Install Cisco ISE
Install Cisco ISE Using CIMC
This section lists the high-level installation steps to help you quickly install Cisco ISE.
Before you begin
- Ensure that you have met the System Requirements as specified in this guide.
- (Optional; required only if you are installing Cisco ISE on virtual machines) Ensure that you have created the virtual machine correctly.
See the following topics for more information:
- Configure a VMware Server
- Install Cisco ISE on KVM
- Create a Cisco ISE Virtual Machine on Hyper-V
- (Optional; required only if you are installing Cisco ISE on SNS hardware appliances) Ensure that you set up the Cisco Integrated Management Interface (CIMC) configuration utility to manage the appliance and configure BIOS. See the following documents for more information:
- For SNS-3500 series appliances, see Cisco SNS-3500 Series Appliance Hardware Installation Guide.
- For SNS-3600 series appliances, see Cisco SNS-3600 Series Appliance Hardware Installation Guide.
- For SNS-3700 series appliances, see Cisco SNS-3700 Series Appliance Hardware Installation Guide.
Step 1
If you are installing Cisco ISE on a:
- Cisco SNS appliance: Install the hardware appliance. Connect to CIMC for server management.
- Virtual Machine: Ensure that your VM is configured correctly.
Step 2
Download the Cisco ISE ISO image.
- Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.
- Click Download Software for this Product.
The Cisco ISE image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services when the installation and initial configuration are complete.
Step 3
Boot the appliance or the virtual machine.
- Cisco SNS appliance:
- Connect to CIMC and log in using the CIMC credentials.
- Launch the KVM console.
- Choose Virtual Media > Activate Virtual Devices.
- Choose Virtual Media > Map CD/DVD and select the ISE ISO image and click Map Device.
- Choose Macros > Static Macros > Ctrl-Alt-Del to boot the appliance with the ISE ISO image.
- Press F6 to bring up the boot menu. A screen similar to the following one appears:
Figure 1: Selection of Boot Device
Please select boot device:
Cisco Identity Service Engine
UEFI: Built-in EFI Shell
UEFI: IP4 0100 Intel(R) I350 Gigabit Network Connection
UEFI: IP4 0101 Intel(R) I350 Gigabit Network Connection
UEFI: IP4 0400 Intel(R) I350 Gigabit Network Connection
UEFI: IP4 0401 Intel(R) I350 Gigabit Network Connection
UEFI: IP4 0402 Intel(R) I350 Gigabit Network Connection
UEFI: IP4 0403 Intel(R) I350 Gigabit Network Connection
UEFI: Cisco VKVM-Mapped vDVD1.22
Enter Setup
↑ and ↓ to move selection
ENTER to select boot device
ESC to boot using defaults
Note: If the SNS appliances are in a remote location (for example, a data center) to which you have no physical access, and you need to perform the CIMC install from remote servers, the installation might take many hours. It is recommended that you copy the ISO file to a USB drive and use that in the remote location to speed up the installation process.
Note: Cisco ISE installation using CIMC may be affected by network speed, network stability, TCP segmentation, or other factors of the operating system. This may impact the speed and the time taken (approximately 30 minutes) for Cisco ISE installation.
- Virtual Machine:
- Map the CD/DVD to an ISO image. A screen similar to the following one appears. The following message and installation menu are displayed.
Welcome to the Cisco Identity Services Engine Installer
Cisco ISE Version: 3.1.0.xxx
Available boot options:
Cisco ISE Installation (Serial Console)
Cisco ISE Installation (Keyboard/Monitor)
System Utilities (Serial Console)
System Utilities (Keyboard/Monitor)
Step 4
At the boot prompt, press 1 and Enter to install Cisco ISE using a serial console.
If you want to use a keyboard and monitor, use the arrow key to select the Cisco ISE Installation (Keyboard/Monitor) option. The following message appears.
**********************************************
Please type 'setup' to configure the appliance
**********************************************
Step 5
At the prompt, type setup to start the Setup program. See Run the Setup Program of Cisco ISE for details about the Setup program parameters.
Step 6
After you enter the network configuration parameters in the Setup mode, the appliance automatically reboots, and returns to the shell prompt mode.
Step 7
Exit from the shell prompt mode. The appliance comes up.
Step 8
Continue with Verifying the Cisco ISE Installation Process.
Run the Setup Program of Cisco ISE
This section describes the setup process to configure the ISE server.
The setup program launches an interactive command-line interface (CLI) that prompts you for the required parameters. An administrator can use the console or a dumb terminal to configure the initial network settings and provide the initial administrator credentials for the ISE server using the setup program. This setup process is a one-time configuration task.
Note: If you are integrating with Active Directory (AD), it is best to use the IP and subnet addresses from a dedicated Site created specifically for ISE. Consult with the staff in your organization responsible for AD and retrieve the relevant IP and subnet addresses for your ISE nodes prior to installation and configuration.
Note: It is not recommended to attempt offline installation of Cisco ISE as this can lead to system instability. When you run the Cisco ISE installation script offline, the following error is shown:
Sync with NTP server failed' Incorrect time could render the system unusable until it is re-installed. Retry? Y/N [Y]:
Choose Yes to continue with the installation. Choose No to retry syncing with the NTP server.
It is recommended to establish network connectivity with both the NTP server and the DNS server while running the installation script.
To run the setup program:
- Turn on the appliance that is designated for the installation.
- The setup prompt appears:
Please type 'setup' to configure the appliance
localhost login:
At the login prompt, enter setup and press Enter.
The console displays a set of parameters. You must enter the parameter values as described in the table that follows.
Note: The eth0 interface of ISE must be statically configured with an IPv6 address if you want to add a Domain Name Server or an NTP Server with an IPv6 address.
Table 1: Cisco ISE Setup Program Parameters
Prompt | Description | Example |
---|---|---|
Hostname | Must not exceed 19 characters. Valid characters include alphanumerical (A–Z, a–z, 0–9), and the hyphen (-). The first character must be a letter. Note: We recommend that you use lowercase letters to ensure that certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verifications. You cannot use "localhost" as hostname for a node. | isebetal |
(eth0) Ethernet interface address | Must be a valid IPv4 or Global IPv6 address for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14/2001:420:54ff:4::458:121:119 |
Netmask | Must be a valid IPv4 or IPv6 netmask. | 255.255.255.0/ 2001:420:54ff:4::458:121:119/122 |
Default gateway | Must be a valid IPv4 or Global IPv6 address for the default gateway. | 10.12.13.1/2001:420:54ff:4::458:1 |
DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.). | example.com |
Primary name server | Must be a valid IPv4 or Global IPv6 address for the primary name server. | 10.15.20.25 / 2001:420:54ff:4::458:118 |
Add/Edit another name server | Must be a valid IPv4 or Global IPv6 address for the primary name server. | (Optional) Allows you to configure multiple name servers. To do so, enter y to continue. |
Primary NTP server | Must be a valid IPv4 or Global IPv6 address or hostname of a Network Time Protocol (NTP) server. Note: Ensure that the primary NTP server is reachable. | clock.nist.gov / 10.15.20.25 / 2001:420:54ff:4::458:117 |
Add/Edit another NTP server | Must be a valid NTP domain. | (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue. |
System Time Zone | Must be a valid time zone. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or Coordinated Universal Time (UTC) minus 8 hours). Note: Ensure that the system time and time zone match with the CIMC or Hypervisor Host OS time and time zone. System performance might be affected if there is any mismatch between the time zones. Note: We recommend that you set all the Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps. | UTC (default) |
Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and consist of valid alphanumeric characters (A–Z, a–z, or 0–9). | admin (default) |
Password | Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password in order to continue because there is no default password. The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), one uppercase letter (A-Z), and one numeral (0-9). | MyIseYPass2 |
Verifying the Cisco ISE Installation Process
To verify that you have correctly completed the installation process:
- When the system reboots, at the login prompt enter the username you configured during setup, and press Enter.
- Enter a new password.
- Verify that the application has been installed properly by entering the show application command, and press Enter. The console displays:
ise/admin# show application
<name>   <Description>
ise      Cisco Identity Services Engine
Note: The version and date might change for different versions of this release.
- Check the status of the ISE processes by entering the show application status ise command, and press Enter. The console displays:
ise/admin# show application status ise
ISE PROCESS NAME                       STATE            PROCESS ID
Database Listener                      running          14890
Database Server                        running          70 PROCESSES
Application Server                     running          19158
Profiler Database                      running          16293
ISE Indexing Engine                    running          20773
AD Connector                           running          22466
M&T Session Database                   running          16195
M&T Log Collector                      running          19294
M&T Log Processor                      running          19207
Certificate Authority Service          running          22237
EST Service                            running          29847
SXP Engine Service                     disabled
Docker Daemon                          running          21197
TC-NAC Service                         disabled
Wifi Setup Helper Container            not running
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
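To check the status output without reading it by eye, the following added example (not part of the Cisco guide) parses console text in this layout and reports which processes from an operator-supplied list are not running. The sample text is constructed from rows shown above; the `required` list and the function names are assumptions.

```python
import re

# Constructed sample: a few rows in the layout of the status output shown above.
SAMPLE = """\
ise/admin# show application status ise
ISE PROCESS NAME                       STATE            PROCESS ID
Database Listener                      running          14890
Database Server                        running          70 PROCESSES
Application Server                     running          19158
SXP Engine Service                     disabled
Wifi Setup Helper Container            not running
"""

# name, then one of the three states seen on this page, then an optional PID
# (the Database Server row carries "<n> PROCESSES" instead of a single PID).
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<state>not running|running|disabled)"
    r"(?:\s+(?P<pid>\d+)(?:\s+PROCESSES)?)?\s*$"
)


def parse_status(text):
    """Map each ISE process name to its state; prompt and header lines are skipped."""
    states = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            states[m["name"]] = m["state"]
    return states


def not_ready(text, required):
    """Return the required process names that are absent or not in the running state.

    A row in any state other than the three above does not match ROW_RE, so the
    process is treated as absent and reported, which fails safe.
    """
    states = parse_status(text)
    return sorted(name for name in required if states.get(name) != "running")


if __name__ == "__main__":
    # Hypothetical required list chosen by the operator for this node's role.
    required = ["Application Server", "Database Server", "M&T Log Collector"]
    print(not_ready(SAMPLE, required))
```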
Note: When you create a password for the administrator during installation or after installation in the CLI, do not use the $ character in your password, unless it is the last character of the password. If it is the first or one of the subsequent characters, the password is accepted, but cannot be used to log in to the CLI.
If you inadvertently create such a password, reset your password by logging into the console and using the CLI command, or by getting an ISE CD or ISO file. Instructions for using an ISO file to reset the password are explained in the following document: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html
After the setup program is run, the system reboots automatically.
Now, you can log in to Cisco ISE using the username and password that were configured during the setup process.
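A pre-flight check for the setup answers, added here as an example (not Cisco code): it applies the Table 1 rules and the $ password caveat to a dict of planned values before they are typed at the console. The dict keys and function names are assumptions, and "Global IPv6" is approximated as "not link-local".

```python
import ipaddress
import re

HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")   # first character must be a letter
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,8}")
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")


def usable_ip(value):
    """True for a valid IPv4 address or a non-link-local IPv6 address."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not (addr.version == 6 and addr.is_link_local)


def check_setup_answers(a):
    """Return a list of problems found in a dict of planned setup answers."""
    problems = []
    host = a["hostname"]
    if len(host) > 19 or not HOSTNAME_RE.fullmatch(host):
        problems.append("hostname: max 19 chars of A-Z a-z 0-9 '-', starting with a letter")
    if host.lower() == "localhost":
        problems.append("hostname: 'localhost' cannot be used")
    if host != host.lower():
        problems.append("hostname: lowercase recommended for certificate authentication")
    for key in ("ip_address", "gateway", "name_server"):
        if not usable_ip(a[key]):
            problems.append(f"{key}: not a valid IPv4 or global IPv6 address")
    domain = a["dns_domain"]
    if usable_ip(domain) or not DOMAIN_RE.fullmatch(domain):
        problems.append("dns_domain: must be a domain name, not an IP address")
    if not USERNAME_RE.fullmatch(a["username"]):
        problems.append("username: must be 3 to 8 alphanumeric characters")
    pw = a["password"]
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]")
    if len(pw) < 6 or not all(re.search(c, pw) for c in classes):
        problems.append("password: min 6 chars with lowercase, uppercase and a numeral")
    if "$" in pw[:-1]:   # accepted by setup, but the CLI login then fails
        problems.append("password: '$' is only usable as the last character")
    return problems


# Constructed inputs: GOOD reuses the Example column of Table 1, BAD breaks five rules.
GOOD = {"hostname": "isebetal", "ip_address": "10.12.13.14", "gateway": "10.12.13.1",
        "dns_domain": "example.com", "name_server": "10.15.20.25",
        "username": "admin", "password": "MyIseYPass2"}
BAD = dict(GOOD, hostname="1SE-Node", dns_domain="10.1.1.1", username="ad", password="Pa$sword1")
```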
Install Cisco ISE on a Cisco SNS Appliance Using NFS
This section describes how to install Cisco ISE on a Cisco SNS appliance using a Network File System (NFS) server.
Before you begin
- Ensure that you have met the System Requirements as specified in this guide.
- Ensure that you set up the Cisco Integrated Management Interface (CIMC) configuration utility to manage the appliance and configure BIOS. See the following documents for more information:
- For SNS-3600 series appliances, see Cisco SNS-3600 Series Appliance Hardware Installation Guide.
- For SNS-3700 series appliances, see Cisco SNS-3700 Series Appliance Hardware Installation Guide.
Step 1
Download the Cisco ISE ISO image from http://www.cisco.com/go/ise.
Step 2
Connect to CIMC and log in using the CIMC credentials.
Step 3
Choose Compute > Remote Management > Virtual Media > Add New Mapping.
Step 4
In the Add New Mapping window, enter the details of the NFS server, and then click Save.
Step 5
In the Current Mappings window, ensure that the Status of the added mapping is shown as OK.
Step 6
Launch the KVM console.
Step 7
Choose Power > Power Cycle System.
Step 8
Click Confirm.
Step 9
Press F6 to enter the boot menu.
Step 10
In the Select Boot Device window, choose UEFI: Cisco CIMC-Mapped vDVD2.00, and press Enter.
After the server completes the booting process, Cisco ISE installation menu is displayed.
Step 11
Choose Cisco ISE Installation (Keyboard/Monitor) to proceed with the installation.