2013/10/03

Cisco ISE - part 1 - Installing

I will start my blogging with a series of posts about installing and configuring Cisco Identity Services Engine, or Cisco ISE.

Cisco ISE is a really cool platform for security management and control. It is primarily used to establish secured network and guest access, but it can also be used for device access (routers, switches etc.). Cisco treats ISE as one of its main platforms for establishing BYOD.

The Cisco ISE application runs on top of Cisco ADE-OS. You can do some basic system tasks on that OS, such as IP addressing and routing, NTP settings, hostname and so on. It can also be used to reset the admin password for the Cisco ISE application. To access Cisco ADE-OS you can use SSH with your favorite terminal program.

Cisco ISE can be deployed as a hardware appliance (Cisco ISE 3000 series) or as a VM. Since I am a big fan of virtualization I prefer VM-based deployment, but it always depends on your requirements. ISE can be deployed in standalone mode or in HA mode, in which you can also distribute different services among ISE servers. Since I am currently doing a proof-of-concept I will use standalone mode. You can always extend your deployment to HA mode later.

Of course, to start using Cisco ISE you first need to install your server. The minimum requirements for installation given by Cisco are a quad-core CPU, 4GB of RAM and 60GB of disk storage. You must provide 4GB of RAM and 60GB of disk storage at installation time; otherwise the installation process will not let you through. If you just want to do a proof-of-concept you can decrease the amount of RAM afterwards. You can use 1GB and you should be fine. But of course you need to increase the resources to use it in a production environment.

Use the ISO file for installation. Attach the Cisco ISE ISO to your VM and start the VM. Choose to install ISE, then wait for the installation process to reach the login prompt, where you enter setup mode with the setup command.

Now you will be guided through a wizard for the basic configuration parameters. As this is pretty straightforward I didn't paste any screenshots. After you enter the basic parameters the ISE application is going to install. You will have to enter the database admin and user passwords. I believe those users are rarely used or are used by Cisco TAC. So you should use a good password and save it somewhere safe. By the way, KeePass is a good tool to store passwords. After some time ISE should be installed and you are able to access ADE-OS via SSH or the Cisco ISE admin console via web browser.

You can check the ISE application status or reset the application in ADE-OS. All processes should be running before you can access the ISE application through a browser.

ciscoise/admin# sh application status ise

ISE Database listener is running, PID: 5237
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 11768
ISE M&T Session Database is running, PID: 4897
ISE M&T Log Collector is running, PID: 7022
ISE M&T Log Processor is running, PID: 7106
ISE M&T Alert Process is running, PID: 6928
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 64 GB
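If you check this status from a script (for example over SSH from a monitoring host), it helps to parse the output rather than eyeball it. The following is an added example, not code from the original post or from Cisco: it parses the `show application status ise` output in the format shown above, lists any process that is not reported as running, and flags the disk-size warning. The sample outputs are constructed from the format above, and the "is not running" wording for a stopped process is an assumption.

```python
"""Parse `show application status ise` output and summarise ISE health.

Added example. Assumes only the line format shown in the post; the
wording "is not running" for a stopped process is an assumption.
"""
import re

# Constructed sample: the healthy output from the post, with the disk warning.
SAMPLE_OUTPUT = """\
ISE Database listener is running, PID: 5237
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 11768
ISE M&T Session Database is running, PID: 4897
ISE M&T Log Collector is running, PID: 7022
ISE M&T Log Processor is running, PID: 7106
ISE M&T Alert Process is running, PID: 6928
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 64 GB
"""

# Constructed sample of a degraded node (assumed wording for a stopped process).
SAMPLE_DEGRADED = """\
ISE Database listener is running, PID: 5237
ISE Database is running, number of processes: 27
ISE Application Server is not running
ISE M&T Session Database is running, PID: 4897
"""

# One line per ISE process: "<name> is running, ..." or "<name> is not running".
PROCESS_RE = re.compile(r"^(?P<name>ISE .+?) is (?P<state>running|not running)\b")
# The disk warning line carries both the recommended and the current size in GB.
DISK_RE = re.compile(
    r"RECOMMENDED DISK SIZE: (?P<rec>\d+) GB, CURRENT DISK SIZE: (?P<cur>\d+) GB"
)


def parse_status(text):
    """Return ({process name: is_running}, (recommended_gb, current_gb) or None)."""
    processes = {}
    disk = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            processes[m.group("name")] = m.group("state") == "running"
            continue
        m = DISK_RE.search(line)
        if m:
            disk = (int(m.group("rec")), int(m.group("cur")))
    return processes, disk


def health_check(text):
    """Summarise the status output: stopped processes and disk sizing."""
    processes, disk = parse_status(text)
    stopped = [name for name, up in processes.items() if not up]
    # No disk warning line at all means the size was not flagged.
    disk_ok = disk is None or disk[1] >= disk[0]
    return {
        "all_running": not stopped,
        "stopped": stopped,
        "disk_ok": disk_ok,
        "disk": disk,
    }


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_OUTPUT), ("degraded", SAMPLE_DEGRADED)):
        result = health_check(sample)
        print(f"{label}: all_running={result['all_running']} "
              f"stopped={result['stopped']} disk_ok={result['disk_ok']}")
```

For a proof-of-concept the disk warning is expected and can be ignored; for a production node the script should treat `disk_ok == False` or a non-empty `stopped` list as a failed check, since the web console will not be reachable until every process is running.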

You can start, stop or reset the application, reset the admin password, or completely reset the configuration to factory defaults. The commands are listed below.

ciscoise/admin# application ?
 configure     Configure application
 install       Install An Application Bundle
 remove        Uninstall An Application
 reset-config  Reset application configuration to factory defaults
 reset-passwd  Reset application password for specified user
 start         Start an Application
 stop          Stop an Application
 upgrade       Upgrade An Application Bundle

To access Cisco ISE via web browser you only need to enter http://x.x.x.x and you are automatically redirected to the https page. Enter the credentials you provided during installation and you are ready to use your fresh installation of Cisco ISE. What is especially cool about ISE is that Cisco provides a 90-day evaluation license with all features. So you can use this to build a proof-of-concept or to test some functionality.
