Cisco ISE on Amazon Web Services

Overview of Cisco ISE on Amazon Web Services

Extend the Cisco ISE policies in your home network to new remote deployments securely through Amazon Web Services (AWS).

You can configure and launch Cisco ISE in AWS through AWS CloudFormation Templates (CFTs) or Amazon Machine Images (AMIs). To launch Cisco ISE on AWS, follow one of these procedures:

Overview of CFTs

CFTs are AWS solutions that allow you to easily create and manage cloud deployments. Extend your network into the cloud by creating a virtual private cloud in AWS and configure a virtual private gateway to enable communication with your organization's network over an IPsec tunnel.

Example of a deployment connected to AWS cloud

This illustration is only an example. You can place common services such as Certificate Authority (CA), Active Directory (AD), Domain Name System (DNS) servers, and Lightweight Directory Access Protocol (LDAP) on premises or in AWS, based on the requirements of your organization.

Figure 1. Example of a deployment connected to AWS cloud

References

For more information on using CFTs in AWS, refer to AWS CloudFormation User Guide.

Cisco ISE instances and intended usage

This table contains details of the Cisco ISE instances that are currently available. You must purchase a Cisco ISE VM license to use any of these instances. For information on EC2 instance pricing for your specific requirements, refer to Amazon EC2 On-Demand Pricing.

Table 1. Cisco ISE instances

Cisco ISE instance type

CPU cores

RAM (in GB)

t3.xlarge

This instance supports the Cisco ISE evaluation use case. 100 concurrent active endpoints are supported.

Note

 

From Cisco ISE release 3.5, t3.xlarge instance type is not supported.

4

16

m5.2xlarge

8

32

c5.4xlarge

16

32

m5.4xlarge

Note

 

From Cisco ISE release 3.3, m5.4xlarge instance type is not supported.

16

64

c5.9xlarge

36

72

m5.8xlarge

32

128

m5.16xlarge

64

256

c7i.4xlarge*

16

32

m7i.2xlarge*

8

32

m7i.8xlarge*

32

128

m7i.16xlarge*

64

256

*Cisco ISE releases 3.4 patch 4, 3.5, and later support M7i and C7i instance types on AWS.

You can leverage the AWS S3 storage service to easily store backup and restore files, monitoring and troubleshooting reports, and more.

This table categorizes some of the instance types and their intended usage.

Table 2. Instance types and their intended usage

Instance category

Instance type example

Intended use

Compute-optimized instances

c5.4xlarge

c5.9xlarge

c7i.4xlarge

  • Compute-intensive tasks or applications

  • Policy Service Node (PSN) use

General purpose instances

m5.4xlarge (This instance is available only in Cisco ISE release 3.2 and earlier releases.)

m5.8xlarge

m5.16xlarge

m7i.8xlarge

m7i.16xlarge

  • Data processing tasks and database operations

  • Policy Administration Node (PAN) or Monitoring and Troubleshooting (MnT) nodes, or both

Attention

  • If you use a general purpose instance as a PSN, the performance numbers are lower than the performance of a compute-optimized instance as a PSN.

  • m5.2xlarge and m7i.2xlarge instances must be used as Extra Small PSN only.

References

For information on the scale and performance data for AWS instances, refer to Cisco ISE Performance and Scale guide.

Intended use of specific instance types

The following table categorizes some examples of instance types and their intended usage.

Table 3. Instance types and their intended usage

Instance category

Instance type example

Intended use

Compute-optimized instances

c5.4xlarge

c5.9xlarge

  • Compute-intensive tasks or applications

  • Policy Service Node (PSN) use

General purpose instances

m5.4xlarge

m5.8xlarge

m5.16xlarge

  • Data processing tasks and database operations

  • Policy Administration Node (PAN) or Monitoring and Troubleshooting (MnT) nodes, or both

Attention

  • If you use a general purpose instance as a PSN, the performance numbers are lower than the performance of a compute-optimized instance as a PSN.

  • The m5.2xlarge instance must be used as an extra small PSN only.

References

Refer to the Cisco ISE Performance and Scale guide for information on the scale and performance data for AWS instances.

Multi-node Cisco ISE deployments on AWS

In addition to the procedures explained earlier, you can also use these Cisco-developed solutions to install and automatically create multi-node Cisco ISE deployments on AWS.

Prerequisites to create a Cisco ISE AWS instance

These are the prerequisites to create a Cisco ISE AWS instance.

Familiarity with AWS cloud concepts

You must be familiar with

  • managing AWS service quotas, and

  • AWS solutions such as Amazon Elastic Compute Cloud (EC2) instances, Amazon Elastic Block Store (EBS) volumes, and concepts such as Regions, Availability Zones, Security Groups, Virtual Private Cloud (VPC), and so on.

References

Refer to AWS documentation for information on AWS solutions.

Configuration prerequisites

You must

  • configure VPC in AWS

  • create encrypted EBS volumes, and

  • create security groups, subnets, and key pairs in AWS before you configure a Cisco ISE instance.

    To successfully deploy Cisco ISE on AWS, your AWS Identity and Access Management (IAM) policy must allow access to Key Management Service (KMS) resources. When configuring a security group for Cisco ISE, you must create rules for all the ports and protocols for the Cisco ISE services you want to use. From Cisco ISE release 3.5, to deploy Cisco ISE AWS instances on an IPv6 single-stack network, you must have a subnet configured for IPv6 within your AWS Virtual Private Cloud (VPC).

IP address prerequisites

These are the IP address prerequisites.

  • To configure an IPv6 address for the network interface, the subnet must have an IPv6 Classless Inter-Domain Routing (CIDR) pool that is enabled in AWS.

  • The IP address that you enter in the Management Network field in the Cisco ISE CloudFormation template must not be an IP address that exists as a network interface object in AWS.

  • You can configure a static IP as a private IP in your deployment. However, the static IP must be configured with a DNS-resolvable hostname.

Known limitations of using Cisco ISE on AWS

These are the known limitations with using Cisco ISE in AWS.

Support limitations

  • The Amazon VPC supports only Layer 3 features. Cisco ISE nodes on AWS instances do not support Cisco ISE functions that depend on Layer 1 and Layer 2 capabilities. For example, working with DHCP SPAN profiler probes and CDP protocols that use the Cisco ISE CLI is currently not supported.

    The communication from on-prem devices to the VPC must be secure.

  • NIC bonding is not supported.

  • Dual NIC is supported with only two NICs—Gigabit Ethernet 0 and Gigabit Ethernet 1. To configure a secondary NIC in your Cisco ISE instance, you must

    1. Create a network interface object in AWS.

    2. Power off your Cisco ISE instance.

    3. Attach this network interface object to Cisco ISE.

    4. Install and launch Cisco ISE on AWS.

    5. Use the Cisco ISE CLI to manually configure the IP address of the network interface object as the secondary NIC.

  • Amazon EC2 user data scripts are not supported.

Configuration limitations

You cannot

  • take an Amazon EBS snapshot of a Cisco ISE instance and then create another EBS volume with the snapshot

  • configure an IPv6-based NTP server when launching Cisco ISE through AWS. From Cisco ISE release 3.5, IPv6-based NTP servers are supported for both dual-stack and pure IPv6 instances.

  • change the IP address of an instance after it has been created successfully, and

  • generate the initial administrator user account name. An initial administrator user account name, iseadmin, is generated by default. This user account name is used for both SSH and GUI access to Cisco ISE after the installation process is complete.

Cisco ISE sends traffic to AWS Cloud through IP address 169.254.169.254 to obtain the instance details. This is to check if it is a cloud instance and can be ignored in on-prem deployments.

CLI limitations

These are the CLI limitations.

  • SSH access to Cisco ISE CLI using password-based authentication is not supported in AWS. You can only access the Cisco ISE CLI through a secured key pair. If you use a private key (or PEM) file and you lose the file, you will not be able to access the Cisco ISE CLI. Any integration that uses a password-based authentication method to access Cisco ISE CLI is not supported, for example, Cisco Catalyst Center release 2.1.2 and earlier.

  • In Cisco ISE release 3.1, when you run the show inventory command through a Cisco ISE instance that is launched through AWS, the output does not display the instance type of the Cisco ISE on AWS. This issue is resolved in Cisco ISE release 3.1 patch 1 and later releases.

Memory, disk size, and volume limitations

These are the memory, disk size, and volume limitations:

  • You cannot resize an EC2 instance.

  • You cannot convert the Cisco ISE Disk EBS Volume as an AMI and then relaunch another EC2 instance with this AMI.

  • In the Cisco ISE CFT that you configure, you define volume size in GB. However, AWS creates EBS storage volumes in Gibibyte (GiB). Therefore, when you enter 600 as the Volume Size in the Cisco ISE CFT, AWS creates 600 GiB (or 644.25 GB) of EBS volume.

  • You might receive an Insufficient Virtual Machine Resources alarm when Cisco ISE is in idle state. You can ignore this alarm because the CPU frequency is maintained lower than the required baseline frequency (2 GHz) for effective power conservation.

Deployment limitations

These are two deployment types supported, but you must ensure that internode latencies are less than 300 milliseconds.

  • Hybrid deployments with some Cisco ISE nodes on premises and some nodes in AWS.

  • Interregional deployments through VPC peering connections.

Upgrade limitations

Cisco ISE upgrade workflow is not available in Cisco ISE on AWS. Only fresh installs are supported. However, you can carry out backup and restore of configuration data.

References

Refer to Upgrade Guidelines for Hybrid Deployments for information on upgrading hybrid Cisco ISE deployments.

Latency limitation

You can integrate the external identity sources that are located on the premises. However, because of latency, when on-premises identity sources are used, Cisco ISE's performance is not at par with Cisco ISE's performance when AWS-hosted identity sources or the Cisco ISE internal user database is used.

User data backup and restore limitations

These are the user data backup and restore limitations.

  • User data retrieval only works for Metadata V1 (IMDSv1); it does not work with V2.

  • When restore operation is run during a configuration data backup through the Cisco ISE CLI or GUI, ADE-OS parameter should not be included.

Launch a Cisco ISE CFT through AWS Marketplace

You can use this method to launch standalone Cisco ISE instances.

The Cisco ISE CFT creates an instance of the General Purpose SSD (gp2) volume type.

Follow these steps to launch a Cisco ISE CFT through AWS marketplace.

Procedure

Step 1

Configure a Cisco ISE instance.

Step 2

Launch CFT and specify the parameters.

Configure a Cisco ISE instance

Follow these steps to configure a Cisco ISE instance.

Procedure

Step 1

Log in to the Amazon Management Console at https://console.aws.amazon.com/.

Step 2

Search for AWS Marketplace Subscriptions.

Step 3

In the Manage Subscriptions screen, click Discover Products.

Step 4

Click the product name.

Step 5

Click Continue to Configuration.

Step 6

In the Configure this Software area, click Learn More.

Step 7

Click Download CloudFormation Template to download the Cisco ISE CFT to your local system.

You can use the downloaded CFT to automate the configuration of other Cisco ISE instances, as required.

You can click View Template in the Learn More dialog box to view the CFT in the AWS CloudFormation Designer.

Step 8

Choose the required values from the Software Version and AWS Region drop-down lists.

Step 9

Click Continue to Launch. For more information, refer to Launch CFT and specify the parameters.

Automate the configuration of Cisco ISE instances

You can use the downloaded CFT to automate the configuration of other Cisco ISE instances, as required.

View CFT in AWS CloudFormation Designer

You can click View Template in the Learn More dialog box to view the CFT in the AWS CloudFormation Designer.

Launch CFT and specify the parameters

Follow these steps to launch the CFT and configure the parameters.

Procedure

Step 1

From the Choose Action drop-down list, choose Launch CloudFormation.

Step 2

Click Launch.

Step 3

In the Create Stack window, click the Template Is Ready and Amazon S3 URL radio buttons.

Step 4

Click Next.

Step 5

Enter a value in the Stack Name field.

Step 6

Enter the required details in the Parameters area. For more information about the parameters, refer to Configure the parameters for the Cisco ISE instance.

Step 7

Click Next to initiate the instance-creation process.

References

Refer to Chapter "Deployment" in the Cisco ISE Administrator Guide for your release to create a Cisco ISE deployment.

Configure the parameters for the Cisco ISE instance

You can configure these parameters for the Cisco ISE instance:

Field name Field description

Hostname

This field only supports alphanumeric characters and hyphen (-).

The length of the hostname should not exceed 19 characters.

Instance Key Pair

To access the Cisco ISE instance through SSH, choose the PEM file that you created in AWS for the username iseadmin. For Cisco ISE release 3.1, the username is admin.

Create a PEM key pair in AWS now, if you have not configured one already.

Example:

ssh -i mykeypair.pem iseadmin@myhostname.compute-1.amazonaws.com

Management Security Group

Choose the security group from the drop-down list. You must create the security group in AWS before configuring this CFT.

You can add only one security group in this step. You can add additional security groups in Cisco ISE after installation.

Management Network

Choose the subnet to be used for the Cisco ISE interface.

To enable IPv6 addresses, you must associate an IPv6 CIDR block with your VPC and subnets.

Create a subnet in AWS now if you have not configured one already.

Management Private IP

(renamed as Management Interface IPv4 Address from Cisco ISE release 3.5)

Enter the IPv4 address from the subnet that you selected earlier. If this field is left blank, the AWS DHCP assigns an IP address.

After the Cisco ISE instance is created, copy the private IP address from the Instance Summary window. Then, map the IP and hostname in your DNS server before you create a Cisco ISE deployment.

Create IPv6-only Instance

(from Cisco ISE release 3.5)

Choose whether to create an IPv6-only instance. If yes, no IPv4 address will be assigned.

Management Private IPv6 Address

(from Cisco ISE release 3.5)

Enter the IPv6 address from the subnet that you chose earlier. If this field is left blank, the AWS DHCP assigns an IPv6 address.

Timezone

Choose a system time zone from the drop-down list.

Instance Type

Choose a Cisco ISE instance type from the drop-down list.

EBS Encryption

Choose True from the drop-down list to enable encryption.

In Cisco ISE release 3.3 and later releases, the default value for this field is True.

(Optional) KMS Key

Enter the KMS Key or Amazon Resource Name or alias for data encryption.

This is an optional field applicable for Cisco ISE release 3.3 and later releases.

  • If the KMS Key is provided, it will be used for data encryption.

  • If the KMS Key is not provided, the default key will be used for data encryption.

Volume Size

Specify the volume size, in GB. The accepted range is 300 GB to 2400 GB.

We recommend 600 GB for production use. Configure a volume size lesser than 600 GB only for evaluation purposes.

When you terminate the instance, the volume is also deleted.

AWS creates EBS storage volumes in Gibibyte (GiB). For example, when you enter 600 in the Volume Size field, AWS creates 600 GiB (or 644.25 GB) of EBS volume.

DNS Domain

Accepted values for this field are ASCII characters, numerals, hyphen (-), and period (.).

Primary Name Server

(Name Server before Cisco ISE release 3.4)

Enter the IP address of the name server.

(Optional) Secondary Name Server

(from Cisco ISE release 3.4)

Enter the IP address of the secondary name server to be configured for Cisco ISE.

(Optional) Tertiary Name Server

(from Cisco ISE release 3.4)

Enter the IP address of the tertiary name server to be configured for Cisoc ISE.

Primary NTP Server

(NTP Server before Cisco ISE release 3.4)

Enter the IP address or hostname of the Primary NTP server, for example, time.nist.gov. If you use the wrong syntax, Cisco ISE services might not come up on launch.

If the IP address or the hostname that you enter here is incorrect, Cisco ISE cannot synchronize with the NTP server. Use an SSH terminal to log in to Cisco ISE and then use the Cisco ISE CLI to configure the correct NTP server.

(Optional) Secondary NTP Server

(from Cisco ISE release 3.4)

Enter the IP address or hostname of the secondary NTP server, for example, time.nist.gov. If you use the wrong syntax, Cisco ISE services might not come up on launch.

(Optional) Tertiary NTP Server

(from Cisco ISE release 3.4)

Enter the IP address or hostname of the tertiary NTP server, for example, time.nist.gov. If you use the wrong syntax, Cisco ISE services might not come up on launch.

ERS

To enable ERS services at Cisco ISE launch, enter yes. The default value for this field is no.

OpenAPI

To enable OpenAPI services at Cisco ISE launch, enter yes. The default value for this field is no.

From Cisco ISE release 3.4, OpenAPI services are enabled by default.

pxGrid

To enable pxGrid services at Cisco ISE launch, enter yes. The default value for this field is no.

pxGrid Cloud

The default value for this field is no.

From Cisco ISE release 3.5, pxGrid Cloud can be enabled only from the Cisco ISE GUI. Therefore, this field is unavailable.

Password

Enter the administrative password that must be used for the Cisco ISE GUI. The password must be compliant with the Cisco ISE password policy.

The password is displayed in plain text in the User Data area of the instance settings window in the AWS console.

References

Refer to the "User Password Policy" section in the chapter "Basic Setup" of the Cisco ISE Administrator Guide for your release.

Add multiple DNS or NTP servers

From Cisco ISE release 3.4, you can configure up to three DNS or NTP servers through the CFT, but you can only add one server at a time. To add additional DNS or NTP servers after deploying a Cisco ISE instance, you must use the Cisco ISE CLI.

From Cisco ISE release 3.5, you can configure IPv6 DNS and NTP servers directly through the CFT. To configure IPv6 servers in earlier Cisco ISE releases, use the Cisco ISE CLI.

Launch Cisco ISE with CFT

You can use this method to launch standalone Cisco ISE instances.

The Cisco ISE CFT creates an instance of the General Purpose SSD (gp2) volume type.

Follow these steps to launch Cisco ISE with CFT.

Before you begin

Procedure

Step 1

Configure a Cisco ISE instance.

Step 2

Upload a CFT file and configure the parameters.

Configure a Cisco ISE instance

Follow these steps to configure a Cisco ISE instance.

Procedure

Step 1

Log in to the Amazon Management Console at https://console.aws.amazon.com/.

Step 2

Search for AWS Marketplace Subscriptions.

Step 3

In the Manage Subscriptions screen, click Discover Products.

Step 4

Enter Cisco Identity Services Engine (ISE) in the search bar.

Step 5

Click the product name.

Step 6

In the new window that is displayed, click Continue to Subscribe.

Step 7

Click Continue to Configuration.

Step 8

In the Configure this Software area, click Learn More.

Upload a CFT file and configure the parameters

Follow these steps to upload a CFT file and configure the parameters.

Procedure

Step 1

Click Download CloudFormation Template to download the Cisco ISE CFT to your local system.

Step 2

Using the AWS search bar, search for CloudFormation.

Step 3

From the Create Stack drop-down list, choose With new resources (standard).

Step 4

In the Create Stack window, choose Template Is Ready and Upload a Template File.

Step 5

Click Choose File and upload the CFT file that you downloaded in Configure a Cisco ISE instance.

Step 6

Click Next.

Step 7

Enter a value in the Stack Name field.

Step 8

Enter the required details in the Parameters area. For more information about the parameters, refer to Configure the parameters for the Cisco ISE instance.

Launch a Cisco ISE AMI

Follow these steps to launch a Cisco ISE AMI:

  1. Navigate to the Cisco ISE option on the Amazon EC2 console

  2. Configure instance details

  3. Configure advanced details

  4. Add storage

  5. Add tags

  6. Configure security group

  7. Review and launch

  8. Select an existing key pair or create a new key pair

  9. Launch instances

Navigate to the Cisco ISE option on the Amazon EC2 console

Follow these steps to navigate to the Cisco Identity Engine (ISE) option on the AWS EC2 console:

Procedure

Step 1

Log in to your Amazon EC2 console at https://console.aws.amazon.com/ec2/.

Step 2

In the left pane, click Instances.

Step 3

In the Instances window, click Launch Instances.

Step 4

In the Step 1: Choose AMI window, in the left menu, click AWS Marketplace.

Step 5

In the search field, enter Cisco Identity Services Engine.

Step 6

In the Cisco Identity Services Engine (ISE) option, click Select.

A Cisco Identity Services Engine (ISE) dialog box is displayed with various details of the AMI.

Step 7

Review the information and click Continue to proceed.

Configure instance details

Follow these steps to add and configure Cisco ISE instance details on the AWS EC2 console:

Procedure

Step 1

In the Step 2: Choose an Instance Type window, click the radio button next to the instance type that you want to use.

Step 2

Click Next: Configure Instance Details.

Step 3

In the Step 3: Configure Instance Details window, enter the required information in each field as described in the guidelines:

Table 4. Configuration guidelines for instance details

Field name

Field description

Number of Instances

Enter 1 in this field.

Network

Choose the VPC in which you want to launch the Cisco ISE instance.

Subnet

Choose the subnet in which you want to launch the Cisco ISE instance.

Note

 

From Cisco ISE release 3.5, you can launch a Cisco ISE AWS instance on an IPv6-only network using an IPv6-only AWS subnet.

Network Interfaces

 The drop-down list displays New Network Interface by default, which means that an IP address is auto-assigned to Cisco ISE by the connected DHCP server. You can choose to enter an IP address in this field to assign a fixed IP address to Cisco ISE. You can also choose an existing network interface from the same subnet, from the Network Interfaces drop-down list. You can only configure one interface during the setup process. After Cisco ISE is installed, you can add more interfaces through Cisco ISE.

What to do next

Review the information and proceed to Configure advanced details.

Configure advanced details

Follow these steps to add and configure advanced Cisco ISE instance details on the AWS EC2 console.

Procedure

In the Advanced Details area, click the As Text radio button in the User Data section and enter the key-value pairs in the correct format. From Cisco ISE release 3.5, to launch a Cisco ISE AWS instance on an IPv6 single-stack network, you must enable the Metadata IPv6 endpoint option in Advanced Details.

You must use the correct syntax for each of the fields that you configure through the user data entry. The information you enter in the User data field is not validated when it is entered. Using incorrect syntax may cause Cisco ISE services to fail to start when launching the image. These are the guidelines for the configurations that you submit through the user data field:

Table 5. Configuration guidelines for User Data field

Field Name

Field Description

 Compliance and Behavior Changes

hostname

Enter a hostname that contains only alphanumeric characters and hyphen (-). The length of the hostname must be less than 19 characters and must not contain underscores (_).

Syntax must meet recommendations.

primarynameserver

Enter the IP address of the primary name server. Only IPv4 addresses are supported.

From Cisco ISE release 3.5, IPv6-based name servers are supported on AWS instances in IPv6 single-stack networks.

dnsdomain

Enter the FQDN of the DNS domain. The entry can contain ASCII characters, numerals, hyphens (-), and periods (.).

 Syntax must meet recommendations.

ntpserver

Enter the IPv4 address or FQDN of the NTP server that must be used for synchronization, for example, time.nist.gov.

From Cisco ISE release 3.5, IPv6-based NTP servers are also supported in this field for dual-stack and IPv6 single-stack network-based AWS instances.

timezone

Enter a timezone, for example, Etc/UTC. We recommend that you set all the Cisco ISE nodes to the Coordinated Universal Time (UTC) timezone, especially if your Cisco ISE nodes are installed in a distributed deployment. This procedure ensures that the timestamps of the reports and logs from the various nodes in your deployment are always synchronized.

Syntax must meet recommendations.

username

The default username that you configure must be admin. If you configure a username other than admin, you will not be able to access the Cisco ISE CLI when you launch the AMI.

From Cisco ISE release 3.2, the mandatory username is iseadmin; therefore, the tag username=<admin> is not supported.

password

Configure a password for GUI-based login to Cisco ISE. The password that you enter must comply with the Cisco ISE password policy. The password must contain 6 to 25 characters and include at least one numeral, one uppercase letter, and one lowercase letter. The password cannot contain or be the same as the username or its reverse (iseadmin or nimdaesi), cisco, or ocsic. The allowed special characters are @~*!,+=_-.  .

Refer to "User Password Policy" section in the chapter "Basic Setup" of the Cisco ISE Administrator Guide for your release.

ersapi

Enter yes to enable ERS, or no to disallow ERS.

Syntax must meet recommendations.

openapi

Enter yes to enable OpenAPI, or no to disallow OpenAPI.

From Cisco ISE release 3.4, OpenAPI services are enabled by default. You don't have to specify OpenAPI-related options when launching an instance.

pxGrid

Enter yes to enable pxGrid, or no to disallow pxGrid.

Syntax must meet recommendations.

pxGrid_cloud

Enter yes to enable pxGrid Cloud or no to disallow pxGrid Cloud.

To enable pxGrid Cloud, you must enable pxGrid. If you disallow pxGrid, but enable pxGrid Cloud, pxGrid Cloud services are not enabled at launch.

From Cisco ISE release 3.5, pxGrid Cloud can be enabled only from Cisco ISE Cisco ISE GUI. Therefore, this field is not included in the user data.

What to do next

Review the information and proceed to Add storage.

User data parameters

Field Format Cisco ISE release 3.1 Cisco ISE release 3.2 Cisco ISE release 3.3 Cisco ISE release 3.4 Cisco ISE release 3.5
hostname hostname=<hostname of Cisco ISE> Supported Supported Supported Supported Supported
primarynameserver primarynameserver=<IPv4 address>

(primarynameserver=<IPv6 address> supported for AWS from Cisco ISE release 3.5)

 Supported Supported Supported Supported Supported

Cisco ISE release 3.5 and later support IPv6 addresses in AWS deployments.
secondarynameserver secondarynameserver=<IPv4 address>

(secondarynameserver=<IPv6 address> supported for AWS from Cisco ISE release 3.5)

 Not supported Not supported Not supported Supported.

You must enter a value in this field if you want to use the tertiarynameserver field.

 Supported.

You must enter a value in this field if you want to use the tertiarynameserver field.

Cisco ISE release 3.5 and later support IPv6 addresses in AWS deployments.
tertiarynameserver tertiarynameserver=<IPv4 address>

(tertiarynameserver=<IPv6 address> supported for AWS from Cisco ISE release 3.5)

 Not supported Not supported Not supported Supported.

You must first enter a value in the secondarynameserver field if you want to use this field.

 Supported.

You must first enter a value in the secondarynameserver field if you want to use this field.

Cisco ISE release 3.5 and later support IPv6 addresses in AWS deployments.
dnsdomain dnsdomain=<example.com> Supported Supported Supported Supported Supported
ntpserver ntpserver=<IPv4 address or FQDN of the NTP server>

(ntpserver=<IPv6 address or FQDN of the NTP server> supported for AWS from Cisco ISE release 3.5)

 Supported Supported Supported Not supported.

This field is replaced by primaryntpserver in Cisco ISE release 3.4 and later. Using ntpserver may prevent Cisco ISE services from starting.

Not supported. Use primaryntpserver instead.
primaryntpserver primaryntpserver=<IPv4 address or FQDN>

(primaryntpserver=<IPv6 address or FQDN of the NTP server> supported for AWS from Cisco ISE release 3.5)

 Not supported Not supported Not supported Supported.

This field replaces ntpserver in Cisco ISE release 3.4 and later.

 Supported.

Cisco ISE release 3.5 and later support IPv6 addresses in AWS deployments.
secondaryntpserver secondaryntpserver=<IPv4 address or FQDN>

(secondaryntpserver=<IPv6 address or FQDN of the NTP server> supported for AWS from Cisco ISE release 3.5)

 Not supported Not supported Not supported Supported.

You must enter a value in this field if you want to use the tertiaryntpserver field.

 Supported.

You must enter a value in this field if you want to use the tertiaryntpserver field.

Cisco ISE release 3.5 and later support IPv6 addresses in AWS deployments.
tertiaryntpserver tertiaryntpserver=<IPv4 address or FQDN>

(tertiaryntpserver=<IPv6 address or FQDN of the NTP server> supported for AWS from Cisco ISE release 3.5)

 Not supported Not supported Not supported Supported.

You must first enter a value in the secondaryntpserver field if you want to use this field.

 Supported.

You must first enter a value in the secondaryntpserver field if you want to use this field.

Cisco ISE release 3.5 and later support IPv6 addresses in AWS deployments.
timezone timezone=<timezone> Supported Supported Supported Supported Supported
username username=<admin> Supported (example: <admin>)

Supported from Cisco ISE release 3.1 patch 1.

 Not supported.

iseadmin is the default user.

 Not supported.

iseadmin is the default user.

 Not supported.

iseadmin is the default user.

 Not supported.

iseadmin is the default user.
username username=iseadmin Not mandatory Mandatory Mandatory Mandatory Mandatory
password password=<password> Supported Supported Supported Supported Supported
ersapi ersapi=<yes/no> Supported Supported Supported Supported Supported
openapi openapi=<yes/no> Supported Supported Supported OpenAPI is enabled by default. OpenAPI is enabled by default.
pxGrid pxGrid=<yes/no> Supported Supported Supported Supported Supported
pxgrid_cloud pxgrid_cloud=<yes/no> Not supported Not supported Supported.

This is only supported for Cisco ISE releases 3.3 and 3.4.

 Supported.

This is only supported for Cisco ISE releases 3.3 and 3.4.

 Not supported.

From Cisco ISE release 3.5, pxGrid Cloud can be enabled only from the Cisco ISE GUI.

Parameter syntax requirements

When specifying user data parameters for Cisco ISE on Cloud, do not enclose any attribute or value in single or double quotes. You must enter all values in plain text, without quotes.

Invalid entry

Valid entry

hostname="i34a"

hostname=i34a

primarynameserver="9.9.9.9"

primarynameserver=9.9.9.9

dnsdomain="example.com"

dnsdomain=example.com

primaryntpserver="north-america.pool.ntp.org"

primaryntpserver=north-america.pool.ntp.org

From Cisco ISE release 3.3, validation output messages are displayed in the serial console. These messages are visible only if the serial console is open at the time the output is generated.

Add storage

Follow these steps to add storage to the Cisco ISE instance:

Procedure

Step 1

Click Next: Add Storage.

Step 2

In the Step 4: Add Storage window:

  1. Enter a value in the Size (GiB) column.

    The valid range for this field is 279.4 to 2235.2 GiB. In a production environment, you must configure storage equal to or greater than 558.8 GiB. Storage lesser than 558.8 GiB only supports an evaluation environment. Note that Cisco ISE is created with storage defined in GB. The GiB value that you enter here is automatically converted into GB values during the Cisco ISE image-creation process. In GB, the valid storage range is 300 to 2400 GB, with 600 GB as the minimum value for a Cisco ISE in a production environment.

  2. From the Volume Type drop-down list, select General Purpose SSO (gp2).

  3. To enable EBS encryption, from the Encryption drop-down list, select an encryption key.

Warning

 

Do not click the Add New Volume button that is displayed on this window.

What to do next

Review the information and proceed to Add tags.

Add tags

Procedure

Step 1

Click Next: Add Tags.

Step 2

(Optional) In the Step 5: Add Tags window, click Add Tag and enter the required information in the Key and Value fields. The check boxes in the Instances, Volumes, and Network Interfaces columns are checked by default. If you have chosen a specific network interface in the Step 3: Configure Instance Details window, you must uncheck the Network Interfaces check box for each tag that you add in this window.

What to do next

Review the information and proceed to Configure security group.

Configure security group

Follow these steps to create a new security group or add an existing security group:

Procedure

Step 1

Click Next: Configure Security Group.

Step 2

In the Step 6: Configure Security Group window, in the Assign a security group area area, you can choose to create a new security group or choose an existing security group by clicking the corresponding radio button.

  1. If you choose Create a new security group, enter the required details in the Type, Protocol, Port Range, Source, and Description fields.

  2. If you choose Select an existing security group, check the check boxes next to the security groups you want to add.

What to do next

Review the information and proceed to Review and launch.

Review and launch

Follow these steps to review the configurations you have created so far and to launch a Cisco ISE AMI:

Procedure

Step 1

Click Review and Launch.

Step 2

In the Step 7: Review Instance Launch window, review all the configurations that you have created in this workflow. You can edit the values of these sections by clicking the corresponding Edit link.

Step 3

Click Launch.

What to do next

Proceed to Select an existing key pair or create a new key pair.

Select an existing key pair or create a new key pair

Follow this step to select an existing key pair or create a new key pair:

Procedure

In the Select an existing key pair or create a new key pair dialog box, select one of these options from the drop-down list:

  • Choose an existing key pair

  • Create a new key pair

Note

 

To use SSH to log in to Cisco ISE, use a key pair where the username is iseadmin. The key pair must be kept intact. If the key pair is lost or corrupted, you cannot recover your Cisco ISE because you cannot map a new key pair to the existing instance.

What to do next

Review the information and proceed to Launch instances.

Launch the Cisco ISE AMI instance

Launch the Cisco ISE AMI instance:

Procedure

Check the check box for the acknowledgment statement and click Launch Instances.

The Launch Status window displays the progress of the instance creation.

What to do next

You can create more Cisco ISE AMI instances using the same procedure.

Postinstallation notes and tasks

To check the status of the instance launch, in the left pane of the AWS console, click Instances. The Status Check column for the instance displays Initializing while the instance is being configured. When the instance is ready and available, the column displays x checks done.

You can access the Cisco ISE GUI or CLI about 30 minutes after the Cisco ISE EC2 instance is built. You can access the CLI and GUI of Cisco ISE with the IP address that AWS provides for your instance and log in to the Cisco ISE administration portal or console.

When the Cisco ISE instance is ready and available for use, carry out these steps:

  1. When you create a key pair in AWS, you are prompted to download the key pair into your local system. Download the key pair because it contains specific permissions that you must update to successfully log in to your Cisco ISE instance from an SSH terminal.

    Do one of these based on the operating system that you use:

    Table 6.

    If you are using...

    Then...

    Linux or macOS

    Run this command from your CLI.

    sudo chmod 0400 mykeypair.pem

    Windows

    1. Right-click the key file in your local system.

    2. Choose Properties > Security > Advanced.

    3. In the Permissions tab, assign full control to the appropriate user by clicking the corresponding option, and click Disable Inheritance.

    4. In the Block Inheritance dialog box, click Convert inherited permissions into explicit permissions on this object.

    5. In the Permissions tab, in the Permissions entries area, choose system and administrator users by clicking the corresponding entries, and then click Remove.

    6. Click Apply, and then click OK.

  2. Access the Cisco ISE CLI by running these command in your CLI application:

    ssh -i mykeypair.pem iseadmin@<Cisco ISE Private IP Address>

  3. At the login prompt, enter iseadmin as the username.

  4. At the system prompt, enter show application version ise and press Enter.

  5. To check the status of the Cisco ISE processes, enter show application status ise and press Enter.

    If the output displays that an application server is in Running state, Cisco ISE is ready for use.

  6. You can then log in to the Cisco ISE GUI.

  7. Carry out the postinstallation tasks listed in the topic "List of Postinstallation Tasks" in the Chapter "Installation Verification and Postinstallation Tasks" in the Cisco ISE Installation Guide for your release.

Check the status of the instance launch

To check the status of the instance launch, in the left pane of the AWS console, click Instances. The Status Check column for the instance displays Initializing while the instance is being configured. When the instance is ready and available, the column displays x checks done.

How and when to access the Cisco ISE GUI or CLI

You can access the Cisco ISE GUI or CLI about 30 minutes after the Cisco ISE EC2 instance is built. You can access the CLI and GUI of Cisco ISE with the IP address that AWS provides for your instance and log in to the Cisco ISE administration portal or console.

Download the key pair

When the Cisco ISE instance is ready and available for use, carry out the following steps to download the key pair:

  1. When you create a key pair in AWS, you are prompted to download the key pair into your local system.

    Download the key pair because it contains specific permissions that you must update to successfully log in to your Cisco ISE instance from an SSH terminal.

  2. Do one of the following based on the operating system that you use:

    Table 7.

    If you are using...

    Then...

    Linux or macOS

    Run the following command from your CLI:

    sudo chmod 0400 mykeypair.pem

    Windows

    1. Right-click the key file in your local system.

    2. Choose Properties > Security > Advanced.

    3. In the Permissions tab, assign full control to the appropriate user by clicking the corresponding option, and click Disable Inheritance.

    4. In the Block Inheritance dialog box, click Convert inherited permissions into explicit permissions on this object.

    5. In the Permissions tab, in the Permissions entries area, choose system and administrator users by clicking the corresponding entries, and then click Remove.

    6. Click Apply, and then click OK.

Check the status of the Cisco ISE processes

Follow these steps to check the status of the Cisco ISE processes.

Procedure

Step 1

Access the Cisco ISE CLI by running the following command in your CLI application:

ssh -i mykeypair.pem iseadmin@<Cisco ISE Private IP Address>

Step 2

At the login prompt, enter iseadmin as the username.

Step 3

At the system prompt, enter show application version ise and press Enter.

Step 4

To check the status of the Cisco ISE processes, enter show application status ise and press Enter.

If the output displays that an application server is in Running state, Cisco ISE is ready for use.

What to do next

Log in to the Cisco ISE GUI and carry out the post-installation tasks listed in the topic "List of Post-Installation Tasks" in the Chapter "Installation Verification and Post-Installation Tasks" in the Cisco ISE Installation Guide.

Compatibility information for Cisco ISE on AWS

This section provides compatibility information that is unique to Cisco ISE on AWS. For general compatibility details for Cisco ISE, refer to Cisco Identity Services Engine Network Component Compatibility.

Cisco Catalyst Center integration support

You can connect your Cisco ISE to Cisco Catalyst Center release 2.2.1 and later releases.

Load balancer integration support

You can integrate the AWS-native network load balancer with Cisco ISE for load balancing the RADIUS and TACACS traffic. However, these limitations are applicable:

  • The Change of Authorization (CoA) feature is supported only when you enable client IP preservation in network load balancer.

  • Unequal load balancing might occur because network load balancer only supports source IP affinity and not the calling station ID-based sticky sessions.

  • Traffic can be sent to a Cisco ISE PSN even if the RADIUS service is not active on the node because network load balancer does not support RADIUS-based health checks.

You can integrate the AWS-native network load balancer with Cisco ISE for load balancing TACACS traffic. However, traffic might be sent to a Cisco ISE PSN even if the TACACS service is not active on the node because network load balancer does not support health checks based on TACACS+ services.

NIC jumbo frame support

Cisco ISE supports jumbo frames. The Maximum Transmission Unit (MTU) for Cisco ISE is 9,001 bytes, while the MTU of Network Access Devices is typically 1,500 bytes. Cisco ISE supports and receives both standard and jumbo frames without issue. You can reconfigure the Cisco ISE MTU as required, through the Cisco ISE CLI in configuration mode.

Password recovery and reset on AWS

Password reset on AWS

The following tasks guide you through resetting your Cisco ISE virtual machine password.

Change Cisco ISE password through AWS serial console

Follow these steps to change Cisco ISE GUI password through serial console on AWS:

Procedure

Step 1

Log in to your AWS account and go to the EC2 dashboard.

Step 2

Click Instances from the left-side menu.

Step 3

Click the Cisco ISE instance ID for which you need to change the password. If you know the password, skip to Step 5 of this task.

Step 4

To log in to the serial console, you must use the original password that was set at the installation of the Cisco ISE instance. To view the password, refer to View the configured password.

Step 5

Click Connect.

The EC2 serial console tab is displayed.

Step 6

Click Connect.

Step 7

A new browser tab is displayed. If the screen is black, press Enter to view the login prompt.

Step 8

Log in to the serial console. If the password that was displayed in Step 4 does not work, refer to the Password Recovery section.

Step 9

Use the application reset-passwd ise iseadmin command to set a new web UI password for the iseadmin account.

The iseadmin account's web UI password is reset.

View configured password

Follow these steps to view the configured password.

Procedure

Step 1

Click Actions in EC2 dashboard.

Step 2

Go to Instance Settings.

Step 3

Choose Edit user data to view the current password.

Create a new public key pair

The existing key pair that was created at the time of Cisco ISE instance configuration is not replaced by the new public key that you create.

Follow these steps to create a new public key pair:

Procedure

Step 1

Create a new public key in AWS. For information on how to create public key pairs, refer to Create key pairs.

Step 2

Log in to the AWS serial console as detailed in the preceding task.

Step 3

To create a new repository to save the public key, refer to Creating a private repository.

If you already have a repository that is accessible through the CLI, skip to the next step.

Step 4

To import the new public key, use the command crypto key import <public key filename> repository <repository name>.

When the import is complete, you can log in to Cisco ISE through SSH using the new public key.

Password recovery on AWS

There is no mechanism for password recovery for Cisco ISE on AWS. You may need to create new Cisco ISE instances and perform backup and restore of configuration data. Editing the user data for an EC2 instance in AWS does not change the CLI password that is used to log in to the serial console, as the setup script is not run. The Cisco ISE virtual instance is not affected.