Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
Installing and Configuring a Cisco SNS-3400 Series Appliance

Table of Contents

Installing and Configuring a Cisco SNS-3400 Series Appliance

Installing the SNS-3400 Series Appliance in a Rack

Downloading the Cisco ISE, Release 1.2 ISO Image

Installing Release 1.2 Software on SNS-3400 Series Appliance

Cisco Integrated Management Controller

Configuring CIMC

Creating a Bootable USB Drive

Prerequisites for Configuring a Cisco SNS-3400 Series Appliance

Cisco ISE Setup Program Parameters

Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance

Supported Time Zones

Setup Process Verification

Installing and Configuring a Cisco SNS-3400 Series Appliance

This chapter describes how to install and configure a Cisco Identity Services Engine (ISE) 3400 Series appliance, and contains the following topics:


Note Review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco ISE software on a Cisco SNS-3400 series appliance. See Prerequisites for Configuring a Cisco SNS-3400 Series Appliance for more information.


Installing the SNS-3400 Series Appliance in a Rack

Refer to Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a Rack,” for information on safety guidelines, site requirements, and guidelines that you must observe before installing the Cisco SNS-3400 series appliance.

Downloading the Cisco ISE, Release 1.2 ISO Image

You can download the Cisco ISE, Release 1.2 ISO image from Cisco.com.


Note For Inline Posture nodes, you must download the Inline Posture Node, Release 1.2, ISO and continue with the installation process. See Inline Posture Node Installation for more information.



Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.

Step 2 Click Download Software for this Product.

The Cisco ISE, Release 1.2, software image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services when the installation and initial configuration is complete.


 

Installing Release 1.2 Software on SNS-3400 Series Appliance

If your SNS-3400 series appliance is running Cisco ISE, Release 1.1.x, you have the option to upgrade it to Release 1.2 using the application upgrade command. Refer to the Cisco Identity Services Engine Upgrade Guide, Release 1.2. Alternatively, you can reimage your existing SNS-3400 Series appliance to perform a fresh installation of Release 1.2 and register it to an existing deployment.

After you download the ISO image, you can install it on your SNS-3400 Series appliance in any one of the following ways:

  • Install the ISO image using the CIMC Remote Management Utility. You must configure the CIMC to perform this remote installation.
      1. Configure CIMC.
      2. Install Cisco ISE, Release 1.2 remotely.
  • Install the ISO image using a USB flash drive.
      1. Create a bootable USB flash drive using the iso-to-usb.sh script.
      2. Connect the USB flash device to the SNS-3400 Series appliance.
      3. Install Cisco ISE, Release 1.2 using the local KVM or remotely using the CIMC KVM.
  • Install the ISO using an external DVD drive with a USB port.
      1. Burn the ISO image on to a DVD.
      2. Connect the external USB DVD to the SNS-3400 Series appliance.
      3. Install Cisco ISE, Release 1.2 via the local KVM or remotely using the CIMC KVM.


Note For installing Release 1.2 using a USB flash device or an external DVD with a USB port, CIMC configuration is optional. Choose one of these options if you prefer not to perform a remote installation.


Cisco Integrated Management Controller

You can monitor the server and system event logs using the built-in Cisco Integrated Management Controller (CIMC) GUI or CLI interfaces. See the user documentation for your release at the following URL:

http://www.cisco.com/en/US/products/ps10739/products_installation_and_configuration_guides_list.html

Configuring CIMC

You can perform all operations on a Cisco SNS-3400 series appliance through the CIMC. To do this, you must first configure an IP address and IP gateway so that you can access the CIMC from a web browser.


Step 1 Plug in the power cord.

Step 2 Press the Power button to boot the server. Watch for the prompt to press F8 as shown in the following figure.

 

 

Step 3 During bootup, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following screen appears.

 

Step 4 Set the NIC mode to specify which ports access the CIMC for server management (see Figure 2-2 for identification of the ports). Cisco ISE can use up to four Gigabit Ethernet ports. Choose Dedicated NIC mode, set NIC redundancy to None as described in Step 5, and select IP settings.

Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select NIC redundancy None and select IP settings.

Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the factory default setting, along with active-active NIC redundancy and DHCP enabled.

Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You must select a NIC redundancy and IP setting.


Note The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC (N2XX-ACPCI01) that is installed in PCIe slot 1. See Special Considerations for Cisco UCS Virtual Interface Cards.


Step 5 Specify the NIC redundancy setting:

None—The Ethernet ports operate independently and do not fail over if there is a problem.

Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.

Active-active—All Ethernet ports are utilized simultaneously.

Step 6 Choose whether to enable DHCP for dynamic network settings or to enter static network settings.


Note Before you enable DHCP, the DHCP server must be preconfigured with the range of MAC addresses for the server. The MAC address is printed on a label on the rear of the server. This server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on the label is the beginning of the range of six contiguous MAC addresses.


Step 7 (Optional) Specify the VLAN settings and set a default CIMC user password.


Note Changes to the settings take effect after approximately 45 seconds. Press F5 to refresh and wait until the new settings appear before you reboot the server in the next step.


Step 8 Press F10 to save your settings and reboot the server.


Note If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on the console screen during bootup.



 

What To Do Next

Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance

Creating a Bootable USB Drive

The Cisco ISE, Release 1.2, ISO image contains an “images” directory that has a Readme file and a script to create a bootable USB drive to install Cisco ISE, Release 1.2.

Before You Begin

  • Ensure that you have read the Readme file in the “images” directory.
  • You need the following:
      - A Linux machine with RHEL-5.x, RHEL-6.x, CentOS-5.x, or CentOS-6.x.
      - If you are using a PC or Mac, ensure that you have installed a Linux virtual machine (VM) running RHEL-5.x, RHEL-6.x, CentOS-5.x, or CentOS-6.x.
      - An 8-GB USB drive
      - The iso-to-usb.sh script


Step 1 Plug the USB drive into the USB port.

Step 2 Unmount the USB drive from Linux CLI or GUI without removing the USB device. From the CLI, enter the following command: umount /dev/sdb where /dev/sdb is the USB device.


Note Do not choose the “Safely Remove Drive” or “Eject” options from the GUI.


Step 3 Copy the iso-to-usb.sh script and the Cisco ISE, Release 1.2, ISO image to a directory on the Linux machine.

Step 4 Change the permissions of the script using the chmod command.

For example, # chmod u+x iso-to-usb.sh

Step 5 As root user, enter the following command:

iso-to-usb.sh source_iso usb_device

For example, # ./iso-to-usb.sh ise-1.2.0.434-x86_64.iso /dev/sdb where iso-to-usb.sh is the name of the script, ise-1.2.0.434-x86_64.iso is the name of the ISO image, and /dev/sdb is your USB device.

You might have to use the su command to switch to the root user account. You can also use the sudo command to execute the script with root permissions.

Step 6 Enter a value for the appliance that you want to install the image on.

Step 7 Enter Y to continue.

Step 8 A success message appears.

Step 9 Unplug the USB drive.
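
Because iso-to-usb.sh runs as root against a raw device, the following added example (not part of the Cisco ISO image or of this guide) checks before Step 5 that the target is a removable whole disk with no partition still mounted. The function names and the SYSFS_ROOT and MOUNTS_FILE overrides are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks to run before "./iso-to-usb.sh <source_iso> <usb_device>".
# SYSFS_ROOT and MOUNTS_FILE can be overridden so the checks can be exercised on
# constructed data; the defaults are the standard Linux locations.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# Accept only a whole-disk node such as /dev/sdb, never a partition (/dev/sdb1).
is_whole_disk() {
    case $1 in
        /dev/sd[a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# The kernel exposes "1" in <sysfs>/block/<name>/removable for removable media.
is_removable() {
    flag_file="$SYSFS_ROOT/block/${1#/dev/}/removable"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]
}

# Print every mounted node that is the device itself or one of its partitions.
# "umount /dev/sdb" does not help when it is /dev/sdb1 that is mounted.
mounted_parts() {
    awk -v dev="$1" '$1 == dev || $1 ~ ("^" dev "[0-9]+$") { print $1 }' "$MOUNTS_FILE"
}

# Print "ok" and return 0 when it is safe to proceed; otherwise print the reason
# and return 1.
usb_preflight() {
    iso=$1 dev=$2
    [ -f "$iso" ] || { echo "ISO image not found: $iso"; return 1; }
    is_whole_disk "$dev" || { echo "not a whole-disk device: $dev"; return 1; }
    is_removable "$dev" || { echo "not reported as removable: $dev"; return 1; }
    parts=$(mounted_parts "$dev")
    [ -z "$parts" ] || { echo "still mounted: $parts"; return 1; }
    echo "ok"
}

# Usage: sh usb-preflight.sh <source_iso> <usb_device>
if [ $# -eq 2 ]; then
    usb_preflight "$1" "$2"
fi
```

A fixed internal disk reports 0 in its removable flag, so a mistyped device name such as /dev/sda is refused before the script can overwrite it.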


 

What To Do Next

Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance

Prerequisites for Configuring a Cisco SNS-3400 Series Appliance

Cisco SNS-3400 series appliances are preinstalled with the Cisco Application Deployment Engine, Release 2.0.5, operating system (ADE-OS) and the Cisco ISE, Release 1.2, software.

Make sure that you identify all of the following configuration settings for each node in your deployment before proceeding:

  • Hostname
  • IP address for the Gigabit Ethernet 0 (eth0) interface
  • Netmask
  • Default gateway
  • Domain Name System (DNS) domain
  • Primary name server
  • Primary Network Time Protocol (NTP) server
  • System time zone
  • Username (username for CLI-admin user)
  • Password (password for CLI-admin user)

For details about the differences between the CLI-admin user and web-based admin user rights, see CLI-Admin and Web-Based Admin User Right Differences.

If you are installing Cisco ISE on an SNS-3400 series appliance, download the Cisco ISE, Release 1.2, ISO image, and use any one of the following options to configure the Cisco ISE, Release 1.2, software on the appliance:

  • Configure the Cisco Integrated Management Controller (CIMC) and use it to install Cisco ISE, Release 1.2. See Configuring CIMC.
  • Create a bootable USB Drive and use it to install Cisco ISE, Release 1.2. See Creating a Bootable USB Drive.

Note In case you have purposefully deleted the RAID configuration on the Cisco SNS-3400 series appliance, you must reinstall Cisco ISE, Release 1.2, using CIMC or the USB bootable drive. While using the USB bootable drive to reinstall Cisco ISE, you must manually configure RAID using the webBIOS. For more information on installing Cisco ISE using CIMC, see Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance. For more information on using the USB bootable drive to install Cisco ISE, see Creating a Bootable USB Drive.


If you are installing Cisco ISE on Cisco ISE-3300 series, Cisco Secure ACS, or Cisco NAC appliances, download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install Cisco ISE, Release 1.2. See Appendix 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances,” for the supported Cisco Secure ACS and Cisco NAC platforms.

Cisco ISE Setup Program Parameters

When the Cisco ISE software configuration begins, an interactive CLI prompts you to enter required parameters to configure the system. (See Table 3-1.)

Ensure that the DNS and NTP servers are reachable after you run Setup and whenever a Cisco ISE node reboots in the deployment.


Note If you are installing Cisco ISE software on a VMware server, Cisco ISE also installs and configures VMware Tools, Version 8.3.2, during the initial setup. To verify the installation, see Verifying the Installation of VMware Tools.


 

Table 3-1 Cisco ISE Setup Program Parameters

| Prompt | Description | Example |
|---|---|---|
| Hostname | Must not exceed 15 characters. Valid characters include alphanumerical (A–Z, a–z, 0–9), and the hyphen (-). The first character must be a letter. Note: We recommend that you use lowercase letters to ensure that certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verifications. You cannot use “localhost” as the hostname for a node. | isebeta1 |
| (eth0) Ethernet interface address | Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14 |
| Netmask | Must be a valid IPv4 netmask. | 255.255.255.0 |
| Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1 |
| DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.). | example.com |
| Primary name server | Must be a valid IPv4 address for the primary name server. | 10.15.20.25 |
| Add/Edit another name server | Must be a valid IPv4 address for an additional name server. | (Optional) Allows you to configure multiple name servers. To do so, enter y to continue. |
| Primary NTP server | Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server. | clock.nist.gov |
| Add/Edit another NTP server | Must be a valid NTP domain. | (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue. |
| System Time Zone | Must be a valid time zone. For details, see Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or Coordinated Universal Time (UTC) minus 8 hours). The time zones referenced in the CLI Reference Guide are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones. Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps. | UTC (default) |
| Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and be composed of valid alphanumeric characters (A–Z, a–z, or 0–9). | admin (default) |
| Password | Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password because there is no default. The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9). | MyIseYPass2 |


Note For details about the web-based administrator username and password, see Verifying a Configuration Using a Web Browser.
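
The rules in Table 3-1 can be checked on an administrator workstation before the console session starts. The following is an added example, not Cisco code, that validates a set of setup answers offline; the function names are assumptions, and the sample values are the table's own examples.

```shell
#!/bin/sh
# Added example: offline checks of setup answers against the Table 3-1 rules.
# Function names are illustrative assumptions, not part of Cisco ISE.
LC_ALL=C   # keep [a-z]-style ranges plain ASCII

valid_hostname() {   # 15 characters at most, letters/digits/hyphen, letter first
    case $1 in
        ''|[!A-Za-z]*|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ] || return 1
    # Assumption: "localhost" is rejected in any letter case.
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" != "localhost" ]
}

valid_ipv4() {       # four decimal octets, 0-255, no leading zeros
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

valid_netmask() {    # valid IPv4 whose 1-bits are contiguous from the left
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    mask=$(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
    inv=$(( 4294967295 - mask ))
    [ "$mask" -ne 0 ] && [ $(( inv & (inv + 1) )) -eq 0 ]
}

valid_dns_domain() { # letters, digits, hyphen, period; must not be an IP address
    if valid_ipv4 "$1"; then return 1; fi
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

valid_username() {   # three to eight alphanumeric characters
    case $1 in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge 3 ] && [ "${#1}" -le 8 ]
}

valid_password() {   # six or more characters: a lowercase, an uppercase, a digit
    [ "${#1}" -ge 6 ] || return 1
    case $1 in *[a-z]*) ;; *) return 1 ;; esac
    case $1 in *[A-Z]*) ;; *) return 1 ;; esac
    case $1 in *[0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Arguments: hostname ip netmask gateway domain nameserver username password.
# Prints "ok" or the failing field names; returns 0 only when every check passes.
check_setup_answers() {
    failed=""
    valid_hostname "$1"   || failed="$failed hostname"
    valid_ipv4 "$2"       || failed="$failed ip"
    valid_netmask "$3"    || failed="$failed netmask"
    valid_ipv4 "$4"       || failed="$failed gateway"
    valid_dns_domain "$5" || failed="$failed domain"
    valid_ipv4 "$6"       || failed="$failed nameserver"
    valid_username "$7"   || failed="$failed username"
    valid_password "$8"   || failed="$failed password"
    if [ -z "$failed" ]; then echo "ok"; return 0; fi
    echo "invalid:$failed"; return 1
}

# Constructed input: the example values from Table 3-1.
check_setup_answers isebeta1 10.12.13.14 255.255.255.0 10.12.13.1 \
    example.com 10.15.20.25 admin MyIseYPass2 || true
```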


Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance

After you configure the CIMC for your appliance, you can use it to manage a Cisco SNS-3400 series appliance. You can perform all operations including BIOS configuration through the CIMC.


Note To configure VMware servers, see Configuring a VMware System to Boot From a Cisco ISE Software DVD.


Before You Begin

  • Ensure that you have configured the CIMC on your appliance. See Configuring CIMC for more information.
  • Ensure that you have properly installed, connected, and powered up the supported appliance by following the recommended procedures. See Connecting and Powering On the Server and Checking the LEDs.
  • Ensure that you have the Cisco ISE, Release 1.2, ISO image on the client machine from which you are accessing the CIMC or you have a bootable USB with the image for installation. See Creating a Bootable USB Drive.
  • Cisco ISE appliances track time internally using UTC time zones. If you do not know your specific time zone, you can enter one based on the city, region, or country where the Cisco ISE appliance is located. See Table 3-2, Table 3-3, and Table 3-4 for sample time zones. We recommend that you configure the preferred time zone (the default is UTC) during installation when the setup program prompts you to configure the setting.

Step 1 Connect to the CIMC for server management. Connect the Ethernet cables from the LAN to the server using the ports selected by the Network Interface Card (NIC) Mode setting. The active-active and active-passive NIC redundancy settings require you to connect to two ports.

Step 2 Use a browser and the IP address of the CIMC to log in to the CIMC Setup Utility. The IP address is based on the CIMC configuration that you made (either a static address or the address assigned by the Dynamic Host Configuration Protocol (DHCP) server).


Note The default username for the server is admin. The default password is password.


Step 3 Click Launch KVM Console.

Step 4 Use your CIMC credentials to log in.

Step 5 Click the Virtual Media tab.

Step 6 Click Add Image to choose the Cisco ISE, Release 1.2, ISO image from the system running your client browser.

Step 7 Check the Mapped check box against the virtual CD/DVD drive that you have created.

Step 8 Click the KVM tab.

Step 9 Choose Macros > Ctrl-Alt-Del to boot the SNS-3400 series appliance using the ISO image. A screen similar to the one shown in the following figure appears.

 

Step 10 Press F6 to bring up the boot menu. A screen similar to the following one appears.

 

 

Step 11 Choose the CD/DVD that you mapped and press Enter. A screen similar to the following one appears.

 

 

Step 12 At the boot prompt, enter 1 and press Enter.

**********************************************

Please type 'setup' to configure the appliance

**********************************************

Step 13 At the prompt, type setup to start the setup program. You are prompted to enter networking parameters and credentials. The following illustrates a sample setup program and default prompts:

Enter hostname[]: ise-server-1
Enter IP address[]: 10.1.1.10
Enter Netmask[]: 255.255.255.0
Enter IP default gateway[]: 172.10.10.10
Enter default DNS domain[]: cisco.com
Enter Primary nameserver[]: 200.150.200.150
Add/Edit another nameserver? Y/N: n
Enter primary NTP domain[]: clock.cisco.com
Add/Edit another NTP domain? Y/N: n
Enable SSH?: Y/N
Enter system time zone[]: UTC
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Virtual machine detected, configuring VMware tools...
Appliance is configured
Installing applications...
Installing ISE...
Application bundle (ise) installed successfully
 
===Initial Setup for Application: ise===
 
Welcome to the ISE initial setup. The purpose of this setup is to provision the internal ISE database. This setup is non-interactive, and will take roughly 15 minutes to complete.
 
Running database cloning script...
Running database network config assistant tool...
Extracting ISE database contents...
Starting ISE database processes...
 
...

Note An “Installing ISE-IPEP” message appears when you install the Inline Posture node, Release 1.2, ISO image and you will see an “Application bundle (ISE-IPEP) installed successfully” message.



Note A “Virtual machine detected, configuring VMware tools...” message appears only if Cisco ISE is installed on a virtual machine.


After the Cisco ISE or Inline Posture node software is configured, the Cisco ISE system reboots automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you configured during setup.

Step 14 If you installed the Inline Posture node ISO image, go to Configuring Certificates for Inline Posture Nodes.

Step 15 If you installed the Cisco ISE, Release 1.2, ISO image, log in to the Cisco ISE CLI shell, and run the following CLI command to check the status of the Cisco ISE application processes:

ise-server/admin# show application status ise

ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#

Step 16 After you confirm that the Cisco ISE Application Server is running, you can log in to the Cisco ISE user interface by using one of the supported web browsers. (See Accessing Cisco ISE Using a Web Browser.)

To log in to the Cisco ISE user interface using a web browser, enter https://<your-ise-hostname or IP address>/admin/ in the Address field.

Here “your-ise-hostname or IP address” represents the hostname or IP address that you configured for the Cisco SNS-3400 series appliance during setup.

Step 17 At the Cisco ISE Login window, you are prompted to enter the web-based admin login credentials (username and password) to access the Cisco ISE user interface. You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process.

After you log in to the Cisco ISE user interface, you can then configure your devices, user stores, policies, and other components.

The username and password credentials that you use for web-based access to the Cisco ISE user interface are not the same as the CLI-admin user credentials that you created during the setup for accessing the Cisco ISE CLI interface. For an explanation of the differences between these two types of admin users, see CLI-Admin and Web-Based Admin User Right Differences.


 


Caution Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.1.2.

Supported Time Zones

This section provides three tables that provide more information about common Coordinated Universal Time (UTC) time zones for Europe, the United States and Canada, Australia, and Asia.


Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with regard to the time stamps.


The format for time zones is POSIX or System V. POSIX time zone format syntax looks like America/Los_Angeles, and System V time zone syntax looks like PST8PDT.

 

Table 3-2 Europe, United States, and Canada Time Zones

| Acronym or Name | Time Zone Name |
|---|---|
| Europe | |
| GMT, GMT0, GMT-0, GMT+0, UTC, Greenwich, Universal, Zulu | Greenwich Mean Time, as UTC |
| GB | British |
| GB-Eire, Eire | Irish |
| WET | Western Europe Time, as UTC |
| CET | Central Europe Time, as UTC plus 1 hour |
| EET | Eastern Europe Time, as UTC plus 2 hours |
| United States and Canada | |
| EST, EST5EDT | Eastern Standard Time, as UTC minus 5 hours |
| CST, CST6CDT | Central Standard Time, as UTC minus 6 hours |
| MST, MST7MDT | Mountain Standard Time, as UTC minus 7 hours |
| PST, PST8PDT | Pacific Standard Time, as UTC minus 8 hours |
| HST | Hawaiian Standard Time, as UTC minus 10 hours |

 

 

Table 3-3 Australia Time Zones

Australia (1): ACT (2), Adelaide, Brisbane, Broken_Hill, Canberra, Currie, Darwin, Hobart, Lord_Howe, Lindeman, LHI (3), Melbourne, North, NSW (4), Perth, Queensland, South, Sydney, Tasmania, Victoria, West, Yancowinna

(1) Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
(2) ACT = Australian Capital Territory
(3) LHI = Lord Howe Island
(4) NSW = New South Wales

 

Table 3-4 Asia Time Zones

Asia (5): Aden (6), Almaty, Amman, Anadyr, Aqtau, Aqtobe, Ashgabat, Ashkhabad, Baghdad, Bahrain, Baku, Bangkok, Beirut, Bishkek, Brunei, Kolkata, Choibalsan, Chongqing, Columbo, Damascus, Dhakar, Dili, Dubai, Dushanbe, Gaza, Harbin, Hong_Kong, Hovd, Irkutsk, Istanbul, Jakarta, Jayapura, Jerusalem, Kabul, Kamchatka, Karachi, Kashgar, Katmandu, Kuala_Lumpur, Kuching, Kuwait, Krasnoyarsk

(5) The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia.
(6) Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.


Note The Cisco ISE CLI show timezones command displays a list of all time zones available to you. Choose the most appropriate one for your network location.


Setup Process Verification

To verify that you have correctly completed the initial setup process, use one of the following two methods to log in to the Cisco ISE appliance:

  • Web browser
  • Cisco ISE CLI

After you log in to the Cisco ISE user interface, you should perform the following tasks: