How To's - Deploy Cisco Identity Services Engine (ISE) 2.7
Hi there, in this post we’re going to deploy Cisco Identity Services Engine (ISE) version 2.7 on VMware Workstation and join it to a domain controller.
There are some prerequisites that I recommend you have in your environment before deploying ISE. They are not mandatory as per Cisco requirements, but I had some issues adding them at a later stage: for example, the NTP on ISE wouldn’t sync correctly with the NTP server, and to fix it you have to log in at the root level and use a tool to help you troubleshoot the problem. Short story: just add them at the installation phase. These are the requirements:
- Ensure the gateway is reachable
- Ensure the DNS Server is reachable
- Ensure the NTP Server is reachable
To deploy a DNS Server, check my post How To's - Deploy Windows Server 2019 as a Domain Controller and DNS Server.
https://www.dhirubhai.net/pulse/how-tos-deploy-windows-server-2019-domain-dns-sil%C3%A9sio-carvalho/
Now let’s begin by downloading the ISE OVA file from the Cisco Software Download page: https://software.cisco.com/download/home
To download ISE you don’t need a contract associated with your account.
At the time of this writing, the recommended version is 2.7, which means it is considered the most stable release.
Once we have the image, we’ll import it in VMware Workstation > Open a Virtual Machine > Select the image.
Specify the location where the image will be stored and set a name for easier reference.
Press Next in Deployment Options > Eval > Import
Once the import finishes, you may see an upgrade option for the ISE VM. Upgrade the machine to the latest hardware compatibility option and choose Alter this virtual machine at the end.
By default, ISE comes pre-configured with some values for CPU, memory, hard disk and interfaces. If your host can afford it, just keep the defaults; in my case I changed them to lower values.
Press OK and power on ISE.
At the login prompt, just type setup (don’t try to log in, like I did once :-)
Next provide the required values for ISE (hostname, IP address...).
Be patient because this process may last for a while (more than 30 mins). Once it completes successfully, we’ll have to wait a couple more minutes to let the applications start.
You can verify the application status by typing the command show application status ise.
Once the STATE column shows running for most of the applications on the top side, we can access the web page.
The username and password are the same as the console credentials.
Once you log in, you’ll be presented with a page requesting your Cisco Account ID; you may skip this step by choosing the option Provide later.
Then it will show you a page describing your license evaluation period; just accept and close.
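The readiness check described above can be automated over a saved copy of the command output. This is an added example, not part of the original post or Cisco's tooling: the sample table is constructed (process IDs are made up), and the REQUIRED list is an assumption about which services the admin web page and the AD join depend on.

```python
import re

# Constructed sample modeled on the table printed by `show application status ise`.
SAMPLE_OUTPUT = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          4930
Database Server                        running          66 PROCESSES
Application Server                     initializing
Profiler Database                      running          6022
AD Connector                           not running
M&T Session Database                   running          3059
SXP Engine Service                     disabled
pxGrid Controller                      disabled
"""

# Assumption: services that must be up before using the web page and joining AD.
REQUIRED = ("Database Listener", "Database Server",
            "Application Server", "AD Connector")


def parse_status(text):
    """Return {process name: state} from the captured table."""
    states = {}
    for line in text.splitlines():
        # Columns are separated by runs of 2+ spaces; names and states such as
        # "not running" contain only single spaces, so they stay intact.
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2 or cols[0] == "ISE PROCESS NAME":
            continue  # blank line, dashed rule, CLI prompt or header row
        states[cols[0]] = cols[1].lower()
    return states


def readiness(text, required=REQUIRED):
    """Return (ready, pending) where pending maps each blocking service to its state."""
    states = parse_status(text)
    pending = {name: states.get(name, "missing")
               for name in required if states.get(name) != "running"}
    return (not pending, pending)


if __name__ == "__main__":
    ready, pending = readiness(SAMPLE_OUTPUT)
    print("ready" if ready else f"wait, still pending: {pending}")
```

Services reported as disabled are ignored unless they appear in REQUIRED, since optional features are disabled on a fresh evaluation install.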
At this stage, we have successfully deployed ISE 2.7. Now let’s join an AD Server.
In the menu bar, select Work Centers > Ext ID Sources
Then go to External Identity Sources > Active Directory > Add >
In Join Point Name set the name that will represent the AD Server in ISE.
In Active Directory Domain field, type the domain name.
After submitting this connection it will ask us if we want to join ISE with the Active Directory Domain. Press Yes.
Next provide a user with admin privilege in AD.
If the operation status is successful, we can then add specific groups from AD that will be used to authenticate and authorize users with per-group filtering.
And we have successfully deployed ISE 2.7 and made it join an Active Directory.
I’ll write another article, showing you how to provide network access for users using ISE.
I hope you enjoyed this post, leave your comments below and I'll see you on the next one.