Cisco Identity Services Engine Hardware Installation Guide, Release 1.4


First Published: February 15, 2015
Last Modified: March 30, 2015

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.

USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks.

Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2015 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 Network Deployments in Cisco ISE 1
    Cisco ISE Network Architecture 1
    Cisco ISE Deployment Terminology 2
    Node Types and Personas in Distributed Deployments 3
    Administration Node 3
    Policy Service Node 4
    Monitoring Node 4
    Inline Posture Node 4
    Installing an Inline Posture Node 5
    Inline Posture Node Reuse 5
    Standalone and Distributed ISE Deployments 5
    Distributed Deployment Scenarios 6
    Small Network Deployments 6
    Split Deployments 7
    Medium-Sized Network Deployments 7
    Large Network Deployments 8
    Centralized Logging 8
    Load Balancers 8
    Dispersed Network Deployments 9
    Considerations for Planning a Network with Several Remote Sites 10
    Deployment Size and Scaling Recommendations 11
    Inline Posture Planning Considerations 13
    Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions 14

CHAPTER 2 Cisco SNS-3400 Series Appliances 15
    Cisco SNS Support for Cisco ISE 15
    Cisco SNS-3400 Series Appliance Hardware Specifications 15
    Cisco SNS-3400 Series Front Panel 16
    Cisco SNS-3400 Series Rear Panel 16

CHAPTER 3 Installing and Configuring a Cisco SNS-3400 Series Appliance 19
    Prerequisites for Installing the SNS-3400 Series Appliance 19
    Downloading the Cisco ISE ISO Image from Cisco.com 20
    Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance 20
    Configuring Cisco Integrated Management Controller 21
    Creating a Bootable USB Drive 22
    Cisco ISE Setup Program Parameters 23
    Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC 25
    Supported Time Zones 28
    Setup Process Verification 30

CHAPTER 4 Installing ISE on a VMware Virtual Machine 31
    ISE Features Not Supported in a Virtual Machine 31
    Supported VMware Versions 31
    Support for VMware vMotion 32
    Support for Open Virtualization Format 32
    Virtual Machine Requirements 32
    Virtual Machine Appliance Size Recommendations 34
    Disk Space Requirements 35
    Disk Space Guidelines 35
    Virtual Machine Resource and Performance Checks 36
    On Demand Virtual Machine Performance Check Using the Show Tech Support Command 37
    Virtual Machine Resource Check from the Cisco ISE Boot Menu 37
    Obtaining the Cisco ISE Evaluation Software 38
    Installing Cisco ISE on Virtual Machines 39
    Deploying Cisco ISE on Virtual Machines Using OVA Templates 39
    Installing Cisco ISE on Virtual Machines Using the ISO File 39
    Prerequisites for Configuring a VMware ESXi Server 40
    Virtualization Technology Check 41
    Enabling Virtualization Technology on an ESXi Server 41
    Configuring VMware Server Interfaces for the Cisco ISE Profiler Service 42
    Connecting to the VMware Server Using the Serial Console 42
    Configuring a VMware Server 43
    Configuring a VMware System to Boot From a Cisco ISE Software DVD 44
    Installing Cisco ISE Software on a VMware System 44
    Cisco ISE ISO Installation on Virtual Machine Fails 46
    Cloning a Cisco ISE Virtual Machine 46
    Cloning a Cisco ISE Virtual Machine Using a Template 47
    Creating a Virtual Machine Template 47
    Deploying a Virtual Machine Template 48
    Changing the IP Address and Hostname of a Cloned Virtual Machine 48
    Connecting a Cloned Cisco Virtual Machine to the Network 50
    Migrating Cisco ISE VM from Evaluation to Production 50

CHAPTER 5 Installing Cisco ISE Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances 53
    Supported Cisco ISE, Secure ACS, and NAC Appliances 53
    Installing Cisco ISE Software from a DVD 54
    Installing Cisco ISE Software on a Re-imaged Cisco ISE-3300 Series Appliance 54
    Installing Cisco ISE Software on a Re-imaged Cisco Secure ACS Appliance 55
    Installing Cisco ISE Software on a Re-imaged Cisco NAC Appliance 56
    Resetting the Existing RAID Configuration on a Cisco NAC Appliance 57

CHAPTER 6 Managing Administrator Accounts 59
    CLI-Admin and Web-Based Admin User Right Differences 59
    CLI Admin Users Creation 60
    Web-Based Admin Users Creation 60

CHAPTER 7 Post-Installation Tasks 61
    Logging in to the Cisco ISE Web-Based Interface 61
    Cisco ISE Configuration Verification 62
    Verifying a Configuration Using a Web Browser 63
    Verifying a Configuration Using the CLI 63
    VMware Tools Installation Verification 64
    Verify VMware Tools Installation Using the Summary Tab in the vSphere Client 65
    Verify VMware Tools Installation Using the CLI 65
    Support for Upgrading VMware Tools 66
    Administrator Password Reset 66
    Resetting a Lost, Forgotten, or Compromised Password using the DVD 66
    Resetting a Password Due to Administrator Lockout 67
    Changing the IP Address of a Cisco ISE Appliance 68
    Viewing Installation and Upgrade History 69
    Configuring RAID on SNS-3415 Appliance 70
    Configuring RAID on SNS-3495 Appliance Using CIMC 70
    Performing a System Erase 71

APPENDIX A Cisco SNS-3400 Series Server Specifications 75
    Physical Specifications 75
    Environmental Specifications 75
    Power Specifications 76
    450-Watt Power Supply 76
    650-Watt Power Supply 77

APPENDIX B Cisco SNS-3400 Series Appliance Ports Reference 79
    Cisco ISE Infrastructure 79
    Cisco ISE Administration Node Ports 81
    Cisco ISE Monitoring Node Ports 82
    Cisco ISE Policy Service Node Ports 84
    Inline Posture Node Ports 87
    Cisco ISE pxGrid Service Ports 88
    OCSP and CRL Service Ports 89

CHAPTER 1 Network Deployments in Cisco ISE

• Cisco ISE Network Architecture, page 1
• Cisco ISE Deployment Terminology, page 2
• Node Types and Personas in Distributed Deployments, page 3
• Standalone and Distributed ISE Deployments, page 5
• Distributed Deployment Scenarios, page 6
• Small Network Deployments, page 6
• Medium-Sized Network Deployments, page 7
• Large Network Deployments, page 8
• Deployment Size and Scaling Recommendations, page 11
• Inline Posture Planning Considerations, page 13
• Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions, page 14

Cisco ISE Network Architecture

Cisco ISE architecture includes the following components:

• Nodes and persona types
  ◦ Cisco ISE node: a Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, Monitoring, or pxGrid.
  ◦ Inline Posture node: a gatekeeping node that takes care of access policy enforcement.
• Network resources
• Endpoints

The policy information point represents the point at which external information is communicated to the Policy Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP) attribute.

The following figure shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an Inline Posture node, and a policy information point.

Figure 1: Cisco ISE Architecture

Cisco ISE Deployment Terminology

This guide uses the following terms when discussing Cisco ISE deployment scenarios:

Service: A specific feature that a persona provides, such as network access, profiling, posture, security group access, monitoring, and troubleshooting.

Node: An individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and as software that can be run on VMware.

Node Type: A node can be one of two types: a Cisco ISE node or an Inline Posture node. The node type and persona determine the type of functionality provided by a node.

Persona: Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. The menu options that are available through the administrative user interface depend on the role and personas that a node assumes.

Role: Determines if a node is a standalone, primary, or secondary node and applies only to Administration and Monitoring nodes.

Node Types and Personas in Distributed Deployments

In a Cisco ISE distributed deployment, there are two types of nodes:

• Cisco ISE node (Administration, Policy Service, Monitoring)
• Inline Posture node

A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment, with the exception of the Inline Posture node, can assume the Administration, Policy Service, and Monitoring personas. In a distributed deployment, you can have the following combination of nodes on your network:

• Primary and secondary Administration nodes for high availability
• A pair of Monitoring nodes for automatic failover
• One or more Policy Service nodes for session failover
• A pair of Inline Posture nodes for high availability

Related Topics
Administration Node, on page 3
Policy Service Node, on page 4
Monitoring Node, on page 4
Inline Posture Node, on page 4

Administration Node

A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication, authorization, and accounting. In a distributed deployment, you can have a maximum of two nodes running the Administration persona. The Administration persona can take on the standalone, primary, or secondary role.

Related Topics
Node Types and Personas in Distributed Deployments, on page 3

Policy Service Node

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and provides network access to endpoints based on the result of the policy evaluation. Typically, there is more than one Policy Service node in a distributed deployment.

All Policy Service nodes that reside behind a load balancer share a common multicast address and can be grouped to form a node group. If one of the nodes in a node group goes down, the other nodes detect the failure and reset any pending sessions.

At least one node in your distributed setup should assume the Policy Service persona.

Related Topics
Node Types and Personas in Distributed Deployments, on page 3

Monitoring Node

A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage a network and resources. A node with this persona aggregates and correlates the data that it collects, and provides you with meaningful reports.

Cisco ISE allows you to have a maximum of two nodes with this persona, and they can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary Monitoring node.

At least one node in your distributed setup should assume the Monitoring persona. We recommend that you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.

Related Topics
Node Types and Personas in Distributed Deployments, on page 3

Inline Posture Node

An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN is unable to accommodate.

Cisco ISE allows you to have two Inline Posture nodes, and they can take on primary or secondary roles for high availability.

The Inline Posture node must be a dedicated node. It must be dedicated solely for Inline Posture service, and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. For example, it cannot act as an Administration node (offering administration service), or a Policy Service node (offering network access, posture, profile, and guest services), or a Monitoring node (offering monitoring and troubleshooting services).

Inline Posture is not supported on the Cisco SNS 3495 platform. Ensure that you install Inline Posture on any one of the following supported platforms:

• Cisco ISE 3315
• Cisco ISE 3355
• Cisco ISE 3395
• Cisco SNS 3415

Related Topics
Node Types and Personas in Distributed Deployments, on page 3

Installing an Inline Posture Node

Before You Begin

• Download the Inline Posture ISO image from Cisco.com
• Configure a certificate for it and register it with the primary Administration node

Procedure

Step 1 Install the Inline Posture ISO image on one of the supported platforms.
Step 2 Log into the CLI.
Step 3 Configure the certificates for the node.
Step 4 Log into the user interface of the primary Administration node.
Step 5 Register the Inline Posture node.

Related Topics
Configuring Certificates for Inline Posture Nodes

Inline Posture Node Reuse

If you decide that you no longer need an Inline Posture node, you cannot add any services or roles to it, but you can change it to a Cisco ISE node and then assign any persona to it.

If you want to reuse an Inline Posture node, you must first deregister it and then reimage the appliance and install Cisco ISE on it.

Standalone and Distributed ISE Deployments

A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the Administration, Policy Service, and Monitoring personas.

A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover and to improve performance, you can set up a deployment with multiple Cisco ISE nodes in a distributed fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, and Monitoring. An Inline Posture node cannot assume any other persona, due to its specialized nature, and it must be a dedicated node.

Distributed Deployment Scenarios

• Small Network Deployments
• Medium-Sized Network Deployments
• Large Network Deployments

Small Network Deployments

The smallest Cisco ISE deployment consists of two Cisco ISE nodes, with one Cisco ISE node functioning as the primary appliance in a small network. The primary node provides all the configuration, authentication, and policy capabilities that are required for this network model, and the secondary Cisco ISE node functions in a backup role.

The secondary node supports the primary node and maintains a functioning network whenever connectivity is lost between the primary node and network appliances, network resources, or RADIUS.

Centralized authentication, authorization, and accounting (AAA) operations between clients and the primary Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node. Thus, your secondary node is current with the state of your primary node. In a small network deployment, this configuration model allows you to configure both your primary and secondary nodes on all RADIUS clients.

Figure 2: Small Network Deployment

As the number of devices, network resources, users, and AAA clients increases in your network environment, you should change your deployment configuration from the basic small model and use more of a split or distributed deployment model.

Split Deployments

In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described in a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to handle the full workload if there are any problems with AAA connectivity. Neither the primary node nor the secondary node handles all AAA requests during normal network operations, because this workload is distributed between the two nodes.

The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system. In addition, splitting the load provides better load distribution while the functional status of the secondary node is maintained during the course of normal network operations. In split Cisco ISE deployments, each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions in the event of a failure. If you have two Cisco ISE nodes that process authentication requests and collect accounting data from AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector.

In addition, the split Cisco ISE deployment design provides an advantage because it allows for growth.

Figure 3: Split Network Deployment

Medium-Sized Network Deployments

As small networks grow, you can keep pace and manage network growth by adding Cisco ISE nodes to create a medium-sized network. In medium-sized network deployments, you can dedicate the new nodes for all AAA functions, and use the original nodes for configuration and logging functions.

As the amount of log traffic increases in a network, you can choose to dedicate one or two of the secondary Cisco ISE nodes for log collection in your network.

Figure 4: Medium-Sized Network Deployment

Large Network Deployments

Centralized Logging

We recommend that you use centralized logging for large Cisco ISE networks. To use centralized logging, you must first set up a dedicated logging server that serves as a Monitoring persona (for monitoring and logging) to handle the potentially high syslog traffic that a large, busy network can generate. Because syslog messages are generated for outbound log traffic, any RFC 3164-compliant syslog appliance can serve as the collector for outbound logging traffic.

A dedicated logging server enables you to use the reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes. You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE node and a generic syslog server. Adding a generic syslog server provides a redundant backup if the Monitoring persona on the Cisco ISE node goes down.

Load Balancers

In large centralized networks, you should use a load balancer, which simplifies the deployment of AAA clients. Using a load balancer requires only a single entry for the AAA servers, and the load balancer optimizes the routing of AAA requests to the available servers.

However, having only a single load balancer introduces the potential for having a single point of failure. To avoid this potential issue, deploy two load balancers to ensure a measure of redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client, and this configuration remains consistent throughout the network.

Figure 5: Large Network Deployment

Dispersed Network Deployments

Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus is where the primary network resides, is connected to additional LANs, ranges in size from small to large, and supports appliances and users in different geographical regions and locations.

Large remote sites can have their own AAA infrastructure for optimal AAA performance. A centralized management model helps maintain a consistent, synchronized AAA policy. A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote location should retain its own unique network requirements.

Figure 6: Dispersed Deployment

Considerations for Planning a Network with Several Remote Sites

• Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the external database that is available for Cisco ISE to access for optimizing AAA performance.
• The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible to the AAA clients to reduce network latency effects and the potential for loss of access that is caused by WAN failures.
• Cisco ISE has console access for some functions such as backup. Consider using a terminal at each site, which allows for direct, secure console access that bypasses network access to each node.
• If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, consider using a Cisco ISE node as a backup for the local site to provide redundancy.
• Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access to the external databases.

Related Topics
Cisco ISE Setup Program Parameters, on page 23

Deployment Size and Scaling Recommendations

The following table provides guidance on the type of deployment, number of Cisco ISE nodes, and the type of appliance (small, medium, large) that you need based on the number of endpoints that connect to your network.

Table 1: Cisco ISE Deployment—Size and Scaling Recommendations

Deployment type: Small
  Number of nodes/personas: Standalone or redundant (2) nodes with Administration, Policy Service, and Monitoring personas enabled
  Maximum number of dedicated Policy Service nodes: none listed
  Appliance platform and number of active endpoints:
    Cisco ISE 3300 Series (3315, 3355, 3395): maximum of 2,000 endpoints
    Cisco ISE 3415: maximum of 5,000 endpoints
    Cisco ISE 3495: maximum of 10,000 endpoints

Deployment type: Medium
  Number of nodes/personas: Administration and Monitoring personas on single or redundant nodes. Maximum of 2 Administration and Monitoring nodes.
  Maximum number of dedicated Policy Service nodes: 5
  Appliance platform and number of active endpoints:
    Cisco ISE-3355 or Cisco SNS 3415 appliances for Administration and Monitoring personas: maximum of 5,000 endpoints
    Cisco ISE 3395 or Cisco SNS 3495 appliances for Administration and Monitoring personas: maximum of 10,000 endpoints

Deployment type: Large
  Number of nodes/personas: Dedicated Administration node/nodes (maximum of 2 Administration nodes). Dedicated Monitoring node/nodes (maximum of 2 Monitoring nodes). Dedicated Policy Service nodes (maximum of 40 Policy Service nodes).
  Maximum number of dedicated Policy Service nodes: 40
  Appliance platform and number of active endpoints:
    Cisco ISE 3395 appliances for Administration and Monitoring personas: maximum of 100,000 endpoints
    Cisco SNS 3495 appliances for Administration and Monitoring personas: maximum of 250,000 endpoints

The following table provides guidance on the type of appliance that you would need for a dedicated Policy Service node based on the number of active endpoints the node services.

Table 2: Policy Service Node Size Recommendations

Maximum Endpoints | Appliance Platform               | Size               | Form Factor
3,000             | Cisco ISE-3315                   | Small              | Physical
5,000             | Cisco SNS-3415                   | Small              | Physical
6,000             | Cisco ISE-3355                   | Medium             | Physical
10,000            | Cisco ISE-3395                   | Large              | Physical
20,000            | Cisco SNS-3495                   | Large              | Physical
3,000 to 20,000   | Comparable to physical appliance | Small/Medium/Large | Virtual Machine

The following table provides the maximum throughput and the maximum number of endpoints that a single Inline Posture node can support.

Table 3: Inline Posture Node Sizing Recommendations

Performance Attribute                               | Value
Maximum number of endpoints per physical appliance  | 5,000 to 20,000 (gated by Policy Service nodes)
Maximum throughput per any physical appliance       | 936 Mbps

Related Topics
Virtual Machine Requirements, on page 32
Migrating Cisco ISE VM from Evaluation to Production, on page 50

Inline Posture Planning Considerations

A network or system architect must address the following basic questions when planning to deploy Inline Posture nodes:

• Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.
• What type of Inline Posture operating modes will you choose?

Caution: The untrusted interface on an Inline Posture node should be disconnected when an Inline Posture node is being configured. If the trusted and untrusted interfaces are connected to the same VLAN during initial configuration, and the Inline Posture node boots up after changing persona, multicast packet traffic gets flooded out of the untrusted interface. This multicast event can potentially bring down devices that are connected to the same subnet or VLAN. The Inline Posture node at this time is in the maintenance mode.

Caution: Do not change the CLI password for an Inline Posture node once it has been added to the deployment. If the password is changed, when you access the Inline Posture node through the Administration node, a Java exception error is displayed and the CLI gets locked. You need to recover the password by using the installation DVD and rebooting the Inline Posture node. Or, you can set the password back to the original one. If you need to change the password, then deregister the Inline Posture node from the deployment, modify the password, and then add the node to the deployment with the new credentials.
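The persona, node-count and sizing rules spread across this chapter (at most two Administration and two Monitoring nodes, at most 40 Policy Service nodes, Inline Posture nodes dedicated and limited to two on supported platforms, and the endpoint ceilings in Tables 1 and 2) are easy to violate in a plan drawn up by hand. The following checker is an added example for this page, not Cisco software; it encodes only the limits the chapter states, assumes the "Cisco ISE 3415/3495" platforms in Table 1's Small row are the SNS-3415 and SNS-3495 appliances, and uses constructed sample plans.

```python
"""Check a planned Cisco ISE deployment against the node, persona and sizing
limits stated in Chapter 1 of this guide (persona text plus Tables 1 and 2).
Added example, not Cisco code: it only encodes limits the page states."""
from dataclasses import dataclass, field

PERSONAS = {"Administration", "Policy Service", "Monitoring"}

# Table 2: maximum endpoints one dedicated Policy Service node serves.
PSN_CAPACITY = {"ISE-3315": 3000, "SNS-3415": 5000, "ISE-3355": 6000,
                "ISE-3395": 10000, "SNS-3495": 20000}

# Table 1, Small row: endpoint ceiling when every node runs all personas.
# Assumption: the "Cisco ISE 3415/3495" entries there are SNS-3415/SNS-3495.
ALL_PERSONA_LIMIT = {"ISE-3315": 2000, "ISE-3355": 2000, "ISE-3395": 2000,
                     "SNS-3415": 5000, "SNS-3495": 10000}

INLINE_POSTURE_PLATFORMS = {"ISE-3315", "ISE-3355", "ISE-3395", "SNS-3415"}
MAX_ADMIN, MAX_MONITORING, MAX_PSN, MAX_INLINE_POSTURE = 2, 2, 40, 2


@dataclass
class Node:
    name: str
    platform: str
    personas: set = field(default_factory=set)  # empty for Inline Posture nodes
    inline_posture: bool = False


def validate(nodes, active_endpoints):
    """Return a list of findings: 'ERROR' lines break a stated limit,
    'WARN' lines break a stated recommendation or fall outside the tables."""
    problems = []
    ise = [n for n in nodes if not n.inline_posture]
    ipn = [n for n in nodes if n.inline_posture]

    # Inline Posture nodes: dedicated, no persona, supported platforms, at most two.
    for n in ipn:
        if n.personas:
            problems.append(f"ERROR {n.name}: an Inline Posture node cannot assume any persona")
        if n.platform not in INLINE_POSTURE_PLATFORMS:
            problems.append(f"ERROR {n.name}: Inline Posture is not supported on {n.platform}")
    if len(ipn) > MAX_INLINE_POSTURE:
        problems.append(f"ERROR more than {MAX_INLINE_POSTURE} Inline Posture nodes")

    for n in ise:
        unknown = n.personas - PERSONAS
        if unknown:
            problems.append(f"ERROR {n.name}: unknown persona(s) {sorted(unknown)}")
        if not n.personas:
            problems.append(f"ERROR {n.name}: a Cisco ISE node must assume at least one persona")
        if {"Monitoring", "Policy Service"} <= n.personas:
            problems.append(f"WARN {n.name}: Monitoring and Policy Service on one node is not recommended")

    admins = sum("Administration" in n.personas for n in ise)
    mons = sum("Monitoring" in n.personas for n in ise)
    psns = [n for n in ise if "Policy Service" in n.personas]
    for label, count, limit in (("Administration", admins, MAX_ADMIN),
                                ("Monitoring", mons, MAX_MONITORING),
                                ("Policy Service", len(psns), MAX_PSN)):
        if count == 0:
            problems.append(f"ERROR no node assumes the {label} persona")
        elif count > limit:
            problems.append(f"ERROR {count} {label} nodes exceeds the maximum of {limit}")

    # Sizing: dedicated Policy Service nodes are rated per Table 2; a deployment
    # whose nodes all run every persona is capped per Table 1's Small row.
    dedicated = [n for n in psns if n.personas == {"Policy Service"}]
    if dedicated:
        rated = [PSN_CAPACITY.get(n.platform) for n in dedicated]
        if None in rated:
            problems.append("ERROR dedicated Policy Service node on a platform with no Table 2 rating")
        elif active_endpoints > sum(rated):
            problems.append(f"ERROR {active_endpoints} endpoints exceed dedicated "
                            f"Policy Service capacity of {sum(rated)}")
    elif ise and all(n.personas == PERSONAS for n in ise):
        limits = [ALL_PERSONA_LIMIT.get(n.platform) for n in ise]
        if None in limits:
            problems.append("ERROR all-persona node on a platform with no Table 1 rating")
        elif active_endpoints > min(limits):
            problems.append(f"ERROR {active_endpoints} endpoints exceed the all-persona "
                            f"limit of {min(limits)}")
    elif ise:
        problems.append("WARN sizing for this persona layout is not covered by Tables 1 and 2")
    return problems


def demo_plans():
    """Two constructed plans: a redundant small pair and a flawed medium design."""
    small = [Node("ise-a", "SNS-3415", set(PERSONAS)),
             Node("ise-b", "SNS-3415", set(PERSONAS))]
    flawed = [Node("pan", "ISE-3395", {"Administration", "Monitoring"}),
              Node("psn1", "SNS-3495", {"Policy Service"}),
              Node("ipn", "SNS-3495", {"Policy Service"}, inline_posture=True)]
    return validate(small, 4000), validate(flawed, 25000)


if __name__ == "__main__":
    for plan in demo_plans():
        print("\n".join(plan) or "no findings")
```

The small pair passes the hard limits but draws two WARN lines, because the page itself advises against running Monitoring and Policy Service on one node; the flawed plan fails on the Inline Posture persona, its platform, and endpoint capacity.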

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

To ensure that Cisco ISE can interoperate with network switches and that functions from Cisco ISE are successful across the network segment, you must configure your network switches with certain required Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass (MAB), and other settings.

C H A P T E R 2 Cisco SNS-3400 Series Appliances • Cisco SNS Support for Cisco ISE, page 15 • Cisco SNS-3400 Series Appliance Hardware Specifications, page 15 • Cisco SNS-3400 Series Front Panel, page 16 • Cisco SNS-3400 Series Rear Panel, page 16 Cisco SNS Support for Cisco ISE The Cisco ISE software run on a dedicated Cisco SNS-3400 series appliance or on a VMware server. Cisco ISE software does not support the installation of any other packages or applications on this dedicated platform. This Cisco ISE software is also supported on Cisco ISE 3300 series, Cisco NAC 3300 series, and Cisco Secure ACS 1121 appliances.

You can upgrade an existing Cisco ISE 3300 series appliance to the latest release.

Related Topics
Installing Cisco ISE Software on a VMware System, on page 44
Installing Cisco ISE Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances, on page 53

Cisco SNS-3400 Series Appliance Hardware Specifications

Cisco SNS-3400 series appliance hardware consists of Cisco SNS 3415 and 3495 appliances. See the Cisco Identity Services Engine (ISE) Data Sheet for the appliance hardware specifications (Table 3).

Cisco SNS-3400 Series Front Panel

Figure 7: Cisco SNS 3415/3495 Front Panel
1 Power button/power status LED
2 Identification button LED
3 System status LED
4 Fan status LED
5 Temperature status LED
6 Power supply status LED
7 Network link activity LED
8 Asset tag (serial number)
9 Keyboard, video, mouse (KVM) connector (used with the KVM cable that provides two USBs, one Video Graphics Adapter (VGA), and one serial connector)
10 Drives (up to eight hot-swappable, 2.5-inch drives)

Cisco SNS-3400 Series Rear Panel

Figure 8: SNS 3415/3495 Rear Panel

1 Power supplies (up to two)
2 Slot 2: Low-profile Peripheral Component Interconnect Express (PCIe) slot on riser (half-height, half-length, x16 connector, x16 lane width)
3 Slot 1: PCIe1 card containing 1-GB Ethernet ports (GigE2 and GigE3)
4 1-GB Ethernet port 3 (GigE2)
5 1-GB Ethernet port 4 (GigE3)
6 VGA video connector
7 Serial port (RJ-45 connector)
8 1-GB Ethernet dedicated management port used to access CIMC (labeled M)
9 1-GB Ethernet port 1 (GigE0) for Cisco ISE management communication
10 1-GB Ethernet port 2 (GigE1)
11 USB ports
12 Rear identification button

Serial Number Location

The serial number for the server is printed on a label on the top of the server, near the front.


CHAPTER 3 Installing and Configuring a Cisco SNS-3400 Series Appliance

• Prerequisites for Installing the SNS-3400 Series Appliance, page 19
• Downloading the Cisco ISE ISO Image from Cisco.com, page 20
• Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, page 20
• Configuring Cisco Integrated Management Controller, page 21
• Creating a Bootable USB Drive, page 22
• Cisco ISE Setup Program Parameters, page 23
• Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC, page 25
• Setup Process Verification, page 30

Prerequisites for Installing the SNS-3400 Series Appliance

Review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco ISE software on a Cisco SNS-3400 series appliance, as well as the physical, environmental, and power specifications later in this guide.

For information about regulatory compliance and safety, refer to the RCSI for Cisco SNS-3415 and Cisco SNS-3495 Appliances.

Cisco SNS-3400 series appliances are preinstalled with the Cisco Application Deployment Engine operating system (ADE-OS) and the Cisco ISE software. Make sure that you identify all of the following configuration settings for each node in your deployment before proceeding:
• Hostname
• IP address for the Gigabit Ethernet 0 (eth0) interface
• Netmask
• Default gateway
• Domain Name System (DNS) domain
• Primary name server
• Primary Network Time Protocol (NTP) server
• System time zone
• Username (username for CLI-admin user)
• Password (password for CLI-admin user)

See the Cisco ISE Setup Program Parameters, on page 23 for a description of these parameters with example values.

Note: The Cisco SNS-3400 series appliance must have RAID configured before you can install Cisco ISE on it. If you have deleted the RAID configuration on the Cisco SNS-3400 series appliance, you must reconfigure it. See Configuring RAID on SNS-3415 Appliance, on page 70 and Configuring RAID on SNS-3495 Appliance Using CIMC, on page 70 for more information.

Related Topics
Installing Cisco ISE Software on a Re-imaged Cisco ISE-3300 Series Appliance

Downloading the Cisco ISE ISO Image from Cisco.com

Download the ISO image to install Cisco ISE on a Cisco SNS-3400 series appliance.

Before You Begin
For Inline Posture nodes, you must download the Inline Posture Node ISO and continue with the installation process.

Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.
Step 2 Click Download Software for this Product.

The Cisco ISE software image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services when the installation and initial configuration is complete.

Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance

If your SNS-3400 series appliance is running an earlier version of Cisco ISE, you have the option to upgrade it using the application upgrade command. Alternatively, you can reimage your existing SNS-3400 Series appliance to perform a fresh installation of Cisco ISE and register it to an existing deployment.

After you download the ISO image, you can install it on your SNS-3400 Series appliance in any one of the following ways:
• Install the ISO image using the CIMC Remote Management Utility. You must configure the CIMC to perform this remote installation.
  1 Configure CIMC.
  2 Install the Cisco ISE software remotely.
• Install the ISO image using a USB flash drive.
  1 Create a bootable USB flash drive using the iso-to-usb.sh script.
  2 Connect the USB flash device to the SNS-3400 Series appliance.
  3 Install the Cisco ISE software using the local KVM or remotely using the CIMC KVM.
• Install the ISO using an external DVD drive with a USB port.
  1 Burn the ISO image on to a DVD.
  2 Connect the external USB DVD to the SNS-3400 Series appliance.
  3 Install the Cisco ISE software via the local KVM or remotely using the CIMC KVM.

Note: For installing the Cisco ISE software using a USB flash device or an external DVD with a USB port, CIMC configuration is optional.

Related Topics
Configuring Cisco Integrated Management Controller, on page 21
Creating a Bootable USB Drive, on page 22
Cisco ISE Setup Program Parameters, on page 23
Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC, on page 25

Configuring Cisco Integrated Management Controller

You can perform all operations on a Cisco SNS-3400 series appliance through the CIMC, including monitoring the server and system event logs.

To do this, you must first configure an IP address and IP gateway to access the CIMC from a web-based browser.

Step 1 Plug in the power cord.
Step 2 Press the Power button to boot the server.
Step 3 During bootup, press F8 when prompted to open the BIOS CIMC Configuration Utility.
Step 4 Set the NIC mode to specify which ports access the CIMC for server management. Cisco ISE can use up to four Gigabit Ethernet ports.
• Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select NIC redundancy None and select IP settings.
• Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the factory default setting, along with active-active NIC redundancy and DHCP enabled.
• Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You must select a NIC redundancy and IP setting.

Note: The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC (N2XX-ACPCI01) that is installed in PCIe slot 1.

Step 5 Specify the NIC redundancy setting:
• None—The Ethernet ports operate independently and do not fail over if there is a problem.
• Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.
• Active-active—All Ethernet ports are utilized simultaneously.
Step 6 Choose whether to enable DHCP for dynamic network settings or to enter static network settings.

Note: Before you enable DHCP, this DHCP server must be preconfigured with the range of MAC addresses for the server. The MAC address is printed on a label on the rear of the server. This server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on the label is the beginning of the range of six contiguous MAC addresses.

Step 7 (Optional) Specify VLAN setting and set a default CIMC user password.

Note: Changes to the settings take effect after approximately 45 seconds. Press F5 to refresh and wait until the new settings appear before you reboot the server in the next step.

Step 8 Press F10 to save your settings and reboot the server.

Note: If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on the console screen during bootup.

What to Do Next
Configuring ISE on a Cisco SNS-3400 Series Appliance using CIMC

Related Topics
Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, on page 20

Creating a Bootable USB Drive

The Cisco ISE ISO image contains an “images” directory that has a Readme file and a script to create a bootable USB drive to install Cisco ISE.

Before You Begin
• Ensure that you have read the Readme file in the “images” directory.
• You need the following:
  ◦ Linux machine with RHEL-6.4 or CentOS 6.4. If you are going to use a PC or Mac, ensure that you have installed a Linux virtual machine (VM) on it.
  ◦ An 8-GB USB drive
  ◦ The iso-to-usb.sh script

Step 1 Plug the USB drive into the USB port.
Step 2 Copy the iso-to-usb.sh script and the Cisco ISE ISO image to a directory on the Linux machine.
Step 3 Enter the following command:
iso-to-usb.sh source_iso usb_device
For example:
./iso-to-usb.sh ise-1.4.0.253-x86_64.iso /dev/sdb
where iso-to-usb.sh is the name of the script, ise-1.4.0.253-x86_64.iso is the name of the ISO image, and /dev/sdb is your USB device.
Step 4 Enter a value for the appliance that you want to install the image on.
Step 5 Enter Y to continue.
Step 6 A success message appears.
Step 7 Unplug the USB drive.

What to Do Next
Configuring ISE on a Cisco SNS-3400 Series Appliance using CIMC

Related Topics
Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, on page 20

Cisco ISE Setup Program Parameters

When the Cisco ISE software configuration begins, an interactive CLI prompts you to enter required parameters to configure the system.

Note: If you are installing Cisco ISE software on a VMware server, Cisco ISE also installs and configures VMware Tools, Version 8.3.2, during the initial setup.

Table 4: Cisco ISE Setup Program Parameters

Prompt: Hostname
Example: isebeta1
Description: Must not exceed 15 characters. Valid characters include alphanumerical (A–Z, a–z, 0–9) and the hyphen (-). The first character must be a letter. We recommend that you use lowercase letters to ensure that certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verifications.
Note: You cannot use "localhost" as the hostname for a node.

Prompt: (eth0) Ethernet interface address
Example: 10.12.13.14
Description: Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.

Prompt: Netmask
Example: 255.255.255.0
Description: Must be a valid IPv4 netmask.

Prompt: Default gateway
Example: 10.12.13.1
Description: Must be a valid IPv4 address for the default gateway.

Prompt: DNS domain name
Example: example.com
Description: Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.).

Prompt: Primary name server
Example: 10.15.20.25
Description: Must be a valid IPv4 address for the primary name server.

Prompt: Add/Edit another name server
Example: (Optional) Allows you to configure multiple name servers. To do so, enter y to continue.
Description: Must be a valid IPv4 address for an additional name server.

Prompt: Primary NTP server
Example: clock.nist.gov
Description: Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server.

Prompt: Add/Edit another NTP server
Example: (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.
Description: Must be a valid NTP domain.

Prompt: System Time Zone
Example: UTC (default)
Description: Must be a valid time zone. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or Coordinated Universal Time (UTC) minus 8 hours). You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.
Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.

Prompt: Username
Example: admin (default)
Description: Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and be composed of valid alphanumeric characters (A–Z, a–z, or 0–9).

Prompt: Password
Example: MyIseYPass2
Description: Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password because there is no default. The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9).
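A setup answer that the interactive program rejects, or a hostname that later breaks certificate matching, costs a re-image, so it is worth checking a prepared answer sheet before typing setup. The following Python script is an added illustration (not Cisco code and not part of this guide) that applies the Table 4 rules to such a sheet; the dictionary keys, function names and the gateway-in-subnet check are my own, the example values are the table's.

```python
"""Pre-flight check of answers for the Cisco ISE setup program against the rules
in Table 4 of this guide.  Added illustration, not Cisco code: the dictionary keys,
function names and the gateway-in-subnet check are my own; the rules are the table's."""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # letter first, then A-Z a-z 0-9 '-'
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")         # 3 to 8 alphanumerics
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")             # ASCII letters, digits, '-' and '.'
# Hostname form accepted for the NTP server prompt (dot-separated labels).
DNS_NAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def is_ipv4(value):
    try:                                   # syntactically valid IPv4 address?
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_netmask(value):
    """True only for a contiguous, non-zero IPv4 netmask such as 255.255.255.0."""
    if not is_ipv4(value):
        return False
    mask = int(ipaddress.IPv4Address(value))
    inverted = ~mask & 0xFFFFFFFF
    # A contiguous mask inverts to 2**n - 1, which shares no bit with 2**n.
    return mask != 0 and (inverted & (inverted + 1)) == 0


def check_params(p):
    """Return {field: [messages]} for every answer that breaks a Table 4 rule.
    Messages starting with 'warning:' are the guide's recommendations, not hard rejects."""
    issues = {}

    def add(field, msg):
        issues.setdefault(field, []).append(msg)

    host = p["hostname"]
    if len(host) > 15:
        add("hostname", "must not exceed 15 characters")
    if not HOSTNAME_RE.match(host):
        add("hostname", "must start with a letter and use only A-Z, a-z, 0-9 and '-'")
    if host.lower() == "localhost":
        add("hostname", "'localhost' is not allowed")
    if host != host.lower():
        add("hostname", "warning: use lowercase so certificate checks are not affected")

    for field in ("ip_address", "default_gateway", "primary_name_server"):
        if not is_ipv4(p[field]):
            add(field, "must be a valid IPv4 address")
    if not is_netmask(p["netmask"]):
        add("netmask", "must be a valid IPv4 netmask")
    # Extra sanity check beyond the table: the gateway should sit inside eth0's subnet.
    if is_ipv4(p["ip_address"]) and is_netmask(p["netmask"]) and is_ipv4(p["default_gateway"]):
        net = ipaddress.IPv4Network((p["ip_address"], p["netmask"]), strict=False)
        if ipaddress.IPv4Address(p["default_gateway"]) not in net:
            add("default_gateway", "warning: not inside the eth0 subnet %s" % net)

    domain = p["dns_domain"]
    if is_ipv4(domain) or not DOMAIN_RE.match(domain):
        add("dns_domain", "must be a domain name (not an IP) of ASCII letters, digits, '-' and '.'")

    ntp = p["ntp_server"]
    if not (is_ipv4(ntp) or DNS_NAME_RE.match(ntp)):
        add("ntp_server", "must be an IPv4 address or a hostname")

    if p["timezone"] != "UTC":
        add("timezone", "warning: the guide recommends UTC on every node so log timestamps line up")

    if not USERNAME_RE.match(p["username"]):
        add("username", "must be 3 to 8 alphanumeric characters")

    pw = p["password"]
    if len(pw) < 6 or not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
                           and re.search(r"[0-9]", pw)):
        add("password", "must be 6+ characters with a lowercase letter, an uppercase letter and a digit")
    return issues


def blocking_errors(issues):
    """Keep only the non-warning messages: the answers the setup program itself would reject."""
    return {f: [m for m in msgs if not m.startswith("warning:")]
            for f, msgs in issues.items() if any(not m.startswith("warning:") for m in msgs)}


# Constructed answer sheet built from the Example column of Table 4 (time zone left at UTC).
EXAMPLE_SHEET = {
    "hostname": "isebeta1", "ip_address": "10.12.13.14", "netmask": "255.255.255.0",
    "default_gateway": "10.12.13.1", "dns_domain": "example.com",
    "primary_name_server": "10.15.20.25", "ntp_server": "clock.nist.gov",
    "timezone": "UTC", "username": "admin", "password": "MyIseYPass2",
}

if __name__ == "__main__":
    found = check_params(EXAMPLE_SHEET)
    print("ready to run setup" if not blocking_errors(found) else found)
```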

Related Topics
Considerations for Planning a Network with Several Remote Sites, on page 10
Verifying a Configuration Using a Web Browser, on page 63
VMware Tools Installation Verification, on page 64
Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, on page 20
Installing Cisco ISE Software from a DVD
Installing Cisco ISE Software on a Re-imaged Cisco ISE-3300 Series Appliance
Installing Cisco ISE Software on a Re-imaged Cisco Secure ACS Appliance
Installing Cisco ISE Software on a VMware System, on page 44

Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC

After you configure the CIMC for your appliance, you can use it to manage a Cisco SNS-3400 series appliance.

You can perform all operations including BIOS configuration through the CIMC.

Caution: Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable.

Before You Begin
• Ensure that you have configured the CIMC on your appliance.
• Ensure that you have properly installed, connected, and powered up the supported appliance by following the recommended procedures.
• Ensure that you have the Cisco ISE ISO image on the client machine from which you are accessing the CIMC or you have a bootable USB with the image for installation.
• Cisco ISE appliances track time internally using UTC time zones. If you do not know your specific time zone, you can enter one based on the city, region, or country where the Cisco ISE appliance is located. We recommend that you configure the preferred time zone (the default is UTC) during installation when the setup program prompts you to configure the setting.
• Research how to configure certificates on an Inline Posture node.

Step 1 Connect to the CIMC for server management. Connect the Ethernet cables from the LAN to the server using the ports selected by the Network Interface Card (NIC) Mode setting. The active-active and active-passive NIC redundancy settings require you to connect to two ports.

Step 2 Use a browser and the IP address of the CIMC to log in to the CIMC Setup Utility. The IP address is based on the CIMC configuration that you made (either a static address or the address assigned by the Dynamic Host Configuration Protocol (DHCP) server).

Note: The default username for the server is admin. The default password is password.

Step 3 Click Launch KVM Console.
Step 4 Use your CIMC credentials to log in.
Step 5 Click the Virtual Media tab.
Step 6 Click Add Image to choose the Cisco ISE ISO image from the system running your client browser.
Step 7 Check the Mapped check box against the virtual CD/DVD drive that you have created.
Step 8 Click the KVM tab.
Step 9 Choose Macros > Ctrl-Alt-Del to boot the SNS-3400 series appliance using the ISO image.
Step 10 Press F6 to bring up the boot menu.
Step 11 Choose the CD/DVD that you mapped and press Enter.
Step 12 At the boot prompt, enter 2 and press Enter.

* * Please type 'setup' to configure the appliance * *

Step 13 At the prompt, type setup to start the setup program. You are prompted to enter networking parameters and credentials. The following illustrates a sample setup program and default prompts:

Press 'Ctrl-C' to abort setup
Enter hostname[]: ise-server-1
Enter IP address[]: 10.1.1.10
Enter IP netmask[]: 255.255.255.0
Enter IP default gateway[]: 172.10.10.10
Enter default DNS domain[]: cisco.com
Enter primary nameserver[]: 200.150.200.150
Add secondary nameserver? Y/N [N]: n
Enter NTP server[time.nist.gov]: 200.150.200.151
Add another NTP server? Y/N[N]: n
Enter system time zone[UTC]: UTC
Enable SSH service?: Y/N [N]: Y
Enter username [admin]: admin
Enter password:
Enter password again:
Copying first CLI user to be first ISE admin GUI user...
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Installing Applications...
Installing ISE...
Unbundling Application Package...
Initiating Application Install...
Application bundle (ISE) installed successfully
===Initial Setup for Application: ISE ===
Welcome to the ISE initial setup. The purpose of this setup is to provision the internal ISE database.
This setup is non-interactive, and will take roughly 15 minutes to complete.
Running database cloning script...
Running database network config assistant tool...
Extracting ISE database contents...
Starting ISE database processes...
...

After the Cisco ISE node software is configured, the Cisco ISE system reboots automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you configured during setup.

Step 14 Log in to the Cisco ISE CLI shell, and run the following CLI command to check the status of the Cisco ISE application processes:

ise-server/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          3638
Database Server                        running          45 PROCESSES
Application Server                     running          5992
Profiler Database                      running          4481
AD Connector                           running          6401
M&T Session Database                   running          2319
M&T Log Collector                      running          6245
M&T Log Processor                      running          6286
Certificate Authority Service          running          6211
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               disabled

Step 15 After you confirm that the Cisco ISE Application Server is running, you can log in to the Cisco ISE user interface by using one of the supported web browsers.

To log in to the Cisco ISE user interface using a web browser, enter https://<your-ise-hostname or IP address>/admin/ in the Address field. Here “your-ise-hostname or IP address” represents the hostname or IP address that you configured for the Cisco SNS-3400 series appliance during setup. Enter the web-based admin login credentials (username and password) to access the Cisco ISE user interface. You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process. The username and password credentials that you use for web-based access to the Cisco ISE user interface are not the same as the CLI-admin user credentials that you created during the setup for accessing the Cisco ISE CLI interface. After you log in to the Cisco ISE user interface, you can then configure your devices, user stores, policies, and other components.
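When the Step 14 check is scripted rather than eyeballed (for example, after every patch or reboot of a node), the status table has to be parsed and the result compared against the processes a node must have up before the web UI in Step 15 is opened. The Python below is an added example, not Cisco code and not from this guide: the sample output is a constructed copy of the Step 14 listing, and the set of required processes is my assumption.

```python
"""Parse the output of the Cisco ISE CLI command 'show application status ise'
and report which processes are not running.  Added example, not Cisco code:
SAMPLE_STATUS is a constructed copy of the Step 14 listing in this guide and
REQUIRED is my assumption about which processes must be up before using the UI."""
import re

# Columns are separated by runs of two or more spaces; the PROCESS ID column
# may be empty (disabled services) or hold text such as '45 PROCESSES'.
ROW_RE = re.compile(r"^(?P<name>\S.*?)\s{2,}(?P<state>\S.*?)(?:\s{2,}(?P<pid>\S.*))?$")

# Constructed sample, laid out like the Step 14 output in this guide.
SAMPLE_STATUS = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          3638
Database Server                        running          45 PROCESSES
Application Server                     running          5992
Profiler Database                      running          4481
AD Connector                           running          6401
M&T Session Database                   running          2319
M&T Log Collector                      running          6245
M&T Log Processor                      running          6286
Certificate Authority Service          running          6211
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               disabled
"""

# Assumed minimum for a usable node; adjust to the personas the node runs.
REQUIRED = ("Database Listener", "Database Server", "Application Server")


def parse_application_status(text):
    """Return {process name: (state, process id or None)} from the CLI output."""
    status = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blank lines, the column header and the dashed separator.
        if not line or line.startswith("ISE PROCESS NAME") or set(line) == {"-"}:
            continue
        m = ROW_RE.match(line)
        if m:
            status[m.group("name")] = (m.group("state"), m.group("pid"))
    return status


def processes_not_running(status, required=REQUIRED):
    """Names in `required` whose state is anything other than 'running' (or missing)."""
    return [name for name in required
            if status.get(name, ("missing", None))[0] != "running"]


def ui_ready(status):
    """Step 15: open the web UI only once the Application Server is running."""
    return processes_not_running(status, ("Application Server",)) == []


if __name__ == "__main__":
    parsed = parse_application_status(SAMPLE_STATUS)
    print("not running:", processes_not_running(parsed), "ui ready:", ui_ready(parsed))
```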

Related Topics
Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, on page 20

Supported Time Zones

This section provides three tables that provide more information about common Coordinated Universal Time (UTC) time zones for Europe, the United States and Canada, Australia, and Asia. The Cisco ISE CLI show timezones command displays a list of all time zones available to you.

Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with regard to the time stamps.

The format for time zones is POSIX or System V. POSIX time zone format syntax looks like America/Los_Angeles, and System V time zone syntax looks like PST8PDT.

Table 5: Europe, United States, and Canada Time Zones

Time Zone Name                                   Acronym or Name
Europe
  Greenwich Mean Time, as UTC                    GMT, GMT0, GMT-0, GMT+0, UTC, Greenwich, Universal, Zulu
  British                                        GB
  Irish                                          GB-Eire, Eire
  Western Europe Time, as UTC                    WET
  Central Europe Time, as UTC plus 1 hour        CET
  Eastern Europe Time, as UTC plus 2 hours       EET
United States and Canada
  Eastern Standard Time, as UTC minus 5 hours    EST, EST5EDT
  Central Standard Time, as UTC minus 6 hours    CST, CST6CDT
  Mountain Standard Time, as UTC minus 7 hours   MST, MST7MDT
  Pacific Standard Time, as UTC minus 8 hours    PST, PST8PDT
  Hawaiian Standard Time, as UTC minus 10 hours  HST

Table 6: Australia Time Zones

Australia: ACT (Australian Capital Territory), Adelaide, Brisbane, Broken_Hill, Canberra, Currie, Darwin, Hobart, LHI (Lord Howe Island), Lindeman, Lord_Howe, Melbourne, North, NSW (New South Wales), Perth, Queensland, South, Sydney, Tasmania, Victoria, West, Yancowinna

Note: Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.

Table 7: Asia Time Zones

Asia: Aden, Almaty, Amman, Anadyr, Aqtau, Aqtobe, Ashgabat, Ashkhabad, Baghdad, Bahrain, Baku, Bangkok, Beirut, Bishkek, Brunei, Choibalsan, Chongqing, Colombo, Damascus, Dhaka, Dili, Dubai, Dushanbe, Gaza, Harbin, Hong_Kong, Hovd, Irkutsk, Istanbul, Jakarta, Jayapura, Jerusalem, Kabul, Kamchatka, Karachi, Kashgar, Katmandu, Kolkata, Krasnoyarsk, Kuala_Lumpur, Kuching, Kuwait

Note: The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia. Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.

Setup Process Verification

To verify that you have correctly completed the initial setup process, use one of the following two methods to log in to the Cisco ISE appliance:
• Web browser
• Cisco ISE CLI

After you log in to the Cisco ISE user interface, you should perform the following tasks:
• Register a license—Refer to the Register Licenses section in the Cisco ISE Administrator Guide for more information.
• Configure the Cisco ISE System—Refer to the Cisco ISE Administrator Guide for the configuration tasks.

CHAPTER 4 Installing ISE on a VMware Virtual Machine

• ISE Features Not Supported in a Virtual Machine, page 31
• Supported VMware Versions, page 31
• Support for VMware vMotion, page 32
• Support for Open Virtualization Format, page 32
• Virtual Machine Requirements, page 32
• Virtual Machine Resource and Performance Checks, page 36
• Obtaining the Cisco ISE Evaluation Software, page 38
• Installing Cisco ISE on Virtual Machines, page 39
• Migrating Cisco ISE VM from Evaluation to Production, page 50

ISE Features Not Supported in a Virtual Machine

The Inline Posture node is supported only on Cisco SNS-3415 and Cisco ISE 3300 series appliances. It is not supported on Cisco SNS-3495 series or VMware server systems. All the other designated roles are supported for use on VMware virtual machines.

Supported VMware Versions

Cisco ISE supports the following VMware servers and clients:
• VMware version 8 (default) for ESXi 5.x
• VMware version 11 (default) for ESXi 6.0 (requires Cisco ISE 1.4 Patch 3)

Support for VMware vMotion

Cisco ISE supports the VMware vMotion feature that allows you to migrate live virtual machine (VM) instances (running any persona) between hosts. For the VMware vMotion feature to be functional, the following conditions must be met:
• Shared storage—The storage for the VM must reside on a storage area network (SAN), and the SAN must be accessible by all the VMware hosts that can host the VM being moved.
• VMFS volume sharing—The VMware host must use shared virtual machine file system (VMFS) volumes.
• Gigabit Ethernet interconnectivity—The SAN and the VMware hosts must be interconnected with Gigabit Ethernet links.
• Processor compatibility—A compatible set of processors must be used. Processors must be from the same vendor and processor family for vMotion compatibility.

Support for Open Virtualization Format

Cisco ISE supports the Open Virtualization Format (OVF) and offers OVA templates that you can use to install and deploy Cisco ISE on virtual machines (VMs). The following OVA templates are available:
• ISE-1.4.xxx.xxx-eval.ova—Use this template if you are evaluating Cisco ISE; the evaluation license supports up to 100 endpoints.
• ISE-1.4.xxx.xxx-virtual-SNS3415.ova—Use this template if your VMware appliance specification is comparable with an SNS-3415 appliance.
• ISE-1.4.xxx.xxx-virtual-SNS3495.ova—Use this template if your VMware appliance specification is comparable with an SNS-3495 appliance.

The following table provides OVA template reservations.

OVA Template            CPU                          Memory
Virtual Eval OVA        2300 MHz (no reservation)    4 GB RAM
Virtual SNS-3415 OVA    8000 MHz                     16 GB RAM
Virtual SNS-3495 OVA    16000 MHz                    32 GB RAM

Virtual Machine Requirements

To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the VMware virtual machine should be allocated system resources equivalent to the Cisco SNS 3415 and 3495 appliances.

Table 8: Minimum VMware System Requirements

Requirement Type: CPU
Minimum Requirements: Single Quad-Core; 2.0 GHz or faster.
Note: Cisco ISE supports Hyperthreading. You can install ISE on VMware hosts that have the Hyperthreading option enabled or disabled. Even though Hyperthreading might improve overall VM performance, it does not change the supported scaling limits per VM appliance. Additionally, you must still allocate CPU resources based on the required number of physical cores, not the number of logical processors.

Requirement Type: Memory
Minimum Requirements: 16 to 32 GB RAM

Requirement Type: Hard disks
Minimum Requirements: 200 GB to 2 TB of disk storage (size depends on deployment and tasks).
Note: We recommend that your VM host server use hard disks with a minimum speed of 10,000 RPM.
Note: When you create the Virtual Machine for Cisco ISE, use a single virtual disk that meets the storage requirement. If you use more than one virtual disk to meet the disk space requirement, the installer may not recognize all the disk space.

Requirement Type: Storage and File System
Minimum Requirements: The storage system for the Cisco ISE virtual appliance requires a minimum write performance of 50 MB per second and a read performance of 300 MB per second. Deploy a storage system that meets these performance criteria and is supported by VMware server. Cisco ISE provides a number of methods to verify if your storage system meets these minimum requirements before, during, and after Cisco ISE installation. See Virtual Machine Resource and Performance Checks, on page 36 for more information. We recommend the VMFS file system because it is most extensively tested, but other file systems, transports, and media can also be deployed provided they meet the above requirements.

Requirement Type: Disk controller
Minimum Requirements: Paravirtual (default for RHEL 64-bit) or LSI Logic Parallel. For best performance and redundancy, a caching RAID controller is recommended. Controller options such as RAID 10 (also known as 1+0) can offer higher overall write performance and redundancy than RAID 5, for example. Additionally, battery-backed controller cache can significantly improve write operations.

Requirement Type: NIC
Minimum Requirements: 1 GB NIC interface required (two or more NICs are recommended). Cisco ISE supports E1000 and VMXNET3 adapters.
Note: We recommend that you select E1000 to ensure correct adapter order by default. If you choose VMXNET3, you might have to remap the ESXi adapter to synchronize it with the ISE adapter order.

Requirement Type: Hypervisor
Minimum Requirements:
• VMware version 8 (default) for ESXi 5.x
• VMware version 11 (default) for ESXi 6.0 (requires Cisco ISE 1.4 Patch 3)

Related Topics Deployment Size and Scaling Recommendations, on page 11 Virtual Machine Appliance Size Recommendations, on page 34 Disk Space Requirements, on page 35 Configuring a VMware Server, on page 43 Cloning a Cisco ISE Virtual Machine, on page 46 Obtaining the Cisco ISE Evaluation Software, on page 38 Virtual Machine Appliance Size Recommendations When sizing the Cisco ISE deployment, see the Deployment Size and Scaling Recommendations, on page 11 section for details on the number and size of appliances required for your deployment.

The virtual machine (VM) appliance specifications should be comparable with physical appliances run in a production environment. The following table provides the minimum resources required to size your virtual appliance comparable to that of an SNS-3415 or SNS-3495 physical appliance.

Keep the following guidelines in mind when allocating resources for the appliance: • It is highly recommended that VM resources be dedicated and not shared or oversubscribed across multiple VMs. Deploying Cisco ISE virtual appliances using the OVF templates will ensure that adequate resources are assigned to each VM. • Policy Service nodes on VMs can be deployed with less disk space than Administration or Monitoring nodes. The minimum disk space for any production Cisco ISE node is 200 GB. See Disk Space Requirements, on page 35 for details on the disk space required for various Cisco ISE nodes and personas.

• VMs can be configured with 1 to 4 NICs. The recommendation is to allow for 2 or more NICs. Additional interfaces can be used to support various services such as profiling, guest services, or RADIUS.

Table 9: Minimum VM Appliance Specifications for a Production Environment

Platform            Small VM Appliance (based on SNS-3415)              Large VM Appliance (based on SNS-3495)
Processor           4 total cores (at 2.0 GHz or above) or a total      8 total cores (at 2.0 GHz or above) or a total
                    minimum CPU allocation of 8000 MHz                  minimum CPU allocation of 16000 MHz
Memory              16 GB                                               32 GB
Total Disk Space    200 GB to 2 TB (see Disk Space Requirements,        200 GB to 2 TB (see Disk Space Requirements,
                    on page 35)                                         on page 35)
Ethernet NICs       Up to 4 Gigabit Ethernet NICs                       Up to 4 Gigabit Ethernet NICs

Related Topics
Virtual Machine Requirements, on page 32
Cisco SNS-3400 Series Appliance Ports Reference, on page 79
Configuring a VMware Server, on page 43

Disk Space Requirements

The following table lists the Cisco ISE disk-space allocation recommended for running a virtual machine in a production deployment.

Table 10: Recommended Disk Space for Virtual Machines

ISE Persona                                                      Minimum Disk Space   Maximum Disk Space   Recommended Disk Space for Production
Standalone ISE                                                   200 GB               2 TB                 600 GB to 2 TB
Distributed ISE—Administration only                              200 GB               2 TB                 250 to 300 GB
Distributed ISE—Monitoring only                                  200 GB               2 TB                 600 GB to 2 TB
Distributed ISE—Policy Service only                              200 GB               2 TB                 200 GB
Distributed ISE—Administration and Monitoring                    200 GB               2 TB                 600 GB to 2 TB
Distributed ISE—Administration, Monitoring, and Policy Service   200 GB               2 TB                 600 GB to 2 TB

Related Topics
Prerequisites for Configuring a VMware ESXi Server, on page 40
Virtual Machine Requirements, on page 32
Cloning a Cisco ISE Virtual Machine, on page 46
Configuring a VMware Server, on page 43
Deploying a Virtual Machine Template, on page 48

Disk Space Guidelines

Keep the following guidelines in mind when deciding the disk space for Cisco ISE:
• You can allocate only up to 2 TB of disk space for a Cisco ISE VM.

• Cisco ISE must be installed on a single virtual disk in the virtual machine.
• Disk allocation varies based on logging retention requirements. On any node that has the Monitoring persona enabled, 30 percent of the VM disk space is allocated for log storage. A deployment with 25,000 endpoints generates approximately 1 GB of logs per day.


For example, if you have a Monitoring node with 600 GB of VM disk space, 180 GB is allocated for log storage. If 100,000 endpoints connect to this network every day, they generate approximately 4 GB of logs per day. In this case, you can store 38 days of logs in the Monitoring node (the figure from Table 11; the straight division of 180 GB by 4 GB per day gives 45 days, but the table values, which are based on having log suppression and anomalous client detection enabled, are the ones to plan with), after which you must transfer the old data to a repository and purge it from the Monitoring database. For extra log storage, you can increase the VM disk space.

For every 100 GB of disk space that you add, you get 30 GB more for log storage. Depending on your requirements, you can increase the VM disk size up to the maximum of 2 TB, which gives about 614 GB of log storage.

Note: If you increase the disk size of your virtual machine, you must not perform an upgrade, but instead do a fresh installation of Cisco ISE on your virtual machine.

Table 11: Days that Logs can be Stored in a Monitoring Node lists the number of days that logs can be retained on your Monitoring node based on the allocated disk space and the number of endpoints that connect to your network. The numbers are based on having log suppression and anomalous client detection enabled.

Table 11: Days that Logs can be Stored in a Monitoring Node

No. of Endpoints   200 GB   400 GB   600 GB   1024 GB   2048 GB
10,000             126      252      378      645       1,289
20,000             63       126      189      323       645
30,000             42       84       126      215       430
40,000             32       63       95       162       323
50,000             26       51       76       129       258
100,000            13       26       38       65        129
150,000            9        17       26       43        86
200,000            7        13       19       33        65
250,000            6        11       16       26        52

Virtual Machine Resource and Performance Checks

Before installing Cisco ISE on a virtual machine, the installer performs hardware integrity checks by comparing the available hardware resources on the virtual machine with the recommended specifications.

During a VM resource check, the installer checks for the hard disk space, number of CPU cores allocated to the VM, CPU clock speed, and RAM allocated to the VM. If the VM resources do not meet the recommended specifications, the installation aborts. This resource check is applicable only for ISO-based installations. When you run the Setup program, a VM performance check is done, where the installer checks for disk I/O performance. If the disk I/O performance does not meet the recommended specifications, a warning appears on screen, but it allows you to continue with the installation. This performance verification check is applicable for both ISO-based and OVA (VMware) installations.
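The resource check can be rehearsed before the VM is built. The following is an added example, not Cisco code and not what the installer itself runs: it applies the Table 9 minimums, the 200 GB to 2 TB single-disk bounds, the 1 to 4 NIC range and the 30 percent log allocation (about 1 GB of logs per day per 25,000 endpoints) to a planned VM and reports what the ISO installer's resource check would abort on. The profile names, the VmPlan fields and the two sample plans are this example's own. The retention estimate is the straight arithmetic from the text, which for 600 GB and 100,000 endpoints gives 45 days where Table 11 lists 38, so use Table 11 for planning and this figure only as a sanity check.

```python
"""Pre-flight sizing check for a Cisco ISE 1.4 virtual appliance.

Added example, not Cisco code. It applies the figures quoted in this
chapter to a planned VM: Table 9 minimums, the 200 GB to 2 TB single-disk
bounds, the 1 to 4 NIC range, and the 30 percent log allocation on
Monitoring nodes at roughly 1 GB of logs per day per 25,000 endpoints.
Profile names, VmPlan fields and the two sample plans are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_DISK_GB = 200
MAX_DISK_GB = 2048
MIN_CORE_MHZ = 2000                 # "2.0 GHz or above"
LOG_SHARE_PERCENT = 30              # share of the VM disk reserved for logs
ENDPOINTS_PER_GB_PER_DAY = 25_000   # about 1 GB of logs per day per 25,000 endpoints

# Table 9: small (SNS-3415 class) and large (SNS-3495 class) appliances.
PROFILES = {
    "small": {"cores": 4, "total_mhz": 8000, "ram_gb": 16},
    "large": {"cores": 8, "total_mhz": 16000, "ram_gb": 32},
}


@dataclass
class VmPlan:
    cores: int
    mhz_per_core: float
    ram_gb: float
    disk_gb: int
    nics: int
    endpoints: int = 0   # used only for the Monitoring-node retention estimate


def log_storage_gb(disk_gb: int) -> int:
    """Log space on a Monitoring node: 30 percent of the VM disk, in whole GB."""
    return disk_gb * LOG_SHARE_PERCENT // 100


def daily_log_gb(endpoints: int) -> float:
    return endpoints / ENDPOINTS_PER_GB_PER_DAY


def retention_days(disk_gb: int, endpoints: int) -> Optional[int]:
    """Days of logs that fit before old data must be archived and purged."""
    daily = daily_log_gb(endpoints)
    return None if daily == 0 else int(log_storage_gb(disk_gb) // daily)


def check_plan(plan: VmPlan, profile: str = "small") -> Tuple[List[str], List[str]]:
    """Return (problems, warnings): problems are the shortfalls the ISO
    installer's resource check aborts on, warnings are recommendations."""
    spec = PROFILES[profile]
    problems, warnings = [], []

    # Either enough cores at 2 GHz or more, or enough total MHz.
    total_mhz = plan.cores * plan.mhz_per_core
    cpu_ok = (plan.cores >= spec["cores"] and plan.mhz_per_core >= MIN_CORE_MHZ) \
        or total_mhz >= spec["total_mhz"]
    if not cpu_ok:
        problems.append(
            f"CPU: {plan.cores} cores at {plan.mhz_per_core:.0f} MHz "
            f"({total_mhz:.0f} MHz total); need {spec['cores']} cores at "
            f"{MIN_CORE_MHZ} MHz or more, or {spec['total_mhz']} MHz total")
    if plan.ram_gb < spec["ram_gb"]:
        problems.append(f"RAM: {plan.ram_gb} GB, need {spec['ram_gb']} GB")
    if not MIN_DISK_GB <= plan.disk_gb <= MAX_DISK_GB:
        problems.append(f"disk: {plan.disk_gb} GB, must be {MIN_DISK_GB} to "
                        f"{MAX_DISK_GB} GB on a single virtual disk")
    if not 1 <= plan.nics <= 4:
        problems.append(f"NICs: {plan.nics}, must be 1 to 4")
    elif plan.nics < 2:
        warnings.append("only one NIC; two or more are recommended")
    if plan.endpoints:
        warnings.append(
            f"Monitoring persona: about {log_storage_gb(plan.disk_gb)} GB of log "
            f"space, roughly {retention_days(plan.disk_gb, plan.endpoints)} days "
            f"at {plan.endpoints} endpoints")
    return problems, warnings


# Sample plans (constructed): one meeting Table 9's small appliance, and one
# modelled on the boot-menu resource-check output quoted later in this
# chapter (2 cores at 2300 MHz, one NIC, 322 GB), which is undersized.
SMALL_OK = VmPlan(cores=4, mhz_per_core=2300, ram_gb=16, disk_gb=600,
                  nics=2, endpoints=100_000)
UNDERSIZED = VmPlan(cores=2, mhz_per_core=2300, ram_gb=38.6, disk_gb=322, nics=1)

if __name__ == "__main__":
    for name, plan in (("SMALL_OK", SMALL_OK), ("UNDERSIZED", UNDERSIZED)):
        problems, warnings = check_plan(plan)
        print(name, "PASS" if not problems else "FAIL", problems, warnings)
```

Run it as is to see both plans judged; substitute your own VmPlan values, and pass profile="large" for an SNS-3495-class node.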


The VM performance check is done periodically (every hour) and the results are averaged for a day. If the disk I/O performance does not meet the recommended specification, an alarm is generated. The VM performance check can also be done on demand from the Cisco ISE CLI using the show tech-support command. The VM resource and performance checks can be run independent of Cisco ISE installation.
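As an added example (not Cisco code), the following parses the disk I/O section of that show tech-support output and applies the thresholds the check prints, 50 MB/second write and 300 MB/second read, to the two device-level averages. SAMPLE_OUTPUT is constructed to match the output format this guide shows and is not a capture from a node; the worst_of helper is this example's own addition for collecting several hourly runs so that a few bad hours are not hidden by a daily average.

```python
"""Evaluate the disk I/O section of 'show tech-support' output.

Added example, not Cisco code. It pulls the two device-level averages out
of the text and applies the thresholds the check prints (50 MB/second
write, 300 MB/second read). SAMPLE_OUTPUT is constructed to match the
output format shown in this guide; it is not a capture from a real node.
"""
import re

MIN_WRITE_MBPS = 50.0
MIN_READ_MBPS = 300.0

SAMPLE_OUTPUT = """\
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 48 MB/second
Average I/O bandwidth reading from disk device: 193 MB/second
WARNING: VM I/O PERFORMANCE TESTS FAILED!
WARNING: The bandwidth writing to disk must be at least 50 MB/second,
WARNING: and bandwidth reading from disk must be at least 300 MB/second.
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 7.81502 s, 40.3 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.416897 s, 755 MB/s
"""

# Only the device-level lines decide pass or fail; the filesystem test lines
# are deliberately not matched.
DEVICE_LINE = re.compile(
    r"Average I/O bandwidth (writing to|reading from) disk device:\s*([0-9.]+)\s*MB/second"
)


def parse_device_bandwidth(text):
    """Return {'write': MB/s, 'read': MB/s}; raise ValueError if a line is missing."""
    found = {}
    for direction, value in DEVICE_LINE.findall(text):
        found["write" if direction == "writing to" else "read"] = float(value)
    missing = sorted({"write", "read"} - set(found))
    if missing:
        raise ValueError(f"device bandwidth line(s) not found: {missing}")
    return found


def evaluate(text):
    """Apply the ISE thresholds and return a verdict dict."""
    bw = parse_device_bandwidth(text)
    failures = []
    if bw["write"] < MIN_WRITE_MBPS:
        failures.append(f"write {bw['write']:.0f} MB/s < {MIN_WRITE_MBPS:.0f} MB/s")
    if bw["read"] < MIN_READ_MBPS:
        failures.append(f"read {bw['read']:.0f} MB/s < {MIN_READ_MBPS:.0f} MB/s")
    return {"write": bw["write"], "read": bw["read"],
            "passed": not failures, "failures": failures}


def worst_of(samples):
    """Summarise several runs (for example one per hour): ISE averages them over
    a day, but for a go/no-go decision the worst hour is what matters."""
    verdicts = [evaluate(s) for s in samples]
    return {
        "min_write": min(v["write"] for v in verdicts),
        "min_read": min(v["read"] for v in verdicts),
        "hours_failed": sum(1 for v in verdicts if not v["passed"]),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_OUTPUT))
```

Feed it the text captured from the node (for example the output of show tech | begin "disk IO perf" saved to a file) in place of SAMPLE_OUTPUT.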

You can run the VM resource check from the Cisco ISE boot menu.

On Demand Virtual Machine Performance Check Using the Show Tech Support Command

You can run the show tech-support command from the CLI to check the VM performance at any point of time. The output of this command will be similar to the following:

ise-vm123/admin# show tech | begin "disk IO perf"
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 48 MB/second
Average I/O bandwidth reading from disk device: 193 MB/second
WARNING: VM I/O PERFORMANCE TESTS FAILED!
WARNING: The bandwidth writing to disk must be at least 50 MB/second,
WARNING: and bandwidth reading from disk must be at least 300 MB/second.
WARNING: This VM should not be used for production use until disk
WARNING: performance issue is addressed.
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 7.81502 s, 40.3 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.416897 s, 755 MB/s

The verdict is based on the two device-level averages measured against the thresholds printed in the warning (50 MB/second write, 300 MB/second read). The filesystem figures that follow are informational; do not treat the higher filesystem read rate as evidence that the datastore is fast enough.

Virtual Machine Resource Check from the Cisco ISE Boot Menu

You can check for virtual machine resources independent of Cisco ISE installation from the boot menu.

The CLI transcript appears as follows:

Welcome to the Cisco Identity Services Engine Installer
Cisco ISE Version: 1.4.0.205

Available boot options:

  [1] Cisco ISE Installation (Keyboard/Monitor)
  [2] Cisco ISE Installation (Serial Console)
  [3] System Utilities (Keyboard/Monitor)
  [4] System Utilities (Serial Console)
  <Enter> Boot existing OS from hard disk.

Enter boot option and press <Enter>.

From the CLI boot menu, enter 3 or 4 to go to the System Utilities menu.

Cisco ISE System Utilities Menu

Available System Utilities:

  [1] Recover administrator password
  [2] Virtual Machine Resource Check
  [3] System Erase
  [4] Install Media Check
  [q] Exit and reload

Enter option and press <Enter>

Note that the same menu offers Recover administrator password and System Erase, so access to the VM console, and to the vSphere client that exposes it, must be restricted to trusted administrators.

Enter 2 to check for VM resources. The output will be similar to the following:

*****
* Virtual Machine host detected...
* Hard disk(s) total size detected: 322 Gigabyte
* Physical RAM size detected: 40443664 Kbytes
* Number of network interfaces detected: 1
* Number of CPU cores: 2
* CPU Mhz: 2300.00
* Verifying CPU requirement...
* Verifying RAM requirement...
* Writing disk partition table...

The VM in this transcript (2 cores at 2300 MHz, one NIC) is below the Table 9 minimum for even the small appliance and would fail the installer's resource check.

Obtaining the Cisco ISE Evaluation Software

To obtain the Cisco ISE evaluation software (R-ISE-EVAL-K9=), contact your Cisco Account Team or your Authorized Cisco Channel Partner.

To migrate a Cisco ISE configuration from an evaluation system to a fully licensed production system, you need to complete the following tasks:
• Back up the configuration of the evaluation version.
• Ensure that your production VM has the required amount of disk space. See Deployment Size and Scaling Recommendations, on page 11 for details.
• Install a production deployment license.
• Restore the configuration to the production system.

Note: For evaluation, the minimum disk allocation for a VM is 200 GB. When you move the VM to a production environment that supports a larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum disk size or higher (up to the allowed maximum of 2 TB).

Before You Begin
For evaluation purposes, Cisco ISE can be installed on any supported VM that complies with the VM requirements. When evaluating Cisco ISE, you can configure less disk space in the VM, but you must allocate a minimum disk space of 200 GB.

Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.
Step 2 Click Download Software for this Product. The software image comes with a 90-day evaluation license already installed, so you can begin evaluating all Cisco ISE services when the installation and initial configuration are complete.

Related Topics
Virtual Machine Requirements, on page 32

Installing Cisco ISE on Virtual Machines

You can install Cisco ISE on VMs in any one of the following ways. We recommend that you download and deploy Cisco ISE OVA templates.
• Deploying Cisco ISE on Virtual Machines Using OVA Templates, on page 39
• Installing Cisco ISE on Virtual Machines Using the ISO File, on page 39
• Cloning a Cisco ISE Virtual Machine, on page 46

Deploying Cisco ISE on Virtual Machines Using OVA Templates

You can use OVA templates to install and deploy Cisco ISE software on a virtual machine.

Before You Begin
Download the OVA template from Cisco.com and verify its checksum against the value published on the download page before you deploy it.

Step 1 Open VMware vSphere client.
Step 2 Log in to VMware host.
Step 3 Choose File > Deploy OVF Template from the VMware vSphere Client.
Step 4 Click Browse to select the OVA template, and click Next.
Step 5 Confirm the details in the OVF Template Details page, and click Next.
Step 6 Enter a name for the virtual machine in the Name and Location page to uniquely identify it, and click Next.
Step 7 Choose a data store to host the OVA.
Step 8 Click the Thick Provision radio button in the Disk Format page, and click Next. Cisco ISE supports both thick and thin provisioning. However, we recommend that you choose thick provisioning for better performance, especially for Monitoring nodes. If you choose thin provisioning, operations such as upgrade, backup and restore, and debug logging that require more disk space might be impacted during initial disk expansion.
Step 9 Verify the information in the Ready to Complete page. Check the Power on after deployment check box.
Step 10 Click Finish.

Installing Cisco ISE on Virtual Machines Using the ISO File

To install Cisco ISE on a VM using the ISO file:

Before You Begin
• Ensure that you read and allocate VM resources according to the requirements specified in this chapter.
• Ensure that you have read the Prerequisites for Configuring a VMware ESXi Server, on page 40 section.
• Download the Cisco ISE ISO image from Cisco.com.

Step 1 Configure a VMware server. See Configuring a VMware Server, on page 43.
Step 2 Configure a VMware system to boot from a software DVD. See Configuring a VMware System to Boot From a Cisco ISE Software DVD, on page 44.
Step 3 Install Cisco ISE software on the VM. See Installing Cisco ISE Software from a DVD.

Prerequisites for Configuring a VMware ESXi Server

Review the following configuration prerequisites listed in this section before you attempt to configure a VMware ESXi server:
• Remember to log in to the ESXi server as a user with administrative privileges (root user).
• Cisco ISE is a 64-bit system. Before you install a 64-bit system, ensure that Virtualization Technology (VT) is enabled on the ESXi server. You must also ensure that your guest operating system type is set to Red Hat Enterprise Linux 6 (64-bit).
• For Red Hat Enterprise Linux 6, the default NIC type is VMXNET3 Adapter. You can add up to four NICs for your Cisco ISE virtual machine, but ensure that you choose the same Adapter for all the NICs. Cisco ISE supports the E1000 Adapter.
  Note: If you choose the default network driver (VMXNET3) as the Network Adapter, check the physical adapter mappings. Ensure that you map the Cisco ISE GigabitEthernet 0 interface to the 4th interface (NIC 4) in the ESXi server. If you choose the E1000 Adapter, by default, the ESXi adapters and Cisco ISE adapters are mapped correctly.
• Ensure that you allocate the recommended amount of disk space on the VMware virtual machine. See the Disk Space Requirements, on page 35 section for more information.
• If you have not created a VMware virtual machine file system (VMFS), you must create one to support the Cisco ISE virtual appliance. The VMFS is set for each of the storage volumes configured on the VMware host. For VMFS5, the 1-MB block size supports up to 2 TB virtual disk size; the block sizes in Table 12 apply to VMFS3 datastores.

Table 12: VMFS Block Size (VMFS3 datastores)

Virtual Disk Size   Block Size
256 GB              1 MB
512 GB              2 MB
1 TB                4 MB
2 TB                8 MB

Related Topics
Disk Space Requirements, on page 35
Configuring VMware Server Interfaces for the Cisco ISE Profiler Service, on page 42
Enabling Virtualization Technology on an ESXi Server, on page 41

Virtualization Technology Check

If you have an ESXi server installed already, you can check if VT is enabled on it without rebooting the machine. To do this, use the esxcfg-info command. Here is an example:

~ # esxcfg-info |grep "HV Support"
   |----HV Support..........................................3
         |----World Command Line..............................grep HV Support

If HV Support has a value of 3, then VT is enabled on the ESXi server and you can proceed with the installation. If HV Support has a value of 2, then VT is supported, but not enabled on the ESXi server. You must edit the BIOS settings and enable VT on the server.

Enabling Virtualization Technology on an ESXi Server

You can reuse the same hardware that you used for hosting a previous version of the Cisco ISE virtual machine. However, before you install the latest release, you must enable Virtualization Technology (VT) on the ESXi server.

Step 1 Reboot the SNS-3400 series appliance.
Step 2 Press F2 to enter setup.
Step 3 Choose Advanced > Processor Configuration.
Step 4 Select Intel(R) VT and enable it.
Step 5 Press F10 to save your changes and exit.

Related Topics
Prerequisites for Configuring a VMware ESXi Server, on page 40

Configuring VMware Server Interfaces for the Cisco ISE Profiler Service

Configure VMware server interfaces to support the collection of Switch Port Analyzer (SPAN) or mirrored traffic to a dedicated probe interface for the Cisco ISE Profiler Service.

Step 1 Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server instance) > VMswitch0 (one of your VMware ESXi server interfaces) > Properties > Security.
Step 2 In the Policy Exceptions pane on the Security tab, check the Promiscuous Mode check box.
Step 3 In the Promiscuous Mode drop-down list, choose Accept and click OK.

Repeat the same steps on the other VMware ESXi server interface used for profiler data collection of SPAN or mirrored traffic.

Promiscuous mode is a vSwitch or port group security policy, not a per-VM setting: every VM attached to a port group where it is set to Accept can see all frames on that port group. Set it only on a port group dedicated to the SPAN feed that carries the profiler probe interface, keep the ISE management and RADIUS interfaces on port groups where Promiscuous Mode remains Reject, and do not attach other VMs to the SPAN port group.

Related Topics
Prerequisites for Configuring a VMware ESXi Server, on page 40

Connecting to the VMware Server Using the Serial Console

Step 1 Power down the particular VMware server (for example ISE-120).
Step 2 Right-click the VMware server and choose Edit.
Step 3 Click Add on the Hardware tab.
Step 4 Choose Serial Port and click Next.
Step 5 In the Serial Port Output area, click the Use physical serial port on the host or the Connect via Network radio button and click Next.
• If you choose the Connect via Network option, you must open the required ports in the ESXi server firewall. This exposes the appliance console over the network, so restrict that firewall rule to the management hosts that need it; the console offers the boot-menu utilities, including administrator password recovery, to whoever reaches it.
• If you select the Use physical serial port on the host, choose the port. You may choose one of the following two options:
  ◦ /dev/ttyS0 (In the DOS or Windows operating system, this will appear as COM1).
  ◦ /dev/ttyS1 (In the DOS or Windows operating system, this will appear as COM2).
Step 6 Click Next.
Step 7 In the Device Status area, check the appropriate check box. The default is Connected.
Step 8 Click OK to connect to the VMware server.

Configuring a VMware Server

Before You Begin
Ensure that you have read the details in the Prerequisites for Configuring a VMware ESXi Server, on page 40 section.

Step 1 Log in to the ESXi server.
Step 2 In the VMware vSphere Client, in the left pane, right-click your host container and choose New Virtual Machine.
Step 3 In the Configuration dialog box, choose Custom for the VMware configuration and click Next.
Step 4 Enter a name for the VMware system and click Next.
  Tip: Use the hostname that you want to use for your VMware host.
Step 5 Choose a datastore that has the recommended amount of space available and click Next.
Step 6 (Optional) If your VM host or cluster supports more than one VMware virtual machine version, choose a Virtual Machine version such as Virtual Machine Version 7, and click Next.
Step 7 Choose Linux and Red Hat Enterprise Linux 6 (64-bit) from the Version drop-down list.
Step 8 Choose 2 from the Number of virtual sockets and the Number of cores per virtual socket drop-down lists. The total number of cores should be 4. (Optional; appears in some versions of ESXi server. If you see only the Number of virtual processors, choose 4.)
Step 9 Choose the amount of memory and click Next.
Step 10 Choose the E1000 NIC driver from the Adapter drop-down list and click Next. The SCSI controller dialog box appears.
Step 11 Choose Paravirtual as the SCSI controller and click Next.
Step 12 Choose Create a new virtual disk and click Next.
Step 13 In the Disk Provisioning dialog box, click the Thick Provision radio button, and click Next to continue. Cisco ISE supports both thick and thin provisioning. However, we recommend that you choose thick provisioning for better performance, especially for Monitoring nodes. If you choose thin provisioning, operations such as upgrade, backup and restore, and debug logging that require more disk space might be impacted during initial disk expansion.
Step 14 Uncheck the Support clustering features such as Fault Tolerance check box.
Step 15 Choose the advanced options, and click Next.
Step 16 Verify the configuration details, such as Name, Guest OS, CPUs, Memory, and Disk Size of the newly created VMware system. You must see the following values:
• Guest OS—Red Hat Enterprise Linux 6 (64-bit)
• CPUs—4
• Memory—16 GB or 16384 MB
• Disk Size—200 GB to 2 TB based on the recommendations for VMware disk space
For the Cisco ISE installation to be successful on a virtual machine, ensure that you adhere to the recommendations given in this document.
Step 17 Click Finish.

The VMware system is now installed.

What to Do Next
To activate the newly created VMware system, right-click the VM in the left pane of your VMware client user interface and choose Power > Power On.

Related Topics
Virtual Machine Requirements, on page 32
Virtual Machine Appliance Size Recommendations, on page 34
Disk Space Requirements, on page 35

Configuring a VMware System to Boot From a Cisco ISE Software DVD

After configuring the VMware system, you are ready to install the Cisco ISE software. To install the Cisco ISE software from a DVD, you need to configure the VMware system to boot from it. This requires the VMware system to be configured with a virtual DVD drive.

Before You Begin
You must download the Cisco ISE ISO, verify its checksum against the value published on the Cisco download page, burn the ISO image on a DVD, and use it to install Cisco ISE on the virtual machine.

Step 1 In the VMware client, highlight the newly created VMware system and choose Edit Virtual Machine Settings.
Step 2 In the Virtual Machine Properties dialog box, choose CD/DVD Drive 1.
Step 3 Click the Host Device radio button and choose the DVD host device from the drop-down list.
Step 4 Choose the Connect at Power On option and click OK to save your settings.

You can now use the DVD drive of the VMware ESXi server to install the Cisco ISE software.

What to Do Next
After you complete this task, click the Console tab in the VMware client user interface, right-click the VM in the left pane, choose Power, and choose Reset to restart the VMware system.

Installing Cisco ISE Software on a VMware System

Before You Begin
• After installation, if you do not install a permanent license, Cisco ISE automatically installs a 90-day evaluation license that supports a maximum of 100 endpoints.
• Download the Cisco ISE software from the Cisco Software Download Site at http://www.cisco.com/en/US/products/ps11640/index.html and burn it on a DVD. You will be required to provide your Cisco.com credentials.

Step 1 Log in to the VMware client.
Step 2 Ensure that Coordinated Universal Time (UTC) is set in the BIOS:
  a) If the VMware system is turned on, turn the system off.
  b) Turn on the VMware system.
  c) Press F1 to enter the BIOS Setup mode.
  d) Using the arrow keys, navigate to the Date and Time field and press Enter.
  e) Enter the UTC/Greenwich Mean Time (GMT) time zone. This time zone setting ensures that the reports, logs, and posture-agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.
  f) Press Esc to exit to the main BIOS menu.
  g) Press Esc to exit from the BIOS Setup mode.
Step 3 Insert the Cisco ISE software DVD into the VMware ESXi host CD/DVD drive and turn on the virtual machine. When the DVD boots, the console displays:

Welcome to the Cisco Identity Services Engine Installer
Cisco ISE Version: 1.4.0.205

Available boot options:

  [1] Cisco ISE Installation (Keyboard/Monitor)
  [2] Cisco ISE Installation (Serial Console)
  [3] System Utilities (Keyboard/Monitor)
  [4] System Utilities (Serial Console)
  <Enter> Boot existing OS from hard disk.

Enter boot option and press <Enter>.
boot: 2
Loading vmlinuz . .
Loading initrd.img . . ready.
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Linux version 2.6.32-431.el6.x86_64 (mockbuild@x86-023.build.eng.bos.redhat.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Sun Nov 10 22:19:54 EST 2013

You can choose either the monitor and keyboard port, or the console port to perform the initial setup.
Step 4 At the system prompt, enter 1 to choose a monitor and keyboard port or 2 to choose a console port and press Enter. The installer starts the installation of the Cisco ISE software on the VMware system. Allow 20 minutes for the installation process to complete. When the installation process finishes, the virtual machine reboots automatically. When the VM reboots, the console displays:

Type 'setup' to configure your appliance
localhost:

Step 5 At the system prompt, type setup and press Enter. The Setup Wizard appears and guides you through the initial configuration.

Related Topics
Cisco ISE Setup Program Parameters, on page 23

Cisco ISE ISO Installation on Virtual Machine Fails

If a fresh installation of Cisco ISE on a virtual machine fails, and you have the default network driver (VMXNET3) chosen as the Network Adapter, check the physical adapter mappings. Ensure that you map the Cisco ISE GigabitEthernet 0 interface to the 4th interface (NIC 4) in ESXi. The workaround is to use the E1000 driver as the Network Adapter.

Cloning a Cisco ISE Virtual Machine

You can clone a Cisco ISE VMware virtual machine (VM) to create an exact replica of a Cisco ISE node. For example, in a distributed deployment with multiple Policy Service nodes (PSNs), VM cloning helps you deploy the PSNs quickly and effectively. You do not have to install and configure the PSNs individually. You can also clone a Cisco ISE VM using a template.

Before You Begin
• Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.
• Ensure that you change the IP address and hostname of the cloned machine before you connect it to the network. An exact replica also carries the source node's system certificates and private keys, so plan to replace them on each clone with certificates issued for the new hostname.

Step 1 Log in to the ESXi server as a user with administrative privileges (root user).
Step 2 Right-click the Cisco ISE VM you want to clone, and click Clone.
Step 3 Enter a name for the new machine that you are creating in the Name and Location dialog box and click Next. This is not the hostname of the new Cisco ISE VM that you are creating, but a descriptive name for your reference.
Step 4 Select a Host or Cluster on which you want to run the new Cisco ISE VM and click Next.
Step 5 Select a datastore for the new Cisco ISE VM that you are creating and click Next. This datastore could be the local datastore on the ESXi server or a remote storage. Ensure that the datastore has enough disk space.
Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next. This option copies the same format that is used in the Cisco ISE VM that you are cloning this new machine from.
Step 7 Click the Do not customize radio button in the Guest Customization dialog box and click Next.
Step 8 Click Finish.

What to Do Next
• Changing the IP Address and Hostname of a Cloned Virtual Machine
• Connecting a Cloned Cisco Virtual Machine to the Network

Related Topics
Cloning a Cisco ISE Virtual Machine Using a Template, on page 47
Virtual Machine Requirements, on page 32
Disk Space Requirements, on page 35

Cloning a Cisco ISE Virtual Machine Using a Template

If you are using vCenter, then you can use a VMware template to clone a Cisco ISE virtual machine (VM). You can clone the Cisco ISE node to a template and use that template to create multiple new Cisco ISE nodes. Cloning a virtual machine using a template is a two-step process:

Step 1 Creating a Virtual Machine Template, on page 47
Step 2 Deploying a Virtual Machine Template, on page 48

Related Topics
Cloning a Cisco ISE Virtual Machine, on page 46
Deploying a Virtual Machine Template, on page 48

Creating a Virtual Machine Template

Before You Begin
• Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.
• We recommend that you create a template from a Cisco ISE VM that you have just installed and not run the setup program on. You can then run the setup program on each of the individual Cisco ISE nodes that you have created and configure IP addresses and hostnames individually.

Step 1 Log in to the ESXi server as a user with administrative privileges (root user).
Step 2 Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template.
Step 3 Enter a name for the template, choose a location to save the template in the Name and Location dialog box, and click Next.
Step 4 Choose the ESXi host that you want to store the template on and click Next.
Step 5 Choose the datastore that you want to use to store the template and click Next. Ensure that this datastore has the required amount of disk space.
Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next. The Ready to Complete dialog box appears.
Step 7 Click Finish.

Deploying a Virtual Machine Template

After you create a virtual machine template, you can deploy it on other virtual machines (VMs).

Step 1 Right-click the Cisco ISE VM template that you have created and choose Deploy Virtual Machine from this template.
Step 2 Enter a name for the new Cisco ISE node, choose a location for the node in the Name and Location dialog box, and click Next.
Step 3 Choose the ESXi host where you want to store the new Cisco ISE node and click Next.
Step 4 Choose the datastore that you want to use for the new Cisco ISE node and click Next. Ensure that this datastore has the required amount of disk space.
Step 5 Click the Same format as source radio button in the Disk Format dialog box and click Next.
Step 6 Click the Do not customize radio button in the Guest Customization dialog box. The Ready to Complete dialog box appears.
Step 7 Check the Edit Virtual Hardware check box and click Continue. The Virtual Machine Properties page appears.
Step 8 Choose Network adapter, uncheck the Connected and Connect at power on check boxes, and click OK.
Step 9 Click Finish.

You can now power on this Cisco ISE node, configure the IP address and hostname, and connect it to the network.

What to Do Next
• Changing the IP Address and Hostname of a Cloned Virtual Machine
• Connecting a Cloned Cisco Virtual Machine to the Network

Related Topics
Cloning a Cisco ISE Virtual Machine Using a Template, on page 47
Disk Space Requirements, on page 35

Changing the IP Address and Hostname of a Cloned Virtual Machine

After you clone a Cisco ISE virtual machine (VM), you have to power it on and change the IP address and hostname.
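Before powering on a clone, the identity it is about to receive can be verified with the following added example (not Cisco code). It checks the same points as the Before You Begin list that follows: that the new hostname is a usable short name and not the source node's, that the new address and netmask are valid and the address is not the source node's, and that forward and reverse DNS already agree on the new name and address. The fake_* resolvers and the example.com names are constructed so the script runs offline; pass the dns_forward and dns_reverse defaults to check against your real DNS. It does not check certificates, which still have to be issued for the new name.

```python
"""Pre-flight identity check for a cloned Cisco ISE VM.

Added example, not Cisco code. It automates the checks that precede
changing a clone's hostname and IP address: the new hostname is usable and
differs from the source node, the new address is valid and is not the
source node's, and forward (A) and reverse (PTR) DNS records match the new
identity. The fake_* resolvers stand in for real DNS so the check runs
offline; the dns_forward and dns_reverse defaults query real DNS.
"""
import ipaddress
import socket


def dns_forward(fqdn):
    """A-record lookup; raises socket.gaierror (an OSError) when absent."""
    return socket.gethostbyname(fqdn)


def dns_reverse(ip):
    """PTR lookup; raises socket.herror (an OSError) when absent."""
    return socket.gethostbyaddr(ip)[0]


def clone_preflight(hostname, domain, ip, netmask, source_hostname, source_ip,
                    forward=dns_forward, reverse=dns_reverse):
    """Return a list of problems; an empty list means the clone may be powered
    on (with its network adapter still disconnected) and reconfigured."""
    problems = []
    host = hostname.strip().lower()
    fqdn = f"{host}.{domain.strip().lower().rstrip('.')}"

    # ISE takes a short hostname; the domain is configured separately, and
    # "localhost" is not allowed as a node name.
    if host in ("", "localhost") or "." in host:
        problems.append(f"hostname {hostname!r} is not a usable node name")
    elif host == source_hostname.strip().lower():
        problems.append(f"hostname {hostname!r} is the source node's hostname")

    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    except ValueError as exc:
        problems.append(f"invalid IP address or netmask: {exc}")
        return problems
    if iface.ip == ipaddress.ip_address(source_ip):
        problems.append(f"{iface.ip} is the source node's address; "
                        "the clone would collide on the network")

    # Forward and reverse DNS must already agree on the new identity.
    try:
        resolved = forward(fqdn)
    except OSError:
        resolved = None
    if resolved != str(iface.ip):
        problems.append(f"DNS A record for {fqdn} is {resolved}, expected {iface.ip}")

    try:
        ptr = reverse(str(iface.ip)).lower().rstrip(".")
    except OSError:
        ptr = None
    if ptr != fqdn:
        problems.append(f"DNS PTR record for {iface.ip} is {ptr}, expected {fqdn}")
    return problems


# Constructed DNS data for an offline run (not a real zone).
FAKE_ZONE = {
    "ise-psn1.example.com": "10.1.1.11",   # the source node
    "ise-psn2.example.com": "10.1.1.12",   # the planned clone
}
FAKE_PTR = {addr: name for name, addr in FAKE_ZONE.items()}


def fake_forward(fqdn):
    try:
        return FAKE_ZONE[fqdn]
    except KeyError:
        raise socket.gaierror(f"{fqdn}: no A record")


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(f"{ip}: no PTR record")


def example_good():
    return clone_preflight("ise-psn2", "example.com", "10.1.1.12", "255.255.255.0",
                           "ise-psn1", "10.1.1.11", fake_forward, fake_reverse)


def example_bad():
    # Hostname left at "localhost", source address reused, no DNS entries.
    return clone_preflight("localhost", "example.com", "10.1.1.11", "255.255.255.0",
                           "ise-psn1", "10.1.1.11", fake_forward, fake_reverse)


if __name__ == "__main__":
    print("good clone:", example_good() or "OK")
    print("bad clone:", example_bad())
```

Run the good and bad cases as they are to see the output shape; for a real clone call clone_preflight with the planned hostname, domain, address and netmask and the source node's hostname and address, leaving the resolver arguments at their defaults.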


Before You Begin • Ensure that the Cisco ISE node is in the standalone state. • Ensure that the network adapter on the newly cloned Cisco ISE VM is not connected when you power on the machine. Uncheck the Connected and Connect at power on check boxes. Otherwise, if this node comes up, it will have the same IP address as the source machine from which it was cloned. Figure 9: Disconnecting the Network Adapter • Ensure that you have the IP address and hostname that you are going to configure for the newly cloned VM as soon as you power on the machine.

This IP address and hostname entry should be in the DNS server. You cannot use "localhost" as the hostname for a node. • Ensure that you have certificates for the Cisco ISE nodes based on the new IP address or hostname. Procedure Step 1 Right-click the newly cloned Cisco ISE VM and choose Power > Power On. Step 2 Select the newly cloned Cisco ISE VM and click the Console tab. Step 3 Enter the following commands on the Cisco ISE CLI: configure terminal hostname hostname The hostname is the new hostname that you are going to configure. The Cisco ISE services are restarted. Step 4 Enter the following commands: interface gigabit 0 ip address ip_address netmask Cisco Identify Services Engine Hardware Installation Guide, Release 1.4 49 Installing ISE on a VMware Virtual Machine Cloning a Cisco ISE Virtual Machine

The ip_address is the address that corresponds to the hostname that you entered in step 3, and netmask is the subnet mask of the ip_address. The system will prompt you to restart the Cisco ISE services. Refer to the Cisco Identity Services Engine CLI Reference Guide for the ip address and hostname commands.
Step 5 Enter Y to restart Cisco ISE services.

Connecting a Cloned Cisco Virtual Machine to the Network
After you power on the VM and change the IP address and hostname, you must connect the Cisco ISE node to the network.

Step 1 Right-click the newly cloned Cisco ISE virtual machine (VM) and click Edit Settings.

Step 2 Click Network adapter in the Virtual Machine Properties dialog box.
Step 3 In the Device Status area, check the Connected and Connect at power on check boxes.
Step 4 Click OK.

Migrating Cisco ISE VM from Evaluation to Production
After evaluating the Cisco ISE release, you can migrate from an evaluation system to a fully licensed production system.

Before You Begin
• When you move the VMware server to a production environment that supports a larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum disk size or higher (up to the allowed maximum of 2 TB).

• Please note that you cannot migrate data to a production VM from a VM created with less than 200 GB of disk space. You can only migrate data from VMs created with 200 GB or more disk space to a production environment.

Step 1 Back up the configuration of the evaluation version.
Step 2 Ensure that your production VM has the required amount of disk space.
Step 3 Install a production deployment license.
Step 4 Restore the configuration to the production system.

Related Topics
Deployment Size and Scaling Recommendations, on page 11


CHAPTER 5
Installing Cisco ISE Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances
• Supported Cisco ISE, Secure ACS, and NAC Appliances, page 53
• Installing Cisco ISE Software from a DVD, page 54
• Installing Cisco ISE Software on a Re-imaged Cisco ISE-3300 Series Appliance, page 54
• Installing Cisco ISE Software on a Re-imaged Cisco Secure ACS Appliance, page 55
• Installing Cisco ISE Software on a Re-imaged Cisco NAC Appliance, page 56

Supported Cisco ISE, Secure ACS, and NAC Appliances
You can install the Cisco ISE software from a DVD on the following Cisco appliances, provided that the appliances have been reimaged.

The appliance types include:
• Cisco ISE-3315
• Cisco ISE-3355
• Cisco ISE-3395
• Cisco Secure ACS-1121
• Cisco NAC-3315
• Cisco NAC-3355
• Cisco NAC-3395
Installing the software on a Cisco Secure ACS or Cisco NAC appliance is a simplified process because the underlying hardware on which the Cisco ISE software will be installed is the same physical device type. To reuse a Cisco Secure ACS or Cisco NAC appliance as a Cisco ISE appliance, reimage the appliance and then install the ISE software.


For specific details about the Cisco ISE 3300 series hardware platforms, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.

Installing Cisco ISE Software from a DVD
Before You Begin
• Download the Cisco ISE Release or Inline Posture node ISO image, burn the ISO image on a DVD, and use it to install the software on the Cisco ISE-3300 series and legacy Cisco NAC and Cisco Secure ACS appliances.
• Review the Cisco ISE setup parameters and have this information ready before you run the setup program.

Step 1 Connect a keyboard and a VGA monitor to the appliance.

Step 2 Ensure that a power cord is connected to the appliance, insert the DVD in the appliance CD/DVD drive, and turn on the appliance. The console displays the boot options.
Step 3 At the boot prompt, enter 1 and press Enter.
Step 4 At the prompt, type setup to start the setup program.
Step 5 Enter the values for the setup program parameters. After the Cisco ISE or IPN software is configured, the system reboots automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you configured during setup.

What to Do Next • If you installed the IPN ISO, you must configure certificates for inline posture nodes.

• If you installed the Cisco ISE ISO image, after you log in to the Cisco ISE CLI shell, you can run the show application status ise CLI command to check the status of the Cisco ISE application processes.

Installing Cisco ISE Software on a Re-imaged Cisco ISE-3300 Series Appliance
Before You Begin
• Download the Cisco ISE or Inline Posture node ISO image, burn the ISO image on a DVD, and use it to install the software on the Cisco appliance.

• Review the prerequisites for configuring a Cisco SNS-3400 appliance.
• Review the Cisco ISE Setup program parameters and have this information ready before you run the setup program.

• Review the DVD installation instructions.

Step 1 If the Cisco ISE appliance is on, turn it off.
Step 2 Turn on the Cisco ISE appliance.
Step 3 Press F1 to enter the BIOS setup mode.

Step 4 Use the arrow keys to navigate to the Date and Time field and press Enter.
Step 5 Set the time to the UTC/GMT time zone.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.
Step 6 Press Esc to exit to the main BIOS menu.
Step 7 Press Esc to exit from the BIOS setup mode.
Step 8 Install the software from the DVD.

What to Do Next
Log in to the Cisco ISE Admin portal and install a license.

Installing Cisco ISE Software on a Re-imaged Cisco Secure ACS Appliance
Before You Begin
• Download the Cisco ISE or Inline Posture node ISO image, burn the ISO image on a DVD, and use it to install Cisco ISE or IPN software on the legacy Cisco Secure ACS appliance.

• Review the prerequisites for configuring a Cisco appliance.
• Review the Cisco ISE Setup program parameters and have this information ready before you run the setup program.

• Review the DVD installation instructions.

Step 1 If the Cisco Secure ACS appliance is on, turn it off.
Step 2 Turn on the Cisco Secure ACS appliance.
Step 3 Press F1 to enter the BIOS setup mode.
Step 4 Use the arrow keys to navigate to the Date and Time field and press Enter.
Step 5 Set the time for your appliance to the UTC/GMT time zone.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.

Step 6 Press Esc to exit to the main BIOS menu.
Step 7 Press Esc to exit from the BIOS setup mode.
Step 8 Install the software from the DVD.

What to Do Next
Log in to the Cisco ISE Admin portal and install a license.

Installing Cisco ISE Software on a Re-imaged Cisco NAC Appliance
Before You Begin
• Download the Cisco ISE software or Inline Posture node ISO image, burn the ISO image on a DVD, and use it to install the software on the legacy Cisco NAC appliance.
• Review the prerequisites for configuring a Cisco appliance.
• Review the Cisco ISE Setup program parameters and have this information ready before you run the setup program.

• Review the DVD installation instructions.

Step 1 If the Cisco NAC appliance is on, turn it off.
Step 2 Turn on the Cisco NAC appliance.
Step 3 Press F1 to enter the BIOS setup mode.
Step 4 Using the arrow keys, navigate to the Date and Time field and press Enter.
Step 5 Set the time for your appliance to the UTC/GMT time zone.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.
Step 6 Press Esc to exit to the main BIOS menu.
Step 7 Press Esc to exit from the BIOS setup mode.

Step 8 Install the software from the DVD.

What to Do Next
If the Cisco ISE DVD installation process returns a message indicating that “The installer requires at least 600GB disk space for this appliance type,” you may need to reset the RAID settings on the appliance to facilitate installation.

Log in to the Cisco ISE Admin portal and install a license.

Resetting the Existing RAID Configuration on a Cisco NAC Appliance
It may be necessary to reset the RAID settings on your NAC appliance to facilitate the Cisco ISE software installation.

Step 1 Reboot the Cisco NAC appliance with the Cisco ISE Software DVD.
Step 2 When you see the RAID controller version information appear in the CLI, press Ctrl-C.

The RAID controller version information appears, displaying a label like LSI Corporation MPT SAS BIOS, and the LSI Corp Config Utility becomes active.
Step 3 Press Enter to specify the default controller. (The highlighted controller name should read something similar to SR-BR10i.) A screen containing the Cisco NAC appliance adapter information appears.

Step 4 Use the arrow keys to navigate to “RAID properties” and press Enter.
Step 5 Use the arrow keys to navigate to “Manage Array” and press Enter.
Step 6 Use the arrow keys to navigate to “Delete Array” and press Enter.
Step 7 Enter Y to confirm that you want to delete the existing RAID array.
Step 8 Press Esc twice to exit the RAID configuration utility. The system prompts you with an Exit the Configuration Utility and Reboot? prompt.
Step 9 Press Enter. The Cisco NAC appliance reboots. As long as the Cisco ISE Software DVD is still inserted, the appliance automatically boots to the install menu.

Step 10 Press 1 to begin the Cisco ISE installation.

Related Topics
Installing Cisco ISE Software on a Re-imaged Cisco NAC Appliance


CHAPTER 6
Managing Administrator Accounts
• CLI-Admin and Web-Based Admin User Right Differences, page 59
• CLI Admin Users Creation, page 60
• Web-Based Admin Users Creation, page 60

CLI-Admin and Web-Based Admin User Right Differences
The username and password that you configure when using the Cisco ISE setup program are intended to be used for administrative access to the Cisco ISE CLI and the Cisco ISE web interface. The administrator that has access to the Cisco ISE CLI is called the CLI-admin user. By default, the username for the CLI-admin user is admin and the password is user-defined during the setup process.

There is no default password. You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process. There is no default username and password for a web-based admin. The CLI-admin user is copied to the Cisco ISE web-based admin user database. Only the first CLI-admin user is copied as the web-based admin user. You should keep the CLI- and web-based admin user stores synchronized, so that you can use the same username and password for both admin roles. The Cisco ISE CLI-admin user has different rights and capabilities than the Cisco ISE web-based admin user and can perform other administrative tasks.

Table 13: Tasks Performed by CLI-Admin and Web-Based Admin Users

Tasks (Admin User Type: Both CLI-Admin and Web-Based Admin)
• Back up the Cisco ISE application data.
• Display any system, application, or diagnostic logs on the Cisco ISE appliance.
• Apply Cisco ISE software patches, maintenance releases, and upgrades.
• Set the NTP server configuration.

Tasks (Admin User Type: CLI-Admin only)
• Start and stop the Cisco ISE application software.
• Reload or shut down the Cisco ISE appliance.
• Reset the web-based admin user in case of a lockout.
• Access the ISE CLI.

Related Topics
Cisco ISE Configuration Verification, on page 62
Resetting a Password Due to Administrator Lockout, on page 67
Logging in to the Cisco ISE Web-Based Interface, on page 61

CLI Admin Users Creation
Cisco ISE allows you to create additional CLI-admin user accounts other than the one you created during the setup process. To protect the CLI-admin user credentials, create the minimum number of CLI-admin users needed to access the Cisco ISE CLI.

You can add a CLI-admin user by entering the configuration mode in the CLI and using the username command.

Web-Based Admin Users Creation
For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as for the CLI-based access that you configured during setup. You can add web-based admin users through the user interface itself.

CHAPTER 7
Post-Installation Tasks
• Logging in to the Cisco ISE Web-Based Interface, page 61
• Cisco ISE Configuration Verification, page 62
• VMware Tools Installation Verification, page 64
• Administrator Password Reset, page 66
• Changing the IP Address of a Cisco ISE Appliance, page 68
• Viewing Installation and Upgrade History, page 69
• Configuring RAID on SNS-3415 Appliance, page 70
• Configuring RAID on SNS-3495 Appliance Using CIMC, page 70
• Performing a System Erase, page 71

Logging in to the Cisco ISE Web-Based Interface
When you log in to the Cisco ISE web-based interface for the first time, you will be using the preinstalled Evaluation license.

Note We recommend that you use the Cisco ISE user interface to periodically reset your administrator login password.

Caution For security reasons, we recommend that you log out when you complete your administrative session. If you do not log out, the Cisco ISE web-based interface logs you out after 30 minutes of inactivity, and does not save any unsubmitted configuration data.

Before You Begin
The Cisco ISE Admin portal supports the following HTTPS-enabled browsers:
•
• Mozilla Firefox versions 31.x ESR, 36.x, and 37.x
• Microsoft Internet Explorer 10.x and 11.x
Adobe Flash Player 11.1.0.0 or above must be installed on the system running the client browser.

Note The minimum required screen resolution to view the Cisco ISE GUI is 1280 x 800 pixels.

Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.
Step 2 In the Address field, enter the IP address (or hostname) of the Cisco ISE appliance by using the following format and press Enter.
    https:///admin/
Step 3 Enter a username and password that you defined during setup.
Step 4 Click Login.

Related Topics
Resetting a Password Due to Administrator Lockout, on page 67
Resetting a Lost, Forgotten, or Compromised Password using the DVD, on page 66
CLI-Admin and Web-Based Admin User Right Differences, on page 59

Cisco ISE Configuration Verification
There are two methods for verifying the Cisco ISE configuration, by using a web browser and by using the CLI, and each uses a different set of username and password credentials.

Note CLI-admin user credentials and web-based admin user credentials are different in Cisco ISE.

Related Topics
Verifying a Configuration Using a Web Browser, on page 63
Verifying a Configuration Using the CLI, on page 63
CLI-Admin and Web-Based Admin User Right Differences, on page 59

Verifying a Configuration Using a Web Browser

Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.
Step 2 In the Address field, enter the IP address (or host name) of the Cisco ISE appliance using the following format and press Enter.
    https:///admin/
For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.
Step 3 In the Cisco ISE Login page, enter the username and password that you have defined during setup and click Login.
Note For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as for the CLI-based access that you configured during setup.
Step 4 Use the Cisco ISE dashboard to verify that the appliance is working correctly.

What to Do Next
By using the Cisco ISE web-based user interface menus and options, you can configure the Cisco ISE system to suit your needs. For details on configuring Cisco ISE, see the Cisco Identity Services Engine Administrator Guide.

Related Topics
Cisco ISE Configuration Verification, on page 62
Cisco ISE Setup Program Parameters, on page 23

Verifying a Configuration Using the CLI
Before You Begin
To get the latest Cisco ISE patches and keep Cisco ISE up-to-date, visit the following web site: http://www.cisco.com/public/sw-center/index.shtml

Step 1 After the Cisco ISE appliance reboot has completed, launch a supported product, such as PuTTY, for establishing a Secure Shell (SSH) connection to the Cisco ISE appliance.

Step 2 In the Host Name (or IP Address) field, enter the hostname (or the IP address in dotted decimal format) of the Cisco ISE appliance and click Open.
Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during setup and press Enter.
Step 4 At the password prompt, enter the CLI-admin password that you configured during setup (this is user-defined and there is no default) and press Enter.
Step 5 At the system prompt, enter show application version ise and press Enter.
Note The Version field lists the currently installed version of Cisco ISE software.

The console output appears as shown below:
    ise-vm123/admin# show application version ise

    Cisco Identity Services Engine
    ---------------------------------------------
    Version      : 1.4.0.205
    Build Date   : Tue Mar 3 19:31:27 2015
    Install Date : Tue Mar 3 21:06:31 2015

Step 6 To check the status of the Cisco ISE processes, enter show application status ise and press Enter. The console output appears as shown below:
    ise-server/admin# show application status ise

    ISE PROCESS NAME                       STATE            PROCESS ID
    --------------------------------------------------------------------
    Database Listener                      running          3638
    Database Server                        running          45 PROCESSES
    Application Server                     running          5992
    Profiler Database                      running          4483
    AD Connector                           running          6401
    M&T Session Database                   running          2313
    M&T Log Collector                      running          6247
    M&T Log Processor                      running          6274
    Certificate Authority Service          running          6213
    pxGrid Infrastructure Service          disabled
    pxGrid Publisher Subscriber Service    disabled
    pxGrid Connection Manager              disabled
    pxGrid Controller                      disabled
    Identity Mapping Service               disabled

Related Topics
Cisco ISE Configuration Verification, on page 62

VMware Tools Installation Verification
Related Topics
Cisco ISE Setup Program Parameters, on page 23

Verify VMware Tools Installation Using the Summary Tab in the vSphere Client
Go to the Summary tab of the specified VMware host in the vSphere Client. The value in the VMware Tools field should be OK.
Figure 10: Verifying VMware Tools in the vSphere Client

Verify VMware Tools Installation Using the CLI
You can also verify whether the VMware tools are installed by using the show inventory command. This command lists the NIC driver information. On a virtual machine with VMware tools installed, VMware Virtual Ethernet driver is listed in the Driver Descr field.

    vm36/admin# show inventory
    NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
    PID: ISE-VM-K9, VID: V01 , SN: 8JDCBLIDLJA

    Total RAM Memory: 4016564 kB
    CPU Core Count: 1
    CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 64.40 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 7832 cylinders
    NIC Count: 1
    NIC 0: Device Name: eth0
    NIC 0: HW Address: 00:0C:29:BA:C7:82
    NIC 0: Driver Descr: VMware Virtual Ethernet driver
    (*) Hard Disk Count may be Logical.

    vm36/admin#
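The show application version ise, show application status ise and show inventory listings above are what an operator reads by eye after installation. As an added example that is not part of this guide or of Cisco's tooling, the following Python parses pasted copies of those outputs and reports the installed version, any expected process that is not running, and whether the VMware Tools NIC driver is present; the sample outputs are constructed from the listings in this guide, and the REQUIRED_RUNNING set is an assumption to adjust per deployment.

```python
"""Offline checks over Cisco ISE CLI output used for post-installation verification.

Parses pasted text of `show application version ise`, `show application status ise`
and `show inventory` and reports the installed version, any process that is not
running, and whether the VMware Tools NIC driver is present.
"""
import re
from typing import Dict, Iterable, List

# Sample outputs constructed for this example from the listings quoted in the
# guide; they are not captures from a live node.
SAMPLE_VERSION = """\
ise-vm123/admin# show application version ise

Cisco Identity Services Engine
---------------------------------------------
Version      : 1.4.0.205
Build Date   : Tue Mar  3 19:31:27 2015
Install Date : Tue Mar  3 21:06:31 2015
"""

SAMPLE_STATUS = """\
ise-server/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          3638
Database Server                        running          45 PROCESSES
Application Server                     running          5992
Profiler Database                      running          4483
AD Connector                           running          6401
M&T Session Database                   running          2313
M&T Log Collector                      running          6247
M&T Log Processor                      running          6274
Certificate Authority Service          running          6213
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               disabled
"""

SAMPLE_INVENTORY = """\
vm36/admin# show inventory
NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: Driver Descr: VMware Virtual Ethernet driver
"""

# Processes this deployment expects in the "running" state. This set is an
# assumption made for the example; adjust it to the services your node has enabled.
REQUIRED_RUNNING = (
    "Database Listener", "Database Server", "Application Server",
    "Profiler Database", "M&T Session Database", "M&T Log Collector",
    "M&T Log Processor", "Certificate Authority Service",
)


def parse_version(text: str) -> str:
    """Return the value of the 'Version' field, or '' if it is absent."""
    match = re.search(r"^Version\s*:\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else ""


def parse_application_status(text: str) -> Dict[str, str]:
    """Map each ISE process name to its STATE column, lower-cased."""
    states: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the prompt, the column header, the dashed rule and blank lines.
        if not line or "#" in line or line.startswith("ISE PROCESS NAME") or set(line) == {"-"}:
            continue
        # Columns are separated by runs of spaces; a state such as "not running"
        # contains only a single space and so stays one field.
        fields = re.split(r"\s{2,}", line)
        if len(fields) >= 2:
            states[fields[0]] = fields[1].lower()
    return states


def processes_not_running(states: Dict[str, str],
                          required: Iterable[str] = REQUIRED_RUNNING) -> List[str]:
    """Required processes whose state is not 'running'; absent names count as failures."""
    return [name for name in required if states.get(name) != "running"]


def nic_drivers(inventory_text: str) -> Dict[str, str]:
    """Map NIC device names from `show inventory` to their 'Driver Descr' values."""
    names: Dict[str, str] = {}
    drivers: Dict[str, str] = {}
    for raw in inventory_text.splitlines():
        match = re.match(r"^NIC (\d+): (Device Name|Driver Descr): (.+)$", raw.strip())
        if not match:
            continue
        index, field, value = match.groups()
        (names if field == "Device Name" else drivers)[index] = value.strip()
    return {names.get(i, "nic" + i): d for i, d in drivers.items()}


def vmware_tools_present(inventory_text: str) -> bool:
    """True when a NIC reports the driver that the guide says VMware Tools installs."""
    return any("VMware Virtual Ethernet driver" in d for d in nic_drivers(inventory_text).values())


if __name__ == "__main__":
    status = parse_application_status(SAMPLE_STATUS)
    print("version:", parse_version(SAMPLE_VERSION))
    print("not running:", processes_not_running(status) or "none")
    print("VMware Tools driver present:", vmware_tools_present(SAMPLE_INVENTORY))
```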

Support for Upgrading VMware Tools The Cisco ISE ISO image (regular, upgrade, or patch) contains the supported VMware tools. Upgrading VMware tools through the VMware client user interface is not supported with Cisco ISE. If you want to upgrade any VMware tools to a higher version, support is provided through a newer version of Cisco ISE (regular, upgrade, or patch release).

Administrator Password Reset
Resetting a Lost, Forgotten, or Compromised Password using the DVD
Before You Begin
Make sure you understand the following connection-related conditions that can cause a problem when attempting to use the Cisco ISE Software DVD to start up a Cisco ISE appliance:
• You have a terminal server associated with the serial console connection to the Cisco ISE appliance that is set to exec. Setting it to no exec allows you to use a KVM connection and a serial console connection.
• You have a keyboard and video monitor (KVM) connection to the Cisco ISE appliance (this can be either a remote KVM or a VMware vSphere client console connection).

• You have a serial console connection to the Cisco ISE appliance.

Step 1 Ensure that the Cisco ISE appliance is powered up.
Step 2 Insert the Cisco ISE Software DVD. For example, the Cisco ISE 3415 console displays the following message:
    Welcome to the Cisco Identity Services Engine Installer
    Cisco ISE Version: 1.4.0.205

    Available boot options:

    [1] Cisco ISE Installation (Keyboard/Monitor)
    [2] Cisco ISE Installation (Serial Console)
    [3] System Utilities (Keyboard/Monitor)
    [4] System Utilities (Serial Console)
    Boot existing OS from hard disk.

    Enter boot option and press .
Step 3 At the system prompt, enter 3 if you use a keyboard and video monitor connection to the appliance, or enter 4 if you use a local serial console port connection.

The system displays the ISO utilities menu as shown below.
    Cisco ISE System Utilities Menu

    Available System Utilities:

    [1] Recover administrator password
    [2] Virtual Machine Resource Check
    [3] System Erase
    [4] Install Media Check
    [q] Exit and reload

    Enter option and press
Step 4 Enter 1 to recover the administrator password. The console displays:
    Admin username:
    [1]:admin
    [2]:admin2
    [3]:admin3
    [4]:admin4
    Enter number of admin for password recovery:2
    Password:
    Verify password:
    Save change and reboot? [Y/N]:
Step 5 Enter the number corresponding to the admin user whose password you want to reset.

Step 6 Enter the new password and verify it.

Step 7 Enter Y to save the changes.

Related Topics
Logging in to the Cisco ISE Web-Based Interface, on page 61

Resetting a Password Due to Administrator Lockout
An administrator can enter an incorrect password enough times to disable the account. The minimum and default number of attempts is five. Use these instructions to reset the administrator user interface password with the application reset-passwd ise command in the Cisco ISE CLI. It does not affect the CLI password of the administrator. After you successfully reset the administrator password, the credentials are immediately active and you can log in without having to reboot the system.


Cisco ISE adds a log entry in the Monitor > Reports > Catalog > Server Instance > Server Instance > Server Administrator Logins report, and suspends the credentials for that administrator ID until you reset the password associated with that administrator ID.

Step 1 Access the direct-console CLI and enter:
    application reset-passwd ise administrator_ID
Step 2 Specify and confirm a new password that is different from the previous two passwords that were used for this administrator ID:
    Enter new password:

    Confirm new password:
    Password reset successfully

Related Topics
Logging in to the Cisco ISE Web-Based Interface, on page 61
CLI-Admin and Web-Based Admin User Right Differences, on page 59

Changing the IP Address of a Cisco ISE Appliance
Before You Begin
• Ensure that the Cisco ISE node is in a standalone state before you change the IP address. If the node is part of a distributed deployment, deregister the node from the deployment and make it a standalone node.
• Do not use the no ip address command when you change the Cisco ISE appliance IP address.

Step 1 Log in to the Cisco ISE CLI.

Step 2 Enter the following commands:
a) configure terminal
b) interface GigabitEthernet 0
c) ip address new_ip_address new_subnet_mask
The system prompts you for the IP address change.

Enter Y. A screen similar to the following one appears.
    ise-13-infra-2/admin(config-GigabitEthernet)# ip address a.b.c.d 255.255.255.0
    % Changing the IP address might cause ISE services to restart
    Continue with IP address change? Y/N [N]: y
    Stopping ISE Monitoring & Troubleshooting Log Collector...
    Stopping ISE Monitoring & Troubleshooting Log Processor...
    Stopping ISE Identity Mapping Service...
    Stopping ISE pxGrid processes...
    Stopping ISE Application Server...
    Stopping ISE Certificate Authority Service...
    Stopping ISE Profiler Database...
    Stopping ISE Monitoring & Troubleshooting Session Database...
    Stopping ISE AD Connector...
    Stopping ISE Database processes...
    Starting ISE Monitoring & Troubleshooting Session Database...
    Starting ISE Profiler Database...
    Starting ISE pxGrid processes...
    Starting ISE Application Server...
    Starting ISE Certificate Authority Service...
    Starting ISE Monitoring & Troubleshooting Log Processor...
    Starting ISE Monitoring & Troubleshooting Log Collector...
    Starting ISE Identity Mapping Service...
    Starting ISE AD Connector...
    Note: ISE Processes are initializing. Use 'show application status ise' CLI to verify all processes are in running state.
Cisco ISE prompts you to restart the system.
Step 3 Enter Y to restart the system.

Viewing Installation and Upgrade History
Cisco ISE provides a Command Line Interface (CLI) command to view the details of installation, upgrade, and uninstallation of Cisco ISE releases and patches. The show version history command provides the following details:
• Date—Date and time at which the installation or uninstallation was performed
• Application—Cisco ISE application
• Version—Version that was installed or removed.

• Action—Installation, Uninstallation, Patch Installation, or Patch Uninstallation
• Bundle Filename—Name of the bundle that was installed or removed
• Repository—Repository from which the Cisco ISE application bundle was installed. Not applicable for uninstallation.

Step 1 Log in to the Cisco ISE CLI.
Step 2 Enter the following command: show version history. The following output appears:
    Positron/admin# Show version history
    ---------------------------------------------
    Install Date: Tue Mar 03 20:25:58 UTC 2015
    Application: ise
    Version: 1.4.0.205
    Install type: Application Install
    Bundle filename: ise.tar.gz
    Repository: SystemDefaultPkgRepos

Configuring RAID on SNS-3415 Appliance On the SNS-3415 appliance, you must manually configure the Redundant Array of Independent Disks (RAID) before installing Cisco ISE.

Step 1 Press Ctrl + Alt + Del to reboot the appliance.
Step 2 Press Ctrl+M to enter the LSI Software RAID Configuration menu.
Step 3 From the Management menu, select Configure.
Step 4 Select Clear Configuration and confirm your selection.
Step 5 Select Easy Configuration. A box with the READY label appears.
Step 6 Press the space bar to select that volume. The label changes to ONLIN A00-xx.
Step 7 Press F10 to configure the volume and press the space bar to select the array.
Step 8 Press F10 to configure the array. A box appears specifying the volume data, including the size (557.8 GB) and RAID 0.
Step 9 Use the arrow keys to navigate to Accept and press Enter.
Step 10 Press the Escape key and save the configuration.
Step 11 Press the Escape key thrice to exit all menus. You will be prompted to reboot the appliance.
Step 12 Reboot the appliance.
Step 13 After you install Cisco ISE and reboot the appliance, press F6 to enter the Boot Order menu.
Step 14 Select Embedded SCU RAID to boot from the hard disk.

Configuring RAID on SNS-3495 Appliance Using CIMC
You must configure the Redundant Array of Independent Disks (RAID) using CIMC before installing Cisco ISE.

Before You Begin
You must have configured CIMC before you can configure the RAID on the SNS-3495 appliance. Refer to Configuring Cisco Integrated Management Controller, on page 21.

Step 1 In the CIMC user interface, choose Server > BIOS > Configure BIOS Parameter.

Step 2 Click the Advanced tab. In the Onboard Storage area, set the Onboard SCU Storage Support option to Enabled.
Step 3 Click Save Changes. The following message appears:
    Reboot Host Immediately option is not selected. BIOS settings will be applied only on next host reboot. Continue?

Step 4 Click Yes.
Step 5 Choose Server > Summary > Power Cycle Server.
Step 6 Click OK.
Step 7 Choose Server > Summary > Launch KVM Console. The console screen of the kernel-based virtual machine (KVM) appears.
Step 8 Choose Server > Summary > Power Cycle Server.
Step 9 During bootup, press Ctrl+H to access the WebBIOS.
Step 10 In the KVM WebBIOS, click Start.
Step 11 In the BIOS Config Utility Physical Configuration pane, click Configuration Wizard.
Step 12 Click Add Configuration, and then click Next.

Step 13 Click Automatic Configuration.
Step 14 In the Redundancy drop-down list, select the Redundancy When Possible option, and then click Next.
Step 15 Click Yes to save the configuration.
Step 16 Click Yes to initialize the new virtual drive.
Step 17 Click Set Boot Drive, and then click Go.
Step 18 Click Home.
Step 19 Click Exit.
Step 20 Click Yes.
Step 21 Reboot the server.
Step 22 Choose Inventory > Storage > Virtual Drive Info. Ensure that the newly added virtual drive is listed in the Virtual Drive Info tab.

Performing a System Erase

You can perform a system erase to securely erase all information from your Cisco ISE appliance or VM. This option ensures that Cisco ISE is compliant with the NIST Special Publication 800-88 data destruction standards.

Before You Begin

Make sure you understand the following connection-related conditions that can cause a problem when attempting to use the Cisco ISE Software DVD to start up a Cisco ISE appliance:
• You have a terminal server associated with the serial console connection to the Cisco ISE appliance that is set to exec. Setting it to no exec allows you to use a KVM connection and a serial console connection.
• You have a keyboard and video monitor (KVM) connection to the Cisco ISE appliance (this can be either a remote KVM or a VMware vSphere client console connection).
• You have a serial console connection to the Cisco ISE appliance.

Step 1 Ensure that the Cisco ISE appliance is powered up.
Step 2 Insert the Cisco ISE Software DVD. For example, the Cisco ISE 3415 console displays the following message:

Welcome to the Cisco Identity Services Engine Installer
Cisco ISE Version: 1.4.0.205
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
Boot existing OS from hard disk.
Enter boot option and press .

Step 3 At the system prompt, enter 3 if you use a keyboard and video monitor connection to the appliance, or enter 4 if you use a local serial console port connection.

The system displays the ISO utilities menu as shown below.

Cisco ISE System Utilities Menu
Available System Utilities:
[1] Recover administrator password
[2] Virtual Machine Resource Check
[3] System Erase
[4] Install Media Check
[q] Exit and reload
Enter option and press

Step 4 Enter 3 to perform a system erase. The console displays:

* W A R N I N G *
* YOU ARE ABOUT TO PERFORM A SYSTEM ERASE. THIS ACTION WILL DELETE ALL CONTENT OF THE HARD DISK BY WRITING A SEQUENCE OF RANDOM BYTES, FOLLOWED BY ZEROS DIRECTLY TO THE HARD DISK DEVICE.
ARE YOU SURE YOU WANT TO PROCEED? [Y/N] Y

Step 5 Enter Y. The console prompts you with another warning:
THIS IS YOUR LAST CHANGE TO ABORT. PROCEED WITH SYSTEM ERASE? [Y/N] Y

Step 6 Enter Y to perform a system erase. The console displays:
Deleting system disk, please wait…
Writing random data to all sectors of disk device (/dev/sda)…
Writing zeros to all sectors of disk device (/dev/sda)…
Completed! System is now erased.
Press to reboot.

After you perform a system erase, if you want to reuse the appliance, you must boot the system using the Cisco ISE DVD and choose the install option from the boot menu.


APPENDIX A
Cisco SNS-3400 Series Server Specifications
• Physical Specifications, page 75
• Environmental Specifications, page 75
• Power Specifications, page 76

Physical Specifications

Table 14: Cisco SNS-3400 Series Server Physical Specifications
Height: 1.7 in. (4.3 cm)
Width: 16.9 in. (42.9 cm)
Depth: 28.5 in. (72.4 cm)
Weight (fully loaded chassis): 35.6 lb. (16.1 kg)

Environmental Specifications

Table 15: Cisco SNS-3400 Series Server Environmental Specifications
Temperature, operating: 41 to 104°F (5 to 40°C). Derate the maximum temperature by 1°C per every 305 meters of altitude above sea level.
Temperature, non-operating: –40 to 149°F (–40 to 65°C)
Humidity (RH), noncondensing: 10 to 90 percent
Altitude, operating: 0 to 10,000 feet
Altitude, non-operating: 0 to 40,000 feet
Sound power level, measured A-weighted per ISO7779, LwAd (Bels), operation at 73°F (23°C): 5.4
Sound pressure level, measured A-weighted per ISO7779, LpAm (dBA), operation at 73°F (23°C): 37

Power Specifications

Related Topics: Connecting and Powering On the Server

450-Watt Power Supply

You can get more specific power information for your exact server configuration by using the Cisco UCS Power Calculator.

Note: Do not mix power supply types in the server. Both power supplies must be 450W.

Table 16: Cisco SNS-3400 Series Server 450-Watt Power Supply Specifications
AC input voltage range: Low range: 100 VAC to 120 VAC; High range: 200 VAC to 240 VAC
AC input frequency: Range: 47 to 63 Hz (single phase, 50 to 60 Hz nominal)
AC line input current (steady state): 6.0 A peak at 100 VAC; 3.0 A peak at 208 VAC
Maximum output power for each power supply: 450 Watts
Power supply output voltage: Main power: 12 VDC; Standby power: 12 VDC

650-Watt Power Supply

You can get more specific power information for your exact server configuration by using the Cisco UCS Power Calculator.

Note: Do not mix power supply types in the server. Both power supplies must be 650W.

Table 17: Cisco SNS-3400 Series Server 650-Watt Power Supply Specifications
AC input voltage range: 90 to 264 VAC (self-ranging, 180 to 264 VAC nominal)
AC input frequency: Range: 47 to 63 Hz (single phase, 50 to 60 Hz nominal)
AC line input current (steady state): 7.6 A peak at 100 VAC; 3.65 A peak at 208 VAC
Maximum output power for each power supply: 650 Watts
Power supply output voltage: Main power: 12 VDC; Standby power: 12 VDC


APPENDIX B
Cisco SNS-3400 Series Appliance Ports Reference
• Cisco ISE Infrastructure, page 79
• Cisco ISE Administration Node Ports, page 81
• Cisco ISE Monitoring Node Ports, page 82
• Cisco ISE Policy Service Node Ports, page 84
• Inline Posture Node Ports, page 87
• Cisco ISE pxGrid Service Ports, page 88
• OCSP and CRL Service Ports, page 89

Cisco ISE Infrastructure

This appendix lists the TCP and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork communications with external applications and devices.

The Cisco ISE ports listed in this appendix must be open on the corresponding firewall.

Keep in mind the following information when configuring services on a Cisco ISE network:
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• Cisco ISE communicates with the Network Access Devices (NADs) at Layer 3. Use the logical Layer 3 VLAN interface or the physical Layer 3 interface when connecting Cisco ISE with a switch.
• All NICs can be configured with IP addresses.


Cisco ISE Administration Node Ports

The tables in this appendix list, for each Cisco ISE service, the ports used on Gigabit Ethernet 0 through Gigabit Ethernet 3. A dash (—) means the service does not use that interface.

Administration (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: —)
• HTTP: TCP/80, HTTPS: TCP/443 (TCP/80 redirected to TCP/443; not configurable)
• SSH Server: TCP/22
• External RESTful Services (ERS) REST API: TCP/9060
• TCP/9002 (to display Sponsor portal from the Admin GUI)
• Outbound traffic from Cisco ISE to external authentication stores (Admin User Interface Authentication):
  ◦ LDAP: TCP/389, 3268, UDP/389
  ◦ SMB: TCP/445
  ◦ KDC: TCP/88, UDP/88
  ◦ KPASS: TCP/464
Note: HTTPS and SSH access to Cisco ISE is restricted to Gigabit Ethernet 0.
Note: As Inline Posture nodes do not support the Administration persona, they will not have access to ports 80 and 443.
Note: Ports 80 and 443 support Admin web applications and are enabled by default.

Replication and Synchronization (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: —)
• HTTPS (SOAP): TCP/443
• Data synchronization/Replication (JGroups): TCP/12001 (Global)

Monitoring
• SNMP Query: UDP/161
Note: This port is route table dependent.

Logging (Outbound)
• Syslog: UDP/20514, TCP/1468
• Secure Syslog: TCP/6514
• SNMP Traps: UDP/162
Note: Default ports are configurable for external logging.

External Identity Sources and Resources (Outbound)
• Admin User Interface and Endpoint Authentications:
  ◦ LDAP: TCP/389, 3268, UDP/389
  ◦ SMB: TCP/445
  ◦ KDC: TCP/88, UDP/88
  ◦ KPASS: TCP/464
• NTP: UDP/123
• DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Guest
• Guest account expiry email notification: SMTP: TCP/25

Cisco ISE Monitoring Node Ports

Administration (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: —)
• HTTP: TCP/80, HTTPS: TCP/443
• SSH Server: TCP/22

Replication and Synchronization
Gigabit Ethernet 0:
• HTTPS (SOAP): TCP/443
• Oracle DB Listener: TCP/1521
• Data Synchronization/Replication (JGroups): TCP/12001 (Global)
Gigabit Ethernet 1, 2, 3:
• Oracle DB Listener: TCP/1521

Monitoring
• Simple Network Management Protocol (SNMP): UDP/161
Note: This port is route table dependent.

Logging
• Syslog: UDP/20514, TCP/1468
• Secure Syslog: TCP/6514
• SMTP: TCP/25
• SNMP Traps: UDP/162
Note: Default ports are configurable for external logging.

External Identity Sources and Resources (Outbound)
• Admin User Interface and Endpoint Authentications:
  ◦ LDAP: TCP/389, 3268, UDP/389
  ◦ SMB: TCP/445
  ◦ KDC: TCP/88, UDP/88
  ◦ KPASS: TCP/464
• NTP: UDP/123
• DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Bulk Download for pxGrid
• SSL: TCP/8910

Cisco ISE Policy Service Node Ports

Administration (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: Cisco ISE management is restricted to Gigabit Ethernet 0)
• HTTP: TCP/80, HTTPS: TCP/443
• SSH Server: TCP/22
• OCSP: TCP/2560

Replication and Synchronization (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: —)
• HTTPS (SOAP): TCP/443
• Data Synchronization/Replication (JGroups): TCP/12001 (Global)

Clustering (Node Group) (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: —)
• Node Groups/JGroups: TCP/7800
• Node Failure Detection: TCP/7802

Monitoring
• Simple Network Management Protocol (SNMP): UDP/161
Note: This port is route table dependent.

Logging (Outbound)
• Syslog: UDP/20514, TCP/1468
• Secure Syslog: TCP/6514
• SNMP Traps: UDP/162
Note: Default ports are configurable for external logging.

Session
• RADIUS Authentication: UDP/1645, 1812
• RADIUS Accounting: UDP/1646, 1813
• RADIUS Change of Authorization (CoA) Send: UDP/1700
• RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799
Note: UDP port 3799 is not configurable.

External Identity Sources and Resources (Outbound)
• Admin User Interface and Endpoint Authentications:
  ◦ LDAP: TCP/389, 3268
  ◦ SMB: TCP/445
  ◦ KDC: TCP/88
  ◦ KPASS: TCP/464
• NTP: UDP/123
• DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Web Portal Services (Guest/Web Authentication, Guest Sponsor Portal, My Devices Portal, Client Provisioning, BlackListing Portal)
HTTPS (the interface must be enabled for the service in Cisco ISE):
• Blacklist Portal: TCP/8000-8999 (Default port is TCP/8444.)
• Guest Portal and Client Provisioning: TCP/8000-8999 (Default port is TCP/8443.)
• My Devices Portal: TCP/8000-8999 (Default port is TCP/8443.)
• Sponsor Portal: TCP/8000-8999 (Default port is TCP/8443.)
• SMTP Notification: TCP/25

Posture (Discovery, Provisioning, Assessment/Heartbeat)
• Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
Note: By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.
• Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)
• Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning
• Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch NAC Agent Install: See Web Portal Services: Guest Portal and Client Provisioning
• Provisioning - NAC Agent Install: TCP/8443
• Provisioning - NAC Agent Update Notification: UDP/8905 (SWISS)
• Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)
• Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)
• Assessment - PRA/Keep-alive: UDP/8905 (SWISS)

Bring Your Own Device (BYOD) / Network Service Protocol (NSP) (Redirection, Provisioning, SCEP)
• Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning
• Provisioning - Active-X and Java Applet Install (includes the launch of Wizard Install): See Web Portal Services: Guest Portal and Client Provisioning
• Provisioning - Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443
• Provisioning - Wizard Install from Google Play (Android): TCP/443
• Provisioning - Supplicant Provisioning Process: TCP/8905
• SCEP Proxy to CA: TCP/80 or TCP/443 (based on SCEP RA URL configuration)

Mobile Device Management (MDM) API Integration
• URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning
• API: Vendor specific
• Agent Install and Device Registration: Vendor specific

Profiling
• NetFlow: UDP/9996 (This port is configurable.)
• DHCP: UDP/67 (This port is configurable.)
• DHCP SPAN Probe: UDP/68
• HTTP: TCP/80, 8080
• DNS: UDP/53 (lookup) (This port is route table dependent.)
• SNMP Query: UDP/161 (This port is route table dependent.)
• SNMP TRAP: UDP/162 (This port is configurable.)

Inline Posture Node Ports

Note: As Inline Posture nodes do not support the Administration persona, they will not have access to ports TCP 80 and 443.

Note: Inline Posture node High Availability does not apply to any other Cisco ISE node types.

Administration (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: —)
• HTTPS: TCP/8443
Note: TCP 8443 is used by the Administration node.
• SSH Server: TCP/22

Inline Posture
Gigabit Ethernet 0:
• RADIUS Proxy for Authentication: UDP/1645, 1812
• RADIUS Proxy for Accounting: UDP/1646, 1813
• RADIUS CoA: UDP/1700, 3799
Note: UDP port 3799 is not configurable.
• Redirect: TCP/9090
Gigabit Ethernet 1:
• RADIUS Proxy for Authentication: UDP/1645, 1812
• RADIUS Proxy for Accounting: UDP/1646, 1813
• RADIUS CoA: Not applicable
• Redirect: TCP/9090
Gigabit Ethernet 2, 3: —

Logging (Outbound)
Gigabit Ethernet 0: Syslog: UDP/20154 (This port is configurable.)
Gigabit Ethernet 1: Syslog: UDP/20154 (This port is configurable.)
Gigabit Ethernet 2, 3: —

High Availability
Gigabit Ethernet 3: Heartbeat: UDP/694
Gigabit Ethernet 2: Heartbeat: UDP/694 (Heartbeat)
Gigabit Ethernet 0, 1: —

Cisco ISE pxGrid Service Ports

Administration (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: —)
• SSL: TCP/5222 (Inter-Node Communication)
• SSL: TCP/7400 (Node Group Communication)

Replication and Synchronization (Gigabit Ethernet 0; Gigabit Ethernet 1, 2, 3: —)
• Data Synchronization and Replication (JGroups): TCP/12001 (Global)

OCSP and CRL Service Ports

For the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services, the ports depend on the CA server or on the service hosting OCSP/CRL; the Cisco ISE services and ports tables in this appendix list only the basic ports used by the Cisco ISE Administration Node, Policy Service Node, Monitoring Node, and Inline Posture Node.

For OCSP, the default ports that can be used are TCP 80 and TCP 443. The Cisco ISE Admin portal expects an HTTP-based URL for OCSP services, so TCP 80 is the default. You can also use non-default ports. For CRL, the default protocols are HTTP, HTTPS, and LDAP, and the default ports are 80, 443, and 389 respectively. The actual port is contingent on the CRL server.
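A practical use of the per-persona tables above is to check that only the documented listeners are reachable on each interface, so that firewall rules and flow logs can be compared against the reference. The following Python script is an added example and not Cisco code: the (protocol, port) pairs are transcribed from the Administration, Monitoring and Policy Service node tables in this appendix, while the flow record format, the interface names and the sample flow lines are constructed assumptions.

```python
"""Audit observed flows to a Cisco ISE 1.4 node against the listeners this
appendix documents. Added example, not Cisco code: the (protocol, port) pairs
are transcribed from the Administration, Monitoring and Policy Service node
tables above; the Flow record format, the interface names and the sample
flow lines are constructed for illustration."""
from dataclasses import dataclass

# Listeners every persona exposes on Gigabit Ethernet 0.
COMMON_GE0 = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 12001),
              ("udp", 161)}

# Per-persona listeners on Gigabit Ethernet 0, from the appendix tables.
LISTENERS_GE0 = {
    "admin": COMMON_GE0 | {("tcp", 9060), ("tcp", 9002)},
    "monitoring": COMMON_GE0 | {("tcp", 1521), ("tcp", 8910)},
    "psn": COMMON_GE0 | {
        ("tcp", 2560), ("tcp", 7800), ("tcp", 7802),            # OCSP, clustering
        ("udp", 1700), ("udp", 3799),                            # CoA listen/relay
        ("tcp", 8905), ("udp", 8905),                            # posture, SWISS
        ("udp", 9996), ("udp", 67), ("udp", 68), ("tcp", 8080),  # profiling probes
    },
}
# Listeners the appendix shows on every interface, not only GE0.
LISTENERS_ANY_IFACE = {
    "monitoring": {("tcp", 1521)},                                   # Oracle DB
    "psn": {("udp", 1645), ("udp", 1812), ("udp", 1646), ("udp", 1813)},  # RADIUS
}
PORTAL_RANGE = range(8000, 9000)   # PSN web portals, defaults TCP/8443 and 8444
MGMT_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443)}  # HTTPS/SSH only on GE0


@dataclass(frozen=True)
class Flow:
    src: str
    iface: str    # ISE interface that received the packet, e.g. GigabitEthernet0
    proto: str    # "tcp" or "udp"
    dport: int


def is_documented(persona: str, flow: Flow) -> bool:
    """True if the flow targets a listener the appendix documents for this persona."""
    key = (flow.proto.lower(), flow.dport)
    on_ge0 = flow.iface == "GigabitEthernet0"
    if key in MGMT_PORTS:
        return on_ge0          # management access is restricted to GE0
    if key in LISTENERS_ANY_IFACE.get(persona, set()):
        return True
    if persona == "psn" and key[0] == "tcp" and flow.dport in PORTAL_RANGE:
        return True            # portal interface must be enabled in ISE
    return on_ge0 and key in LISTENERS_GE0[persona]


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["iface"], kv["proto"], int(kv["dport"]))


def audit(persona: str, lines) -> list:
    """Return the flow records that do not match a documented listener."""
    return [line for line in lines if not is_documented(persona, parse_flow(line))]


# Constructed flow records as seen by an Administration node.
SAMPLE_ADMIN_FLOWS = [
    "src=10.1.1.5 iface=GigabitEthernet0 proto=tcp dport=443",    # admin GUI
    "src=10.1.1.5 iface=GigabitEthernet0 proto=tcp dport=9060",   # ERS API
    "src=10.1.2.9 iface=GigabitEthernet1 proto=tcp dport=22",     # SSH on GE1
    "src=10.1.3.7 iface=GigabitEthernet0 proto=udp dport=1812",   # RADIUS to Admin
]

if __name__ == "__main__":
    for line in audit("admin", SAMPLE_ADMIN_FLOWS):
        print("undocumented:", line)
```

Run against an Administration node, the two sample flows flagged are SSH arriving on Gigabit Ethernet 1 and RADIUS sent to a node that does not run the Policy Service persona.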


INDEX

C
Cisco ISE deployment 1

D
DHCP, enabling 22

E
environmental specifications 75

I
installation 21, 22, 30
  IP settings 22
  NIC modes 21
  NIC redundancy 22
  verification 30
installing Cisco ISE 23, 61
  setup program 23, 61
  post-installation tasks 61
IP settings, DHCP or static 22

N
NIC modes, setting 21
NIC redundancy 22

P
physical specifications 75
post-installation tasks 61
power 76
  specifications 76
Procedure 43

S
setting NIC modes 21
setting NIC redundancy 22
specifications 75, 76
  environmental 75
  physical 75
  power 76
static IP, setting 22

U
upgrading 61
  post-installation tasks 61

V
VMware 31, 32, 43, 44
  configuring 43
  hardware requirements 32
  installing 31
  installing the Cisco ISE appliance 44
