Common System Maintenance Tasks

Bond ethernet interfaces for high availability

Cisco ISE supports bonding two ethernet interfaces into a single virtual interface, providing high availability for the physical interfaces. This feature is called Network Interface Card (NIC) bonding or NIC teaming. When two interfaces are bonded, they appear as a single device with one MAC address.

You can use NIC bonding in Cisco ISE only for high availability. It does not support load balancing or link aggregation.

Bonding interfaces ensures that the Cisco ISE services are not affected by:

  • Physical interface failure

  • Loss of switch port connectivity due to shutdown or failure

  • Switch line card failure

When two interfaces are bonded, one becomes the primary interface and the other becomes the backup interface. All traffic flows through the primary interface. If the primary interface fails, the backup interface then routes all traffic. The bond uses the IP address and MAC address of the primary interface.

When you configure the NIC bonding feature, Cisco ISE pairs fixed physical NICs into bonded NICs. The table lists the NIC pairs that can form a bonded interface.

Table 1. Physical NICs bonded together to form an interface

Cisco ISE physical NIC name   Linux physical NIC name   Role in bonded NIC   Bonded NIC name
Gigabit Ethernet 0            Eth0                      Primary              bond 0
Gigabit Ethernet 1            Eth1                      Backup               bond 0
Gigabit Ethernet 2            Eth2                      Primary              bond 1
Gigabit Ethernet 3            Eth3                      Backup               bond 1
Gigabit Ethernet 4            Eth4                      Primary              bond 2
Gigabit Ethernet 5            Eth5                      Backup               bond 2

Supported platforms

You can use the NIC bonding feature on all supported platforms and node personas. The supported platforms are:

  • SNS hardware appliances: bond 0, 1, and 2.

  • Virtual machines: bond 0, 1, and 2, provided six NICs are available.

Guidelines for bonding ethernet interfaces

  • As Cisco ISE supports up to six Ethernet interfaces, it can have only three bonds, bond 0, bond 1, and bond 2.

  • You cannot change the interfaces that are part of a bond or change the role of the interface in a bond. See the above table for information on which NICs can be bonded together and their role in the bond.

  • The Eth0 interface acts as both the management interface and the runtime interface. The other interfaces act as runtime interfaces.

  • Before you create a bond, the primary interface (primary NIC) must be assigned an IP address. The Eth0 interface must be assigned an IPv4 address before you create bond 0. Similarly, Eth2 must be assigned an IPv4 or IPv6 address before you create bond 1, and Eth4 must be assigned an IPv4 or IPv6 address before you create bond 2.

  • Before you create a bond, if the backup interface (Eth1, Eth3, or Eth5) has an IP address assigned, remove the IP address from the backup interface. The backup interface should not be assigned an IP address.

  • You can choose to create only one bond (bond 0) and allow the rest of the interfaces to remain as is. In this case, bond 0 acts as the management interface and runtime interface, and the rest of the interfaces act as runtime interfaces.

  • You can change the IP address of the primary interface in a bond. The new IP address is assigned to the bonded interface because it assumes the IP address of the primary interface.

  • When you remove the bond between two interfaces, the IP address assigned to the bonded interface is assigned back to the primary interface.

  • If you want to configure the NIC bonding feature on a Cisco ISE node that is part of a deployment, you must deregister the node from the deployment, configure NIC bonding, and then register the node back to the deployment.

  • If a physical interface that acts as a primary interface in a bond (Eth0, Eth2, or Eth4) has a static route configured, the static route is automatically updated to operate on the bonded interface instead of the physical interface.

Configure NIC bonding

You can configure NIC bonding from the Cisco ISE CLI for bond 0 between Eth0 and Eth1 interfaces.

Before you begin

If a physical interface, such as Eth1, Eth3, or Eth5, serves as a backup and is configured with an IP address, remove the IP address from that interface. Leave the backup interface without an IP address.

Procedure


Step 1

Log in to Cisco ISE CLI with your administrator account.

Step 2

Enter configure terminal to enter the configuration mode.

Step 3

Enter the interface GigabitEthernet 0 command.

Step 4

Enter the backup interface GigabitEthernet 1 command.

The console displays:

 % Warning: IP address of interface eth1 will be removed once NIC bonding is enabled. Are you sure you want to proceed? Y/N [N]:

Step 5

Enter Y and press Enter.

After you configure bond 0, Cisco ISE restarts automatically. Wait until all services are running. Enter the show application status ise command from the CLI to check whether all services are running.


ise/admin# configure terminal  
Enter configuration commands, one per line.  End with CNTL/Z.
ise/admin(config)# interface gigabitEthernet 0 
ise/admin(config-GigabitEthernet)# backup interface gigabitEthernet 1 
Changing backup interface configuration may cause ISE services to restart.
Are you sure you want to proceed? Y/N [N]: Y 
Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...
ISE PassiveID Service is disabled
ISE pxGrid processes are disabled
Stopping ISE Application Server...
Stopping ISE Certificate Authority Service...
Stopping ISE EST Service...
ISE Sxp Engine Service is disabled
Stopping ISE Profiler Database...
Stopping ISE Indexing Engine...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Profiler Database...
Starting ISE Application Server...
Starting ISE Indexing Engine...
Starting ISE Certificate Authority Service...
Starting ISE EST Service...
Starting ISE Monitoring & Troubleshooting Log Processor...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE AD Connector...
Note: ISE Processes are initializing. Use 'show application status ise'
      CLI to verify all processes are in running state. 
ise/admin(config-GigabitEthernet)#


Verify NIC bonding configuration

To verify that the NIC bonding feature is configured, run the show running-config command from the Cisco ISE CLI. You will see output similar to this example:


!        
interface GigabitEthernet 0
  ipv6 address autoconfig
  ipv6 enable
  backup interface GigabitEthernet 1
  ip address 192.168.118.214 255.255.255.0
!

In the output, the entry "backup interface GigabitEthernet 1" indicates that NIC bonding is configured on Gigabit Ethernet 0. Gigabit Ethernet 0 is the primary interface, and Gigabit Ethernet 1 is the backup interface. The ADE-OS configuration does not display an IP address for the backup interface in the running configuration. The same IP address is used for both the primary and backup interfaces.

You can also run the show interface command to see the bonded interfaces.


ise/admin# show interface  
bond0: flags=5187<UP,BROADCAST,RUNNING,PRIMARY,MULTICAST>  mtu 1500
        inet 10.126.107.60  netmask 255.255.255.0  broadcast 10.126.107.255
        inet6 fe80::8a5a:92ff:fe88:4aea  prefixlen 64  scopeid 0x20<link>
        ether 88:5a:92:88:4a:ea  txqueuelen 0  (Ethernet)
        RX packets 1726027  bytes 307336369 (293.0 MiB)
        RX errors 0  dropped 844  overruns 0  frame 0
        TX packets 1295620  bytes 1073397536 (1023.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

GigabitEthernet 0
        flags=6211<UP,BROADCAST,RUNNING,SUBORDINATE,MULTICAST>  mtu 1500
        ether 88:5a:92:88:4a:ea  txqueuelen 1000  (Ethernet)
        RX packets 1726027  bytes 307336369 (293.0 MiB)
        RX errors 0  dropped 844  overruns 0  frame 0
        TX packets 1295620  bytes 1073397536 (1023.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xfab00000-fabfffff  

GigabitEthernet 1
        flags=6211<UP,BROADCAST,RUNNING,SUBORDINATE,MULTICAST>  mtu 1500
        ether 88:5a:92:88:4a:ea  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xfaa00000-faafffff
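As an added example (not Cisco's code), the following Python audit parses captured show running-config and show interface text and checks the properties this section describes: the bond is UP, RUNNING and PRIMARY, both members are SUBORDINATE and share the bond's MAC address, and the backup interface carries no IP address of its own. The sample text is constructed from the outputs shown above, and the bond0/bond1/bond2 numbering is derived from the fixed pairs in Table 1.

```python
import re
# Constructed sample input, copied from the outputs this page shows.
RUNNING_CONFIG = """\
interface GigabitEthernet 0
  backup interface GigabitEthernet 1
  ip address 192.168.118.214 255.255.255.0
"""
SHOW_INTERFACE = """\
bond0: flags=5187<UP,BROADCAST,RUNNING,PRIMARY,MULTICAST>  mtu 1500
        inet 10.126.107.60  netmask 255.255.255.0  broadcast 10.126.107.255
        ether 88:5a:92:88:4a:ea  txqueuelen 0  (Ethernet)
GigabitEthernet 0
        flags=6211<UP,BROADCAST,RUNNING,SUBORDINATE,MULTICAST>  mtu 1500
        ether 88:5a:92:88:4a:ea  txqueuelen 1000  (Ethernet)
GigabitEthernet 1
        flags=6211<UP,BROADCAST,RUNNING,SUBORDINATE,MULTICAST>  mtu 1500
        ether 88:5a:92:88:4a:ea  txqueuelen 1000  (Ethernet)
"""
FIELDS = {"flags": r"flags=\d+<([^>]*)>", "ether": r"\bether ([0-9a-f:]{17})",
          "inet": r"\binet (\d+\.\d+\.\d+\.\d+)"}  # one regex per field of a show interface block
EMPTY = {"flags": "", "ether": None, "inet": None}   # stand-in for an interface that is absent

def parse_bonds(running_config):  # {primary: backup} from 'backup interface' lines
    bonds, current = {}, None
    for line in running_config.splitlines():
        if m := re.match(r"interface (GigabitEthernet \d+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+backup interface (GigabitEthernet \d+)", line):
            bonds[current] = m.group(1)
    return bonds

def parse_interfaces(show_interface):
    """Return {name: {"flags": "A,B,..", "ether": mac, "inet": ipv4}} per interface block."""
    ifaces, name = {}, None
    for line in show_interface.splitlines():
        if line and not line.startswith(" "):   # block header: "bond0: ..." or "GigabitEthernet 0"
            name = line.split(":")[0].strip()
            ifaces[name] = dict(EMPTY)
        for key, pattern in FIELDS.items():
            if name and (m := re.search(pattern, line)):
                ifaces[name][key] = m.group(1)
    return ifaces

def audit_bonds(running_config, show_interface):
    """Return {bond: [problems]}; an empty list means that bond looks healthy."""
    ifaces, report = parse_interfaces(show_interface), {}
    for primary, backup in parse_bonds(running_config).items():
        bond_name = f"bond{int(primary.split()[1]) // 2}"   # Eth0->bond0, Eth2->bond1, Eth4->bond2
        bond, problems = ifaces.get(bond_name, EMPTY), []
        if not {"UP", "RUNNING", "PRIMARY"} <= set(bond["flags"].split(",")):
            problems.append(f"{bond_name} is not UP/RUNNING/PRIMARY (flags: {bond['flags'] or 'absent'})")
        for member in (primary, backup):
            i = ifaces.get(member, EMPTY)
            if "SUBORDINATE" not in i["flags"].split(","):
                problems.append(f"{member} is not a SUBORDINATE of {bond_name}")
            if i["ether"] != bond["ether"]:
                problems.append(f"{member} MAC {i['ether']} differs from {bond_name} MAC {bond['ether']}")
            if i["inet"] is not None:
                problems.append(f"{member} still has its own IPv4 address {i['inet']}")
        report[bond_name] = problems
    return report
```

Run it against the two captures taken after the bond is created; a non-empty problem list for bond0 means the interface state does not match the configuration shown in this section.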

Remove NIC bonding

Use the no form of the backup interface command to remove a NIC bond.

Procedure


Step 1

Log in to Cisco ISE CLI with your administrator account.

Step 2

Enter configure terminal to enter the configuration mode.

Step 3

Enter the interface GigabitEthernet 0 command.

Step 4

Enter the no backup interface GigabitEthernet 1 command.

% Notice: Bonded Interface bond 0 has been removed.

Step 5

Enter Y and press Enter.

Bond 0 is now removed. Cisco ISE restarts automatically. Wait until all services are running successfully. Enter the show application status ise command from the CLI to verify that all the services are running.


ise/admin# configure terminal  
Enter configuration commands, one per line.  End with CNTL/Z.
ise/admin(config)# interface gigabitEthernet 0 
ise/admin(config-GigabitEthernet)# no backup interface gigabitEthernet 1

Changing backup interface configuration may cause ISE services to restart.
Are you sure you want to proceed? Y/N [N]: Y 
Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...
ISE PassiveID Service is disabled
ISE pxGrid processes are disabled
Stopping ISE Application Server...
Stopping ISE Certificate Authority Service...
Stopping ISE EST Service...
ISE Sxp Engine Service is disabled
Stopping ISE Profiler Database...
Stopping ISE Indexing Engine...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Profiler Database...
Starting ISE Application Server...
Starting ISE Indexing Engine...
Starting ISE Certificate Authority Service...
Starting ISE EST Service...
Starting ISE Monitoring & Troubleshooting Log Processor...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE AD Connector...
Note: ISE Processes are initializing. Use 'show application status ise'
      CLI to verify all processes are in running state. 
ise/admin(config-GigabitEthernet)#


Reset a lost, forgotten, or compromised password using a DVD

Before you begin

Understand these connection-related conditions that can cause problems when you use the Cisco ISE software DVD to start the device.

  • If your terminal server associated with the serial console connection to the Cisco ISE appliance is set to exec, only one connection method is available. After you set it to no exec, you can use both a keyboard and video monitor connection and a serial console connection.

  • If you have a keyboard and video monitor connection to the Cisco ISE appliance, you can use a remote keyboard and video monitor connection or a VMware vSphere client console connection.

  • Ensure you have a serial console connection to the Cisco ISE appliance.

Procedure


Step 1

Ensure that the Cisco ISE device is powered up.

Step 2

Insert the Cisco ISE software DVD.

Step 3

Use the arrow keys to select System Utilities (Serial Console) if you use a local serial console port connection or select System Utilities (Keyboard/Monitor) if you use a keyboard and video monitor connection to the appliance, and press Enter.

The system displays the ISO utilities menu as shown here:

Available System Utilities:
  [1] Recover Administrator Password
  [2] Virtual Machine Resource Check
  [3] Perform System Erase
  [q] Quit and reload
Enter option [1 - 3] q to Quit:

Step 4

Enter 1 to recover the administrator password.

The console displays:


Admin Password Recovery
This utility will reset the password for the specified ADE-OS administrator.
At most the first five administrators will be listed. To cancel without
saving changes, enter [q] to Quit and return to the utilities menu.

[1]:admin
[2]:admin2
[3]:admin3
[4]:admin4

Enter choice between [1 - 4] or q to Quit: 2

Password:
Verify password:

Save change and reboot? [Y/N]:

Step 5

Enter the number for the admin user whose password you want to reset.

Step 6

Enter the new password and verify it.

Step 7

Enter Y to save the changes.


Reset a disabled password due to administrator lockout

If you enter an incorrect password five times, your account becomes disabled.

Use these instructions to reset the administrator user interface password with the application reset-passwd ise command in the Cisco ISE CLI. Resetting the administrator password activates new credentials immediately and allows you to log in without rebooting the system. This process does not affect the administrator's CLI password.

Cisco ISE adds a log entry in the Administrator Logins window. To view this window, click the Menu icon and choose Operations > Reports > Reports > Audit > Administrator Logins. Reset your administrator ID password to regain access to your credentials.

Procedure


Step 1

Access the direct-console CLI and enter:

application reset-passwd ise administrator_ID

Step 2

Specify and confirm a new password that is different from the passwords that were used most recently for this administrator ID.


Enter new password:
Confirm new password:

Password reset successfully

Change the IP address of a Cisco ISE appliance

Before you begin

  • Deregister your Cisco ISE node from the distributed deployment. Then, convert it to a standalone node before you change the IP address.

  • Do not use the no ip address command when changing the Cisco ISE device's IP address.

Procedure


Step 1

Log in to the Cisco ISE CLI.

Step 2

Enter these commands:

  1. configure terminal

  2. interface GigabitEthernet 0

  3. ip address new_ip_address new_subnet_mask

    When prompted for the IP address change, enter Y. A similar screen appears.

ise-13-infra-2/admin(config-GigabitEthernet)# ip address a.b.c.d 255.255.255.0

% Changing the IP address might cause ISE services to restart
Continue with IP address change? Y/N [N]: y
Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...
Stopping ISE Identity Mapping Service...
Stopping ISE pxGrid processes...
Stopping ISE Application Server...
Stopping ISE Certificate Authority Service...
Stopping ISE Profiler Database...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Profiler Database...
Starting ISE pxGrid processes...
Starting ISE Application Server...
Starting ISE Certificate Authority Service...
Starting ISE Monitoring & Troubleshooting Log Processor...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE Identity Mapping Service...
Starting ISE AD Connector...
Note: ISE Processes are initializing. Use 'show application status ise'
CLI to verify all processes are in running state. 

When the process is complete, restart the system when prompted.

Step 3

To restart the system, enter Y.


View installation and upgrade history

You can use a CLI command in Cisco ISE to view the details of installing, upgrading, and uninstalling releases and patches. To view these details, enter the show version history command. The output lists these fields for each entry:

  • Date: The date and time at which the installation or uninstallation was performed.

  • Application: The Cisco ISE application used for installation or upgrade.

  • Version: The version that was installed or removed.

  • Action: Installation, uninstallation, patch installation, or patch uninstallation.

  • Bundle Filename: The name of the bundle that was installed or removed.

  • Repository: The repository you used to install the Cisco ISE application bundle. This does not apply if you uninstall the application.

Procedure


Step 1

Log in to the Cisco ISE CLI.

Step 2

Enter this command: show version history.

This output appears:


ise/admin# show version history
---------------------------------------------
Install Date: Fri Nov 30 21:48:58 UTC 2022 
Application: ise 
Version: 3.x.0.xxx 
Install type: Application Install 
Bundle filename: ise.tar.gz 
Repository: SystemDefaultPkgRepos 

ise/admin# 


Perform a system erase

You can securely erase all information from your Cisco ISE appliance or VM by performing a system erase. This method helps you comply with NIST Special Publication 800-88 data destruction standards.

Before you begin

Understand these connection-related conditions that may cause problems when you use the Cisco ISE software DVD to start a Cisco ISE appliance:

  • If your terminal server is associated with the serial console connection to the Cisco ISE appliance and is set to exec, change the setting to no exec. This change allows you to use both a KVM connection and a serial console connection.

  • Set up a keyboard and video monitor (KVM) connection to the Cisco ISE appliance. Use either a remote KVM connection or a VMware vSphere client console connection.

  • Set up a serial console connection to the Cisco ISE appliance.

Procedure


Step 1

Ensure that the Cisco ISE device is powered up.

Step 2

Insert the Cisco ISE software DVD.

Step 3

Use the arrow keys to select System Utilities (Serial Console), and press Enter.

The system displays the ISO utilities menu as shown here:



Available System Utilities:

[1] Recover administrator password
[2] Virtual Machine Resource Check
[3] System Erase
[q] Quit and reload

Enter option [1 - 3] q to Quit:

Step 4

Enter 3 to perform a system erase.

The console displays:

 **********   W A R N I N G   **********
THIS UTILITY WILL PERFORM A SYSTEM ERASE ON THE DISK DEVICE(S). THIS PROCESS CAN TAKE UP TO 5 HOURS TO COMPLETE. THE RESULT WILL BE COMPLETE
DATA LOSS OF THE HARD DISK. THE SYSTEM WILL NO LONGER BOOT AND WILL REQUIRE A RE-IMAGE FROM INSTALL MEDIA TO RESTORE TO FACTORY DEFAULT STATE.

ARE YOU SURE YOU WANT TO CONTINUE? [Y/N] Y

Step 5

Enter Y.

The console prompts with another warning:

THIS IS YOUR LAST CHANGE TO CANCEL. PROCEED WITH SYSTEM ERASE? [Y/N] Y

Step 6

Enter Y to perform a system erase.

The console displays:

Deleting system disk, please wait…
Writing random data to all sectors of disk device (/dev/sda)…
Writing zeros to all sectors of disk device (/dev/sda)…
Completed!  System is now erased.  
Press <Enter> to reboot.

To reuse the appliance after performing a system erase, boot the system using the Cisco ISE DVD and choose the install option from the boot menu.