Configure CSSM on Prem and Register Licenses with ISE

Available Languages

Download Options

  • PDF     (4.9 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (5.3 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (3.7 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 25, 2024
Document ID:222207

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the integration of CSSM On-Prem with Cisco Identity Service Engine (ISE) and Cisco Smart Account, ensuring a seamless setup.

    Prerequisites

    Requirements

    ISE 3.X

    Cisco Smart Software Manager(CSSM) Version 8 Release 202304 +

    Components Used

    • Identity Service Engine 3.2 patch 2
    • SSM On Prem 8.20234
    • Windows Active Directory 2016 (DNS and Certificate Authority services)
    • VMWare ESXi version 7

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Network Diagram

    General topologyGeneral topology

    Install CSSM On-Prem on VMWARE ESXi.

    1. Download the Cisco IOS®. You can use the next link: https://software.cisco.com/download/home/286285506/type/286326948/release/8-202304

    2. Upload the ISO in VMWARE ESXi.

    Navigate to Storage > Datastore Browser.

    Data browser sectionData browser section

    3. Click Create Directory to create a new folder (optional).

    Creation of directoryCreation of directory

    In this example, the CSSM folder was created:

    Creation of foldersCreation of folders

    4. Click Upload and then choose your ISO file.

    Uploading ISOUploading ISO

    Now the ISO file is in the CSSM folder:

    The ISO upload is completedThe ISO upload is completed

    5. Create the Virtual Machine. navigate to Virtual Machine > Create / Register VM.

    Creating a new VM step 01Creating a new VM step 01

    6. Choose Create a new virtual machine and click next.

    Creating a new VM step 02Creating a new VM step 02

    7. Then configure the next parameters:

    • Name: Enter the name of your virtual machine.
    • Compatibility: Select either ESXi 6.0 or later or ESXi 6.5 or later. 
    • Guest OS family: Linux.
    • Guest OS version: Choose either CentOS 7 (64 bit) or Other 2.6x Linux (64 bit)

    Click next.

    VM name and IOSVM name and IOS

    8. Select your storage and click next.

    Storage listStorage list

    9. Configure the next parameters:

    • CPU: 4 as minimum. The actual vCPU setting depends on your scale requirement
    note-icon

    Note: The amount of cores per socket needs to be set to 1 regardless of the number of virtual sockets selected. For example, a 4 vCPU configuration needs to be configured as 4 sockets and 1 core per socket.

    Configuration of CoresConfiguration of Cores

    • Memory: 8 GB
    • Hard Disk: 200 GB and and verify provisioning is set to Thin Provision.

    Configuration of diskConfiguration of disk

    • Network Adapter: Select E1000 adapter type and select Connect at Power On.

    Configuration of network settingsConfiguration of network settings

    • CD / DVD Drive: Choose “Data ISO file” and select the ISO file.

    ISO imageISO image

    You can verify the summary of the settings once you have completed the previous steps.

    Summary VM configuration 01Summary VM configuration 01

    Click next.

    10. Click Finish.

    Summary VM configuration 02Summary VM configuration 02

    Initial Configuration of CSSM On-Prem .

    1. In VMWARE ESXi, navigate to  Virtual Machines and select your VM and then click Power On.

    Power on optionPower on option

    1. You have multiple options to manage the VM console. Select Console >  Open browser console.

    Options to manage the VMOptions to manage the VM

    1. Configure your network settings.
    note-icon

    Note: It’s important to configure the IP address of the DNS Server that resolves the CSSM FQDN.

    Configuration of CSSM network settingsConfiguration of CSSM network settings

    Click Ok to configure your new CLI password.

    1. Then the installation process starts and is finished until you can see the access prompt.

    CSSM initial configuration completedCSSM initial configuration completed

    1. Open a browser and enter https://<ip_address_CSSM>.

    CSSM login pageCSSM login page

    Use the default credentials:

    Username: admin

    Password: CiscoAdmin!2345

    1. Select your language.
    2. Create a new GUI password.
    3. Configure the Host Common Name. (example: hostname.yourdomain).

    In this case, the cssm.testlab.local was configured as Host Common Name.

    Host common name configurationHost common name configuration

    1. Validate your configuration and click Apply.

    CSSM initial settings completedCSSM initial settings completed.

    Integrate CSSM On-Prem with Smart Account

    You need to associate your Smart Account with your CSSM On Prem Server.

    1. Open your Cisco Smart Account using the next link:

    https://software.cisco.com/

    1. Then choose Manage Licenses under the Smart Software Manager section.
    Manage licenses optionManage licenses option
    1. Navigate to Inventory and copy the name of your Smart Account name and Virtual Account. In this guide, this is InternalTestDemoAccount67 and AAA MEX TEST.

    Software Cisco pageSoftware Cisco page

    1. Open the CSSM GUI and select the Admin Workspace option.

    Main CSSM menuMain CSSM menu.

    1. Then select Accounts.

    CSSM AccountsAccounts.

    1. Select New Account to create a new registration request.

    Creation of CSSM accountCreation of CSSM account.

    1. Enter the next information:
    • Account name: This is a custom name of the new register.
    • Cisco Smart Account: Paste your Smart Account name.
    • Cisco Virtual Account: Paste your Virtual Account name.
    • Email for notification: Type your email.

    Account registrationAccount registration.

    Click Submit.

    1. Then click on Account Requests.

    You can see the request done on the previous step in this section.

    Account request.Account request.

    1. Click actions.

    Actions optionActions option.

    You have three options:

    • Approve: Use this option to register the CSSM On-Prem with your Smart Account through Internet.
    • Reject: Drop the request.
    • Manual Registration: Use this option to register the CSSM On-Prem with your Smart Account without Internet.

     OPTION 1: Register your CSSM On-Prem through Internet connection.

    1. If you choose Approve, you need to enter your username and password of your Cisco Smart Account and click Submit.

    Approve optionApprove option.

    Then click next to accept the account registration.

    Account registrationAccount registration.

    To confirm the status of the registration, navigate to Account and the Account status must be as active.

    Account statusAccount status.

    Now open your Smart Account (https://software.cisco.com/). Then select the On-Prem Accounts option to see the new register.

    On Prem Account.On Prem Account.

    OPTION 2: Register your CSSM On-Prem without an Internet connection.

    If you choose Manual Registration, click Generate Registration File. This creates a Registration Request that is going to be downloaded to your computer.

    Manual registration.Manual registration.

    Then open your Smart Account (https://software.cisco.com/) and navigate to On-Prem Accounts.

    Click New On-Prem

    Adding new On-Prem.Adding new On-Prem.

    Then configure the next parameters:

    • On-Prem Name: This is a custom name of the new register.
    • Registration File: Click Choose File and select the Registration Request.
    • Virtual Account: Paste your Virtual Account name.

    Authorization file.Authorization file.

    And click Generate Authorization File.

    Then Download the Authorization File.

    Downloading authorization fileDownloading authorization file.

    Open the CSSM GUI to upload the Authorization File. Click Browse, choose the file, and then click Upload.

    Uploading authorization file.Uploading authorization file.

    Then navigate to Synchronization and click Actions > Manual Synchronization > Full Synchronization.

    Manual Sync.Manual Sync.

    Download the Sync request file.

    Downloading file SyncDownloading file Sync.

    Open your Smart Account and select On-Prem Account, then look for your CSSM On-Prem name in the list, and click Actions > File Sync

    Uploading file SyncUploading file Sync.

    Then upload the Sync request file, and click Generate Response File.

    Generating a response fileGenerate a response file.

    Then click Download Synch Response File

    Sync fileSync file.

    And finally, upload the Synch Response File in the CSSM on Premise.

    Sync completedSync completed.

     Integrate CSSM On-Prem with ISE.

    1. Open the CSSM GUI and select Admin Workspace.

    Main CSSM menu.Main CSSM menu.

    1. Navigate to Security > Certificates > Generate CSR
    note-icon

    Note: It’s important to have the hostname + domain configured on the Host Common Name  because ISE uses this parameter in order to establish a connection with the CSSM. You can use an IP address  instead of the hostname + domain, however the recommendation is to use the hostname + domain

    note-icon

    Note: The next steps describe the procedure to install  the GUI certificate in the CSSM. If you want to protect the management connection to your GUI CSSM by using a certificate signed by your personal Certification Authority (CA) you need to check the next steps. Otherwise, check directly the step 9.

    CSR optionCSR option.

    1. Then enter your personal information. Be aware the Subject Alternative Name is created automatically by using the same value as the Common Name. The CSR is downloaded automatically after clicking Generate.

    CSR detailsCSR details.

    1. Sign the CSR: For more information check the “ Create certificates from Windows CA.” on this document.
    1. Upload the root CA certificate.

    Uploading Root CAUploading Root CA.

    Click Proceed.

    Proceed optionProceed option.

    1. Enter a description and choose the root certificate and click Ok.

    Description root CADescription root CA.

    1. Upload the CSR signed by the CA (CSSM Identity Certificate).

    Uploading CSSM Identity CertUploading CSSM Identity Cert.

    note-icon

    Note: NOTE: In our case, the Intermediate certificate does not exist in our CA. However, if you use an intermediate certificate in your architecture, the intermediate certificate is mandatory.

    8. Then, confirm that both certificates have been installed.

    Certificates validationCertificates validation.

    1. Create a token on the SSM On-Prem: Select licensing Workspace.

    Workspace pageWorkspace page.

    1. navigate to Smart Licensing.

    CSSM Smart licensing pageCSSM Smart licensing page

    1. Look for your Local Virtual Account, then click New Token and click Proceed.

    New token optionNew token option.

    1. Select Create Token and copy it.

    Creation of new tokenCreation of new token.

    Token detailsToken details.

    1. Open the ISE GUI and navigate to Administration > Systems > Licensing, then click Registration details, select the SSM On-Prem server Host method, and paste the token.

    Registration of licensesRegistration of licenses.

    1. Enter the SSM On-Prem FQDN on SSM On-Prem server Host and click  Register.

    CSSM and ISE settingsCSSM and ISE settings.

    note-icon

    Note: It’s important to have the hostname + domain configured on the Host Common Name because ISE uses this parameter in order to establish a connection with the CSSM. You can use an IP address instead of the hostname + domain, however the recommendation is to use the hostname + domain

    1. And finally, the registration has been completed.

    Registration completedRegistration completed.

     Create certificates from Windows CA.

    If you are the administrator of the Certificate Authority, you must do the next:

    1. Open a web browser and navigate to http://localhost/certsrv/
    2. Click on Request a certificate.

    Request certificateRequest certificate.

    1. Click advanced certificate request.

    Advanced certificate requestAdvanced certificate request.

    1. Open the CSR generated previously.  Then copy the information and paste it on Saved request.

    Submit certificateSubmit certificate.

    After clicking Submit the certificate is downloaded automatically.

    1. Now download the CA certificate root. navigate back to  http://localhost/certsrv/ and select Download a CA Certificate, Certificate Chain, or CRL.

    Download root CADownload root CA.

    1. Download the CA certificate by using the encoding method as Base64.

    Base 64 optionBase 64 option.

    Add DNS records on Windows Server.

    If you are the administrator, add the ISE and CSSM FQDNs.

    1. Open the DNS Manager: Type “DNS” on the Windows finder and open the DNS app.

    DNS optionDNS option.

    1. Navigate to Forward Lookup Zones > And choose your domain.

    DNS managerDNS manager.

    1. Right-click on a black space over the screen and select “New Host (A or AAAA)

    Adding recordAdding record.

    1. Configure the record DNS as the next:
    • Name: It means the name of the host.
    • The IP Address of the device.

    Click on “Add Host

    Record settingsRecord settings.

    Troubleshoot

    Host/IP Address is not reachable.  (Error on ISE)

    Not reachable errorReachable error.

    Solution 1: Check and fix the DNS configuration in the ISE node.

    1. Open the ISE CLI and type “nslookup <CSSM_FQDN>

    On the next example, we can see that cssm.testlab.local wasn’t resolved from the ISE node.

    CSSM resolution failedCSSM resolution failed.

    The correct resolution would be:

    CSSM resolution successfullyCSSM resolution successfully.

    Action Plan:

    1. Check the DNS configuration topic on this document.
    2. Enter the show running-config command  on the ISE CLI in order to check the “ip name-server”. The “ip name-server” needs to match with the IP address of the DNS Server.

    Solution 2: Open the CSSM GUI to confirm that the Host Common Name and Browser Certificate are the same as CSSM On-Prem server Host parameter on the ISE side.

    Wrong scenario:

    CSSM resolution and ISE setting are incorrectCSSM resolution and ISE setting are incorrect.

    Correct scenario:

    CSSM resolution and ISE setting are correctCSSM resolution and ISE setting are correct.

    Action Plan: See “ISE and CSSM configuration” in this guide for more information.

    SSO service: Unable to reach Cisco. (Error on CSSM On-Prem)

    Account registration failedAccount registration failed.

    Solution: Check your connectivity to the Internet.

    Action Plan:

    1. If you need a proxy to get access to the Internet, navigate to Network > Proxy and enable the Use A Proxy Server option and click Apply.

    Proxy configurationProxy configuration.

    The Common Name in the CSR is not a DNS-resolvable hostname or IP address, please try again. (Error on CSSM On-Prem)

    CSR errorCSR error.

    Solution: Check and fix the DNS resolution on the CSSM Server.

    1. Open the CSSM CLI and type “nslookup <CSSM_FQDN>

    On the next example, we can see that cssm.testlab.local wasn’t resolved from the CSSM Server.

    The DNS server is not reachableThe DNS server is not reachable.

    The correct output would be the next:

    The DNS server is reachableThe DNS server is reachable.

    Action Plan:

    Check the DNS configurations on the CSSM On-Prem.

    1. navigate to Network > General > DNS Setting.

    The Primary or Alternate DNS needs to be the same as the IP address of the DNS Server.

    DNS settingsDNS settings.

    Revision History

    Revision Publish Date Comments
    1.0
    25-Jul-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Oscar de Jesus Tegoma Aguilar

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products