Configuring the Cisco ISE 3300 Series Appliance
This chapter describes how to perform an initial configuration of a Cisco Identity Services Engine (ISE) 3300 Series appliance, and it contains the following topics:
•Before Configuring a Cisco ISE 3300 Series Appliance
•Understanding the Setup Program Parameters
•Configuring a Cisco ISE 3300 Series Hardware Appliance
•Verifying the Configuration Process
Note Cisco requires you to review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco ISE software on a Cisco ISE 3300 Series appliance.
Before Configuring a Cisco ISE 3300 Series Appliance
The Cisco ISE 3300 Series appliances are preinstalled with the Cisco Application Deployment Engine (ADE) Release 2.0 operating system (ADE-OS) and the Cisco ISE Release 1.0 software. The Cisco ADE-OS and Cisco ISE software are preinstalled on a dedicated Cisco ISE appliance (Cisco ISE 3300 Series) or can be installed on a VMware server in this release.
Make sure that you have identified all of the following configuration setting information before proceeding:
•Hostname
•IP address for the Gigabit Ethernet 0 (eth0) interface
•Netmask
•Default gateway
•DNS domain
•Primary name server
•Primary Network Time Protocol (NTP) server
•System time zone
•Username
•Password
Note The username and password that you configure using the Cisco ISE Setup program are intended only for administrative access to the Cisco ISE command-line interface (CLI), and this role is considered to be the CLI-admin user. By default, the username for the CLI-admin user is admin and the password is user-defined during the setup process. There is no default password.
As the CLI-admin user, you can start and stop the Cisco ISE application, apply software patches and upgrades, reload or shut down the Cisco ISE appliance, and view all system and application logs. We recommend that you protect the special CLI-admin user credentials and create web-based admin users to configure and manage your ISE deployment.
For details about the differences between the CLI-admin user and web-based admin user rights, see Admin Rights Differences: CLI-Admin and Web-Based Admin Users.
Admin Rights Differences: CLI-Admin and Web-Based Admin Users
When you run the Cisco ISE Setup program during software configuration on the designated appliance, it launches an interactive command-line interface (CLI) that prompts you to enter a series of required parameters to configure the system. The last two parameters you configure during the setup process set the username and password for the CLI-admin user.
The Cisco ISE CLI-admin user has rights and capabilities that are distinctly different from those that belong to the Cisco ISE web-based admin user. You must understand how these rights affect the tasks that each user role can perform.
Tasks Performed by CLI-Admin and Web-based Admin Users
The CLI-admin user and the web-based admin user can perform the following Cisco ISE system-related tasks:
•Back up and restore the Cisco ISE application data
•Display any system, application, or diagnostic logs on the Cisco ISE appliance
•Apply Cisco ISE software patches, maintenance releases, and upgrades
Tasks Performed Only by the CLI-Admin User
Only the CLI-admin user can perform the following Cisco ISE system-related tasks:
•Start and stop the Cisco ISE application software
•Reload or shut down the Cisco ISE appliance
Because only the CLI-admin user has this set of privileges, you must safeguard and protect the CLI-admin user credentials. To protect the CLI-admin user credentials, you must explicitly create only those users you want to access the Cisco ISE CLI.
Note Web-based admin users that are created by using the Cisco ISE user interface cannot automatically log into the Cisco ISE CLI. Only CLI-admin users that were explicitly created to have these privileges can access the Cisco ISE CLI.
To create other CLI-admin users, you must first log into the Cisco ISE CLI as the CLI-admin user and complete the following tasks:
Step 1 Log in using the CLI-admin username and password that you created during the setup process.
Step 2 Enter the Configuration mode.
Step 3 Run the username command.
Note For details, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.
Understanding the Setup Program Parameters
When you run the Cisco ISE Setup program to configure the Cisco ISE software, it launches an interactive CLI that prompts you to enter required parameters to configure the system (see Table 3-1). There are several ways you can make a connection to the supported hardware appliances to run the Setup program:
•Using a network-based console connection to the hardware appliance.
•Using a local serial console cable connection to the rear panel of the appliance.
•Using a local keyboard and video (VGA) connection to the appliance.
These methods let you configure the initial network settings that create the initial set of administrator credentials for the appliance. Using the Setup program is a one-time configuration task.
Note The following procedure assumes that you have properly installed, connected, and powered up the supported appliance by following the recommended procedures. For configuring VMware servers, see Configuring a VMware System Using the Cisco Identity Services Engine ISE Software DVD, page 4-11.
Table 3-1 Identity Services Engine Network Configuration Parameters for Setup
Prompt | Description | Example
--- | --- | ---
Hostname | Must not exceed 19 characters. Valid characters include alphanumeric (A-Z, a-z, 0-9) and hyphen (-); the first character must be an alphabetic character. | isebeta1
(eth0) Ethernet interface address | Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14
Netmask | Must be a valid IPv4 netmask. | 255.255.255.0
Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1
DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numbers, hyphen (-), and period (.). | mycompany.com
Primary name server | Must be a valid IPv4 address for the primary name server. | 10.15.20.25
Add/Edit another name server | Must be a valid IPv4 address for an additional name server. | (Optional) Allows you to configure multiple name servers. To do so, enter y to continue.
Primary NTP server | Must be a valid IPv4 address or hostname of an NTP server. | clock.nist.gov
Add/Edit another NTP server | Must be a valid NTP domain. | (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.
System Time Zone | Must be a valid time zone. For details, see Cisco Identity Services Engine CLI Reference Guide, Release 1.0, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST) it is PST8PDT (or UTC-8 hours). Note The time zones referenced in this hyperlink are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones. | UTC (default)
Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be from 3 to 8 characters in length, and be composed of valid alphanumeric characters (A-Z, a-z, or 0-9). | admin (default)
Password | Identifies the administrative password used for CLI access to the Cisco ISE system. You must create this password (there is no default). It must be at least six characters long and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). | Myise3p@ss
Note For details about the web-based administrator username and password, see Verifying the Configuration Using a Web Browser, page 5-10.
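The rules in Table 3-1 can be checked against a planned set of values before you sit down at the console. The following is an added example, not Cisco code: the function names and dictionary keys are hypothetical, the NTP server and time zone prompts are not checked, and the gateway-in-subnet test is an extra sanity check that Table 3-1 does not state.

```python
import ipaddress
import re
HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,18}")  # letter first, 19 chars max
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,8}")

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def is_netmask(value):
    """True for a contiguous mask such as 255.255.255.0 (one bits, then zero bits)."""
    if not is_ipv4(value):
        return False
    host_bits = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    return host_bits != 0xFFFFFFFF and (host_bits & (host_bits + 1)) == 0

def validate_setup(plan):
    """Return the names of the Setup prompts whose planned value breaks Table 3-1."""
    bad = []
    if not HOSTNAME_RE.fullmatch(plan["hostname"]):
        bad.append("hostname")
    bad += [k for k in ("ip", "gateway", "nameserver") if not is_ipv4(plan[k])]
    if not is_netmask(plan["netmask"]):
        bad.append("netmask")
    if is_ipv4(plan["domain"]) or not DOMAIN_RE.fullmatch(plan["domain"]):
        bad.append("domain")
    if not USERNAME_RE.fullmatch(plan["username"]):
        bad.append("username")
    pw = plan["password"]
    if len(pw) < 6 or not all(re.search(c, pw) for c in ("[a-z]", "[A-Z]", "[0-9]")):
        bad.append("password")
    # Added check (not in Table 3-1): the gateway should sit inside the eth0 subnet.
    if not {"ip", "netmask", "gateway"} & set(bad):
        subnet = ipaddress.IPv4Network(f"{plan['ip']}/{plan['netmask']}", strict=False)
        if ipaddress.IPv4Address(plan["gateway"]) not in subnet:
            bad.append("gateway-off-subnet")
    return bad

# Constructed inputs: GOOD uses the Example column of Table 3-1; BAD is made up.
GOOD = dict(hostname="isebeta1", ip="10.12.13.14", netmask="255.255.255.0",
            gateway="10.12.13.1", domain="mycompany.com", nameserver="10.15.20.25",
            username="admin", password="Myise3p@ss")
BAD = dict(GOOD, hostname="3ise", netmask="255.0.255.0", domain="10.1.1.1",
           username="ad", password="password1")
print(validate_setup(GOOD), validate_setup(BAD))
```

An empty list means every checked value satisfies Table 3-1; otherwise the list names the prompts to fix before running Setup.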
Configuring a Cisco ISE 3300 Series Hardware Appliance
This section describes running the Cisco ISE Setup program to configure the Cisco ISE 3300 Series software for the supported hardware appliances.
To configure a Cisco ISE 3300 Series appliance by using the Setup program, complete the following steps:
Step 1 Connect a keyboard and a VGA monitor to the Cisco ISE 3300 Series appliance.
Step 2 Ensure that a power cord is connected to the Cisco ISE 3300 Series and turn on the appliance.
Note The Cisco ISE software is already preinstalled on the appliance. Do not insert the Cisco Identity Services Engine ISE VM Appliance Software Version 1.0 DVD. The DVD is provided only for performing some key post-installation operations.
In about 2 minutes, the following prompt is displayed, which means that the boot sequence is complete:
**********************************************
Please type 'setup' to configure the appliance
**********************************************
Step 3 At the prompt, type setup to start the Setup program. You are prompted to enter networking parameters and first credentials. The following illustrates a sample Setup program and default prompts:
Note Cisco ISE appliances track time internally using UTC time zones. If you do not know your own specific time zone, you can enter one based on the city, region, or country where your Cisco ISE appliance is located. See Table 3-2, Table 3-3, and Table 3-4 for sample time zones. It is recommended to configure the preferred time zone (the default is UTC) during installation when Setup prompts you to configure this setting.
Caution Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see "clock timezone" in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.
Enter hostname[]: ise-server-1
Enter IP address[]: 10.0.0.0
Enter Netmask[]: 10.255.10.255
Enter default gateway[]: 172.10.10.10
Enter default DNS domain[]: cisco.com
Enter Primary nameserver[]: 200.150.200.150
Add/Edit another nameserver? Y/N: n
Enter primary NTP domain[]: clock.cisco.com
Add/Edit another NTP domain? Y/N: n
Enter system time zone[]: UTC
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing ISE...
Generating configuration...
Rebooting...
Welcome to the ISE initial setup. The purpose of this setup is to provision the internal database. This setup is non-interactive and will take roughly 15 minutes to complete. Please be patient.
Running database cloning script...
Running database network config assistant tool...
Extracting ISE database contents...
Starting ISE database processes...
...
After the Cisco ISE software has been configured, the Cisco ISE system reboots automatically. To log back into the Cisco ISE CLI, you must enter the CLI-admin user credentials that you configured during Setup.
Step 4 After you have logged into the Cisco ISE CLI shell, you can run the following CLI command to check the status of the Cisco ISE application processes:
ise-server/admin# show application status ise
ISE Database listener is running, PID: 5244
ISE Database is running, number of processes: 30
ISE Application Server is running, PID: 5550
ISE M&T Session Database is running, PID: 5018
ISE M&T Log Collector is running, PID: 5636
ISE M&T Log Processor is running, PID: 5677
ISE M&T Alert Process is running, PID: 5582
ise-server/admin#
Step 5 After you have confirmed that the Cisco ISE Application Server is running, you can then log into the Cisco ISE user interface using one of the supported web browsers (see Accessing Cisco ISE Using a Web Browser, page 5-7).
To log into the Cisco ISE user interface using a web browser, enter the following in the Address field:
https://<your-ise-hostname or IP address>/admin/
where "your-ise-hostname or IP address" represents the hostname or IP address you configured for the Cisco ISE 3300 Series appliance during Setup.
Step 6 At the Cisco ISE Login window, you are prompted to enter the web-based admin login credentials (username and password) to access the Cisco ISE user interface.
Note The username and password credentials you use for web-based access to the Cisco ISE user interface are not the same as the CLI-admin user credentials you created during Setup for accessing the Cisco ISE CLI interface. For an explanation of the differences between these two types of admin users, see Admin Rights Differences: CLI-Admin and Web-Based Admin Users.
The default credentials you can use for logging into the Cisco ISE user interface as a web-based admin user are:
Username: admin
Password: cisco
After you have logged into the Cisco ISE user interface, you can configure your devices, user stores, policies, and other components.
Supported Time Zones
This section provides three tables that provide more information on common UTC time zones for Europe, the United States and Canada, Australia, and Asia.
Note The format for time zones is POSIX or System V. POSIX time zone format syntax looks like America/Los_Angeles, while System V time zone syntax looks like PST8PDT.
•For time zones in Europe, the United States, and Canada, see Table 3-2.
•For time zones in Australia, see Table 3-3.
•For time zones in Asia, see Table 3-4.
Table 3-3 Australia Time Zones
Australia (1)
ACT (2)
Adelaide
Brisbane
Broken_Hill
Canberra
Currie
Darwin
Hobart
Lord_Howe
Lindeman
LHI (3)
Melbourne
North
NSW (4)
Perth
Queensland
South
Sydney
Tasmania
Victoria
West
Yancowinna
1 Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
2 ACT = Australian Capital Territory
3 LHI = Lord Howe Island
4 NSW = New South Wales
Table 3-4 Asia Time Zones
Asia (1)
Aden (2)
Almaty
Amman
Anadyr
Aqtau
Aqtobe
Ashgabat
Ashkhabad
Baghdad
Bahrain
Baku
Bangkok
Beirut
Bishkek
Brunei
Calcutta
Choibalsan
Chongqing
Colombo
Damascus
Dhaka
Dili
Dubai
Dushanbe
Gaza
Harbin
Hong_Kong
Hovd
Irkutsk
Istanbul
Jakarta
Jayapura
Jerusalem
Kabul
Kamchatka
Karachi
Kashgar
Katmandu
Kuala_Lumpur
Kuching
Kuwait
Krasnoyarsk
1 The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia.
2 Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.
Note Additional time zones are available if you use the Cisco ISE CLI show timezones command. This CLI command displays a list of all time zones available to you. Choose the most appropriate one for your network location.
Verifying the Configuration Process
To verify that you have correctly completed the configuration process, use one of the following two methods to log into the Cisco ISE 3300 Series appliance:
•Web browser
•Cisco ISE CLI
Note To perform post-installation verification of configuration, see Chapter 5, "Performing Post-Installation Tasks."