Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
Performing Post Installation Tasks

Table of Contents

Performing Post-Installation Tasks

Accessing Cisco ISE Using a Web Browser

Logging In to the Cisco ISE Web-Based Interface

Administrator Lockout Following Failed Login Attempts

Logging Out of the Cisco ISE Web-Based Interface

Installing a License

Installing Certificates

Verifying a Cisco ISE Configuration

Verifying a Configuration Using a Web Browser

Verifying a Configuration Using the CLI

Verifying the Installation of VMware Tools

Upgrading VMware Tools

Resetting the Administrator Password

Resetting a Lost, Forgotten, or Compromised Password

Resetting a Password Due to Administrator Lockout

Changing the IP Address of a Cisco ISE Appliance

Configuring the Cisco ISE System

Enabling System Diagnostic Reports in Cisco ISE

Performing Post-Installation Tasks

This chapter describes several tasks that you must perform after successfully completing the installation and configuration of the Cisco Identity Services Engine (ISE), Release 1.2, software. This chapter contains information about the following topics:

Accessing Cisco ISE Using a Web Browser

Cisco SNS-3400 series appliances support a web interface using the following HTTPS-enabled browsers:

  • Mozilla Firefox version 3.6.x and above
  • Microsoft Internet Explorer 8.x and above

Note The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7 compatibility mode (Microsoft IE8 is supported in IE8 mode only).


  • Apple Safari 4.x and above

Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser.

This section provides information about the following topics:

Logging In to the Cisco ISE Web-Based Interface

When you log in to the Cisco ISE web-based interface for the first time, you will be using the preinstalled Evaluation license. You must use only the supported HTTPS-enabled browsers listed in the previous section. After you have installed Cisco ISE as described in this guide, you can log in to the Cisco ISE web-based interface.


Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.

 

Step 2 In the Address field, enter the IP address (or hostname) of the Cisco ISE appliance by using the following format and press Enter.

https://<IP address or host name>/admin/
 

For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.

 

Step 3 Enter a username and password that you defined during setup.

Step 4 Click Login.


 


Note To recover or reset the Cisco ISE CLI-admin username or password, see Resetting the Administrator Password.



Tip The minimum required screen resolution to view the Cisco ISE GUI is 1280 x 800 pixels.


CLI-admin and web-based admin username and password values are not the same when logging in to Cisco ISE. For more information about the differences between them, see CLI-Admin and Web-Based Admin User Right Differences.


Note The license page only appears the first time that you log in to Cisco ISE after the evaluation license has expired.



Note We recommend that you use the Cisco ISE user interface to periodically reset your administrator login password. See the Cisco Identity Services Engine User Guide, Release 1.2 for more information.


Administrator Lockout Following Failed Login Attempts

If you enter an incorrect password for your specified administrator user ID enough times, the Cisco ISE user interface “locks you out” of the system. Cisco ISE adds a log entry in the Monitor > Reports > Catalog > Server Instance > Server Administrator Logins report, and suspends the credentials for that administrator ID until you reset the password associated with that administrator ID, as described in Resetting a Password Due to Administrator Lockout. The number of failed attempts required to disable the administrator account is configurable according to the guidelines that are described in the “Managing Administrators and Admin Access Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. After an administrator user account gets locked out, an email is sent to the associated admin user.

Logging Out of the Cisco ISE Web-Based Interface

To log out of the Cisco ISE web-based interface, click Log Out on the Cisco ISE main window toolbar. This ends your administrative session and logs you out.


Caution For security reasons, we recommend that you log out when you complete your administrative session. If you do not log out, the Cisco ISE web-based interface logs you out after 30 minutes of inactivity and does not save any unsubmitted configuration data.

For more information on using the Cisco ISE web-based interface, see the Cisco Identity Services Engine User Guide, Release 1.2.


 

Installing a License

Refer to Appendix 1, “Cisco ISE Licenses” for information on licenses.

Installing Certificates

Refer to Appendix 1, “Certificate Management in Cisco ISE” for information on certificates.

Verifying a Cisco ISE Configuration

This section provides two methods that each use a different set of username and password credentials for verifying Cisco ISE configuration:


Note For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as those for the CLI-based access that you configured during setup. For CLI-based access to a Cisco ISE system, the administrator username by default is admin, and the administrator password is user-defined (there is no default).


To better understand the differences between a CLI-admin user and a web-based admin user, see CLI-Admin and Web-Based Admin User Right Differences.

Verifying a Configuration Using a Web Browser

To verify that you successfully configured your Cisco SNS-3400 Series appliance, complete the following steps using a web browser:


Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.

Step 2 In the Address field, enter the IP address (or host name) of the Cisco ISE appliance using the following format and press Enter.

https://<IP address or host name>/admin/
 

For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.

Step 3 In the Cisco ISE Login page, enter the username and password that you have defined during setup and click Login.

The Cisco ISE dashboard appears.


Note We recommend that you use the Cisco ISE user interface to periodically reset the administrator password. To reset the administrator password, see Cisco Identity Services Engine User Guide, Release 1.2 for details.



 

Verifying a Configuration Using the CLI

To verify that you successfully configured your Cisco ISE appliance, use the Cisco CLI and complete the following steps:


Step 1 After the Cisco ISE appliance reboot has completed, launch a supported product, such as PuTTY, for establishing a Secure Shell (SSH) connection to a Cisco ISE appliance.

Step 2 In the Host Name (or IP Address) field, enter the hostname (or the IP address in dotted decimal format) of the Cisco ISE appliance and click Open.

Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during setup and press Enter.

Step 4 At the password prompt, enter the CLI-admin password that you configured during setup (this is user-defined and there is no default) and press Enter.

Step 5 At the system prompt, enter show application version ise and press Enter.

The console displays the following screen.

 


Note The Version field lists the currently installed version of Cisco ISE software.


Step 6 To check the status of the Cisco ISE processes, enter show application status ise and press Enter.

The console displays the following screen.

 


Note To get the latest Cisco ISE patches and keep Cisco ISE up-to-date, visit the following web site: http://www.cisco.com/public/sw-center/index.shtml


Step 7 To check the Cisco Application Deployment Engine, Release 2.0.5, operating system (ADE-OS) version, enter show version and press Enter.

The console displays output similar to the following:

Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.5.083
ADE-OS System Architecture: i386


 

Verifying the Installation of VMware Tools

You can verify the installation of VMware Tools in the following two ways:

Using the Summary Tab in the vSphere Client

Go to the Summary tab of the specified VMware host in the vSphere Client. The value in the VMware Tools field should be OK. (See Figure 1-1.)

Figure 1-1 Verifying VMware Tools in the vSphere Client

 

Using the CLI

You can also verify whether VMware Tools is installed by using the show inventory command. This command lists the NIC driver information. On a virtual machine with VMware Tools installed, VMware Virtual Ethernet driver is listed in the Driver Descr field.

vm36/admin# show inventory
NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9 , VID: V01 , SN: 8JDCBLIDLJA
Total RAM Memory: 4016564 kB
CPU Core Count: 1
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 64.40 GB
Disk 0: Geometry: 255 heads 63 sectors/track 7832 cylinders
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:BA:C7:82
NIC 0: Driver Descr: VMware Virtual Ethernet driver
(*) Hard Disk Count may be Logical.
vm36/admin#
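
The CLI check above can be scripted against captured show inventory output, which is useful when auditing many virtual ISE nodes. This Python is an added example and is not part of the Cisco guide; parse_nics and vmware_tools_check are hypothetical helper names, the second sample is constructed, and treating any NIC that lacks the driver string as a finding is an assumption.

```python
import re

# Driver string the guide says is listed when VMware Tools is installed.
EXPECTED_DRIVER = "VMware Virtual Ethernet driver"
NIC_LINE = re.compile(r"^NIC\s+(\d+):\s*([^:]+?):\s*(.*)$")
NIC_COUNT = re.compile(r"^NIC Count:\s*(\d+)\s*$", re.MULTILINE)

# NIC lines copied from the guide's show inventory sample.
GUIDE_SAMPLE = """\
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:BA:C7:82
NIC 0: Driver Descr: VMware Virtual Ethernet driver
"""

# Constructed sample (not from the guide): NIC 1 reports a placeholder driver.
CONSTRUCTED_SAMPLE = """\
NIC Count: 2
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:BA:C7:82
NIC 0: Driver Descr: VMware Virtual Ethernet driver
NIC 1: Device Name: eth1
NIC 1: HW Address: 00:0C:29:00:00:01
NIC 1: Driver Descr: Example Ethernet driver
"""

def parse_nics(inventory_text):
    """Return {nic_index: {field: value}} from show inventory output."""
    nics = {}
    for raw in inventory_text.splitlines():
        m = NIC_LINE.match(raw.strip())
        if m:
            idx, field, value = m.groups()
            nics.setdefault(int(idx), {})[field.strip()] = value.strip()
    return nics

def vmware_tools_check(inventory_text):
    """Return (ok, findings); ok only if every NIC lists EXPECTED_DRIVER."""
    nics = parse_nics(inventory_text)
    findings = []
    declared = NIC_COUNT.search(inventory_text)
    if declared is None or int(declared.group(1)) != len(nics):
        findings.append("NIC Count missing or inconsistent (truncated capture?)")
    for idx in sorted(nics):
        descr = nics[idx].get("Driver Descr")
        if descr != EXPECTED_DRIVER:
            name = nics[idx].get("Device Name", "?")
            findings.append(f"NIC {idx} ({name}): Driver Descr is {descr!r}")
    return (not findings, findings)
```

The NIC Count comparison catches a capture that was cut off before all NIC lines were printed, so a partial transcript is not reported as a pass.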

Upgrading VMware Tools

The Cisco ISE ISO image (regular, upgrade, or patch) contains the supported VMware tools. Upgrading VMware tools through the VMware client user interface is not supported with Cisco ISE. If you want to upgrade any VMware tools to a higher version, support is provided through a newer version of Cisco ISE (regular, upgrade, or patch release).

Resetting the Administrator Password

There are two ways to reset the Cisco ISE administrator password:

Resetting a Lost, Forgotten, or Compromised Password

If no one is able to log in to the Cisco ISE system because the administrator password has been lost, forgotten, or compromised, you can use the Cisco ISE Software DVD to reset the administrator password.

Before You Begin

Make sure you understand the following connection-related conditions that can cause a problem when attempting to use the Cisco ISE Software DVD to start up a Cisco ISE appliance:

  • You have a terminal server associated with the serial console connection to the Cisco ISE appliance that is set to exec. Setting it to no exec allows you to use a KVM connection and a serial console connection.
  • You have a keyboard and video monitor (KVM) connection to the Cisco ISE appliance (this can be either a remote KVM or a VMware vSphere client console connection).
  • You have a serial console connection to the Cisco ISE appliance.

Step 1 Ensure that the Cisco ISE appliance is powered up.

Step 2 Insert the Cisco ISE Software DVD.

Step 3 Reboot the Cisco ISE appliance to boot from the DVD.

The console displays the following message (this example shows a Cisco ISE 3355):

Welcome to Cisco Identity Services Engine - ISE 3355
To boot from hard disk press <Enter>
Available boot options:
[1] Cisco Identity Services Engine Installation (Keyboard/Monitor)
[2] Cisco Identity Services Engine Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
boot:

Step 4 At the system prompt, enter 3 if you use a keyboard and video monitor connection to the appliance, or enter 4 if you use a local serial console port connection.

The console displays a set of parameters.

Step 5 Enter the parameters by using the descriptions that are listed in Table 1-1.

 

Table 1-1 Password Reset Parameters

Parameter                Description
Admin username           Enter the number of the administrator whose password you want to reset.
Password                 Enter a new password.
Verify password          Enter the password again.
Save change and reboot   Enter Y to save.

The console displays:

Admin username:
[1]:admin
[2]:admin2
[3]:admin3
[4]:admin4
Enter number of admin for password recovery:2
Password:
Verify password:
Save change and reboot? [Y/N]:


 

See the Cisco Identity Services Engine CLI Reference Guide, Release 1.2 for more information.

Resetting a Password Due to Administrator Lockout

An administrator can enter an incorrect password enough times to disable the account. The minimum and default number of attempts is five.


Note Use this command to reset the administrator user interface password. It does not affect the CLI password of the administrator.



Step 1 Access the direct-console CLI and enter:

application reset-passwd ise administrator_ID

Step 2 Specify and confirm a new password that is different from the previous two passwords that were used for this administrator ID:

Enter new password:
Confirm new password:
 
Password reset successfully
 

After you successfully reset the administrator password, the credentials are immediately active and you can log in without having to reboot the system.

For more details on using the application reset-passwd ise command, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.2.


 

Changing the IP Address of a Cisco ISE Appliance

To change the IP address of a Cisco SNS-3400 series appliance, complete the following steps:

Before You Begin

Ensure that the Cisco ISE node is in a standalone state before you change the IP address. If the node is part of a distributed deployment, deregister the node from the deployment and make it a standalone node.


Step 1 Log in to the Cisco ISE CLI.

Step 2 Enter the following:

configure terminal
interface GigabitEthernet 0
ip address new_ip_address new_subnet_mask
exit


 


Note Do not use the no ip address command when you change the Cisco ISE appliance IP address.



Note All Cisco ISE services have to be restarted after changing the Cisco ISE appliance IP address.


Configuring the Cisco ISE System

By using the Cisco ISE web-based user interface menus and options, you can configure the Cisco ISE system to suit your needs. For details on configuring authentication and authorization policies, and other features, menus, and options, see the Cisco Identity Services Engine User Guide, Release 1.2.

For details on each of the Cisco ISE operations and other administrative functions, such as monitoring and reporting, see the Cisco Identity Services Engine User Guide, Release 1.2.

For the most current information about this release, see the Release Notes for Cisco Identity Service Engine, Release 1.2.

Enabling System Diagnostic Reports in Cisco ISE

After installing Cisco ISE the first time or reimaging an appliance, you can choose to enable the system-level diagnostic reports using the Cisco ISE CLI (the logging function that reports on system diagnostics is not enabled in Cisco ISE by default).

To enable system diagnostic reports, do the following:


Step 1 Log in to the Cisco ISE CLI console using the default administrator user ID and password.

Step 2 Enter the following commands:

a. configure terminal

b. logging 127.0.0.1:20514

c. end

d. write memory


 

You can configure system diagnostic settings through the Cisco ISE user interface (Administration > System > Logging > Logging Categories > System Diagnostics).