAS
• External Storage—iSCSI/SAN
We do not recommend the use of NFS storage.

Disk controller: SCSI controller

NIC: 1 GB NIC interface required (two or more NICs are recommended)
Note When creating network connections for any NICs that you configure, we recommend that you select E1000 from the Adapter drop-down list. Cisco ISE, Release 1.2, supports the E1000 and VMXNET3 adapters for all NICs. It does not support any other virtual NIC drivers. See Step 10 in Configuring a VMware Server, page 4-9.

Hypervisor: See Supported VMware Versions, page 4-1.

VMware Appliance Size Recommendations

The VMware appliance specification should be comparable with the physical appliances. Table 4-2 lists the recommended VMware specification for the physical appliances in a production environment.

Cisco ISE, Release 1.2 can be installed on virtual machines based on legacy appliance specifications, but for better performance, we recommend that you deploy new virtual machines based on the SNS-3400 series appliance specifications.

Table 4-2 VMware Appliance Specifications for a Production Environment

Processor (see note 1)
SNS-3415: Single socket Intel E5-2609 2.4 GHz CPU, 4 total cores
SNS-3495: Dual socket Intel E5-2609 2.4 GHz CPU, 8 total cores

Memory
SNS-3415: 16 GB
SNS-3495: 32 GB

Total Disk Space (see note 2)
SNS-3415: 600 GB
SNS-3495: 600 GB

Ethernet NICs (see note 3)
SNS-3415: 4 x Integrated Gigabit NICs
SNS-3495: 4 x Integrated Gigabit NICs

1. Virtual machine resources should be dedicated. The VM resources should not be shared or oversubscribed across multiple VMs.

2. Policy Service nodes on virtual machines can be deployed with less disk space than Administration or Monitoring nodes. It is recommended to have 150 to 200 GB of disk space for Policy Service nodes. Refer to “Recommended VMware Disk Space” for information on the amount of disk space required for the various personas.

3. Virtual machines can be configured with 1 to 4 NICs. The recommendation is to allow for 2 or more NICs. Additional interfaces can be used to support various services such as profiling or RADIUS. Refer to Appendix C, “Cisco SNS-3400 Series Appliance Ports Reference” for details about the services that are supported on each of the ports.


Disk Space Requirements

Table 4-3 lists the Cisco ISE disk-space allocation recommended for running a VMware server in a production deployment. Use the supported VMware ESX and ESXi server versions listed in Table 4-1 for running the Cisco ISE software.

Cisco ISE must be installed on a single disk in VMware.

Note You can allocate only up to 2 TB of disk space for a Cisco ISE, Release 1.2, virtual machine (VM).

On any node that has the Monitoring persona enabled, 30 percent of the VM disk space is allocated for log storage. A deployment with 25,000 endpoints generates approximately 1 GB of logs per day.

For example, if you have a Monitoring node with 600-GB VM disk space, 180 GB is allocated for log storage. If 100,000 endpoints connect to this network every day, it generates approximately 4 GB of logs per day. In this case, you can store 38 days of logs in the Monitoring node, after which you must transfer the old data to a repository and purge it from the Monitoring database.

For extra log storage, you can increase the VM disk space. For every 100 GB of disk space that you add, you get 30 GB more for log storage. Depending on your requirements, you can increase the VM disk size up to a maximum of 2 TB or 614 GB of log storage.

If you increase the disk size of your virtual machine, you must not upgrade to Cisco ISE 1.2, but instead do a fresh installation of Cisco ISE 1.2 on your virtual machine.

Table 4-4 provides the number of days that logs can be retained on your Monitoring node based on the disk space allotted to it and the number of endpoints that connect to your network.
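The log-storage arithmetic above (30 percent of the VM disk reserved for logs, roughly 1 GB of logs per day for every 25,000 endpoints, and 30 GB of additional log storage for every 100 GB of disk added) as a small planning helper. This is an added example, not part of the Cisco guide. With the rounded 1 GB rate, the 600 GB, 100,000-endpoint case comes out at 45 days rather than the 38 days quoted in the text and in Table 4-4, because the table was derived from a slightly higher per-endpoint rate; `rate_from_observation` backs that rate out of one known figure (a table cell, or better, the daily log volume measured on your own Monitoring node), after which the other table cells are reproduced to within about a day. Function and parameter names are this example's own.

```python
"""Log-retention planning for a Cisco ISE 1.2 Monitoring node.

Added example; it is not part of the Cisco guide. It encodes the rules of thumb
stated in the text: 30 percent of the VM disk is reserved for log storage, and a
deployment generates roughly 1 GB of logs per day for every 25,000 endpoints.
The optional `gb_per_25k` parameter lets you calibrate against a measured daily
volume or a known Table 4-4 cell instead of the rounded default.
"""
import math

LOG_SHARE = 0.30            # fraction of VM disk reserved for logs (Monitoring persona)
DEFAULT_GB_PER_25K = 1.0    # "approximately 1 GB of logs per day" per 25,000 endpoints
MIN_MONITORING_DISK_GB = 200
MAX_VM_DISK_GB = 2048       # the guide's 2 TB ceiling for an ISE 1.2 VM


def log_storage_gb(vm_disk_gb):
    """Disk reserved for logs on a Monitoring node of the given size."""
    if not MIN_MONITORING_DISK_GB <= vm_disk_gb <= MAX_VM_DISK_GB:
        raise ValueError("Monitoring node disk must be between 200 GB and 2 TB")
    return vm_disk_gb * LOG_SHARE


def daily_log_gb(endpoints, gb_per_25k=DEFAULT_GB_PER_25K):
    """Estimated log volume per day for the given endpoint count."""
    if endpoints <= 0:
        raise ValueError("endpoint count must be positive")
    return endpoints / 25_000 * gb_per_25k


def retention_days(vm_disk_gb, endpoints, gb_per_25k=DEFAULT_GB_PER_25K):
    """Days of logs the node holds before old data must be archived and purged."""
    return round(log_storage_gb(vm_disk_gb) / daily_log_gb(endpoints, gb_per_25k))


def rate_from_observation(endpoints, vm_disk_gb, observed_days):
    """Back out the per-25,000-endpoint daily rate from a known retention figure.

    Use a measured value from your own deployment or a cell of Table 4-4, for
    example 10,000 endpoints on a 200 GB node lasting 126 days.
    """
    per_day = log_storage_gb(vm_disk_gb) / observed_days
    return per_day / (endpoints / 25_000)


def disk_for_retention(endpoints, days, gb_per_25k=DEFAULT_GB_PER_25K):
    """Smallest VM disk (GB, in 100 GB steps) that keeps `days` of logs, or None if over 2 TB.

    The guide adds 30 GB of log storage per 100 GB of disk, which is the same
    30 percent share applied in 100 GB steps.
    """
    log_gb_needed = daily_log_gb(endpoints, gb_per_25k) * days
    disk_gb = max(MIN_MONITORING_DISK_GB, math.ceil(log_gb_needed / LOG_SHARE / 100) * 100)
    return disk_gb if disk_gb <= MAX_VM_DISK_GB else None


if __name__ == "__main__":
    # Worked case from the text: 600 GB Monitoring node, 100,000 endpoints.
    print(retention_days(600, 100_000))                 # rounded rule of thumb: 45
    rate = rate_from_observation(10_000, 200, 126)      # calibrate on one Table 4-4 cell
    print(retention_days(600, 100_000, rate))           # 38, matching the text and the table
    print(disk_for_retention(100_000, 90, rate))        # 1500 (GB) for 90 days of logs
```

The retention figure decides how often old data must be exported to a repository and purged from the Monitoring database; size the disk for the retention you need for incident investigation rather than for the minimum the installer accepts.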

Table 4-3 Recommended VMware Disk Space

ISE Persona                                                        Minimum Disk Space    Maximum Disk Space    Recommended Disk Space for Production

Standalone ISE                                                     200 GB                2 TB                  600 GB to 2 TB (1)

Distributed ISE — Administration only (2)                          200 GB                2 TB                  250 to 300 GB

Distributed ISE — Monitoring only                                  200 GB                2 TB                  600 GB to 2 TB (1)

Distributed ISE — Policy Service only (2)                          100 GB                2 TB                  150 to 200 GB

Distributed ISE — Administration and Monitoring                    200 GB                2 TB                  600 GB to 2 TB (1)

Distributed ISE — Administration, Monitoring, and Policy Service   200 GB                2 TB                  600 GB to 2 TB

1. Disk allocation varies based on logging retention requirements. See Table 4-4 for details.

2. Additional disk space may be allocated to support local logging, and to store the backup and upgrade files on the local disk.

Table 4-4 Days that Logs can be Stored in a Monitoring Node (1)

No. of Endpoints    200 GB    400 GB    600 GB    1024 GB    2048 GB
10,000              126       252       378       645        1,289
20,000              63        126       189       323        645
30,000              42        84        126       215        430
40,000              32        63        95        162        323
50,000              26        51        76        129        258
100,000             13        26        38        65         129
150,000             9         17        26        43         86
200,000             7         13        19        33         65
250,000             6         11        16        26         52

1. Numbers are based on having log suppression and anomalous client detection enabled.

Evaluating Release 1.2

For evaluation purposes, Cisco ISE, Release 1.2, can be installed on any supported VMware virtual machines (VMs) that comply with the requirements shown in Table 4-1. When evaluating Release 1.2, you can configure less disk space in the VM, but you still are required to allocate a minimum disk space of 100 GB.

Note You cannot migrate data to a production VM from a VM created with less than 200 GB of disk space. You can migrate data only from VMs created with 200 GB or more disk space to a production environment.

To obtain the Cisco ISE, Release 1.2 evaluation software (R-ISE-EVAL-K9=), contact your Cisco Account Team or your Authorized Cisco Channel Partner.

To migrate a Cisco ISE configuration from an evaluation system to a fully licensed production system, you need to complete the following tasks:

• Back up the configuration of the evaluation version.

• Ensure that your production VM has the required amount of disk space. Refer to Deployment Size and Scaling Recommendations, page 1-10 for details.

• Install a production deployment license.

• Restore the configuration to the production system.

Note For evaluation, the minimum allocation requirements for a hard disk on a VMware server that supports 100 users is 100 GB. When you move the VMware server to a production environment that supports a larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum disk size that is listed in Table 4-3 or higher (up to the allowed maximum of 2 TB).

Configuring a VMware ESX or ESXi Server

This section describes how to configure a VMware ESX or ESXi server on a VMware virtual machine.


To perform the following procedures, you must log in to the ESXi server as a user with administrative privileges (root user). The values that are provided in the following procedures and illustrations are examples only. Actual values depend on your deployment requirements.

Before You Begin

Before you configure a VMware ESX or ESXi server, read the following:

• Cisco ISE, Release 1.2, is a 64-bit system. Before you install a 64-bit system, ensure that Virtualization Technology (VT) is enabled on the ESX/ESXi server. Also, ensure that the virtual machine’s guest operating system is set to 64 bits. See Enabling Virtualization Technology on an ESX or ESXi Server, page 4-7 for more information. For information on hardware and firmware requirements to support 64-bit, guest-operating systems, refer to the following VMware Knowledge Base:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1011712

• You must also ensure that your guest operating system type is set to Red Hat Enterprise Linux 5 (64-bit). Refer to http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005870 for information on how to set your guest operating system type.

• For Red Hat Enterprise Linux 5, the default NIC type is E1000. We recommend that you choose E1000 Adapter. Cisco ISE also supports VMXNET3 Adapter. You can add up to four NICs for your Cisco ISE virtual machine, but ensure that you choose the same Adapter for all the NICs. Cisco ISE, Release 1.2, does not support the VMXNET2 Adapter.

• Ensure that you allocate the recommended amount of disk space on the VMware virtual machine. See Table 4-3 on page 4-4 for more details.

• If you have not created a VMware virtual machine file system (VMFS), you must create one to support the Cisco ISE virtual appliance. The VMFS is set for each of the storage volumes configured on the VMware host.

– If you use VMFS5, the 1-MB block size supports up to 2 TB virtual disk size.

– If you use VMFS3, you must choose a VMFS block size based on the largest virtual-disk size hosted on the VMware host. After you configure the VMFS block size, you cannot change it without reformatting the VMFS partitions. For VMFS3, the VMFS block size should be based on the size of the largest virtual disk, as shown in Table 4-5.

Table 4-5 VMFS Block Size

Block Size    Virtual Disk Size

1 MB          256 GB

2 MB          512 GB

4 MB          1 TB

8 MB          2 TB

• Do not choose VMware thin provisioning as a storage type. This release of the Cisco ISE software does not support using VMware thin provisioning as a storage type on any of the supported VMware servers. Thin provisioning is not a default setting and Cisco advises against selecting it in Step 13 (as shown in Figure 4-13).

• If you are enabling the Profiler service, ensure that you have read and performed the tasks described in Configuring VMware Server Interfaces for the Cisco ISE Profiler Service, page 4-8.


Enabling Virtualization Technology on an ESX or ESXi Server

Cisco ISE, Release 1.2, is a 64-bit system, and supports VMware ESX versions 4.0, 4.0.1, and 4.1, and ESXi versions 4.x and 5.x. These ESX and ESXi versions can be installed only on 64-bit hardware. Therefore, you can reuse the same hardware that you used for hosting a Cisco ISE, Release 1.1.x, virtual machine with Release 1.2. However, before you install Release 1.2, you must enable Virtualization Technology (VT) on the ESX or ESXi server.

If you have an ESX or ESXi server installed already, you can check if VT is enabled on it without rebooting the machine. To do this, use the esxcfg-info command. Here is an example:

~ # esxcfg-info | grep "HV Support"
|----HV Support............................................3
|----World Command Line.................................grep HV Support

If HV Support has a value of 3, then VT is enabled on the ESX or ESXi server and you can proceed with the installation. If HV Support has a value of 2, then VT is supported, but not enabled on the ESX or ESXi server. You must edit the BIOS settings and enable VT on the ESX or ESXi server. For more information about the esxcfg-info command, refer to the VMware Knowledge Base at:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1011712
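A small parser for the esxcfg-info output shown above, added here as an example and not taken from the Cisco guide. It reads the HV Support value and turns it into a pre-install decision: 3 means VT is enabled and the installation can proceed, 2 means VT is supported but must first be enabled in the BIOS. Any other value, or a missing line, is reported as unavailable so the check fails closed. The sample outputs are constructed to match the format above; function and constant names are this example's own.

```python
"""Interpret the "HV Support" line that esxcfg-info prints on an ESX/ESXi host.

Added example, not from the Cisco guide. Only the two values the guide documents
are interpreted: 3 = VT enabled, 2 = VT supported but disabled in the BIOS.
Anything else is treated as "unavailable" so a pre-install check fails closed
instead of assuming the host is ready for a 64-bit guest.
"""
import re

# Matches "|----HV Support....................3". The dotted leader separates the
# label from the value; the echoed grep command line ("...grep HV Support") has
# no leader and no digit after the label, so it does not match.
_HV_LINE = re.compile(r"HV Support\.+\s*(\d+)\s*$", re.MULTILINE)

VT_ENABLED = "enabled"                    # HV Support = 3: proceed with the installation
VT_DISABLED_IN_BIOS = "disabled-in-bios"  # HV Support = 2: enable Intel VT in the BIOS first
VT_UNAVAILABLE = "unavailable"            # anything else: do not install ISE on this host


def hv_support_value(esxcfg_output):
    """Return the integer HV Support value, or None if the line is not present."""
    match = _HV_LINE.search(esxcfg_output)
    return int(match.group(1)) if match else None


def vt_status(esxcfg_output):
    """Map the HV Support value to a decision for the ISE 1.2 pre-install check."""
    value = hv_support_value(esxcfg_output)
    if value == 3:
        return VT_ENABLED
    if value == 2:
        return VT_DISABLED_IN_BIOS
    return VT_UNAVAILABLE


# Constructed samples in the format produced by: esxcfg-info | grep "HV Support"
SAMPLE_VT_ENABLED = (
    "|----HV Support............................................3\n"
    "|----World Command Line.................................grep HV Support\n"
)
SAMPLE_VT_DISABLED = (
    "|----HV Support............................................2\n"
    "|----World Command Line.................................grep HV Support\n"
)

if __name__ == "__main__":
    for label, sample in (("enabled host", SAMPLE_VT_ENABLED), ("disabled host", SAMPLE_VT_DISABLED)):
        print(label, "->", vt_status(sample))
```

Run it against output captured from the ESX or ESXi shell before starting the installation; a result of anything but "enabled" means the 64-bit guest will not start until the BIOS setting has been changed.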

This section describes how to edit the BIOS settings and enable VT on an SNS-3400 series appliance. The instructions and illustrations in this section are examples only. The BIOS menu for your hardware might vary from what you see in this example. Refer to the following VMware Knowledge Base for enabling VT on your ESX or ESXi server:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003944

Step 1 Reboot the SNS-3400 series appliance.

Step 2 Press F2 to enter setup.

Step 3 Choose Advanced > Processor Configuration.

Figure 4-1 Editing the BIOS Setting on an SNS-3400 Series Appliance


Step 4 Select Intel(R) VT and enable it.

Figure 4-2 Enabling VT on an SNS-3400 Series Appliance

Step 5 Press F10 to save your changes and exit.

Configuring VMware Server Interfaces for the Cisco ISE Profiler Service

To configure VMware server interfaces to support the collection of Switch Port Analyzer (SPAN) or mirrored traffic to a dedicated probe interface for the Cisco ISE Profiler Service, perform the following steps:

Step 1 Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server instance) > VMswitch0 (one of your VMware ESXi server interfaces) > Properties > Security.

Step 2 In the Policy Exceptions pane on the Security tab, check the Promiscuous Mode check box.

Step 3 In the Promiscuous Mode drop-down list, choose Accept and click OK.

Repeat the same steps on the other VMware ESX server interface used for profiler data collection of SPAN or mirrored traffic.


Figure 4-3 VMNetwork Properties Window

Configuring a VMware Server

This section describes how to configure VMware servers by using the VMware vSphere Client.

Step 1 Log in to the ESXi server.

Step 2 In the VMware vSphere Client, in the left pane, right-click your host container and choose New Virtual Machine.

Step 3 In the Configuration dialog box, choose Custom for the VMware configuration, as shown in Figure 4-4, and click Next.


Figure 4-4 Virtual Machine Configuration Dialog Box

The Name and Location dialog box appears (see Figure 4-5).

Step 4 Enter a name for the VMware system and click Next.

Tip Use the hostname that you want to use for your VMware host.

Figure 4-5 Name and Location Dialog Box


The Datastore dialog box appears (see Figure 4-6).

Step 5 Choose a datastore that has the recommended amount of space available and click Next. Refer to Table 4-3 for details.

Figure 4-6 Datastore Dialog Box

The Virtual Machine Version dialog box appears.

Step 6 (Optional) If your VM host or cluster supports more than one VMware virtual machine version, choose a Virtual Machine version such as Virtual Machine Version 7, and click Next (see Figure 4-7).


Figure 4-7 Virtual Machine Version

The Guest Operating System dialog box appears (see Figure 4-8).

Step 7 Choose Linux and Red Hat Enterprise Linux 5 (64-bit) from the Version drop-down list.

Figure 4-8 Guest Operating System Dialog Box

The Number of Virtual Processors dialog box appears (see Figure 4-9).


Step 8 Choose 2 from the Number of virtual sockets and the Number of cores per virtual socket drop-down lists, so that the total number of cores is 4. (Optional; these two drop-down lists appear in some versions of ESX server. If you see only the Number of virtual processors drop-down list, choose 4.) Refer to “VMware Appliance Specifications for a Production Environment” for details. Click Next.

Figure 4-9 Number of Virtual Processors Dialog Box

The Memory Configuration dialog box appears (see Figure 4-10).

Step 9 Enter a value based on the recommendations in Table 4-2, and click Next.


Figure 4-10 Memory Configuration Dialog Box

The Network Interface Card (NIC) Configuration dialog box appears (see Figure 4-11).

Step 10 Choose a NIC and adapter and click Next.

Note We recommend that you choose the E1000 adapter. Cisco ISE, Release 1.2, supports only the E1000 and VMXNET3 adapters. It does not support any other virtual NIC drivers.

Figure 4-11 NIC Configuration Dialog Box


The SCSI controller dialog box appears.

Step 11 Choose LSI Logic Parallel as the SCSI controller and click Next.

The Select a Disk dialog box appears (see Figure 4-12).

Step 12 Choose Create a new virtual disk and click Next.

Figure 4-12 Select a Disk

The Virtual Disk Size and Provisioning Policy dialog box appears.

Step 13 In the Disk Provisioning dialog box, click the Thick Provisioning Lazy Zeroed radio button. Click Next to continue. (See Figure 4-13.)

If you are using an earlier version of VMware client, uncheck the following options:

a. Uncheck the Allocate and commit space on demand (Thin Provisioning) check box.

b. Uncheck the Support clustering features such as Fault Tolerance check box.

Note When selecting the Thick Provisioned Lazy Zeroed option, the virtual disk is allocated all of its provisioned space and immediately made accessible to the virtual machine. A lazy zeroed disk is not zeroed up front, which makes the provisioning very fast. However, there is an added latency on first write because each block is zeroed out before it is written to for the first time. We recommend the Thick Provisioned Eager Zeroed (Recommended for I/O intensive workloads) option when deploying an I/O intensive application on VMFS. The virtual disk is allocated all of its provisioned space and the entire VMDK file is zeroed out before allowing the virtual machine access. This means that the VMDK file will take longer to become accessible to the virtual machine, but will not incur the additional latency of zeroing on first write.


Figure 4-13 Disk Provisioning Dialog Box

The Advanced Options dialog box appears.

Step 14 Choose the advanced options, and click Next.

The Ready to Complete New Virtual Machine dialog box appears (see Figure 4-14).

Step 15 Verify the configuration details, such as Name, Guest OS, CPUs, Memory, and Disk Size of the newly created VMware system. You must see the following values:

• Guest OS—Red Hat Enterprise Linux 5 (64-bit)

• CPUs—4

• Memory—4 GB or 4096 MB

• Disk Size—200 GB to 2 TB based on the recommendations for VMware disk space

For the Cisco ISE installation to be successful on a virtual machine, ensure that you adhere to the recommendations given in this document.
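The requirements that Steps 1 through 15 and the Before You Begin list spread over several pages, gathered into one pre-flight check. This is an added example, not Cisco's code: it validates a planned VM specification against Table 4-1 (single disk of 200 GB to 2 TB, VMFS datastore, supported hypervisor), Table 4-5 (VMFS3 block size), the adapter rules (E1000 or VMXNET3 only, the same adapter on every NIC, 1 to 4 NICs), the thin-provisioning prohibition, the LSI Logic Parallel controller and the Step 15 values. It checks for at least 4 cores rather than exactly 4 because an SNS-3495-class VM has 8. The `spec` dictionary keys and the two sample specifications are assumptions made for this example; fill them from your own vSphere inventory export.

```python
"""Pre-flight check of a planned Cisco ISE 1.2 virtual machine against the guide.

Added example, not Cisco's code. The `spec` dictionary layout and the sample
specs are this example's own assumptions.
"""

MIN_DISK_GB = 200             # production minimum; evaluation VMs may use 100 GB
MAX_DISK_GB = 2048            # 2 TB ceiling for an ISE 1.2 VM
MIN_MEMORY_GB = 4
MIN_CORES = 4                 # quad-core minimum; SNS-3495-class VMs use 8
SUPPORTED_ADAPTERS = {"E1000", "VMXNET3"}
REQUIRED_GUEST_OS = "Red Hat Enterprise Linux 5 (64-bit)"
REQUIRED_SCSI = "LSI Logic Parallel"
SUPPORTED_HYPERVISORS = ("ESX 4.0", "ESX 4.0.1", "ESX 4.1", "ESXi 4.", "ESXi 5.")
VMFS3_BLOCK_LIMIT_GB = {1: 256, 2: 512, 4: 1024, 8: 2048}   # Table 4-5


def check_ise_vm_spec(spec, evaluation=False):
    """Return a list of findings; an empty list means the spec meets the guide."""
    findings = []
    min_disk = 100 if evaluation else MIN_DISK_GB

    hv = spec.get("hypervisor", "")
    if not hv.startswith(SUPPORTED_HYPERVISORS):
        findings.append(f"unsupported hypervisor {hv!r}; use ESX 4.0/4.0.1/4.1 or ESXi 4.x/5.x")
    if not spec.get("vt_enabled"):
        findings.append("Virtualization Technology (VT) must be enabled in the host BIOS")
    if spec.get("guest_os") != REQUIRED_GUEST_OS:
        findings.append(f"guest OS must be {REQUIRED_GUEST_OS}")
    if spec.get("vcpus", 0) < MIN_CORES:
        findings.append(f"at least {MIN_CORES} cores are required (e.g. 2 sockets x 2 cores)")
    if spec.get("memory_gb", 0) < MIN_MEMORY_GB:
        findings.append(f"at least {MIN_MEMORY_GB} GB of memory is required")

    disks = spec.get("disks_gb", [])
    total_disk = sum(disks)
    if len(disks) != 1:
        findings.append("use exactly one virtual disk; the installer may not recognize space spread over several")
    if not min_disk <= total_disk <= MAX_DISK_GB:
        findings.append(f"disk must be {min_disk} GB to {MAX_DISK_GB} GB, got {total_disk} GB")
    if spec.get("thin_provisioned"):
        findings.append("thin provisioning is not supported; use thick provisioning")
    if spec.get("scsi_controller") != REQUIRED_SCSI:
        findings.append(f"SCSI controller must be {REQUIRED_SCSI}")

    nics = spec.get("nic_adapters", [])
    if not 1 <= len(nics) <= 4:
        findings.append("configure 1 to 4 NICs (2 or more recommended)")
    if set(nics) - SUPPORTED_ADAPTERS:
        findings.append("only E1000 and VMXNET3 adapters are supported")
    if len(set(nics)) > 1:
        findings.append("all NICs must use the same adapter type")

    fs = spec.get("datastore_fs")
    if fs == "VMFS3":
        limit = VMFS3_BLOCK_LIMIT_GB.get(spec.get("vmfs_block_mb"))
        if limit is None or total_disk > limit:
            findings.append("VMFS3 block size too small for the virtual disk (Table 4-5)")
    elif fs != "VMFS5":
        findings.append("use a VMFS datastore (VMFS5 or VMFS3); NFS is not recommended")
    return findings


# Constructed sample: an SNS-3415-class production VM that follows the guide.
GOOD_SPEC = {
    "hypervisor": "ESXi 5.0", "vt_enabled": True, "guest_os": REQUIRED_GUEST_OS,
    "vcpus": 4, "memory_gb": 16, "disks_gb": [600], "thin_provisioned": False,
    "scsi_controller": REQUIRED_SCSI, "nic_adapters": ["E1000", "E1000"],
    "datastore_fs": "VMFS5",
}

# Constructed sample with several of the mistakes the guide warns about.
BAD_SPEC = {
    "hypervisor": "ESXi 5.1", "vt_enabled": True,
    "guest_os": "Red Hat Enterprise Linux 6 (64-bit)",     # wrong guest OS type
    "vcpus": 4, "memory_gb": 16,
    "disks_gb": [200, 400],                                # space split over two disks
    "thin_provisioned": True,                              # not supported
    "scsi_controller": REQUIRED_SCSI,
    "nic_adapters": ["E1000", "VMXNET3"],                  # mixed adapters
    "datastore_fs": "VMFS3", "vmfs_block_mb": 1,           # 1 MB blocks cap VMFS3 disks at 256 GB
}

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(name, check_ise_vm_spec(spec))
```

Running the check before Step 16 catches the mistakes that only surface later, when the installer fails to see all of the disk or the VM refuses to boot a 64-bit kernel.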


Figure 4-14 Ready to Complete Dialog Box

Step 16 Click Finish.

The VMware system is now installed.

To activate the newly created VMware system, right-click VM in the left pane of your VMware client user interface and choose Power > Power On.

Preparing a VMware System for Cisco ISE Software Installation

After configuring the VMware system, you are ready to install the Cisco ISE software. To install the Cisco ISE software from a DVD, you need to configure the VMware system to boot from it. This requires the VMware system to be configured with a virtual DVD drive.

You can perform this installation by using different methods that are dependent upon your network environment. See “Configuring a VMware System to Boot From a Cisco ISE Software DVD” to configure the VMware system by using the DVD drive of a VMware ESX server host.

Note You must download the Cisco ISE 1.2 ISO, burn the ISO image on a DVD, and use it to install Cisco ISE 1.2 on the virtual machine.

Configuring a VMware System to Boot From a Cisco ISE Software DVD

This section describes how to configure a VMware system to boot from the Cisco ISE software DVD by using the DVD drive of the VMware ESX server host.


Step 1 In the VMware client, highlight the newly created VMware system and choose Edit Virtual Machine Settings.

The Virtual Machine Properties window appears. Figure 4-15 displays the properties of a VMware system that is created.

Figure 4-15 Virtual Machine Properties Dialog Box

Step 2 In the Virtual Machine Properties dialog box, choose CD/DVD Drive 1.

The CD/DVD Drive1 properties dialog box appears.

Step 3 Click the Host Device radio button and choose the DVD host device from the drop-down list.


Figure 4-16 Virtual Machine Properties - Host Device Option

Step 4 Choose the Connect at Power On option and click OK to save your settings.

You can now use the DVD drive of the VMware ESX server to install the Cisco ISE software.

After you complete this task, click the Console tab in the VMware client user interface, right-click VM in the left pane, choose Power, and choose Reset to restart the VMware system.

Installing Cisco ISE Software on a VMware System

Step 1 Log in to the VMware client.

Step 2 Ensure that the Coordinated Universal Time (UTC) is set in BIOS:

a. If the VMware system is turned on, turn the system off.

b. Turn on the VMware system.

c. Press F1 to enter the BIOS Setup mode.

d. Using the arrow keys, navigate to the Date and Time field and press Enter.

e. Enter the UTC/Greenwich Mean Time (GMT) time zone.

Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture-agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.

f. Press Esc to exit to the main BIOS menu.

g. Press Esc to exit from the BIOS Setup mode.


Note After installation, if you do not install a permanent license, Cisco ISE automatically installs a 90-day evaluation license that supports a maximum of 100 endpoints.

Step 3 Insert the Cisco ISE software DVD into the VMware ESX host CD/DVD drive and turn on the virtual machine.

Note Download the Cisco ISE, Release 1.2, software from the Cisco Software Download Site at http://www.cisco.com/en/US/products/ps11640/index.html and burn it on a DVD. You will be required to provide your Cisco.com credentials.

When the DVD boots, the console displays:

Welcome to Cisco ISE

To boot from the hard disk press <Enter>

Available boot options:

[1] Cisco Identity Services Engine Installation (Monitor/Keyboard)

[2] Cisco Identity Services Engine Installation (Serial Console)

[3] Reset Administrator Password (Keyboard/Monitor)

[4] Reset Administrator Password (Serial Console)

<Enter> Boot from hard disk

Please enter boot option and press <Enter>.

boot: 1

You can choose either the monitor and keyboard port, or the console port to perform the initial setup.

Step 4 At the system prompt, enter 1 to choose a monitor and keyboard port or 2 to choose a console port and press Enter.

The installer starts the installation of the Cisco ISE software on the VMware system.

Note Allow 20 minutes for the installation process to complete.

When the installation process finishes, the virtual machine reboots automatically.


When the VM reboots, the console displays:

Type 'setup' to configure your appliance

localhost:

Step 5 At the system prompt, type setup and press Enter.

The Setup Wizard appears and guides you through the initial configuration. For more information about the setup process, see Cisco ISE Setup Program Parameters, page 3-7.

Connecting to a Cisco ISE VMware Server Using the Serial Console

To connect to the Cisco ISE VMware server using the serial console, perform the following steps:

Step 1 Power down the particular VMware server (for example ISE-120).

Step 2 Right-click the VMware server and choose Edit.

Step 3 Click Add on the Hardware tab (see Figure 4-15).

Step 4 Choose Serial Port and click Next (see Figure 4-17).

Figure 4-17 Add Hardware - Device Type

Step 5 In the Serial Port Output area, click the Use physical serial port on the host or the Connect via Network radio button and click Next (see Figure 4-18).


Figure 4-18 Add Hardware - Serial Port Type

a. If you choose the Connect via Network option, you must open the required firewall ports on the ESX server.

b. If you select the Use physical serial port on the host, choose the port. You may choose one of the following two options:

• /dev/ttyS0 (In the DOS or Windows operating system, this will appear as COM1).

• /dev/ttyS1 (In the DOS or Windows operating system, this will appear as COM2).


Step 6 Click Next (see Figure 4-19).

Figure 4-19 Select a Physical Serial Port

Step 7 In the Device Status area, check the appropriate check box. The default is Connected (see Figure 4-20).

Figure 4-20 Hardware - Device Status


Step 8 Click OK to connect to the Cisco ISE VMware server.

Cloning a Cisco ISE Virtual Machine

You can clone a Cisco ISE VMware virtual machine (VM) to create an exact replica of a Cisco ISE node. For example, in a distributed deployment with multiple Policy Service nodes (PSNs), VM cloning helps you deploy the PSNs quickly and effectively. You do not have to install and configure the PSNs individually.

You can also clone a Cisco ISE VM using a template. See Cloning a Cisco ISE Virtual Machine Using a Template, page 4-26 for more information.

Before You Begin

• Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.

• Ensure that you change the IP Address and Hostname of the cloned machine before you power it on and connect it to the network.

Step 1 Log in to the ESXi server as a user with administrative privileges (root user).

Step 2 Right-click the Cisco ISE VM you want to clone, and click Clone (see Figure 4-21).

Figure 4-21 Cloning a Cisco ISE Virtual Machine

Step 3 Enter a name for the new machine that you are creating in the Name and Location dialog box and click Next.

This is not the hostname of the new Cisco ISE VM that you are creating, but a descriptive name for your reference.


Step 4 Select a Host or Cluster on which you want to run the new Cisco ISE VM and click Next.

Step 5 Select a datastore for the new Cisco ISE VM that you are creating and click Next.

This datastore can be the local datastore on the ESX or ESXi server or remote storage. See Table 4-1 on page 4-2 for supported storage types. Ensure that the datastore has enough disk space, as described in Table 4-3 on page 4-4.

Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next.

This option copies the same format that is used in the Cisco ISE VM that you are cloning this new machine from.

Step 7 Click the Do not customize radio button in the Guest Customization dialog box and click Next.

The Ready to Complete dialog box appears (see Figure 4-22)

Figure 4-22 Ready to Clone Dialog

Step 8 Click Finish.

What To Do Next

• Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-27

• Connecting a Cloned Cisco Virtual Machine to the Network, page 4-29

Related Topics

• Cloning a Cisco ISE Virtual Machine Using a Template, page 4-26


Cloning a Cisco ISE Virtual Machine Using a Template

If you are using vCenter, then you can use a VMware template to clone a Cisco ISE virtual machine (VM). You can clone the Cisco ISE node to a template and use that template to create multiple new Cisco ISE nodes. Cloning a virtual machine using a template is a two-step process:

1. Creating a Virtual Machine Template, page 4-26

2. Deploying a Virtual Machine Template, page 4-26

Creating a Virtual Machine Template

Before You Begin

• Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.

• We recommend that you create the template from a freshly installed Cisco ISE, Release 1.2, VM on which you have not yet run the setup program. You can then run the setup program on each node that you create from the template and configure its IP address and hostname individually.

Step 1 Log in to the ESXi server as a user with administrative privileges (root user).

Step 2 Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template.

Step 3 Enter a name for the template, choose a location to save the template in the Name and Location dialog box, and click Next.

Step 4 Choose the ESX host that you want to store the template on and click Next.

Step 5 Choose the datastore that you want to use to store the template and click Next.

Ensure that this datastore has the required amount of disk space. See Table 4-3 on page 4-4 for more details.

Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next.

The Ready to Complete dialog box appears.

Step 7 Click Finish.

Deploying a Virtual Machine Template

After you create a virtual machine template, you can deploy it on other virtual machines (VMs).

Step 1 Right-click the Cisco ISE VM template that you have created and choose Deploy Virtual Machine from this template.

Step 2 Enter a name for the new Cisco ISE node, choose a location for the node in the Name and Location dialog box, and click Next.

Step 3 Choose the ESX host where you want to store the new Cisco ISE node and click Next.

Step 4 Choose the datastore that you want to use for the new Cisco ISE node and click Next.

Ensure that this datastore has the required amount of disk space. See Table 4-3 on page 4-4 for more details.


Step 5 Click the Same format as source radio button in the Disk Format dialog box and click Next.

Step 6 Click the Do not customize radio button in the Guest Customization dialog box.

The Ready to Complete dialog box appears.

Step 7 Check the Edit Virtual Hardware check box and click Continue.

The Virtual Machine Properties page appears.

Step 8 Choose Network adapter, uncheck the Connected and Connect at power on check boxes, and click OK.

Step 9 Click Finish.

You can now power on this Cisco ISE node, configure the IP address and hostname, and connect it to the network.

What To Do Next

• Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-27

• Connecting a Cloned Cisco Virtual Machine to the Network, page 4-29

Related Topics

• Cloning a Cisco ISE Virtual Machine Using a Template, page 4-26

Changing the IP Address and Hostname of a Cloned Virtual Machine

After you clone a Cisco ISE virtual machine (VM), you have to power it on and change the IP address and hostname. You cannot use “localhost” as the hostname for a node.

Before You Begin

• Ensure that the Cisco ISE node is in the standalone state.

• Ensure that the network adapter on the newly cloned Cisco ISE VM is not connected when you power on the machine. Uncheck the Connected and Connect at power on check boxes. See Figure 4-23. Otherwise, if this node comes up, it will have the same IP address as the source machine from which it was cloned.


Figure 4-23 Disconnecting the Network Adapter

• Have the IP address and hostname that you are going to configure on the newly cloned VM ready before you power it on, and ensure that the DNS server already has an entry for that IP address and hostname.

• Ensure that you have certificates for the Cisco ISE nodes based on the new IP address or hostname.

Step 1 Right-click the newly cloned Cisco ISE VM and choose Power > Power On.

Step 2 Select the newly cloned Cisco ISE VM and click the Console tab.

Step 3 Enter the following commands on the Cisco ISE CLI:

configure terminal

hostname hostname

hostname is the new hostname that you are going to configure. The Cisco ISE services are restarted.

Step 4 Enter the following commands:

interface gigabit 0

ip address ip_address netmask

ip_address is the address that corresponds to the hostname that you entered in step 3 and netmask is the subnet mask of the ip_address. The system will prompt you to restart the Cisco ISE services.

Step 5 Enter Y to restart Cisco ISE services.

Related Topics

Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.2, for the ip address and hostname commands.
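The checks that the Before You Begin list and Steps 3 through 5 describe can be scripted before the clone's network adapter is reconnected. The following Python pre-flight checker is an added example and not Cisco's code: it takes the source node's identity, the planned identity of the clone, a constructed snapshot of the DNS A and PTR records, and the subject alternative names of the certificate prepared for the clone, reports anything that would make the clone come up wearing the source node's identity or fail name resolution, and prints the CLI commands from Steps 3 and 4 filled in for the clone. The node names, addresses, domain, DNS records and certificate names are constructed sample data; the hostname-label rule is the generic DNS label rule, assumed here rather than ISE's own validator.

```python
"""Pre-flight check for a cloned Cisco ISE node before its network adapter is
reconnected. Added example, not Cisco's code. It models the checks the cloning
procedure asks the operator to do by hand: hostname is not "localhost", no
collision with the source node, forward and reverse DNS present and consistent,
and a certificate issued for the new identity. All inputs are constructed
in-memory stand-ins; nothing here talks to DNS, vCenter or ISE."""

import ipaddress
import re
from dataclasses import dataclass, field

# Generic RFC 1123 hostname label (assumed rule, not ISE's own validator):
# letters, digits and hyphens, 1-63 characters, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class NodeIdentity:
    hostname: str   # short name given to the ISE "hostname" command
    domain: str     # DNS domain the node lives in
    ip: str         # IPv4 address for interface gigabit 0
    netmask: str

    @property
    def fqdn(self) -> str:
        return f"{self.hostname}.{self.domain}"


@dataclass
class DnsView:
    """Constructed stand-in for the records an operator would look up."""
    a: dict = field(default_factory=dict)    # fqdn -> ip
    ptr: dict = field(default_factory=dict)  # ip -> fqdn


def preflight(clone: NodeIdentity, source: NodeIdentity, dns: DnsView, cert_sans) -> list:
    """Return a list of findings; an empty list means the clone may be connected."""
    findings = []

    # 1. Hostname rules: "localhost" is refused by ISE, and the label must be
    #    a valid DNS label or the hostname command will not take it.
    if clone.hostname.lower() == "localhost":
        findings.append('hostname "localhost" is not allowed')
    if not _LABEL_RE.match(clone.hostname):
        findings.append(f'hostname "{clone.hostname}" is not a valid DNS label')

    # 2. The clone must not come up wearing the source node's identity.
    if clone.hostname.lower() == source.hostname.lower():
        findings.append("hostname collides with the source node")
    if clone.ip == source.ip:
        findings.append("IP address collides with the source node")

    # 3. Addressing sanity: the address/netmask pair must parse.
    try:
        ipaddress.IPv4Interface(f"{clone.ip}/{clone.netmask}")
    except ValueError as exc:
        findings.append(f"invalid address/netmask: {exc}")

    # 4. Forward and reverse DNS must exist and agree before the node is exposed.
    fwd = dns.a.get(clone.fqdn)
    if fwd is None:
        findings.append(f"no A record for {clone.fqdn}")
    elif fwd != clone.ip:
        findings.append(f"A record for {clone.fqdn} points to {fwd}, not {clone.ip}")
    rev = dns.ptr.get(clone.ip)
    if rev is None:
        findings.append(f"no PTR record for {clone.ip}")
    elif rev.lower() != clone.fqdn.lower():
        findings.append(f"PTR for {clone.ip} is {rev}, not {clone.fqdn}")

    # 5. A clone still carries the source node's certificate; one issued for
    #    the new FQDN (or IP address) must already exist.
    sans = {s.lower() for s in cert_sans}
    if clone.fqdn.lower() not in sans and clone.ip not in sans:
        findings.append(f"no certificate SAN covers {clone.fqdn} or {clone.ip}")

    return findings


def ise_cli_commands(clone: NodeIdentity) -> list:
    """The commands from Steps 3 and 4 of the procedure, filled in for this clone."""
    return [
        "configure terminal",
        f"hostname {clone.hostname}",
        "interface gigabit 0",
        f"ip address {clone.ip} {clone.netmask}",
    ]


# Constructed sample deployment: a second PSN cloned from the first.
SOURCE = NodeIdentity("ise-psn-1", "example.com", "10.10.10.11", "255.255.255.0")
CLONE = NodeIdentity("ise-psn-2", "example.com", "10.10.10.12", "255.255.255.0")
DNS = DnsView(
    a={"ise-psn-1.example.com": "10.10.10.11", "ise-psn-2.example.com": "10.10.10.12"},
    ptr={"10.10.10.11": "ise-psn-1.example.com", "10.10.10.12": "ise-psn-2.example.com"},
)
CERT_SANS = {"ise-psn-2.example.com"}  # SANs of the certificate prepared for the clone

if __name__ == "__main__":
    problems = preflight(CLONE, SOURCE, DNS, CERT_SANS)
    for p in problems:
        print("BLOCK:", p)
    if not problems:
        print("\n".join(ise_cli_commands(CLONE)))
```

Run it before Connecting a Cloned Cisco Virtual Machine to the Network; an empty finding list is the go-ahead to reconnect the adapter. The certificate check is deliberately strict: a clone inherits the source node's certificate, and reconnecting it without one issued for the new name puts a node with a mismatched identity on the network.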


Connecting a Cloned Cisco Virtual Machine to the Network

After you power on the cloned VM and change its IP address and hostname, you must connect the Cisco ISE node to the network.

Step 1 Right-click the newly cloned Cisco ISE virtual machine (VM) and click Edit Settings.

Step 2 Click Network adapter in the Virtual Machine Properties dialog box.

Step 3 In the Device Status area, check the Connected and Connect at power on check boxes.

Step 4 Click OK.


Chapter 5

Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances

This chapter describes the process for performing an initial (or fresh) installation of the Cisco ISE, Release 1.2, software from a DVD on the following supported Cisco ISE-3300, Cisco Secure ACS, and Cisco NAC appliance platforms:

• Cisco ISE-3315

• Cisco ISE-3355

• Cisco ISE-3395

• Cisco Secure ACS-1121

• Cisco NAC-3315

• Cisco NAC-3355

• Cisco NAC-3395

Note Download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and Cisco Secure ACS appliances.

Installing the software on a Cisco Secure ACS or Cisco NAC appliance is a simplified process because the underlying hardware on which the Cisco ISE software is installed is the same physical device type:

• Cisco Secure ACS-1121 and Cisco NAC-3315 appliances are based on the same physical hardware that is used for small Cisco ISE network deployments (Cisco ISE 3315 appliances).

• Cisco NAC-3355 and Cisco NAC-3395 appliances are based on the same physical hardware that is used for medium and large Cisco ISE network deployments (Cisco ISE 3355 and Cisco ISE 3395 appliances, respectively).

Note For specific details about the Cisco ISE 3300 series hardware platforms, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.


This chapter describes the following procedures:

• Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2—Provides instructions for installing the Cisco ISE, Release 1.2, software using a DVD.

• Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance, page 5-3—Provides instructions for installing the Cisco ISE software with a DVD, configuring the appliance using the Setup program, and verifying the configuration process.

• Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance, page 5-3—Provides instructions for installing the Cisco ISE software with a DVD, configuring the appliance using the Setup program, and verifying the configuration process.

• Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance, page 5-4—Provides instructions for installing the Cisco ISE software with a DVD, including how to reset the RAID configuration on the Cisco NAC appliance before you complete the reimage process.

Note To reuse a Cisco Secure ACS or Cisco NAC appliance as a Cisco ISE, Release 1.2 appliance, reimage the Cisco Secure ACS or Cisco NAC appliance, install the Cisco ISE software, and use the Setup program to configure the appliance.

Installing Cisco ISE, Release 1.2, Software from a DVD

Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image to a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series and legacy Cisco NAC and Cisco Secure ACS appliances.

• Review the Cisco ISE Setup Program Parameters, page 3-7 and have this information ready before you run the setup program.

Step 1 Connect a keyboard and a VGA monitor to the appliance.

Step 2 Ensure that a power cord is connected to the appliance, insert the DVD in the appliance CD/DVD drive, and turn on the appliance.

The console displays the boot options.

Step 3 At the boot prompt, enter 1 and press Enter.

Step 4 At the prompt, type setup to start the setup program.

Step 5 Enter the values for the setup program parameters.

After the Cisco ISE or IPN software is configured, the system reboots automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you configured during setup.

What To Do Next

• If you installed the IPN ISO, go to Configuring Certificates for Inline Posture Nodes, page E-34.

• If you installed the Cisco ISE, Release 1.2 ISO image, after you log in to the Cisco ISE CLI shell, you can run the show application status ise CLI command to check the status of the Cisco ISE application processes.


Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance

This section provides the procedure for reimaging an existing Cisco ISE-3300 Series appliance as a Cisco ISE 1.2 appliance.

Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image on a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and Cisco Secure ACS appliances.

• Review the information in Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6.

• Review the Cisco ISE Setup Program Parameters, page 3-7 and have this information ready before you run the setup program.

Step 1 If the Cisco ISE appliance is on, turn it off.

Step 2 Turn on the Cisco ISE appliance.

Step 3 Press F1 to enter the BIOS setup mode.

Step 4 Use the arrow keys to navigate to the Date and Time field and press Enter.

Step 5 Set the time to the UTC/GMT time zone.

Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.

Step 6 Press Esc to exit to main BIOS menu.

Step 7 Press Esc to exit from the BIOS setup mode.

Step 8 Perform the instructions described in Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2.

Step 9 Perform the instructions described in Setup Process Verification, page 3-15.

Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance

This section provides the procedure for reimaging an existing Cisco Secure ACS appliance as a Cisco ISE, Release 1.2, appliance.

Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image on a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and Cisco Secure ACS appliances.


• Review the information in Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6.

• Review the Cisco ISE Setup Program Parameters, page 3-7 and have this information ready before you run the setup program.

Step 1 If the Cisco Secure ACS appliance is on, turn it off.

Step 2 Turn on the Cisco Secure ACS appliance.

Step 3 Press F1 to enter the BIOS setup mode.

Step 4 Use the arrow keys to navigate to the Date and Time field and press Enter.

Step 5 Set the time for your appliance to the UTC/GMT time zone.

Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.

Step 6 Press Esc to exit to main BIOS menu.

Step 7 Press Esc to exit from the BIOS setup mode.

Step 8 Perform the instructions described in Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2.

Step 9 Perform the instructions described in Setup Process Verification, page 3-15.

Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance

This section provides the procedure for reimaging an existing Cisco NAC appliance as a Cisco ISE 1.2 appliance.

Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image to a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series and legacy Cisco NAC and Cisco Secure ACS appliances.

• Review the information in Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6.

• Review the Cisco ISE Setup Program Parameters, page 3-7 and have this information ready before you run the setup program.

Step 1 If the Cisco NAC appliance is on, turn it off.

Step 2 Turn on the Cisco NAC appliance.

Step 3 Press F1 to enter the BIOS setup mode.

Step 4 Using the arrow keys, navigate to the Date and Time field and press Enter.

Step 5 Set the time for your appliance to the UTC/GMT time zone.


Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.

Step 6 Press Esc to exit to main BIOS menu.

Step 7 Press Esc to exit from the BIOS setup mode.

Note If the Cisco ISE DVD installation process returns a message indicating that “The installer requires at least 600 GB disk space for this appliance type,” you may need to reset the RAID settings on the appliance to facilitate installation as described in Resetting the Existing RAID Configuration on a Cisco NAC Appliance.

Step 8 Perform the instructions that are described in Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2.

Step 9 Perform the instructions that are described in Setup Process Verification, page 3-15.

Resetting the Existing RAID Configuration on a Cisco NAC Appliance

It may be necessary to reset the RAID settings on your NAC appliance to facilitate Cisco ISE 1.2 installation.

Step 1 Reboot the Cisco NAC appliance with the Cisco ISE Software DVD.

Step 2 When the RAID controller version information appears on the console (a label such as LSI Corporation MPT SAS BIOS), press Ctrl-C. The LSI Corp Config Utility becomes active.

Step 3 Press Enter to specify the default controller. (The highlighted controller name should read something similar to SR-BR10i.) A screen containing the Cisco NAC appliance adapter information appears.

Step 4 Use the arrow keys to navigate to “RAID properties” and press Enter.

Step 5 Use the arrow keys to navigate to “Manage Array” and press Enter.

Step 6 Use the arrow keys to navigate to “Delete Array” and press Enter.

Step 7 Enter Y to confirm that you want to delete the existing RAID array.

Step 8 Press Esc twice to exit the RAID configuration utility.

The system prompts you with an Exit the Configuration Utility and Reboot? prompt.

Step 9 Press Enter. The Cisco NAC appliance reboots. As long as the Cisco ISE Software DVD is still inserted, the appliance automatically boots to the install menu.

Step 10 Press 1 to begin the Cisco ISE, Release 1.2, installation.


Chapter 6

Managing Administrator Accounts

This chapter describes the two types of administrator accounts in Cisco ISE, their privileges, and how to create these accounts. This chapter contains the following topics:

• CLI-Admin and Web-Based Admin User Right Differences, page 6-1

• Tasks Performed by CLI-Admin and Web-Based Admin Users, page 6-1

• Tasks Performed Only by the CLI-Admin User, page 6-2

• Creating CLI Admin Users, page 6-2

• Creating Web-Based Admin Users, page 6-2

CLI-Admin and Web-Based Admin User Right Differences

The username and password that you configure by using the Cisco ISE setup program are intended to be used for administrative access to the Cisco ISE CLI and the Cisco ISE web interface. The administrator that has access to the Cisco ISE CLI is called the CLI-admin user. By default, the username for the CLI-admin user is admin and the password is user-defined during the setup process. There is no default password.

You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process. There is no default username and password for a web-based admin.

The CLI-admin user is copied to the Cisco ISE web-based admin user database. Only the first CLI-admin user is copied as the web-based admin user. You should keep the CLI- and web-based admin user stores synchronized, so that you can use the same username and password for both admin roles.

The Cisco ISE CLI-admin user has different rights and capabilities than the Cisco ISE web-based admin user and can perform other administrative tasks.

Tasks Performed by CLI-Admin and Web-Based Admin Users

• Back up the Cisco ISE application data.

• Display any system, application, or diagnostic logs on the Cisco ISE appliance.

• Apply Cisco ISE software patches, maintenance releases, and upgrades.

• Set the NTP server configuration.


Tasks Performed Only by the CLI-Admin User

• Start and stop the Cisco ISE application software.

• Reload or shut down the Cisco ISE appliance.

• Reset the web-based admin user in case of a lockout. For additional details, see Resetting a Password Due to Administrator Lockout, page 7-9.

Note Web-based admin users that are created by using the Cisco ISE user interface cannot automatically log in to the Cisco ISE CLI. Only CLI-admin users can access the Cisco ISE CLI.

Refer to Accessing Cisco ISE Using a Web Browser, page 7-1 for information on the supported browsers.

Creating CLI Admin Users

Cisco ISE allows you to create additional CLI-admin user accounts other than the one you created during the setup process. To protect the CLI-admin user credentials, create the minimum number of CLI-admin users needed to access the Cisco ISE CLI.

Step 1 Log in by using the CLI-admin username and password that you created during the setup process.

Step 2 Enter the Configuration mode.

Step 3 Enter the username command.

Note For details about the username command, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.2.

Creating Web-Based Admin Users

For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as those you configured for CLI-based access during setup.

You can add web-based admin users through the user interface itself. See the “Creating a New Cisco ISE Administrator” section of the Cisco Identity Services Engine User Guide, Release 1.2 for additional details.


Chapter 7

Performing Post-Installation Tasks

This chapter describes several tasks that you must perform after successfully completing the installation and configuration of the Cisco Identity Services Engine (ISE), Release 1.2, software. This chapter contains information about the following topics:

• Accessing Cisco ISE Using a Web Browser, page 7-1

• Verifying a Cisco ISE Configuration, page 7-4

• Verifying the Installation of VMware Tools, page 7-6

• Resetting the Administrator Password, page 7-7

• Configuring the Cisco ISE System, page 7-10

• Enabling System Diagnostic Reports in Cisco ISE, page 7-10

Accessing Cisco ISE Using a Web Browser

Cisco SNS-3400 series appliances support a web interface using the following HTTPS-enabled browsers:

• Mozilla Firefox version 3.6.x and above

• Microsoft Internet Explorer 8.x and above

Note The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7 compatibility mode (Microsoft IE8 is supported in IE8 mode only).

• Apple Safari 4.x and above

Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser.

This section provides information about the following topics:

• Logging In to the Cisco ISE Web-Based Interface, page 7-2

• Logging Out of the Cisco ISE Web-Based Interface, page 7-3


Logging In to the Cisco ISE Web-Based Interface

When you log in to the Cisco ISE web-based interface for the first time, you will be using the preinstalled Evaluation license. You must use only the supported HTTPS-enabled browsers listed in the previous section. After you have installed Cisco ISE as described in this guide, you can log in to the Cisco ISE web-based interface.

Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.

Step 2 In the Address field, enter the IP address (or hostname) of the Cisco ISE appliance by using the following format and press Enter.

https://<IP address or host name>/admin/

For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.

Step 3 Enter a username and password that you defined during setup.

Step 4 Click Login.

Note To recover or reset the Cisco ISE CLI-admin username or password, see the Resetting the Administrator Password, page 7-7.


Tip The minimum required screen resolution to view the Cisco ISE GUI is 1280 x 800 pixels.

The CLI-admin and web-based admin accounts are held in separate user stores, so their username and password values are not necessarily the same when you log in to Cisco ISE. For more information about the differences between them, see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.

Note The license page only appears the first time that you log in to Cisco ISE after the evaluation license has expired.

Note We recommend that you use the Cisco ISE user interface to periodically reset your administrator login password. See the Cisco Identity Services Engine User Guide, Release 1.2 for more information.

Administrator Lockout Following Failed Login Attempts

If you enter an incorrect password for your specified administrator user ID enough times, the Cisco ISE user interface “locks you out” of the system. Cisco ISE adds a log entry in the Monitor > Reports > Catalog > Server Instance > Server Administrator Logins report, and suspends the credentials for that administrator ID until you reset the password associated with that administrator ID, as described in Resetting a Password Due to Administrator Lockout, page 7-9. The number of failed attempts required to disable the administrator account is configurable according to the guidelines that are described in the “Managing Administrators and Admin Access Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. After an administrator user account gets locked out, an email is sent to the associated admin user.
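The lockout behaviour described above is worth watching for from the outside as well as inside Cisco ISE. The following Python detector is an added example, not Cisco's code, and does not read the real Server Administrator Logins report, whose format is not given on this page; it consumes a constructed, syslog-like line format that carries only a timestamp, admin ID, source address and result. It keeps a sliding window of failures per admin ID to flag an ID that has reached the lockout threshold, and a window per source address to distinguish a password spray across several admin IDs from one operator mistyping a password. The threshold default is an assumed value; replace it with the limit configured for your deployment.

```python
"""Sliding-window detector for failed Cisco ISE admin logins. Added example,
not Cisco's code. The log lines are a constructed stand-in for whatever
export of the admin login report a SOC actually receives; only the fields
used here (timestamp, admin ID, source address, result) are assumed."""

from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed, syslog-like line format used by this example only:
#   <ISO-8601 timestamp> admin-login user=<id> src=<ip> result=FAILED|SUCCESS
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>FAILED|SUCCESS)$"
)


def parse_line(line: str):
    """Return (timestamp, user, src, result), or None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]


def detect(lines, threshold=5, window=timedelta(minutes=10), spray_users=3):
    """Scan login events in time order and return (lockouts, sprays).

    threshold   - failed attempts per admin ID that trigger a lockout alert
                  (assumed value; use the limit configured under Admin Access).
    window      - how far back failures count toward the threshold.
    spray_users - distinct admin IDs failing from one source inside the window
                  that count as a password spray.
    """
    failures = defaultdict(deque)   # user -> deque of (ts, src)
    per_source = defaultdict(dict)  # src  -> {user: last failure ts}
    lockouts, sprays, sprayed = [], [], set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, src, result = ev

        if result == "SUCCESS":
            failures[user].clear()  # a good login ends the failure streak
            continue

        q = failures[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) == threshold:
            lockouts.append((user, ts, sorted({s for _, s in q})))
            q.clear()  # ISE suspends the ID; later attempts start a new streak

        seen = per_source[src]
        seen[user] = ts
        for u, t in list(seen.items()):
            if ts - t > window:
                del seen[u]
        if len(seen) >= spray_users and src not in sprayed:
            sprayed.add(src)
            sprays.append((src, ts, sorted(seen)))

    return lockouts, sprays


# Constructed sample log: an operator mistypes once and then logs in, an
# attacker hammers "admin" from 203.0.113.7, and a second source sprays
# three admin IDs. The last line is noise the parser must skip.
SAMPLE_LOG = """\
2017-02-01T09:00:00 admin-login user=jdoe src=10.1.1.20 result=FAILED
2017-02-01T09:00:12 admin-login user=jdoe src=10.1.1.20 result=SUCCESS
2017-02-01T09:05:00 admin-login user=admin src=203.0.113.7 result=FAILED
2017-02-01T09:05:03 admin-login user=admin src=203.0.113.7 result=FAILED
2017-02-01T09:05:06 admin-login user=admin src=203.0.113.7 result=FAILED
2017-02-01T09:05:09 admin-login user=admin src=203.0.113.7 result=FAILED
2017-02-01T09:05:12 admin-login user=admin src=203.0.113.7 result=FAILED
2017-02-01T09:06:00 admin-login user=admin src=203.0.113.9 result=FAILED
2017-02-01T09:06:01 admin-login user=jdoe src=203.0.113.9 result=FAILED
2017-02-01T09:06:02 admin-login user=ops src=203.0.113.9 result=FAILED
not a login line at all
""".splitlines()

if __name__ == "__main__":
    found_lockouts, found_sprays = detect(SAMPLE_LOG)
    for user, ts, sources in found_lockouts:
        print(f"LOCKOUT {user} at {ts} after failures from {', '.join(sources)}")
    for src, ts, users in found_sprays:
        print(f"SPRAY   {src} at {ts} tried {', '.join(users)}")
```

Feed it the lines in time order. Because a success clears the streak, a single mistyped password followed by a good login produces no alert, while the attacker in the sample data produces a lockout alert for admin from the first source and a spray alert for the second.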

Logging Out of the Cisco ISE Web-Based Interface

To log out of the Cisco ISE web-based interface, click Log Out on the Cisco ISE main window toolbar. This ends your administrative session and logs you out.

Caution For security reasons, log out when you complete your administrative session. If you do not log out, the Cisco ISE web-based interface logs you out after 30 minutes of inactivity and does not save any unsubmitted configuration data.

For more information on using the Cisco ISE web-based interface, see the Cisco Identity Services Engine User Guide, Release 1.2.

Installing a License

Refer to Appendix D, “Cisco ISE Licenses” for information on licenses.


Installing Certificates

Refer to Appendix E, “Certificate Management in Cisco ISE” for information on certificates.

Verifying a Cisco ISE Configuration

This section provides two methods that each use a different set of username and password credentials for verifying the Cisco ISE configuration:

• Verifying a Configuration Using a Web Browser, page 7-4

• Verifying a Configuration Using the CLI, page 7-5

Note For first-time web-based access to a Cisco ISE system, the administrator username and password are the same as those for the CLI-based access that you configured during setup. For CLI-based access to a Cisco ISE system, the default administrator username is admin; the administrator password is user-defined because there is no default.

To better understand the differences between a CLI-admin user and a web-based admin user, see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.

Verifying a Configuration Using a Web Browser

To verify that you successfully configured your Cisco SNS-3400 Series appliance, complete the following steps using a web browser:

Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.

Step 2 In the Address field, enter the IP address (or host name) of the Cisco ISE appliance using the following format and press Enter.

https://<IP address or host name>/admin/

For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.

Step 3 In the Cisco ISE Login page, enter the username and password that you defined during setup and click Login.

The Cisco ISE dashboard appears.

Note We recommend that you use the Cisco ISE user interface to periodically reset the administrator password. To reset the administrator password, see Cisco Identity Services Engine User Guide, Release 1.2 for details.


Verifying a Configuration Using the CLI

To verify that you successfully configured your Cisco ISE appliance, use the Cisco CLI and complete the following steps:

Step 1 After the Cisco ISE appliance reboot has completed, launch a supported product, such as PuTTY, for establishing a Secure Shell (SSH) connection to a Cisco ISE appliance.

Step 2 In the Host Name (or IP Address) field, enter the hostname (or the IP address in dotted decimal format of the Cisco ISE appliance) and click Open.

Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during setup and press Enter.

Step 4 At the password prompt, enter the CLI-admin password that you configured during setup (this is user-defined and there is no default) and press Enter.

Step 5 At the system prompt, enter show application version ise and press Enter.

The console displays the following screen.

Note The Version field lists the currently installed version of Cisco ISE software.

Step 6 To check the status of the Cisco ISE processes, enter show application status ise and press Enter.

The console displays the following screen.


Note To get the latest Cisco ISE patches and keep Cisco ISE up-to-date, visit the following web site: http://www.cisco.com/public/sw-center/index.shtml

Step 7 To check the version of the Cisco Application Deployment Engine operating system (ADE-OS), Release 2.0.5, enter show version and press Enter.

The console displays output similar to the following:

Cisco Application Deployment Engine OS Release: 2.0

ADE-OS Build Version: 2.0.5.083

ADE-OS System Architecture: i386

Verifying the Installation of VMware Tools

You can verify the installation of the VMware tools in the following two ways:

• Using the Summary Tab in the vSphere Client

• Using the CLI

Using the Summary Tab in the vSphere Client

Go to the Summary tab of the specified VMware host in the vSphere Client. The value in the VMware Tools field should be OK. (See Figure 7-1.)

Figure 7-1 Verifying VMware Tools in the vSphere Client


Using the CLI

You can also verify whether the VMware tools are installed by using the show inventory command. This command lists the NIC driver information. On a virtual machine with VMware tools installed, the VMware Virtual Ethernet driver is listed in the Driver Descr field.

vm36/admin# show inventory

NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"

PID: ISE-VM-K9 , VID: V01 , SN: 8JDCBLIDLJA

Total RAM Memory: 4016564 kB

CPU Core Count: 1

CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz

Hard Disk Count(*): 1

Disk 0: Device Name: /dev/sda

Disk 0: Capacity: 64.40 GB

Disk 0: Geometry: 255 heads 63 sectors/track 7832 cylinders

NIC Count: 1

NIC 0: Device Name: eth0

NIC 0: HW Address: 00:0C:29:BA:C7:82

NIC 0: Driver Descr: VMware Virtual Ethernet driver

(*) Hard Disk Count may be Logical.

vm36/admin#
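The check above can be automated when the output of show inventory is collected from many nodes. The following is an added example, not part of the Cisco guide: it parses output in the format shown above into per-component fields and reports whether any NIC carries the VMware Virtual Ethernet driver. The first sample reproduces the guide's listing; the second, physical-appliance sample is constructed with placeholder values to exercise the negative case.

```python
"""Parse Cisco ISE `show inventory` output and check the NIC Driver Descr
fields for the VMware Virtual Ethernet driver.

Added example, not part of the Cisco guide. SAMPLE_VM_INVENTORY reproduces
the listing from the guide; SAMPLE_PHYSICAL_INVENTORY is constructed with
placeholder values (PID, serial, MAC addresses, driver name).
"""
import re
from typing import Dict

VMWARE_DRIVER_DESCR = "VMware Virtual Ethernet driver"

SAMPLE_VM_INVENTORY = """\
vm36/admin# show inventory
NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9 , VID: V01 , SN: 8JDCBLIDLJA
Total RAM Memory: 4016564 kB
CPU Core Count: 1
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 64.40 GB
Disk 0: Geometry: 255 heads 63 sectors/track 7832 cylinders
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:BA:C7:82
NIC 0: Driver Descr: VMware Virtual Ethernet driver
(*) Hard Disk Count may be Logical.
vm36/admin#
"""

# Constructed negative sample: every value below is a placeholder.
SAMPLE_PHYSICAL_INVENTORY = """\
ise01/admin# show inventory
NAME: "physical chassis (constructed)", DESCR: "physical chassis (constructed)"
PID: PLACEHOLDER-PID , VID: V01 , SN: PLACEHOLDERSN
Total RAM Memory: 16330000 kB
CPU Core Count: 4
CPU 0: Model Info: placeholder CPU model
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 600.00 GB
NIC Count: 2
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:00:00:00:00:01
NIC 0: Driver Descr: placeholder physical NIC driver
NIC 1: Device Name: eth1
NIC 1: HW Address: 00:00:00:00:00:02
NIC 1: Driver Descr: placeholder physical NIC driver
(*) Hard Disk Count may be Logical.
ise01/admin#
"""

PROMPT = re.compile(r"^\S+/admin#")
# Per-component lines such as "NIC 0: Driver Descr: ..." or "Disk 0: Capacity: ...".
ITEM_LINE = re.compile(
    r"^(?P<kind>NIC|Disk|CPU) (?P<idx>\d+): (?P<field>[^:]+): (?P<value>.*)$")
# Top-level "Key: value" pairs; the NAME/DESCR and PID/VID/SN lines hold several.
KV_PAIR = re.compile(r"^(?P<key>[^:]+): (?P<value>.*)$")


def parse_show_inventory(output: str) -> dict:
    """Return {"fields": {...}, "NIC": {idx: {...}}, "Disk": {...}, "CPU": {...}}."""
    inv = {"fields": {}, "NIC": {}, "Disk": {}, "CPU": {}}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line) or line.startswith("(*)"):
            continue  # prompt echoes and the footnote carry no inventory data
        m = ITEM_LINE.match(line)
        if m:
            entry = inv[m["kind"]].setdefault(int(m["idx"]), {})
            entry[m["field"].strip()] = m["value"].strip()
            continue
        for part in re.split(r"\s*,\s*", line):
            m = KV_PAIR.match(part)
            if m:
                key = m["key"].strip().replace("(*)", "")
                inv["fields"][key] = m["value"].strip().strip('"')
    return inv


def nic_driver_descriptions(inv: dict) -> Dict[str, str]:
    """Map each NIC device name to its Driver Descr value."""
    return {nic.get("Device Name", f"NIC {idx}"): nic.get("Driver Descr", "")
            for idx, nic in sorted(inv["NIC"].items())}


def vmware_tools_installed(output: str) -> bool:
    """True if any NIC reports the VMware Virtual Ethernet driver.

    Raises ValueError when the NIC Count header disagrees with the number of
    NIC entries parsed, which usually indicates truncated output.
    """
    inv = parse_show_inventory(output)
    declared = int(inv["fields"].get("NIC Count", "0"))
    if declared != len(inv["NIC"]):
        raise ValueError(
            f"NIC Count is {declared} but {len(inv['NIC'])} NIC entries were parsed")
    return any(VMWARE_DRIVER_DESCR in d for d in nic_driver_descriptions(inv).values())


if __name__ == "__main__":
    for name, sample in (("VM", SAMPLE_VM_INVENTORY), ("physical", SAMPLE_PHYSICAL_INVENTORY)):
        inv = parse_show_inventory(sample)
        print(f"{name}: PID={inv['fields']['PID']} NICs={nic_driver_descriptions(inv)} "
              f"vmware_tools={vmware_tools_installed(sample)}")
```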

Upgrading VMware Tools

The Cisco ISE ISO image (regular, upgrade, or patch) contains the supported VMware tools. Upgrading VMware tools through the VMware client user interface is not supported with Cisco ISE. If you want to upgrade any VMware tools to a higher version, support is provided through a newer version of Cisco ISE (regular, upgrade, or patch release).

Resetting the Administrator Password

There are two ways to reset the Cisco ISE administrator password:

• Resetting a Lost, Forgotten, or Compromised Password, page 7-8—Use this procedure if no one is able to log in to the Cisco ISE system because the administrator password has been lost, forgotten, or compromised.

• Resetting a Password Due to Administrator Lockout, page 7-9—Use this procedure if the administrator account is locked due to too many failed login attempts.


Resetting a Lost, Forgotten, or Compromised Password

If no one is able to log in to the Cisco ISE system because the administrator password has been lost, forgotten, or compromised, you can use the Cisco ISE Software DVD to reset the administrator password.

Before You Begin

Make sure you understand the following connection-related conditions that can cause a problem when attempting to use the Cisco ISE Software DVD to start up a Cisco ISE appliance:

• You have a terminal server associated with the serial console connection to the Cisco ISE appliance that is set to exec. Setting it to no exec allows you to use a KVM connection and a serial console connection.

• You have a keyboard and video monitor (KVM) connection to the Cisco ISE appliance (this can be either a remote KVM or a VMware vSphere client console connection).

• You have a serial console connection to the Cisco ISE appliance.

Step 1 Ensure that the Cisco ISE appliance is powered up.

Step 2 Insert the Cisco ISE Software DVD.

Step 3 Reboot the Cisco ISE appliance to boot from the DVD.

The console displays the following message (this example shows a Cisco ISE 3355):

Welcome to Cisco Identity Services Engine - ISE 3355

To boot from hard disk press <Enter>

Available boot options:

[1] Cisco Identity Services Engine Installation (Keyboard/Monitor)

[2] Cisco Identity Services Engine Installation (Serial Console)

[3] Reset Administrator Password (Keyboard/Monitor)

[4] Reset Administrator Password (Serial Console)

<Enter> Boot from hard disk

Please enter boot option and press <Enter>.

boot:

Step 4 At the system prompt, enter 3 if you use a keyboard and video monitor connection to the appliance, or enter 4 if you use a local serial console port connection.

The console displays a set of parameters.

Step 5 Enter the parameters by using the descriptions that are listed in Table 7-1.

Table 7-1 Password Reset Parameters

• Admin username: Enter the number of the administrator whose password you want to reset.
• Password: Enter a new password.
• Verify password: Enter the password again.
• Save change and reboot: Enter Y to save.

The console displays:

Admin username:
[1]:admin
[2]:admin2
[3]:admin3
[4]:admin4
Enter number of admin for password recovery:2
Password:
Verify password:
Save change and reboot? [Y/N]:

See the Cisco Identity Services Engine CLI Reference Guide, Release 1.2 for more information.

Resetting a Password Due to Administrator Lockout

An administrator can enter an incorrect password enough times to disable the account. The minimum and default number of attempts is five.

Note Use this command to reset the administrator user interface password. It does not affect the CLI password of the administrator.

Step 1 Access the direct-console CLI and enter:

application reset-passwd ise administrator_ID

Step 2 Specify and confirm a new password that is different from the previous two passwords that were used for this administrator ID:

Enter new password:
Confirm new password:

Password reset successfully

After you successfully reset the administrator password, the credentials are immediately active and you can log in without having to reboot the system.

For more details on using the application reset-passwd ise command, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.2.

Changing the IP Address of a Cisco ISE Appliance

To change the IP address of a Cisco SNS-3400 series appliance, complete the following steps:

Before You Begin

Ensure that the Cisco ISE node is in a standalone state before you change the IP address. If the node is part of a distributed deployment, deregister the node from the deployment and make it a standalone node.

Step 1 Log in to the Cisco ISE CLI.


Step 2 Enter the following:

configure terminal

interface GigabitEthernet 0

ip address new_ip_address new_subnet_mask

exit

Note Do not use the no ip address command when you change the Cisco ISE appliance IP address.

Note All Cisco ISE services have to be restarted after changing the Cisco ISE appliance IP address.

Configuring the Cisco ISE System

By using the Cisco ISE web-based user interface menus and options, you can configure the Cisco ISE system to suit your needs. For details on configuring authentication and authorization policies, and other features, menus, and options, see the Cisco Identity Services Engine User Guide, Release 1.2.

For details on each of the Cisco ISE operations and other administrative functions, such as monitoring and reporting, see the Cisco Identity Services Engine User Guide, Release 1.2.

For the most current information about this release, see the Release Notes for Cisco Identity Service Engine, Release 1.2.

Enabling System Diagnostic Reports in Cisco ISE

After installing Cisco ISE for the first time or reimaging an appliance, you can choose to enable the system-level diagnostic reports using the Cisco ISE CLI (the logging function that reports on system diagnostics is not enabled in Cisco ISE by default).

To enable system diagnostic reports, do the following:

Step 1 Log in to the Cisco ISE CLI console using the default administrator user ID and password.

Step 2 Enter the following commands:

a. configure terminal

b. logging 127.0.0.1:20514

c. end

d. write memory

You can configure system diagnostic settings through the Cisco ISE user interface (Administration > System > Logging > Logging Categories > System Diagnostics).

Appendix A

Installing the Cisco SNS-3400 Series Appliance in a Rack

This appendix describes the safety guidelines, site requirements, and guidelines that you must observe before installing the Cisco SNS-3400 Series appliances, and also provides instructions on how to rack mount a Cisco SNS-3400 Series appliance, connect all the cables, power up the appliance, and remove or replace the server components.

This appendix contains the following sections:

• Unpacking and Inspecting the Server, page A-1

• Safety Guidelines, page A-2

• Installing a Cisco SNS-3400 Series Appliance in a Rack, page A-4

• Connecting and Powering On the Server, page A-7

• Checking the LEDs, page A-8

• Installing or Replacing Server Components, page A-11

Unpacking and Inspecting the Server

This section provides information on how you can prepare your site for safely installing the Cisco SNS-3400 series appliance.

Caution When handling internal server components, wear an ESD strap and handle modules by the carrier edges only.

Tip Keep the shipping container in case the server requires shipping in the future.

Note The chassis is thoroughly inspected before shipment. If any damage occurred during transportation or any items are missing, contact your customer service representative immediately.

To inspect the shipment, follow these steps:

Step 1 Remove the server from its cardboard container and save all packaging material.


Step 2 Compare the shipment to the equipment list provided by your customer service representative and Figure A-1. Verify that you have all items.

Step 3 Check for damage and report any discrepancies or damage to your customer service representative. Have the following information ready:

• Invoice number of shipper (see the packing slip)

• Model and serial number of the damaged unit

• Description of damage

• Effect of damage on the installation

Figure A-1 Shipping Box Contents

(Figure A-1 callouts: 1 Server; 2 Power cord (optional, up to two); 3 Documentation; 4 KVM cable)

Safety Guidelines

Note Before you install, operate, or service a Cisco SNS-3400 series appliance, review the Regulatory Compliance and Safety Information for Cisco SNS 3400 Series Appliance for important safety information.

Warning IMPORTANT SAFETY INSTRUCTIONS

This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071

Warning To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of: 40° C (104° F). Statement 1047

Warning The plug-socket combination must be accessible at all times, because it serves as the main disconnecting device. Statement 1019

Warning This product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than: 250 V, 15 A. Statement 1005

Warning Installation of the equipment must comply with local and national electrical codes. Statement 1074

When you are installing a server, use the following guidelines:

• Plan your site configuration and prepare the site before installing the server. See the Cisco UCS Site Preparation Guide for the recommended site planning tasks.

• Ensure that there is adequate space around the server to allow for servicing the server and for adequate airflow. The airflow in this server is from front to back.

• Ensure that the air-conditioning meets the thermal requirements listed in the Appendix B, “Cisco SNS-3400 Series Server Specifications.”

• Ensure that the cabinet or rack meets the requirements listed in the “Rack Requirements” section on page A-4.

• Ensure that the site power meets the power requirements listed in the Appendix B, “Cisco SNS-3400 Series Server Specifications.” If available, you can use an uninterruptible power supply (UPS) to protect against power failures.

Caution Avoid UPS types that use ferroresonant technology. These UPS types can become unstable with systems such as the Cisco SNS 3400 series appliances, which can have substantial current draw fluctuations from fluctuating data traffic patterns.


Installing a Cisco SNS-3400 Series Appliance in a Rack

This section describes how to mount the Cisco SNS-3400 series appliance in a rack and contains the following topics:

• Rack Requirements, page A-4

• Equipment Requirements, page A-4

• Slide Rail Adjustment Range, page A-4

• Installing the Server In a Rack, page A-4

Rack Requirements

The following are the requirements for standard open racks:

• A standard 19-in. (48.3-cm) wide, four-post EIA rack, with mounting posts that conform to English universal hole spacing, per section 1 of ANSI/EIA-310-D-1992.

• The rack post holes can be square .38-inch (9.6 mm), round .28-inch (7.1 mm), #12-24 UNC, or #10-32 UNC when you use the supplied slide rails.

• The minimum vertical rack space per server must be one RU, equal to 1.75 in. (44.45 mm).

Equipment Requirements

The slide rails supplied by Cisco Systems for this server do not require tools for installation. The inner rails (mounting brackets) are preattached to the sides of the server.

Slide Rail Adjustment Range

The slide rails for this server have an adjustment range of 24 to 36 inches (610 to 914 mm).

Installing the Server In a Rack

This section describes how to install the server in a rack.

Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:

• This unit should be mounted at the bottom of the rack if it is the only unit in the rack.

• When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack.

• If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack.

Statement 1006


To install the slide rails and the server into a rack, follow these steps:

Step 1 Open the front securing latch (see Figure A-2). The end of the slide-rail assembly marked “FRONT” has a spring-loaded securing latch that must be open before you can insert the mounting pegs into the rack-post holes.

a. On the rear side of the securing-latch assembly, hold open the clip marked “PULL.”

b. Slide the spring-loaded securing latch away from the mounting pegs.

c. Release the clip marked “PULL” to lock the securing latch in the open position.

Figure A-2 Front Securing Latch

Step 2 Install the slide rails on the rack:

a. Position a slide-rail assembly inside the two left-side rack posts (see Figure A-3).

Use the “FRONT” and “REAR” markings on the slide-rail assembly to orient the assembly correctly with the front and rear rack posts.

b. Position the front mounting pegs so that they enter the desired front rack-post holes from the front.

Note The mounting pegs that protrude through the rack-post holes are designed to fit round or square holes, or smaller #10-32 round holes when the mounting peg is compressed. If your rack has #10-32 rack-post holes, align the mounting pegs with the holes and then compress the spring-loaded pegs to expose the #10-32 inner peg.

c. Expand the length-adjustment bracket until the rear mounting pegs protrude through the desired holes in the rear rack post.

(Figure A-2 callouts: 1 Clip marked “PULL” on rear of assembly; 2 Front mounting pegs; 3 Spring-loaded securing latch on front of assembly)


Use your finger to hold the rear securing latch open when you insert the rear mounting pegs to their holes. When you release the latch, it wraps around the rack post and secures the slide-rail assembly.

Figure A-3 Attaching a Slide-Rail Assembly

d. Attach the second slide-rail assembly to the opposite side of the rack. Ensure that the two slide-rail assemblies are level and at the same height with each other.

e. Pull the inner slide rails on each assembly out toward the rack front until they hit the internal stops and lock in place.

Step 3 Insert the server into the slide rails:

Note The inner rails are preattached to the sides of the server at the factory. You can order replacement inner rails if these are damaged or lost (Cisco PID UCSC-RAIL1-I).

a. Align the inner rails that are preattached to the server sides with the front ends of the empty slide rails.

b. Push the server into the slide rails until it stops at the internal stops.

c. Push in the plastic release clip on each inner rail (labelled PUSH), and then continue pushing the server into the rack until the front latches engage the rack posts.

Step 4 Attach the (optional) cable management arm (CMA) to the rear of the slide rails:

Note The CMA is designed for mounting on either the right or left slide rails. These instructions describe an installation to the rear of the right slide rails, as viewed from the rear of server.

a. Slide the plastic clip on the inner CMA arm over the flange on the mounting bracket that is attached to the side of the server. See Figure A-4.

(Figure A-3 callouts: 1 Front-left rack post; 2 Front mounting pegs; 3 Slide-rail assembly; 4 Length-adjustment bracket; 5 Rear mounting pegs; 6 Rear securing latch)


Note Whether you are mounting the CMA to the left or right slide rails, be sure to orient the engraved “UP” marking so that it is always on the upper side of the CMA. See Figure A-4.

b. Slide the plastic clip on the outer CMA arm over the flange on the slide rail. See Figure A-4.

c. Attach the CMA retaining bracket to the left slide rail. Slide the plastic clip on the bracket over the flange on the end of the left slide rail. See Figure A-4.

Figure A-4 Attaching the Cable Management Arm (Rear of Server Shown)

Step 5 Continue with the “Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance” section on page 3-9.

Connecting and Powering On the Server

This section describes how to power on the server and assign an IP address to connect to it. The server is shipped with a default NIC mode called Shared LOM, default NIC redundancy is active-active, and DHCP is enabled. Shared LOM mode enables the two 1-Gb Ethernet ports to access the Cisco Integrated Management Interface (CIMC). If you want to use the 1-Gb Ethernet dedicated management port, or a port on a Cisco UCS P81E Virtual Interface Card (VIC) to access the CIMC, you must first connect to the server and change the NIC mode as described in Step 3 of the following procedure. In that step, you can also change the NIC redundancy and set static IP settings.

Use the following procedure to perform the initial setup of the server:

(Figure A-4 callouts: 1 Flange on rear of outer left slide rail; 2 CMA retaining bracket; 3 Flange on rear of right mounting bracket; 4 Flange on rear of outer right slide rail; 5 Inner CMA arm attachment clip; 6 “UP” orientation marking; 7 Outer CMA arm attachment clip)


Step 1 Attach a supplied power cord to each power supply in the server and then attach the power cord to a grounded AC power outlet. See the Power Specifications, page B-2 for power specifications.

Wait for approximately two minutes to let the server boot in standby power during the first bootup.

You can verify the power status by looking at the Power Status LED:

• Off—There is no AC power present in the server.

• Amber—The server is in standby power mode. Power is supplied only to the CIMC and some motherboard functions.

• Green—The server is in main power mode. Power is supplied to all server components.

Note During bootup, the server beeps once for each USB device that is attached to the server. Even if there are no external USB devices attached, there is a short beep for each virtual USB device such as a virtual floppy drive, CD/DVD drive, keyboard, or mouse. A beep is also emitted if a USB device is hot-plugged or hot-unplugged during BIOS power-on self-test (POST), or while you are accessing the BIOS Setup utility or the EFI shell.

Step 2 Connect a USB keyboard and VGA monitor by using the supplied KVM cable connected to the KVM connector on the front panel.

Note Alternatively, you can use the VGA and USB ports on the rear panel. However, you cannot use the front panel VGA and the rear panel VGA at the same time. If you are connected to one VGA connector and you then connect a video device to the other connector, the first VGA connector is disabled.

Checking the LEDs

When the Cisco SNS-3400 series appliances have been started up and are running, observe the state of the front-panel and rear-panel LEDs. The following topics describe the LED color, its power status, activity, and other important status indicators that are displayed for the Cisco SNS-3400 series appliance:

• Front Panel LEDs and Buttons, page B-2

• Rear Panel LEDs and Buttons, page B-4


Front Panel LEDs and Buttons

Table A-1 Front Panel LED States

Power button/Power status LED
• Off—There is no AC power to the server.
• Amber—The server is in standby power mode. Power is supplied only to the CIMC and some motherboard functions.
• Green—The server is in main power mode. Power is supplied to all server components.

Identification
• Off—The Identification LED is not in use.
• Blue—The Identification LED is activated.

System status
• Green—The server is running in a normal operating condition.
• Green, blinking—The server is performing system initialization and memory checks.
• Amber, steady—The server is in a degraded operational state, which may be due to one of the following:
– Power supply redundancy is lost.
– CPUs are mismatched.
– At least one CPU is faulty.
– At least one DIMM is faulty.
– At least one drive in a RAID configuration failed.
• Amber, blinking—The server is in a critical fault state, which may be due to one of the following:
– Boot failed.
– Fatal CPU and/or bus error is detected.
– Server is in an over-temperature condition.

Fan status
• Green—All fan modules are operating properly.
• Amber, steady—One fan module has failed.
• Amber, blinking—Critical fault, two or more fan modules have failed.

Temperature status
• Green—The server is operating at normal temperature.
• Amber, steady—One or more temperature sensors have exceeded a warning threshold.
• Amber, blinking—One or more temperature sensors have exceeded a critical threshold.

Power supply status
• Green—All power supplies are operating normally.
• Amber, steady—One or more power supplies are in a degraded operational state.
• Amber, blinking—One or more power supplies are in a critical fault state.

Network link activity
• Off—The Ethernet link is idle.
• Green—One or more Ethernet LOM ports are link-active, but there is no activity.
• Green, blinking—One or more Ethernet LOM ports are link-active, with activity.

Hard drive fault
• Off—The hard drive is operating properly.
• Amber—The hard drive has failed.
• Amber, blinking—The device is rebuilding.

Hard drive activity
• Off—There is no hard drive in the hard drive sled (no access, no fault).
• Green—The hard drive is ready.
• Green, blinking—The hard drive is reading or writing data.

Rear Panel LEDs and Buttons

Table A-2 Rear Panel LED States

Power supply fault
• Off—The power supply is operating normally.
• Amber, blinking—An event warning threshold has been reached, but the power supply continues to operate.
• Amber, solid—A critical fault threshold has been reached, causing the power supply to shut down (for example, a fan failure or an over-temperature condition).

Power supply AC OK
• Off—There is no AC power to the power supply.
• Green, blinking—AC power OK, DC output not enabled.
• Green, solid—AC power OK, DC outputs OK.

1-Gb Ethernet dedicated management link speed
• Off—Link speed is 10 Mbps.
• Amber—Link speed is 100 Mbps.
• Green—Link speed is 1 Gbps.

1-Gb Ethernet dedicated management link status
• Off—No link is present.
• Green—Link is active.
• Green, blinking—Traffic is present on the active link.

1-Gb Ethernet link speed
• Off—Link speed is 10 Mbps.
• Amber—Link speed is 100 Mbps.
• Green—Link speed is 1 Gbps.

1-Gb Ethernet link status
• Off—No link is present.
• Green—Link is active.
• Green, blinking—Traffic is present on the active link.

Identification
• Off—The Identification LED is not in use.
• Blue—The Identification LED is activated.

A-10Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01

Page 107: Cisco Identity Services Engine Hardware Installation … · iii Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 ... Installing Cisco ISE Software on a Reimaged

Appendix A Installing the Cisco SNS-3400 Series Appliance in a Rack Installing or Replacing Server Components

Installing or Replacing Server ComponentsRefer to the Cisco UCS C220 Server Installation and Service Guide for information on how to install or replace the Cisco SNS 3415 or 3495 appliance components.

A-11Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01

Page 108: Cisco Identity Services Engine Hardware Installation … · iii Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 ... Installing Cisco ISE Software on a Reimaged

Appendix A Installing the Cisco SNS-3400 Series Appliance in a Rack Installing or Replacing Server Components

A-12Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01

Appendix B

Cisco SNS-3400 Series Server Specifications

This appendix lists the technical specifications for the server and includes the following sections:

• Physical Specifications, page B-1

• Environmental Specifications, page B-1

• Power Specifications, page B-2

Physical Specifications

Table B-1 lists the physical specifications for the server.

Table B-1 Cisco SNS-3400 Series Server Physical Specifications

Description Specification

Height 1.7 in. (4.3 cm)

Width 16.9 in. (42.9 cm)

Depth 28.5 in. (72.4 cm)

Weight (fully loaded chassis) 35.6 lb. (16.1 kg)

Environmental Specifications

Table B-2 lists the environmental specifications for the server.

Table B-2 Cisco SNS-3400 Series Server Environmental Specifications

Description Specification

Temperature, operating 41 to 104°F (5 to 40°C). Derate the maximum temperature by 1°C per every 305 meters of altitude above sea level.

Temperature, non-operating –40 to 149°F (–40 to 65°C)

Humidity (RH), noncondensing 10 to 90 percent

Altitude, operating 0 to 10,000 feet

Altitude, non-operating 0 to 40,000 feet

Sound power level (A-weighted per ISO 7779, LwAd in bels; operation at 73°F (23°C)) 5.4

Sound pressure level (A-weighted per ISO 7779, LpAm in dBA; operation at 73°F (23°C)) 37

Power Specifications

The power specifications for the two power supply options are listed in the following sections:

• 450-Watt Power Supply, page B-2

• 650-Watt Power Supply, page B-2

Note Do not mix power supply types in the server. Both power supplies must be either 450W or 650W.

450-Watt Power Supply

Table B-3 lists the specifications for each 450W power supply (Cisco part number UCSC-PSU-450W).

Table B-3 Cisco SNS-3400 Series Server 450-Watt Power Supply Specifications

Description Specification

AC input voltage range Low range: 100 VAC to 120 VAC; high range: 200 VAC to 240 VAC

AC input frequency Range: 47 to 63 Hz (single phase, 50 to 60 Hz nominal)

AC line input current (steady state) 6.0 A peak at 100 VAC; 3.0 A peak at 208 VAC

Maximum output power for each power supply 450 Watts

Power supply output voltage Main power: 12 VDC; standby power: 12 VDC

650-Watt Power Supply

Table B-4 lists the specifications for each 650W power supply (Cisco part number UCSC-PSU-650W).

Table B-4 Cisco SNS-3400 Series Server 650-Watt Power Supply Specifications

Description Specification

AC input voltage range 90 to 264 VAC (self-ranging, 180 to 264 VAC nominal)

AC input frequency Range: 47 to 63 Hz (single phase, 50 to 60 Hz nominal)

AC line input current (steady state) 7.6 A peak at 100 VAC; 3.65 A peak at 208 VAC

Maximum output power for each power supply 650 Watts

Power supply output voltage Main power: 12 VDC; standby power: 12 VDC


Appendix C

Cisco SNS-3400 Series Appliance Ports Reference

This appendix lists the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork communications with external applications and devices.

Table C-1 lists the ports by TCP and UDP port number, identifies the associated feature, service, or protocol, and describes any specific port-related information that applies to the four Gigabit Ethernet ports: GbEth0, GbEth1, GbEth2, and GbEth3. The Cisco ISE ports listed in this table must be open on the corresponding firewall. The ports list provides information that can be useful when configuring a firewall, creating access control lists (ACLs), and configuring services on a Cisco ISE network.

• Cisco ISE management is restricted to Gigabit Ethernet 0.

• RADIUS listens on all network interface cards (NICs).

• All NICs can be configured with IP addresses.
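Table C-1 is the kind of data that should become a checkable firewall policy rather than a document someone reads once. The following is an added example, not part of this guide or of Cisco ISE itself: it transcribes a subset of the Gigabit Ethernet 0 listener ports from Table C-1 for the Administration, Monitoring and Policy Service personas, audits a constructed allow-list against them (reporting both what is missing, which would break a service, and what is allowed without justification), and renders an IOS-style extended ACL with a remark per permit. The persona labels, the `ISE_INBOUND` structure, the sample allow-list and the 192.0.2.10 address are assumptions made for the example; outbound flows such as syslog and LDAP lookups are deliberately left out.

```python
"""Audit a firewall allow-list against the Cisco ISE listener ports in Table C-1.

Added example, not part of the Cisco ISE guide. The port data is transcribed
from Table C-1 for three personas on Gigabit Ethernet 0, inbound listeners only
(outbound flows such as syslog or LDAP lookups are deliberately left out).
The persona labels, the ISE_INBOUND structure, the sample allow-list and the
192.0.2.10 address are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Rule = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 443)


@dataclass(frozen=True)
class Service:
    name: str
    rules: FrozenSet[Rule]
    note: str = ""


def _r(*pairs: Rule) -> FrozenSet[Rule]:
    return frozenset(pairs)


# Inbound listeners on Gigabit Ethernet 0, by persona (subset of Table C-1).
ISE_INBOUND: Dict[str, List[Service]] = {
    "Administration": [
        Service("Administration", _r(("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 9060)),
                "80 redirects to 443 (not configurable); 9060 is the ERS REST API"),
        Service("Replication and Synchronization", _r(("tcp", 443), ("tcp", 12001))),
        Service("Monitoring", _r(("udp", 161)), "route table dependent"),
    ],
    "Monitoring": [
        Service("Administration", _r(("tcp", 22), ("tcp", 80), ("tcp", 443))),
        Service("Replication and Synchronization", _r(("tcp", 443), ("tcp", 1521), ("tcp", 12001))),
        Service("Monitoring", _r(("udp", 161)), "route table dependent"),
        Service("Logging", _r(("udp", 20514), ("tcp", 1468), ("tcp", 6514)), "defaults; configurable"),
    ],
    "Policy Service": [
        Service("Administration", _r(("tcp", 22), ("tcp", 80), ("tcp", 443))),
        Service("Replication and Synchronization", _r(("tcp", 443), ("tcp", 12001))),
        Service("Clustering (Node Group)", _r(("udp", 45588), ("udp", 45590), ("tcp", 7802))),
        Service("Session", _r(("udp", 1645), ("udp", 1812), ("udp", 1646), ("udp", 1813),
                              ("udp", 1700), ("udp", 3799)), "3799 not configurable"),
        Service("Web Portal Services", _r(("tcp", 8443), ("tcp", 8444)), "defaults; range is 8000-8999"),
        Service("Posture", _r(("tcp", 8905), ("udp", 8905)), "SWISS on udp/8905"),
    ],
}


def required_ports(persona: str) -> Set[Rule]:
    """Every listener Table C-1 lists for the persona on Gigabit Ethernet 0."""
    return {rule for svc in ISE_INBOUND[persona] for rule in svc.rules}


def services_for(persona: str, rule: Rule) -> List[str]:
    """Names of the services that justify allowing a given (protocol, port)."""
    return [svc.name for svc in ISE_INBOUND[persona] if rule in svc.rules]


def audit_allow_list(persona: str, allowed: Iterable[Rule]) -> Dict[str, Set[Rule]]:
    """Compare a firewall allow-list with the table.

    'missing' breaks an ISE service; 'unexpected' is exposure the table does
    not justify and should be questioned in review.
    """
    needed = required_ports(persona)
    have = set(allowed)
    return {"missing": needed - have, "unexpected": have - needed}


def render_acl(persona: str, node_ip: str, acl_name: str = "ISE-INBOUND") -> List[str]:
    """Render an IOS-style extended ACL permitting only the persona's listeners.

    Each permit is preceded by a remark naming the service(s) it serves so the
    rule base stays explainable; everything else is denied and logged.
    """
    lines = [f"ip access-list extended {acl_name}"]
    for proto, port in sorted(required_ports(persona)):
        lines.append(f" remark {persona}: {', '.join(services_for(persona, (proto, port)))}")
        lines.append(f" permit {proto} any host {node_ip} eq {port}")
    lines.append(" deny ip any any log")
    return lines


# Constructed allow-list for an Administration node: it forgets ERS (9060) and
# still permits telnet (23), which the table never asks for.
SAMPLE_ALLOWED: Set[Rule] = {
    ("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 12001), ("udp", 161), ("tcp", 23),
}

if __name__ == "__main__":
    result = audit_allow_list("Administration", SAMPLE_ALLOWED)
    print("missing:   ", sorted(result["missing"]))      # [('tcp', 9060)]
    print("unexpected:", sorted(result["unexpected"]))   # [('tcp', 23)]
    print("\n".join(render_acl("Administration", "192.0.2.10")))
```

The audit deliberately reports "unexpected" as well as "missing": an allow-list that opens more than the table requires is the usual way management-plane exposure creeps in on the Gigabit Ethernet 0 interface, and the rendered ACL closes with a logged deny so that anything outside Table C-1 shows up in the firewall logs rather than silently passing.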

[Figure: Cisco ISE port flow diagram. Only the labels survive in this extraction. The nodes shown are PAN, PSN, IPN, MnT, and PIP; the external parties are Endpoint, NADs, Email/SMS Gateways, Admin/Sponsor, and Cisco.com/Perfigo.com. The edge labels are:]

• Syslog: udp/20514, tcp/1468; Secure Syslog: tcp/6514; NetFlow: udp/9996

• HTTPS: tcp/443; Syslog: udp/20514, tcp/1468; Secure Syslog: tcp/6514

• Syslog: udp/20514, tcp/1468; Secure Syslog: tcp/6514; SNMP Traps: udp/162

• GUI: tcp/80, 443; SSH: tcp/22; Sponsor: tcp/8443; SNMP: udp/161; ERS: tcp/9060

• Guest: tcp/8443; Discovery: tcp/8443, tcp/8905; Agent Install: tcp/8909; NAC Agent: tcp/8905, udp/8905; PRA/KA: SWISS udp/8905

• RADIUS Auth: udp/1645, 1812; RADIUS Acct: udp/1646, 1813; RADIUS CoA: udp/1700, 3799; WebAuth: tcp/443, 8443; SNMP: udp/161; SNMP Trap: udp/162; NetFlow: udp/9996; DHCP: udp/67, udp/68; SPAN: tcp/80, 8080

• LDAP: tcp/389, 3268; SMB: tcp/445; KDC: tcp/88; KPASS: tcp/464; SCEP: tcp/80, tcp/443; NTP: udp/123

• RADIUS Auth: udp/1645, 1812; RADIUS Acct: udp/1646, 1813; RADIUS CoA: udp/1700, 3799

• Query Attributes

• Logging

• Inter-Node Communications: Admin(P) - Admin(S): tcp/443, tcp/12001 (JGroups); Monitor(P) - Monitor(S): tcp/443; Policy - Policy: udp/45588, 45990, tcp/7802 (Node Groups/JGroups); Inline(P) - Inline(S): udp/694 (Heartbeat)

• HTTPS: tcp/443; Syslog: udp/20514, tcp/1468; Secure Syslog: tcp/6514; Oracle DB (Secure JDBC): tcp/2484; JGroups: tcp/12001

• Syslog: udp/20514

• DNS: tcp-udp/53; NTP: udp/123

• RADIUS Auth: udp/1645, 1812; RADIUS Acct: udp/1646, 1813

• HTTPS: tcp/8443

• SMTP: tcp/25

• SSH: tcp/22; SMTP: tcp/25

• Update: tcp/443

• HTTPS: tcp/443; JGroups: tcp/12001


Table C-1 Cisco ISE Services and Ports

Columns: Cisco ISE Node; Cisco ISE Service; Ports on Gigabit Ethernet 0; Ports on Gigabit Ethernet 1; Ports on Gigabit Ethernet 2; Ports on Gigabit Ethernet 3. An empty Gigabit Ethernet column is shown as —; ¹ and ² mark the footnotes at the end of the table.

Administration node

Administration

Gigabit Ethernet 0:

• TCP: 22 (Secure Shell [SSH] server)

• TCP: 80¹ (HTTP)

• TCP: 443¹ (HTTPS)

• TCP: 9060 (External RESTful Services (ERS) REST API)

Note Port 80 is redirected to port 443 (not configurable).

Note Ports 80 and 443 support Admin web applications and are enabled by default.

Gigabit Ethernet 1, 2, 3: Cisco ISE management is restricted to Gigabit Ethernet 0.

Replication and Synchronization

Gigabit Ethernet 0:

• TCP: 443 (HTTPS SOAP)

• TCP: 12001 Global (JGroups - Data synchronization / Data replication)

Gigabit Ethernet 1, 2, 3: —

Monitoring

Gigabit Ethernet 0:

• UDP: 161 (SNMP Query)

Note This port is route table dependent.

Gigabit Ethernet 1, 2, 3: —


Logging (Outbound)

• UDP: 20514, TCP: 1468 (Syslog)

• TCP: 6514 (Secure Syslog)

Note Default ports are configurable for external logging.

• UDP: 162 (SNMP Traps)

External Identity Stores and Resources

Gigabit Ethernet 0:

• TCP: 389, 3268, UDP: 389 (LDAP)

• TCP: 445 (SMB)

• TCP: 88, UDP: 88 (KDC)

• TCP: 464 (KPASS)

• UDP: 123 (NTP)

• TCP: 53, UDP: 53 (DNS)

(Admin user interface authentication)

Gigabit Ethernet 1, 2, 3: —

Guest

• Guest account expiry email notification: SMTP: TCP/25


Monitoring node

Administration

Gigabit Ethernet 0:

• TCP: 22 (SSH server)

• TCP: 80¹ (HTTP)

• TCP: 443¹ (HTTPS)

Gigabit Ethernet 1, 2, 3: —

Replication and Synchronization

Gigabit Ethernet 0:

• TCP: 443 (HTTPS SOAP)

• TCP: 1521 - Oracle DB Listener

• TCP: 12001 Global (JGroups - Data synchronization / Data replication)

Gigabit Ethernet 1, 2, 3:

• TCP: 1521 - Oracle DB Listener

Monitoring

Gigabit Ethernet 0:

• UDP: 161 (SNMP)

Note This port is route table dependent.

Logging

Gigabit Ethernet 0:

• UDP: 20514, TCP: 1468 (Syslog)

• TCP: 6514 (Secure Syslog)

Note Default ports are configurable for external logging.

• TCP: 25 (SMTP)

• UDP: 162 (SNMP Traps)

External Resources

Gigabit Ethernet 0:

• TCP: 389, 3268, UDP: 389 (LDAP)

• TCP: 445 (SMB)

• TCP: 88, UDP: 88 (KDC)

• TCP: 464 (KPASS)

• UDP: 123 (NTP)

• TCP: 53, UDP: 53 (DNS)

(Admin user interface authentication)

Gigabit Ethernet 1, 2, 3: —


Policy Service node

Administration

Gigabit Ethernet 0:

• TCP: 22 (SSH server)

• TCP: 80¹ (HTTP)

• TCP: 443¹ (HTTPS)

Gigabit Ethernet 1, 2, 3: —

Replication and Synchronization

Gigabit Ethernet 0:

• TCP: 443 (HTTPS SOAP)

• TCP: 12001 Global (JGroups - Data synchronization / Data replication)

Gigabit Ethernet 1, 2, 3: —

Clustering (Node Group)

Gigabit Ethernet 0:

• UDP: 45588, 45590 (Local JGroup)

• TCP: 7802 (Local JGroup failure detection)

Gigabit Ethernet 1, 2, 3: —

Monitoring

Gigabit Ethernet 0:

• UDP: 161 (SNMP)

Note This port is route table dependent.

Gigabit Ethernet 1, 2, 3: —

Logging (Outbound)

• UDP: 20514, TCP: 1468 (Syslog)

• TCP: 6514 (Secure Syslog)

Note Default ports are configurable for external logging.

• UDP: 162 (SNMP Traps)

Session

• UDP: 1645, 1812 (RADIUS Authentication)

• UDP: 1646, 1813 (RADIUS Accounting)

• UDP: 1700 (RADIUS change of authorization Send)

• UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)

Note UDP port 3799 is not configurable.


Policy Service node (continued)

External Identity Stores and Resources

Gigabit Ethernet 0:

• TCP: 389, 3268 (LDAP)

• TCP: 445 (SMB)

• TCP: 88 (KDC)

• TCP: 464 (KPASS)

• UDP: 123 (NTP)

• UDP: 53 (DNS)

(Admin user interface authentication and endpoint authentication)

Gigabit Ethernet 1, 2, 3: —

Web Portal Services:

- Guest/Web Auth

- Guest Sponsor portal

- My Devices portal

- Client Provisioning

- BlackListing portal

• HTTPS (Interface must be enabled for service in Cisco ISE.)

• TCP: 8000-8999 (Guest Portal and Client Provisioning. Default port is TCP: 8443.)

• TCP: 8000-8999 (Sponsor Portal. Default port is TCP: 8443.)

• TCP: 8000-8999 (My Devices Portal. Default port is TCP: 8443.)

• TCP: 8000-8999 (Blacklist Portal. Default port is TCP: 8444.)

• TCP: 25 (SMTP Notification)


Policy Service node (continued)

Posture

- Discovery

- Provisioning

- Assessment/ Heartbeat

• TCP: 80 (HTTP) Discovery - Client side

• TCP: 8905 (HTTPS) Discovery - Client side

Note By default, TCP: 80 is redirected to TCP: 8443. See Web Portal Services: Guest Portal and Client Provisioning.

• TCP: 8443, 8905 (HTTPS) Discovery - Policy Service node side

• URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client Provisioning.

• Active-X and Java Applet Install including IP refresh, Web Agent install, and launch NAC Agent install—Provisioning: See Web Portal Services: Guest Portal and Client Provisioning

• TCP: 8443 Provisioning: NAC Agent Install

• UDP: 8905 (SWISS) Provisioning: NAC Agent update notification

• TCP: 8905 (HTTPS) Provisioning: NAC Agent and other package/module updates

• TCP: 8905 (HTTPS) Assessment: Posture Negotiation and Agent Reports

• UDP: 8905 (SWISS) Assessment: PRA/Keep-alive

Bring Your Own Device (BYOD) / Network Service Protocol

- Redirection

- Provisioning

- SCEP

• URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client Provisioning

• Active-X and Java Applet Install (includes the launch of Wizard Install)—Provisioning. See Web Portal Services: Guest Portal and Client Provisioning

• TCP: 8443 Provisioning: Wizard Install from Cisco ISE (Windows and Mac OS)

• TCP: 443 Provisioning: Wizard Install from Google Play (Android)

• TCP: 8905 Provisioning: Supplicant Provisioning Process

• TCP: 80 or TCP: 443 SCEP Proxy to CA (Based on SCEP RA URL config)

Mobile Device Management (MDM) API Integration

• URL Redirection—See Web Portal Services: Guest Portal and Client Provisioning

• API—Vendor-specific

• Agent Install and Device Registration—Vendor-specific


Policy Service node (continued)

Profiling

• UDP: 9996 (NetFlow)

Note This port is configurable.

• UDP: 67 (DHCP)

Note This port is configurable.

• UDP: 68 (DHCP SPAN)

• TCP: 80, 8080 (HTTP)

• NMAP uses ports 0-65535² (outbound).

• UDP: 53 (DNS lookup)

Note This port is route table dependent.

• UDP: 161 (SNMP Query)

Note This port is route table dependent.

• UDP: 162 (SNMP Trap)

Note This port is configurable.

Inline Posture node

Administration

Gigabit Ethernet 0:

• TCP: 22 (SSH server)

• TCP: 8443 (HTTPS)

Note TCP: 8443 is used by the Administration node.

Gigabit Ethernet 1, 2, 3: —

Inline Posture

Gigabit Ethernet 0:

• UDP: 1645, 1812 (RADIUS proxy for authentication)

• UDP: 1646, 1813 (RADIUS proxy for accounting)

• UDP: 1700, 3799 (RADIUS CoA)

Note UDP port 3799 is not configurable.

• TCP: 9090 (Redirect)

Gigabit Ethernet 1:

• UDP: 1645, 1812 (RADIUS proxy for authentication)

• UDP: 1646, 1813 (RADIUS proxy for accounting)

• RADIUS CoA: Not Applicable

• TCP: 9090 (Redirect)

Gigabit Ethernet 2, 3: —

Logging

Gigabit Ethernet 0:

• UDP: 20154 (Syslog)

Note This port is configurable.

Gigabit Ethernet 1:

• UDP: 20154 (Syslog)

Note This port is configurable.

Gigabit Ethernet 2, 3: —

Note Inline Posture node High Availability does not apply to any other Cisco ISE node types.


Inline Posture node (continued)

High Availability

Gigabit Ethernet 0, 1: —

Gigabit Ethernet 2:

• UDP: 694 (Heartbeat)

Gigabit Ethernet 3:

• UDP: 694 (Heartbeat)

1. Because Inline Posture nodes do not support the Administration persona, they will not have access to this port.

2. NMAP OS Scan uses ports 0-65535 to detect the endpoint operating system.

Ports to be Used for OCSP and CRL

For the Online Certificate Status Protocol (OCSP) services and the Certificate Revocation List (CRL), the ports depend on the CA server or the service hosting OCSP/CRL, although Table C-1 above lists the basic ports that are used in Cisco ISE.

For OCSP, the default ports that can be used are TCP 80 and TCP 443. The Cisco ISE admin portal expects an HTTP-based URL for OCSP services, so TCP 80 is the default. You can also use non-default ports.

For the CRL, the default protocols are HTTP, HTTPS, and LDAP, and the default ports are therefore 80, 443, and 389 respectively. The actual port depends on the CRL server.

For more information, see OCSP Services and Certificate Store Edit Settings.

Appendix D

Cisco ISE Licenses

This appendix describes the licensing mechanism and schemes that are available for Cisco ISE and how to add and upgrade licenses.

• Cisco ISE Licensing, page D-1

• Obtaining a Cisco ISE License from Cisco.com, page D-3

• Adding or Upgrading a License, page D-5

• Removing a License, page D-5

Cisco ISE Licensing

Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources.

To help you select the features you want, licensing in Cisco ISE is granular. Cisco offers multiple license packages, such as Base, Plus, and Advanced.

Table D-1 Cisco ISE License Packages

Columns: License Package; Perpetual or Subscription; ISE Functionality Covered; Notes.

Base (Perpetual)

• Basic network access: AAA, IEEE-802.1X

• Guest management

• Link encryption (MACSec)

Plus (Subscription: 1, 3, or 5 years)

• Bring Your Own Device (BYOD)

• Profiling

• Endpoint Protection Service (EPS)

• TrustSec SGT

Notes: Does not include Base services. A Base license is required for each Plus license.

Advanced (Subscription: 1, 3, or 5 years)

• Bring Your Own Device (BYOD)

• Profiling

• Endpoint Protection Service (EPS)

• TrustSec SGT

• Mobile Device Manager (MDM)

• Health Compliance and Remediation

• Posture

Notes: Does not include Base services. A Base license is required for each Advanced license. The Advanced license includes all the functionality of the Plus license.

Wireless (Subscription: 1, 3, or 5 years)

A Wireless license turns on the functionality of Base and Advanced licenses for wireless LAN deployments.

Notes: Cannot coexist on a Cisco Administration node with Base, Plus, or Advanced Licenses.

Wireless Upgrade (Subscription: 1, 3, or 5 years)

A Wireless Upgrade license turns on the functionality of Base and Advanced licenses for all wireless and non-wireless client-access methods, including wired and VPN Concentrator access.

Notes: You can only install a Wireless Upgrade License on top of an existing Wireless license.

Evaluation (Temporary: 90 days)

Full Cisco ISE functionality is provided for 100 endpoints.

Notes: Limited use of Cisco ISE product for pre-sale customer evaluations. All Cisco ISE appliances are supplied with an Evaluation license.

All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints on the network, you must obtain and register Base licenses for the number of concurrent users on your system. If you require additional functionality, you will need Plus or Advanced licenses to enable that functionality.

After you install the Cisco ISE software and initially configure the appliance as the primary Administration node, you must obtain a license for Cisco ISE and then register that license.

Cisco ISE supports licenses with two hardware IDs. You can obtain a license based on the hardware IDs of both the primary and secondary Administration nodes. You register all licenses to the Cisco ISE primary Administration node via the primary and secondary Administration node hardware ID. The primary Administration node then centrally manages all the licenses that are registered for your deployment.


Note You always require a Base license. However, you do not need a Plus license in order to have an Advanced license or vice versa.

Cisco recommends installing the Base, Plus, and Advanced Licenses at the same time.

• When you install a Base License over a default Evaluation License, the Base License overrides only the base license-related portion of the Evaluation License and keeps the Plus and Advanced License capabilities available for the remainder of the default Evaluation License duration.

• You cannot upgrade the Evaluation License to a Plus or Advanced License without first installing the Base License.

• When you install a Wireless License over a default Evaluation License, the Wireless License overrides the Evaluation License parameters with the specific duration and user count associated with the Wireless License.

License Count

A Cisco ISE user consumes a license during an active session. Once the session has ended, Cisco ISE releases the license for reuse by another user.

The Cisco ISE license is counted as follows:

• A Base, Plus, or Advanced license is consumed based on the feature that is used.

• An endpoint with multiple network connections can consume more than one license per MAC address; for example, a laptop that is connected to both a wired and a wireless network at the same time. Licenses for VPN connections are based on the IP address.

• Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.

Note Sessions without RADIUS activity are automatically purged from the Active Session list every 5 days, or when the endpoint is deleted from the system.

To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generate alarms when endpoint counts exceed the licensed amounts:

• 80% Info

• 90% Warning

• 100% Critical

Obtaining a Cisco ISE License from Cisco.com

To continue to use Cisco ISE services after the 90-day Evaluation License expires, and to support more than 100 concurrent endpoints on the network, you must install a Base, Plus, Advanced, or Wireless license package for Cisco ISE. License files are based on a combination of the Cisco ISE hardware ID and Product Authorization Key (PAK). When you purchase Cisco ISE, or before the 90-day license expires, you can research the licensing options on Cisco.com and order the package that is suitable for your deployment of Cisco ISE.


If you have two Administration nodes deployed in a high-availability pair, you must ensure that each of them has the same license capabilities, and add the licenses while the node is in a standalone or primary state.

Within an hour of ordering your license files from Cisco.com, you should receive an e-mail with the Cisco Supplemental End-User License Agreement and a Claim Certificate containing a PAK for each license that you order. After receiving the Claim Certificate, you can log in and access the Cisco Product License Registration website at http://www.cisco.com/go/license and provide the appropriate hardware ID information and PAK to generate your license.

You must supply the following specific information to generate your license file:

• Product identifier (PID) of both the primary and secondary Administration nodes

• Version identifier (VID)

• Serial number (SN)

• PAK

See the Cisco Identity Services Engine Licensing Note for more details.

The day after you submit your license information in the Cisco Product License Registration website, you will receive an e-mail with your license file as an attachment. Save the license file to a known location on a local machine and use the instructions in Adding or Upgrading a License, page D-5 to add and update any product licenses for Cisco ISE.

For detailed information and license part numbers that are available for Cisco ISE, including licensing options for new installations as well as migration from an existing Cisco security product like Cisco Secure Access Control Server, see the Cisco Identity Services Engine Ordering Guidelines at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html.

Related Topics

• Determining Your Hardware ID Using the CLI, page D-4

• Determining Your Hardware ID Using the Admin Portal, page D-4

Determining Your Hardware ID Using the CLI

Cisco ISE licenses are generated based on the Administration node hardware ID, not the MAC address.

To determine the Hardware ID, access the Cisco ISE direct-console CLI and enter the show inventory command. The output includes a line showing the PID, VID, and SN, similar to the following:

PID: NAC3315, VID: V01, SN: ABCDEFG

Determining Your Hardware ID Using the Admin Portal

Cisco ISE licenses are generated based on the Administration node hardware ID, not the MAC address.

If your current license has not expired, you can view the Administration node hardware ID by completing the following steps:

Step 1 From the Cisco ISE Administration interface, choose Administration > System > Licensing.

Step 2 In the License Operations navigation pane, click Current Licenses.


Step 3 Select the button corresponding to the Cisco ISE node that you want to check for the Administration node hardware ID, and click Administration Node to view the PID, VID, and SN.

Adding or Upgrading a License

You can add a license only on a standalone or a primary Administration node. You can upgrade your existing Evaluation License on or before the expiration of the 90-day evaluation period. You have two options for upgrading or replacing your Evaluation License:

• Install a Base license and then choose whether to also install a Plus or Advanced license

• Install a Wireless license

A single endpoint with multiple network connections may consume more than one Base, Plus, or Advanced License. This situation can occur, for example, if an endpoint has both a wired and a wireless network connection. Each unique authenticated connection will require its own license.

Before You Begin

Make sure that you have obtained an appropriate license file for your Cisco ISE node. See Obtaining a Cisco ISE License from Cisco.com, page D-3 for more information.

Step 1 From the Cisco ISE Administration interface, choose Administration > System > Licensing > Current Licenses.

Step 2 Click the radio button next to the license name that you want to upgrade, and click Edit.

Step 3 Click Add Services.

Step 4 Click Browse and select the license file.

Step 5 Click Import to import the new license file that supports the added service.

Step 6 Go back to the Current Licenses page to verify the addition of the upgraded license. For further confirmation, check the features of the respective services for which the license has been upgraded.

Note The Current Licenses page displays the number of installed Plus and Advanced licenses in a combined Advance/Plus Counter. For example, if you have installed 500 Plus licenses and 1000 Advanced licenses, the Advance/Plus Counter displays 1500.

Related Topics

• Removing a License, page D-5

Removing a License

You can remove individual Base, Plus, Advanced, and Wireless licenses, but keep in mind the following conditions:

• If the Plus or Advanced license count is greater than the Base license count, then the Base license cannot be deleted.


• If you remove a combined license, the Base and Advanced licenses that it installed are also removed.

• If you remove a production-level license within the standard 90-day evaluation period, the Evaluation License is automatically restored.

• You cannot remove Evaluation Licenses.

Before You Begin

If you have installed a Wireless Upgrade license after a Wireless license, you must remove the Wireless Upgrade license before you can remove the underlying Wireless license.

Step 1 Choose Administration > System > Licensing > Current Licenses.

Step 2 Click the radio button next to the relevant node name, and click Edit.

Step 3 Click the radio button next to the license name that you want to delete and click Remove.

Step 4 Click OK.

Appendix E

Certificate Management in Cisco ISE

Certificates are used in a network to provide secure access. Certificates are used to identify Cisco ISE to an endpoint and also to secure the communication between that endpoint and the Cisco ISE node. Certificates are used for all HTTPS communication and the Extensible Authentication Protocol (EAP) communication.

HTTPS Communication Using the Cisco ISE Certificate

All Cisco ISE web portals from release 1.1.0 onwards are secured using HTTPS (TLS-encrypted HTTP):

• Administration Portal

• Centralized Web Authentication Portal

• Sponsor Portal

• Client Provisioning Portal

• My Devices Portal

Figure E-1 shows a TLS-encrypted exchange with the Admin portal.

Figure E-1 HTTPS (TLS-Encrypted HTTP Communication)


EAP Communication Using the Cisco ISE Certificate

Certificates are used with almost all EAP methods. The following EAP methods are commonly used:

• EAP-TLS

• PEAP

• EAP-FAST

For tunneled EAP methods, such as PEAP and EAP-FAST, Transport Layer Security (TLS) is used to secure the credential exchange. As with a request to an HTTPS web site, the client establishes a connection with the server, and the server presents its certificate to the client. If the client trusts the certificate, the TLS tunnel is formed. The client's credentials are not sent to the server until after the tunnel is established, so they are disclosed only to a server whose certificate the client has accepted. In a secure access deployment, the client is a supplicant, and the server is an ISE Policy Service node. Figure E-2 shows an example using PEAP.

Figure E-2 EAP Communication

Certificates Enable Cisco ISE to Provide Secure Access

The Cisco Identity Services Engine (ISE) relies on public key infrastructure (PKI) to provide secure communication with both endpoints and administrators, as well as between Cisco ISE nodes in a multinode deployment. PKI relies on X.509 digital certificates to transfer public keys for encryption and decryption of messages, and to verify the authenticity of other certificates representing users and devices. Cisco ISE provides the Admin Portal to manage the following two categories of X.509 certificates:

• Local certificates—These are server certificates that identify a Cisco ISE node to client applications. Every Cisco ISE node has its own local certificates, each of which is stored on the node along with the corresponding private key.

• Certificate Store certificates—These are certificate authority (CA) certificates used to establish trust for the public keys received from users and devices. The Certificate Store also contains certificates that are distributed by the Simple Certificate Enrollment Protocol (SCEP), which enables registration of mobile devices into the enterprise network. Certificates in the Certificate Store are managed on the primary Administration node, and are automatically replicated to all other nodes in a Cisco ISE deployment.


In a distributed deployment, you must import the certificate only into the certificate trust list (CTL) of the primary Administration node. The certificate is replicated to the secondary nodes.

In general, to ensure that certificate authentication in Cisco ISE is not affected by minor differences in how certificate-driven verification functions compare names, use lowercase hostnames for all Cisco ISE nodes deployed in a network.

Enabling PKI in Cisco ISE

You should enable PKI in Cisco ISE in the following way:

Step 1 Establish local certificates on each deployment node for TLS-enabled authentication protocols (for example, EAP-TLS protocol), and for HTTPS, which is used by browser and REST clients to access the Cisco ISE web portals.

By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for both purposes. In a typical enterprise environment, this certificate is replaced with one or two server certificates that are signed by a trusted CA.

Step 2 Populate the Certificate Store with the CA certificates that are necessary to establish trust with the user as well as device certificates that will be presented to Cisco ISE.

If a certificate chain consisting of a root CA certificate plus one or more intermediate CA certificates is required to validate the authenticity of a user or device certificate, you must import the entire chain into the Certificate Store.

Related Topics

• See Local Certificates, page E-4 for details on how to generate a Certificate Signing Request and import a CA-signed certificate.

• See Certificate Store, page E-24 for details on how to import these certificate chains.

The Cisco ISE nodes use HTTPS for inter-node communication, so an administrator must populate the Certificate Store with the trust certificate(s) needed to validate the HTTPS local certificate belonging to each node in the Cisco ISE deployment. If a default self-signed certificate is used for HTTPS, then you must export this certificate from each Cisco ISE node and import it into the certificate store. If you replace the self-signed certificates with CA-signed certificates, it is only necessary to populate the Certificate Store with the appropriate root CA and intermediate CA certificates. Be aware that you cannot register a node in a Cisco ISE deployment until you complete this step.

If a Cisco ISE deployment is to be operated in FIPS mode, you must ensure that all local and Certificate Store certificates are FIPS-compliant. This means that each certificate must have a minimum key size of 2048 bits and must be signed with SHA-1 or SHA-256.
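A pre-flight check for the two FIPS-mode requirements just stated, added here as an example (it is not Cisco code). It works on the text form of a certificate as printed by openssl x509 -noout -text, so it needs no third-party library; the two certificate dumps embedded below are constructed fragments in that shape, not real certificates.

```python
"""Pre-flight check for the two FIPS-mode certificate requirements stated
above: a key of at least 2048 bits and a SHA-1 or SHA-256 signature.
Works on `openssl x509 -noout -text` output. Added example, not Cisco code;
SAMPLE_CA_SIGNED and SAMPLE_SELF_SIGNED are constructed fragments."""

import re
import shutil
import subprocess
from typing import List, Tuple

MIN_KEY_BITS = 2048
# Digests the page allows for FIPS mode, matched inside algorithm names such
# as sha256WithRSAEncryption or ecdsa-with-SHA256 (sha384 etc. do not match).
ALLOWED_DIGEST = re.compile(r"sha(1|256)(?!\d)", re.IGNORECASE)


def fips_check(x509_text: str) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons); reasons is empty when compliant."""
    reasons: List[str] = []
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", x509_text)
    sig = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    if bits is None:
        reasons.append("could not find the public key size")
    elif int(bits.group(1)) < MIN_KEY_BITS:
        reasons.append(
            f"key is {bits.group(1)} bits; FIPS mode requires at least {MIN_KEY_BITS}")
    if sig is None:
        reasons.append("could not find the signature algorithm")
    elif not ALLOWED_DIGEST.search(sig.group(1)):
        reasons.append(f"signature algorithm {sig.group(1)} is not SHA-1 or SHA-256")
    return (not reasons, reasons)


def x509_text_from_pem(path: str) -> str:
    """Dump a PEM certificate with the system openssl (raises if it is absent)."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    return subprocess.run(["openssl", "x509", "-noout", "-text", "-in", path],
                          check=True, capture_output=True, text=True).stdout


# Constructed fragment in the shape openssl prints (only the relevant lines).
SAMPLE_CA_SIGNED = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Issuing CA
        Subject: CN = aaa.ise.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

# Constructed fragment shaped like the default self-signed certificate this
# appendix describes (1024-bit key): it fails the key-size rule.
SAMPLE_SELF_SIGNED = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = ise.ise.local
        Subject: CN = ise.ise.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

if __name__ == "__main__":
    for label, text in (("CA-signed", SAMPLE_CA_SIGNED),
                        ("self-signed", SAMPLE_SELF_SIGNED)):
        ok, why = fips_check(text)
        print(label, "OK" if ok else "NOT FIPS-compliant: " + "; ".join(why))
```

Run fips_check(x509_text_from_pem("cert.pem")) against every local certificate and every Certificate Store certificate before enabling FIPS mode; the default self-signed certificate fails on key size alone.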

Note After you obtain a backup from a standalone Cisco ISE or primary Administration node, if you change the certificate configuration on one or more nodes in your deployment, you must obtain another backup to restore data. Otherwise, if you try to restore data using the older backup, communication between the nodes might fail.


This chapter contains the following sections:

• Local Certificates, page E-4

• Certificate Signing Requests, page E-23

• Certificate Store, page E-24

• Simple Certificate Enrollment Protocol Profiles, page E-29

• OCSP Services, page E-30

Local Certificates

Cisco ISE local certificates are server certificates that identify a Cisco ISE node to client applications. Local certificates are:

• Used by browser and REST clients that connect to Cisco ISE web portals. You must use the HTTPS protocol for these connections.

• Used to form the outer TLS tunnel with PEAP and EAP-FAST. These certificates can be used for mutual authentication with EAP-TLS, PEAP, and EAP-FAST.

You must install valid local certificates for HTTPS and EAP-TLS on each node in your Cisco ISE deployment. By default, a self-signed certificate is created on a Cisco ISE node during installation, and this certificate is designated for HTTPS and EAP-TLS use (it has a 1024-bit key and is valid for one year). It is recommended that you replace the self-signed certificate with a CA-signed certificate for greater security.

Wildcard Certificates

A wildcard certificate uses a wildcard notation (an asterisk and period before the domain name) and allows the certificate to be shared across multiple hosts in an organization. For example, the CN value for the Certificate Subject would be some generic hostname such as aaa.ise.local, and the SAN field would include the same generic hostname and the wildcard notation, such as DNS.1=aaa.ise.local and DNS.2=*.ise.local.

If you configure a wildcard certificate to use *.ise.local, you can use the same certificate to secure any other host whose DNS name ends with “.ise.local,” such as:

• aaa.ise.local

• psn.ise.local

• mydevices.ise.local

• sponsor.ise.local

Figure E-3 shows an example of a wildcard certificate that is used to secure a web site.


Figure E-3 Wildcard Certificate Example

Wildcard certificates secure communications in the same way as a regular certificate, and requests are processed using the same validation methods.

Related Topics

• Wildcard Certificates for HTTPS and EAP Communication, page E-5

• Wildcard Certificate Support in Cisco ISE, Release 1.2, page E-6

• Fully Qualified Domain Name in URL Redirection, page E-6

• Wildcard Certificate Compatibility, page E-8

• Creating a Wildcard Certificate, page E-8

• Installing Wildcard Certificates in Cisco ISE, page E-10

Wildcard Certificates for HTTPS and EAP Communication

You can use wildcard server certificates in Cisco ISE for HTTPS (web-based services) and EAP protocols that use SSL/TLS tunneling. With the use of wildcard certificates, you no longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field allows you to share a single certificate across multiple nodes in a deployment and helps prevent certificate name mismatch warnings. However, use of wildcard certificates is considered less secure than assigning a unique server certificate for each Cisco ISE node.


Note If you use wildcard certificates, we strongly recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to serious security issues.

A wildcard certificate uses an asterisk (*) and a period before the domain name. For example, the CN value for a certificate's Subject Name would be a generic host name such as aaa.ise.local, and the SAN field would carry the wildcard entry, such as *.ise.local. Cisco ISE supports wildcard certificates in which the wildcard character (*) is the leftmost character in the presented identifier, for example, *.example.com or *.ind.example.com. Cisco ISE does not support certificates in which the presented identifier contains additional characters along with the wildcard character, for example, abc*.example.com, a*b.example.com, or *abc.example.com.

Wildcard Certificate Support in Cisco ISE, Release 1.2

Cisco ISE release 1.2 supports wildcard certificates. Prior to release 1.2, Cisco ISE verified any certificate enabled for HTTPS to ensure that the CN field matched the Fully Qualified Domain Name (FQDN) of the host exactly. If the fields did not match, the certificate could not be used for HTTPS communication.

Prior to release 1.2, Cisco ISE also used that CN value to replace the variable in the url-redirect A-V pair string. For all Centralized Web Authentication (CWA), onboarding, posture redirection, and similar flows, the CN value was used.

Cisco ISE 1.2 uses the node hostname (FQDN) for this substitution instead of relying on the CN field of the certificate.

Fully Qualified Domain Name in URL Redirection

When Cisco ISE builds an authorization profile redirect (for central web authentication, device registration web authentication, native supplicant provisioning, mobile device management, and client provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:

url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For example, SessionIdValue is replaced with the actual session ID of the request. For the eth0 interface, Cisco ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco ISE uses the IP address in the URL. You can assign a host alias (name) for interfaces eth1 through eth3, which Cisco ISE then substitutes in place of the IP address during URL redirection. To do this, use the ip host command in configuration mode from the Cisco ISE CLI:

ISE /admin(config)# ip host IP_address host-alias FQDN-string

where IP_address is the IP address of the network interface (eth1 or eth2 or eth3)

host-alias is the name that you assign to the network interface

FQDN-string is the fully qualified domain name of the network interface

Using this command, you can assign a host-alias or an FQDN-string or both to a network interface.

Here is an example:

ISE/admin(config)# ip host a.b.c.d sales sales.amer.xyz.com

After you assign a host alias to the non-eth0 interface, you must restart the application services on Cisco ISE using the application start ise command.


Use the no form of this command to remove the association of the host alias with the network interface:

ISE/admin(config)# no ip host IP_address host-alias FQDN-string

Use the show running-config command to view the host alias definitions.

If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.

When you use non-eth0 interfaces for client provisioning, native supplicant, or guest flows, make sure that the IP address or host alias of each non-eth0 interface is included in the SAN field of the Policy Service node certificate.
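The substitution rules above, worked through in code as an added example (this is not ISE code): eth0 gets the node FQDN; eth1 through eth3 get the FQDN-string from the ip host mapping if one is set, otherwise the host-alias joined to the configured ip domain-name, otherwise the raw interface IP. It also derives the names the Policy Service node certificate SAN must therefore carry. The data classes, the rule that a lone ip host argument containing a dot is an FQDN-string, and the portal port 8443 are assumptions of this example.

```python
"""Models the host substitution in the url-redirect cisco-av-pair described
above and the SAN entries it implies. Added example, not ISE code; the data
classes, the single-argument `ip host` parse rule and port 8443 are
assumptions of this example."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REDIRECT_TEMPLATE = (
    "https://{host}:{port}/guestportal/gateway?sessionId={session}&action={action}")


@dataclass
class HostEntry:
    """One `ip host <ip> [host-alias] [FQDN-string]` line."""
    host_alias: Optional[str] = None
    fqdn: Optional[str] = None


@dataclass
class NodeConfig:
    fqdn: str                        # node FQDN, tied to eth0
    ip_domain_name: str              # `ip domain-name` from the CLI
    interfaces: Dict[str, str]       # interface -> IP address
    ip_hosts: Dict[str, HostEntry] = field(default_factory=dict)  # IP -> entry


def parse_ip_host(line: str) -> Tuple[str, HostEntry]:
    """Parse `ip host a.b.c.d sales sales.amer.xyz.com` (as in show
    running-config). Assumption: a lone argument with a dot is an FQDN-string,
    otherwise it is a host-alias."""
    parts = line.split()
    if len(parts) < 4 or parts[:2] != ["ip", "host"]:
        raise ValueError(f"not an ip host line: {line!r}")
    ip, args = parts[2], parts[3:]
    if len(args) == 2:
        return ip, HostEntry(host_alias=args[0], fqdn=args[1])
    if len(args) == 1:
        return ip, (HostEntry(fqdn=args[0]) if "." in args[0]
                    else HostEntry(host_alias=args[0]))
    raise ValueError(f"expected one or two names after the IP: {line!r}")


def redirect_host(cfg: NodeConfig, interface: str) -> str:
    """The host part ISE puts in place of 'ip' in the url-redirect string."""
    ip = cfg.interfaces[interface]
    if interface == "eth0":
        return cfg.fqdn
    entry = cfg.ip_hosts.get(ip)
    if entry is None:
        return ip                                # no mapping: IP stays in the URL
    if entry.fqdn:
        return entry.fqdn
    if entry.host_alias:
        return f"{entry.host_alias}.{cfg.ip_domain_name}"
    return ip


def build_redirect(cfg: NodeConfig, interface: str, session_id: str,
                   action: str = "cwa", port: int = 8443) -> str:
    return REDIRECT_TEMPLATE.format(host=redirect_host(cfg, interface),
                                    port=port, session=session_id, action=action)


def san_names_needed(cfg: NodeConfig) -> Dict[str, list]:
    """Every host that can appear in a redirect must be in the PSN certificate
    SAN; an IP is listed as both a DNS and an IP entry, as this appendix advises."""
    dns, ips = set(), set()
    for iface, ip in cfg.interfaces.items():
        host = redirect_host(cfg, iface)
        dns.add(host)
        if host == ip:
            ips.add(host)
    return {"DNS": sorted(dns), "IP": sorted(ips)}


# Constructed example: one PSN with eth0-eth3 and two `ip host` lines.
EXAMPLE = NodeConfig(
    fqdn="psn1.company.local",
    ip_domain_name="amer.xyz.com",
    interfaces={"eth0": "10.1.1.10", "eth1": "10.2.2.10",
                "eth2": "10.3.3.10", "eth3": "192.0.2.10"},
)
for _line in ("ip host 10.2.2.10 sales sales.amer.xyz.com",
              "ip host 10.3.3.10 guest"):
    _ip, _entry = parse_ip_host(_line)
    EXAMPLE.ip_hosts[_ip] = _entry

if __name__ == "__main__":
    for iface in EXAMPLE.interfaces:
        print(iface, build_redirect(EXAMPLE, iface, "0a0000010000000c"))
    print(san_names_needed(EXAMPLE))
```

Feed the ip host lines from show running-config on each Policy Service node into parse_ip_host and compare san_names_needed against the SAN of that node's certificate: any name in the DNS list that is missing from the SAN is a redirect that will produce a certificate warning on the endpoint.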

Advantages of Using Wildcard Certificates

• Cost savings. Certificates signed by a third-party Certificate Authority are expensive, especially as the number of servers increases. A wildcard certificate may be used on multiple nodes in the Cisco ISE deployment.

• Operational efficiency. Wildcard certificates allow all Policy Service Node (PSN) EAP and web services to share the same certificate. In addition to significant cost savings, certificate administration is also simplified by creating the certificate once and applying it on all the PSNs.

• Reduced authentication errors. Wildcard certificates address issues seen with Apple iOS devices where the client stores trusted certificates within the profile, and does not follow the iOS keychain where the signing root is trusted. When an iOS client first communicates with a PSN, it does not explicitly trust the PSN certificate, even though a trusted Certificate Authority has signed the certificate. Using a wildcard certificate, the certificate will be the same across all PSNs, so the user only has to accept the certificate once and successive authentications to different PSNs proceed without error or prompting.

• Simplified supplicant configuration. For example, a Microsoft Windows supplicant with PEAP-MSCHAPv2 and server certificate trust enabled requires that you specify each server certificate to trust, or the user may be prompted to trust each PSN certificate when the client connects using a different PSN. With wildcard certificates, a single server certificate can be trusted rather than individual certificates from each PSN.

• Wildcard certificates result in an improved user experience with less prompting and more seamless connectivity.

Disadvantages of Using Wildcard Certificates

The following are some of the security considerations related to wildcard certificates:

• Loss of auditability and nonrepudiation

• Increased exposure of the private key

• Less commonly used, and less well understood, by administrators

Wildcard certificates are considered less secure than a unique server certificate per ISE node, but cost and other operational factors can outweigh the security risk.

Security devices such as ASA also support wildcard certificates.


You must be careful when deploying wildcard certificates. For example, if you create a certificate with *.company.local and an attacker is able to recover the private key, that attacker can spoof any server in the company.local domain. Therefore, it is considered a best practice to partition the domain space to avoid this type of compromise.

To address this possible issue and to limit the scope of use, wildcard certificates may also be used to secure a specific subdomain of your organization. Add an asterisk (*) in the subdomain area of the common name where you want to specify the wildcard.

For example, if you configure a wildcard certificate for *.ise.company.local, that certificate may be used to secure any host whose DNS name ends in “.ise.company.local”, such as:

• psn.ise.company.local

• mydevices.ise.company.local

• sponsor.ise.company.local

Wildcard Certificate Compatibility

Wildcard certificates are usually created with the wildcard listed as the Common Name (CN) of the Certificate Subject, such as the example in Figure E-3. Cisco ISE release 1.2 supports this type of construction. However, not all endpoint supplicants support the wildcard character in the Certificate Subject.

None of the Microsoft native supplicants tested (including Windows Mobile) support a wildcard character in the Certificate Subject.

You can use another supplicant, such as Cisco AnyConnect Network Access Manager (NAM) that might allow the use of wildcard character in the Subject field.

You can also use special wildcard certificates such as DigiCert's Wildcard Plus that is designed to work with incompatible devices by including specific subdomains in the Subject Alternative Name of the certificate.

Although the Microsoft supplicant limitation appears to be a deterrent to using wildcard certificates, there are alternative ways to create the wildcard certificate that allow it to work with all devices tested for secure access, including the Microsoft native supplicants.

To do this, instead of using the wildcard character in the Subject, use the wildcard character in the Subject Alternative Name (SAN) field. The SAN field carries an extension designed for checking the domain name (DNS name). See RFC 6125 and RFC 2818 for more information.

For more information on Microsoft support of wildcard certificates, see: http://technet.microsoft.com/en-US/cc730460
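The name-matching rules from the two preceding sections (Wildcard Certificates for HTTPS and EAP Communication, and Wildcard Certificate Compatibility), implemented as an added example that is not Cisco code: the wildcard must be the entire leftmost label, forms such as abc*.example.com are rejected, a wildcard label covers exactly one label (so *.ise.local does not cover a.b.ise.local or ise.local), and SAN dNSName entries are consulted before the Subject CN in the order RFC 6125 and RFC 2818 describe, which is why a wildcard placed only in the CN is ignored once the certificate carries a SAN. The requirement that at least two labels follow the wildcard is this example's own conservative choice, not a documented ISE rule.

```python
"""Hostname matching under the wildcard rules this appendix states. Added
example, not Cisco code; the two-labels-after-the-wildcard minimum is this
example's own conservative choice."""

import re
from typing import Dict, Iterable

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def is_acceptable_identifier(name: str) -> bool:
    """True for a plain FQDN or a wildcard of the form *.domain.tld."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    first, rest = labels[0], labels[1:]
    if "*" in first:
        # Only a bare '*' as the whole leftmost label is allowed, and it must
        # be followed by at least two labels (refuses '*.local'-style names).
        if first != "*" or len(rest) < 2:
            return False
        labels = rest
    # Every remaining label must be a plain DNS label; this also rejects a
    # '*' anywhere other than the leftmost position (aaa.*.example.com).
    return all(_LABEL.match(lab) for lab in labels)


def identifier_matches(identifier: str, hostname: str) -> bool:
    """Case-insensitive; a wildcard label matches exactly one host label."""
    if not is_acceptable_identifier(identifier):
        return False
    ident = identifier.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    return len(ident) == len(host) and all(
        i == "*" or i == h for i, h in zip(ident, host))


def certificate_matches_host(subject_cn: str, san_dns_names: Iterable[str],
                             hostname: str) -> bool:
    """Use the SAN dNSName list when the certificate has one; fall back to the
    CN only when it does not (RFC 6125 section 6.4.4)."""
    names = list(san_dns_names) or [subject_cn]
    return any(identifier_matches(n, hostname) for n in names)


def coverage(identifier: str, hosts: Iterable[str]) -> Dict[str, bool]:
    """Which of `hosts` one identifier covers; useful for checking a
    partitioned wildcard such as *.amer.example.com against a node list."""
    return {h: identifier_matches(identifier, h) for h in hosts}


if __name__ == "__main__":
    print(coverage("*.ise.local", ["psn.ise.local", "mydevices.ise.local",
                                   "a.b.ise.local", "ise.local"]))
    print(coverage("*.amer.example.com",
                   ["aaa.amer.example.com", "aaa.emea.example.com"]))
    # Wildcard only in the CN while a SAN is present: the SAN wins, no match.
    print(certificate_matches_host("*.ise.local", ["aaa.ise.local"], "psn.ise.local"))
```

Run coverage with the wildcard you intend to request against the FQDN of every node, interface alias and portal name; anything that comes back False needs its own SAN entry or a different partition.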

Creating a Wildcard Certificate

This section describes how to create a wildcard certificate. This procedure would work for most SSL certificate providers.

However, if your SSL certificate provider does not support wildcard values in the SAN field of the certificate, then you must populate the certificate SAN with the FQDN of each ISE node and interface (per the alias specified using the ip host command). This certificate is known as a multi-domain certificate. FQDNs for specific service aliases such as those used for the My Devices and Sponsor portals should also be included in the certificate SAN. Some services such as Local Web Authentication to the ISE Admin portal, Sponsor portal, and the My Devices portal can use a load balancer. In these cases, the FQDN assigned to the virtual IP address of the load-balanced service should be included in the SAN field of the certificate.

Note It is possible to have separate certificates for HTTPS and EAP authentication. The certificate designated for HTTPS is used to secure inter-node communications and all web portal services including Central Web Authentication, Device Registration Web Authentication (DRW), Posture Discovery and Assessment, Mobile Device Management, Native Supplicant Provisioning, Sponsor, and My Devices portals. The certificate designated for EAP is used to secure all client authentication using EAP protocols including PEAP, EAP-TLS, and EAP-FAST.

For example, if you have an ISE deployment with two PSN nodes (psn1 and psn2 with eth0, eth1, and eth2 interfaces enabled) and you want to create a multi-domain certificate without wildcards, then your values would be:

CN=aaa.company.local (FQDN of an ISE node in the deployment)

SAN=DNS.1=aaa.company.local, DNS.2=psn1.company.local, DNS.3=psn2.company.local, DNS.4=psn1-e1.company.local, DNS.5=psn2-e1.company.local, DNS.6=psn1-e2.company.local, DNS.7=psn2-e2.company.local.

Tip If you are planning to deploy additional Policy Service nodes in the future, then you can add additional DNS name entries in the SAN field so that you can reuse the same certificate at the time of deploying the new nodes.

For cases where an IP address needs to be specified in the SAN field of the certificate (for example, DMZ with a static IP address for URL re-direction), ensure that you specify the IP address of the policy service node as the DNS Name and IP Address in the SAN field of the certificate. For example, CN=psn.ise.local and SAN=DNS.1=psn.ise.local, DNS.2=*.ise.local, DNS.3=10.1.1.20, IP.1=10.1.1.20.

Before You Begin

For Microsoft native supplicants, use the wildcard character in the SAN field of the certificate.

Step 1 Enter a generic hostname for the CN field of the Subject. For example, CN=aaa.ise.local.

Step 2 Enter the same generic hostname and a wildcard notation in the SAN field of the certificate. For example, DNS Name=aaa.ise.local, DNS Name=*.ise.local. See Figure E-3.

This method is successful with the majority of the tested public Certificate Authorities such as Comodo.com and SSL.com. With these public CAs, you must request a “Unified Communications Certificate (UCC).”
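The three SAN layouts this section describes (generic CN plus *.domain wildcard; multi-domain without wildcards, one entry per node and per non-eth0 interface alias; and a DMZ node that needs its IP as both a DNS and an IP entry), built by one function and emitted as an OpenSSL req configuration. This is an added example, not Cisco code: the psnN-eM alias convention follows the page's psn1-e1.company.local example, and generate_csr only calls the system openssl when it is installed. ISE generates its CSR on the node itself; use the config here to check what you intend to request, or to request a certificate for a key you will later import.

```python
"""SAN list and OpenSSL `req` config for the wildcard, multi-domain and
IP-in-SAN layouts described above. Added example, not Cisco code; the
psnN-eM alias convention follows the page's example."""

import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional


def interface_alias(node: str, interface: str) -> str:
    """psn1 + eth1 -> psn1-e1, matching the page's psn1-e1.company.local."""
    return node if interface == "eth0" else f"{node}-{interface.replace('eth', 'e')}"


def san_entries(cn: str, domain: str, nodes: Iterable[str] = (),
                interfaces: Iterable[str] = ("eth0",), wildcard: bool = False,
                extra_fqdns: Iterable[str] = (), ip: Optional[str] = None) -> List[str]:
    """OpenSSL-style SAN entries, CN first, lower-cased, without duplicates."""
    names = [cn]
    if wildcard:
        names.append(f"*.{domain}")
    for iface in interfaces:             # interface-major order, as on the page
        for node in nodes:
            names.append(f"{interface_alias(node, iface)}.{domain}")
    names.extend(extra_fqdns)            # sponsor / My Devices / load-balancer VIP names
    if ip:
        names.append(ip)                 # the IP as a DNS entry as well as an IP entry
    seen: List[str] = []
    for n in (x.lower() for x in names):
        if n not in seen:
            seen.append(n)
    entries = [f"DNS:{n}" for n in seen]
    if ip:
        entries.append(f"IP:{ip}")
    return entries


def openssl_req_config(cn: str, entries: Iterable[str], key_bits: int = 2048) -> str:
    """Minimal `openssl req` config; 2048-bit RSA and SHA-256 keep the request
    within the FIPS requirements stated earlier in this appendix."""
    return (
        "[ req ]\n"
        f"default_bits = {key_bits}\n"
        "default_md = sha256\n"
        "prompt = no\n"
        "distinguished_name = dn\n"
        "req_extensions = ext\n\n"
        "[ dn ]\n"
        f"CN = {cn}\n\n"
        "[ ext ]\n"
        f"subjectAltName = {', '.join(entries)}\n"
    )


def generate_csr(cn: str, entries: Iterable[str], out_dir: str) -> Optional[Path]:
    """Write key.pem and request.csr with the system openssl; None if it is absent."""
    if shutil.which("openssl") is None:
        return None
    out = Path(out_dir)
    cfg = out / "req.cnf"
    cfg.write_text(openssl_req_config(cn, entries))
    csr = out / "request.csr"
    subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", str(out / "key.pem"), "-out", str(csr),
                    "-config", str(cfg)], check=True, capture_output=True)
    return csr


if __name__ == "__main__":
    wild = san_entries("aaa.ise.local", "ise.local", wildcard=True)
    multi = san_entries("aaa.company.local", "company.local",
                        nodes=("psn1", "psn2"), interfaces=("eth0", "eth1", "eth2"))
    dmz = san_entries("psn.ise.local", "ise.local", wildcard=True, ip="10.1.1.20")
    for e in (wild, multi, dmz):
        print(", ".join(e))
    with tempfile.TemporaryDirectory() as d:
        print(generate_csr("aaa.ise.local", wild, d) or "openssl not available")
```

Before submitting any CSR, including one exported from ISE, confirm the SAN with openssl req -noout -text -in request.csr; a CA will sign exactly what the request contains, and a missing node or alias name is only discovered as a certificate warning on the endpoint.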

What To Do Next

Import the wildcard certificates into the Policy Service nodes.

Related Topics

Installing Wildcard Certificates in Cisco ISE, page E-10


Installing Wildcard Certificates in Cisco ISE

Before You Begin

If you have enabled non-eth0 interfaces, ensure that you map a host alias to that interface using the ip host command from the CLI. See Fully Qualified Domain Name in URL Redirection for more information.

To install wildcard certificates, you must perform the following tasks:

Step 1 Create the Certificate Signing Request for Wildcard Certificates. See Creating a Certificate Signing Request for Wildcard Certificates, page E-10.

Step 2 Export the Certificate Signing Request. See Exporting the Certificate Signing Request, page E-11.

Step 3 Submit the Certificate Signing Request to a Certificate Authority. See Submitting the CSR to a Certificate Authority, page E-11.

Step 4 Import the Root Certificates to the Certificate Store. See Importing the Root Certificates to the Certificate Store, page E-12.

Step 5 Bind the Certificate Signing Request with the new public certificate. See Binding the CSR With the New Public Certificate, page E-13.

Step 6 Export the CA-Signed Certificate and Private Key. See Exporting the CA-Signed Certificate and Private Key, page E-13.

Step 7 Import the CA-Signed Certificate and Private Key in to all the Policy Service nodes. See Importing the CA-Signed Certificate to the Policy Service Nodes, page E-13.

Creating a Certificate Signing Request for Wildcard Certificates

Step 1 Choose Administration > Certificates > Local Certificates.

Step 2 Click Add > Generate Certificate Signing Request.

Step 3 In the Certificate Subject, enter the generic FQDN of any one of your Policy Service nodes. For example, CN=psn.ise.local.

Step 4 Enter two values for the SAN. One of the values must be same as the CN that you entered for the Certificate Subject. The other value is the wildcard notation. For example, DNS name=psn.ise.local, DNS name=*.ise.local.

Step 5 Check the Allow Wildcard Certificates check box.


Figure E-4 Certificate Signing Request Using a Wildcard Notation

Step 6 Click Submit.

Exporting the Certificate Signing Request

Step 1 Choose Administration > Certificates > Certificate Signing Requests.

Step 2 Check the check box next to the CSR that you generated. For example, psn.ise.local.

Step 3 Click Export.

Step 4 Save the CSR to your local system.

Submitting the CSR to a Certificate Authority

Step 1 Open the CSR in a text editor such as Notepad.

Step 2 Copy all the text from “-----BEGIN CERTIFICATE REQUEST-----” through “-----END CERTIFICATE REQUEST-----.”

Step 3 Paste the contents of the CSR in to the certificate request of a chosen CA. See Figure E-5.


Figure E-5 CSR Content in a Certificate Request Form - Active Directory CA

Step 4 Download the signed certificate.

Some CAs might email the signed certificate to you. The signed certificate is typically delivered as a zip file that contains the newly issued certificate and the public signing certificates of the CA, which you must add to the Cisco ISE trusted certificate store. See Figure E-6.

Figure E-6 Certificates Returned By the CA

Importing the Root Certificates to the Certificate Store

Before You Begin

Before you bind the newly signed certificate to the CSR on Cisco ISE, ensure that the signing root certificates exist in the Cisco ISE Certificate Store.

Step 1 Choose Administration > Certificates > Certificate Store.


Step 2 Click Import.

Step 3 Choose the root certificates returned by your CA.

Binding the CSR With the New Public Certificate

Step 1 Choose Administration > Certificates > Local Certificates.

Step 2 Click Add > Bind CA signed Certificate.

Step 3 Choose the CA-signed certificate.

Step 4 Check the Allow Wildcard Certificates check box.

Step 5 Choose the protocol.

Step 6 Click Submit.

Exporting the CA-Signed Certificate and Private Key

Step 1 Choose Administration > Certificates > Local Certificates.

Step 2 Check the check box next to the CA-signed certificate and click Export.

Step 3 Save the file to your local system.

Importing the CA-Signed Certificate to the Policy Service Nodes

Step 1 Choose Administration > Certificates > Certificate Store.

Step 2 Choose the CA-signed certificate that you exported.

Step 3 Click Submit.

Installing a CA-Signed Certificate in Cisco ISE

The procedure for installing a CA-signed certificate is as follows:

Step 1 In the Cisco ISE administration interface of the node requiring the CA-signed certificate, generate a Certificate Signing Request (CSR).

Step 2 Export the CSR into a file.

Step 3 Provide the CSR file to the Certificate Authority and request the CA to create and sign a certificate using the attributes specified in the CSR. The CA should return the certificate in a file.

Step 4 In the Cisco ISE administration interface of the same node, bind the CA-signed certificate to its private key, which is kept with the CSR on the node. Designate the certificate for HTTPS and/or EAP-TLS use.

Note If you are going to use the CA-signed certificate for HTTPS, the subject Common Name value specified for the CSR must match the fully qualified domain name (FQDN) of the Cisco ISE node, or must match the wildcard domain name specified in the SAN/CN field of the certificate.

Cisco ISE checks for a matching subject name as follows:

1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node’s FQDN.

2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.

3. If no match is found, the certificate is rejected.
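The three-step subject-name check described above, written out as an added example (not code from Cisco or the Cisco ISE product) so that a planned CSR subject can be tested against a node FQDN before it goes to the CA. It assumes that a wildcard such as *.amer.cisco.com covers exactly one label (it matches aaa.amer.cisco.com but not a.b.amer.cisco.com); all host names used are constructed.

```python
"""Subject-name matching as Cisco ISE applies it to an HTTPS certificate.

Added example, not Cisco code: it models the three-step rule (SAN DNS names
first; the Subject CN only when the SAN carries no DNS names; otherwise
reject).  Assumption: a wildcard covers exactly one DNS label.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Lower-case DNS labels without a trailing dot, for case-insensitive compare."""
    return name.lower().rstrip(".").split(".")


def _wildcard_matches(pattern: str, fqdn: str) -> bool:
    """True when the wildcard domain equals the domain part of the node FQDN."""
    if not pattern.startswith("*.") or pattern.count("*") != 1:
        return False                      # only a leading '*.' counts as a wildcard here
    node = _labels(fqdn)
    domain = _labels(pattern)[1:]         # drop the '*' label
    return len(node) == len(domain) + 1 and node[1:] == domain


def _name_matches(name: str, fqdn: str) -> bool:
    if "*" in name:
        return _wildcard_matches(name, fqdn)
    return _labels(name) == _labels(fqdn)


def ise_subject_matches(node_fqdn: str, san_dns_names: list[str],
                        subject_cn: str | None) -> tuple[bool, str]:
    """Return (accepted, reason) in the order the guide lists.

    1. SAN DNS names present: one of them must match the FQDN.
    2. No SAN DNS names: the Subject CN (plain or wildcard) must match.
    3. Otherwise the certificate is rejected.
    A matching CN does not rescue a certificate whose SAN DNS names all miss.
    """
    if san_dns_names:
        for name in san_dns_names:
            if _name_matches(name, node_fqdn):
                return True, f"SAN DNS name {name} matches {node_fqdn}"
        return False, "SAN lists DNS names but none matches the node FQDN"
    if subject_cn and _name_matches(subject_cn, node_fqdn):
        return True, f"no SAN DNS names; Subject CN {subject_cn} matches"
    return False, "no SAN DNS names and the Subject CN does not match"


def requires_wildcard_checkbox(san_dns_names: list[str], subject_cn: str | None) -> bool:
    """True when 'Allow Wildcard Certificates' must be checked: an asterisk
    appears in any Subject CN or SAN DNS name."""
    names = list(san_dns_names) + ([subject_cn] if subject_cn else [])
    return any("*" in n for n in names)


if __name__ == "__main__":
    # Constructed cases mirroring the guide's examples.
    for fqdn, san, cn in [
        ("aaa.amer.cisco.com", ["*.amer.cisco.com"], "aaa.amer.cisco.com"),
        ("psn.ise.local", ["other.ise.local"], "psn.ise.local"),
        ("psn.ise.local", [], "*.ise.local"),
    ]:
        ok, why = ise_subject_matches(fqdn, san, cn)
        box = requires_wildcard_checkbox(san, cn)
        print(f"{fqdn:22} accepted={ok!s:5} wildcard_box={box!s:5} ({why})")
```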

Note X.509 certificates imported to Cisco ISE must be in privacy-enhanced mail (PEM) or distinguished encoding rule (DER) format. Files containing a certificate chain, which is a local certificate along with the sequence of trust certificates that sign it, can be imported, subject to certain restrictions. See Importing Certificate Chains, page E-28 for more information.

X.509 certificates are only valid until a specific date. When a local certificate expires, the Cisco ISE functionality that depends on the certificate is impacted. Cisco ISE will notify you about the pending expiration of a local certificate when the expiration date is within 90 days. This notification appears in several ways:

• Colored expiration status icons appear in the Local Certificates page.

• Expiration messages appear in the Cisco ISE System Diagnostic report.

• Expiration alarms are generated at 90 days, 60 days, and every day in the final 30 days before expiration.

If the expiring certificate is a self-signed certificate, you can extend its expiration date by editing the certificate. For a CA-signed certificate, you must allow sufficient time to acquire a replacement certificate from your CA.

You can perform the following tasks from the Cisco ISE administration interface to manage local certificates:

• View a list of the local certificates stored on a Cisco ISE node. The list shows the protocol assignment (HTTPS, EAP-TLS) of each certificate, along with its expiration status.

• Generate a CSR

• Export a CSR

• Bind a CA-signed certificate to its private key

• Export a local certificate and, optionally, its private key

• Import a local certificate and its private key

• Generate a self-signed local certificate

• Edit a local certificate, which includes extending the expiration date if the certificate is self-signed

• Delete a local certificate

• Delete a CSR

This section contains the following topics:

• Viewing Local Certificates, page E-15

• Adding a Local Certificate, page E-16

• Editing a Local Certificate, page E-21

• Exporting a Local Certificate, page E-22

Related Topics

• Wildcard Certificates, page E-4

• Fully Qualified Domain Name in URL Redirection, page E-6

• Importing a Local Certificate, page E-16

• Generating a Certificate Signing Request, page E-19

• Binding a CA-Signed Certificate, page E-20

Viewing Local Certificates

The Local Certificate page lists all the local certificates added to Cisco ISE.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Local Certificates.

The Local Certificate page appears and provides the following information for the local certificates:

• Friendly Name—Name of the certificate.

• Protocol—Protocols for which to use this certificate.

• Issued To—Common Name of the certificate subject.

• Issued By—Common Name of the certificate issuer.

• Valid From—Date on which the certificate was created, also known as the Not Before certificate attribute.

• Expiration Date—Expiration date of the certificate, also known as the Not After certificate attribute.

• Expiration Status—Indicates when the certificate expires. Five categories, each with an associated icon, can appear here:

1. Expiring in more than 90 days (green icon)

2. Expiring in 90 days or less (blue icon)

3. Expiring in 60 days or less (yellow icon)

4. Expiring in 30 days or less (orange icon)

5. Expired (red icon)
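The five status categories listed above and the alarm cadence from the preceding section (alarms at 90 days, 60 days, and every day in the final 30), applied to a list of Not After dates as an added example that is not Cisco code. The friendly names and dates are constructed, and the reference time is passed in explicitly so the result is reproducible.

```python
"""Expiration Status categories and alarm cadence for Cisco ISE certificates.

Added example, not Cisco code.  It classifies a Not After date into the
five bands the Local Certificates page shows and flags the days on which
the guide says an expiration alarm is generated.  Data are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Ordered from most to least urgent: (max remaining days, status text, icon colour)
STATUS_BANDS = (
    (30, "Expiring in 30 days or less", "orange"),
    (60, "Expiring in 60 days or less", "yellow"),
    (90, "Expiring in 90 days or less", "blue"),
)


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days until the Not After attribute; negative once it has passed."""
    return (not_after - now).days      # timedelta.days floors, so -1 means expired


def expiration_status(not_after: datetime, now: datetime) -> tuple[str, str]:
    """Map a Not After date to the (status text, icon colour) shown in the page."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "Expired", "red"
    for limit, text, colour in STATUS_BANDS:
        if days <= limit:
            return text, colour
    return "Expiring in more than 90 days", "green"


def alarm_due(days: int) -> bool:
    """Alarm days per the guide: exactly 90, exactly 60, and every day from 30 to 0.

    Behaviour after expiry is not described on the page, so a negative
    remaining-day count is not treated as an expiration alarm here.
    """
    return days in (90, 60) or 0 <= days <= 30


def inventory_report(certs: list[tuple[str, datetime]],
                     now: datetime) -> list[tuple[str, int, str, bool]]:
    """Return (friendly name, days remaining, icon colour, alarm today), most urgent first."""
    rows = []
    for friendly_name, not_after in certs:
        days = days_remaining(not_after, now)
        _, colour = expiration_status(not_after, now)
        rows.append((friendly_name, days, colour, alarm_due(days)))
    return sorted(rows, key=lambda r: r[1])


# Constructed reference time and inventory (friendly names follow the
# <common name>#<issuer>#<nnnnn> format the guide describes).
NOW = datetime(2017, 2, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("psn.ise.local#ExampleCA#00001", NOW + timedelta(days=120)),
    ("admin.ise.local#ExampleCA#00002", NOW + timedelta(days=90)),
    ("mnt.ise.local#ExampleCA#00003", NOW + timedelta(days=60)),
    ("guest.ise.local#ExampleCA#00004", NOW + timedelta(days=30)),
    ("old.ise.local#old.ise.local#00005", NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for name, days, colour, alarm in inventory_report(SAMPLE_INVENTORY, NOW):
        print(f"{name:36} {days:5d} days  {colour:7} alarm={alarm}")
```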

Related Topics

• Wildcard Certificates, page E-4

Adding a Local Certificate

You can add a local certificate to Cisco ISE in one of the following ways:

• Importing a Local Certificate, page E-16

• Generating a Self-Signed Certificate, page E-18

• Generating a Certificate Signing Request, page E-19 and Binding a CA-Signed Certificate, page E-20

If you are planning to import a wildcard certificate, ensure that you have read the following sections:

• Wildcard Certificates, page E-4

• Creating a Wildcard Certificate, page E-8

• Installing Wildcard Certificates in Cisco ISE, page E-10

Note If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate on a node, existing browser sessions connected to that node do not automatically switch over to the new certificate. You must restart your browser to see the new certificate.

Importing a Local Certificate

You can add a new local certificate by importing a local certificate.

Before You Begin

Ensure that you have the local certificate and the private key file on the system that is running the client browser.

To perform the following task, you must be a Super Admin or System Admin.

If the local certificate that you import contains the basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and the keyEncipherment bit or the keyAgreement bit or both are set.

Step 1 Choose Administration > System > Certificates > Local Certificates.

To import a local certificate to a secondary node, choose Administration > System > Server Certificate.

Step 2 Choose Add > Import Local Server Certificate.

Step 3 Click Browse to choose the certificate file and the private key from the system that is running your client browser.

If the private key is encrypted, enter the Password to decrypt it.

Step 4 Enter a Friendly Name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name>#<issuer>#<nnnnn> where <nnnnn> is a unique five-digit number.

Step 5 Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate certificate extensions.

If you check the Enable Validation of Certificate Extensions check box and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.

Step 6 Check the Allow Wildcard Certificates check box if you want to import a wildcard certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS name in the Subject Alternative Name).

Step 7 In the Protocol group box:

• Check the EAP check box to use this certificate for EAP protocols to identify the Cisco ISE node.

• Check the HTTPS check box to use this certificate to authenticate the web server.

If you check the Management Interface check box, ensure that the Common Name value in the Certificate Subject matches the fully qualified domain name (FQDN) of the node or a wildcard notation if a wildcard certificate is used. Otherwise, the import process will fail.

Step 8 Check the Replace Certificate check box to replace an existing certificate with a duplicate certificate. A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as an existing certificate. This option updates the content of the certificate, but retains the existing protocol selections for the certificate.

Note If Cisco ISE is set to operate in FIPS mode, the certificate's RSA key must be 2048 bits or larger, and the certificate must be signed with either the SHA-1 or the SHA-256 hash algorithm.

Step 9 Click Submit to import the local certificate.

If you import a local certificate to your primary Cisco ISE node and the management interface option is enabled on the node in your deployment, Cisco ISE automatically restarts the application server on the node. Otherwise, you must restart the secondary nodes that are connected to your primary Cisco ISE node.

To restart the secondary nodes from the CLI, enter the following commands in the given order:

a. application stop ise

b. application start ise

Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.2 for more information on these commands.

Related Topics

• Wildcard Certificates, page E-4

• Creating a Wildcard Certificate, page E-8

• Installing Wildcard Certificates in Cisco ISE, page E-10

Generating a Self-Signed Certificate

You can add a new local certificate by generating a self-signed certificate. Cisco recommends that you only employ self-signed certificates for your internal testing and evaluation needs. If you are planning to deploy Cisco ISE in a production environment, be sure to use CA-signed certificates whenever possible to ensure more uniform acceptance around a production network.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Local Certificates.

To generate a self-signed certificate from a secondary node, choose Administration > System > Server Certificate.

Step 2 Choose Add > Generate Self Signed Certificate.

Step 3 Enter the following information in the Generate Self Signed Certificate page:

• Certificate Subject—A distinguished name (DN) identifying the entity that is associated with the certificate. The DN must include a Common Name (CN) value.

• Subject Alternative Name—A DNS name or IP Address that is associated with the certificate.

• Required Key Length—Valid values are 512, 1024, 2048, and 4096. If you are deploying Cisco ISE as a FIPS-compliant policy management engine, you must specify a key length of 2048 bits or more.

• Digest to Sign With—The hash algorithm used to sign the certificate: either SHA-1 or SHA-256.

• Certificate Expiration TTL—You can specify an expiration time period in days, weeks, months, or years.

• If you would like to specify a Friendly Name for the certificate, enter it in the field below the private key password. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name>#<issuer>#<nnnnn> where <nnnnn> is a unique five-digit number.

Step 4 Check the Allow Wildcard Certificates check box if you want to generate a self-signed wildcard certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS name in the Subject Alternative Name). For example, the DNS name assigned to the SAN can be *.amer.cisco.com.

Step 5 In the Protocol group box:

• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.

• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE portals.

If you check the Management Interface check box, ensure that the Common Name value in the Certificate Subject matches the fully qualified domain name (FQDN) of the node. Otherwise, the self-signed certificate will not be generated.

If the HTTPS check box is checked, then the application server on the Cisco ISE node will be restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment, then the application server on all other nodes in the deployment will also be restarted. They will restart one node at a time, after the Primary Administration node restart has completed.

Step 6 In the Override Policy area, check the Replace Certificate check box to replace an existing certificate with a duplicate certificate. A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as an existing certificate. This option updates the content of the certificate, but retains the existing protocol selections for the certificate.

Step 7 Click Submit to generate the certificate.

Note If you are using a self-signed certificate and you must change the hostname of your Cisco ISE node, you must log in to the Admin portal of the Cisco ISE node, delete the self-signed certificate that has the old hostname, and generate a new self-signed certificate. Otherwise, Cisco ISE will continue to use the self-signed certificate with the old hostname.

Related Topics

• Wildcard Certificates, page E-4

• Installing Wildcard Certificates in Cisco ISE, page E-10

Generating a Certificate Signing Request

You can add a new local certificate by generating a certificate signing request and then binding a CA-signed certificate.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Local Certificates.

To generate a CSR from a secondary node, choose Administration > System > Server Certificate.

Step 2 Choose Add > Generate Certificate Signing Request.

Step 3 Enter the certificate subject and the required key length. The certificate subject is a distinguished name (DN) identifying the entity that is associated with the certificate. The DN must include a common name value. Elements of the distinguished name are:

• C = Country

• ST = State or province

• L = Locality (city)

• O = Organization name

• OU = Organizational unit name

• CN = Common name

• E = E-mail address

For example, the Certificate Subject in a CSR can take the following values: “CN=Host-ISE.cisco.com, OU=Cisco, O=security, C=US, ST=NC, L=RTP, [email protected]” or “CN=aaa.amer.cisco.com, DNS name in SAN=*.amer.cisco.com, OU=Cisco, O=security, C=US, ST=NC, L=RTP, [email protected].”

Note When populating the Certificate Subject field, do not encapsulate the string in quotation marks.

If you intend to use the certificate generated from this CSR for HTTPS communication, ensure that the common name value in the Certificate Subject is the FQDN of the node. Otherwise, you will not be able to select Management Interface when binding the generated certificate.

Step 4 Subject Alternative Name—A DNS name or IP Address that is associated with the certificate.

Step 5 Choose the digest to sign with: either SHA-1 or SHA-256.

Note If Cisco ISE is set to operate in FIPS mode, the certificate's RSA key must be 2048 bits or larger, and the certificate must be signed with either the SHA-1 or the SHA-256 hash algorithm.

Step 6 Check the Allow Wildcard Certificates check box if the Certificate Subject contains a CN or SAN with a wildcard FQDN.

Step 7 Click Submit to generate a CSR.

A CSR and its private key are generated and stored in Cisco ISE. You can view this CSR in the Certificate Signing Requests page. You can export the CSR and send it to a CA to obtain a signature.

Related Topics

• Wildcard Certificates, page E-4

• Creating a Certificate Signing Request for Wildcard Certificates, page E-10

Binding a CA-Signed Certificate

After a Certificate Signing Request is signed by a Certificate Authority and returned to you, you must bind the CA-signed certificate with its private key to complete the process of adding a local certificate in Cisco ISE.

Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Local Certificates.

To bind a CA-signed certificate to a secondary node, choose Administration > System > Server Certificate.

Step 2 Choose Add > Bind CA Certificate.

Step 3 Click Browse to choose the CA-signed certificate and choose the appropriate CA-signed certificate.

Step 4 Specify a Friendly Name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format <common name>#<issuer>#<nnnnn> where <nnnnn> is a unique five-digit number.

Step 5 Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate certificate extensions.

Note If you enable the Enable Validation of Certificate Extensions option, and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.

Step 6 Check the Allow Wildcard Certificates check box to bind a certificate that contains the wildcard character, asterisk (*) in any CN in the Subject or DNS in the Subject Alternative Name.

Step 7 In the Protocol group box:

• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.

• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE web portal.

If you check the Management Interface check box, ensure that the Common Name value in the Certificate Subject matches the fully qualified domain name (FQDN) of the node or a wildcard notation if a wildcard certificate is used. Otherwise, the bind operation will fail.

If the HTTPS check box is checked, then the application server on the Cisco ISE node will be restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment, then the application server on all other nodes in the deployment will also be restarted. They will restart one node at a time, after the Primary Administration node restart has completed.

Step 8 Check the Replace Certificate check box to replace an existing certificate with a duplicate certificate. A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as an existing certificate. This option updates the content of the certificate, but retains the existing protocol selections for the certificate.

Step 9 Click Submit to bind the CA-signed certificate.

Related Topics

• Wildcard Certificates, page E-4

• Installing Wildcard Certificates in Cisco ISE, page E-10

Editing a Local Certificate

You can use this page to edit local certificates.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Local Certificates.

To edit a local certificate on a secondary node, choose Administration > System > Server Certificate.

Step 2 Check the check box next to the certificate that you want to edit, and click Edit.

Step 3 You can edit the following:

• Friendly name

• Description

• Protocols

• Expiration TTL (if the certificate is self-signed)

Step 4 Enter an optional friendly name and description to identify this certificate.

Step 5 In the Protocol group box:

• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.

• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE web portal.

If the HTTPS check box is checked, then the application server on the Cisco ISE node will be restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment, then the application server on all other nodes in the deployment will also be restarted. They will restart one node at a time, after the Primary Administration node restart has completed.

Note If you check the Management Interface check box, ensure that the Common Name value in the Certificate Subject matches the fully qualified domain name (FQDN) of the node or a wildcard notation if a wildcard certificate is used. If the Common Name value is blank, the edit operation will fail.

For example, if local_certificate_1 is currently designated for EAP and you check the EAP check box while editing local_certificate_2, then after you save the changes to local_certificate_2, local_certificate_1 will no longer be associated with EAP.

Step 6 Check the Renew Self Signed Certificate check box if you are editing a self-signed certificate and want to extend the Expiration Date.

Step 7 Enter the Expiration TTL (Time to Live) in days, weeks, months, or years.

Step 8 Click Save to save your changes.

Related Topics

• Wildcard Certificates, page E-4

• Creating a Wildcard Certificate, page E-8

• Installing Wildcard Certificates in Cisco ISE, page E-10

Exporting a Local Certificate

You can export a selected local certificate or a certificate and its associated private key. If you export a certificate and its private key for backup purposes, you can reimport them later if needed.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Local Certificates.

To export a local certificate from a secondary node, choose Administration > System > Server Certificate.

Step 2 Check the check box next to the certificate that you want to export and then click Export.

Step 3 Choose whether to export only the certificate, or the certificate and its associated private key.

Tip We do not recommend exporting the private key associated with a certificate because its value may be exposed. If you must export a private key, specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE server to decrypt the private key.

Step 4 Choose the certificate component that you want to export.

Step 5 Enter the password if you have chosen to export the private key. The password should be at least 8 characters long.

Step 6 Click OK to save the certificate to the file system that is running your client browser.

If you export only the certificate, the certificate is stored in the privacy-enhanced mail format. If you export both the certificate and private key, the certificate is exported as a .zip file that contains the certificate in the privacy-enhanced mail format and the encrypted private key file.

Related Topics

• Importing a Local Certificate, page E-16

Certificate Signing Requests

The list of Certificate Signing Requests (CSRs) that you have created is available in the Certificate Signing Requests page. To obtain signatures from a CA, you must export the CSRs to the local file system that is running your client browser. You must then send the certificates to a CA. The CA will sign and return your certificates.

Note If your Cisco ISE deployment has multiple nodes in a distributed setup, you must export the CSRs from each node in your deployment individually.

Related Topic

Exporting Certificate Signing Requests, page E-23

Exporting Certificate Signing Requests

You can use this page to export certificate signing requests.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.

If you want to export CSRs from a secondary node, choose Administration > System > Certificate Signing Requests.

Step 2 Check the check box next to the certificates that you want to export, and click Export.

Step 3 Click OK to save the file to the file system that is running the client browser.

Related Topics

• Wildcard Certificates, page E-4

Certificate Store

The Cisco ISE Certificate Store contains X.509 certificates that are used for trust and for Simple Certificate Enrollment Protocol (SCEP). The certificates in the Certificate Store are managed on the primary administration node, and are replicated to every node in the Cisco ISE deployment.

Cisco ISE supports wildcard certificates.

Cisco ISE uses the Certificate Store certificates for the following purposes:

• To verify client certificates used for authentication by endpoints, and by Cisco ISE administrators accessing the Admin Portal using certificate-based administrator authentication.

• To enable secure communication between Cisco ISE nodes in a deployment. The Certificate Store must contain the chain of CA certificates needed to establish trust with the local HTTPS server certificate on each node in a deployment.

– If a self-signed certificate is used for the server certificate, the self-signed certificate from each node must be placed in the Certificate Store of the primary Administration node.

– If a CA-signed certificate is used for the server certificate, the CA root certificate, as well as any intermediate certificates in the trust chain, must be placed in the Certificate Store of the primary Administration node.

• To enable secure LDAP authentication. A certificate from the Certificate Store must be selected when defining an LDAP identity source that will be accessed over SSL.

• For distribution to mobile devices preparing to register in the network using the My Devices portal. Cisco ISE implements SCEP on Policy Service Nodes (PSNs) to support mobile device registration. A registering device uses SCEP to request a client certificate from a PSN. The PSN contains a registration authority (RA) that acts as an intermediary: it receives and validates the request from the registering device and then forwards it to a CA, which actually issues the client certificate. The CA sends the certificate back to the RA, which returns it to the device.

Each SCEP CA used by Cisco ISE is defined by a SCEP RA Profile. When a SCEP RA Profile is created, two certificates are automatically added to the Certificate Store:

a. A CA certificate (a self-signed certificate)

b. An RA certificate (a Certificate Request Agent certificate), which is signed by the CA.

The SCEP protocol requires that these two certificates be provided by the RA to a registering device. By placing these two certificates in the Certificate Store, they are replicated to all PSN nodes for use by the RA on those nodes.

Note X.509 certificates imported to Cisco ISE must be in Privacy-Enhanced Mail (PEM) or Distinguished Encoding Rule (DER) format. Files containing a certificate chain, that is, a local certificate along with the sequence of trust certificates that sign it, can be imported, subject to certain restrictions.
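The PEM-or-DER requirement stated in this note (and in the identical note in the Local Certificates section), as an added example that is not Cisco code: it accepts a PEM file with one or more CERTIFICATE blocks (a chain) or a single bare DER file, returns the DER bytes of every certificate found so a chain can be split and each element inspected before import, and rejects anything else, including a PEM CSR. The DER values it ships with are constructed placeholder SEQUENCEs rather than real certificates; only the outer DER framing is checked.

```python
"""PEM-or-DER check for files destined for the Cisco ISE Certificate Store.

Added example, not Cisco code.  Recognises PEM (one or more CERTIFICATE
blocks, i.e. a chain) or bare DER and returns each certificate's DER bytes.
Sample DER values below are constructed placeholders, not real certificates.
"""
from __future__ import annotations

import base64
import binascii
import re

_PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# 'BEGIN CERTIFICATE REQUEST' does not match this header, so a CSR is rejected.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def _der_sequence_length(data: bytes) -> int:
    """Total encoded length of the DER SEQUENCE at the start of data, or -1.

    An X.509 Certificate is a SEQUENCE (tag 0x30); its length is short form
    (< 0x80) or long form (0x80 | n, followed by n big-endian length bytes).
    """
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def load_certificates(blob: bytes) -> list[bytes]:
    """Return the DER bytes of each certificate in a PEM or DER file.

    Raises ValueError for anything else, which is what ISE would reject.
    """
    if _PEM_HEADER in blob:
        ders = []
        for match in _PEM_BLOCK.finditer(blob):
            try:
                der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
            except binascii.Error as exc:
                raise ValueError("PEM block is not valid base64") from exc
            if _der_sequence_length(der) != len(der):
                raise ValueError("PEM block does not decode to one DER SEQUENCE")
            ders.append(der)
        if not ders:
            raise ValueError("PEM header present but no complete CERTIFICATE block")
        return ders
    if _der_sequence_length(blob) == len(blob):
        return [blob]
    raise ValueError("file is neither PEM nor DER")


def is_chain(blob: bytes) -> bool:
    """A chain file carries the local certificate plus the certificates that sign it."""
    return len(load_certificates(blob)) > 1


def is_importable(blob: bytes) -> bool:
    """True when the file is in one of the two formats ISE accepts."""
    try:
        load_certificates(blob)
    except ValueError:
        return False
    return True


def _constructed_pem(der: bytes) -> bytes:
    return _PEM_HEADER + b"\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


# Constructed sample data (not real certificates): minimal DER SEQUENCEs.
FAKE_LEAF_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])   # SEQUENCE { INTEGER 1 }
FAKE_CA_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x02])     # SEQUENCE { INTEGER 2 }
FAKE_CHAIN_PEM = _constructed_pem(FAKE_LEAF_DER) + _constructed_pem(FAKE_CA_DER)
FAKE_CSR_PEM = (b"-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQE=\n"
                b"-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print("leaf DER  :", load_certificates(FAKE_LEAF_DER))
    print("chain PEM :", len(load_certificates(FAKE_CHAIN_PEM)),
          "certificates, chain =", is_chain(FAKE_CHAIN_PEM))
    print("CSR file  : importable =", is_importable(FAKE_CSR_PEM))
```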

Related Topics

• Simple Certificate Enrollment Protocol Profiles, page E-29

• Importing Certificate Chains, page E-28

• Expiration of X.509 Certificates, page E-25

• CA Certificate Naming Constraint, page E-25

• Viewing Certificate Store Certificates, page E-26

• Changing the Status of a Certificate in Certificate Store, page E-26


• Adding a Certificate to Certificate Store, page E-27

• Editing a Certificate Store Certificate, page E-27

• Exporting a Certificate from the Certificate Store, page E-27

Expiration of X.509 Certificates

X.509 certificates are only valid until a specific date. Once a Certificate Store certificate expires, the Cisco ISE functionality that depends on the certificate is impacted. Cisco ISE notifies you about the pending expiration of a certificate when the expiration date is within 90 days. This notification appears in several ways:

• Colored expiration status icons appear in the Certificate Store page.

• Expiration messages appear in the Cisco ISE System Diagnostic report.

• Expiration alarms are generated at 90 days, 60 days, and every day in the final 30 days before expiration.

The Certificate Store is prepopulated with two Cisco CA certificates: a Manufacturing certificate and a Root certificate. The Root certificate signs the Manufacturing certificate. These certificates are disabled by default. If you have Cisco IP phones as endpoints in your deployment, you should enable these two certificates so the Cisco-signed client certificates for the phones can be authenticated.

This section contains the following topics:

• Viewing Certificate Store Certificates, page E-26

• Adding a Certificate to Certificate Store, page E-27

• Editing a Certificate Store Certificate, page E-27

• Exporting a Certificate from the Certificate Store, page E-27

• Importing Certificate Chains, page E-28

• Installation of CA Certificates for Cisco ISE Inter-node Communication, page E-28

CA Certificate Naming Constraint

A CA certificate in the CTL may contain a name constraints extension. This extension defines a namespace for the values of all subject name and subject alternative name fields of subsequent certificates in the certificate chain. Cisco ISE does not check constraints specified in a root certificate.

The following name constraints are supported:

• Directory name

The Directory name constraint should be a prefix of the directory name in subject/SAN. For example,

– Correct subject prefix:

CA certificate name constraint: Permitted: O=Cisco

Client certificate subject: O=Cisco,CN=Salomon

– Incorrect subject prefix:

CA certificate name constraint: Permitted: O=Cisco

Client certificate subject: CN=Salomon,O=Cisco


• DNS

• E-mail

• URI (The URI constraint must start with a URI prefix such as http://, https://, ftp://, or ldap://).

The following name constraints are not supported:

• IP address

• Othername

When a CA certificate contains a constraint of a type that is not supported and the certificate being verified carries a name of that type, the certificate is rejected, because Cisco ISE cannot verify unsupported constraints. (The example below shows a CA with unsupported othername and IP constraints whose client certificate is still accepted, because it carries no name of either type.)

The following is an example of the name constraints definition within the CA certificate:

X509v3 Name Constraints: critical
    Permitted:
      othername:<unsupported>
      email:.abcde.at
      email:.abcde.be
      email:.abcde.bg
      email:.abcde.by
      DNS:.dir
      DirName: DC = dir, DC = emea
      DirName: C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic
      DirName: C = BG, ST = EMEA, L = BG, O = ABCDE Group, OU = Domestic
      DirName: C = BE, ST = EMEA, L = BN, O = ABCDE Group, OU = Domestic
      DirName: C = CH, ST = EMEA, L = CH, O = ABCDE Group, OU = Service Z100
      URI:.dir
      IP:172.23.0.171/255.255.255.255
    Excluded:
      DNS:.dir
      URI:.dir

An acceptable client certificate subject that matches the above definition is as follows:

Subject: DC=dir, DC=emea, OU=+DE, OU=OU-Administration, OU=Users, OU=X1, CN=cwinwell
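The matching rules above, worked through as an added example that is not part of Cisco's documentation or code: a small Python checker that applies a CA certificate's name constraints to the names a client certificate carries the way this page describes them, including the prefix rule for directory names, the rejection of names whose constraint type (IP, othername) cannot be verified, and the constraint set and accepted subject shown above transcribed as data. It works on the string forms of names rather than on parsed X.509 structures; `PAGE_CONSTRAINTS`, `PAGE_SUBJECT` and the function names are this example's own.

```python
"""Name-constraint matching as this page describes it for Cisco ISE.

Added example, not Cisco code. It operates on the string forms of names and
applies the 'prefix of the directory name' rule literally, in the RDN order
as written, following the page's own correct/incorrect examples.
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

Name = Tuple[str, str]              # (name type, value), e.g. ("DNS", "host.dir")
UNSUPPORTED = {"IP", "OTHERNAME"}   # constraint types the page says ISE cannot verify


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'DC = dir, DC = emea' -> [('DC', 'dir'), ('DC', 'emea')]; escaped commas not handled."""
    rdns = []
    for part in dn.split(","):
        if part.strip():
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dirname_matches(constraint: str, subject: str) -> bool:
    """Directory-name constraint: its RDNs must be a prefix, in order, of the subject's RDNs."""
    c, s = parse_dn(constraint), parse_dn(subject)
    return len(c) <= len(s) and s[: len(c)] == c


def dns_matches(constraint: str, host: str) -> bool:
    """'.dir' matches any name below dir; 'dir' matches dir itself and names below it."""
    constraint, host = constraint.lower(), host.lower().rstrip(".")
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint or host.endswith("." + constraint)


def email_matches(constraint: str, addr: str) -> bool:
    """A constraint containing '@' names one mailbox; otherwise it constrains the host part."""
    if "@" in constraint:
        return constraint.lower() == addr.lower()
    return dns_matches(constraint, addr.rpartition("@")[2])


def uri_matches(constraint: str, uri: str) -> bool:
    """URI constraints are applied to the host of the URI; a scheme on the constraint is ignored."""
    c_host = (urlsplit(constraint).hostname or "") if "://" in constraint else constraint
    host = urlsplit(uri).hostname or ""
    return bool(host) and dns_matches(c_host, host)


MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "DIRNAME": dirname_matches, "DNS": dns_matches, "EMAIL": email_matches, "URI": uri_matches,
}


def check_names(constraints: Dict[str, List[Name]], names: List[Name]) -> Tuple[bool, str]:
    """Apply one CA certificate's name constraints to the names a client certificate carries.

    `constraints` has 'permitted' and 'excluded' lists of (type, value); `names` is the
    client's subject DN plus its SAN entries. Returns (accepted, reason).
    """
    permitted = [(t.upper(), v) for t, v in constraints.get("permitted", [])]
    excluded = [(t.upper(), v) for t, v in constraints.get("excluded", [])]
    constrained_types = {t for t, _ in permitted + excluded}

    for ntype, value in names:
        ntype = ntype.upper()
        if ntype in UNSUPPORTED and ntype in constrained_types:
            return False, f"cannot verify {ntype} constraint against {value!r}: unsupported type"
        match = MATCHERS.get(ntype)
        if match is None:
            continue                                   # name type without any usable constraint
        for t, cval in excluded:
            if t == ntype and match(cval, value):
                return False, f"{ntype} {value!r} lies in excluded subtree {cval!r}"
        allowed = [cval for t, cval in permitted if t == ntype]
        if allowed and not any(match(cval, value) for cval in allowed):
            return False, f"{ntype} {value!r} lies outside every permitted subtree"
    return True, "all names satisfy the constraints"


# The constraint set and the accepted subject shown on this page, transcribed as data.
PAGE_CONSTRAINTS = {
    "permitted": [
        ("othername", "<unsupported>"),
        ("email", ".abcde.at"), ("email", ".abcde.be"), ("email", ".abcde.bg"), ("email", ".abcde.by"),
        ("DNS", ".dir"),
        ("DirName", "DC = dir, DC = emea"),
        ("DirName", "C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic"),
        ("DirName", "C = BG, ST = EMEA, L = BG, O = ABCDE Group, OU = Domestic"),
        ("DirName", "C = BE, ST = EMEA, L = BN, O = ABCDE Group, OU = Domestic"),
        ("DirName", "C = CH, ST = EMEA, L = CH, O = ABCDE Group, OU = Service Z100"),
        ("URI", ".dir"),
        ("IP", "172.23.0.171/255.255.255.255"),
    ],
    "excluded": [("DNS", ".dir"), ("URI", ".dir")],
}
PAGE_SUBJECT = "DC=dir, DC=emea, OU=+DE, OU=OU-Administration, OU=Users, OU=X1, CN=cwinwell"

if __name__ == "__main__":
    print(check_names(PAGE_CONSTRAINTS, [("DirName", PAGE_SUBJECT)]))
    print(check_names(PAGE_CONSTRAINTS, [("DirName", PAGE_SUBJECT), ("IP", "172.23.0.171")]))
```

Run as written, the page's accepted subject passes; the same subject with a DNS SAN under .dir is rejected by the excluded subtree, one with an IP SAN is rejected because the CA lists a constraint type that cannot be verified, and the subject with its RDNs in the opposite order fails the prefix rule, as in the incorrect example above. A standards-based validator compares DNs structurally rather than as strings; the literal prefix rule here follows the page's own description.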

Viewing Certificate Store Certificates

The Certificate Store page lists all the CA certificates that have been added to Cisco ISE. To view the CA certificates, you must be a Super Admin or System Admin.

To view all the certificates, choose Administration > System > Certificates > Certificate Store. The Certificate Store page appears, listing all the CA certificates.

Changing the Status of a Certificate in Certificate Store

The status of a certificate must be enabled so that Cisco ISE can use the certificate for establishing trust. When a certificate is imported into the Certificate Store, it is automatically enabled.

Step 1 Choose Administration > System > Certificates > Certificate Store.

Step 2 Check the check box next to the certificate you want to enable or disable, and click Change Status.


Adding a Certificate to Certificate Store

The Certificate Store page allows you to add CA certificates to Cisco ISE.

Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.

• Ensure that the certificate you want to add resides on the file system of the computer where your browser is running. The certificate must be in PEM or DER format.

Step 1 Choose Administration > System > Certificates > Certificate Store.

Step 2 Click Import.

Step 3 Configure the field values as necessary.

If client certificate-based authentication is enabled, then Cisco ISE will restart the application server on each node in your deployment, starting with the application server on the primary Administration node and followed, one-by-one, by each additional node.

Editing a Certificate Store Certificate

After you add a certificate to the Certificate Store, you can further edit it by using the edit settings.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Certificate Store.

Step 2 Check the check box next to the certificate that you want to edit, and click Edit.

Step 3 Modify the editable fields as required.

Step 4 Click Save to save the changes you have made to the certificate store.

Exporting a Certificate from the Certificate Store

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Choose Administration > System > Certificates > Certificate Store.

Step 2 Check the check box next to the certificate that you want to export, and click Export. You can export only one certificate at a time.

Step 3 Save the privacy-enhanced mail file to the file system that is running your client browser.


Importing Certificate Chains

You can import multiple certificates from a single file that contains a certificate chain received from a Certificate Authority (CA). All certificates in the file must be in Privacy-Enhanced Mail (PEM) format, and the certificates must be arranged in the following order:

• The last certificate in the file must be the client or server certificate issued by the CA.

• All preceding certificates must be the root CA certificate plus any intermediate CA certificates in the signing chain for the issued certificate.

Importing a certificate chain is a two-step process:

Step 1 Import the certificate chain file into the Certificate Store using the Adding a Certificate to Certificate Store operation. This operation will import all certificates from the file except the last one into the Certificate Store. You can perform this step only on the primary Administration node.

Step 2 Import the certificate chain file using the Binding a CA-Signed Certificate operation. This operation will import the last certificate from the file as a local certificate.

Installation of CA Certificates for Cisco ISE Inter-node Communication

In a distributed deployment, before registering a secondary node, you must populate the primary node’s CTL with the appropriate CA certificates that are used to validate the HTTPS certificate of the secondary node. The procedure to populate the CTL of the primary node is different for different scenarios:

• If the secondary node is using a CA-signed certificate for HTTPS communication, you must import the CA-signed certificate of the secondary node into the CTL of the primary node.

• If the secondary node is using a self-signed certificate for HTTPS communication, you can import the self-signed certificate of the secondary node into the CTL of the primary node.

Note If you change the HTTPS certificate on a secondary node after it has been registered with the primary node, you must again obtain the CA certificates that can be used to validate the secondary node’s new HTTPS certificate.

Related Topics

• Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL, page E-28

• Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node, page E-29

Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Log in to the Admin portal of the node that you are going to register as your secondary node, and export the CA-signed certificate that is used for HTTPS communication to the file system running your client browser.


Step 2 In the Export dialog box, click the Export Certificate Only radio button.

Step 3 Log in to the Admin portal of your primary node, and import the CA-signed certificate of the secondary node into the CTL of the primary node.

Related Topics

• Exporting a Certificate from the Certificate Store, page E-27

• Adding a Certificate to Certificate Store, page E-27

Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1 Log in to the Admin portal of the node that you are going to register as your secondary node and export the self-signed certificate that is used for HTTPS communication to the file system running your client browser.

Step 2 In the Export dialog box, click the Export Certificate Only radio button.

Step 3 Log in to the Admin portal of your primary node, and import the self-signed certificate of the secondary node into the CTL of the primary node.

Related Topics

• Exporting a Local Certificate, page E-22

• Adding a Certificate to Certificate Store, page E-27

Simple Certificate Enrollment Protocol Profiles

To enable certificate provisioning for the variety of mobile devices that users can register on the network, Cisco ISE lets you configure one or more Simple Certificate Enrollment Protocol (SCEP) Certificate Authority (CA) profiles that point Cisco ISE to multiple CA locations. Multiple profiles provide high availability and load balancing across the CA locations that you specify. If a request to a particular SCEP CA goes unanswered three consecutive times, Cisco ISE declares that server unavailable and automatically moves to the CA with the next lowest known load and response time, then polls the failed server periodically until it comes back online.

For details on how to set up your Microsoft SCEP server to interoperate with Cisco ISE, see

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf.

Related Topics

• Adding Simple Certificate Enrollment Protocol Profiles, page E-30

• OCSP Services, page E-30


Adding Simple Certificate Enrollment Protocol Profiles

Step 1 Choose Administration > System > Certificates > SCEP CA Profile.

Step 2 Specify a Name for the profile to distinguish it from other SCEP CA profile names.

Step 3 Enter an optional Description of the profile.

Step 4 Specify the URL of the SCEP CA server in question, where Cisco ISE can direct SCEP CA requests when users access the network from their mobile devices.

You can optionally use the adjacent Test Connectivity button to verify that Cisco ISE can reach the server at the URL you specify before you click Submit. (Either way, Cisco ISE tests the URL before allowing you to save the profile.)

Step 5 Click Submit.

For Reference:

Once users’ devices receive their validated certificate, it resides on the device as described in Table E-1.

Table E-1 Device Certificate Location

Device        Certificate Storage Location   Access Method
iPhone/iPad   Standard certificate store     Settings > General > Profile
Android       Encrypted certificate store    Invisible to end users. Certificates can be removed using Settings > Location & Security > Clear Storage.
Windows       Standard certificate store     Launch mmc.exe from the cmd prompt, or view in the Certificates snap-in.
Mac           Standard certificate store     Applications > Utilities > Keychain Access

OCSP Services

The Online Certificate Status Protocol (OCSP) is a protocol for checking the status of X.509 digital certificates. It is an alternative to the Certificate Revocation List (CRL) and addresses some of the problems of handling CRLs.

Cisco ISE can communicate with OCSP servers over HTTP to validate the status of certificates during authentication. The OCSP configuration is a reusable configuration object that can be referenced from any certificate authority (CA) certificate configured in Cisco ISE. See Editing a Certificate Store Certificate, page E-27.

You can configure CRL and/or OCSP verification per CA. If both are selected, Cisco ISE first performs verification over OCSP. If a communication problem is detected with both the primary and secondary OCSP servers, or if an unknown status is returned for a given certificate, Cisco ISE switches to checking the CRL.

This section contains the following topics:

• OCSP Certificate Status Values, page E-31

• OCSP High Availability, page E-31

• OCSP Failures, page E-31

• Adding OCSP Services, page E-32

• OCSP Statistics Counters, page E-33

• Monitoring OCSP, page E-34

OCSP Certificate Status Values

OCSP services return the following values for a given certificate request:

• Good—Indicates a positive response to the status inquiry. It means that the certificate is not revoked, and the state is good only until the next time interval (time to live) value.

• Revoked—The certificate was revoked.

• Unknown—The certificate status is unknown. This can happen if the OCSP responder is not configured to handle the CA that issued the certificate.

• Error—No response was received for the OCSP request.

Related Topics

OCSP Statistics Counters, page E-33

OCSP High Availability

Cisco ISE can be configured with up to two OCSP servers per CA, called the primary and secondary OCSP servers. Each OCSP server configuration contains the following parameters:

• URL—The OCSP server URL.

• Nonce—A random number that is sent in the request and must be echoed in the response. This option ensures that old responses cannot be reused in replay attacks.

• Validate response—Cisco ISE validates the response signature that is received from the OCSP server.

If the primary OCSP server does not respond within the timeout (5 seconds), Cisco ISE switches to the secondary OCSP server.

Cisco ISE uses the secondary OCSP server for a configurable amount of time before attempting to use the primary server again.

OCSP Failures

The three general OCSP failure scenarios are as follows:

1. Failed OCSP cache or OCSP client side (Cisco ISE) failures.

2. Failed OCSP responder scenarios, for example:

a. The primary OCSP responder not responding, and the secondary OCSP responder responding to the Cisco ISE OCSP request.

b. Errors or responses not received from Cisco ISE OCSP requests.


An OCSP responder may not provide a response to the Cisco ISE OCSP request or it may return an OCSP Response Status as not successful. OCSP Response Status values can be as follows:

– tryLater

– signRequired

– unauthorized

– internalError

– malformedRequest

There are many date-time checks, signature validity checks, and so on, in the OCSP exchange. For more details, refer to RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, which describes all the possible states, including the error states.

3. Failed OCSP reports

Adding OCSP Services

You can use the add OCSP page to add new OCSP services to Cisco ISE.

Step 1 Choose Administration > System > Certificates > OCSP Services.

Step 2 Click Add

Step 3 Provide a name and description for the OCSP service.

Step 4 Check the Enable Secondary Server check box if you want to enable high availability.

Step 5 Select one of the following options for high availability:

• Always Access Primary Server First —Use this option to check the primary server before trying to move to the secondary server. Even if the primary was checked earlier and found to be unresponsive, Cisco ISE will try to send a request to the primary server before moving to the secondary server.

• Fallback to Primary Server After Interval—Use this option when you want Cisco ISE to move to the secondary server and fall back to the primary server only after an interval. In this case the primary server is skipped and the secondary server is used for the amount of time configured in the text box. The allowed time range is 1 to 999 minutes.

Step 6 Provide the URLs or IP addresses of the primary and secondary OCSP servers.

Step 7 Check or uncheck the following options:

• Nonce—You can configure a nonce to be sent as part of the OCSP request. The Nonce includes a pseudo-random number in the OCSP request. It is verified that the number that is received in the response is the same as the number that is included in the request. This option ensures that old communications cannot be reused in replay attacks.

• Validate Response Signature—The OCSP responder signs the response with one of the following signatures:

– The CA certificate

– A certificate different from the CA certificate

In order for Cisco ISE to validate the response signature, the OCSP responder needs to send the response along with the signing certificate; otherwise the response verification fails, and the status of the certificate cannot be relied on. According to the RFC, an OCSP responder can sign the response using different certificates. This is acceptable as long as the responder sends the certificate that signed the response so that Cisco ISE can validate it. If the responder signs the response with a different certificate that is not configured in Cisco ISE, the response verification will fail.

Step 8 Provide the number of minutes for the Cache Entry Time to Live.

Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the certificate will be updated next on the server. When the OCSP response is cached, the two values (one from the configuration and another from response) are compared, and the response is cached for the period of time that is the lowest value of these two. If the nextUpdate value is 0, the response is not cached at all.

Cisco ISE will cache OCSP responses for the configured time. The cache is not replicated or persistent, so when Cisco ISE restarts, the cache is cleared.

The OCSP cache is used in order to maintain the OCSP responses and for the following reasons:

• To reduce network traffic and load from the OCSP servers on an already-known certificate

• To increase the performance of Cisco ISE by caching already-known certificate statuses

Step 9 Click Clear Cache to clear entries of all the certificate authorities that are connected to the OCSP service.

In a deployment, Clear Cache interacts with all the nodes and performs the operation. This mechanism updates every node in the deployment.
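The primary/secondary behaviour, the 5-second timeout, the two high-availability options, the nextUpdate-bounded cache and the fall-back to the CRL described in OCSP High Availability and in Steps 5 to 8 above, worked through as an added example. This is not Cisco code and does not describe the ISE implementation beyond what this page states: the responders, the clock (minutes, passed in explicitly) and the CRL lookup are constructed stand-ins, and `OcspService`, `Responder` and `demo` are names chosen for this example. The counter names follow Table E-2.

```python
"""OCSP client behaviour as this page describes it for Cisco ISE: primary and
secondary responders, the 5-second timeout, the two high-availability modes,
response caching bounded by nextUpdate, and fallback to the CRL when both
responders fail or a status of Unknown comes back.

Added example, not Cisco code. The responders, the clock (minutes, passed in
explicitly) and the CRL lookup are constructed stand-ins so it runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TIMEOUT_S = 5.0                      # per-responder timeout stated on the page


@dataclass
class OcspResponse:
    status: str                      # "good" | "revoked" | "unknown" | "error"
    next_update_min: int             # minutes until the responder refreshes; 0 = never cache


@dataclass
class Responder:
    """Constructed stand-in for an OCSP server; latency above the timeout means no answer."""
    url: str
    latency_s: float
    handler: Callable[[str], OcspResponse]

    def query(self, serial: str) -> Optional[OcspResponse]:
        return None if self.latency_s > TIMEOUT_S else self.handler(serial)


def new_counters() -> Dict[str, int]:
    """Zeroed counters named after the Table E-2 syslog fields this example exercises."""
    keys = ["NumOfCertsFoundInCache"]
    for role in ("Primary", "Secondary"):
        keys.append(f"OCSP{role}NotResponsiveCount")
        keys += [f"OCSP{role}Certs{st}Count" for st in ("Good", "Revoked", "Unknown")]
    return dict.fromkeys(keys, 0)


@dataclass
class OcspService:
    primary: Responder
    secondary: Optional[Responder]
    mode: str                        # "always_primary_first" | "fallback_after_interval"
    fallback_minutes: int = 10       # the form allows 1..999
    cache_ttl_min: int = 60          # "Cache Entry Time to Live"
    crl_lookup: Callable[[str], str] = lambda serial: "good"   # stand-in for the CRL check
    counters: Dict[str, int] = field(default_factory=new_counters)
    _cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # serial -> (status, expiry)
    _use_secondary_until: float = 0.0

    def _order(self, now_min: float) -> List[Tuple[str, Responder]]:
        if (self.secondary and self.mode == "fallback_after_interval"
                and now_min < self._use_secondary_until):
            return [("secondary", self.secondary)]      # primary is skipped for the whole interval
        order = [("primary", self.primary)]
        if self.secondary:
            order.append(("secondary", self.secondary))
        return order

    def _remember(self, serial: str, resp: OcspResponse, now_min: float) -> None:
        if resp.next_update_min == 0:
            return                                       # nextUpdate 0: the response is not cached
        ttl = min(self.cache_ttl_min, resp.next_update_min)   # the lower of the two values wins
        self._cache[serial] = (resp.status, now_min + ttl)

    def check(self, serial: str, now_min: float) -> Tuple[str, str]:
        """Return (status, source); source is 'cache', 'primary', 'secondary' or 'crl'."""
        cached = self._cache.get(serial)
        if cached and now_min < cached[1]:
            self.counters["NumOfCertsFoundInCache"] += 1
            return cached[0], "cache"
        for role, responder in self._order(now_min):
            resp = responder.query(serial)
            if resp is None or resp.status == "error":
                self.counters[f"OCSP{role.title()}NotResponsiveCount"] += 1
                if role == "primary" and self.secondary and self.mode == "fallback_after_interval":
                    self._use_secondary_until = now_min + self.fallback_minutes
                continue
            self.counters[f"OCSP{role.title()}Certs{resp.status.title()}Count"] += 1
            if resp.status == "unknown":
                break                                    # answered, but cannot vouch: use the CRL
            self._remember(serial, resp, now_min)
            return resp.status, role
        return self.crl_lookup(serial), "crl"            # both responders failed, or Unknown


def demo() -> Tuple[Dict[str, Tuple[str, str]], Dict[str, int]]:
    """Constructed scenario: a primary that always times out and a healthy secondary."""
    table = {"0xBAD": OcspResponse("revoked", 30), "0xUNK": OcspResponse("unknown", 30),
             "0xNOCACHE": OcspResponse("good", 0)}
    slow_primary = Responder("http://ocsp-primary.example/", 6.0, lambda s: OcspResponse("good", 30))
    secondary = Responder("http://ocsp-secondary.example/", 0.2,
                          lambda s: table.get(s, OcspResponse("good", 30)))
    svc = OcspService(slow_primary, secondary, mode="fallback_after_interval", fallback_minutes=15)
    out = {}
    out["first"] = svc.check("0x01", now_min=0)          # primary times out; secondary answers, cached 30 min
    out["cached"] = svc.check("0x01", now_min=10)        # served from the cache
    out["revoked"] = svc.check("0xBAD", now_min=12)      # inside the fallback window: secondary only
    out["unknown"] = svc.check("0xUNK", now_min=13)      # Unknown: fall back to the CRL
    out["nocache_1"] = svc.check("0xNOCACHE", now_min=14)
    out["nocache_2"] = svc.check("0xNOCACHE", now_min=14)  # nextUpdate 0: the responder is asked again
    out["expired"] = svc.check("0x01", now_min=31)       # cache expired, window over: primary retried first
    return out, svc.counters
```

In the scenario, the primary is timed out twice (once at the start and once after the 15-minute fallback window has passed), every other lookup goes to the secondary or the cache, the Unknown status is answered from the CRL, and the response with nextUpdate 0 is fetched again on the very next request. Switching `mode` to "always_primary_first" makes every cache miss try the timed-out primary again before the secondary, which is the cost the page's first option describes.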

OCSP Statistics Counters

The OCSP counters are used for logging and monitoring the data and health of the OCSP servers. Logging occurs every five minutes. A syslog message is sent to the Cisco ISE Monitoring node and is preserved in the local store, which contains data from the previous five minutes. After the message is sent, the counters are recalculated for the next interval. This means, after five minutes, a new five-minute window interval starts again.

Table E-2 lists the OCSP syslog messages and their descriptions.

Table E-2 OCSP Syslog Messages

Message                           Description
OCSPPrimaryNotResponsiveCount     The number of requests to the primary OCSP server that received no response
OCSPSecondaryNotResponsiveCount   The number of requests to the secondary OCSP server that received no response
OCSPPrimaryCertsGoodCount         The number of ‘good’ statuses returned for a given CA by the primary OCSP server
OCSPSecondaryCertsGoodCount       The number of ‘good’ statuses returned for a given CA by the secondary OCSP server
OCSPPrimaryCertsRevokedCount      The number of ‘revoked’ statuses returned for a given CA by the primary OCSP server
OCSPSecondaryCertsRevokedCount    The number of ‘revoked’ statuses returned for a given CA by the secondary OCSP server
OCSPPrimaryCertsUnknownCount      The number of ‘unknown’ statuses returned for a given CA by the primary OCSP server
OCSPSecondaryCertsUnknownCount    The number of ‘unknown’ statuses returned for a given CA by the secondary OCSP server
OCSPPrimaryCertsFoundCount        The number of certificates found in the cache whose status came from the primary server
OCSPSecondaryCertsFoundCount      The number of certificates found in the cache whose status came from the secondary server
ClearCacheInvokedCount            The number of times Clear Cache was triggered during the interval
OCSPCertsCleanedUpCount           The number of cached entries cleaned up during the interval
NumOfCertsFoundInCache            The number of requests fulfilled from the cache
OCSPCacheCertsCount               The number of certificates held in the OCSP cache

Monitoring OCSP

You can view the OCSP services data in the form of an OCSP Monitoring Report. For more information on Cisco ISE reports, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Configuring Certificates for Inline Posture Nodes

After you install the Inline Posture node Release 1.2 ISO image on any of the supported appliance platforms and run the setup program, you must configure certificates for the Inline Posture node before you can add it to the deployment. You configure Inline Posture node certificates only from the CLI.

Before You Begin

• The Inline Posture node’s certificate must be issued by the same certificate authority (CA) that issued the primary Administration node’s certificate.

• If you wish to deploy an active-standby pair of Inline Posture nodes, you must configure certificates on both the active and the standby Inline Posture node.

Step 1 Log in to the Inline Posture node through the CLI.

Step 2 Enter the following command:

pep certificate server generatecsr

Step 3 Enter y to generate a new private key for the certificate signing request (CSR), or n to use an existing private key file.

Step 4 Enter the desired key size.

Step 5 Enter the type of digest to sign the request with.

Step 6 Enter a country code name (2 letter code).

Step 7 Enter values for the state, city, organization, and organizational unit.

Step 8 Enter the Common Name. The Common Name is the same as your hostname. You must enter the fully qualified domain name (FQDN). For example, if your hostname is IPN1 and your DNS domain name is cisco.com, you must enter IPN1.cisco.com as your Common Name.

Step 9 Enter an e-mail address.

Step 10 Copy the entire block of text including the blank line after the END CERTIFICATE REQUEST tag (to include the carriage return).

Step 11 Send this CSR to the CA that signed the primary Administration node certificate.

If you are using the Microsoft CA, choose Web Server as the certificate template while sending the signing request.

Note Only server authentication is supported in Release 1.2. If you use other CAs to sign a certificate, ensure that the extended key usage specifies server authentication alone.

Step 12 Download the signed certificate in the DER or base64 format and copy it to an FTP server.

Step 13 Enter the following command from the Inline Posture node CLI:

copy ftp://a.b.c.d/ipn1.cer disk:

where a.b.c.d is the IP address of the FTP server and ipn1.cer is the CA-signed certificate that you are adding to the Inline Posture node.

Step 14 Enter the username and password for the FTP server.

Step 15 Enter the following command from the Inline Posture node CLI:

pep certificate server add

Step 16 Enter y for the application to restart.

Step 17 Enter y to bind the certificate to the last CSR.

Step 18 Enter the name of the CA-signed certificate.

The Inline Posture application restarts. You can now register this Inline Posture node with your primary Administration node. Refer to the Cisco Identity Services Engine User Guide, Release 1.2 for more information.

Index

B

beeps for USB devices A-8

C

cable management arm installation A-6

Cisco ISE deployment 1-1

D

DHCP, enabling 3-4

E

environmental specifications B-1

I

installation

cable management arm A-6

initial power-on and setup A-7

IP settings 3-4

NIC modes 3-4

NIC redundancy 3-4

power cables A-8

rack installation A-4

rack requirements A-4

required equipment A-4

slide rails A-5

unpacking and inspection A-2

verification 3-15

installing Cisco ISE

setup program 3-7

post-installation tasks 7-1

IP settings, DHCP or static 3-4

L

location

serial number 2-1

M

motherboard beeps A-8

N

NIC modes, setting 3-4

NIC redundancy 3-4

P

packing list A-2

physical specifications B-1

post-installation tasks 7-1

power

connecting power cords A-8

specifications B-2

R

rack installation A-4, A-5

rack requirements A-4

required equipment

installation A-4


S

serial number

location 2-1

setting NIC modes 3-4

setting NIC redundancy 3-4

slide rail installation A-5

specifications

environmental B-1

physical B-1

power B-2

static IP, setting 3-4

U

unpacking the server A-2

upgrading

post-installation tasks 7-1

V

VMware

configuring 4-9

hardware requirements 4-2

installing 4-1

installing the Cisco ISE appliance 4-19
