Install Cisco ISE-PIC

Download and Run the ISO Image

Before you begin

Before you install Cisco ISE-PIC on any of the supported appliances, ensure you have:

  1. Created and accessed the virtual machine correctly.

  2. Complied with all firmware and virtual machine requirements as follows:

    • Virtual Machine—install an OVA template prior to ISE-PIC installation and ensure your virtual machine server is configured correctly.

    • Linux KVM—ensure all virtualization technology and hardware requirements are met.

For more information about requirements, see Cisco ISE-PIC Administrator Guide, Cisco Secure Network Server Data Sheet, and Cisco Identity Services Engine Installation Guide.

Procedure


Step 1

Boot the virtual machine on which to install ISE-PIC.

  1. Map the CD/DVD to an ISO image. A screen similar to the following appears, showing a boot message and the installation menu.

    Example:

    Please wait, preparing to boot........................................................................
    ...............................................................................................................

    The following options appear:

    [1] Cisco ISE-PIC Installation (Keyboard/Monitor)
    [2] Cisco ISE-PIC Installation (Serial Console)
    [3] System Utilities (Keyboard/Monitor)
    [4] System Utilities (Serial Console)
    
Step 2

At the boot prompt, press 2 and Enter to install Cisco ISE-PIC using a serial console.

The following message appears.

**********************************************
Please type 'setup' to configure the appliance
**********************************************

Step 3

At the prompt, type setup to start the Setup program. See for details about the Setup program parameters.

Step 4

After you enter the network configuration parameters in the Setup mode, the appliance automatically reboots, and returns to the shell prompt mode.

Step 5

Exit from the shell prompt mode. The appliance comes up.

Step 6

Continue with Verify the Installation Process.


Run the Setup Program of Cisco ISE

This section describes the setup process to configure the ISE-PIC server.

The setup program launches an interactive command-line interface (CLI) that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and provide the initial administrator credentials for the ISE-PIC server using the setup program. This setup process is a one-time configuration task.


Note

If you are integrating with Active Directory (AD), it is best to use the IP and subnet addresses from a dedicated Site created specifically for ISE. Consult with the staff in your organization responsible for AD and retrieve the relevant IP and subnet addresses for your ISE nodes prior to installation and configuration.



Note

It is not recommended to attempt offline installation of Cisco ISE as this can lead to system instability. When you run the Cisco ISE installation script offline, the following error is shown:

Sync with NTP server failed' Incorrect time could render the system unusable until it is re-installed. Retry? Y/N [Y]:

Choose Yes to continue with the installation. Choose No to retry syncing with the NTP server.

It is recommended to establish network connectivity with both the NTP server and the DNS server while running the installation script.


To run the setup program:

Procedure


Step 1

Turn on the appliance that is designated for the installation.

The setup prompt appears:

Please type ‘setup’ to configure the appliance
localhost login:

Step 2

At the login prompt, enter setup and press Enter.

The console displays a set of parameters. You must enter the parameter values as described in the table that follows.

Note 

The eth0 interface of ISE must be statically configured with an IPv6 address if you want to add a Domain Name Server or an NTP Server with an IPv6 address.

Table 1. Cisco ISE-PIC Setup Program Parameters

Prompt: Hostname
Description: Must not exceed 19 characters. Valid characters include alphanumerical (A–Z, a–z, 0–9), and the hyphen (-). The first character must be a letter.
Example: isebeta1

Prompt: (eth0) Ethernet interface address
Description: Must be a valid IPv4 or Global IPv6 address for the Gigabit Ethernet 0 (eth0) interface.
Example: 10.12.13.14 / 2001:420:54ff:4::458:121:119

Prompt: Netmask
Description: Must be a valid IPv4 or IPv6 netmask.
Example: 255.255.255.0 / 2001:420:54ff:4::458:121:119/122

Prompt: Default gateway
Description: Must be a valid IPv4 or Global IPv6 address for the default gateway.
Example: 10.12.13.1 / 2001:420:54ff:4::458:1

Prompt: DNS domain name
Description: Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.).
Example: example.com

Prompt: Primary name server
Description: Must be a valid IPv4 or Global IPv6 address for the primary name server.
Example: 10.15.20.25 / 2001:420:54ff:4::458:118

Prompt: Add/Edit another name server
Description: Must be a valid IPv4 or Global IPv6 address for the primary name server.
Example: (Optional) Allows you to configure multiple name servers. To do so, enter y to continue.

Prompt: Primary NTP server
Description: Must be a valid IPv4 or Global IPv6 address or hostname of a Network Time Protocol (NTP) server.
  Note: Ensure that the primary NTP server is reachable.
Example: clock.nist.gov / 10.15.20.25 / 2001:420:54ff:4::458:117

Prompt: Add/Edit another NTP server
Description: Must be a valid NTP domain.
Example: (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

Prompt: System Time Zone
Description: Must be a valid time zone. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or Coordinated Universal Time (UTC) minus 8 hours).
  Note: Ensure that the system time and time zone match with the CIMC or Hypervisor Host OS time and time zone. System performance might be affected if there is any mismatch between the time zones.
  You can run the show timezones command from the Cisco ISE-PIC CLI for a complete list of supported time zones.
Example: UTC (default)

Prompt: Username
Description: Identifies the administrative username used for CLI access to the Cisco ISE-PIC system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and consist of valid alphanumeric characters (A–Z, a–z, or 0–9).
Example: admin (default)

Prompt: Password
Description: Identifies the administrative password that is used for CLI access to the Cisco ISE-PIC system. You must create this password in order to continue because there is no default password. The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9).
Example: MyIseYPass2

Note 

When you create a password for the administrator during installation or after installation in the CLI, do not use the $ character in your password, unless it is the last character of the password. If it is the first or one of the subsequent characters, the password is accepted, but cannot be used to log in to the CLI.

If you inadvertently create such a password, reset your password by logging into the console and using the CLI command, or by getting an ISE CD or ISO file. Instructions for using an ISO file to reset the password are explained in the following document: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html

After the setup program is run, the system reboots automatically.

Now, you can log in to Cisco ISE-PIC using the username and password that was configured during the setup process.
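The setup prompts accept some values that cause trouble later (notably a password with $ before its last character), so it helps to check planned answers before typing them at the console. The following pre-flight check is an added example, not Cisco code; the function names and dictionary keys are this example's own, and it covers only the hostname, address, DNS domain, username and password rules from Table 1 (netmask, NTP and time zone are not checked).

```python
import ipaddress
import re

# Rules transcribed from Table 1. "ASCII characters" for the DNS domain is
# interpreted here as letters (an assumption of this example).
HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,18}")   # 19 chars max, starts with a letter
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,8}")
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")

def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address (global scope is not checked)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_setup_answers(answers):
    """Return a list of rule violations for a dict of planned setup answers."""
    problems = []
    if not HOSTNAME_RE.fullmatch(answers["hostname"]):
        problems.append("hostname: max 19 chars, letters/digits/hyphen, first char a letter")
    for key in ("ip_address", "gateway", "name_server"):
        if not is_ip(answers[key]):
            problems.append(f"{key}: not a valid IPv4 or IPv6 address")
    domain = answers["dns_domain"]
    if is_ip(domain) or not DOMAIN_RE.fullmatch(domain):
        problems.append("dns_domain: must be a domain name, not an IP address")
    if not USERNAME_RE.fullmatch(answers["username"]):
        problems.append("username: 3 to 8 alphanumeric characters")
    pw = answers["password"]
    if len(pw) < 6 or not all(re.search(p, pw) for p in ("[a-z]", "[A-Z]", "[0-9]")):
        problems.append("password: min 6 chars with lowercase, uppercase and a numeral")
    if "$" in pw[:-1]:   # accepted by setup, but cannot be used to log in to the CLI
        problems.append("password: '$' is only safe as the last character")
    return problems

# Constructed sample answers (addresses reuse the table's example values).
SAMPLE = {
    "hostname": "isebeta1", "ip_address": "10.12.13.14", "gateway": "10.12.13.1",
    "name_server": "2001:420:54ff:4::458:118", "dns_domain": "example.com",
    "username": "admin", "password": "My$IsePass2",
}
if __name__ == "__main__":
    print(check_setup_answers(SAMPLE))
```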


Verify the Installation Process

To verify that you have correctly completed the installation process:

Procedure


Step 1

Once the system automatically reboots after installation, enter the username you configured during the setup at the login prompt, and press Enter.

Step 2

At the password prompt, enter the password you configured during setup, and press Enter.

Step 3

To verify that the application has been installed properly, enter the show application command and press Enter.

Step 4

To check the status of the ISE-PIC processes, enter the show application status ise command and press Enter.

The following message is displayed:

ise-server/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          5072        
Database Server                        running          90 PROCESSES
Application Server                     running          9117        
AD Connector                           running          14187        
Certificate Authority Service          running          9947        
M&T Session Database                   running          6408        
M&T Log Collector                      running          10166       
M&T Log Processor                      running          10057       
pxGrid Infrastructure Service          running          22303           
pxGrid Publisher Subscriber Service    running          22575           
pxGrid Connection Manager              running          22516           
pxGrid Controller                      running          22625           
PassiveID WMI Service                  running          10498
PassiveID Syslog Service               running          11483
PassiveID API Service                  running          12176
PassiveID Agent Service                running          13046
PassiveID Endpoint Service             running          13557
PassiveID SPAN Service                 running          13993
snsbu-c220-ORX/admin#
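
A captured copy of this output can be checked automatically instead of by eye. The parser below is an added example, not part of the Cisco documentation: the sample text is constructed in the same column layout, and the "initializing" and "not running" state strings in it are assumptions made for illustration.

```python
import re

# Constructed sample in the column layout shown above; the two rows that are
# not "running" are invented for illustration.
SAMPLE = """\
ise-server/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          5072
Database Server                        running          90 PROCESSES
Application Server                     initializing
M&T Log Collector                      running          10166
pxGrid Controller                      not running
PassiveID WMI Service                  running          10498
ise-server/admin#
"""

def parse_status(text):
    """Map each process name to its state from 'show application status ise' output."""
    states = {}
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) == {"-"}:   # dashed rule: rows start on the next line
            in_table = True
            continue
        if not in_table or not stripped or stripped.endswith("#"):
            continue                               # header, blank line or trailing CLI prompt
        # Columns are separated by runs of two or more spaces; process names and
        # multi-word states contain single spaces only.
        cols = re.split(r"\s{2,}", stripped)
        if len(cols) >= 2:
            states[cols[0]] = cols[1]
    return states

def not_running(text):
    """Return only the processes whose state is anything other than 'running'."""
    return {name: state for name, state in parse_status(text).items() if state != "running"}

if __name__ == "__main__":
    for name, state in not_running(SAMPLE).items():
        print(f"ATTENTION: {name} is {state}")
```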