Installation Verification and Post-Installation Tasks

Log in to the Cisco ISE Web-Based Interface

When you log in to the Cisco ISE web-based interface for the first time, you use the preinstalled Evaluation license.

When you log in to the Cisco ISE web-based interface for the first time, You use the pre-installed Evaluation license.


Note
For security, log out when you complete your administrative session.

Caution

For security, log out when you complete your administrative session. If you do not log out, the Cisco ISE web-based web interface logs you out after 30 minutes of inactivity, and does not save any unsubmitted configuration data.

For information about validated browsers, see the “Validated Browsers” section in the Cisco ISE Release Notes.


Note

If Cisco ISE is installed in the cloud or using the ZTP process, you will be prompted to change the web-based admin user password during the first login.

Procedure

Step 1

After the Cisco ISE appliance finishes rebooting, launch one of the supported web browsers.

Step 2

In the Address field, enter the IP address or hostname of the Cisco ISE appliance in this format, then press Enter. 

https://<IP address or host name>/admin/

Step 3

Enter your username and password.

Step 4

Click Login.

Differences Between CLI Admin and Web-Based Admin Users Tasks

The username and password that you configure when using the Cisco Identity Services Engine (ISE) setup program are intended to be used for administrative access to the Cisco ISE CLI and the Cisco ISE web interface. The administrator with access to the Cisco ISE CLI is called the CLI-admin user. By default, the CLI-admin username is admin. The administrator sets the password during the setup process; there is no default password.

You can initially access the Cisco ISE web interface by using the CLI-admin username and password that you defined during the setup process. There is no default username and password for a web-based administrator.

The CLI-admin user is copied to the Cisco ISE web-based admin user database. Only the first CLI-admin user is copied as the web-based admin user. Keep the CLI and web-based administrator user stores synchronized. Using the same username and password for both roles makes administration simpler.

The Cisco ISE CLI-admin user has different rights and capabilities from the Cisco ISE web-based admin user and can perform additional administrative tasks.

Table 1. Tasks Performed by CLI-Admin and Web-Based Admin Users

Admin User Type

Tasks

Both CLI-Admin and Web-Based Admin

  • Back up the Cisco ISE application data.

  • Display any system, application, or diagnostic logs on the Cisco ISE appliance.

  • Apply Cisco ISE software patches, maintenance releases, and upgrades.

  • Set the NTP server configuration.

CLI-Admin only

  • Start and stop the Cisco ISE application software.

  • Reload or shut down the Cisco ISE appliance.

  • Reset the web-based admin user in case of a lockout.

  • Access the ISE CLI.

Create a CLI Admin

Cisco ISE lets you create additional CLI-admin user accounts besides the one created during the setup process. Create the minimum number of CLI-admin users needed to access Cisco ISE CLI. This helps protect user credentials.

You can add the CLI-admin user by using the this command in the configuration mode: 
username <username> password [plain/hash] <password> role admin

Create a Web-Based Admin

For initial web-based access to the Cisco ISE system, use the administrator username and password that were configured during CLI setup.

To add an administrator user, perform these steps:

  1. In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Admin Access > Administrators > Admin Users.

  2. Choose Add > Create an Admin User.

  3. Use the user interface to add web-based administrator users.

  4. Click Submit.

Reset a Disabled Password Due to Administrator Lockout

Your account is disabled if you enter an incorrect password five times.

Use these instructions to reset the administrator user interface password with the application reset-passwd ise command in the Cisco ISE CLI. This process does not affect the CLI password of the administrator. After you reset the administrator password, the new credentials become active immediately, and you can log in without rebooting the system.

Cisco ISE adds a log entry in the Administrator Logins window. To view this window, click the Menu icon () and choose Operations > Reports > Reports > Audit > Administrator Logins. You must reset the password for your administrator ID before you can use your credentials again.

Procedure

Step 1

Access the direct console CLI and enter:

application reset-passwd ise administrator_ID

Step 2

Specify and confirm a new password that is different from the passwords that were used most recently for this administrator ID. 


Enter new password:
Confirm new password:

Password reset successfully

Cisco ISE Configuration Verification

Verify the Cisco ISE configuration using one of two methods. Each method uses a different set of username and password credentials. Perform verification using a web browser or the CLI.


Note

The command-line interface (CLI) administrator user credentials and the web-based administrator user credentials are different in Cisco ISE.

Verify Configuration Using a Web Browser

Procedure

Step 1

After the Cisco ISE appliance reboots, open a supported web browser.

Step 2

In the Address field, In the Address field, enter the IP address or host name of the Cisco ISE appliance using this format, and press Enter.

Step 3

On the Cisco ISE Login page, enter the username and password you defined during setup. Click Login.

For example, enter https://192.0.2.10/admin/, displays the Cisco ISE Login page appears. 

https://<IP address or host name>/admin/

Note

 
For first-time access to the Cisco ISE system using a web browser, the administrator username and password are the same as the credentials you configured for command-line interface access during setup.

Step 4

Use the Cisco ISE dashboard to verify that the appliance is working correctly.

What to do next

By using the Cisco ISE web-based user interface menus and options, you can configure the Cisco ISE system to suit your needs. For details on configuring Cisco ISE, see Cisco Identity Services Engine Administrator Guide.

Verify Configuration Using the CLI

Before you begin

Download and install the latest Cisco ISE patch to keep Cisco ISE up-to-date.

Procedure

Step 1

After the Cisco ISE appliance has rebooted, launch a supported application, such as PuTTY, to establish a Secure Shell (SSH) connection to the Cisco ISE appliance.

Step 2

In the Host Name (or IP Address) field, enter the hostname or IP address (in dotted decimal format) for your Cisco ISE appliance, and click Open.

Step 3

At the login prompt, enter the CLI-admin username you configured during setup (admin is the default). PressEnter.

Step 4

At the password prompt, enter the CLI-admin password you configured during setup. Press Enter.

Step 5

At the system prompt, enter show application version ise and press Enter.

Step 6

To check the status of the Cisco ISE processes, enter show application status ise and press Enter.

The console output appears as shown: 

ise-server/admin# show application status ise 

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          4930
Database Server                        running          66 PROCESSES
Application Server                     running          8231
Profiler Database                      running          6022
ISE Indexing Engine                    running          8634
AD Connector                           running          9485
M&T Session Database                   running          3059
M&T Log Collector                      running          9271
M&T Log Processor                      running          9129
Certificate Authority Service          running          8968
EST Service                            running          18887
SXP Engine Service                     disabled
TC-NAC Docker Service                  disabled
TC-NAC MongoDB Container               disabled
TC-NAC RabbitMQ Container              disabled
TC-NAC Core Engine Container           disabled
VA Database                            disabled
VA Service                             disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID Service                      disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled

List of Post-Installation Tasks

After you install Cisco ISE, you must perform these mandatory tasks:

Table 2. Mandatory Post-Installation Tasks

Task

Link in the Administration Guide

Apply the latest patches, if any

See "Software Patch Installation Guidelines" in the "Maintain and Monitor" chapter of the Cisco ISE Administrator Guide for your release.

Install Licenses

See the Cisco ISE Licensing Guide for more information. See Chapter "Licensing" in the Cisco ISE Administrator Guide for your release.

Install Certificates

See the section "Certificate Management in Cisco ISE" in Chapter "Basic Setup" in the Cisco ISE Administrator Guide for your release.

Create Repository for Backups

See "Create Repositories" in the "Maintain and Monitor" chapter of the Cisco ISE Administrator Guide for your release

Configure Backup Schedules

See "Schedule a Backup" in the "Maintain and Monitor" chapter of the Cisco ISE Administrator Guide for your release.

Deploy Cisco ISE Personas

See the section "Cisco ISE Distributed Deployment" in Chapter "Deployment" in the Cisco ISE Administrator Guide for your release.