Cisco Identity Services Engine Installation Guide, Release 3.0

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

• Network Deployments in Cisco ISE
• Cisco Secured Network Server Series Appliances and Virtual Machine Requirements
• Install Cisco ISE
• Additional Installation Information
• Installation Verification and Post-Installation Tasks
• Common System Maintenance Tasks
• Cisco ISE Ports Reference

Book Title

Cisco Identity Services Engine Installation Guide, Release 3.0

Additional Installation Information

• PDF - Complete Book (4.63 MB)PDF - This Chapter (1.87 MB) View with Adobe Reader on a variety of devices

Results

Chapter: Additional Installation Information

• Additional Installation Information
• SNS Appliance Reference
  • Create a Bootable USB Device to Install Cisco ISE
  • Reimage the Cisco SNS Hardware Appliance
  • Virtual Machine Resource and Performance Checks
  • Install Cisco ISE on VMware Virtual Machine Using the ISO File
    • Prerequisites for Configuring a VMware ESXi Server
      • Virtualization Technology Check
      • Enable Virtualization Technology on an ESXi Server
      • Configure VMware Server Interfaces for the Cisco ISE Profiler Service
      • Verify VMWare Tools Installation Using the Summary Tab in the vSphere Client
      • Verify VMWare Tools Installation Using the CLI
      • Support for Upgrading VMware Tools
      • Clone a Cisco ISE Virtual Machine Using a Template
        • Create a Virtual Machine Template
        • Deploy a Virtual Machine Template
        • KVM Virtualization Check
        • Install Cisco ISE on KVM
        • Create a Cisco ISE Virtual Machine on Hyper-V

        Additional Installation Information

        SNS Appliance Reference

        Create a Bootable USB Device to Install Cisco ISE

        Before you begin

        • Use the LiveUSB-creator tool to create a bootable USB device from the Cisco ISE installation ISO file. Download https://github.com/lmacken/liveusb-creator/releases/tag/3.12.0https://github.com/lmacken/liveusb-creator/releases/tag/3.12.0 to the local system.
        • Download the Cisco ISE installation ISO file to the local system.
        • Use a 16-GB or 32-GB USB device.

        Procedure

        Reformat the USB device using FAT16 or FAT32 to free up all the space.

        Plug in the USB device to the local system and launch LiveUSB-creator .

        Click Browse from the Use existing Live CD area and choose the Cisco ISE ISO file.

        Choose the USB device from the Target Device drop-down list.

        If there is only one USB device connected to the local system, it is selected automatically.

        Click Create Live USB .

        From the USB drive, open the following text files in a text editor:

        • isolinux/isolinux.cfg or syslinux/syslinux.cfg
        • EFI/BOOT/grub.cfg

        Replace the term "cdrom" in both the files.

        • If you have a SNS 3515, 3595, 3615, 3655, or 3695 appliance, replace the term "cdrom" with "hd:sdb1" in both the files.

        Specifically, replace all instances of the "cdrom" string. For example, replace

        ks=cdrom/ks.cfg

        ks=hd:sdb1:/ks.cfg

        Save the files and exit.

        Safely remove the USB device from the local system.

        Plug in the bootable USB device to the Cisco ISE appliance, restart the appliance, and boot from the USB drive to install Cisco ISE.

        When installing Cisco ISE via USB, end of line (EOL) characters must be set to "LF" (not "CR LF"). The installation via USB doesn't work if EOL characters are "CR LF."

        Reimage the Cisco SNS Hardware Appliance

        The Cisco SNS hardware appliances do not have built-in DVD drives. Therefore, to reimage a Cisco ISE hardware appliance with Cisco ISE software, you can do one of the following:

        Cisco SNS hardware appliances support the Unified Extensible Firmware Interface (UEFI) secure boot feature. This feature ensures that only a Cisco-signed ISE image can be installed on the SNS hardware appliances, and prevents installation of any unsigned operating system even with physical access to the device. For example, generic operating systems, such as Red Hat Enterprise Linux or Microsoft Windows cannot boot on this appliance.

        The SNS 3515 and SNS 3595 appliances support only Cisco ISE 2.0.1 or later releases. You cannot install a release earlier than 2.0.1 on the SNS 3515 or SNS 3595 appliance.

        • Use the Cisco Integrated Management Controller (Cisco IMC) interface to map the installation .iso file to the virtual DVD device.
        • Create an install DVD with the installation .iso file and plug in an USB external DVD drive and boot the appliance from the DVD drive.
        • Create a bootable USB device using the installation .iso file and boot the appliance from the USB drive.

        VMware Virtual Machine

        The VMware form factor instructions provided in this document are applicable for Cisco ISE installed on Cisco Hyperflex as well.

        Virtual Machine Resource and Performance Checks

        Before installing Cisco ISE on a virtual machine, the installer performs hardware integrity checks by comparing the available hardware resources on the virtual machine with the recommended specifications.

        During a VM resource check, the installer checks for the hard disk space, number of CPU cores allocated to the VM, CPU clock speed, and RAM allocated to the VM. If the VM resources do not meet the basic evaluation specifications, the installation terminates. This resource check is applicable only for ISO-based installations.

        When you run the Setup program, a VM performance check is done, where the installer checks for disk I/O performance. If the disk I/O performance does not meet the recommended specifications, a warning appears on screen, but it allows you to continue with the installation.

        The VM performance check is done periodically (every hour) and the results are averaged for a day. If the disk I/O performance does not meet the recommended specification, an alarm is generated.

        The VM performance check can also be done on demand from the Cisco ISE CLI using the show tech-support command.

        The VM resource and performance checks can be run independent of Cisco ISE installation. You can perform this test from the Cisco ISE boot menu.

        Install Cisco ISE on VMware Virtual Machine Using the ISO File

        This section describes how to install Cisco ISE on a VMware virtual machine using the ISO file.

        Prerequisites for Configuring a VMware ESXi Server

        Review the following configuration prerequisites listed in this section before you attempt to configure a VMWare ESXi server:

        • Remember to log in to the ESXi server as a user with administrative privileges (root user).
        • Cisco ISE is a 64-bit system. Before you install a 64-bit system, ensure that Virtualization Technology (VT) is enabled on the ESXi server.
        • Ensure that you allocate the recommended amount of disk space on the VMware virtual machine.
        • If you have not created a VMware virtual machine file system (VMFS), you must create one to support the Cisco ISE virtual appliance. The VMFS is set for each of the storage volumes configured on the VMware host. For VMFS5, the 1-MB block size supports up to 1.999 TB virtual disk size.

        Virtualization Technology Check

        If you have an ESXi server installed already, you can check if Virtualization Technology is enabled on it without rebooting the machine. To do this, use the esxcfg-info command. Here is an example:

         ~ # esxcfg-info |grep "HV Support" |----HV Support. 3 |----World Command Line. grep HV Support 

        If HV Support has a value of 3, then VT is enabled on the ESXi server and you can proceed with the installation.

        If HV Support has a value of 2, then VT is supported, but not enabled on the ESXi server. You must edit the BIOS settings and enable VT on the server.

        Enable Virtualization Technology on an ESXi Server

        You can reuse the same hardware that you used for hosting a previous version of Cisco ISE virtual machine. However, before you install the latest release, you must enable Virtualization Technology (VT) on the ESXi server.

        Procedure

        Reboot the appliance.

        Press F2 to enter setup.

        Choose Advanced > Processor Configuration .

        Select Intel(R) VT and enable it.

        Press F10 to save your changes and exit.

        Configure VMware Server Interfaces for the Cisco ISE Profiler Service

        Configure VMware server interfaces to support the collection of Switch Port Analyzer (SPAN) or mirrored traffic to a dedicated probe interface for the Cisco ISE Profiler Service.

        Procedure

        Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server instance) VMswitch0 (one of your VMware ESXi server interfaces) Properties Security .

        In the Policy Exceptions pane on the Security tab, check the Promiscuous Mode check box.

        In the Promiscuous Mode drop-down list, choose Accept and click OK .

        Repeat the same steps on the other VMware ESXi server interface used for profiler data collection of SPAN or mirrored traffic.

        Connect to the VMware Server Using the Serial Console

        Procedure

        Power down the particular VMware server (for example ISE-120).

        Right-click the VMware server and choose Edit.

        Click Add on the Hardware tab.

        Choose Serial Port and click Next .

        In the Serial Port Output area, click the Use physical serial port on the host or the Connect via Network radio button and click Next.

        • If you choose the Connect via Network option, you must open the firewall ports over the ESXi server.
        • If you select the Use physical serial port on the host, choose the port. You may choose one of the following two options:
          • /dev/ttyS0 (In the DOS or Windows operating system, this will appear as COM1).
          • /dev/ttyS1 (In the DOS or Windows operating system, this will appear as COM2).

          In the Device Status area, check the appropriate check box. The default is Connected.

          Click OK to connect to the VMware server.

          Configure a VMware Server

          Before you begin

          Procedure

          Log in to the ESXi server.

          In the VMware vSphere Client, in the left pane, right-click your host container and choose New Virtual Machine .

          In the Select a Creation Type area, click Create a new virtual machine and click Next .

          In the Select a Name and Folder area, enter a name for the VMware system, select a location from the displayed list, and click Next .

          Use the hostname that you want to use for your VMware host.

          In the Select a compute resource area, choose a destination compute resource and click Next .

          In the Select storage area, choose a datastore that has the recommended amount of space available and click Next .

          In the Select compatibility area, from the Compatible with drop-down list, choose an ESXi version that is compatible with your Cisco ISE version and click Next .

          For information the ESXi versions that are compatible with your Cisco ISE release, see "Supported Virtual Environments" in the Release Notes for Cisco Identity Services Engine for your release.

          In the Select a guest OS area, carry out the following steps and then click Next :

          1. From the Guest OS Family drop-down list, choose Linux .
          2. From the Guest OS Version drop-down list, choose the supported Red Hat Enterprise Linux (RHEL) version.

          In the Customize hardware area, in the Virtual Hardware tab, carry out the following configurations and then click Next .

          1. choose the required values from the CPU and Memory drop-down lists according to the SNS series appliance you use: SNS 3600 Series Appliance:
             • Small—16 vCPU cores, 32 GB
             • Medium—24 vCPU cores, 96 GB
             • Large—24 vCPU cores, 256 GB The number of cores is twice of that present in equivalent of the Cisco Secure Network Server 3600 series, due to hyperthreading. For example, in case of Small network deployment, you must allocate 16 vCPU cores to meet the CPU specification of SNS 3615, which has 8 CPU Cores or 16 Threads.

          You must reserve vCPU and memory resources equivalent to the configured vCPU cores and memory allocations. Failure to do so may significantly impact Cisco ISE performance and stability. Click the CPU and Memory collapsible areas and update the reservation fields for each setting.

          Choose the amount of memory and click Next .

          Choose the NIC driver from the Adapter drop-down list and click Next .

          Choose Create a new virtual disk and click Next .

          In the Disk Provisioning dialog box, click Thick provisioned, eagerly zeroed radio button, and click Next to continue.

          Cisco ISE supports both thick and thin provisioning. However, we recommend that you choose thick provisioned, eagerly zeroed for better performance, especially for Monitoring nodes. If you choose thin provisioning, operations such as upgrade, backup and restore, and debug logging that require more disk space might be impacted during initial disk expansion.

          Uncheck the Support clustering features such as Fault Tolerance check box.

          In the Ready to complete area, verify the configuration details, such as name, guest OS, CPUs, memory, and disk size of the newly created VMware system.

          The VMware system is now installed.

          What to do next

          To activate the newly created VMware system, right-click VM in the left pane of your VMware client user interface and choose Power > Power On .

          Increase Virtual Machine Power-On Boot Delay Configuration

          On a VMware virtual machine, the boot delay by default is set to 0. You can change this boot delay to help you choose the boot options (while resetting the Administrator password, for example).

          Procedure

          From the VSphere client, right click the VM and choose Edit Settings .

          Click the Options tab.

          Choose Advanced > Boot Options .

          From the Power on Boot Delay area, select the time in milliseconds to delay the boot operation.

          Check the check box in the Force BIOS Setup area to enter into the BIOS setup screen when the VM boots the next time.

          Click OK to save your changes.

          Install Cisco ISE Software on a VMware System

          Before you begin

          • After installation, if you do not install a permanent license, Cisco ISE automatically installs a 90-day evaluation license that supports a maximum of 100 endpoints.
          • Download the Cisco ISE software from the Cisco Software Download Site at http://www.cisco.com/en/US/products/ps11640/index.html and burn it on a DVD. You will be required to provide your Cisco.com credentials.
          • (Optional; applicable only if you are installing Cisco ISE on VMware Cloud) The process of installing Cisco ISE on VMware Cloud is exactly the same as that of installing Cisco ISE on VMware virtual machine.
            • Cisco ISE virtual machine deployed on VMware cloud in Amazon Web Services (AWS): Cisco ISE can be hosted on software-defined data center (SDDC) provided by VMware Cloud on AWS. Ensure that appropriate security group policies are configured on VMware Cloud (under Networking and Security > Security > Gateway Firewall Settings ) to enable reachability to on-premises deployment, required devices and services.
            • Cisco ISE virtual machine deployed on Azure VMware Solution (AVS): AVS runs VMware workloads natively on Microsoft Azure, where Cisco ISE can be hosted as VMware virtual machine.

            Procedure

            Log in to the VMware client.

            For the VM to enter the BIOS setup mode, right-click the VM and select Edit Settings .

            Click the Options tab.

            Click Boot Options , and in the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots.

            You must change the firmware from BIOS to EFI in the boot mode of VM settings to boot GPT partitions with 2 TB or more capacity.

            If you have selected Guest OS RHEL 8 and EFI boot mode, disable the Enable UEFI Secure Boot option. This option is enabled by default for Guest operating system RHEL 8 VM.

            Ensure that the Coordinated Universal Time (UTC) and the correct boot order are set in BIOS:

            1. If the VM is turned on, turn the system off.
            2. Turn on the VM. The system enters the BIOS setup mode.
            3. In the Main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.
            4. Enter the UTC/Greenwich Mean Time (GMT) time zone. This time zone setting ensures that the reports, logs, and posture-agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.
            5. Using the arrow keys, navigate to the Boot menu and press Enter .
            6. Using the arrow keys, select CD-ROM drive and press + to move the CD-ROM drive up the order.
            7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes .
            8. Choose Yes to save the changes and exit.

            Insert the Cisco ISE software DVD into the VMware ESXi host CD/DVD drive and turn on the virtual machine.

            When the DVD boots, the console displays:

             Cisco ISE Installation (Serial Console) Cisco ISE Installation (Keyboard/Monitor) System Utilities (Serial Console) System Utilities (Keyboard/Monitor)

            Use the arrow keys to select Cisco ISE Installation (Serial Console) or Cisco ISE Installation (Keyboard/Monitor) and press Enter . If you choose the serial console option, you should have a serial console set up on your virtual machine. See the VMware vSphere Documentation for information on how to create a console.

            The installer starts the installation of the Cisco ISE software on the VMware system. Allow 20 minutes for the installation process to complete. When the installation process finishes, the virtual machine reboots automatically. When the VM reboots, the console displays:

            Type 'setup' to configure your appliance localhost:

            At the system prompt, type setup and press Enter .

            From Cisco ISE Release 3.0 onwards, the CPUs of the virtualization platform that hosts ISE virtual machines must support (Streaming SIMD Extensions) SSE 4.2 instruction set. Otherwise, certain ISE services (e.g. the ISE API gateway) will not work, and the Cisco ISE GUI cannot be launched. Both Intel and AMD processors have been supporting SSE 4.2 version since 2011.

            VMware Tools Installation Verification

            Verify VMWare Tools Installation Using the Summary Tab in the vSphere Client

            Go to the Summary tab of the specified VMware host in the vShpere Client. The value in the VMware Tools field should be OK.

            

            Verify VMWare Tools Installation Using the CLI

            You can also verify if the VMware tools are installed using the show inventory command. This command lists the NIC driver information. On a virtual machine with VMware tools installed, VMware Virtual Ethernet driver will be listed in the Driver Descr field.

            NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis" PID: ISE-VM-K9 , VID: A0 , SN: FCH184X9XXX Total RAM Memory: 65700380 kB CPU Core Count: 16 CPU 0: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 1: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 2: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 3: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 4: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 5: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 6: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 7: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 8: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 9: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 10: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 11: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 12: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 13: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 14: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz CPU 15: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz Hard Disk Count(*): 1 Disk 0: Device Name: /xxx/abc Disk 0: Capacity: 1198.00 GB NIC Count: 6 NIC 0: Device Name: eth0: NIC 0: HW Address: xx:xx:xx:xx:xx:xx NIC 0: Driver Descr: Intel(R) Gigabit Ethernet Network Driver NIC 1: Device Name: eth1: NIC 1: HW Address: xx:xx:xx:xx:xx:xx NIC 1: Driver Descr: Intel(R) Gigabit Ethernet Network Driver NIC 2: Device Name: eth2: NIC 2: HW Address: xx:xx:xx:xx:xx:xx NIC 2: Driver Descr: Intel(R) Gigabit Ethernet Network Driver NIC 3: Device Name: eth3: NIC 3: HW Address: xx:xx:xx:xx:xx:xx NIC 3: Driver Descr: Intel(R) Gigabit Ethernet Network Driver NIC 4: Device Name: eth4: NIC 4: HW Address: xx:xx:xx:xx:xx:xx NIC 4: Driver Descr: Intel(R) Gigabit Ethernet Network Driver NIC 5: Device Name: eth5: NIC 5: HW Address: xx:xx:xx:xx:xx:xx NIC 5: Driver Descr: Intel(R) Gigabit Ethernet Network Driver (*) Hard Disk Count may be Logical. 

            Support for Upgrading VMware Tools

            The Cisco ISE ISO image contains the supported VMware tools. Upgrading VMware tools through the VMware client user interface is not supported with Cisco ISE. If you want to upgrade any VMware tools to a higher version, support is provided through a newer version of Cisco ISE.

            Clone a Cisco ISE Virtual Machine

            You can clone a Cisco ISE VMware virtual machine (VM) to create an exact replica of a Cisco ISE node. For example, in a distributed deployment with multiple Policy Service nodes (PSNs), VM cloning helps you deploy the PSNs quickly and effectively. You do not have to install and configure the PSNs individually.

            You can also clone a Cisco ISE VM using a template.

            For cloning, you need VMware vCenter. Cloning must be done before you run the Setup program.

            Before you begin

            • Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest .
            • Ensure that you change the IP Address and Hostname of the cloned machine before you power it on and connect it to the network.

            Procedure

            Log in to the ESXi server as a user with administrative privileges (root user).

            VMware vCenter is required to perform this step.

            Right-click the Cisco ISE VM you want to clone, and click Clone .

            Enter a name for the new machine that you are creating in the Name and Location dialog box and click Next .

            This is not the hostname of the new Cisco ISE VM that you are creating, but a descriptive name for your reference.

            Select a Host or Cluster on which you want to run the new Cisco ISE VM and click Next .

            Select a datastore for the new Cisco ISE VM that you are creating and click Next .

            This datastore could be the local datastore on the ESXi server or a remote storage. Ensure that the datastore has enough disk space.

            Click the Same format as source radio button in the Disk Format dialog box and click Next .

            This option copies the same format that is used in the Cisco ISE VM that you are cloning this new machine from.

            Click the Do not customize radio button in the Guest Customization dialog box and click Next .

            What to do next

            • Changing the IP Address and Hostname of a Cloned Virtual Machine
            • Connecting a Cloned Cisco Virtual Machine to the Network

            Clone a Cisco ISE Virtual Machine Using a Template

            If you are using vCenter, then you can use a VMware template to clone a Cisco ISE virtual machine (VM). You can clone the Cisco ISE node to a template and use that template to create multiple new Cisco ISE nodes. Cloning a virtual machine using a template is a two-step process:

            Before you begin

            For cloning, you need VMware vCenter. Cloning must be done before you run the Setup program.

            Procedure

            Create a Virtual Machine Template

            Before you begin

            • Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.
            • We recommend that you create a template from a Cisco ISE VM that you have just installed and not run the setup program on. You can then run the setup program on each of the individual Cisco ISE nodes that you have created and configure IP address and hostnames individually.

            Procedure

            Log in to the ESXi server as a user with administrative privileges (root user).

            VMware vCenter is required to perform this step.

            Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template .

            Enter a name for the template, choose a location to save the template in the Name and Location dialog box, and click Next .

            Choose the ESXi host that you want to store the template on and click Next .

            Choose the datastore that you want to use to store the template and click Next .

            Ensure that this datastore has the required amount of disk space.

            Click the Same format as source radio button in the Disk Format dialog box and click Next .

            The Ready to Complete dialog box appears.

            Deploy a Virtual Machine Template

            After you create a virtual machine template, you can deploy it on other virtual machines (VMs).

            Procedure

            Right-click the Cisco ISE VM template that you have created and choose Deploy Virtual Machine from this template .

            Enter a name for the new Cisco ISE node, choose a location for the node in the Name and Location dialog box, and click Next .

            Choose the ESXi host where you want to store the new Cisco ISE node and click Next .

            Choose the datastore that you want to use for the new Cisco ISE node and click Next .

            Ensure that this datastore has the required amount of disk space.

            Click the Same format as source radio button in the Disk Format dialog box and click Next .

            Click the Do not customize radio button in the Guest Customization dialog box.

            The Ready to Complete dialog box appears.

            Check the Edit Virtual Hardware check box and click Continue .

            The Virtual Machine Properties page appears.

            Choose Network adapter , uncheck the Connected and Connect at power on check boxes, and click OK .

            You can now power on this Cisco ISE node, configure the IP address and hostname, and connect it to the network.

            What to do next

            • Changing the IP Address and Hostname of a Cloned Virtual Machine
            • Connecting a Cloned Cisco Virtual Machine to the Network

            Change the IP Address and Hostname of a Cloned Virtual Machine

            After you clone a Cisco ISE virtual machine (VM), you have to power it on and change the IP address and hostname.

            Before you begin

            

            • Ensure that the Cisco ISE node is in the standalone state.
            • Ensure that the network adapter on the newly cloned Cisco ISE VM is not connected when you power on the machine. Uncheck the Connected and Connect at power on check boxes. Otherwise, if this node comes up, it will have the same IP address as the source machine from which it was cloned.
            • Ensure that you have the IP address and hostname that you are going to configure for the newly cloned VM as soon as you power on the machine. This IP address and hostname entry should be in the DNS server. You cannot use "localhost" as the hostname for a node.
            • Ensure that you have certificates for the Cisco ISE nodes based on the new IP address or hostname. Procedure

            Procedure

            Right-click the newly cloned Cisco ISE VM and choose Power > Power On .

            Select the newly cloned Cisco ISE VM and click the Console tab.

            Enter the following commands on the Cisco ISE CLI:

            configure terminal hostname hostname 

            The hostname is the new hostname that you are going to configure. The Cisco ISE services are restarted.

            Enter the following commands:

            interface gigabit 0 ip address ip_address netmask

            The ip_address is the address that corresponds to the hostname that you entered in step 3 and netmask is the subnet mask of the ip_address. The system will prompt you to restart the Cisco ISE services. See the Cisco Identity Services Engine CLI Reference Guide , for the ip address and hostname commands.

            Enter Y to restart Cisco ISE services.

            Connect a Cloned Cisco Virtual Machine to the Network

            After you power on and change the ip address and hostname, you must connect the Cisco ISE node to the network.

            Procedure

            Right-click the newly cloned Cisco ISE virtual machine (VM) and click Edit Settings .

            Click Network adapter in the Virtual Machine Properties dialog box.

            In the Device Status area, check the Connected and Connect at power on check boxes.

            Migrate Cisco ISE VM from Evaluation to Production

            After evaluating the Cisco ISE release, you can migrate the from an evaluation system to a fully licensed production system.

            Before you begin

            • When you move the VMware server to a production environment that supports a larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum disk size or higher (up to the allowed maximum of 2.4 TB ).
            • Please not that you cannot migrate data to a production VM from a VM created with less than 300 GB of disk space. You can only migrate data from VMs created with 300 GB or more disk space to a production environment.

            Procedure

            Back up the configuration of the evaluation version.

            Ensure that your production VM has the required amount of disk space.

            Install a production deployment license.

            Restore the configuration to the production system.

            Check Virtual Machine Performance On-Demand

            You can run the show tech-support command from the CLI to check the VM performance at any point of time. The output of this command will be similar to the following:

            ise-vm123/admin# show tech | begin "disk IO perf" Measuring disk IO performance ***************************************** Average I/O bandwidth writing to disk device: 48 MB/second Average I/O bandwidth reading from disk device: 193 MB/second WARNING: VM I/O PERFORMANCE TESTS FAILED! WARNING: The bandwidth writing to disk must be at least 50 MB/second, WARNING: and bandwidth reading from disk must be at least 300 MB/second. WARNING: This VM should not be used for production use until disk WARNING: performance issue is addressed. Disk I/O bandwidth filesystem test, writing 300 MB to /opt: 314572800 bytes (315 MB) copied, 7.81502 s, 40.3 MB/s Disk I/O bandwidth filesystem read test, reading 300 MB from /opt: 314572800 bytes (315 MB) copied, 0.416897 s, 755 MB/s 

            Virtual Machine Resource Check from the Cisco ISE Boot Menu

            You can check for virtual machine resources independent of Cisco ISE installation from the boot menu.

            The CLI transcript appears as follows:

             Cisco ISE Installation (Serial Console) Cisco ISE Installation (Keyboard/Monitor) System Utilities (Serial Console) System Utilities (Keyboard/Monitor) 

            Use the arrow keys to select System Utilities (Serial Console) or System Utilities (Keyboard/Monitor) and press Enter . The following screen appears:

             Available System Utilities: [1] Recover administrator password [2] Virtual Machine Resource Check [3] Perform System Erase [q] Quit and reload Enter option [1 - 3] q to Quit 

            Enter 2 to check for VM resources. The output will be similar to the following:

            ***** ***** Virtual Machine host detected… ***** Hard disk(s) total size detected: 600 Gigabyte ***** Physical RAM size detected: 16267516 Kbytes ***** Number of network interfaces detected: 6 ***** Number of CPU cores: 12 ***** CPU Mhz: 2300.00 ***** Verifying CPU requirement… ***** Verifying RAM requirement… ***** Writing disk partition table… 

            Linux KVM

            KVM Virtualization Check

            KVM virtualization requires virtualization support from the host processor; Intel VT-x for Intel processors and AMD-V for AMD processors. Open a terminal window on the host and enter the cat /proc/cpuinfo command. You must see either the vmx or the svm flag.

            # cat /proc/cpuinfo flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid

            # cat /proc/cpuinfo flags: fpu tsc msr pae mce cx8 apic mtrr mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm cr8_legacy

            Install Cisco ISE on KVM

            This procedure explains how to create a KVM on RHEL and install Cisco ISE on it using the Virtual Machine Manager (virt-manager).

            If you choose to install Cisco ISE through the CLI, enter a command similar to the following one:

            #virt-install --name= kvm-ise1  --arch=x86_64 --cpu=host --vcpus=2 --ram=4096 --os-type=linux --os-variant=rhel6 --hvm --virt-type=kvm --cdrom= /home/admin/Desktop/ise-3.0.0.x.SPA.x86_64.iso  --disk= /home/libvirt-images/kvm-ise1.img,size=100  --network type=direct,model=virtio,source= eth2 ,source_mode=bridge 

            where ise-3.0.0.x.SPA.x86_64.iso is the name of the Cisco ISE ISO image.

            Before you begin

            Download the Cisco ISE ISO image to your local system.

            Procedure

            From the virt-manager, click New .

            The Create a new virtual machine window appears.

            Click Local install media (ISO media or CDROM) , and then click Forward .

            Click the Use ISO image radio button, click Browse , and select the ISO image from your local system.

            1. Uncheck the Automatically detect operating system based on install media check box, choose Linux as the OS type, choose supported Red Hat Enterprise Linux version, and click Forward .

            Choose the RAM and CPU settings and click Forward .

            Check the Enable storage for this virtual machine check box and choose the storage settings.

            1. Click the Select managed or other existing storage radio button.
            2. Click Browse .
            3. From the Storage Pools navigation pane on the left, click disk FileSystem Directory .
            4. Click New Volume . A Create storage volume window appears.
            5. Enter a name for the storage volume.
            6. Choose raw from the Format drop-down list.
            7. Enter the Maximum Capacity.
            8. Click Finish .
            9. Choose the volume that you created and click Choose Volume .
            10. Click Forward . The Ready to begin the installation screen appears.

            Check the Customize configuration before install check box.

            Under Advanced options, choose the macvtap as the source for the interface, choose Bridge in the Source mode drop-down list, and click Finish .

            1. (Optional) Click Add Hardware to add additional NICs. Choose macvtap as the Network source and virtio as the Device model.
            2. Click Finish .

            In the Virtual Machine screen, choose the disk device and under Advanced and Performance Options , choose the following options, and click Apply .

            Click Begin Installation to install Cisco ISE on KVM.

            At the system prompt, enter 1 to choose a monitor and keyboard port, or 2 to choose a console port, and press Enter .

            The installer starts the installation of the Cisco ISE software on the VM. When the installation process finishes, the console displays:

            Type 'setup' to configure your appliance localhost:

            At the system prompt, type setup and press Enter .

            Microsoft Hyper-V

            Create a Cisco ISE Virtual Machine on Hyper-V

            This section describes how to create a new virtual machine, map the ISO image from the local disk to the virtual CD/DVD drive, edit the CPU settings, and install Cisco ISE on Hyper-V.

            Cisco ISE does not support the use of Multipath I/O (MPIO). Hence, the installation will fail if you are using MPIO for the VM.

            Before you begin

            Download the Cisco ISE ISO image from cisco.com to your local system.

            Procedure

            Launch Hyper-V Manager on a supported Windows server.

            Right-click the VM host and click New > Virtual Machine .

            Click Next to customize the VM configuration.

            Enter a name for the VM and (optionally) choose a different path to store the VM, and click Next .

            Click the Generation 1 radio button and click Next .

            If you choose to create a Generation 2 ISE VM, ensure that you disable the Secure Boot option in the VM settings.

            Specify the amount of memory to allocate to this VM, for example, 16000 MB, and click Next .

            Select the network adapter and click Next .

            Click the Create a virtual hard disk radio button and click Next .

            Click the Install an operating system from a bootable CD/DVD-ROM radio button.

            

            The Cisco ISE VM is created on Hyper-V.

            Select the VM and edit the VM settings.

            Select the VM and click Connect to launch the VM console. Click the start button to turn on the Cisco ISE VM.

            

            The Cisco ISE installation menu appears.

            Enter 1 to install Cisco ISE using a keyboard and monitor.