This is Part 2 of ISE Cookbook series, and in continuation with the last article "Cisco ISE Guide - CookBook Part 1". In today article we discuss about how to do the first setup configuration on ISE.
ISE Configuration - Initial
2. After the OVA is installed, console to the new vm and type setup
3. During the setup, you need to provide the following information:
- Hostname
- IP Address of ISE
- Netmask
- Default Gateway
- DNS Domain - Typically the Active Directory domain
- Nameserver - This is my AD server since it is also the DNS server
- NTP Server - (At least one)
- Timezone - EST
- Username - The default is admin. This is for the CLI login, not the GUI
- Password - Again, for logging into the CLI
4. After it’s up, issue show ntp to verify NTP is up and show application status ise to verify services.- IP Address of ISE
- Netmask
- Default Gateway
- DNS Domain - Typically the Active Directory domain
- Nameserver - This is my AD server since it is also the DNS server
- NTP Server - (At least one)
- Timezone - EST
- Username - The default is admin. This is for the CLI login, not the GUI
- Password - Again, for logging into the CLI
5. Navigate to http of the ISE IP address
6. Administration>System>Admin Access>Administrators>Admin Users and change the admin password
7. Administration>External Identity Sources>Active Directory and click Add
8. In the Join Point Name field, use the computer name of the AD server and add the domain name in the Active Directory Domain field
9. A window will pop-up asking for domain credentials to add ISE to the domain. enter administrator credentials
10. After ISE is joined to the domain, click on the Groups tab. Click on Add and then Select Directory Groups. This is where we add Active Directory groups to ISE for future use in Authentication policies.
11. At a minimum add Domain Users, Domain Computers, Domain Admins
12. navigate to the Attributes tab. Click Add and Select Attributes from Directory. In the sample user or machine account, enter the administrator username or any user account. This will pull up the AD attributes for that account. Check the boxes for attributes to use later in policies. Use cn, memberOf, and userCertificate attributes:
13. Navigate to https://AD-IP-address/certsrv and click on the Download a CA certificate, certificate chain, or CRL link
14. Choose the radio button for Base 64 and click on the Download CA certificate
15. On ISE Administration>System>Certificate>Certificate Management>Trusted Certificates and click Import
16. Upload the CA certificate that you just download. Give it a friendly name and check Trust for authentication within ISE, Trust for client authentication and Syslog, Trust for authentication of Cisco Services
17. Administration>System>Certificates>Certificate Signing Requests and click on Generate Certificate Signing Requests (CSR)
18. Choose Multi-use in the drop-down. Check the box next to the ISE node and fill out the subject information. Click on Generate and then click Export on the pop-up that comes up.
19. Open the CSR that you just downloaded in Notepad and reopen https://AD-IP-address/certsrv . Click on the Request a certificate link. On the next page, click on the advanced certificate request link.
20. Copy and paste the body of the CSR from your Notepad into the Base-64-encoded certificate request field and under the Certificate Template drop-down, choose the pxGrid as the template. Click Submit.
21. On the next page, choose the radio button for Base 64 encoded and click the Download certificate
22. on ISE Administration>System>Certificates>Certificate Management>Certificate Signing Request and check the box next to the CSR you previously created. Click on the Bind Certificate button
23. Give it a friendly name like "CA-BIND". Check the boxes next to Admin and EAP authentication. You can choose the Portal as well but this is for Guest/Sponsor/Hotspot/etc portals so recommendation is to use a publicly-signed certificate so guests don’t get cert errors
24. Administration>System>Certificates>Certificate Management>Certificate Signing Requests and create another CSR
25. Specify that it will be used for pxGrid under the Certificate(s) will be used for field. After it is generated, export and download it:
26. Open the CSR in Notepad and open the AD CA Web Enrollment page in your browser. Request a certificate and go to advanced certificate request again. Copy the CSR into the Base-64-encoded certificate request field and the Pxgrid certificate template:
27. Submit, choose the radio button for Base 64 encoded and click the Download certificate
28. Administration>System>Certificates>Certificate Management>Certificate Signing Requests page, bind this newly downloaded certificate to ISE:
29. Administration>Identity Management>External Identity Management>Certificate Authentication Profile and click Add.
30. Name the profile AD_CA_AltName. From the Identity Store drop-down, choose the AD domain. Certificate Attribute radio button, choose Subject Alternative Name option. On the Match Client Certificate Against Certificate in Identity Store keep it at the default, which is Only to resolve identity ambiguity.
31. Click Add and create the following certificate profile which will be for BYOD, identity store = not applicable, Certificate Attribute radio button, choose Subject Alternative Name, Match Client Certificate Against Certificate in Identity Store = never
32. Administration>Identity Management>Identity Source Sequences and click Add. Name it ALL_IDENTITIES and include all of the identity stores
33. Administration>System>Certificates>Certificate Authority>External CA Settings and click Add
34. In the following page, provide a name for the profile as well as link to the SCEP server. By default, the URL should be http://CA-ip-address/certsrv/mscep/mscep.dll
35. Administration>System>Certificates>Certificate Authority>Certificate Templates and click Add
36. The name of the template must be the same name of the BYOD certificate template in the Active Directory Certificate Authority, BYOD. In the drop-down for SCEP RA profile, use the SCEP profile just created. Check the box for Server and Client Authentication and click Save
37. Administration>System>Deployment. Click on the hostname ISE node. Check the following boxes on this page to enable this node for pxGrid: Enable SXP Service, Enable Device Admin Service, Enable Identity Mapping, Pxgrid, Enable ThreatCentric NAC Service
38. Administration>Identity Mapping>AD Domain Controllers click ADD
39. Add the Display name, Domain FQDN, AD Host FQDN, and the username/password created in step 48 of the Windows configuration section. Operations>RADIUS Livelog to verify users are getting logged.
40. Administration>Pxgrid Services and click on the Enabled Auto-Registration link on the top right-hand corner.
41. Administration>System>Deployment and click on the hostname of your PSN. Navigate to the Profiling Configuration. Enable the probes to be used for profiling etc. Common ones are DHCP, HTTP, RADIUS, DNS, SNMP Query, SNMP Trap, Active Directory Probe
42. Administration>System>Maintenance>Repository page, click Add to add a new TFTP, SFTP, FTP, etc server to store files
43. Administration>System>Backup & Restore to add a backup schedule
44. If customized portal pages etc. are needed, navigate to https://isepb.cisco.com/#/ to create a custom portal. Install the Firefox plugin following the instructions on the linked page
45. Administration>System>Admin Access>Settings>Portal Customization and change the radio dial to Enable Portal Customization with HTML and JavaScript and click Save
46. Administration>System>Admin Access>Authentication and in the Identity Source drop-down, choose your AD server and click Save
47. Administration>System>Admin Access>Administrators>Admin Groups and choose to create a new group. Check the box for External and in the External Groups drop-down, choose the Domain Admins group (or whatever other group you prefer). Click Submit
48. Administrator>System>Admin Access>Authorization>Policy
49. Click the gear sign next to any policy and choose Insert Policy. Name the policy. Under the Admin Group field, choose the policy you just created and the appropriate permissions under the Permissions field. Ex. Domain Admins group access as a Super-Admin to give anyone part of that AD group full access to ISE
50. Administration>System>Settings>Profiling and make sure that the CoA Type drop-down is set to Reauth. Change the SNMP string to the string used in the environment
51. Administration>System>Settings>Protocols>RADIUS and uncheck the Suppress Anomalous Clients box
52. Administration>System>Settings>Policy Sets and choose the radio button for Enabled
53. Administration>System>Settings>SMTP Server and add the SMTP server
54. Administration>System>Settings>Client Provisioning and choose enable on the Enable Automatic Download drop-down
55. Administration>System>Settings>Posture>Updates and check the box next to Automatically check for updates starting from initial delay and click Save
56. Administration>Feed Service and check the box next to Enable Profiler Feed Service. Click Save