Professional Documents
Culture Documents
December 2018
THE SOFT WARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFT WARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Cisco installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply
with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection
against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without written authorization from Cisco may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Move the equipment to one side or the other of the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOT WITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFT WARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1721R)
Preface 1
Purpose 1
Audience 2
Document Organization 2
Installation Reference 3
Document Conventions 3
Related Documentation 4
Release-Specific Documents 4
Platform-Specific Documents 5
Obtaining Documentation and Submitting a Service Request 6
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE
Functions 1-13
Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance 3-9
Supported Time Zones 3-13
Setup Process Verification 3-15
Connecting to a Cisco ISE VMware Server Using the Serial Console 4-21
CHAPTER 5 Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS
Appliances 5-1
Installing Cisco ISE, Release 1.2, Software from a DVD 5-2
Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance 5-3
Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance 5-3
Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s
CTL E-28
Importing a Self-Signed Certificate from a Secondary Node into the CTL of the
Primary Node E-29
Simple Certificate Enrollment Protocol Profiles E-29
Adding Simple Certificate Enrollment Protocol Profiles E-30
I NDEX
Purpose
This installation guide provides the following types of information about Cisco ISE, Release 1.2:
• Prerequisites for installation
• Procedures for installing the Cisco ISE software on a supported Cisco ISE appliance
• Procedures for installing the Cisco ISE software on a supported VMware virtual machine
• Procedures for installing the Cisco ISE software on a supported Cisco Network Admission Control
(NAC) appliance or Cisco Secure Access Control System (ACS) appliance
Cisco ISE, Release 1.2 offers a choice of two appliance platforms. Your choice depends on the size of
your deployment:
• Small network—SNS 3415
• Large network—SNS 3495
You can upgrade an existing Cisco ISE 3300 series appliance to Release 1.2.
For VMware-based installations, you must configure the VMware environment to meet minimum system
requirements and then install the Cisco ISE, Release 1.2, software. See Chapter 4, “Installing Release
1.2 Software on a VMware Virtual Machine” for more information.
The supported VMware versions include the following:
• VMware Elastic Sky X (ESX), Version 4.0, 4.0.1, and 4.1
• VMware ESXi, Version 4.x and 5.x
• VMware vSphere Client 4.x and 5.x
Audience
This guide is designed for network administrators, system integrators, or network deployment personnel
who install and configure the Cisco ISE software on Cisco SNS-3400 Series appliances or on VMware
servers. As a prerequisite to using this hardware installation guide, you should be familiar with
networking equipment and cabling and have a basic knowledge of electronic circuitry, wiring practices,
and equipment rack installations.
Warning Only trained and qualified personnel should be allowed to install, replace, or service this
equipment. Statement 1030
Document Organization
Table 1 Cisco ISE Hardware Installation Guide Organization
Installation Reference
Table 2 Cisco ISE 1.2 Installation Scenarios
Document Conventions
This guide uses the following conventions to convey instructions and information.
Convention Item
bold Commands, keywords, and user-entered text as
well as tab and button names in procedural text
appear in bold font.
italic Document titles, new or emphasized terms, and
arguments for which you supply values are in
italic font.
courier Terminal sessions and information the system
displays is in courier (monospace, fixed-width)
font.
<> In examples that do not allow italics, such as
ASCII outputs, arguments for which you must
supply a value appear in <angle> brackets.
Note Means reader take note. Notes contain helpful suggestions or references to material that is not discussed
in the manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
This warning symbol means danger. You are in a situation that could cause bodily injury. Before
you work on any equipment, be aware of the hazards involved with electrical circuitry and be
familiar with standard practices for preventing accidents. Use the statement number provided at
the end of each warning to locate its translation in the translated safety warnings that
accompanied this device.
Tip Means the following information will help you solve a problem. The tips information might not be
troubleshooting or even an action, but could be useful information, similar to a Timesaver.
Related Documentation
Release-Specific Documents
Note General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user
documentation is available on Cisco.com at
http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.
Platform-Specific Documents
• Cisco ISE
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
• Cisco NAC Appliance
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
• Cisco NAC Guest Server
http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html
• Cisco NAC Profiler
http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html
• Cisco Secure ACS
http://www.cisco.com/en/US/products/ps9911/ tsd_products_support_series_home.html
• Cisco UCS C-Series Servers
http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/
UCS_rack_roadmap.html
• To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
• To submit a service request, visit Cisco Support.
• To discover and browse secure, validated enterprise-class apps, products, solutions and services,
visit Cisco Marketplace.
• To obtain general networking, training, and certification titles, visit Cisco Press.
• To find warranty information for a specific product or product family, access Cisco Warranty Finder.
This chapter describes several network deployment scenarios, provides information about how to deploy
the Cisco Identity Services Engine (ISE) SNS 3400 Series appliance and its related components, and
provides a pointer to the switch and Wireless LAN Controller configurations that are needed to support
Cisco ISE. This chapter contains the following sections:
• Architecture Overview, page 1-1
• Network Deployment Terminology, page 1-2
• Node Types and Personas in Distributed Deployments, page 1-3
• Standalone and Distributed Deployments, page 1-5
• Distributed Deployment Scenarios, page 1-5
• Deployment Size and Scaling Recommendations, page 1-10
• Inline Posture Planning Considerations, page 1-12
• Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions,
page 1-13
Architecture Overview
Cisco ISE architecture includes the following components:
• Nodes and persona types
– Cisco ISE node—A Cisco ISE node can assume any or all of the following personas:
Administration, Policy Service, or Monitoring
– Inline Posture node—A gatekeeping node that takes care of access policy enforcement
• Network resources
• Endpoints
Note Figure 1-1 shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an
Inline Posture node, and a policy information point.
The policy information point represents the point at which external information is communicated to the
Policy Service persona. For example, external information could be a Lightweight Directory Access
Protocol (LDAP) attribute.
282088
Network Deployment Terminology
The following terms are commonly used when discussing Cisco ISE deployment scenarios:
• Service—A service is a specific feature that a persona provides such as network access, profiling,
posture, security group access, monitoring, and troubleshooting.
• Node—A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as
an appliance and as software that can be run on VMware.
• Node Type—A node can be one of two types: A Cisco ISE node or an Inline Posture node. The node
type and persona determine the type of functionality provided by a node.
• Persona—The persona or personas of a node determines the services provided by a node. A Cisco
ISE node can assume any or all of the following personas: Administration, Policy Service, and
Monitoring. The menu options that are available through the administrative user interface depend
on the role and personas that a node assumes.
• Role—The role of a node determines if it is a standalone, primary, or secondary node and applies
only to Administration and Monitoring nodes.
Related Topics
• Administration Node, page 1-3
• Policy Service Node, page 1-3
• Monitoring Node, page 1-3
• Inline Posture Node, page 1-4
Administration Node
A Cisco ISE node with the Administration persona allows you to perform all administrative operations
on Cisco ISE. It handles all system-related configurations that are related to functionality such as
authentication, authorization, and accounting. In a distributed deployment, you can have one or a
maximum of two nodes running the Administration persona. The Administration persona can take on the
standalone, primary, or secondary role.
Monitoring Node
A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages
from all the Administration and Policy Service nodes in a network. This persona provides advanced
monitoring and troubleshooting tools that you can use to effectively manage a network and resources. A
node with this persona aggregates and correlates the data that it collects, and provides you with
meaningful reports. Cisco ISE allows you to have a maximum of two nodes with this persona, and they
can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring
nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring
node automatically becomes the primary Monitoring node.
At least one node in your distributed setup should assume the Monitoring persona. We recommend that
you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We
recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.
Note You cannot access the web-based user interface of the Inline Posture nodes. You can configure them only
from the primary Administration node.
Before you can add an Inline Posture node to a deployment, you must configure a certificate for it and
register it with the primary Administration node. See Configuring Certificates for Inline Posture Nodes,
page E-34 for more information.
Note Concurrent endpoints represent the total number of supported users and devices. Concurrent endpoints
can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming
consoles, printers, fax machines, or other types of network devices.
The primary node provides all the configuration, authentication, and policy capabilities that are required
for this network model, and the secondary Cisco ISE node functions in a backup role. The secondary
node supports the primary node and maintains a functioning network whenever connectivity is lost
between the primary node and network appliances, network resources, or RADIUS.
Centralized authentication, authorization, and accounting (AAA) operations between clients and the
primary Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates
all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node. Thus,
your secondary node is current with the state of your primary node. In a small network deployment, this
type of configuration model allows you to configure both your primary and secondary nodes on all
RADIUS clients by using this type of deployment or a similar approach.
282092
As the number of devices, network resources, users, and AAA clients increases in your network
environment, you should change your deployment configuration from the basic small model and use
more of a split or distributed deployment model, as shown in Figure 1-3.
Figure 1-2 shows the secondary Cisco ISE node acting as a Policy Service persona performing AAA
functions. The secondary Cisco ISE node could also be acting as a Monitoring or Administration
persona.
Split Deployments
In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described in
a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to
optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to
handle the full workload if there are any problems with AAA connectivity. Neither the primary node nor
the secondary nodes handles all AAA requests during normal network operations because this workload
is distributed between the two nodes.
The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system.
In addition, splitting the load provides better loading while the functional status of the secondary node
is maintained during the course of normal network operations.
In split Cisco ISE deployments, each node can perform its own specific operations, such as network
admission or device administration, and still perform all the AAA functions in the event of a failure. If
you have two Cisco ISE nodes that process authentication requests and collect accounting data from
AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector.
Figure 1-3 shows the secondary Cisco ISE node in this role.
282093
In addition, the split Cisco ISE node deployment design provides an advantage because it also allows for
growth, as shown in Figure 1-4.
282094
Dispersed Network Deployments
Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus
with regional, national, or satellite locations elsewhere. The main campus is where the primary network
resides, is connected to additional LANs, ranges in size from small to large, and supports appliances and
users in different geographical regions and locations.
Large remote sites can have their own AAA infrastructure (as shown in Figure 1-6) for optimal AAA
performance. A centralized management model helps maintain a consistent, synchronized AAA policy.
A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We
still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote
location should retain its own unique network requirements.
282095
Before You Plan a Network with Several Remote Sites
• Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight
Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the
external database that is available for Cisco ISE to access for optimizing AAA performance.
• The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible
to the AAA clients to reduce network latency effects and the potential for loss of access that is
caused by WAN failures.
• Cisco ISE has console access for some functions such as backup. Consider using a terminal at each
site, which allows for direct, secure console access that bypasses network access to each node.
• If small, remote sites are in close proximity and have reliable WAN connectivity to other sites,
consider using a Cisco ISE node as a backup for the local site to provide redundancy.
• Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access
to the external databases.
Maximum Number
Deployment of Dedicated Policy Number of Active
Type Number of Nodes/Personas Appliance Platform Service Nodes Endpoints
Small Standalone or redundant (2) Cisco ISE 3300 Series 0 Maximum of 2,000
nodes with Administration, (3315, 3355, 3395) endpoints
Policy Service, and Cisco ISE 3415 0 Maximum of 5,000
Monitoring personas enabled. endpoints
Cisco ISE 3495 0 Maximum of 10,000
endpoints
Medium Administration and Cisco ISE-3355 or 5 Maximum of 5,000
Monitoring personas on single Cisco SNS 3415 endpoints
or redundant nodes. Maximum appliances for
of 2 Administration and Administration and
Monitoring nodes. Monitoring personas
Cisco ISE 3395 or 5 Maximum of 10,000
Cisco SNS 3495 endpoints
appliances for
Administration and
Monitoring personas
Large Dedicated Administration Cisco ISE 3395 40 Maximum of 100,000
node/nodes. Maximum of 2 appliances for endpoints
Administration nodes. Administration and
Monitoring personas
Dedicated Monitoring
node/nodes. Maximum of 2 Cisco SNS 3495 40 Maximum of 250,000
Monitoring nodes. appliances for endpoints
Administration and
Monitoring personas
Table 1-2 provides guidance on the type of appliance that you would need for a dedicated Policy Service
node based on the number of active endpoints the node services.
Table 1-3 provides the maximum throughput and the maximum number of endpoints that a single Inline
Posture node can support.
Attribute Performance
Maximum number of endpoints per physical 5,000 to 20,000 (gated by Policy Service nodes)
appliance
Maximum throughput per any physical 936 Mbps
appliance
Caution The untrusted interface on an Inline Posture node should be disconnected when an Inline Posture node
is being configured. If the trusted and untrusted interfaces are connected to the same VLAN during initial
configuration, and the Inline Posture node boots up after changing persona, multicast packet traffic gets
flooded out of the untrusted interface. This multicast event can potentially bring down devices that are
connected to the same subnet or VLAN. The Inline Posture node at this time is in the maintenance mode.
Caution Do not change the CLI password for Inline Posture node once it has been added to the deployment. If
the password is changed, when you access the Inline Posture node through the Administration node, a
Java exception error is displayed and the CLI gets locked. You need to recover the password by using
the installation DVD and rebooting the Inline Posture node. Or, you can set the password to the original
one.
If you need to change the password, then deregister the Inline Posture node from the deployment, modify
the password, and then add the node to the deployment with the new credentials.
Related Topics
Cisco Identity Services Engine User Guide, Release 1.2.
Related Topics
For more switch and wireless LAN controller configuration requirements, see Appendix C, “Switch and
Wireless LAN Controller Configuration Required to Support Cisco ISE Functions,” in Cisco Identity
Services Engine User Guide, Release 1.2.
This chapter describes Cisco Secure Network Server (SNS) 3415 and 3495 appliances and hardware
specifications.
• Cisco SNS-3400 Series Appliance Hardware Specifications, page 2-1
• Cisco SNS Support for Cisco ISE, page 2-3
Note Cisco ISE 1.2 supports an optional redundant power supply unit for Cisco SNS-3415-K9. The part
number for the additional power supply to order is UCSC-PSU-650W=.
4 6
1 2 3 5 7 8
331682
HDD4 HDD5 HDD6 HDD7 HDD8
9 10
Rear Panel
Figure 2-2 shows the SNS 3415/3495 rear panel.
1 2 3 4 5
PCIe2
PSU1 PSU2
360856
6 7 8 9 10 11 12
This chapter describes how to install and configure a Cisco Identity Services Engine (ISE) 3400 Series
appliance, and contains the following topics:
• Installing the SNS-3400 Series Appliance in a Rack, page 3-1
• Downloading the Cisco ISE, Release 1.2 ISO Image, page 3-1
• Installing Release 1.2 Software on SNS-3400 Series Appliance, page 3-2
• Cisco Integrated Management Controller, page 3-3
• Configuring CIMC, page 3-3
• Creating a Bootable USB Drive, page 3-5
• Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6
• Cisco ISE Setup Program Parameters, page 3-7
• Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
• Setup Process Verification, page 3-15
Note Review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco
ISE software on a Cisco SNS-3400 series appliance. See Prerequisites for Configuring a Cisco
SNS-3400 Series Appliance, page 3-6 for more information.
Note For Inline Posture nodes, you must download the Inline Posture Node, Release 1.2, ISO and continue
with the installation process. See Inline Posture Node Installation, page 1-4 for more information.
Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access
this link.
Step 2 Click Download Software for this Product.
The Cisco ISE, Release 1.2, software image comes with a 90-day evaluation license already installed, so
you can begin testing all Cisco ISE services when the installation and initial configuration is complete.
Note For installing Release 1.2 using a USB flash device or an external DVD with a USB port, CIMC
configuration is optional. Choose one of these options if you do not prefer a remote installation.
Related Topics
• Configuring CIMC, page 3-3
• Creating a Bootable USB Drive, page 3-5
• Cisco ISE Setup Program Parameters, page 3-7
• Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
Configuring CIMC
You can perform all operations on Cisco SNS-3400 series appliance through the CIMC. To do this, you
must first configure an IP address and IP gateway to access the CIMC from a web-based browser.
Step 3 During bootup, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following
screen appears.
Step 4 Set the NIC mode to specify which ports access the CIMC for server management (see Figure 2-2 on
page 2-2 for identification of the ports). Cisco ISE can use up to four Gigabit Ethernet ports. Choose
Dedicated NIC mode, set NIC redundancy to None as described in Step 5, and select IP settings.
– Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select
NIC redundancy None and select IP settings.
– Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the
factory default setting, along with active-active NIC redundancy and DHCP enabled.
– Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You
must select a NIC redundancy and IP setting.
Note The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC
(N2XX-ACPCI01) that is installed in PCIe slot 1. See Special Considerations for Cisco UCS
Virtual Interface Cards.
Note Before you enable DHCP, this DHCP server must be preconfigured with the range of MAC
addresses for the server. The MAC address is printed on a label on the rear of the server. This
server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on
the label is the beginning of the range of six contiguous MAC addresses.
Step 7 (Optional) Specify VLAN setting and set a default CIMC user password.
Note Changes to the settings take effect after approximately 45 seconds. Press F5 to refresh and wait
until the new settings appear before you reboot the server in the next step.
Step 8 Press F10 to save your settings and reboot the server.
Note If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on
the console screen during bootup.
What To Do Next
Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
Note Do not choose the “Safely Remove Drive” or “Eject” options from the GUI.
Step 3 Copy the iso-to-usb.sh script and the Cisco ISE, Release 1.2, ISO image to a directory on the Linux
machine.
Step 4 Change the permissions of the script using the chmod command.
For example, # chmod u+x iso-to-usb.sh.
Step 5 As root user, enter the following command:
iso-to-usb.sh source_iso usb_device
For example, # ./iso-to-usb.sh ise-1.2.0.434-x86_64.iso /dev/sdb where iso-to-usb.sh is the name of the
script, ise-1.2.0.434-x86_64.iso is the name of the ISO image, and /dev/sdb is your USB device.
You might have to use the su command to switch to the root user account. You can also use the sudo
command to execute the script with root permissions.
Step 6 Enter a value for the appliance that you want to install the image on.
Step 7 Enter Y to continue.
Step 8 A success message appears.
Step 9 Unplug the USB drive.
What To Do Next
Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
Note In case you have purposefully deleted the RAID configuration on the Cisco SNS-3400 series
appliance, you must reinstall Cisco ISE, Release 1.2, using CIMC or the USB bootable drive.
While using the USB bootable drive to reinstall Cisco ISE, you must manually configure RAID
using the webBIOS. For more information on installing Cisco ISE using CIMC, see Using CIMC
to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9. For more
information on using the USB bootable drive to install Cisco ISE, see Creating a Bootable USB
Drive, page 3-5.
If you are installing Cisco ISE on Cisco ISE-3300 series, Cisco Secure ACS, or Cisco NAC appliances,
download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install
Cisco ISE, Release 1.2. See Appendix 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series,
Cisco NAC, and Cisco Secure ACS Appliances,” for the supported Cisco Secure ACS and Cisco NAC
platforms.
Note If you are installing Cisco ISE software on a VMware server, Cisco ISE also installs and configures
VMware Tools, Version 8.3.2, during the initial setup. To verify the installation, see Verifying the
Installation of VMware Tools, page 7-6.
Note For details about the web-based administrator username and password, see Verifying a Configuration
Using a Web Browser, page 7-4.
Note To configure VMware servers, see Configuring a VMware System to Boot From a Cisco ISE Software
DVD, page 4-17.
Step 1 Connect to the CIMC for server management. Connect the Ethernet cables from the LAN to the server
using the ports selected by the Network Interface Card (NIC) Mode setting. The active-active and
active-passive NIC redundancy settings require you to connect to two ports.
Step 2 Use a browser and the IP address of the CIMC to log in to the CIMC Setup Utility. The IP address is
based on the CIMC configuration that you made (either a static address or the address assigned by the
Dynamic Host Configuration Protocol (DHCP) server).
Note The default username for the server is admin. The default password is password.
Step 10 Press F6 to bring up the boot menu. A screen similar to the following one appears.
Step 11 Choose the CD/DVD that you mapped and press Enter. A screen similar to the following one appears.
Welcome to the ISE initial setup. The purpose of this setup is to provision the
internal ISE database. This setup is non-interactive, and will take roughly 15
minutes to complete.
...
Note An “Installing ISE-IPEP” message appears when you install the Inline Posture node, Release 1.2, ISO
image and you will see an “Application bundle (ISE-IPEP) installed successfully” message.
Note A “Virtual machine detected, configuring VMware tools...” message appears only if Cisco ISE is
installed on a virtual machine.
After the Cisco ISE or Inline Posture node software is configured, the Cisco ISE system reboots
automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you
configured during setup.
Step 14 If you installed the Inline Posture node ISO image, go to Configuring Certificates for Inline Posture
Nodes, page E-34.
Step 15 If you installed the Cisco ISE, Release 1.2, ISO image, log in to the Cisco ISE CLI shell, and run the
following CLI command to check the status of the Cisco ISE application processes:
ise-server/admin# show application status ise
Step 16 After you confirm that the Cisco ISE Application Server is running, you can log in to the Cisco ISE user
interface by using one of the supported web browsers. (See Accessing Cisco ISE Using a Web Browser,
page 7-1.)
To log in to the Cisco ISE user interface using a web browser, enter https://<your-ise-hostname
or IP address>/admin/ in the Address field:
Here “your-ise-hostname or IP address” represents the hostname or IP address that you configured for
the Cisco SNS-3400 series appliance during setup.
Step 17 At the Cisco ISE Login window, you are prompted to enter the web-based admin login credentials
(username and password) to access the Cisco ISE user interface. You can initially access the Cisco ISE
web interface by using the CLI-admin user’s username and password that you defined during the setup
process.
After you log in to the Cisco ISE user interface, you can then configure your devices, user stores,
policies, and other components.
The username and password credentials that you use for web-based access to the Cisco ISE user interface
are not the same as the CLI-admin user credentials that you created during the setup for accessing the
Cisco ISE CLI interface. For an explanation of the differences between these two types of admin users,
see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.
Caution Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on
that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in
Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.1.2.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting
ensures that the reports, logs, and posture agent log files from the various nodes in the
deployment are always synchronized with regard to the time stamps.
The format for time zones is POSIX or System V. POSIX time zone format syntax looks like
America/Los_Angeles, and System V time zone syntax looks like PST8PDT.
• For time zones in Europe, the United States, and Canada, see Table 3-2.
• For time zones in Australia, see Table 3-3.
• For time zones in Asia, see Table 3-4.
Table 3-2 Europe, United States, and Canada Time Zones (continued)
Australia1
ACT2 Adelaide Brisbane Broken_Hill
Canberra Currie Darwin Hobart
3
Lord_Howe Lindeman LHI Melbourne
4
North NSW Perth Queensland
South Sydney Tasmania Victoria
West Yancowinna — —
1. Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
2. ACT = Australian Capital Territory
3. LHI = Lord Howe Island
4. NSW = New South Wales
Asia1
Aden2 Almaty Amman Anadyr
Aqtau Aqtobe Ashgabat Ashkhabad
Baghdad Bahrain Baku Bangkok
Beirut Bishkek Brunei Kolkata
Choibalsan Chongqing Columbo Damascus
Dhakar Dili Dubai Dushanbe
Gaza Harbin Hong_Kong Hovd
Irkutsk Istanbul Jakarta Jayapura
Jerusalem Kabul Kamchatka Karachi
Kashgar Katmandu Kuala_Lumpur Kuching
Kuwait Krasnoyarsk — —
1. The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia.
2. Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.
Note The Cisco ISE CLI show timezones command displays a list of all time zones available to you. Choose
the most appropriate one for your network location.
This chapter describes the system requirements for installing the Cisco Identity Services Engine (ISE),
Release 1.2 software on a VMware virtual machine (VM). The following topics provide information
about the installation process:
• Supported VMware Versions, page 4-1
• Support for VMware vMotion in Release 1.2, page 4-2
• Virtual Machine Requirements, page 4-2
• Evaluating Release 1.2, page 4-5
• Configuring a VMware ESX or ESXi Server, page 4-6
• Preparing a VMware System for Cisco ISE Software Installation, page 4-16
• Installing Cisco ISE Software on a VMware System, page 4-18
• Connecting to a Cisco ISE VMware Server Using the Serial Console, page 4-20
• Cloning a Cisco ISE Virtual Machine, page 4-23
Note The Inline Posture node is supported only on Cisco SNS-3415 and Cisco ISE 3300 series appliances. It is not
supported on Cisco SNS-3495 series or VMware server systems. All the other designated roles are supported
for use on VMware virtual machines.
Note Cisco ISE, Release 1.2, supports the VMware vMotion feature (live migration of virtual machines from
one server to another).
Note When creating network connections for any NICs that you configure, we recommend that you
select E1000 from the Adapter drop-down list. Cisco ISE, Release 1.2, supports the E1000
and VMXNET3 adapters for all NICs. It does not support any other virtual NIC drivers. See
Step 11 in Configuring a VMware Server, page 4-9.
Cisco ISE, Release 1.2 can be installed on virtual machines based on legacy appliance specifications,
but for better performance, we recommend that you deploy new virtual machines based on the SNS-3400
series appliance specifications.
Recommended
Minimum Maximum Disk Space for
ISE Persona Disk Space Disk Space Production
Standalone ISE 200 GB 1.999 TB 600 GB to 1.999
TB1
Distributed ISE — Administration only2 200 GB 1.999 TB 250 to 300 GB
Distributed ISE —Monitoring only 200 GB 1.999 TB 600 GB to 1.999
TB1
Distributed ISE — Policy Service only2 100 GB 1.999 TB 150 to 200 GB
Distributed ISE — Administration and 200 GB 1.999 TB 600 GB to 1.999
Monitoring TB1
Distributed ISE — Administration, 200 GB 1.999 TB 600 GB to 1.999 TB
Monitoring, and Policy Service
1. Disk allocation varies based on logging retention requirements. See Table 4-4 for details.
2. Additional disk space may be allocated to support local logging, and to store the backup and upgrade files on the local disk.
Note You can allocate only up to 1.999 TB of disk space for a Cisco ISE, Release 1.2, virtual machine (VM).
On any node that has the Monitoring persona enabled, 30 percent of the VM disk space is allocated for
log storage. A deployment with 25,000 endpoints generates approximately 1 GB of logs per day.
For example, if you have a Monitoring node with 600-GB VM disk space, 180 GB is allocated for log
storage. If 100,000 endpoints connect to this network every day, it generates approximately 4 GB of logs
per day. In this case, you can store 38 days of logs in the Monitoring node, after which you must transfer
the old data to a repository and purge it from the Monitoring database.
For extra log storage, you can increase the VM disk space. For every 100 GB of disk space that you add,
you get 30 GB more for log storage. Depending on your requirements, you can increase the VM disk
size up to a maximum of 1.999 TB or 614 GB of log storage.
If you increase the disk size of your virtual machine, you must not upgrade to Cisco ISE 1.2, but instead
do a fresh installation of Cisco ISE 1.2 on your virtual machine.
Table 4-4 provides the number of days that logs can be retained on your Monitoring node based on the
disk space allotted to it and the number of endpoints that connect to your network.
Note You cannot migrate data to a production VM from a VM created with less than 200 GB of disk space.
You can migrate data only from VMs created with 200 GB or more disk space to a production
environment.
To obtain the Cisco ISE, Release 1.2 evaluation software (R-ISE-EVAL-K9=), contact your Cisco
Account Team or your Authorized Cisco Channel Partner.
To migrate a Cisco ISE configuration from an evaluation system to a fully licensed production system,
you need to complete the following tasks:
• Back up the configuration of the evaluation version.
• Ensure that your production VM has the required amount of disk space. Refer to Deployment Size
and Scaling Recommendations, page 1-10 for details.
• Install a production deployment license.
• Restore the configuration to the production system.
Note For evaluation, the minimum allocation requirements for a hard disk on a VMware server that supports
100 users is 100 GB. When you move the VMware server to a production environment that supports a
larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum
disk size that is listed in Table 4-3 or higher (up to the allowed maximum of 1.999 TB).
• Do not choose VMware thin provisioning as a storage type. This release of the Cisco ISE software
does not support using VMware thin provisioning as a storage type on any of the supported VMware
servers. Thin provisioning is not a default setting and Cisco advises against selecting it in Step 14
(as shown in Figure 4-12).
• If you are enabling the Profiler service, ensure that you have read and performed the tasks described
in Configuring VMware Server Interfaces for the Cisco ISE Profiler Service, page 4-8.
Configuring VMware Server Interfaces for the Cisco ISE Profiler Service
To configure VMware server interfaces to support the collection of Switch Port Analyzer (SPAN) or
mirrored traffic to a dedicated probe interface for the Cisco ISE Profiler Service, perform the following
steps:
Step 1 Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server
instance) > VMswitch0 (one of your VMware ESXi server interfaces) > Properties > Security.
Step 2 In the Policy Exceptions pane on the Security tab, check the Promiscuous Mode check box.
Step 3 In the Promiscuous Mode drop-down list, choose Accept and click OK.
Repeat the same steps on the other VMware ESX server interface used for profiler data collection of
SPAN or mirrored traffic.
The Name and Location dialog box appears (see Figure 4-5).
Step 4 Enter a name for the VMware system and click Next.
Tip Use the hostname that you want to use for your VMware host.
The Guest Operating System dialog box appears (see Figure 4-8).
Step 7 Choose Linux and Red Hat Enterprise Linux 5 (64-bit) from the Version drop-down list.
The Number of Virtual Processors dialog box appears (see Figure 4-9).
Step 8 Choose 2 from the Number of virtual sockets and the Number of cores per virtual socket drop-down list.
Total number of cores should be 4. Refer to “VMware Appliance Specifications for a Production
Environment” for details. Click Next.
(Optional; appears in some versions of ESX server. If you see only the Number of virtual processors,
choose 4).
The Memory Configuration dialog box appears.
Step 9 Enter a value based on the recommendations in Table 4-2, and click Next.
Step 10 The Network Interface Card (NIC) Configuration dialog box appears (see Figure 4-10).
Step 11 Choose a NIC and adapter and click Next.
Note We recommend that you choose the E1000 adapter. Cisco ISE, Release 1.2, supports only the
E1000 and VMXNET3 adapters. It does not support any other virtual NIC drivers.
The Virtual Disk Size and Provisioning Policy dialog box appears.
Step 14 In the Disk Provisioning dialog box, click the Thick Provisioning Lazy Zeroed radio button. Click Next
to continue. (See Figure 4-12.)
If you are using an earlier version of VMware client, uncheck the following options:
a. Uncheck the Allocate and commit space on demand (Thin Provisioning) check box.
b. Uncheck the Support clustering features such as Fault Tolerance check box.
Note When selecting the Thick Provisioned Lazy Zeroed option, the virtual disk is allocated all of its
provisioned space and immediately made accessible to the virtual machine. A lazy zeroed disk is not
zeroed up front, which makes the provisioning very fast. However, there is an added latency on first write
because each block is zeroed out before it is written to for the first time.
We recommend the Thick Provisioned Eager Zeroed (Recommended for I/O intensive workloads) option
when deploying an I/O intensive application on VMFS. The virtual disk is allocated all of its provisioned
space and the entire VMDK file is zeroed out before allowing the virtual machine access. This means
that the VMDK file will take longer to become accessible to the virtual machine, but will not incur the
additional latency of zeroing on first write.
• Disk Size—200 GB to 1.999 TB based on the recommendations for VMware disk space
For the Cisco ISE installation to be successful on a virtual machine, ensure that you adhere to the
recommendations given in this document.
To activate the newly created VMware system, right-click VM in the left pane of your VMware client
user interface and choose Power > Power On.
Note You must download the Cisco ISE 1.2 ISO, burn the ISO image on a DVD, and use it to install Cisco ISE
1.2 on the virtual machine.
Step 1 In the VMware client, highlight the newly created VMware system and choose Edit Virtual
Machine Settings.
The Virtual Machine Properties window appears. Figure 4-14 displays the properties of a VMware
system that is created.
Step 2 In the Virtual Machine Properties dialog box, choose CD/DVD Drive 1.
The CD/DVD Drive1 properties dialog box appears.
Step 3 Click the Host Device radio button and choose the DVD host device from the drop-down list.
Step 4 Choose the Connect at Power On option and click OK to save your settings.
You can now use the DVD drive of the VMware ESX server to install the Cisco ISE software.
After you complete this task, click the Console tab in the VMware client user interface, right-click VM
in the left pane, choose Power, and choose Reset to restart the VMware system.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting
ensures that the reports, logs, and posture-agent log files from the various nodes in your
deployment are always synchronized with regard to the time stamps.
Note After installation, if you do not install a permanent license, Cisco ISE automatically installs a
90-day evaluation license that supports a maximum of 100 endpoints.
Step 3 Insert the Cisco ISE software DVD into the VMware ESX host CD/DVD drive and turn on the virtual
machine.
Note Download the Cisco ISE, Release 1.2, software from the Cisco Software Download Site at
http://www.cisco.com/en/US/products/ps11640/index.html and burn it on a DVD. You will be
required to provide your Cisco.com credentials.
When the installation process finishes, the virtual machine reboots automatically.
Step 1 Power down the particular VMware server (for example ISE-120).
Step 2 Right-click the VMware server and choose Edit.
Step 3 Click Add on the Hardware tab (see Figure 4-14).
Step 4 Choose Serial Port and click Next (see Figure 4-16).
Step 5 In the Serial Port Output area, click the Use physical serial port on the host or the Connect via
Network radio button and click Next (see Figure 4-17).
a. If you choose the Connect via Network option, you must open the firewall ports over the ESX server.
b. If you select the Use physical serial port on the host, choose the port. You may choose one of the
following two options:
• /dev/ttyS0 (In the DOS or Windows operating system, this will appear as COM1).
• /dev/ttyS1 (In the DOS or Windows operating system, this will appear as COM2).
Step 7 In the Device Status area, check the appropriate check box. The default is Connected (see Figure 4-19).
Step 1 Log in to the ESXi server as a user with administrative privileges (root user).
Step 2 Right-click the Cisco ISE VM you want to clone, and click Clone (see Figure 4-20).
Step 3 Enter a name for the new machine that you are creating in the Name and Location dialog box and click
Next.
This is not the hostname of the new Cisco ISE VM that you are creating, but a descriptive name for your
reference.
Step 4 Select a Host or Cluster on which you want to run the new Cisco ISE VM and click Next.
Step 5 Select a datastore for the new Cisco ISE VM that you are creating and click Next.
This datastore could be the local datastore on the ESX or ESXi server or a remote storage. See Table 4-1
on page 4-2 for supported storage types. Ensure that the datastore has enough disk space as described in
Table 4-3 on page 4-4.
Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next.
This option copies the same format that is used in the Cisco ISE VM that you are cloning this new
machine from.
Step 7 Click the Do not customize radio button in the Guest Customization dialog box and click Next.
The Ready to Complete dialog box appears (see Figure 4-21)
What To Do Next
• Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-26
• Connecting a Cloned Cisco Virtual Machine to the Network, page 4-28
Related Topics
• Cloning a Cisco ISE Virtual Machine Using a Template, page 4-25
Step 1 Log in to the ESXi server as a user with administrative privileges (root user).
Step 2 Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template.
Step 3 Enter a name for the template, choose a location to save the template in the Name and Location dialog
box, and click Next.
Step 4 Choose the ESX host that you want to store the template on and click Next.
Step 5 Choose the datastore that you want to use to store the template and click Next.
Ensure that this datastore has the required amount of disk space. See Table 4-3 on page 4-4 for more
details.
Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next.
The Ready to Complete dialog box appears.
Step 7 Click Finish.
Step 1 Right-click the Cisco ISE VM template that you have created and choose Deploy Virtual Machine from
this template.
Step 2 Enter a name for the new Cisco ISE node, choose a location for the node in the Name and Location dialog
box, and click Next.
Step 3 Choose the ESX host where you want to store the new Cisco ISE node and click Next.
Step 4 Choose the datastore that you want to use for the new Cisco ISE node and click Next.
Ensure that this datastore has the required amount of disk space. See Table 4-3 on page 4-4 for more
details.
Step 5 Click the Same format as source radio button in the Disk Format dialog box and click Next.
Step 6 Click the Do not customize radio button in the Guest Customization dialog box.
The Ready to Complete dialog box appears.
Step 7 Check the Edit Virtual Hardware check box and click Continue.
The Virtual Machine Properties page appears.
Step 8 Choose Network adapter, uncheck the Connected and Connect at power on check boxes, and click
OK.
Step 9 Click Finish.
You can now power on this Cisco ISE node, configure the IP address and hostname, and connect it to the
network.
What To Do Next
• Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-26
• Connecting a Cloned Cisco Virtual Machine to the Network, page 4-28
Related Topics
• Cloning a Cisco ISE Virtual Machine Using a Template, page 4-25
• Ensure that you have the IP address and hostname that you are going to configure for the newly
cloned VM as soon as you power on the machine. This IP address and hostname entry should be in
the DNS server.
• Ensure that you have certificates for the Cisco ISE nodes based on the new IP address or hostname.
Step 1 Right-click the newly cloned Cisco ISE VM and choose Power > Power On.
Step 2 Select the newly cloned Cisco ISE VM and click the Console tab.
Step 3 Enter the following commands on the Cisco ISE CLI:
configure terminal
hostname hostname
hostname is the new hostname that you are going to configure. The Cisco ISE services are restarted.
Step 4 Enter the following commands:
interface gigabit 0
ip address ip_address netmask
ip_address is the address that corresponds to the hostname that you entered in step 3 and netmask is the
subnet mask of the ip_address. The system will prompt you to restart the Cisco ISE services.
Step 5 Enter Y to restart Cisco ISE services.
Related Topics
Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.2, for the ip address and
hostname commands.
Step 1 Right-click the newly cloned Cisco ISE virtual machine (VM) and click Edit Settings.
Step 2 Click Network adapter in the Virtual Machine Properties dialog box.
Step 3 In the Device Status area, check the Connected and Connect at power on check boxes.
Step 4 Click OK.
This appendix describes the process for performing an initial (or fresh) installation of the Cisco ISE,
Release 1.2, software from a DVD on the following supported Cisco ISE-3300, Cisco Secure ACS, and
Cisco NAC appliance platforms:
• Cisco ISE-3315
• Cisco ISE-3355
• Cisco ISE-3395
• Cisco Secure ACS-1121
• Cisco NAC-3315
• Cisco NAC-3355
• Cisco NAC-3395
Note Download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install
Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and Cisco Secure ACS appliances.
Installing the software on a Cisco Secure ACS or Cisco NAC appliance is a simplified process because
the underlying hardware on which the Cisco ISE software will be installed is the same physical device
type.
• Cisco Secure ACS-1121 and Cisco NAC-3315 appliances are based on the same physical hardware
that are used for small Cisco ISE network deployments (Cisco ISE 3315 appliances).
• Cisco NAC-3355 and Cisco NAC-3395 appliances are based on the same physical hardware that are
used for medium and large Cisco ISE network deployments (Cisco ISE 3355 and Cisco ISE 3395
appliances, respectively).
Note For specific details about the Cisco ISE 3300 series hardware platforms, see the Cisco Identity Services
Engine Hardware Installation Guide, Release 1.1.x.
Note To reuse a Cisco Secure ACS or Cisco NAC appliance as a Cisco ISE, Release 1.2 appliance, reimage
the Cisco Secure ACS or Cisco NAC appliance, install the Cisco ISE software, and use the Setup
program to configure the appliance.
What To Do Next
• If you installed the IPN ISO, go to Configuring Certificates for Inline Posture Nodes, page E-34.
• If you installed the Cisco ISE, Release 1.2 ISO image, after you log in to the Cisco ISE CLI shell,
you can run the show application status ise CLI command to check the status of the Cisco ISE
application processes.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting
ensures that the reports and logs from the various nodes in a deployment are always in sync with
regard to the time stamps.
• Review the information in Prerequisites for Configuring a Cisco SNS-3400 Series Appliance,
page 3-6.
• Review the Cisco ISE Setup Program Parameters, page 3-7 and have this information ready before
you run the setup program.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting
ensures that the reports and logs from the various nodes in a deployment are always in sync with
regard to the time stamps.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting
ensures that the reports and logs from the various nodes in a deployment are always in sync with
regard to the time stamps.
Note If the Cisco ISE DVD installation process returns a message indicating that “The installer
requires at least 600 GB disk space for this appliance type,” you may need to reset the RAID
settings on the appliance to facilitate installation as described in Resetting the Existing RAID
Configuration on a Cisco NAC Appliance.
Step 8 Perform the instructions that are described in Installing Cisco ISE, Release 1.2, Software from a DVD,
page 5-2.
Step 9 Perform the instructions that are described in Setup Process Verification, page 3-15.
Step 1 Reboot the Cisco NAC appliance with the Cisco ISE Software DVD.
Step 2 When you see the RAID controller version information appear in the CLI, press Ctrl-C. The RAID
controller version information appears, displaying a label like LSI Corporation MPT SAS BIOS, and the
LSI Corp Config Utility becomes active.
Step 3 Press Enter to specify the default controller. (The highlighted controller name should read something
similar to SR-BR10i.) A screen containing the Cisco NAC appliance adapter information appears.
Step 4 Use the arrow keys to navigate to “RAID properties” and press Enter.
Step 5 Use the arrow keys to navigate to “Manage Array” and press Enter.
Step 6 Use the arrow keys to navigate to “Delete Array” and press Enter.
Step 7 Enter Y to confirm that you want to delete the existing RAID array.
Step 8 Press Esc twice to exit the RAID configuration utility.
The system prompts you with an Exit the Configuration Utility and Reboot? prompt.
Step 9 Press Enter. The Cisco NAC appliance reboots. As long as the Cisco ISE Software DVD is still inserted,
the appliance automatically boots to the install menu.
Step 10 Press 1 to begin the Cisco ISE, Release 1.2, installation.
This chapter describes the two types of administrator accounts in Cisco ISE, their privileges, and how to
create these accounts. This chapter contains the following topics:
• CLI-Admin and Web-Based Admin User Right Differences, page 6-1
• Tasks Performed by CLI-Admin and Web-Based Admin Users, page 6-1
• Tasks Performed Only by the CLI-Admin User, page 6-2
• Creating CLI Admin Users, page 6-2
• Creating Web-Based Admin Users, page 6-2
Note Web-based admin users that are created by using the Cisco ISE user interface cannot automatically log
in to the Cisco ISE CLI. Only CLI-admin users can access the Cisco ISE CLI.
Refer to Accessing Cisco ISE Using a Web Browser, page 7-1 for information on the supported browsers.
Step 1 Log in by using the CLI-admin username and password that you created during the setup process.
Step 2 Enter the Configuration mode.
Step 3 Enter the username command.
Note For details about the username command, see the Cisco Identity Services Engine CLI Reference Guide,
Release 1.2.
This chapter describes several tasks that you must perform after successfully completing the installation
and configuration of the Cisco Identity Services Engine (ISE), Release 1.2, software. This chapter
contains information about the following topics:
• Accessing Cisco ISE Using a Web Browser, page 7-1
• Verifying a Cisco ISE Configuration, page 7-4
• Verifying the Installation of VMware Tools, page 7-6
• Resetting the Administrator Password, page 7-7
• Configuring the Cisco ISE System, page 7-10
• Enabling System Diagnostic Reports in Cisco ISE, page 7-10
Note The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7
compatibility mode (Microsoft IE8 is supported in IE8 mode only).
Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.
Step 2 In the Address field, enter the IP address (or hostname) of the Cisco ISE appliance by using the following
format and press Enter.
https://<IP address or host name>/admin/
For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.
Step 3 Enter a username and password that you defined during setup.
Step 4 Click Login.
Note To recover or reset the Cisco ISE CLI-admin username or password, see the Resetting the Administrator
Password, page 7-7.
Tip The minimum required screen resolution to view the Cisco ISE GUI is 1280 x 800 pixels.
CLI admin and web-based admin username and password values are not the same. when logging into the
Cisco ISE. For more information about the differences between them, see CLI-Admin and Web-Based
Admin User Right Differences, page 6-1.
Note The license page only appears the first time that you log in to Cisco ISE after the evaluation
license has expired.
Note We recommend that you use the Cisco ISE user interface to periodically reset your administrator login
password. See the Cisco Identity Services Engine User Guide, Release 1.2 for more information.
Caution For security reasons, we recommend that you log out when you complete your administrative session. If
you do not log out, the Cisco ISE web-based web interface logs you out after 30 minutes of inactivity,
and does not save any unsubmitted configuration data.
For more information on using the Cisco ISE web-based web interface, see the Cisco Identity Services
Engine User Guide, Release 1.2.
Installing a License
Refer to Appendix D, “Cisco ISE Licenses” for information on licenses.
Installing Certificates
Refer to Appendix E, “Certificate Management in Cisco ISE” for information on certificates.
Note For first-time web-based access to Cisco ISE system, the administrator username and password is the same
as the CLI-based access that you configured during setup. For CLI-based access to a Cisco ISE system, the
administrator username by default is admin and the administrator password (is user-defined because there is
no default).
To better understand the differences between a CLI-admin user and a web-based admin user, see
CLI-Admin and Web-Based Admin User Right Differences, page 6-1.
Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.
Step 2 In the Address field, enter the IP address (or host name) of the Cisco ISE appliance using the following
format and press Enter.
https://<IP address or host name>/admin/
For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.
Step 3 In the Cisco ISE Login page, enter the username and password that you have defined during setup and
click Login.
The Cisco ISE dashboard appears.
Note We recommend that you use the Cisco ISE user interface to periodically reset the administrator
password. To reset the administrator password, see Cisco Identity Services Engine User Guide, Release
1.2 for details.
Step 1 After the Cisco ISE appliance reboot has completed, launch a supported product, such as PuTTY, for
establishing a Secure Shell (SSH) connection to a Cisco ISE appliance.
Step 2 In the Host Name (or IP Address) field, enter the hostname (or the IP address in dotted decimal format
of the Cisco ISE appliance) and click Open.
Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during
setup and press Enter.
Step 4 At the password prompt, enter the CLI-admin password that you configured during setup (this is
user-defined and there is no default) and press Enter.
Step 5 At the system prompt, enter show application version ise and press Enter.
The console displays the following screen.
Note The Version field lists the currently installed version of Cisco ISE software.
Step 6 To check the status of the Cisco ISE processes, enter show application status ise and press Enter.
The console displays the following screen.
Note To get the latest Cisco ISE patches and keep Cisco ISE up-to-date, visit the following web site:
http://www.cisco.com/public/sw-center/index.shtml
Step 7 To check the Cisco Application Deployment Engine, Release 2.0.5, operating system (ADE-OS) version,
enter show version and press Enter.
The console displays output similar to the following:
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.5.083
ADE-OS System Architecture: i386
Parameter Description
Admin username Enter the number of the administrator whose password you want
to reset.
Password Enter a new password.
Verify password Enter the password again.
Save change and reboot Enter Y to save.
Admin username:
[1]:admin
[2]:admin2
[3]:admin3
[4]:admin4
Enter number of admin for password recovery:2
Password:
Verify password:
Save change and reboot? [Y/N]:
See the Cisco Identity Services Engine CLI Reference Guide, Release 1.2 more information.
Note Use this command to reset the administrator user interface password. It does not affect the CLI password
of the administrator.
After you successfully reset the administrator password, the credentials are immediately active and you
can log in without having to reboot the system.
For more details on using the application reset-passwd ise command, see the Cisco Identity Services
Engine CLI Reference Guide, Release 1.2.
Note Do not use the no ip address command when you change the Cisco ISE appliance IP address.
Note All Cisco ISE services have to be restarted after changing the Cisco ISE appliance IP address.
Step 1 Log in to the Cisco ISE CLI console using the default administrator user ID and password.
Step 2 Enter the following commands:
a. configure terminal
b. logging 127.0.0.1:20514
c. end
d. write memory
You can configure system diagnostic settings through the Cisco ISE user interface (Administration >
System > Logging > Logging Categories > System Diagnostics).
This appendix describes the safety guidelines, site requirements, and guidelines that you must observe
before installing the Cisco SNS-3400 Series appliances, and also provides instructions on how to rack
mount a Cisco SNS-3400 Series appliance, connect all the cables, power up the appliance, and remove
or replace the server components.
This appendix contains the following sections:
• Unpacking and Inspecting the Server, page A-1
• Safety Guidelines, page A-2
• Installing a Cisco SNS-3400 Series Appliance in a Rack, page A-4
• Connecting and Powering On the Server, page A-7
• Checking the LEDs, page A-8
• Installing or Replacing Server Components, page A-11
Caution When handling internal server components, wear an ESD strap and handle modules by the carrier edges
only.
Tip Keep the shipping container in case the server requires shipping in the future.
Note The chassis is thoroughly inspected before shipment. If any damage occurred during transportation or
any items are missing, contact your customer service representative immediately.
Step 1 Remove the server from its cardboard container and save all packaging material.
Step 2 Compare the shipment to the equipment list provided by your customer service representative and
Figure A-1. Verify that you have all items.
Step 3 Check for damage and report any discrepancies or damage to your customer service representative. Have
the following information ready:
• Invoice number of shipper (see the packing slip)
• Model and serial number of the damaged unit
• Description of damage
• Effect of damage on the installation
1 2
3 4
U
C -S
C
is e
S
co ri
C
es
331685
1 Server 3 Documentation
2 Power cord (optional, up to two) 4 KVM cable
Safety Guidelines
Note Before you install, operate, or service a Cisco SNS-3400 series appliance, review the Regulatory
Compliance and Safety Information for Cisco SNS 3400 Series Appliance for important safety
information.
This warning symbol means danger. You are in a situation that could cause bodily injury. Before
you work on any equipment, be aware of the hazards involved with electrical circuitry and be
familiar with standard practices for preventing accidents. Use the statement number provided at
the end of each warning to locate its translation in the translated safety warnings that
accompanied this device.
Statement 1071
Warning To prevent the system from overheating, do not operate it in an area that exceeds the maximum
recommended ambient temperature of: 40° C (104° F).
Statement 1047
Warning The plug-socket combination must be accessible at all times, because it serves as the main
disconnecting device.
Statement 1019
Warning This product relies on the building’s installation for short-circuit (overcurrent) protection.
Ensure that the protective device is rated not greater than: 250 V, 15 A.
Statement 1005
Warning Installation of the equipment must comply with local and national electrical codes.
Statement 1074
Caution Avoid UPS types that use ferroresonant technology. These UPS types can become unstable with systems
such as the Cisco SNS 3400 series appliances, which can have substantial current draw fluctuations from
fluctuating data traffic patterns.
Rack Requirements
The following are the requirements for standard open racks:
• A standard 19-in. (48.3-cm) wide, four-post EIA rack, with mounting posts that conform to English
universal hole spacing, per section 1 of ANSI/EIA-310-D-1992.
• The rack post holes can be square .38-inch (9.6 mm), round .28-inch (7.1 mm), #12-24 UNC, or
#10-32 UNC when you use the supplied slide rails.
• The minimum vertical rack space per server must be one RU, equal to 1.75 in. (44.45 mm).
Equipment Requirements
The slide rails supplied by Cisco Systems for this server do not require tools for installation. The inner
rails (mounting brackets) are preattached to the sides of the server.
Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special
precautions to ensure that the system remains stable. The following guidelines are provided to
ensure your safety:
This unit should be mounted at the bottom of the rack if it is the only unit in the rack.
When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest
component at the bottom of the rack.
If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the
rack. Statement 1006
To install the slide rails and the server into a rack, follow these steps:
Step 1 Open the front securing latch (see Figure A-2). The end of the slide-rail assembly marked “FRONT” has
a spring-loaded securing latch that must be open before you can insert the mounting pegs into the
rack-post holes.
a. On the rear side of the securing-latch assembly, hold open the clip marked “PULL.”
b. Slide the spring-loaded securing latch away from the mounting pegs.
c. Release the clip marked “PULL” to lock the securing latch in the open position.
332061
1 Clip marked “PULL” on rear of assembly 3 Spring-loaded securing latch on front of
assembly
2 Front mounting pegs
Note The mounting pegs that protrude through the rack-post holes are designed to fit round or square holes,
or smaller #10-32 round holes when the mounting peg is compressed. If your rack has #10-32 rack-post
holes, align the mounting pegs with the holes and then compress the spring-loaded pegs to expose the
#10-32 inner peg.
c. Expand the length-adjustment bracket until the rear mounting pegs protrude through the desired
holes in the rear rack post.
Use your finger to hold the rear securing latch open when you insert the rear mounting pegs to their
holes. When you release the latch, it wraps around the rack post and secures the slide-rail assembly.
2 5 6
3
331689
1 Front-left rack post 4 Length-adjustment bracket
2 Front mounting pegs 5 Rear mounting pegs
3 Slide-rail assembly 6 Rear securing latch
d. Attach the second slide-rail assembly to the opposite side of the rack. Ensure that the two slide-rail
assemblies are level and at the same height with each other.
e. Pull the inner slide rails on each assembly out toward the rack front until they hit the internal stops
and lock in place.
Step 3 Insert the server into the slide rails:
Note The inner rails are preattached to the sides of the server at the factory. You can order replacement
inner rails if these are damaged or lost (Cisco PID UCSC-RAIL1-I).
a. Align the inner rails that are preattached to the server sides with the front ends of the empty slide
rails.
b. Push the server into the slide rails until it stops at the internal stops.
c. Push in the plastic release clip on each inner rail (labelled PUSH), and then continue pushing the
server into the rack until the front latches engage the rack posts.
Step 4 Attach the (optional) cable management arm (CMA) to the rear of the slide rails:
Note The CMA is designed for mounting on either the right or left slide rails. These instructions
describe an installation to the rear of the right slide rails, as viewed from the rear of server.
a. Slide the plastic clip on the inner CMA arm over the flange on the mounting bracket that attached
to the side of the server. See Figure A-4.
Note Whether you are mounting the CMA to the left or right slide rails, be sure to orient the engraved
“UP” marking so that it is always on the upper side of the CMA. See Figure A-4.
b. Slide the plastic clip on the outer CMA arm over the flange on the slide rail. See Figure A-4.
c. Attach the CMA retaining bracket to the left slide rail. Slide the plastic clip on the bracket over the
flange on the end of the left slide rail. See Figure A-4.
Figure A-4 Attaching the Cable Management Arm (Rear of Server Shown)
1 4
7
2
331690
6
1 Flange on rear of outer left slide rail 5 Inner CMA arm attachment clip
2 CMA retaining bracket 6 “UP” orientation marking
3 Flange on rear of right mounting bracket 7 Outer CMA arm attachment clip
4 Flange on rear of outer right slide rail
Step 5 Continue with the “Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance”
section on page 3-9.
Step 1 Attach a supplied power cord to each power supply in the server and then attach the power cord to a
grounded AC power outlet. See the Power Specifications, page B-2 for power specifications.
Wait for approximately two minutes to let the server boot in standby power during the first bootup.
You can verify the power status by looking at the Power Status LED:
• Off—There is no AC power present in the server.
• Amber—The server is in standby power mode. Power is supplied only to the CIMC and some
motherboard functions.
• Green—The server is in main power mode. Power is supplied to all server components.
Note During bootup, the server beeps once for each USB device that is attached to the server. Even if
there are no external USB devices attached, there is a short beep for each virtual USB device
such as a virtual floppy drive, CD/DVD drive, keyboard, or mouse. A beep is also emitted if a
USB device is hot-plugged or hot-unplugged during BIOS power-on self-test (POST), or while
you are accessing the BIOS Setup utility or the EFI shell.
Step 2 Connect a USB keyboard and VGA monitor by using the supplied KVM cable connected to the KVM
connector on the front panel.
Note Alternatively, you can use the VGA and USB ports on the rear panel. However, you cannot use
the front panel VGA and the rear panel VGA at the same time. If you are connected to one VGA
connector and you then connect a video device to the other connector, the first VGA connector
is disabled.
This appendix lists the technical specifications for the server and includes the following sections:
• Physical Specifications, page B-1
• Environmental Specifications, page B-1
• Power Specifications, page B-2
Physical Specifications
Table B-1 lists the physical specifications for the server.
Description Specification
Height 1.7 in. (4.3 cm)
Width 16.9 in. (42.9 cm)
Depth 28.5 in. (72.4 cm)
Weight (fully loaded chassis) 35.6 lb. (16.1 Kg)
Environmental Specifications
Table B-2 lists the environmental specifications for the server.
Description Specification
Temperature, operating 41 to 104°F (5 to 40°C)
Derate the maximum temperature by 1°C per every
305 meters of altitude above sea level.
Temperature, non-operating –40 to 149°F (–40 to 65°C)
Humidity (RH), noncondensing 10 to 90 percent
Altitude, operating 0 to 10,000 feet
Description Specification
Altitude, non-operating 0 to 40,000 feet
Sound power level 5.4
Measure A-weighted per ISO7779 LwAd (Bels)
Operation at 73°F (23°C)
Sound pressure level 37
Measure A-weighted per ISO7779 LpAm (dBA)
Operation at 73°F (23°C)
Power Specifications
The power specifications for the two power supply options are listed in the following sections:
• 450-Watt Power Supply, page B-2
• 650-Watt Power Supply, page B-2
Note Do not mix power supply types in the server. Both power supplies must be either 450W or 650W.
Table B-3 Cisco SNS-3400 Series Server 450-Watt Power Supply Specifications
Description Specification
AC input voltage range Low range: 100 VAC to 120 VAC
High range: 200 VAC to 240 VAC
AC input frequency Range: 47 to 63 Hz (single phase, 50 to 60Hz nominal)
AC line input current (steady state) 6.0 A peak at 100 VAC
3.0 A peak at 208 VAC
Maximum output power for each power 450 Watts
supply
Power supply output voltage Main power: 12 VDC
Standby power: 12 VDC
Table B-4 Cisco SNS-3400 Series Server 650-Watt Power Supply Specifications
Description Specification
AC input voltage range 90 to 264 VAC (self-ranging, 180 to 264 VAC nominal)
AC input frequency Range: 47 to 63 Hz (single phase, 50 to 60Hz nominal)
AC line input current (steady state) 7.6 A peak at 100 VAC
3.65 A peak at 208 VAC
Maximum output power for each power 650 Watts
supply
Power supply output voltage Main power: 12 VDC
Standby power: 12 VDC
This appendix lists the TCP and User Datagram Protocol UDP ports that Cisco ISE uses for intranetwork
communications with external applications and devices.
Table C-1 lists the ports by TCP and UDP port number, identifies the associated feature, service, or
protocol, and describes any specific port-related information that applies to the four Gigabit Ethernet
ports: GbEth0, GbEth1, GbEth2, and GbEth3. The Cisco ISE ports listed in this table must be open on
the corresponding firewall. The ports list provides information that can be useful when configuring a
firewall, creating access control lists (ACLs), and configuring services on a Cisco ISE network.
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• All NICs can be configured with IP addresses.
DNS: tcp-udp/53
NTP: udp/123
HTTPS: tcp/8443 MnT RADIUS Auth: ump/1645,1812
RADIUS Acct: udp/1646,1813
Email/SMS Syslog: udp/20514
Gateways SMTP: tcp/25
Syslog: udp/20514, tcp/1468 IPN
Logging Secure Syslog: tcp/6514
NetFlow: udp/9996
HTTPS; tcp/443
Syslog: udp/20514, tcp/1468
HTTPS: tcp/443 RADIUS Auth: Audp/1645,1812
Secure Syslog: tcp/6514
Syslog: udp/20514, RADIUS Acct: udp/1646,1813
Oracle DB (Secure JDBC): SSH: tcp/22
tcp/1468 RADIUS CoA: dp1700,3799
SMTP: tcp/25 tcp/2484
Secure Syslog: tcp/6514
JGroups: tcp12001
Query Attributes
PSN
PAN HTTPS: tcp/443 LDAP: tcp/389,3268
Syslog: udp/20514, JGroups: tcp12001 SMB:tcp/445
tcp/1468 KDC:tcp/88
Secure Syslog: tcp/6514 KPASS: tcp/464 PIP
SNMP Traps: udp/162 SCEP: tcp/80, tcp/443
NTP: udp/123
RADIUS Auth: udp/1645,1812
RADIUS Acct: udp/1646,1813
GUI: tcp/80,443 Guest: tcp/8443 RADIUS CoA: udp/1700,3799
SSH: tcp/22 Discovery: tcp/8443, tcp/8905 WebAuth: tcp:443,8443 Inter-Node Communications
Update: tcp/443 Sponsor: tcp/8443 Agent Install: tcp/8909 SNMP: udp/161
SNMP: udp/161 NAC Agent: tcp/8905; udp/8905 SNMP Trap: udp/162 Admin(P) - Admin(S): tcp/443,
ERS: tcp/9060 PRA/KA: SWISS udp/8905 NetFlow: udp/9996 tcp/12001(JGroups)
DHCP:udp/67, udp/68
SPAN:tcp/80,8080 Monitor(P) - Monitor(S): tcp/443
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Administration Administration • TCP: 22 (Secure Shell Cisco ISE Cisco ISE Cisco ISE
node [SSH] server) management is management is management is
1 restricted to Gigabit restricted to restricted to
• TCP: 80 (HTTP)
Ethernet 0. Gigabit Ethernet 0. Gigabit
• TCP: 4431 (HTTPS) Ethernet 0.
• TCP: 9060 (External
RESTful Services
(ERS) REST API)
Note Port 80 is redirected
to port 443 (not
configurable).
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Logging • UDP: 20514, TCP: 1468 (Syslog)
(Outbound)
• TCP: 6514 (Secure Syslog)
Note Default ports are configurable for external logging.
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Monitoring Administration • TCP: 22 (SSH server) — — —
node
• TCP: 801 (HTTP)
• TCP: 4431 (HTTPS)
Replication and • TCP: 443 (HTTPS • TCP: 1521 - • TCP: 1521 - • TCP: 1521
Synchronization SOAP) Oracle DB Oracle DB - Oracle
Listener Listener DB
• TCP: 1521 - Oracle
Listener
DB Listener
• TCP: 12001 Global
(JGroups - Data
synchronization /
Data replication)
Monitoring • UDP: 161 (SNMP)
Note This port is route
table dependent.
Logging • UDP: 20514, TCP: 1468 (Syslog)
• TCP: 6514 (Secure Syslog)
Note Default ports are configurable for external logging.
• TCP: 25 (SMTP)
• UDP: 162 (SNMP Traps)
External • TCP: 389, 3268, — — —
Resources UDP: 389 (LDAP)
• TCP: 445 (SMB)
• TCP: 88, UDP: 88
(KDC)
• TCP: 464 (KPASS)
• UDP: 123 (NTP)
• TCP: 53, UDP: 53
(DNS)
(Admin user interface
authentication)
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Policy Service Administration • TCP: 22 (SSH server) — — —
node
• TCP: 801 (HTTP)
• TCP: 4431 (HTTPS)
Replication and • TCP: 443 (HTTPS — — —
Synchronization SOAP)
• TCP: 12001 Global
(JGroups - Data
synchronization /
Data replication)
Clustering (Node • UDP: 45588, 45590 — — —
Group) (Local JGroup)
• TCP: 7802 (Local
JGroup failure
detection)
Monitoring • UDP: 161 (SNMP) — — —
Note This port is route
table dependent.
Logging • UDP: 20514, TCP: 1468 (Syslog)
(Outbound) • TCP: 6514 (Secure Syslog)
Note Default ports are configurable for external logging.
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Policy Service External Identity • TCP: 389, 3268, — — —
node Stores and (LDAP)
(continued) Resources
• TCP: 445 (SMB)
• TCP: 88 (KDC)
• TCP: 464 (KPASS)
• UDP: 123 (NTP)
• UDP: 53 (DNS)
(Admin user interface
authentication and
endpoint authentication)
Web Portal • HTTPS (Interface must be enabled for service in Cisco ISE.)
Services:
• TCP: 8000-8999 (Guest Portal and Client Provisioning. Default port is TCP: 8443.)
- Guest/Web
• TCP: 8000-8999 (Sponsor Portal. Default port is TCP: 8443.)
Auth
• TCP: 8000-8999 (My Devices Portal. Default port is TCP: 8443.)
- Guest Sponsor
portal • TCP: 8000-8999 (Blacklist Portal. Default port is TCP: 8444.)
- My Devices • TCP: 25 (SMTP Notification)
portal
- Client
Provisioning
- BlackListing
portal
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Policy Service Posture • TCP: 80 (HTTP) Discovery - Client side
node
- Discovery • TCP: 8905 (HTTPS) Discovery - Client side
(continued)
- Provisioning Note By default, TCP: 80 is redirected to TCP: 8443. See Web Portal Services: Guest
- Assessment/ Portal and Client Provisioning.
Heartbeat
• TCP: 8443, 8905 (HTTPS) Discovery - Policy Service node side
• URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client
Provisioning.
• Active-X and Java Applet Install including IP refresh, Web Agent install, and
launch NAC Agent install—Provisioning: See Web Portal Services: Guest Portal
and Client Provisioning
• TCP: 8443 Provisioning: NAC Agent Install
• UDP: 8905 (SWISS) Provisioning: NAC Agent update notification
• TCP: 8905 (HTTPS) Provisioning: NAC Agent and other package/module updates
• TCP: 8905 (HTTPS) Assessment: Posture Negotiation and Agent Reports
• UDP: 8905 (SWISS) Assessment: PRA/Keep-alive
Bring Your Own • URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client
Device (BYOD) / Provisioning
Network Service
• Active-X and Java Applet Install (includes the launch of Wizard
Protocol
Install)—Provisioning. See Web Portal Services: Guest Portal and Client
- Redirection Provisioning
- Provisioning • TCP: 8443 Provisioning: Wizard Install from Cisco ISE (Windows and Mac OS)
- SCEP • TCP: 443 Provisioning: Wizard Install from Google Play (Android)
• TCP: 8905 Provisioning: Supplicant Provisioning Process
• TCP: 80 or TCP: 443 SCEP Proxy to CA (Based on SCEP RA URL config)
Mobile Device • URL Redirection—See Web Portal Services: Guest Portal and Client Provisioning
Management
• API—Vendor-specific
(MDM) API
Integration • Agent Install and Device Registration—Vendor-specific
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Policy Service Profiling • UDP: 9996 (NetFlow)
node
Note This port is configurable.
(continued)
• UDP: 67 (DHCP)
Note This port is configurable.
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Inline Posture High Availability — — UDP: 694 UDP: 694
node (Heartbeat) (Heartbeat)
(continued)
1. Because Inline Posture nodes do not support the Administration persona, they will not have access to this port.
2. NMAP OS Scan uses ports 0.65535 to detect endpoint operating system
This chapter describes the licensing mechanism and schemes that are available for Cisco ISE and how
to add and upgrade licensees.
• Cisco ISE Licensing, page D-1
• Obtaining a Cisco ISE License from Cisco.com, page D-3
• Adding or Upgrading a License, page D-5
• Removing a License, page D-5
All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE
services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints
on the network, you must obtain and register Base licenses for the number of concurrent users on your
system. If you require additional functionality, you will need Plus or Advanced licenses to enable that
functionality.
After you install the Cisco ISE software and initially configure the appliance as the primary
Administration node, you must obtain a license for Cisco ISE and then register that license.
Cisco ISE supports licenses with two hardware IDs. You can obtain a license based on the hardware IDs
of both the primary and secondary Administration nodes. You register all licenses to the Cisco ISE
primary Administration node via the primary and secondary Administration node hardware ID. The
primary Administration node then centrally manages all the licenses that are registered for your
deployment.
Note You always require a Base license. However, you do not need a Plus license in order to have an Advanced
license or vice versa.
Cisco recommends installing the Base, Plus, and Advanced Licenses at the same time.
• When you install a Base License over a default Evaluation License, the Base License overrides only
the base license-related portion of the Evaluation License and keeps the Plus and Advanced License
capabilities available for the remainder of the default Evaluation License duration.
• You cannot upgrade the Evaluation License to a Plus or Advanced License without first installing
the Base License.
• When you install a Wireless License over a default Evaluation License, the Wireless License
overrides the Evaluation License parameters with the specific duration and user count associated
with the Wireless License.
License Count
A Cisco ISE user consumes a license during an active session. Once the sessions has ended, ISE releases
the license for reuse by another user.
The Cisco ISE license is counted as follows:
• A Base, Plus, or Advanced license is consumed based on the feature that is used.
• An endpoint with multiple network connections can consume more than one license per MAC
address. For example, a laptop connected to wired and also to wireless at the same time. Licenses
for VPN connections are based on the IP address.
• Licenses are counted against concurrent, active sessions. An active session is one for which a
RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
Note Sessions without RADIUS activity are automatically purged from Active Session list every
5 days or if the endpoint is deleted from the system.
To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license
entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on
the network and generate alarms when endpoint counts exceed the licensed amounts:
• 80% Info
• 90% Warning
• 100% Critical
Licenses are centrally managed by the Administration node. If you have two Administration nodes
deployed in a high-availability pair, obtain a license based on the hardware IDs (UIDs) of both the
primary and secondary Administration nodes. After you obtain the license, add it only to the primary
Administration node. The license gets replicated to the secondary Administration node.
Within an hour of ordering your license files from Cisco.com, you should receive an e-mail with the
Cisco Supplemental End-User License Agreement and a Claim Certificate containing a PAK for each
license that you order. After receiving the Claim Certificate, you can log in and access the Cisco Product
License Registration website at http://www.cisco.com/go/license and provide the appropriate hardware
ID information and PAK to generate your license.
You must supply the following specific information to generate your license file:
• Product identifier (PID) of both the primary and secondary Administration nodes
• Version identifier (VID)
• Serial number (SN)
• PAK
See the Cisco Identity Services Engine Licensing Note for more details.
The day after you submit your license information in the Cisco Product License Registration website,
you will receive an e-mail with your license file as an attachment. Save the license file to a known
location on a local machine and use the instructions in Adding or Upgrading a License, page D-5 to add
and update any product licenses for Cisco ISE.
For detailed information and license part numbers that are available for Cisco ISE, including licensing
options for new installations as well as migration from an existing Cisco security product like Cisco
Secure Access Control Server, see the Cisco Identity Services Engine Ordering Guidelines at http://
www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html.
Related Topics
• Determining Your Hardware ID Using the CLI, page D-4
• Determining Your Hardware ID Using the Admin Portal, page D-4
Step 1 From the Cisco ISE Administration interface, choose Administration > System > Licensing.
Step 2 In the License Operations navigation pane, click Current Licenses.
Step 3 Select the button corresponding to the Cisco ISE node that you want to check for the Administration
node hardware ID, and click Administration Node to view the PID, VID, and SN.
Step 1 From the Cisco ISE Administration interface, choose Administration > System > Licensing > Current
Licenses.
Step 2 Click the radio button next to the license name that you want to upgrade, and click Edit.
Step 3 Click Add Services.
Step 4 Click Browse and select the Licence file.
Step 5 Click Import to import the new license file that supports the added service.
Step 6 Go back to the Current Licenses page to verify the addition of the upgraded license. For further
confirmation, check the features of the respective services for which the license has been upgraded.
Note The Current Licenses page displays the number of installed Plus and Advanced licenses in a combined
Advance/Plus Counter. For example, if you have installed 500 Plus licenses and 1000 Advanced licenses,
the Advance/Plus Counter displays 1500.
Related Topics
• Removing a License, page D-5
Removing a License
You can remove individual Base, Plus, Advanced, and Wireless licenses, but keep in mind the following
conditions:
• If the Plus or Advanced license count is greater than the Base license count, then the Base license
cannot be deleted.
• If you install a combined license, all related installations in the Base and Advanced packages are
also removed.
• If you remove a production-level license within the standard 90-day evaluation period, the
Evaluation License is automatically restored after you remove the production license.
• You cannot remove Evaluation Licenses.
Step 1 Choose Administration > System > Licensing > Current Licenses.
Step 2 Click the radio button next to the relevant node name, and click Edit.
Step 3 Click the radio button next to the license name that you want to delete and click Remove.
Step 4 Click OK.
Certificates are used in a network to provide secure access. Certificates are used to identify Cisco ISE
to an endpoint and also to secure the communication between that endpoint and the Cisco ISE node.
Certificates are used for all HTTPS communication and the Extensible Authentication Protocol (EAP)
communication.
In a distributed deployment, you must import the certificate only in to the certificate trust list (CTL) of
the primary Administration node. The certificate gets replicated to the secondary nodes.
In general, to ensure certificate authentication in Cisco ISE is not impacted by minor differences in
certificate-driven verification functions, use lower case hostnames for all Cisco ISE nodes deployed in
a network.
Step 1 Establish local certificates on each deployment node for TLS-enabled authentication protocols (for
example, EAP-TLS protocol), and for HTTPS, which is used by browser and REST clients to access the
Cisco ISE web portals.
By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for both purposes.
In a typical enterprise environment, this certificate is replaced with one or two server certificates that are
signed by a trusted CA.
Step 2 Populate the Certificate Store with the CA certificates that are necessary to establish trust with the user
as well as device certificates that will be presented to Cisco ISE.
If a certificate chain consisting of a root CA certificate plus one or more intermediate CA certificates is
required to validate the authenticity of a user or device certificate, you must import the entire chain into
the Certificate Store.
Related Topics
• See Local Certificates, page E-4 for details on how to generate a Certificate Signing Request and
import a CA-signed certificate.
• See Certificate Store, page E-24 for details on how to import these certificate chains.
The Cisco ISE nodes use HTTPS for inter-node communication, so an administrator must populate the
Certificate Store with the trust certificate(s) needed to validate the HTTPS local certificate belonging to
each node in the Cisco ISE deployment. If a default self-signed certificate is used for HTTPS, then you
must export this certificate from each Cisco ISE node and import it into the certificate store. If you
replace the self-signed certificates with CA-signed certificates, it is only necessary to populate the
Certificate Store with the appropriate root CA and intermediate CA certificates. Be aware that you
cannot register a node in a Cisco ISE deployment until you complete this step.
If a Cisco ISE deployment is to be operated in FIPS mode, you must ensure that all local and certificate
store certificates are FIPS-compliant. This means that each certificate must have a minimum key size of
2048 bytes, and use SHA-1 or SHA-256 encryption.
Note After you obtain a backup from a standalone Cisco ISE or primary Administration node, if you change
the certificate configuration on one or more nodes in your deployment, you must obtain another backup
to restore data. Otherwise, if you try to restore data using the older backup, communication between the
nodes might fail.
Local Certificates
Cisco ISE local certificates are server certificates that identify a Cisco ISE node to client applications.
Local certificates are:
• Used by browser and REST clients who connect to Cisco ISE web portals. You must use HTTPS
protocol for these connections.
• Used to form the outer TLS tunnel with PEAP and EAP-FAST. These certificates can be used for
mutual authentication with EAP-TLS, PEAP, and EAP-FAST.
You must install valid local certificates for HTTPS and EAP-TLS on each node in your Cisco ISE
deployment. By default, a self-signed certificate is created on a Cisco ISE node during installation time,
and this certificate is designated for HTTPS and EAP-TLS use (it has a key length of 1024 and is valid
for one year). It is recommended that you replace the self-signed certificate with a CA-signed certificate
for greater security.
Wildcard Certificates
A wildcard certificate uses a wildcard notation (an asterisk and period before the domain name) and
allows the certificate to be shared across multiple hosts in an organization. For example, the CN value
for the Certificate Subject would be some generic hostname such as aaa.ise.local and the SAN field
would include the same generic hostname and the wildcard notation such as DNS.1=aaa.ise.local and
DNS.2=*.ise.local
If you configure a wildcard certificate to use *.ise.local, you can use the same certificate to secure any
other host whose DNS name ends with “.ise.local,” such as:
• aaa.ise.local
• psn.ise.local
• mydevices.ise.local
• sponsor.ise.local
Figure E-3 shows an example of a wildcard certificate that is used to secure a web site.
Wildcard certificates secure communications in the same way as a regular certificate, and requests are
processed using the same validation methods.
Related Topics
• Wildcard Certificates for HTTPS and EAP Communication, page E-5
• Wildcard Certificate Support in Cisco ISE, Release 1.2, page E-6
• Fully Qualified Domain Name in URL Redirection, page E-6
• Wildcard Certificate Compatibility, page E-8
• Creating a Wildcard Certificate, page E-8
• Installing Wildcard Certificates in Cisco ISE, page E-10
Note If you use wildcard certificates, we strongly recommend that you partition your domain space for greater
security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do
not partition your domain, it can lead to serious security issues.
Wildcard certificate uses an asterisk (*) and a period before the domain name. For example, the CN value
for a certificate’s Subject Name would be a generic host name such as aaa.ise.local and the SAN field
would have the wildcard character such as *.ise.local. Cisco ISE supports wildcard certifications in
which the wildcard character (*) is the left most character in the presented identifier. For example,
*.example.com or *.ind.example.com. Cisco ISE does not support certificates in which the presented
identifier contains additional characters along with the wildcard character. For example,
abc*.example.com or a*b.example.com or *abc.example.com.
Use the no form of this command to remove the association of the host alias with the network interface:
ISE/admin(config)# no ip-host IP_address host-alias FQDN-string
Use the show running-config command to view the host alias definitions.
If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you
provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to
form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a
network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.
When you make use of non-eth0 interfaces for client provisioning or native supplicant or guest flows,
you have to make sure that the IP address or host alias for non-eth0 interfaces should be configured
appropriately in the Policy Service node certificate's SAN fields.
You must be careful when deploying wildcard certificates. For example, if you create a certificate with
*.company.local and an attacker is able to recover the private key, that attacker can spoof any server in
the company.local domain. Therefore, it is considered a best practice to partition the domain space to
avoid this type of compromise.
To address this possible issue and to limit the scope of use, wildcard certificates may also be used to
secure a specific subdomain of your organization. Add an asterisk (*) in the subdomain area of the
common name where you want to specify the wildcard.
For example, if you configure a wildcard certificate for *.ise.company.local, that certificate may be used
to secure any host whose DNS name ends in “.ise.company.local”, such as:
• psn.ise.company.local
• mydevices.ise.company.local
• sponsor.ise.company.local
ISE Admin portal, Sponsor portal, and the My Devices portal can use a load balancer. In these cases, the
FQDN assigned to the virtual IP address of the load-balanced service should be included in the SAN
field of the certificate.
Note It is possible to have separate certificates for HTTPS and EAP authentication. The certificate designated
for HTTPS is used to secure inter-node communications and all web portal services including Central
Web Authentication, DRW, Posture Discovery and Assessment, Mobile Device Management, Native
Supplicant Provisioning, Sponsor, and My Devices portals. The certificate designated for EAP is used
to secure all client authentication using EAP protocols including PEAP, EAP-TLS, and EAP-FAST.
For example, if you have an ISE deployment with two PSN nodes (psn1 and psn2 with eth0, eth1, and
eth2 interfaces enabled) and you want to create a multi-domain certificate without wildcards, then your
values would be:
CN=aaa.company.local (FQDN of an ISE node in the deployment)
SAN=DNS.1=aaa.company.local, DNS.2=psn1.company.local, DNS.3=psn2.company.local,
DNS.4=psn1-e1.company.local, DNS.5=psn2-e1.company.local, DNS.6=psn1-e2.company.local,
DNS.7=psn2-e2.company.local.
Tip If you are planning to deploy additional Policy Service nodes in the future, then you can add
additional DNS name entries in the SAN field so that you can reuse the same certificate at the time
of deploying the new nodes.
For cases where an IP address needs to be specified in the SAN field of the certificate (for example, DMZ
with a static IP address for URL re-direction), ensure that you specify the IP address of the policy service
node as the DNS Name and IP Address in the SAN field of the certificate. For example, CN=psn.ise.local
and SAN=DNS.1=psn.ise.local, DNS.2=*.ise.local, DNS.3=10.1.1.20, IP.1=10.1.1.20.
Step 1 Enter a generic hostname for the CN field of the Subject. For example, CN=aaa.ise.local.
Step 2 Enter the same generic hostname and a wildcard notation in the SAN field of the certificate. For example,
DNS Name=aaa.ise.local, DNS Name=*.ise.local. See Figure E-3.
This method is successful with the majority of the tested public Certificate Authorities such as
Comodo.com and SSL.com. With these public CAs, you must request a “Unified Communications
Certificate (UCC).”
What To Do Next
Import the wildcard certificates in to the Policy Service nodes.
Related Topics
Installing Wildcard Certificates in Cisco ISE, page E-10
Step 1 Create the Certificate Signing Request for Wildcard Certificates. See Creating a Certificate Signing
Request for Wildcard Certificates, page E-10.
Step 2 Export the Certificate Signing Request. See Exporting the Certificate Signing Request, page E-11.
Step 3 Submit the Certificate Signing Request to a Certificate Authority. See Submitting the CSR to a
Certificate Authority, page E-11.
Step 4 Import the Root Certificates to the Certificate Store. See Importing the Root Certificates to the
Certificate Store, page E-12.
Step 5 Bind the Certificate Signing Request with the new public certificate. See Binding the CSR With the New
Public Certificate, page E-13.
Step 6 Export the CA-Signed Certificate and Private Key. See Exporting the CA-Signed Certificate and Private
Key, page E-13.
Step 7 Import the CA-Signed Certificate and Private Key in to all the Policy Service nodes. See Importing the
CA-Signed Certificate to the Policy Service Nodes, page E-13.
Step 1 In the Cisco ISE administration interface of the node requiring the CA-signed certificate, generate a
Certificate Signing Request (CSR).
Step 2 Export the CSR into a file.
Step 3 Provide the CSR file to the Certificate Authority and request the CA to create and sign a certificate using
the attributes specified in the CSR. The CA should return the certificate in a file.
Step 4 In the Cisco ISE administration interface of the same node, bind the CA-signed certificate to its private
key, which is kept with the CSR on the node. Designate the certificate for HTTPS and/or EAP-TLS use.
Note If you are going to use the CA-signed certificate for HTTPS, the subject Common Name value specified
for the CSR must match the fully qualified domain name (FQDN) of the Cisco ISE node, or must match
the wildcard domain name specified in the SAN/CN field of the certificate.
Note X.509 certificates imported to Cisco ISE must be in privacy-enhanced mail (PEM) or distinguished
encoding rule (DER) format. Files containing a certificate chain, which is a local certificate along with
the sequence of trust certificates that sign it, can be imported, subject to certain restrictions. See
Importing Certificate Chains, page E-28 for more information.
X.509 certificates are only valid until a specific date. When a local certificate expires, the Cisco ISE
functionality that depends on the certificate is impacted. Cisco ISE will notify you about the pending
expiration of a local certificate when the expiration date is within 90 days. This notification appears in
several ways:
• Colored expiration status icons appear in the Local Certificates page.
• Expiration messages appear in the Cisco ISE System Diagnostic report.
• Expiration alarms are generated at 90 days, 60 days, and every day in the final 30 days before
expiration.
If the expiring certificate is a self-signed certificate, you can extend its expiration date by editing the
certificate. For a CA-signed certificate, you must allow sufficient time to acquire replacement certificate
from your CA.
You can perform the following tasks from the Cisco ISE administration interface to manage local
certificates:
• View a list of the local certificates stored on an Cisco ISE node. The list shows the protocol
assignment (HTTPS, EAP-TLS) of each certificate, along with its expiration status.
• Generate a CSR
• Export a CSR
• Bind a CA-signed certificate to its private key
• Export a local certificate and, optionally, its private key
• Import a local certificate and its private key
Related Topics
• Wildcard Certificates, page E-4
• Fully Qualified Domain Name in URL Redirection, page E-6
• Importing a Local Certificate, page E-16
• Generating a Certificate Signing Request, page E-19
• Binding a CA-Signed Certificate, page E-20
Step 1 Choose Administration > System > Certificates > Local Certificates.
The Local Certificate page appears and provides the following information for the local certificates:
• Friendly Name—Name of the certificate.
• Protocol—Protocols for which to use this certificate.
• Issued To—Common Name of the certificate subject.
• Issued By—Common Name of the certificate issuer
• Valid From—Date on which the certificate was created, also know as the Not Before certificate
attribute.
• Expiration Date—Expiration date of the certificate, also known as the Not After certificate attribute.
• Expiration Status—Indicates when the certificate expires. There are five categories along with an
associated icon that appear here:
1. Expiring in more than 90 days (green icon)
2. Expiring in 90 days or less (blue icon)
3. Expiring in 60 days or less (yellow icon)
4. Expiring in 30 days or less (orange icon)
Related Topics
• Wildcard Certificates, page E-4
Note If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate
on a node, existing browser sessions connected to that node do not automatically switch over to the new
certificate. You must restart your browser to see the new certificate.
Step 1 Choose Administration > System > Certificates > Local Certificates.
To import a local certificate to a secondary node, choose Administration > System > Server
Certificate.
Step 2 Choose Add > Import Local Server Certificate.
Step 3 Click Browse to choose the certificate file and the private key from the system that is running your client
browser.
If the private key is encrypted, enter the Password to decrypt it.
Step 4 Enter a Friendly Name for the certificate. If you do not specify a name, Cisco ISE automatically creates
a name in the format <common name>#<issuer>#<nnnnn> where <nnnnn> is a unique five-digit
number.
Step 5 Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate
certificate extensions.
If you check the Enable Validation of Certificate Extensions check box and the certificate that you are
importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage
extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.
Step 6 Check the Allow Wildcard Certificates check box if you want to import a wildcard certificate (a
certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS name in the
Subject Alternative Name.
Step 7 In the Protocol group box:
• Check the EAP check box to use this certificate for EAP protocols to identify the Cisco ISE node.
• Check the HTTPS check box to use this certificate to authenticate the web server.
If you check the Management Interface check box, ensure that the Common Name value in the
Certificate Subject matches the fully qualified domain name (FQDN) of the node or a wildcard
notation if a wildcard certificate is used. Otherwise, the import process will fail.
Step 8 Check the Replace Certificate check box to replace an existing certificate with a duplicate certificate.
A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as
an existing certificate. This option updates the content of the certificate, but retains the existing protocol
selections for the certificate.
Note If Cisco ISE is set to operate in FIPS mode, the certificate RSA key size must be 2048 bits or
greater in size and use either SHA-1 or SHA-256 hash algorithm.
Related Topics
• Wildcard Certificates, page E-4
• Creating a Wildcard Certificate, page E-8
• Installing Wildcard Certificates in Cisco ISE, page E-10
Step 1 Choose Administration > System > Certificates > Local Certificates.
To generate a self-signed certificate from a secondary node, choose Administration > System > Server
Certificate.
Step 2 Choose Add > Generate Self Signed Certificate.
Step 3 Enter the following information in the Generate Self Signed Certificate page:
• Certificate Subject—A distinguished name (DN) identifying the entity that is associated with the
certificate. The DN must include a Common Name (CN) value.
• Subject Alternative Name—A DNS name or IP Address that is associated with the certificate.
• Required Key Length—Valid values are 512, 1024, 2048, and 4096. If you are deploying Cisco ISE
as a FIPS-compliant policy management-engine, you must specify a 2048-bit or larger key length.
• Digest to Sign With—You can choose to encrypt and decrypt certificates using either SHA-1 or
SHA-256.
• Certificate Expiration TTL. You can specify an expiration time period in days, weeks, months, or
years.
• If you would like to specify a Friendly Name for the certificate, enter it in the field below the private
key password. If you do not specify a name, Cisco ISE automatically creates a name in the format
<common name>#<issuer>#<nnnnn> where <nnnnn> is a unique five-digit number.
Step 4 Check the Allow Wildcard Certificates check box if you want to generate a self-signed wildcard
certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS
name in the Subject Alternative Name. For example, DNS name assigned to the SAN can be
*.amer.cisco.com.
Step 5 In the Protocol group box:
• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.
• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE portals.
If you check the Management Interface check box, ensure that the Common Name value in the
Certificate Subject matches the fully qualified domain name (FQDN) of the node. Otherwise, the
self-signed certificate will not be generated.
If the HTTPS check box is checked, then the application server on the Cisco ISE node will be
restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment,
then the application server on all other nodes in the deployment will also be restarted. They will
restart one node at a time, after the Primary Administration node restart has completed.
Step 6 In the Override Policy area, check the Replace Certificate check box to replace an existing certificate
with a duplicate certificate. A certificate is considered a duplicate if it has the same subject or issuer and
the same serial number as an existing certificate. This option updates the content of the certificate, but
retains the existing protocol selections for the certificate.
Note If you are using a self-signed certificate and you must change the hostname of your Cisco ISE node, you
must log in to the Admin portal of the Cisco ISE node, delete the self-signed certificate that has the old
hostname, and generate a new self-signed certificate. Otherwise, Cisco ISE will continue to use the
self-signed certificate with the old hostname.
Related Topics
• Wildcard Certificates, page E-4
• Installing Wildcard Certificates in Cisco ISE, page E-10
Step 1 Choose Administration > System > Certificates > Local Certificates.
To generate a CSR from a secondary node, choose Administration > System > Server Certificate.
Step 2 Choose Add > Generate Certificate Signing Request.
Step 3 Enter the certificate subject and the required key length. The certificate subject is a distinguished name
(DN) identifying the entity that is associated with the certificate. The DN must include a common name
value. Elements of the distinguished name are:
• C = Country
• ST = Test state or province
• L = Test locality (City)
• O = Organization name
• OU = Organizational unit name
• CN = Common name
• E = E-mail address
For example, the Certificate Subject in a CSR can take the following values: “CN=Host-ISE.cisco.com,
OU=Cisco, O=security, C=US, ST=NC, L=RTP, e=test@test.com” or “CN=aaa.amer.cisco.com, DNS
name in SAN=*.amer.cisco.com, OU=Cisco, O=security, C=US, ST=NC, L=RTP, e=abc@xyz.com.”
Note When populating the Certificate Subject field, do not encapsulate the string in quotation marks.
If you intend to use the certificate generated from this CSR for HTTPS communication, ensure that the
common name value in the Certificate Subject is the FQDN of the node. Otherwise, you will not be able
to select Management Interface when binding the generated certificate.
Step 4 Subject Alternative Name—A DNS name or IP Address that is associated with the certificate.
Step 5 Choose to encrypt and decrypt certificates using either SHA-1 or SHA-256.
Note If Cisco ISE is set to operate in FIPS mode, the certificate RSA key size must be 2048 bits or
greater in size and use either SHA-1 or SHA-256 hash algorithm.
Step 6 Check the Allow Wildcard Certificates check box if the Certificate Subject contains a CN or SAN with
a wildcard FQDN.
Step 7 Click Submit to generate a CSR.
A CSR and its private key are generated and stored in Cisco ISE. You can view this CSR in the Certificate
Signing Requests page. You can export the CSR and send it to a CA to obtain a signature.
Related Topics
• Wildcard Certificates, page E-4
• Creating a Certificate Signing Request for Wildcard Certificates, page E-10
Step 1 Choose Administration > System > Certificates > Local Certificates.
To bind a CA-signed certificate to a secondary node, choose Administration > System > Server
Certificate.
Step 2 Choose Add > Bind CA Certificate.
Step 3 Click Browse to choose the CA-signed certificate and choose the appropriate CA-signed certificate.
Step 4 Specify a Friendly Name for the certificate. If you do not specify a name, Cisco ISE automatically
creates a name in the format <common name>#<issuer>#<nnnnn> where <nnnnn> is a unique
five-digit number.
Step 5 Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate
certificate extensions.
Note If you enable the Enable Validation of Certificate Extensions option, and the certificate that
you are importing contains a basic constraints extension with the CA flag set to true, ensure that
the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit,
or both, are also set.
Step 6 Check the Allow Wildcard Certificates check box to bind a certificate that contains the wildcard
character, asterisk (*) in any CN in the Subject or DNS in the Subject Alternative Name.
Step 7 In the Protocol group box:
• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.
• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE web portal.
If you check the Management Interface check box, ensure that the Common Name value in the
Certificate Subject matches the fully qualified domain name (FQDN) of the node or a wildcard
notation if a wildcard certificate is used. Otherwise, the bind operation will fail.
If the HTTPS check box is checked, then the application server on the Cisco ISE node will be
restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment,
then the application server on all other nodes in the deployment will also be restarted. They will
restart one node at a time, after the Primary Administration node restart has completed.
Step 8 Check the Replace Certificate check box to replace an existing certificate with a duplicate certificate.
A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as
an existing certificate. This option updates the content of the certificate, but retains the existing protocol
selections for the certificate.
Step 9 Click Submit to bind the CA-signed certificate.
Related Topics
• Wildcard Certificates, page E-4
• Installing Wildcard Certificates in Cisco ISE, page E-10
Step 1 Choose Administration > System > Certificates > Local Certificates.
To edit a local certificate on a secondary node, choose Administration > System > Server Certificate.
Step 2 Check the check box next to the certificate that you want to edit, and click Edit.
Step 3 You can edit the following:
• Friendly name
• Description
• Protocols
• Expiration TTL (if the certificate is self-signed)
Step 4 Enter an optional friendly name and description to identify this certificate.
Step 5 In the Protocol group box:
• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.
• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE web portal.
If the HTTPS check box is checked, then the application server on the Cisco ISE node will be
restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment,
then the application server on all other nodes in the deployment will also be restarted. They will
restart one node at a time, after the Primary Administration node restart has completed.
Note If you check the Management Interface check box, ensure that the Common Name value in the
Certificate Subject matches the fully qualified domain name (FQDN) of the node or a wildcard
notation if a wildcard certificate is used. If the Common Name value is blank, the edit operation
will fail.
For example, if local_certificate_1 is currently designated for EAP and you check the EAP check
box while editing local_certificate_2, then after you save the changes to local_certificate_2,
local_certificate_1 will no longer be associated with EAP.
Step 6 Check the Renew Self Signed Certificate check box if you are editing a self-signed certificate and want
to extend the Expiration Date.
Step 7 Enter the Expiration TTL (Time to Live) in days, weeks, months, or years.
Step 8 Click Save to save your changes.
Related Topics
• Wildcard Certificates, page E-4
• Creating a Wildcard Certificate, page E-8
• Installing Wildcard Certificates in Cisco ISE, page E-10
Step 1 Choose Administration > System > Certificates > Local Certificates.
To export a local certificate from a secondary node, choose Administration > System > Server
Certificate.
Step 2 Check the check box next to the certificate that you want to export and then click Export.
Step 3 Choose whether to export only the certificate, or the certificate and its associated private key.
Tip We do not recommend exporting the private key associated with a certificate because its value may
be exposed. If you must export a private key, specify an encryption password for the private key. You
will need to specify this password while importing this certificate into another Cisco ISE server to
decrypt the private key.
Step 5 Enter the password if you have chosen to export the private key. The password should be at least 8
characters long.
Step 6 Click OK to save the certificate to the file system that is running your client browser.
If you export only the certificate, the certificate is stored in the privacy-enhanced mail format. If you
export both the certificate and private key, the certificate is exported as a .zip file that contains the
certificate in the privacy-enhanced mail format and the encrypted private key file.
Related Topics
• Importing a Local Certificate, page E-16
Note If your Cisco ISE deployment has multiple nodes in a distributed setup, you must export the CSRs from
each node in your deployment individually.
Related Topic
Exporting Certificate Signing Requests, page E-23
Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.
If you want to export CSRs from a secondary node, choose Administration > System > Certificate
Signing Requests.
Step 2 Check the check box next to the certificates that you want to export, and click Export.
Step 3 Click OK to save the file to the file system that is running the client browser.
Related Topics
• Wildcard Certificates, page E-4
Certificate Store
The Cisco ISE Certificate Store contains X.509 certificates that are used for trust and for Simple
Certificate Enrollment Protocol (SCEP). The certificates in the Certificate Store are managed on the
primary administration node, and are replicated to every node in the Cisco ISE deployment.
Cisco ISE supports wildcard certificates.
Cisco ISE uses the Certificate Store certificates for the following purposes:
• To verify client certificates used for authentication by endpoints, and by Cisco ISE administrators
accessing the Admin Portal using certificate-based administrator authentication.
• To enable secure communication between Cisco ISE nodes in a deployment. The Certificate Store
must contain the chain of CA certificates needed to establish trust with the local HTTPS server
certificate on each node in a deployment.
– If a self-signed certificate is used for the server certificate, the self-signed certificate from each
node must be placed in the Certificate Store of the primary Administration node.
– If a CA-signed certificate is used for the server certificate, the CA root certificate, as well as
any intermediate certificates in the trust chain, must be placed in the Certificate Store of the
primary Administration node.
• To enable secure LDAP authentication. A certificate from the Certificate Store must be selected
when defining an LDAP identity source that will be accessed over SSL.
• For distribution to mobile devices preparing to register in the network using the My Devices portal.
Cisco ISE implements the SCEP on Policy Service Nodes (PSN) to support mobile device
registration. A registering device uses the SCEP protocol to request a client certificate from a PSN.
The PSN contains a registration authority (RA) that acts as an intermediary; it receives and validates
the request from the registering device, and then forwards the request to a CA, which actually issues
the client certificate. The CA sends the certificate back to the RA, which returns it to the device.
Each SCEP CA used by Cisco ISE is defined by a SCEP RA Profile. When a SCEP RA Profile is
created, two certificates are automatically added to the Certificate Store:
a. A CA certificate (a self-signed certificate)
b. An RA certificate (a Certificate Request Agent certificate), which is signed by the CA.
The SCEP protocol requires that these two certificates be provided by the RA to a registering device.
By placing these two certificates in the Certificate Store, they are replicated to all PSN nodes for use
by the RA on those nodes.
Note X.509 certificates imported to Cisco ISE must be in Privacy-Enhanced Mail (PEM) or Distinguished
Encoding Rule (DER) format. Files containing a certificate chain, that is, a local certificate along with
the sequence of trust certificates that sign it, can be imported, subject to certain restrictions.
Related Topics
• Simple Certificate Enrollment Protocol Profiles, page E-29
• Importing Certificate Chains, page E-28
• Expiration of X.509 Certificates, page E-25
• CA Certificate Naming Constraint, page E-25
• Viewing Certificate Store Certificates, page E-26
• Changing the Status of a Certificate in Certificate Store, page E-26
• DNS
• E-mail
• URI (The URI constraint must start with a URI prefix such as http://, https://, ftp://, or ldap://).
The following name constraints are not supported:
• IP address
• Othername
When a CA certificate contains a constraint that is not supported and certificate that is being verified
does not contain appropriate field, it is rejected because Cisco ISE cannot verify unsupported
constraints.
The following is an example of the name constraints definition within the CA certificate:
X509v3 Name Constraints: critical
Permitted:
othername:<unsupported>
email:.abcde.at
email:.abcde.be
email:.abcde.bg
email:.abcde.by
DNS:.dir
DirName: DC = dir, DC = emea
DirName: C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic
DirName: C = BG, ST = EMEA, L = BG, O = ABCDE Group, OU = Domestic
DirName: C = BE, ST = EMEA, L = BN, O = ABCDE Group, OU = Domestic
DirName: C = CH, ST = EMEA, L = CH, O = ABCDE Group, OU = Service Z100
URI:.dir
IP:172.23.0.171/255.255.255.255
Excluded:
DNS:.dir
URI:.dir
An acceptable client certificate subject that matches the above definition is as follows:
Subject: DC=dir, DC=emea, OU=+DE, OU=OU-Administration, OU=Users, OU=X1,
CN=cwinwell
Step 1 Choose Administration > System > Certificates > Certificate Store.
Step 2 Check the check box next to the certificate you want to enable or disable, and click Change Status.
Step 1 Choose Administration > System > Certificates > Certificate Store.
Step 2 Click Import.
Step 3 Configure the field values as necessary.
If client certificate-based authentication is enabled, then Cisco ISE will restart the application server on
each node in your deployment, starting with the application server on the primary Administration node
and followed, one-by-one, by each additional node.
Step 1 Choose Administration > System > Certificates > Certificate Store.
Step 2 Check the check box next to the certificate that you want to edit, and click Edit.
Step 3 Modify the editable fields as required.
Step 4 Click Save to save the changes you have made to the certificate store.
Step 1 Choose Administration > System > Certificates > Certificate Store.
Step 2 Check the check box next to the certificate that you want to export, and click Export. You can export
only one certificate at a time.
Step 3 Save the privacy-enhanced mail file to the file system that is running your client browser.
Step 1 Import the certificate chain file into the Certificate Store using the Adding a Certificate to Certificate
Store operation. This operation will import all certificates from the file except the last one into the
Certificate Store. You can perform this step only on the primary Administration node.
Step 2 Import the certificate chain file using the Binding a CA-Signed Certificate operation. This operation will
import the last certificate from the file as a local certificate.
Note If you change the HTTPS certificate on the registered secondary node, after registering your secondary
node to the primary node, you must obtain appropriate CA certificates that can be used to validate the
secondary node’s HTTPS certificate.
Related Topics
• Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL, page E-28
• Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node,
page E-29
Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Step 1 Log in to the Admin portal of the node that you are going to register as your secondary node, and export
the CA-signed certificate that is used for HTTPS communication to the file system running your client
browser.
Step 2 In the Export dialog box, click the Export Certificate Only radio button.
Step 3 Log in to the Admin portal of your primary node, and import the CA-signed certificate of the secondary
node into the CTL of the primary node.
Related Topics
• Exporting a Certificate from the Certificate Store, page E-27
• Adding a Certificate to Certificate Store, page E-27
Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Step 1 Log in to the Admin portal of the node that you are going to register as your secondary node and export
the self-signed certificate that is used for HTTPS communication to the file system running your client
browser.
Step 2 In the Export dialog box, click the Export Certificate Only radio button.
Step 3 Log in to the Admin portal of your primary node, and import the self-signed certificate of the secondary
node into the CTL of the primary node.
Related Topics
• Exporting a Local Certificate, page E-22
• Adding a Certificate to Certificate Store, page E-27
Related Topics
• Adding Simple Certificate Enrollment Protocol Profiles, page E-30
• OCSP Services, page E-30
For Reference:
Once users’ devices receive their validated certificate, they reside on the device as described in
Table E-1.
OCSP Services
The Online Certificate Status Protocol (OCSP) is a protocol that is used for checking the status of x.509
digital certificates. This protocol is an alternative to the Certificate Revocation List (CRL) and addresses
issues that result in handling CRLs.
Cisco ISE has the capability to communicate with OCSP servers over HTTP to validate the status of
certificates in authentications. The OCSP configuration is configured in a reusable configuration object
that can be referenced from any certificate authority (CA) certificate that is configured in Cisco ISE. See
Editing a Certificate Store Certificate, page E-27.
You can configure CRL and/or OCSP verification per CA. If both are selected, then Cisco ISE first
performs verification over OCSP. If a communication problem is detected with both the primary and
secondary OCSP servers, or if an unknown status is returned for a given certificate, Cisco ISE switches
to checking the CRL.
This section contains the following topics:
• OCSP Certificate Status Values, page E-31
Related Topics
OCSP Statistics Counters, page E-33
OCSP Failures
The three general OCSP failure scenarios are as follows:
1. Failed OCSP cache or OCSP client side (Cisco ISE) failures.
2. Failed OCSP responder scenarios, for example:
a. The first primary OCSP responder not responding, and the secondary OCSP responder
responding to the Cisco ISE OCSP request.
b. Errors or responses not received from Cisco ISE OCSP requests.
An OCSP responder may not provide a response to the Cisco ISE OCSP request or it may return an
OCSP Response Status as not successful. OCSP Response Status values can be as follows:
– tryLater
– signRequired
– unauthorized
– internalError
– malformedRequest
There are many date-time checks, signature validity checks and so on, in the OCSP request. For
more details, refer to RFC 2560 X.509 Internet Public Key Infrastructure Online Certificate Status
Protocol - OCSP which describes all the possible states, including the error states.
3. Failed OCSP reports
Step 1 Choose Administration > System > Certificates > OCSP Services.
Step 2 Click Add
Step 3 Provide a name and description for the OCSP service.
Step 4 Check the Enable Secondary Server check box if you want to enable high availability.
Step 5 Select one of the following options for high availability:
• Always Access Primary Server First —Use this option to check the primary server before trying to
move to the secondary server. Even if the primary was checked earlier and found to be unresponsive,
Cisco ISE will try to send a request to the primary server before moving to the secondary server.
• Fallback to Primary Server After Interval—Use this option when you want Cisco ISE to move to the
secondary server and then fall back to the primary server again. In this case, all other requests are
skipped, and the secondary server is used for the amount of time that is configured in the text box.
The allowed time range is 1 to 999 minutes.
Step 6 Provide the URLs or IP addresses of the primary and secondary OCSP servers.
Step 7 Check or uncheck the following options:
• Nonce—You can configure a nonce to be sent as part of the OCSP request. The Nonce includes a
pseudo-random number in the OCSP request. It is verified that the number that is received in the
response is the same as the number that is included in the request. This option ensures that old
communications cannot be reused in replay attacks.
• Validate Response Signature—The OCSP responder signs the response with one of the following
signatures:
– The CA certificate
– A certificate different from the CA certificate
In order for Cisco ISE to validate the response signature, the OCSP responder needs to send the
response along with the certificate, otherwise the response verification fails, and the status of the
certificate cannot be relied on. According to the RFC, OCSP can sign the response using different
certificates. This is true as long as OCSP sends the certificate that signed the response for Cisco ISE
to validate it. If OCSP signs the response with a different certificate that is not configured in Cisco
ISE, the response verification will fail.
Step 8 Provide the number of minutes for the Cache Entry Time to Live.
Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the
certificate will be updated next on the server. When the OCSP response is cached, the two values (one
from the configuration and another from response) are compared, and the response is cached for the
period of time that is the lowest value of these two. If the nextUpdate value is 0, the response is not
cached at all.
Cisco ISE will cache OCSP responses for the configured time. The cache is not replicated or persistent,
so when Cisco ISE restarts, the cache is cleared.
The OCSP cache is used in order to maintain the OCSP responses and for the following reasons:
• To reduce network traffic and load from the OCSP servers on an already-known certificate
• To increase the performance of Cisco ISE by caching already-known certificate statuses
Step 9 Click Clear Cache to clear entries of all the certificate authorities that are connected to the OCSP
service.
In a deployment, Clear Cache interacts with all the nodes and performs the operation. This mechanism
updates every node in the deployment.
Message Description
OCSPPrimaryNotResponsiveCount The number of nonresponsive primary requests
OCSPSecondaryNotResponsiveCount The number of nonresponsive secondary requests
OCSPPrimaryCertsGoodCount The number of ‘good’ certificates that are returned for
a given CA using the primary OCSP server
OCSPSecondaryCertsGoodCount The number of ‘good’ statuses that are returned for a
given CA using the primary OCSP server
OCSPPrimaryCertsRevokedCount The number of ‘revoked’ statuses that are returned for
a given CA using the primary OCSP server
OCSPSecondaryCertsRevokedCount The number of ‘revoked’ statuses that are returned for
a given CA using the secondary OCSP server
OCSPPrimaryCertsUnknownCount The number of ‘Unknown’ statuses that are returned
for a given CA using the primary OCSP server
Message Description
OCSPSecondaryCertsUnknownCount The number of ‘Unknown’ statuses that are returned
for a given CA using the secondary OCSP server
OCSPPrimaryCertsFoundCount The number of certificates that were found in cache
from a primary origin
OCSPSecondaryCertsFoundCount The number of certificates that were found in cache
from a secondary origin
ClearCacheInvokedCount How many times clear cache was triggered since the
interval
OCSPCertsCleanedUpCount How many cached entries were cleaned since the t
interval
NumOfCertsFoundInCache Number of the fulfilled requests from the cache
OCSPCacheCertsCount Number of certificates that were found in the OCSP
cache
Monitoring OCSP
You can view the OCSP services data in the form of an OCSP Monitoring Report. For more information
on Cisco ISE reports, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Step 8 Enter the Common Name. The Common Name is the same as your hostname. You must enter the fully
qualified domain name (FQDN). For example, if your hostname is IPN1 and your DNS domain name is
cisco.com, you must enter IPN1.cisco.com as your Common Name.
Step 9 Enter an e-mail address.
Step 10 Copy the entire block of text including the blank line after the END CERTIFICATE REQUEST tag (to
include the carriage return).
Step 11 Send this CSR to the CA that signed the primary Administration node certificate.
If you are using the Microsoft CA, choose Web Server as the certificate template while sending the
signing request.
Note Only server authentication is supported in Release 1.2. If you use other CAs to sign a certificate,
ensure that the extended key usage specifies server authentication alone.
Step 12 Download the signed certificate in the DER or base64 format and copy it to an FTP server.
Step 13 Enter the following command from the Inline Posture node CLI:
copy ftp://a.b.c.d/ipn1.cer disk:
where a.b.c.d is the IP address of the FTP server and ipn1.cer is the CA-signed certificate that you are
adding to the Inline Posture node.
Step 14 Enter the username and password for the FTP server.
Step 15 Enter the following command from the Inline Posture node CLI:
pep certificate server add
Step 16 Enter y for the application to restart.
Step 17 Enter y to bind the certificate to the last CSR.
Step 18 Enter the name of the CA-signed certificate.
The Inline Posture application restarts. You can now register this Inline Posture node with your primary
Administration node. Refer to the Cisco Identity Services Engine User Guide, Release 1.2 for more
information.
C L
cable management arm installation A-6 location
Cisco ISE deployment 1-1 serial number 2-1
D M
DHCP, enabling 3-4 motherboard beeps A-8
E N
environmental specifications B-1 NIC modes, setting 3-4
NIC redundancy 3-4
I
P
installation
cable management arm A-6 packing list A-2
initial power-on and setup A-7 physical specifications B-1
IP settings 3-4 post-installation tasks 7-1
NIC modes 3-4 power
NIC redundancy 3-4 connecting power cords A-8
power cables A-8 specifications B-2
rack installation A-4
rack requirements A-4
required equipment A-4
R
slide rails A-5 rack installation A-4, A-5
unpacking and inspection A-2 rack requirements A-4
verification 3-15 required equipment
installing Cisco ISE installation A-4
serial number
location 2-1
setting NIC modes 3-4
setting NIC redundancy 3-4
slide rail installation A-5
specifications
environmental B-1
physical B-1
power B-2
static IP, setting 3-4
VMware
configuring 4-9
hardware requirements 4-2
installing 4-1
installing the Cisco ISE appliance 4-19