- Preface
-
- Administration User Interface Reference
- Guest Access User Interface Reference
- Web Portals Customization Reference
- Policy User Interface Reference
- Operations User Interface Reference
- Network Access Flows
- Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions
- Supported Management Information Bases in Cisco ISE
- Backup Data Type
- Backup and Restore Repositories
- On-Demand and Scheduled Backups
- Cisco ISE Restore Operation
- Export Authentication and Authorization Policy Configuration
- Synchronize Primary and Secondary Nodes in a Distributed Environment
- Recovery of Lost Nodes in Standalone and Distributed Deployments
- Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment
- Recovery of Lost Nodes Using New IP Addresses and Hostnames in a Distributed Deployment
- Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment
- Recovery of a Node Using New IP Address and Hostname in a Standalone Deployment
- Configuration Rollback
- Recovery of Primary Node in Case of Failure in a Distributed Deployment
- Recovery of Secondary Node in Case of Failure in a Distributed Deployment
Backup and Restore Operations
This chapter describes the Cisco Identity Services Engine (ISE) database backup and restore operations, which include Cisco ISE application configuration, Cisco Application Deployment Engine operating system (ADE operating system) configuration and Cisco ISE Monitoring and Troubleshooting database.
 Note | Backup and restore is not available for Inline Posture nodes in Cisco ISE, Release 1.2. |
- Backup Data Type
- Backup and Restore Repositories
- On-Demand and Scheduled Backups
- Cisco ISE Restore Operation
- Export Authentication and Authorization Policy Configuration
- Synchronize Primary and Secondary Nodes in a Distributed Environment
- Recovery of Lost Nodes in Standalone and Distributed Deployments
Backup Data Type
Cisco ISE allows you to back up data from the primary or standalone Administration node and from the Monitoring node. Backup can be done from the CLI or user interface.
Cisco ISE allows you to back up the following type of data:
Configuration data—Contains both application-specific and Cisco ADE operating system configuration data.
Operational Data—Contains monitoring and troubleshooting data.
Restore operation, can be performed with the backup files of previous versions of Cisco ISE and restored on a later version, for example, if you have a backup from an ISE node from Cisco ISE, Release 1.1, you can restore it on Cisco ISE, Release 1.2.
Backup and Restore Repositories
Cisco ISE allows you to create and delete repositories through the Admin portal. You can create the following types of repositories:
For the SNS 3415 and SNS 3495 Appliances, there is no physical CD-ROM available. You can create the repository type as CD-ROM for the virtual CD-ROM created using the KVM.
Note | Repositories are local to each device. |
Note | We recommend that you have a repository size of 10 GB for small deployments (100 endpoints or less), 100 GB for medium deployments, and 200 GB for large deployments. |
Create Repositories
You can use the CLI and GUI to create repositories. We recommend that you use the GUI due to the following reasons:
To perform the following task, you must be a Super Admin or System Admin.
What to Do Next
-
Ensure that the repository that you created is working by executing the following command from the Cisco ISE command-line interface:
show repository repository_name
where repository_name is the name of the repository that you have created.
Note
If the path that you provided while creating the repository does not exist, then you will get the following error: %Invalid Directory.
On-Demand and Scheduled Backups
Cisco ISE provides on-demand backups of the primary administration node and the primary monitoring node. Perform an on-demand backup when you want to backup data immediately.
Cisco ISE also allows you to schedule system-level backups that can be scheduled to run once, daily, weekly, or monthly. Because backup operations can be lengthy, you can schedule them so they are not a disruption. You can schedule a backup from the Cisco ISE CLI or through the Cisco ISE Admin portal.
Note | If you upgrade to Cisco ISE, Release 1.2, the scheduled backup jobs need to be recreated. |
Perform an On-Demand Backup
You can perform an On-demand backup to instantly backup the configuration or monitoring (operational) data. The restore operation restores Cisco ISE to the configuration state that existed at the time of obtaining the backup.
When performing a backup and restore, the restore overwrites the list of trusted certificates on the target system with the list of certificates from the source system. It is critically important to note that backup and restore functions do not include private keys associated with the Internal Certificate Authority (CA) certificates.
If you are performing a backup and restore from one system to another, you will have to choose from one of these options to avoid errors:
-
Option 1:
Export the CA certificates from the source ISE node through the CLI and import them in to the target system through the CLI.
Pros:Any certificates issued to endpoints from the source system will continue to be trusted. Any new certificates issued by the target system will be signed by the same keys.
Cons:Any certificates that have been issued by the target system prior to the restore function will not be trusted and will need to be re-issued.
-
Option 2:
After the restore process, generate all new certificates for the internal CA.
Pros:This option is the recommended and clean method, where neither the original source certificates or the original target certificates will be used. Certificates issued by the original source system will continue to be trusted.
Cons:Any certificates that have been issued by the target system prior to the restore function will not be trusted and will need to be re-issued.
-
Before you perform this task, you should have a basic understanding of the backup data types in Cisco ISE.
-
Ensure that you have created repositories for storing the backup file.
-
Do not back up using a local repository. You cannot back up the monitoring data in the local repository of a remote Monitoring node.
-
Ensure that you perform all certificate-related changes before you obtain the backup.
-
To perform the following task, you must be a Super Admin or System Admin.
Schedule a Backup
You can use this page to schedule configuration or monitoring backups.
When performing a backup and restore, the restore overwrites the list of trusted certificates on the target system with the list of certificates from the source system. It is critically important to note that backup and restore functions do not include private keys associated with the Internal Certificate Authority (CA) certificates.
If you are performing a backup and restore from one system to another, you will have to choose from one of these options to avoid errors:
-
Option 1:
Export the CA certificates from the source ISE node through the CLI and import them in to the target system through the CLI.
Pros:Any certificates issued to endpoints from the source system will continue to be trusted. Any new certificates issued by the target system will be signed by the same keys.
Cons:Any certificates that have been issued by the target system prior to the restore function will not be trusted and will need to be re-issued.
-
Option 2:
After the restore process, generate all new certificates for the internal CA.
Pros:This option is the recommended and clean method, where neither the original source certificates or the original target certificates will be used. Certificates issued by the original source system will continue to be trusted.
Cons:Any certificates that have been issued by the target system prior to the restore function will not be trusted and will need to be re-issued.
-
Before you perform this task, you should have a basic understanding of the types of data that can be backed up and on-demand and scheduled backups.
-
Do not back up using a local repository. You cannot back up the monitoring data in the local repository of a remote Monitoring node.
-
To perform the following task, you must be a Super Admin or System Admin.
-
If you have upgraded to Cisco ISE 1.2 from Cisco ISE 1.1 or earlier releases, you should reconfigure your scheduled backups. See the Known Upgrade Issues section in the Cisco Identity Services Engine Upgrade Guide, Release 1.2.
Backup Using the CLI
Although you can schedule backups both from the CLI as well as the GUI, it is recommended to use GUI for better options. But, you can perform Operational backup on the secondary monitoring node only from the CLI.
Backup History
Backup history provides basic information about scheduled and on-demand backups. It lists the name of the backup, backup file size, repository where the backup is stored, and time stamp that indicates when the backup was obtained. This information is available in the Operations Audit report and on the Backup and Restore page in the History table.
For failed backups, Cisco ISE triggers an alarm. The backup history page provides the failure reason. The failure reason is also cited in the Operations Audit report. If the failure reason is missing or is not clear, you can run the backup-logs command from the Cisco ISE CLI and look at the ADE.log for more information.
While the backup operation is in progress, you can use the show backup status CLI command to check the progress of the backup operation.
Backup history is stored along with the Cisco ADE operating system configuration data. It remains there even after an application upgrade and are only removed when you reimage the primary administration node.
Backup Failures
If backup fails, check the following:
Check the available disk space for the configured repository.
Monitoring backup fails if the monitoring data takes up more than 75% of the allocated monitoring database size. For example, if your Monitoring node is allocated 600 GB, and the monitoring data takes up more than 450 GB of storage, then monitoring backup fails.
If the database disk usage is greater than 90%, a purge occurs to bring the database size to less than or equal to 75% of its allocated size.
Verify if a purge is in progress. Backup and restore operations will not work while a purge is in progress.
Cisco ISE Restore Operation
You can restore configuration data on a primary or standalone administration node. After you restore data on the primary administration node, you must manually synchronize the secondary nodes with the primary administration node.
The process for restoring the operational data is different depending on the type of deployment.
- Guidelines for Data Restoration
- Restoration of Configuration or Monitoring Backup from the CLI
- Restore Configuration Backups from the GUI
- Restoration of Monitoring Database
- Restore History
Guidelines for Data Restoration
Following are guidelines to follow when you restore Cisco ISE backup data.
-
If you obtain a backup from your primary Administration node in one timezone and try to restore it on another Cisco ISE node in another timezone, the restore process might fail. This failure happens if the timestamp in the backup file is later than the system time on the Cisco ISE node on which the backup is restored. If you restore the same backup a day after it was obtained, then the timestamp in the backup file is in the past and the restore process succeeds.
-
When you restore a backup on a primary Cisco ISE node with a different hostname than the one from which the backup was obtained, the primary Cisco ISE node becomes a standalone node. The deployment is broken and the secondary nodes become nonfunctional. You must make the standalone node the primary node, reset the configuration on the secondary nodes, and reregister them with the primary node. To reset the configuration on Cisco ISE nodes, enter the following command from the Cisco ISE CLI:
-
We recommend that you do not change the system timezone after the initial Cisco ISE installation and setup.
-
If you changed the certificate configuration on one or more nodes in your deployment, you must obtain another backup to restore the data from the standalone Cisco ISE node or primary Administration node (PAN). Otherwise, if you try to restore data using an older backup, the communication between the nodes might fail.
-
After you restore the configuration backup on the PAN, you can import the Cisco ISE CA certificates and keys that you exported earlier.
Note
If you did not export the Cisco ISE CA certificates and keys, then after you restore the configuration backup on the PAN, generate the root CA and subordinate CAs on the PAN and Policy Service Nodes (PSNs).
-
You need a data repository, which is the location where Cisco ISE saves your backup file. You must create a repository before you can run an on-demand or scheduled backup.
-
If you have a standalone administration node that fails, you must run the configuration backup to restore it. If your primary Administration node fails, you can use the distributed setup to promote your secondary Administration node to become the primary. You can then restore data on your primary Administration node after it comes up.
Note
Cisco ISE also provides the backup-logs CLI command that you can use to collect log and configuration files for troubleshooting purposes.
Restoration of Configuration or Monitoring Backup from the CLI
Defaults
To restore configuration data through the Cisco ISE CLI, use the restore command in the EXEC mode. Use the following command to restore data from a configuration or operational backup:
restore filename repository repository-name encryption-key hash|plain encryption-key name include-adeos
No default behavior or values.
When you use restore commands in Cisco ISE, the Cisco ISE server restarts automatically.
The encryption key is optional while restoring data. To support restoring earlier backups where you have not provided encryption keys, you can use the restore command without the encryption key.
ise/admin# restore mybackup-100818-1502.tar.gpg repository myrepository encryption-key plain Lab12345 Restore may require a restart of application services. Continue? (yes/no) [yes] ? yes Initiating restore. Please wait... ISE application restore is in progress. This process could take several minutes. Please wait... Stopping ISE Application Server... Stopping ISE Monitoring & Troubleshooting Log Processor... Stopping ISE Monitoring & Troubleshooting Log Collector... Stopping ISE Monitoring & Troubleshooting Alert Process... Stopping ISE Monitoring & Troubleshooting Session Database... Stopping ISE Database processes... Starting ISE Database processes... Starting ISE Monitoring & Troubleshooting Session Database... Starting ISE Application Server... Starting ISE Monitoring & Troubleshooting Alert Process... Starting ISE Monitoring & Troubleshooting Log Collector... Starting ISE Monitoring & Troubleshooting Log Processor... Note: ISE Processes are initializing. Use 'show application status ise' CLI to verify all processes are in running state. ise/admin#
| backup |
Performs a backup (Cisco ISE and Cisco ADE OS) and places the backup in a repository. |
| backup-logs | |
| repository | |
| show repository |
Displays the available backup files located on a specific repository. |
| show backup history | |
| show backup status | |
| show restore status |
If the sync status and replication status after application restore for any secondary node is Out of Sync, you have to reimport the certificate of that secondary node to the primary administration node and perform a manual synchronization.
Restore Configuration Backups from the GUI
You can restore a configuration backup from the Admin portal. The GUI lists only the backups that are taken from Cisco ISE, Release 1.2. To restore backups that are prior to this release, use the restore command from the CLI.
What to Do Next
If you are using the Cisco ISE CA service, you must:
-
Regenerate the entire Cisco ISE CA root chain.
-
Obtain a backup of the Cisco ISE CA certificates and keys from the PAN and restore it on the secondary Administration node. This ensures that the secondary Administration node can function as the root CA or subordinate CA of an external PKI in case of a PAN failure and you promote the secondary Administration node to be the PAN.
Restoration of Monitoring Database
The process for restoring the Monitoring database is different depending on the type of deployment. The following sections explain how to restore the Monitoring database in standalone and distributed deployments.
You must use the CLI to restore an on-demand Monitoring database backup from Cisco ISE, Release 1.0, 1.0.4, or 1.1, to Cisco ISE, Release 1.2. Restoring a scheduled backup across Cisco ISE releases is NOT supported.
Note | If you attempt to restore data to a node other than the one from which the data was taken, you must configure the logging target settings to point to the new node. This ensures that the monitoring syslogs are sent to the correct node. |
- Restore a Monitoring Backup in a Standalone Environment
- Restore a Monitoring Backup with Administration and Monitor Personas
- Restore a Monitoring Backup with a Monitoring Persona
Restore a Monitoring Backup in a Standalone Environment
The GUI lists only the backups that are taken from Cisco ISE, Release 1.2. To restore backups that are prior to this release, use the restore command from the CLI.
Restore a Monitoring Backup with Administration and Monitor Personas
You can restore a Monitoring backup in a distributed environment with Administration and Monitor personas.
| Step 1 | Prepare to promote another
Cisco ISE node as the primary Administration node, by syncing the node with the
existing primary node you want to backup.
This ensures that the configuration of the Cisco ISE node you are going to promote is up to date. |
| Step 2 | Promote the newly synced Administration node to primary status. |
| Step 3 | Prepare to deregister the
node to be backed up by assigning the Monitoring persona to another node in the
deployment.
A deployment must have at least one functioning Monitoring node. |
| Step 4 | Deregister the node to be backed up. |
| Step 5 | Restore the Monitoring backup to the newly deregistered node. |
| Step 6 | Register the newly restored node with the current Administration node. |
| Step 7 | Promote the newly restored and registered node as the primary Administration node. |
Restore a Monitoring Backup with a Monitoring Persona
You can restore a Monitoring backup in a distributed environment with only Monitoring persona.
| Step 1 | Prepare to deregister the
node to be restored by assigning the Monitoring persona to another node in the
deployment.
A deployment must have at least one functioning Monitoring node. | ||
| Step 2 | Deregister the node to be
restored.
| ||
| Step 3 | Restore the Monitoring backup to the newly deregistered node. | ||
| Step 4 | Register the newly restored node with the current Administration node. | ||
| Step 5 | Promote the newly restored and registered node as the primary Administration node. |
Restore History
You can obtain information about all restore operations, log events, and statuses from the Operations Audit report.
Note | However, the Operations Audit report does not provide information about the start times corresponding to the previous restore operations. |
For troubleshooting information, you have to run the backup-logs command from the Cisco ISE CLI and look at the ADE.log file.
While the restore operation is in progress, all Cisco ISE services are stopped. You can use the show restore status CLI command to check the progress of the restore operation.
Export Authentication and Authorization Policy Configuration
You can export authentication and authorization policy configuration in the form of an XML file that you can read offline to identify any configuration errors and use for troubleshooting purposes. This XML file includes authentication and authorization policy rules, simple and compound policy conditions, dACLs, and authorization profiles. You can choose to email the XML file or save it to your local system.
Synchronize Primary and Secondary Nodes in a Distributed Environment
In a distributed environment, sometimes the Cisco ISE database in the primary and secondary nodes are not synchronized automatically after restoring a backup file on the primary administration node. It this happens, you can manually force a full replication from the primary administration node to the secondary ISE nodes. You can force a synchronization only from a primary to secondary nodes. During the sync-up operation, you cannot make any configuration changes. Cisco ISE allows you to navigate to other Cisco ISE Admin portal pages and make any configuration changes only after the synchronization is complete.
To perform the following task, you must be a Super Admin or System Admin.
| Step 1 | Choose . |
| Step 2 | Check the check boxes next to the secondary ISE nodes with an Out of Sync replication status. |
| Step 3 | Click Syncup and wait until the nodes are synchronized with the primary administration node. You will have to wait until this process is complete before you can access the Cisco ISE Admin portal again. |
Recovery of Lost Nodes in Standalone and Distributed Deployments
This section provides troubleshooting information that you can use to recover lost nodes in standalone and distributed deployments. Some of the following use cases use the backup and restore functionality and others use the replication feature to recover lost data.
- Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment
- Recovery of Lost Nodes Using New IP Addresses and Hostnames in a Distributed Deployment
- Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment
- Recovery of a Node Using New IP Address and Hostname in a Standalone Deployment
- Configuration Rollback
- Recovery of Primary Node in Case of Failure in a Distributed Deployment
- Recovery of Secondary Node in Case of Failure in a Distributed Deployment
Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment
Scenario
In a distributed deployment, a natural disaster leads to a loss of all the nodes. After recovery, you want to use the existing IP addresses and hostnames.
For example, you have two nodes: N1 (primary Administration node) and N2 (secondary Administration node.) A backup of the N1 node, which was taken at time T1, is available. Later, both N1 and N2 nodes fail because of a natural disaster.
Assumption
All Cisco ISE nodes in the deployment were destroyed. The new hardware was imaged using the same hostnames and IP addresses.
Resolution Steps
-
You have to replace both the N1 and N2 nodes. N1 and N2 nodes will now have a standalone configuration.
-
Obtain a license with the UDI of the N1 and N2 nodes and install it on the N1 node.
-
You must then restore the backup on the replaced N1 node. The restore script will try to sync the data on N2, but N2 is now a standalone node and the sync will fail. Data on N1 will be reset to time T1.
-
You must log in to the N1 Admin portal to delete and reregister the N2 node. Both the N1 and N2 nodes will have data reset to time T1.
Recovery of Lost Nodes Using New IP Addresses and Hostnames in a Distributed Deployment
Scenario
In a distributed deployment, a natural disaster leads to loss of all the nodes. The new hardware is reimaged at a new location and requires new IP addresses and hostnames.
For example, you have two ISE nodes: N1 (primary Administration node) and N2 (secondary Policy Service node.) A backup of the N1 node which was taken at time T1, is available. Later, both N1 and N2 nodes fail because of a natural disaster. The Cisco ISE nodes are replaced at a new location and the new hostnames are N1A (primary Administration node) and N2A (secondary Policy Service node). N1A and N2A are standalone nodes at this point in time.
Assumptions
All Cisco ISE nodes in the deployment were destroyed. The new hardware was imaged at a different location using different hostnames and IP addresses.
Resolution Steps
-
Obtain the N1 backup and restore it on N1A. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.
-
You must log in to the Cisco ISE Admin portal on N1A, choose , and do the following:
Register the new N2A node as a secondary node. Data from the N1A node will be replicated to the N2A node.
Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment
Scenario
A standalone administration node is down.
For example, you have a standalone administration node, N1. A backup of the N1 database was taken at time T1. The N1 node goes down because of a physical failure and must be reimaged or a new hardware is required. The N1 node must be brought back up with the same IP address and hostname.
Assumptions
This deployment is a standalone deployment and the new or reimaged hardware has the same IP address and hostname.
Resolution Steps
Once the N1 node is up after a reimage or you have introduced a new Cisco ISE node with the same IP address and hostname, you must restore the backup taken from the old N1 node. You do not have to make any role changes.
Recovery of a Node Using New IP Address and Hostname in a Standalone Deployment
Scenario
A standalone administration node is down.
For example, you have a standalone administration node, N1. A backup of the N1 database taken at time T1 is available. The N1 node is down because of a physical failure and will be replaced by a new hardware at a different location with a different IP address and hostname.
Assumptions
This is a standalone deployment and the replaced hardware has a different IP address and hostname.
Resolution Steps
Configuration Rollback
Problem
There may be instances where you inadvertently make configuration changes that you later determine were incorrect. For example, you may delete several NADs or modify some RADIUS attributes incorrectly and realize this issue several hours later. In this case, you can revert back to the original configuration by restoring a backup that was taken before you made the changes.
Possible Causes
There are two nodes: N1 (primary Administration node) and N2 (secondary Administration node) and a backup of the N1 node is available. You made some incorrect configuration changes on N1 and want to remove the changes.
Solution
Obtain a backup of the N1 node that was taken before the incorrect configuration changes were made. Restore this backup on the N1 node. The restore script will sync the data from N1 to N2.
Recovery of Primary Node in Case of Failure in a Distributed Deployment
Scenario
In a multinode deployment, the primary administration node fails.
For example, you have two Cisco ISE nodes, N1 (primary Administration node) and N2 (secondary Administration node). N1 fails because of hardware issues.
Assumptions
Only the primary node in a distributed deployment has failed.
Resolution Steps
-
Log in to the N2 Admin portal. Choose and configure N2 as your primary node.
The N1 node is replaced with a new hardware, reimaged, and is in the standalone state.
-
From the N2 Admin portal, register the new N1 node as a secondary node.
Now, the N2 node becomes your primary node and the N1 node becomes your secondary node.
If you wish to make the N1 node the primary node again, log in to the N1 Admin portal and make it the primary node. N2 automatically becomes a secondary server. There is no data loss.
Recovery of Secondary Node in Case of Failure in a Distributed Deployment
Scenario
In a multinode deployment, a single secondary node has failed. No restore is required.
For example, you have multiple nodes: N1 (primary Administration node), N2 (secondary Administration node), N3 (secondary Policy Service node), N4 (secondary Policy Service node). One of the secondary nodes, N3, fails.
Feedback