Additional Installation Information

Tools used to create a bootable USB device from Installation ISO File

The following table shows the tools to be used to create a bootable USB device from the installation ISO file in different Cisco ISE versions.

Table 1. Tools Used to Create Bootable USB Device

Cisco ISE release    Tool
Cisco ISE 3.4        Rufus for the ise-3.4.0.608.SPA.x86_64.iso file; Rufus, Fedora Media Writer, and balenaEtcher for the ise-3.4.0.608a.SPA.x86_64.iso file
Cisco ISE 3.3        Rufus
Cisco ISE 3.2        Rufus
Cisco ISE 3.1        Fedora LiveUSB-creator for SNS 3500 and SNS 3600 series appliances; Rufus for SNS 3700 series appliances


Note

Cisco ISE 3.1 patch 6 and later and Cisco ISE 3.2 patch 2 and later versions support Cisco SNS 3700 series appliances.

You can download Rufus from this location:

https://rufus.ie/downloads/

You can download Fedora Media Writer from this location:

https://github.com/FedoraQt/MediaWriter/releases/tag/5.0.6

You can download balenaEtcher from this location:

https://github.com/balena-io/etcher/releases/tag/v1.19.21


Create a Bootable USB Device Using Rufus

Before you begin

  • Download the Cisco ISE installation ISO file to the local system.

  • Use a 16 GB or 32 GB USB device.

Procedure


Step 1

Reformat the USB device using FAT16 or FAT32 to free up all the space.

Step 2

Plug in the USB device to the local system and launch Rufus.

Step 3

From the Boot Selection drop-down list, choose Disk or ISO Image.

Step 4

Click Select and choose the Cisco ISE ISO file.

Step 5

From the Partition Scheme drop-down list, choose MBR.

Step 6

From the Target System drop-down list, choose BIOS or UEFI.

Step 7

Click Start.

You can view the status of the bootable USB creation in the progress bar. After the process completes, you can access the contents of the USB drive on your local system.

Step 8

If you are using the ise-3.4.0.608.SPA.x86_64.iso file, complete these steps:

  • Replace the term "cdrom" with "hd:sdb1" in the following files:

    • isolinux/isolinux.cfg or syslinux/syslinux.cfg

    • EFI/BOOT/grub.cfg

  • Open the ks.cfg file and replace the term "cdrom" with "harddrive --partition=/dev/disk/by-label/ADEOS --dir=/".

If you are using the ise-3.4.0.608a.SPA.x86_64.iso file, this step is not required.
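The Step 8 edits, as an added Python example that is not Cisco's own tooling: it applies the substitutions to whichever of the listed files exist under the USB mount point, keeps a .orig copy of each shipped file, and reports any file that still references "cdrom". The mount point path and the .orig backup naming are assumptions of the example.

```python
from pathlib import Path

# Step 8 edits for the ise-3.4.0.608.SPA.x86_64.iso image (the 608a image needs none).
BOOTLOADER_FILES = ("isolinux/isolinux.cfg", "syslinux/syslinux.cfg", "EFI/BOOT/grub.cfg")
BOOTLOADER_REPLACEMENT = "hd:sdb1"
KICKSTART_FILE = "ks.cfg"
KICKSTART_REPLACEMENT = "harddrive --partition=/dev/disk/by-label/ADEOS --dir=/"
STEP8_FILES = BOOTLOADER_FILES + (KICKSTART_FILE,)


def patch_boot_text(relative_path: str, text: str) -> str:
    """Apply the Step 8 substitution that belongs to this file.

    Bootloader configs get "hd:sdb1"; ks.cfg gets the harddrive stanza;
    any other file is returned unchanged.
    """
    if relative_path in BOOTLOADER_FILES:
        return text.replace("cdrom", BOOTLOADER_REPLACEMENT)
    if relative_path == KICKSTART_FILE:
        return text.replace("cdrom", KICKSTART_REPLACEMENT)
    return text


def patch_usb(mount_point: str) -> dict:
    """Patch every Step 8 file present under mount_point (an assumed path).

    Returns {relative_path: number_of_cdrom_references_replaced}. Files that are
    absent (the ISO ships either isolinux or syslinux) or already patched are skipped.
    """
    root = Path(mount_point)
    changed = {}
    for rel in STEP8_FILES:
        path = root / rel
        if not path.is_file():
            continue
        original = path.read_text(encoding="utf-8")
        count = original.count("cdrom")
        if count == 0:
            continue  # nothing to replace, leave the file untouched
        # Keep the shipped file next to the patched one (backup naming is the example's choice).
        path.with_name(path.name + ".orig").write_text(original, encoding="utf-8")
        path.write_text(patch_boot_text(rel, original), encoding="utf-8")
        changed[rel] = count
    return changed


def verify_usb(mount_point: str) -> list:
    """Return the Step 8 files that still mention "cdrom"; an empty list means the edits are complete."""
    root = Path(mount_point)
    return [rel for rel in STEP8_FILES
            if (root / rel).is_file() and "cdrom" in (root / rel).read_text(encoding="utf-8")]


if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else "/media/ise-usb"  # assumed mount point
    print("replaced:", patch_usb(mount))
    leftovers = verify_usb(mount)
    print("still referencing cdrom:", leftovers or "none")
```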

Step 9

Remove the USB device from the local system safely.

Step 10

Plug in the bootable USB device to the Cisco ISE appliance, restart the appliance, and install Cisco ISE by booting from the USB drive.


Create a Bootable USB Device Using Fedora Media Writer

Before you begin

  • Download the Cisco ISE installation ISO file to the local system.

    You must use the ISO file for Cisco ISE Release 3.4:

    ise-3.4.0.608a.SPA.x86_64.iso

  • Download Fedora Media Writer from this location:

    https://github.com/FedoraQt/MediaWriter/releases/tag/5.0.6

  • Use a 16 GB or 32 GB USB device.

  • Reformat the USB device using FAT16 or FAT32 to free up all the space.

Procedure


Step 1

Open the Fedora Media Writer application.

Step 2

In the Select Image Source tab, click Select .iso file, choose the ISO file, and click Next.

Step 3

Plug in the USB device to the local system and launch Fedora Media Writer.

Step 4

Choose the ISO file and click Write.

Wait for the process to complete. This process may take several minutes, depending on the speed of your USB device. When the process finishes, the application displays a notification message.

Step 5

Safely remove the USB device from the local system.

Step 6

Plug the bootable USB device into the Cisco ISE appliance. Restart the appliance. Boot from the USB drive to install Cisco ISE.


Create a Bootable USB Device Using balenaEtcher

Before you begin

  • Download the Cisco Identity Services Engine (ISE) installation ISO file to your local system.

    You must use this ISO file for Cisco ISE Release 3.4:

    ise-3.4.0.608a.SPA.x86_64.iso

  • Download balenaEtcher from this location:

    https://github.com/balena-io/etcher/releases/tag/v1.19.21

  • Use a 16 GB or 32 GB USB device.

  • Reformat your USB device using the FAT16 or FAT32 file system to ensure that all space is available.

Procedure


Step 1

Run the balenaEtcher application.

Step 2

Click Flash from file. Choose the ISO file from your local system.

If a Missing Partition Table message appears, click Continue.

Step 3

Click Select Target. Choose the USB device.

Step 4

Click Flash to start the process.

You will see a notification message when the process is complete.

Step 5

Plug the bootable USB device into the Cisco ISE appliance. Restart the appliance. Boot from the USB drive to install Cisco ISE.


Reimage the Cisco SNS Hardware Appliance

The Cisco SNS hardware appliances do not have built-in DVD drives. Therefore, to reimage a Cisco ISE hardware appliance with Cisco ISE software, use one of these options:


Note

Cisco SNS hardware appliances support the Unified Extensible Firmware Interface (UEFI) secure boot feature. This feature ensures that only a Cisco-signed ISE image can be installed on the SNS hardware appliances, and prevents installation of any unsigned operating system even with physical access to the device. For example, generic operating systems, such as Red Hat Enterprise Linux or Microsoft Windows, cannot boot on this appliance.

  • Use the Cisco Integrated Management Controller (Cisco IMC) interface to map the installation .iso file to the virtual DVD device.

  • Create an install DVD with the installation .iso file. Plug in a USB external DVD drive, then boot the appliance from the DVD drive.

  • Create a bootable USB device using the installation .iso file. Boot the appliance from the USB drive.

VMware Virtual Machine


Note

The VMware form factor instructions provided in this document are also applicable for Cisco Identity Services Engine (ISE) installed on Hyperflex.

Virtual Machine Resource and Performance Checks

Before installing Cisco ISE on a virtual machine, the installer performs hardware integrity checks by comparing the available hardware resources on the virtual machine with the recommended specifications.

During a virtual machine (VM) resource check, the installer verifies the hard disk space, number of CPU cores, CPU clock speed, and RAM allocated to the VM. If the VM resources do not meet the basic evaluation specifications, installation terminates. This check applies only to ISO-based installations.

When you run the Setup program, the installer performs a VM performance check for disk I/O. If disk I/O performance does not meet the recommended specifications, the installer displays a warning, but you can continue with installation.

The VM performance check is done periodically (every hour), and the results are averaged over one day. If the disk I/O performance does not meet the recommended specification, an alarm is generated.

The VM performance check can also be done on demand from the Cisco ISE CLI using the show tech-support command.

You can run VM resource and performance checks outside Cisco ISE installation. Use the Cisco ISE boot menu to perform these tests.

Install Cisco ISE on VMware Virtual Machine Using the ISO File

This section describes how to install Cisco ISE on a VMware virtual machine using the ISO file.

Prerequisites for Configuring a VMware ESXi Server

Review the following configuration prerequisites before you attempt to configure a VMware ESXi server:

  • Remember to log in to the ESXi server as a user with administrative privileges (root user).

  • Cisco ISE is a 64-bit system. Before you install a 64-bit system, ensure that Virtualization Technology (VT) is enabled on the ESXi server.

  • Ensure that you allocate the recommended amount of disk space on the VMware virtual machine.

  • If you have not created a VMware virtual machine file system (VMFS), you must create one to support the Cisco ISE virtual appliance. The VMFS is set for each of the storage volumes configured on the VMware host. For VMFS5, the 1-MB block size supports up to 1.999 TB virtual disk size.

Virtualization Technology Check

If you already have an ESXi server installed, you can check whether Virtualization Technology (VT) is enabled without rebooting the machine. Use the esxcfg-info command to perform this check.


~ # esxcfg-info |grep "HV Support"
|----HV Support............................................3
|----World Command Line.................................grep HV Support

If HV Support has a value of 3, VT is enabled on the ESXi server. You can proceed with the installation.

If HV Support has a value of 2, VT is supported, but not enabled on the ESXi server. Edit the BIOS settings and enable VT on the server.

Enable Virtualization Technology on an ESXi Server

You can reuse the same hardware that hosted a previous version of the Cisco ISE virtual machine. However, you must enable Virtualization Technology (VT) on the ESXi server before installing the latest release.

Procedure

Step 1

Reboot the appliance.

Step 2

Press F2 to enter setup.

Step 3

Choose Advanced > Processor Configuration.

Step 4

Select Intel(R) VT and enable it.

Step 5

Press F10 to save your changes and exit.


Configure VMware Server Interfaces for the Cisco ISE Profiler Service

Configure VMware server interfaces to support the collection of Switch Port Analyzer (SPAN) or mirrored traffic to a dedicated probe interface for the Cisco ISE Profiler Service.

Procedure

Step 1

Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server instance) > VMswitch0 (one of your VMware ESXi server interfaces) > Properties > Security.

Step 2

In the Policy Exceptions pane on the Security tab, check the Promiscuous Mode check box.

Step 3

In the Promiscuous Mode drop-down list, choose Accept and click OK.

Perform these steps on any other VMware ESXi server interface that collects SPAN or mirrored profiler traffic.


Connect to the VMware Server Using the Serial Console

Procedure

Step 1

Power off the specific VMware server (for example, ISE-120).

Step 2

Right-click the VMware server, and choose Edit.

Step 3

Click Add on the Hardware tab.

Step 4

Choose Serial Port and click Next.

Step 5

In the Serial Port Output area, select the Use physical serial port on the host radio button or the Connect via Network radio button and then click Next.

  • If you choose the Connect via Network option, you must open the firewall ports over the ESXi server.

  • If you select Use physical serial port on the host, you must choose the port. There are two options available:

    • /dev/ttyS0 (In the DOS or Windows operating system, this appears as COM1).

    • /dev/ttyS1 (In the DOS or Windows operating system, this appears as COM2).

Step 6

Click Next.

Step 7

Check the appropriate check box in the Device Status area. By default, Connected is selected.

Step 8

Click OK to connect to the VMware server.


Configure a VMware Server

Before you begin

Ensure that you have read the Prerequisites for configuring a VMware Server.

Procedure

Step 1

Log in to the ESXi server.

Step 2

In the VMware vSphere Client, in the left pane, right-click your host container and choose New Virtual Machine.

Step 3

In the Select a Creation Type area, click Create a new virtual machine and click Next.

Step 4

In the Select a Name and Folder area, enter a name for the VMware system, select a location from the displayed list, and click Next.

Tip

Use the hostname that you want to use for your VMware host.

Step 5

In the Select a compute resource area, choose a destination compute resource and click Next.

Step 6

In the Select storage area, choose a datastore that has the recommended amount of space available and click Next.

Step 7

In the Select compatibility area, from the Compatible with drop-down list, choose an ESXi version that is compatible with your Cisco ISE version and click Next.

For information about the ESXi versions compatible with your Cisco ISE release, see "Supported Virtual Environments" in the Release Notes for Cisco Identity Services Engine for your release.

Step 8

In the Select a guest OS area, complete these steps and then click Next:

  1. From the Guest OS Family drop-down list, choose Linux.

  2. From the Guest OS Version drop-down list, choose the supported Red Hat Enterprise Linux (RHEL) version. Cisco ISE Release 3.1 and later use RHEL 8.

Step 9

In the Customize hardware area, in the Virtual Hardware tab, carry out the following configurations and then click Next.

  1. Choose the required values from the CPU and Memory drop-down lists based on the SNS series appliance you use:

    SNS 3600 Series Appliance:

    • Small: 16 vCPU cores, 32 GB

    • Medium: 24 vCPU cores, 96 GB

    • Large: 24 vCPU cores, 256 GB

      The number of vCPU cores is twice the number of physical cores in the equivalent Cisco Secure Network Server 3600 series appliance, because of hyperthreading. For example, for a Small network deployment you must allocate 16 vCPU cores to meet the CPU specification of the SNS 3615, which has 8 CPU cores or 16 threads.

    SNS 3700 Series Appliance:

    • Small: 24 vCPU cores, 32 GB

    • Medium: 40 vCPU cores, 96 GB

    • Large: 40 vCPU cores, 256 GB

      The number of vCPU cores is twice the number of physical cores in the equivalent Cisco Secure Network Server 3700 series appliance, because of hyperthreading. For example, for a Small network deployment you must allocate 24 vCPU cores to meet the CPU specification of the SNS 3715, which has 12 CPU cores or 24 threads.

    SNS 3800 Series Appliance:

    • Small: 32 vCPU cores, 64 GB

    • Medium: 48 vCPU cores, 128 GB

    • Large: 48 vCPU cores, 256 GB

      The number of vCPU cores is twice the number of physical cores in the equivalent Cisco Secure Network Server 3800 series appliance, because of hyperthreading. For example, for a Small network deployment you must allocate 32 vCPU cores to meet the CPU specification of the SNS 3815, which has 16 CPU cores or 48 threads.

    Note

    Reserve vCPU and memory resources equal to the configured vCPU cores and memory allocations. If you do not do this, Cisco ISE performance and stability can be significantly impacted. Click the CPU and Memory collapsible areas and update the reservation fields for each setting.

  2. From the New SCSI Controller drop-down list, choose Paravirtual.

  3. From the New Network and New CD/DVD Drive drop-down lists, choose the required network and ISO files.

Step 10

Choose the NIC driver from the Adapter drop-down list and click Next.

Step 11

Choose Create a new virtual disk and click Next.

Step 12

In the Disk Provisioning dialog box, click the Thick provisioned, eagerly zeroed radio button, and click Next to continue.

Cisco ISE supports both thick and thin provisioning. However, we recommend that you choose thick provisioned, eagerly zeroed for better performance, especially for Monitoring nodes. If you choose thin provisioning, operations such as upgrade, backup and restore, and debug logging that require more disk space might be impacted during initial disk expansion.

Step 13

Clear the Support clustering features such as Fault Tolerance check box.

Step 14

In the Ready to complete area, verify the configuration details, such as name, guest OS, CPUs, memory, and disk size of the newly created VMware system.

Step 15

Click Finish.

The VMware system is now installed.


What to do next

To activate the newly created VMware system, right-click the VM in the left pane of your VMware client user interface and choose Power > Power On.

Increase Virtual Machine Power-On Boot Delay Configuration

On a VMware virtual machine, the boot delay is set to 0 by default. You can change the boot delay to make it easier to choose boot options, such as when resetting the Administrator password.

Procedure

Step 1

From the vSphere client, right-click the virtual machine and choose Edit Settings.

Step 2

Click the Options tab.

Step 3

Choose Advanced > Boot Options.

Step 4

From the Power on Boot Delay area, select the time in milliseconds to delay the boot operation.

Step 5

Select the check box in the Force BIOS Setup area to enter into the BIOS setup screen when the VM boots the next time.

Step 6

Click OK to save your changes.


Install Cisco ISE Software on a VMware System

Before you begin

  • After installation, if you do not install a permanent license, Cisco ISE automatically installs a 90-day evaluation license that supports a maximum of 100 endpoints.

  • Download the Cisco ISE software from the Cisco Software Download Site at http://www.cisco.com/en/US/products/ps11640/index.html. Then burn the software onto a DVD. You must provide your Cisco.com site credentials.

  • (Optional; applicable only if you are installing Cisco ISE on VMware Cloud) The process of installing Cisco ISE on VMware Cloud is identical to the process for installing Cisco ISE on a VMware virtual machine.

    • Cisco ISE virtual machine deployed on VMware cloud in Amazon Web Services (AWS): Cisco ISE can be hosted on software-defined data center (SDDC) provided by VMware Cloud on AWS. Ensure that appropriate security group policies are configured on VMware Cloud (under Networking and Security > Security > Gateway Firewall Settings) to enable access to the on-premises deployment, required devices, and services.

    • Cisco ISE virtual machine deployed on Azure VMware Solution (AVS): AVS runs VMware workloads natively on Microsoft Azure, where Cisco ISE can be hosted as a VMware virtual machine.

Procedure

Step 1

Log in to the VMware client.

Step 2

For the VM to enter the BIOS setup mode, right-click the VM and select Edit Settings.

Step 3

Click the Options tab.

Step 4

Click Boot Options, and in the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots.

Note

You must change the firmware from BIOS to EFI in the boot mode of the VM settings to boot GPT partitions with a capacity of 2 TB or more.

If you selected RHEL 8 as the guest OS and EFI boot mode, disable the Enable UEFI Secure Boot option. This option is enabled by default for RHEL 8 guest VMs.

Step 5

Click OK.

Step 6

Set the Coordinated Universal Time (UTC) and the correct boot order in BIOS.

  1. If the VM is turned on, turn the system off.

  2. Turn on the VM.

    The system enters BIOS setup mode.

  3. In the Main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.

  4. Enter the UTC/Greenwich Mean Time (GMT) time zone.

    This time zone setting ensures that the reports, logs, and posture-agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.

  5. Using the arrow keys, navigate to the Boot menu and press Enter.

  6. Using the arrow keys, select CD-ROM drive and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes.

  8. Choose Yes to save the changes and exit.

Step 7

Insert the Cisco ISE software DVD into the VMware ESXi host CD/DVD drive and turn on the virtual machine.

When the DVD boots, the console shows:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Step 8

Use the arrow keys to select Cisco ISE Installation (Serial Console) or Cisco ISE Installation (Keyboard/Monitor) and press Enter. If you choose the serial console option, you should have a serial console set up on your virtual machine. See the VMware vSphere Documentation for information on how to create a console.

The installer starts the installation of the Cisco ISE software on the VMware system. Allow 20 minutes for the installation process to complete. When the installation process finishes, the virtual machine reboots automatically. When the VM reboots, the console displays:

Type 'setup' to configure your appliance
localhost:

Step 9

At the system prompt, type setup and press Enter.

The Setup Wizard appears and guides you through the initial configuration.

VMware Tools Installation Verification

Verify VMWare Tools Installation Using the Summary Tab in the vSphere Client

Go to the Summary tab of the specified VMware host in the vSphere Client. Verify that the VMware Tools field displays "OK".

Figure 1. Verifying VMware Tools in the vSphere Client

Verify VMware Tools Installation Using the CLI

To check whether VMware Tools are installed, run the show inventory command. The output displays NIC driver information. If VMware Tools are installed, you see "VMware Virtual Ethernet driver" in the Driver Description field.

NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9       , VID: A0  , SN: FCH184X9XXX
Total RAM Memory: 65700380 kB
CPU Core Count: 16
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 1: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 2: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 3: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 4: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 5: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 6: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 7: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 8: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 9: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 10: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 11: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 12: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 13: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 14: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 15: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /xxx/abc
Disk 0: Capacity: 1198.00 GB
NIC Count: 6
NIC 0: Device Name: eth0:
NIC 0: HW Address: xx:xx:xx:xx:xx:xx
NIC 0: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 1: Device Name: eth1:
NIC 1: HW Address: xx:xx:xx:xx:xx:xx
NIC 1: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 2: Device Name: eth2:
NIC 2: HW Address: xx:xx:xx:xx:xx:xx
NIC 2: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 3: Device Name: eth3:
NIC 3: HW Address: xx:xx:xx:xx:xx:xx
NIC 3: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 4: Device Name: eth4:
NIC 4: HW Address: xx:xx:xx:xx:xx:xx
NIC 4: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 5: Device Name: eth5:
NIC 5: HW Address: xx:xx:xx:xx:xx:xx
NIC 5: Driver Descr: Intel(R) Gigabit Ethernet Network Driver

(*) Hard Disk Count may be Logical.

Support for Upgrading VMware Tools

The ISE ISO image contains the supported VMware Tools. You cannot upgrade VMware Tools using the VMware client user interface. To use a newer version of VMware Tools, upgrade ISE to a newer version.

Clone a Cisco ISE Virtual Machine

You can clone a Cisco ISE VMware virtual machine (VM) to create an exact replica of a Cisco ISE node. For example, in a distributed deployment with multiple Policy Service nodes (PSNs), VM cloning helps you deploy the PSNs quickly and effectively. You do not have to install and configure the PSNs individually.

You can also clone a Cisco ISE VM using a template.


Note

For cloning, you need VMware vCenter. Cloning must be done before you run the Setup program.

Before you begin

  • Shut down the Cisco ISE VM that you plan to clone. In the vSphere client, right-click the Cisco ISE VM and choose Power > Shut Down Guest.

  • Change the IP address and hostname of the cloned machine before powering it on and connecting it to the network.

Procedure


Step 1

Log in to the ESXi server as a user with administrative privileges (root user).

VMware vCenter is required to perform this step.

Step 2

Right-click the Cisco ISE VM you want to clone, and click Clone.

Step 3

In the Name and Location dialog box, enter a name for the new machine and click Next.

This is not the hostname of the new Cisco ISE VM that you are creating, but a descriptive name for your reference.

Step 4

Select a host or cluster to run the new Cisco ISE VM, and click Next.

Step 5

Select a datastore for the new Cisco ISE VM and click Next.

The datastore may be the local option on the ESXi server, or remote storage. Ensure the datastore has sufficient disk space.

Step 6

In the Disk Format dialog box, select the Same format as source radio button, and click Next.

This option copies the format used in the Cisco ISE VM that you are cloning.

Step 7

In the Guest Customization dialog box, select the Do not customize radio button, then click Next.

Step 8

Click Finish.


What to do next

  • Changing the IP Address and Hostname of a Cloned Virtual Machine

  • Connecting a Cloned Cisco Virtual Machine to the Network

Clone a Cisco ISE Virtual Machine Using a Template

If you use vCenter, you can use a VMware template to clone a Cisco ISE virtual machine (VM). You can create a template by cloning a Cisco ISE node, then use the template to create multiple Cisco ISE nodes. Cloning a virtual machine using a template involves two steps.

Before you begin

Note

For cloning, you need VMware vCenter. Cloning must be done before you run the Setup program.

Procedure

Step 1

Create a Virtual Machine Template

Step 2

Deploy a Virtual Machine Template


Create a Virtual Machine Template

Before you begin

  • Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.

  • We recommend that you create a template from a Cisco ISE VM that you have just installed and not run the setup program on. You can then run the setup program on each of the individual Cisco ISE nodes that you have created and configure IP address and hostnames individually.

Procedure

Step 1

Log in to the ESXi server as a user with administrative privileges (root user).

VMware vCenter is required to perform this step.

Step 2

Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template.

Step 3

Enter a name for the template, choose a location to save the template in the Name and Location dialog box, and click Next.

Step 4

Choose the ESXi host that you want to store the template on and click Next.

Step 5

Choose the datastore that you want to use to store the template and click Next.

Ensure that this datastore has the required amount of disk space.

Step 6

Click the Same format as source radio button in the Disk Format dialog box and click Next.

The Ready to Complete dialog box appears.

Step 7

Click Finish.


Deploy a Virtual Machine Template

After you create a virtual machine template, deploy it on other virtual machines (VMs).

Procedure

Step 1

Right-click the ISE VM template that you have created and choose Deploy Virtual Machine from this template.

Step 2

Enter a name for the new Cisco ISE node. Choose a location for the node in the Name and Location dialog box, and click Next.

Step 3

Choose the ESXi host on which you want to store the new Cisco ISE node and click Next.

Step 4

Choose the datastore that you want to use for the new Cisco ISE node and click Next.

Verify that the datastore has enough disk space.

Step 5

Click the Same format as source radio button in the Disk Format dialog box and click Next.

Step 6

Click the Do not customize radio button in the Guest Customization dialog box.

The Ready to Complete dialog box is displayed.

Step 7

Check the Edit Virtual Hardware check box and click Continue.

The Virtual Machine Properties page is displayed.

Step 8

Choose Network adapter, uncheck the Connected and Connect at power on check boxes, and click OK.

Step 9

Click Finish.

Power on the Cisco ISE node, configure its IP address and hostname, and connect it to the network.


What to do next

Change the IP Address and Hostname of a Cloned Virtual Machine

After cloning a Cisco ISE virtual machine (VM), power it on and change its IP address and hostname.

Before you begin

  • Make sure your Cisco ISE node is in the standalone state.

  • Before you power on the newly cloned Cisco ISE VM, make sure its network adapter is not connected. Uncheck the Connected and Connect at power on check boxes. This prevents the node from using the same IP address as the original source machine.

    Figure 2. Disconnecting the Network Adapter

  • Before powering on the newly cloned VM, prepare the IP address and hostname you want to assign. Add this IP address and hostname in the DNS server. Do not use "localhost" as a hostname.

  • Obtain certificates for the Cisco ISE nodes using the new IP address or hostname.

Procedure

Step 1

Right-click the newly cloned Cisco ISE VM and choose Power > Power On.

Step 2

Select the newly cloned Cisco ISE VM and click the Console tab.

Step 3

Enter the following commands on the Cisco ISE CLI:

configure terminal
hostname hostname

Enter the new hostname you want to configure. Cisco ISE services restart after this step.

Step 4

Enter the following commands:

interface gigabit 0
ip address ip_address netmask

Assign an IP address that matches the hostname you entered. Enter the appropriate netmask for this IP address. After you finish, Cisco ISE prompts you to restart services. For details on the ip address and hostname commands, refer to the Cisco Identity Services Engine CLI Reference Guide.

Step 5

Enter Y to restart Cisco ISE services.


Connect a Cloned Cisco VM to the Network

After you power on the system and change the IP address and hostname, connect the Cisco ISE node to the network.

Procedure

Step 1

Right-click the newly cloned Cisco ISE virtual machine (VM) and click Edit Settings.

Step 2

Click Network adapter in the Virtual Machine Properties dialog box.

Step 3

In the Device Status area, check the Connected and Connect at power on check boxes.

Step 4

Click OK.


Migrate Cisco ISE VM from Evaluation to Production

After evaluating the Cisco ISE release, you can migrate the system from an evaluation environment to a fully licensed production environment.

Before you begin

  • When you move the VMware server to a production environment that supports a larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum disk size or higher (up to the allowed maximum of 2.4 TB).

  • You cannot migrate data to a production VM from a VM created with less than 300 GB of disk space. Data can be migrated to a production environment only from VMs created with 300 GB or more of disk space.

Procedure


Step 1

Back up the configuration of the evaluation version.

Step 2

Ensure that your production VM has the required amount of disk space.

Step 3

Install a production deployment license.

Step 4

Restore the configuration to the production system.


Check Virtual Machine Performance On-Demand

You can run the show tech-support command from the CLI to check VM performance at any time. The output of this command is similar to this example:

ise-vm123/admin# show tech | begin "disk IO perf"
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 48 MB/second 
Average I/O bandwidth reading from disk device: 193 MB/second 
WARNING: VM I/O PERFORMANCE TESTS FAILED!
WARNING: The bandwidth writing to disk must be at least 50 MB/second,
WARNING: and bandwidth reading from disk must be at least 300 MB/second.
WARNING: This VM should not be used for production use until disk 
WARNING: performance issue is addressed. 
Disk I/O bandwidth filesystem test, writing 300 MB to /opt: 
314572800 bytes (315 MB) copied, 7.81502 s, 40.3 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt: 
314572800 bytes (315 MB) copied, 0.416897 s, 755 MB/s

Virtual Machine Resource Check from the Cisco ISE Boot Menu

You can check virtual machine resources from the boot menu without installing Cisco ISE.

The CLI transcript appears in this example:


  Cisco ISE Installation (Serial Console)
  Cisco ISE Installation (Keyboard/Monitor)
  System Utilities (Serial Console)
  System Utilities (Keyboard/Monitor)

Use the arrow keys to select System Utilities (Serial Console) or System Utilities (Keyboard/Monitor) and press Enter. The screen appears:



Available System Utilities:

  [1] Recover administrator password
  [2] Virtual Machine Resource Check
  [3] Perform System Erase
  [q] Quit and reload

Enter option [1 - 3] q to Quit

Enter 2 to check for VM resources. The output will resemble this example:

*****
***** Virtual Machine host detected…
***** Hard disk(s) total size detected: 600 Gigabyte
***** Physical RAM size detected: 16267516 Kbytes
***** Number of network interfaces detected: 6
***** Number of CPU cores: 12
***** CPU Mhz: 2300.00
***** Verifying CPU requirement…
***** Verifying RAM requirement…
***** Writing disk partition table…

Linux KVM

KVM Virtualization Check

Your host processor must support KVM virtualization. For Intel, check for VT-x. For AMD, check for AMD-V. Open a terminal window on your host and run the cat /proc/cpuinfo command. You should see either the "vmx" flag or the "svm" flag displayed in the command output.

  • For Intel VT-x:
    # cat /proc/cpuinfo
    flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx
    pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor
    ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm arat epb xsaveopt
    pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
  • For AMD-V:
    # cat /proc/cpuinfo
    flags: fpu tsc msr pae mce cx8 apic mtrr mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow
     pni cx16 lahf_lm cmp_legacy svm cr8_legacy
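A scripted form of this check, added here as an example and not taken from the Cisco guide: it parses the flags line the same way, then goes one step further and confirms that the matching KVM module is loaded and /dev/kvm is usable, because a CPU that advertises vmx or svm still cannot host KVM guests while virtualization is disabled in the firmware. The cpuinfo excerpts at the end are constructed, abridged samples; the module and device paths are the standard Linux ones.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): turn the manual "look for vmx or svm
# in /proc/cpuinfo" check into a script that also verifies the host can hand the
# extension to KVM (module loaded, /dev/kvm writable).

# Print the virtualization flag found in a cpuinfo file (default /proc/cpuinfo):
# "vmx" for Intel VT-x, "svm" for AMD-V, "none" (exit 1) if neither is present.
kvm_ext_from_cpuinfo() {
    cpuinfo="${1:-/proc/cpuinfo}"
    # Every core reports the same flag set, so the first "flags" line is enough.
    # (Newer kernels also emit a "vmx flags" line; it does not start with "flags".)
    flags=$(awk -F: '/^flags/ { print $2; exit }' "$cpuinfo")
    case " $flags " in
        *" vmx "*) echo vmx; return 0 ;;
        *" svm "*) echo svm; return 0 ;;
        *)         echo none; return 1 ;;
    esac
}

# Map the CPU flag to the kernel module KVM needs for it.
kvm_module_for() {
    case "$1" in
        vmx) echo kvm_intel ;;
        svm) echo kvm_amd ;;
        *)   echo none; return 1 ;;
    esac
}

# Full host check: flag present, module loaded, /dev/kvm usable by this user.
kvm_host_ready() {
    ext=$(kvm_ext_from_cpuinfo "$1") || { echo "no VT-x/AMD-V flag in CPU flags"; return 1; }
    mod=$(kvm_module_for "$ext")
    [ -d "/sys/module/$mod" ] || {
        echo "$ext present but $mod is not loaded (virtualization disabled in BIOS/UEFI?)"
        return 1
    }
    [ -w /dev/kvm ] || { echo "/dev/kvm missing or not writable by $(id -un)"; return 1; }
    echo "KVM ready: $ext via $mod"
}

# Constructed cpuinfo excerpts (abridged flag lists) to exercise the parser offline.
sample=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae vmx smx ept vpid\n' > "$sample"
echo "Intel sample: $(kvm_ext_from_cpuinfo "$sample")"
printf 'processor\t: 0\nflags\t\t: fpu tsc msr pae mce cx8 svm cr8_legacy\n' > "$sample"
echo "AMD sample:   $(kvm_ext_from_cpuinfo "$sample")"
rm -f "$sample"

# Real host check; only meaningful on Linux, so it is skipped quietly elsewhere.
if [ -r /proc/cpuinfo ]; then
    kvm_host_ready /proc/cpuinfo || :
fi
```

Run it on the KVM host before creating the VM; a "none" result, or a present flag with no kvm_intel/kvm_amd module, means the virt-install below will fall back to software emulation or fail.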

Install Cisco ISE on KVM

This procedure explains how to create a KVM on RHEL and install Cisco ISE on it using the Virtual Machine Manager (virt-manager).

If you choose to install Cisco ISE through the CLI instead, enter a command similar to this one (shown on several lines for readability):

# virt-install --name=kvm-ise1 --arch=x86_64 --cpu=host --vcpus=2 --ram=4096 \
  --os-type=linux --os-variant=rhel6 --hvm --virt-type=kvm \
  --cdrom=/home/admin/Desktop/ise-3.x.0.x.SPA.x86_64.iso \
  --disk=/home/libvirt-images/kvm-ise1.img,size=300 \
  --network type=direct,model=virtio,source=eth2,source_mode=bridge

where ise-3.x.0.x.SPA.x86_64.iso stands for the name of the Cisco ISE ISO image that you downloaded, and eth2 is the host interface to which the VM is bridged.

Before you begin

Download the Cisco ISE ISO image to your local system.

Procedure


Step 1

From the Virtual Machine Manager window, click File and navigate to New Virtual Machine. In the Create a new virtual machine dialog box, complete these actions:

  1. Click Local install media (ISO media or CDROM) and click Forward.

  2. Uncheck the Automatically detect from the installation media/source check box.

  3. Choose Red Hat Enterprise Linux 8.2 from the OS drop-down list.

  4. Click Browse and choose the disk file system directory from the storage pools navigation pane.

  5. Click Browse Local and select the ISO image from your local system and click Open.

  6. Click Forward.

  7. Choose the Memory and CPU settings and click Forward.

  8. Check the Enable storage for the virtual machine check box.

  9. Click Select or create custom storage.

  10. Click Manage. In the Choose Storage Volume dialog box, complete these actions:
    1. Click + icon next to Volumes.

    2. Choose qcow2 from the Format drop-down list.

    3. Enter the Max Capacity as 200 GB.

    4. Click Finish.

  11. Choose the volume that you created and click Choose Volume.

  12. Click Forward.

  13. Check the Customize configuration before install check box and click Finish.

The installation screen appears.

Step 2

Click the NIC entry (for example, NIC:61:25:78) in the left navigation menu. On the Details tab, perform these actions:

  1. Choose Host device eno1:macvtap as the Network source.

  2. Choose Bridge as the Source mode.

  3. Choose virtio as the Device model.

  4. Click Apply.

Step 3

Click Overview in the left navigation menu. On the Details tab, perform these actions:

  1. Choose the required firmware from the Firmware drop-down list.

  2. Click Apply.

Step 4

Click Begin Installation to install Cisco ISE on KVM.

The Cisco ISE installation boot menu appears.

Step 5

At the system prompt, enter 1 to continue with the installation.

Step 6

At the system prompt, type setup and press Enter.

The Setup Wizard appears and guides you through the initial configuration.


Note


When you install Cisco ISE on Ubuntu Linux KVM, you must add the following elements to the VM definition XML (as siblings of the vcpu element, directly under the domain element). Otherwise, the serial number is not displayed correctly in the About ISE and Server window. Note that the element name is the lowercase os; a VM definition already contains an os element, so add the smbios line to the existing one rather than creating a second os element:

<sysinfo type="smbios">
  <system>
    <entry name="product">KVM</entry>
  </system>
  <baseBoard>
    <entry name="product">KVM</entry>
  </baseBoard>
</sysinfo>
<os>
  <type arch="x86_64" machine="pc-q35-6.2">hvm</type>
  <boot dev="hd"/>
  <smbios mode="sysinfo"/>
</os>
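Editing a live domain definition by hand is error prone (a second os element, or a sysinfo block without the matching smbios mode, is silently ignored). The following script, added here as an example and not part of the Cisco guide or libvirt, applies the change above to an existing definition idempotently. It assumes the usual virsh workflow (virsh dumpxml to export, virsh define to re-import); the domain name and the sample definition are constructed placeholders.

```python
"""Added example (not Cisco's or libvirt's code): patch a libvirt domain definition
so the SMBIOS product strings read "KVM", as the note above requires for Cisco ISE
on Ubuntu KVM.

Assumed workflow (standard virsh commands; the domain name is a placeholder):
    virsh dumpxml ise-vm > ise-vm.xml
    python3 patch_smbios.py ise-vm.xml > ise-vm.patched.xml
    virsh define ise-vm.patched.xml
"""
import sys
import xml.etree.ElementTree as ET

SMBIOS_PRODUCT = "KVM"


def patch_domain_xml(domain_xml: str) -> str:
    """Return domain_xml with <sysinfo type="smbios"> and <os><smbios mode="sysinfo"/>
    inserted or updated. Idempotent: patching the output again yields the same text."""
    root = ET.fromstring(domain_xml)
    if root.tag != "domain":
        raise ValueError("not a libvirt <domain> definition")

    # <sysinfo> is a direct child of <domain>; reuse an existing smbios block if present.
    sysinfo = root.find("sysinfo[@type='smbios']")
    if sysinfo is None:
        sysinfo = ET.SubElement(root, "sysinfo", {"type": "smbios"})
    for section in ("system", "baseBoard"):
        node = sysinfo.find(section)
        if node is None:
            node = ET.SubElement(sysinfo, section)
        entry = node.find("entry[@name='product']")
        if entry is None:
            entry = ET.SubElement(node, "entry", {"name": "product"})
        entry.text = SMBIOS_PRODUCT

    # The guest only sees the sysinfo block when <os> carries <smbios mode="sysinfo"/>.
    # Never invent an <os> element: its machine type must come from the real definition.
    os_node = root.find("os")
    if os_node is None:
        raise ValueError("<os> element missing; refusing to guess the machine type")
    smbios = os_node.find("smbios")
    if smbios is None:
        smbios = ET.SubElement(os_node, "smbios")
    smbios.set("mode", "sysinfo")

    return ET.tostring(root, encoding="unicode")


def smbios_product_strings(domain_xml: str) -> dict:
    """Report what the guest will see: {'system': ..., 'baseBoard': ..., 'mode': ...}."""
    root = ET.fromstring(domain_xml)
    out = {}
    for section in ("system", "baseBoard"):
        entry = root.find(f"sysinfo[@type='smbios']/{section}/entry[@name='product']")
        out[section] = entry.text if entry is not None else None
    smbios = root.find("os/smbios")
    out["mode"] = smbios.get("mode") if smbios is not None else None
    return out


# Constructed minimal definition for a stand-alone run (not a real virsh dump).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>ise-kvm-example</name>
  <memory unit='GiB'>16</memory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-q35-6.2'>hvm</type>
    <boot dev='hd'/>
  </os>
</domain>
"""

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DOMAIN_XML
    sys.stdout.write(patch_domain_xml(source))
```

After virsh define, smbios_product_strings() on a fresh virsh dumpxml output is a quick way to confirm both halves of the change survived, before you check the About ISE and Server window in the GUI.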

Microsoft Hyper-V

Create a Cisco ISE Virtual Machine on Hyper-V

This section explains how to create a new virtual machine, map the ISO image, edit CPU settings, and install Cisco ISE on Hyper-V.


Note


Cisco ISE does not support Multipath I/O (MPIO). If you use MPIO for the VM, installation will fail.


Before you begin

Download the Cisco ISE ISO image from cisco.com to your computer.

Procedure


Step 1

Launch Hyper-V Manager on a supported Windows server.

Figure 3. Hyper-V Manager Console
This image shows the Hyper-V Manager Console.

Step 2

Right-click the VM host and click New > Virtual Machine.

Figure 4. Create New Virtual Machine
This image shows how to create a VM.

Step 3

Click Next to customize the VM configuration.

Figure 5. New Virtual Machine Wizard
This image shows the New Virtual Machine Wizard.

Step 4

Enter a name for the VM and, if you want to store the VM somewhere other than the default location, choose a different path. Click Next.

Figure 6. Specify Name and Location
Specify name and location for the virtual machine.

Step 5

Click the Generation 1 radio button and click Next.

If you create a Generation 2 Cisco ISE VM, disable the Secure Boot option in the VM settings.

Figure 7. Specify Generation
Choose the generation for the virtual machine.

Step 6

Allocate memory to the VM, for example, 16,000 MB. Click Next.

Figure 8. Assign Memory
Assign memory for the virtual machine.

Step 7

Select your network adapter and click Next.

Figure 9. Configure Networking
Configure networking for the virtual machine.

Step 8

Click the Create a virtual hard disk radio button and click Next.

Figure 10. Connect Virtual Hard Disk

Step 9

Click the Install an operating system from a bootable CD/DVD-ROM radio button.

  1. In the Media area, click the Image file (.iso) radio button.

  2. Click Browse to select the ISE ISO image from the local system and click Next.

Figure 11. Installation Options

Step 10

Click Finish.

Figure 12. Complete the New Virtual Machine Wizard

You have created the Cisco ISE VM on Hyper-V.

Figure 13. New Virtual Machine created
New Virtual Machine created.

Step 11

Select the VM and edit the VM settings.

  1. Select Processor. Enter the number of virtual processors (such as 6). Click OK.

    Figure 14. Edit VM Settings
    Edit virtual machine settings.

Step 12

Select the VM and click Connect to launch the VM console. Click Start to power on the Cisco ISE VM.

Figure 15. Start the Cisco ISE VM
Start the virtual machine.

The Cisco ISE installation menu appears.

Figure 16. Cisco ISE installation menu
Virtual Machine installation menu.

Step 13

Enter 1 to install Cisco ISE using a keyboard and monitor.


Zero Touch Provisioning

Use Zero Touch Provisioning (ZTP) to automate Cisco ISE installation, patches, hot patches, and infrastructure service enablement without manual steps.

ZTP is available starting with Cisco ISE Release 3.1. There are two options available in ZTP:

  • Mapping an .img file: Use this method for automatic installation on virtual machines (VMs), appliances, and OVA deployments. Configure the required parameters: hostname, IP address, netmask, default gateway, DNS domain, primary name server, NTP server, system timezone, SSH, username, and password. Optionally, configure IPv6, patch, hot patch, services, and repository details. See the ZTP Configuration Image File for more information.


    Note


    For ZTP on Microsoft Hyper-V, use an .iso file and create a Generation 2 VM. Do not use an .img file.


  • VM User Data: With this method, set these mandatory parameters: hostname, IP address, IP netmask, IP default gateway, DNS domain, primary name server, NTP server, system timezone, SSH, username, and password. For more information, see VM User Data.


Note


  • Enable the serial console for both the VM and appliance to track installation progress during ZTP.

  • Ensure you have a ZTP Configuration Image File.


Provisioning Cisco ISE with ZTP makes these security features available:


Note


Use TFTP, HTTP, HTTPS, or NFS repositories to install hot patches and patches on Cisco ISE with ZTP. Repositories created during ZTP are not visible or accessible from the Cisco ISE GUI. You can use only repositories with anonymous access (no username or password) during ZTP.


Configure Public Key Authentication

Users can be authenticated using public key authentication when you add the public key to the ZTP configuration file. Enabling public key authentication disables password-based user authentication. You can disable public key authentication at any time.

To switch back to password-based authentication, use this command in the Cisco ISE CLI:
conf t
no service sshd PubkeyAuthentication
For more details about this command, refer to the 'Service' section in the chapter 'Cisco ISE CLI Commands in Configuration Mode' of the Cisco Identity Services Engine CLI Reference Guide for your Cisco ISE release.

Note


Do not execute the command service sshd PubkeyAuthentication unless you included the public key in the ZTP configuration image file before installation. The command disables password-based authentication, so you can then log in only with the matching private key. If you lock yourself out, log in to Cisco ISE through the console port and revert the configuration with no service sshd PubkeyAuthentication.


Procedure


Step 1

Generate an RSA public and private key pair using a third-party application (for example, ssh-keygen on the workstation from which you will connect).

Step 2

Include the public key that is generated in the ZTP configuration image file.

Step 3

Install Cisco ISE using ZTP.

Step 4

Log in to the CLI of Cisco ISE using the private key that is generated, using the following command:

ssh -i <path to private key> <username>@<ise-ip>

You can now successfully log in to the CLI of Cisco ISE using your private key.
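Because the key line goes into the configuration image before installation, and a key that is present but unusable leaves only the console as a way in, it is worth validating the .pub line before you build the image. The following validator is an added example, not code from the Cisco guide: it decodes the OpenSSH public key wire format behind the ssh-rsa prefix and checks the key type, exponent and modulus length. The 2048-bit floor (MIN_RSA_BITS) and the ssh-keygen invocation in the docstring are this example's choices, not values taken from the guide.

```python
"""Added example (not part of the Cisco guide): check an OpenSSH public key line
before you embed it in the ZTP configuration image.

ZTP disables password login as soon as a key is present, so a malformed or weak
key line leaves SSH unusable until you reach the console. The validator decodes
the RFC 4253 wire format behind the "ssh-rsa" prefix and checks that the key type
matches, the exponent is sane and the modulus is long enough. MIN_RSA_BITS is this
example's policy, not a value from the guide.

Typical use (ssh-keygen is the standard OpenSSH tool):
    ssh-keygen -t rsa -b 4096 -f ise_ztp_key
    python3 check_ztp_key.py ise_ztp_key.pub
"""
import base64
import struct
import sys

MIN_RSA_BITS = 2048  # assumption: local policy, not a Cisco ISE requirement


def _read_string(buf: bytes, pos: int):
    """Read one RFC 4253 'string' (uint32 length + bytes) starting at pos."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos:pos + length], pos + length


def _mpint(value: int) -> bytes:
    """Encode a positive integer as an RFC 4253 mpint (big-endian, 0x00 prefix if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def encode_rsa_public_key(e: int, n: int, comment: str = "") -> str:
    """Build the authorized_keys-style line that ssh-keygen writes to id_rsa.pub."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def validate_rsa_public_key(line: str) -> dict:
    """Parse one public key line; raise ValueError for anything the ZTP flow cannot use."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    if key_type != "ssh-rsa":
        raise ValueError(f"unsupported key type {key_type!r}; the guide calls for an RSA key")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    blob_type, pos = _read_string(blob, 0)
    if blob_type != b"ssh-rsa":
        raise ValueError("blob type does not match the 'ssh-rsa' prefix")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the modulus")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    if e < 3 or e % 2 == 0:
        raise ValueError(f"implausible public exponent {e}")
    if n.bit_length() < MIN_RSA_BITS:
        raise ValueError(f"modulus is {n.bit_length()} bits; policy requires at least {MIN_RSA_BITS}")
    return {"type": key_type, "bits": n.bit_length(), "e": e, "comment": " ".join(fields[2:])}


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for raw in fh:
                if raw.strip():
                    print(path, validate_rsa_public_key(raw))
```

The encoder is included so the parser can be exercised without a real key: every ssh-rsa key with the usual exponent 65537 begins with the base64 prefix AAAAB3NzaC1yc2EAAAADAQAB, which is a handy eyeball check on the line you paste into the image.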

First Login Password Change

After successfully installing Cisco ISE using ZTP, you are prompted to reset the password the first time you log in to the Cisco ISE GUI. The password must be changed because it is specified in plain text in the ZTP configuration image file. By default, this feature is enabled when you install Cisco ISE using ZTP.

Automatic Installation in Virtual Machine

These subsections provide information about automatic installation in the VM.

These settings are applicable for all on-prem hypervisors:

  • VMware

  • Linux KVM

  • Microsoft Hyper-V

  • Nutanix AHV

Automatic Installation in Virtual Machine Using the ZTP Configuration Image File

Procedure

Step 1

Log in to the VMware client.

Note

 

If you already have an existing VM setup, proceed to Step 2 and continue to Step 6. For a new VM setup, go directly to Step 8.

Step 2

To enter BIOS setup mode, right-click the VM and select Edit Settings.

Step 3

Click the Options tab.

Step 4

Click Boot Options.

Step 5

In the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots.

Note

 

You must change the firmware from BIOS to EFI in the VM boot mode settings. This allows you to boot GPT partitions with 2 TB or greater capacity.

Step 6

Click OK.

Step 7

Ensure that the time zone and the correct boot order are set in BIOS or EFI:

  1. If the VM is turned on, turn the system off.

  2. Turn on the VM.

    The system enters the BIOS setup mode.

  3. In the main BIOS menu, use the arrow keys to go to the Date and Time field and press Enter.

  4. Enter the time zone.

    This time zone setting ensures your reports, logs, and posture-agent log files from all nodes stay synchronized by timestamp.

  5. Using the arrow keys, navigate to the boot menu and press Enter.

  6. Using the arrow keys, select the CD-ROM drive and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes. (Press the Enter or Return key to select your choice).

  8. Choose Yes to save the changes and exit.

Step 8

Insert the Cisco ISE software DVD into the primary CD or DVD drive on the VMware ESXi host.

Step 9

Insert the ZTP configuration image file into a secondary CD or DVD drive.

Step 10

Power on the VM.

When the DVD starts, the console displays this message:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Note

 

From Cisco ISE 3.1 onwards, pressing Enter without choosing a boot option triggers ZTP instead of starting the installation from the hard disk.

Step 11

After 150 seconds, the boot process automatically starts if your system meets the prerequisites.

Note

 
  • Monitor installation logs through the serial console while ZTP is running. When the setup prompt appears, you can monitor logs from the VM console.

  • After the Cisco ISE services are started, you must manually unmount the ZTP configuration image file from the CD or DVD.

To use ZTP only from the setup prompt onward (ZTP is driven from the keyboard until the setup prompt appears), complete these steps:

1. Install Cisco ISE manually up to the setup prompt (using boot option 1 or 2) and create the ZTP configuration image file by following the steps in this procedure.

2. Power off the VM and map the ZTP configuration image file to the CD or DVD drive.

3. Power on the VM.

The installation process takes the setup details from the ZTP configuration file that is mapped to the CD or DVD drive.


Troubleshooting

Issue: If the automatic installation in the VM is triggered without mapping the .img file, the installation fails after 150 seconds with this message:


***** The ZTP configuration image is missing or improper. Automatic installation flow
 exited.
***** Power off and attach the proper ZTP configuration image or choose manual boot to
 proceed.

Solution: This error message is displayed only on the serial console and not on the VM console. If this happens on an existing VM where Cisco ISE is already installed, the hard disk is not formatted in this state, and you can recover the existing VM:

1. Power off the VM.

2. Power on the VM.

3. Within 150 seconds, enter boot option 5 to boot from the hard disk and load the existing installation.

Issue: If the setup details are invalid in the configuration file, ZTP installation is stopped and the following message is displayed on the VM Console:
==============================================================================

Cisco ISE Installation Failed

==============================================================================

Error: Sync with NTP server failed.

Check the setup details in your configuration image and reboot Cisco ISE

with proper ZTP configuration.

==============================================================================

Solution:

1. Create a new configuration .img file with valid details.

2. Power off the VM.

3. Map the new valid image to the CD or DVD drive.

4. Power on the VM.

Installation begins from the setup.

Automatic Installation in Virtual Machine using VM User Data

Procedure

Step 1

Log in to the VMware client.

Note

 

If you already have an existing VM setup, proceed to Step 2 and continue through Step 6. For a new VM setup, go directly to Step 8.

Step 2

For the VM to enter the BIOS setup mode, right-click the VM and select Edit Settings.

Step 3

Click the Options tab.

Step 4

Click Boot Options.

Step 5

In the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots.

Note

 

You must change the firmware from BIOS to EFI in the boot mode of the VM settings in order to boot GPT partitions with 2 TB or more capacity.

Step 6

Click OK.

Step 7

Ensure that the time zone and the correct boot order are set in BIOS/EFI:

  1. If the VM is turned on, turn the system off.

  2. Turn on the VM.

    The system enters the BIOS setup mode.

  3. In the main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.

  4. Enter the time zone.

    This time zone setting ensures that the reports, logs, and posture-agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.

  5. Using the arrow keys, navigate to the boot menu and press Enter.

  6. Using the arrow keys, select the CD-ROM drive and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes (Press the Enter or Return key to select your choice).

  8. Choose Yes to save the changes and exit.

Step 8

Insert the Cisco ISE software DVD into the VMware ESXi host's primary CD/DVD drive.

Step 9

Configure the VM user data options.

Note

 

If both the .img file and VM user data options are configured in the VM, the user data option is considered.

Step 10

Turn on the VM.

When the DVD boots, the console displays the following message:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Note

 

From Cisco ISE 3.1 onwards, pressing Enter without entering a boot option does not trigger the installation using the hard disk option. Instead it triggers ZTP.

Step 11

After 150 seconds, the bootup process automatically starts if the prerequisites are met.

Note

 
  • Installation logs can be monitored only through the serial console because ZTP works only through the serial console. It can be monitored from the VM console after the setup prompt is displayed.

  • After the Cisco ISE services are started, you must manually unmount the ZTP configuration image file from the CD/DVD.

To use ZTP only from the setup prompt onward (ZTP is driven from the keyboard until the setup prompt appears), complete these steps:

1. Power off the VM.

2. Configure the VM user data option described in Step 9.

3. Power on the VM.

The setup details are taken from the VM user data options.


Troubleshooting

Issue: If invalid setup details are entered in the user data option, the ZTP installation stops and the following message is displayed on the VM console:
==============================================================================

Cisco ISE Installation Failed

==============================================================================

Error: Sync with NTP server failed.

Check the setup details in your configuration image and reboot Cisco ISE

with proper ZTP configuration.

==============================================================================

Solution:

1. Power off the VM.

2. Update user data details with valid data.

3. Power on the VM.

Installation begins from the setup.

Automatic Installation in Appliance

The following subsections provide information about automatic installation in an appliance.

Automatic Installation in Appliance Using the ZTP Configuration Image File

Procedure

Step 1

Log in to the SNS Appliance.

Step 2

Shut down the host system.

Step 3

Choose Compute > Remote Management > Virtual media.

Step 4

Map the Cisco ISE software ISO and the ZTP configuration image file to the primary CD or DVD drive and the secondary CD or DVD drive.

Step 5

Start the host system.

When the appliance boots, the console displays this message:


Please select boot device:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Cisco ISE Installation Through ZTP Configuration (Serial Console)

Step 6

After 2 minutes and 30 seconds, the process starts automatically if the prerequisites are met.

Note

 
  • ZTP works on the SNS appliance through virtual media only.

  • Before mapping the ISO file, ensure that the .img file is mapped in virtual media.

  • Installation logs can be monitored only through the serial console, because ZTP works through the serial console. After the setup prompt appears, the logs can also be monitored through the KVM console.

  • Only the .img file supports automatic installation in the appliance.

To use ZTP from the setup prompt (ZTP uses the keyboard until the setup prompt appears), complete these steps:

1. Install Cisco ISE manually up to the setup prompt (using boot option 1 or 2) and create the ZTP configuration image file using the steps described above.

2. Shut down the host system and map the ZTP configuration image file that is created, to the CD or DVD drive.

3. Start the host system.

The setup details are picked from the ZTP configuration file that is mapped to the CD or DVD drive.


Troubleshooting

Issue: If the automatic installation in the appliance is triggered without mapping the image file, the installation fails after 150 seconds with this message:


***** The ZTP configuration image is missing or improper. Automatic installation flow
 exited.
***** Power off and attach the proper ZTP configuration image or choose manual boot to
 proceed.

Solution:

1. Shut down the host system.

2. Start the host system.

3. To load the existing installation, press option 5 to boot from the hard disk within 150 seconds.

Issue: If the setup details are invalid in the config file, ZTP installation is stopped and the following message is displayed on the Keyboard, video, and mouse (KVM) console:
==============================================================================

Cisco ISE Installation Failed

==============================================================================

Error: Sync with NTP server failed.

Check the setup details in your configuration image and reboot Cisco ISE

with proper ZTP configuration.

==============================================================================

Solution:

1. Create a new configuration .img file with valid details.

2. Shut down the host system.

3. Map the new valid image to the CD or DVD drive.

4. Start the host system.

Installation begins from the setup prompt.

Trigger Automatic Installation using UCS XML APIs

To trigger automatic installation:


Note


The API URL and the request header are the same for all the methods:


API URL

https://<ucs_server_ip>/nuova

Header

headers["Accept"] = "application/xml"
headers["Content-Type"] = "application/xml"

Procedure

Step 1

Obtain the login session cookie to authenticate the session.

The aaaLogin method initiates the login process and is required to begin a session. This method establishes the HTTP or HTTPS session between the client and Cisco IMC. The returned session cookie (outCookie) is sent in every subsequent request, so treat it as a credential: it remains valid until you log out in Step 7 or the session expires, and it should only ever travel over HTTPS.

Request

<aaaLogin inName='admin' inPassword='password'/>

Response

<aaaLogin cookie="" response="yes" outCookie="<real_cookie>" outRefreshPeriod="600" outPriv="admin" outSessionId="17" outVersion="3.0(0.149)"> </aaaLogin>

Step 2

Configure the Cisco ISE ISO file as virtual media.

This configures a Cisco ISE ISO file as a virtual media volume.

Request

<configConfMo cookie='<real_cookie>' dn='sys/svc-ext/vmedia-svc/vmmap-ISE_ISO' inHierarchical='false'>
<inConfig>
<commVMediaMap dn='sys/svc-ext/vmedia-svc/vmmap-ISE_ISO'
 map='nfs'
 remoteFile='<ise_iso_file>'
 remoteShare='<nfs_server_path>'
 status='created' volumeName='ISE_ISO' />
</inConfig>
</configConfMo>

Response

<configConfMo dn="sys/svc-ext/vmedia-svc/vmmap-ISE_ISO"
 cookie="<real_cookie>" response="yes">
<outConfig>
 <commVMediaMap volumeName="ISE_ISO" map="nfs"
  remoteShare="<nfs_server_path>"
  remoteFile="<ise_iso_file>"
  mappingStatus="In Progress"
  dn="sys/svc-ext/vmedia-svc/vmmap-ISE_ISO" status="created"/>
</outConfig>
</configConfMo>

Step 3

Configure the configuration image file as a virtual media volume.

This configures a configuration image as a vMedia volume.

Request

<configConfMo cookie='<real_cookie>'
dn='sys/svc-ext/vmedia-svc/vmmap-CONFIG-IMG' inHierarchical='false'>
<inConfig>
<commVMediaMap dn='sys/svc-ext/vmedia-svc/vmmap-CONFIG-IMG'
  map='nfs'
  remoteFile='<config_img_file>'
  remoteShare='<nfs_server_path>'
  status='created' volumeName='CONFIG-IMG' />
</inConfig>
</configConfMo>

Response

<configConfMo dn="sys/svc-ext/vmedia-svc/vmmap-CONFIG-IMG"
 cookie="<real_cookie>" response="yes">
<outConfig>
 <commVMediaMap volumeName="CONFIG-IMG" map="nfs"
  remoteShare="<nfs_server_path>"
  remoteFile="<config_img_file>"
  mappingStatus="In Progress"
  dn="sys/svc-ext/vmedia-svc/vmmap-CONFIG-IMG" status="created"/>
</outConfig>
</configConfMo>

Step 4

Set the CD-ROM as the first device in the boot order.

This maps the Cisco ISE ISO file that is picked for installation during the power restart.

Request

<configConfMo cookie="<real_cookie>"
inHierarchical="true" dn="sys/rack-unit-1/boot-policy">
  <inConfig>
    <lsbootDef dn="sys/rack-unit-1/boot-policy" rebootOnUpdate="yes">
      <lsbootVirtualMedia access="read-only" order="1" dn="sys/rack-unit-1/boot-policy/vm-read-only"/>
    </lsbootDef>
  </inConfig>
</configConfMo>

Response

<configConfMo dn="sys/rack-unit-1/boot-policy" cookie="<real_cookie>" response="yes">
<outConfig>
  <lsbootDef dn="sys/rack-unit-1/boot-policy" name="boot-policy" purpose="operational" rebootOnUpdate="no" status="modified" >
  </lsbootDef>
</outConfig>
</configConfMo>

Step 5

Enable the SoL (Serial over LAN).

This enables SoL so that you can follow the installation logs on the serial console from a remote session. The response below shows the SSH port on which the SoL session is exposed (sshPort="2400"); prefer that over Telnet, because a Telnet session carries the console output, including anything typed at the setup prompt, in cleartext.

Request

<configConfMo cookie='<real_cookie>'
dn='sys/rack-unit-1/sol-if'>
<inConfig>
  <solIf dn='sys/rack-unit-1/sol-if' adminState='enable'/>
</inConfig>
</configConfMo>

Response

<configConfMo dn="sys/rack-unit-1/sol-if" cookie="<real_cookie>" response="yes">
<outConfig>
<solIf dn="sys/rack-unit-1/sol-if" adminState="enable" name="SoLInterface" speed="115200" comport="com0" sshPort="2400" status="modified" ></solIf></outConfig>
</configConfMo>

Step 6

Power-cycle the server.

This triggers Cisco ISE installation in automatic mode.

Request

<configConfMo cookie='<real_cookie>' dn='sys/rack-unit-1'>
<inConfig><computeRackUnit
dn='sys/rack-unit-1' 
adminPower='cycle-immediate'/>
</inConfig>
</configConfMo>

Response

<configConfMo dn="sys/rack-unit-1" cookie="<real_cookie>" response="yes">
<outConfig>
   <computeRackUnit dn="sys/rack-unit-1" adminPower="policy" availableMemory="262144" model="SNS-3695-K9" memorySpeed="2400" name="SNS-3695-K9" numOfAdaptors="0" numOfCores="12" numOfCoresEnabled="12" numOfCpus="1" numOfEthHostIfs="0" numOfFcHostIfs="0" numOfThreads="24" operPower="on" originalUuid="1935836B-B968-4031-8A98-7984F1D35449" presence="equipped" serverId="1" serial="WZP2228085W" totalMemory="262144" usrLbl="" uuid="1935836B-B968-4031-8A98-7984F1D35449" vendor="Cisco Systems Inc" cimcResetReason="graceful-reboot
" assetTag="Unknown" adaptorSecureUpdate="Enabled" resetComponents="components" storageResetStatus="NA" vicResetStatus="NA" bmcResetStatus="NA" smartUsbAccess="disabled" smartUsbStatus="Disabled" biosPostState="completed" status="modified" >
  </computeRackUnit>
</outConfig>
</configConfMo>

Step 7

Log out to end the session.

Request

<aaaLogout
    cookie="<real_cookie>"
    inCookie="<real_cookie>"/>

Response:

<aaaLogout cookie="" response="yes" outStatus="success"> </aaaLogout>

For more information, see UCS API methods.
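The seven calls above, as an added example in Python that is not Cisco's code: it builds each request, parses each response, and only then sends them, so the request and response handling can be checked offline. Assumptions not taken from the guide: the CIMC password is read from the CIMC_PASSWORD environment variable rather than written into the XML; the CA certificate that issued the CIMC's TLS certificate is in the file named by CIMC_CA_BUNDLE, so the connection is verified instead of run with verification disabled; the host names, NFS share and file names are placeholders; and the error-attribute check (errorCode/errorDescr) follows the UCS XML API error format.

```python
"""Added example (not Cisco's code): drive the Cisco IMC XML API sequence above from
Python. The request builders and response parsers work offline; only run_ztp()
talks to a server.

Assumptions (not from the guide): the CIMC CA certificate is in the file named by
CIMC_CA_BUNDLE, the password is in CIMC_PASSWORD, and the host, NFS share and file
names are placeholders to replace."""
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr as q

HEADERS = {"Accept": "application/xml", "Content-Type": "application/xml"}
RACK = "sys/rack-unit-1"

# --- request builders: one per step of the procedure above -------------------
def login_request(user, password):
    # quoteattr() escapes <, & and quotes, so a password cannot break out of the attribute.
    return f"<aaaLogin inName={q(user)} inPassword={q(password)}/>"

def vmedia_map_request(cookie, volume, nfs_share, remote_file):
    dn = f"sys/svc-ext/vmedia-svc/vmmap-{volume}"
    return (f"<configConfMo cookie={q(cookie)} dn={q(dn)} inHierarchical='false'><inConfig>"
            f"<commVMediaMap dn={q(dn)} map='nfs' remoteFile={q(remote_file)} "
            f"remoteShare={q(nfs_share)} status='created' volumeName={q(volume)}/>"
            "</inConfig></configConfMo>")

def boot_order_request(cookie):
    return (f"<configConfMo cookie={q(cookie)} inHierarchical='true' dn='{RACK}/boot-policy'><inConfig>"
            f"<lsbootDef dn='{RACK}/boot-policy' rebootOnUpdate='yes'>"
            f"<lsbootVirtualMedia access='read-only' order='1' dn='{RACK}/boot-policy/vm-read-only'/>"
            "</lsbootDef></inConfig></configConfMo>")

def sol_enable_request(cookie):
    return (f"<configConfMo cookie={q(cookie)} dn='{RACK}/sol-if'><inConfig>"
            f"<solIf dn='{RACK}/sol-if' adminState='enable'/></inConfig></configConfMo>")

def power_cycle_request(cookie):
    return (f"<configConfMo cookie={q(cookie)} dn='{RACK}'><inConfig>"
            f"<computeRackUnit dn='{RACK}' adminPower='cycle-immediate'/></inConfig></configConfMo>")

def logout_request(cookie):
    return f"<aaaLogout cookie={q(cookie)} inCookie={q(cookie)}/>"

# --- response parsing ---------------------------------------------------------
def parse_response(xml_text):
    """Return the root element, or raise if the CIMC reported an error
    (errorCode/errorDescr attributes, as in the UCS XML API error format)."""
    root = ET.fromstring(xml_text)
    if root.get("errorCode"):
        raise RuntimeError(f"CIMC error {root.get('errorCode')}: {root.get('errorDescr')}")
    return root

def attr_of(xml_text, path, name):
    """Attribute `name` of the element at `path` (relative to the root; '' means the root)."""
    root = parse_response(xml_text)
    node = root if path == "" else root.find(path)
    if node is None:
        raise ValueError(f"no element at {path!r}")
    return node.get(name)

def session_cookie(login_response):
    return attr_of(login_response, "", "outCookie")

def vmedia_mapping_status(response):
    return attr_of(response, "outConfig/commVMediaMap", "mappingStatus")

# --- transport ----------------------------------------------------------------
def post(url, body, ca_bundle):
    """POST one XML document over TLS, verifying the CIMC certificate against ca_bundle."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body.encode(), headers=HEADERS, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode()

def run_ztp(cimc_host, user, nfs_share, iso_name, img_name, ca_bundle):
    """Steps 1 to 7 in order. The cookie is a bearer credential, so always log out."""
    url = f"https://{cimc_host}/nuova"
    cookie = session_cookie(post(url, login_request(user, os.environ["CIMC_PASSWORD"]), ca_bundle))
    try:
        for volume, name in (("ISE_ISO", iso_name), ("CONFIG-IMG", img_name)):
            status = vmedia_mapping_status(post(url, vmedia_map_request(cookie, volume, nfs_share, name), ca_bundle))
            print(f"{volume}: {status}")
        for build in (boot_order_request, sol_enable_request, power_cycle_request):
            parse_response(post(url, build(cookie), ca_bundle))
    finally:
        post(url, logout_request(cookie), ca_bundle)

# Constructed responses in the shape shown above, for an offline check.
SAMPLE_LOGIN_RESPONSE = ('<aaaLogin cookie="" response="yes" outCookie="1700000000/0123abcd" '
                         'outRefreshPeriod="600" outPriv="admin" outSessionId="17" outVersion="3.0(0.149)"/>')
SAMPLE_VMEDIA_RESPONSE = ('<configConfMo dn="sys/svc-ext/vmedia-svc/vmmap-ISE_ISO" cookie="1700000000/0123abcd" '
                          'response="yes"><outConfig><commVMediaMap volumeName="ISE_ISO" map="nfs" '
                          'mappingStatus="In Progress" status="created"/></outConfig></configConfMo>')

if __name__ == "__main__":
    run_ztp("cimc.example.net", "admin", "nfs.example.net:/export/ise",
            "ise-3.x.0.x.SPA.x86_64.iso", "ise-ztp-config.img",
            os.environ.get("CIMC_CA_BUNDLE", "cimc-ca.pem"))
```

Two points carry over from the guide: the boot-policy response shows rebootOnUpdate="no", so the power cycle in Step 6 is what actually starts the installation, and the vMedia mappings report "In Progress" on creation, so poll the mapping status before power-cycling if the NFS server is slow.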


OVA Automatic Installation

Use these sections to automatically install the OVA.

Automatic OVA Installation Using the ZTP Configuration Image File

Procedure

Step 1

Log in to the VMware client.

Note

 

If you already have an existing virtual machine setup, complete Steps 2 through 6. For a new virtual machine setup, start with Step 8.

Step 2

To enter BIOS setup mode, right-click the virtual machine and select Edit Settings.

Step 3

Click the Options tab.

Step 4

Click Boot Options.

Step 5

In the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots.

Note

 

Change the firmware from BIOS to EFI in the VM's boot mode settings to enable GPT partitions of 2 TB or more.

Step 6

Click OK.

Step 7

Ensure that the Coordinated Universal Time (UTC) is set and the boot order is correct in BIOS.

  1. If the virtual machine is turned on, turn the system off.

  2. Turn on the VM.

    The system enters the BIOS setup mode.

  3. In the main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.

  4. Enter the UTC or Greenwich Mean Time (GMT) time zone.

    This time zone setting keeps reports, logs, and posture-agent log files from all nodes in your deployment synchronized for timestamps.

  5. Use the arrow keys to open the boot menu and press Enter.

  6. Using the arrow keys, select the CD-ROM drive and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes (Press the Enter or Return key to select your choice).

  8. Choose Yes to save the changes and exit.

Step 8

Import the Cisco ISE OVA file into your VMware ESXi host.

Step 9

Insert the ZTP configuration image file into the primary CD drive or DVD drive of your VMware ESXi host.

Step 10

Turn on your virtual machine.

When the DVD boots, the console displays a message:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Note

 

If you press Enter without selecting a boot option in Cisco ISE 3.1 or later, the system initiates ZTP instead of installing using the hard disk option.

Step 11

After 150 seconds, the bootup process automatically starts if the prerequisites are met.

Note

 
  • Monitor the installation logs through the serial console while ZTP runs. After the setup prompt appears, view the logs in your virtual machine console.

  • After the Cisco ISE services are started, you must manually unmount the ZTP configuration image file from the CD or DVD.

Use the keyboard to perform ZTP until the setup prompt appears. Then, follow this procedure:

  1. Install Cisco ISE manually using boot option 1 or 2, and create the ZTP configuration image file using the steps in this procedure.

  2. Power off the virtual machine.

  3. Map the ZTP configuration image file to the CD or DVD drive.

  4. Power on the virtual machine.

    The system uses the setup details from the ZTP configuration file that mapped to the CD or DVD drive.


Troubleshooting

Issue: If the setup details are invalid in the configuration file, ZTP installation stops and the following message is displayed on the VM console:

==============================================================================
Cisco ISE Installation Failed
==============================================================================
Error: Sync with NTP server failed.
Check the setup details in your configuration image and reboot Cisco ISE
with proper ZTP configuration.
==============================================================================

Solution: This can be resolved by performing the following steps:

  1. Create a new configuration .img file with valid details.

  2. Power off the VM.

  3. Map the new valid image to the CD or DVD drive.

  4. Power on the VM.

OVA Automatic Installation Using the VM User Data

Procedure

Step 1

Log in to the VMware client.

Note

If you already set up a VM, start at Step 2 and continue to Step 6. If you are setting up a new VM, start at Step 8.

Step 2

Right-click the VM and select Edit Settings to enter the BIOS setup mode.

Step 3

Click the Options tab.

Step 4

Click Boot Options.

Step 5

In the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots.

Note

Change the firmware from BIOS to EFI in the VM's boot mode settings so you can boot GPT partitions larger than 2 TB.

Step 6

Click OK.

Step 7

Ensure that the Coordinated Universal Time (UTC) and the correct boot order are set in BIOS:

  1. If the VM is turned on, turn the system off.

  2. Power off the VM.

    You see the BIOS setup mode.

  3. In the main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.

  4. Enter the Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) zone.

    With this time zone setting, the reports, logs, and posture-agent log files from the nodes in your deployment always have synchronized timestamps.

  5. Using the arrow keys, navigate to the boot menu and press Enter.

  6. Select the CD-ROM drive using the arrow keys and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes (Press the Enter or Return key to select your choice).

  8. Choose Yes to save the changes and exit.

Step 8

Import the Cisco ISE OVA file into your VMware ESXi host.

Step 9

Configure the VM user data options.

Note

The VM uses the user data option if both the image file and the VM user data options are configured.

Step 10

Turn on the VM.

When the DVD boots, the console displays the following message:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Note

From Cisco ISE 3.1 onwards, pressing Enter without entering a boot option does not trigger the installation using the hard disk option. Instead, it triggers ZTP.

Step 11

If the prerequisites are met, the bootup process starts automatically after 150 seconds.

Note

  • To monitor installation logs, use the serial console. ZTP interacts only through the serial console. Monitoring from the VM console is possible after the setup prompt is displayed.

  • After Cisco ISE services have started, manually unmount the ZTP configuration image file from the CD or DVD.

To use ZTP from the setup prompt, perform this procedure. ZTP is carried out using the keyboard until the setup prompt appears.

  1. Power off the VM.

  2. Configure the VM user data option described in Step 9.

  3. Power on the VM.

    The VM options provide the setup details.


Troubleshooting information

Issue: If invalid setup details are entered in the user data option, the ZTP installation stops and this message is displayed on the VM console:

==============================================================================
Cisco ISE Installation Failed
==============================================================================
Error: Sync with NTP server failed.
Check the setup details in your configuration image and reboot Cisco ISE
with proper ZTP configuration.
==============================================================================

Solution: To resolve this issue, complete the following steps.

  1. Power off the VM.

  2. Update user data details with valid data.

  3. Power on the VM.

    Installation begins from the setup.

Create a ZTP Configuration Image File

Create the ZTP configuration image file using the ./create_ztp_image.sh ise-ztp.conf ise-ztp.img command. The script can be executed on Red Hat Enterprise Linux (RHEL), CentOS, or Ubuntu.

To skip the ICMP, DNS, and NTP checks, set the flags to True in the configuration image file:

  • ICMP: SkipIcmpChecks=true

  • DNS: SkipDnsChecks=true

  • NTP: SkipNtpChecks=true


Note


The default value for each flag is false. If a flag is not explicitly set in the configuration file, the ZTP installation performs that check.


create_ztp_image.sh script creation

#!/bin/bash
###########################################################
# This script generates the ISE ZTP image from a ZTP
# configuration file.
#
# The ZTP configuration file must be passed as input.
#
# Copyright (c) 2021 by Cisco Systems, Inc.
# All rights reserved.
# Note:
# To mount the image, use the command below
# mount ise_ztp_config.img /ztp
# To mount the image from cdrom
# mount -o ro /dev/sr1 /ztp
#############################################################
if [ -z "$1" ]; then
  echo "Usage: $0 <ise-ztp.conf> [out-ztp.img]"
  exit 1
elif [ ! -f "$1" ]; then
  echo "file $1 does not exist"
  exit 1
else
  conf_file=$1
fi
if [ -z "$2" ]; then
  image=ise_config.img
else
  image=$2
fi
mountpath=/tmp/ise_ztp
ztplabel=ISE-ZTP
rm -fr "$mountpath"
mkdir -p "$mountpath"
# Create a blank 1440 KB image file
if ! dd if=/dev/zero of="$image" bs=1k count=1440 > /dev/null 2>&1; then
  echo "Image creation failed"
  exit 1
fi
# Format the image as ext4 with the ISE-ZTP label (-F: do not prompt)
if ! mkfs.ext4 -F -L "$ztplabel" "$image" > /dev/null 2>&1; then
  echo "Formatting $image failed"
  exit 1
fi
# Loop-mount the image (requires root) and copy the configuration into it
if ! mount -o rw,loop "$image" "$mountpath"; then
  echo "Mounting $image failed (run this script as root)"
  exit 1
fi
cp "$conf_file" "$mountpath/ise-ztp.conf"
sync
umount "$mountpath"
sleep 1
# If the desktop automounted the labelled image, unmount that too
automountpath=$(mount | grep "$ztplabel" | awk '{print $3}')
if [ -n "$automountpath" ]; then
  umount "$automountpath"
fi
echo "Image created $image"

VM User Data

You can use VM user data with Cisco ISE installation on ESXi version 6.5 and later.

Paste the contents of the ise-ztp.conf file into a Base64 encoding tool to obtain the encoded string.

Enter the encoded Base64 string as VM user data. In VMware ESXi, go to VM Options > Advanced > Configuration Parameters > Edit Configuration and add the parameter guestinfo.ise.ztp with the Base64-encoded ZTP configuration string as its value.


Note


When configuring ZTP to deploy a patch or hot patch, you must use http (lowercase) instead of HTTP. Otherwise, the patch files cannot be downloaded from the repository.
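The following POSIX shell functions are an added example, not part of the Cisco ISE guide or of the create_ztp_image.sh script above. They prepare the guestinfo.ise.ztp user data value from an ise-ztp.conf: any SkipIcmpChecks, SkipDnsChecks or SkipNtpChecks line must be true or false, a file containing uppercase HTTP:// is refused (the patch-download note above), and the result is the single-line Base64 string for the configuration parameter. The sample configuration at the end is constructed and carries only the three flags this page documents.

```shell
#!/bin/sh
# Added example: build the guestinfo.ise.ztp value from an ise-ztp.conf file.

# The skip flags documented on this page default to false; if present they
# must be true or false (the guide writes both "True" and "true").
ztp_check_flags() {
    conf="$1"
    rc=0
    for flag in SkipIcmpChecks SkipDnsChecks SkipNtpChecks; do
        val=$(grep -E "^${flag}=" "$conf" | tail -n 1 | cut -d= -f2- | tr -d ' \r')
        if [ -n "$val" ]; then
            case "$val" in
                true|false|True|False) ;;
                *) echo "invalid value for ${flag}: ${val}" >&2; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Patch and hot patch repositories must be written as lowercase "http";
# an uppercase scheme means the patch files cannot be downloaded.
ztp_check_http() {
    if grep -q 'HTTP://' "$1"; then
        echo "uppercase HTTP:// found; use lowercase http" >&2
        return 1
    fi
    return 0
}

# Base64 of the whole file on one line, the form guestinfo.ise.ztp expects.
ztp_encode() {
    base64 < "$1" | tr -d '\n'
}

# Emit the line to add under VM Options > Advanced > Configuration Parameters.
ztp_userdata_line() {
    ztp_check_flags "$1" && ztp_check_http "$1" || return 1
    printf 'guestinfo.ise.ztp = %s\n' "$(ztp_encode "$1")"
}

# Constructed sample ise-ztp.conf (real files carry further keys not listed here).
sample=$(mktemp)
printf 'SkipIcmpChecks=false\nSkipDnsChecks=false\nSkipNtpChecks=true\n' > "$sample"
ztp_userdata_line "$sample"
rm -f "$sample"
```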