Cisco ISE Part 2: Installation

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.

The blogpost Agenda:

  • Part 1: introduction
  • Part 2: installation
  • Part 3: Active Directory
  • Part 4: High Availability
  • Part 5: Configuring wired network devices
  • Part 6: Policy enforcement and MAB
  • Part 7: Configuring wireless network devices
  • Part 8: Inline posture and VPN
  • Part 9: Guest and web authentication
  • Part 10: Profiling and posture

This week, part 2: installation.

Cisco ISE installation

After installation of the software, type “setup” in the username field on the console.

A wizard appears, complete this wizard with the following information:

  • Hostname
  • IP adress
  • Netmask
  • Default Gateway
  • DNS domain
  • Nameservers
  • NTP server
  • Timezone (try to use UTC)
  • Enter a useraccount for the first admin user
  • Enter the password for this user

Make sure the NTP server is correct and reachable, NTP is important for the ISE deployment.

During the wizard proces, enter a database password and a database user password.

After the wizard, it can take up to 30 minutes before the setup completes. So, grab a coffee or something.

After setup, verify the installation:

ISE-Hostname/admin# show application

Verify the release version:

ISE-Hostname/admin# show application version ise

Check the hardware:

ISE-Hostname/admin# show inventory

For your license request, you have to use the information from this output:

ISE-Hostname/admin# show udi

Check routing table:

ISE-Hostname/admin# show ip route

Now you can browse with a webbrowser* to the IP address of the ISE appliance for further configuration:

https://10.0.0.10/

* at this point, only IE and Firefox 3.x are supported, but other browsers may work too. I also experienced some troubles with IE and firefox with some buttons/fields. Try to switch to a different browser if some buttons or fields are not working.

A login screen appears, log in with the created Admin user:

Login screen

Click on the Task navigator (on the right), click Setup:

Task navi - licensing

The Setup task list is displayed. All these steps will be covered in upcoming blog posts.
For adding the license, click “Licensing”. Click the device and click “edit”

License1

Upload the optained License file.

License2

To configure a SSL certificate for administration:
First, get the root certificate of your CA. This is out of the scope of this blog post. Be sure to get BASE64 coded certificates.

Click Administration – System – Certificates – Certificate Authority Certificates and import a new trusted CA certificate:

CA cert import

Now, request a SSL certificate for webmanagement.
Click Administration – System – Certificates – Local Certificates.
Click Add – Generate Certificate Signing Request and fill in the form.

Cert request

Click Submit.

Under Certificates Operations, select Certificate Signing Requests. Download (export) the CSR.

Processing of this CSR within your CA is out of scope of this blogpost.

When you get the requested certificate, click Administration – System – Certificates – Local Certificates.

Click Add – Bind CA Certificate and upload the certificate.
Under the protocols section, check both options: EAP and Management Interface.

Certbind

The ISE service will be restarted after clicking Submit, this takes a while so grab another coffee.

Make sure all nodes you want to add in the deployments have a valid SSL certificate for (at least) the management interface!

Next week part 3 of this blog post series: Cisco ISE with Active Directory.