Cisco Identify Services Engine Hardware Installation Guide, Release 1.4

 
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
Cisco Identify Services Engine Hardware Installation Guide, Release
1.4
First Published: February 15, 2015
Last Modified: March 30, 2015

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)

© 2015   Cisco Systems, Inc. All rights reserved.
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
CONTENTS

CHAPTER 1   Network Deployments in Cisco ISE 1
                 Cisco ISE Network Architecture 1
                 Cisco ISE Deployment Terminology 2
                 Node Types and Personas in Distributed Deployments 3
                   Administration Node 3
                   Policy Service Node 4
                   Monitoring Node 4
                   Inline Posture Node 4
                       Installing an Inline Posture Node 5
                       Inline Posture Node Reuse 5
                 Standalone and Distributed ISE Deployments 5
                 Distributed Deployment Scenarios 6
                 Small Network Deployments 6
                   Split Deployments 7
                 Medium-Sized Network Deployments 7
                 Large Network Deployments 8
                   Centralized Logging 8
                   Load Balancers 8
                   Dispersed Network Deployments 9
                   Considerations for Planning a Network with Several Remote Sites 10
                 Deployment Size and Scaling Recommendations 11
                 Inline Posture Planning Considerations 13
                 Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions 14

CHAPTER 2   Cisco SNS-3400 Series Appliances 15
                 Cisco SNS Support for Cisco ISE 15
                 Cisco SNS-3400 Series Appliance Hardware Specifications 15
                 Cisco SNS-3400 Series Front Panel 16

                                             Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                       iii
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
Contents

                                     Cisco SNS-3400 Series Rear Panel 16

CHAPTER 3                     Installing and Configuring a Cisco SNS-3400 Series Appliance 19
                                     Prerequisites for Installing the SNS-3400 Series Appliance 19
                                     Downloading the Cisco ISE ISO Image from Cisco.com 20
                                     Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance 20
                                     Configuring Cisco Integrated Management Controller 21
                                     Creating a Bootable USB Drive 22
                                     Cisco ISE Setup Program Parameters 23
                                     Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC 25
                                         Supported Time Zones 28
                                     Setup Process Verification 30

CHAPTER 4                     Installing ISE on a VMware Virtual Machine 31
                                     ISE Features Not Supported in a Virtual Machine 31
                                     Supported VMware Versions 31
                                     Support for VMware vMotion 32
                                     Support for Open Virtualization Format 32
                                     Virtual Machine Requirements 32
                                         Virtual Machine Appliance Size Recommendations 34
                                         Disk Space Requirements 35
                                         Disk Space Guidelines 35
                                     Virtual Machine Resource and Performance Checks 36
                                         On Demand Virtual Machine Performance Check Using the Show Tech Support
                                             Command 37
                                         Virtual Machine Resource Check from the Cisco ISE Boot Menu 37
                                     Obtaining the Cisco ISE Evaluation Software 38
                                     Installing Cisco ISE on Virtual Machines 39
                                         Deploying Cisco ISE on Virtual Machines Using OVA Templates 39
                                         Installing Cisco ISE on Virtual Machines Using the ISO File 39
                                              Prerequisites for Configuring a VMware ESXi Server 40
                                                    Virtualization Technology Check 41
                                                    Enabling Virtualization Technology on an ESXi Server 41
                                                    Configuring VMware Server Interfaces for the Cisco ISE Profiler Service 42
                                              Connecting to the VMware Server Using the Serial Console 42

             Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
  iv
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
Contents

                           Configuring a VMware Server 43
                           Configuring a VMware System to Boot From a Cisco ISE Software DVD 44
                           Installing Cisco ISE Software on a VMware System 44
                           Cisco ISE ISO Installation on Virtual Machine Fails 46
                       Cloning a Cisco ISE Virtual Machine 46
                           Cloning a Cisco ISE Virtual Machine Using a Template 47
                               Creating a Virtual Machine Template 47
                               Deploying a Virtual Machine Template 48
                           Changing the IP Address and Hostname of a Cloned Virtual Machine 48
                           Connecting a Cloned Cisco Virtual Machine to the Network 50
                    Migrating Cisco ISE VM from Evaluation to Production 50

CHAPTER 5      Installing Cisco ISE Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS
                        Appliances 53
                    Supported Cisco ISE, Secure ACS, and NAC Appliances 53
                    Installing Cisco ISE Software from a DVD 54
                    Installing Cisco ISE Software on a Re-imaged Cisco ISE-3300 Series Appliance 54
                    Installing Cisco ISE Software on a Re-imaged Cisco Secure ACS Appliance 55
                    Installing Cisco ISE Software on a Re-imaged Cisco NAC Appliance 56
                       Resetting the Existing RAID Configuration on a Cisco NAC Appliance 57

CHAPTER 6      Managing Administrator Accounts 59
                    CLI-Admin and Web-Based Admin User Right Differences 59
                    CLI Admin Users Creation 60
                    Web-Based Admin Users Creation 60

CHAPTER 7      Post-Installation Tasks 61
                    Logging in to the Cisco ISE Web-Based Interface 61
                    Cisco ISE Configuration Verification 62
                       Verifying a Configuration Using a Web Browser 63
                       Verifying a Configuration Using the CLI 63
                    VMware Tools Installation Verification 64
                       Verify VMWare Tools Installation Using the Summary Tab in the vSphere Client 65
                       Verify VMWare Tools Installation Using the CLI 65
                       Support for Upgrading VMware Tools 66

                                                 Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                           v
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
Contents

                                     Administrator Password Reset 66
                                         Resetting a Lost, Forgotten, or Compromised Password using the DVD 66
                                         Resetting a Password Due to Administrator Lockout 67
                                     Changing the IP Address of a Cisco ISE Appliance 68
                                     Viewing Installation and Upgrade History 69
                                     Configuring RAID on SNS-3415 Appliance 70
                                     Configuring RAID on SNS-3495 Appliance Using CIMC 70
                                     Performing a System Erase 71

APPENDIX A                      Cisco SNS-3400 Series Server Specifications 75
                                     Physical Specifications 75
                                     Environmental Specifications 75
                                     Power Specifications 76
                                         450-Watt Power Supply 76
                                         650-Watt Power Supply 77

APPENDIX B                      Cisco SNS-3400 Series Appliance Ports Reference 79
                                     Cisco ISE Infrastructure 79
                                     Cisco ISE Administration Node Ports 81
                                     Cisco ISE Monitoring Node Ports 82
                                     Cisco ISE Policy Service Node Ports 84
                                     Inline Posture Node Ports 87
                                     Cisco ISE pxGrid Service Ports 88
                                     OCSP and CRL Service Ports 89

             Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
  vi
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
CHAPTER                    1
          Network Deployments in Cisco ISE
            • Cisco ISE Network Architecture, page 1
            • Cisco ISE Deployment Terminology, page 2
            • Node Types and Personas in Distributed Deployments, page 3
            • Standalone and Distributed ISE Deployments, page 5
            • Distributed Deployment Scenarios, page 6
            • Small Network Deployments, page 6
            • Medium-Sized Network Deployments, page 7
            • Large Network Deployments, page 8
            • Deployment Size and Scaling Recommendations, page 11
            • Inline Posture Planning Considerations, page 13
            • Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions, page
              14

Cisco ISE Network Architecture
          Cisco ISE architecture includes the following components:
              • Nodes and persona types
                   ◦Cisco ISE node—A Cisco ISE node can assume any or all of the following personas: Administration,
                    Policy Service, Monitoring, or pxGrid
                   ◦Inline Posture node—A gatekeeping node that takes care of access policy enforcement

              • Network resources
              • Endpoints

          The policy information point represents the point at which external information is communicated to the Policy
          Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP)
          attribute.

                                              Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                        1
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
Network Deployments in Cisco ISE
     Cisco ISE Deployment Terminology

                       The following figure shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring),
                       an Inline Posture node, and a policy information point.

                       Figure 1: Cisco ISE Architecture

Cisco ISE Deployment Terminology
                       This guide uses the following terms when discussing Cisco ISE deployment scenarios:

                        Term                                                Definition
                        Service                                             A specific feature that a persona provides such as network access,
                                                                            profiling, posture, security group access, monitoring, and
                                                                            troubleshooting.

                        Node                                                An individual instance that runs the Cisco ISE software. Cisco
                                                                            ISE is available as an appliance and as software that can be run
                                                                            on VMware.

                        Node Type                                           A node can be one of two types: A Cisco ISE node or an Inline
                                                                            Posture node. The node type and persona determine the type of
                                                                            functionality provided by a node

           Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
 2
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
Network Deployments in Cisco ISE
                                                                                      Node Types and Personas in Distributed Deployments

                        Term                                         Definition
                        Persona                                      Determines the services provided by a node. A Cisco ISE node
                                                                     can assume any or all of the following personas: Administration,
                                                                     Policy Service, and Monitoring. The menu options that are
                                                                     available through the administrative user interface depend on the
                                                                     role and personas that a node assumes.

                        Role                                         Determines if a node is a standalone, primary, or secondary node
                                                                     and applies only to Administration and Monitoring nodes.

Node Types and Personas in Distributed Deployments
                       In a Cisco ISE distributed deployment, there are two types of nodes:
                           • Cisco ISE node (Administration, Policy Service, Monitoring)
                           • Inline Posture node

                       A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment,
                       with the exception of the Inline Posture node, can assume the Administration, Policy Service, and Monitoring
                       personas. In a distributed deployment, you can have the following combination of nodes on your network:
                           • Primary and secondary Administration nodes for high availability
                           • A pair of Monitoring nodes for automatic failover
                           • One or more Policy Service nodes for session failover
                           • A pair of Inline Posture nodes for high availability

                       Related Topics
                           Administration Node, on page 3
                           Policy Service Node, on page 4
                           Monitoring Node, on page 4
                           Inline Posture Node, on page 4

Administration Node
                       A Cisco ISE node with the Administration persona allows you to perform all administrative operations on
                       Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication,
                       authorization, and accounting. In a distributed deployment, you can have a maximum of two nodes running
                       the Administration persona. The Administration persona can take on the standalone, primary, or secondary
                       role.

                       Related Topics
                           Node Types and Personas in Distributed Deployments, on page 3

                                                             Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                           3
Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
Network Deployments in Cisco ISE
      Policy Service Node

Policy Service Node
                        A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client
                        provisioning, and profiling services. This persona evaluates the policies and provides network access to
                        endpoints based on the result of the policy evaluation. Typically, there is more than one Policy Service node
                        in a distributed deployment. All Policy Service nodes that reside behind a load balancer share a common
                        multicast address and can be grouped to form a node group. If one of the nodes in a node group goes down,
                        the other nodes detect the failure and reset any pending sessions.
                        At least one node in your distributed setup should assume the Policy Service persona.

                        Related Topics
                             Node Types and Personas in Distributed Deployments, on page 3

Monitoring Node
                        A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from
                        all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring
                        and troubleshooting tools that you can use to effectively manage a network and resources. A node with this
                        persona aggregates and correlates the data that it collects, and provides you with meaningful reports. Cisco
                        ISE allows you to have a maximum of two nodes with this persona, and they can take on primary or secondary
                        roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. In case
                        the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary
                        Monitoring node.
                        At least one node in your distributed setup should assume the Monitoring persona. We recommend that you
                        do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend
                        that the Monitoring node be dedicated solely to monitoring for optimum performance.

                        Related Topics
                             Node Types and Personas in Distributed Deployments, on page 3

Inline Posture Node
                        An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless
                        LAN controllers (WLCs) and VPN concentrators on the network. Inline Posture enforces access policies after
                        a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a
                        WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes, and they
                        can take on primary or secondary roles for high availability.
                        The Inline Posture node must be a dedicated node. It must be dedicated solely for Inline Posture service, and
                        cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its
                        service, an Inline Posture node cannot assume any persona. For example, it cannot act as an Administration
                        node (offering administration service), or a Policy Service node (offering network access, posture, profile,
                        and guest services), or a Monitoring node (offering monitoring and troubleshooting services).
                        Inline Posture is not supported on the Cisco SNS 3495 platform. Ensure that you install Inline Posture on any
                        one of the following supported platforms:
                             • Cisco ISE 3315

            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
  4
Network Deployments in Cisco ISE
                                                                                                Standalone and Distributed ISE Deployments

                             • Cisco ISE 3355
                             • Cisco ISE 3395
                             • Cisco SNS 3415

                         Related Topics
                             Node Types and Personas in Distributed Deployments, on page 3

      Installing an Inline Posture Node
                         Before You Begin
                             • Download the Inline Posture ISO image from Cisco.com
                             • Configure a certificate for it and register it with the primary Administration node
                               Procedure

Step 1       Install the Inline Posture ISO image on one of the supported platforms.
Step 2       Log into the CLI.
Step 3       Configure the certificates for the node.
Step 4       Log into the user interface of the primary Administration node.
Step 5       Register the Inline Posture node.

                         Related Topics
                             Configuring Certificates for Inline Posture Nodes

      Inline Posture Node Reuse
                         If you decide that you no longer need an Inline Posture node, you cannot add any services or roles to it, but
                         you can change it to a Cisco ISE node and then assign any persona to it. If you want to reuse an Inline Posture
                         node, you must first deregister it and then reimage the appliance and install Cisco ISE on it.

Standalone and Distributed ISE Deployments
                         A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the
                         Administration, Policy Service, and Monitoring personas.
                         A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover
                         and to improve performance, you can set up a deployment with multiple Cisco ISE nodes in a distributed
                         fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are centralized, and
                         processing is distributed across the Policy Service nodes. Depending on your performance needs, you can
                         scale your deployment. A Cisco ISE node can assume any of the following personas: Administration, Policy

                                                              Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                             5
Network Deployments in Cisco ISE
     Distributed Deployment Scenarios

                       Service, and Monitoring. An Inline Posture node cannot assume any other persona, due to its specialized
                       nature and it must be a dedicated node.

Distributed Deployment Scenarios
                            • Small Network Deployments
                            • Medium-Sized Network Deployments
                            • Large Network Deployments

Small Network Deployments
                       The smallest Cisco ISE deployment consists of two Cisco ISE nodes with one Cisco ISE node functioning as
                       the primary appliance in a small network.
                       The primary node provides all the configuration, authentication, and policy capabilities that are required for
                       this network model, and the secondary Cisco ISE node functions in a backup role. The secondary node supports
                       the primary node and maintains a functioning network whenever connectivity is lost between the primary
                       node and network appliances, network resources, or RADIUS.
                       Centralized authentication, authorization, and accounging (AAA) operations between clients and the primary
                       Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates all of the
                       content that resides on the primary Cisco ISE node with the secondary Cisco ISE node. Thus, your secondary
                       node is current with the state of your primary node. In a small network deployment, this type of configuration
                       model allows you to configure both your primary and secondary nodes on all RADIUS clients by using this
                       type of deployment or a similar approach.

                       Figure 2: Small Network Deployment

           Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
 6
Network Deployments in Cisco ISE
                                                                                                                        Split Deployments

                       As the number of devices, network resources, users, and AAA clients increases in your network environment,
                       you should change your deployment configuration from the basic small model and use more of a split or
                       distributed deployment model.

Split Deployments
                       In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described in a small
                       Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to optimize the
                       AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to handle the full workload
                       if there are any problems with AAA connectivity. Neither the primary node nor the secondary nodes handles
                       all AAA requests during normal network operations because this workload is distributed between the two
                       nodes.
                       The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system. In
                       addition, splitting the load provides better loading while the functional status of the secondary node is
                       maintained during the course of normal network operations.
                       In split Cisco ISE deployments, each node can perform its own specific operations, such as network admission
                       or device administration, and still perform all the AAA functions in the event of a failure. If you have two
                       Cisco ISE nodes that process authentication requests and collect accounting data from AAA clients, we
                       recommend that you set up one of the Cisco ISE nodes to act as a log collector.
                       In addition, the split Cisco ISE deployment design provides an advantage because it allows for growth.

                       Figure 3: Split Network Deployment

Medium-Sized Network Deployments
                       As small networks grow, you can keep pace and manage network growth by adding Cisco ISE nodes to create
                       a medium-sized network. In medium-sized network deployments, you can dedicate the new nodes for all AAA
                       functions, and use the original nodes for configuration and logging functions.

                                                            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                            7
Network Deployments in Cisco ISE
      Large Network Deployments

                        As the amount of log traffic increases in a network, you can choose to dedicate one or two of the secondary
                        Cisco ISE nodes for log collection in your network.

                        Figure 4: Medium-Sized Network Deployment

Large Network Deployments

Centralized Logging
                        We recommend that you use centralized logging for large Cisco ISE networks. To use centralized logging,
                        you must first set up a dedicated logging server that serves as a Monitoring persona (for monitoring and
                        logging) to handle the potentially high syslog traffic that a large, busy network can generate.
                        Because syslog messages are generated for outbound log traffic, any RFC 3164-compliant syslog appliance
                        can serve as the collector for outbound logging traffic. A dedicated logging server enables you to use the
                        reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes.
                        You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE node
                        and a generic syslog server. Adding a generic syslog server provides a redundant backup if the Monitoring
                        persona on the Cisco ISE node goes down.

Load Balancers
                        In large centralized networks, you should use a load balancer, which simplifies the deployment of AAA clients.
                        Using a load balancer requires only a single entry for the AAA servers, and the load balancer optimizes the
                        routing of AAA requests to the available servers.

            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
  8
Network Deployments in Cisco ISE
                                                                                                         Dispersed Network Deployments

                       However, having only a single load balancer introduces the potential for having a single point of failure. To
                       avoid this potential issue, deploy two load balancers to ensure a measure of redundancy and failover. This
                       configuration requires you to set up two AAA server entries in each AAA client, and this configuration remains
                       consistent throughout the network.

                       Figure 5: Large Network Deployment

Dispersed Network Deployments
                       Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus with
                       regional, national, or satellite locations elsewhere. The main campus is where the primary network resides,
                       is connected to additional LANs, ranges in size from small to large, and supports appliances and users in
                       different geographical regions and locations.
                       Large remote sites can have their own AAA infrastructure for optimal AAA performance. A centralized
                       management model helps maintain a consistent, synchronized AAA policy. A centralized configuration model
                       uses a primary Cisco ISE node with secondary Cisco ISE nodes. We still recommend that you use a separate

                                                            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                         9
Network Deployments in Cisco ISE
       Considerations for Planning a Network with Several Remote Sites

                          Monitoring persona on the Cisco ISE node, but each remote location should retain its own unique network
                          requirements.

                          Figure 6: Dispersed Deployment

Considerations for Planning a Network with Several Remote Sites
                              • Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight
                                Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the external
                                database that is available for Cisco ISE to access for optimizing AAA performance.
                              • The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible
                                to the AAA clients to reduce network latency effects and the potential for loss of access that is caused
                                by WAN failures.
                              • Cisco ISE has console access for some functions such as backup. Consider using a terminal at each site,
                                which allows for direct, secure console access that bypasses network access to each node.
                              • If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, consider
                                using a Cisco ISE node as a backup for the local site to provide redundancy.
                              • Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access to
                                the external databases.

                          Related Topics
                              Cisco ISE Setup Program Parameters, on page 23

             Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
  10
Network Deployments in Cisco ISE
                                                                                         Deployment Size and Scaling Recommendations

Deployment Size and Scaling Recommendations
                       The following table provides guidance on the type of deployment, number of Cisco ISE nodes, and the type
                       of appliance (small, medium, large) that you need based on the number of endpoints that connect to your
                       network.

                       Table 1: Cisco ISE Deployment—Size and Scaling Recommendations

                        Deployment Type      Number of              Appliance Platform Maximum Number Number of Active
                                             Nodes/Personas                            of Dedicated Policy Endpoints
                                                                                       Service Nodes
                        Small                Standalone or          Cisco ISE 3300      0                                Maximum of 2,000
                                             redundant (2) nodes    Series (3315, 3355,                                  endpoints
                                             with                   3395)
                                             Administration,
                                             Policy Service, and    Cisco ISE 3415            0                          Maximum of 5,000
                                             Monitoring personas                                                         endpoints
                                             enabled
                                                                    Cisco ISE 3495            0                          Maximum of 10,000
                                                                                                                         endpoints

                        Medium               Administration and     Cisco ISE-3355 or 5                                  Maximum of 5,000
                                             Monitoring personas    Cisco SNS 3415                                       endpoints
                                             on single or           appliances for
                                             redundant nodes.       Administration and
                                             Maximum of 2           Monitoring personas
                                             Administration and
                                             Monitoring nodes.      Cisco ISE 3395 or 5                                  Maximum of 10,000
                                                                    Cisco SNS 3495                                       endpoints
                                                                    appliances for
                                                                    Administration and
                                                                    Monitoring personas

                                                           Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                       11
Network Deployments in Cisco ISE
     Deployment Size and Scaling Recommendations

                        Deployment Type            Number of                 Appliance Platform Maximum Number Number of Active
                                                   Nodes/Personas                               of Dedicated Policy Endpoints
                                                                                                Service Nodes
                        Large                      Dedicated                 Cisco ISE 3395      40                       Maximum of
                                                   Administration            appliances for                               100,000 endpoints
                                                   node/nodes.               Administration and
                                                   Maximum of 2              Monitoring personas
                                                   Administration
                                                   nodes.                    Cisco SNS 3495      40                       Maximum of
                                                   Dedicated                 appliances for                               250,000 endpoints
                                                   Monitoring                Administration and
                                                   node/nodes.               Monitoring personas
                                                   Maximum of 2
                                                   Monitoring nodes.
                                                   Dedicated Policy
                                                   Service nodes.
                                                   Maximum of 40
                                                   Policy Service
                                                   nodes.

                       The following table provides guidance on the type of appliance that you would need for a dedicated Policy
                       Service node based on the number of active endpoints the node services.

                       Table 2: Policy Service Node Size Recommendations

                        Form Factor             Platform Size                        Appliance                   Maximum Endpoints
                        Physical                Small                                Cisco ISE-3315              3,000

                                                                                     Cisco SNS-3415              5,000

                                                Medium                               Cisco ISE-3355              6,000

                                                Large                                Cisco ISE-3395              10,000

                                                                                     Cisco SNS-3495              20,000

                        Virtual Machine         Small/Medium/Large                   Comparable to physical      3,000 to 20,000
                                                                                     appliance

                       The following table provides the maximum throughput and the maximum number of endpoints that a single
                       Inline Posture node can support.

           Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
12
Network Deployments in Cisco ISE
                                                                                                   Inline Posture Planning Considerations

                       Table 3: Inline Posture Node Sizing Recommendations

                        Attribute                                   Performance
                        Maximum number of endpoints per             5,000 to 20,000 (gated by Policy Service nodes)
                        physical appliance

                        Maximum throughput per any physical         936 Mbps
                        appliance

                       Related Topics
                           Virtual Machine Requirements, on page 32
                           Migrating Cisco ISE VM from Evaluation to Production, on page 50

Inline Posture Planning Considerations
                       A network or system architect must address the following basic questions when planning to deploy Inline
                       Posture nodes:
                           • Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE
                             networks support up to two Inline Posture nodes configured on a network at any one time.
                           • What type of Inline Posture operating modes will you choose?

                              Caution   The untrusted interface on an Inline Posture node should be disconnected when an Inline
                                        Posture node is being configured. If the trusted and untrusted interfaces are connected
                                        to the same VLAN during initial configuration, and the Inline Posture node boots up
                                        after changing persona, multicast packet traffic gets flooded out of the untrusted interface.
                                        This multicast event can potentially bring down devices that are connected to the same
                                        subnet or VLAN. The Inline Posture node at this time is in the maintenance mode.

                              Caution   Do not change the CLI password for Inline Posture node once it has been added to the
                                        deployment. If the password is changed, when you access the Inline Posture node through
                                        the Administration node, a Java exception error is displayed and the CLI gets locked.
                                        You need to recover the password by using the installation DVD and rebooting the
                                        Inline Posture node. Or, you can set the password to the original one.
                                        If you need to change the password, then deregister the Inline Posture node from the
                                        deployment, modify the password, and then add the node to the deployment with the
                                        new credentials.

                                                            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                            13
Network Deployments in Cisco ISE
      Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Switch and Wireless LAN Controller Configuration Required to
Support Cisco ISE Functions
                         To ensure that Cisco ISE can interoperate with network switches and that functions from Cisco ISE are
                         successful across the network segment, you must configure your network switches with certain required
                         Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass (MAB), and
                         other settings.

            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
 14
CHAPTER                    2
          Cisco SNS-3400 Series Appliances
            • Cisco SNS Support for Cisco ISE, page 15
            • Cisco SNS-3400 Series Appliance Hardware Specifications, page 15
            • Cisco SNS-3400 Series Front Panel, page 16
            • Cisco SNS-3400 Series Rear Panel, page 16

Cisco SNS Support for Cisco ISE
          The Cisco ISE software run on a dedicated Cisco SNS-3400 series appliance or on a VMware server. Cisco
          ISE software does not support the installation of any other packages or applications on this dedicated platform.
          This Cisco ISE software is also supported on Cisco ISE 3300 series, Cisco NAC 3300 series, and Cisco Secure
          ACS 1121 appliances. You can upgrade an existing Cisco ISE 3300 series appliance to the latest release.

          Related Topics
              Installing Cisco ISE Software on a VMware System, on page 44
              Installing Cisco ISE Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances,
            on page 53

Cisco SNS-3400 Series Appliance Hardware Specifications
          Cisco SNS-3400 series appliance hardware consists of Cisco SNS 3415 and 3495 appliances. See the Cisco
          Identity Services Engine (ISE) Data Sheet for the appliance hardware specifications (Table 3).

                                               Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                         15
Cisco SNS-3400 Series Appliances
      Cisco SNS-3400 Series Front Panel

Cisco SNS-3400 Series Front Panel
                         Figure 7: Cisco SNS 3415/3495 Front Panel

                          1    Power button/power status LED                          6   Power supply status LED

                          2    Identification button LED                              7   Network link activity LED

                          3    System status LED                                      8   Asset tag (serial number)

                          4    Fan status LED                                         9   Keyboard, video, mouse (KVM) connector (used
                                                                                          with the KVM cable that provides two USBs,
                                                                                          one Video Graphics Adapter (VGA), and one
                                                                                          serial connector)

                          5    Temperature status LED                                 10 Drives (up to eight hot-swappable, 2 to 5-inch
                                                                                         drives)

Cisco SNS-3400 Series Rear Panel
                         Figure 8: SNS 3415/3495 Rear Panel

            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
 16
Cisco SNS-3400 Series Appliances
                                                                                                        Cisco SNS-3400 Series Rear Panel

                       1           Power supplies (up to two)            7             Serial port (RJ-45 connector)

                       2           Slot 2: Low-profile Peripheral       8              1-GB Ethernet dedicated management port used
                                   Component Interconnect Express                      to access CIMC (labeled M)
                                   (PCIe) slot on riser (half-height,
                                   half-length, x16 connector, x16 lane
                                   width)

                       3           Slot 1: PCIe1 card containing 1-GB 9                1-GB Ethernet port 1 (GigE0) for Cisco ISE
                                   Ethernet ports (GigE2 and GigE3)                    management communication

                       4           1-GB Ethernet port 3 (GigE2)          10            1-GB Ethernet port 2 (GigE1)

                       5           1-GB Ethernet port 4 (GigE3)          11            USB ports

                       6           VGA video connector                   12            Rear identification button

                      Serial Number Location
                      The serial number for the server is printed on a label on the top of the server, near the front.

                                                            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                           17
Cisco SNS-3400 Series Appliances
     Cisco SNS-3400 Series Rear Panel

           Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
18
CHAPTER                    3
          Installing and Configuring a Cisco SNS-3400
          Series Appliance
            • Prerequisites for Installing the SNS-3400 Series Appliance, page 19
            • Downloading the Cisco ISE ISO Image from Cisco.com, page 20
            • Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, page 20
            • Configuring Cisco Integrated Management Controller, page 21
            • Creating a Bootable USB Drive, page 22
            • Cisco ISE Setup Program Parameters, page 23
            • Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC, page 25
            • Setup Process Verification, page 30

Prerequisites for Installing the SNS-3400 Series Appliance
          Review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco ISE
          software on a Cisco SNS-3400 series appliance, as well as the physical, environmental, and power specifications
          later in this guide. For information about regulatory compliance and safety, refer to the RCSI for Cisco
          SNS-3415 and Cisco SNS-3495 Appliances.
          Cisco SNS-3400 series appliances are preinstalled with the Cisco Application Deployment Engine operating
          system (ADE-OS) and the Cisco ISE software.
          Make sure that you identify all of the following configuration settings for each node in your deployment
          before proceeding:
              • Hostname
              • IP address for the Gigabit Ethernet 0 (eth0) interface
              • Netmask
              • Default gateway
              • Domain Name System (DNS) domain

                                               Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                         19
Installing and Configuring a Cisco SNS-3400 Series Appliance
         Downloading the Cisco ISE ISO Image from Cisco.com

                                • Primary name server
                                • Primary Network Time Protocol (NTP) server
                                • System time zone
                                • Username (username for CLI-admin user)
                                • Password (password for CLI-admin user)

                           See the Cisco ISE Setup Program Parameters, on page 23 for a description of these parameters with example
                           values.

                  Note      The Cisco SNS-3400 series appliance must have the RAID configured before you can install Cisco ISE
                            on it. In case you have deleted the RAID configuration on the Cisco SNS-3400 series appliance, you must
                            reconfigure it. See Configuring RAID on SNS-3415 Appliance, on page 70 and Configuring RAID on
                            SNS-3495 Appliance Using CIMC, on page 70 for more information.

                           Related Topics
                                Installing Cisco ISE Software on a Re-imaged Cisco ISE-3300 Series Appliance

Downloading the Cisco ISE ISO Image from Cisco.com
                           Download the ISO image to install Cisco ISE on Cisco SNS-3400 series appliance.

                           Before You Begin
                           For Inline Posture nodes, you must download the Inline Posture Node ISO and continue with the installation
                           process.

Step 1         Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.
Step 2         Click Download Software for this Product
               The Cisco ISE software image comes with a 90-day evaluation license already installed, so you can begin testing all
               Cisco ISE services when the installation and initial configuration is complete.

Methods for Installing the Cisco ISE Software on a SNS-3400
Series Appliance
                           If your SNS-3400 series appliance is running an earlier version of Cisco ISE, you have the option to upgrade
                           it using the application upgrade command. Alternatively, you can reimage your existing SNS-3400 Series
                           appliance to perform a fresh installation of Cisco ISE and register it to an existing deployment.

               Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
   20
Installing and Configuring a Cisco SNS-3400 Series Appliance
                                                                                            Configuring Cisco Integrated Management Controller

                          After you download the ISO image, you can install it on your SNS-3400 Series appliance in any one of the
                          following ways:
                               • Install the ISO image using the CIMC Remote Management Utility. You must configure the CIMC to
                                 perform this remote installation.
                                 1 Configure CIMC.
                                 2 Install the Cisco ISE software remotely.

                               • Install the ISO image using a USB flash drive.
                                 1 Create a bootable USB flash drive using the iso-to-usb.sh script.
                                 2 Connect the USB flash device to the SNS-3400 Series appliance.
                                 3 Install the Cisco ISE software using the local KVM or remotely using the CIMC KVM.

                               • Install the ISO using an external DVD drive with a USB port.
                                 1 Burn the ISO image on to a DVD.
                                 2 Connect the external USB DVD to the SNS-3400 Series appliance.
                                 3 Install the Cisco ISE software via the local KVM or remotely using the CIMC KVM.

                 Note      For installing the Cisco ISE software using a USB flash device or an external DVD with a USB port,
                           CIMC configuration is optional.

                          Related Topics
                               Configuring Cisco Integrated Management Controller, on page 21
                               Creating a Bootable USB Drive, on page 22
                               Cisco ISE Setup Program Parameters, on page 23
                               Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC, on page 25

Configuring Cisco Integrated Management Controller
                          You can perform all operations on Cisco SNS-3400 series appliance through the CIMC, including monitoring
                          the server and system event logs. To do this, you must first configure an IP address and IP gateway to access
                          the CIMC from a web-based browser.

Step 1       Plug in the power cord.
Step 2       Press the Power button to boot the server.
Step 3       During bootup, press F8 when prompted to open the BIOS CIMC Configuration Utility.
Step 4       Set the NIC mode to specify which ports access the CIMC for server management. Cisco ISE can use up to four Gigabit
             Ethernet ports.

                                                                  Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                                 21
Installing and Configuring a Cisco SNS-3400 Series Appliance
         Creating a Bootable USB Drive

                   • Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select NIC redundancy
                     None and select IP settings.
                   • Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the factory default
                     setting, along with active-active NIC redundancy and DHCP enabled.
                   • Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You must select a NIC
                     redundancy and IP setting.
                     Note      The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC (N2XX-ACPCI01)
                               that is installed in PCIe slot 1.

Step 5         Specify the NIC redundancy setting:
                   • None—The Ethernet ports operate independently and do not fail over if there is a problem.
                   • Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.
                   • Active-active—All Ethernet ports are utilized simultaneously.

Step 6         Choose whether to enable DHCP for dynamic network settings or to enter static network settings.
               Note    Before you enable DHCP, this DHCP server must be preconfigured with the range of MAC addresses for the
                       server. The MAC address is printed on a label on the rear of the server. This server has a range of six MAC
                       addresses assigned to the CIMC. The MAC address printed on the label is the beginning of the range of six
                       contiguous MAC addresses.
Step 7         (Optional) Specify VLAN setting and set a default CIMC user password.
               Note    Changes to the settings take effect after approximately 45 seconds. Press F5 to refresh and wait until the new
                       settings appear before you reboot the server in the next step.
Step 8         Press F10 to save your settings and reboot the server.
               Note    If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on the console
                       screen during bootup.

                            What to Do Next
                            Configuring ISE on a Cisco SNS-3400 Series Appliance using CIMC

                            Related Topics
                                Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, on page 20

Creating a Bootable USB Drive
                            The Cisco ISE ISO image contains an “images” directory that has a Readme file and a script to create a bootable
                            USB drive to install Cisco ISE.

                            Before You Begin
                                • Ensure that you have read the Readme file in the “images” directory
                                • You need the following:

               Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
   22
Installing and Configuring a Cisco SNS-3400 Series Appliance
                                                                                                            Cisco ISE Setup Program Parameters

                                      ◦Linux machine with RHEL-6.4, CentOS 6.4. If you are going to use a PC or MAC, ensure that
                                       you have installed a Linux virtual machine (VM) on it.
                                      ◦An 8-GB USB drive
                                      ◦The iso-to-usb.sh script

Step 1       Plug the USB drive into the USB port.
Step 2       Copy the iso-to-usb.sh script and the Cisco ISE ISO image to a directory on the Linux machine.
Step 3       Enter the following command:
             iso-to-usb.sh source_iso usb_device
             For example, # ./iso-to-usb.sh ise-1.4.0.253-x86_64.iso /dev/sdb where iso-to-usb.sh is the name of the script,
             ise-1.4.0.253-x86_64.iso /dev/sdb is the name of the ISO image, and /dev/sdb is your USB device.

Step 4       Enter a value for the appliance that you want to install the image on.
Step 5       Enter Y to continue.
Step 6       A success message appears.
Step 7       Unplug the USB drive.

                          What to Do Next
                          Configuring ISE on a Cisco SNS-3400 Series Appliance using CIMC

                          Related Topics
                               Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, on page 20

Cisco ISE Setup Program Parameters
                          When the Cisco ISE software configuration begins, an interactive CLI prompts you to enter required parameters
                          to configure the system.

                 Note      If you are installing Cisco ISE software on a VMware server, Cisco ISE also installs and configures
                           VMware Tools, Version 8.3.2, during the initial setup.

                                                                  Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                                 23
Installing and Configuring a Cisco SNS-3400 Series Appliance
     Cisco ISE Setup Program Parameters

                       Table 4: Cisco ISE Setup Program Parameters

                        Prompt                 Description                                                         Example
                        Hostname               Must not exceed 15 characters. Valid characters include             isebeta1
                                               alphanumerical (A–Z, a–z, 0–9), and the hyphen (-). The
                                               first character must be a letter.
                                               Note       We recommend that you use lowercase letters to
                                                          ensure that certificate authentication in Cisco ISE
                                                          is not impacted by minor differences in
                                                          certificate-driven verifications. You cannot use
                                                          "localhost" as hostname for a node.
                        (eth0) Ethernet        Must be a valid IPv4 address for the Gigabit Ethernet 0             10.12.13.14
                        interface              (eth0) interface.
                        address

                        Netmask                Must be a valid IPv4 netmask.                                       255.255.255.0

                        Default gateway Must be a valid IPv4 address for the default gateway.                      10.12.13.1

                        DNS domain             Cannot be an IP address. Valid characters include ASCII       example.com
                        name                   characters, any numerals, the hyphen (-), and the period (.).

                        Primary name           Must be a valid IPv4 address for the primary name server. 10.15.20.25
                        server

                        Add/Edit               Must be a valid IPv4 address for an additional name server. (Optional) Allows you to
                        another name                                                                       configure multiple name
                        server                                                                             servers. To do so, enter y to
                                                                                                           continue.

                        Primary NTP            Must be a valid IPv4 address or hostname of a Network               clock.nist.gov
                        server                 Time Protocol (NTP) server.

                        Add/Edit               Must be a valid NTP domain.                                         (Optional) Allows you to
                        another NTP                                                                                configure multiple NTP
                        server                                                                                     servers. To do so, enter y to
                                                                                                                   continue.

           Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
24
Installing and Configuring a Cisco SNS-3400 Series Appliance
                                                                              Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC

                         Prompt                 Description                                                            Example
                         System Time            Must be a valid time zone. For example, for Pacific Standard UTC (default)
                         Zone                   Time (PST), the System Time Zone is PST8PDT (or
                                                Coordinated Universal Time (UTC) minus 8 hours).
                                                You can run the show timezones command from the Cisco
                                                ISE CLI for a complete list of supported time zones.
                                                Note      We recommend that you set all Cisco ISE nodes
                                                          to the UTC time zone. This time zone setting
                                                          ensures that the reports, logs, and posture agent log
                                                          files from the various nodes in your deployment
                                                          are always synchronized with regard to the time
                                                          stamps.
                         Username               Identifies the administrative username used for CLI access admin (default)
                                                to the Cisco ISE system. If you choose not to use the default
                                                (admin), you must create a new username. The username
                                                must be three to eight characters in length and be composed
                                                of valid alphanumeric characters (A–Z, a–z, or 0–9).

                         Password               Identifies the administrative password that is used for CLI MyIseYPass2
                                                access to the Cisco ISE system. You must create this
                                                password because there is no default. The password must
                                                be a minimum of six characters in length and include at least
                                                one lowercase letter (a–z), one uppercase letter (A–Z), and
                                                one numeral (0–9).

                        Related Topics
                             Considerations for Planning a Network with Several Remote Sites, on page 10
                             Verifying a Configuration Using a Web Browser, on page 63
                             VMware Tools Installation Verification, on page 64
                             Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, on page 20
                             Installing Cisco ISE Software from a DVD
                             Installing Cisco ISE Software on a Re-imaged Cisco ISE-3300 Series Appliance
                             Installing Cisco ISE Software on a Re-imaged Cisco Secure ACS Appliance
                             Installing Cisco ISE Software on a VMware System, on page 44

Configuring ISE on a Cisco SNS-3400 Series Appliance Using
CIMC
                        After you configure the CIMC for your appliance, you can use it to manage a Cisco SNS-3400 series appliance.
                        You can perform all operations including BIOS configuration through the CIMC.

                                                                  Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                                25
Installing and Configuring a Cisco SNS-3400 Series Appliance
         Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC

               Caution     Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on
                           that node to be unusable.

                           Before You Begin
                                • Ensure that you have configured the CIMC on your appliance.
                                • Ensure that you have properly installed, connected, and powered up the supported appliance by following
                                  the recommended procedures.
                                • Ensure that you have the Cisco ISE ISO image on the client machine from which you are accessing the
                                  CIMC or you have a bootable USB with the image for installation.
                                • Cisco ISE appliances track time internally using UTC time zones. If you do not know your specific time
                                  zone, you can enter one based on the city, region, or country where the Cisco ISE appliance is located.
                                  We recommend that you configure the preferred time zone (the default is UTC) during installation when
                                  the setup program prompts you to configure the setting.
                                • Research how to configure certificates on an Inline Posture node.

Step 1         Connect to the CIMC for server management. Connect the Ethernet cables from the LAN to the server using the ports
               selected by the Network Interface Card (NIC) Mode setting. The active-active and active-passive NIC redundancy settings
               require you to connect to two ports.
Step 2         Use a browser and the IP address of the CIMC to log in to the CIMC Setup Utility. The IP address is based on the CIMC
               configuration that you made (either a static address or the address assigned by the Dynamic Host Configuration Protocol
               (DHCP) server).
               Note     The default username for the server is admin. The default password is password.

Step 3         Click Launch KVM Console.
Step 4         Use your CIMC credentials to log in.
Step 5         Click the Virtual Media tab.
Step 6         Click Add Image to choose the Cisco ISE ISO image from the system running your client browser.
Step 7         Check the Mapped check box against the virtual CD/DVD drive that you have created.
Step 8         Click the KVM tab.
Step 9         Choose Macros > Ctrl-Alt-Del to boot the SNS-3400 series appliance using the ISO image.
Step 10        Press F6 to bring up the boot menu.
Step 11        Choose the CD/DVD that you mapped and press Enter.
Step 12        At the boot prompt, enter 2 and press Enter.
               **********************************************
               Please type 'setup' to configure the appliance
               **********************************************

Step 13        At the prompt, type setup to start the setup program. You are prompted to enter networking parameters and credentials.
               The following illustrates a sample setup program and default prompts:
               Press 'Ctrl-C' to abort setup
               Enter hostname[]: ise-server-1
               Enter IP address[]: 10.1.1.10

               Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
   26
Installing and Configuring a Cisco SNS-3400 Series Appliance
                                                                              Configuring ISE on a Cisco SNS-3400 Series Appliance Using CIMC

             Enter IP netmask[]: 255.255.255.0
             Enter IP default gateway[]: 172.10.10.10
             Enter default DNS domain[]: cisco.com
             Enter primary nameserver[]: 200.150.200.150
             Add secondary nameserver? Y/N [N]: n
             Enter NTP server[time.nist.gov]: 200.150.200.151
             Add another NTP server? Y/N[N]: n
             Enter system time zone[UTC]: UTC
             Enable SSH service?: Y/N [N]: Y
             Enter username [admin]: admin
             Enter password:
             Enter password again:
             Copying first CLI user to be first ISE admin GUI user...
             Bringing up the network interface...
             Pinging the gateway...
             Pinging the primary nameserver...

             Do not use `Ctrl-C' from this point on...

             Installing      Applications...
             Installing      ISE...
             Unbundling      Application Package...
             Initiating      Application Install...

             Application bundle (ISE) installed successfully

             ===Initial Setup for Application: ISE ===

             Welcome to the ISE initial setup. The purpose of this setup is to provision the internal ISE database.
               This setup is non-interactive, and will take roughly 15 minutes to complete.

             Running database cloning script...
             Running database network config assistant tool...
             Extracting ISE database contents...
             Starting ISE database processes...

             ...
             After the Cisco ISE node software is configured, the Cisco ISE system reboots automatically. To log back in to the CLI,
             you must enter the CLI-admin user credentials that you configured during setup.

Step 14      Log in to the Cisco ISE CLI shell, and run the following CLI command to check the status of the Cisco ISE application
             processes:
             ise-server/admin#         show application status ise

             ISE PROCESS NAME                       STATE            PROCESS ID
             --------------------------------------------------------------------
             Database Listener                      running          3638
             Database Server                        running          45 PROCESSES
             Application Server                     running          5992
             Profiler Database                      running          4481
             AD Connector                           running          6401
             M&T Session Database                   running          2319
             M&T Log Collector                      running          6245
             M&T Log Processor                      running          6286
             Certificate Authority Service          running          6211
             pxGrid Infrastructure Service          disabled
             pxGrid Publisher Subscriber Service    disabled
             pxGrid Connection Manager              disabled
             pxGrid Controller                      disabled
             Identity Mapping Service               disabled

Step 15      After you confirm that the Cisco ISE Application Server is running, you can log in to the Cisco ISE user interface by
             using one of the supported web browsers. To log in to the Cisco ISE user interface using a web browser, enter
             https:///admin/ in the Address field: Here “your-ise-hostname or IP address”
             represents the hostname or IP address that you configured for the Cisco SNS-3400 series appliance during setup. Enter

                                                                  Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                                27
Installing and Configuring a Cisco SNS-3400 Series Appliance
      Supported Time Zones

           the web-based admin login credentials (username and password) to access the Cisco ISE user interface. You can initially
           access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the
           setup process. The username and password credentials that you use for web-based access to the Cisco ISE user interface
           are not the same as the CLI-admin user credentials that you created during the setup for accessing the Cisco ISE CLI
           interface. After you log in to the Cisco ISE user interface, you can then configure your devices, user stores, policies, and
           other components.

                        Related Topics
                             Methods for Installing the Cisco ISE Software on a SNS-3400 Series Appliance, on page 20

Supported Time Zones
                        This section provides three tables that provide more information about common Coordinated Universal Time
                        (UTC) time zones for Europe, the United States and Canada, Australia, and Asia. The Cisco ISE CLI show
                        timezones command displays a list of all time zones available to you.

               Note      We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures
                         that the reports, logs, and posture agent log files from the various nodes in the deployment are always
                         synchronized with regard to the time stamps.

                        The format for time zones is POSIX or System V. POSIX time zone format syntax looks like
                        America/Los_Angeles, and System V time zone syntax looks like PST8PDT.

                        Table 5: Europe, United States, and Canada Time Zones

                         Acronym or Name                Time Zone Name
                         Europe

                         GMT, GMT0, GMT-0, Greenwich Mean Time, as UTC
                         GMT+0, UTC,
                         Greenwich, Universal,
                         Zulu

                         GB                             British

                         GB-Eire, Eire                  Irish

                         WET                            Western Europe Time, as UTC

                         CET                            Central Europe Time, as UTC plus 1 hour

                         EET                            Eastern Europe Time, as UTC plus 2 hours

                         United States and Canada

            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
 28
Installing and Configuring a Cisco SNS-3400 Series Appliance
                                                                                                                           Supported Time Zones

                        Acronym or Name                Time Zone Name
                        EST, EST5EDT                   Eastern Standard Time, as UTC minus 5 hours

                        CST, CST6CDT                   Central Standard Time, as UTC minus 6 hours

                        MST, MST7MDT                   Mountain Standard Time, as UTC minus 7 hours

                        PST, PST8PDT                   Pacific Standard Time, as UTC minus 8 hours

                        HST                            Hawaiian Standard Time, as UTC minus 10 hours

                       Table 6: Australia Time Zones

                        Australia
                        Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
                        ACT (Australian Capital Adelaide                                 Brisbane                         Broken_Hill
                        Territory)

                        Canberra                         Currie                          Darwin                           Hobart

                        Lord_Howe                        Lindeman                        LHI (Lord Howe Island) Melbourne

                        North                            NSW (New South Wales) Perth                                      Queensland

                        South                            Sydney                          Tasmania                         Victoria

                        West                             Yancowinna                      —                                —

                       Table 7: Asia Time Zones

                        Asia
                        Aden                             Almaty                          Amman                            Anadyr

                        Aqtau                            Aqtobe                          Ashgabat                         Ashkhabad

                        Baghdad                          Bahrain                         Baku                             Bangkok

                        Beirut                           Bishkek                         Brunei                           Kolkata

                        Choibalsan                       Chongqing                       Columbo                          Damascus

                        Dhakar                           Dili                            Dubai                            Dushanbe

                        Gaza                             Harbin                          Hong_Kong                        Hovd

                                                                   Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                                                  29
Installing and Configuring a Cisco SNS-3400 Series Appliance
      Setup Process Verification

                          Asia
                          Irkutsk                         Istanbul                    Jakarta                         Jayapura

                          Jerusalem                       Kabul                       Kamchatka                       Karachi

                          Kashgar                         Katmandu                    Kuala_Lumpur                    Kuching

                          Kuwait                          Krasnoyarsk                 —                               —

                          Note      The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central
                                    Asia. Enter the region and city or country together separated by a forward slash (/); for example,
                                    Asia/Aden

Setup Process Verification
                         To verify that you have correctly completed the initial setup process, use one of the following two methods
                         to log in to the Cisco ISE appliance:
                              • Web browser
                              • Cisco ISE CLI

                         After you log in to the Cisco ISE user interface, you should perform the following tasks:
                              • Register a license—Refer to the Register Licenses section in the Cisco ISE Administrator Guide for
                                more information.
                              • Configure the Cisco ISE System—Refer to the Cisco ISE Administrator Guide for the configuration
                                tasks.

            Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
 30
CHAPTER                    4
          Installing ISE on a VMware Virtual Machine
           • ISE Features Not Supported in a Virtual Machine, page 31
           • Supported VMware Versions, page 31
           • Support for VMware vMotion, page 32
           • Support for Open Virtualization Format, page 32
           • Virtual Machine Requirements, page 32
           • Virtual Machine Resource and Performance Checks, page 36
           • Obtaining the Cisco ISE Evaluation Software, page 38
           • Installing Cisco ISE on Virtual Machines, page 39
           • Migrating Cisco ISE VM from Evaluation to Production, page 50

ISE Features Not Supported in a Virtual Machine
          The Inline Posture node is supported only on Cisco SNS-3415 and Cisco ISE 3300 series appliances. It is not
          supported on Cisco SNS-3495 series or VMware server systems. All the other designated roles are supported
          for use on VMware virtual machines.

Supported VMware Versions
          Cisco ISE supports the following VMware servers and clients:
             • VMware version 8 (default) for ESXi 5.x
             • VMware version 11 (default) for ESXi 6.0 (requires Cisco ISE 1.4 Patch 3)

                                              Cisco Identify Services Engine Hardware Installation Guide, Release 1.4
                                                                                                                        31
You can also read
NEXT SLIDES ... Cancel