Install Cisco ISE-PIC

Download and Run the ISO Image

Before you begin

Before you install Cisco ISE-PIC on any of the supported appliances, ensure you have:

  1. Created and accessed the virtual machine correctly.

  2. Complied with all firmware and virtual machine requirements as follows:

    • Virtual Machine—install an OVA template prior to ISE-PIC installation and ensure your virtual machine server is configured correctly.

    • Linux KVM—ensure all virtualization technology and hardware requirements are met.

For more information about requirements, see Cisco ISE-PIC Administrator Guide, Cisco Secure Network Server Data Sheet, and Cisco Identity Services Engine Installation Guide.

Procedure


Step 1

Boot the virtual machine on which to install ISE-PIC.

  1. Map the CD/DVD to an ISO image. The following message and installation menu are displayed.

    Example:

    Please wait, preparing to boot........................................................................
    ...............................................................................................................

    The following options appear:

    [1] Cisco ISE-PIC Installation (Keyboard/Monitor)
    [2] Cisco ISE-PIC Installation (Serial Console)
    [3] System Utilities (Keyboard/Monitor)
    [4] System Utilities (Serial Console)
    

Step 2

At the boot prompt, press 2 and Enter to install Cisco ISE-PIC using a serial console.

The following message appears.

**********************************************
Please type 'setup' to configure the appliance
**********************************************

Step 3

At the prompt, type setup to start the Setup program. See for details about the Setup program parameters.

Step 4

After you enter the network configuration parameters in the Setup mode, the appliance automatically reboots, and returns to the shell prompt mode.

Step 5

Exit from the shell prompt mode. The appliance comes up.

Step 6

Continue with Verify the Installation Process.


Run the Setup Program of Cisco ISE

This section explains how to configure the ISE-PIC server.

The setup program launches an interactive command-line interface (CLI) that prompts for required parameters. Use the console or a dumb terminal to configure initial network settings and provide administrator credentials for the ISE-PIC server. This setup process is a one-time-configuration task.


Note


If you are integrating with Active Directory (AD), it is best to use the IP and subnet addresses from a dedicated site created specifically for Cisco ISE. Consult the AD staff in your organization to retrieve the relevant IP and subnet addresses for your ISE nodes before installation and configuration.



Note


It is not recommended to attempt offline installation of Cisco ISE as this can lead to system instability. If you run the installation script offline, this error appears:

Sync with NTP server failed' Incorrect time could render the system unusable until it is re-installed. Retry? Y/N [Y]:

Select Yes to continue with the installation.

Select No to try syncing with the NTP server.

It is recommended to establish network connectivity with both the NTP server and the DNS server while running the installation script.


To run the setup program:

Procedure


Step 1

Turn on the appliance designated for the installation.

The Setup prompt appears:

Type 'setup' to configure the appliance
localhost login:

Step 2

At the login prompt, enter setup and press Enter.

The console displays a set of parameters. You must enter the parameter values for each prompt in the table.

Note

 

The eth0 interface of Cisco ISE must be statically configured with an IPv6 address if you want to add a Domain Name Server or an NTP Server with an IPv6 address.

Table 1. Cisco ISE-PIC Setup Program Parameters

| Prompt | Description | Example |
|---|---|---|
| Hostname | Length: Must not exceed 19 characters. Valid characters: Alphanumeric (A–Z, a–z, 0–9) and hyphen. The first character must be a letter. | isebeta1 |
| Ethernet interface address | Address must be a valid IPv4 or Global IPv6 for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14/ 2001:420:54ff:4::458:121:119 |
| Netmask | Must be a valid IPv4 or IPv6 netmask. | 255.255.255.0/ 2001:420:54ff:4::458:121:119/122 |
| Default gateway | Must be a valid IPv4 or Global IPv6 address for the default gateway. | 10.12.13.1/ 2001:420:54ff:4::458:1 |
| DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.). | example.com |
| Primary name server | Must be a valid IPv4 or Global IPv6 address for the primary name server. | 10.15.20.25 / 2001:420:54ff:4::458:118 |
| Add/Edit another name server | Must be a valid IPv4 or Global IPv6 address for the primary name server. | (Optional) Allows you to configure multiple name servers. To configure multiple name servers, enter y to continue. |
| Primary NTP server | Must be a valid IPv4 or Global IPv6 address or hostname of a Network Time Protocol (NTP) server. Note: Ensure that the primary NTP server is reachable. | clock.nist.gov / 10.15.20.25 / 2001:420:54ff:4::458:117 |
| Add/Edit another NTP server | Must be a valid NTP domain. | (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue. |
| System Time Zone | Must be a valid time zone. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT, or Coordinated Universal Time (UTC) minus 8 hours (UTC–08:00). Note: Ensure that the system time and time zone match with the CIMC or Hypervisor Host OS time and time zone. System performance might be affected if there is any mismatch between the time zones. | UTC (default) |
| Username | Identifies the administrative username used for CLI access to the Cisco ISE-PIC system. If you choose not to use the default (admin), you must create a new username. The Username must be 3 to 8 characters in length and consist of valid alphanumeric characters (A–Z, a–z, or 0–9). | admin (default) |
| Password | Identifies the administrative password that is used for CLI access to the Cisco ISE-PIC system. You must create this password in order to continue because there is no default password. The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9). | MyIseYPass2 |

Note

 

When you create a password for the administrator during installation or after installation in the CLI, do not use the $ character in your password, unless it is the last character of the password. If it is the first or one of the subsequent characters, the password is accepted, but cannot be used to log in to the CLI.

If you create such a password by mistake, reset your password by logging into the console and using the CLI command, or by using an ISE CD or ISO file. See this document for instructions on resetting your password using an ISO file: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html

After you run the setup program, the system reboots automatically.

Now, log in to Cisco ISE-PIC using the username and password you configured during the setup process.
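
The constraints in Table 1 and the password note can be checked before the one-time setup run. The following is an added example, not Cisco code: a Python pre-check whose dictionary keys and function names are hypothetical, and which assumes that the "ASCII characters" allowed in a DNS domain name are letters.

```python
import ipaddress
import re

HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,18}")   # letter first, 19 max
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,8}")
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")  # assumption: "ASCII characters" = letters

# Constructed answers, taken from the Example column of Table 1.
# The dictionary keys are hypothetical names, not ISE-PIC identifiers.
SAMPLE = {
    "hostname": "isebeta1", "ip_address": "10.12.13.14",
    "default_gateway": "10.12.13.1", "dns_domain": "example.com",
    "primary_name_server": "10.15.20.25", "username": "admin",
    "password": "MyIseYPass2",
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_setup_answers(a):
    """Return the list of Table 1 rules that the planned answers break."""
    problems = []
    if not HOSTNAME_RE.fullmatch(a.get("hostname", "")):
        problems.append("hostname: max 19 chars, A-Z a-z 0-9 and hyphen, letter first")
    for key in ("ip_address", "default_gateway", "primary_name_server"):
        if not _is_ip(a.get(key, "")):   # address scope (global IPv6) is not checked
            problems.append(f"{key}: not a valid IPv4 or IPv6 address")
    domain = a.get("dns_domain", "")
    if _is_ip(domain) or not DOMAIN_RE.fullmatch(domain):
        problems.append("dns_domain: must be a name, not an IP address")
    if not USERNAME_RE.fullmatch(a.get("username", "")):
        problems.append("username: 3 to 8 alphanumeric characters")
    pw = a.get("password", "")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]")
    if len(pw) < 6 or not all(re.search(c, pw) for c in classes):
        problems.append("password: min 6 chars with lowercase, uppercase, numeral")
    if "$" in pw[:-1]:   # accepted by setup, but CLI login then fails
        problems.append("password: '$' only works as the last character")
    return problems
```

The `$` rule is the one worth automating: the setup program accepts such a password, so the mistake only surfaces at the first CLI login.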


Verify the Installation Process

To verify that you have correctly completed the installation process:

Procedure


Step 1

Once the system automatically reboots after installation, enter the username you configured during the setup at the login prompt, and press Enter.

Step 2

At the password prompt, enter the password you configured during setup, and press Enter.

Step 3

Verify that the application has been installed properly by entering the show application command, and press Enter.

Step 4

Check the status of the ISE-PIC processes by entering the show application status ise command, and press Enter.

The following message is displayed:
ise-server/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          5072        
Database Server                        running          90 PROCESSES
Application Server                     running          9117        
AD Connector                           running          14187        
Certificate Authority Service          running          9947        
M&T Session Database                   running          6408        
M&T Log Collector                      running          10166       
M&T Log Processor                      running          10057       
pxGrid Infrastructure Service          running          22303           
pxGrid Publisher Subscriber Service    running          22575           
pxGrid Connection Manager              running          22516           
pxGrid Controller                      running          22625           
PassiveID WMI Service                  running          10498
PassiveID Syslog Service               running          11483
PassiveID API Service                  running          12176
PassiveID Agent Service                running          13046
PassiveID Endpoint Service             running          13557
PassiveID SPAN Service                 running          13993
snsbu-c220-ORX/admin#
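
To make the Step 4 check repeatable, the status table can be parsed and any process that is not in the running state listed. This is an added example, not part of the Cisco guide; the sample is a shortened, constructed copy of the output above with one state changed to "not running", and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the output shown above, with one
# state changed to "not running" to illustrate the failure case.
SAMPLE_OUTPUT = """\
ise-server/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          5072
Database Server                        running          90 PROCESSES
Application Server                     running          9117
M&T Log Collector                      not running
pxGrid Controller                      running          22625
PassiveID WMI Service                  running          10498
snsbu-c220-ORX/admin#
"""

# Columns are separated by two or more spaces; the PROCESS ID column may be
# empty, or hold text such as "90 PROCESSES" instead of a single PID.
ROW_RE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<state>\S.*?)(?:\s{2,}(?P<pid>\S.*?))?\s*$")


def parse_status(text):
    """Map each ISE process name to (state, pid_column) from the CLI table."""
    rows, in_table = {}, False
    for line in text.splitlines():
        if set(line.strip()) == {"-"}:   # dashed rule: table rows start below it
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:                        # e.g. the trailing CLI prompt
            continue
        rows[m["name"]] = (m["state"], m["pid"] or "")
    return rows


def not_running(text):
    """Return names of processes whose state is anything other than 'running'."""
    return sorted(n for n, (state, _) in parse_status(text).items()
                  if state != "running")
```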