Cisco ISE – Replace the Self Signed Certificate

KB ID 0001068 

Problem

Cisco ISE arms itself with a self generated certificate out of the box, (well the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2).

Solution

Step 1: Import the CA Certificate into ISE

Note: If you have a lot issuing servers it’s a good idea the repeat this procedure for EVERY issuing server you have in your PKI environment. Assuming you have an off-line root that would be every SubCA (to use Microsoft terminology). On my test network I only have one so that’s not a problem.

1. Connect to the web enrollment portal of your Certificate services folder > Download a CA Certificate, certificate chain, or CRL.

2. Select DER encoding > Download CA Certificate.

3. Save the certificate where you can find it, with a sensible name.

4. Log into ISE > Administration > System > Certificates > Certificate Store > Import.

5. Import the certificate you just saved and tick the ‘Trust for client authentication or secure Syslog services’ option > Submit.

Step 2: Generate a New Certificate for Cisco ISE

6. Whilst still in the certificate section > Local Certificates > Add > Generate Certificate Signing Request.

7. Enter the FQDN of the ISE appliance > Submit.

8. Certificates > Certificate Signing Requests > Export.

9. Again save it somewhere you can find it easily.

10. Open the PEM file you just created, and copy all the text to the clipboard.

11. Back at you web enrollment portal > Request a certificate.

12. Advanced certificate request.

13. Submit a certificate request by using…

14. Paste in your copied text (make sure no spaces get added to the end, this usually happens, be careful) > Set the template to Web Server (of your own template, if you are not using the default one) > Submit.

15. Select DER encoded > Download certificate > Save it with a name that is recognizable as the ISE appliance.

16. On the ISE web portal > Local Certificates > Add > Bind CA Signed Certificate.

17. Browse to the new cert > Select EAP and HTTPS > Submit.

18. Now remember to connect to the ISE appliance using its FQDN (you did remember to create a record in DNS for it didn’t you?)

At this point if you get an error either the URL is wrong, or you didn’t create a DNS record, or the machine you are on does not trust your issuing servers root certificate.</p?

Related Articles, References, Credits, or External Links

NA

Cisco ISE NFR Appliance Setup

KB ID 0001066

Problem

The Cisco ISE NFR appliance is for demos and test bench use, I’m currently building a test lab for ISE so I spun a copy up. I looked at the associated ReadMe.pdf for instructions on the basic setup, and found a hyper-link to the instructions, that didn’t work! bah.

Solution

The appliance comes as an OVA file for importation into vSphere/ESX, I’m assuming you have already imported the appliance.

VMware vSphere – How to Import and Export OVF and OVA Files

1. Default username and Password: Username admin Password ISEc0ld

Cisco ISE NFR Setup Basic IP Addressing.

2. By default the appliance has an IP address of 10.1.100.21, you can see that at CLI.

[box]ise/admin# show interface[/box]

3. Or here you can see the IP address in the vSphere console.

4. To change the IP (Note: The ISE appliance has two virtual NIC’s I’m just changing the default ones IP address).

[box]
ise/admin# configure
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ip address 192.168.200.12 255.255.255.0

Enter ‘Y’ to restart the services.

[/box]

[box] ise/admin(config-GigabitEthernet)# exit
ise/admin(config)#
ip default-gateway 192.168.200.1[/box]

Cisco ISE NFR Set Hostname and DNS Information

6. To change the appliances default domain;

[box]
ise/admin(config)# ip domain-name pnltest1.com

Enter ‘Y’ to restart the services.

[/box]

7. To set the DNS server to use for local lookups;

[box]ise/admin(config)# ip name-server 192.168.200.10

Enter ‘yes’ to restart the services.

[/box]

8. To set the Hostname, simply use the following syntax;

[box]ise/admin(config)# hostname ISE-01 [/box]

Cisco ISE NFR Set NTP Information

9. To set the timezone;

[box]ise/admin(config)# clock timezone GB [/box]

10. To set the NTP servers it’s a little more convoluted, you can have up to three, two are already configured. If you try and delete the pre-configured ones it will error. So you need to add one, then delete the two factory ones, then you can add up to another two.

[box]

To Add an NTP Server

ise/admin(config)# ntp server 123.123.123.123
To Remove an NTP Server

ise/admin(config)# no ntp server 123.123.123.123

[/box]

11. As usual NTP can take a while to synchronise, I’d go and have a coffee at this point, to test;

[box]ise/admin(config)# show ntp [/box]

12. Save your changes.

13. At this point you should be able to get to the web console.

14. Logged in successfully.

 

Related Articles, References, Credits, or External Links

NA

Cisco ISE – Upgrading

KB ID 0001071 

Problem

Just as I was hunting around for an NFR version of Cisco ISE 1.3, they released 1.4. I wasn’t sure if I could upgrade my NFR version without breaking it so I thought I would ‘have a go’.

Solution

If you read the documentation for the upgrade of 1.2 to 1.4, I suggest you skip straight to the tasks to do AFTER upgrade, as it has a habit of resetting things back to default, best to make sure you know how everything is setup that might break before you start.

This upgrade took me a long time! The best part of an afternoon!

1. Before we do anything let’s take a snapshot, just in case it all goes to hell in a hand cart.

2. Gotcha! The upgrade fails if you have any expired certificates, even disabling them wont help, you need to delete all expired root certs before you start.

3. Copy the upgrade file from an FTP server to the ISE device, it wont show you any progress bar, go and get a coffee, if it does not error it’s probably copying over OK :).

4. When you get the prompt back you can check it’s there with a ‘dir’ command.

5. Before you can upgrade you need to create a repository for the upgrade;

[box]

ISE-01/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ISE-01(config)# repository upgrade
ISE-01(config-Repository)# url disk:
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes.
If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ISE-01(config-Repository)# exit
ISE-01(config)# exit

[/box]

6. Then you need to ‘prepare’ for the upgrade.

[box]

ISE-01/admin# application upgrade prepare ise-upgradebundle-1.2.x-to-1.4.0.253.x86_64.tar.gz upgrade
Getting bundle to local machine...
md5: 35a159416afd0900c9da7b3dc6c72043
sha256: e3358ca424d977af67f8bb2bb3574b3e559ce9578d2f36c44cd8ba9e6dddfefd
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y

[/box]

7. Start the upgrade, this takes ages, go and have at least three coffees.

[box]ISE-01/admin# application upgrade proceed[/box]

8. The appliance will reboot and complete the upgrade, more waiting.

9. When it’s done log in and issue a show version command to check the new version.</p?

10. Follow the advice, check the article and complete any further steps as required.</p?

11. I wont list all the post install tasks, but you need to change the hardware version to ‘Red Hat Enterprise Linux 6 (64 bit).</p?

 

Related Articles, References, Credits, or External Links

NA