© Global Knowledge Training LLC L1-1 L1 ISE Installation & Web Console Familiarization


Lab 1: ISE Installation & Web Console Familiarization


Lab Overview

In this lab, you will configure ISE for the first time. You'll investigate the CLI of ISE and the ADE-OS. You will also configure a repository that will be used for upgrading ISE and backing up the database configuration. At the end of the lab, you will log in to ISE for the first time and load the Base and Advanced licenses.

Estimated Completion Time

70 minutes

Lab Procedures

1. Configuring ISE for the First Time

2. Configuring a Repository

3. Web Console Familiarization


Configuring ISE for the First Time

The ISE_Secondary appliance is in its initial default state. The installation .iso has been used to install the ISE 1.1.1 software, but the initial configuration has not yet been performed. The Cisco Application Deployment Engine (ADE-OS) 2.0.4 has been installed; it provides the base operating system for installing applications like ISE or ACS 5.x. In this section, you'll configure ADE-OS and install the ISE 1.1 application.

1. Configure the ISE_Secondary device to communicate with the other devices on the network:

1.1. Access the console of the ISE_Secondary device by selecting the device in the topology diagram.

1.2. You will see the ISE_Secondary console displayed. Click anywhere in the console in order to stimulate the device. Press the Enter key.


1.3. The banner displayed is an indicator that the system has not been configured and it instructs the user to enter the setup command. Enter the setup command and press the Enter key.

1.4. Enter the following information into the setup script:

Note If at any time you enter invalid data, you must press CTRL+C to exit the script and then re-run the script.

Note In the following script, 'gkl' is not 'gk1'. GKL in our network stands for Global Knowledge Labs.

Enter hostname[]: ISE-Secondary
Enter IP address[]: 10.10.2.60
Enter IP netmask[]: 255.255.255.0
Enter IP default gateway[]: 10.10.2.1
Enter default DNS domain[]: gkl.local    (Note that this is 'gkl', not 'gk1')
Enter Primary nameserver[]: 10.10.1.25
Add secondary nameserver? Y/N [N] : <enter>
Enter NTP server[time.nist.gov]: 1.1.1.11
Add another NTP server? Y/N [N]: <enter>
Enter system timezone[UTC]: <enter>
Enter username [admin]: <enter>
Enter password: 5dmin$Pwd
Enter password again: 5dmin$Pwd
Bringing up network interface...
Pinging the gateway...
Pinging the primary nameserver...
Virtual Machine detected, configuring VMware tools…
Do not use `Ctrl-C' from this point on...
Installing applications...
Installing ISE...
The mode has been set to licensed.
Application bundle (ISE) installed successfully
=== Initial Setup for Application: ISE ===
Welcome to the ISE initial setup. The purpose of this setup is to provision the internal ISE database. This setup requires that you create a database administrator password and also create a database user password.
Please follow the prompts below to create the database administrator password.


Enter new database admin password: Admin4Database
Confirm new database admin password: Admin4Database
Successfully created database administrator password.
Please follow the prompts below to create the database user password.
Enter new database user password: User4Database
Confirm new database user password: User4Database
Successfully created database user password.
Running Database cloning script …
Running database network network config assistant tool …
Extracting ISE database content …
Starting ISE database processes…
Creating ISE M&T session directory
Performing ISE database priming …
Generating configuration …
Rebooting …
Generating configuration...
Rebooting...

Note The installation of the ISE software will take approximately 10 minutes. Then, the system will reboot. The reboot will take another 2 1/2 minutes. You can continue without having to wait for the system to reboot.

The installation of the ISE application can take some time. To help with class timing, switch to the ISE-Primary VM to proceed with its setup. This ISE-Primary VM has already been configured for use and is ready-to-go for the remainder of the course.

2. On the ISE-Primary, log in for the first time and verify that the ISE application is installed properly:

Note Press [Ctrl] [Alt], in order for the mouse to escape the console of the ISE VM.

2.1. Log in using the admin and 4dmin$Pwd credentials.

2.2. Enter the show application command which should indicate that the application is installed.


2.3. Verify the release and version of the software by executing the show application version ise command.

2.4. Verify the status of the Cisco Secure ISE processes by entering the show application status ise command. All the processes listed should indicate a status of ‘running’. Note the Warning message at the bottom of the output.


2.5. Issue the show inventory command to display hardware details of the appliance.

What is the Serial Number of the appliance?

What is the size of the Hard Disk Drive?

How much DRAM is allocated to the host?

2.6. Next, issue the show udi command to display quick information regarding the serial number of the appliance. Note that the serial number assigned in a VM is based upon certain hardware. Reimaging an appliance will still reuse the same serial number value.


2.7. Now verify the network details on the interface of the ISE appliance by entering the show interface command as seen below:

Note The Cisco secure ISE is an IPv6 capable device.

2.8. Verify the routing table by executing the show ip route command. The output should display a default next hop going to the 10.10.2.1 address which is the Layer3-Switch in the topology diagram.

2.9. Next ensure that the configuration is saved by executing the write mem command.

2.10. Although not required at this point, you can reload the ISE by executing the reload command from the command prompt. If you choose to reload, the reboot process will again take another 2 1/2 minutes.

2.11. Verify the clock by entering the show clock command. There is no need to adjust the clock; NTP has already been configured on this VM and should already be synchronized with time.nist.gov.

Note Manually resetting the clock in ISE requires a database reset.


3. Add an additional NTP server to the ISE-Primary:

3.1. Add the 1.1.1.11 NTP server as a trusted NTP source. This server resides beyond the student pods within our core infrastructure.

ISE-Primary/admin# config t
ISE-Primary/admin(config)# ntp server 1.1.1.11
ISE-Primary/admin(config)# exit

3.2. Issue the show ntp command to display the current state of the NTP synchronization. The output may indicate that the server is currently unsynchronized. Repeat the command using the up arrow key; the output will eventually display a synchronized NTP status as seen below:

Note The IP address in the second row listed will differ depending on which time.nist.gov server we are syncing with.


3.3. Issue the show version command, which is different from the previously used command, show application version ise, to view the version of not just the ISE application but also the OS of the appliance itself:

Configuring a Repository

As you investigated in prior steps, this version of ISE is 1.1.1. Eventually, upgrades will be released and we'll need to update the appliances. To perform an upgrade, we'll need to define a repository that ISE can use to download the appropriate files.

4. Configure and examine an FTP repository on the Admin-PC:

4.1. On the console of the ISE-Primary, prepare a repository location where the upgrade files are located. In our case, we have an FTP service running on the Admin-PC (10.10.2.20).

ISE-Primary/admin# config t
Enter configuration commands, one per line. End with CNTL/Z.
ISE-Primary/admin(config)# repository GKL_Repo
ISE-Primary/admin(config-Repository)# url ftp admin-pc
ISE-Primary/admin(config-Repository)# user anonymous password plain letmein
ISE-Primary/admin(config-Repository)# do write mem
Generating configuration...
ISE-Primary/admin(config-Repository)# end


Note Admin-PC, as referenced in the above configuration, requires a DNS lookup and resolves to the 10.10.2.20 address.

Note This is one of the few cases where the ADE-OS configuration (repository setting) will carry over and can be used in the ISE GUI interface. IP address and interface configurations cannot be configured through the GUI.

4.2. Validate the configuration by examining the content of the repository on the Admin-PC.

ISE-Primary/admin# show repository GKL_Repo

Note The files/folders seen reside on the Admin-PC and not locally on ISE.
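A quick audit of the repository stanza from step 4.1, as an added example that is not part of the lab guide: it flags cleartext transports, the anonymous account and passwords entered with the password plain keyword. The function and rule names are assumptions made for this example, and the sample input is constructed from the commands shown in step 4.1.

```python
import re

# Constructed sample: the repository stanza entered in step 4.1.
SAMPLE_CONFIG = """\
repository GKL_Repo
  url ftp admin-pc
  user anonymous password plain letmein
"""

CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}  # transports without encryption


def parse_repositories(config_text):
    """Return {repository name: [url/user lines]} from config or console text."""
    repos, current = {}, None
    for raw in config_text.splitlines():
        # Drop a leading CLI prompt such as 'ISE-Primary/admin(config)# '.
        line = re.sub(r"^\S+#\s*", "", raw.strip())
        match = re.match(r"repository\s+(\S+)$", line)
        if match:
            current = match.group(1)
            repos.setdefault(current, [])
        elif line in ("end", "exit", "!"):
            current = None
        elif current and re.match(r"(url|user)\s+\S", line):
            repos[current].append(line)
    return repos


def audit_config(config_text):
    """Return (repository, rule, detail) findings; secrets are never echoed."""
    findings = []
    for name, lines in parse_repositories(config_text).items():
        for line in lines:
            tokens = line.split()
            if tokens[0] == "url":
                # Handles 'url ftp admin-pc' (as on the page) and 'url ftp://host/'.
                scheme = tokens[1].split(":", 1)[0].lower()
                if scheme in CLEARTEXT_SCHEMES:
                    findings.append((name, "cleartext-transport", scheme))
            else:
                if tokens[1].lower() == "anonymous":
                    findings.append((name, "anonymous-account", tokens[1]))
                if tokens[2:4] == ["password", "plain"]:
                    findings.append((name, "plaintext-password-entry", "<redacted>"))
    return findings


if __name__ == "__main__":
    for repo, rule, detail in audit_config(SAMPLE_CONFIG):
        print(f"{repo}: {rule} ({detail})")
```

Running it against saved console transcripts also works, because CLI prompts are stripped before parsing.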

Web Console Familiarization

In this section of the lab, you will use the web console of ISE for the first time and familiarize yourself with the general layout of the interface.

5. Verify the installation of the Cisco Secure ISE by logging into the web console:

5.1. Launch Chrome from the desktop of the Admin-PC.

5.2. On the shortcut bar within Chrome is a shortcut labeled ISE_Primary. You can either click that link or you can manually enter https://10.10.2.50 (don’t forget this is an https connection).


5.3. Chrome should display an invalid certificate window. This is because the Cisco Secure ISE currently has a self-signed certificate installed, which Chrome does not recognize as issued by a trusted Certificate Authority (CA). For now, trust the certificate by clicking the Proceed anyway button. Follow the same steps when accessing the ISE appliance in subsequent labs until we get a valid certificate installed.

5.4. You should now be at the logon page for the ISE. Log in using the admin username and password 5dmin$Pwd. Note that the username is not case-sensitive.


Note You may receive the following message stating that the password has expired.

If so, return to the CLI, log in as admin / 4dmin$Pwd and execute the application reset-passwd ise admin command. Note that there might be a delay of up to 60 seconds after each of the commands shown in the following screen output. For now, use 6dmin$Pwd as the new password.

5.5. Once the main page loads, we will get familiar with the basics. Mouse over the hostname of the appliance on the top right. You should see the Node Information window appear. Note that this is a quick method for determining the personas that are currently provisioned on the appliance and the role of the appliance.

Note If the browser opens an empty blank page, simply re-click the ISE_Primary button on the shortcut bar and restart the admin session.


5.6. Navigate to Administration > System > Admin Access > Authentication. Click the Password Policy tab on the right side of the screen.

5.6.1. In the Password must contain at least one character of each of the selected types section, modify the following:

5.6.2. In the Password History section, enter 1 in the Password must be different from the previous versions field.

5.6.3. In the Password Lifetime fields, deselect the first item.

5.6.4. In the Incorrect Password Attempts section, deselect the checkbox.

5.7. Click Save at the bottom of the screen.

6. Change the Admin account's email address and password:

6.1. Click on the Admin link on the top right of the screen.

6.2. A window will appear indicating user specific information. In the email field, enter [email protected].

6.3. In the Password fields, enter admin$Pwd and click Save.


7. Next, investigate the Task Navigator drop-down box:

7.1. As an example, click Task Navigator > Setup.

7.2. The Setup Task list is displayed. Scroll to the right to view all the available tasks on the system. We’ll come back to this list throughout the week but for now click the Licensing task.

7.3. Examine the installed license. This license was installed in preparation for this class. Notice that the licenses are fully functional (non-eval) permanent Base and Advanced licenses.

How many devices does the license support? ________________

7.4. Select ISE-Primary and click the Edit button to view the license information. Note the serial number listed. It should match the value recorded in step 2.5.

7.5. Normally, you would click the Add Service button to add a license into the database on the PAN, but since our labs come pre-loaded, there is no need to do so.

7.6. Next, click the Home button.


7.7. Examine the various dashlets, as they are called, shown on the page. They provide a quick view of what is happening currently with ISE. In the System Summary dashlet, mouse over the green checkbox. You’ll see a quick view of the various process statuses.

Note Adobe Flash Player must be installed on the Administration ISE node in order to view the dashlets and metric meters on the dashboard.

7.8. Mouse over the alarms and notifications area on the bottom right of the screen. A popup should appear providing relevant information. You might see various alarms related to DNS or NTP failures.

7.9. Finally, review the main tabs on the dashboard. The primary navigation tabs span the top of the Cisco ISE window. Administrators can perform various tasks from the Cisco ISE dashboard depending on their assigned access roles. The major tasks are performed from the following high-level tabs in the user interface:

— Home: This tab is the landing page when you first log into the Cisco ISE web interface. This page provides a real-time view of services running on the Cisco ISE. You can view more detailed information by double-clicking elements on the page.

— Operations: This tab provides access to tools for monitoring live authentications, querying historical data through reports, and troubleshooting network services. It also provides information on real-time alarms as they occur on the network.

— Policy: This tab provides access to tools for managing network security in the areas of authentication, authorization, profiling, posture, client provisioning. Secure Group Access and select policy elements have direct links for ease of use.


— Administration: This tab provides access to tools for administering the ISE network in these functional areas: System, Identity Management, Network Resources, and Guest Management.

7.10. Click the Administration tab in order to view the Administration menu. For the remainder of the course, you’ll be getting familiar with this interface and where things are located in the GUI.

7.11. Click the Logout link on the top right of the screen.

Lab Complete

Please let your instructor know that your Pod has completed the lab.
