Chapter 8, Performing Post Installation Tasks


Performing Post-Installation Tasks


This chapter describes a number of tasks that you must perform after successfully completing the ISE system installation and configuration. This chapter contains information about the following topics:

Installing a Valid License

Accessing ISE Using a Web Browser

Verifying the ISE Configuration

Resetting the Administrator Password

Re-imaging an ISE-3300 Series Appliance

ISE System Post-Installation Configuration

Installing a Valid License

To operate ISE, you must install a valid license. The ISE system prompts you to install a valid base license when you first access the web interface.


Note Each ISE server requires a unique base license in a distributed deployment.


This section provides information about the following topics:

Types of Licenses

Auto-Installation of the Evaluation License

Types of Licenses

Table 8-1 describes ISE-3300 series license support:

Table 8-1 ISE-3300 Series License Support 

License
Description

Base Access Policy Package License

The base license is required for all software instances deployed, as well as for all appliances. The base license enables you to use all the ISE functionality except license controlled features, and it enables standard centralized reporting features.

Required for each ISE instance, primary and secondary.

Required for all appliances.

Supports deployments with up to 50000 managed devices.

The following are the types of base license:

Permanent—This license does not have an expiration date. Supports deployments with up to 50000 managed devices.

Evaluation—Expires 90 days from the time the license is issued. Supports deployments with up to 50 managed devices.

The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.

ISE-Base-license ranges from 250/500/1000/1500/2500/3500/5000

ISE-Base-license ranges from 10000/25000/50000/100000/200000/300000

Advanced Endpoint Policy Package License

Advanced licenses can only be installed on an ISE server that already has a base license installed. Large deployments need a permanent base license to be installed.

ISE-Advanced-license ranges from 250/500/1000/1500/2500/3500/5000

ISE-Advanced-license ranges from 10000/25000/50000/100000/200000/300000

Bundled Policy Package License

Bundled policy package licenses include base and advanced.

ISE-Bundle-license ranges from 100/250/500/1000/1500/2500/3500/5000

ISE-Bundle-license ranges from 10000/25000/50000/100000/200000/300000



All licenses are centrally managed by the ISE PAP node per deployment

All licenses are applied on the PAP only

Deployments cannot have an Advanced license without the Base license

PAP should ensure that networks cannot add more Advanced endpoint licenses than the Base endpoint licenses

Inline PEP (Policy Enforcement Point) does not require a separate license

When the ISE image first boots up, only the bootstrap configuration and license page are displayed

When a Base license is applied, additional ISE User Interface (UI) screens and tabs are displayed

When an Advanced license is applied, Profiler and Posture screens and tabs are displayed
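
The device-counting rule from Table 8-1 and the Base/Advanced constraints listed above can be checked before licenses are ordered. The following Python sketch is an added example, not Cisco code; the function names, the sample addresses, and the choice to count an address covered by two entries only once are assumptions.

```python
import ipaddress

# Managed-device limits per base license type, taken from Table 8-1.
DEVICE_LIMITS = {"evaluation": 50, "permanent": 50000}


def count_managed_devices(entries):
    """Count unique IPv4 addresses across (address, netmask) entries.

    Every address inside a masked range counts, so 255.255.255.0 gives 256.
    Assumption: an address covered by two entries is counted once.
    """
    nets = [ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for addr, mask in entries]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def check_license_plan(entries, base_type, base_endpoints=0, advanced_endpoints=0):
    """Return the list of rule violations for a planned deployment (empty = OK)."""
    problems = []
    devices = count_managed_devices(entries)
    if base_type not in DEVICE_LIMITS:
        problems.append("no base license: one is required on every ISE instance")
        if advanced_endpoints:
            problems.append("Advanced license present without a Base license")
        return problems
    if devices > DEVICE_LIMITS[base_type]:
        problems.append(f"{devices} managed devices exceeds the {base_type} "
                        f"limit of {DEVICE_LIMITS[base_type]}")
    if advanced_endpoints > base_endpoints:
        problems.append(f"{advanced_endpoints} Advanced endpoint licenses exceed "
                        f"{base_endpoints} Base endpoint licenses")
    return problems


# Constructed sample configuration (not from the page): one /24 range,
# one host inside that range, and one separate host.
SAMPLE = [("10.1.1.0", "255.255.255.0"),
          ("10.1.1.5", "255.255.255.255"),
          ("192.168.0.1", "255.255.255.255")]

if __name__ == "__main__":
    print("managed devices:", count_managed_devices(SAMPLE))
    for problem in check_license_plan(SAMPLE, "evaluation"):
        print("problem:", problem)
```
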

Auto-Installation of the Evaluation License

If you are using a virtual machine (VM) for ISE with disk space between 60 GB and 600 GB, ISE automatically installs the evaluation license. However, you can also get the evaluation license and install it manually on the ISE server.

All ISE-3300 series appliances ship with an evaluation license that is limited to 90 days and 25 endpoints. For further details on licensing, see License and Documentation Guide for Cisco Identity Services Engine, Release 1.0.

Accessing ISE Using a Web Browser

The ISE-3300 series appliances support a web interface on HTTPS-enabled Microsoft Internet Explorer versions 6 and 7, and Firefox version 3.x.

This section contains:

Logging In

Logging Out

Logging In

When you log in to the ISE web interface for the first time, you are prompted to install the license file.

To log in to the ISE web interface, perform the following:


Step 1 Enter the ISE-3300 series appliance URL in your browser.

For example, https://ise_host/admin/, where ise_host is the IP address or DNS host name.

The login page appears.

Step 2 In the Username field, enter admin, which is the default username. The value is not case-sensitive.

Step 3 In the Password field, enter default1A, which is the default password. The value is case-sensitive.


Note Click Reset to clear the Username and Password fields and start over, if needed.


Step 4 Click Login or press Enter.

The login page reappears, prompting you to change your password.

Step 5 Enter default in the Old Password field, then enter a new password in the New Password and Confirm Password fields.

If you forget your username or password, use the ise reset-password command to reset your username to admin and your password to default. You are prompted to change your password after a reset.

Step 6 Click Login or press Enter.

You are prompted to install a valid license as shown in Figure 8-1.

Figure 8-1 ISE License Window


Note The license page appears only the first time that you log in to ISE.



Step 7 Click Browse and choose a valid, unique base license for the ISE server.

For more information on installing a valid license, see the User Guide for the Cisco Identity Services Engine, Release 1.0.

If your login is successful, the main page of the ISE web interface appears.

If your login is unsuccessful, the following error message appears:

Invalid username or password specified.

The Username and Password fields are cleared.

Step 8 Re-enter the valid username and password, and click Login.


Logging Out

To log out of the ISE web interface:


Step 1 Click Logout in the ISE web interface header to end your administrative session.

You are logged out.


Caution For security reasons, Cisco recommends that you log out of the ISE when you complete your administrative session. If you do not log out, the ISE web interface logs you out after 30 minutes of inactivity, and does not save any unsubmitted configuration data.

For more information on using the Web Interface, see the User Guide for the Cisco Identity Services Engine, Release 1.0.


Verifying the ISE Configuration

This section provides two methods for verifying that your ISE configuration was successful:

Verifying the Configuration using a Web Browser

Verifying the Configuration using the CLI

Verifying the Configuration using a Web Browser

To verify that the configuration of an ISE-3300 series appliance was successful and that the username and password are valid, perform the following:


Step 1 After the ISE appliance reboot has completed, launch one of the supported web browsers.

Step 2 In the Address: field, type in the IP address of the ISE appliance using the following format, and press Enter.

http://<IP address>/admin/

For example, using http://10.10.10.10/admin/ displays the Administrator Login page.

Step 3 In the Administrator Login page, enter the username and password you configured using Setup, and click Log In.

This displays the Cisco Identity Services Engine main window.

Verifying the Configuration using the CLI

To verify that the configuration of an ISE-3300 series appliance was successful and that the username and password are valid, perform the following:


Step 1 After the ISE appliance reboot has completed, launch a supported product for establishing an SSH connection to the ISE appliance (for example, using PuTTY).

Step 2 In the Host Name (or IP Address) field, type in the hostname (or the IP address of the ISE appliance in dotted-decimal format), and click Open to display the system prompt for the ISE appliance.

Step 3 At the login as prompt, enter the username you configured during Setup, and press Enter.

Step 4 At the password prompt, enter the password you configured during Setup, and press Enter.

Step 5 To verify that the application has been installed properly, at the system prompt enter show application version ise and press Enter.

992 build shows CPM, will be fixed in hardening (filed bug CSCti58268); figures shown are approximations.

The console displays:


Note The build number may change for different versions of this release.


Step 6 To check the status of the ISE processes, at the system prompt enter show application status ise and press Enter.

The console displays:


Note To get the latest ISE patches and to keep your ISE up-to-date, visit the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/ise1_patches



Resetting the Administrator Password

If no one is able to log in to the ISE system because the administrator password has been lost, forgotten, or compromised, you can use the Cisco Identity Services Engine, Release 1.0, Recovery DVD to reset the administrator password. To reset the administrator password, perform the following:


Step 1 Ensure that the ISE appliance is powered up.

Step 2 Insert the Cisco Identity Services Engine, Release 1.0, Recovery DVD in the appliance CD/DVD drive.

The console displays (this example shows an ISE-3355):

Welcome to Cisco Identity Services Engine Recovery - ISE-3355

To boot from hard disk press <Enter>

Available boot options:

[1] Cisco Identity Services Engine Installation (Keyboard/Monitor)

[2] Cisco Identity Services Engine Installation (Serial Console)

[3] Reset Administrator Password (Keyboard/Monitor)

[4] Reset Administrator Password (Serial Console)

<Enter> Boot from hard disk

Please enter boot option and press <Enter>.

boot:

Step 3 To reset the administrator password, at the system prompt, enter 3 if you are using a keyboard and video monitor connection to the appliance, or enter 4 if you are using a local serial console port connection.

The console displays a set of parameters.

Step 4 Enter the parameters using the descriptions listed in Table 8-2.

Table 8-2 Password Reset Parameters

Parameter                Description
Admin Username           Enter the number of the corresponding administrator whose password you want to reset.
Password                 Enter the new password for the designated administrator.
Verify Password          Enter the password again.
Save Change and Reboot   Enter Y to save.


The console displays:

Admin username:

[1]:admin

[2]:admin2

[3]:admin3

[4]:admin4

Enter number of admin for password recovery:2

Password:

Verify password:

Save change and reboot? [Y/N]:


Re-imaging an ISE-3300 Series Appliance

If conditions dictate that you need to re-image an ISE-3300 series appliance, or you want to re-image an appliance previously used for a Cisco ACS 5.1 installation (for example, you are planning to migrate ACS data to ISE and want to re-use the appliance), perform the following:


Step 1 Ensure that the appliance is powered up.

Step 2 Insert the Cisco Identity Services Engine, Release 1.0, Recovery DVD in the appliance CD/DVD drive.

The console displays (this example shows an ISE-3315):

Welcome to Cisco Identity Services Engine Recovery - ISE-3315

To boot from hard disk press <Enter>

Available boot options:

[1] Cisco Identity Services Engine Installation (Keyboard/Monitor)

[2] Cisco Identity Services Engine Installation (Serial Console)

[3] Reset Administrator Password (Keyboard/Monitor)

[4] Reset Administrator Password (Serial Console)

<Enter> Boot from hard disk

Please enter boot option and press <Enter>.

boot:

Step 3 At the console prompt, enter 1 if you are using a keyboard and video monitor, or enter 2 if you are using a serial console port, and press Enter.

The reimage process uninstalls the existing ADE-OS and system software versions, and installs the latest ADE-OS and ISE system software versions.

For more details about the installation and configuration process, see Preparing to Configure the ISE-3300 Series Appliance, page 5-1, and Running the Setup Program, page 5-2.


ISE System Post-Installation Configuration

Using the ISE web interface and UI menus, you can configure the system to suit your needs. For details on configuring authentication policies, authorization policies, and using all the features, menus, and options, see the User Guide for the Cisco Identity Services Engine, Release 1.0.

For details on each operation and other administrative functions, such as monitoring and reporting, see the User Guide for the Cisco Identity Services Engine, Release 1.0.

For up-to-date information on Cisco.com, see the Release Notes for the Cisco Identity Services Engine, Release 1.0.