Ise Ig

Cisco Identity Services Engine
Hardware Installation Guide, Release 1.2
December 2018
Cisco Systems, Inc.

www.cisco.com
Cisco has more than 200 offices worldwide.

Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Text Part Number: OL-27044-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFT WARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFT WARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Cisco installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply
with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection
against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without written authorization from Cisco may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOT WITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFT WARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1721R)
Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

Copyright ©2013 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface 1
Purpose 1
Audience 2
Document Organization 2
Installation Reference 3
Document Conventions 3
Related Documentation 4
Release-Specific Documents 4
Platform-Specific Documents 5
Obtaining Documentation and Submitting a Service Request 6
CHAPTER 1 Network Deployments in Cisco ISE 1-1
Architecture Overview 1-1
Network Deployment Terminology 1-2
Node Types and Personas in Distributed Deployments 1-3

Administration Node 1-3
Policy Service Node 1-3
Monitoring Node 1-3
Inline Posture Node 1-4
Inline Posture Node Installation 1-4
Inline Posture Node Reuse 1-4
Standalone and Distributed Deployments 1-5
Distributed Deployment Scenarios 1-5
Small Network Deployments 1-5
Split Deployments 1-6
Medium-Sized Network Deployments 1-7
Large Network Deployments 1-8
Dispersed Network Deployments 1-9
Deployment Size and Scaling Recommendations 1-10
Inline Posture Planning Considerations 1-12
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE
Functions 1-13

OL-27044-01 iii
Contents
CHAPTER 2 Cisco SNS-3400 Series Appliances 2-1
Cisco SNS-3400 Series Appliance Hardware Specifications 2-1

Cisco SNS-3400 Series Front and Rear Panels 2-2
Cisco SNS Support for Cisco ISE 2-4
CHAPTER 3 Installing and Configuring a Cisco SNS-3400 Series Appliance 3-1
Installing the SNS-3400 Series Appliance in a Rack 3-1
Downloading the Cisco ISE, Release 1.2 ISO Image 3-1
Installing Release 1.2 Software on SNS-3400 Series Appliance 3-2
Cisco Integrated Management Controller 3-3
Configuring CIMC 3-3
Creating a Bootable USB Drive 3-5
Prerequisites for Configuring a Cisco SNS-3400 Series Appliance 3-6
Cisco ISE Setup Program Parameters 3-7
Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance 3-9
Supported Time Zones 3-13
Setup Process Verification 3-15
CHAPTER 4 Installing Release 1.2 Software on a VMware Virtual Machine 4-1
Supported VMware Versions 4-1
Support for VMware vMotion in Release 1.2 4-2
Virtual Machine Requirements 4-2

VMware Appliance Size Recommendations 4-3
Disk Space Requirements 4-4
Evaluating Release 1.2 4-5
Configuring a VMware ESX or ESXi Server 4-5
Enabling Virtualization Technology on an ESX or ESXi Server 4-7
Configuring VMware Server Interfaces for the Cisco ISE Profiler Service 4-8
Configuring a VMware Server 4-9
Preparing a VMware System for Cisco ISE Software Installation 4-17
Configuring a VMware System to Boot From a Cisco ISE Software DVD 4-17
Installing Cisco ISE Software on a VMware System 4-19
Connecting to a Cisco ISE VMware Server Using the Serial Console 4-21
Cloning a Cisco ISE Virtual Machine 4-24

Cloning a Cisco ISE Virtual Machine Using a Template 4-26
Creating a Virtual Machine Template 4-26
Deploying a Virtual Machine Template 4-26

iv OL-27044-01
Contents
Changing the IP Address and Hostname of a Cloned Virtual Machine 4-27

Connecting a Cloned Cisco Virtual Machine to the Network 4-29
CHAPTER 5 Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS
Appliances 5-1
Installing Cisco ISE, Release 1.2, Software from a DVD 5-2
Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance 5-3
Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance 5-3
Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance 5-4

Resetting the Existing RAID Configuration on a Cisco NAC Appliance 5-5
CHAPTER 6 Managing Administrator Accounts 6-1
CLI-Admin and Web-Based Admin User Right Differences 6-1
Tasks Performed by CLI-Admin and Web-Based Admin Users 6-1
Tasks Performed Only by the CLI-Admin User 6-2
Creating CLI Admin Users 6-2
Creating Web-Based Admin Users 6-2
CHAPTER 7 Performing Post-Installation Tasks 7-1
Accessing Cisco ISE Using a Web Browser 7-1

Logging In to the Cisco ISE Web-Based Interface 7-2
Administrator Lockout Following Failed Login Attempts 7-3
Logging Out of the Cisco ISE Web-Based Interface 7-3
Installing a License 7-3
Installing Certificates 7-4
Verifying a Cisco ISE Configuration 7-4

Verifying a Configuration Using a Web Browser 7-4
Verifying a Configuration Using the CLI 7-5
Verifying the Installation of VMware Tools 7-6
Upgrading VMware Tools 7-7
Resetting the Administrator Password 7-7
Resetting a Lost, Forgotten, or Compromised Password 7-8
Resetting a Password Due to Administrator Lockout 7-9
Changing the IP Address of a Cisco ISE Appliance 7-9
Configuring the Cisco ISE System 7-10
Enabling System Diagnostic Reports in Cisco ISE 7-10

OL-27044-01 v
Contents
APPENDIX A Installing the Cisco SNS-3400 Series Appliance in a Rack A-1
Unpacking and Inspecting the Server A-1
Safety Guidelines A-2
Installing a Cisco SNS-3400 Series Appliance in a Rack A-4

Rack Requirements A-4
Equipment Requirements A-4
Slide Rail Adjustment Range A-4
Installing the Server In a Rack A-4
Connecting and Powering On the Server A-7
Checking the LEDs A-8

Front Panel LEDs and Buttons A-9
Rear Panel LEDs and Buttons A-10
Installing or Replacing Server Components A-11
APPENDIX B Cisco SNS-3400 Series Server Specifications B-1
Physical Specifications B-1
Environmental Specifications B-1
Power Specifications B-2

450-Watt Power Supply B-2
650-Watt Power Supply B-2
APPENDIX C Cisco SNS-3400 Series Appliance Ports Reference C-1

Ports to be Used for OCSP and CRL C-9
APPENDIX D Cisco ISE Licenses D-1
Cisco ISE Licensing D-1

License Count D-3
Obtaining a Cisco ISE License from Cisco.com D-3
Determining Your Hardware ID Using the CLI D-4
Determining Your Hardware ID Using the Admin Portal D-4
Adding or Upgrading a License D-5
Removing a License D-5
APPENDIX E Certificate Management in Cisco ISE E-1
HTTPS Communication Using the Cisco ISE Certificate E-1
EAP Communication Using the Cisco ISE Certificate E-2
Certificates Enable Cisco ISE to Provide Secure Access E-2

vi OL-27044-01
Contents
Enabling PKI in Cisco ISE E-3
Local Certificates E-4

Wildcard Certificates E-4
Wildcard Certificates for HTTPS and EAP Communication E-5
Wildcard Certificate Support in Cisco ISE, Release 1.2 E-6
Fully Qualified Domain Name in URL Redirection E-6
Advantages of Using Wildcard Certificates E-7
Disadvantages of Using Wildcard Certificates E-7
Wildcard Certificate Compatibility E-8
Creating a Wildcard Certificate E-8
Installing Wildcard Certificates in Cisco ISE E-10
Creating a Certificate Signing Request for Wildcard Certificates E-10
Exporting the Certificate Signing Request E-11
Submitting the CSR to a Certificate Authority E-11
Importing the Root Certificates to the Certificate Store E-12
Binding the CSR With the New Public Certificate E-13
Exporting the CA-Signed Certificate and Private Key E-13
Importing the CA-Signed Certificate to the Policy Service Nodes E-13
Installing a CA-Signed Certificate in Cisco ISE E-13
Viewing Local Certificates E-15
Adding a Local Certificate E-16
Importing a Local Certificate E-16
Generating a Self-Signed Certificate E-18
Generating a Certificate Signing Request E-19
Binding a CA-Signed Certificate E-20
Editing a Local Certificate E-21
Exporting a Local Certificate E-22
Certificate Signing Requests E-23
Exporting Certificate Signing Requests E-23
Certificate Store E-23

Expiration of X.509 Certificates E-25
CA Certificate Naming Constraint E-25
Viewing Certificate Store Certificates E-26
Changing the Status of a Certificate in Certificate Store E-26
Adding a Certificate to Certificate Store E-27
Editing a Certificate Store Certificate E-27
Exporting a Certificate from the Certificate Store E-27
Importing Certificate Chains E-28
Installation of CA Certificates for Cisco ISE Inter-node Communication E-28

OL-27044-01 vii
Contents
Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s
CTL E-28
Importing a Self-Signed Certificate from a Secondary Node into the CTL of the
Primary Node E-29
Simple Certificate Enrollment Protocol Profiles E-29
Adding Simple Certificate Enrollment Protocol Profiles E-30
OCSP Services E-30

OCSP Certificate Status Values E-31
OCSP High Availability E-31
OCSP Failures E-31
Adding OCSP Services E-32
OCSP Statistics Counters E-33
Monitoring OCSP E-34
Configuring Certificates for Inline Posture Nodes E-34
I NDEX

viii OL-27044-01
Preface
Revised: December 20, 2018

This preface contains the following sections:
• Purpose, page 1
• Audience, page 2
• Document Organization, page 2
• Document Conventions, page 3
• Related Documentation, page 4
• Obtaining Documentation and Submitting a Service Request, page 6
Purpose
This installation guide provides the following types of information about Cisco ISE, Release 1.2:
• Prerequisites for installation
• Procedures for installing the Cisco ISE software on a supported Cisco ISE appliance
• Procedures for installing the Cisco ISE software on a supported VMware virtual machine
• Procedures for installing the Cisco ISE software on a supported Cisco Network Admission Control
(NAC) appliance or Cisco Secure Access Control System (ACS) appliance
Cisco ISE, Release 1.2 offers a choice of two appliance platforms. Your choice depends on the size of
your deployment:
• Small network—SNS 3415
• Large network—SNS 3495
You can upgrade an existing Cisco ISE 3300 series appliance to Release 1.2.
For VMware-based installations, you must configure the VMware environment to meet minimum system
requirements and then install the Cisco ISE, Release 1.2, software. See Chapter 4, “Installing Release
1.2 Software on a VMware Virtual Machine” for more information.
The supported VMware versions include the following:
• VMware Elastic Sky X (ESX), Version 4.0, 4.0.1, and 4.1
• VMware ESXi, Version 4.x and 5.x
• VMware vSphere Client 4.x and 5.x

OL-27044-01 -1
Chapter
Audience
This guide is designed for network administrators, system integrators, or network deployment personnel
who install and configure the Cisco ISE software on Cisco SNS-3400 Series appliances or on VMware
servers. As a prerequisite to using this hardware installation guide, you should be familiar with
networking equipment and cabling and have a basic knowledge of electronic circuitry, wiring practices,
and equipment rack installations.
Warning Only trained and qualified personnel should be allowed to install, replace, or service this
equipment. Statement 1030
Document Organization
Table 1 Cisco ISE Hardware Installation Guide Organization
Chapter/Appendix and Title Description

Chapter 1, “Network Deployments in Cisco ISE” Provides an overview of the Cisco SNS-3400 Series
appliance deployments and their components. Read this
chapter before planning a new Cisco ISE deployment.
Chapter 2, “Cisco SNS-3400 Series Appliances” Provides an overview of the Cisco SNS-3400 Series
hardware.
Chapter 3, “Installing and Configuring a Cisco SNS-3400 Describes how to perform an initial installation of Cisco ISE
Series Appliance” software on Cisco SNS-3400 Series hardware.
Chapter 4, “Installing Release 1.2 Software on a VMware Describes how to install Cisco ISE software on VMware ESX
Virtual Machine” or ESXi and vSphere virtual machines.
Chapter 5, “Installing Release 1.2 Software on Cisco ISE Describes how to install Cisco ISE, Release 1.2 software on
3300 Series, Cisco NAC, and Cisco Secure ACS Appliances” existing ISE 3300 series, or legacy NAC and ACS appliances.
Chapter 6, “Managing Administrator Accounts” Describes the two types of administrator accounts in Cisco
ISE, their privileges, and how to create them.
Chapter 7, “Performing Post-Installation Tasks” Provides information about installing a Cisco ISE license and
lists the configuration tasks that you need to perform
following installation.
Appendix A, “Installing the Cisco SNS-3400 Series Describes the necessary safety instructions, site
Appliance in a Rack” requirements, and tasks that you need to perform before
installing the Cisco SNS-3400 Series hardware. Also,
provides instructions on rack-mounting a Cisco SNS-3400
Series appliance, connecting all cables, powering up the
appliance, and replacing the server components.
Appendix B, “Cisco SNS-3400 Series Server Specifications” Provides physical, environmental, and power specifications
for maintaining Cisco SNS-3400 Series appliance following
installation.
Appendix C, “Cisco SNS-3400 Series Appliance Ports Provides a reference list of ports that are used by Cisco
Reference” SNS-3400 Series appliance services, applications, and
devices.

-2 OL-27044-01
Chapter
Table 1 Cisco ISE Hardware Installation Guide Organization (continued)
Chapter/Appendix and Title Description

Appendix D, “Cisco ISE Licenses” Describes the different types of licenses available in Cisco
ISE and how to install them.
Appendix E, “Certificate Management in Cisco ISE” Describes local (including wildcard certificates) and CA
certificates and how to install them.
Installation Reference
Table 2 Cisco ISE 1.2 Installation Scenarios
Installation Process Reference

Introducing the Cisco ISE appliance and Chapter 2, “Cisco SNS-3400 Series Appliances”
predeployment requirements Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a
Rack”
Configuring the Cisco ISE software Chapter 3, “Installing and Configuring a Cisco SNS-3400 Series
Appliance”
Installing the initial Cisco ISE software on the VMware Chapter 4, “Installing Release 1.2 Software on a VMware Virtual
server Machine”
Installing Cisco ISE software on a Cisco NAC Chapter 5, “Installing Release 1.2 Software on Cisco ISE 3300
Appliance or on a Cisco Secure ACS Appliance Series, Cisco NAC, and Cisco Secure ACS Appliances”
Performing post installation tasks after logging in to the Chapter 7, “Performing Post-Installation Tasks”
Cisco ISE web interface
Document Conventions
This guide uses the following conventions to convey instructions and information.
Convention Item
bold Commands, keywords, and user-entered text as
well as tab and button names in procedural text
appear in bold font.
italic Document titles, new or emphasized terms, and
arguments for which you supply values are in
italic font.
courier Terminal sessions and information the system
displays is in courier (monospace, fixed-width)
font.
<> In examples that do not allow italics, such as
ASCII outputs, arguments for which you must
supply a value appear in <angle> brackets.

OL-27044-01 -3
Chapter
Note Means reader take note. Notes contain helpful suggestions or references to material that is not discussed
in the manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Warning IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before
you work on any equipment, be aware of the hazards involved with electrical circuitry and be
familiar with standard practices for preventing accidents. Use the statement number provided at
the end of each warning to locate its translation in the translated safety warnings that
accompanied this device.
SAVE THESE INSTRUCTIONS
Tip Means the following information will help you solve a problem. The tips information might not be
troubleshooting or even an action, but could be useful information, similar to a Timesaver.
Related Documentation
Release-Specific Documents
Note General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user
documentation is available on Cisco.com at
http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.
Table 3 Product Documentation for Cisco Identity Services Engine
Document Title Location

Release Notes for the Cisco Identity Services http://www.cisco.com/en/US/products/
Engine, Release 1.2 ps11640/prod_release_notes_list.html
Cisco Identity Services Engine Network http://www.cisco.com/en/US/products/
Component Compatibility, Release 1.2 ps11640/products_device_support_tables_list.html
Cisco Identity Services Engine User Guide, http://www.cisco.com/en/US/products/ps11640/
Release 1.2 products_user_guide_list.html
Cisco Identity Services Engine Hardware http://www.cisco.com/en/US/products/ps11640/
Installation Guide, Release 1.2 prod_installation_guides_list.html

-4 OL-27044-01
Chapter
Table 3 Product Documentation for Cisco Identity Services Engine (continued)
Document Title Location

Cisco Identity Services Engine Upgrade http://www.cisco.com/en/US/products/ps11640/
Guide, Release 1.2. prod_installation_guides_list.html
Cisco Identity Services Engine, Release 1.2 http://www.cisco.com/en/US/products/ps11640/
Migration Tool Guide. prod_installation_guides_list.html
Cisco Identity Services Engine Sponsor http://www.cisco.com/en/US/products/ps11640/
Portal User Guide, Release 1.2. products_user_guide_list.html
Cisco Identity Services Engine CLI http://www.cisco.com/en/US/products/ps11640/
Reference Guide, Release 1.2. prod_command_reference_list.html
Cisco Identity Services Engine API http://www.cisco.com/en/US/products/ps11640/
Reference Guide, Release 1.2. prod_command_reference_list.html
Cisco Identity Services Engine http://www.cisco.com/en/US/products/ps11640/
Troubleshooting Guide, Release 1.2. prod_troubleshooting_guides_list.html
Regulatory Compliance and Safety http://www.cisco.com/en/US/products/ps11640/
Information for Cisco Identity Services prod_installation_guides_list.html
Engine, Cisco 1121 Secure Access Control
System, Cisco NAC Appliance, Cisco NAC
Guest Server, and Cisco NAC Profiler
Cisco Identity Services Engine In-Box http://www.cisco.com/en/US/products/ps11640/
Documentation and China RoHS Pointer products_documentation_roadmaps_list.html
Card
My Devices Portal FAQs, Release 1.2 http://www.cisco.com/en/US/products/ps11640/
products_user_guide_list.html
Platform-Specific Documents
• Cisco ISE
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
• Cisco NAC Appliance
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
• Cisco NAC Guest Server
• Cisco NAC Profiler
• Cisco Secure ACS
http://www.cisco.com/en/US/products/ps9911/ tsd_products_support_series_home.html
• Cisco UCS C-Series Servers
http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/
UCS_rack_roadmap.html
Communications, Services, and Additional Information

• To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

OL-27044-01 -5
Chapter
• To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
• To submit a service request, visit Cisco Support.
• To discover and browse secure, validated enterprise-class apps, products, solutions and services,
visit Cisco Marketplace.
• To obtain general networking, training, and certification titles, visit Cisco Press.
• To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system
that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST
provides you with detailed defect information about your products and software.

-6 OL-27044-01
CHAPTER 1
Network Deployments in Cisco ISE
This chapter describes several network deployment scenarios, provides information about how to deploy
the Cisco Identity Services Engine (ISE) SNS 3400 Series appliance and its related components, and
provides a pointer to the switch and Wireless LAN Controller configurations that are needed to support
Cisco ISE. This chapter contains the following sections:
• Architecture Overview, page 1-1
• Network Deployment Terminology, page 1-2
• Node Types and Personas in Distributed Deployments, page 1-3
• Standalone and Distributed Deployments, page 1-5
• Distributed Deployment Scenarios, page 1-5
• Deployment Size and Scaling Recommendations, page 1-10
• Inline Posture Planning Considerations, page 1-12
• Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions,
page 1-13
Architecture Overview
Cisco ISE architecture includes the following components:
• Nodes and persona types
– Cisco ISE node—A Cisco ISE node can assume any or all of the following personas:
Administration, Policy Service, or Monitoring
– Inline Posture node—A gatekeeping node that takes care of access policy enforcement
• Network resources
• Endpoints
Note Figure 1-1 shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an
Inline Posture node, and a policy information point.
The policy information point represents the point at which external information is communicated to the
Policy Service persona. For example, external information could be a Lightweight Directory Access
Protocol (LDAP) attribute.

OL-27044-01 1-1
Chapter 1 Network Deployments in Cisco ISE
Network Deployment Terminology
Figure 1-1 Cisco ISE Architecture
282088
Network Deployment Terminology
The following terms are commonly used when discussing Cisco ISE deployment scenarios:
• Service—A service is a specific feature that a persona provides such as network access, profiling,
posture, security group access, monitoring, and troubleshooting.
• Node—A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as
an appliance and as software that can be run on VMware.
• Node Type—A node can be one of two types: A Cisco ISE node or an Inline Posture node. The node
type and persona determine the type of functionality provided by a node.
• Persona—The persona or personas of a node determines the services provided by a node. A Cisco
ISE node can assume any or all of the following personas: Administration, Policy Service, and
Monitoring. The menu options that are available through the administrative user interface depend
on the role and personas that a node assumes.
• Role—The role of a node determines if it is a standalone, primary, or secondary node and applies
only to Administration and Monitoring nodes.

1-2 OL-27044-01
Node Types and Personas in Distributed Deployments

In a Cisco ISE distributed deployment, there are two types of nodes:
• Cisco ISE node—Administration, Policy Service, Monitoring
• Inline Posture node
A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a
deployment, with the exception of the Inline Posture node, can assume the Administration, Policy
Service, and Monitoring personas. In a distributed deployment, you can have the following combination
of nodes on your network:
• Primary and secondary Administration nodes for high availability
• A pair of Monitoring nodes for automatic failover
• One or more Policy Service nodes for session failover
• A pair of Inline Posture nodes for high availability
Related Topics
• Administration Node, page 1-3
• Policy Service Node, page 1-3
• Monitoring Node, page 1-3
• Inline Posture Node, page 1-4
Administration Node
A Cisco ISE node with the Administration persona allows you to perform all administrative operations
on Cisco ISE. It handles all system-related configurations that are related to functionality such as
authentication, authorization, and accounting. In a distributed deployment, you can have one or a
maximum of two nodes running the Administration persona. The Administration persona can take on the
standalone, primary, or secondary role.
Policy Service Node

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client
provisioning, and profiling services. This persona evaluates the policies and provides network access to
endpoints based on the result of the policy evaluation. You can have more than one node assume this
persona. Typically, there is more than one Policy Service node in a distributed deployment. All Policy
Service nodes that reside behind a load balancer share a common multicast address and can be grouped
to form a node group. If one of the nodes in a node group goes down, the other nodes detect the failure
and reset any pending sessions.
At least one node in your distributed setup should assume the Policy Service persona.
Monitoring Node
A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages
from all the Administration and Policy Service nodes in a network. This persona provides advanced
monitoring and troubleshooting tools that you can use to effectively manage a network and resources. A

OL-27044-01 1-3
node with this persona aggregates and correlates the data that it collects, and provides you with
meaningful reports. Cisco ISE allows you to have a maximum of two nodes with this persona, and they
can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring
nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring
node automatically becomes the primary Monitoring node.
At least one node in your distributed setup should assume the Monitoring persona. We recommend that
you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We
recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.
Inline Posture Node

An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as
wireless LAN controllers (WLCs) and VPN concentrators on the network. Inline Posture enforces access
policies after a user has been authenticated and granted access, and handles change of authorization
(CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline
Posture nodes, and they can take on primary or secondary roles for high availability.
The Inline Posture node must be a dedicated node. It must be dedicated solely for Inline Posture service,
and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature
of its service, an Inline Posture node cannot assume any persona. For example, it cannot act as an
Administration node (offering administration service), or a Policy Service node (offering network
access, posture, profile, and guest services), or a Monitoring node (offering monitoring and
troubleshooting services).
Inline Posture is not supported on the Cisco SNS 3495 platform. Ensure that you install Inline Posture
on any one of the following supported platforms: Cisco ISE 3315, Cisco ISE 3355, Cisco ISE 3395, or
Cisco SNS 3415.
Inline Posture Node Installation

You must download the Inline Posture ISO image from Cisco.com and install it on any of the supported
platforms, configure certificates through the CLI, and register this node from the user interface of the
primary Administration node.
Note You cannot access the web-based user interface of the Inline Posture nodes. You can configure them only
from the primary Administration node.
Before you can add an Inline Posture node to a deployment, you must configure a certificate for it and
register it with the primary Administration node. See Configuring Certificates for Inline Posture Nodes,
page E-34 for more information.
Inline Posture Node Reuse

If you decide that you no longer need an Inline Posture node, you cannot add any services or roles to it,
but you can change it to a Cisco ISE node and then assign any persona to it. If you want to reuse an Inline
Posture node, you must first deregister it and then reimage the appliance and install Cisco ISE, Release
1.2, on it.

1-4 OL-27044-01
Standalone and Distributed Deployments
Standalone and Distributed Deployments

A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the
Administration, Policy Service, and Monitoring personas.
A deployment that has more than one Cisco ISE node is called a distributed deployment. To support
failover and to improve performance, you can set up a deployment with multiple Cisco ISE nodes in a
distributed fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are
centralized, and processing is distributed across the Policy Service nodes. Depending on your
performance needs, you can scale your deployment. A Cisco ISE node can assume any of the following
personas: Administration, Policy Service, and Monitoring. An Inline Posture node cannot assume any
other persona, due to its specialized nature and it must be a dedicated node.
Distributed Deployment Scenarios

• Small Network Deployments, page 1-5
• Medium-Sized Network Deployments, page 1-7
• Large Network Deployments, page 1-8
Small Network Deployments

The smallest Cisco ISE deployment consists of two Cisco ISE nodes as shown in Figure 1-2, with one
Cisco ISE node functioning as the primary appliance in a small network.
Note Concurrent endpoints represent the total number of supported users and devices. Concurrent endpoints
can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming
consoles, printers, fax machines, or other types of network devices.
The primary node provides all the configuration, authentication, and policy capabilities that are required
for this network model, and the secondary Cisco ISE node functions in a backup role. The secondary
node supports the primary node and maintains a functioning network whenever connectivity is lost
between the primary node and network appliances, network resources, or RADIUS.
Centralized authentication, authorization, and accounting (AAA) operations between clients and the
primary Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates
all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node. Thus,
your secondary node is current with the state of your primary node. In a small network deployment, this
type of configuration model allows you to configure both your primary and secondary nodes on all
RADIUS clients by using this type of deployment or a similar approach.

OL-27044-01 1-5
Figure 1-2 Small Network Deployment
282092
As the number of devices, network resources, users, and AAA clients increases in your network
environment, you should change your deployment configuration from the basic small model and use
more of a split or distributed deployment model, as shown in Figure 1-3.
Figure 1-2 shows the secondary Cisco ISE node acting as a Policy Service persona performing AAA
functions. The secondary Cisco ISE node could also be acting as a Monitoring or Administration
persona.
Split Deployments
In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described in
a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to
optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to
handle the full workload if there are any problems with AAA connectivity. Neither the primary node nor
the secondary nodes handles all AAA requests during normal network operations because this workload
is distributed between the two nodes.
The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system.
In addition, splitting the load provides better loading while the functional status of the secondary node
is maintained during the course of normal network operations.
In split Cisco ISE deployments, each node can perform its own specific operations, such as network
admission or device administration, and still perform all the AAA functions in the event of a failure. If
you have two Cisco ISE nodes that process authentication requests and collect accounting data from
AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector.
Figure 1-3 shows the secondary Cisco ISE node in this role.

1-6 OL-27044-01
Figure 1-3 Split Network Deployment
282093
In addition, the split Cisco ISE node deployment design provides an advantage because it also allows for
growth, as shown in Figure 1-4.
Medium-Sized Network Deployments

As small, local networks grow, you can keep pace and manage network growth by adding Cisco ISE
nodes to create a medium-sized network. In medium-sized network deployments, you can dedicate the
new nodes for all AAA functions, and use the original nodes for configuration and logging functions.
As the amount of log traffic increases in a network, you can choose to dedicate one or two of the
secondary Cisco ISE nodes for log collection in your network.

OL-27044-01 1-7
Figure 1-4 Medium-Sized Network Deployment
Large Network Deployments

We recommend that you use centralized logging (as shown in Figure 1-5) for large Cisco ISE networks.
To use centralized logging, you must first set up a dedicated logging server that serves as a Monitoring
persona (for monitoring and logging) to handle the potentially high syslog traffic that a large, busy
network can generate.
Because syslog messages are generated for outbound log traffic, any RFC 3164-compliant syslog
appliance can serve as the collector for outbound logging traffic. A dedicated logging server enables you
to use the reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes.
See “Cisco ISE Setup Program Parameters” section on page 3-7 when configuring the Cisco ISE
software to support a dedicated logging server.
You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE
node and a generic syslog server. Adding a generic syslog server provides a redundant backup if the
Monitoring persona on the Cisco ISE node goes down.
In large centralized networks, you should use a load balancer (as shown in Figure 1-5), which simplifies
the deployment of AAA clients. Using a load balancer requires only a single entry for the AAA servers,
and the load balancer optimizes the routing of AAA requests to the available servers.
However, having only a single load balancer introduces the potential for having a single point of failure.
To avoid this potential issue, deploy two load balancers to ensure a measure of redundancy and failover.
This configuration requires you to set up two AAA server entries in each AAA client, and this
configuration remains consistent throughout the network.

1-8 OL-27044-01
Figure 1-5 Large Network Deployment
282094
Dispersed Network Deployments
Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus
with regional, national, or satellite locations elsewhere. The main campus is where the primary network
resides, is connected to additional LANs, ranges in size from small to large, and supports appliances and
users in different geographical regions and locations.
Large remote sites can have their own AAA infrastructure (as shown in Figure 1-6) for optimal AAA
performance. A centralized management model helps maintain a consistent, synchronized AAA policy.
A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We
still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote
location should retain its own unique network requirements.

OL-27044-01 1-9
Deployment Size and Scaling Recommendations
Figure 1-6 Dispersed Deployment
282095
Before You Plan a Network with Several Remote Sites
• Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight
Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the
external database that is available for Cisco ISE to access for optimizing AAA performance.
• The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible
to the AAA clients to reduce network latency effects and the potential for loss of access that is
caused by WAN failures.
• Cisco ISE has console access for some functions such as backup. Consider using a terminal at each
site, which allows for direct, secure console access that bypasses network access to each node.
• If small, remote sites are in close proximity and have reliable WAN connectivity to other sites,
consider using a Cisco ISE node as a backup for the local site to provide redundancy.
• Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access
to the external databases.

This section provides guidance on the size of the physical and virtual machine appliances that you would
need for your deployment based the number of endpoints that connect to your network. Table 1-1
provides guidance on the type of deployment, number of Cisco ISE nodes, and the type of appliance
(small, medium, large) that you need based on the number of endpoints that connect to your network.

1-10 OL-27044-01
Table 1-1 Cisco ISE Deployment—Size and Scaling Recommendations
Maximum Number
Deployment of Dedicated Policy Number of Active
Type Number of Nodes/Personas Appliance Platform Service Nodes Endpoints
Small Standalone or redundant (2) Cisco ISE 3300 Series 0 Maximum of 2,000
nodes with Administration, (3315, 3355, 3395) endpoints
Policy Service, and Cisco ISE 3415 0 Maximum of 5,000
Monitoring personas enabled. endpoints
Cisco ISE 3495 0 Maximum of 10,000
endpoints
Medium Administration and Cisco ISE-3355 or 5 Maximum of 5,000
Monitoring personas on single Cisco SNS 3415 endpoints
or redundant nodes. Maximum appliances for
of 2 Administration and Administration and
Monitoring nodes. Monitoring personas
Cisco ISE 3395 or 5 Maximum of 10,000
Cisco SNS 3495 endpoints
appliances for
Administration and
Monitoring personas
Large Dedicated Administration Cisco ISE 3395 40 Maximum of 100,000
node/nodes. Maximum of 2 appliances for endpoints
Administration nodes. Administration and
Monitoring personas
Dedicated Monitoring
node/nodes. Maximum of 2 Cisco SNS 3495 40 Maximum of 250,000
Monitoring nodes. appliances for endpoints
Administration and
Monitoring personas
Table 1-2 provides guidance on the type of appliance that you would need for a dedicated Policy Service
node based on the number of active endpoints the node services.
Table 1-2 Policy Service Node Size Recommendations
Form Factor Platform Size Appliance Maximum Endpoints

Physical Small Cisco ISE-3315 3,000
Cisco SNS-3415 5,000
Medium Cisco ISE-3355 6,000
Large Cisco ISE-3395 10,000
Cisco SNS-3495 20,000
Virtual Machine Small/Medium/Large Comparable to physical 3,000 to 20,000
appliance

OL-27044-01 1-11
Inline Posture Planning Considerations
Table 1-3 provides the maximum throughput and the maximum number of endpoints that a single Inline
Posture node can support.
Table 1-3 Inline Posture Node Sizing Recommendations
Attribute Performance
Maximum number of endpoints per physical 5,000 to 20,000 (gated by Policy Service nodes)
appliance
Maximum throughput per any physical 936 Mbps
appliance
Inline Posture Planning Considerations

A network or system architect is responsible for researching the issues involved in Inline Posture
deployment to determine what best suits network requirements.
A network or system architect must address the following basic questions when planning to deploy Inline
Posture nodes:
• Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE
networks support up to two Inline Posture nodes configured on a network at any one time.
• What type of Inline Posture operating modes will you choose?
Caution The untrusted interface on an Inline Posture node should be disconnected when an Inline Posture node
is being configured. If the trusted and untrusted interfaces are connected to the same VLAN during initial
configuration, and the Inline Posture node boots up after changing persona, multicast packet traffic gets
flooded out of the untrusted interface. This multicast event can potentially bring down devices that are
connected to the same subnet or VLAN. The Inline Posture node at this time is in the maintenance mode.
Caution Do not change the CLI password for Inline Posture node once it has been added to the deployment. If
the password is changed, when you access the Inline Posture node through the Administration node, a
Java exception error is displayed and the CLI gets locked. You need to recover the password by using
the installation DVD and rebooting the Inline Posture node. Or, you can set the password to the original
one.
If you need to change the password, then deregister the Inline Posture node from the deployment, modify
the password, and then add the node to the deployment with the new credentials.
Related Topics
Cisco Identity Services Engine User Guide, Release 1.2.

1-12 OL-27044-01
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions
Switch and Wireless LAN Controller Configuration

Required to Support Cisco ISE Functions
To ensure that Cisco ISE can interoperate with network switches and that functions from Cisco ISE are
successful across the network segment, you must configure your network switches with certain required
Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass (MAB), and
other settings.
Related Topics
For more switch and wireless LAN controller configuration requirements, see Appendix C, “Switch and
Wireless LAN Controller Configuration Required to Support Cisco ISE Functions,” in Cisco Identity
Services Engine User Guide, Release 1.2.

OL-27044-01 1-13
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

1-14 OL-27044-01
CHAPTER 2
Cisco SNS-3400 Series Appliances
This chapter describes Cisco Secure Network Server (SNS) 3415 and 3495 appliances and hardware
specifications.
• Cisco SNS-3400 Series Appliance Hardware Specifications, page 2-1
• Cisco SNS Support for Cisco ISE, page 2-3
Cisco SNS-3400 Series Appliance Hardware Specifications

Cisco SNS-3400 series appliance hardware consists of Cisco SNS 3415 and 3495 appliances. See the
Cisco Identity Services Engine (ISE) Data Sheet for the appliance hardware specifications (Table 3).
Note Cisco ISE 1.2 supports an optional redundant power supply unit for Cisco SNS-3415-K9. The part
number for the additional power supply to order is UCSC-PSU-650W=.
Cisco SNS-3400 Series Front and Rear Panels

Front Panel
Figure 2-1 shows the SNS 3415/3495 front panel.

OL-27044-01 2-1
Chapter 2 Cisco SNS-3400 Series Appliances
Cisco SNS-3400 Series Appliance Hardware Specifications
Figure 2-1 Cisco SNS 3415/3495 Front Panel
4 6
1 2 3 5 7 8
HDD1 HDD2 HDD3
331682
HDD4 HDD5 HDD6 HDD7 HDD8
9 10
1 Power button/power status LED 6 Power supply status LED

2 Identification button LED 7 Network link activity LED
3 System status LED 8 Asset tag (serial number)
4 Fan status LED 9 Keyboard, video, mouse (KVM) connector
(used with the KVM cable that provides two
USBs, one Video Graphics Adapter (VGA),
and one serial connector)
5 Temperature status LED 10 Drives (up to eight hot-swappable, 2 to 5-inch
drives)
Rear Panel
Figure 2-2 shows the SNS 3415/3495 rear panel.
Figure 2-2 SNS 3415/3495 Rear Panel
1 2 3 4 5
PCIe2
PSU1 PSU2
360856
6 7 8 9 10 11 12

2-2 OL-27044-01
Cisco SNS Support for Cisco ISE
1 Power supplies (up to two) 7 Serial port (RJ-45 connector)

2 Slot 2: Low-profile Peripheral 8 1-GB Ethernet dedicated management port
Component Interconnect Express used to access CIMC (labeled M)
(PCIe) slot on riser (half-height,
half-length, x16 connector, x16
lane width)
3 Slot 1: PCIe1 card containing 9 1-GB Ethernet port 1 (GigE0) for Cisco ISE
1-GB Ethernet ports (GigE2 and management communication
GigE3)
4 1-GB Ethernet port 3 (GigE2) 10 1-GB Ethernet port 2 (GigE1)
5 1-GB Ethernet port 4 (GigE3) 11 USB ports
6 VGA video connector 12 Rear identification button
Serial Number Location

The serial number for the server is printed on a label on the top of the server, near the front.

The Cisco ISE software run on a dedicated Cisco SNS-3400 series appliance or on a VMware server.
Cisco ISE, Release 1.2, software does not support the installation of any other packages or applications
on this dedicated platform. See Release Notes for Cisco Identity Service Engine, Release 1.2, for
additional hardware, compatibility information.
Release 1.2 is also supported on Cisco ISE 3300 series, Cisco NAC 3300 series, and Cisco Secure ACS
1121 appliances. You can upgrade an existing Cisco ISE 3300 series appliance to Release 1.2. For
information on Cisco ISE 3300 series appliances, see Chapter 5, “Installing Release 1.2 Software on
Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances.”

OL-27044-01 2-3

2-4 OL-27044-01
CHAPTER 3
Installing and Configuring a Cisco SNS-3400
Series Appliance
This chapter describes how to install and configure a Cisco Identity Services Engine (ISE) 3400 Series
appliance, and contains the following topics:
• Installing the SNS-3400 Series Appliance in a Rack, page 3-1
• Downloading the Cisco ISE, Release 1.2 ISO Image, page 3-1
• Installing Release 1.2 Software on SNS-3400 Series Appliance, page 3-2
• Cisco Integrated Management Controller, page 3-3
• Configuring CIMC, page 3-3
• Creating a Bootable USB Drive, page 3-5
• Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6
• Cisco ISE Setup Program Parameters, page 3-7
• Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
• Setup Process Verification, page 3-15
Note Review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco
ISE software on a Cisco SNS-3400 series appliance. See Prerequisites for Configuring a Cisco
SNS-3400 Series Appliance, page 3-6 for more information.
Installing the SNS-3400 Series Appliance in a Rack

Refer to Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a Rack,” for information on
safety guidelines, site requirements, and guidelines that you must observe before installing the Cisco
SNS-3400 series appliance.
Downloading the Cisco ISE, Release 1.2 ISO Image

You can download the Cisco ISE, Release 1.2 ISO image from Cisco.com.

OL-27044-01 3-1
Chapter 3 Installing and Configuring a Cisco SNS-3400 Series Appliance
Installing Release 1.2 Software on SNS-3400 Series Appliance
Note For Inline Posture nodes, you must download the Inline Posture Node, Release 1.2, ISO and continue
with the installation process. See Inline Posture Node Installation, page 1-4 for more information.
Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access
this link.
Step 2 Click Download Software for this Product.
The Cisco ISE, Release 1.2, software image comes with a 90-day evaluation license already installed, so
you can begin testing all Cisco ISE services when the installation and initial configuration is complete.
Installing Release 1.2 Software on SNS-3400 Series

Appliance
If your SNS-3400 series appliance is running Cisco ISE, Release 1.1.x, you have the option to upgrade
it to Release 1.2 using the application upgrade command. Refer to the Cisco Identity Services Engine
Upgrade Guide, Release 1.2. Alternatively, you can reimage your existing SNS-3400 Series appliance
to perform a fresh installation of Release 1.2 and register it to an existing deployment.
After you download the ISO image, you can install it on your SNS-3400 Series appliance in any one of
the following ways:
• Install the ISO image using the CIMC Remote Management Utility. You must configure the CIMC
to perform this remote installation.
1. Configure CIMC.
2. Install Cisco ISE, Release 1.2 remotely.
• Install the ISO image using a USB flash drive.
1. Create a bootable USB flash drive using the iso-to-usb.sh script.
2. Connect the USB flash device to the SNS-3400 Series appliance.
3. Install Cisco ISE, Release 1.2 using the local KVM or remotely using the CIMC KVM.
• Install the ISO using an external DVD drive with a USB port.
1. Burn the ISO image on to a DVD.
2. Connect the external USB DVD to the SNS-3400 Series appliance.
3. Install Cisco ISE 1.2, Release 1.2 via the local KVM or remotely using the CIMC KVM.
Note For installing Release 1.2 using a USB flash device or an external DVD with a USB port, CIMC
configuration is optional. Choose one of these options if you do not prefer a remote installation.
Related Topics
• Configuring CIMC, page 3-3
• Creating a Bootable USB Drive, page 3-5
• Cisco ISE Setup Program Parameters, page 3-7

3-2 OL-27044-01
Cisco Integrated Management Controller
• Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
Cisco Integrated Management Controller

You can monitor the server and system event logs using the built-in Cisco Integrated Management
Controller (CIMC) GUI or CLI interfaces. See the user documentation for your release at the following
URL:
http://www.cisco.com/en/US/products/ps10739/products_installation_and_configuration_guides
_list.html
Configuring CIMC
You can perform all operations on Cisco SNS-3400 series appliance through the CIMC. To do this, you
must first configure an IP address and IP gateway to access the CIMC from a web-based browser.
Step 1 Plug in the power cord.

Step 2 Press the Power button to boot the server. Watch for the prompt to press F8 as shown in the following
figure.
Step 3 During bootup, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following
screen appears.

OL-27044-01 3-3
Configuring CIMC
Step 4 Set the NIC mode to specify which ports access the CIMC for server management (see Figure 2-2 on
page 2-2 for identification of the ports). Cisco ISE can use up to four Gigabit Ethernet ports. Choose
Dedicated NIC mode, set NIC redundancy to None as described in Step 5, and select IP settings.
– Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select
NIC redundancy None and select IP settings.
– Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the
factory default setting, along with active-active NIC redundancy and DHCP enabled.
– Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You
must select a NIC redundancy and IP setting.
Note The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC
(N2XX-ACPCI01) that is installed in PCIe slot 1. See Special Considerations for Cisco UCS
Virtual Interface Cards.
Step 5 Specify the NIC redundancy setting:

– None—The Ethernet ports operate independently and do not fail over if there is a problem.
– Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.
– Active-active—All Ethernet ports are utilized simultaneously.
Step 6 Choose whether to enable DHCP for dynamic network settings or to enter static network settings.
Note Before you enable DHCP, this DHCP server must be preconfigured with the range of MAC
addresses for the server. The MAC address is printed on a label on the rear of the server. This
server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on
the label is the beginning of the range of six contiguous MAC addresses.
Step 7 (Optional) Specify VLAN setting and set a default CIMC user password.

3-4 OL-27044-01
Creating a Bootable USB Drive
Note Changes to the settings take effect after approximately 45 seconds. Press F5 to refresh and wait
until the new settings appear before you reboot the server in the next step.
Step 8 Press F10 to save your settings and reboot the server.
Note If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on
the console screen during bootup.
What To Do Next
Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
Creating a Bootable USB Drive

The Cisco ISE, Release 1.2, ISO image contains an “images” directory that has a Readme file and a script
to create a bootable USB drive to install Cisco ISE, Release 1.2.
Before You Begin

• Ensure that you have read the Readme file in the “images” directory
• You need the following:
– Linux machine with RHEL-5.x, RHEL-6.x, CentOS-5.x, or CentOS-6.x.
If you are using a PC or MAC, ensure that you have installed a Linux virtual machine (VM)
running RHEL-5.x, RHEL-6.x, CentOS-5.x, or CentOS-6.x.
– An 8-GB USB drive
– The iso-to-usb.sh script
Step 1 Plug the USB drive into the USB port.

Step 2 Unmount the USB drive from Linux CLI or GUI without removing the USB device. From the CLI, enter
the following command: umount /dev/sdb where /dev/sdb is the USB device.
Note Do not choose the “Safely Remove Drive” or “Eject” options from the GUI.
Step 3 Copy the iso-to-usb.sh script and the Cisco ISE, Release 1.2, ISO image to a directory on the Linux
machine.
Step 4 Change the permissions of the script using the chmod command.
For example, # chmod u+x iso-to-usb.sh.
Step 5 As root user, enter the following command:
iso-to-usb.sh source_iso usb_device
For example, # ./iso-to-usb.sh ise-1.2.0.434-x86_64.iso /dev/sdb where iso-to-usb.sh is the name of the
script, ise-1.2.0.434-x86_64.iso is the name of the ISO image, and /dev/sdb is your USB device.

OL-27044-01 3-5
Prerequisites for Configuring a Cisco SNS-3400 Series Appliance
You might have to use the su command to switch to the root user account. You can also use the sudo
command to execute the script with root permissions.
Step 6 Enter a value for the appliance that you want to install the image on.
Step 7 Enter Y to continue.
Step 8 A success message appears.
Step 9 Unplug the USB drive.
What To Do Next
Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
Prerequisites for Configuring a Cisco SNS-3400 Series

Appliance
Cisco SNS-3400 series appliances are preinstalled with the Cisco Application Deployment Engine,
Release 2.0.5, operating system (ADE-OS) and the Cisco ISE, Release 1.2, software.
Make sure that you identify all of the following configuration settings for each node in your deployment
before proceeding:
• Hostname
• IP address for the Gigabit Ethernet 0 (eth0) interface
• Netmask
• Default gateway
• Domain Name System (DNS) domain
• Primary name server
• Primary Network Time Protocol (NTP) server
• System time zone
• Username (username for CLI-admin user)
• Password (password for CLI-admin user)
For details about the differences between the CLI-admin user and web-based admin user rights, see
CLI-Admin and Web-Based Admin User Right Differences, page 6-1.
If you are installing Cisco ISE on an SNS-3400 series appliance, download the Cisco ISE, Release 1.2,
ISO image, and use any one of the following options to configure the Cisco ISE, Release 1.2, software
on the appliance:
• Configure the Cisco Integrated Management Interface (CIMC) and use it to install Cisco ISE,
Release 1.2. See Configuring CIMC, page 3-3.
• Create a bootable USB Drive and use it to install Cisco ISE, Release 1.2. See Creating a Bootable
USB Drive, page 3-5.

3-6 OL-27044-01
Cisco ISE Setup Program Parameters
Note In case you have purposefully deleted the RAID configuration on the Cisco SNS-3400 series
appliance, you must reinstall Cisco ISE, Release 1.2, using CIMC or the USB bootable drive.
While using the USB bootable drive to reinstall Cisco ISE, you must manually configure RAID
using the webBIOS. For more information on installing Cisco ISE using CIMC, see Using CIMC
to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9. For more
information on using the USB bootable drive to install Cisco ISE, see Creating a Bootable USB
Drive, page 3-5.
If you are installing Cisco ISE on Cisco ISE-3300 series, Cisco Secure ACS, or Cisco NAC appliances,
download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install
Cisco ISE, Release 1.2. See Appendix 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series,
Cisco NAC, and Cisco Secure ACS Appliances,” for the supported Cisco Secure ACS and Cisco NAC
platforms.

When the Cisco ISE software configuration begins, an interactive CLI prompts you to enter required
parameters to configure the system. (See Table 3-1).
Ensure that the DNS and NTP servers are reachable after you run Setup and whenever a
Cisco ISE node reboots in the deployment.
Note If you are installing Cisco ISE software on a VMware server, Cisco ISE also installs and configures
VMware Tools, Version 8.3.2, during the initial setup. To verify the installation, see Verifying the
Installation of VMware Tools, page 7-6.
Table 3-1 Cisco ISE Setup Program Parameters
Prompt Description Example

Hostname Must not exceed 15 characters. Valid characters include isebeta1
alphanumerical (A–Z, a–z, 0–9), and the hyphen (-). The first
character must be a letter.
Note We recommend that you use lowercase letters to ensure that
certificate authentication in Cisco ISE is not impacted by
minor differences in certificate-driven verifications. You
cannot use “localhost” as the hostname for a node.
(eth0) Ethernet Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) 10.12.13.14
interface address interface.
Netmask Must be a valid IPv4 netmask. 255.255.255.0
Default gateway Must be a valid IPv4 address for the default gateway. 10.12.13.1
DNS domain name Cannot be an IP address. Valid characters include ASCII characters, example.com
any numerals, the hyphen (-), and the period (.).
Primary name Must be a valid IPv4 address for the primary name server. 10.15.20.25
server

OL-27044-01 3-7
Table 3-1 Cisco ISE Setup Program Parameters (continued)
Prompt Description Example

Add/Edit another Must be a valid IPv4 address for an additional name server. (Optional) Allows you to
name server configure multiple name
servers. To do so, enter y to
continue.
Primary NTP Must be a valid IPv4 address or hostname of a Network Time Protocol clock.nist.gov
server (NTP) server.
Add/Edit another Must be a valid NTP domain. (Optional) Allows you to
NTP server configure multiple NTP
servers. To do so, enter y to
continue.
System Time Zone Must be a valid time zone. For details, see Cisco Identity Services UTC (default)
Engine CLI Reference Guide, Release 1.1.x, which provides a list of
time zones that Cisco ISE supports. For example, for Pacific
Standard Time (PST), the System Time Zone is PST8PDT (or
Coordinated Universal Time (UTC) minus 8 hours).
The time zones referenced in the CLI Reference Guide are the most
frequently used time zones. You can run the show timezones
command from the Cisco ISE CLI for a complete list of supported
time zones.
Note We recommend that you set all Cisco ISE nodes to the UTC
time zone. This time zone setting ensures that the reports,
logs, and posture agent log files from the various nodes in
your deployment are always synchronized with regard to the
time stamps.
Username Identifies the administrative username used for CLI access to the admin (default)
Cisco ISE system. If you choose not to use the default (admin), you
must create a new username. The username must be three to eight
characters in length and be composed of valid alphanumeric
characters (A–Z, a–z, or 0–9).
Password Identifies the administrative password that is used for CLI access to MyIseYPass2
the Cisco ISE system. You must create this password because there
is no default. The password must be a minimum of six characters in
length and include at least one lowercase letter (a–z), one uppercase
letter (A–Z), and one numeral (0–9).
Note For details about the web-based administrator username and password, see Verifying a Configuration
Using a Web Browser, page 7-4.

3-8 OL-27044-01
Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance
Using CIMC to Configure Release 1.2 on a Cisco SNS-3400

Series Appliance
After you configure the CIMC for your appliance, you can use it to manage a Cisco SNS-3400 series
appliance. You can perform all operations including BIOS configuration through the CIMC.
Note To configure VMware servers, see Configuring a VMware System to Boot From a Cisco ISE Software
DVD, page 4-17.
Before You Begin

• Ensure that you have configured the CIMC on your appliance. See Configuring CIMC, page 3-3 for
more information.
• Ensure that you have properly installed, connected, and powered up the supported appliance by
following the recommended procedures. See Connecting and Powering On the Server, page A-7 and
Checking the LEDs, page A-8.
• Ensure that you have the Cisco ISE, Release 1.2, ISO image on the client machine from which you
are accessing the CIMC or you have a bootable USB with the image for installation. See Creating a
Bootable USB Drive, page 3-5.
• Cisco ISE appliances track time internally using UTC time zones. If you do not know your specific
time zone, you can enter one based on the city, region, or country where the Cisco ISE appliance is
located. See Table 3-2, Table 3-3, and Table 3-4 for sample time zones. We recommend that you
configure the preferred time zone (the default is UTC) during installation when the setup program
prompts you to configure the setting.
Step 1 Connect to the CIMC for server management. Connect the Ethernet cables from the LAN to the server
using the ports selected by the Network Interface Card (NIC) Mode setting. The active-active and
active-passive NIC redundancy settings require you to connect to two ports.
Step 2 Use a browser and the IP address of the CIMC to log in to the CIMC Setup Utility. The IP address is
based on the CIMC configuration that you made (either a static address or the address assigned by the
Dynamic Host Configuration Protocol (DHCP) server).
Note The default username for the server is admin. The default password is password.
Step 3 Click Launch KVM Console.

Step 4 Use your CIMC credentials to log in.
Step 5 Click the Virtual Media tab.
Step 6 Click Add Image to choose the Cisco ISE, Release 1.2, ISO image from the system running your client
browser.
Step 7 Check the Mapped check box against the virtual CD/DVD drive that you have created.
Step 8 Click the KVM tab.
Step 9 Choose Macros > Ctrl-Alt-Del to boot the SNS-3400 series appliance using the ISO image. A screen
similar to the one shown in the following figure appears.

OL-27044-01 3-9
Step 10 Press F6 to bring up the boot menu. A screen similar to the following one appears.
Step 11 Choose the CD/DVD that you mapped and press Enter. A screen similar to the following one appears.

3-10 OL-27044-01
Step 12 At the boot prompt, enter 1 and press Enter.

**********************************************
Please type 'setup' to configure the appliance
**********************************************
Step 13 At the prompt, type setup to start the setup program. You are prompted to enter networking parameters
and credentials. The following illustrates a sample setup program and default prompts:
Enter hostname[]: ise-server-1
Enter IP address[]: 10.1.1.10
Enter Netmask[]: 255.255.255.0
Enter IP default gateway[]: 172.10.10.10
Enter default DNS domain[]: cisco.com
Enter Primary nameserver[]: 200.150.200.150
Add/Edit another nameserver? Y/N: n
Enter primary NTP domain[]: clock.cisco.com
Add/Edit another NTP domain? Y/N: n
Enable SSH?: Y/N
Enter system time zone[]: UTC
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Virtual machine detected, configuring VMware tools...
Appliance is configured
Installing applications...
Installing ISE...
Application bundle (ise) installed successfully
===Initial Setup for Application: ise===
Welcome to the ISE initial setup. The purpose of this setup is to provision the
internal ISE database. This setup is non-interactive, and will take roughly 15
minutes to complete.

OL-27044-01 3-11
Running database cloning script...

Running database network config assistant tool...
Extracting ISE database contents...
Starting ISE database processes...
...
Note An “Installing ISE-IPEP” message appears when you install the Inline Posture node, Release 1.2, ISO
image and you will see an “Application bundle (ISE-IPEP) installed successfully” message.
Note A “Virtual machine detected, configuring VMware tools...” message appears only if Cisco ISE is
installed on a virtual machine.
After the Cisco ISE or Inline Posture node software is configured, the Cisco ISE system reboots
automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you
configured during setup.
Step 14 If you installed the Inline Posture node ISO image, go to Configuring Certificates for Inline Posture
Nodes, page E-34.
Step 15 If you installed the Cisco ISE, Release 1.2, ISO image, log in to the Cisco ISE CLI shell, and run the
following CLI command to check the status of the Cisco ISE application processes:
ise-server/admin# show application status ise
ISE Database listener is running, PID: 4845

ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#
Step 16 After you confirm that the Cisco ISE Application Server is running, you can log in to the Cisco ISE user
interface by using one of the supported web browsers. (See Accessing Cisco ISE Using a Web Browser,
page 7-1.)
To log in to the Cisco ISE user interface using a web browser, enter https://<your-ise-hostname
or IP address>/admin/ in the Address field:
Here “your-ise-hostname or IP address” represents the hostname or IP address that you configured for
the Cisco SNS-3400 series appliance during setup.
Step 17 At the Cisco ISE Login window, you are prompted to enter the web-based admin login credentials
(username and password) to access the Cisco ISE user interface. You can initially access the Cisco ISE
web interface by using the CLI-admin user’s username and password that you defined during the setup
process.
After you log in to the Cisco ISE user interface, you can then configure your devices, user stores,
policies, and other components.

3-12 OL-27044-01
The username and password credentials that you use for web-based access to the Cisco ISE user interface
are not the same as the CLI-admin user credentials that you created during the setup for accessing the
Cisco ISE CLI interface. For an explanation of the differences between these two types of admin users,
see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.
Caution Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on
that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in
Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.1.2.
Supported Time Zones

This section provides three tables that provide more information about common Coordinated Universal
Time (UTC) time zones for Europe, the United States and Canada, Australia, and Asia.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting
ensures that the reports, logs, and posture agent log files from the various nodes in the
deployment are always synchronized with regard to the time stamps.
The format for time zones is POSIX or System V. POSIX time zone format syntax looks like
America/Los_Angeles, and System V time zone syntax looks like PST8PDT.
• For time zones in Europe, the United States, and Canada, see Table 3-2.
• For time zones in Australia, see Table 3-3.
• For time zones in Asia, see Table 3-4.
Table 3-2 Europe, United States, and Canada Time Zones
Acronym or Name Time Zone Name

Europe
GMT, GMT0, GMT-0, Greenwich Mean Time, as UTC
GMT+0, UTC,
Greenwich, Universal,
Zulu
GB British
GB-Eire, Eire Irish
WET Western Europe Time, as UTC
CET Central Europe Time, as UTC plus 1 hour
EET Eastern Europe Time, as UTC plus 2 hours
United States and Canada
EST, EST5EDT Eastern Standard Time, as UTC minus 5 hours
CST, CST6CDT Central Standard Time, as UTC minus 6 hours
MST, MST7MDT Mountain Standard Time, as UTC minus 7 hours

OL-27044-01 3-13
Table 3-2 Europe, United States, and Canada Time Zones (continued)
Acronym or Name Time Zone Name

PST, PST8PDT Pacific Standard Time, as UTC minus 8 hours
HST Hawaiian Standard Time, as UTC minus 10 hours
Table 3-3 Australia Time Zones
Australia1
ACT2 Adelaide Brisbane Broken_Hill
Canberra Currie Darwin Hobart
3
Lord_Howe Lindeman LHI Melbourne
4
North NSW Perth Queensland
South Sydney Tasmania Victoria
West Yancowinna — —
1. Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
2. ACT = Australian Capital Territory
3. LHI = Lord Howe Island
4. NSW = New South Wales
Table 3-4 Asia Time Zones
Asia1
Aden2 Almaty Amman Anadyr
Aqtau Aqtobe Ashgabat Ashkhabad
Baghdad Bahrain Baku Bangkok
Beirut Bishkek Brunei Kolkata
Choibalsan Chongqing Columbo Damascus
Dhakar Dili Dubai Dushanbe
Gaza Harbin Hong_Kong Hovd
Irkutsk Istanbul Jakarta Jayapura
Jerusalem Kabul Kamchatka Karachi
Kashgar Katmandu Kuala_Lumpur Kuching
Kuwait Krasnoyarsk — —
1. The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia.
2. Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.
Note The Cisco ISE CLI show timezones command displays a list of all time zones available to you. Choose
the most appropriate one for your network location.

3-14 OL-27044-01
Setup Process Verification

To verify that you have correctly completed the initial setup process, use one of the following two
methods to log in to the Cisco ISE appliance:
• Web browser
• Cisco ISE CLI
After you log in to the Cisco ISE user interface, you should perform the following tasks:
• “Installing a License” section on page 7-3
• “Configuring the Cisco ISE System” section on page 7-10

OL-27044-01 3-15

3-16 OL-27044-01
CHAPTER 4
Installing Release 1.2 Software on a VMware
Virtual Machine
This chapter describes the system requirements for installing the Cisco Identity Services Engine (ISE),
Release 1.2 software on a VMware virtual machine (VM). The following topics provide information
about the installation process:
• Supported VMware Versions, page 4-1
• Support for VMware vMotion in Release 1.2, page 4-2
• Virtual Machine Requirements, page 4-2
• Evaluating Release 1.2, page 4-5
• Configuring a VMware ESX or ESXi Server, page 4-6
• Preparing a VMware System for Cisco ISE Software Installation, page 4-16
• Installing Cisco ISE Software on a VMware System, page 4-18
• Connecting to a Cisco ISE VMware Server Using the Serial Console, page 4-20
• Cloning a Cisco ISE Virtual Machine, page 4-23
Note The Inline Posture node is supported only on Cisco SNS-3415 and Cisco ISE 3300 series appliances. It is not
supported on Cisco SNS-3495 series or VMware server systems. All the other designated roles are supported
for use on VMware virtual machines.
Supported VMware Versions

Cisco ISE supports the following VMware servers and clients:
• VMware Elastic Sky X (ESX), version 4.0, 4.0.1, and 4.1
• VMware ESXi, version 4.x and 5.x
• VMware vSphere Client 4.x and 5.x
Note Cisco ISE, Release 1.2, supports the VMware vMotion feature (live migration of virtual machines from
one server to another).

OL-27044-01 4-1
Chapter 4 Installing Release 1.2 Software on a VMware Virtual Machine
Support for VMware vMotion in Release 1.2
Support for VMware vMotion in Release 1.2

Cisco ISE, Release 1.2, supports the VMware vMotion feature that allows you to migrate live virtual
machine (VM) instances (running any persona) between hosts. For the VMware vMotion feature to be
functional, the following conditions must be met:
• Shared storage—The storage for the VM must reside on a storage area network (SAN), and the SAN
must be accessible by all the VMware hosts that can host the VM being moved.
• VMFS volume sharing—The VMware host must use shared virtual machine file system (VMFS)
volumes.
• Gigabit Ethernet interconnectivity—The SAN and the VMware hosts must be interconnected with
Gigabit Ethernet links.
• Processor compatibility—A compatible set of processors must be used. Processors must be from the
same vendor and processor family for vMotion compatibility.
Virtual Machine Requirements

Table 4-1 lists the minimum system requirements to install Cisco ISE, Release 1.2, software on a
VMware virtual machine and support 100 endpoints.
To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the VMware
virtual machine should be allocated system resources equivalent to the Cisco SNS 3415 and 3495
appliances. Refer to the Deployment Size and Scaling Recommendations, page 1-10 and VMware
Appliance Size Recommendations, page 4-3 for details.
Table 4-1 Minimum VMware System Requirements
Requirement Type Minimum Requirements

CPU Single Quad-Core; 2.0 GHz or faster
Memory 4 to 32 GB RAM
Hard disks 200 GB to 1.999 TB of disk storage (size depends on deployment and tasks). Refer to Table 4-3 for
more details.
We recommend that your VM host server use hard disks with a minimum speed of 10,000 RPM. The
Cisco ISE VM requires a minimum write bandwidth of 50 MB per second. This write bandwidth can
be easily achieved if the hosting environment uses 10,000 RPM disks.
Note When you create the Virtual Machine for Cisco ISE, use a single virtual disk that meets the
storage requirement. If you use more than one disk to meet the disk space requirement, the
installer may not recognize all the disk space.
Storage • File System—VMFS
We recommend that you use VMFS for storage. Other storage protocols are not tested and might
result in some file system errors.
• Internal Storage—SCSI/SAS
• External Storage—iSCSI/SAN
We do not recommend the use of NFS storage.
Disk controller SCSI controller

4-2 OL-27044-01
Table 4-1 Minimum VMware System Requirements (continued)
Requirement Type Minimum Requirements

NIC 1 GB NIC interface required (two or more NICs are recommended)
Note When creating network connections for any NICs that you configure, we recommend that you
select E1000 from the Adapter drop-down list. Cisco ISE, Release 1.2, supports the E1000
and VMXNET3 adapters for all NICs. It does not support any other virtual NIC drivers. See
Step 11 in Configuring a VMware Server, page 4-9.
Hypervisor See Supported VMware Versions, page 4-1.
VMware Appliance Size Recommendations

The VMware appliance specification should be comparable with the physical appliances. Table 4-2 lists
the recommended VMware specification for the physical appliances in a production environment.
Table 4-2 VMware Appliance Specifications for a Production Environment
Platform SNS-3415 SNS-3495

1
Processor Single socket Intel E5-2609 2.4 Ghz CPU Dual socket Intel E5-2609 2.4 Ghz CPU
4 total cores 8 total cores
Memory 16 GB 32 GB
2
Total Disk Space 600 GB 600 GB
3
Ethernet NICs 4 x Integrated Gigabit NICs 4 x Integrated Gigabit NICs
1. Virtual machine resources should be dedicated. The VM resources should not be shared or oversubscribed across multiple VMs.
2. Policy Service nodes on virtual machines can be deployed with less disk space than Administration or Monitoring nodes. It is recommended to have 150
to 200 GB of disk space for Policy Service nodes. Refer to “Recommended VMware Disk Space” for information on the amount of disk space required
for the various personas.
3. Virtual machines can be configured with 1 to 4 NICs. The recommendation is to allow for 2 or more NICs. Additional interfaces can be used to support
various services such as profiling or RADIUS. Refer to Appendix C, “Cisco SNS-3400 Series Appliance Ports Reference” for details about the services
that are supported on each of the ports.
Cisco ISE, Release 1.2 can be installed on virtual machines based on legacy appliance specifications,
but for better performance, we recommend that you deploy new virtual machines based on the SNS-3400
series appliance specifications.

OL-27044-01 4-3
Disk Space Requirements

Table 4-3 lists the Cisco ISE disk-space allocation recommended for running a VMware server in a
production deployment. Use the supported VMware ESX and ESXi server versions listed in Table 4-1
for running the Cisco ISE software.
Table 4-3 Recommended VMware Disk Space
Recommended
Minimum Maximum Disk Space for
ISE Persona Disk Space Disk Space Production
Standalone ISE 200 GB 1.999 TB 600 GB to 1.999
TB1
Distributed ISE — Administration only2 200 GB 1.999 TB 250 to 300 GB
Distributed ISE —Monitoring only 200 GB 1.999 TB 600 GB to 1.999
TB1
Distributed ISE — Policy Service only2 100 GB 1.999 TB 150 to 200 GB
Distributed ISE — Administration and 200 GB 1.999 TB 600 GB to 1.999
Monitoring TB1
Distributed ISE — Administration, 200 GB 1.999 TB 600 GB to 1.999 TB
Monitoring, and Policy Service
1. Disk allocation varies based on logging retention requirements. See Table 4-4 for details.
2. Additional disk space may be allocated to support local logging, and to store the backup and upgrade files on the local disk.
Cisco ISE must be installed on a single disk in VMware.
Note You can allocate only up to 1.999 TB of disk space for a Cisco ISE, Release 1.2, virtual machine (VM).
On any node that has the Monitoring persona enabled, 30 percent of the VM disk space is allocated for
log storage. A deployment with 25,000 endpoints generates approximately 1 GB of logs per day.
For example, if you have a Monitoring node with 600-GB VM disk space, 180 GB is allocated for log
storage. If 100,000 endpoints connect to this network every day, it generates approximately 4 GB of logs
per day. In this case, you can store 38 days of logs in the Monitoring node, after which you must transfer
the old data to a repository and purge it from the Monitoring database.
For extra log storage, you can increase the VM disk space. For every 100 GB of disk space that you add,
you get 30 GB more for log storage. Depending on your requirements, you can increase the VM disk
size up to a maximum of 1.999 TB or 614 GB of log storage.
If you increase the disk size of your virtual machine, you must not upgrade to Cisco ISE 1.2, but instead
do a fresh installation of Cisco ISE 1.2 on your virtual machine.
Table 4-4 provides the number of days that logs can be retained on your Monitoring node based on the
disk space allotted to it and the number of endpoints that connect to your network.

4-4 OL-27044-01
Evaluating Release 1.2
Table 4-4 Days that Logs can be Stored in a Monitoring Node1
No. of Endpoints 200 GB 400 GB 600 GB 1024 GB 2048 GB

10,000 126 252 378 645 1,289
20,000 63 126 189 323 645
30,000 42 84 126 215 430
40,000 32 63 95 162 323
50,000 26 51 76 129 258
100,000 13 26 38 65 129
150,000 9 17 26 43 86
200,000 7 13 19 33 65
250,000 6 11 16 26 52
1. Numbers are based on having log suppression and anomalous client detection enabled.
Evaluating Release 1.2

For evaluation purposes, Cisco ISE, Release 1.2, can be installed on any supported VMware virtual
machines (VMs) that comply with the requirements shown in Table 4-1. When evaluating Release 1.2,
you can configure less disk space in the VM, but you still are required to allocate a minimum disk space
of 100 GB.
Note You cannot migrate data to a production VM from a VM created with less than 200 GB of disk space.
You can migrate data only from VMs created with 200 GB or more disk space to a production
environment.
To obtain the Cisco ISE, Release 1.2 evaluation software (R-ISE-EVAL-K9=), contact your Cisco
Account Team or your Authorized Cisco Channel Partner.
To migrate a Cisco ISE configuration from an evaluation system to a fully licensed production system,
you need to complete the following tasks:
• Back up the configuration of the evaluation version.
• Ensure that your production VM has the required amount of disk space. Refer to Deployment Size
and Scaling Recommendations, page 1-10 for details.
• Install a production deployment license.
• Restore the configuration to the production system.
Note For evaluation, the minimum allocation requirements for a hard disk on a VMware server that supports
100 users is 100 GB. When you move the VMware server to a production environment that supports a
larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum
disk size that is listed in Table 4-3 or higher (up to the allowed maximum of 1.999 TB).

OL-27044-01 4-5
Configuring a VMware ESX or ESXi Server

This section describes how to configure a VMware ESX or ESXi server on a VMware virtual machine.
To perform the following procedures, you must log in to the ESXi server as a user with administrative
privileges (root user). The values that are provided in the following procedures and illustrations are
examples only. Actual values depend on your deployment requirements.
Before You Begin

Before you configure a VMware ESX or ESXi server, read the following:
• Cisco ISE, Release 1.2, is a 64-bit system. Before you install a 64-bit system, ensure that
Virtualization Technology (VT) is enabled on the ESX/ESXi server. Also, ensure that the virtual
machine’s guest operating system is set to 64 bits. See Enabling Virtualization Technology on an
ESX or ESXi Server, page 4-7 for more information. For information on hardware and firmware
requirements to support 64-bit, guest-operating systems, refer to the following VMware Knowledge
Base:
http://kb.vmware.com/selfservice/microsites/search.do?language=en
_US&cmd=displayKC&externalId=1011712
• You must also ensure that your guest operating system type is set to Red Hat Enterprise Linux 5
(64-bit). Refer to http://kb.vmware.com/selfservice/microsites/search.do?language=en
_US&cmd=displayKC&externalId=1005870 for information on how to set your guest operating
system type.
• For Red Hat Enterprise Linux 5, the default NIC type is E1000. We recommend that you choose
E1000 Adapter. Cisco ISE also supports VMXNET3 Adapter. You can add up to four NICs for your
Cisco ISE virtual machine, but ensure that you choose the same Adapter for all the NICs. Cisco ISE,
Release 1.2, does not support the VMXNET2 Adapter.
• Ensure that you allocate the recommended amount of disk space on the VMware virtual machine.
See Table 4-3 on page 4-4 for more details.
• If you have not created a VMware virtual machine file system (VMFS), you must create one to
support the Cisco ISE virtual appliance. The VMFS is set for each of the storage volumes configured
on the VMware host.
– If you use VMFS5, the 1-MB block size supports up to 1.999 TB virtual disk size.
– If you use VMFS3, you must choose a VMFS block size based on the largest virtual-disk size
hosted on the VMware host. After you configure the VMFS block size, you cannot change it
without reformatting the VMFS partitions. For VMFS3, the VMFS block size should be based
on the size of the largest virtual disk:
Table 4-5 VMFS Block Size
Block Size Virtual Disk Size

1 MB 256 GB
2 MB 512 GB
4 MB 1 TB
8 MB 1.999 TB

4-6 OL-27044-01
• Do not choose VMware thin provisioning as a storage type. This release of the Cisco ISE software
does not support using VMware thin provisioning as a storage type on any of the supported VMware
servers. Thin provisioning is not a default setting and Cisco advises against selecting it in Step 14
(as shown in Figure 4-12).
• If you are enabling the Profiler service, ensure that you have read and performed the tasks described
in Configuring VMware Server Interfaces for the Cisco ISE Profiler Service, page 4-8.
Enabling Virtualization Technology on an ESX or ESXi Server

Cisco ISE, Release 1.2, is a 64-bit system, and supports VMware ESX versions 4.0, 4.0.1, and 4.1, and
ESXi versions 4.x and 5.x. These ESX and ESXi versions can be installed only on 64-bit hardware.
Therefore, you can reuse the same hardware that you used for hosting a Cisco ISE, Release 1.1.x, virtual
machine with Release 1.2. However, before you install Release 1.2, you must enable Virtualization
Technology (VT) on the ESX or ESXi server.
If you have an ESX or ESXi server installed already, you can check if VT is enabled on it without
rebooting the machine. To do this, use the esxcfg-info command. Here is an example:
~ # esxcfg-info |grep "HV Support"
|----HV Support............................................3
|----World Command Line.................................grep HV Support
If HV Support has a value of 3, then VT is enabled on the ESX or ESXi server and you can proceed with
the installation. If HV Support has a value of 2, then VT is supported, but not enabled on the ESX or
ESXi server. You must edit the BIOS settings and enable VT on the ESX or ESXi server. For more
information about the esxcfg-info command, refer to the VMware Knowledge Base at:
This section describes how to edit the BIOS settings and enable VT on an SNS-3400 series appliance.
The instructions and illustrations in this section are examples only. The BIOS menu for your hardware
might vary from what you see in this example. Refer to the following VMware Knowledge Base for
enabling VT on your ESX or ESXi server:
Step 1 Reboot the SNS-3400 series appliance.

Step 2 Press F2 to enter setup.
Step 3 Choose Advanced > Processor Configuration.

OL-27044-01 4-7
Figure 4-1 Editing the BIOS Setting on an SNS-3400 Series Appliance
Step 4 Select Intel(R) VT and enable it.
Figure 4-2 Enabling VT on an SNS-3400 Series Appliance
Step 5 Press F10 to save your changes and exit.
Configuring VMware Server Interfaces for the Cisco ISE Profiler Service
To configure VMware server interfaces to support the collection of Switch Port Analyzer (SPAN) or
mirrored traffic to a dedicated probe interface for the Cisco ISE Profiler Service, perform the following
steps:

4-8 OL-27044-01
Step 1 Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server
instance) > VMswitch0 (one of your VMware ESXi server interfaces) > Properties > Security.
Step 2 In the Policy Exceptions pane on the Security tab, check the Promiscuous Mode check box.
Step 3 In the Promiscuous Mode drop-down list, choose Accept and click OK.
Repeat the same steps on the other VMware ESX server interface used for profiler data collection of
SPAN or mirrored traffic.
Figure 4-3 VMNetwork Properties Window
Configuring a VMware Server

This section describes how to configure VMware servers by using the VMware vSphere Client.
Step 1 Log in to the ESXi server.

Step 2 In the VMware vSphere Client, in the left pane, right-click your host container and choose New Virtual
Machine.
Step 3 In the Configuration dialog box, choose Custom for the VMware configuration, as shown in Figure 4-4,
and click Next.

OL-27044-01 4-9
Figure 4-4 Virtual Machine Configuration Dialog Box
The Name and Location dialog box appears (see Figure 4-5).
Step 4 Enter a name for the VMware system and click Next.
Tip Use the hostname that you want to use for your VMware host.
Figure 4-5 Name and Location Dialog Box

4-10 OL-27044-01
The Datastore dialog box appears (see Figure 4-6).

Step 5 Choose a datastore that has the recommended amount of space available and click Next. Refer to
Table 4-3 for details.
Figure 4-6 Datastore Dialog Box
The Virtual Machine Version dialog box appears.

Step 6 (Optional) If your VM host or cluster supports more than one VMware virtual machine version, choose
a Virtual Machine version such as Virtual Machine Version 7, and click Next (see Figure 4-7).

OL-27044-01 4-11
Figure 4-7 Virtual Machine Version
The Guest Operating System dialog box appears (see Figure 4-8).
Step 7 Choose Linux and Red Hat Enterprise Linux 5 (64-bit) from the Version drop-down list.
Figure 4-8 Guest Operating System Dialog Box
The Number of Virtual Processors dialog box appears (see Figure 4-9).

4-12 OL-27044-01
Step 8 Choose 2 from the Number of virtual sockets and the Number of cores per virtual socket drop-down list.
Total number of cores should be 4. Refer to “VMware Appliance Specifications for a Production
Environment” for details. Click Next.
Figure 4-9 Number of Virtual Processors Dialog Box
(Optional; appears in some versions of ESX server. If you see only the Number of virtual processors,
choose 4).
The Memory Configuration dialog box appears.
Step 9 Enter a value based on the recommendations in Table 4-2, and click Next.
Step 10 The Network Interface Card (NIC) Configuration dialog box appears (see Figure 4-10).
Step 11 Choose a NIC and adapter and click Next.
Note We recommend that you choose the E1000 adapter. Cisco ISE, Release 1.2, supports only the
E1000 and VMXNET3 adapters. It does not support any other virtual NIC drivers.

OL-27044-01 4-13
Figure 4-10 NIC Configuration Dialog Box
The SCSI controller dialog box appears.

Step 12 Choose LSI Logic Parallel as the SCSI controller and click Next.
The Select a Disk dialog box appears (see Figure 4-11).
Step 13 Choose Create a new virtual disk and click Next.
Figure 4-11 Select a Disk

4-14 OL-27044-01
The Virtual Disk Size and Provisioning Policy dialog box appears.
Step 14 In the Disk Provisioning dialog box, click the Thick Provisioning Lazy Zeroed radio button. Click Next
to continue. (See Figure 4-12.)
If you are using an earlier version of VMware client, uncheck the following options:
a. Uncheck the Allocate and commit space on demand (Thin Provisioning) check box.
b. Uncheck the Support clustering features such as Fault Tolerance check box.
Note When selecting the Thick Provisioned Lazy Zeroed option, the virtual disk is allocated all of its
provisioned space and immediately made accessible to the virtual machine. A lazy zeroed disk is not
zeroed up front, which makes the provisioning very fast. However, there is an added latency on first write
because each block is zeroed out before it is written to for the first time.
We recommend the Thick Provisioned Eager Zeroed (Recommended for I/O intensive workloads) option
when deploying an I/O intensive application on VMFS. The virtual disk is allocated all of its provisioned
space and the entire VMDK file is zeroed out before allowing the virtual machine access. This means
that the VMDK file will take longer to become accessible to the virtual machine, but will not incur the
additional latency of zeroing on first write.
Figure 4-12 Disk Provisioning Dialog Box
The Advanced Options dialog box appears.

Step 15 Choose the advanced options, and click Next.
The Ready to Complete New Virtual Machine dialog box appears (see Figure 4-13).
Step 16 Verify the configuration details, such as Name, Guest OS, CPUs, Memory, and Disk Size of the newly
created VMware system. You must see the following values:
• Guest OS—Red Hat Enterprise Linux 5 (64-bit)
• CPUs—4
• Memory—4 GB or 4096 MB

OL-27044-01 4-15
Preparing a VMware System for Cisco ISE Software Installation
• Disk Size—200 GB to 1.999 TB based on the recommendations for VMware disk space
For the Cisco ISE installation to be successful on a virtual machine, ensure that you adhere to the
recommendations given in this document.
Figure 4-13 Ready to Complete Dialog Box
Step 17 Click Finish.

The VMware system is now installed.
To activate the newly created VMware system, right-click VM in the left pane of your VMware client
user interface and choose Power > Power On.
Preparing a VMware System for Cisco ISE Software

Installation
After configuring the VMware system, you are ready to install the Cisco ISE software. To install the
Cisco ISE software from a DVD, you need to configure the VMware system to boot from it. This requires
the VMware system to be configured with a virtual DVD drive.
You can perform this installation by using different methods that are dependent upon your network
environment. See “Configuring a VMware System to Boot From a Cisco ISE Software DVD” to
configure the VMware system by using the DVD drive of a VMware ESX server host.
Note You must download the Cisco ISE 1.2 ISO, burn the ISO image on a DVD, and use it to install Cisco ISE
1.2 on the virtual machine.

4-16 OL-27044-01
Preparing a VMware System for Cisco ISE Software Installation
Configuring a VMware System to Boot From a Cisco ISE Software DVD

This section describes how to configure a VMware system to boot from the Cisco ISE software DVD by
using the DVD drive of the VMware ESX server host.
Step 1 In the VMware client, highlight the newly created VMware system and choose Edit Virtual
Machine Settings.
The Virtual Machine Properties window appears. Figure 4-14 displays the properties of a VMware
system that is created.
Figure 4-14 Virtual Machine Properties Dialog Box
Step 2 In the Virtual Machine Properties dialog box, choose CD/DVD Drive 1.
The CD/DVD Drive1 properties dialog box appears.
Step 3 Click the Host Device radio button and choose the DVD host device from the drop-down list.

OL-27044-01 4-17
Installing Cisco ISE Software on a VMware System
Figure 4-15 Virtual Machine Properties - Host Device Option
Step 4 Choose the Connect at Power On option and click OK to save your settings.
You can now use the DVD drive of the VMware ESX server to install the Cisco ISE software.
After you complete this task, click the Console tab in the VMware client user interface, right-click VM
in the left pane, choose Power, and choose Reset to restart the VMware system.

Step 1 Log in to the VMware client.
Step 2 Ensure that the Coordinated Universal Time (UTC) is set in BIOS:
a. If the VMware system is turned on, turn the system off.
b. Turn on the VMware system.
c. Press F1 to enter the BIOS Setup mode.
d. Using the arrow keys, navigate to the Date and Time field and press Enter.
e. Enter the UTC/Greenwich Mean Time (GMT) time zone.
ensures that the reports, logs, and posture-agent log files from the various nodes in your
deployment are always synchronized with regard to the time stamps.
f. Press Esc to exit to the main BIOS menu.

g. Press Esc to exit from the BIOS Setup mode.

4-18 OL-27044-01
Note After installation, if you do not install a permanent license, Cisco ISE automatically installs a
90-day evaluation license that supports a maximum of 100 endpoints.
Step 3 Insert the Cisco ISE software DVD into the VMware ESX host CD/DVD drive and turn on the virtual
machine.
Note Download the Cisco ISE, Release 1.2, software from the Cisco Software Download Site at
http://www.cisco.com/en/US/products/ps11640/index.html and burn it on a DVD. You will be
required to provide your Cisco.com credentials.
When the DVD boots, the console displays:

Welcome to Cisco ISE
To boot from the hard disk press <Enter>
Available boot options:
[1] Cisco Identity Services Engine Installation (Monitor/Keyboard)
[2] Cisco Identity Services Engine Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
boot: 1
You can choose either the monitor and keyboard port, or the console port to perform the initial setup.
Step 4 At the system prompt, enter 1 to choose a monitor and keyboard port or 2 to choose a console port and
press Enter.
The installer starts the installation of the Cisco ISE software on the VMware system.
Note Allow 20 minutes for the installation process to complete.
When the installation process finishes, the virtual machine reboots automatically.

OL-27044-01 4-19
Connecting to a Cisco ISE VMware Server Using the Serial Console
When the VM reboots, the console displays:

Type 'setup' to configure your appliance
localhost:
Step 5 At the system prompt, type setup and press Enter.
The Setup Wizard appears and guides you through the initial configuration. For more information about
the setup process, see Cisco ISE Setup Program Parameters, page 3-7.
Connecting to a Cisco ISE VMware Server Using the Serial

Console
To connect to the Cisco ISE VMWare server using the serial console, perform the following steps:
Step 1 Power down the particular VMware server (for example ISE-120).
Step 2 Right-click the VMware server and choose Edit.
Step 3 Click Add on the Hardware tab (see Figure 4-14).
Step 4 Choose Serial Port and click Next (see Figure 4-16).
Figure 4-16 Add Hardware - Device Type
Step 5 In the Serial Port Output area, click the Use physical serial port on the host or the Connect via
Network radio button and click Next (see Figure 4-17).

4-20 OL-27044-01
Figure 4-17 Add Hardware - Serial Port Type
a. If you choose the Connect via Network option, you must open the firewall ports over the ESX server.
b. If you select the Use physical serial port on the host, choose the port. You may choose one of the
following two options:
• /dev/ttyS0 (In the DOS or Windows operating system, this will appear as COM1).
• /dev/ttyS1 (In the DOS or Windows operating system, this will appear as COM2).

OL-27044-01 4-21
Step 6 Click Next (see Figure 4-18).
Figure 4-18 Select a Physical Serial Port
Step 7 In the Device Status area, check the appropriate check box. The default is Connected (see Figure 4-19).
Figure 4-19 Hardware - Device Status

4-22 OL-27044-01
Cloning a Cisco ISE Virtual Machine
Step 8 Click OK to connect to the Cisco ISE VMware server.

You can clone a Cisco ISE VMware virtual machine (VM) to create an exact replica of a Cisco ISE node.
For example, in a distributed deployment with multiple Policy Service nodes (PSNs), VM cloning helps
you deploy the PSNs quickly and effectively. You do not have to install and configure the PSNs
individually.
You can also clone a Cisco ISE VM using a template. See Cloning a Cisco ISE Virtual Machine Using
a Template, page 4-25 for more information.
Before You Begin

• Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client,
right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.
• Ensure that you change the IP Address and Hostname of the cloned machine before you power it on
and connect it to the network.
Step 1 Log in to the ESXi server as a user with administrative privileges (root user).
Step 2 Right-click the Cisco ISE VM you want to clone, and click Clone (see Figure 4-20).
Figure 4-20 Cloning a Cisco ISE Virtual Machine
Step 3 Enter a name for the new machine that you are creating in the Name and Location dialog box and click
Next.
This is not the hostname of the new Cisco ISE VM that you are creating, but a descriptive name for your
reference.

OL-27044-01 4-23
Step 4 Select a Host or Cluster on which you want to run the new Cisco ISE VM and click Next.
Step 5 Select a datastore for the new Cisco ISE VM that you are creating and click Next.
This datastore could be the local datastore on the ESX or ESXi server or a remote storage. See Table 4-1
on page 4-2 for supported storage types. Ensure that the datastore has enough disk space as described in
Table 4-3 on page 4-4.
Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next.
This option copies the same format that is used in the Cisco ISE VM that you are cloning this new
machine from.
Step 7 Click the Do not customize radio button in the Guest Customization dialog box and click Next.
The Ready to Complete dialog box appears (see Figure 4-21)
Figure 4-21 Ready to Clone Dialog
What To Do Next
• Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-26
• Connecting a Cloned Cisco Virtual Machine to the Network, page 4-28
Related Topics
• Cloning a Cisco ISE Virtual Machine Using a Template, page 4-25

4-24 OL-27044-01
Cloning a Cisco ISE Virtual Machine Using a Template

If you are using vCenter, then you can use a VMware template to clone a Cisco ISE virtual machine
(VM). You can clone the Cisco ISE node to a template and use that template to create multiple new Cisco
ISE nodes. Cloning a virtual machine using a template is a two-step process:
1. Creating a Virtual Machine Template, page 4-25
2. Deploying a Virtual Machine Template, page 4-25
Creating a Virtual Machine Template

Before You Begin
• Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client,
right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.
• We recommend that you create a template from a Cisco ISE, Release 1.2, VM that you have just
installed and not run the setup program on. You can then run the setup program on each of the
individual Cisco ISE nodes that you have created and configure IP address and hostnames
individually.
Step 1 Log in to the ESXi server as a user with administrative privileges (root user).
Step 2 Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template.
Step 3 Enter a name for the template, choose a location to save the template in the Name and Location dialog
box, and click Next.
Step 4 Choose the ESX host that you want to store the template on and click Next.
Step 5 Choose the datastore that you want to use to store the template and click Next.
Ensure that this datastore has the required amount of disk space. See Table 4-3 on page 4-4 for more
details.
The Ready to Complete dialog box appears.
Deploying a Virtual Machine Template

After you create a virtual machine template, you can deploy it on other virtual machines (VMs).
Step 1 Right-click the Cisco ISE VM template that you have created and choose Deploy Virtual Machine from
this template.
Step 2 Enter a name for the new Cisco ISE node, choose a location for the node in the Name and Location dialog
box, and click Next.
Step 3 Choose the ESX host where you want to store the new Cisco ISE node and click Next.
Step 4 Choose the datastore that you want to use for the new Cisco ISE node and click Next.
Ensure that this datastore has the required amount of disk space. See Table 4-3 on page 4-4 for more
details.

OL-27044-01 4-25
Step 6 Click the Do not customize radio button in the Guest Customization dialog box.
The Ready to Complete dialog box appears.
Step 7 Check the Edit Virtual Hardware check box and click Continue.
The Virtual Machine Properties page appears.
Step 8 Choose Network adapter, uncheck the Connected and Connect at power on check boxes, and click
OK.
You can now power on this Cisco ISE node, configure the IP address and hostname, and connect it to the
network.
What To Do Next
• Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-26
• Connecting a Cloned Cisco Virtual Machine to the Network, page 4-28
Related Topics
• Cloning a Cisco ISE Virtual Machine Using a Template, page 4-25
Changing the IP Address and Hostname of a Cloned Virtual Machine

After you clone a Cisco ISE virtual machine (VM), you have to power it on and change the IP address
and hostname. You cannot use “localhost” as the hostname for a node.
Before You Begin

• Ensure that the Cisco ISE node is in the standalone state.
• Ensure that the network adapter on the newly cloned Cisco ISE VM is not connected when you
power on the machine. Uncheck the Connected and Connect at power on check boxes. See
Figure 4-22. Otherwise, if this node comes up, it will have the same IP address as the source machine
from which it was cloned.

4-26 OL-27044-01
Figure 4-22 Disconnecting the Network Adapter
• Ensure that you have the IP address and hostname that you are going to configure for the newly
cloned VM as soon as you power on the machine. This IP address and hostname entry should be in
the DNS server.
• Ensure that you have certificates for the Cisco ISE nodes based on the new IP address or hostname.
Step 1 Right-click the newly cloned Cisco ISE VM and choose Power > Power On.
Step 2 Select the newly cloned Cisco ISE VM and click the Console tab.
Step 3 Enter the following commands on the Cisco ISE CLI:
configure terminal
hostname hostname
hostname is the new hostname that you are going to configure. The Cisco ISE services are restarted.
Step 4 Enter the following commands:
interface gigabit 0
ip address ip_address netmask
ip_address is the address that corresponds to the hostname that you entered in step 3 and netmask is the
subnet mask of the ip_address. The system will prompt you to restart the Cisco ISE services.
Step 5 Enter Y to restart Cisco ISE services.
Related Topics
Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.2, for the ip address and
hostname commands.

OL-27044-01 4-27
Connecting a Cloned Cisco Virtual Machine to the Network

After you power on and change the ip address and hostname, you must connect the Cisco ISE node to
the network.
Step 1 Right-click the newly cloned Cisco ISE virtual machine (VM) and click Edit Settings.
Step 2 Click Network adapter in the Virtual Machine Properties dialog box.
Step 3 In the Device Status area, check the Connected and Connect at power on check boxes.
Step 4 Click OK.

4-28 OL-27044-01
CHAPTER 5
Installing Release 1.2 Software on Cisco ISE
3300 Series, Cisco NAC, and Cisco Secure
ACS Appliances
This appendix describes the process for performing an initial (or fresh) installation of the Cisco ISE,
Release 1.2, software from a DVD on the following supported Cisco ISE-3300, Cisco Secure ACS, and
Cisco NAC appliance platforms:
• Cisco ISE-3315
• Cisco ISE-3355
• Cisco ISE-3395
• Cisco Secure ACS-1121
• Cisco NAC-3315
• Cisco NAC-3355
• Cisco NAC-3395
Note Download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install
Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and Cisco Secure ACS appliances.
Installing the software on a Cisco Secure ACS or Cisco NAC appliance is a simplified process because
the underlying hardware on which the Cisco ISE software will be installed is the same physical device
type.
• Cisco Secure ACS-1121 and Cisco NAC-3315 appliances are based on the same physical hardware
that are used for small Cisco ISE network deployments (Cisco ISE 3315 appliances).
• Cisco NAC-3355 and Cisco NAC-3395 appliances are based on the same physical hardware that are
used for medium and large Cisco ISE network deployments (Cisco ISE 3355 and Cisco ISE 3395
appliances, respectively).
Note For specific details about the Cisco ISE 3300 series hardware platforms, see the Cisco Identity Services
Engine Hardware Installation Guide, Release 1.1.x.

OL-27044-01 5-1
Chapter 5 Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS
Installing Cisco ISE, Release 1.2, Software from a DVD
This appendix describes the following procedures:

• Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2—Provides instructions for
installing the Cisco ISE, Release 1.2, software using a DVD.
• Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance, page 5-3—Provides
instructions for installing the Cisco ISE software with a DVD, configuring the appliance using the
Setup program, and verifying the configuration process.
• Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance, page 5-3—Provides
instructions for installing the Cisco ISE software with a DVD, configuring the appliance using the
Setup program, and verifying the configuration process.
• Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance, page 5-4—Provides
instructions for installing the Cisco ISE software with a DVD, including how to reset the RAID
configuration on the Cisco NAC appliance before you complete the reimage process.
Note To reuse a Cisco Secure ACS or Cisco NAC appliance as a Cisco ISE, Release 1.2 appliance, reimage
the Cisco Secure ACS or Cisco NAC appliance, install the Cisco ISE software, and use the Setup
program to configure the appliance.
Installing Cisco ISE, Release 1.2, Software from a DVD

Before You Begin
• Download the Cisco ISE 1.2, Release 1.2, or Inline Posture node ISO image, burn the ISO image on
a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and
Cisco Secure ACS appliances.
• Review the Cisco ISE Setup Program Parameters, page 3-7 and have this information ready before
you run the setup program.
Step 1 Connect a keyboard and a VGA monitor to the appliance.

Step 2 Ensure that a power cord is connected to the appliance, insert the DVD in the appliance CD/DVD drive,
and turn on the appliance.
The console displays the boot options.
Step 3 At the boot prompt, enter 1 and press Enter.
Step 4 At the prompt, type setup to start the setup program.
Step 5 Enter the values for the setup program parameters.
After the Cisco ISE or IPN software is configured, the system reboots automatically. To log back in to
the CLI, you must enter the CLI-admin user credentials that you configured during setup.
What To Do Next
• If you installed the IPN ISO, go to Configuring Certificates for Inline Posture Nodes, page E-34.
• If you installed the Cisco ISE, Release 1.2 ISO image, after you log in to the Cisco ISE CLI shell,
you can run the show application status ise CLI command to check the status of the Cisco ISE
application processes.

5-2 OL-27044-01
Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance
Installing Cisco ISE Software on a Reimaged Cisco ISE-3300

Series Appliance
This section provides the procedure for reimaging an existing Cisco ISE-3300 Series appliance as a
Cisco ISE 1.2 appliance.
Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image on a
DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and
• Review the information in Prerequisites for Configuring a Cisco SNS-3400 Series Appliance,
page 3-6.
Step 1 If the Cisco ISE appliance is on, turn it off.

Step 2 Turn on the Cisco ISE appliance.
Step 3 Press F1 to enter the BIOS setup mode.
Step 4 Use the arrow keys to navigate to the Date and Time field and press Enter.
Step 5 Set the time to the UTC/GMT time zone.
ensures that the reports and logs from the various nodes in a deployment are always in sync with
regard to the time stamps.
Step 6 Press Esc to exit to main BIOS menu.

Step 7 Press Esc to exit from the BIOS setup mode.
Step 8 Perform the instructions described in Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2.
Step 9 Perform the instructions described in Setup Process Verification, page 3-15.
Installing Cisco ISE Software on a Reimaged Cisco Secure

ACS Appliance
This section provides the procedure for reimaging an existing Cisco Secure ACS appliance as a Cisco
ISE, Release 1.2, appliance.
Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image on a
DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and

OL-27044-01 5-3
Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance
page 3-6.
Step 1 If the Cisco Secure ACS appliance is on, turn it off.

Step 2 Turn on the Cisco Secure ACS appliance.
Step 4 Use the arrow keys to navigate to the Date and Time field and press Enter.
Step 5 Set the time for your appliance to the UTC/GMT time zone.

Step 8 Perform the instructions described in Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2.
Step 9 Perform the instructions described in Setup Process Verification, page 3-15.
Installing Cisco ISE Software on a Reimaged Cisco NAC

Appliance
This section provides the procedure for reimaging an existing Cisco NAC appliance as a Cisco ISE 1.2
appliance.
Before You Begin

• Download the Cisco ISE 1.2, Release 1.2, or Inline Posture node ISO image, burn the ISO image on
a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and
page 3-6.
Step 1 If the Cisco NAC appliance is on, turn it off.

Step 2 Turn on the Cisco NAC appliance.
Step 4 Using the arrow keys, navigate to the Date and Time field and press Enter.
Step 5 Set the time for your appliance to the UTC/GMT time zone.

5-4 OL-27044-01

Note If the Cisco ISE DVD installation process returns a message indicating that “The installer
requires at least 600 GB disk space for this appliance type,” you may need to reset the RAID
settings on the appliance to facilitate installation as described in Resetting the Existing RAID
Configuration on a Cisco NAC Appliance.
Step 8 Perform the instructions that are described in Installing Cisco ISE, Release 1.2, Software from a DVD,
page 5-2.
Step 9 Perform the instructions that are described in Setup Process Verification, page 3-15.
Resetting the Existing RAID Configuration on a Cisco NAC Appliance

It may be necessary to reset the RAID settings on your NAC appliance to facilitate Cisco ISE 1.2
installation.
Step 1 Reboot the Cisco NAC appliance with the Cisco ISE Software DVD.
Step 2 When you see the RAID controller version information appear in the CLI, press Ctrl-C. The RAID
controller version information appears, displaying a label like LSI Corporation MPT SAS BIOS, and the
LSI Corp Config Utility becomes active.
Step 3 Press Enter to specify the default controller. (The highlighted controller name should read something
similar to SR-BR10i.) A screen containing the Cisco NAC appliance adapter information appears.
Step 4 Use the arrow keys to navigate to “RAID properties” and press Enter.
Step 5 Use the arrow keys to navigate to “Manage Array” and press Enter.
Step 6 Use the arrow keys to navigate to “Delete Array” and press Enter.
Step 7 Enter Y to confirm that you want to delete the existing RAID array.
Step 8 Press Esc twice to exit the RAID configuration utility.
The system prompts you with an Exit the Configuration Utility and Reboot? prompt.
Step 9 Press Enter. The Cisco NAC appliance reboots. As long as the Cisco ISE Software DVD is still inserted,
the appliance automatically boots to the install menu.
Step 10 Press 1 to begin the Cisco ISE, Release 1.2, installation.

OL-27044-01 5-5

5-6 OL-27044-01
CHAPTER 6
Managing Administrator Accounts
This chapter describes the two types of administrator accounts in Cisco ISE, their privileges, and how to
create these accounts. This chapter contains the following topics:
• CLI-Admin and Web-Based Admin User Right Differences, page 6-1
• Tasks Performed by CLI-Admin and Web-Based Admin Users, page 6-1
• Tasks Performed Only by the CLI-Admin User, page 6-2
• Creating CLI Admin Users, page 6-2
• Creating Web-Based Admin Users, page 6-2
CLI-Admin and Web-Based Admin User Right Differences

The username and password that you configure by using the Cisco ISE setup program are intended to be
used for administrative access to the Cisco ISE CLI and the Cisco ISE web interface. The administrator that
has access to the Cisco ISE CLI is called the CLI-admin user. By default, the username for the CLI-admin
user is admin and the password is user-defined during the setup process. There is no default password.
You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and
password that you defined during the setup process. There is no default username and password for a
web-based admin.
The CLI-admin user is copied to the Cisco ISE web-based admin user database. Only the first CLI-admin
user is copied as the web-based admin user. You should keep the CLI- and web-based admin user stores
synchronized, so that you can use the same username and password for both admin roles.
The Cisco ISE CLI-admin user has different rights and capabilities than the Cisco ISE web-based admin
user and can perform other administrative tasks.
Tasks Performed by CLI-Admin and Web-Based Admin

Users
• Back up the Cisco ISE application data.
• Display any system, application, or diagnostic logs on the Cisco ISE appliance.
• Apply Cisco ISE software patches, maintenance releases, and upgrades.
• Set the NTP server configuration.

OL-27044-01 6-1
Chapter 6 Managing Administrator Accounts
Tasks Performed Only by the CLI-Admin User
Tasks Performed Only by the CLI-Admin User

• Start and stop the Cisco ISE application software.
• Reload or shut down the Cisco ISE appliance.
• Reset the web-based admin user in case of a lockout. For additional details, see Resetting a Password
Due to Administrator Lockout, page 7-9.
Note Web-based admin users that are created by using the Cisco ISE user interface cannot automatically log
in to the Cisco ISE CLI. Only CLI-admin users can access the Cisco ISE CLI.
Refer to Accessing Cisco ISE Using a Web Browser, page 7-1 for information on the supported browsers.
Creating CLI Admin Users

Cisco ISE allows you to create additional CLI-admin user accounts other than the one you created during
the setup process. To protect the CLI-admin user credentials, create the minimum number of CLI-admin
users needed to access the Cisco ISE CLI.
Step 1 Log in by using the CLI-admin username and password that you created during the setup process.
Step 2 Enter the Configuration mode.
Step 3 Enter the username command.
Note For details about the username command, see the Cisco Identity Services Engine CLI Reference Guide,
Release 1.2.
Creating Web-Based Admin Users

For first-time web-based access to Cisco ISE system, the administrator username and password is the
same as the CLI-based access that you configured during setup.
You can add web-based admin users through the user interface itself. See the “Creating a New Cisco ISE
Administrator” section of the Cisco Identity Services Engine User Guide, Release 1.2 for additional
details.

6-2 OL-27044-01
CHAPTER 7
Performing Post-Installation Tasks
This chapter describes several tasks that you must perform after successfully completing the installation
and configuration of the Cisco Identity Services Engine (ISE), Release 1.2, software. This chapter
contains information about the following topics:
• Accessing Cisco ISE Using a Web Browser, page 7-1
• Verifying a Cisco ISE Configuration, page 7-4
• Verifying the Installation of VMware Tools, page 7-6
• Resetting the Administrator Password, page 7-7
• Configuring the Cisco ISE System, page 7-10
• Enabling System Diagnostic Reports in Cisco ISE, page 7-10
Accessing Cisco ISE Using a Web Browser

Cisco SNS-3400 series appliances support a web interface using the following HTTPS-enabled
browsers:
• Mozilla Firefox version 3.6.x and above
• Microsoft Internet Explorer 8.x and above
Note The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7
compatibility mode (Microsoft IE8 is supported in IE8 mode only).
• Apple Safari 4.x and above

Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser.
This section provides information about the following topics:
• Logging In to the Cisco ISE Web-Based Interface, page 7-2
• Logging Out of the Cisco ISE Web-Based Interface, page 7-3

OL-27044-01 7-1
Chapter 7 Performing Post-Installation Tasks
Accessing Cisco ISE Using a Web Browser
Logging In to the Cisco ISE Web-Based Interface

When you log in to the Cisco ISE web-based interface for the first time, you will be using the preinstalled
Evaluation license. You must use only the supported HTTPS-enabled browsers listed in the previous
section. After you have installed Cisco ISE as described in this guide, you can log in to the Cisco ISE
web-based interface.
Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.
Step 2 In the Address field, enter the IP address (or hostname) of the Cisco ISE appliance by using the following
format and press Enter.
https://<IP address or host name>/admin/
For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.
Step 3 Enter a username and password that you defined during setup.
Step 4 Click Login.
Note To recover or reset the Cisco ISE CLI-admin username or password, see the Resetting the Administrator
Password, page 7-7.

7-2 OL-27044-01
Installing a License
Tip The minimum required screen resolution to view the Cisco ISE GUI is 1280 x 800 pixels.
CLI admin and web-based admin username and password values are not the same. when logging into the
Cisco ISE. For more information about the differences between them, see CLI-Admin and Web-Based
Admin User Right Differences, page 6-1.
Note The license page only appears the first time that you log in to Cisco ISE after the evaluation
license has expired.
Note We recommend that you use the Cisco ISE user interface to periodically reset your administrator login
password. See the Cisco Identity Services Engine User Guide, Release 1.2 for more information.
Administrator Lockout Following Failed Login Attempts

If you enter an incorrect password for your specified administrator user ID enough times, the Cisco ISE
user interface “locks you out” of the system. Cisco ISE adds a log entry in the Monitor > Reports >
Catalog > Server Instance > Server Administrator Logins report, and suspends the credentials for that
administrator ID until you reset the password associated with that administrator ID, as described in
Resetting a Password Due to Administrator Lockout, page 7-9. The number of failed attempts required
to disable the administrator account is configurable according to the guidelines that are described in the
“Managing Administrators and Admin Access Policies” chapter of the Cisco Identity Services Engine
User Guide, Release 1.2. After an administrator user account gets locked out, an email is sent to the
associated admin user.
Logging Out of the Cisco ISE Web-Based Interface

To log out of the Cisco ISE web-based interface, click Log Out on the Cisco ISE main window toolbar.
This ends your administrative session and logs you out.
Caution For security reasons, we recommend that you log out when you complete your administrative session. If
you do not log out, the Cisco ISE web-based web interface logs you out after 30 minutes of inactivity,
and does not save any unsubmitted configuration data.
For more information on using the Cisco ISE web-based web interface, see the Cisco Identity Services
Engine User Guide, Release 1.2.
Installing a License
Refer to Appendix D, “Cisco ISE Licenses” for information on licenses.

OL-27044-01 7-3
Installing Certificates
Installing Certificates
Refer to Appendix E, “Certificate Management in Cisco ISE” for information on certificates.
Verifying a Cisco ISE Configuration

This section provides two methods that each use a different set of username and password credentials
for verifying Cisco ISE configuration:
• Verifying a Configuration Using a Web Browser, page 7-4
• Verifying a Configuration Using the CLI, page 7-5
Note For first-time web-based access to Cisco ISE system, the administrator username and password is the same
as the CLI-based access that you configured during setup. For CLI-based access to a Cisco ISE system, the
administrator username by default is admin and the administrator password (is user-defined because there is
no default).
To better understand the differences between a CLI-admin user and a web-based admin user, see
CLI-Admin and Web-Based Admin User Right Differences, page 6-1.
Verifying a Configuration Using a Web Browser

To verify that you successfully configured your Cisco SNS-3400 Series appliance, complete the
following steps using a web browser:
Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.
Step 2 In the Address field, enter the IP address (or host name) of the Cisco ISE appliance using the following
format and press Enter.
https://<IP address or host name>/admin/
For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.
Step 3 In the Cisco ISE Login page, enter the username and password that you have defined during setup and
click Login.
The Cisco ISE dashboard appears.
Note We recommend that you use the Cisco ISE user interface to periodically reset the administrator
password. To reset the administrator password, see Cisco Identity Services Engine User Guide, Release
1.2 for details.

7-4 OL-27044-01
Verifying a Cisco ISE Configuration
Verifying a Configuration Using the CLI

To verify that you successfully configured your Cisco ISE appliance, use the Cisco CLI and complete
the following steps:
Step 1 After the Cisco ISE appliance reboot has completed, launch a supported product, such as PuTTY, for
establishing a Secure Shell (SSH) connection to a Cisco ISE appliance.
Step 2 In the Host Name (or IP Address) field, enter the hostname (or the IP address in dotted decimal format
of the Cisco ISE appliance) and click Open.
Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during
setup and press Enter.
Step 4 At the password prompt, enter the CLI-admin password that you configured during setup (this is
user-defined and there is no default) and press Enter.
Step 5 At the system prompt, enter show application version ise and press Enter.
The console displays the following screen.
Note The Version field lists the currently installed version of Cisco ISE software.
Step 6 To check the status of the Cisco ISE processes, enter show application status ise and press Enter.
The console displays the following screen.

OL-27044-01 7-5
Verifying the Installation of VMware Tools
Note To get the latest Cisco ISE patches and keep Cisco ISE up-to-date, visit the following web site:
http://www.cisco.com/public/sw-center/index.shtml
Step 7 To check the Cisco Application Deployment Engine, Release 2.0.5, operating system (ADE-OS) version,
enter show version and press Enter.
The console displays output similar to the following:
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.5.083
ADE-OS System Architecture: i386
Verifying the Installation of VMware Tools

You can verify the Installation of the VMware tools in the following two ways:
• Using the Summary Tab in the vSphere Client
• Using the CLI
Using the Summary Tab in the vSphere Client

Go to the Summary tab of the specified VMware host in the vShpere Client. The value in the VMware
Tools field should be OK. (See Figure 7-1.)
Figure 7-1 Verifying VMware Tools in the vSphere Client

7-6 OL-27044-01
Resetting the Administrator Password
Using the CLI

You can also verify if the VMware tools are installed using the show inventory command. This
command lists the NIC driver information. On a virtual machine with VMware tools installed, VMware
Virtual Ethernet driver will be listed in the Driver Descr field.
vm36/admin# show inventory
NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"

PID: ISE-VM-K9 , VID: V01 , SN: 8JDCBLIDLJA
Total RAM Memory: 4016564 kB
CPU Core Count: 1
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 64.40 GB
Disk 0: Geometry: 255 heads 63 sectors/track 7832 cylinders
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:BA:C7:82
NIC 0: Driver Descr: VMware Virtual Ethernet driver
(*) Hard Disk Count may be Logical.

vm36/admin#
Upgrading VMware Tools

The Cisco ISE ISO image (regular, upgrade, or patch) contains the supported VMware tools. Upgrading
VMware tools through the VMware client user interface is not supported with Cisco ISE. If you want to
upgrade any VMware tools to a higher version, support is provided through a newer version of Cisco ISE
(regular, upgrade, or patch release).

There are two ways to reset the Cisco ISE administrator password:
• Resetting a Lost, Forgotten, or Compromised Password, page 7-8—Use this procedure if no one is
able to log in to the Cisco ISE system because the administrator password has been lost, forgotten,
or compromised.
• Resetting a Password Due to Administrator Lockout, page 7-9—Use this procedure if the
administrator account is locked due to too many failed login attempts..

OL-27044-01 7-7
Resetting a Lost, Forgotten, or Compromised Password

If no one is able to log in to the Cisco ISE system because the administrator password has been lost,
forgotten, or compromised, you can use the Cisco ISE Software DVD to reset the administrator
password.
Before You Begin

Make sure you understand the following connection-related conditions that can cause a problem when
attempting to use the Cisco ISE Software DVD to start up a Cisco ISE appliance:
• You have a terminal server associated with the serial console connection to the Cisco ISE appliance
that is set to exec. Setting it to no exec allows you to use a KVM connection and a serial console
connection.
• You have a keyboard and video monitor (KVM) connection to the Cisco ISE appliance (this can be
either a remote KVM or a VMware vSphere client console connection).
• You have a serial console connection to the Cisco ISE appliance.
Step 1 Ensure that the Cisco ISE appliance is powered up.

Step 2 Insert the Cisco ISE Software DVD.
Step 3 Reboot the Cisco ISE appliance to boot from the DVD.
The console displays the following message (this example shows a Cisco ISE 3355):
Welcome to Cisco Identity Services Engine - ISE 3355
To boot from hard disk press <Enter>
Available boot options:
[1] Cisco Identity Services Engine Installation (Keyboard/Monitor)
[2] Cisco Identity Services Engine Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
boot:
Step 4 At the system prompt, enter 3 if you use a keyboard and video monitor connection to the appliance, or
enter 4 if you use a local serial console port connection.
The console displays a set of parameters.
Step 5 Enter the parameters by using the descriptions that are listed in Table 7-1.
Table 7-1 Password Reset Parameters
Parameter Description
Admin username Enter the number of the administrator whose password you want
to reset.
Password Enter a new password.
Verify password Enter the password again.
Save change and reboot Enter Y to save.
The console displays:

7-8 OL-27044-01
Changing the IP Address of a Cisco ISE Appliance
Admin username:
[1]:admin
[2]:admin2
[3]:admin3
[4]:admin4
Enter number of admin for password recovery:2
Password:
Verify password:
Save change and reboot? [Y/N]:
See the Cisco Identity Services Engine CLI Reference Guide, Release 1.2 more information.
Resetting a Password Due to Administrator Lockout

An administrator can enter an incorrect password enough times to disable the account. The minimum
and default number of attempts is five.
Note Use this command to reset the administrator user interface password. It does not affect the CLI password
of the administrator.
Step 1 Access the direct-console CLI and enter:

application reset-passwd ise administrator_ID
Step 2 Specify and confirm a new password that is different from the previous two passwords that were used
for this administrator ID:
Enter new password:
Confirm new password:
Password reset successfully
After you successfully reset the administrator password, the credentials are immediately active and you
can log in without having to reboot the system.
For more details on using the application reset-passwd ise command, see the Cisco Identity Services
Engine CLI Reference Guide, Release 1.2.
Changing the IP Address of a Cisco ISE Appliance

To change the IP address of a Cisco SNS-3400 series appliance, complete the following steps:
Before You Begin
Ensure that the Cisco ISE node is in a standalone state before you change the IP address. If the node is
part of a distributed deployment, deregister the node from the deployment and make it a standalone node.
Step 1 Log in to the Cisco ISE CLI.

OL-27044-01 7-9
Configuring the Cisco ISE System
Step 2 Enter the following:

configure terminal
interface GigabitEthernet 0
ip address new_ip_address new_subnet_mask
exit
Note Do not use the no ip address command when you change the Cisco ISE appliance IP address.
Note All Cisco ISE services have to be restarted after changing the Cisco ISE appliance IP address.
Configuring the Cisco ISE System

By using the Cisco ISE web-based user interface menus and options, you can configure the Cisco ISE
system to suit your needs. For details on configuring authentication and authorization policies, and other
features, menus, and options, see the Cisco Identity Services Engine User Guide, Release 1.2.
For details on each of the Cisco ISE operations and other administrative functions, such as monitoring
and reporting, see the Cisco Identity Services Engine User Guide, Release 1.2.
For the most current information about this release, see the Release Notes for Cisco Identity Service
Engine, Release 1.2.
Enabling System Diagnostic Reports in Cisco ISE

After installing Cisco ISE the first time or reimaging an appliance, you can choose to enable the
system-level diagnostic reports using the Cisco ISE CLI (the logging function that reports on system
diagnostics is not enabled in Cisco ISE by default).
To enable system diagnostic reports, do the following:
Step 1 Log in to the Cisco ISE CLI console using the default administrator user ID and password.
Step 2 Enter the following commands:
a. configure terminal
b. logging 127.0.0.1:20514
c. end
d. write memory
You can configure system diagnostic settings through the Cisco ISE user interface (Administration >
System > Logging > Logging Categories > System Diagnostics).

7-10 OL-27044-01
A P P E NDIX A
Installing the Cisco SNS-3400 Series
Appliance in a Rack
This appendix describes the safety guidelines, site requirements, and guidelines that you must observe
before installing the Cisco SNS-3400 Series appliances, and also provides instructions on how to rack
mount a Cisco SNS-3400 Series appliance, connect all the cables, power up the appliance, and remove
or replace the server components.
This appendix contains the following sections:
• Unpacking and Inspecting the Server, page A-1
• Safety Guidelines, page A-2
• Installing a Cisco SNS-3400 Series Appliance in a Rack, page A-4
• Connecting and Powering On the Server, page A-7
• Checking the LEDs, page A-8
• Installing or Replacing Server Components, page A-11
Unpacking and Inspecting the Server

This section provides information on how you can prepare your site for safely installing the Cisco
SNS-3400 series appliance.
Caution When handling internal server components, wear an ESD strap and handle modules by the carrier edges
only.
Tip Keep the shipping container in case the server requires shipping in the future.
Note The chassis is thoroughly inspected before shipment. If any damage occurred during transportation or
any items are missing, contact your customer service representative immediately.
To inspect the shipment, follow these steps:
Step 1 Remove the server from its cardboard container and save all packaging material.

OL-27044-01 A-1
Appendix A Installing the Cisco SNS-3400 Series Appliance in a Rack
Safety Guidelines
Step 2 Compare the shipment to the equipment list provided by your customer service representative and
Figure A-1. Verify that you have all items.
Step 3 Check for damage and report any discrepancies or damage to your customer service representative. Have
the following information ready:
• Invoice number of shipper (see the packing slip)
• Model and serial number of the damaged unit
• Description of damage
• Effect of damage on the installation
Figure A-1 Shipping Box Contents
1 2
3 4
U
C -S
C
is e
S
co ri
C
es
331685
1 Server 3 Documentation
2 Power cord (optional, up to two) 4 KVM cable
Safety Guidelines
Note Before you install, operate, or service a Cisco SNS-3400 series appliance, review the Regulatory
Compliance and Safety Information for Cisco SNS 3400 Series Appliance for important safety
information.
Warning IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before
you work on any equipment, be aware of the hazards involved with electrical circuitry and be
familiar with standard practices for preventing accidents. Use the statement number provided at

A-2 OL-27044-01
Safety Guidelines
the end of each warning to locate its translation in the translated safety warnings that
accompanied this device.
Statement 1071
Warning To prevent the system from overheating, do not operate it in an area that exceeds the maximum
recommended ambient temperature of: 40° C (104° F).
Statement 1047
Warning The plug-socket combination must be accessible at all times, because it serves as the main
disconnecting device.
Statement 1019
Warning This product relies on the building’s installation for short-circuit (overcurrent) protection.
Ensure that the protective device is rated not greater than: 250 V, 15 A.
Statement 1005
Warning Installation of the equipment must comply with local and national electrical codes.
Statement 1074
When you are installing a server, use the following guidelines:

• Plan your site configuration and prepare the site before installing the server. See the Cisco UCS Site
Preparation Guide for the recommended site planning tasks.
• Ensure that there is adequate space around the server to allow for servicing the server and for
adequate airflow. The airflow in this server is from front to back.
• Ensure that the air-conditioning meets the thermal requirements listed in the Appendix B, “Cisco
SNS-3400 Series Server Specifications.”
• Ensure that the cabinet or rack meets the requirements listed in the “Rack Requirements” section on
page A-4.
• Ensure that the site power meets the power requirements listed in the Appendix B, “Cisco SNS-3400
Series Server Specifications.” If available, you can use an uninterruptible power supply (UPS) to
protect against power failures.
Caution Avoid UPS types that use ferroresonant technology. These UPS types can become unstable with systems
such as the Cisco SNS 3400 series appliances, which can have substantial current draw fluctuations from
fluctuating data traffic patterns.

OL-27044-01 A-3
Installing a Cisco SNS-3400 Series Appliance in a Rack

This section describes how to mount the ISE 3400 series appliance on a rack and contains the following
topics:
• Rack Requirements, page A-4
• Equipment Requirements, page A-4
• Slide Rail Adjustment Range, page A-4
• Installing the Server In a Rack, page A-4
Rack Requirements
The following are the requirements for standard open racks:
• A standard 19-in. (48.3-cm) wide, four-post EIA rack, with mounting posts that conform to English
universal hole spacing, per section 1 of ANSI/EIA-310-D-1992.
• The rack post holes can be square .38-inch (9.6 mm), round .28-inch (7.1 mm), #12-24 UNC, or
#10-32 UNC when you use the supplied slide rails.
• The minimum vertical rack space per server must be one RU, equal to 1.75 in. (44.45 mm).
Equipment Requirements
The slide rails supplied by Cisco Systems for this server do not require tools for installation. The inner
rails (mounting brackets) are preattached to the sides of the server.
Slide Rail Adjustment Range

The slide rails for this server have an adjustment range of 24 to 36 inches (610 to 914 mm).
Installing the Server In a Rack

This section describes how to install the server in a rack.
Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special
precautions to ensure that the system remains stable. The following guidelines are provided to
ensure your safety:
This unit should be mounted at the bottom of the rack if it is the only unit in the rack.
When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest
component at the bottom of the rack.
If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the
rack. Statement 1006

A-4 OL-27044-01
To install the slide rails and the server into a rack, follow these steps:
Step 1 Open the front securing latch (see Figure A-2). The end of the slide-rail assembly marked “FRONT” has
a spring-loaded securing latch that must be open before you can insert the mounting pegs into the
rack-post holes.
a. On the rear side of the securing-latch assembly, hold open the clip marked “PULL.”
b. Slide the spring-loaded securing latch away from the mounting pegs.
c. Release the clip marked “PULL” to lock the securing latch in the open position.
Figure A-2 Front Securing Latch
332061
1 Clip marked “PULL” on rear of assembly 3 Spring-loaded securing latch on front of
assembly
2 Front mounting pegs
Step 2 Install the slide rails on the rack:

a. Position a slide-rail assembly inside the two left-side rack posts (see Figure A-3).
Use the “FRONT” and “REAR” markings on the slide-rail assembly to orient the assembly correctly
with the front and rear rack posts.
b. Position the front mounting pegs so that they enter the desired front rack-post holes from the front.
Note The mounting pegs that protrude through the rack-post holes are designed to fit round or square holes,
or smaller #10-32 round holes when the mounting peg is compressed. If your rack has #10-32 rack-post
holes, align the mounting pegs with the holes and then compress the spring-loaded pegs to expose the
#10-32 inner peg.
c. Expand the length-adjustment bracket until the rear mounting pegs protrude through the desired
holes in the rear rack post.

OL-27044-01 A-5
Use your finger to hold the rear securing latch open when you insert the rear mounting pegs to their
holes. When you release the latch, it wraps around the rack post and secures the slide-rail assembly.
Figure A-3 Attaching a Slide-Rail Assembly
2 5 6
3
331689
1 Front-left rack post 4 Length-adjustment bracket
2 Front mounting pegs 5 Rear mounting pegs
3 Slide-rail assembly 6 Rear securing latch
d. Attach the second slide-rail assembly to the opposite side of the rack. Ensure that the two slide-rail
assemblies are level and at the same height with each other.
e. Pull the inner slide rails on each assembly out toward the rack front until they hit the internal stops
and lock in place.
Step 3 Insert the server into the slide rails:
Note The inner rails are preattached to the sides of the server at the factory. You can order replacement
inner rails if these are damaged or lost (Cisco PID UCSC-RAIL1-I).
a. Align the inner rails that are preattached to the server sides with the front ends of the empty slide
rails.
b. Push the server into the slide rails until it stops at the internal stops.
c. Push in the plastic release clip on each inner rail (labelled PUSH), and then continue pushing the
server into the rack until the front latches engage the rack posts.
Step 4 Attach the (optional) cable management arm (CMA) to the rear of the slide rails:
Note The CMA is designed for mounting on either the right or left slide rails. These instructions
describe an installation to the rear of the right slide rails, as viewed from the rear of server.
a. Slide the plastic clip on the inner CMA arm over the flange on the mounting bracket that attached
to the side of the server. See Figure A-4.

A-6 OL-27044-01
Connecting and Powering On the Server
Note Whether you are mounting the CMA to the left or right slide rails, be sure to orient the engraved
“UP” marking so that it is always on the upper side of the CMA. See Figure A-4.
b. Slide the plastic clip on the outer CMA arm over the flange on the slide rail. See Figure A-4.
c. Attach the CMA retaining bracket to the left slide rail. Slide the plastic clip on the bracket over the
flange on the end of the left slide rail. See Figure A-4.
Figure A-4 Attaching the Cable Management Arm (Rear of Server Shown)
1 4
7
2
331690
6
1 Flange on rear of outer left slide rail 5 Inner CMA arm attachment clip
2 CMA retaining bracket 6 “UP” orientation marking
3 Flange on rear of right mounting bracket 7 Outer CMA arm attachment clip
4 Flange on rear of outer right slide rail
Step 5 Continue with the “Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance”
section on page 3-9.
Connecting and Powering On the Server

This section describes how to power on the server and assign an IP address to connect to it. The server
is shipped with a default NIC mode called Shared LOM, default NIC redundancy is active-active, and
DHCP is enabled. Shared LOM mode enables the two 1-Gb Ethernet ports to access the Cisco Integrated
Management Interface (CIMC). If you want to use the 1-Gb Ethernet dedicated management port, or a
port on a Cisco UCS P81E Virtual Interface Card (VIC) to access the CIMC, you must first connect to
the server and change the NIC mode as described in Step 3 of the following procedure. In that step, you
can also change the NIC redundancy and set static IP settings.
Use the following procedure to perform the initial setup of the server:

OL-27044-01 A-7
Checking the LEDs
Step 1 Attach a supplied power cord to each power supply in the server and then attach the power cord to a
grounded AC power outlet. See the Power Specifications, page B-2 for power specifications.
Wait for approximately two minutes to let the server boot in standby power during the first bootup.
You can verify the power status by looking at the Power Status LED:
• Off—There is no AC power present in the server.
• Amber—The server is in standby power mode. Power is supplied only to the CIMC and some
motherboard functions.
• Green—The server is in main power mode. Power is supplied to all server components.
Note During bootup, the server beeps once for each USB device that is attached to the server. Even if
there are no external USB devices attached, there is a short beep for each virtual USB device
such as a virtual floppy drive, CD/DVD drive, keyboard, or mouse. A beep is also emitted if a
USB device is hot-plugged or hot-unplugged during BIOS power-on self-test (POST), or while
you are accessing the BIOS Setup utility or the EFI shell.
Step 2 Connect a USB keyboard and VGA monitor by using the supplied KVM cable connected to the KVM
connector on the front panel.
Note Alternatively, you can use the VGA and USB ports on the rear panel. However, you cannot use
the front panel VGA and the rear panel VGA at the same time. If you are connected to one VGA
connector and you then connect a video device to the other connector, the first VGA connector
is disabled.
Checking the LEDs

When the Cisco SNS-3400 series appliances have been started up and are running, observe the state of
the front-panel and rear-panel LEDs. The following topics describe the LED color, its power status,
activity, and other important status indicators that are displayed for the Cisco-SNS 3400 series
appliance:
• Front Panel LEDs and Buttons, page B-2
• Rear Panel LEDs and Buttons, page B-4

A-8 OL-27044-01
Checking the LEDs
Front Panel LEDs and Buttons

Table A-1 Front Panel LED States
LED Name State

Power button/Power status LED • Off—There is no AC power to the server.
• Amber—The server is in standby power mode. Power is supplied only to the CIMC
and some motherboard functions.
• Green—The server is in main power mode. Power is supplied to all server
components.
Identification • Off—The Identification LED is not in use.
• Blue—The Identification LED is activated.
System status • Green—The server is running in a normal operating condition.
• Green, blinking—The server is performing system initialization and memory checks.
• Amber, steady—The server is in a degraded operational state, which may be due to
one of the following:
– Power supply redundancy is lost.
– CPUs are mismatched.
– At least one CPU is faulty.
– At least one DIMM is faulty.
– At least one drive in a RAID configuration failed.
• Amber, blinking—The server is in a critical fault state, which may be due to one of
the following:
– Boot failed.
– Fatal CPU and/or bus error is detected.
– Server is in an over-temperature condition.
Fan status • Green—All fan modules are operating properly.
• Amber, steady—One fan module has failed.
• Amber, blinking—Critical fault, two or more fan modules have failed.
Temperature status • Green—The server is operating at normal temperature.
• Amber, steady—One or more temperature sensors have exceeded a warning
threshold.
• Amber, blinking—One or more temperature sensors have exceeded a critical
threshold.
Power supply status • Green—All power supplies are operating normally.
• Amber, steady—One or more power supplies are in a degraded operational state.
• Amber, blinking—One or more power supplies are in a critical fault state.
Network link activity • Off—The Ethernet link is idle.
• Green—One or more Ethernet LOM ports are link-active, but there is no activity.
• Green, blinking—One or more Ethernet LOM ports are link-active, with activity.

OL-27044-01 A-9
Checking the LEDs
Table A-1 Front Panel LED States (continued)
LED Name State

Hard drive fault • Off—The hard drive is operating properly.
• Amber—The hard drive has failed.
• Amber, blinking—The device is rebuilding.
Hard drive activity • Off—There is no hard drive in the hard drive sled (no access, no fault).
• Green—The hard drive is ready.
• Green, blinking—The hard drive is reading or writing data.
Rear Panel LEDs and Buttons

Table A-2 Rear Panel LED States
LED Name State

Power supply fault • Off—The power supply is operating normally.
• Amber, blinking—An event warning threshold has been reached, but the power
supply continues to operate.
• Amber, solid—A critical fault threshold has been reached, causing the power
supply to shut down (for example, a fan failure or an over-temperature condition).
Power supply AC OK • Off—There is no AC power to the power supply.
• Green, blinking—AC power OK, DC output not enabled.
• Green, solid—AC power OK, DC outputs OK.
1-Gb Ethernet dedicated • Off—link speed is 10 Mbps.
management link speed
• Amber—link speed is 100 Mbps.
• Green—link speed is 1 Gbps.
1-Gb Ethernet dedicated • Off—No link is present.
management link status
• Green—Link is active.
• Green, blinking—Traffic is present on the active link.
1-Gb Ethernet link speed • Off—link speed is 10 Mbps.
• Amber—link speed is 100 Mbps.
• Green—link speed is 1 Gbps.
1-Gb Ethernet link status • Off—No link is present.
• Green—Link is active.
• Green, blinking—Traffic is present on the active link.
Identification • Off—The Identification LED is not in use.
• Blue—The Identification LED is activated.

A-10 OL-27044-01
Installing or Replacing Server Components

Refer to the Cisco UCS C220 Server Installation and Service Guide for information on how to install or
replace the Cisco SNS 3415 or 3495 appliance components.

OL-27044-01 A-11

A-12 OL-27044-01
A P P E NDIX B
Cisco SNS-3400 Series Server Specifications
This appendix lists the technical specifications for the server and includes the following sections:
• Physical Specifications, page B-1
• Environmental Specifications, page B-1
• Power Specifications, page B-2
Physical Specifications
Table B-1 lists the physical specifications for the server.
Table B-1 Cisco SNS-3400 Series Server Physical Specifications
Description Specification
Height 1.7 in. (4.3 cm)
Width 16.9 in. (42.9 cm)
Depth 28.5 in. (72.4 cm)
Weight (fully loaded chassis) 35.6 lb. (16.1 Kg)
Environmental Specifications
Table B-2 lists the environmental specifications for the server.
Table B-2 Cisco SNS-3400 Series Server Environmental Specifications
Temperature, operating 41 to 104°F (5 to 40°C)
Derate the maximum temperature by 1°C per every
305 meters of altitude above sea level.
Temperature, non-operating –40 to 149°F (–40 to 65°C)
Humidity (RH), noncondensing 10 to 90 percent
Altitude, operating 0 to 10,000 feet

OL-27044-01 B-1
Appendix B Cisco SNS-3400 Series Server Specifications
Power Specifications
Table B-2 Cisco SNS-3400 Series Server Environmental Specifications
Altitude, non-operating 0 to 40,000 feet
Sound power level 5.4
Measure A-weighted per ISO7779 LwAd (Bels)
Operation at 73°F (23°C)
Sound pressure level 37
Measure A-weighted per ISO7779 LpAm (dBA)
Operation at 73°F (23°C)
The power specifications for the two power supply options are listed in the following sections:
• 450-Watt Power Supply, page B-2
• 650-Watt Power Supply, page B-2
Note Do not mix power supply types in the server. Both power supplies must be either 450W or 650W.
450-Watt Power Supply

Table B-3 lists the specifications for each 450W power supply (Cisco part number UCSC-PSU-450W).
Table B-3 Cisco SNS-3400 Series Server 450-Watt Power Supply Specifications
AC input voltage range Low range: 100 VAC to 120 VAC
High range: 200 VAC to 240 VAC
AC input frequency Range: 47 to 63 Hz (single phase, 50 to 60Hz nominal)
AC line input current (steady state) 6.0 A peak at 100 VAC
3.0 A peak at 208 VAC
Maximum output power for each power 450 Watts
supply
Power supply output voltage Main power: 12 VDC
Standby power: 12 VDC
650-Watt Power Supply

Table B-4 lists the specifications for each 650W power supply (Cisco part number UCSC-PSU-650W).

B-2 OL-27044-01
Table B-4 Cisco SNS-3400 Series Server 650-Watt Power Supply Specifications
AC input voltage range 90 to 264 VAC (self-ranging, 180 to 264 VAC nominal)
AC input frequency Range: 47 to 63 Hz (single phase, 50 to 60Hz nominal)
AC line input current (steady state) 7.6 A peak at 100 VAC
3.65 A peak at 208 VAC
Maximum output power for each power 650 Watts
supply
Power supply output voltage Main power: 12 VDC
Standby power: 12 VDC

OL-27044-01 B-3

B-4 OL-27044-01
A P P E NDIX C
Cisco SNS-3400 Series Appliance Ports
Reference
This appendix lists the TCP and User Datagram Protocol UDP ports that Cisco ISE uses for intranetwork
communications with external applications and devices.
Table C-1 lists the ports by TCP and UDP port number, identifies the associated feature, service, or
protocol, and describes any specific port-related information that applies to the four Gigabit Ethernet
ports: GbEth0, GbEth1, GbEth2, and GbEth3. The Cisco ISE ports listed in this table must be open on
the corresponding firewall. The ports list provides information that can be useful when configuring a
firewall, creating access control lists (ACLs), and configuring services on a Cisco ISE network.
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• All NICs can be configured with IP addresses.
DNS: tcp-udp/53
NTP: udp/123
HTTPS: tcp/8443 MnT RADIUS Auth: ump/1645,1812
RADIUS Acct: udp/1646,1813
Email/SMS Syslog: udp/20514
Gateways SMTP: tcp/25
Syslog: udp/20514, tcp/1468 IPN
Logging Secure Syslog: tcp/6514
NetFlow: udp/9996
HTTPS; tcp/443
Syslog: udp/20514, tcp/1468
HTTPS: tcp/443 RADIUS Auth: Audp/1645,1812
Secure Syslog: tcp/6514
Syslog: udp/20514, RADIUS Acct: udp/1646,1813
Oracle DB (Secure JDBC): SSH: tcp/22
tcp/1468 RADIUS CoA: dp1700,3799
SMTP: tcp/25 tcp/2484
Secure Syslog: tcp/6514
JGroups: tcp12001
Query Attributes
PSN
PAN HTTPS: tcp/443 LDAP: tcp/389,3268
Syslog: udp/20514, JGroups: tcp12001 SMB:tcp/445
tcp/1468 KDC:tcp/88
Secure Syslog: tcp/6514 KPASS: tcp/464 PIP
SNMP Traps: udp/162 SCEP: tcp/80, tcp/443
NTP: udp/123
RADIUS Auth: udp/1645,1812
RADIUS Acct: udp/1646,1813
GUI: tcp/80,443 Guest: tcp/8443 RADIUS CoA: udp/1700,3799
SSH: tcp/22 Discovery: tcp/8443, tcp/8905 WebAuth: tcp:443,8443 Inter-Node Communications
Update: tcp/443 Sponsor: tcp/8443 Agent Install: tcp/8909 SNMP: udp/161
SNMP: udp/161 NAC Agent: tcp/8905; udp/8905 SNMP Trap: udp/162 Admin(P) - Admin(S): tcp/443,
ERS: tcp/9060 PRA/KA: SWISS udp/8905 NetFlow: udp/9996 tcp/12001(JGroups)
DHCP:udp/67, udp/68
SPAN:tcp/80,8080 Monitor(P) - Monitor(S): tcp/443
Cisco.com Policy - Policy: udp/45588,45990, tcp/7802

Perfigo.com (Node Groups/JGroups)
NADs
Admin/Sponsor Endpoint Inline(P) - Inline(S): udp/694 (Heartbeat)
360294

OL-27044-01 C-1
Appendix C Cisco SNS-3400 Series Appliance Ports Reference
Table C-1 Cisco ISE Services and Ports
Ports on
Cisco ISE Cisco ISE Ports on Gigabit Ports on Gigabit Ports on Gigabit Gigabit
Node Service Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3
Administration Administration • TCP: 22 (Secure Shell Cisco ISE Cisco ISE Cisco ISE
node [SSH] server) management is management is management is
1 restricted to Gigabit restricted to restricted to
• TCP: 80 (HTTP)
Ethernet 0. Gigabit Ethernet 0. Gigabit
• TCP: 4431 (HTTPS) Ethernet 0.
• TCP: 9060 (External
RESTful Services
(ERS) REST API)
Note Port 80 is redirected
to port 443 (not
configurable).
Note Ports 80 and 443

support Admin web
applications and are
enabled by default.
Replication and • TCP: 443 (HTTPS — — —
Synchronization SOAP)
• TCP: 12001 Global
(JGroups - Data
synchronization /
Data replication)
Monitoring • UDP: 161 (SNMP — — —
Query)
Note This port is route
table dependent.

C-2 OL-27044-01
Table C-1 Cisco ISE Services and Ports (continued)
Ports on
Logging • UDP: 20514, TCP: 1468 (Syslog)
(Outbound)
• TCP: 6514 (Secure Syslog)
Note Default ports are configurable for external logging.
• UDP: 162 (SNMP Traps)—

External Identity • TCP: 389, 3268, — — —
Stores and UDP: 389 (LDAP)
Resources
• TCP: 445 (SMB)
• TCP: 88, UDP: 88
(KDC)
• TCP: 464 (KPASS)
• UDP: 123 (NTP)
• TCP: 53, UDP: 53
(DNS)
(Admin user interface
authentication)
Guest Guest account expiry email notification: SMTP: TCP/25

OL-27044-01 C-3
Ports on
Monitoring Administration • TCP: 22 (SSH server) — — —
node
• TCP: 801 (HTTP)
• TCP: 4431 (HTTPS)
Replication and • TCP: 443 (HTTPS • TCP: 1521 - • TCP: 1521 - • TCP: 1521
Synchronization SOAP) Oracle DB Oracle DB - Oracle
Listener Listener DB
• TCP: 1521 - Oracle
Listener
DB Listener
(JGroups - Data
synchronization /
Data replication)
Monitoring • UDP: 161 (SNMP)
table dependent.
• TCP: 6514 (Secure Syslog)
• TCP: 25 (SMTP)
• UDP: 162 (SNMP Traps)
External • TCP: 389, 3268, — — —
Resources UDP: 389 (LDAP)
• TCP: 445 (SMB)
• TCP: 88, UDP: 88
(KDC)
• UDP: 123 (NTP)
• TCP: 53, UDP: 53
(DNS)
authentication)

C-4 OL-27044-01
Ports on
Policy Service Administration • TCP: 22 (SSH server) — — —
node
• TCP: 801 (HTTP)
Replication and • TCP: 443 (HTTPS — — —
Synchronization SOAP)
(JGroups - Data
synchronization /
Data replication)
Clustering (Node • UDP: 45588, 45590 — — —
Group) (Local JGroup)
• TCP: 7802 (Local
JGroup failure
detection)
Monitoring • UDP: 161 (SNMP) — — —
table dependent.
(Outbound) • TCP: 6514 (Secure Syslog)
• UDP: 162 (SNMP Traps)

Session • UDP:1645, 1812 (RADIUS Authentication)
• UDP:1646, 1813 (RADIUS Accounting)
• UDP: 1700 (RADIUS change of authorization Send)
• UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)
Note UDP port 3799 is not configurable.

OL-27044-01 C-5
Ports on
Policy Service External Identity • TCP: 389, 3268, — — —
node Stores and (LDAP)
(continued) Resources
• TCP: 445 (SMB)
• TCP: 88 (KDC)
• UDP: 123 (NTP)
• UDP: 53 (DNS)
authentication and
endpoint authentication)
Web Portal • HTTPS (Interface must be enabled for service in Cisco ISE.)
Services:
• TCP: 8000-8999 (Guest Portal and Client Provisioning. Default port is TCP: 8443.)
- Guest/Web
• TCP: 8000-8999 (Sponsor Portal. Default port is TCP: 8443.)
Auth
• TCP: 8000-8999 (My Devices Portal. Default port is TCP: 8443.)
- Guest Sponsor
portal • TCP: 8000-8999 (Blacklist Portal. Default port is TCP: 8444.)
- My Devices • TCP: 25 (SMTP Notification)
portal
- Client
Provisioning
- BlackListing
portal

C-6 OL-27044-01
Ports on
Policy Service Posture • TCP: 80 (HTTP) Discovery - Client side
node
- Discovery • TCP: 8905 (HTTPS) Discovery - Client side
(continued)
- Provisioning Note By default, TCP: 80 is redirected to TCP: 8443. See Web Portal Services: Guest
- Assessment/ Portal and Client Provisioning.
Heartbeat
• TCP: 8443, 8905 (HTTPS) Discovery - Policy Service node side
• URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client
Provisioning.
• Active-X and Java Applet Install including IP refresh, Web Agent install, and
launch NAC Agent install—Provisioning: See Web Portal Services: Guest Portal
and Client Provisioning
• TCP: 8443 Provisioning: NAC Agent Install
• UDP: 8905 (SWISS) Provisioning: NAC Agent update notification
• TCP: 8905 (HTTPS) Provisioning: NAC Agent and other package/module updates
• TCP: 8905 (HTTPS) Assessment: Posture Negotiation and Agent Reports
• UDP: 8905 (SWISS) Assessment: PRA/Keep-alive
Bring Your Own • URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client
Device (BYOD) / Provisioning
Network Service
• Active-X and Java Applet Install (includes the launch of Wizard
Protocol
Install)—Provisioning. See Web Portal Services: Guest Portal and Client
- Redirection Provisioning
- Provisioning • TCP: 8443 Provisioning: Wizard Install from Cisco ISE (Windows and Mac OS)
- SCEP • TCP: 443 Provisioning: Wizard Install from Google Play (Android)
• TCP: 8905 Provisioning: Supplicant Provisioning Process
• TCP: 80 or TCP: 443 SCEP Proxy to CA (Based on SCEP RA URL config)
Mobile Device • URL Redirection—See Web Portal Services: Guest Portal and Client Provisioning
Management
• API—Vendor-specific
(MDM) API
Integration • Agent Install and Device Registration—Vendor-specific

OL-27044-01 C-7
Ports on
Policy Service Profiling • UDP: 9996 (NetFlow)
node
Note This port is configurable.
(continued)
• UDP: 67 (DHCP)
• UDP: 68 (DHCP SPAN)

• TCP: 80, 8080 (HTTP)
• NMAP uses ports 0-655352 (outbound).
• UDP: 53 (DNS lookup)
Note This port is route table dependent.
• UDP: 161 (SNMP Query)

Note This port is route table dependent.
• UDP: 162 (SNMP Trap)

Inline Posture Administration • TCP: 22 (SSH server) — — —
node
Note TCP: 8443 is used
by the
Administration
node.
Inline Posture • UDP: 1645, 1812 • UDP: 1645, — —
(RADIUS proxy for 1812 (RADIUS
authentication) proxy for
authentication)
• UDP: 1646, 1813
(RADIUS proxy for • UDP: 1646,
accounting) 1813 (RADIUS
proxy for
• UDP: 1700, 3799
accounting)
(RADIUS CoA)
• RADIUS CoA:
Note UDP port 3799 is
Not Applicable
not configurable.
• TCP: 9090
• TCP: 9090 (Redirect) (Redirect)
Logging • UDP: 20154 (Syslog) • UDP: 20154 — —
(Syslog)
Note This port is
configurable. Note This port is
configurable.
Note Inline Posture node High Availability does not apply to any other Cisco ISE node types.

C-8 OL-27044-01
Ports on
Inline Posture High Availability — — UDP: 694 UDP: 694
node (Heartbeat) (Heartbeat)
(continued)
1. Because Inline Posture nodes do not support the Administration persona, they will not have access to this port.
2. NMAP OS Scan uses ports 0.65535 to detect endpoint operating system
Ports to be Used for OCSP and CRL

For the Online Certificate Status Protocol services (OCSP) and the Certificate Revocation List (CRL),
the ports are dependent on the CA Server or service hosting OCSP/CRL although the Cisco ISE Services
and ports table above lists basic ports that are used in Cisco ISE.
For the OCSP, the default ports that can be used are TCP 80/ TCP 443. Cisco ISE admin portal expects
http-based URL for OCSP services, and so, TCP 80 would be the default. You can also use non-default
ports.
For the CRL, the default protocols include HTTP, HTTPS, and LDAP and the default ports would
naturally be 80, 443, and 389 respectively. The actual port is contingent on the CRL server.
For more information, see OCSP Services and Certificate Store Edit Settings

OL-27044-01 C-9

C-10 OL-27044-01
A P P E NDIX D
Cisco ISE Licenses
This chapter describes the licensing mechanism and schemes that are available for Cisco ISE and how
to add and upgrade licensees.
• Cisco ISE Licensing, page D-1
• Obtaining a Cisco ISE License from Cisco.com, page D-3
• Adding or Upgrading a License, page D-5
• Removing a License, page D-5
Cisco ISE Licensing

Cisco ISE licensing provides the ability to manage the application features and access, such as the
number of concurrent endpoints that can use Cisco ISE network resources.
To help you select the features you want, licensing in Cisco ISE is granular. Cisco offers multiple license
packages, such as Base, Plus, and Advanced.
Table D-1 Cisco ISE License Packages
Perpetual or ISE Functionality

License Package Subscription Covered Notes
Base Perpetual • Basic network
access: AAA,
IEEE-802.1X
• Guest management
• Link encryption
(MACSec)
Plus Subscription (1, 3, or 5 • Bring Your Own Does not include Base
years) Device (BYOD) services. A Base license
is required for each Plus
• Profiling
license.
• Endpoint Protection
Service (EPS)
• TrustSec SGT

OL-27044-01 D-1
Appendix D Cisco ISE Licenses
Cisco ISE Licensing
Table D-1 Cisco ISE License Packages
Perpetual or ISE Functionality

License Package Subscription Covered Notes
Advanced Subscription (1, 3, or 5 • Bring Your Own Does not include Base
years) Device (BYOD) services. A Base license
is required for each
• Profiling
Advanced license. The
• Endpoint Protection Advanced license
Service (EPS) includes all the
• TrustSec SGT functionality of Plus
license.
• Mobile Device
Manager (MDM)
• Health Compliance
and Remediation
• Posture
Wireless Subscription (1, 3, or 5 A Wireless license turns Cannot coexist on a
years) on the functionality of Cisco Administration
Base and Advanced node with Base, Plus, or
licenses for wireless Advanced Licenses.
LAN deployments.
Wireless Upgrade Subscription (1, 3, or 5 A Wireless Upgrade You can only install a
years) license turns on the Wireless Upgrade
functionality of Base and License on top of an
Advanced licenses for all existing Wireless license.
wireless and
non-wireless
client-access methods,
including wired and VPN
Concentrator access.
Evaluation Temporary (90 days) Full Cisco ISE Limited use of Cisco ISE
functionality is provided product for pre-sale
for 100 endpoints. customer evaluations. All
Cisco ISE appliances are
supplied with an
Evaluation license.
All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE
services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints
on the network, you must obtain and register Base licenses for the number of concurrent users on your
system. If you require additional functionality, you will need Plus or Advanced licenses to enable that
functionality.
After you install the Cisco ISE software and initially configure the appliance as the primary
Administration node, you must obtain a license for Cisco ISE and then register that license.
Cisco ISE supports licenses with two hardware IDs. You can obtain a license based on the hardware IDs
of both the primary and secondary Administration nodes. You register all licenses to the Cisco ISE
primary Administration node via the primary and secondary Administration node hardware ID. The
primary Administration node then centrally manages all the licenses that are registered for your
deployment.

D-2 OL-27044-01
Obtaining a Cisco ISE License from Cisco.com
Note You always require a Base license. However, you do not need a Plus license in order to have an Advanced
license or vice versa.
Cisco recommends installing the Base, Plus, and Advanced Licenses at the same time.
• When you install a Base License over a default Evaluation License, the Base License overrides only
the base license-related portion of the Evaluation License and keeps the Plus and Advanced License
capabilities available for the remainder of the default Evaluation License duration.
• You cannot upgrade the Evaluation License to a Plus or Advanced License without first installing
the Base License.
• When you install a Wireless License over a default Evaluation License, the Wireless License
overrides the Evaluation License parameters with the specific duration and user count associated
with the Wireless License.
License Count
A Cisco ISE user consumes a license during an active session. Once the sessions has ended, ISE releases
the license for reuse by another user.
The Cisco ISE license is counted as follows:
• A Base, Plus, or Advanced license is consumed based on the feature that is used.
• An endpoint with multiple network connections can consume more than one license per MAC
address. For example, a laptop connected to wired and also to wireless at the same time. Licenses
for VPN connections are based on the IP address.
• Licenses are counted against concurrent, active sessions. An active session is one for which a
RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
Note Sessions without RADIUS activity are automatically purged from Active Session list every
5 days or if the endpoint is deleted from the system.
To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license
entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on
the network and generate alarms when endpoint counts exceed the licensed amounts:
• 80% Info
• 90% Warning
• 100% Critical

To continue to use Cisco ISE services after the 90-day Evaluation License expires, and to support more
than 100 concurrent endpoints on the network, you must install a Base, Plus, Advanced, or Wireless
license package for Cisco ISE. License files are based on a combination of the Cisco ISE hardware ID
and Product Authorization Key (PAK). When you purchase Cisco ISE, or before the 90-day license
expires, you can research the licensing options on Cisco.com and order the package that is suitable for
your deployment of Cisco ISE.

OL-27044-01 D-3
Licenses are centrally managed by the Administration node. If you have two Administration nodes
deployed in a high-availability pair, obtain a license based on the hardware IDs (UIDs) of both the
primary and secondary Administration nodes. After you obtain the license, add it only to the primary
Administration node. The license gets replicated to the secondary Administration node.
Within an hour of ordering your license files from Cisco.com, you should receive an e-mail with the
Cisco Supplemental End-User License Agreement and a Claim Certificate containing a PAK for each
license that you order. After receiving the Claim Certificate, you can log in and access the Cisco Product
License Registration website at http://www.cisco.com/go/license and provide the appropriate hardware
ID information and PAK to generate your license.
You must supply the following specific information to generate your license file:
• Product identifier (PID) of both the primary and secondary Administration nodes
• Version identifier (VID)
• Serial number (SN)
• PAK
See the Cisco Identity Services Engine Licensing Note for more details.
The day after you submit your license information in the Cisco Product License Registration website,
you will receive an e-mail with your license file as an attachment. Save the license file to a known
location on a local machine and use the instructions in Adding or Upgrading a License, page D-5 to add
and update any product licenses for Cisco ISE.
For detailed information and license part numbers that are available for Cisco ISE, including licensing
options for new installations as well as migration from an existing Cisco security product like Cisco
Secure Access Control Server, see the Cisco Identity Services Engine Ordering Guidelines at http://
www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html.
Related Topics
• Determining Your Hardware ID Using the CLI, page D-4
• Determining Your Hardware ID Using the Admin Portal, page D-4
Determining Your Hardware ID Using the CLI

Cisco ISE licenses are generated based on the Administration node hardware ID, not the MAC address.
To determine the Hardware ID, access the Cisco ISE direct-console CLI and enter the show inventory
command. The output includes a line showing the PID, VID, and SN, similar to the following:
PID: NAC3315, VID: V01, SN: ABCDEFG
Determining Your Hardware ID Using the Admin Portal

Cisco ISE licenses are generated based on the Administration node hardware ID, not the MAC address.
If your current license has not expired, you can view the Administration node hardware ID by
completing the following steps:
Step 1 From the Cisco ISE Administration interface, choose Administration > System > Licensing.
Step 2 In the License Operations navigation pane, click Current Licenses.

D-4 OL-27044-01
Adding or Upgrading a License
Step 3 Select the button corresponding to the Cisco ISE node that you want to check for the Administration
node hardware ID, and click Administration Node to view the PID, VID, and SN.
Adding or Upgrading a License

You can add a license only on a standalone or a primary Administration node. You can upgrade your
existing Evaluation License on or before the expiration of the 90-day evaluation period. You have two
options for upgrading or replacing your Evaluation License:
• Install a Base license and then choose whether to also install a Plus or Advanced license
• Install a Wireless license
A single endpoint with multiple network connections may consume more than one Base, Plus, or
Advanced License. This situation can occur, for example, if an endpoint has both a wired and a wireless
network connection. Each unique authenticated connection will require its own license.
Before You Begin

Make sure that you have obtained and installed an appropriate license on your Cisco ISE node. See
Obtaining a Cisco ISE License from Cisco.com, page D-3 for more information.
Step 1 From the Cisco ISE Administration interface, choose Administration > System > Licensing > Current
Licenses.
Step 2 Click the radio button next to the license name that you want to upgrade, and click Edit.
Step 3 Click Add Services.
Step 4 Click Browse and select the Licence file.
Step 5 Click Import to import the new license file that supports the added service.
Step 6 Go back to the Current Licenses page to verify the addition of the upgraded license. For further
confirmation, check the features of the respective services for which the license has been upgraded.
Note The Current Licenses page displays the number of installed Plus and Advanced licenses in a combined
Advance/Plus Counter. For example, if you have installed 500 Plus licenses and 1000 Advanced licenses,
the Advance/Plus Counter displays 1500.
Related Topics
• Removing a License, page D-5
Removing a License
You can remove individual Base, Plus, Advanced, and Wireless licenses, but keep in mind the following
conditions:
• If the Plus or Advanced license count is greater than the Base license count, then the Base license
cannot be deleted.

OL-27044-01 D-5
Removing a License
• If you install a combined license, all related installations in the Base and Advanced packages are
also removed.
• If you remove a production-level license within the standard 90-day evaluation period, the
Evaluation License is automatically restored after you remove the production license.
• You cannot remove Evaluation Licenses.
Before You Begin

If you have installed a Wireless Upgrade license after a Wireless license, you must remove the Wireless
Upgrade license before you can remove the underlying Wireless license.
Step 1 Choose Administration > System > Licensing > Current Licenses.
Step 2 Click the radio button next to the relevant node name, and click Edit.
Step 3 Click the radio button next to the license name that you want to delete and click Remove.
Step 4 Click OK.

D-6 OL-27044-01
A P P E NDIX E
Certificate Management in Cisco ISE
Certificates are used in a network to provide secure access. Certificates are used to identify Cisco ISE
to an endpoint and also to secure the communication between that endpoint and the Cisco ISE node.
Certificates are used for all HTTPS communication and the Extensible Authentication Protocol (EAP)
communication.
HTTPS Communication Using the Cisco ISE Certificate

All Cisco ISE web portals from release 1.1.0 onwards are secured using the HTTPS (TLS-encrypted
HTTP communication) protocol:
• Administration Portal
• Centralized Web Authentication Portal
• Sponsor Portal
• Client Provisioning Portal
• My Devices Portal
Figure E-1 shows an TLS-encrypted process when communicating with the Admin portal.
Figure E-1 HTTPS (TLS-Encrypted HTTP Communication)

OL-27044-01 E-1
Appendix E Certificate Management in Cisco ISE
EAP Communication Using the Cisco ISE Certificate
EAP Communication Using the Cisco ISE Certificate

Certificates are used with almost all EAP methods. The following EAP methods are commonly used:
• EAP-TLS
• PEAP
• EAP-FAST
For tunneled EAP methods, such as PEAP and FAST, Transport Layer Security (TLS) is used to secure
the credential exchange. Similar to a request to a HTTPS web site, the client establishes a connection
with the server. The server presents its certificate to the client. If the client trusts the certificate, the TLS
tunnel is formed. The client’s credentials are not sent to the server until after the tunnel is established,
thereby ensuring a secure exchange. In a secure access deployment, the client is a supplicant, and the
server is an ISE Policy Service node. Figure E-2 shows an example using PEAP.
Figure E-2 EAP Communication
Certificates Enable Cisco ISE to Provide Secure Access

The Cisco Identity Services Engine (ISE) relies on public key infrastructure (PKI) to provide secure
communication with both endpoints and administrators, as well as between Cisco ISE nodes in a
multinode deployment. PKI relies on X.509 digital certificates to transfer public keys for encryption and
decryption of messages, and to verify the authenticity of other certificates representing users and
devices. Cisco ISE provides the Admin Portal to manage the following two categories of X.509
certificates:
• Local certificates—These are server certificates that identify a Cisco ISE node to client applications.
Every Cisco ISE node has its own local certificates, each of which are stored on the node along with
the corresponding private key.
• Certificate Store certificates—These are certificate authority (CA) certificates used to establish trust
for the public keys received from users and devices. The Certificate Store also contains certificates
that are distributed by the Simple Certificate Enrollment Protocol (SCEP), which enables
registration of mobile devices into the enterprise network. Certificates in the Certificate Store are
managed on the primary Administration node, and are automatically replicated to all other nodes in
an Cisco ISE deployment.

E-2 OL-27044-01
Enabling PKI in Cisco ISE
In a distributed deployment, you must import the certificate only in to the certificate trust list (CTL) of
the primary Administration node. The certificate gets replicated to the secondary nodes.
In general, to ensure certificate authentication in Cisco ISE is not impacted by minor differences in
certificate-driven verification functions, use lower case hostnames for all Cisco ISE nodes deployed in
a network.
Enabling PKI in Cisco ISE

You should enable PKI in Cisco ISE in the following way:
Step 1 Establish local certificates on each deployment node for TLS-enabled authentication protocols (for
example, EAP-TLS protocol), and for HTTPS, which is used by browser and REST clients to access the
Cisco ISE web portals.
By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for both purposes.
In a typical enterprise environment, this certificate is replaced with one or two server certificates that are
signed by a trusted CA.
Step 2 Populate the Certificate Store with the CA certificates that are necessary to establish trust with the user
as well as device certificates that will be presented to Cisco ISE.
If a certificate chain consisting of a root CA certificate plus one or more intermediate CA certificates is
required to validate the authenticity of a user or device certificate, you must import the entire chain into
the Certificate Store.
Related Topics
• See Local Certificates, page E-4 for details on how to generate a Certificate Signing Request and
import a CA-signed certificate.
• See Certificate Store, page E-24 for details on how to import these certificate chains.
The Cisco ISE nodes use HTTPS for inter-node communication, so an administrator must populate the
Certificate Store with the trust certificate(s) needed to validate the HTTPS local certificate belonging to
each node in the Cisco ISE deployment. If a default self-signed certificate is used for HTTPS, then you
must export this certificate from each Cisco ISE node and import it into the certificate store. If you
replace the self-signed certificates with CA-signed certificates, it is only necessary to populate the
Certificate Store with the appropriate root CA and intermediate CA certificates. Be aware that you
cannot register a node in a Cisco ISE deployment until you complete this step.
If a Cisco ISE deployment is to be operated in FIPS mode, you must ensure that all local and certificate
store certificates are FIPS-compliant. This means that each certificate must have a minimum key size of
2048 bytes, and use SHA-1 or SHA-256 encryption.
Note After you obtain a backup from a standalone Cisco ISE or primary Administration node, if you change
the certificate configuration on one or more nodes in your deployment, you must obtain another backup
to restore data. Otherwise, if you try to restore data using the older backup, communication between the
nodes might fail.

OL-27044-01 E-3
Local Certificates
This chapter contains the following sections:

• Local Certificates, page E-4
• Certificate Signing Requests, page E-23
• Certificate Store, page E-24
• Simple Certificate Enrollment Protocol Profiles, page E-29
• OCSP Services, page E-30
Local Certificates
Cisco ISE local certificates are server certificates that identify a Cisco ISE node to client applications.
Local certificates are:
• Used by browser and REST clients who connect to Cisco ISE web portals. You must use HTTPS
protocol for these connections.
• Used to form the outer TLS tunnel with PEAP and EAP-FAST. These certificates can be used for
mutual authentication with EAP-TLS, PEAP, and EAP-FAST.
You must install valid local certificates for HTTPS and EAP-TLS on each node in your Cisco ISE
deployment. By default, a self-signed certificate is created on a Cisco ISE node during installation time,
and this certificate is designated for HTTPS and EAP-TLS use (it has a key length of 1024 and is valid
for one year). It is recommended that you replace the self-signed certificate with a CA-signed certificate
for greater security.
Wildcard Certificates
A wildcard certificate uses a wildcard notation (an asterisk and period before the domain name) and
allows the certificate to be shared across multiple hosts in an organization. For example, the CN value
for the Certificate Subject would be some generic hostname such as aaa.ise.local and the SAN field
would include the same generic hostname and the wildcard notation such as DNS.1=aaa.ise.local and
DNS.2=*.ise.local
If you configure a wildcard certificate to use *.ise.local, you can use the same certificate to secure any
other host whose DNS name ends with “.ise.local,” such as:
• aaa.ise.local
• psn.ise.local
• mydevices.ise.local
• sponsor.ise.local
Figure E-3 shows an example of a wildcard certificate that is used to secure a web site.

E-4 OL-27044-01
Local Certificates
Figure E-3 Wildcard Certificate Example
Wildcard certificates secure communications in the same way as a regular certificate, and requests are
processed using the same validation methods.
Related Topics
• Wildcard Certificates for HTTPS and EAP Communication, page E-5
• Wildcard Certificate Support in Cisco ISE, Release 1.2, page E-6
• Fully Qualified Domain Name in URL Redirection, page E-6
• Wildcard Certificate Compatibility, page E-8
• Creating a Wildcard Certificate, page E-8
• Installing Wildcard Certificates in Cisco ISE, page E-10
Wildcard Certificates for HTTPS and EAP Communication

You can use wildcard server certificates in Cisco ISE for HTTPS (web-based services) and EAP
protocols that use SSL/TLS tunneling. With the use of wildcard certificates, you no longer have to
generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN
field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field
allows you to share a single certificate across multiple nodes in a deployment and helps prevent
certificate name mismatch warnings. However, use of wildcard certificates is considered less secure than
assigning a unique server certificate for each Cisco ISE node.

OL-27044-01 E-5
Local Certificates
Note If you use wildcard certificates, we strongly recommend that you partition your domain space for greater
security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do
not partition your domain, it can lead to serious security issues.
Wildcard certificate uses an asterisk (*) and a period before the domain name. For example, the CN value
for a certificate’s Subject Name would be a generic host name such as aaa.ise.local and the SAN field
would have the wildcard character such as *.ise.local. Cisco ISE supports wildcard certifications in
which the wildcard character (*) is the left most character in the presented identifier. For example,
*.example.com or *.ind.example.com. Cisco ISE does not support certificates in which the presented
identifier contains additional characters along with the wildcard character. For example,
abc*.example.com or a*b.example.com or *abc.example.com.
Wildcard Certificate Support in Cisco ISE, Release 1.2

Cisco ISE release 1.2 supports wildcard certificates. Prior to release 1.2, Cisco ISE verifies any
certificate enabled for HTTPS to ensure the CN field matches the Fully Qualified Domain Name (FQDN)
of the host exactly. If the fields did not match, the certificate could not be used for HTTPS
communication.
Prior to release 1.2, Cisco ISE uses that CN value to replace the variable in the url-redirect A-V pair
string. For all Centralized Web Authentication (CWA), onboarding, posture redirection, and so on, the
CN value is used.
Cisco ISE 1.2 uses the hostname as the CN instead of relying on the CN field.
Fully Qualified Domain Name in URL Redirection

When Cisco ISE builds an authorization profile redirect (for central web authentication, device
registration web authentication, native supplicant provisioning, mobile device management, and client
provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:
url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For
example, SessionIdValue is replaced with the actual session ID of the request. For eth0 interface, Cisco
ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco
ISE uses the IP address in the URL. You can assign a host alias(name) for interfaces eth1 through eth3,
which Cisco ISE can then substitute in place of IP address during URL redirection. To do this, you can
use the ip host command in the configuration mode from the Cisco ISE CLI:
ISE /admin(config)# ip host IP_address host-alias FQDN-string
where IP_address is the IP address of the network interface (eth1 or eth2 or eth3)
host-alias is the name that you assign to the network interface
FQDN-string is the fully qualified domain name of the network interface
Using this command, you can assign a host-alias or an FQDN-string or both to a network interface.
Here is an example:
ISE/admin(config)# ip host a.b.c.d sales sales.amer.xyz.com
After you assign a host alias to the non-eth0 interface, you must restart the application services on Cisco
ISE using the application start ise command.

E-6 OL-27044-01
Local Certificates
Use the no form of this command to remove the association of the host alias with the network interface:
ISE/admin(config)# no ip-host IP_address host-alias FQDN-string
Use the show running-config command to view the host alias definitions.
If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you
provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to
form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a
network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.
When you make use of non-eth0 interfaces for client provisioning or native supplicant or guest flows,
you have to make sure that the IP address or host alias for non-eth0 interfaces should be configured
appropriately in the Policy Service node certificate's SAN fields.
Advantages of Using Wildcard Certificates

• Cost savings. Certificates signed by a third party Certificate Authority is expensive, especially as
the number of servers increase. Wildcard certificates may be used on multiple nodes in the Cisco
ISE deployment.
• Operational efficiency. Wildcard certificates allow all Policy Service Node (PSN) EAP and web
services to share the same certificate. In addition to significant cost savings, certificate
administration is also simplified by creating the certificate once and applying it on all the PSNs.
• Reduced authentication errors. Wildcard certificates address issues seen with Apple iOS devices
where the client stores trusted certificates within the profile, and does not follow the iOS keychain
where the signing root is trusted. When an iOS client first communicates with a PSN, it does not
explicitly trust the PSN certificate, even though a trusted Certificate Authority has signed the
certificate. Using a wildcard certificate, the certificate will be the same across all PSNs, so the user
only has to accept the certificate once and successive authentications to different PSNs proceed
without error or prompting.
• Simplified supplicant configuration. For example, Microsoft Windows supplicant with
PEAP-MSCHAPv2 and server certificate trust enabled requires that you specify each of the server
certificate to trust, or the user may be prompted to trust each PSN certificate when the client
connects using a different PSN. With wildcard certificates, a single server certificate can be trusted
rather than individual certificates from each PSN.
• Wildcard certificates result in an improved user experience with less prompting and more seamless
connectivity.
Disadvantages of Using Wildcard Certificates

The following are some of the security considerations related to wildcard certificates:
• Loss of auditability and nonrepudiation
• Increased exposure of the private key
• Not common or understood by administrators
Wildcard certificates are considered less secure than a unique server certificate per ISE node. But, cost
and other operational factors outweigh the security risk.
Security devices such as ASA also support wildcard certificates.

OL-27044-01 E-7
Local Certificates
You must be careful when deploying wildcard certificates. For example, if you create a certificate with
*.company.local and an attacker is able to recover the private key, that attacker can spoof any server in
the company.local domain. Therefore, it is considered a best practice to partition the domain space to
avoid this type of compromise.
To address this possible issue and to limit the scope of use, wildcard certificates may also be used to
secure a specific subdomain of your organization. Add an asterisk (*) in the subdomain area of the
common name where you want to specify the wildcard.
For example, if you configure a wildcard certificate for *.ise.company.local, that certificate may be used
to secure any host whose DNS name ends in “.ise.company.local”, such as:
• psn.ise.company.local
• mydevices.ise.company.local
• sponsor.ise.company.local
Wildcard Certificate Compatibility

Wildcard certificates are usually created with the wildcard listed as the Common Name (CN) of the
Certificate Subject, such as the example in Figure E-3. Cisco ISE release 1.2 supports this type of
construction. However, not all endpoint supplicants support the wildcard character in the Certificate
Subject.
All Microsoft native supplicants tested (including Windows Mobile) do not support wildcard character
in the Certificate Subject.
You can use another supplicant, such as Cisco AnyConnect Network Access Manager (NAM) that might
allow the use of wildcard character in the Subject field.
You can also use special wildcard certificates such as DigiCert's Wildcard Plus that is designed to work
with incompatible devices by including specific subdomains in the Subject Alternative Name of the
certificate.
Although the Microsoft supplicant limitation appears to be a deterrent to using wildcard certificates,
there are alternative ways to create the wildcard certificate that allow it to work with all devices tested
for secure access, including the Microsoft native supplicants.
To do this, instead of using the wildcard character in the Subject, you must use the wildcard character in
the Subject Alterative Name (SAN) field instead. The SAN field maintains an extension designed for
checking the domain name (DNS name). See RFCs 6125 and 2128 for more information.
For more information on Microsoft support of wildcard certificates, see:
http://technet.microsoft.com/en-US/cc730460
Creating a Wildcard Certificate

This section describes how to create a wildcard certificate. This procedure would work for most SSL
certificate providers.
However, if your SSL certificate provider does not support wildcard values in the SAN field of the
certificate, then you must populate the certificate SAN with the FQDN of each ISE node and interface
(per the alias specified using the ip host command). This certificate is known as a multi-domain
certificate. FQDNs for specific service aliases such as those used for the My Devices and Sponsor portals
should also be included in the certificate SAN. Some services such as Local Web Authentication to the

E-8 OL-27044-01
Local Certificates
ISE Admin portal, Sponsor portal, and the My Devices portal can use a load balancer. In these cases, the
FQDN assigned to the virtual IP address of the load-balanced service should be included in the SAN
field of the certificate.
Note It is possible to have separate certificates for HTTPS and EAP authentication. The certificate designated
for HTTPS is used to secure inter-node communications and all web portal services including Central
Web Authentication, DRW, Posture Discovery and Assessment, Mobile Device Management, Native
Supplicant Provisioning, Sponsor, and My Devices portals. The certificate designated for EAP is used
to secure all client authentication using EAP protocols including PEAP, EAP-TLS, and EAP-FAST.
For example, if you have an ISE deployment with two PSN nodes (psn1 and psn2 with eth0, eth1, and
eth2 interfaces enabled) and you want to create a multi-domain certificate without wildcards, then your
values would be:
CN=aaa.company.local (FQDN of an ISE node in the deployment)
SAN=DNS.1=aaa.company.local, DNS.2=psn1.company.local, DNS.3=psn2.company.local,
DNS.4=psn1-e1.company.local, DNS.5=psn2-e1.company.local, DNS.6=psn1-e2.company.local,
DNS.7=psn2-e2.company.local.
Tip If you are planning to deploy additional Policy Service nodes in the future, then you can add
additional DNS name entries in the SAN field so that you can reuse the same certificate at the time
of deploying the new nodes.
For cases where an IP address needs to be specified in the SAN field of the certificate (for example, DMZ
with a static IP address for URL re-direction), ensure that you specify the IP address of the policy service
node as the DNS Name and IP Address in the SAN field of the certificate. For example, CN=psn.ise.local
and SAN=DNS.1=psn.ise.local, DNS.2=*.ise.local, DNS.3=10.1.1.20, IP.1=10.1.1.20.
Before You Begin

For Microsoft native supplicants, use the wildcard character in the SAN field of the certificate.
Step 1 Enter a generic hostname for the CN field of the Subject. For example, CN=aaa.ise.local.
Step 2 Enter the same generic hostname and a wildcard notation in the SAN field of the certificate. For example,
DNS Name=aaa.ise.local, DNS Name=*.ise.local. See Figure E-3.
This method is successful with the majority of the tested public Certificate Authorities such as
Comodo.com and SSL.com. With these public CAs, you must request a “Unified Communications
Certificate (UCC).”
What To Do Next
Import the wildcard certificates in to the Policy Service nodes.
Related Topics
Installing Wildcard Certificates in Cisco ISE, page E-10

OL-27044-01 E-9
Local Certificates
Installing Wildcard Certificates in Cisco ISE

Before You Begin
If you have enabled non-eth0 interfaces, ensure that you map a host alias to that interface using the ip
host command from the CLI. See Fully Qualified Domain Name in URL Redirection for more
information.
To install wildcard certificates, you must perform the following tasks:
Step 1 Create the Certificate Signing Request for Wildcard Certificates. See Creating a Certificate Signing
Request for Wildcard Certificates, page E-10.
Step 2 Export the Certificate Signing Request. See Exporting the Certificate Signing Request, page E-11.
Step 3 Submit the Certificate Signing Request to a Certificate Authority. See Submitting the CSR to a
Certificate Authority, page E-11.
Step 4 Import the Root Certificates to the Certificate Store. See Importing the Root Certificates to the
Certificate Store, page E-12.
Step 5 Bind the Certificate Signing Request with the new public certificate. See Binding the CSR With the New
Public Certificate, page E-13.
Step 6 Export the CA-Signed Certificate and Private Key. See Exporting the CA-Signed Certificate and Private
Key, page E-13.
Step 7 Import the CA-Signed Certificate and Private Key in to all the Policy Service nodes. See Importing the
CA-Signed Certificate to the Policy Service Nodes, page E-13.
Creating a Certificate Signing Request for Wildcard Certificates
Step 1 Choose Administration > Certificates > Local Certificates.

Step 2 Click Add > Generate Certificate Signing Request.
Step 3 In the Certificate Subject, enter the generic FQDN of any one of your Policy Service nodes. For example,
CN=psn.ise.local.
Step 4 Enter two values for the SAN. One of the values must be same as the CN that you entered for the
Certificate Subject. The other value is the wildcard notation. For example, DNS name=psn.ise.local,
DNS name=*.ise.local.
Step 5 Check the Allow Wildcard Certificates check box.

E-10 OL-27044-01
Local Certificates
Figure E-4 Certificate Signing Request Using a Wildcard Notation
Step 6 Click Submit.
Exporting the Certificate Signing Request
Step 1 Choose Administration > Certificates > Certificate Signing Requests.

Step 2 Check the check box next to the CSR that you generated. For example, psn.ise.local.
Step 3 Click Export.
Step 4 Save the CSR to your local system.
Submitting the CSR to a Certificate Authority
Step 1 Open the CSR in a text editor such as Notepad.

Step 2 Copy all the text from “-----BEGIN CERTIFICATE REQUEST-----” through “-----END CERTIFICATE
REQUEST-----.”
Step 3 Paste the contents of the CSR in to the certificate request of a chosen CA. See Figure E-5.

OL-27044-01 E-11
Local Certificates
Figure E-5 CSR Content in a Certificate Request Form - Active Directory CA
Step 4 Download the signed certificate.

Some CAs might email the signed certificate to you. The signed certificate is in the form of a zip file
that contains the newly issued certificate and the public signing certificates of the CA that you must add
to the Cisco ISE trusted certificate store. See Figure E-6.
Figure E-6 Certificates Returned By the CA
Importing the Root Certificates to the Certificate Store

Before You Begin
Before we bind the newly signed certificate to the CSR on Cisco ISE, ensure that the signing root
certificates exist in the Cisco ISE Certificate Store.
Step 1 Choose Administration > Certificates > Certificate Store.

E-12 OL-27044-01
Local Certificates
Step 2 Click Import.

Step 3 Choose the root certificates returned by your CA.
Binding the CSR With the New Public Certificate

Step 2 Click Add > Bind CA signed Certificate.
Step 3 Choose the CA-signed certificate.
Step 4 Check the Allow Wildcard Certificates check box.
Step 5 Choose the protocol.
Exporting the CA-Signed Certificate and Private Key

Step 2 Check the check box next to the CA-signed certificate and click Export.
Step 3 Save the file to your local system.
Importing the CA-Signed Certificate to the Policy Service Nodes
Step 1 Choose Administration > Certificates > Certificate Store.

Step 2 Choose the CA-signed certificate that you exported.
Installing a CA-Signed Certificate in Cisco ISE

The procedure for installing a CA-signed certificate is as follows:
Step 1 In the Cisco ISE administration interface of the node requiring the CA-signed certificate, generate a
Certificate Signing Request (CSR).
Step 2 Export the CSR into a file.
Step 3 Provide the CSR file to the Certificate Authority and request the CA to create and sign a certificate using
the attributes specified in the CSR. The CA should return the certificate in a file.

OL-27044-01 E-13
Local Certificates
Step 4 In the Cisco ISE administration interface of the same node, bind the CA-signed certificate to its private
key, which is kept with the CSR on the node. Designate the certificate for HTTPS and/or EAP-TLS use.
Note If you are going to use the CA-signed certificate for HTTPS, the subject Common Name value specified
for the CSR must match the fully qualified domain name (FQDN) of the Cisco ISE node, or must match
the wildcard domain name specified in the SAN/CN field of the certificate.
Cisco ISE checks for a matching subject name as follows:

1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN
contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco
ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain
in the Cisco ISE node’s FQDN.
2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name
(CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the
certificate must match the FQDN of the node.
3. If no match is found, the certificate is rejected.
Note X.509 certificates imported to Cisco ISE must be in privacy-enhanced mail (PEM) or distinguished
encoding rule (DER) format. Files containing a certificate chain, which is a local certificate along with
the sequence of trust certificates that sign it, can be imported, subject to certain restrictions. See
Importing Certificate Chains, page E-28 for more information.
X.509 certificates are only valid until a specific date. When a local certificate expires, the Cisco ISE
functionality that depends on the certificate is impacted. Cisco ISE will notify you about the pending
expiration of a local certificate when the expiration date is within 90 days. This notification appears in
several ways:
• Colored expiration status icons appear in the Local Certificates page.
• Expiration messages appear in the Cisco ISE System Diagnostic report.
• Expiration alarms are generated at 90 days, 60 days, and every day in the final 30 days before
expiration.
If the expiring certificate is a self-signed certificate, you can extend its expiration date by editing the
certificate. For a CA-signed certificate, you must allow sufficient time to acquire replacement certificate
from your CA.
You can perform the following tasks from the Cisco ISE administration interface to manage local
certificates:
• View a list of the local certificates stored on an Cisco ISE node. The list shows the protocol
assignment (HTTPS, EAP-TLS) of each certificate, along with its expiration status.
• Generate a CSR
• Export a CSR
• Bind a CA-signed certificate to its private key
• Export a local certificate and, optionally, its private key
• Import a local certificate and its private key

E-14 OL-27044-01
Local Certificates
• Generate a self-signed local certificate

• Edit a local certificate, which includes extending the expiration date if the certificate is self-signed
• Delete a local certificate
• Delete a CSR
This section contains the following topics:
• Viewing Local Certificates, page E-15
• Adding a Local Certificate, page E-16
• Editing a Local Certificate, page E-21
• Exporting a Local Certificate, page E-22
Related Topics
• Wildcard Certificates, page E-4
• Fully Qualified Domain Name in URL Redirection, page E-6
• Importing a Local Certificate, page E-16
• Generating a Certificate Signing Request, page E-19
• Binding a CA-Signed Certificate, page E-20
Viewing Local Certificates

The Local Certificate page lists all the local certificates added to Cisco ISE.
Before You Begin

To perform the following task, you must be a Super Admin or System Admin.
Step 1 Choose Administration > System > Certificates > Local Certificates.
The Local Certificate page appears and provides the following information for the local certificates:
• Friendly Name—Name of the certificate.
• Protocol—Protocols for which to use this certificate.
• Issued To—Common Name of the certificate subject.
• Issued By—Common Name of the certificate issuer
• Valid From—Date on which the certificate was created, also know as the Not Before certificate
attribute.
• Expiration Date—Expiration date of the certificate, also known as the Not After certificate attribute.
• Expiration Status—Indicates when the certificate expires. There are five categories along with an
associated icon that appear here:
1. Expiring in more than 90 days (green icon)
2. Expiring in 90 days or less (blue icon)
3. Expiring in 60 days or less (yellow icon)
4. Expiring in 30 days or less (orange icon)

OL-27044-01 E-15
Local Certificates
5. Expired (red icon)
Related Topics
Adding a Local Certificate

You can add a local certificate to Cisco ISE in one of the following ways:
• Generating a Self-Signed Certificate, page E-18
• Generating a Certificate Signing Request, page E-19 and Binding a CA-Signed Certificate,
page E-20
If you are planning to import a wildcard certificate, ensure that you have read the following sections:
Note If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate
on a node, existing browser sessions connected to that node do not automatically switch over to the new
certificate. You must restart your browser to see the new certificate.
Importing a Local Certificate

You can add a new local certificate by importing a local certificate.
Before You Begin

Ensure that you have the local certificate and the private key file on the system that is running the client
browser.
If the local certificate that you import contains the basic constraints extension with the CA flag set to
true, ensure that the key usage extension is present, and the keyEncipherment bit or the keyAgreement
bit or both are set.
To import a local certificate to a secondary node, choose Administration > System > Server
Certificate.
Step 2 Choose Add > Import Local Server Certificate.
Step 3 Click Browse to choose the certificate file and the private key from the system that is running your client
browser.
If the private key is encrypted, enter the Password to decrypt it.

E-16 OL-27044-01
Local Certificates
Step 4 Enter a Friendly Name for the certificate. If you do not specify a name, Cisco ISE automatically creates
a name in the format <common name>#<issuer>#<nnnnn> where <nnnnn> is a unique five-digit
number.
Step 5 Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate
certificate extensions.
If you check the Enable Validation of Certificate Extensions check box and the certificate that you are
importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage
extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.
Step 6 Check the Allow Wildcard Certificates check box if you want to import a wildcard certificate (a
certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS name in the
Subject Alternative Name.
Step 7 In the Protocol group box:
• Check the EAP check box to use this certificate for EAP protocols to identify the Cisco ISE node.
• Check the HTTPS check box to use this certificate to authenticate the web server.
If you check the Management Interface check box, ensure that the Common Name value in the
Certificate Subject matches the fully qualified domain name (FQDN) of the node or a wildcard
notation if a wildcard certificate is used. Otherwise, the import process will fail.
Step 8 Check the Replace Certificate check box to replace an existing certificate with a duplicate certificate.
A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as
an existing certificate. This option updates the content of the certificate, but retains the existing protocol
selections for the certificate.
Note If Cisco ISE is set to operate in FIPS mode, the certificate RSA key size must be 2048 bits or
greater in size and use either SHA-1 or SHA-256 hash algorithm.
Step 9 Click Submit to import the local certificate.

If you import a local certificate to your primary Cisco ISE node and the management interface option is
enabled on the node in your deployment, Cisco ISE automatically restarts the application server on the
node. Otherwise, you must restart the secondary nodes that are connected to your primary Cisco ISE
node.
To restart the secondary nodes from the CLI, enter the following commands in the given order:
a. application stop ise
b. application start ise
Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.2 for more information on
these commands.
Related Topics

OL-27044-01 E-17
Local Certificates
Generating a Self-Signed Certificate

You can add a new local certificate by generating a self-signed certificate. Cisco recommends that you
only employ self-signed certificates for your internal testing and evaluation needs. If you are planning
to deploy Cisco ISE in a production environment, be sure to use CA-signed certificates whenever
possible to ensure more uniform acceptance around a production network.
Before You Begin

To generate a self-signed certificate from a secondary node, choose Administration > System > Server
Certificate.
Step 2 Choose Add > Generate Self Signed Certificate.
Step 3 Enter the following information in the Generate Self Signed Certificate page:
• Certificate Subject—A distinguished name (DN) identifying the entity that is associated with the
certificate. The DN must include a Common Name (CN) value.
• Subject Alternative Name—A DNS name or IP Address that is associated with the certificate.
• Required Key Length—Valid values are 512, 1024, 2048, and 4096. If you are deploying Cisco ISE
as a FIPS-compliant policy management-engine, you must specify a 2048-bit or larger key length.
• Digest to Sign With—You can choose to encrypt and decrypt certificates using either SHA-1 or
SHA-256.
• Certificate Expiration TTL. You can specify an expiration time period in days, weeks, months, or
years.
• If you would like to specify a Friendly Name for the certificate, enter it in the field below the private
key password. If you do not specify a name, Cisco ISE automatically creates a name in the format
<common name>#<issuer>#<nnnnn> where <nnnnn> is a unique five-digit number.
Step 4 Check the Allow Wildcard Certificates check box if you want to generate a self-signed wildcard
certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or the DNS
name in the Subject Alternative Name. For example, DNS name assigned to the SAN can be
*.amer.cisco.com.
• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.
• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE portals.
Certificate Subject matches the fully qualified domain name (FQDN) of the node. Otherwise, the
self-signed certificate will not be generated.
If the HTTPS check box is checked, then the application server on the Cisco ISE node will be
restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment,
then the application server on all other nodes in the deployment will also be restarted. They will
restart one node at a time, after the Primary Administration node restart has completed.
Step 6 In the Override Policy area, check the Replace Certificate check box to replace an existing certificate
with a duplicate certificate. A certificate is considered a duplicate if it has the same subject or issuer and
the same serial number as an existing certificate. This option updates the content of the certificate, but
retains the existing protocol selections for the certificate.

E-18 OL-27044-01
Local Certificates
Step 7 Click Submit to generate the certificate.
Note If you are using a self-signed certificate and you must change the hostname of your Cisco ISE node, you
must log in to the Admin portal of the Cisco ISE node, delete the self-signed certificate that has the old
hostname, and generate a new self-signed certificate. Otherwise, Cisco ISE will continue to use the
self-signed certificate with the old hostname.
Related Topics
Generating a Certificate Signing Request

You can add a new local certificate by generating a certificate signing request and then binding a
CA-signed certificate.
Before You Begin

To generate a CSR from a secondary node, choose Administration > System > Server Certificate.
Step 2 Choose Add > Generate Certificate Signing Request.
Step 3 Enter the certificate subject and the required key length. The certificate subject is a distinguished name
(DN) identifying the entity that is associated with the certificate. The DN must include a common name
value. Elements of the distinguished name are:
• C = Country
• ST = Test state or province
• L = Test locality (City)
• O = Organization name
• OU = Organizational unit name
• CN = Common name
• E = E-mail address
For example, the Certificate Subject in a CSR can take the following values: “CN=Host-ISE.cisco.com,
OU=Cisco, O=security, C=US, ST=NC, L=RTP, e=test@test.com” or “CN=aaa.amer.cisco.com, DNS
name in SAN=*.amer.cisco.com, OU=Cisco, O=security, C=US, ST=NC, L=RTP, e=abc@xyz.com.”
Note When populating the Certificate Subject field, do not encapsulate the string in quotation marks.
If you intend to use the certificate generated from this CSR for HTTPS communication, ensure that the
common name value in the Certificate Subject is the FQDN of the node. Otherwise, you will not be able
to select Management Interface when binding the generated certificate.
Step 4 Subject Alternative Name—A DNS name or IP Address that is associated with the certificate.

OL-27044-01 E-19
Local Certificates
Step 5 Choose to encrypt and decrypt certificates using either SHA-1 or SHA-256.
Note If Cisco ISE is set to operate in FIPS mode, the certificate RSA key size must be 2048 bits or
greater in size and use either SHA-1 or SHA-256 hash algorithm.
Step 6 Check the Allow Wildcard Certificates check box if the Certificate Subject contains a CN or SAN with
a wildcard FQDN.
Step 7 Click Submit to generate a CSR.
A CSR and its private key are generated and stored in Cisco ISE. You can view this CSR in the Certificate
Signing Requests page. You can export the CSR and send it to a CA to obtain a signature.
Related Topics
• Creating a Certificate Signing Request for Wildcard Certificates, page E-10
Binding a CA-Signed Certificate

After a Certificate Signing Request is signed by a Certificate Authority and returned to you, you must
bind the CA-signed certificate with its private key to complete the process of adding a local certificate
in Cisco ISE.
Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.
To bind a CA-signed certificate to a secondary node, choose Administration > System > Server
Certificate.
Step 2 Choose Add > Bind CA Certificate.
Step 3 Click Browse to choose the CA-signed certificate and choose the appropriate CA-signed certificate.
Step 4 Specify a Friendly Name for the certificate. If you do not specify a name, Cisco ISE automatically
creates a name in the format <common name>#<issuer>#<nnnnn> where <nnnnn> is a unique
five-digit number.
Step 5 Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate
certificate extensions.
Note If you enable the Enable Validation of Certificate Extensions option, and the certificate that
you are importing contains a basic constraints extension with the CA flag set to true, ensure that
the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit,
or both, are also set.
Step 6 Check the Allow Wildcard Certificates check box to bind a certificate that contains the wildcard
character, asterisk (*) in any CN in the Subject or DNS in the Subject Alternative Name.

E-20 OL-27044-01
Local Certificates
• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE web portal.
notation if a wildcard certificate is used. Otherwise, the bind operation will fail.
Step 8 Check the Replace Certificate check box to replace an existing certificate with a duplicate certificate.
A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as
an existing certificate. This option updates the content of the certificate, but retains the existing protocol
selections for the certificate.
Step 9 Click Submit to bind the CA-signed certificate.
Related Topics
Editing a Local Certificate

You can use this page to edit local certificates.
Before You Begin

To edit a local certificate on a secondary node, choose Administration > System > Server Certificate.
Step 2 Check the check box next to the certificate that you want to edit, and click Edit.
Step 3 You can edit the following:
• Friendly name
• Description
• Protocols
• Expiration TTL (if the certificate is self-signed)
Step 4 Enter an optional friendly name and description to identify this certificate.
• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE web portal.

OL-27044-01 E-21
Local Certificates
Note If you check the Management Interface check box, ensure that the Common Name value in the
notation if a wildcard certificate is used. If the Common Name value is blank, the edit operation
will fail.
For example, if local_certificate_1 is currently designated for EAP and you check the EAP check
box while editing local_certificate_2, then after you save the changes to local_certificate_2,
local_certificate_1 will no longer be associated with EAP.
Step 6 Check the Renew Self Signed Certificate check box if you are editing a self-signed certificate and want
to extend the Expiration Date.
Step 7 Enter the Expiration TTL (Time to Live) in days, weeks, months, or years.
Step 8 Click Save to save your changes.
Related Topics
Exporting a Local Certificate

You can export a selected local certificate or a certificate and its associated private key. If you export a
certificate and its private key for backup purposes, you can reimport them later if needed.
Before You Begin

To export a local certificate from a secondary node, choose Administration > System > Server
Certificate.
Step 2 Check the check box next to the certificate that you want to export and then click Export.
Step 3 Choose whether to export only the certificate, or the certificate and its associated private key.
Tip We do not recommend exporting the private key associated with a certificate because its value may
be exposed. If you must export a private key, specify an encryption password for the private key. You
will need to specify this password while importing this certificate into another Cisco ISE server to
decrypt the private key.
Step 4 Choose the certificate component that you want to export.

E-22 OL-27044-01
Certificate Signing Requests
Step 5 Enter the password if you have chosen to export the private key. The password should be at least 8
characters long.
Step 6 Click OK to save the certificate to the file system that is running your client browser.
If you export only the certificate, the certificate is stored in the privacy-enhanced mail format. If you
export both the certificate and private key, the certificate is exported as a .zip file that contains the
certificate in the privacy-enhanced mail format and the encrypted private key file.
Related Topics
Certificate Signing Requests

The list of Certificate Signing Requests (CSRs) that you have created is available in the Certificate
Signing Requests page. To obtain signatures from a CA, you must export the CSRs to the local file
system that is running your client browser. You must then send the certificates to a CA. The CA will sign
and return your certificates.
Note If your Cisco ISE deployment has multiple nodes in a distributed setup, you must export the CSRs from
each node in your deployment individually.
Related Topic
Exporting Certificate Signing Requests, page E-23
Exporting Certificate Signing Requests

You can use this page to export certificate signing requests.
Before You Begin

Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.
If you want to export CSRs from a secondary node, choose Administration > System > Certificate
Signing Requests.
Step 2 Check the check box next to the certificates that you want to export, and click Export.
Step 3 Click OK to save the file to the file system that is running the client browser.
Related Topics

OL-27044-01 E-23
Certificate Store
Certificate Store
The Cisco ISE Certificate Store contains X.509 certificates that are used for trust and for Simple
Certificate Enrollment Protocol (SCEP). The certificates in the Certificate Store are managed on the
primary administration node, and are replicated to every node in the Cisco ISE deployment.
Cisco ISE supports wildcard certificates.
Cisco ISE uses the Certificate Store certificates for the following purposes:
• To verify client certificates used for authentication by endpoints, and by Cisco ISE administrators
accessing the Admin Portal using certificate-based administrator authentication.
• To enable secure communication between Cisco ISE nodes in a deployment. The Certificate Store
must contain the chain of CA certificates needed to establish trust with the local HTTPS server
certificate on each node in a deployment.
– If a self-signed certificate is used for the server certificate, the self-signed certificate from each
node must be placed in the Certificate Store of the primary Administration node.
– If a CA-signed certificate is used for the server certificate, the CA root certificate, as well as
any intermediate certificates in the trust chain, must be placed in the Certificate Store of the
• To enable secure LDAP authentication. A certificate from the Certificate Store must be selected
when defining an LDAP identity source that will be accessed over SSL.
• For distribution to mobile devices preparing to register in the network using the My Devices portal.
Cisco ISE implements the SCEP on Policy Service Nodes (PSN) to support mobile device
registration. A registering device uses the SCEP protocol to request a client certificate from a PSN.
The PSN contains a registration authority (RA) that acts as an intermediary; it receives and validates
the request from the registering device, and then forwards the request to a CA, which actually issues
the client certificate. The CA sends the certificate back to the RA, which returns it to the device.
Each SCEP CA used by Cisco ISE is defined by a SCEP RA Profile. When a SCEP RA Profile is
created, two certificates are automatically added to the Certificate Store:
a. A CA certificate (a self-signed certificate)
b. An RA certificate (a Certificate Request Agent certificate), which is signed by the CA.
The SCEP protocol requires that these two certificates be provided by the RA to a registering device.
By placing these two certificates in the Certificate Store, they are replicated to all PSN nodes for use
by the RA on those nodes.
Note X.509 certificates imported to Cisco ISE must be in Privacy-Enhanced Mail (PEM) or Distinguished
Encoding Rule (DER) format. Files containing a certificate chain, that is, a local certificate along with
the sequence of trust certificates that sign it, can be imported, subject to certain restrictions.
Related Topics
• Simple Certificate Enrollment Protocol Profiles, page E-29
• Importing Certificate Chains, page E-28
• Expiration of X.509 Certificates, page E-25
• CA Certificate Naming Constraint, page E-25
• Viewing Certificate Store Certificates, page E-26
• Changing the Status of a Certificate in Certificate Store, page E-26

E-24 OL-27044-01
Certificate Store
• Adding a Certificate to Certificate Store, page E-27

• Editing a Certificate Store Certificate, page E-27
• Exporting a Certificate from the Certificate Store, page E-27
Expiration of X.509 Certificates

X.509 certificates are only valid until a specific date. Once a Certificate Store certificate expires, the
Cisco ISE functionality that depends on the certificate is impacted. Cisco ISE notifies you about the
pending expiration of a certificate when the expiration date is within 90 days. This notification appears
in several ways:
• Colored expiration status icons appear in the Certificate Store page.
• Expiration messages appear in the Cisco ISE System Diagnostic report.
• Expiration alarms are generated at 90 days, 60 days, and every day in the final 30 days before
expiration.
The Certificate Store is prepopulated with two Cisco CA certificates: a Manufacturing certificate and a
Root certificate. The Root certificate signs the Manufacturing certificate. These certificates are disabled
by default. If you have Cisco IP phones as endpoints in your deployment, you should enable these two
certificates so the Cisco-signed client certificates for the phones can be authenticated.
• Viewing Certificate Store Certificates, page E-26
• Editing a Certificate Store Certificate, page E-27
• Importing Certificate Chains, page E-28
• Installation of CA Certificates for Cisco ISE Inter-node Communication, page E-28
CA Certificate Naming Constraint

A CA certificate in CTL may contain a name constraint extension. This extension defines a namespace
for values of all subject name and subject alternative name fields of subsequent certificates in a
certificate chain. Cisco ISE does not check constraints specified in a root certificate.
The following name constraints are supported:
• Directory name
The Directory name constraint should be a prefix of the directory name in subject/SAN. For
example,
– Correct subject prefix:
CA certificate name constraint: Permitted: O=Cisco
Client certificate subject: O=Cisco,CN=Salomon
– Incorrect subject prefix:
CA certificate name constraint: Permitted: O=Cisco
Client certificate subject: CN=Salomon,O=Cisco

OL-27044-01 E-25
Certificate Store
• DNS
• E-mail
• URI (The URI constraint must start with a URI prefix such as http://, https://, ftp://, or ldap://).
The following name constraints are not supported:
• IP address
• Othername
When a CA certificate contains a constraint that is not supported and certificate that is being verified
does not contain appropriate field, it is rejected because Cisco ISE cannot verify unsupported
constraints.
The following is an example of the name constraints definition within the CA certificate:
X509v3 Name Constraints: critical
Permitted:
othername:<unsupported>
email:.abcde.at
email:.abcde.be
email:.abcde.bg
email:.abcde.by
DNS:.dir
DirName: DC = dir, DC = emea
DirName: C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic
DirName: C = BG, ST = EMEA, L = BG, O = ABCDE Group, OU = Domestic
DirName: C = BE, ST = EMEA, L = BN, O = ABCDE Group, OU = Domestic
DirName: C = CH, ST = EMEA, L = CH, O = ABCDE Group, OU = Service Z100
URI:.dir
IP:172.23.0.171/255.255.255.255
Excluded:
DNS:.dir
URI:.dir
An acceptable client certificate subject that matches the above definition is as follows:
Subject: DC=dir, DC=emea, OU=+DE, OU=OU-Administration, OU=Users, OU=X1,
CN=cwinwell
Viewing Certificate Store Certificates

The Certificate Store page lists all the CA certificates that have been added to Cisco ISE. To view the
CA certificates, you must be a Super Admin or System Admin.
To view all the certificates, choose Administration > System > Certificates > Certificate Store. The
Certificate Store page appears, listing all the CA certificates.
Changing the Status of a Certificate in Certificate Store

The status of a certificate must be enabled so that Cisco ISE can use the certificate for establishing trust.
When a certificate is imported into the Certificate Store, it is automatically enabled.
Step 1 Choose Administration > System > Certificates > Certificate Store.
Step 2 Check the check box next to the certificate you want to enable or disable, and click Change Status.

E-26 OL-27044-01
Certificate Store
Adding a Certificate to Certificate Store

The Certificate Store page allows you to add CA certificates to Cisco ISE.
Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.
• Ensure that the certificate store certificate resides on the file system of the computer where your
browser is running. The certificate must be in PEM or DER format.
Step 2 Click Import.
Step 3 Configure the field values as necessary.
If client certificate-based authentication is enabled, then Cisco ISE will restart the application server on
each node in your deployment, starting with the application server on the primary Administration node
and followed, one-by-one, by each additional node.
Editing a Certificate Store Certificate

After you add a certificate to the Certificate Store, you can further edit it by using the edit settings.
Before You Begin

Step 2 Check the check box next to the certificate that you want to edit, and click Edit.
Step 3 Modify the editable fields as required.
Step 4 Click Save to save the changes you have made to the certificate store.
Exporting a Certificate from the Certificate Store

Before You Begin
Step 2 Check the check box next to the certificate that you want to export, and click Export. You can export
only one certificate at a time.
Step 3 Save the privacy-enhanced mail file to the file system that is running your client browser.

OL-27044-01 E-27
Certificate Store
Importing Certificate Chains

You can import multiple certificates from a single file that contains a certificate chain received from a
Certificate store. All certificates in the file must be in Privacy-Enhanced Mail (PEM) format, and the
certificates must be arranged in the following order:
• The last certificate in the file must be the client or server certificate being issued by the CA.
• All preceding certificates must be the root CA certificate plus any intermediate CA certificates in
the signing chain for the issued certificate.
Importing a certificate chain is a two-step process:
Step 1 Import the certificate chain file into the Certificate Store using the Adding a Certificate to Certificate
Store operation. This operation will import all certificates from the file except the last one into the
Certificate Store. You can perform this step only on the primary Administration node.
Step 2 Import the certificate chain file using the Binding a CA-Signed Certificate operation. This operation will
import the last certificate from the file as a local certificate.
Installation of CA Certificates for Cisco ISE Inter-node Communication

In a distributed deployment, before registering a secondary node, you must populate the primary node’s
CTL with the appropriate CA certificates that are used to validate the HTTPS certificate of the secondary
node. The procedure to populate the CTL of the primary node is different for different scenarios:
• If the secondary node is using a CA-signed certificate for HTTPS communication, you must import
the CA-signed certificate of the secondary node into the CTL of the primary node.
• If the secondary node is using a self-signed certificate for HTTPS communication, you can import
the self-signed certificate of the secondary node into the CTL of the primary node.
Note If you change the HTTPS certificate on the registered secondary node, after registering your secondary
node to the primary node, you must obtain appropriate CA certificates that can be used to validate the
secondary node’s HTTPS certificate.
Related Topics
• Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL, page E-28
• Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node,
page E-29
Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL
Before You Begin
Step 1 Log in to the Admin portal of the node that you are going to register as your secondary node, and export
the CA-signed certificate that is used for HTTPS communication to the file system running your client
browser.

E-28 OL-27044-01
Simple Certificate Enrollment Protocol Profiles
Step 2 In the Export dialog box, click the Export Certificate Only radio button.
Step 3 Log in to the Admin portal of your primary node, and import the CA-signed certificate of the secondary
node into the CTL of the primary node.
Related Topics
Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node
Before You Begin
Step 1 Log in to the Admin portal of the node that you are going to register as your secondary node and export
the self-signed certificate that is used for HTTPS communication to the file system running your client
browser.
Step 2 In the Export dialog box, click the Export Certificate Only radio button.
Step 3 Log in to the Admin portal of your primary node, and import the self-signed certificate of the secondary
node into the CTL of the primary node.
Related Topics
• Exporting a Local Certificate, page E-22
Simple Certificate Enrollment Protocol Profiles

To help enable certificate provisioning functions for the variety of mobile devices that users can register
on the network, Cisco ISE enables you to configure one or more Simple Certificate Enrollment Protocol
(SCEP) Certificate Authority (CA) profiles to point Cisco ISE to multiple CA locations. The benefit of
allowing for multiple profiles is to help ensure high availability and perform load balancing across the
CA locations that you specify. If a request to a particular SCEP CA goes unanswered three consecutive
times, Cisco ISE declares that particular server unavailable and automatically moves to the CA with the
next lowest known load and response times, then it begins periodic polling until the server comes back
online.
For details on how to set up your Microsoft SCEP server to interoperate with Cisco ISE, see
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certi
ficates.pdf.
Related Topics
• Adding Simple Certificate Enrollment Protocol Profiles, page E-30
• OCSP Services, page E-30

OL-27044-01 E-29
OCSP Services
Adding Simple Certificate Enrollment Protocol Profiles

Step 1 Choose Administration > System > Certificates > SCEP CA Profile.
Step 2 Specify a Name for the profile to distinguish it from other SCEP CS profile names.
Step 3 Enter an optional Description of the profile.
Step 4 Specify the URL of the SCEP CA server in question, where Cisco ISE can direct SCEP CA requests
when users access the network from their mobile devices.
You can optionally use the adjacent Test Connectivity button to verify that Cisco ISE is able to reach
the server at the URL that you specify, before clicking the Submit button to end the session. (Either way,
Cisco ISE will test the URL before allowing you to save the profile.)
For Reference:
Once users’ devices receive their validated certificate, they reside on the device as described in
Table E-1.
Table E-1 Device Certificate Location
Device Certificate Storage Location Access Method

iPhone/iPad Standard certificate store Settings > General > Profile
Android Encrypted certificate store Invisible to end users.
Note Certificates can be removed using
Settings > Location & Security >
Clear Storage.
Windows Standard certificate store Launch mmc.exe from the /cmd prompt or
view in the certificate snap-in.
Mac Standard certificate store Application > Utilities > Keychain Access
OCSP Services
The Online Certificate Status Protocol (OCSP) is a protocol that is used for checking the status of x.509
digital certificates. This protocol is an alternative to the Certificate Revocation List (CRL) and addresses
issues that result in handling CRLs.
Cisco ISE has the capability to communicate with OCSP servers over HTTP to validate the status of
certificates in authentications. The OCSP configuration is configured in a reusable configuration object
that can be referenced from any certificate authority (CA) certificate that is configured in Cisco ISE. See
Editing a Certificate Store Certificate, page E-27.
You can configure CRL and/or OCSP verification per CA. If both are selected, then Cisco ISE first
performs verification over OCSP. If a communication problem is detected with both the primary and
secondary OCSP servers, or if an unknown status is returned for a given certificate, Cisco ISE switches
to checking the CRL.
• OCSP Certificate Status Values, page E-31

E-30 OL-27044-01
OCSP Services
• OCSP High Availability, page E-31

• Adding OCSP Services, page E-32
• OCSP Statistics Counters, page E-33
• OCSP Failures, page E-31
• Monitoring OCSP, page E-34
OCSP Certificate Status Values

OCSP services return the following values for a given certificate request:
• Good—Indicates a positive response to the status inquiry. It means that the certificate is not revoked,
and the state is good only until the next time interval (time to live) value.
• Revoked—The certificate was revoked.
• Unknown—The certificate status is unknown. This can happen if the OCSP is not configured to
handle the given certificate CA.
• Error—No response was received for the OCSP request.
Related Topics
OCSP Statistics Counters, page E-33
OCSP High Availability

Cisco ISE has the capability to configure up to two OCSP servers per CA, and they are called primary
and secondary OCSP servers. Each OCSP server configuration contains the following parameters:
• URL—The OCSP server URL.
• Nonce—A random number that is sent in the request. This option ensures that old communications
cannot be reused in reply attacks.
• Validate response—Cisco ISE validates the response signature that is received from the OCSP
server.
In case of timeout (which is 5 seconds), when Cisco ISE communicates with the primary OCSP server,
it switches to the secondary OCSP server.
Cisco ISE uses the secondary OCSP server for a configurable amount of time before attempting to use
the primary server again.
OCSP Failures
The three general OCSP failure scenarios are as follows:
1. Failed OCSP cache or OCSP client side (Cisco ISE) failures.
2. Failed OCSP responder scenarios, for example:
a. The first primary OCSP responder not responding, and the secondary OCSP responder
responding to the Cisco ISE OCSP request.
b. Errors or responses not received from Cisco ISE OCSP requests.

OL-27044-01 E-31
OCSP Services
An OCSP responder may not provide a response to the Cisco ISE OCSP request or it may return an
OCSP Response Status as not successful. OCSP Response Status values can be as follows:
– tryLater
– signRequired
– unauthorized
– internalError
– malformedRequest
There are many date-time checks, signature validity checks and so on, in the OCSP request. For
more details, refer to RFC 2560 X.509 Internet Public Key Infrastructure Online Certificate Status
Protocol - OCSP which describes all the possible states, including the error states.
3. Failed OCSP reports
Adding OCSP Services

You can use the add OCSP page to add new OCSP services to Cisco ISE.
Step 1 Choose Administration > System > Certificates > OCSP Services.
Step 2 Click Add
Step 3 Provide a name and description for the OCSP service.
Step 4 Check the Enable Secondary Server check box if you want to enable high availability.
Step 5 Select one of the following options for high availability:
• Always Access Primary Server First —Use this option to check the primary server before trying to
move to the secondary server. Even if the primary was checked earlier and found to be unresponsive,
Cisco ISE will try to send a request to the primary server before moving to the secondary server.
• Fallback to Primary Server After Interval—Use this option when you want Cisco ISE to move to the
secondary server and then fall back to the primary server again. In this case, all other requests are
skipped, and the secondary server is used for the amount of time that is configured in the text box.
The allowed time range is 1 to 999 minutes.
Step 6 Provide the URLs or IP addresses of the primary and secondary OCSP servers.
Step 7 Check or uncheck the following options:
• Nonce—You can configure a nonce to be sent as part of the OCSP request. The Nonce includes a
pseudo-random number in the OCSP request. It is verified that the number that is received in the
response is the same as the number that is included in the request. This option ensures that old
communications cannot be reused in replay attacks.
• Validate Response Signature—The OCSP responder signs the response with one of the following
signatures:
– The CA certificate
– A certificate different from the CA certificate
In order for Cisco ISE to validate the response signature, the OCSP responder needs to send the
response along with the certificate, otherwise the response verification fails, and the status of the
certificate cannot be relied on. According to the RFC, OCSP can sign the response using different

E-32 OL-27044-01
OCSP Services
certificates. This is true as long as OCSP sends the certificate that signed the response for Cisco ISE
to validate it. If OCSP signs the response with a different certificate that is not configured in Cisco
ISE, the response verification will fail.
Step 8 Provide the number of minutes for the Cache Entry Time to Live.
Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the
certificate will be updated next on the server. When the OCSP response is cached, the two values (one
from the configuration and another from response) are compared, and the response is cached for the
period of time that is the lowest value of these two. If the nextUpdate value is 0, the response is not
cached at all.
Cisco ISE will cache OCSP responses for the configured time. The cache is not replicated or persistent,
so when Cisco ISE restarts, the cache is cleared.
The OCSP cache is used in order to maintain the OCSP responses and for the following reasons:
• To reduce network traffic and load from the OCSP servers on an already-known certificate
• To increase the performance of Cisco ISE by caching already-known certificate statuses
Step 9 Click Clear Cache to clear entries of all the certificate authorities that are connected to the OCSP
service.
In a deployment, Clear Cache interacts with all the nodes and performs the operation. This mechanism
updates every node in the deployment.
OCSP Statistics Counters

The OCSP counters are used for logging and monitoring the data and health of the OCSP servers.
Logging occurs every five minutes. A syslog message is sent to the Cisco ISE Monitoring node and is
preserved in the local store, which contains data from the previous five minutes. After the message is
sent, the counters are recalculated for the next interval. This means, after five minutes, a new five-minute
window interval starts again.
Table E-2 lists the OCSP syslog messages and their descriptions.
Table E-2 OCSP Syslog Messages
Message Description
OCSPPrimaryNotResponsiveCount The number of nonresponsive primary requests
OCSPSecondaryNotResponsiveCount The number of nonresponsive secondary requests
OCSPPrimaryCertsGoodCount The number of ‘good’ certificates that are returned for
a given CA using the primary OCSP server
OCSPSecondaryCertsGoodCount The number of ‘good’ statuses that are returned for a
given CA using the primary OCSP server
OCSPPrimaryCertsRevokedCount The number of ‘revoked’ statuses that are returned for
a given CA using the primary OCSP server
OCSPSecondaryCertsRevokedCount The number of ‘revoked’ statuses that are returned for
a given CA using the secondary OCSP server
OCSPPrimaryCertsUnknownCount The number of ‘Unknown’ statuses that are returned
for a given CA using the primary OCSP server

OL-27044-01 E-33
Configuring Certificates for Inline Posture Nodes
Table E-2 OCSP Syslog Messages
Message Description
OCSPSecondaryCertsUnknownCount The number of ‘Unknown’ statuses that are returned
for a given CA using the secondary OCSP server
OCSPPrimaryCertsFoundCount The number of certificates that were found in cache
from a primary origin
OCSPSecondaryCertsFoundCount The number of certificates that were found in cache
from a secondary origin
ClearCacheInvokedCount How many times clear cache was triggered since the
interval
OCSPCertsCleanedUpCount How many cached entries were cleaned since the t
interval
NumOfCertsFoundInCache Number of the fulfilled requests from the cache
OCSPCacheCertsCount Number of certificates that were found in the OCSP
cache
Monitoring OCSP
You can view the OCSP services data in the form of an OCSP Monitoring Report. For more information
on Cisco ISE reports, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

After you install the Inline Posture node, Release 1.2, ISO image on any of the supported appliance
platforms and run the setup program, you must configure certificates for Inline Posture nodes before you
can add them to the deployment. You configure Inline Posture node certificates only from the CLI.
Before You Begin

• The Inline Posture node must be certified from the same certificate authority (CA) that certified the
• If you wish to deploy an active-standby pair of Inline Posture nodes, you must configure the
certificates on both the active and standby Inline Posture nodes.
Step 1 Log in to the Inline Posture node through the CLI.

Step 2 Enter the following command:
pep certificate server generatecsr
Step 3 Enter n to use an existing private key file to use with the certificate signing request (CSR) or enter y to
generate a new one.
Step 4 Enter the desired key size.
Step 5 Enter the type of digest that you want to sign the certificate with.
Step 6 Enter a country code name (2 letter code).
Step 7 Enter values for the state, city, organization, organizational unit.

E-34 OL-27044-01
Step 8 Enter the Common Name. The Common Name is the same as your hostname. You must enter the fully
qualified domain name (FQDN). For example, if your hostname is IPN1 and your DNS domain name is
cisco.com, you must enter IPN1.cisco.com as your Common Name.
Step 9 Enter an e-mail address.
Step 10 Copy the entire block of text including the blank line after the END CERTIFICATE REQUEST tag (to
include the carriage return).
Step 11 Send this CSR to the CA that signed the primary Administration node certificate.
If you are using the Microsoft CA, choose Web Server as the certificate template while sending the
signing request.
Note Only server authentication is supported in Release 1.2. If you use other CAs to sign a certificate,
ensure that the extended key usage specifies server authentication alone.
Step 12 Download the signed certificate in the DER or base64 format and copy it to an FTP server.
Step 13 Enter the following command from the Inline Posture node CLI:
copy ftp://a.b.c.d/ipn1.cer disk:
where a.b.c.d is the IP address of the FTP server and ipn1.cer is the CA-signed certificate that you are
adding to the Inline Posture node.
Step 14 Enter the username and password for the FTP server.
Step 15 Enter the following command from the Inline Posture node CLI:
pep certificate server add
Step 16 Enter y for the application to restart.
Step 17 Enter y to bind the certificate to the last CSR.
Step 18 Enter the name of the CA-signed certificate.
The Inline Posture application restarts. You can now register this Inline Posture node with your primary
Administration node. Refer to the Cisco Identity Services Engine User Guide, Release 1.2 for more
information.

OL-27044-01 E-35

E-36 OL-27044-01
INDEX
setup program 3-7

B
post-installation tasks 7-1
beeps for USB devices A-8 IP settings, DHCP or static 3-4
C L
cable management arm installation A-6 location
Cisco ISE deployment 1-1 serial number 2-1
D M
DHCP, enabling 3-4 motherboard beeps A-8
E N
environmental specifications B-1 NIC modes, setting 3-4
NIC redundancy 3-4
I
P
installation
cable management arm A-6 packing list A-2
initial power-on and setup A-7 physical specifications B-1
IP settings 3-4 post-installation tasks 7-1
NIC modes 3-4 power
NIC redundancy 3-4 connecting power cords A-8
power cables A-8 specifications B-2
rack installation A-4
rack requirements A-4
required equipment A-4
R
slide rails A-5 rack installation A-4, A-5
unpacking and inspection A-2 rack requirements A-4
verification 3-15 required equipment
installing Cisco ISE installation A-4

OL-27044-01 IN-1
Index
serial number
location 2-1
setting NIC modes 3-4
setting NIC redundancy 3-4
slide rail installation A-5
specifications
environmental B-1
physical B-1
power B-2
static IP, setting 3-4
unpacking the server A-2

upgrading
post-installation tasks 7-1
VMware
configuring 4-9
hardware requirements 4-2
installing 4-1
installing the Cisco ISE appliance 4-19

IN-2 OL-27044-01

Ise Ig

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ise Ig

Uploaded by

Copyright:

Available Formats

Cisco Identity Services Engine

Hardware Installation Guide, Release 1.2

Cisco Systems, Inc.

Cisco has more than 200 offices worldwide.

Text Part Number: OL-27044-01

• Turn the television or radio antenna until the interference stops.

• Move the equipment farther away from the television or radio.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

CHAPTER 1 Network Deployments in Cisco ISE 1-1

Architecture Overview 1-1

Network Deployment Terminology 1-2

Node Types and Personas in Distributed Deployments 1-3

Inline Posture Planning Considerations 1-12

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

CHAPTER 2 Cisco SNS-3400 Series Appliances 2-1

Cisco SNS-3400 Series Appliance Hardware Specifications 2-1

CHAPTER 3 Installing and Configuring a Cisco SNS-3400 Series Appliance 3-1

Installing the SNS-3400 Series Appliance in a Rack 3-1

Downloading the Cisco ISE, Release 1.2 ISO Image 3-1

Installing Release 1.2 Software on SNS-3400 Series Appliance 3-2

Cisco Integrated Management Controller 3-3

Configuring CIMC 3-3

Creating a Bootable USB Drive 3-5

Prerequisites for Configuring a Cisco SNS-3400 Series Appliance 3-6

Cisco ISE Setup Program Parameters 3-7

CHAPTER 4 Installing Release 1.2 Software on a VMware Virtual Machine 4-1

Supported VMware Versions 4-1

Support for VMware vMotion in Release 1.2 4-2

Virtual Machine Requirements 4-2

Installing Cisco ISE Software on a VMware System 4-19

Cloning a Cisco ISE Virtual Machine 4-24

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

Changing the IP Address and Hostname of a Cloned Virtual Machine 4-27

Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance 5-4

CHAPTER 6 Managing Administrator Accounts 6-1

CLI-Admin and Web-Based Admin User Right Differences 6-1

Tasks Performed by CLI-Admin and Web-Based Admin Users 6-1

Tasks Performed Only by the CLI-Admin User 6-2

Creating CLI Admin Users 6-2

Creating Web-Based Admin Users 6-2

CHAPTER 7 Performing Post-Installation Tasks 7-1

Accessing Cisco ISE Using a Web Browser 7-1

Verifying a Cisco ISE Configuration 7-4

Configuring the Cisco ISE System 7-10

Enabling System Diagnostic Reports in Cisco ISE 7-10

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

APPENDIX A Installing the Cisco SNS-3400 Series Appliance in a Rack A-1

Unpacking and Inspecting the Server A-1

Safety Guidelines A-2

Installing a Cisco SNS-3400 Series Appliance in a Rack A-4

Checking the LEDs A-8

APPENDIX B Cisco SNS-3400 Series Server Specifications B-1

Physical Specifications B-1

Environmental Specifications B-1

Power Specifications B-2

APPENDIX C Cisco SNS-3400 Series Appliance Ports Reference C-1

APPENDIX D Cisco ISE Licenses D-1

Cisco ISE Licensing D-1

Adding or Upgrading a License D-5

Removing a License D-5

APPENDIX E Certificate Management in Cisco ISE E-1

HTTPS Communication Using the Cisco ISE Certificate E-1

EAP Communication Using the Cisco ISE Certificate E-2