Install Cisco ISE

• Install Cisco ISE Using CIMC, on page 1

• Run the Setup Program of Cisco ISE, on page 3
• Verifying the Cisco ISE Installation Process, on page 7

Install Cisco ISE Using CIMC

This section lists the high-level installation steps to help you quickly install Cisco ISE:

Before you begin

• Ensure that you have met the System Requirements as specified in this guide.
• (Optional; required only if you are installing Cisco ISE on virtual machines) Ensure that you have created
the virtual machine correctly. See the following topics for more information:
• #unique_42
• #unique_43
• Create a Cisco ISE Virtual Machine on Hyper-V

• (Optional; required only if you are installing Cisco ISE on SNS hardware appliances) Ensure that you
set up the Cisco Integrated Management Interface (CIMC) configuration utility to manage the appliance
and configure BIOS. See the following document for more information:
• For SNS 3500 series appliances, see Cisco SNS-3500 Series Appliance Hardware Installation Guide.
• For SNS-3600 series appliances, see Cisco SNS-3600 Series Appliance Hardware Installation Guide.

Step 1 If you are installing Cisco ISE on a:

• Cisco SNS appliance: Install the hardware appliance. Connect to CIMC for server management.
• Virtual Machine: Ensure that your VM is configured correct.

Step 2 Download the Cisco ISE ISO image.

a) Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.

Install Cisco ISE

1
 Install Cisco ISE
Install Cisco ISE Using CIMC

b) Click Download Software for this Product.

The Cisco ISE image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco
ISE services when the installation and initial configuration is complete.

Step 3 Boot the appliance or the virtual machine.

• Cisco SNS appliance:
a. Connect to CIMC and log in using the CIMC credentials.
b. Launch the KVM console.
c. Choose Virtual Media > Activate Virtual Devices.
d. Choose Virtual Media > Map CD/DVD and select the ISE ISO image and click Map Device.
e. Choose Macros > Static Macros > Ctrl-Alt-Del to boot the appliance with the ISE ISO image.
f. Press F6 to bring up the boot menu. A screen similar to the following one appears:
Figure 1: Selection of Boot Device

Note If the SNS appliances are placed in a remote location (for example, data centers), to which you do not
have any physical access and need to perform CIMC install from remote servers, it might take long
hours for installation. We recommend that you copy the ISO file on a USB drive and use that in the
remote location to speed up the installation process.

• Virtual Machine:

Install Cisco ISE

2
 Install Cisco ISE
Run the Setup Program of Cisco ISE

a. Map the CD/DVD to an ISO image. A screen similar to the following one appears. The following message and
installation menu are displayed.
Welcome to the Cisco Identity Services Engine Installer
Cisco ISE Version: 3.0.0.xxx

Available boot options:

Cisco ISE Installation (Serial Console)

Cisco ISE Installation (Keyboard/Monitor)
System Utilities (Serial Console)
System Utilities (Keyboard/Monitor)

Step 4 At the boot prompt, press 1 and Enter to install Cisco ISE using a serial console.
If you want to use a keyboard and monitor, use the arrow key to select the Cisco ISE Installation (Keyboard/Monitor)
option. The following message appears.
**********************************************
Please type 'setup' to configure the appliance
**********************************************

Step 5 At the prompt, type setup to start the Setup program. See Run the Setup Program of Cisco ISE, on page 3 for details
about the Setup program parameters.
Step 6 After you enter the network configuration parameters in the Setup mode, the appliance automatically reboots, and returns
to the shell prompt mode.
Step 7 Exit from the shell prompt mode. The appliance comes up.
Step 8 Continue with Verifying the Cisco ISE Installation Process, on page 7 .

Run the Setup Program of Cisco ISE

This section describes the setup process to configure the ISE server.
The setup program launches an interactive command-line interface (CLI) that prompts you for the required
parameters. An administrator can use the console or a dumb terminal to configure the initial network settings
and provide the initial administrator credentials for the ISE server using the setup program. This setup process
is a one-time configuration task.

Note If you are integrating with Active Directory (AD), it is best to use the IP and subnet addresses from a
dedicated Site created specifically for ISE. Consult with the staff in your organization responsible for
AD and retrieve the relevant IP and subnet addresses for your ISE nodes prior to installation and
configuration.

Install Cisco ISE

3
 Install Cisco ISE
Run the Setup Program of Cisco ISE

Note It is not recommended to attempt offline installation of Cisco ISE as this can lead to system instability.
When you run the Cisco ISE installation script offline, the following error is shown:
Sync with NTP server failed' Incorrect time could render the system unusable until it is re-installed.
Retry? Y/N [Y]:
Choose Yes to continue with the installation. Choose No to retry syncing with the NTP server.
It is recommended to establish network connectivity with both the NTP server and the DNS server while
running the installation script.

To run the setup program:

Step 1 Turn on the appliance that is designated for the installation.

The setup prompt appears:
Please type ‘setup’ to configure the appliance
localhost login:

Step 2 At the login prompt, enter setup and press Enter.

The console displays a set of parameters. You must enter the parameter values as described in the table that follows.
Note The eth0 interface of ISE must be statically configured with an IPv6 address if you want to add a Domain Name
Server or an NTP Server with an IPv6 address.

Table 1: Cisco ISE Setup Program Parameters

Prompt Description Example

Hostname Must not exceed 19 characters. Valid isebeta1

characters include alphanumerical
(A–Z, a–z, 0–9), and the hyphen (-).
The first character must be a letter.
Note We recommend that you use
lowercase letters to ensure
that certificate
authentication in Cisco ISE
is not impacted by minor
differences in
certificate-driven
verifications. You cannot
use "localhost" as hostname
for a node.

(eth0) Ethernet interface address Must be a valid IPv4 or Global IPv6 10.12.13.14/
address for the Gigabit Ethernet 0 2001:420:54ff:4::458:121:119
(eth0) interface.

Install Cisco ISE

4
Install Cisco ISE
Prompt
Netmask
Default gateway
DNS domain name
Primary name server
Add/Edit another name server
Primary NTP server
Add/Edit another NTP server
Run the Setup Program of Cisco ISE
Description Example
Must be a valid IPv4or IPv6 netmask. 255.255.255.0/
2001:420:54ff:4::458:121:119/122
Must be a valid IPv4or Global IPv6 10.12.13.1/ 2001:420:54ff:4::458:1
address for the default gateway.
Cannot be an IP address. Valid example.com
characters include ASCII characters,
any numerals, the hyphen (-), and the
period (.).
Must be a valid IPv4 or Global IPv6 10.15.20.25 / 2001:420:54ff:4::458:118
address for the primary name server.
Must be a valid IPv4 or Global IPv6 (Optional) Allows you to configure
address for the primary name server. multiple name servers. To do so,
enter y to continue.
Must be a valid IPv4 or Global IPv6 clock.nist.gov / 10.15.20.25 /
address or hostname of a Network Time 2001:420:54ff:4::458:117
Protocol (NTP) server.
Note Ensure that the primary NTP
server is reachable.
Must be a valid NTP domain. (Optional) Allows you to configure
multiple NTP servers. To do so, enter y
to continue.
Install Cisco ISE
5
 Install Cisco ISE
Run the Setup Program of Cisco ISE

Prompt Description Example

System Time Zone Must be a valid time zone. For UTC (default)
example, for Pacific Standard Time
(PST), the System Time Zone is
PST8PDT (or Coordinated Universal
Time (UTC) minus 8 hours).
Note Ensure that the system time
and time zone match with
the CIMC or Hypervisor
Host OS time and time zone.
System performance might
be affected if there is any
mismatch between the time
zones.

You can run the show timezones

command from the Cisco ISE CLI for
a complete list of supported time zones.
Note We recommend that you set
all the Cisco ISE nodes to
the UTC time zone. This
time zone setting ensures
that the reports, logs, and
posture agent log files from
the various nodes in your
deployment are always
synchronized with regard to
the time stamps.

Username Identifies the administrative username admin (default)

used for CLI access to the Cisco ISE
system. If you choose not to use the
default (admin), you must create a new
username. The username must be three
to eight characters in length and
comprise of valid alphanumeric
characters (A–Z, a–z, or 0–9).

Password Identifies the administrative password MyIseYPass2

that is used for CLI access to the Cisco
ISE system. You must create this
password in order to continue because
there is no default password. The
password must be a minimum of six
characters in length and include at least
one lowercase letter (a–z), one
uppercase letter (A–Z), and one
numeral (0–9).

Install Cisco ISE

6
 Install Cisco ISE
Verifying the Cisco ISE Installation Process

Note When you create a password for the administrator during installation or after installation in the CLI, do not use
the $ character in your password, unless it is the last character of the password. If it is the first or one of the
subsequent characters, the password is accepted, but cannot be used to log in to the CLI.
If you inadvertently create such a password, reset your password by logging into the console and using the CLI
command, or by getting an ISE CD or ISO file. Instructions for using an ISO file to reset the password are
explained in the following document: https://www.cisco.com/c/en/us/support/docs/security/
identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html

After the setup program is run, the system reboots automatically.

Now, you can log in to Cisco ISE using the username and password that was configured during the setup process.

Verifying the Cisco ISE Installation Process

To verify that you have correctly completed the installation process:

Step 1 When the system reboots, at the login prompt enter the username you configured during setup, and press Enter.
Step 2 Enter a new password.
Step 3 Verify that the application has been installed properly by entering the show application command, and press Enter.
The console displays:
ise/admin# show application
<name> <Description>
ise Cisco Identity Services Engine

Note The version and date might change for different versions of this release.

Step 4 Check the status of the ISE processes by entering the show application status ise command, and press Enter.
The console displays:
ise/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID

--------------------------------------------------------------------
Database Listener running 14890
Database Server running 70 PROCESSES
Application Server running 19158
Profiler Database running 16293
ISE Indexing Engine running 20773
AD Connector running 22466
M&T Session Database running 16195
M&T Log Collector running 19294
M&T Log Processor running 19207
Certificate Authority Service running 22237
EST Service running 29847
SXP Engine Service disabled
Docker Daemon running 21197
TC-NAC Service disabled
Wifi Setup Helper Container not running
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled

Install Cisco ISE

7
 Install Cisco ISE
Verifying the Cisco ISE Installation Process

PassiveID WMI Service disabled

PassiveID Syslog Service disabled
PassiveID API Service disabled
PassiveID Agent Service disabled
PassiveID Endpoint Service disabled
PassiveID SPAN Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled

ise/admin#

Install Cisco ISE

8