Cisco Identity Services Engine Installation Guide, Release 3.5

Overview

Provides instructions on how to automate Cisco ISE installations using ZTP configuration files, public key authentication, and initial password management across virtual machines, physical appliances, and OVA-based environments.

Use Zero Touch Provisioning (ZTP) to automate Cisco ISE installation, patches, hot patches, and infrastructure service enablement without manual steps.

ZTP is available starting with Cisco ISE release 3.1. There are two options available in ZTP:

  • Mapping .img file: Use this method for virtual-machine (VM) automatic installations, appliances, and OVA installations.

    Configure the required parameters.

    • Hostname

    • IP address

    • Netmask

    • Default gateway

    • DNS domain

    • Primary name server

    • NTP server

    • System timezone

    • SSH

    • Username

    • Password

    Optionally, configure IPv6, patch, hot patch, services, and repository details. For more information, refer to ZTP Configuration Image File.

    Note

    For ZTP on Microsoft Hyper-V, use an .iso file and create a Generation 2 VM. Do not use an .img file.

  • VM User Data:

    Configure the required parameters.

    • Hostname

    • IP address

    • Netmask

    • Default gateway

    • DNS domain

    • Primary name server

    • NTP server

    • System timezone

    • SSH

    • Username

    • Password

For more information, refer to VM User Data.

Note
  • Enable the serial console for both the VM and appliance to track installation progress during ZTP.

  • Ensure you have a ZTP Configuration Image File.

  • From Cisco ISE release 3.5, a new attribute, management_interface, has been added to the ZTP configuration file. Use this attribute to configure the management interface.

Provisioning Cisco ISE with ZTP makes the security features described in the following sections available: public key authentication and a forced password change at first login.

Note

Use TFTP, HTTP, HTTPS, or NFS repositories to install hot patches and patches on Cisco ISE with ZTP. Repositories created during ZTP are not visible or accessible from the Cisco ISE GUI. You can use only repositories with anonymous access (no username or password) during ZTP.


Configure public key authentication

You can enable public key authentication by adding the public key to the ZTP configuration file. When you enable public key authentication, password-based authentication is disabled. You can disable public key authentication at any time.

To switch back to password-based authentication, use this command in the Cisco ISE CLI:
conf t
no service sshd PubkeyAuthentication
For more details about this command, refer to the 'Service' section in the chapter 'Cisco ISE CLI Commands in Configuration Mode' of the Cisco Identity Services Engine CLI Reference Guide for your Cisco ISE release.

Note

Do not execute the command service sshd PubkeyAuthentication unless you have included the public key in the ZTP configuration image file before installation. This disables password-based authentication, requiring you to log in using a private key. If you cannot log in with a private key, connect to Cisco ISE using the console port and revert the configuration.

Procedure

1.

Generate a public and private RSA key pair using a third-party application.

2.

Include the public key that is generated in the ZTP configuration image file.

3.

Install Cisco ISE using ZTP.

4.

Log in to the Cisco ISE CLI with the generated private key using this command:

ssh -i <path to private key> <username>@<ise-ip>

You can now log in to the Cisco ISE CLI using your private key.

First login password change

After successfully installing Cisco ISE using ZTP, you are prompted to reset the password the first time you log in to the Cisco ISE GUI. The password must be changed because it is specified in plain text in the ZTP configuration image file. By default, this feature is enabled when you install Cisco ISE using ZTP.


Automatic installation in virtual machine

These subsections provide information about automatic installation in the VM.

These settings are applicable for all on-prem hypervisors.

  • VMware

  • Linux KVM

  • Microsoft Hyper-V

  • Nutanix AHV


Automatic installation in virtual machine using the Zero Touch Provisioning configuration image file

Procedure

1.

Log in to the VMware client.

Note

If you already have an existing VM setup, proceed to step 2 and then continue to step 4.

For a new VM setup, proceed directly to step 6.

2.

To enter BIOS setup mode, right-click the VM and select Edit Settings.

3.

Click the Options tab and choose Boot Options.

4.

In the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots, and click OK.

Note

You must change the firmware from BIOS to EFI in the VM boot mode settings. This allows you to boot GPT partitions with 2 TB or greater capacity.

5.

Ensure that the time zone and the correct boot order are set in BIOS or EFI.

  1. If the VM is turned on, turn the system off.

  2. Turn on the VM.

    The system enters the BIOS setup mode.

  3. In the main BIOS menu, use the arrow keys to go to the Date and Time field and press Enter.

  4. Enter the time zone.

    This time zone setting ensures your reports, logs, and posture-agent log files from all nodes stay synchronized by timestamp.

  5. Using the arrow keys, navigate to the boot menu and press Enter.

  6. Using the arrow keys, select the CD-ROM drive and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes. (Press the Enter or Return key to select your choice).

  8. Choose Yes to save the changes and exit.

6.

Insert the Cisco ISE software DVD into the primary CD or DVD drive of the VMware ESXi host.

7.

Insert the ZTP configuration image file into the secondary CD or DVD drive.

8.

Power on the VM.

When the DVD starts, the console displays this message:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Note

From Cisco ISE release 3.1 onwards, pressing Enter without choosing a boot option triggers ZTP instead of starting installation from the hard disk.

9.

After 150 seconds, the boot process automatically starts if your system meets the prerequisites.

Note
  • Monitor installation logs through the serial console while ZTP is running. After the setup prompt appears, monitor logs from the VM console.

  • After Cisco ISE services start, manually unmount the ZTP configuration image file from the CD or DVD drive.

To use ZTP from the setup prompt (ZTP is carried out using the keyboard until the setup prompt appears), perform this procedure:

1. Install Cisco ISE manually up to the setup prompt (using boot option 1 or 2) and create the ZTP configuration image file as described in Create a Zero Touch Provisioning configuration image file.

2. Power off the VM and map the ZTP configuration image file to the CD or DVD drive.

3. Power on the VM.

The installation process uses the setup details from the ZTP configuration file you mapped to the CD or DVD drive.

Troubleshooting

Issue: If the automatic installation in the VM is triggered without mapping the .img file, after 150 seconds, the installation fails with this error.


***** The ZTP configuration image is missing or improper. Automatic installation flow
 exited.
***** Power off and attach the proper ZTP configuration image or choose manual boot to
 proceed.

Solution: This error message appears only on the serial console and not on the VM console. If this occurs in an existing VM where Cisco ISE is already installed, the hard disk is not formatted in this state.

1. Turn off the VM.

2. Turn on the VM.

3. Within 150 seconds, press option 5 to boot from the hard disk and load the existing VM.

Issue: If the setup details are invalid in the configuration file, ZTP installation is stopped and this message appears on the VM console:
==============================================================================

Cisco ISE Installation Failed

==============================================================================

Error: Sync with NTP server failed.

Check the setup details in your configuration image and reboot Cisco ISE

with proper ZTP configuration.

==============================================================================

Solution:

1. Create a new configuration .img file with valid details.

2. Power off the VM.

3. Map the new valid image to the CD or DVD drive.

4. Power on the VM.

Installation starts at the setup prompt.


Automatic installation in virtual machine using VM user data

Procedure

1.

Log in to the VMware client.

Note

If you already have an existing VM setup, proceed to step 2 and then continue to step 4.

For a new VM setup, proceed directly to step 6.

2.

For the VM to enter the BIOS setup mode, right-click the VM and select Edit Settings.

3.

Click the Options tab and choose Boot Options.

4.

In the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots. Then click OK.

Note

You must change the firmware from BIOS to EFI in the boot mode of VM settings to boot GPT partitions with 2 TB or greater capacity.

5.

Ensure that the time zone and the correct boot order are set in BIOS/EFI.

  1. If the VM is turned on, turn the system off.

  2. Turn on the VM.

    The system enters the BIOS setup mode.

  3. In the main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.

  4. Enter the time zone.

    This time zone setting ensures that the reports, logs, and posture-agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.

  5. Using the arrow keys, navigate to the boot menu and press Enter.

  6. Using the arrow keys, select the CD-ROM drive and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes (Press the Enter or Return key to select your choice).

  8. Choose Yes to save the changes and exit.

6.

Insert the Cisco ISE software DVD into the VMware ESXi host's primary CD/DVD drive.

7.

Configure the VM user data options.

Note

If both the .img file and the VM user data option are configured in the VM, the user data option takes precedence.

8.

Turn on the VM.

When the DVD boots, the console displays this message:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Note

From Cisco ISE 3.1 onwards, pressing Enter without entering a boot option does not trigger the installation using the hard disk option. Instead it triggers ZTP.

9.

After 150 seconds, the bootup process automatically starts if the prerequisites are met.

Note
  • ZTP installation logs can be monitored only through the serial console. After the setup prompt is displayed, you can monitor logs from the VM console.

  • After the Cisco ISE services are started, you must manually unmount the ZTP configuration image file from the CD/DVD.

To use ZTP from the setup prompt (ZTP is carried out using the keyboard until the setup prompt appears), perform this procedure:

1. Power off the VM.

2. Configure the VM user data option described above.

3. Power on the VM.

The setup details are taken from the VM user data option.

Troubleshooting

Issue: If invalid setup details are entered in the user data option, the ZTP installation stops and this message is displayed on the VM console:
==============================================================================

Cisco ISE Installation Failed

==============================================================================

Error: Sync with NTP server failed.

Check the setup details in your configuration image and reboot Cisco ISE

with proper ZTP configuration.

==============================================================================

Solution:

1. Power off the VM.

2. Update user data details with valid data.

3. Power on the VM.

Installation starts at the setup prompt.


Automatic installation in appliance

These subsections provide information about automatic installation in an appliance.


Automatic installation in appliance using the Zero Touch Provisioning configuration image file

Procedure

1.

Log in to the SNS Appliance.

2.

Shut down the host system.

3.

Choose Compute > Remote Management > Virtual media.

4.

Map the Cisco ISE software ISO and the ZTP configuration image file to the primary CD or DVD drive and the secondary CD or DVD drive.

5.

Start the host system.

When the appliance boots, the console displays this message:


Please select boot device:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Cisco ISE Installation Through ZTP Configuration (Serial Console)

6.

If the prerequisites are met, the process starts automatically after 2 minutes and 30 seconds.

Note
  • ZTP works on the SNS appliance through virtual media only.

  • Before mapping the ISO file, ensure the .img file is mapped in virtual media.

    Installation logs can be monitored through the serial console because ZTP operates through this interface. Once the setup prompt appears, logs can also be monitored through the KVM console.

  • Only the .img file supports automatic installation in the appliance.

To use ZTP from the setup prompt (ZTP uses the keyboard until the setup prompt appears), complete these steps:

7.

Install Cisco ISE manually up to the setup step (using boot option 1 or 2). Create the ZTP configuration image file using the steps described in the previous section.

8.

Shut down the host system and map the ZTP configuration image file that is created, to the CD or DVD drive.

9.

Start the host system.

The system retrieves setup details from the ZTP configuration file mapped to the CD or DVD drive.

Troubleshooting

Issue: If the automatic installation is triggered without mapping the image file, the installation fails after 150 seconds and displays this message:


***** The ZTP configuration image is missing or improper. Automatic installation flow
 exited.
***** Power off and attach the proper ZTP configuration image or choose manual boot to
 proceed.

Solution:

1. Turn off the VM.

2. Turn on the VM.

3. Within 150 seconds, press option 5 to boot from the hard disk and load the existing VM.

Issue: If the setup details are invalid in the configuration file, ZTP installation stops, and a message appears on the Keyboard, video, and mouse (KVM) console:
==============================================================================

Cisco ISE Installation Failed

==============================================================================

Error: Sync with NTP server failed.

Check the setup details in your configuration image and reboot Cisco ISE

with proper ZTP configuration.

==============================================================================

Solution:

1. Create a new configuration .img file with valid details.

2. Power off the VM.

3. Map the new valid image to the CD or DVD drive.

4. Power on the VM.

The installation starts at the setup prompt.


Trigger automatic installation using UCS XML APIs

To trigger automatic installation:

Note

The API URL and the request header are identical for every method.

API URL

https://<ucs_server_ip>/nuova

Header

headers["Accept"] = "application/xml"
headers["Content-Type"] = "application/xml"

Procedure

1.

Obtain the login session cookie to authenticate the session.

The aaaLogin method initiates the login process and is required to begin a session. This method establishes the HTTP or HTTPS session between the client and Cisco IMC. The session cookie is then used in subsequent requests to maintain authentication.

Request

<aaaLogin inName='admin' inPassword='password'/>

Response

<aaaLogin cookie="" response="yes" outCookie="<real_cookie>" outRefreshPeriod="600" outPriv="admin" outSessionId="17" outVersion="3.0(0.149)"> </aaaLogin>

2.

Configure the Cisco ISE ISO file as virtual media.

This step configures a Cisco ISE ISO file as a virtual media volume.

Request

<configConfMo cookie='<real_cookie>' dn='sys/svc-ext/vmedia-svc/vmmap-ISE_ISO' inHierarchical='false'>
<inConfig>
<commVMediaMap dn='sys/svc-ext/vmedia-svc/vmmap-ISE_ISO'
 map='nfs'
 remoteFile='<ise_iso_file>'
 remoteShare='<nfs_server_path>'
 status='created' volumeName='ISE_ISO' />
</inConfig>
</configConfMo>

Response

<configConfMo dn="sys/svc-ext/vmedia-svc/vmmap-ISE_ISO"
 cookie="<real_cookie>" response="yes">
<outConfig>
 <commVMediaMap volumeName="ISE_ISO" map="nfs"
  remoteShare="<nfs_server_path>"
  remoteFile="<ise_iso_file>"
  mappingStatus="In Progress"
  dn="sys/svc-ext/vmedia-svc/vmmap-ISE_ISO" status="created"/>
</outConfig>
</configConfMo>

3.

Configure the configuration image file as a virtual media volume.

This step configures a configuration image as a vMedia volume.

Request

<configConfMo cookie='<real_cookie>'
dn='sys/svc-ext/vmedia-svc/vmmap-CONFIG-IMG' inHierarchical='false'>
<inConfig>
<commVMediaMap dn='sys/svc-ext/vmedia-svc/vmmap-CONFIG-IMG'
  map='nfs'
  remoteFile='<config_img_file>'
  remoteShare='<nfs_server_path>'
  status='created' volumeName='CONFIG-IMG' />
</inConfig>
</configConfMo>

Response

<configConfMo dn="sys/svc-ext/vmedia-svc/vmmap-CONFIG-IMG"
 cookie="<real_cookie>" response="yes">
<outConfig>
 <commVMediaMap volumeName="CONFIG-IMG" map="nfs"
  remoteShare="<nfs_server_path>"
  remoteFile="<config_img_file>"
  mappingStatus="In Progress"
  dn="sys/svc-ext/vmedia-svc/vmmap-CONFIG-IMG" status="created"/>
</outConfig>
</configConfMo>

4.

Set the CD-ROM as the first device in the boot order.

This step sets the boot order so that the mapped Cisco ISE ISO is selected for installation at the power restart.

Request

<configConfMo cookie="<real_cookie>"
inHierarchical="true" dn="sys/rack-unit-1/boot-policy">
  <inConfig>
    <lsbootDef dn="sys/rack-unit-1/boot-policy" rebootOnUpdate="yes">
      <lsbootVirtualMedia access="read-only" order="1" dn="sys/rack-unit-1/boot-policy/vm-read-only"/>
    </lsbootDef>
  </inConfig>
</configConfMo>

Response

<configConfMo dn="sys/rack-unit-1/boot-policy" cookie="<real_cookie>" response="yes">
<outConfig>
  <lsbootDef dn="sys/rack-unit-1/boot-policy" name="boot-policy" purpose="operational" rebootOnUpdate="no" status="modified" >
  </lsbootDef>
</outConfig>
</configConfMo>

5.

Enable Serial over LAN (SoL).

This step enables SoL, allowing users to view installation logs through Telnet.

Request

<configConfMo cookie='<real_cookie>'
dn='sys/rack-unit-1/sol-if'>
<inConfig>
  <solIf dn='sys/rack-unit-1/sol-if' adminState='enable'/>
</inConfig>
</configConfMo>

Response

<configConfMo dn="sys/rack-unit-1/sol-if" cookie="<real_cookie>" response="yes">
<outConfig>
<solIf dn="sys/rack-unit-1/sol-if" adminState="enable" name="SoLInterface" speed="115200" comport="com0" sshPort="2400" status="modified" ></solIf></outConfig>
</configConfMo>

6.

Power restart.

This action triggers automatic mode installation of Cisco ISE.

Request

<configConfMo cookie='<real_cookie>' dn='sys/rack-unit-1'>
<inConfig><computeRackUnit
dn='sys/rack-unit-1' 
adminPower='cycle-immediate'/>
</inConfig>
</configConfMo>

Response

<configConfMo dn="sys/rack-unit-1" cookie="<real_cookie>" response="yes">
<outConfig>
   <computeRackUnit dn="sys/rack-unit-1" adminPower="policy" availableMemory="262144" model="SNS-3695-K9" memorySpeed="2400" name="SNS-3695-K9" numOfAdaptors="0" numOfCores="12" numOfCoresEnabled="12" numOfCpus="1" numOfEthHostIfs="0" numOfFcHostIfs="0" numOfThreads="24" operPower="on" originalUuid="1935836B-B968-4031-8A98-7984F1D35449" presence="equipped" serverId="1" serial="WZP2228085W" totalMemory="262144" usrLbl="" uuid="1935836B-B968-4031-8A98-7984F1D35449" vendor="Cisco Systems Inc" cimcResetReason="graceful-reboot" assetTag="Unknown" adaptorSecureUpdate="Enabled" resetComponents="components" storageResetStatus="NA" vicResetStatus="NA" bmcResetStatus="NA" smartUsbAccess="disabled" smartUsbStatus="Disabled" biosPostState="completed" status="modified" >
  </computeRackUnit>
</outConfig>
</configConfMo>

7.

Log out to end the session.

Request

<aaaLogout
    cookie="<real_cookie>"
    inCookie="<real_cookie>">
</aaaLogout>

Response

<aaaLogout cookie="" response="yes" outStatus="success"> </aaaLogout>

For more information, refer to UCS API methods.
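The seven-step exchange above, as an added example that is not part of this guide or of Cisco's IMC SDK: requests are built with ElementTree so attribute quoting is always valid XML, every reply is checked for an errorCode before it is used, and the whole sequence runs through an injected sender so it can be exercised offline with the constructed replies. The function names, the SAMPLE_* replies and the cookie value are assumptions; post() is the only networked piece and keeps TLS certificate verification on.

```python
"""Added example (not Cisco's SDK or code from this guide): build, send and parse the
Cisco IMC XML API messages of the UCS procedure above. All names here are assumptions."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

HEADERS = {"Accept": "application/xml", "Content-Type": "application/xml"}
RACK = "sys/rack-unit-1"
VMEDIA = "sys/svc-ext/vmedia-svc/vmmap-"

class ImcApiError(RuntimeError):
    """IMC answered with errorCode/errorDescr instead of a result."""

def _config_conf_mo(cookie, dn, mo, hierarchical="false"):
    """Wrap one managed object in the configConfMo envelope; ET escapes attribute values."""
    root = ET.Element("configConfMo",
                      {"cookie": cookie, "dn": dn, "inHierarchical": hierarchical})
    ET.SubElement(root, "inConfig").append(mo)
    return ET.tostring(root, encoding="unicode")

def build_login_request(user, password):
    el = ET.Element("aaaLogin", {"inName": user, "inPassword": password})
    return ET.tostring(el, encoding="unicode")

def build_vmedia_map_request(cookie, volume, nfs_share, remote_file):
    """Map an NFS-hosted file (ISE ISO or ZTP .img) as a vMedia volume."""
    mo = ET.Element("commVMediaMap", {
        "dn": VMEDIA + volume, "map": "nfs", "remoteFile": remote_file,
        "remoteShare": nfs_share, "status": "created", "volumeName": volume})
    return _config_conf_mo(cookie, VMEDIA + volume, mo)

def build_boot_cdrom_first_request(cookie):
    """Put virtual media first in the boot order; rebootOnUpdate applies it."""
    dn = RACK + "/boot-policy"
    mo = ET.Element("lsbootDef", {"dn": dn, "rebootOnUpdate": "yes"})
    ET.SubElement(mo, "lsbootVirtualMedia", {"access": "read-only", "order": "1",
                                             "dn": dn + "/vm-read-only"})
    return _config_conf_mo(cookie, dn, mo, "true")

def build_sol_enable_request(cookie):
    dn = RACK + "/sol-if"
    return _config_conf_mo(cookie, dn, ET.Element("solIf", {"dn": dn, "adminState": "enable"}))

def build_power_cycle_request(cookie):
    mo = ET.Element("computeRackUnit", {"dn": RACK, "adminPower": "cycle-immediate"})
    return _config_conf_mo(cookie, RACK, mo)

def build_logout_request(cookie):
    el = ET.Element("aaaLogout", {"cookie": cookie, "inCookie": cookie})
    return ET.tostring(el, encoding="unicode")

def parse_response(xml_text):
    """Parse a reply; an errorCode attribute or an <error> root is a failure."""
    root = ET.fromstring(xml_text)
    if root.tag == "error" or root.get("errorCode") is not None:
        raise ImcApiError(f"{root.get('errorCode')}: {root.get('errorDescr')}")
    return root

def post(host, body, cafile=None):
    """Network sender: HTTPS POST to /nuova with certificate verification kept on."""
    req = urllib.request.Request(f"https://{host}/nuova", data=body.encode(),
                                 headers=HEADERS, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()

def provision(send, user, password, nfs_share, iso_file, img_file):
    """Run the full sequence through send(body) -> reply text; returns the vMedia mapping
    statuses. The cookie is a bearer credential: never printed, and aaaLogout always runs."""
    cookie = parse_response(send(build_login_request(user, password))).get("outCookie")
    statuses = []
    try:
        for volume, name in (("ISE_ISO", iso_file), ("CONFIG-IMG", img_file)):
            reply = parse_response(send(build_vmedia_map_request(cookie, volume, nfs_share, name)))
            statuses.append(reply.find("outConfig/commVMediaMap").get("mappingStatus"))
        for build in (build_boot_cdrom_first_request, build_sol_enable_request,
                      build_power_cycle_request):
            parse_response(send(build(cookie)))
    finally:
        send(build_logout_request(cookie))
    return statuses

# Constructed sample replies: shape taken from the guide, values invented.
SAMPLE_LOGIN_REPLY = ('<aaaLogin cookie="" response="yes" outCookie="1700000000/0123-example" '
                      'outRefreshPeriod="600" outPriv="admin" outSessionId="17"> </aaaLogin>')
SAMPLE_VMEDIA_REPLY = ('<configConfMo dn="' + VMEDIA + 'ISE_ISO" cookie="c" response="yes"><outConfig>'
                       '<commVMediaMap volumeName="ISE_ISO" map="nfs" mappingStatus="In Progress" '
                       'dn="' + VMEDIA + 'ISE_ISO" status="created"/></outConfig></configConfMo>')
SAMPLE_OK_REPLY = '<configConfMo dn="x" cookie="c" response="yes"><outConfig/></configConfMo>'
SAMPLE_ERROR_REPLY = '<aaaLogin cookie="" response="yes" errorCode="551" errorDescr="Authentication failed"/>'

def fake_send(body):
    """Offline stand-in for post() that answers by request type."""
    if ET.fromstring(body).tag == "aaaLogin":
        return SAMPLE_LOGIN_REPLY
    return SAMPLE_VMEDIA_REPLY if "commVMediaMap" in body else SAMPLE_OK_REPLY
```

Against a real appliance, pass a sender such as `lambda body: post("<ucs_server_ip>", body)` to provision() and read the password from the environment rather than a script argument.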


OVA automatic installation

Use these sections to automatically install the OVA.


Automatic OVA installation using the Zero Touch Provisioning configuration image file

Procedure

1.

Log in to the VMware client.

Note

If you already have an existing virtual machine setup, complete steps 2, 3, and 4.

For a new virtual machine setup, proceed to step 6.

2.

To enter BIOS setup mode, right-click the virtual machine and select Edit Settings.

3.

Click the Options tab and choose Boot Options.

4.

In the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots. Then click OK to apply the changes.

Note

Change the firmware from BIOS to EFI in the VM's boot mode. This enables GPT partitions of 2 TB or greater.

5.

Ensure that the Coordinated Universal Time (UTC) is set and the boot order is correct in BIOS.

  1. If the virtual machine is turned on, turn the system off.

  2. Turn on the VM.

    The system enters the BIOS setup mode.

  3. In the main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.

  4. Enter the UTC or Greenwich Mean Time (GMT) time zone.

    This time zone setting keeps reports, logs, and posture-agent log files from all nodes in your deployment synchronized for timestamps.

  5. Use the arrow keys to open the boot menu and press Enter.

  6. Using the arrow keys, select the CD-ROM drive and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes (Press the Enter or Return key to select your choice).

  8. Choose Yes to save the changes and exit.

6.

Import the Cisco ISE OVA file into your VMware ESXi host.

7.

Insert the ZTP configuration image file into the primary CD drive or DVD drive of your VMware ESXi host.

8.

Turn on your virtual machine.

When the DVD boots, the console displays a message:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Note

If you press Enter without selecting a boot option in Cisco ISE release 3.1 or later, the system initiates ZTP instead of installing using the hard disk option.

9.

After 150 seconds, the bootup process automatically starts if the prerequisites are met.

Note
  • Monitor the installation logs using the serial console during ZTP. After the setup prompt appears, view the logs in your virtual machine console.

  • After the Cisco ISE services start, manually unmount the ZTP configuration image file from the CD or DVD.

To use ZTP from the setup prompt (ZTP is carried out using the keyboard until the setup prompt appears), follow this procedure:

  1. Install Cisco ISE manually up to the setup prompt using boot option 1 or 2, then create the ZTP configuration image file as described in Create a Zero Touch Provisioning configuration image file.

  2. Power off the virtual machine.

  3. Map the ZTP configuration image file to the CD or DVD drive.

  4. Power on the virtual machine.

    The system uses the setup details from the ZTP configuration file that is mapped to the CD or DVD drive.

Troubleshooting

Issue: If the setup details are invalid in the configuration file, ZTP installation stops and this message is displayed on the VM console:

==============================================================================

Cisco ISE Installation Failed

==============================================================================

Error: Sync with NTP server failed.

Check the setup details in your configuration image and reboot Cisco ISE

with proper ZTP configuration.

==============================================================================

Solution: This can be resolved by performing these steps:

  1. Create a new configuration .img file with valid details.

  2. Power off the VM.

  3. Map the new valid image to the CD or DVD drive.

  4. Power on the VM.


OVA automatic installation using the VM user data

Procedure

1.

Log in to the VMware client.

Note

If you already have an existing virtual machine setup, complete steps 2, 3, and 4.

For a new virtual machine setup, proceed to step 6.

2.

Right-click the VM and select Edit Settings to enter the BIOS setup mode.

3.

Click the Options tab and choose Boot Options.

4.

In the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots. Then click OK to apply the changes.

Note

Change the firmware from BIOS to EFI in the VM's boot mode settings. This change allows you to boot GPT partitions larger than 2 TB.

5.

Ensure that the Coordinated Universal Time (UTC) and the correct boot order are set in BIOS:

  1. If the VM is turned on, turn the system off.

  2. Turn on the VM.

    You see the BIOS setup mode.

  3. In the main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.

  4. Enter the Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) zone.

    With this time zone setting, the reports, logs, and posture-agent log files from the nodes in your deployment always have synchronized timestamps.

  5. Using the arrow keys, navigate to the boot menu and press Enter.

  6. Select the compact disc read-only memory (CD-ROM) drive using the arrow keys and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes (Press the Enter or Return key to select your choice).

  8. Choose Yes to save the changes and exit.

6.

Import the Cisco ISE OVA file into the VMware ESXi.

7.

Configure the VM user data options.

Note

The VM uses the user data option if both the image file and the VM user data options are configured.

8.

Turn on the VM.

When the DVD boots, the console displays this message:


Automatic installation starts in 150 seconds.
Available boot options:
[1] Cisco ISE Installation (Keyboard/Monitor)
[2] Cisco ISE Installation (Serial Console)
[3] System Utilities (Keyboard/Monitor)
[4] System Utilities (Serial Console)
[5] Hard Disk
Enter boot option and press <Enter>.
boot: 

Note

From Cisco ISE release 3.1 onwards, pressing Enter without entering a boot option does not trigger the installation using the hard disk option. Instead, it triggers ZTP.

9.

If the prerequisites are met, the bootup process starts automatically after 150 seconds.

Note
  • To monitor installation logs, use the serial console. ZTP interacts only through the serial console. Monitoring from the VM console is possible after the setup prompt is displayed.

  • After Cisco ISE services have started, manually unmount the ZTP configuration image file from the CD or DVD.

To use ZTP from the setup prompt, perform this procedure. ZTP is carried out using the keyboard until the setup prompt appears.

  1. Power off the VM.

  2. Configure the VM user data option described above.

  3. Power on the VM.

    The setup details are taken from the VM user data option.

Troubleshooting

Issue: If invalid setup details are entered in the user data option, the ZTP installation stops and this message is displayed on the VM console:
==============================================================================

Cisco ISE Installation Failed

==============================================================================

Error: Sync with NTP server failed.

Check the setup details in your configuration image and reboot Cisco ISE

with proper ZTP configuration.

==============================================================================

Solution: To resolve this issue, complete these steps.

  1. Power off the VM.

  2. Update user data details with valid data.

  3. Power on the VM.

Installation starts at the setup prompt.


Create a Zero Touch Provisioning configuration image file

Create the ZTP configuration image file using the ./create_ztp_image.sh ise-ztp.conf ise-ztp.img command. The script can be executed on Red Hat Enterprise Linux (RHEL), CentOS, or Ubuntu.

To skip the ICMP, DNS, and NTP checks, set the flags to true in the configuration image file:

  • ICMP: SkipIcmpChecks=true

  • DNS: SkipDnsChecks=true

  • NTP: SkipNtpChecks=true

Note

The default value for each flag is false. If the flags are not explicitly mentioned in the configuration file, the ZTP installation performs these checks by default.

create_ztp_image.sh script creation

#!/bin/bash
###########################################################
# This script is used to generate ise ztp image with ztp
# configuration file.
#
# Need to pass ztp configuration file as input.
#
# Copyright (c) 2021 by Cisco Systems, Inc.
# All rights reserved.
# Note:
# To mount the image use below command
# mount ise_ztp_config.img /ztp
# To mount the image from cdrom
# mount -o ro /dev/sr1 /ztp
#############################################################
# Usage: ./create_ztp_image.sh <ise-ztp.conf> [out-ztp.img]
# Run as root: mkfs and the loop mount need it.
if [ -z "$1" ]; then
    echo "Usage: $0 <ise-ztp.conf> [out-ztp.img]"
    exit 1
elif [ ! -f "$1" ]; then
    echo "file $1 does not exist"
    exit 1
else
    conf_file=$1
fi
if [ -z "$2" ]; then
    image=ise_config.img
else
    image=$2
fi
mountpath=/tmp/ise_ztp
ztplabel=ISE-ZTP
rm -fr "$mountpath"
mkdir -p "$mountpath"
# Create a blank 1440 KiB image, then format it as ext4 with the ISE-ZTP label
if ! dd if=/dev/zero of="$image" bs=1k count=1440 > /dev/null 2>&1; then
    echo "Image creation failed"
    exit 1
fi
mkfs.ext4 "$image" -L "$ztplabel" -F > /dev/null 2>&1
mount -o rw,loop "$image" "$mountpath" || { echo "mount of $image failed"; exit 1; }
# The configuration is copied into the image root under the fixed name ise-ztp.conf
cp "$conf_file" "$mountpath/ise-ztp.conf"
sync
umount "$mountpath"
sleep 1
# Check for automount and unmount
automountpath=$(mount | grep "$ztplabel" | awk '{print $3}')
if [ -n "$automountpath" ]; then
    umount "$automountpath"
fi
echo "Image created $image"

VM user data

You can use VM user data with Cisco ISE installation on ESXi version 6.5 and later.

Encode the contents of the ise-ztp.conf file with a Base64 encoding tool to obtain the encoded string.

Enter the encoded Base64 string as VM user data. In VMware ESXi, go to VM Options > Advanced > Configuration Parameters > Edit Configuration and add the parameter guestinfo.ise.ztp with the Base64-encoded ZTP configuration string as its value.

Note

When configuring ZTP to deploy a patch or hot patch, you must use http (lowercase) instead of HTTP. Otherwise, the patch files cannot be downloaded from the repository.
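An added example (not from this guide or from Cisco) for the VM user data step and the lowercase-http note above: it parses a constructed, incomplete ise-ztp.conf that uses only the Skip*Checks flags shown on this page, reports values the notes above say would break a ZTP run (a flag that is neither true nor false, an uppercase HTTP scheme), and produces the single-line Base64 value for guestinfo.ise.ztp. The function names and the example_repo_url key are assumptions.

```python
"""Added example, not from the guide: sanity-check an ise-ztp.conf and turn it into
the single-line Base64 value that guestinfo.ise.ztp expects. All names are assumed;
the sample conf is constructed and incomplete (only keys this guide shows)."""
import base64
import re

FLAGS = ("SkipIcmpChecks", "SkipDnsChecks", "SkipNtpChecks")

# Constructed fragment: the three flags from the guide plus one hypothetical key
# whose value carries the uppercase scheme the patch note warns against.
SAMPLE_CONF = """\
# constructed ise-ztp.conf fragment; hostname, IP, credentials etc. omitted
SkipIcmpChecks=false
SkipDnsChecks=true
SkipNtpChecks=maybe
example_repo_url=HTTP://repo.example.internal/patches
"""


def parse_conf(text):
    """Parse key=value lines; blank lines and # comments are ignored."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if "=" not in s:
            raise ValueError(f"line {n}: expected key=value, got {s!r}")
        key, value = s.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def check_ztp_conf(text):
    """Return problems that would make the ZTP run fail or skip a check by accident."""
    problems = []
    entries = parse_conf(text)
    for flag in FLAGS:
        value = entries.get(flag, "false")  # absent flag defaults to false (checks run)
        if value not in ("true", "false"):
            problems.append(f"{flag} must be true or false, got {value!r}")
    for key, value in entries.items():
        if re.match(r"HTTPS?://", value):  # guide: use lowercase http for repositories
            problems.append(f"{key}: use a lowercase http scheme in {value!r}")
    return problems


def effective_checks(text):
    """Which of the ICMP, DNS and NTP checks ZTP will still run for this conf."""
    entries = parse_conf(text)
    return {name: entries.get(flag, "false") != "true"
            for name, flag in zip(("ICMP", "DNS", "NTP"), FLAGS)}


def encode_for_guestinfo(text):
    """Single-line Base64 (like base64 -w0) for the guestinfo.ise.ztp value.
    Base64 is encoding, not encryption: the plaintext password inside the conf is
    readable by anyone who can view the VM's configuration parameters."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_guestinfo(value):
    """Reverse of encode_for_guestinfo; rejects values with stray characters."""
    return base64.b64decode(value, validate=True).decode("utf-8")
```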