Introduction
Cisco Identity Services Engine (ISE) provides centralized policy management, identity verification, and access enforcement for network access control across your network. ISE can help whether you’re looking to enhance security through 802.1X authentication, streamline device management, or gain deeper visibility into who and what is on your network. In this blog post, we’ll walk you through installing Cisco ISE, ensuring you’re well-prepared to leverage its powerful features for securing and managing your network environment.
Getting the ISE software
Some of you might not have access to ISE software to install in your labs. I won’t encourage or guide you to illegally download it somewhere, nor would that be a safe option. Thankfully, Cisco offers a great way to get evaluation licenses and access to the software. The first step is to create your own Cisco account if you don’t already have one. Navigate to Cisco.com and click the Log in link on the top right-hand corner of the screen.
On the next screen, click the link for Sign up to create a new account.
Your new account may be put on a compliance hold. Don’t stress; that usually resolves in less than a day. After the compliance hold is up, we will apply for trial licenses. Sign into cisco.com and navigate to software.cisco.com. Once there, click on Access LRP under Traditional Licenses.
On the Product License Registration page, click on Get Licenses and choose Demo and evaluation… from the dropdown.
In the Get Demo and Evaluation Licenses window, choose Security Products>Identity Services Engine.
Click Next.
For an ISE evaluation, you don’t need licenses. You need access to the software to spin up a fresh install, which will grant you a 90-day evaluation for all features.
Strangely, the evaluation prompt expects you to know the serial number and product/version ID before downloading the software. This seems like a cart-before-the-horse situation since we haven’t yet accessed the software. Here is what you can fill in:
- Primary Product ID: ISE-VM-K9
- Primary Version ID: V01
- Primary Serial Number: Some-9-Digit-Number
Choose ISE-ADV-90-DAY-100-ENDPTS license and then click Next.
Click Submit on the next screen.
You should receive the licenses via email, but this is not important. You shouldn’t need to download anything as long as you have access to the ISE software.
Now, we can navigate to software.cisco.com/download/home and search for Identity Services Engine to get to the ISE download page. We should now be able to download ISE for our labbing pleasure.
Installing ISE
You can install ISE on a virtual machine in one of two ways:
- Deploying a pre-built OVA (recommended) – This is recommended because the resource reservations come already configured, sized for a small, medium, or large VM depending on the OVA you downloaded.
- Mounting the ISE install ISO and installing it manually – If you do it this way, read the ISE Installation Guide for the version you are installing to ensure all the VM settings are correct.
Whether you deploy the OVA or install manually from the ISO, you will come to the same screen where you are asked to enter a login. Type setup and press Enter.
You will be walked through the ISE application installation. During the setup, you will need to configure the following:
- Hostname – Make sure to add this VM and any other ISE VMs you spin up to DNS
- IP Address
- Netmask
- Default Gateway
- DNS Domain – I am pretty much using my Active Directory domain for this
- Nameserver – I would not recommend using an external DNS server. If you plan on integrating ISE into Active Directory, it needs to be a DNS server that has your SRV DNS records so ISE can find your domain controllers, so make sure it’s a trusted internal DNS server.
- NTP Server – Since time skews cause errors, be sure you sync it to an accurate NTP server
- Timezone
- Username – The default is admin.
- Password – This sets the admin password for both the CLI and the GUI, but only initially. If you change the GUI password at some point in the future, the CLI password will not be changed. You will have to sign into the CLI to change that password.
- Enable SSH service – Choose whether to enable the SSH service to allow remote administration of the CLI. I usually select Y for this one.
After you enter this information, ISE will bring up the network interface and attempt to contact the default gateway and nameserver. If that is successful, it will reboot once setup completes.
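A pre-flight check for the setup answers listed above, as an added example that is not part of the original post or any Cisco tooling: it confirms the default gateway is on the same subnet as the planned ISE address and flags a nameserver that is not an internal address. The lab values and the preflight helper are assumptions for illustration.

```python
import ipaddress
import re

# Constructed lab values (assumptions, not from the post); substitute the
# answers you plan to type at the ISE setup prompts.
PLAN = {
    "hostname": "ise01",
    "ip": "10.10.20.5",
    "netmask": "255.255.255.0",
    "gateway": "10.10.20.1",
    "dns_domain": "lab.example",
    "nameserver": "10.10.10.10",
}

# Generic DNS label rule (RFC 1123), not an ISE-specific limit.
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def preflight(plan):
    """Return a list of problems in the planned setup answers (empty = OK)."""
    problems = []
    labels = [plan["hostname"]] + plan["dns_domain"].split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        problems.append("hostname or DNS domain contains an invalid DNS label")
    try:
        iface = ipaddress.ip_interface(f"{plan['ip']}/{plan['netmask']}")
        gateway = ipaddress.ip_address(plan["gateway"])
        nameserver = ipaddress.ip_address(plan["nameserver"])
    except ValueError as exc:
        return problems + [f"unparseable address or netmask: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    # Setup probes the gateway, so it must be on-link and distinct from ISE.
    if gateway not in net or gateway == iface.ip:
        problems.append(f"gateway {gateway} is not a usable next hop in {net}")
    # The post recommends a trusted internal DNS server that holds the AD SRV
    # records; a public resolver address is flagged here.
    if not nameserver.is_private:
        problems.append(f"nameserver {nameserver} is not an internal address")
    return problems


if __name__ == "__main__":
    fqdn = f"{PLAN['hostname']}.{PLAN['dns_domain']}"
    issues = preflight(PLAN)
    print(f"{fqdn}: " + ("ready for setup" if not issues else "; ".join(issues)))
```

An empty result only means the answers are internally consistent; the forward DNS record for the hostname and the Active Directory SRV records still have to exist on the nameserver you chose.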
After the ISE application installs and the VM reboots, I would recommend doing a few sanity checks:
- Log in to the CLI and make sure that your credentials work
- Ensure that NTP is synchronized by issuing the show ntp command in the CLI
- Ensure that you can SSH to the ISE server. If you cannot, enable the service with the service sshd enable command
Note: NTP must be configured correctly. If it is not working correctly and the year/month skew is off, you might have to reinstall ISE to fix it.
Navigate to the ISE GUI by entering the IP address in your browser. I would recommend using Firefox, Chrome, or Edge for ISE.
You should initially receive a certificate error in the browser. That is due to ISE initially using a self-signed certificate for SSL. You may proceed to log in.
Navigate to Administration>System>Admin Access>Administrators>Admin Users.
Here, you can either create a new administrator or change the password for the default admin user for the GUI if you would like to have a separate password for the GUI.
Congratulations! You’ve now installed ISE!