Configure Repository on ISE

Available Languages

Download Options

  • PDF     (1.0 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.0 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.0 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 13, 2023
Document ID:215348

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure a repository on the Identity Services Engine (ISE).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic knowledge of the Identity Services Engine (ISE)
    • Basic knowledge of File Transfer Protocol (FTP) server & SSH File transfer protocol (SFTP) server

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Identity Service Engine version 2.x
    • A functional FTP server and SFTP server

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Cisco allows you to create and delete repositories through the Admin portal. You can create these types of repositories:

    • DISK
    • FTP
    • SFTP
    • NFS
    • CD-ROM
    • HTTP
    • HTTPS

    Note: It is recommended that you have a repository size of 10 GB for small deployments (100 endpoints or less), 100 GB for medium deployments, and 200 GB for large deployments.

    ISE Repositories can be configured from both the GUI and the CLI of the ISE and can be used for these purposes:

    • Backup and Restore of ISE Configuration and Operational data
    • Upgrade of ISE nodes
    • Patch installation
    • Export of data (Reports) from the ISE
    • Export of support bundle from the ISE node

    Note: Repositories configured from CLI of the ISE node are local to each node and are removed upon reload of the node. Repositories configured from the GUI of the ISE are replicated to all nodes in deployment and are not removed upon reload of the node.

    Configuration

    Configure FTP Repository

    Configure FTP Repository from the GUI

    Step 1. In order to configure a repository on the ISE, log in to the ISE GUI and navigate to Administration > System > Maintenance > Repository. Then click Add, as shown in the image.

    Click Add to add an item to the Repository list

    Step 2. Provide Repository Name and choose FTP as the protocol. Then enter Server Name, Path, User Name, and Password, and click Submit, as shown in the image.

    Enter configuration parameters for an FTP repository and click Submit

    Configure FTP Repository from the CLI

     Log in to the CLI of the ISE node via SSH and run these commands.

    ise/admin#
ise/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ise/admin(config)# repository FTP-Repo
ise/admin(config-Repository)# url ftp://10.106.37.174/

ise/adminconfig-Repository)# user <Username> password plain <Password>
ise/admin(config-Repository)# exit
ise/admin(config)# exit
ise/admin#

    Configure SFTP Repository

    Configure the SFTP Repository from the GUI

    Step 1. In order to configure a repository on the ISE, log in to the ISE GUI and navigate to Administration > System > Maintenance > Repository. Then click Add, as shown in the image.

    Click Add to add an item to the Repository list

    Step 2. Provide Repository Name and choose SFTP as the protocol. Then enter Server Name, Path, User Name, and Password, and click Submit, as shown in the image.

    Enter configuration parameters for an SFTP repository and click Submit

    Step 3. After you click Submit, a pop-up message appears. The message prompts you to use CLI to add the host-key of the SFTP server, as shown in the image.

    A message prompts you to use CLI to add the host key of the SFTP server

    Step 4. Log in to the CLI of the ISE node via SSH and use the command crypto host_key add host <ip address of the server> to add the host key.

    ise/admin# crypto host_key add host 10.106.37.34 
host key fingerprint added
Operating in CiscoSSL FIPS mode

# Host 10.106.37.34 found: line 1 
10.106.37.34 RSA SHA256:exFnNITDhafaNPFr35x6kC1pR0iTP6xS+LBmtIXPfnk 
ise/admin#

    Configure SFTP Repository from the CLI

    Log in to the CLI of the ISE node via SSH and run these commands:

    ise/admin#

ise/admin# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
ise/admin(config)# repository SFTP-Repo
ise/admin(config-Repository)# url sftp://10.106.37.34/

ise/adminconfig-Repository)# user <Username> password plain <Password>
ise/admin(config-Repository)# exit
ise/admin(config)# exit
ise/admin#

    Configure NFS Repository

    Configure NFS Repository from the GUI

    Step 1. In order to configure a repository on the ISE, log in to the ISE GUI and navigate to Administration > System > Maintenance > Repository. Then click Add, as shown in the image.

    Click Add to add an item to the Repository list

    Step 2. Provide Repository Name and choose NFS as the protocol. Then enter Server Name and Path, and click Submit, as shown in the image.

    Enter configuration parameters for an NFS repository and click Submit

    Configure NFS Repository from the CLI

    Log in to the CLI of the ISE node via SSH and run these commands:

    ise/admin#

ise/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ise/admin(config)# repository NFS-Repo
ise/admin(config-Repository)#  url nfs://10.106.37.200:/nfs-repo
ise/admin(config-Repository)# exit
ise/admin(config)# exit
ise/admin#

    Configure ISE Local Repository

    Configure Local Repository from the GUI

    Step 1. In order to configure a repository on the ISE, log in to the ISE GUI and navigate to Administration > System > Maintenance > Repository. Then click Add, as shown in the image.

    Click Add to add an item to the Repository list

    Step 2. Provide Repository Name and choose DISK as the protocol. Then enter the Path and click Submit, as shown in the image.

    Enter configuration parameters for a local repository and click Submit

    Configure Local Repository from the CLI

    Log in to the CLI of the ISE node via SSH and run these commands:

    ise/admin#

ise/admin# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
ise/admin(config)# repository Local-Repo
ise/admin(config-Repository)# url disk:/
ise/admin(config-Repository)# exit
ise/admin(config)# exit
ise/admin#

    Note: Local repository store data locally on ISE disk.

    Verify

    The repository can be verified from both GUI and CLI of the ISE server.

    Verify with GUI

    In order to use GUI to validate the repository, navigate to Administration > System > Maintenance > Repository, select the repository, and click Validate, as shown in the image.

    Select the repository to verify and click Validate

    After you click Validate, you must get the Repository validated successfully response on the GUI, as shown in the image.

    Repository validated successfully message

    Verify with CLI

    In order to validate the repository from the CLI, log in to the ISE node via SSH and run the command show repository <name of the repository>. The output of the command lists the files present in the repository.

    ise/admin# 
ise/admin# show repository FTP-Repo
Config-Backup-CFG10-200307-1043.tar.gpg 
ise/admin#

    Troubleshoot

    In order to debug the repository on ISE, use these debugs:

    ise-1/pan# debug copy 7
ise-1/pan# debug transfer 7
ise-1/pan# 
ise-1/pan# 6 [25683]:[info] transfer: cars_xfer.c[220] [system]: ftp dir of repository FTP-Repo requested
7 [25683]:[debug] transfer: cars_xfer_util.c[2017] [system]: ftp get dir for repos FTP-Repo
7 [25683]:[debug] transfer: cars_xfer_util.c[2029] [system]: initializing curl
7 [25683]:[debug] transfer: cars_xfer_util.c[2040] [system]: full url is ftp://10.106.37.174/ISE/
7 [25683]:[debug] transfer: cars_xfer_util.c[1928] [system]: initializing curl
7 [25683]:[debug] transfer: cars_xfer_util.c[1941] [system]: full url is ftp://10.106.37.174/ISE/Config-Backup-CFG10-200307-1043.tar.gpg
7 [25683]:[debug] transfer: cars_xfer_util.c[1962] [system]: res: 0
7 [25683]:[debug] transfer: cars_xfer_util.c[1966] [system]: res: 0-----filetime Config-Backup-CFG10-200307-1043.tar.gpg: Sat Mar  7 10:55:39 2020
7 [25683]:[debug] transfer: cars_xfer_util.c[1972] [system]: filetime Config-Backup-CFG10-200307-1043.tar.gpg: Sat Mar  7 10:55:39 2020
7 [25683]:[debug] transfer: cars_xfer_util.c[1976] [system]: filesize Config-Backup-CFG10-200307-1043.tar.gpg: 181943580 bytes
6 [25683]:[info] transfer: cars_xfer.c[130] [system]: ftp copy out of /opt/backup/backup-Config-Backup-1587433372/Config-Backup-CFG10-200421-0712.tar.gpg requested
6 [25683]:[info] transfer: cars_xfer_util.c[787] [system]: curl version: libcurl/7.29.0 OpenSSL/1.0.2s zlib/1.2.7 libidn/1.28 libssh2/1.4.2
7 [25683]:[debug] transfer: cars_xfer_util.c[799] [system]: full url is ftp://10.106.37.174/ISE/Config-Backup-CFG10-200421-0712.tar.gpg

    Debugs are disabled as shown here:

    ise-1/pan# 
ise-1/pan# no debug copy 7
ise-1/pan# no debug transfer 7
ise-1/pan#

    To ensure that there is proper communication between the ISE and the configured repository server, set up a packet capture from the ISE GUI:

    1. Navigate to Operations > Troubleshoot > Diagnostic tools > TCP Dump.
    2. Enter the appropriate value in Filter and select Format.
    3. Click Start.

    Enter parameters for TCP Dump

    In order to trigger some traffic to the repository which needs to be tested, navigate to Administration > System > Maintenance > Repository, select the repository, and click Validate. Then navigate to Operations > Troubleshoot > Diagnostic tools > TCP Dump, click Stop, and download the packet capture as shown in the image.

    Download the TCP Dump file

    Revision History

    Revision Publish Date Comments
    3.0
    13-Jun-2023
    Updated formatting to meet requirements. Provided some clarity in alt text.
    2.0
    20-May-2022
    Updated the Troubleshoot section. Edited for consistency and clarity.
    1.0
    24-Mar-2020
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Pankaj Kumar
      Cisco TAC Engineer
    • Prashant Joshi
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products