Cisco Identity Services Engine Hardware Installation Guide, Release 1.1

March 2012

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Text Part Number: OL-25540-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without written authorization from Cisco may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

- Turn the television or radio antenna until the interference stops.
- Move the equipment to one side or the other of the television or radio.
- Move the equipment farther away from the television or radio.
- Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Cisco Identity Services Engine Hardware Installation Guide, Release 1.1
Copyright © 2012 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
  Overview of Cisco Identity Services Engine
  Purpose
  Audience
  Document Organization
  Installation Reference
  Document Conventions
  Related Documentation
  Release-Specific Documents
  Platform-Specific Documents
  Documentation Updates
  Obtaining Documentation and Submitting a Service Request

Chapter 1
  Before Deploying Cisco ISE
  Understanding Node Types, Personas, Roles, and Services
  Cisco ISE Deployment Terminology
  Types of Nodes
  Understanding Distributed Deployment
  Guidelines for Setting Up a Distributed Deployment
  Cisco ISE Architecture Overview
  Deployment Scenarios
  Small Cisco ISE Network Deployments
  Medium Cisco ISE Network Deployments
  Large Cisco ISE Network Deployments
  Configuration of a Cisco ISE Node
  Primary Node
  Secondary Node
  Logging Server
  Switch Configurations Required to Support Cisco ISE Functions
  Planning an Inline Posture Deployment
  Inline Posture Planning Considerations

Chapter 2
  Cisco ISE Series Appliances
  Cisco ISE 3300 Series Appliance Hardware Summary
  Cisco ISE 3315 Serial Number Location
  Cisco ISE 3315 Front and Rear Panels
  Cisco ISE 3355 Serial Number Location
  Cisco ISE 3355 Front and Rear Panels
  Cisco ISE 3395 Serial Number Location
  Cisco ISE 3395 Front and Rear Panels

Chapter 3
  Before Configuring a Cisco ISE 3300 Series Appliance
  Admin Rights Differences: CLI-Admin and Web-Based Admin Users
  Understanding the Setup Program Parameters
  Verifying the Configuration Process
  Configuring a Cisco ISE 3300 Series Hardware Appliance

Chapter 4
  Virtual Machine Requirements
  Evaluating the Cisco ISE Release 1.1
  Configuring the VMware Server
  Prerequisite
  Configuring a VMware ESX or ESXi Server
  Preparing a VMware System for Cisco ISE Software Installation
  Configuring a VMware System Using the Cisco Identity Services Engine ISE Software DVD
  Installing the Cisco ISE Software on a VMware System
  Connecting to the Cisco ISE VMware Server Using Serial Console

Chapter 5
  Upgrading the Cisco ISE Node
  Performing an Application Upgrade from the CLI
  Performing a Split Deployment Upgrade
  Replacing the Cisco ISE Appliance Running ISE 1.0 Software with the Cisco ISE Appliance Running ISE 1.1
  Recovering from Upgrade Failures
  Recovering from Upgrade Failures on a Standalone Node
  Recovering the Appliance if SSH Session Quit During Upgrade

Chapter 6
  Installing a License
  Types of Licenses
  Obtaining a License
  Autoinstallation of the Evaluation License
  Accessing Cisco ISE Using a Web Browser
  Logging In
  Logging Out
  Verifying the Cisco ISE Configuration
  Verifying the Configuration Using a Web Browser
  Verifying the Configuration Using the CLI
  Verifying the Installation of VMware Tools
  Resetting the Administrator Password
  Lost, Forgotten, or Compromised Password
  Password Negated Due to Administrator Lockout
  Changing the IP Address of a Cisco ISE 3300 Series Appliance
  Reimaging a Cisco ISE 3300 Series Appliance
  Configuring the Cisco ISE System
  Installing New Cisco ISE Software
  Enabling System Diagnostic Reports in Cisco ISE

Appendix A
  Preparing to Install the Cisco ISE 3300 Series Hardware
  Safety Guidelines
  General Precautions
  Safety with Equipment
  Safety with Electricity
  Preventing ESD Damage
  Lifting Guidelines
  Preparing Your Site for Installation
  Site Planning
  Unpacking and Checking the Contents of Your Shipment
  Required Tools and Equipment
  Installation Checklist
  Creating a Site Log
  Ethernet Connector and Console Port Guidelines

Appendix B
  Installing the Cisco ISE 3300 Series Hardware
  Rack-Mounting Configuration Guidelines
  Mounting a Cisco ISE 3300 Series Appliance in a Four-Post Rack
  Using a Four-Post Rack-Mount Hardware Kit
  Installing the Slide Rails in a Rack
  Installing the Appliance into the Slide Rails
  Connecting Cables
  Connecting the Network Interface
  Connecting the Console
  Connecting the Keyboard and Video Monitor
  Cable Management
  Powering Up the Cisco ISE 3300 Series Appliance
  Power-Up Checklist
  Power-Up Procedure
  Checking the LEDs

Appendix C
  Troubleshooting the Cisco ISE 3300 Series Appliance
  Troubleshooting Overview
  Problem Solving
  Troubleshooting the Power and Cooling Systems
  Troubleshooting Adapter Cards, Cables, and Connections
  Reading the LEDs
  Front-Panel LEDs
  Rear-Panel LEDs
  Locating Appliance Serial Numbers

Appendix D
  Maintaining the Cisco ISE 3300 Series Appliance
  Maintaining Your Site Environment and Appliance
  General Exterior Cleaning and Inspection
  Cooling
  Temperature
  Humidity
  Altitude
  ESD
  EMI and RFI
  Magnetism
  Power Source Interruptions
  Maintaining Your Cisco ISE 3300 Series Appliance
  Preparing to Transport the Rack Cabinet
  Removing or Replacing the Cisco ISE 3300 Series Appliance

Appendix E
  Cisco ISE 3300 Series Appliance Ports Reference

Appendix F
  Installing Cisco ISE 3300 Series Software on Cisco NAC and Cisco Secure ACS Appliances
  Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance
  Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance
  Resetting the Existing RAID Configuration on a Cisco NAC Appliance

Index

Preface
Revised: March 21, 2012, OL-25540-01

This preface provides the following information about the Cisco Identity Services Engine (ISE) 3300 Series appliance:

- Overview of Cisco Identity Services Engine
- Purpose
- Audience
- Document Organization
- Document Conventions
- Related Documentation
- Documentation Updates
- Obtaining Documentation and Submitting a Service Request

Overview of Cisco Identity Services Engine


Cisco Identity Services Engine (ISE), as a next-generation identity and access control policy platform, enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. Cisco ISE's unique architecture allows enterprises to gather real-time contextual information from networks, users, and devices in order to make proactive governance decisions by tying identity to various network elements including access switches, wireless LAN controllers (WLCs), virtual private network (VPN) gateways, and data center switches. Cisco ISE is a key component of the Cisco Security Group Access Solution.

Cisco ISE is a consolidated policy-based access control solution that:

- Combines authentication, authorization, accounting (AAA), posture, profiler, and guest management services into one appliance
- Enforces endpoint compliance by checking the device posture of all endpoints accessing the network, including 802.1X environments
- Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
- Enables consistent policy in centralized and distributed deployments, allowing services to be delivered where they are needed
- Employs advanced enforcement capabilities including Security Group Access (SGA) through the use of Security Group Tags (SGTs) and Security Group (SG) Access Control Lists (ACLs)
- Scales to support a number of deployment scenarios, from small office to large enterprise environments

The Cisco ISE software comes preinstalled on a range of physical appliances with various performance characterizations. The inherent scalability of Cisco ISE allows you to add appliances to a deployment and increase performance and resiliency, as needed. The Cisco ISE architecture supports standalone and distributed deployments, along with high-availability options.

Cisco ISE allows you to configure and manage your network from a centralized portal for efficiency and ease of use. Cisco ISE also incorporates distinct configurable roles and services, so that you can create and apply Cisco ISE services where they are needed in the network. The result is a comprehensive Cisco ISE deployment that operates as a fully functional and integrated system.

Purpose
This installation guide provides the following types of information about Cisco ISE Release 1.1:

- Prerequisites for installation
- Procedures for installing the Cisco ISE software on a supported Cisco ISE appliance
- Procedures for installing the Cisco ISE software on a supported VMware virtual machine
- Procedures for installing the Cisco ISE software on a supported Cisco Network Admission Control (NAC) Appliance or Cisco Secure Access Control System (ACS) Appliance

Cisco ISE Release 1.1 offers a choice of three appliance platforms, depending upon the size of your deployment:

- Small network: Cisco ISE 3315
- Medium network: Cisco ISE 3355
- Large network: Cisco ISE 3395

The Cisco ISE software runs on the Cisco Application Deployment Engine (ADE) Release 2.0 operating system (ADE-OS). The Cisco ADE-OS and Cisco ISE software run on either a dedicated Cisco ISE 3300 Series Appliance or on a VMware server (Cisco ISE VM). For VMware-based installations, configure the VMware environment to meet a specific set of minimal system requirements and install the Cisco ISE Release 1.1 software. The supported VMware versions include the following:

- VMware Elastic Sky X (ESX), version 4.0, 4.0.1, and 4.1
- VMware ESXi, version 4.0, 4.0.1, and 4.1

Note: For more information about VMware-based installations, see Chapter 4, "Installing the Cisco ISE 3300 Series Software in a VMware Virtual Machine."

Note: VMware server, version 2.0, is supported only for demonstrating the features of Cisco ISE Release 1.1, and is not supported for production environments.

Audience
This guide is designed for network administrators, system integrators, or network deployment personnel who install and configure the Cisco ISE software on Cisco ISE 3300 Series appliances or on VMware servers. As a prerequisite to using this hardware installation guide, you should be familiar with networking equipment and cabling and have a basic knowledge of electronic circuitry, wiring practices, and equipment rack installations.

Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Document Organization
Table 1 lists the organization of the Cisco ISE Hardware Installation Guide, Release 1.1.

Table 1: Cisco ISE Hardware Installation Guide Organization

| Chapter/Appendix and Title | Description |
|---|---|
| Chapter 1, Understanding the Cisco ISE Network Deployment | Provides an overview of the Cisco ISE 3300 Series appliance deployments and their components. Read this chapter before planning a new Cisco ISE 3300 Series deployment. |
| Chapter 2, Introducing the Cisco ISE 3300 Series Hardware | Provides an overview of the Cisco ISE 3300 Series hardware. |
| Chapter 3, Configuring the Cisco ISE 3300 Series Appliance | Describes how to perform an initial installation of the Cisco ISE software on the Cisco ISE 3300 Series hardware. |
| Chapter 4, Installing the Cisco ISE 3300 Series Software in a VMware Virtual Machine | Describes how to install Cisco ISE software on the VMware ESX or ESXi virtual machines. |
| Chapter 5, Upgrading the Cisco ISE | Describes how to upgrade Cisco ISE software and appliance. |
| Chapter 6, Performing Post-Installation Tasks | Provides information on installing a Cisco ISE 3300 Series license and lists the configuration tasks that you need to perform following installation. |
| Appendix A, Preparing to Install the Cisco ISE 3300 Series Hardware | Describes the necessary safety instructions, site requirements, and tasks that you need to perform before installing the Cisco ISE 3300 Series hardware. |
| Appendix B, Installing the Cisco ISE 3300 Series Hardware | Provides detailed instructions on performing the rack-mounting of a Cisco ISE 3300 Series appliance, connecting all cables, powering up the appliance, and removing or replacing the appliance. |
| Appendix C, Troubleshooting the Cisco ISE 3300 Series Appliance | Provides techniques for troubleshooting the initial start up of a Cisco ISE 3300 Series appliance. |
| Appendix D, Maintaining the Cisco ISE 3300 Series Appliance | Provides recommendations for maintaining the Cisco ISE 3300 Series appliance following installation. |
| Appendix E, Cisco ISE 3300 Series Appliance Ports Reference | Provides a reference list of ports that are used by the Cisco ISE 3300 Series appliance services, applications, and devices. |
| Appendix F, Installing Cisco ISE 3300 Series Software on Cisco NAC and Cisco Secure ACS Appliances | Describes how to install Cisco ISE software on a supported Cisco NAC appliance or a Cisco Secure ACS Appliance. |

Installation Reference
Table 2 lists reference material that may be useful to review before attempting to install the Cisco ISE 3300 Series Release 1.1 software. For each of the installation processes, see the corresponding chapter, appendix, or guide.

Table 2: Cisco ISE 3300 Series Installation Scenarios

| Installation Process | Reference |
|---|---|
| Introducing the Cisco ISE appliance and predeployment requirements | 1. Chapter 2, Introducing the Cisco ISE 3300 Series Hardware; 2. Appendix A, Preparing to Install the Cisco ISE 3300 Series Hardware |
| Installing the initial Cisco ISE appliance and configuring the Cisco ISE software | 1. Appendix B, Installing the Cisco ISE 3300 Series Hardware; 2. Chapter 3, Configuring the Cisco ISE 3300 Series Appliance |
| Installing the initial Cisco ISE software on the VMware server | 1. Chapter 4, Installing the Cisco ISE 3300 Series Software in a VMware Virtual Machine |
| Licensing and using the web interface to log in | 1. Chapter 6, Performing Post-Installation Tasks |
| Installing Cisco ISE software on a Cisco NAC Appliance or on a Cisco Secure ACS Appliance | 1. Appendix F, Installing Cisco ISE 3300 Series Software on Cisco NAC and Cisco Secure ACS Appliances |

Document Conventions
This guide uses the following conventions to convey instructions and information.

| Item | Convention |
|---|---|
| Commands, keywords, special terminology, and options that should be chosen during procedures | boldface font |
| Variables for which you supply values and new or important terminology | italic font |
| Displayed session and system information, paths, and file names | screen font |
| Information you enter | boldface screen font |
| Variables you enter | italic screen font |
| Menu items and button names | boldface font |
| Indicates menu items to choose, in the order in which you choose them | Option > Network Preferences |

Note: Means reader take note. Notes contain helpful suggestions or references to material that is not covered in this guide.

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Documentation
Release-Specific Documents
Table 3 lists the product documentation available for the Cisco ISE Release. General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Table 3: Product Documentation for Cisco Identity Services Engine

| Document Title | Location |
|---|---|
| Release Notes for the Cisco Identity Services Engine, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html |
| Cisco Identity Services Engine Network Component Compatibility, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html |
| Cisco Identity Services Engine User Guide, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html |
| Cisco Identity Services Engine Hardware Installation Guide, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html |
| Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html |
| Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html |
| Cisco Identity Services Engine CLI Reference Guide, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html |
| Cisco Identity Services Engine API Reference Guide, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html |
| Cisco Identity Services Engine Troubleshooting Guide, Release 1.1 | http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html |
| Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html |
| Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card | http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html |

Platform-Specific Documents
Links to Policy Management Business Unit documentation are available on www.cisco.com at the following locations:

- Cisco ISE: http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
- Cisco Secure ACS: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
- Cisco NAC Appliance: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
- Cisco NAC Profiler: http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html
- Cisco NAC Guest Server: http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html

Documentation Updates
Table 4 lists the documentation updates for this Cisco ISE product release.
Table 4: Updates for Cisco Identity Services Engine Hardware Installation Guide, Release 1.1

| Date | Description |
|---|---|
| 3/19/12 | Cisco Identity Services Engine Hardware Installation Guide, Release 1.1 |

Obtaining Documentation and Submitting a Service Request


For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop by using a reader application. The RSS feeds are a free service, and Cisco currently supports RSS Version 2.0.

CHAPTER 1

Understanding the Cisco ISE Network Deployment


This chapter describes how to deploy the Cisco Identity Services Engine (ISE) 3300 Series appliance and its related components, presents several network deployment scenarios, and describes the switch configurations that are needed to support Cisco ISE. This chapter contains the following topics:

- Before Deploying Cisco ISE
- Deployment Scenarios
- Configuration of a Cisco ISE Node
- Switch Configurations Required to Support Cisco ISE Functions
- Planning an Inline Posture Deployment

Before Deploying Cisco ISE


This section provides reference information to help you understand what is needed before you deploy the Cisco ISE appliances in your network environment:

- Understanding Node Types, Personas, Roles, and Services
- Types of Nodes
- Understanding Distributed Deployment
- Guidelines for Setting Up a Distributed Deployment
- Cisco ISE Architecture Overview

Understanding Node Types, Personas, Roles, and Services


Cisco ISE provides a highly available and scalable architecture that supports both standalone and distributed deployments. In a distributed environment, you configure one primary Administration ISE node and the rest are secondary nodes. The topics in this section provide information about Cisco ISE terminology, supported node types, distributed deployment, and the basic architecture.


Cisco ISE Deployment Terminology


Table 1-1 describes some of the common terms used in Cisco ISE deployment scenarios.

Table 1-1: Cisco ISE Deployment Terminology

| Term | Description |
|---|---|
| Service | A service is a specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring. |
| Node | A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node. |
| Node type | A node can be of two types: ISE node and Inline Posture node. The node type and persona determine the type of functionality provided by that node. |
| Persona | The persona or personas of a node determine the services provided by a node. An ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. |
| Role | Determines if a node is a standalone, primary, or secondary node. Applies only to Administration ISE and Monitoring ISE nodes. |
| Node groups | Multiple Policy Service ISE nodes that are located behind a load balancer to distribute the requests evenly. To detect node failure and to reset sessions in pending state on the failed node, two or more Policy Service ISE nodes can be placed in the same node group. |

Types of Nodes
A Cisco ISE network has only two types of nodes:

- ISE node: An ISE node could assume any of the following three personas:

  - Administration: Allows you to perform all administrative operations on ISE. It handles all system-related configuration and configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have only one or a maximum of two nodes running the Administration persona. The Administration persona can take on any one of the following roles: standalone, primary, or secondary. If the primary Administration ISE node goes down, then you must manually promote the secondary Administration ISE node. There is no automatic failover for the Administration persona.

    Note: At least one node in your distributed setup should assume the Administration persona.

  - Policy Service: Provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there would be more than one Policy Service persona in a distributed deployment. All Policy Service ISE nodes that reside behind a load balancer share a common multicast address and can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes detect the failure and reset any pending sessions.

    Note: At least one node in your distributed setup should assume the Policy Service persona.

  - Monitoring: Enables ISE to function as the log collector and store log messages from all the Administration and Policy Service personas on the ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources. A node with this persona aggregates and correlates the data that it collects to provide you with meaningful information in the form of reports. Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.

    Note: At least one node in your distributed setup should assume the Monitoring persona.

- Inline Posture node: A gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and virtual private network (VPN) concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles Change of Authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes that can take on primary or secondary roles for high availability.

  Note: An Inline Posture node is dedicated solely to that service, and cannot operate concurrently with other ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. Inline Posture nodes are not supported on VMware server systems.

Note: Each ISE node in a deployment can assume more than one of the three personas (Administration, Policy Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated gatekeeping role.

In a distributed deployment, you can have the following combination of nodes on your network:

- Primary and secondary Administration ISE nodes
- Primary and secondary Monitoring ISE nodes
- One or more Policy Service ISE nodes
- One or more Inline Posture nodes

Understanding Distributed Deployment


An ISE distributed deployment consists of one primary Administration ISE node and multiple secondary nodes. Each ISE node in a deployment can assume any of the following personas: Administration, Policy Service, and Monitoring.


Note

The Inline Posture node cannot assume any other persona, due to its specialized nature. The Inline Posture node must be a dedicated node. Inline Posture nodes are not supported on VMware server systems. For more information, see the Cisco Identity Services Engine User Guide, Release 1.1.

After you install ISE on all your nodes as described in this guide, the nodes come up in a standalone state. You must then define one node to be your primary Administration ISE node. After defining a primary Administration ISE node, you can choose to configure other personas on that node, such as Policy Service or Monitoring. After you define personas on the primary Administration ISE node, you can register other secondary nodes with the primary Administration ISE node and then define personas for the secondary nodes.

When you register an ISE node as a secondary node, ISE immediately creates a database link from the primary to the secondary node and begins the process of replicating or sharing ISE configuration data from the primary to the secondary nodes. This process ensures consistency between the configuration data that is present in all the ISE nodes that are part of your deployment. A full replication typically occurs when you first register an ISE node as a secondary node. An incremental replication occurs after a full replication, and ensures that any new changes such as additions, modifications, or deletions to the configuration data in the primary Administration ISE node are reflected in the secondary nodes. The process of replication ensures that all ISE nodes in a deployment are in sync. You can view the status of replication from the deployment pages of the ISE administrative user interface.

The Policy Service ISE nodes that reside in a single location behind a load balancer and share a common multicast address can be grouped together. In such scenarios, you can define node groups and assign the nodes to the particular group.
To remove a node from a deployment, you must deregister it. When you deregister a secondary node from the primary Administration ISE node, the status of the deregistered node changes to standalone and the connection between the primary and the secondary node will be lost. Replication updates are no longer sent to the deregistered secondary node.

Note

You cannot deregister a primary Administration ISE node.

Note

You can change the primary node to standalone from the Deployment page. Edit the primary node and click Make Standalone. You can do this only after deregistering all the secondary nodes in the deployment.

The application server in an ISE node restarts when you make any of the following changes:

- Register a node (standalone to secondary)
- Deregister a node (secondary to standalone)
- Primary node is changed to standalone (if no other nodes are registered with it; primary to standalone)
- Administration ISE node is promoted (secondary to primary)
- Change the personas (when you assign or remove the Policy Service or Monitoring persona from a node)
- Modify the services in the Policy Service ISE node (enable or disable the session and profiler services)
- Restore a backup on the primary and a sync up operation is triggered to replicate data from the primary to secondary nodes

Note

For example, if your deployment has two nodes and you deregister the secondary node, both nodes in this primary-secondary pair are restarted. (The former primary and secondary nodes become standalone.)

Note

When you make any of these changes, the application services are restarted. You must expect a delay while these services restart.

Note

You can have only one primary node in your deployment. The other Cisco ISE nodes are secondary nodes that can be configured for one or more of the roles previously described. When the primary node is lost, you must promote one of the secondary nodes to become the primary. Cisco ISE supports the promotion of any secondary appliance to serve as the primary node. When the Cisco ISE installation has been completed, you must configure one of your Cisco ISE instances as the primary node. You can edit the primary node and enable any service that you want to run on the primary.

Before Registering Secondary Nodes


Prerequisites:

- The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com, must be Domain Name System (DNS)-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
- The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
- Use the username and password that were created during the initial setup or the password if it was changed later.
- Database passwords of the primary and secondary nodes should be the same. If they are set differently during node installation, you can modify them by using the following commands:

    application reset-passwd ise internal-database-admin
    application reset-passwd ise internal-database-user

  See the Cisco Identity Services Engine CLI Reference Guide, Release 1.1 for more details on how to use the CLI commands.
- You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node.
- Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities in Chapter 4 of the Cisco Identity Services Engine User Guide, Release 1.1, for more information on the various administrative roles and the privileges that are associated with each of them.


- If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
- If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See Creating, Editing, and Deleting Node Groups in Chapter 9 of the Cisco Identity Services Engine User Guide, Release 1.1, for more information.
- Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See Creating Certificate Trust Lists in the Primary Cisco ISE Node in Chapter 12 of the Cisco Identity Services Engine User Guide, Release 1.1, for more information.
- After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import them to the CTL of the primary node. See Creating Certificate Trust Lists in the Primary Cisco ISE Node in Chapter 12 of the Cisco Identity Services Engine User Guide, Release 1.1, for more information.

Note

We recommend that you set all Cisco ISE nodes to the UTC time zone. This procedure ensures that the reports and logs from the various nodes in your deployment are always in sync with regard to the timestamps.

You can register the secondary nodes and edit their configuration profiles by using the user interface of the primary node. After you install a secondary node, Cisco ISE immediately creates a database link between the primary and the secondary node for replicating and synchronizing all changes. In addition, you can remove a node from the deployment by deregistering it. This action deletes it from the deployment. When you deregister a node from the primary, the status of the deregistered node changes to standalone. Any connection between the primary and the secondary nodes is lost, and no replication updates are sent to the secondary node.

Next Steps:

For more information on configuring Cisco ISE nodes, see:

Cisco Identity Services Engine User Guide, Release 1.1


Chapter 9, Setting Up ISE in a Distributed Environment and Registering and Configuring a Secondary Node

Guidelines for Setting Up a Distributed Deployment


Observe the following guidelines before you attempt to set up Cisco ISE appliances in a distributed deployment:

- You must have a properly configured, working DNS for a distributed deployment to work correctly.
- A Cisco ISE node can run any of the ISE node personas at the same time.
- A Cisco ISE node can be designated to perform as a standalone node, or as either a primary or a secondary node in a primary-secondary pair, depending upon configuration and settings.
- You can have only one primary Cisco ISE node in your deployment.

Note

Other Cisco ISE nodes are considered to be secondary nodes that can be configured for one or more other roles depending upon licenses and settings.

- When the primary node is lost, you need to promote a valid secondary node to become the primary. Cisco ISE only supports the promotion of a secondary node appliance with the Administration persona to serve as the new primary node. In addition, it must possess a valid license as a secondary node with an Administration persona.
- The primary Cisco ISE node must run the Administration persona.
- All Cisco ISE system-related configuration and configuration that is related to functionality should be made only on the primary Cisco ISE node. The configuration changes that you perform on the primary node are replicated to all the secondary nodes in your deployment.
- The Inline Posture node requires a dedicated Cisco ISE node. No other service can run on a node that is designated as an Inline Posture node.

Note

The Inline Posture node is not supported on VMware server systems.

- To avoid time zone issues among the nodes, you must provide the same NTP server name during the setup mode of each node.

When the Cisco ISE installation is complete, you must configure one of your Cisco ISE nodes as the primary node. You can edit the primary node and enable any service that you want to run on the primary. You can register secondary nodes and edit their configuration by using the user interface of the primary node. After you install a secondary node, Cisco ISE immediately creates a database link between the primary and secondary nodes for replicating and synchronizing all changes. When you deregister a node from the primary, the status of the deregistered node changes to standalone. To register a deregistered node back with the primary, you must first reset the database configuration on the node and bring it back to a freshly installed node state and then register it again.
For more information:

See the Cisco Identity Services Engine User Guide, Release 1.1 for more information about:

- Cisco ISE Admin group roles and responsibilities
- Cisco ISE node services
- Resetting the configuration of a node
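The guidelines and registration prerequisites above can be checked against a planned node inventory before any node is registered. The following Python sketch is an added example, not Cisco code: the Node fields, check_plan, the hostnames, the version strings, and the stub resolver are assumptions constructed for illustration, and DNS is checked from wherever the script runs rather than from the primary node itself.

```python
import socket
from dataclasses import dataclass

KNOWN_PERSONAS = {"administration", "policy_service", "monitoring"}


@dataclass
class Node:
    """One planned node; field names are illustrative, not an ISE schema."""
    fqdn: str
    version: str
    ntp_server: str
    role: str = "secondary"          # "primary" or "secondary"
    personas: frozenset = frozenset()
    inline_posture: bool = False
    platform: str = "appliance"      # "appliance" or "vmware"


def system_resolver(fqdn):
    """Return an IPv4 address for fqdn, or None if it does not resolve."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None


def check_plan(nodes, resolve=system_resolver):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    ise = [n for n in nodes if not n.inline_posture]
    ipn = [n for n in nodes if n.inline_posture]

    # Exactly one primary, and it must run the Administration persona.
    primaries = [n for n in ise if n.role == "primary"]
    primary = primaries[0] if len(primaries) == 1 else None
    if primary is None:
        findings.append(f"expected exactly one primary node, found {len(primaries)}")
    elif "administration" not in primary.personas:
        findings.append(f"{primary.fqdn}: primary must run the Administration persona")

    # At least one and at most two nodes with the Monitoring persona.
    monitoring = [n for n in ise if "monitoring" in n.personas]
    if not monitoring:
        findings.append("no node assumes the Monitoring persona")
    elif len(monitoring) > 2:
        findings.append(f"{len(monitoring)} nodes hold the Monitoring persona; the maximum is two")

    # Inline Posture nodes: at most two, dedicated, never on VMware.
    if len(ipn) > 2:
        findings.append(f"{len(ipn)} Inline Posture nodes planned; the maximum is two")
    for n in ipn:
        if n.personas:
            findings.append(f"{n.fqdn}: Inline Posture node cannot assume a persona")
        if n.platform == "vmware":
            findings.append(f"{n.fqdn}: Inline Posture is not supported on VMware")

    for n in nodes:
        unknown = set(n.personas) - KNOWN_PERSONAS
        if unknown:
            findings.append(f"{n.fqdn}: unknown persona(s) {sorted(unknown)}")
        if resolve(n.fqdn) is None:
            findings.append(f"{n.fqdn}: FQDN does not resolve in DNS")
        if primary is None or n is primary:
            continue
        # Secondary ISE nodes must match the primary's software version.
        if not n.inline_posture and n.version != primary.version:
            findings.append(f"{n.fqdn}: version {n.version} differs from primary {primary.version}")
        # Every node is set up with the same NTP server name.
        if n.ntp_server != primary.ntp_server:
            findings.append(f"{n.fqdn}: NTP server {n.ntp_server} differs from primary")
    return findings


# Constructed sample data (not from a real deployment).
STUB_DNS = {
    "ise-pan1.example.com": "192.0.2.11",
    "ise-pan2.example.com": "192.0.2.12",
    "ise-psn1.example.com": "192.0.2.21",
    "ise-ipn1.example.com": "192.0.2.31",
}


def stub_resolver(fqdn):
    return STUB_DNS.get(fqdn)


ADMIN_MON = frozenset({"administration", "monitoring"})
SAMPLE_PLAN = [
    Node("ise-pan1.example.com", "1.1", "ntp.example.com", "primary", ADMIN_MON),
    Node("ise-pan2.example.com", "1.1", "ntp.example.com", "secondary", ADMIN_MON),
    Node("ise-psn1.example.com", "1.0", "ntp.example.com", "secondary",
         frozenset({"policy_service"})),
    Node("ise-psn2.example.com", "1.1", "ntp2.example.com", "secondary",
         frozenset({"policy_service", "monitoring"})),
    Node("ise-ipn1.example.com", "1.1", "ntp.example.com",
         inline_posture=True, platform="vmware"),
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN, stub_resolver):
        print(finding)
```

Pass a resolver that queries the DNS server the primary node uses to make the FQDN check match what registration will see.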

Cisco ISE Architecture Overview


Figure 1-1 illustrates a basic overview of the Cisco ISE architecture that includes the following components:

- Nodes and persona types
  - ISE node: Administration, Policy Service, Monitoring
  - Inline Posture node: Gatekeeping and access policy enforcer
- Network resources
- Endpoints

Note

Figure 1-1 shows ISE nodes and persona types (Administration, Policy Service, and Monitoring), an Inline Posture node, and a policy information point. The policy information point represents the point at which external information is communicated to the Policy Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP) attribute.
Figure 1-1 Cisco ISE Architecture
(Diagram labels: Monitoring persona, Administration persona, Policy Services persona, policy information point, resource; flows: logging, view logs/reports, view/configure policies, query attributes, request/response context, resource access.)


Deployment Scenarios
This section describes three scenarios in which Cisco ISE can be deployed in a distributed deployment:

- Small Cisco ISE Network Deployments
- Medium Cisco ISE Network Deployments
- Large Cisco ISE Network Deployments

Small Cisco ISE Network Deployments


The smallest Cisco ISE deployment consists of two Cisco ISE nodes as shown in Figure 1-2, with one Cisco ISE node functioning as the primary appliance in a small network that supports up to 3,000 concurrent endpoints.


Note

Concurrent endpoints represent the total number of supported users and devices. This can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.

The primary node provides all the configuration, authentication, and policy capabilities that are required for this network model, while the secondary Cisco ISE node functions in a backup role. The secondary node supports the primary node and maintains a functioning network whenever connectivity is lost between secondary network appliances, network resources, or RADIUS. RADIUS is where the centralized AAA operations are performed between clients and the primary Cisco ISE node.

As a result, the key requirement is to ensure that you can synchronize or replicate all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node(s). Being able to synchronize between the primary and secondary node makes it possible to keep the secondary node current with the state of your primary node. In a small network deployment, this type of configuration model allows you to configure both your primary and secondary node on all RADIUS clients by using this type of deployment or a similar approach.

Figure 1-2 Small Cisco ISE Network Deployment
(Diagram labels: primary ISE node, secondary ISE node; links: replication, primary AAA connection, secondary AAA connection.)

As the number of devices, network resources, users, and AAA clients increases in your network environment, we recommend that you change your deployment configuration from the basic small model and use more of a split or distributed deployment model, as shown in Figure 1-3.

Note

Figure 1-2 shows the secondary Cisco ISE node acting as a Policy Service persona performing AAA functions. The secondary Cisco ISE node could also be acting as a Monitoring or Administration persona.

Split Cisco ISE Deployments


In the case of split Cisco ISE deployments, you will continue to maintain primary and secondary nodes as described in the small Cisco ISE deployment. However, the AAA load is split between these two Cisco ISE nodes to optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to handle the full workload if there are any problems with AAA connectivity. When running under normal network operations, neither the primary nor the secondary node carries the full load of handling AAA requests because this workload is distributed between the two nodes.


The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system. In addition, splitting the load also provides better loading while still maintaining the functional status of the secondary node during the course of normal network operations. Another advantage is that each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions in the event of a failure. If you have two Cisco ISE nodes that process authentication requests and collect accounting data from AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector. Figure 1-3 shows the secondary Cisco ISE node in this role.
Figure 1-3 Split Cisco ISE Network Deployment
(Diagram labels: primary ISE node, secondary and log collector node; links: replication, primary AAA connection, secondary AAA connection, logging connection.)

In addition, the split Cisco ISE node deployment design provides an advantage because it also allows for growth, as shown in Figure 1-4.

Medium Cisco ISE Network Deployments


As small, local networks grow, you can keep pace and manage network growth by adding additional Cisco ISE nodes to create a medium network that supports up to 6,000 concurrent endpoints. In medium network deployments, consider promoting one Cisco ISE node to perform as the primary to handle all the configuration services, and secondary Cisco ISE nodes to manage all your AAA functions. As the amount of log traffic increases in the network, you can choose to either use the primary Cisco ISE node as your centralized log collector or dedicate one of the secondary Cisco ISE nodes to serve in this capacity for your network.


Figure 1-4 Medium Cisco ISE Network Deployment
(Diagram labels: primary ISE node and log collector, secondary ISE nodes, add nodes to scale; links: replication, primary AAA connection, secondary AAA connection, logging connection.)

Large Cisco ISE Network Deployments


We recommend that you use centralized logging (as shown in Figure 1-5) for larger Cisco ISE networks that support up to 10,000 concurrent endpoints. To use centralized logging, you must set up a dedicated logging server that serves as a Monitoring persona (for monitoring and logging) to handle the potentially high syslog traffic that a large, busy network can generate. Because syslog messages are generated for outbound log traffic, any RFC-3164-compliant syslog appliance can serve as the collector for outbound logging traffic. A dedicated logging server enables you to use the reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes. See Understanding the Setup Program Parameters, page 3-3 when configuring the Cisco ISE software to support a dedicated logging server.

You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE node and a generic syslog server. Adding a generic syslog server provides a redundant backup if the Monitoring persona on the Cisco ISE node goes down.

In large centralized networks, you should use a load balancer (as shown in Figure 1-5), which simplifies the deployment of AAA clients. Using a load balancer requires only a single entry for the AAA servers, and the load balancer optimizes the routing of AAA requests to the available servers. However, having only a single load balancer introduces the potential for having a single point of failure. To avoid this potential issue, deploy two load balancers to ensure a measure of redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client, and this configuration remains consistent throughout the network.
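Because the collector only has to be RFC 3164 compliant, it helps to see what that header actually carries. The following added Python example (not Cisco code; the function name and the sample lines are constructed) decodes the PRI value and the timestamp, which has no year and no time zone, so the collector must assume both. That is the practical reason behind the guide's recommendation to run every node in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG  (day of month is space-padded)
_HEADER = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}) ([ \d]\d) (\d{2}):(\d{2}):(\d{2}) (\S+) (.*)$",
    re.S)


def parse_rfc3164(line, received_at, sender_tz=timezone.utc):
    """Parse one RFC 3164 message; return a dict, or None if malformed.

    received_at is the collector's timezone-aware receive time. The header
    has no year or zone, so the year comes from received_at and the zone
    from sender_tz (an assumption the collector has to make).
    """
    m = _HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    month = MONTHS.get(m.group(2))
    if pri > 191 or month is None:       # 23 facilities * 8 + 7 is the maximum
        return None
    try:
        ts = datetime(received_at.year, month, int(m.group(3)),
                      int(m.group(4)), int(m.group(5)), int(m.group(6)),
                      tzinfo=sender_tz)
        # A December message received in January belongs to the previous year.
        if ts - received_at > timedelta(days=1):
            ts = ts.replace(year=ts.year - 1)
    except ValueError:
        return None
    return {
        "facility": pri >> 3,            # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri & 7],
        "timestamp": ts.astimezone(timezone.utc),
        "host": m.group(7),
        "message": m.group(8),
    }


# Constructed sample line, not captured from a Cisco ISE node.
SAMPLE_LINE = "<134>Mar 14 09:15:02 ise-psn1 auth: constructed sample message"

if __name__ == "__main__":
    now = datetime(2012, 3, 14, 9, 15, 5, tzinfo=timezone.utc)
    print(parse_rfc3164(SAMPLE_LINE, now))
    # Same bytes, different assumed sender zone: the event moves by 8 hours.
    print(parse_rfc3164(SAMPLE_LINE, now, timezone(timedelta(hours=-8))))
```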


Figure 1-5 Large Cisco ISE Network Deployment
(Diagram labels: primary ISE node, dedicated ISE syslog or logging node, secondary ISE nodes, load balancer; links: replication, primary AAA connection, logging connection.)

Dispersed Cisco ISE Network Deployments


Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus is where the primary network resides, is connected to additional LANs, ranges in size from small to large, and supports appliances and users in different geographical regions or distant locations. To optimize AAA performance, each remote site should have its own AAA infrastructure (as shown in Figure 1-6). A centralized management model helps maintain a consistent, synchronized AAA policy. A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote location should retain its own unique network requirements.


Figure 1-6 Dispersed Cisco ISE Deployment
(Diagram labels: primary ISE node, dedicated ISE syslog or logging node, ISE transaction servers located at local or regional hot spots; links: replication, primary AAA connection, secondary AAA connection, logging connection.)

Some factors to consider when planning a network that has several remote sites include the following:

- Verify if a central or external database is used, such as Microsoft Active Directory or LDAP. For optimizing the process, each remote site should have a synchronized instance of the external database that is available for Cisco ISE to access.
- Locating the AAA clients is important. You should locate your Cisco ISE nodes as close as possible to the AAA clients to reduce network latency effects and the potential for loss of access that is caused by WAN failures.
- Cisco ISE has console access for some functions such as backup. Consider using a terminal at each site, which allows for direct, secure console access that bypasses network access to each node.
- If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, consider using a Cisco ISE node as a backup for the local site to provide redundancy.
- DNS should be properly configured on all Cisco ISE nodes to ensure access to the external databases.

Configuration of a Cisco ISE Node


This section briefly describes the roles that various Cisco ISE appliances play in a network deployment and how to configure them:

- Primary Node
- Secondary Node
- Logging Server


See the Setting Up Cisco ISE in a Distributed Environment chapter of the Cisco Identity Services Engine User Guide, Release 1.1, for more information on:

- Configuring a Cisco ISE Node
- Configuring Administration Cisco ISE Nodes for High Availability
- Viewing Nodes in a Deployment
- Managing Node Groups
- Changing Node Personas and Services
- Configuring Monitoring ISE Nodes for Automatic Failover
- Removing a Node from Deployment
- Replacing the Cisco ISE Appliance Hardware

All Cisco ISE appliances have a similar installation procedure. For specific details, see the following sections:

- Chapter 3, Configuring the Cisco ISE 3300 Series Appliance, for installing Cisco ISE software on the Cisco ISE 3300 Series appliance.
- Chapter 4, Installing the Cisco ISE 3300 Series Software in a VMware Virtual Machine, for installing Cisco ISE software on a VMware ESX server.

Note

For any Cisco ISE network deployment, your first hardware installation must be performed on the node that is designated as the primary node in your network.

Primary Node
In a Cisco ISE deployment, only one appliance can serve as a Cisco ISE primary node. This primary node provides configuration capabilities and is the source for all replication operations. When in a primary-secondary pair, only the primary and secondary nodes that operate as the Administration persona need to be configured in the license file. When you install the license file on the primary, the license requirements for the secondary node are met.

Secondary Node
Because the network can only have a single primary Cisco ISE node, all other Cisco ISE nodes function as secondary nodes. Although the Cisco ISE secondary nodes receive all the system configurations from the primary node, you must configure the following on each secondary node:

- License: When the base license is installed on the primary, replication copies the license onto each of the Cisco ISE secondary nodes in the deployment.
- New local certificates: You can either configure the local certificates on the secondary nodes or import the local certificates from the primary node onto each secondary node.
- Logging server: You can configure either the primary or the secondary node to serve as the dedicated logging server for your Cisco ISE network. We strongly recommend that you configure a secondary Cisco ISE node as the dedicated logging server.

In a primary-secondary node pair, the secondary node is registered and it begins to receive the full synchronization of the configuration and replication updates from the primary node in the network.


Logging Server
You can configure either the primary node or one of the secondary nodes as the dedicated logging server for your network. In this role, the logging server receives logs from the primary node and all the secondary nodes deployed in the Cisco ISE network. We recommend that you designate one of the Cisco ISE secondary nodes as the Monitoring persona and exclude this particular secondary node from any of the AAA activities. Three main logging categories are captured:

- Audit
- Accounting
- Diagnostics

For a complete description that provides more details on logging categories and best practices for configuring the logging server, see Chapter 13, Logging in the Cisco Identity Services Engine User Guide, Release 1.1.

Switch Configurations Required to Support Cisco ISE Functions


To ensure that Cisco ISE is able to interoperate with network switches, and functions from Cisco ISE are successful across the network segment, you must configure your network switches with certain required NTP, RADIUS/AAA, 802.1X, MAB, and other settings.
For more information:

For more switch configuration requirements, see Appendix C, Switch Configuration Required to Support Cisco ISE Functions in the Cisco Identity Services Engine User Guide, Release 1.1.

Planning an Inline Posture Deployment


This section is only intended to provide a brief overview of what is needed to plan and deploy Inline Posture in a Cisco ISE network. It is the responsibility of your network or system architect to research the issues involved in Inline Posture deployment to determine what best suits your network needs and requirements. Before you start any planning for deploying or configuring Inline Posture for your network, you must first understand what types of Inline Posture operating modes and deployment options are supported.

Note

For more details about Inline Posture operating modes, filters, managed subnets, and Inline Posture high availability as these topics correspond to the Cisco ISE network, see Chapter 10, Setting Up an Inline Posture Node, in the Cisco Identity Services Engine User Guide, Release 1.1.

Inline Posture Planning Considerations


This section poses some basic questions and considerations that must be addressed by your network or system architect when planning to deploy Inline Posture nodes. Ensure that you have understood the following planning and deployment issues prior to starting any Inline Posture node configuration in a distributed Cisco ISE network deployment:


- How do you plan to deploy your Inline Posture node?
- How will you deploy your Inline Posture node(s)?
- Will the Inline Posture node be run as a standalone node, or as part of a primary-secondary pair of Inline Posture nodes?

Note

Cisco ISE networks support up to two Inline Posture nodes configured on your network at any one time. If you plan to deploy an Inline Posture high-availability primary-secondary pair, then two Inline Posture nodes must be configured. In this mode, one node is designated as the primary and the other as the secondary node. The primary node assumes the primary role when both nodes come up at the same time.

- Will your deployment plans include an Inline Posture primary-secondary pair configuration? If so, be aware that all configuration related to functionality can only be done from the primary node of this pair (the Cisco ISE user interface only shows basic configuration tables for the secondary node in this configuration).

Note that you can synchronize an Inline Posture primary node configuration with its peer secondary node using the Failover tab of the primary node in this Inline Posture pair. For more information, see Chapter 10, Setting Up an Inline Posture Node, in the Cisco Identity Services Engine User Guide, Release 1.1.

The following topics in this section provide some basic information on Inline Posture nodes, but these topics are not intended to provide you with all the information needed to complete a comprehensive deployment plan for your network.

Choosing an Inline Posture Operating Mode


Which Inline Posture operating mode you choose largely depends on your existing network architecture. The choice you make limits many of the other configuration options you may want in your Cisco ISE deployment. Therefore, you need to fully understand each of the following primary Inline Posture operating modes:

- Routed mode: This mode acts as a Layer 3 hop in the network connections. The routed mode selectively forwards packets to specified addresses. The routed mode ensures it can segregate network traffic, which allows you to specify access to users who can access selected destination addresses.
- Bridged mode: This mode acts as a Layer 2 bump in the wire in the network connections. The bridged mode forwards packets regardless of the destination address.

Note

Inline Posture nodes also support a maintenance mode, which takes the node offline so that you can perform administrative procedures. This mode is also the default when an Inline Posture node is initially brought online in the network.

Inline Posture Routed Mode


In the routed mode, an Inline Posture node operates as a Layer 3 router and functions as the default gateway for an untrusted (outside Cisco ISE) network with its managed clients. All traffic between an untrusted and trusted network passes through this Inline Posture routed mode. The routed mode applies IP filtering rules, the configured access policies, and other traffic-based policies you have set up for your network.


When you configure an Inline Posture node in its routed mode, specify the IP addresses of its two interfaces:

Trusted (Eth0)
Untrusted (Eth1)

The trusted and untrusted addresses should be on different subnets. An Inline Posture node can manage one or more subnets, and the untrusted interface acts as a gateway for the managed subnets. Figure 1-7 illustrates an example of an Inline Posture routed mode configuration.
Figure 1-7 Inline Posture Routed Mode Configuration

[Diagram not reproduced. Labels: Inline Posture HA pair (Inline Posture 1 and Inline Posture 2, each with interfaces eth0, eth1, eth2, and eth3); VPN gateway; VPN outside subnets 10.20.80.0/24 and 10.20.90.0/24; enterprise subnets 10.20.40.0/24, 10.20.50.0/24, 10.20.60.0/24, and 10.20.70.0/24; ISE Policy Services persona.]
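The routed-mode addressing rule above (trusted Eth0 and untrusted Eth1 on different subnets) can be checked before any address is entered on the node. The following Python sketch is an added example, not part of the Cisco guide or of Cisco ISE: the function names and finding codes are hypothetical, the sample addresses are constructed from the subnets shown in Figure 1-7, and the check that a managed subnet must not overlap the trusted subnet is an assumption made here to keep the trust boundary unambiguous.

```python
import ipaddress


def _host_interface(label, cidr, findings):
    """Parse 'address/prefix' and flag values that cannot be assigned to a NIC."""
    try:
        iface = ipaddress.ip_interface(cidr)
    except ValueError as exc:
        findings.append(("BAD_ADDRESS", f"{label}: {exc}"))
        return None
    net = iface.network
    # Below /31, the first and last addresses are the network and broadcast addresses.
    if net.prefixlen < net.max_prefixlen - 1 and iface.ip in (
        net.network_address,
        net.broadcast_address,
    ):
        findings.append(("NOT_A_HOST", f"{label}: {iface.ip} is not a host address in {net}"))
    return iface


def check_routed_plan(trusted_eth0, untrusted_eth1, managed_subnets):
    """Return (code, message) findings for a planned routed-mode node."""
    findings = []
    trusted = _host_interface("trusted (eth0)", trusted_eth0, findings)
    untrusted = _host_interface("untrusted (eth1)", untrusted_eth1, findings)

    # Rule from the guide: trusted and untrusted addresses belong on different
    # subnets. overlaps() also catches a /25 carved out of the other side's /24.
    if trusted is not None and untrusted is not None:
        if trusted.network.overlaps(untrusted.network):
            findings.append((
                "SAME_SUBNET",
                f"eth0 {trusted.network} and eth1 {untrusted.network} overlap",
            ))

    for subnet in managed_subnets:
        try:
            net = ipaddress.ip_network(subnet)  # strict: host bits must be zero
        except ValueError as exc:
            findings.append(("BAD_SUBNET", f"{subnet}: {exc}"))
            continue
        # Assumption of this example: a managed (untrusted-side) subnet that
        # overlaps the trusted subnet blurs the boundary the node enforces.
        if trusted is not None and net.overlaps(trusted.network):
            findings.append((
                "MANAGED_OVERLAPS_TRUSTED",
                f"managed subnet {net} overlaps trusted subnet {trusted.network}",
            ))
    return findings


def codes(findings):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    # Constructed sample plans; the subnets are borrowed from Figure 1-7.
    plans = {
        "clean": ("10.20.50.2/24", "10.20.80.2/24", ["10.20.80.0/24"]),
        "nested": ("10.20.50.2/24", "10.20.50.130/25", []),
        "messy": ("10.20.50.2/24", "10.20.80.0/24", ["10.20.0.0/16", "10.20.90.7/24"]),
    }
    for name, plan in plans.items():
        print(name, codes(check_routed_plan(*plan)) or "ok")
```
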

Inline Posture Bridged Mode


When operating in a bridged mode, the Inline Posture node operates like a standard Ethernet bridge. This configuration is used most often when the untrusted network already contains a gateway, and you do not want or plan to make any changes to the existing configuration. Figure 1-8 shows the Inline Posture node acting as a bridge for the Layer 2 client traffic from the WLC into the Cisco ISE network. While in this configuration, the Inline Posture node requires subnet entries for the subnets to be able to respond to and send ARP broadcasts to the correct VLANs. The Layer 2 flow of traffic from the three example subnets (10.20.80.0/24, 10.20.90.0/24, and 10.20.60.0/24) all reflect the use of the bridged mode on the Inline Posture node using VLAN mapping. The only difference between the three subnet examples is that for the 10.20.60.0/24 subnet, the Inline Posture main interfaces reside within this subnet.


Figure 1-8 Inline Posture Bridged Mode Configuration

[Diagram not reproduced. Labels: Inline Posture persona; WLC gateway; ISE Policy Services persona; subnets 10.20.80.0/24 and 10.20.90.0/24; enterprise subnets 10.20.80.0/24, 10.20.90.0/24, and 10.20.60.0/24. Legend: L2 flow of subnet 10.20.80.0/24 bridged by Inline Posture using VLAN mapping; L2 flow of subnet 10.20.90.0/24 bridged by Inline Posture using VLAN mapping; L2 flow of subnet 10.20.60.0/24 bridged by Inline Posture using VLAN mapping (the Inline Posture main interfaces are in this subnet).]

Deploying Inline Posture as Standalone or High Availability


The most important decision you may make about your Inline Posture deployment is whether to deploy it as a single, standalone Inline Posture node, or as a primary-secondary pair to ensure high availability and provide redundancy for network reliability.

A standalone Inline Posture node is a single Inline Posture node that provides Inline Posture services, while working independently of all other nodes in your Cisco ISE network. You may decide to deploy a single standalone Inline Posture node for a network that serves a smaller facility or for a small network where network redundancy is not a major concern.

When you configure a pair of Inline Posture nodes for high availability, they act as a primary-secondary pair to provide additional redundancy and reliability. This primary-secondary pair ensures that your network continues functioning even if one node in the pair fails. If the primary node fails, the secondary node takes over and provides the needed Inline Posture functionality.

About Inline Posture High Availability


Inline Posture high availability consists of two Inline Posture nodes that are configured as a primary-secondary pair. In this configuration, the primary node acts as the RADIUS proxy and forwards all network packets. If the primary node fails, the secondary Inline Posture node in this pair takes over.


In an Inline Posture stateless high-availability deployment that has a primary-secondary pair configuration, the secondary node acts as a backup unit and does not forward any packets between the interfaces. Stateless means that sessions that have been authenticated and authorized by the primary node are automatically authorized again once a failover occurs. The secondary node monitors the primary node using the heartbeat protocol (on the eth2 and eth3 interfaces). The heartbeat protocol requires that messages are sent at regular intervals between the two nodes. If the heartbeat stops or does not receive a response back in the allotted time, failover occurs and recovery action takes place. When the heartbeat protocol is active in an Inline Posture high-availability configuration, it requires a network connection between the eth2 and eth3 interfaces of the Inline Posture primary-secondary pair. The eth2 and eth3 interfaces of each node in an Inline Posture high-availability pair (primary and secondary) are configured to use heartbeat protocol exchanges between the two nodes. For this reason, you must make a direct cable connection between the eth2 interfaces of both Inline Posture nodes, and likewise, there must also be a direct cable connection between the eth3 interfaces of both nodes to ensure redundancy.

Note

The heartbeat protocol requires a direct cable connection between the eth2 interfaces of both nodes in a high-availability pair, as well as a direct cable connection between the eth3 interfaces of the two nodes. You can use any Ethernet cable to make these connections. Figure 1-9 illustrates this cable requirement.
Figure 1-9 Heartbeat Protocol: eth2 and eth3 Interface Ethernet Cable Connections

[Diagram not reproduced. Labels: Inline PEP HA pair (Inline Posture 1 and Inline Posture 2, each with interfaces Eth0, Eth1, Eth2, and Eth3); VPN gateway; ISE PDP; VPN outside subnets 10.20.80.0/24 and 10.20.90.0/24; enterprise subnets 10.20.40.0/24, 10.20.50.0/24, 10.20.60.0/24, and 10.20.70.0/24.]
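The heartbeat monitoring described above can be modelled to see why both the eth2 and the eth3 cable matter. The following Python sketch is an added example, not Cisco's implementation and not part of the guide: the one-second heartbeat interval, the three-second timeout, the rule that the secondary takes over only when both links are silent, and the event names are all assumptions of this model, and the traces are constructed.

```python
from dataclasses import dataclass, field

HEARTBEAT_LINKS = ("eth2", "eth3")  # heartbeat interfaces named in the guide


@dataclass
class SecondaryMonitor:
    """Secondary node's view of the primary (simplified, assumed semantics)."""

    timeout: int = 3  # assumed "allotted time" in seconds; the guide gives no value
    role: str = "secondary"  # becomes "active" (label used here) after failover
    last_seen: dict = field(default_factory=lambda: dict.fromkeys(HEARTBEAT_LINKS, 0))
    reported: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def heartbeat(self, link, now):
        """Record a heartbeat received from the primary on one link."""
        if link not in self.last_seen:
            raise ValueError(f"{link} is not a heartbeat interface")
        self.last_seen[link] = now
        if link in self.reported:
            self.reported.discard(link)
            self.events.append((now, "LINK_RESTORED", link))

    def evaluate(self, now):
        """Decide whether the primary is still alive at time `now`."""
        if self.role != "secondary":
            return self.role
        silent = [l for l in HEARTBEAT_LINKS if now - self.last_seen[l] > self.timeout]
        if len(silent) == len(HEARTBEAT_LINKS):
            # No heartbeat on any link within the timeout: take over.
            self.role = "active"
            self.events.append((now, "FAILOVER", "+".join(silent)))
        else:
            # One link silent: the primary is alive, but redundancy is gone.
            for link in silent:
                if link not in self.reported:
                    self.reported.add(link)
                    self.events.append((now, "LINK_SILENT", link))
        return self.role


def replay(last_heartbeat, end, timeout=3):
    """Replay a constructed trace.

    last_heartbeat maps each link to the last second at which a heartbeat
    arrives on it (heartbeats arrive once per second from t=0 until then).
    """
    monitor = SecondaryMonitor(timeout=timeout)
    for now in range(end + 1):
        for link, last in last_heartbeat.items():
            if now <= last:
                monitor.heartbeat(link, now)
        monitor.evaluate(now)
    return monitor.role, monitor.events


if __name__ == "__main__":
    # eth3 cable unplugged after t=5: no failover, but redundancy is lost.
    print(replay({"eth2": 20, "eth3": 5}, end=20))
    # Primary stops at t=10 on both links: the secondary takes over.
    print(replay({"eth2": 10, "eth3": 10}, end=20))
    # Unnoticed eth3 fault followed by a primary failure.
    print(replay({"eth2": 10, "eth3": 5}, end=20))
```

In this model a single unplugged cable never triggers a takeover, which is the redundancy the two direct connections provide; the LINK_SILENT event is the condition worth alerting on, because from then on one more cable fault is indistinguishable from a primary failure.
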


CHAPTER 2

Introducing the Cisco ISE 3300 Series Hardware


This chapter introduces the Cisco Identity Services Engine (ISE) 3300 Series appliance hardware and provides descriptions of the support appliance hardware, the major components, controls, connectors, and front-panel and rear-panel LED indicators. This chapter contains information about the following topics:

Cisco ISE Series Appliances, page 2-1
Cisco ISE 3300 Series Appliance Hardware Summary, page 2-1

Cisco ISE Series Appliances


The Cisco Application Deployment Engine (ADE) Release 2.0 operating system (ADE-OS) and Cisco ISE software run on either a dedicated Cisco ISE 3300 Series appliance or on a VMware server (Cisco ISE VM). The Cisco ISE Release 1.1 software does not support the installation of any other packages or applications on this dedicated platform. See the Release Notes for Cisco Identity Service Engine, Release 1.1 for additional hardware compatibility information.

Cisco ISE 3300 Series Appliance Hardware Summary


Table 2-1, Table 2-2, and Table 2-3 summarize the hardware specifications for each of the supported Cisco ISE appliances. See the Diagrams column for hyperlinks to detailed diagrams that show network interface card (NIC) ports, power supply sockets, LEDs, and important controls or buttons on the corresponding panel.


Table 2-1 Cisco ISE 3315 Appliance Hardware Summary

Hardware and Support Specifications

Supports up to 3,000 concurrent endpoints (footnote 1)
4 gigabyte (GB) RAM
2 x 250 GB SATA (footnote 2) hard disk drive (HDD)
Single processor: Quad-core Intel Xeon (Core 2 quad)
Four 10/100/1000 LAN ports [two integrated NICs; 2 gigabit (Gb) NICs (PCI-E)]
CD/DVD-ROM drive
Four USB ports (two on the front panel, two on the rear panel)
Two Gb Ethernet ports on rear panel
One serial port on the rear panel
One Video Graphics Array (VGA) port on the front panel
Weight: From 24.25 lb (11.0 kg) to 28.0 lb (12.7 kg), depending on what options are installed.
Dimensions: 1.75 in. H x 17.3 in. W x 22.0 in. D (44.5 mm x 440.0 mm x 559.0 mm); these dimensions do not include the rack handles.
Cooling fans: Five (plus two on the power supply).
Rack mounting: Uses slide rails (see Installing the Slide Rails in a Rack, page B-4); mounts in a standard 19-inch (48.3 cm), four-post equipment rack (by using the provided rack-mount brackets).
Maximum operating altitude: 7000 feet (2133 meters).
Operating temperature range: 50 to 90°F (10 to 35°C) up to 3,000 feet (914.4 meters); 50 to 90°F (10 to 32°C) 3000 to 7000 feet (914.4 to 2133 meters).
Power: Configured for AC-input power; has a single autoranging AC-input power supply (350 Watts).

Diagrams

Figure 2-2 on page 2-5, Cisco ISE 3315 Front-Panel Features
Figure 2-3 on page 2-6, Cisco ISE 3315 Front-Panel LEDs and Buttons
Figure 2-4 on page 2-7, Cisco ISE 3315 Rear-Panel Features
Figure 2-5 on page 2-7, Cisco ISE 3315 Rear-Panel LEDs

1. Concurrent endpoints represent the total number of supported users and devices. This can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.
2. SATA = serial advanced technology attachment.

Note

The Cisco ISE 3315 appliance is normally shipped with a rack-mount hardware kit that includes brackets or rails for mounting it in a four-post equipment rack. For more information, see Mounting a Cisco ISE 3300 Series Appliance in a Four-Post Rack, page B-2.


Table 2-2 Cisco ISE 3355 Appliance Hardware Summary

Hardware and Support Specifications

Supports up to 6,000 concurrent endpoints
Single processor: Quad-core Intel Xeon (Nehalem)
4 GB RAM
2 x 300 GB SAS (footnote 1) RAID (footnote 2) HDD
Four 10/100/1000 LAN ports [two integrated NICs; 2 Gb NICs (PCI-E)]
CD/DVD-ROM drive
Four USB ports (one on the front panel, one internal, two on the rear panel)
Two Gb Ethernet ports on the rear panel
One serial port on the rear panel
Two VGA ports (one on front panel and one on rear panel)
Cavium CN-1620-400-NHB-G accelerator card
Weight: From 28 lb (12.7 kg) to 34.5 lb (15.6 kg) depending on what options are installed.
Dimensions: 1.7 in. H x 17.3 in. W x 28.0 in. D (43 mm x 440.0 mm x 711.4 mm); these dimensions do not include the rack handles.
Cooling fans: Six for single-processor (Cisco ISE 3355) or dual-processor (Cisco ISE 3395).
Rack mounting: Uses slide rails (see Installing the Slide Rails in a Rack, page B-4); mounts in a standard 19-inch (48.3 cm), four-post equipment rack (by using the provided rack-mount brackets).
Maximum operating altitude: 7000 feet (2133 meters).
Operating temperature range: 50 to 90°F (10 to 35°C) up to 3000 feet (914.4 meters); 50 to 90°F (10 to 32°C) 3000 to 7000 feet (914.4 to 2133 meters).
Power: Configured for AC-input power; has dual redundant auto-switching power supplies (675 Watts).

Diagrams

Figure 2-7 on page 2-8, Cisco ISE 3355 Front-Panel Features
Figure 2-8 on page 2-9, Cisco ISE 3355 Front-Panel LEDs and Buttons
Figure 2-9 on page 2-10, Cisco ISE 3355 Rear-Panel Features
Figure 2-10 on page 2-11, Cisco ISE 3355 Rear-Panel LEDs

1. SAS = single-attachment station.
2. RAID = redundant array of independent disks.

Note

The Cisco ISE 3355 and Cisco ISE 3395 appliances are normally shipped with a rack-mount hardware kit that includes brackets or rails for mounting it in a four-post equipment rack. For more information, see Mounting a Cisco ISE 3300 Series Appliance in a Four-Post Rack, page B-2. The rack-mount hardware kits for Cisco ISE 3300 Series appliances do not include a two-post equipment rack.


Table 2-3 Cisco ISE 3395 Appliance Hardware Summary

Hardware and Support Specifications

Supports up to 10,000 concurrent endpoints
Dual processor: 2 x Quad-core Intel Xeon (Nehalem)
4 GB RAM
4 x 300 GB SAS RAID HDD
Four 10/100/1000 LAN ports [two integrated NICs; 2 Gb NICs (PCI-E)]
CD/DVD-ROM drive
Four USB ports (one on the front panel, one internal, two on the rear panel)
Two Gb Ethernet ports on the rear panel
One serial port on the rear panel
Two VGA ports (one on front panel and one on rear panel)
Cavium CN-1620-400-NHB-G accelerator card
Weight: From 28 lb (12.7 kg) to 34.5 lb (15.6 kg) depending on what options are installed.
Dimensions: 1.7 in. H x 17.3 in. W x 28.0 in. D (43 mm x 440.0 mm x 711.4 mm); these dimensions do not include the rack handles.
Cooling fans: Six for single-processor (Cisco ISE 3355) or dual-processor (Cisco ISE 3395).
Rack mounting: Uses slide rails (see Installing the Slide Rails in a Rack, page B-4); mounts in a standard 19-inch (48.3 cm), four-post equipment rack (by using the provided rack-mount brackets).
Maximum operating altitude: 7000 feet (2133 meters).
Operating temperature range: 50 to 90°F (10 to 35°C) up to 3000 feet (914.4 meters); 50 to 90°F (10 to 32°C) 3000 to 7000 feet (914.4 to 2133 meters).
Power: Configured for AC-input power; has dual redundant auto-switching power supplies (675 Watts).

Diagrams

Figure 2-12 on page 2-12, Cisco ISE 3395 Front-Panel Features
Figure 2-13 on page 2-13, Cisco ISE 3395 Front-Panel LEDs and Buttons
Figure 2-14 on page 2-14, Cisco ISE 3395 Rear-Panel Features
Figure 2-15 on page 2-15, Cisco ISE 3395 Rear-Panel LEDs


Cisco ISE 3315 Serial Number Location


The serial number label is located at the lower left of the front panel of the Cisco ISE 3315 (see Figure 2-1).
Figure 2-1 Cisco ISE 3315 Appliance Serial Number Location

[Illustration not reproduced.]

Note

The serial number for the Cisco ISE 3315 is defined by and observes the Cisco unique device identifier (UDI) specifications.

Cisco ISE 3315 Front and Rear Panels


The Cisco ISE 3315 platform is recommended for deployments that serve up to 3,000 concurrent endpoints and that manage up to three additional appliances or three high-availability pairs. The Cisco ISE 3315 comes equipped with four network interfaces that provide flexibility in NIC interface selection and also enable it for use in high-availability configurations. For additional details, see Cisco ISE Series Appliances, page 2-1.

Note

Concurrent endpoints represent the total number of supported users and devices. This can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.

Cisco ISE 3315 Front-Panel Features


Figure 2-2, Figure 2-3, and the accompanying tables illustrate and describe the Cisco ISE 3315 front-panel features, LEDs, and buttons.
Figure 2-2 Cisco ISE 3315 Front-Panel Features

[Illustration not reproduced.]

1 Front USB port 1
2 Front USB port 2
3 Hard disk drive (HDD) bay 0
4 HDD bay 1
5 CD-ROM/DVD drive

Figure 2-3 Cisco ISE 3315 Front-Panel LEDs and Buttons

[Illustration not reproduced.]

1 Power status LED: Green = Appliance has AC power and is powered on. Off = Appliance is powered off (AC power disconnected).
2 Power button: (Recessed.)
3 Reset button: (Recessed.)
4 HDD activity LED: Flashing green = Ongoing drive activity. Off = No drive activity.
5 Locator button or LED: Flashing blue = Locator button has been pressed.
6 System health LED: Off = System health is normal. Amber = Prefailure system threshold has been reached, which can be caused by any of the following conditions:
    At least one fan failure (system or processor fan).
    At least one of the temperature sensors reached critical level (system or processor thermal sensors).
    At least one memory module failed.
    A power supply unit error has occurred.


Cisco ISE 3315 Rear-Panel Features


Figure 2-4, Figure 2-5, and the accompanying tables illustrate and describe the Cisco ISE 3315 rear-panel features and LEDs.
Figure 2-4 Cisco ISE 3315 Rear-Panel Features

[Illustration not reproduced.]

1 AC Power supply cable socket
2 NIC 3 (eth2) add-on card
3 NIC 4 (eth3) add-on card
4 Serial port
5 Video port
6 NIC 2 (eth1) Gigabit Ethernet interface
7 NIC 1 (eth0) Gigabit Ethernet interface
8 Rear USB port 4
9 Rear USB port 3

Figure 2-5 Cisco ISE 3315 Rear-Panel LEDs

[Illustration not reproduced.]

1 NIC 1 (eth0) activity LED: Green = Activity exists. Flashing green = Activity exists. Off = No activity exists.
2 NIC 1 (eth0) link LED: Green = Link exists. Off = No link exists.
3 NIC 2 (eth1) activity LED: Green = Activity exists. Flashing green = Activity exists. Off = No activity exists.
4 NIC 2 (eth1) link LED: Green = Link exists. Off = No link exists.


Cisco ISE 3355 Serial Number Location


The serial number label is located at the lower left of the front panel of the Cisco ISE 3355 (see Figure 2-6).
Figure 2-6 Cisco ISE 3355 Appliance Serial Number Location

[Illustration not reproduced.]

Note

The serial number for the Cisco ISE 3355 is defined by and observes the Cisco UDI specifications.

Cisco ISE 3355 Front and Rear Panels


The Cisco ISE 3355 platform provides enhanced capability for enterprise-wide deployments that serve up to 6,000 concurrent endpoints and manage up to 20 other appliances or high-availability pairs. Similar to the Cisco ISE 3315, the Cisco ISE 3355 comes equipped with four network interfaces that provide flexibility in NIC interface selection and also make it capable for use in high-availability configurations. The Cisco ISE 3355 also provides 4 GB of RAM, two SAS drives that are configured in RAID 0 and 1, dual power supplies, and a Cavium CN-1620-400-NHB-G accelerator card that supports Secure Sockets Layer (SSL) for larger network deployments and provides added reliability for centralized management of the deployment in the network core. For details, see Cisco ISE Series Appliances, page 2-1.

Cisco ISE 3355 Front-Panel Features


Figure 2-7, Figure 2-8, and the accompanying tables illustrate and describe the Cisco ISE 3355 front-panel features, LEDs, and buttons.
Figure 2-7 Cisco ISE 3355 Front-Panel Features

[Illustration not reproduced.]

1 HDD bay 0
2 Empty (unused) HDD bay (footnote 1)
3 Empty (unused) HDD bay
4 Power button with LED indicator (bi-color: green or amber)
5 Operator information panel
6 Operator information panel release switch
7 Video port
8 Front USB port 1
9 Front USB port 2
10 CD-ROM/DVD drive
11 Empty (unused) HDD bay (footnote 1)
12 Empty (unused) HDD bay (footnote 1)
13 HDD bay 1

1. We do not support installing additional hard drives in the Cisco ISE 3355 appliance.

Figure 2-8 Cisco ISE 3355 Front-Panel LEDs and Buttons

[Illustration not reproduced.]

1 HDD activity LED: Green = Hard disk drive activity. Flashing green = Hard disk drive activity. Off = Hard disk drive is idle or disabled.
2 HDD status LED: Amber = Hard disk drive is in error state. Off = Hard disk drive is functioning or disconnected from power.
3 Power switch button cover: Cover slides left or right to expose or protect the power switch.
4 Ethernet icon LED: Green = Ethernet interfaces are configured and up. Off = No Ethernet interfaces are currently configured or Ethernet interfaces are all down.
5 Ethernet interface activity LEDs (NIC 1 and NIC 2): Green = Activity exists. Flashing green = Activity exists. Off = No activity exists.
6 Information LED: Amber = A noncritical system event has occurred. Off = System is functioning normally.
7 System health LED: Off = System health is normal. Amber = A prefailure system threshold has been reached, which can be caused by any of the following conditions:
    At least one fan failure (system or processor fan).
    At least one of the temperature sensors reached critical level (system or processor thermal sensors).
    At least one memory module failed.
    A power supply unit error has occurred.
8 Front locator button or LED: Flashing blue = Locator button has been pressed.
9 Ethernet interface activity LEDs (NIC 3 and NIC 4): Green = Activity exists. Flashing green = Activity exists. Off = No activity exists.
10 Power button with LED: Green = The appliance has AC power and is powered up. Rapidly flashing green = The appliance is turned off and is not yet ready to be turned on. The appliance typically only remains in this state for 1 to 3 minutes. Slowly flashing green = The appliance is currently turned off and ready to be turned on. Slowly fading on or off green = The appliance is in power-save mode and is ready to be turned on. Off = The appliance is turned off (AC power is disconnected).

Cisco ISE 3355 Rear-Panel Features


Figure 2-9, Figure 2-10, and the accompanying tables illustrate and describe the Cisco ISE 3355 rear-panel features and LEDs.
Figure 2-9 Cisco ISE 3355 Rear-Panel Features

[Illustration not reproduced.]

1 Empty (unused) PCI Express slot
2 Video port
3 Rear USB port 4
4 AC Power supply cable sockets
5 Rear USB port 3
6 Serial port (serial console, DB9 connection)
7 NIC 2 (eth1) Gigabit Ethernet interface
8 NIC 1 (eth0) Gigabit Ethernet interface
9 NIC 4 (eth3) add-on card
10 NIC 3 (eth2) add-on card


Figure 2-10 Cisco ISE 3355 Rear-Panel LEDs

[Illustration not reproduced.]

1 NIC 1 (eth0) activity LED: Green = Activity exists. Flashing green = Activity exists. Off = No activity exists.
2 NIC 1 (eth0) link LED: Green = Link exists. Off = No link exists.
3 AC power LED: Green = AC power source is connected to power supply. Off = No AC power source is connected to power supply.
4 DC power LED: Green = DC power source is connected to power supply. Off = No DC power source is connected to power supply.
5 Power supply error LED: Amber = Power source to power supply is present, but power supply is in error state. Off = Power supply is functioning normally (if AC and DC power indicators are green) or power supply is disconnected.
6 System error LED: Amber = Indicates that a system error has occurred. Off = The system is functioning normally.
7 Rear locator LED: Flashing blue = Front locator button has been pressed.
8 Power LED: Green = The appliance has AC power and is turned on. Rapidly flashing green = The appliance is turned off and is not yet ready to be turned on. The appliance typically only remains in this state for 1 to 3 minutes. Slowly flashing green = The appliance is currently turned off and ready to be turned on. Slowly fading on or off green = The appliance is in power-save mode and is ready to be turned on. Off = The appliance is turned off (AC power is disconnected).


Cisco ISE 3395 Serial Number Location


The serial number label is located at the lower left of the front panel of the Cisco ISE 3395 (see Figure 2-11).
Figure 2-11 Cisco ISE 3395 Appliance Serial Number Location

[Illustration not reproduced.]

Note

The serial number for the Cisco ISE 3395 is defined by and observes the Cisco UDI specifications.

Cisco ISE 3395 Front and Rear Panels


The Cisco ISE 3395 appliance provides the enhanced processing, memory, and power necessary for an enterprise-wide deployment serving up to 10,000 concurrent endpoints and managing up to 40 additional appliances or HA pairs. The Cisco ISE 3395 features dual processors, dual power supplies, 4 GB of RAM, four HDDs, four network interfaces, and a Cavium CN-1620-400-NHB-G accelerator card that supports SSL for larger network deployments and provides added reliability for centralized management of the deployment in the network core. For details, see Cisco ISE Series Appliances, page 2-1.

Cisco ISE 3395 Front-Panel Features


Figure 2-12, Figure 2-13, and the accompanying tables illustrate and describe the Cisco ISE 3395 front-panel features, LEDs, and buttons.
Figure 2-12 Cisco ISE 3395 Front-Panel Features

[Illustration not reproduced.]

1 HDD bay 0
2 HDD bay 2
3 Empty (unused) HDD bay (footnote 1)
4 Power button with LED indicator (bi-color: green or amber)
5 Operator information panel
6 Operator information panel release switch
7 Video port
8 Front USB port 1
9 Front USB port 2
10 CD-ROM/DVD drive
11 Empty (unused) HDD bay (footnote 1)
12 HDD bay 3
13 HDD bay 1

1. We do not support installing additional hard drives in the Cisco ISE 3395 appliance.

Figure 2-13 Cisco ISE 3395 Front-Panel LEDs and Buttons

[Illustration not reproduced.]

1 HDD activity LED: Green = Hard disk drive activity. Flashing green = Hard disk drive activity. Off = Hard disk drive is idle or disabled.
2 HDD status LED: Amber = Hard disk drive is in an error state. Off = Hard disk drive is functioning or disconnected from power.
3 Power switch button cover: Cover slides left or right to expose or protect power switch.
4 Ethernet icon LED: Green = Ethernet interfaces are configured and up. Off = No Ethernet interfaces are currently configured or the Ethernet interfaces are all down.
5 Ethernet interface activity LEDs (NIC 1 and NIC 2): Green = Activity exists. Flashing green = Activity exists. Off = No activity exists.
6 Information LED: Amber = A noncritical system event has occurred. Off = System is functioning normally.
7 System health LED: Off = System health is normal. Amber = A prefailure system threshold has been reached, which can be caused by any of the following conditions:
    At least one fan failure (system or processor fan).
    At least one of the temperature sensors reached critical level (system or processor thermal sensors).
    At least one memory module failed.
    A power supply unit error has occurred.
8 Locator button or LED: Flashing blue = Locator button has been pressed.
9 Ethernet interface activity LEDs (NIC 3 and NIC 4): Green = Activity exists. Flashing green = Activity exists. Off = No activity exists.
10 Power button or LED: Green = The appliance has AC power and is turned on. Rapidly flashing green = The appliance is turned off and is not yet ready to be turned on. The appliance typically only remains in this state for 1 to 3 minutes. Slowly flashing green = The appliance is currently turned off and ready to be turned on. Slowly fading on or off green = The appliance is in power-save mode and is ready to be turned on. Off = The appliance is turned off (AC power is disconnected).

Cisco ISE 3395 Rear-Panel Features


Figure 2-14, Figure 2-15, and the accompanying tables illustrate and describe the Cisco ISE 3395 rear-panel features and LEDs.
Figure 2-14 Cisco ISE 3395 Rear-Panel Features

[Illustration not reproduced.]

1 Empty (unused) PCI Express slot
2 Video port
3 Rear USB port 4
4 AC Power supply cable sockets
5 Rear USB port 3
6 Serial port (serial console, DB9 connection)
7 NIC 2 (eth1) Gigabit Ethernet interface
8 NIC 1 (eth0) Gigabit Ethernet interface
9 NIC 4 (eth3) add-on card
10 NIC 3 (eth2) add-on card


Figure 2-15 Cisco ISE 3395 Rear-Panel LEDs

[Illustration not reproduced.]

1 NIC 1 (eth0) activity LED: Green = Activity exists. Flashing green = Activity exists. Off = No activity exists.
2 NIC 1 (eth0) link LED: Green = Link exists. Off = No link exists.
3 AC power LED: Green = AC power source is connected to the power supply. Off = No AC power source is connected to the power supply.
4 DC power LED: Green = DC power source is connected to the power supply. Off = No DC power source is connected to the power supply.
5 Power supply error LED: Amber = Power source to power supply is present, but power supply is in error state. Off = Power supply is functioning normally (if AC and DC power indicators are green) or power supply is disconnected.
6 System error LED: Amber = Indicates that a system error has occurred. Off = The system is functioning normally.
7 Rear locator LED: Flashing blue = Front locator button has been pressed.
8 Power LED: Green = The appliance has AC power and is turned on. Rapidly flashing green = The appliance is turned off and is not yet ready to be turned on. The appliance typically only remains in this state for 1 to 3 minutes. Slowly flashing green = The appliance is currently turned off and ready to be turned on. Slowly fading on or off green = The appliance is in power-save mode and is ready to be turned on. Off = The appliance is turned off (AC power is disconnected).


CHAPTER 3

Configuring the Cisco ISE 3300 Series Appliance


This chapter describes how to perform an initial configuration of a Cisco Identity Services Engine (ISE) 3300 Series appliance, and it contains the following topics:

Before Configuring a Cisco ISE 3300 Series Appliance
Understanding the Setup Program Parameters
Configuring a Cisco ISE 3300 Series Hardware Appliance
Verifying the Configuration Process

Note

Cisco requires you to review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco ISE software on a Cisco ISE 3300 Series appliance.

Before Configuring a Cisco ISE 3300 Series Appliance


The Cisco ISE 3300 Series appliances are preinstalled with the Cisco Application Deployment Engine (ADE) Release 2.0 operating system (ADE-OS) and the Cisco ISE Release 1.1 software. The Cisco ADE-OS and the Cisco ISE software are preinstalled on a dedicated Cisco ISE appliance (Cisco ISE 3300 Series) or can be installed on a VMware server in this release. Make sure that you identify all of the following configuration settings for each appliance or VMware instance before proceeding:

Hostname
IP address for the Gigabit Ethernet 0 (eth0) interface
Netmask
Default gateway
DNS domain
Primary name server
Primary Network Time Protocol (NTP) server
System time zone
Username (username for CLI-admin user)
Password (password for CLI-admin user)
Database administrator password and database user password (one-time entry only)

For details about the differences between the CLI-admin user and web-based admin user rights, see Admin Rights Differences: CLI-Admin and Web-Based Admin Users, page 3-2.

Admin Rights Differences: CLI-Admin and Web-Based Admin Users


The username and password that you configure by using the Cisco ISE Setup program are intended to be used for administrative access to the Cisco ISE CLI and the Cisco ISE web interface. The administrator that has access to the Cisco ISE CLI is called the CLI-admin user. By default, the username for the CLI-admin user is admin and the password is user-defined during the setup process. There is no default password.

You can initially access the Cisco ISE web interface by using the CLI-admin user's username and password that you defined during the setup process. There is no default username and password for a web-based admin. The CLI-admin user is copied to the Cisco ISE web-based admin user database. Only the first CLI-admin user is copied as the web-based admin user. You should keep the CLI- and web-based admin user stores in sync, so that you can use the same username and password for both admin roles.

You can add additional web-based admin users through the user interface itself. See the Configuring Cisco ISE Administrators section of the Cisco Identity Services Engine User Guide, Release 1.1 for additional details.

The Cisco ISE CLI-admin user has different rights and capabilities than the Cisco ISE web-based admin user, and can perform additional tasks.

Tasks Performed by CLI-Admin and Web-Based Admin Users

The CLI-admin user and the web-based admin user can perform the following Cisco ISE system-related tasks:

Back up the Cisco ISE application data.
Display any system, application, or diagnostic logs on the Cisco ISE appliance.
Apply Cisco ISE software patches, maintenance releases, and upgrades.
Set the NTP server configuration.

Tasks Performed Only by the CLI-Admin User

Only the CLI-admin user can perform the following Cisco ISE system-related tasks:

Start and stop the Cisco ISE application software.
Reload or shut down the Cisco ISE appliance.
Reset the web-based admin user in case of a lockout. For additional details, see Password Negated Due to Administrator Lockout, page 6-16.

Cisco recommends that you protect the CLI-admin user credentials by explicitly creating only those users that you want to access the Cisco ISE CLI.

Note

Web-based admin users that are created by using the Cisco ISE user interface cannot automatically log into the Cisco ISE CLI. Only CLI-admin users that were explicitly created to have these privileges can access the Cisco ISE CLI.


Refer to Accessing Cisco ISE Using a Web Browser, page 6-7 for additional details.
To create other CLI-admin users, you must first log into the Cisco ISE CLI as the CLI-admin user and complete the following tasks:
Step 1

Log in by using the CLI-admin username and password that you created during the setup process.

Step 2

Enter the Configuration mode.

Step 3

Run the username command.

Note

For details, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Understanding the Setup Program Parameters


When you run the Cisco ISE Setup program to configure the Cisco ISE software, it launches an interactive CLI that prompts you to enter required parameters to configure the system (see Table 3-1). There are several ways you can make a connection to the supported hardware appliances to run the Setup program:

Using a network-based console connection to the hardware appliance.
Using a local serial console cable connection to the rear panel of the appliance.
Using a local keyboard and video (VGA) connection to the appliance.

These methods let you configure the initial network settings that create the initial set of administrator credentials for the appliance. Using the Setup program is a one-time configuration task.

Note

The following procedure assumes that you have properly installed, connected, and powered up the supported appliance by following the recommended procedures. For configuring VMware servers, see Configuring a VMware System Using the Cisco Identity Services Engine ISE Software DVD, page 4-11.

Table 3-1 Identity Services Engine Network Configuration Parameters for Setup

Prompt: Hostname
Description: Must not exceed 19 characters. Valid characters include alphanumeric (A-Z, a-z, 0-9), hyphen (-), with a requirement that the first character must be an alphabetic character.
Example: isebeta1

Prompt: (eth0) Ethernet interface address
Description: Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.
Example: 10.12.13.14

Prompt: Netmask
Description: Must be a valid IPv4 netmask.
Example: 255.255.255.0

Prompt: Default gateway
Description: Must be a valid IPv4 address for the default gateway.
Example: 10.12.13.1

Prompt: DNS domain name
Description: Cannot be an IP address. Valid characters include ASCII characters, any numbers, hyphen (-), and period (.).
Example: mycompany.com

Prompt: Primary name server
Description: Must be a valid IPv4 address for the primary name server.
Example: 10.15.20.25

Prompt: Add/Edit another name server
Description: Must be a valid IPv4 address for an additional name server.
Example: (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue.

Prompt: Primary NTP server
Description: Must be a valid IPv4 address or hostname of an NTP server.
Example: clock.nist.gov

Prompt: Add/Edit another NTP server
Description: Must be a valid NTP domain.
Example: (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

Prompt: System Time Zone
Description: Must be a valid time zone. For details, see Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST) it is PST8PDT (or UTC-8 hours).
Note: The time zones referenced in this hyperlink are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.
Example: UTC (default)

Prompt: Username
Description: Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be from 3 to 8 characters in length, and be composed of valid alphanumeric characters (A-Z, a-z, or 0-9).
Example: admin (default)

Prompt: Password
Description: Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).
Example: MyIseYP@@ss

Prompt: Database Administrator Password
Description: Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also includes underscore (_) and pound (#) keys.
Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them by using the same entry. After you configure this password, Cisco ISE uses it internally; that is, you do not have to enter it when logging into the system.
Example: ISE4adbp_ss

Prompt: Database User Password
Description: Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also includes underscore (_) and pound (#) keys.
Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them using the same entry. After you configure this password, Cisco ISE uses it internally; that is, you do not have to enter it when logging into the system.
Example: ISE5udbp#ss

Note

For details about the web-based administrator username and password, see Verifying the Configuration Using a Web Browser, page 6-10. If you are installing the Cisco ISE software on a VMware server, the Cisco ISE also installs and configures VMware tools during the initial setup. The Cisco ISE will install VMware tools version 8.3.2. To verify that the VMware tools have installed correctly, see Verifying the Installation of VMware Tools, page 6-12.
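
The rules in Table 3-1 can be checked against a planning worksheet before Setup is run, including the requirement that every node in a distributed deployment uses the same two database passwords. The following is an added example, not Cisco code: the dictionary keys, the function names, and the reading of the allowed character sets noted in the comments are assumptions, and gateway_on_subnet is an extra sanity check that Table 3-1 does not require.

```python
import ipaddress
import string

ALNUM = set(string.ascii_letters + string.digits)


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_netmask(value):
    """True for a contiguous IPv4 netmask such as 255.255.255.0."""
    if not is_ipv4(value) or value == "0.0.0.0":
        return False
    host_bits = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def has_lower_upper_digit(password):
    return all(any(c in group for c in password) for group in
               (string.ascii_lowercase, string.ascii_uppercase, string.digits))


def check_node(node):
    """Return the names of the fields that break a Table 3-1 rule."""
    errors = []
    host = node["hostname"]
    if not (1 <= len(host) <= 19 and host[0] in string.ascii_letters
            and set(host) <= ALNUM | {"-"}):
        errors.append("hostname")
    for key in ("ip_address", "gateway", "name_server"):
        if not is_ipv4(node[key]):
            errors.append(key)
    if not is_netmask(node["netmask"]):
        errors.append("netmask")
    domain = node["dns_domain"]
    # Assumption: "ASCII characters" in the table is read as ASCII letters.
    if not domain or is_ipv4(domain) or not set(domain) <= ALNUM | {"-", "."}:
        errors.append("dns_domain")
    user = node["username"]
    if not (3 <= len(user) <= 8 and set(user) <= ALNUM):
        errors.append("username")
    if len(node["password"]) < 6 or not has_lower_upper_digit(node["password"]):
        errors.append("password")
    for key in ("db_admin_password", "db_user_password"):
        pw = node[key]
        # Assumption: the allowed set is letters, digits, '_' and '#'.
        if (len(pw) < 11 or not has_lower_upper_digit(pw)
                or not set(pw) <= ALNUM | {"_", "#"}):
            errors.append(key)
    return errors


def gateway_on_subnet(node):
    """Extra sanity check, not a Table 3-1 rule: is the gateway on eth0's subnet?"""
    net = ipaddress.IPv4Network(node["ip_address"] + "/" + node["netmask"], strict=False)
    return ipaddress.IPv4Address(node["gateway"]) in net


def check_deployment(nodes):
    """Check each node, then the rule that all nodes share both database passwords."""
    report = {n["hostname"]: check_node(n) for n in nodes}
    shared = []
    for key in ("db_admin_password", "db_user_password"):
        if len({n[key] for n in nodes}) > 1:
            shared.append(key + " differs between nodes")
    report["<deployment>"] = shared
    return report


# Constructed worksheet. NODE_A uses the Table 3-1 example values, except for the
# CLI password: the table's sample (MyIseYP@@ss) contains no digit, so a
# constructed value is used instead.
NODE_A = {
    "hostname": "isebeta1", "ip_address": "10.12.13.14", "netmask": "255.255.255.0",
    "gateway": "10.12.13.1", "dns_domain": "mycompany.com", "name_server": "10.15.20.25",
    "username": "admin", "password": "MyIseP4ss",
    "db_admin_password": "ISE4adbp_ss", "db_user_password": "ISE5udbp#ss",
}
# NODE_B is constructed to be wrong in several fields.
NODE_B = dict(NODE_A, hostname="2nd-ise-policy-service", netmask="255.0.255.0",
              dns_domain="10.15.20.25", username="ad", password="alllowercase1",
              db_admin_password="Short1_")

if __name__ == "__main__":
    for name, problems in check_deployment([NODE_A, NODE_B]).items():
        print(name, "->", problems or "ok")
```

The report contains field names only, so password values never end up in console output or logs.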

Configuring a Cisco ISE 3300 Series Hardware Appliance


This section describes running the Cisco ISE Setup program to configure the Cisco ISE 3300 Series software for the supported hardware appliances.
To configure a Cisco ISE 3300 Series appliance by using the Setup program, complete the following steps:
Step 1

Connect a keyboard and a VGA monitor to the Cisco ISE 3300 Series appliance.

Step 2

Ensure that a power cord is connected to the Cisco ISE 3300 Series and turn on the appliance.

Note

The Cisco ISE software is already preinstalled on the appliance. Do not insert the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD. The DVD is provided only for performing appliance reimage or for CLI password recovery.

In about 2 minutes, the following prompt is displayed, which means that the boot sequence is complete:
**********************************************
Please type 'setup' to configure the appliance
**********************************************

Step 3

At the prompt, type setup to start the Setup program. You are prompted to enter networking parameters and first credentials. The following illustrates a sample Setup program and default prompts:

Note

Cisco ISE appliances track time internally using UTC time zones. If you do not know your own specific time zone, you can enter one based on the city, region, or country where your Cisco ISE appliance is located. See Table 3-2, Table 3-3, and Table 3-4 for sample time zones. It is recommended to configure the preferred time zone (the default is UTC) during installation when Setup prompts you to configure this setting.

Caution

Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see clock time zone in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.
Enter hostname[]: ise-server-1
Enter IP address[]: 10.1.1.10
Enter Netmask[]: 255.255.255.0
Enter IP default gateway[]: 172.10.10.10
Enter default DNS domain[]: cisco.com
Enter Primary nameserver[]: 200.150.200.150
Add/Edit another nameserver? Y/N: n
Enter primary NTP domain[]: clock.cisco.com
Add/Edit another NTP domain? Y/N: n
Enter system time zone[]: UTC
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Virtual machine detected, configuring VMware tools...
Appliance is configured
Installing applications...
Installing ISE...
Application bundle (ise) installed successfully
===Initial Setup for Application: ise===
Welcome to the ISE initial setup. The purpose of this setup is to provision the internal ISE database. This setup requires you to create database administrator password and also create a database user password.
Please follow the prompts below to create the database administrator password.
Enter new database admin password:
Confirm new database admin password:
Successfully created database administrator password.
Please follow the prompts below to create the database user password.
Enter new database user password:
Confirm new database user password:
Successfully created database user password.
Running database cloning script...
Generating configuration...
Rebooting...
Welcome to the ISE initial setup. The purpose of this setup is to provision the internal database. This setup is non-interactive and will take roughly 15 minutes to complete. Please be patient.
Running database cloning script...
Running database network config assistant tool...
Extracting ISE database contents...
Starting ISE database processes...
...

Note

The message "Virtual machine detected, configuring VMware tools..." is displayed only if Cisco ISE is installed on a virtual machine. This message is not displayed if Cisco ISE is installed on a physical machine.

After the Cisco ISE software is configured, the Cisco ISE system reboots automatically. To log back into the Cisco ISE CLI, you must enter the CLI-admin user credentials that you configured during setup.

Step 4

After Cisco ISE reboots, you are prompted to enter and confirm the new database administrator and database user passwords. (All nodes in a distributed environment require the same password, so be sure to configure all of them by using the same entry.) You will see this prompt:
Welcome to the ISE initial setup. The purpose of this setup is to provision the internal database. This setup requires you to create a database administrator password and also create a database user password.
Please follow the prompts below to create the database administrator password.
Enter new database admin password:
Confirm new database admin password:
Successfully created database administrator password.
Please follow the prompts below to create the database user password.
Enter new database user password:
Confirm new database user password:
Successfully created database user password.
Running database cloning script...
Running database network config assistant tool...
Extracting ISE database contents...
Starting ISE database processes...
...

Step 5

After you log into the Cisco ISE CLI shell, you can run the following CLI command to check the status of the Cisco ISE application processes:
ise-server/admin# show application status ise
ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#

Step 6

After you confirm that the Cisco ISE Application Server is running, you can log into the Cisco ISE user interface by using one of the supported web browsers (see Accessing Cisco ISE Using a Web Browser, page 6-7). To log into the Cisco ISE user interface by using a web browser, enter the following in the Address field:
https://<your-ise-hostname or IP address>/admin/

Here your-ise-hostname or IP address represents the hostname or IP address that you configured for the Cisco ISE 3300 Series appliance during setup.
Step 7

At the Cisco ISE Login window, you are prompted to enter the web-based admin login credentials (username and password) to access the Cisco ISE user interface. You can initially access the Cisco ISE web interface by using the CLI-admin user's username and password that you defined during the setup process. After you log into the Cisco ISE user interface, you can then configure your devices, user stores, policies, and other components.

The username and password credentials that you use for web-based access to the Cisco ISE user interface are not the same as the CLI-admin user credentials that you created during setup for accessing the Cisco ISE CLI interface. For an explanation of the differences between these two types of admin users, see Admin Rights Differences: CLI-Admin and Web-Based Admin Users, page 3-2.
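
The check in Steps 5 and 6 can be scripted against captured output of show application status ise. The following is an added example, not Cisco code: HEALTHY is the sample output from Step 5, STARTING is a constructed capture, and the "is not running" wording in it is an assumption about how a stopped process is reported.

```python
import re

# The seven processes shown in the sample output of Step 5.
EXPECTED = (
    "ISE Database listener", "ISE Database", "ISE Application Server",
    "ISE M&T Session Database", "ISE M&T Log Collector",
    "ISE M&T Log Processor", "ISE M&T Alert Process",
)
STATUS_LINE = re.compile(r"^(ISE .+?) is (.+)$")


def parse_status(output):
    """Map each process name to True (running) or False (any other state)."""
    status = {}
    for line in output.splitlines():
        match = STATUS_LINE.match(line.strip())
        if match:  # CLI prompt lines and blank lines do not match
            name, state = match.groups()
            status[name] = state.startswith("running")
    return status


def not_ready(output):
    """Return the expected processes that are missing or not running."""
    status = parse_status(output)
    return [name for name in EXPECTED if not status.get(name, False)]


def web_login_ok(output):
    """Step 6 gate: the Application Server must be running before web login."""
    return parse_status(output).get("ISE Application Server", False)


# Sample output as shown in Step 5.
HEALTHY = """\
ise-server/admin# show application status ise
ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#
"""

# Constructed capture: one process down (assumed wording), one line absent.
STARTING = """\
ise-server/admin# show application status ise
ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is not running
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ise-server/admin#
"""

if __name__ == "__main__":
    for label, capture in (("healthy", HEALTHY), ("starting", STARTING)):
        print(label, "web login ok:", web_login_ok(capture), "not ready:", not_ready(capture))
```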

Supported Time Zones

This section provides three tables that provide more information on common UTC time zones for Europe, the United States and Canada, Australia, and Asia.

Note

The format for time zones is POSIX or System V. POSIX time zone format syntax looks like America/Los_Angeles, while System V time zone syntax looks like PST8PDT.

For time zones in Europe, the United States, and Canada, see Table 3-2.
For time zones in Australia, see Table 3-3.
For time zones in Asia, see Table 3-4.

Table 3-2 Common Time Zones

Acronym or name: Time Zone Name

Europe
GMT, GMT0, GMT-0, GMT+0, UTC, Greenwich, Universal, Zulu: Greenwich Mean Time, as UTC
GB: British
GB-Eire, Eire: Irish
WET: Western Europe Time, as UTC
CET: Central Europe Time, as UTC + 1 hour
EET: Eastern Europe Time, as UTC + 2 hours

United States and Canada
EST, EST5EDT: Eastern Standard Time, as UTC -5 hours
CST, CST6CDT: Central Standard Time, as UTC -6 hours
MST, MST7MDT: Mountain Standard Time, as UTC -7 hours
PST, PST8PDT: Pacific Standard Time, as UTC -8 hours
HST: Hawaiian Standard Time, as UTC -10 hours

Table 3-3 Australia Time Zones

Australia (1)
ACT (2)      Adelaide     Brisbane     Broken_Hill
Canberra     Currie       Darwin       Hobart
Lord_Howe    Lindeman     LHI (3)      Melbourne
North        NSW (4)      Perth        Queensland
South        Sydney       Tasmania     Victoria
West         Yancowinna

1. Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
2. ACT = Australian Capital Territory
3. LHI = Lord Howe Island
4. NSW = New South Wales

Table 3-4 Asia Time Zones

Asia (1)
Aden (2)     Almaty       Amman         Anadyr
Aqtau        Aqtobe       Ashgabat      Ashkhabad
Baghdad      Bahrain      Baku          Bangkok
Beirut       Bishkek      Brunei        Kolkata
Choibalsan   Chongqing    Columbo       Damascus
Dhakar       Dili         Dubai         Dushanbe
Gaza         Harbin       Hong_Kong     Hovd
Irkutsk      Istanbul     Jakarta       Jayapura
Jerusalem    Kabul        Kamchatka     Karachi
Kashgar      Katmandu     Kuala_Lumpur  Kuching
Kuwait       Krasnoyarsk

1. The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia.
2. Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.

Note

Additional time zones are available if you use the Cisco ISE CLI show timezones command. This CLI command displays a list of all time zones available to you. Choose the most appropriate one for your network location.

Verifying the Configuration Process


To verify that you have correctly completed the configuration process, use one of the following two methods to log into the Cisco ISE 3300 Series appliance:

Web browser
Cisco ISE CLI

Note

To perform post-installation verification of configuration, see Chapter 6, Performing Post-Installation Tasks.


CHAPTER 4

Installing the Cisco ISE 3300 Series Software in a VMware Virtual Machine
This chapter describes the system requirements for installing the Cisco Identity Services Engine (ISE) 3300 Series appliance software in a VMware virtual machine. The following topics provide information about the installation process:

Virtual Machine Requirements
Evaluating the Cisco ISE Release 1.1
Configuring a VMware ESX or ESXi Server
Configuring the VMware Server
Preparing a VMware System for Cisco ISE Software Installation
Installing the Cisco ISE Software on a VMware System
Connecting to the Cisco ISE VMware Server Using Serial Console

Note

The Inline Posture node is supported only on Cisco ISE 3300 Series appliances. It is not supported on VMware server systems. All the other designated roles are supported for use on VMware virtual machines.

Virtual Machine Requirements


The minimum system requirements for the virtual machine must be similar to the Cisco ISE 3300 Series appliance hardware configuration. Table 4-1 lists the minimum system requirements to install Cisco ISE 3300 Series software on a VMware virtual machine.
Table 4-1 Minimum VMware System Requirements

Requirement Type: CPU
Minimum Requirements: Intel Dual-Core; 2.13 GHz or faster

Requirement Type: Memory
Minimum Requirements: 4 GB RAM

Requirement Type: Hard disks
Minimum Requirements: 60 to 600 GB of disk storage (size depends on deployment and tasks)
Note: The Cisco ISE must be installed on a single disk in VMware. If you use several small disks to meet the disk space requirement for installation you could experience some unexpected behavior.

Requirement Type: Disk controller
Minimum Requirements: SCSI controller

Requirement Type: NIC
Minimum Requirements: 1 GB NIC interface required (four NICs are recommended)
Note: When creating network connections for any NICs that you configure, make sure to select the corresponding Flexible network adapter from the Adapter drop-down list. For this release, Cisco ISE supports the Flexible network adapter for all NICs. See Step 9 in Configuring the VMware Server, page 4-7.

Requirement Type: Hypervisor
Minimum Requirements: Supported VMware versions include:
  VMware ESX 4.0, 4.0.1, 4.1
  VMware ESXi 4.0, 4.0.1, 4.1
Note: VMware server, version 2.0, is only supported for demonstrating the features of Cisco ISE Release 1.0, and is not supported for production environments.

Note

Different types of licenses are needed when you run Cisco ISE software on a VMware server for evaluation or production purposes. For license details, see Installing a License, page 6-1.

Table 4-2 lists the minimum Cisco ISE hard disk space allocation requirements for running on a VMware server in a production deployment. Use the supported VMware ESX and ESXi server versions listed in Table 4-1 for running Cisco ISE software in a production deployment.

Table 4-2 Minimum VMware Production Disk Space Requirements

ISE Persona: Minimum Disk Space Requirements for Production
Standalone ISE: 200 GB
Administration: 200 GB
Monitoring: 200 GB
Administration and Monitoring: 200 GB
Policy Service: 60 GB

Note

For a Cisco ISE software running on a VMware server with the Monitoring persona enabled, the minimum supported hard disk space allocation for small, medium, and large production deployments is 200 GB. The Cisco ISE must be installed on a single disk in VMware. If you use several small disks to meet the disk space requirement for installation you could experience some unexpected behavior.


The Cisco ISE Release 1.0 installer is designed to make use of all disk space that is allocated to a VMware server, up to a maximum that is equal to the maximum that is supported by the Cisco ISE hardware appliance. This means that if you create a VMware server with more than 600 GB, the maximum disk space that Cisco ISE will allocate for all deployment types is 600 GB. Any remaining disk space remains unpartitioned. For example:

If a VMware server is created with a 200 GB disk space allocation, the Cisco ISE installer will allocate 200 GB for use.
If a VMware server is created with a 1 terabyte (TB) disk space allocation, the Cisco ISE installer will allocate up to its maximum allowed (600 GB).
If a VMware server is created with a 40 GB disk space allocation, the Cisco ISE installer will fail because that size allocation is below the minimum supported disk space allocation of 60 GB.

Note

The minimum Cisco ISE hard disk space allocation requirement for running on a VMware server in an evaluation environment that supports only 100 users is 60 GB. When you move your VMware server to a production environment that supports a larger number of users, however, be sure to reconfigure your Cisco ISE installation to the recommended minimum disk size that is listed in Table 4-2 or higher (up to the allowed maximum of 600 GB).

Evaluating the Cisco ISE Release 1.1


For evaluation purposes, Cisco ISE Release 1.0 can be installed in any of the supported VMware server virtual machines that meet the Virtual Machine Requirements, page 4-1. When evaluating Cisco ISE Release 1.0, you can configure less disk space in the virtual machine, but you still are required to allocate a minimum disk space of 60 GB. To download the Cisco ISE Release 1.0 software for evaluation, complete the following steps:
Step 1

Go to the following link: http://cisco.com/go/ise (You must already have valid Cisco.com login credentials to access this link.)

Step 2

Click Download Software. The Cisco ISE Release 1.0 software image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services once your installation and initial configuration are complete.

Note

VMware server installations are supported for evaluation environments. There is no distinction between the minimum disk space requirements that are required for VMware servers that are used for evaluation or production deployments. The minimum supported VMware server installation of Cisco ISE requires 60 GB of disk space.


To migrate a Cisco ISE configuration from an evaluation system to a fully licensed production system, you need to complete the following tasks:

Back up the configuration of the evaluation version
Install a production deployment license
Restore the configuration to the production system
Increase disk space for installation (possibly)

Note

The minimum Cisco ISE hard disk space allocation requirement for running on a VMware server in an evaluation environment that supports only 100 users is 60 GB. When you move your VMware server to a production environment that supports a larger number of users, however, be sure to reconfigure your Cisco ISE installation to the recommended minimum disk size that is listed in Table 4-2 or higher (up to the allowed maximum of 600 GB).

Configuring a VMware ESX or ESXi Server


To install Cisco ISE on a supported VMware server, you must allocate a minimum disk space of 60 GB on the VMware virtual machine. This section describes how to set the minimum required disk space on the VMware virtual machine (to change the disk space size on the VMware virtual machine, log into the VMware ESX server). This section provides procedures for performing some important configuration-related tasks.

Caution

Do not select VMware thin provisioning as a storage type. This release of the Cisco ISE software does not support using VMware thin provisioning as a storage type on any of the supported VMware servers (VMware versions ESX 4.x or ESXi 4.x). This is not a default setting and Cisco advises against selecting the check box for thin provisioning in Step 10 (as shown in Figure 4-11).

Note

To perform the following procedures, you must be logged in. For details on performing an initial login, see Logging In, page 6-8.
To verify or change disk allocation, complete the following steps:

Step 1

Choose Configuration > Memory, and click Properties. If the block size is 256 MB, you must change it to 4 GB.

Step 2

Change the memory size to 4 GB by choosing Configuration > Memory.

Note

It is important to note that the VMware virtual file system (VMFS) is set for each of the storage volumes configured in the VMware host. This means that your choice of the VMFS block size will need to take into account the largest virtual disk sizes hosted on the VMware host. Once the block size is set it cannot be changed without having to reformat the VMFS partitions.


To remove the default configuration, complete the following steps:


Step 1

Click Remove. A confirmation window appears.

Step 2

Click Yes. The default configuration is removed.

To create a new virtual file size, complete the following steps:


Step 1

Choose Configuration > Storage > Add Storage Wizard. You can find the Add Storage wizard at the upper-right corner of the configuration window.
Figure 4-1 Configuration Window

Step 2

From the Storage Type drop-down list, choose Disk/LUN and click Next.

Step 3

Choose 60 GB for disk space size, 2 MB as the VMFS block size, and click Next. 60 GB is the minimum disk space size that is required for installing VMware with Cisco ISE. However, Cisco ISE will only use up to a maximum of 600 GB, even if you assign extra space in your VMware system. The value that you set should be between 60 and 600 GB, depending on your deployment.

Note

If you specify the default VMFS 1 MB block size, you will not be able to create a 600 GB disk space for your virtual machine on the VMware host. Only by selecting a VMFS block size of 2 MB when the VMFS file system is being created are you able to configure up to 600 GB of disk space for your virtual machine. Click Finish. The new VMware system with a 60 GB virtual disk size and a 2 MB block size is created successfully.

Step 4

To check the new file size, choose Configuration > Memory, and click Properties. Figure 4-2 displays the properties of a disk space created with the name ds1.


Figure 4-2 Disk Space Properties Window

To ensure proper operation of the Cisco ISE Profiler service on a VMware system, you need to configure the VMswitch0 and VMswitch1 interfaces on your VMware ESX or ESXi server (see Figure 4-3 on page 4-7).
To configure the VMware server interfaces to support the Cisco ISE Profiler service, complete the following steps:
Step 1

Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server instance) > VMswitch0 (one of your VMware ESX server interfaces) > Properties > Security.

Step 2

In the Policy Exceptions pane under the Security tab, check the Promiscuous Mode check box. In the adjacent drop-down list box, choose Accept, and click OK.

Step 3

Repeat the same steps on VMswitch1 (the other VMware ESX server interface).


Figure 4-3 VMNetwork Properties Window

Configuring the VMware Server


This section describes how to configure VMware servers by using the VMware Infrastructure Client.

Prerequisite
Before installing the Cisco ISE software, verify that the VMware virtual machine has a minimum of 60 GB of disk space allocated. For more information, see Configuring a VMware ESX or ESXi Server, page 4-4.
To configure the VMware server by using the VMware Infrastructure Client, complete the following steps:
Step 1

Log into the ESX Server.

Step 2

In the VMware Infrastructure Client, in the left pane, right-click your host container and choose New Virtual Machine. The New Virtual Machine Wizard appears.


Step 3

In the Configuration Type dialog box, choose Typical as the VMware configuration, as shown in Figure 4-4, and click Next.
Figure 4-4 Virtual Machine Configuration Dialog Box

The Name and Location dialog box appears. (Figure 4-5)


Step 4

Enter a name that you want for referencing the VMware system, and click Next.
Figure 4-5 Name and Location Dialog Box

Tip

Use the hostname that you want to use for your VMware host.

The Datastore dialog box appears. (Figure 4-6)

Step 5

Choose a datastore that has a minimum of 60 GB of free space available, and click Next.
Figure 4-6 Datastore Dialog Box

The Guest Operating System dialog box appears. (Figure 4-7)


Step 6

Click Linux, and from the Version drop-down list, choose Red Hat Enterprise Linux 5 (32-bit).
Figure 4-7 Guest Operating System Dialog Box

The Number of Virtual Processors dialog box appears. (Figure 4-8)


Step 7

From the Number of Virtual Processors drop-down list, choose 2 (if 2 is available); or you can choose 1. Click Next.
Figure 4-8 Number of Virtual Processors Dialog Box

The Memory Configuration dialog box appears. (Figure 4-9)


Step 8

Enter 4096 MB, and click Next.


Figure 4-9 Memory Configuration Dialog Box

The NIC Configuration dialog box appears. (Figure 4-10)


Step 9

Choose NIC 1, and click Next.

Note

When creating network connections for any NICs that you configure, make sure to select the corresponding Flexible network adapter from the Adapter drop-down list. For this release, Cisco ISE supports the Flexible network adapter for all NICs.
Figure 4-10 NIC Configuration Dialog Box

The Virtual Disk Capacity dialog box appears. (Figure 4-12).


Figure 4-11 Disk Provisioning Dialog Box

Step 10

Do not check the Allocate and commit space on demand (Thin Provisioning) check box in the Disk Provisioning dialog box (Figure 4-11). Click Next to continue. The Virtual Disk Capacity dialog box appears. (Figure 4-12)

Caution

Do not select VMware thin provisioning as a storage type. This release of the Cisco ISE software does not support using VMware thin provisioning as a storage type on any of the supported VMware servers (VMware versions ESX 4.x or ESXi 4.x). This is not a default setting and Cisco advises against selecting the check box for thin provisioning in Figure 4-11.

Step 11

In the Disk Size field, enter 500 GB, and click Next.
Figure 4-12 Virtual Disk Capacity Dialog Box

The Ready to Complete New Virtual Machine dialog box appears. (Figure 4-13)

Step 12

Verify the configuration details, such as Name, Guest OS, Virtual CPU, Memory, and Virtual Disk Size of the newly created VMware system.


Figure 4-13 Ready to Complete Dialog Box

Step 13

Click Finish. The VMware system is now installed.

To activate the newly created VMware system, right-click VM in the left pane and choose Power On.
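The settings chosen in the wizard above can be checked afterward from the files it writes. The following added example, which is not from the Cisco guide, parses a .vmx file and a .vmdk descriptor and reports deviations from this procedure. The sample file contents are constructed, and three mappings are assumptions about VMware's file format: Flexible as an absent or vlance virtualDev value, Red Hat Enterprise Linux 5 (32-bit) as guestOS rhel5, and an absent numvcpus as one virtual processor.

```python
"""Audit a VM's .vmx file and .vmdk descriptor against this guide's settings."""
import re

SECTOR_BYTES = 512
GIB = 1024 ** 3

KV_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"([^"]*)"\s*$')
EXTENT_LINE = re.compile(r'^\s*(?:RW|RDONLY|NOACCESS)\s+(\d+)\s+\S+')
NIC_PRESENT = re.compile(r'^(ethernet\d+)\.present$')


def parse_kv(text):
    """Return key = "value" pairs from VMX or descriptor text, keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        match = KV_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def disk_size_gb(descriptor_text):
    """Sum the extent lines (sizes are in 512-byte sectors) and convert to GB."""
    sectors = 0
    for line in descriptor_text.splitlines():
        match = EXTENT_LINE.match(line)
        if match:
            sectors += int(match.group(1))
    return sectors * SECTOR_BYTES / GIB


def audit_vm(vmx_text, vmdk_text):
    """Return a list of deviations from the guide; an empty list means none."""
    vmx = parse_kv(vmx_text)
    vmdk = parse_kv(vmdk_text)
    findings = []

    # Step 8: memory is entered as 4096 MB.
    if vmx.get("memsize") != "4096":
        findings.append("memory: memsize=%r, guide specifies 4096" % vmx.get("memsize"))

    # Step 7: 2 virtual processors, or 1 (assumption: absent key means 1).
    vcpus = vmx.get("numvcpus", "1")
    if vcpus not in ("1", "2"):
        findings.append("vcpu: numvcpus=%s, guide specifies 1 or 2" % vcpus)

    # Step 6: Red Hat Enterprise Linux 5 (32-bit); "rhel5" is an assumption.
    if vmx.get("guestos") != "rhel5":
        findings.append("guest: guestOS=%r, expected rhel5" % vmx.get("guestos"))

    # Step 9 note: every configured NIC must use the Flexible adapter.
    for key in sorted(vmx):
        nic = NIC_PRESENT.match(key)
        if nic and vmx[key].upper() == "TRUE":
            dev = vmx.get(nic.group(1) + ".virtualdev")
            if dev is not None and dev.lower() != "vlance":
                findings.append("nic: %s uses %s, not Flexible" % (nic.group(1), dev))

    # Step 10 caution: thin provisioning is not supported.
    if vmdk.get("ddb.thinprovisioned") == "1":
        findings.append("disk: thin provisioned, not supported by this release")

    # Disk must be between 60 and 600 GB.
    size = disk_size_gb(vmdk_text)
    if not 60 <= size <= 600:
        findings.append("disk: %.0f GB is outside the 60-600 GB range" % size)
    return findings


# Constructed sample files (not taken from a real host).
GOOD_VMX = '''
displayName = "ise-vm-example"
guestOS = "rhel5"
memsize = "4096"
numvcpus = "2"
ethernet0.present = "TRUE"
ethernet0.networkName = "VM Network"
scsi0:0.fileName = "ise-vm-example.vmdk"
'''
GOOD_VMDK = '''
# Disk DescriptorFile
createType="vmfs"
RW 1048576000 VMFS "ise-vm-example-flat.vmdk"
ddb.adapterType = "lsilogic"
'''
BAD_VMX = '''
guestOS = "rhel5-64"
memsize = "2048"
numvcpus = "4"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
'''
BAD_VMDK = '''
createType="vmfs"
RW 83886080 VMFS "ise-vm-bad-flat.vmdk"
ddb.thinProvisioned = "1"
'''

if __name__ == "__main__":
    for name, vmx, vmdk in (("good", GOOD_VMX, GOOD_VMDK), ("bad", BAD_VMX, BAD_VMDK)):
        print(name, audit_vm(vmx, vmdk) or "no deviations")
```

Promiscuous Mode on VMswitch0 and VMswitch1 is a host-side virtual switch policy and is not visible in these two files, so it has to be checked on the host.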

Preparing a VMware System for Cisco ISE Software Installation


After configuring the VMware system, you are ready to install the Cisco ISE software. To install the Cisco ISE software from your Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD, you need to configure the VMware system to boot from this Cisco ISE DVD. This requires that the VMware system be configured with a virtual DVD drive to boot from the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD. You can do this by using different methods that are dependent upon your network environment. See Configuring a VMware System Using the Cisco Identity Services Engine ISE Software DVD, page 4-11 to configure the VMware system by using the DVD drive of your VMware ESX server host.

Configuring a VMware System Using the Cisco Identity Services Engine ISE Software DVD
This section describes how to configure a VMware system to boot from the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD by using the DVD drive of the VMware ESX server host.
To configure the VMware system by using the DVD drive, complete the following steps:
Step 1

In the VMware Infrastructure Client, highlight the newly created VMware system, and choose Edit Virtual Machine Settings. The Virtual Machine Properties window appears. Figure 4-14 displays the properties of a VMware system created with the name Cisco ISE Release 1.0.


Figure 4-14 Virtual Machine Properties Dialog Box

Step 2

In the Virtual Machine Properties dialog box, choose CD/DVD Drive 1. The CD/DVD Drive1 properties dialog box appears.

Step 3

Choose the Host Device option, and from the drop-down list, choose your DVD host device.

Step 4

Choose the Connect at Power On option, and click OK to save your settings. You can now use the DVD drive of the VMware ESX server to install the Cisco ISE software.

When you complete the configuration, click the Console tab, right-click VM in the left pane, choose Power, and choose Reset to restart the VMware system.

Installing the Cisco ISE Software on a VMware System


This section describes the installation process for the Cisco ISE software on VMware ESX 4.x.
To install the Cisco ISE software on a VMware system, complete the following steps:
Step 1

Log into the VMware Infrastructure Client.

Step 2

Ensure that Universal Time Coordinated (UTC) is set in BIOS:

a. If the VMware system is turned on, turn the system off.
b. Turn on the VMware system.
c. Press F1 to enter the BIOS Setup mode.
d. Using the arrow key, navigate to Date and Time and press Enter.
e. Enter the time for your appliance to the UTC/Greenwich Mean Time (GMT) time zone.

Note

We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in your deployment are always in sync with regard to the timestamps.

f. Press Esc to exit to the main BIOS menu.
g. Press Esc to exit from the BIOS Setup mode.

Note

After installation, if you do not install a permanent license, Cisco ISE automatically installs a 90-day evaluation license that supports a maximum of 100 endpoints.

Step 3

Insert the Cisco ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD into the VMware ESX host CD/DVD drive, and turn on the virtual machine.

Note

If you do not have access to this DVD, you can download the Cisco ISE Release 1.1 software from the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will be required to provide your Cisco.com credentials.

When the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD boots, the console displays:
Welcome to Cisco ISE
To boot from the hard disk press <Enter>
Available boot options:
[1] Cisco Identity Services Engine Installation (Monitor/Keyboard)
[2] Cisco Identity Services Engine Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
boot: 1

You can choose either the monitor and keyboard port, or the console port to perform the initial setup.
Step 4

At the system prompt, type 1 to choose a monitor and keyboard port, or type 2 to choose a console port, and press Enter. This starts the installation of the Cisco ISE software on the VMware system.

Note

Allow 20 minutes for the installation process to complete. When the installation process finishes, the virtual machine reboots automatically.


When the VM reboots, the console displays:


Type 'setup' to configure your appliance localhost:

Step 5

At the system prompt, type setup, and press Enter. The Setup Wizard appears and guides you through the initial configuration. For more information on the setup process, see Understanding the Setup Program Parameters, page 3-3.

Connecting to the Cisco ISE VMware Server Using Serial Console


To connect to the Cisco ISE VMware server using the serial console, complete the following steps:

Step 1

Power off the particular VMware server (for example, ISE-120).

Step 2

Right-click the VMware server and choose Edit.

Step 3

Choose the Hardware tab and click Add.

Step 4

Choose Serial Port and click Next.


Step 5

For Serial Port Output choose Use physical serial port on the host. Click Next.


Step 6

Choose the port. You may choose one of the following two options:

/dev/ttyS0 (In the DOS or Windows operating system, this will appear as COM1).
/dev/ttyS1 (In the DOS or Windows operating system, this will appear as COM2).

Step 7

Click Next.

Step 8

Check the device status. It will be shown as Connected.


CHAPTER 5

Upgrading the Cisco ISE


You can upgrade the Cisco Identity Services Engine (ISE) from a previous major release or maintenance release to the latest Cisco ISE Maintenance Release 1.0.4. You can also migrate from the Cisco Secure Access Control System (ACS) 5.1 and 5.2 releases to the latest Cisco ISE Maintenance Release 1.0.4. You cannot migrate to the latest Cisco ISE release from Cisco Secure ACS 4.x or lower versions, or from a Cisco Network Admission Control (NAC) Appliance. For information on migrating from Cisco Secure ACS 5.1 and 5.2 releases to the latest Cisco ISE release, see the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.

Note

You can migrate to the latest Cisco ISE release only from the latest ACS 5.x release. You must upgrade to the latest ACS 5.x release before you plan to migrate to the latest Cisco ISE release.

This chapter describes the following procedures:

Upgrading the Cisco ISE Node, page 5-1
Recovering from Upgrade Failures, page 5-8

Upgrading the Cisco ISE Node


Note

There is a known issue regarding default admin administrator user interface access following an upgrade from the Cisco ISE Release 1.0.3.377 to Cisco ISE Maintenance Release 1.0.4.573. See the Known Issues section of the Release Notes for Cisco Identity Services Engine, Release 1.1 for details.

You can upgrade Cisco ISE from the previous release to the next release. The previous release may include patches that are already installed on it or it can be any maintenance release. For example, you can upgrade Cisco ISE, Release 1.0 to the latest Cisco ISE maintenance release and then upgrade the maintenance release to the next release later. The following upgrade options are available:

Perform an application upgrade from the CLI. For more information, see Performing an Application Upgrade from the CLI, page 5-2.
Perform a split deployment upgrade. For more information, see Performing a Split Deployment Upgrade, page 5-4.
Replace the old Cisco ISE, Release 1.0 or the Cisco ISE Maintenance Release 1.0.4 appliance with a new Cisco ISE appliance that runs the latest Cisco ISE Release 1.1. For more information, see Replacing the Cisco ISE Appliance Running ISE 1.0 Software with the Cisco ISE Appliance Running ISE 1.1, page 5-6.

Note

We strongly recommend that you delay any deployment configuration changes, such as changing node personas, system synchronization, node registration or deregistration, and so on, until all nodes in your deployment are completely upgraded. (One exception to this recommendation, however, involves steps that are required to recover from a failed upgrade, as described in Recovering from Upgrade Failures on a Standalone Node, page 5-9.)

Note

When you upgrade or restore Cisco ISE Monitoring nodes from the older versions of Cisco ISE to Cisco ISE 1.1, the active sessions are not retained and are reset to 0.

Performing an Application Upgrade from the CLI


Cisco ISE also lets you perform an application upgrade from the Cisco ISE, Release 1.0 and Cisco ISE Maintenance Release 1.0.4 to the latest Cisco ISE Maintenance Release 1.1 directly from the CLI. This option allows you to install the new Cisco ISE software on the appliance and simultaneously upgrade configuration and monitoring information databases. To perform an application upgrade, from the Cisco ISE CLI, enter:

application upgrade application-bundle repository-name

where

application-bundle is the name of the application bundle to upgrade the Cisco ISE application
repository-name is the name of the repository

For more information, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Note

Before proceeding, we recommend that you review all of the following sections for information on how to perform an upgrade on different types of nodes.

You can use the application upgrade command from the CLI to upgrade the Cisco ISE from the previous version to the current version in the following cases:

When upgrading the Cisco ISE on a standalone node that assumes Administration, Policy Service, and Monitoring personas.
When upgrading the Cisco ISE on a distributed deployment.

Note

Perform an on-demand backup (manually) of the Primary administration node before upgrading the Cisco ISE.

To validate the upgrade process, do one of the following:

Check the ade.log file for the upgrade process. To download the ade.log file, see the Downloading Support Bundles section in Chapter 23 of the Cisco Identity Services Engine User Guide, Release 1.1.
Run the show version CLI command to verify the build version.

Upgrading the Cisco ISE on a Standalone Node


You can execute the application upgrade command from the CLI on a standalone Cisco ISE node that assumes the Administration, Policy Service, and Monitoring personas.
To upgrade the Cisco ISE on a standalone node:
Step 1

Perform an on-demand backup (manually) of the Primary Administration ISE node from the admin user interface or CLI and an on-demand backup of the Monitoring node from the admin user interface before upgrading the Cisco ISE. For more information on how to perform an on-demand backup, see the On-Demand Backup section of the Cisco Identity Services Engine User Guide, Release 1.1.

Step 2

Launch the application upgrade command from the Cisco ISE CLI. This process internally upgrades the application binaries, the Database schema, and the datamodel module. It also handles upgrading any Cisco Application Deployment Engine (ADE) Release 2.0 operating system (ADE-OS) updates. If a system reload is required to complete the upgrade process, the Cisco ISE node is restarted automatically following a successful upgrade. The CLI transcript for a successful upgrade on a standalone node should look like the following:

ise-vm29/admin# application upgrade ise-appbundle-1.1.0.xxx.i386.tar.gz disk
Save the current ADE-OS running configuration? (yes/no) [yes]?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
###############################################################
NOTICE: ISE upgrade requires you to change the database administrator and database user password.
You will be prompted to change these passwords after the system reboots.
###############################################################
Stopping ISE application before upgrade...
Running ISE Database upgrade...
Upgrading ISE Database schema...
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE...
Running ISE data upgrade for node specific data...
This application Install or Upgrade requires reboot, rebooting now...

Step 3

After you upgrade from Cisco ISE Release 1.0.3.377 or Cisco ISE Maintenance Release 1.0.4.573 to Cisco ISE Release 1.1, you may be unable to use the SFTP repository until you accept the host key by using the host-key host <sftpservername> command. See the Cisco Identity Services Engine CLI Reference Guide, Release 1.1 for more information on the usage of the command.

Step 4

When the reboot process completes, you are prompted to log in with your login credentials and are asked immediately to provide new Cisco ISE internal database administrator and user passwords. (This part of the process is only successful if the user account that you are using to log in has administrator-level access privileges.)

login: admin
password:
% NOTICE: ISE upgrade requires you to change the database administrator and user passwords, before you can start the application.
Enter new database admin password:
Confirm new database admin password:
Enter new database user password:
Confirm new database user password:
Starting database to update password...
Starting database to update password...
ISE Database processes already running, PID: 3323
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Application Server...
Starting ISE Monitoring & Troubleshooting Alert Process...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE Monitoring & Troubleshooting Log Processor...
Note: ISE Processes are initializing. Use 'show application status ise' CLI to verify all processes are in running state.

If there is any failure during an upgrade of application binaries and the Cisco ADE-OS, you can only remove and reinstall the previous version of the application bundle and restore the backup. See Recovering from Upgrade Failures on a Standalone Node, page 5-9 for details on how to recover from upgrade failures.

Note

After you upgrade from Cisco ISE Release 1.0.3.377 or Cisco ISE Maintenance Release 1.0.4.573 to Cisco ISE Release 1.1, the scheduled backup jobs need to be recreated because the older jobs will not work properly.

Performing a Split Deployment Upgrade


To upgrade the Cisco ISE nodes in a distributed deployment to Release 1.1, you must use the split deployment upgrade method. The configuration changes that are made to the Primary Administration ISE node database are applied to the secondary Administration ISE node, the Inline Posture node, and all the secondary nodes in your deployment. This allows you to replicate the database on all the nodes from the Primary Administration ISE node so that each node has a local copy of the configuration. Replication of configuration data across all nodes may introduce complications in terms of functionality changes that are implemented within the latest version and the required configuration. For more information on centralized configuration and management of Cisco ISE nodes in a distributed deployment, see Cisco Identity Services Engine User Guide, Release 1.1, Chapter 10, Setting Up ISE in a Distributed Environment.

Note

When you upgrade a complete Cisco ISE deployment, Domain Name System (DNS) server resolution is mandatory; otherwise the upgrade will fail.


Note

During the split deployment upgrade, before you register the nodes to the new primary Administration node, you must do the following:

If you use self-signed certificates, you must import the self-signed certificates of all nodes to your new primary Administration node.
If you use different CA certificates for the nodes, you must import all the CA certificates into the new primary Administration node.
If you use the same CA certificate for the nodes, you must import that CA certificate into the new primary Administration node.

Assuming that you have a Primary Administration ISE node, a secondary Administration ISE node, an Inline Posture node, and a few Policy Service nodes in your Cisco ISE deployment, the Cisco ISE can be upgraded by using the split deployment upgrade methodology to overcome deployment issues. You can create a new deployment of the version that you intend to upgrade within your Cisco ISE deployment by splitting your deployment. First, move the secondary Administration ISE node to the new deployment and then move all the Policy Service nodes to the new deployment in a phased manner. After you upgrade all the Policy Service nodes to the new deployment, your Cisco ISE deployment is complete. When upgrading a complete Cisco ISE deployment to the next release, you create a new deployment that is based on the version to which you want the Cisco ISE to be upgraded and migrate all the nodes to the new deployment.

Split deployment upgrade happens in two phases:

Upgrading the Secondary Administration ISE Node to a New Deployment, page 5-5
Upgrading the Policy Service Nodes to the New Deployment, page 5-6

Upgrading the Secondary Administration ISE Node to a New Deployment


Note

Before you upgrade any node in a deployment, you must obtain an on-demand backup of the primary Administration ISE node and the Monitoring node. You must also record the Inline Policy Enforcement Point (IPEP) node configuration before the upgrade so that you can reconfigure the IPEP node after the upgrade.

When upgrading to a higher release, you should initially upgrade only the secondary Administration ISE node to the higher version. For example, if you have a deployment setup with one primary Administration node (Node A), one secondary Administration node (Node B), one IPEP node (Node C), and two PDPs (Node D and Node E), you can proceed with the upgrade procedure as follows:

Step 1

Deregister the secondary node (Node B) from the deployment setup. After deregistration, it becomes a standalone node. Upgrade this standalone node to Cisco ISE Release 1.1.x.x.

Step 2

Deregister the PDP node (Node D) from the deployment setup. After deregistration, it becomes a standalone node. Upgrade this standalone node to Cisco ISE Release 1.1.x.x.

Step 3

Promote Node B as the primary node in the new deployment and register Node D as the PDP node.

Step 4

Deregister the PDP node (Node D) from the deployment setup. After deregistration, it becomes a standalone node. Upgrade this standalone node to Cisco ISE Release 1.1.x.x.

Step 5

Deregister the IPEP node (Node C) from the deployment setup and make it a standalone node. Upgrade this IPEP node to Cisco ISE Release 1.1.x.x.

Note

The upgrade process removes the IPEP node's configuration. You must reconfigure the IPEP node after the upgrade.

Step 6

Deregister the second PDP node (Node E) from the deployment and upgrade it to Cisco ISE Release 1.1.x.x. Register to Node B as the PDP node.

Step 7

Convert the earlier deployment's primary node (Node A) to a standalone node. Upgrade Node A to Cisco ISE Release 1.1.x.x and register to Node B in the Cisco ISE Release 1.1 deployment setup as the secondary node.

Step 8

Exchange the IPEP node certificates with the new primary Administration node (Node B) certificates. Similarly, exchange the IPEP node certificates with the new secondary Administration node (Node A) certificates.

Note

Certificates from both the primary and secondary Administration nodes should be installed on each IPEP node to trust the management interface certificate. For more details on certificate provisioning, see the Deploying an Inline Posture Node section in the Cisco Identity Services Engine User Guide, Release 1.1.

Step 9

Register the IPEP node (Node C) to the new deployment setup; that is, to Node B.

Upgrading the Policy Service Nodes to the New Deployment


Any configuration that is applied to the primary Administration ISE node in the previous deployment should also be applied to the secondary Administration ISE node in the new deployment. This allows you to replicate the Policy Service nodes from the secondary Administration ISE node in the new deployment, and these nodes can operate on the new deployment. You must apply the configuration changes to the upgraded deployment version that are currently applied in the previous version. The changes in the configuration that are applied to the upgraded version need not be applied back to the previous version.

Replacing the Cisco ISE Appliance Running ISE 1.0 Software with the Cisco ISE Appliance Running ISE 1.1
Note

If you want to replace a Cisco ISE appliance that runs Cisco Identity Services Engine Maintenance Release 1.0.4.558 with a new Cisco ISE that runs Cisco Identity Services Engine Maintenance Release 1.0.4.573, you must upgrade the appliance that runs version 1.0.4.558 to 1.0.4.573 before creating a database backup image, which you can then restore on the new appliance that runs version 1.0.4.573.


Note

When you restore data from the backup of a previous version, any existing configuration, regardless of old or new features, will be cleared after the restore.

This section contains the following:

Replacing the Cisco ISE Standalone Appliance Running ISE 1.0 Software with the Cisco ISE Appliance Running Cisco ISE, Release 1.1, page 5-7
Replacing a Subset of Existing Cisco ISE Nodes with Cisco ISE Appliances Running Release 1.1 in a Distributed Deployment, page 5-8
Replacing All the Cisco ISE Appliances Running the ISE 1.0 Software with the Cisco ISE Appliances Running Cisco ISE 1.1 in a Distributed Deployment, page 5-8

Replacing the Cisco ISE Standalone Appliance Running ISE 1.0 Software with the Cisco ISE Appliance Running Cisco ISE, Release 1.1
This upgrade scenario is required only if you are upgrading your Cisco ISE, Release 1.0 or the Cisco ISE Maintenance Release 1.0.4 software to the Cisco ISE, Release 1.1 at the same time as you are replacing your existing Cisco ISE chassis. If you are using the same physical appliance or a virtual machine, we recommend that you use Performing an Application Upgrade from the CLI, instead of backup restore.
To replace a Cisco ISE standalone appliance that runs the Cisco ISE 1.0 software with a Cisco ISE appliance that runs the Cisco ISE Release 1.1, complete the following steps:

Step 1

Back up the Cisco ISE 1.0 appliance.

Step 2

Start up and configure the new Cisco ISE 1.1 appliance.

Step 3

Restore the Cisco ISE 1.0 backup. For more information on how to perform a backup and restore, see Cisco Identity Services Engine User Guide, Release 1.1, Chapter 14 Backing Up and Restoring Cisco ISE Data.

After you restore data, you must wait until all the application server processes are up and running. To verify that the Cisco ISE application server processes are running, enter the following command from the Cisco ISE CLI:

show application status ise

For more information on the CLI commands, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.


Replacing a Subset of Existing Cisco ISE Nodes with Cisco ISE Appliances Running Release 1.1 in a Distributed Deployment
To replace a subset of the Cisco ISE 1.0 nodes with the Cisco ISE appliances that run 1.1 in a distributed deployment, complete the following steps:

Step 1

Perform an application upgrade to the Cisco ISE 1.1 on each node in the existing deployment. See Performing an Application Upgrade from the CLI, page 5-2.

Step 2

Deregister and register the new Cisco ISE 1.1 appliances into the deployment. In this case, the primary Administration ISE node remains on the original hardware. You can promote one of the newer Cisco ISE 1.1 appliances to be the new primary Administration ISE node.

Replacing All the Cisco ISE Appliances Running the ISE 1.0 Software with the Cisco ISE Appliances Running Cisco ISE 1.1 in a Distributed Deployment
To replace all Cisco ISE appliances that run Cisco ISE, Release 1.0 or Cisco ISE Maintenance Release 1.0.4 software with Cisco ISE appliances that run Cisco ISE, Release 1.1 in a distributed deployment, complete the following steps:
Step 1 Perform an application upgrade to the Cisco ISE 1.1 on each node in the existing deployment. See Performing an Application Upgrade from the CLI, page 5-2.
Step 2 Deregister a secondary appliance and register to the first Cisco ISE 1.1 appliance.
Step 3 Repeat Step 2 for the remaining secondary nodes that you want to move from the Cisco ISE 1.0 hardware deployment to the Cisco ISE 1.1 hardware deployment.
Step 4 Promote one of the new Cisco ISE 1.1 appliances to be the new primary Administration ISE node.
Step 5 Deregister the last Cisco ISE 1.0 appliance and register it to the last Cisco ISE 1.1 appliance in the deployment.

Recovering from Upgrade Failures


This section contains:

Recovering from Upgrade Failures on a Standalone Node, page 5-9
Recovering the Appliance if SSH Session Quit During Upgrade, page 5-9


Recovering from Upgrade Failures on a Standalone Node


Before attempting any rollback or recovery on the node where an upgrade has failed, you must generate an application bundle by using the backup-logs CLI command and place it in a remote repository.
Scenario 1: Upgrade failed during database schema or datamodel upgrade

Detection: One of the following messages is shown in the console and ADE.log:

ISE Database schema upgrade failed!
ISE Global data upgrade failed!
ISE data upgrade for node specific data failed!

How to Roll back: Restore from the last backup to roll back.
How to retry the upgrade:

Analyze the logs. To identify and resolve the problem, submit the application bundle that you generated to the Cisco Technical Assistance Center (TAC). You need a new application bundle each time you retry an upgrade.

Scenario 2: Upgrade failed during binary install

Detection: An application binary upgrade occurs after the database upgrade. If a binary upgrade failure happens, the following message displays in the console and ADE.log:
% Application install/upgrade failed with system removing the corrupted install
How to Roll back: Reimage the Cisco ISE Appliance by using the previous ISO image and restore from the backup.
How to retry the upgrade:

Analyze the logs. To identify and resolve the problem, submit the application bundle that you generated to the Cisco Technical Assistance Center (TAC).

You need a new application bundle each time you retry an upgrade.
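The detection and rollback rules for Scenario 1 and Scenario 2 can be applied to saved console or ADE.log text with a short script. This is an added example, not Cisco code: the function names and the sample log lines (including their timestamp layout) are constructed for illustration, and only the failure strings and rollback actions come from this guide.

```python
import re
from typing import NamedTuple

# Required by the guide before any rollback or recovery attempt.
PRE_STEP = ("Generate an application bundle with the backup-logs CLI command "
            "and place it in a remote repository.")

# (stage, scenario, rollback, failure messages) as quoted in this guide.
# stage orders the phases: the binary install runs after the database upgrade.
SCENARIOS = (
    (1, "Scenario 1: database schema or datamodel upgrade",
     "Restore from the last backup.",
     ("ISE Database schema upgrade failed!",
      "ISE Global data upgrade failed!",
      "ISE data upgrade for node specific data failed!")),
    (2, "Scenario 2: binary install",
     "Reimage the appliance by using the previous ISO image and restore from the backup.",
     ("% Application install/upgrade failed with system removing the corrupted install",)),
)


class Finding(NamedTuple):
    line_no: int
    stage: int
    scenario: str
    message: str
    rollback: str


def _norm(text):
    """Collapse whitespace and case so re-indented lines still match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def scan(log_text):
    """Return one Finding per log line that contains a known failure message."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        haystack = _norm(line)
        for stage, scenario, rollback, messages in SCENARIOS:
            for message in messages:
                if _norm(message) in haystack:
                    findings.append(Finding(line_no, stage, scenario, message, rollback))
    return findings


def triage(log_text):
    """Summarise the failure. If both scenarios appear, the later phase
    (binary install) decides the rollback; that tie-break is this example's
    assumption, not a rule stated in the guide."""
    findings = scan(log_text)
    if not findings:
        return {"failed": False, "scenario": None, "first_step": None,
                "rollback": None, "findings": []}
    latest = max(findings, key=lambda f: f.stage)
    return {"failed": True, "scenario": latest.scenario, "first_step": PRE_STEP,
            "rollback": latest.rollback, "findings": findings}


# Constructed sample lines; the real ADE.log line layout may differ.
SAMPLE_DB_FAILURE = """\
2012-03-01 10:02:11 upgrade: starting ISE upgrade
2012-03-01 10:14:40 upgrade:   ISE Global data upgrade failed!
2012-03-01 10:14:41 upgrade: aborting
"""
SAMPLE_BINARY_FAILURE = """\
2012-03-01 11:30:02 upgrade: database upgrade complete
2012-03-01 11:41:55 % Application install/upgrade failed with system removing the corrupted install
"""

if __name__ == "__main__":
    for name, sample in (("db", SAMPLE_DB_FAILURE), ("binary", SAMPLE_BINARY_FAILURE)):
        result = triage(sample)
        print(name, "->", result["scenario"])
        print("  first:", result["first_step"])
        print("  then: ", result["rollback"])
```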

Recovering the Appliance if SSH Session Quit During Upgrade


Detection: The SSH session or console was disconnected or quit during an upgrade.
How to Rollback: Reimage the Cisco ISE Appliance by using the previous ISO image and restore from the backup.
How to retry the upgrade: Continue with the upgrade again. If your appliance is used as a secondary node in the new Cisco ISE version 1.1, directly install the new ISO version and register it to the new primary Administration ISE node.


CHAPTER 6

Performing Post-Installation Tasks


This chapter describes several tasks that you must perform after successfully completing the installation and configuration of the Cisco Identity Services Engine (ISE) 3300 Series appliance. This chapter contains information about the following topics:

Installing a License, page 6-1
Accessing Cisco ISE Using a Web Browser, page 6-7
Verifying the Cisco ISE Configuration, page 6-10
Verifying the Installation of VMware Tools, page 6-12
Resetting the Administrator Password, page 6-14
Reimaging a Cisco ISE 3300 Series Appliance, page 6-17
Configuring the Cisco ISE System, page 6-18
Enabling System Diagnostic Reports in Cisco ISE, page 6-18
Installing New Cisco ISE Software, page 6-18

Installing a License
To manage a Cisco ISE system, you must have a valid license. Licensing provides the ability to restrict the use of the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources.

Note

Concurrent endpoints represent the total number of supported users and devices. Endpoints can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.

Cisco ISE software feature support is split into two functional sets:

Base Package: Enables basic services of network access, guest, and link encryption
Advanced Package: Enables more advanced services like Profiler, Posture, and Security Group Access


Each license package supports a specific number of concurrent endpoints that can connect and use the corresponding services. Services for each package type are enabled by installing corresponding licenses. There are two possible license-installation approaches:

Base and Advanced Licenses: Base and Advanced licenses can be installed to enable corresponding feature support, depending on your installation. Each license may be installed separately, and you can also choose to install multiple licenses of the same type to cumulatively increase the number of endpoints for the corresponding package.
Wireless License: The Wireless license enables the same number of endpoints on both the base and advanced package. However, the devices that are supported with this type of license are restricted to wireless devices. It is possible to subsequently remove this restriction by installing a Wireless Upgrade license that enables the base and advanced package feature support for all types of devices.

The following sections provide information about these topics:

Types of Licenses, page 6-3
Obtaining a License, page 6-6
Autoinstallation of the Evaluation License, page 6-7


Built-In License

The Cisco ISE system includes an evaluation license that features both Base and Advanced package services, is valid for a 90-day period, and restricts the number of system base and advanced package users to 100. The Cisco ISE system prompts you before the evaluation license expires to download and install a valid production license. When the evaluation license expires at the end of its 90-day period, the Administration web application will prompt you to install a valid production license for Base, Base and Advanced, or Wireless. (Although the evaluation license allows you to provide support for both wired and wireless users, purchasing and applying a Wireless License option cuts off support for any wired users that you may have been supporting during the evaluation period.) For specific details on using the administrator user interface to add and modify license files, see the Managing Licenses chapter of the Cisco Identity Services Engine User Guide, Release 1.1.
Centrally-Managed Licenses

Licenses are centrally managed by the Administration ISE node within the Cisco ISE network and automatically distributed among all other Cisco ISE nodes (except Inline Posture nodes) in the deployment. For example, in a distributed deployment, there are two Administration persona instances deployed as primary and secondary. Upon the successful installation of the license file, the licensing information from the primary Administration ISE node is propagated to the secondary Administration ISE node (which eliminates the need to install the same license on each Administration ISE node within the deployment).

Note

All primary and secondary Administration ISE nodes require that their serial number information (which must be a unique base license within a distributed deployment) be included in the license that is installed on to the primary Administration ISE node. This does not apply to Wireless license options in the Cisco ISE, where only the serial number of the primary Administrative ISE node is required.
Concurrent Endpoint Counts

Each Cisco ISE license includes a count value for the Base, Base and Advanced, or Wireless packages that restricts the number of concurrent endpoints that can use Cisco ISE services. The count includes the total number of endpoints across the entire deployment that are concurrently connected to the network and accessing its services. License enforcement within Cisco ISE is soft: if the number of endpoints increases beyond the supported license count, the endpoint remains unblocked from accessing services. For information about the alarms that are generated when endpoints exceed the licensed values, see License Enforcement, page 6-3.
License Enforcement

Cisco ISE tracks concurrent endpoints on the network and generates alarms when endpoint counts exceed the licensed amounts:
80% Info
90% Warning
100% Critical

Caution

Accurate endpoint accounting relies on RADIUS accounting.


License Expiration

Alarms will not be sent for license expiration notification. Upon logging into a Cisco ISE node with an expired license, administrators are not able to access the Cisco ISE dashboard or other services, and instead, are redirected to a license page on www.cisco.com.
Cisco ISE License Application Behavior

When you install a Wireless License over the default Evaluation License, the Wireless License overrides the Evaluation License parameters with the specific duration and user count associated with the Wireless License.
When you install a Base License over the default Evaluation License, the Base License overrides only the Base portion of the Evaluation License; thus keeping the Advanced License capabilities available only for the remainder of time allowed by the default Evaluation License duration.
When you install an Advanced License over the default Evaluation License, the Advanced License overrides only the Advanced portion of the Evaluation License; thus keeping the Base License capabilities available only for the remainder of time allowed by the default Evaluation License duration.

Note

To avoid expiration issues that are associated with Base or Advanced features in the Cisco ISE, we recommend replacing the default Evaluation License with both a Base and Advanced License at the same time.

Types of Licenses
This section describes the four types of licenses that are supported for use with Cisco ISE 3300 Series appliances:

Evaluation License, page 6-4
Base License, page 6-5
Advanced License, page 6-5
Wireless License, page 6-5


Generally speaking, Base and Advanced licenses are primarily focused on providing Cisco ISE services, and Wireless license options are focused on ensuring that you are able to deploy Cisco ISE more quickly and easily in a purely wireless endpoint environment. For detailed information on the features and stock-keeping units (SKUs) available in the Cisco ISE Base, Advanced, Wireless, and Wireless Upgrade licenses, see the Cisco Identity Services Engine Ordering Guidelines at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html.

License Guidelines
The following are some license guidelines that you need to observe:

All licenses are centrally managed by the Cisco ISE node (Administration ISE node) per deployment.
All licenses are applied on the Administration ISE node only.
Deployments cannot have an Advanced license without the Base license.
Wireless Licenses cannot coexist on an Administration ISE node with Base or Base and Advanced Licenses.
Administration ISE nodes should ensure that networks cannot add more Advanced endpoint licenses than Base endpoint licenses.
Inline Posture nodes do not require a separate license.
  Inline Posture nodes are only supported on Cisco ISE 3300 Series appliances. They are not supported on VMware server systems.
  Only certain wireless LAN controller (WLC) versions are supported by Inline Posture. (See Cisco Identity Services Engine Network Component Compatibility, Release 1.1 for details.)

Note

Inline Posture nodes are not supported on VMware server systems.

When you launch the Cisco ISE before a license has been applied, only a bootstrap configuration that includes a license page appears.
When the evaluation license approaches expiration, you are prompted to download and install a production license (Base, Base and Advanced, or Wireless) when you attempt web-based access with the Cisco ISE system.
When a Base license is applied, Cisco ISE user interface screens and tabs are displayed for basic network access and Guest access.
When an Advanced license is applied, Cisco ISE user interface screens and tabs are displayed for Profiler, Posture, and Security Group Access.

Evaluation License
The evaluation license consists of both the Base and Advanced license packages. An evaluation license is limited to support only 100 endpoints, and it expires in 90 days. This duration is not based on a real-time clock, but on the Cisco ISE system clock. The evaluation license comes preinstalled, and it does not require a separate installation.


As the evaluation license approaches the end of its 90-day period, the Cisco ISE system prompts the user to download and install a valid product license (Base or Advanced) by generating an alarm to upgrade the license. Upon installing a regular license, the services are continued as per the chosen package.

Base License
Base licenses are installed by using the Cisco ISE administrative interface on the device. Like the evaluation license, the Base license usage is also recorded on the device. The Base licenses are perpetual licenses. The Base package includes Authentication, Authorization, Guest, and Sponsor services, and this license package never expires.

Advanced License
Advanced licenses can be installed only on top of the Base license. You cannot upgrade the evaluation license to an Advanced license without first installing the Base license. In addition to the features that are available in the Base license package, the Advanced license activates the Profiler, Posture, and Security Group Access services of the Cisco ISE. At any time, the total number of endpoints supported by the Advanced package cannot be higher than the Base license count (it can be equal to or less than Base license count).

Note

The Advanced Licenses are subscription-based and there are two valid subscription terms: three-year or five-year.

Wireless License
Wireless Licenses are designed to provide a flexible option to exclusively wireless service providers that not only offers the essential Base License functions like basic network access (authentication and authorization), Guest services, and link encryption, but also all Advanced License services, including Profiler, Posture, and Security Group Access services. The Cisco ISE ensures that only exclusively wireless customers are able to take advantage of the Wireless License options by only allowing RADIUS Wireless authentication requests that come from a wireless LAN controller (WLC). (Other authentication request methods are dropped.) In addition, the LiveLogs entries indicate the reason for the dropped requests with the message "Request from a non-wireless device was dropped due to installed Wireless license."

Note

Like Advanced License packages, Wireless Licenses are subscription-based. If you currently subscribe to a Wireless License model for your deployment and then decide you want to offer Cisco ISE support for non-wireless endpoints on your network, rather than revert to a Base and Advanced License scheme as described earlier, you can move to a Wireless Upgrade License. These licenses are designed to provide the full range of Cisco ISE functions and policy management capabilities for all wireless and non-wireless client access methods, including wired and VPN concentrator access.

Note

You can only install a Wireless Upgrade license option on top of an existing Wireless license with the same allowable endpoint count. You cannot install a Wireless Upgrade on top of a Base plus Advanced license package.
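The License Guidelines, the License Enforcement thresholds, and the caution that endpoint accounting relies on RADIUS accounting can be tied together in one planning check. This is an added example, not Cisco code and not how Cisco ISE counts endpoints internally: the names are hypothetical, the event tuples are a constructed simplification of RADIUS accounting Start/Interim-Update/Stop records, and treating each threshold as "at or above" is an assumption.

```python
from typing import NamedTuple


class LicensePlan(NamedTuple):
    """Endpoint counts per installed license; 0 means not installed."""
    base: int = 0
    advanced: int = 0
    wireless: int = 0
    wireless_upgrade: int = 0


def validate(plan):
    """Return the License Guidelines from this guide that the plan violates."""
    errors = []
    if plan.advanced and not plan.base:
        errors.append("Advanced requires Base")
    elif plan.advanced > plan.base:
        errors.append("Advanced count exceeds Base count")
    if plan.wireless and (plan.base or plan.advanced):
        errors.append("Wireless cannot coexist with Base or Advanced")
    if plan.wireless_upgrade:
        if not plan.wireless:
            errors.append("Wireless Upgrade needs an existing Wireless license")
        elif plan.wireless_upgrade != plan.wireless:
            errors.append("Wireless Upgrade count must equal Wireless count")
    return errors


def concurrent_endpoints(events):
    """Count endpoints that still have at least one open accounting session.

    events: iterable of (status, endpoint_id, session_id). A session opens on
    Start or Interim-Update and closes on Stop, so a lost Stop record keeps
    the endpoint counted.
    """
    open_sessions = {}
    for status, endpoint, session in events:
        if status in ("Start", "Interim-Update"):
            open_sessions.setdefault(endpoint, set()).add(session)
        elif status == "Stop":
            sessions = open_sessions.get(endpoint, set())
            sessions.discard(session)
            if not sessions:
                open_sessions.pop(endpoint, None)
    return len(open_sessions)


def alarm_level(concurrent, licensed):
    """Map usage to the guide's alarm levels: 80% Info, 90% Warning, 100% Critical.

    Enforcement is soft, so no level here implies that an endpoint is blocked.
    """
    if licensed <= 0:
        raise ValueError("licensed endpoint count must be positive")
    used = concurrent * 100          # integer math avoids float rounding at the edges
    if used >= licensed * 100:
        return "Critical"
    if used >= licensed * 90:
        return "Warning"
    if used >= licensed * 80:
        return "Info"
    return None


# Constructed accounting events for a deliberately small 5-endpoint license.
EVENTS = [
    ("Start", "00:11:22:33:44:01", "s1"),
    ("Start", "00:11:22:33:44:02", "s2"),
    ("Start", "00:11:22:33:44:03", "s3"),
    ("Start", "00:11:22:33:44:04", "s4"),
    ("Start", "00:11:22:33:44:05", "s5"),
    ("Stop",  "00:11:22:33:44:02", "s2"),
]

if __name__ == "__main__":
    plan = LicensePlan(base=5, advanced=5)
    print("plan errors:", validate(plan))
    seen = concurrent_endpoints(EVENTS)
    print("with Stop record:", seen, alarm_level(seen, plan.base))
    lost = concurrent_endpoints(EVENTS[:-1])   # the Stop record never arrived
    print("Stop record lost:", lost, alarm_level(lost, plan.base))
```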


Obtaining a License
To continue to use Cisco ISE services after the 90-day evaluation license expires, and to support more than 100 concurrent endpoints on the network, you must obtain and install your own Base or Base and Advanced license packages in the Cisco ISE. License files are based on a combination of the Cisco ISE hardware ID and Product Authorization Key (PAK). At the time you purchase your Cisco ISE, or before the 90-day license expires, you can access Cisco.com and order your Base or Base and Advanced licenses. Within an hour of ordering your license files from Cisco.com, you should receive an email with the Cisco Supplemental End-User License Agreement and a Claim Certificate containing a PAK for each license that you order. After receiving the Claim Certificate, you can log in and access the Cisco Product License Registration site at http://www.cisco.com/go/license and provide the appropriate hardware ID information and PAK to generate your license. You must supply the following specific information to generate your license file:

Product identifier (PID)
Version identifier (VID)
Serial number (SN)
Product Authorization Key (PAK)

The day after you submit your license information in the Cisco Product License Registration site, you will receive an email with your license file as an attachment. Save the license file to a known location on your local machine and use the instructions in the Managing Licenses chapter of the Cisco Identity Services Engine User Guide, Release 1.1 to add and update your product licenses in the Cisco ISE.
To determine your primary Administration ISE node hardware ID, complete the following:
Step 1 Access the direct-console CLI and enter the show inventory command. The output includes a line that is similar to the following:
PID: NAC3315, VID: V01, SN: ABCDEFG

Step 2 (Optional) If the license has not expired, you can view the primary Administration ISE node hardware ID by completing the following steps:
a. Choose Administration > System > Licensing. The License Operations navigation pane and Current Licenses page appear.
b. In the License Operations navigation pane, click Current Licenses. The Current Licenses page appears.
c. Select the button corresponding to the Cisco ISE node that you want to check for the primary Administration ISE node hardware ID, and click Administration Node. The product identifier, version identifier, and serial number appear.

Note

Cisco ISE licenses are generated based on the primary Administration ISE node hardware ID, not the MAC address.


For detailed information and license part numbers that are available for Cisco ISE, including licensing options for new installations as well as migration from an existing Cisco security product like Cisco Secure Access Control System, see the Cisco Identity Services Engine Ordering Guidelines at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html.

Autoinstallation of the Evaluation License


If you are using a virtual machine for Cisco ISE with disk space between 60 and 600 GB, the Cisco ISE automatically installs the evaluation license. All Cisco ISE 3300 Series appliances ship with an evaluation license that is limited to 90 days and 100 endpoints. After you have installed the Cisco ISE software and initially configured the appliance as the primary Administration ISE node, you must obtain and apply a license for your Cisco ISE as described in Obtaining a License, page 6-6. You apply all licenses to the Cisco ISE primary Administration ISE node by using the primary Administration ISE node hardware ID. The primary Administration ISE node then centrally manages all the licenses that are installed for your deployment. If you have two Cisco ISE nodes configured for high availability, then you must include both the primary and secondary Administration ISE node hardware IDs in the license file. However, the process of managing the licenses is the same for dual Administration ISE nodes as it is for a single Administration ISE node.
Next Steps:

To manage your licenses by using the Cisco ISE user interface, see the Managing Licenses chapter of the Cisco Identity Services Engine User Guide, Release 1.1 and complete the following tasks:

Adding and upgrading a license
Editing a license

Accessing Cisco ISE Using a Web Browser


The Cisco ISE 3300 Series appliances support a web interface using the following HTTPS-enabled browsers:

Mozilla Firefox version 3.6
Mozilla Firefox version 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 9 (in Internet Explorer 8 compatibility mode)

Note

The Cisco ISE user interface does not support using the Microsoft IE8 browser in its IE7 compatibility mode (the Microsoft IE8 is supported in its IE8-only mode).

This section provides information about the following topics:

Logging In, page 6-8
Logging Out, page 6-9


Logging In
When you log in to the Cisco ISE web-based interface for the first time, you will be using the preinstalled Evaluation license. You must use only the supported HTTPS-enabled browsers listed in the previous section. After you have installed Cisco ISE as described in this guide, you can log into the Cisco ISE web-based interface.
To log into Cisco ISE using the web-based interface, complete the following steps:
Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.
Step 2 In the Address field, enter the IP address (or hostname) of the Cisco ISE appliance by using the following format, and press Enter.
http://<IP address or host name>/admin/
For example, entering http://10.10.10.10/admin/ displays the Cisco ISE Login page.
Step 3 In the Cisco ISE Login page, enter the username and password that you defined during setup.
Step 4 Click Login, and the Cisco ISE dashboard appears.

Note

To recover or reset the Cisco ISE CLI-admin username or password, see the Resetting the Administrator Password, page 6-14.


Note

If you forget your CLI-admin username or password, use the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD, and choose Password Recovery. This option allows you to reset the CLI-admin username and password.

Tip

The recommended screen resolution for viewing the Cisco ISE GUI, and for a better user experience, is 1280 x 800 pixels.

CLI-based and web-based username and password values are not the same when logging into the Cisco ISE. For more information about the differences between the Cisco ISE CLI-admin user and the Cisco ISE web-based admin user, see Admin Rights Differences: CLI-Admin and Web-Based Admin Users, page 3-2.

Note

The license page appears only the first time that you log into Cisco ISE after the evaluation license has expired.

Note

We recommend that you use the Cisco ISE user interface to periodically reset your administrator login password after you successfully log into the Cisco ISE system. To reset your administrator password, see Configuring Cisco ISE Administrators in the Cisco Identity Services Engine User Guide, Release 1.1 for details.

Administrator Lockout Following Failed Login Attempts


If you enter an incorrect password for your specified administrator user ID enough times, the Cisco ISE user interface locks you out of the system, adds a log entry in the Monitor > Reports > Catalog > Server Instance > Server Administrator Logins report, and suspends the credentials for that administrator ID until you have an opportunity to reset the password associated with that administrator ID, as described in Password Negated Due to Administrator Lockout, page 6-16. The number of failed attempts required to disable the administrator account is configurable according to the guidelines that are described in the Managing Identities chapter of the Cisco Identity Services Engine User Guide, Release 1.1. After an administrator user account gets locked out, an email is sent to the associated admin user.

Logging Out
To log out of the Cisco ISE web-based interface, click Log Out in the Cisco ISE main window toolbar. This action ends your administrative session and logs you out.

Caution

For security reasons, we recommend that you log out of the Cisco ISE when you complete your administrative session. If you do not log out, the Cisco ISE web-based interface logs you out after 30 minutes of inactivity, and does not save any unsubmitted configuration data.

For more information on using the Cisco ISE web-based interface, see the Cisco Identity Services Engine User Guide, Release 1.1.


Verifying the Cisco ISE Configuration


This section provides two methods that each use a different set of username and password credentials for logging into and verifying your Cisco ISE configuration:

Verifying the Configuration Using a Web Browser, page 6-10
Verifying the Configuration Using the CLI, page 6-11

Note

For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as for the CLI-based access that you configured during setup. For CLI-based access to the Cisco ISE system, the administrator username by default is admin and the administrator password (which is user-defined because there is no default) represents the values that you configured during setup. To better understand the rights differences between the CLI-admin user and the web-based admin user, see Admin Rights Differences: CLI-Admin and Web-Based Admin Users, page 3-2.

Verifying the Configuration Using a Web Browser


To verify that you successfully configured your Cisco ISE 3300 Series appliance, complete the following steps using a web browser:
Step 1 After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.
Step 2 In the Address: field, enter the IP address (or host name) of the Cisco ISE appliance using the following format, and press Enter.
http://<IP address or host name>/admin/
For example, entering http://10.10.10.10/admin/ displays the Cisco ISE Login page.
Step 3 In the Cisco ISE Login page, enter the username and password that you have defined during setup, and click Login.


The Cisco ISE dashboard appears.

Note

We recommend that you use the Cisco ISE user interface to periodically reset your administrator login password after you have successfully logged into the Cisco ISE system. To reset your administrator password, see Configuring Cisco ISE Administrators in the Cisco Identity Services Engine User Guide, Release 1.1 for details.

Verifying the Configuration Using the CLI


To verify that you successfully configured your Cisco ISE 3300 Series appliance, use the Cisco CLI and complete the following steps:
Step 1 After the Cisco ISE appliance reboot has completed, launch a supported product for establishing a Secure Shell (SSH) connection to the ISE appliance (for example, by using PuTTY, an open source Telnet/SSH client).
Step 2 In the Host Name (or IP Address) field, type in the hostname (or the IP address of the Cisco ISE appliance in dotted decimal format), and click Open to display the system prompt for the Cisco ISE appliance.
Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during Setup, and press Enter.
Step 4 At the password prompt, enter the CLI-admin password that you configured during Setup (this is user-defined and there is no default), and press Enter.
Step 5 To verify that the application has been installed properly, at the system prompt enter show application version ise and press Enter. The console displays the following screen.

Note

The build number reflects the currently installed version of the Cisco ISE software.

Step 6 To check the status of the Cisco ISE processes, at the system prompt enter show application status ise and press Enter. The console displays the following screen.


Note

To get the latest Cisco ISE patches and to keep your Cisco ISE up-to-date, visit the following web site: http://www.cisco.com/public/sw-center/index.shtml

Step 7 To check the Cisco Application Deployment Engine (ADE) Release 2.0 operating system (ADE-OS) version, at the system prompt, enter show version and press Enter. The console displays the following output:
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.2.083
ADE-OS System Architecture: i386

Verifying the Installation of VMware Tools


You can verify the installation of the VMware tools in the following two ways:

Using Summary Tab in the vSphere Client
Using the CLI

Using Summary Tab in the vSphere Client

Go to the Summary tab of the vSphere Client. The value for VMware Tools should be OK. The red arrow in Figure 6-1 indicates that the VMware tools are installed since the value is OK.


Figure 6-1 Verifying VMware Tools in the vSphere Client

Using the CLI

You can also verify whether the VMware tools are installed by using the show inventory CLI command. This command lists the NIC driver information. On a virtual machine with VMware tools installed, the driver information is listed as VMware Virtual Ethernet driver. Refer to the following example:

vm36/admin# show inv

NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9 , VID: V01 , SN: 8JDCBLIDLJA
Total RAM Memory: 4016564 kB
CPU Core Count: 1
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 64.40 GB
Disk 0: Geometry: 255 heads 63 sectors/track 7832 cylinders
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:BA:C7:82
NIC 0: Driver Descr: VMware Virtual Ethernet driver
(*) Hard Disk Count may be Logical.
vm36/admin#
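The CLI check described above, automated in Python as an added example that is not part of the Cisco guide: it parses captured show inventory text and reports every NIC whose driver description is not the string the guide names. The function names, the two constructed samples, and the rule that every listed NIC must match are assumptions made for this example.

```python
import re

# Driver description that the guide says indicates VMware Tools are installed.
VMWARE_DRIVER = "VMware Virtual Ethernet driver"

# "NIC 0: HW Address: 00:0C:29:BA:C7:82" -> index, field name, value.
# The field name stops at the first colon, so MAC addresses stay intact.
NIC_FIELD = re.compile(r"^NIC\s+(\d+):\s*([^:]+?)\s*:\s*(.*?)\s*$")
NIC_COUNT = re.compile(r"^NIC Count:\s*(\d+)\s*$")

# Output as printed in the guide (non-NIC lines kept to show they are ignored).
SAMPLE_FROM_GUIDE = """\
NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9 , VID: V01 , SN: 8JDCBLIDLJA
Total RAM Memory: 4016564 kB
CPU Core Count: 1
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 64.40 GB
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:BA:C7:82
NIC 0: Driver Descr: VMware Virtual Ethernet driver
(*) Hard Disk Count may be Logical.
"""

# Constructed sample: the second NIC reports a made-up, non-VMware driver string.
SAMPLE_MIXED = """\
NIC Count: 2
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:00:00:01
NIC 0: Driver Descr: VMware Virtual Ethernet driver
NIC 1: Device Name: eth1
NIC 1: HW Address: 00:0C:29:00:00:02
NIC 1: Driver Descr: example generic ethernet driver
"""

# Constructed sample: the capture was cut off before the second NIC was printed.
SAMPLE_TRUNCATED = """\
NIC Count: 2
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:00:00:01
NIC 0: Driver Descr: VMware Virtual Ethernet driver
"""


def parse_nics(output):
    """Return (declared_count, {nic_index: {field: value}}) from show inventory text."""
    declared = None
    nics = {}
    for raw in output.splitlines():  # splitlines also copes with CRLF captures
        line = raw.strip()
        m = NIC_COUNT.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = NIC_FIELD.match(line)
        if m:
            idx, field, value = int(m.group(1)), m.group(2), m.group(3)
            nics.setdefault(idx, {})[field] = value
    return declared, nics


def check_vmware_tools(output):
    """Apply the guide's criterion to every NIC and collect anything that fails it."""
    declared, nics = parse_nics(output)
    problems = []
    if not nics:
        problems.append("no NIC entries found; is this show inventory output?")
    if declared is not None and declared != len(nics):
        problems.append(
            f"NIC Count says {declared} but {len(nics)} NIC entries were parsed"
        )
    for idx in sorted(nics):
        name = nics[idx].get("Device Name", f"NIC {idx}")
        driver = nics[idx].get("Driver Descr")
        if driver is None:
            problems.append(f"{name}: no Driver Descr line")
        elif driver != VMWARE_DRIVER:
            problems.append(f"{name}: driver is {driver!r}, expected {VMWARE_DRIVER!r}")
    return {"vmware_tools_ok": not problems, "nics": nics, "problems": problems}


if __name__ == "__main__":
    for label, text in [("guide", SAMPLE_FROM_GUIDE), ("mixed", SAMPLE_MIXED),
                        ("truncated", SAMPLE_TRUNCATED)]:
        result = check_vmware_tools(text)
        print(label, "OK" if result["vmware_tools_ok"] else result["problems"])
```

A count mismatch is reported as a failure rather than ignored, so a truncated terminal capture cannot pass as a clean result.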


Resetting the Administrator Password


There are two ways to reset the administrator password in Cisco ISE. Depending on the nature of your particular password loss, use one of the following sets of instructions:

Lost, Forgotten, or Compromised Password, page 6-14: Use this procedure if no one is able to log into the Cisco ISE system because the administrator password has been lost, forgotten, or compromised.
Password Negated Due to Administrator Lockout, page 6-16: Use this procedure if your password has been rendered unusable because login failed the specified number of times in a row for the administrator ID.

Lost, Forgotten, or Compromised Password


If no one is able to log into the Cisco ISE system because the administrator password has been lost, forgotten, or compromised, you can use the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD to reset the administrator password.
Prerequisites:

Make sure you understand the following connection-related conditions that can cause a problem when attempting to use the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD to start up a Cisco ISE appliance:

An error may occur if you attempt to start up a Cisco ISE appliance by using the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD under the following conditions:
  You have a terminal server associated with the serial console connection to the Cisco ISE appliance that includes the exec line setting (you are not using the no exec line setting).
  You have a keyboard and video monitor (KVM) connection to the Cisco ISE appliance (this can be either a remote KVM or a VMware vSphere client console connection).
  and
  You have a serial console connection to the Cisco ISE appliance.

Note

You can prevent these connection-related problems when using the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD to start up a Cisco ISE appliance by setting the terminal server setting for the serial console line to use the no exec setting. This allows you to use both a KVM connection and a serial console connection.

Resetting the Administrator Password for a Cisco ISE Appliance


To reset the administrator password, complete the following steps:

Step 1 Ensure that the Cisco ISE appliance is powered up.

Step 2 Insert the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD in the appliance CD/DVD drive. The console displays the following message (this example shows a Cisco ISE 3355):

Welcome to Cisco Identity Services Engine - ISE 3355


To boot from hard disk press <Enter>
Available boot options:
[1] Cisco Identity Services Engine Installation (Keyboard/Monitor)
[2] Cisco Identity Services Engine Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
boot:

Step 3 To reset the administrator password, at the system prompt, enter 3 if you use a keyboard and video monitor connection to the appliance, or enter 4 if you use a local serial console port connection. The console displays a set of parameters.

Step 4 Enter the parameters by using the descriptions that are listed in Table 6-1.

Table 6-1 Password Reset Parameters

Parameter                 Description
Admin username            Enter the number of the corresponding administrator whose password you want to reset.
Password                  Enter the new password for the designated administrator.
Verify password           Enter the password again.
Save change and reboot    Enter Y to save.

The console displays:

Admin username:
[1]:admin
[2]:admin2
[3]:admin3
[4]:admin4
Enter number of admin for password recovery:2
Password:
Verify password:
Save change and reboot? [Y/N]:

See the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4, for commands to reset DB passwords and other CLI commands.


Password Negated Due to Administrator Lockout


If you enter an incorrect password for your administrator user ID enough times, the administrator password is disabled. The minimum and default number of failed attempts is five. The Cisco ISE user interface locks you out of the system and suspends the credentials for that administrator ID until you have an opportunity to reset the password that is associated with that administrator ID.

Note

Use this command to reset the administrator user interface password. It does not affect the CLI password for the specified administrator ID.
To reset the password following administrator ID lockout, complete the following steps:

Step 1 Access the direct-console CLI and enter the following command:

admin# application reset-passwd ise <administrator ID>

Step 2 Specify a new password that is different from the previous two passwords that were used for this administrator ID:

Enter new password:
Confirm new password:
Password reset successfully

After you have successfully reset the administrator password, the credentials become immediately active in the Cisco ISE and you can log in with the new password without having to reboot your system. For more details on using the application reset-passwd ise command, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Changing the IP Address of a Cisco ISE 3300 Series Appliance


To change the IP address of a Cisco ISE 3300 series appliance, complete the following steps:

Step 1 Log into the Cisco ISE CLI.

Step 2 Enter the following:

configure terminal
interface GigabitEthernet 0
ip address <new_ip_address> <new_subnet_mask>
exit

Note

Do not use the no ip address command when you change the Cisco ISE appliance IP address.

Note

All the Cisco ISE services have to be restarted after changing the Cisco ISE appliance IP address.


Reimaging a Cisco ISE 3300 Series Appliance


You might need to reimage a Cisco ISE 3300 Series appliance, or you might want to reimage an appliance that was previously used for a Cisco Secure ACS Release 5.1 installation. For example, you plan to migrate Cisco Secure ACS data to Cisco ISE and want to re-use the appliance. To reimage a Cisco ISE 3300 Series appliance, complete the following steps:
Step 1 If the Cisco Secure ACS appliance is turned on, turn off the appliance.

Step 2 Turn on the Cisco Secure ACS appliance.

Step 3 Press F1 to enter the BIOS setup mode.

Step 4 Use the arrow key to navigate to Date and Time and press Enter.

Step 5 Set the time for your appliance to the UTC/GMT time zone.

Note

We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in your deployment are always in sync with regard to the timestamps.

Step 6 Press Esc to exit to main BIOS menu.

Step 7 Press Esc to exit from the BIOS Setup mode.

Step 8 Perform the instructions described in Before Configuring a Cisco ISE 3300 Series Appliance, page 3-1.

Step 9 Perform the instructions described in Understanding the Setup Program Parameters, page 3-3.

Step 10 Insert the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD in the appliance CD/DVD drive. The console displays (this example shows a Cisco ISE 3315):

Welcome to Cisco Identity Services Engine - ISE 3315
To boot from hard disk press <Enter>
Available boot options:
[1] Cisco Identity Services Engine Installation (Keyboard/Monitor)
[2] Cisco Identity Services Engine Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
boot:

Step 11 At the console prompt, enter 1 if you use a keyboard and video monitor, or enter 2 if you use a serial console port, and press Enter. The reimage process uninstalls the existing Cisco ADE-OS and software versions, and installs the latest Cisco ADE-OS and Cisco ISE software versions.

For details about the installation and configuration process, see Before Configuring a Cisco ISE 3300 Series Appliance, page 3-1 and Understanding the Setup Program Parameters, page 3-3.


For details about migrating Cisco Secure ACS Release 5.1/5.2 data to a Cisco ISE Release 1.0 appliance, see the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.

Configuring the Cisco ISE System


By using the Cisco ISE web-based user interface menus and options, you can configure the Cisco ISE system to suit your needs. For details on configuring authentication policies, authorization policies, and using all the features, menus, and options, see the Cisco Identity Services Engine User Guide, Release 1.1. For details on each of the Cisco ISE operations and other administrative functions, such as monitoring and reporting, see the Cisco Identity Services Engine User Guide, Release 1.1. For the most current information about this release, see the Release Notes for Cisco Identity Service Engine, Release 1.1.

Enabling System Diagnostic Reports in Cisco ISE


After installing Cisco ISE the first time or reimaging an appliance, you can choose to enable the system-level diagnostic reports using the Cisco ISE CLI (the logging function that reports on system diagnostics is not enabled in Cisco ISE by default). To enable system diagnostic reports, do the following:
Step 1 Log into the Cisco ISE CLI console using your default administrator user ID and password.

Step 2 Enter the following commands:

admin# configure terminal
admin# logging 127.0.0.1:20514
admin# end
admin# write memory

You can configure system diagnostic settings through the Cisco ISE UI (Administration > System > Logging > Logging Categories > System Diagnostics).

Installing New Cisco ISE Software


Each Cisco ISE 3300 Series appliance comes preinstalled with Cisco ISE software. If it becomes necessary to upgrade the preinstalled Cisco ISE ADE-OS and Cisco ISE software with a new version, we recommend that you preserve your existing system configuration information. Performing a new installation of Cisco ISE software on your appliance can take from 10 minutes to 60 or more minutes (per deployed Cisco ISE node), depending on how much configuration data needs to be restored.


Note

After the new software installation is complete, clear the cache of any active browsers that have been used to access Cisco ISE before this installation process.
For more information

For details on installing the Cisco 3300 Series appliances with new Cisco ISE Release 1.0 software, see Installing Cisco ISE Software in the Release Notes for Cisco Identity Service Engine, Release 1.1.


Appendix A

Preparing to Install the Cisco ISE 3300 Series Hardware


This appendix briefly describes safety guidelines, site requirements, and Ethernet connector and console port guidelines that you must observe before installing the Cisco Identity Services Engine (ISE) 3300 Series appliance. This information is provided in the following topics:

Safety Guidelines, page A-1
Preparing Your Site for Installation, page A-6
Ethernet Connector and Console Port Guidelines, page A-15

Safety Guidelines
Before you begin installing the Cisco ISE 3300 Series appliance, review the safety guidelines in this appendix and Rack-Mounting Configuration Guidelines, page B-1 to avoid injuring yourself or damaging the equipment. In addition, before replacing, configuring, or maintaining the appliance, review the safety warnings that are listed in Related Documentation, page xiii. This section contains the following topics:

General Precautions, page A-1
Safety with Equipment, page A-3
Safety with Electricity, page A-3
Preventing ESD Damage, page A-5
Lifting Guidelines, page A-5

General Precautions
Observe the following general precautions for using and working with your appliance:

Observe and follow service markings. Do not service any Cisco product except as explained in your appliance documentation. Opening or removing covers that are marked with the triangular symbol with a lightning bolt can expose you to electrical shock. Components that are inside these compartments should be serviced only by an authorized service technician.


If any of the following conditions occur, unplug the product from the electrical outlet and replace the part, or contact your authorized service provider:
  The power cable, extension cord, or plug is damaged.
  An object has fallen into the product.
  The product has been exposed to water.
  The product has been dropped or damaged.
  The product does not operate correctly when you follow the operating instructions.
Keep your appliance away from radiators and heat sources. Also, do not block cooling vents.
Do not spill food or liquids on your appliance, and never operate the product in a wet environment.
Do not push any objects into the openings of your appliance. Doing so can cause fire or electric shock by shorting out interior components.
Use the product only with other equipment that is approved by Cisco.
Allow the product to cool before removing covers or touching internal components.
Use the correct external power source. Operate the product only from the type of power source that is indicated on the electrical ratings label of the product. If you are not sure of the type of power source required, consult your service representative or local power company.
Use only approved power cables. If you have not been provided with a power cable for your appliance or for any AC-powered option that is intended for your appliance, purchase a power cable that is approved for use in your country. The power cable must be rated for the product and for the voltage and current that is marked on the product's electrical ratings label. The voltage and current rating of the cable should be greater than the ratings that are marked on the product.
To help prevent electric shock, plug the appliance and power cables into properly grounded electrical outlets. These cables are equipped with three-prong plugs to help ensure proper grounding. Do not use adapter plugs or remove the grounding prong from a cable. If you must use an extension cord, use a three-wire cord with properly grounded plugs.
Observe extension cord and power strip ratings. Make sure that the total ampere rating of all products that are plugged into the extension cord or power strip does not exceed 80 percent of the extension cord or power strip ampere ratings limit.
Do not use appliance voltage converters, or kits that are sold for appliances with your product.
To help protect your appliance from sudden, transient increases and decreases in electrical power, use a surge suppressor, line conditioner, or uninterruptible power supply (UPS).
Position cables and power cords carefully; route cables and the power cord and plug so that they cannot be stepped on or tripped over. Be sure that nothing rests on your appliance cables or power cord.
Do not modify power cables or plugs. Consult a licensed electrician or your power company for site modifications. Always follow your local or national wiring rules.


Safety with Equipment


The following guidelines help ensure your safety and protect the equipment. However, this list does not include all potentially hazardous situations, so be alert.

Warning

Read the installation instructions before connecting the system to the power source. Statement 1004

Always disconnect all power cords and interface cables before moving the appliance.
Never assume that power is disconnected from a circuit; always check.
Keep the appliance chassis area clear and dust-free before and after installation.
Keep tools and assembly components away from walk areas where you or others could trip over them.
Do not work alone if potentially hazardous conditions exist.
Do not perform any action that creates a potential hazard to people or makes the equipment unsafe.
Do not wear loose clothing that may get caught in the appliance chassis.
Wear safety glasses when working under conditions that may be hazardous to your eyes.

Safety with Electricity


Warning

This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. Statement 1017

Warning

To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Statement 1021

Warning

Do not touch the power supply when the power cord is connected. For systems with a power switch, line voltages are present within the power supply even when the power switch is off and the power cord is connected. For systems without a power switch, line voltages are present within the power supply when the power cord is connected. Statement 4

Warning

Before working on equipment that is connected to power lines, remove jewelry (including rings, necklaces, and watches). Metal objects will heat up when connected to power and ground and can cause serious burns or weld the metal object to the terminals. Statement 43

Warning

Before working on a chassis or working near power supplies, unplug the power cord on AC units; disconnect the power at the circuit breaker on DC units. Statement 12


Warning

Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001

Warning

This equipment is intended to be grounded. Ensure that the host is connected to earth ground during normal use. Statement 39

Warning

When installing or replacing the unit, the ground connection must always be made first and disconnected last. Statement 1046

Follow these guidelines when working on equipment powered by electricity:


Locate the room's emergency power-off switch. Then, if an electrical accident occurs, you can quickly turn off the power.
Disconnect all power before performing the following tasks:
  Working on or near power supplies
  Installing or removing an appliance
  Performing most hardware upgrades
Never install equipment that appears damaged.
Carefully examine your work area for possible hazards, such as moist floors, ungrounded power extension cables, and missing safety grounds.
Never assume that power is disconnected from a circuit; always check.
Never perform any action that creates a potential hazard to people or makes the equipment unsafe.
Never work alone when potentially hazardous conditions exist.
If an electrical accident occurs, proceed as follows:
  Use caution, and do not become a victim yourself.
  Turn off power to the appliance.
  If possible, send another person to get medical aid. Otherwise, determine the condition of the victim, and then call for help.
  Determine whether the person needs rescue breathing, external cardiac compressions, or other medical attention; then take appropriate action.

In addition, use the following guidelines when working with any equipment that is disconnected from a power source but still connected to telephone wiring or network cabling:

Never install telephone wiring during a lightning storm.
Never install telephone jacks in wet locations unless the jack is specifically designed for it.
Never touch uninsulated telephone wires or terminals unless the telephone line is disconnected at the network interface.
Use caution when installing or modifying telephone lines.


Preventing ESD Damage


ESD can damage equipment and impair electrical circuitry. ESD can occur when electronic printed circuit cards are improperly handled and can cause complete or intermittent failures. Always follow ESD-prevention procedures when removing and replacing modules:

When unpacking a static-sensitive component from its shipping carton, do not remove the component from the antistatic packing material until you are ready to install the component in your appliance. Just before unwrapping the antistatic packaging, be sure to discharge static electricity from your body.
When transporting a sensitive component, first place it in an antistatic container or packaging.
Handle all sensitive components in a static-safe area. If possible, use antistatic floor pads and workbench pads.
Ensure that the Cisco ISE 3300 Series appliance is electrically connected to earth ground.
Wear an ESD-preventive wrist strap, ensuring that it makes good skin contact. Connect the clip to an unpainted surface of the appliance to channel unwanted ESD voltages safely to ground. To guard against ESD damage and shocks, the wrist strap and cord must operate effectively.
If no wrist strap is available, ground yourself by touching a metal part of the appliance.

Caution

For the safety of your equipment, periodically check the resistance value of the antistatic wrist strap. It should be between 1 and 10 Mohm.

Lifting Guidelines
The Cisco ISE 3300 Series appliance weighs between 15 lb (9.071 kg) and 33 lb (14.96 kg) depending on what hardware options are installed in the appliance. The appliance is not intended to be moved frequently. Before you install the appliance, ensure that your site is properly prepared so that you can avoid having to move the appliance later to accommodate power sources and network connections. Whenever you lift the appliance or any heavy object, follow these guidelines:

Always disconnect all external cables before lifting or moving the appliance.
Ensure that your footing is solid, and balance the weight of the object between your feet.
Lift the appliance slowly; never move suddenly or twist your body as you lift.
Keep your back straight and lift with your legs, not your back. If you must bend down to lift the appliance, bend at the knees, not at the waist, to reduce the strain on your lower back muscles.
Lift the appliance from the bottom; grasp the underside of the appliance exterior with both hands.


Preparing Your Site for Installation


This section contains information about site planning, site preparation, and preparing to install the Cisco ISE 3300 Series appliance in the following topics:

Site Planning, page A-6
Unpacking and Checking the Contents of Your Shipment, page A-11
Required Tools and Equipment, page A-13
Installation Checklist, page A-14
Creating a Site Log, page A-14

Before you install the Cisco ISE 3300 Series appliance, complete the following steps:
Step 1 Prepare the site (see Site Planning, page A-6) and review any installation plans or deployment site survey documentation.

Step 2 Unpack and inspect the appliance.

Step 3 Gather the tools and test equipment that are required to properly install the appliance.

Site Planning
Warning

This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. Statement 1017

Typically, you should have prepared the installation site beforehand. As part of your preparation, obtain a floor plan of the site and the equipment rack where the Cisco ISE 3300 Series appliance will be housed. Determine the location of any existing appliances and their interconnections, including communications and power. Follow the airflow guidelines (see Airflow Guidelines, page A-8) to ensure that adequate cooling air is provided to the appliance. All personnel who are involved in the installation of the appliance, including installers, engineers, and supervisors, should participate in the preparation of a method of procedure (MOP) for approval by the customer. For more information, see Method of Procedure, page A-10. The following sections provide the site requirement guidelines that you must consider before installing the appliance:

Rack Installation Safety Guidelines, page A-7
Site Environment, page A-8
Airflow Guidelines, page A-8
Temperature and Humidity Guidelines, page A-9
Power Considerations, page A-9
Method of Procedure, page A-10


Rack Installation Safety Guidelines


The Cisco ISE 3300 Series appliance can be mounted in most four-post telephone company (telco-type), 19-inch equipment racks that comply with the EIA standard for equipment racks (EIA-310-D). The distance between the center lines of the mounting holes on the two mounting posts must be 18.31 inches +/- 0.06 inch (46.50 cm +/- 0.15 cm). The rack-mounting hardware that is included with the appliance is suitable for most 19-inch equipment racks or telco-type frames.

Note

Cisco strongly recommends using four-post racks whenever possible, but your rack must have at least two posts that provide mounting flanges for mounting an appliance.

Figure A-1 shows a couple of common examples of four-post equipment racks.

Figure A-1 Four-Post Equipment Rack Types

Four-Post (Partially-Enclosed) Rack


Image 1 in Figure A-1 shows a freestanding, partially-enclosed rack with two mounting posts in the front and two more at the rear. The Cisco ISE 3300 Series appliance may be installed in this type of enclosed rack, because the appliance only requires an unobstructed flow of cooling air into the front of the chassis and pushed out of the rear to maintain acceptable operating temperatures for its internal components.

Four-Post (Open) Rack


Image 2 in Figure A-1 shows a freestanding, four-post open rack with two mounting posts in front and two mounting posts at the back. The mounting posts in this type of rack are often adjustable so that you can position the rack-mounted unit within the depth of the rack rather than flush-mount it with the front of the rack.

Before installing your Cisco ISE 3300 Series appliance in a rack, review the following guidelines:

Two or more people are required to install the appliance in a rack.
Ensure that the room air temperature is below 95°F (35°C).
Do not block any air vents; usually, 6 inches (15 cm) of space provides proper airflow.


Plan the appliance installation starting from the bottom of the rack.
Do not extend more than one appliance out of the rack at the same time.
Connect the appliance to a properly grounded outlet.
Do not overload the power outlet when installing multiple devices in the rack.
Do not place any object weighing more than 110 lb (50 kg) on top of rack-mounted devices.

Site Environment
The location of your appliance and the layout of your equipment rack or wiring room are extremely important considerations for proper operation. Equipment that is placed too close together, inadequate ventilation, and inaccessible panels can cause malfunctions and shutdowns, and can make maintenance difficult. Plan for access to front panel and rear panel of the appliance. The following precautions will help you plan an acceptable operating environment for your appliance and will help you avoid environmentally caused equipment failures:

Ensure that the room in which your appliance operates has adequate circulation. Electrical equipment generates heat. Without adequate circulation, ambient air temperature may not cool equipment to acceptable operating temperatures. For more information, see Airflow Guidelines, page A-8.
Ensure that the site of the rack includes provisions for source AC power, grounding, and network cables.
Allow sufficient space to work around the rack during the installation. You need:
  At least 3 feet (9.14 m) adjacent to the rack to move, align, and insert the appliance.
  At least 24 inches (61 cm) of clearance in front of and behind the appliance for maintenance after installation.
To mount the appliance between two posts or rails, the usable aperture (the width between the inner edges of the two mounting flanges) must be at least 17.7 inches (45.0 cm).

Note

The rack-mount kit does not include a two-post equipment rack.

Use appropriate strain-relief methods to protect cables and equipment connections.
To avoid noise interference in network interface cables, do not route them directly across or along power cables.
Always follow ESD-prevention procedures as described in Preventing ESD Damage, page A-5 to avoid damage to equipment. Damage from static discharge can cause immediate or intermittent equipment failure.

Airflow Guidelines
To ensure adequate airflow through the equipment rack, we recommend that you maintain a clearance of at least 6 inches (15.24 cm) at the front and the rear of the rack. If airflow through the equipment rack and the appliances that occupy it is blocked or restricted, or if the ambient air that is being drawn into the rack is too warm, the temperature within the equipment rack can get too high and the appliance(s) may overheat.


The site should also be as dust-free as possible. Dust tends to clog the appliance fans, which reduces the flow of cooling air through the equipment rack and the appliances that occupy it. This type of airflow reduction increases the risk that the temperature will get too high and the appliance(s) may overheat.

Additionally, the following guidelines will help you plan your equipment rack configuration:

• Besides airflow, you must allow clearance around the rack for maintenance.
• When mounting an appliance in an open rack, ensure that the rack frame does not block the front intakes or the rear exhausts.

Temperature and Humidity Guidelines


Table A-1 lists the operating and nonoperating environmental site requirements for the Cisco ISE 3300 Series appliance. The appliance normally operates within the ranges that are listed; however, a temperature measurement that approaches a minimum or maximum parameter indicates a potential problem. Maintain normal operation by planning and preparing your site properly before you install the appliance, so that you can anticipate and correct environmental anomalies before they approach critical values.

Table A-1 Operating and Nonoperating Environmental Specifications

| Specification | Minimum | Maximum |
| --- | --- | --- |
| Temperature, ambient operating | 50°F (10°C) | 95°F (35°C) |
| Temperature, ambient nonoperating and storage | -40°F (-40°C) | 158°F (70°C) |
| Humidity, ambient (noncondensing) operating | 10% | 90% |
| Humidity, ambient (noncondensing) nonoperating and storage | 5% | 95% |
| Vibration, operating | 5–500 Hz, 2.20 g RMS random | |

Power Considerations
You configure the Cisco ISE 3300 Series appliance with AC-input power only. Ensure that all power connections conform to the rules and regulations in the National Electrical Codes, as well as local codes. While planning power connections to your appliance, the following precautions and recommendations must be followed:

• Check the power at your site before installation and periodically after installation to ensure that you are receiving clean power (free of spikes and noise). Install a power conditioner if necessary.
• The AC power supply includes the following features:
  – Autoselect feature for 110 V or 220 V operation.
  – An electrical cord for all appliances. (A label near the power cord indicates the correct voltage, frequency, current draw, and power dissipation for the appliance.)

Warning

This product relies on the building installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15 Amp U.S. (240 VAC, 10 Amp international) is used on the phase conductors (all current-carrying conductors). Statement 13

• Install proper grounding to your host equipment rack to avoid damage from lightning and power surges.

Warning

This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024

• Ensure that the AC-input power supply operates on input voltage and frequency within the ranges of 100 to 240 VRMS and 50 to 60 Hz without the need for operator adjustments. Table A-2 provides additional information on electrical inputs.

Table A-2 Electrical Input Specifications

| Specifications | Minimum | Maximum |
| --- | --- | --- |
| Sine-wave input | 50 Hz | 60 Hz |
| Input voltage low range | 100 VAC | 127 VAC |
| Input voltage high range | 200 VAC | 240 VAC |
| Approximate input kilovolt-amperes (kVA) | 0.102 kVA | 0.55 kVA |

Method of Procedure
As described previously, part of your preparation includes reviewing installation plans or MOPs. A MOP is a preinstallation checklist or list of tasks, guidelines, or considerations that need to be addressed and agreed upon before you proceed with the installation. The following example MOP serves as a guideline:

Step 1  Assign personnel.
Step 2  Determine protection requirements for personnel, equipment, and tools.
Step 3  Evaluate potential hazards that may affect service.
Step 4  Schedule time for installation.
Step 5  Determine any space requirements.
Step 6  Determine any power requirements.
Step 7  Identify any required procedures or tests.
Step 8  In an equipment plan, make a preliminary decision that locates each Cisco ISE 3300 Series appliance that you plan to install.
Step 9  Read this hardware installation guide.
Step 10  Verify the list of replaceable parts for installation (screws, bolts, washers, and so on) so that the parts are identified.
Step 11  Check the required tools list to make sure the necessary tools and test equipment are available. For more information, see Required Tools and Equipment, page A-13.
Step 12  Perform the installation.

Unpacking and Checking the Contents of Your Shipment


The shipping package for the Cisco ISE 3300 Series appliance is designed to reduce the possibility of product damage that is associated with routine material handling that is experienced during shipment. To reduce the potential for damage to the product, transport the appliance in its original Cisco packaging. Failure to do so may result in damage to the appliance. Also, do not remove the appliance from its shipping container until you are ready to install it. The appliance, cables, and any optional equipment that you ordered may be shipped in more than one container. A Notes section has been provided to record damaged or missing items. Figure A-2 displays the shipment items with the Cisco ISE 3300 Series appliance.

Note

Do not discard the packaging materials that are used in shipping your Cisco ISE 3300 Series appliance. You will need the packaging materials in the future if you move or ship your appliance.

Figure A-2 Items Shipped with the Cisco ISE 3300 Series Appliance (items shown: USB to PS2 dongle cable, Cisco ISE appliance, AC power cord, documentation, rack mounting kit)

Inspect all items for shipping damage. If anything appears to be damaged, or if you encounter problems installing or configuring your appliance, contact your customer service representative.

Note

The rack-mount kit does not include a two-post equipment rack.

Cisco Information Packet and Warranty


The Cisco Information Packet provides warranty, service, and support information. To access and download the Cisco Information Packet and your warranty and license agreements from Cisco.com, point your browser at the following location:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/cetrans.htm

The Warranties and License Agreements page appears.

To read the Cisco Information Packet, complete the following steps:

Step 1  Click the Information Packet Number field, and ensure that the part number 78-5235-03D0 is highlighted.

Step 2  Choose the language in which you would like to read the document.
Step 3  Click Go. The Cisco Limited Warranty and Software License page from the Information Packet appears.
Step 4  Read the document online, or click the PDF icon to download and print the document. You must have Adobe Acrobat Reader to view and print PDF files. You can download the reader from the Adobe website.

To read translated and localized warranty information about your product, complete the following steps:

Step 1  Enter this part number in the Warranty Document Number field: 78-5236-01C0
Step 2  Choose the language in which you would like to read the document.
Step 3  Click Go. The Cisco warranty page appears.
Step 4  Review the document online, or click the PDF icon to download and print the document in PDF.

You can also contact the Cisco Service and Support website for assistance at: http://www.cisco.com/en/US/support/

Duration of Hardware Warranty

Ninety (90) days.


Replacement, Repair, or Refund Policy for Hardware

Cisco or its service center will use commercially reasonable efforts to ship a replacement part within ten (10) working days after receipt of the Return Materials Authorization (RMA) request. Actual delivery times can vary depending on the customer location.

Note

Cisco reserves the right to refund the purchase price as its exclusive warranty remedy.
To Receive an RMA Number

Contact the company from which you purchased the product. If you purchased the product directly from Cisco, contact your Cisco Sales and Service Representative.

Complete the following information, and keep it for reference:

| Product Information | Description |
| --- | --- |
| Company product was purchased from | |
| Company telephone number/website location | |
| Product model number | |
| Product serial number (1) | |
| Maintenance contact number | |

1. See the Cisco ISE 3300 Series Appliance Hardware Summary section on page 2-1, Cisco ISE 3355 Serial Number Location section on page 2-8, Cisco ISE 3395 Serial Number Location section on page 2-12, and the Locating Appliance Serial Numbers section on page C-5 for more information.

Required Tools and Equipment


Caution

The fastener pack in the rack-mount kit contains eight rack screws. You must check these screws to ensure that they are the appropriate size for the holes in your rack. Using the wrong-sized screws for your threaded rack holes can damage the rack.

Warning

Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

You need the following tools and equipment to install the Cisco ISE 3300 Series appliance in a four-post rack:

• ESD-preventive cord and wrist strap.
• Number 2 Phillips screwdriver.
• Flat-blade screwdrivers (small, 3/16-in [0.476 cm] and medium, 1/4-inch [0.625 cm]) to remove the cover if you are upgrading memory or other components.
• Rack-mount kit. For more information on kit contents, see Using a Four-Post Rack-Mount Hardware Kit, page B-3.
• Cables for connection to the LAN ports (depending on the configuration).
• Ethernet switch for connection to the Ethernet (LAN) port or ports.

You must have either of the following for the initial configuration of the Cisco ISE 3300 Series appliance:

• USB keyboard and VGA monitor.
or
• Console terminal (an ASCII terminal or a PC that is running terminal-emulation software) that is configured for 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
• Console cable for connection to the serial (console) port. A null-modem cable is recommended.

Installation Checklist
To assist you with your installation and to provide a historical record of what was done, and by whom, use the following installation checklist. Make a copy of this checklist and mark the entries as you complete each task. When the checklist is complete, include a copy of it for each Cisco ISE 3300 Series appliance in your site log along with other records for your new appliance. (See Creating a Site Log, page A-14 for information about creating a site log.)

Installation Checklist for Site:
Cisco ISE 3300 Series Appliance:

| Task | Verified by | Date |
| --- | --- | --- |
| Installation checklist copied | | |
| Background information placed in site log | | |
| Site power voltages verified | | |
| Installation site power check completed | | |
| Required tools availability verified | | |
| Additional equipment availability verified | | |
| Cisco ISE 3300 Series appliance received | | |
| Cisco Information Packet publication received | | |
| Appliance components verified | | |
| Initial electrical connections established | | |
| ASCII terminal (for local configuration) verified | | |
| Signal distance limits verified | | |
| Startup sequence steps completed | | |
| Initial operation verified | | |

Creating a Site Log


You can maintain a site log that serves as a record of all installation, maintenance, upgrade, replacement, and changes that are made to the Cisco ISE 3300 Series appliance. Keep the log in an accessible place near the appliance so that anyone who performs tasks has access to it. Use the installation checklist (see Installation Checklist, page A-14) to verify the steps in the installation and maintenance of your appliance. Site log entries might include the following:

• Installation progress: Make a copy of the appliance installation checklist, and insert it into the site log. Make entries as you complete each task.
• Upgrade, removal, and maintenance procedures: Use the site log as a record of ongoing appliance maintenance and expansion history. Each time a task is performed on the appliance, update the site log to reflect the following information:
  – Installation of new adapter cards
  – Removal or replacement of adapter cards and other upgrades
  – Configuration changes

  – Maintenance schedules and requirements
  – Maintenance procedures performed
  – Intermittent problems
  – Comments and notes

Ethernet Connector and Console Port Guidelines


This section provides the following guidelines for the Ethernet connector and asynchronous serial console port for the Cisco ISE 3300 Series appliances:

• Each Cisco ISE 3300 Series appliance provides an Ethernet connector on the rear panel, and the Gigabit Ethernet 0 port uses unshielded twisted-pair (UTP) cabling (we recommend using Category 6 UTP cable). The maximum segment distance is 328 feet (100 meters). UTP cables look like the cables that are used for ordinary telephones. However, UTP cables meet specific electrical standards that telephone cables do not meet (these UTP cables are not included in the installation package).

• Each Cisco ISE 3300 Series appliance provides an asynchronous serial console port on the rear panel that enables you to access the appliance locally (using a console terminal). It is important that you verify and use the proper cabling type before attempting to connect a console terminal (either an ASCII terminal or a PC running terminal-emulation software) to the console port.

Caution

To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco ISE console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.

Note

The console cable is not included with the Cisco ISE 3300 Series appliance.

APPENDIX B

Installing the Cisco ISE 3300 Series Hardware


This appendix describes how to install your Cisco Identity Services Engine (ISE) 3300 Series appliances and connect any of the three supported appliances (Cisco ISE 3315, Cisco ISE 3355, and Cisco ISE 3395) to the network. This information is contained in the following sections:

• Rack-Mounting Configuration Guidelines, page B-1
• Mounting a Cisco ISE 3300 Series Appliance in a Four-Post Rack, page B-2
• Connecting Cables, page B-8
• Powering Up the Cisco ISE 3300 Series Appliance, page B-14

Warning

Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Warning

This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. Statement 1017

Rack-Mounting Configuration Guidelines


Each Cisco ISE 3300 Series appliance has a set of rack handles (installed at the factory). You will use these handles when installing the appliance in a four-post rack. You can front (flush) mount or mid-mount the appliance in a 19-inch (48.3-cm) equipment rack that conforms to the four-post rack specification.

Note

The inside width of the rack must be 17.5 inches (44.45 cm).

The first task that you need to perform is to mount the appliance in the brackets. After the appliance is installed in the rack, it requires one EIA 1.75-inch (4.4-cm) vertical mounting space or 1 rack unit (RU) for mounting.

Caution

You must leave sufficient clearance in the front and rear of the Cisco ISE 3300 Series appliance to allow for cooling air to be drawn in through the front, circulated through the appliance, and exhausted out the rear of the appliance. For details, see Airflow Guidelines, page A-8.

The Rack Installation Safety Guidelines, page A-7 and the following information will help you plan the equipment rack configuration:

• When mounting an appliance in an equipment rack, ensure that the rack is firmly bolted to the floor.
• Because you may install one or more appliances in the rack, ensure that the weight of all the installed appliances does not exceed the weight capacity of the rack or make the rack unstable.

Caution

Some equipment racks are also secured to ceiling brackets because of the weight of the equipment in the rack. For this type of installation, make sure that the rack that you are using to install the appliances is firmly secured to the building structure.

• As recommended in Airflow Guidelines, page A-8, maintain a 6-inch (15.2-cm) clearance at the front and rear of the appliance to ensure that it maintains an adequate space for air intake and exhaust.
• Avoid installing appliances in an overly congested rack. Air flowing to or from other appliances in the rack might interfere with the normal flow of cooling air through the appliances, thereby increasing the risk that the appliance(s) overheat.
• Allow at least 24 inches (61 cm) of clearance at the front and rear of the rack for performing any appliance maintenance operations.

Caution

To prevent appliance overheating, never install an appliance in an enclosed rack or in a room that is not properly ventilated or supported by adequate air conditioning.

• Follow your local best practices for cable management. Ensure that cables running to and from appliances do not impede access needed for performing equipment maintenance or upgrades.

Note

The rack-mount hardware kit does not include a two-post equipment rack.

Mounting a Cisco ISE 3300 Series Appliance in a Four-Post Rack


Warning

When the appliance is installed in a rack and is fully extended on its slide rail, it is possible for the rack to become unstable and tip over, which could cause serious injury. To eliminate the risk of rack instability from extending the rail or in the event of an earthquake, you should affix the rack to the floor.

This section contains information about the following topics:


• Using a Four-Post Rack-Mount Hardware Kit, page B-3
• Installing the Slide Rails in a Rack, page B-4
• Installing the Appliance into the Slide Rails, page B-6

Using a Four-Post Rack-Mount Hardware Kit


Figure B-1 displays the items that you need to install the Cisco ISE 3300 Series appliance in a four-post rack.

Figure B-1 Release Levers on the Slide Rail Hardware

The following table describes the callouts in Figure B-1.

| Callout | Description | Callout | Description |
| --- | --- | --- | --- |
| 1 | Cable straps | 4 | M6 screws |
| 2 | Slide rail | 5 | Shipping bracket |
| 3 | Front of rail | 6 | Rear of rail |

Table B-1 lists the contents of the rack-mount hardware kit.

Table B-1 Rack-Mount Hardware Kit

| Item | Quantity |
| --- | --- |
| Slide rails | 2 |
| Cable straps | 6 |
| M6 screws | 6 |

Installing the Slide Rails in a Rack


To install the Cisco ISE 3300 Series appliance in a rack, complete the following steps:

Step 1  Press on the rail-adjustment bracket on the rear of the slide rail (see Figure B-2) to prevent the bracket from moving.
Step 2  Press the adjustment tabs 1 and 2 (see Figure B-2) and slide the rail-locking carrier toward the front of the slide rail until it snaps into place.
Step 3  Press the adjustment tabs 1 and 2 and slide the rail-locking carrier toward the rear of the slide until it snaps into place.

Figure B-2 Installing the Slide Rail into the Rack

The following table describes the callouts in Figure B-2.

| Callout | Description |
| --- | --- |
| 1 | Adjustment tab 1 |
| 2 | Adjustment tab 2 |
| 3 | Rail-adjustment bracket |

If you need to adjust the slide-rail length, lift the release tab (see Figure B-3) and fully extend the rail-adjustment bracket from the rear of the slide rail until it snaps into place.

Step 4  Align the pins on the rear rail-locking carrier with the holes on the rear mounting flange.
Step 5  Press the adjustment tab (see Figure B-3) to secure the rear of the slide rail to the rear mounting flange.

Note

Ensure that the pins are fully extended through the mounting flange and slide rail.

Figure B-3 Adjusting the Slide-rail Length

The following table describes the callouts in Figure B-3.

| Callout | Description |
| --- | --- |
| 1 | Adjustment tab |
| 2 | Release tab |
| 3 | Pins (not extended through the mounting flange and slide rail) |
| 4 | Pins (extending through the mounting flange and slide rail) |

Step 6  Align the pins (see Figure B-4) on the front rail-locking carrier to the front mounting flange. If you have adjusted the rail length, push the rail-locking carrier back toward the rear of the slide rail to align the slide rail with the mounting flange.
Step 7  Press the adjustment tab to secure the front of the slide rail to the front mounting flange.

Note

Ensure that the pins are fully extended through the mounting flange and the slide rail.

Step 8  Repeat these steps for the other slide rail.

Figure B-4 Aligning the Slide Rail with the Mounting Flange

The following table describes the callouts in Figure B-4.

| Callout | Description |
| --- | --- |
| 1 | Adjustment tab |
| 2 | Mounting flange |
| 3 | Pins |
| 4 | Pins (extending through the mounting flange and slide rail) |
| 5 | Pins (not extending through the mounting flange and slide rail) |

Installing the Appliance into the Slide Rails


To install the Cisco ISE 3300 Series appliance into the slide rails, complete the following steps:

Step 1  Align the server on the slide rails and push it fully into the rack cabinet.
Step 2  Secure the server to the front mounting flanges with the captive thumbscrews (see Figure B-5).

Note

You must leave the shipping brackets attached to the slide rails unless the shipping brackets impede the server from sliding fully into the rack cabinet. If you need to remove the shipping brackets, see Step 3.

Figure B-5 Aligning the Server on the Slide Rails

The following table describes the callouts in Figure B-5.

| Callout | Description |
| --- | --- |
| 1 | Shipping brackets |
| 2 | Cisco ISE 3300 Series appliance |
| 3 | Thumbscrews |

Step 3  Press the release tab (see Figure B-6) as indicated on the shipping bracket, and remove the shipping bracket from the slide rail.
Step 4  Repeat Step 3 for the other shipping bracket. Store the shipping brackets for future use.

Note

You must reinstall the shipping brackets on the slide rails before you transport the rack cabinet with the server installed. To reinstall the shipping brackets, reverse the steps.

Figure B-6 Removing the Shipping Brackets

The following table describes the callout in Figure B-6.

| Callout | Description |
| --- | --- |
| 1 | Release tab |

Connecting Cables
This section describes how to connect your Cisco ISE 3300 Series appliance to the network and the appliance console. In the following example, Figure B-7 shows the Cisco ISE 3315 appliance. For the specific locations of the rear-panel features for the other Cisco ISE 3300 Series appliances, see the following topics:

• Cisco ISE 3355 Rear-Panel Features, page 2-10
• Cisco ISE 3395 Rear-Panel Features, page 2-14

The following topics describe how to connect and manage cabling:

• Connecting the Network Interface, page B-10
• Connecting the Console, page B-11
• Connecting the Keyboard and Video Monitor, page B-13
• Cable Management, page B-14


Figure B-7 Cisco ISE 3315 Appliance Rear-Panel View

The following table describes the callouts in Figure B-7.

| Callout | Description | Callout | Description |
| --- | --- | --- | --- |
| 1 | AC Power supply cable socket | 6 | NIC 2 (eth1) Gigabit Ethernet interface |
| 2 | NIC 3 (eth2) add-on card | 7 | NIC 1 (eth0) Gigabit Ethernet interface |
| 3 | NIC 4 (eth3) add-on card | 8 | Rear USB port 4 |
| 4 | Serial port | 9 | Rear USB port 3 |
| 5 | Video port | | |

Attach your cables (such as keyboard and monitor cables, if required) to the rear of the server. Route the cables to the left corner of the server (from a rear-panel perspective as shown in Figure B-8), and use the cable straps to secure the cables to the slide rails.

Figure B-8 Connecting the Cables

Connecting the Network Interface


Warning

Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001

This section describes how to connect the Cisco ISE 3300 Series appliance Ethernet port. The RJ-45 port supports standard straight-through and crossover Category 5 UTP cables.

Note

We do not supply Category 5 UTP cables; these cables are available commercially.

To connect the cable to the Cisco ISE 3300 Series appliance Ethernet port, complete the following steps:

Step 1  Verify that the appliance is turned off.
Step 2  Connect one end of the cable to the Gigabit Ethernet 0 port on the appliance.
Step 3  Connect the other end to a switch in your network.

Ethernet Port Connector


Each supported Cisco ISE 3300 Series appliance comes with two integrated dual-port Ethernet controllers. These Ethernet controllers provide an interface for connecting to 10-, 100-, or 1000-Mb/s networks, and they provide full-duplex (FDX) capability that enables simultaneous transmission and reception of data on the Ethernet LAN. For the exact location of the Ethernet port connector on each appliance, see the following:

• Cisco ISE 3315 Rear-Panel Features, page 2-7
• Cisco ISE 3355 Rear-Panel Features, page 2-10
• Cisco ISE 3395 Rear-Panel Features, page 2-14

To access the Ethernet port, connect at a minimum Category 5 or 5E (we recommend that you use Category 6) UTP cable to the RJ-45 connector on the back of the appliance. Table B-2 describes the UTP cable categories.

Table B-2 Ethernet to UTP Cabling Category Guidelines

| Type | Description |
| --- | --- |
| 10BASE-T | EIA Categories 5 or 5E or higher UTP (2 or 4 pair) up to 328 ft (100 m) |
| 100BASE-TX | EIA Category 5 or 5E or higher UTP (2 pair) up to 328 ft (100 m) |
| 1000BASE-T | EIA Category 6 UTP (recommended), Category 5 or 5E UTP (2 pair) up to 328 ft (100 m) |

Figure B-9 shows the Ethernet RJ-45 port and plug.

Figure B-9 RJ-45 Port and Plug

Table B-3 lists and describes the RJ-45 pin signals used on the Ethernet connector.

Warning

To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Use caution when connecting cables. Statement 1021

Table B-3 Ethernet Port (RJ-45) Pinout

| Ethernet Port Pin | Signal | Description |
| --- | --- | --- |
| 1 | TxD+ | Send data + |
| 2 | TxD- | Send data - |
| 3 | RxD+ | Receive data + |
| 4 | Termination network | No connection |
| 5 | Termination network | No connection |
| 6 | RxD- | Receive data - |
| 7 | Termination network | No connection |
| 8 | Termination network | No connection |

Connecting the Console


Warning

Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001

Caution

To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco ISE console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.

Each Cisco ISE 3300 Series appliance has a data circuit-terminating equipment mode console port that allows you to connect a console terminal directly to your appliance. The appliance uses a DB-9 serial connector for the console port.

The console port on each Cisco ISE 3300 Series appliance includes an EIA/TIA-232 asynchronous serial (DB-9) connector. This serial console connector (port) allows you to access the appliance locally by connecting a terminal (either a PC that runs terminal-emulation software or an ASCII terminal) to the console port. You can do this by using one of the following methods:

• Connecting a PC that is running terminal-emulation software to the console port by using a DB-9 female to DB-9 female straight-through cable.
• Connecting an ASCII terminal to the console port by using a DB-9 female to DB-25 male straight-through cable with a DB-25 female to DB-25 female gender changer.
• Connecting a terminal or a PC running terminal-emulation software to the console port on the Cisco ISE 3300 Series appliance.

To connect a console terminal to your appliance, complete the following steps:


Step 1  Connect the terminal by using a straight-through cable to the console port.
Step 2  Configure your terminal or terminal-emulation software to use the following settings:
  • 9600 baud
  • 8 data bits
  • No parity
  • 1 stop bit
  • No hardware flow control

Serial (Console) Port Connector


Cisco ISE 3300 Series appliances have one serial port connector that is located on the rear panel of each appliance. For the exact location of each serial port connector on each appliance, see the following:

• Cisco ISE 3315 Rear-Panel Features, page 2-7
• Cisco ISE 3355 Rear-Panel Features, page 2-10
• Cisco ISE 3395 Rear-Panel Features, page 2-14

Figure B-10 shows the pin number assignments for the 9-pin, male, D-shell serial port connector that is located on the rear panel of each Cisco ISE 3300 Series appliance. The pin number assignments conform to the RS-232-C industry standard.

Figure B-10 Serial Port Connector

Table B-4 lists and describes the serial (console) port pinout.

Table B-4 DB-9 Serial (Console) Port Pinout

| Serial Port Pin | Signal | Description |
|---|---|---|
| 1 | DCD | Data carrier detect |
| 2 | RXD | Receive data |
| 3 | TXD | Send/transmit data |
| 4 | DTR | Data terminal ready |
| 5 | GND | Signal ground |
| 6 | DSR | Data set ready |
| 7 | RTS | Request to send |
| 8 | CTS | Clear to send |
| 9 | RI | Ring indicator |

Connecting the Keyboard and Video Monitor


Warning

Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001

This section describes how you can connect a keyboard and video monitor to a Cisco ISE 3300 Series appliance. As an alternative to connecting a keyboard or video monitor, you can make a serial console connection to a Cisco ISE 3300 Series appliance. Note the following guidelines:

- Cisco ISE 3300 Series appliances do not support the use of a mouse device.
- Cisco ISE 3300 Series appliances provide USB ports on both the front and rear panel on each appliance that can be used for making a keyboard (USB port) or video monitor (video port) connection.

For the specific location of the USB and video ports on each appliance, see the following:

- Cisco ISE 3315 Rear-Panel Features, page 2-7
- Cisco ISE 3355 Rear-Panel Features, page 2-10
- Cisco ISE 3395 Rear-Panel Features, page 2-14

To connect a keyboard and video monitor to your appliance, complete the following steps:
Step 1 Verify that the appliance is turned off.

Step 2 Connect the end of the keyboard cable for the PS/2 (keyboard) to the supplied USB to the PS/2 dongle adapter that is located on the rear panel of the appliance.

Step 3 Connect the end of the video monitor cable to the PS/2 VGA port that is located on the appliance. In the Cisco ISE 3315, there is one video port on the rear panel; on the Cisco ISE 3355 and Cisco ISE 3395, there is one video port on the front panel and one video port on the rear panel.

Step 4 Turn on the appliance.


Cable Management
Cable management can be the most visual element that is part of setting up your appliance. However, the issue of cable management is often overlooked because the time spent is not considered a high-priority task.

Because racks and enclosures typically house more equipment today than ever before, the increase in equipment installations per rack means you must better organize, route, and manage your cabling inside and outside the equipment rack. Poor cable management can lead not only to damaged cables or added time spent rerouting or changing cabling, but it can also impair the critical airflow that cools your appliance or block access to it. These types of problems can lead to inefficiencies in performance or potentially even some downtime.

However, solutions that address cable management issues range from simple cable management rings, to vertical or horizontal organizers, to the use of cable troughs and ladders. All Cisco ISE 3300 Series appliance cables should be properly dressed so as not to interfere with each other or with any other equipment in the rack. Use the best local or electrical practices to ensure that the cables that are attached to your appliance are properly dressed.

You can now proceed to the next section, Powering Up the Cisco ISE 3300 Series Appliance, page B-14, to continue the installation process.

Powering Up the Cisco ISE 3300 Series Appliance


Warning

Do not touch the power supply when the power cord is connected. For systems with a power switch, line voltages are present within the power supply even when the power switch is off and the power cord is connected. For systems without a power switch, line voltages are present within the power supply when the power cord is connected. Statement 4

Warning

This equipment is intended to be grounded. Ensure that the host is connected to earth ground during normal use. Statement 39

This section contains the following topics:


- Power-Up Checklist, page B-14
- Power-Up Procedure, page B-15
- Checking the LEDs, page B-16

Power-Up Checklist
You can proceed to power up the Cisco ISE 3300 Series appliance if you have met the following conditions:

- The appliance is securely mounted.
- The appliance is properly grounded.
- All power, network, and interface cables have been properly connected.


Power-Up Procedure
To power up a Cisco ISE 3300 Series appliance and verify its initialization and self-test, perform the following procedure. When the following procedure is completed, the appliance is ready to be configured. Figure B-12 shows the Cisco ISE 3315 appliance. For specific front- and rear-panel views and control descriptions for the other Cisco ISE 3300 Series appliances, see:

Cisco ISE 3355 Appliance:

- Cisco ISE 3355 Front-Panel Features, page 2-8
- Cisco ISE 3355 Rear-Panel Features, page 2-10

Cisco ISE 3395 Appliance:

- Cisco ISE 3395 Front-Panel Features, page 2-12
- Cisco ISE 3395 Rear-Panel Features, page 2-14

To power up a Cisco ISE 3300 Series appliance, complete the following steps:
Step 1 Review the information in Safety Guidelines, page A-1.

Step 2 Plug the AC power cord into the AC power socket in the rear panel of the appliance. (Location 1 in Figure B-11 shows the Cisco ISE 3315 appliance.)

Figure B-11 Cisco ISE 3315 Appliance Rear-Panel View

For the location of the AC power socket in the other Cisco ISE 3300 Series appliances, see:

- Cisco ISE 3355 Rear-Panel Features, page 2-10
- Cisco ISE 3395 Rear-Panel Features, page 2-14

Step 3 Connect the other end of the AC power cord to an approved AC power source at your installation site.

Step 4 In the front panel of the appliance, press the AC power button On to begin the booting process. Location 2 in Figure B-12 shows the Cisco ISE 3315 appliance. For the location of the AC power button in the other Cisco ISE 3300 Series appliances, see:

- Cisco ISE 3355 Front-Panel Features, page 2-8
- Cisco ISE 3395 Front-Panel Features, page 2-12

Step 5 Observe the front-panel LEDs for the Cisco ISE 3300 Series appliances. For example, the Cisco ISE 3315 appliance is shown in Figure B-12. Checking the LEDs, page B-16 lists the status of the LEDs for all three Cisco ISE 3300 Series appliances.


Figure B-12 Cisco ISE 3315 Appliance Front-Panel View

The following table defines the front-panel features and LEDs shown in Figure B-12.

| Location | Feature |
|---|---|
| 1 | Appliance power LED |
| 2 | AC power control button |
| 3 | Reset button |
| 4 | HDD activity LED |
| 5 | Locator LED |
| 6 | System-error LED |
| 7 | USB 1 connector |
| 8 | USB 2 connector |
| 9 | CD-eject button |
| 10 | CD drive activity LED |

Checking the LEDs


When the Cisco ISE 3300 Series appliances have been started up and are running, observe the state of the front-panel LEDs. Table B-5 describes the LED color, its power status, activity, and other important status indicators that are displayed for each of the Cisco ISE 3300 Series appliances.
Table B-5 Cisco ISE 3300 Series Appliance LEDs

Cisco ISE 3315 Appliance Front-Panel LEDs

| LED Type | LED Color | Description |
|---|---|---|
| Power status | Green | Lit when appliance has AC power and is powered on. Unlit when appliance is turned off, AC power is disconnected, or an error condition has been detected in the operating voltages. |
| HDD activity | Green | Flashing green when there is ongoing HDD activity. Unlit when there is no activity, the appliance has not yet booted, or an error condition has been detected in the boot process. |
| Locator (LED button) | Blue | Flashing blue when the locator button has been pressed. |
| System health | Amber | Unlit when the system is operating normally. Lit indicates a prefailure system threshold condition, such as: at least one fan failure (system or processor fan); at least one of the temperature sensors reached critical level (system or processor thermal sensor); at least one memory module failed; a power supply unit error has occurred. |

Cisco ISE 3355 Appliance Front-Panel LEDs

| LED Type | LED Color | Description |
|---|---|---|
| HDD activity | Green | Lit when there is continuous HDD activity. Flashing green when there is ongoing HDD activity. Unlit when there is no activity, the HDD is idle, or the HDD has been disabled. |
| HDD status | Amber | Lit when HDD is in an error state. Unlit when HDD is functioning properly or when system is disconnected from AC power. |
| Ethernet (icon) | Green | Lit when Ethernet interfaces are configured and up. Unlit when no Ethernet interfaces are currently configured or when Ethernet interfaces are all down. |
| Ethernet interface activity (NIC 1 and NIC 2) | Green | Lit when activity exists on NIC 1 or NIC 2. Flashing green when there is ongoing activity on NIC 1 or NIC 2. Unlit when there is no activity on NIC 1 or NIC 2. |
| Informational | Amber | Lit when a noncritical system event has occurred. Unlit when system is functioning normally. |
| System health | Amber | Unlit when the system is operating normally. Lit indicates a prefailure system threshold condition, such as: at least one fan failure (system or processor fan); at least one of the temperature sensors reached critical level (system or processor thermal sensor); at least one memory module failed; a power supply unit error has occurred. |
| Locator (button) | Blue | Flashing blue when locator button has been pressed. |
| Ethernet interface activity (NIC 3 and NIC 4) | Green | Lit when activity exists on NIC 3 or NIC 4. Flashing green when there is ongoing activity on NIC 3 or NIC 4. Unlit when there is no activity on NIC 3 or NIC 4. |
| Power (button) | Green | Lit when the appliance has AC power and is turned on. Rapidly flashing green indicates that the appliance is turned off and is not yet ready to be turned on. The appliance typically only remains in this state for 1 to 3 minutes. Slowly flashing green indicates that the appliance is currently turned off and is ready to be turned on. Slowly fading on or off indicates that the appliance is in power-save mode (and is ready to be turned on). Unlit when the appliance is turned off (AC power is disconnected). |

Cisco ISE 3395 Appliance Front-Panel LEDs

| LED Type | LED Color | Description |
|---|---|---|
| HDD activity | Green | Lit when there is continuous HDD activity. Flashing green when there is ongoing HDD activity. Off when there is no activity, the HDD is idle, or the HDD has been disabled. |
| HDD status | Amber | Lit when HDD is in error state. Unlit when HDD is functioning properly or when system is disconnected from AC power. |
| Ethernet (icon) | Green | Lit when Ethernet interfaces are configured and up. Unlit when no Ethernet interfaces are currently configured or when Ethernet interfaces are all down. |
| Ethernet interface activity (NIC 1 and NIC 2) | Green | Lit when activity exists on NIC 1 or NIC 2. Flashing green when there is ongoing activity on NIC 1 or NIC 2. Unlit when there is no activity on NIC 1 or NIC 2. |
| Informational | Amber | Lit when a noncritical system event has occurred. Unlit when system is functioning normally. |
| System health | Amber | Unlit when the system is operating normally. Lit indicates a prefailure system threshold condition, such as: at least one fan failure (system or processor fan); at least one of the temperature sensors reached critical level (system or processor thermal sensor); at least one memory module failed; a power supply unit error has occurred. |
| Locator (button) | Blue | Flashing blue when locator button has been pressed. |
| Ethernet interface activity (NIC 3 and NIC 4) | Green | Lit when activity exists on NIC 3 or NIC 4. Flashing green when there is ongoing activity on NIC 3 or NIC 4. Unlit when there is no activity on NIC 3 or NIC 4. |
| Power (button) | Green | Lit when the appliance has AC power and is turned on. Rapidly flashing green indicates that the appliance is turned off and is not yet ready to be turned on. The appliance typically only remains in this state for 1 to 3 minutes. Slowly flashing green indicates that the appliance is currently turned off and is ready to be turned on. Slowly fading on or off indicates that the appliance is in power-save mode (and is ready to be turned on). Unlit when the appliance is turned off (AC power is disconnected). |

For more detailed information about the Cisco ISE 3300 Series LEDs, see Troubleshooting Overview, page C-1. After the operating system boots, you are ready to initialize the basic software configuration. For configuration procedures, see Chapter 3, Configuring the Cisco ISE 3300 Series Appliance.


Appendix C

Troubleshooting the Cisco ISE 3300 Series Appliance


The Cisco Identity Services Engine (ISE) 3300 Series appliance undergoes extensive testing before it leaves the factory. If you encounter problems, use the information in this appendix to help isolate problems or to determine whether the appliance is the source of the problem. Although conditions due to excessive temperatures or excessive power consumption are unlikely at initial startup, see the general environmental conditions that are required to support the Cisco ISE 3300 Series appliances as described in Maintaining Your Site Environment and Appliance, page D-1.

Note

The procedures in this appendix assume that you are troubleshooting the initial Cisco ISE 3300 Series appliance startup, and that the appliance is in the original factory configuration. If you have removed or replaced components, or changed any default settings, the recommendations in this appendix might not apply. This appendix does not cover every possible issue that might occur on an appliance, but instead it focuses on those events that are frequently seen by the customer. This appendix provides information on the following topics:

- Troubleshooting Overview, page C-1
- Problem Solving, page C-2
- Reading the LEDs, page C-5
- Locating Appliance Serial Numbers, page C-5

Troubleshooting Overview
At the initial system boot, you should verify the following:

- The external power cable is connected, and the proper power source is being applied. For more information, see Power Considerations, page A-9, Powering Up the Cisco ISE 3300 Series Appliance, page B-14, and Troubleshooting the Power and Cooling Systems, page C-3.
- The appliance fan and blower are operating. See Airflow Guidelines, page A-8 and Troubleshooting the Power and Cooling Systems, page C-3.
- The appliance software boots successfully.
- The adapter cards (if installed) are properly installed in their slots, and each card initializes (and is enabled by the appliance software) without problems.


When each of these conditions is met, the hardware installation is complete, and you should proceed to perform the basic configuration. To understand the features that this release of Cisco ISE offers, see the Cisco Identity Services Engine User Guide, Release 1.1. To properly configure the Cisco ISE features, see Chapter 3, Configuring the Cisco ISE 3300 Series Appliance.

If you cannot locate the source of a problem, contact a Cisco customer service representative for information on how to best proceed with resolving any issue. For more information on the Cisco Technical Assistance Center (TAC), see the Cisco Information Packet publication that is shipped with your appliance or visit the following website: http://www.cisco.com/tac/

Before you contact Cisco TAC, make sure that you have the following information ready:

- The appliance chassis type and serial number.
- The maintenance agreement or warranty information (see the Cisco Information Packet).
- The name, type of software, and version or release number (if applicable).
- The date you received the new appliance.
- A brief description of the problem or condition you experienced, the steps you have taken to isolate or re-create the problem, and a description of any steps you took to resolve the problem.

Note

Be sure to provide the customer service representative with any upgrade or maintenance information that was performed on the Cisco ISE 3300 Series appliance after your initial installation. For site log information, see Creating a Site Log, page A-14.

Problem Solving
The key to problem solving is to isolate the problem to a specific location or task. Compare what the Cisco ISE 3300 Series appliance is doing with what it should normally be doing. So, when you are troubleshooting, you must define specific symptoms, and then identify potential problems that could be causing the symptoms. Next, you systematically run through each potential problem and try to eliminate it (from the most likely to the least likely) until the symptoms or conditions disappear.
Observe these guidelines when performing troubleshooting, by completing the following steps:
Step 1 Analyze the problem, and define a clear problem statement. Define symptoms and potential causes.

Step 2 Gather the necessary facts as needed to help isolate possible or potential causes.

Step 3 Consider possible or potential causes that are based on the facts that you have gathered.

Step 4 Create an action plan that is based on those causes. Begin with the most likely problem and devise a plan that tests only one variable.

Step 5 Implement the action plan. Perform each step carefully while testing to see if the symptom disappears.

Step 6 Analyze the results to determine if the problem has been resolved. If the problem is resolved, consider the process complete. If the problem has not been resolved, create an action plan that is based on the next most probable cause on your list. Return to Step 4 and repeat the process until the problem is solved. Be sure to undo any changes you made while implementing your action plan.


Tip

Remember to change only one variable at a time.

Note

The LEDs on the front and back panel of the appliance enable you to determine the performance and operation of the appliance. For a description of these LEDs, see Reading the LEDs, page C-5. When troubleshooting, check the following appliance subsystems first:

- Power and cooling systems: Check external power sources, power cables, and appliance fans. In addition, check for inadequate ventilation, blocked air circulation, excessive dust or dirt, fan failures, or any environmental conditions that might affect the power or cooling systems.
- Adapter card: Check the LEDs on the adapter card that can aid you to identify a failure.
- Cables: Verify that the external cables connecting the appliance to the network are all secure and in good order.

Troubleshooting the Power and Cooling Systems


The power LED and the fans can help you troubleshoot a power problem. Check the following items to help isolate the problem:

- When the Cisco ISE 3300 Series appliance is connected to the power source, is the appliance power LED on the front panel on? If not, check the AC power cord connection; if the power LED is still off, the problem might be caused by a power supply failure.
- Does the appliance shut down after being on for only a short time?
  - Check if this is an environmentally induced shutdown. For more information, see Environmental Reporting Features, page C-4.
  - Check the cooling fans. If the cooling fans are not working, the appliance will overheat and shut itself down. If the cooling fans are not working, you need to check the power supply connection to the cooling fans. Checking the power supply connection requires you to shut down the appliance, remove any external cables, and open up the appliance.
  - Ensure that the appliance intake and exhaust vents are all clear.
  - Check that the environmental site requirements have been met (see the Temperature and Humidity Guidelines, page A-9).
- Does the appliance partially boot, but the LEDs do not light? Check for a power supply failure by inspecting the power LED on the front panel of the appliance:
  - If the LED is on, the power supply is functional.
  - If the LED is off, see the Cisco Information Packet for warranty information, or contact your Cisco customer service representative.


Environmental Reporting Features


The Cisco ISE 3300 Series appliance has protection circuits that monitor and detect excessive current, voltage, and temperature conditions inside the appliance. If the power supply shuts down or latches off, an AC power cycle switches off for 15 seconds and switches on for 1 second to reset the power supply.

The following conditions can cause abnormally high appliance temperatures:

- Cooling fan failure
- An air conditioner failure in the room where the appliance is installed
- Airflow blocked to cooling vents (intake or exhaust)

Take steps to correct any problems that you discover. For information about environmental operating conditions, see Temperature and Humidity Guidelines, page A-9.

Troubleshooting Adapter Cards, Cables, and Connections


Network problems can be caused by an adapter card, cables or cable connections, or external devices such as a hub, wall jack, WAN interface, or terminal. Check for the following symptoms to help isolate a problem:

- Adapter card is not recognized by the Cisco ISE 3300 Series appliance:
  - Ensure that the adapter card is firmly seated in its slot.
  - Check the LEDs on the adapter card. Each adapter card has its own set of LEDs.
  - Verify that your software release supports the adapter card. See the documentation that was included with your adapter card.
- Adapter card is recognized, but interface ports do not initialize:
  - Ensure that the adapter card is firmly seated in its slot.
  - Check external cable connections.
  - Verify that your software release supports the adapter card. See the documentation that was included with your adapter card.
- The Cisco ISE 3300 Series appliance does not boot properly, or it constantly or intermittently reboots:
  - Ensure that the adapter card is firmly seated in its slot.
  - Check the appliance chassis or the application software. For warranty information, see the Cisco Information Packet publication that is shipped with your appliance or contact your Cisco customer service representative.
- If you are using the console port with a terminal, and the Cisco ISE 3300 Series appliance boots, but the console screen is frozen:
  - Check the external console connection.
  - Verify that the parameters for your terminal are set as follows:
    (a) The terminal should have the same data rate that the appliance has (9600 bps is the default)
    (b) 8 data bits
    (c) No parity generated or checked
    (d) 1 stop bit


- The Cisco ISE 3300 Series appliance powers on and boots only when an adapter card is removed. Check the adapter card. For warranty information, see the Cisco Information Packet publication that is shipped with your appliance or contact your customer service representative.
- The Cisco ISE 3300 Series appliance powers on and boots only when a particular cable is disconnected. There might be a problem with the cable. For warranty information, see the Cisco Information Packet publication that is shipped with your appliance or contact your Cisco customer service representative.
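The terminal parameters in the frozen-console check above, which are the same ones the console connection procedure gives (9600 baud, 8 data bits, no parity, 1 stop bit, no hardware flow control), can be checked on a Linux or macOS workstation with the following added example, which is not part of the Cisco guide. The device path passed to fix_port and the sample attribute list are assumptions constructed for illustration.

```python
"""Check a serial line against the console settings listed in this guide:
9600 baud, 8 data bits, no parity, 1 stop bit, no hardware flow control."""
import os
import termios

# Positions of the fields used here in the list returned by termios.tcgetattr().
CFLAG, ISPEED, OSPEED = 2, 4, 5


def with_console_settings(attrs):
    """Return a copy of a tcgetattr() list set to 9600 8N1 without RTS/CTS."""
    new = list(attrs)
    cflag = new[CFLAG]
    # Clear character size, parity, the second stop bit and RTS/CTS handshaking.
    cflag &= ~(termios.CSIZE | termios.PARENB | termios.CSTOPB | termios.CRTSCTS)
    # 8 data bits, receiver enabled, modem-control lines ignored.
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL
    new[CFLAG] = cflag
    new[ISPEED] = new[OSPEED] = termios.B9600
    return new


def console_mismatches(attrs):
    """List every setting in a tcgetattr() list that differs from the guide."""
    cflag = attrs[CFLAG]
    problems = []
    if attrs[ISPEED] != termios.B9600 or attrs[OSPEED] != termios.B9600:
        problems.append("baud rate is not 9600")
    if (cflag & termios.CSIZE) != termios.CS8:
        problems.append("data bits are not 8")
    if cflag & termios.PARENB:
        problems.append("parity is enabled")
    if cflag & termios.CSTOPB:
        problems.append("2 stop bits instead of 1")
    if cflag & termios.CRTSCTS:
        problems.append("hardware (RTS/CTS) flow control is enabled")
    return problems


def fix_port(device):
    """Apply the settings to a real serial device and re-read them.

    `device` is an assumption about the workstation (for example the path of
    a USB-to-serial adapter). Returns the mismatches that remain afterwards.
    """
    fd = os.open(device, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
    try:
        wanted = with_console_settings(termios.tcgetattr(fd))
        termios.tcsetattr(fd, termios.TCSANOW, wanted)
        return console_mismatches(termios.tcgetattr(fd))
    finally:
        os.close(fd)


# Constructed sample: a line left at 115200 baud, 7 data bits, parity on,
# 2 stop bits and RTS/CTS on, so every setting the guide lists is wrong.
SAMPLE_BAD_ATTRS = [
    0, 0,
    termios.CS7 | termios.PARENB | termios.CSTOPB | termios.CRTSCTS | termios.CREAD,
    0, termios.B115200, termios.B115200, [],
]

if __name__ == "__main__":
    for problem in console_mismatches(SAMPLE_BAD_ATTRS):
        print("mismatch:", problem)
    fixed = with_console_settings(SAMPLE_BAD_ATTRS)
    print("after fix:", console_mismatches(fixed) or "matches the guide")
```

Run as a script it reports the five mismatches in the constructed sample; call fix_port with the workstation's serial device path to apply and re-check the settings on a real port.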

Reading the LEDs


The LEDs on the Cisco ISE 3300 Series appliance serve the following purposes:

- Indicate that basic power is available to the appliance.
- Indicate the status of the hard disk drive, CD/DVD drive, and network activity.

Front-Panel LEDs
The front-panel LEDs for the supported Cisco ISE 3300 Series appliances are described in tables with supporting figures in the following locations:

- Cisco ISE 3315 Front-Panel Features, page 2-5
- Cisco ISE 3355 Front-Panel Features, page 2-8
- Cisco ISE 3395 Front-Panel Features, page 2-12

Rear-Panel LEDs
The rear-panel LEDs for the supported Cisco ISE 3300 Series appliances are described in tables with supporting figures in the following locations:

- Cisco ISE 3315 Rear-Panel Features, page 2-7
- Cisco ISE 3355 Rear-Panel Features, page 2-10
- Cisco ISE 3395 Rear-Panel Features, page 2-14

Locating Appliance Serial Numbers


In Cisco ISE 3300 Series appliances, the serial number label is located on the front panel of each appliance, and these are shown in the following locations:

- Cisco ISE 3315 Serial Number Location, page 2-5
- Cisco ISE 3355 Serial Number Location, page 2-8
- Cisco ISE 3395 Serial Number Location, page 2-12


Appendix D

Maintaining the Cisco ISE 3300 Series Appliance


All Cisco Identity Services Engine (ISE) 3300 Series appliances are configured to order and are ready for installation when they leave the factory. After you install and configure an appliance in your own network environment, you may need to perform some specific maintenance procedures or operations to ensure that the appliance is operating properly and is integrated into your network. These types of preventive procedures maintain your appliance in good operating condition and minimize the need for costly, time-consuming service procedures.

Caution

To help prevent problems, before performing any procedures in this appendix, review all Related Documentation, page -xiii, and Safety Guidelines, page A-1. The following sections discuss various environmental factors that can adversely affect the performance and longevity of your appliance.

Maintaining Your Site Environment and Appliance


Good preventive maintenance includes regular visual inspections of the appliance, including exterior cleaning and inspection. This appendix provides the following topics that describe some best practices for maintaining your site and appliance:

- General Exterior Cleaning and Inspection, page D-2
- Cooling, page D-3
- Temperature, page D-3
- Humidity, page D-4
- Altitude, page D-4
- ESD, page D-4
- EMI and RFI, page D-4
- Magnetism, page D-5
- Power Source Interruptions, page D-5
- Preparing to Transport the Rack Cabinet, page D-6
- Removing or Replacing the Cisco ISE 3300 Series Appliance, page D-7


General Exterior Cleaning and Inspection


This section describes cleaning requirements for the exterior surfaces of your appliance. It also provides guidelines for inspecting cables and adapter cards.

Caution

Never spray cleaning solution on the surfaces of the appliance. Over-spray can penetrate the appliance, and this can increase the potential for electrical problems or corrosion of internal components.

Appliance
Use a lint-free, nonabrasive cloth to perform cleaning. Do not use a solvent, abrasive cleaning agents, or tissue paper. If the appliance is dirty (for example, with thick dust), use a soft, damp cloth and gently wipe the surface of the appliance. Make sure you immediately wipe any water or other liquid off the appliance.

Dust and Particles


A clean operating environment can greatly reduce the negative effects of dust and other particles, which act as insulators and can interfere with the operation of an appliance's mechanical components. Besides performing regular and periodic cleaning, you should follow these guidelines to avoid contamination of the appliance:

- Do not permit smoking anywhere near the appliance.
- Do not permit food or drink near the appliance.

Cables and Connectors


Periodically inspect all your cables and connectors that run to and from your appliance. This practice ensures that the cable and connectors are properly connected, provides a visual check for wear and condition, and detects any loose connections before they become a problem.

Adapter Cards
Check the connections on the adapter cards. Ensure that they are firmly secured to the appliance and have not been jarred loose or mechanically damaged.

Corrosion
Skin oil from fingers and hands, or prolonged exposure to high temperature or humidity, can corrode the gold-plated edge connectors and pin connectors on adapter cards. Because corrosion on adapter card connectors is a gradual process, this can eventually lead to intermittent failure of electrical circuits. To prevent corrosion, avoid touching contacts on adapter cards. Protecting the appliance from corrosive elements is especially important in damp, moist, and salty environments, all of which tend to promote corrosion. Also, as a further deterrent to corrosion, the appliance should not be used in extreme temperatures. For details, see Temperature, page D-3.


Cooling
Exhaust fans in the power supply and in the appliance itself cool the power supply and the appliance by drawing air in through various intake openings in the front of the appliance and blowing it out the back through exhaust vents. However, these fans also draw dust and other particles into the appliance, which causes contaminant buildup that can directly cause an increase in the internal temperature of the appliance. Increased temperatures and contaminants interfere with the proper operation of various appliance components. To avoid these conditions, we recommend keeping your work environment as clean as possible to reduce the amount of dust and dirt around the appliance. This best practice reduces the amount of contaminants that can be drawn into your appliance by the fans.

Temperature
Temperature extremes can cause a variety of problems, including premature aging and failure of integrated circuits or mechanical failure of devices. Extreme temperature fluctuations can cause integrated circuits to become loose in their sockets and can cause expansion and contraction of disk drive platters, which can directly result in read or write data errors. The heat emission of a Cisco ISE appliance is in the range of 341 to 1024 BTUs (100 to 300 W). To minimize the negative effects of temperature on appliance performance, observe the following guidelines:

Table D-1 lists the air temperature that you must maintain according to the altitude where your Cisco ISE appliance is located.

Table D-1 Air Temperature Maintenance

Appliance State | Altitude | Air Temperature
On | 0 to 3000 ft (0 to 914.4 m) | 50.0 to 95.0°F (10 to 35°C)
On | 3000 ft to 7000 ft (914.4 m to 2133.6 m) | 50.0 to 89.6°F (10 to 32°C)
Off | Maximum altitude: 7000 ft (2133.6 m) | 50.0 to 109.4°F (10 to 43°C)
Shipping | Maximum altitude: 7000 ft (2133.6 m) | -40 to 140°F (-40 to 60°C)

- Ensure that the appliance has adequate ventilation.
- Do not place it within a closed-in wall unit or on top of cloth, which can act as insulation.
- Do not place the appliance where it receives direct sunlight, particularly in the afternoon.
- Do not place the appliance next to any heat source of any kind, including heating vents during winter.

Adequate ventilation is particularly important at higher altitudes. Your appliance performance may not be optimum when it is operating at high temperatures as well as high altitudes. Observe the following guidelines:

- Ensure that all slots and openings on the appliance remain unobstructed, especially the fan vents on the rear panel of the appliance.
- Clean the appliance at regular intervals to avoid any buildup of dust, dirt, or debris, which can all contribute to causing the appliance to overheat.
- If the appliance has been exposed to abnormally cold temperatures, allow a two-hour warm-up period for it to come back up to a normal operating temperature range before powering it on. Failure to follow this practice can damage internal components, particularly the hard disk drive.

Humidity
High-humidity conditions can cause moisture migration and penetration into the appliance. This moisture can cause corrosion of internal components and degradation of properties such as electrical resistance, thermal conductivity, physical strength, and size. Extreme moisture buildup inside the appliance can result in electrical shorts, which can cause serious damage to the appliance. Each appliance is rated to operate at 8 to 80 percent relative humidity, with a humidity gradation of 10 percent per hour. Buildings in which climate is controlled by air conditioning in the warmer months and by heat during the colder months usually maintain an acceptable level of humidity for appliances. However, if an appliance is located in an unusually humid location, a dehumidifier can be used to maintain the humidity within an acceptable range.

Altitude
Operating an appliance at higher altitudes (with lower atmospheric pressure) reduces the efficiency of forced and convection cooling, which can result in electrical problems related to arcing and coronal effects. This condition can also cause sealed components with internal pressure, such as electrolytic capacitors, to fail or perform at reduced efficiency.

ESD
ESD results from the buildup of static electricity on the human body and certain other objects. This static electricity is often produced by simple movements, such as walking across a carpet. ESD is a discharge of a static electrical charge that occurs when a person whose body contains such a charge touches a component in the appliance. This static discharge can cause components, especially integrated circuits (ICs), to fail. ESD is a problem particularly in dry environments where the relative humidity is below 50 percent. To reduce the effects of ESD, you should observe the following guidelines:

- Wear a grounding wrist strap. If a grounding wrist strap is unavailable, touch an unpainted metal surface on the appliance chassis periodically to neutralize any static charge.
- Keep components in their antistatic packaging until they are installed.
- Avoid wearing clothing made of wool or synthetic materials.

EMI and RFI


EMI and RFI from an appliance can adversely affect devices such as radio and television receivers operating near the appliance. Radio frequencies emanating from an appliance can also interfere with cordless and low-power telephones.


RFI is defined as any EMI with a frequency above 10 kHz. This type of interference can travel from the appliance to other devices through the power cable and power source, or through the air, like transmitted radio waves. The Federal Communications Commission (FCC) publishes specific regulations to limit the amount of EMI and RFI emitted by computing equipment. Each appliance meets these FCC regulations. To reduce the possibility of EMI and RFI, observe the following guidelines:

- Operate the appliance only with the appliance cover installed.
- Ensure that the screws on all peripheral cable connectors are securely fastened to their corresponding connectors on the rear of the appliance.
- Always use shielded cables with metal connector shells for attaching peripherals to the appliance.

Magnetism
Hard disk drives are susceptible to the effects of magnetism as they store data magnetically. Hard disk drives should never be stored near the following types of magnetic sources:

- Monitors
- Printers
- Telephones (with electrically driven bells)
- Fluorescent lights

Power Source Interruptions


Appliances are especially sensitive to variations in the voltage supplied by AC power sources. Problems with overvoltage, undervoltage, or transient voltages (spikes) can erase data from the memory or even cause some components to fail. To protect against these types of problems, power cables should always be properly grounded and one, or both, of the following methods should be used:

- Place the appliance on a dedicated power circuit (rather than sharing a circuit with other electrical equipment). For best practices, do not allow the appliance to share a circuit with any of the following devices:
  - Photo-copier machines
  - Teletype machines
  - Laser printers
  - Fax machines
  - Any other motorized equipment

In addition to the equipment just noted, the greatest threats to an appliance's power supply are the surges or blackouts caused by electrical storms. If a blackout occurs, even a temporary one, while the appliance is turned on, turn off the appliance immediately and disconnect it from the electrical outlet. Leaving the appliance on may cause problems when the power is restored.


Maintaining Your Cisco ISE 3300 Series Appliance


This section provides information about the following appliance-related topics:

Preparing to Transport the Rack Cabinet, page D-6

Preparing to Transport the Rack Cabinet


Ensure that you complete all necessary pre-transport tasks before you attempt to transport the Cisco ISE 3300 Series appliance to another location after the appliance has been installed.
To prepare the Cisco ISE 3300 Series appliance for transport, complete the following steps:
Step 1 Remove the large screw (see Figure D-1) and discard it.
Step 2 Remove and save the front screw.
Step 3 Loosen the other two rear screws.
Step 4 Fully extend the rail and insert the screw you saved into the position where the large screw had been located.
Step 5 Tighten all screws to secure the rail.
Step 6 Repeat the steps from 1 to 5 for the other rail.

Figure D-1 Preparing to Transport the Rack Cabinet

The following table describes the callouts in Figure D-1.

1 | Large screw
2 | Front screw
3 | Rear screws (2)


Step 7 Secure the server to the rack:
a. If necessary, disconnect the cables from the rear of the server.
b. Slide the server out of the rack 150 mm (6 inches) and insert the M6 screws in each slide rail.
c. Secure the server to the rack cabinet with the M6 screws (see Figure D-2).
Step 8 Ensure that the rails are fully extended to the rear of the rack cabinet. If you have removed the shipping brackets on the slide rails, you must reinstall them before you transport the rack cabinet with the server installed. Reverse the instructions on the shipping bracket to reinstall it, as shown in Figure B-6 on page B-8.

Figure D-2 Preparing to Move the Rack Cabinet to Another Location

Removing or Replacing the Cisco ISE 3300 Series Appliance


Warning: Before working on a system that has an On/Off switch, turn the AC power off and unplug the power cord. Statement 1

Warning: Ultimate disposal of this product should be handled according to all national laws and regulations. Statement 1040

This section contains information about the following topics:


- Removing a Cisco ISE 3300 Series Appliance, page D-8
- Replacing a Cisco ISE 3300 Series Appliance, page D-8

Removing a Cisco ISE 3300 Series Appliance


To remove a Cisco ISE 3300 Series appliance from your network, complete the following steps:
Step 1 Turn off the appliance to be removed.
Step 2 Disconnect the power cords and network cables.
Step 3 Physically remove the appliance from the rack. Because a Cisco ISE 3300 Series appliance is typically in constant communication on your network, when the network notices that the appliance is no longer responding to it, the network stops sending any requests to the appliance. This change will be visible to users.

Note: If other appliances are attached to the network, the network continues sending requests to the other appliances.

Replacing a Cisco ISE 3300 Series Appliance


To replace an appliance, complete the following steps:
Step 1 Ensure that the appliance being replaced has been removed from the network.
Step 2 Install a new appliance by using the same installation procedures that you used for the appliance that was removed.
Step 3 Configure the new appliance by using the same configuration parameters that you used for the appliance you removed.

Appendix E

Cisco ISE 3300 Series Appliance Ports Reference


This appendix lists the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork communications with external applications and devices. Table E-1 lists the ports by TCP and UDP port number, identifies the associated feature, service, or protocol, and describes any specific port-related information that applies to the four Gigabit Ethernet ports: GbEth0, GbEth1, GbEth2, and GbEth3. The Cisco ISE ports listed in this table must be open on the corresponding firewall. The ports list provides information that can be useful when configuring a firewall, creating access control lists (ACL), and configuring services on a Cisco ISE network.

Table E-1 Cisco ISE Services and Ports

Administration ISE node: Administration
Gigabit Ethernet 0:
TCP: 22 (Secure Shell [SSH] server)
TCP: 80 (HTTP) [1]
TCP: 443 (HTTPS) [1]
Note: Port 80 is redirected to port 443 (not configurable). Ports 80 and 443 support Admin web applications and are enabled by default.
Gigabit Ethernet 1, 2, and 3:
Cisco ISE management is restricted to Gigabit Ethernet 0.

Administration ISE node: Replication and Synchronization
Gigabit Ethernet 0:
TCP: 443 (HTTPS SOAP)
TCP: 1521 (Database Listener and AQ) [2]
Internet Control Message Protocol (ICMP) (Heartbeat)
Gigabit Ethernet 1, 2, and 3:
TCP: 1521 (Database Listener and AQ) [2]

Administration ISE node: Monitoring
Gigabit Ethernet 0:
UDP: 161 (Simple Network Management Protocol [SNMP] QUERY). Note: This port is route table dependent.

Monitoring ISE node: Administration
Gigabit Ethernet 0:
TCP: 22 (SSH server)
TCP: 80 (HTTP) [1]
TCP: 443 (HTTPS) [1]

Monitoring ISE node: Replication and Synchronization
Gigabit Ethernet 0:
TCP: 443 (HTTPS)
TCP: 1521 (Database Listener and AQ) [2]
ICMP (Heartbeat)
Gigabit Ethernet 1, 2, and 3:
TCP: 1521 (Database Listener and AQ) [2]

Monitoring ISE node: Logging
Gigabit Ethernet 0, 1, 2, and 3:
UDP: 20514 (Syslog). Note: Default ports are configurable for external logs.

Policy Service ISE node: Administration
Gigabit Ethernet 0:
TCP: 22 (SSH server)
TCP: 80 (HTTP) [1]
TCP: 443 (HTTPS) [1]

Policy Service ISE node: Replication and Synchronization
Gigabit Ethernet 0:
TCP: 443 (HTTPS)
TCP: 1521 (Database Listener and AQ) [2]
ICMP (Heartbeat)
Gigabit Ethernet 1, 2, and 3:
TCP: 1521 (Database Listener and AQ) [2]

Policy Service ISE node: Session
Gigabit Ethernet 0, 1, 2, and 3:
UDP: 1645, 1812 (RADIUS Authentication)
UDP: 1646, 1813 (RADIUS Accounting)
UDP: 1700, 3799 (RADIUS change of authorization [CoA]). Note: UDP port 1700 is not configurable.
TCP: 88, 389, 464 (Outbound AD and Lightweight Directory Access Protocol [LDAP])
UDP: 30514 (Syslog). Note: This is internal via session services.
UDP: 45588, 45590. Note: UDP ports 45588 and 45590 support Policy Service communication for clustering support.

Policy Service ISE node: Guest and Sponsor Portal
Gigabit Ethernet 0, 1, 2, and 3:
TCP: 8443 (HTTPS). Note: TCP port 8443 is enabled by default and configurable.

Policy Service ISE node: Client Provisioning
Gigabit Ethernet 0:
TCP: 80, 8443 (web or Cisco NAC agent installation). Note: TCP port 8443 is enabled by default, configurable, and corresponds to a configuration for Guest.
Gigabit Ethernet 0, 1, 2, and 3:
TCP: 8905 (Cisco NAC agent update)

Policy Service ISE node: Posture and Heartbeat
Gigabit Ethernet 0, 1, 2, and 3:
TCP: 8905 Discovery (HTTPS)
UDP: 8905 (Layer 2) Discovery (SWISS)
UDP: 8905 PRA/Keep-alive (SWISS)

Policy Service ISE node: Profiler
Gigabit Ethernet 0, 1, 2, and 3:
UDP: 9996 (NetFlow). Note: This port is configurable.
UDP: 67, 68 (DHCP). Note: This port is configurable.
TCP: 80, 8080 (DHCPSPAN probe and HTTP)
UDP: 30514 (RADIUS). Note: This is internal via session services.
NMAP uses ports 0-65535 (outbound) [3].
UDP: 53 (DNS lookup). Note: This port is route table dependent.
UDP: 161 (SNMP QUERY). Note: This port is route table dependent.
UDP: 162 (SNMP trap). Note: This port is configurable.

Policy Service ISE node: Clustering
Gigabit Ethernet 0, 1, 2, and 3:
UDP: 45588, 45590

Inline Posture ISE node: Administration
Gigabit Ethernet 0:
TCP: 22 (SSH server)
TCP: 8443 (HTTPS). Note: It is used by the Administration ISE node.

Inline Posture ISE node: Inline Posture
UDP: 1645, 1812 (RADIUS proxy for authentication)
UDP: 1646, 1813 (RADIUS proxy for accounting)
UDP: 1700, 3799 (RADIUS CoA)

Inline Posture ISE node: High Availability
UDP: 694 (Heartbeat)

Inline Posture ISE node: Management
TCP: 9090 (Redirect)

Note: High Availability and Management services are Inline Posture-specific and do not apply to any other Cisco ISE node types.

[1] Because Inline Posture nodes do not support the Administration persona, they will not have access to this port.
[2] Because Inline Posture nodes do not support the database listener function, they will not have access to this port.
[3] NMAP OS Scan uses ports 0-65535 to detect endpoint operating system.
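One way to check a firewall rule set for an Administration ISE node against Table E-1, as an added example that is not part of the Cisco guide. The one-line rule format (`permit <proto> <interface> <port or range>`), the function names, and the sample rules are assumptions constructed for illustration; they are not Cisco ACL syntax.

```python
"""Audit firewall permit rules against the Administration ISE node rows of Table E-1."""
from typing import NamedTuple


class Rule(NamedTuple):
    iface: str   # GbEth0 .. GbEth3, the interface names used in this appendix
    proto: str   # "tcp" or "udp"
    lo: int      # first port permitted
    hi: int      # last port permitted (equal to lo for a single port)


# Ports from Table E-1, Administration ISE node. ICMP (Heartbeat) has no port
# number, so it is outside this port-based check.
ADMIN_NODE = {
    "GbEth0": {("tcp", 22), ("tcp", 80), ("tcp", 443),  # Administration
               ("tcp", 1521),                           # Database Listener and AQ
               ("udp", 161)},                           # SNMP QUERY
    "GbEth1": {("tcp", 1521)},
    "GbEth2": {("tcp", 1521)},
    "GbEth3": {("tcp", 1521)},
}
# Table E-1: "Cisco ISE management is restricted to Gigabit Ethernet 0."
MANAGEMENT = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


def parse_rules(text):
    """Parse the hypothetical 'permit <proto> <iface> <port|lo-hi>' rule lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[0] != "permit" or fields[1] not in ("tcp", "udp"):
            raise ValueError(f"unsupported rule: {raw!r}")
        lo, _, hi = fields[3].partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {raw!r}")
        rules.append(Rule(fields[2], fields[1], lo, hi))
    return rules


def audit(rules, table=ADMIN_NODE):
    """Return required ports that are not permitted, permits wider than the
    table, and management ports permitted on any interface except GbEth0."""
    findings = {"missing": [], "excess": [], "mgmt_off_gbeth0": []}
    for iface, required in sorted(table.items()):
        permits = [r for r in rules if r.iface == iface]
        for proto, port in sorted(required):
            if not any(r.proto == proto and r.lo <= port <= r.hi for r in permits):
                findings["missing"].append((iface, proto, port))
        for r in permits:
            listed = sum(1 for pr, p in required if pr == r.proto and r.lo <= p <= r.hi)
            extra = (r.hi - r.lo + 1) - listed   # permitted ports not in the table
            if extra:
                findings["excess"].append((r, extra))
            if iface != "GbEth0":
                findings["mgmt_off_gbeth0"] += [
                    (iface, pr, p) for pr, p in sorted(MANAGEMENT)
                    if pr == r.proto and r.lo <= p <= r.hi]
    return findings


# Constructed sample rule set with three deliberate mistakes.
SAMPLE_RULES = """
permit tcp GbEth0 22
permit tcp GbEth0 80
permit tcp GbEth0 443
permit tcp GbEth0 1521
# udp 161 (SNMP QUERY) was forgotten on GbEth0
permit tcp GbEth1 1-1521     # broad range instead of the single listed port
permit tcp GbEth2 1521
permit tcp GbEth3 1521
permit tcp GbEth3 22         # SSH opened on a non-management interface
"""

if __name__ == "__main__":
    for kind, items in audit(parse_rules(SAMPLE_RULES)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The same audit works for the other node types by building a second table from their rows of Table E-1 and passing it as `table`.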

Appendix F

Installing Cisco ISE 3300 Series Software on Cisco NAC and Cisco Secure ACS Appliances
This appendix describes the process for performing an initial (or fresh) installation of the Cisco ISE 3300 Series software from the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD on the following supported Cisco Secure ACS and Cisco NAC Appliance platforms:

- Cisco Secure ACS-1121
- Cisco NAC-3315
- Cisco NAC-3355
- Cisco NAC-3395

Installing the Cisco ISE 3300 Series software on a Cisco Secure ACS or Cisco NAC appliance is a simplified process because the underlying hardware on which the Cisco ISE software will be installed is the same physical device type:

- Cisco Secure ACS-1121 and Cisco NAC-3315 appliances are based on the same physical hardware that is used for small Cisco ISE network deployments (Cisco ISE 3315 appliance).
- Cisco NAC-3355 and Cisco NAC-3395 appliances are based on the same physical hardware that is used for medium and large Cisco ISE network deployments (Cisco ISE 3355 and Cisco ISE 3395 appliances, respectively).

Note: For specific details about the Cisco ISE 3300 Series hardware platforms, see Table 2-1.

This appendix describes the following procedures:

- Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance, page F-2: Provides instructions for installing the Cisco ISE software with the use of the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD, configuring the appliance by using the Setup program, and verifying the configuration process.
- Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance, page F-2: Provides instructions for installing the Cisco ISE software with the use of the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD, including how to reset the RAID configuration on the Cisco NAC appliance before you can complete the reimage process.

Note: To reimage a Cisco Secure ACS or Cisco NAC appliance as a Cisco ISE 3300 Series appliance, install the Cisco ISE software, and use the Setup program to configure the appliance.

Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance


This section provides the procedure for reimaging an existing Cisco Secure ACS appliance as a Cisco ISE 3300 Series, Release 1.0, appliance.
To reimage a Cisco Secure ACS appliance as a Cisco ISE 3300 Series appliance, complete the following steps:
Step 1 If the Cisco Secure ACS appliance is on, turn off the appliance.
Step 2 Turn on the Cisco Secure ACS appliance.
Step 3 Press F1 to enter the BIOS setup mode.
Step 4 Use the arrow key to navigate to Date and Time and press Enter.
Step 5 Set the time for your appliance to the UTC/GMT time zone.

Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in your deployment are always in sync with regard to the timestamps.

Step 6 Press Esc to exit to main BIOS menu.
Step 7 Press Esc to exit from the BIOS setup mode.
Step 8 Perform the instructions described in Before Configuring a Cisco ISE 3300 Series Appliance, page 3-1.
Step 9 Perform the instructions described in Understanding the Setup Program Parameters, page 3-3.
Step 10 Perform the instructions described in Verifying the Configuration Process, page 3-10.

Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance


This section provides the procedure for reimaging an existing Cisco NAC appliance as a Cisco ISE 3300 Series, Release 1.0, appliance.
To reimage a Cisco NAC appliance as a Cisco ISE appliance, complete the following steps:
Step 1 If the Cisco NAC appliance is on, turn off the appliance.
Step 2 Turn on the Cisco NAC appliance.
Step 3 Press F1 to enter the BIOS setup mode.
Step 4 Using the arrow key, navigate to Date and Time and press Enter.
Step 5 Set the time for your appliance to the UTC/GMT time zone.

Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in your deployment are always in sync with regard to the timestamps.

Step 6 Press Esc to exit to main BIOS menu.
Step 7 Press Esc to exit from the BIOS setup mode.

Note: If the Cisco ISE DVD installation process returns a message indicating that "The installer requires at least 600GB disk space for this appliance type," you may need to reset the RAID settings on the appliance to facilitate installation as described in Resetting the Existing RAID Configuration on a Cisco NAC Appliance.

Step 8 Perform the instructions that are described in Before Configuring a Cisco ISE 3300 Series Appliance, page 3-1.
Step 9 Perform the instructions that are described in Understanding the Setup Program Parameters, page 3-3.
Step 10 Perform the instructions that are described in Verifying the Configuration Process, page 3-10.

Resetting the Existing RAID Configuration on a Cisco NAC Appliance


To reset the RAID settings on a Cisco NAC appliance:
Step 1 Reboot the Cisco NAC appliance with the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD installed.
Step 2 When you see the RAID controller version information appear in the CLI, press Ctrl+C. The RAID controller version information appears, displaying a label like LSI Corporation MPT SAS BIOS, and the LSI Corp Config Utility becomes active.
Step 3 Press Enter to specify the default controller. (The highlighted controller name should read something similar to SR-BR10i.) A screen containing the Cisco NAC appliance adapter information appears.
Step 4 Arrow down to RAID properties and press Enter.
Step 5 Press Enter again on Manage Array.
Step 6 Arrow down to the Delete Array option and press Enter.
Step 7 Enter Y to confirm that you want to delete the existing RAID Array.
Step 8 Press Esc twice to exit the RAID configuration utility. You are prompted with an "Exit the Configuration Utility and Reboot?" prompt.
Step 9 Press Enter. The Cisco NAC appliance reboots. As long as the Cisco Identity Services Engine ISE VM Appliance (ISE Software Version 1.1.0.xxx) DVD is still installed, the appliance automatically boots to the install menu.
Step 10 Press 1 to begin Cisco ISE installation.
