CCIE Security Lab: ISE-berg ahead! (Part one).


I know I have not devoted enough time to this learning as I need to. Work's been a bit busy with PCI audits, the new book has been published (CCNA and Beyond, not the Multicast one..), and it's been hard to find the time.

But I have a renewed interest, and this is down to picking up this book:


It's proving to be a great book so far. Even though I am less than 100 pages in, it's got some really good real-world tips and it's well written; the pictures are a little small at times, but it is a good read. Well worth picking up from Amazon! So click on the picture and buy it, it's very good!

I have rolled out ISE 2.0 (although I think the CCIE lab uses 1.4), and the first step is to change the IP address:
ISE20/admin# sh run
!        
hostname ISE20
!        
ip domain-name lab.local
!        
interface GigabitEthernet 0
  ip address 192.168.90.205 255.255.255.0
  ipv6 address autoconfig
  ipv6 enable
!        
ip name-server 8.8.8.8  
!        
ip default-gateway 192.168.90.1
!        
ISE20/admin# conf t
ISE20/admin(config)# int gi 0
ISE20/admin(config-GigabitEthernet)# ip add 10.1.4.153 255.255.255.0

% Changing the IP address might cause ISE services to restart 
Continue with IP address change?  Y/N [N]: Y
Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...
ISE Identity Mapping Service is disabled
ISE pxGrid processes are disabled
Stopping ISE Application Server...
ISE Certificate Authority Service is disabled
ISE Sxp Engine Service is disabled
Stopping ISE Profiler Database...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...

Error: Database listener not reachable! Reached timeout of 240 seconds


ISE20/admin(config-GigabitEthernet)# 
ISE20/admin(config-GigabitEthernet)# 
ISE20/admin(config-GigabitEthernet)# 
ISE20/admin(config-GigabitEthernet)# do sh run
!        
interface GigabitEthernet 0
  ip address 10.1.4.153 255.255.255.0
  ipv6 address autoconfig
  ipv6 enable
!        
ip name-server 8.8.8.8  
!        
ip default-gateway 192.168.90.1
!        
ISE20/admin(config-GigabitEthernet)# exi
ISE20/admin(config)# no ip default-gateway 192.168.90.1
ISE20/admin(config)# ip default-gateway 10.1.4.254
ISE20/admin(config)# do ping 10.1.4.254
PING 10.1.4.254 (10.1.4.254) 56(84) bytes of data.
64 bytes from 10.1.4.254: icmp_seq=1 ttl=255 time=11.6 ms
64 bytes from 10.1.4.254: icmp_seq=2 ttl=255 time=7.04 ms
64 bytes from 10.1.4.254: icmp_seq=3 ttl=255 time=8.79 ms
64 bytes from 10.1.4.254: icmp_seq=4 ttl=255 time=8.00 ms

--- 10.1.4.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3013ms
rtt min/avg/max/mdev = 7.044/8.875/11.663/1.728 ms

ISE20/admin(config)# end
ISE20/admin# copy run start
Generating configuration...
ISE20/admin# sh app stat ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          12147       
Database Server                        running          24 PROCESSES
Application Server                     not running                  
Profiler Database                      not running                  
AD Connector                           not running                  
M&T Session Database                   not running                  
M&T Log Collector                      not running                  
M&T Log Processor                      not running                  
Certificate Authority Service          disabled                     
SXP Engine Service                     disabled                     
pxGrid Infrastructure Service          disabled                     
pxGrid Publisher Subscriber Service    disabled                     
pxGrid Connection Manager              disabled                     
pxGrid Controller                      disabled                     
Identity Mapping Service               disabled                     
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 128 GB 

ISE20/admin#
ISE20/admin#
ISE20/admin# app start ise
ISE Database processes already running, PID: 12147
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Profiler Database...
Starting ISE Application Server...
Starting ISE Monitoring & Troubleshooting Log Processor...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE AD Connector...
Note: ISE Processes are initializing. Use 'show application status ise'
      CLI to verify all processes are in running state. 

ISE20/admin# sh app stat ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          12147       
Database Server                        running          35 PROCESSES
Application Server                     initializing                 
Profiler Database                      running          20877       
AD Connector                           running          22676       
M&T Session Database                   running          20790       
M&T Log Collector                      running          22573       
M&T Log Processor                      running          22524       
Certificate Authority Service          disabled                     
SXP Engine Service                     disabled                     
pxGrid Infrastructure Service          disabled                     
pxGrid Publisher Subscriber Service    disabled                     
pxGrid Connection Manager              disabled                     
pxGrid Controller                      disabled                     
Identity Mapping Service               disabled                     
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 128 GB 

ISE20/admin#
ISE20/admin# sh app stat ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          12147       
Database Server                        running          43 PROCESSES
Application Server                     running          22485       
Profiler Database                      running          20877       
AD Connector                           running          22676       
M&T Session Database                   running          20790       
M&T Log Collector                      running          22573       
M&T Log Processor                      running          22524       
Certificate Authority Service          disabled                     
SXP Engine Service                     disabled                     
pxGrid Infrastructure Service          disabled                     
pxGrid Publisher Subscriber Service    disabled                     
pxGrid Connection Manager              disabled                     
pxGrid Controller                      disabled                     
Identity Mapping Service               disabled                     
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 128 GB 

ISE20/admin# 
It does take a while to get everything up and running (mainly the application server), but once it's up, we *should* have access:

Cisco ISE 403 error

The logs are plentiful, and full of crap about Java. I hate Java, it sucks. So, I guess I will have to rebuild, and just accept the default IP address it comes with, and set up a new VLAN...
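The address change above left the ADE-OS default gateway (192.168.90.1) on the old subnet until it was corrected by hand, which is why the first ping only worked after the gateway was replaced. As an added example that is not part of the post, a small checker that parses the relevant lines of an ISE `show running-config` and flags an address/gateway pair that cannot work; the sample config is constructed from the post's values.

```python
import ipaddress
import re

# Constructed sample (modelled on the post, not copied verbatim): the ADE-OS
# running config right after the address change, old default gateway still set.
SAMPLE_RUN = """\
interface GigabitEthernet 0
  ip address 10.1.4.153 255.255.255.0
  ipv6 address autoconfig
  ipv6 enable
!
ip name-server 8.8.8.8
!
ip default-gateway 192.168.90.1
!
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
GW_RE = re.compile(r"^\s*ip default-gateway (\S+)\s*$")

def parse_ade_run(text):
    """Return (Gig 0 address as IPv4Interface, default gateway as IPv4Address); None if absent."""
    addr = gw = None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            # ipaddress accepts the dotted-mask form that ADE-OS prints
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = GW_RE.match(line)
        if m:
            gw = ipaddress.IPv4Address(m.group(1))
    return addr, gw

def gateway_problems(text):
    """Return a list of problems with the address/gateway pair; empty means consistent."""
    addr, gw = parse_ade_run(text)
    if addr is None or gw is None:
        return ["missing 'ip address' or 'ip default-gateway' line"]
    net = addr.network
    problems = []
    if gw not in net:
        problems.append(f"default gateway {gw} is outside {net}")
    elif gw == addr.ip:
        problems.append(f"default gateway {gw} is the interface's own address")
    if addr.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{addr.ip} is the network or broadcast address of {net}")
    return problems
```

Run it against the output of `show running-config` before `copy run start` and the mismatch shows up before any ISE services have to restart.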

A little while later, and it's back up and running. With this configuration:
ISE20/admin# sh run
hostname ISE20
!        
ip domain-name lab.local
!        
interface GigabitEthernet 0
  ip address 192.168.90.205 255.255.255.0
  ipv6 address autoconfig
  ipv6 enable
!        
ip name-server 8.8.8.8  
!        
ip default-gateway 192.168.90.1
!        
ISE20/admin#
So, I need to add a new VLAN, VLAN interfaces, etc. Yeah, I know, troubleshooting would have been a better way of learning, but I just want to get on and play!
SW3#vtp primary 
This system is becoming primary server for feature vlan 
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
SW3#
SW3#
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 5000.0010.0000 has become the primary server for the VLAN VTP feature
SW3#
SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#vlan 90
SW3(config-vlan)#
SW3(config-vlan)#name ISE_VLAN
SW3(config-vlan)#
SW3(config-vlan)#exit

SW1(config)#interface Vlan90
SW1(config-if)# ip address 192.168.90.1 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#

SW4(config)#int gi 1/2
SW4(config-if)#swi acc vl 90
SW4(config-if)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi1/0, Gi1/1
4    Management                       active    Gi1/3
7    DMZ                              active    
9    Phones                           active    
11   Switch-MGMT                      active    
12   Junk_VLAN                        active    
20   Users-1                          active    
21   Users-2                          active    
55   Failover                         active    
90   ISE_VLAN                         active    Gi1/2
99   Data-Phone                       active             
SW4(config-if)#

ISE20/admin# ping 192.168.90.1
% Error: connect: Network is unreachable
ISE20/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ISE20/admin(config)# int gi 0
ISE20/admin(config-GigabitEthernet)# no shut
ISE20/admin(config-GigabitEthernet)# end
ISE20/admin# ping 192.168.90.1
PING 192.168.90.1 (192.168.90.1) 56(84) bytes of data.
64 bytes from 192.168.90.1: icmp_seq=1 ttl=255 time=2.61 ms
64 bytes from 192.168.90.1: icmp_seq=2 ttl=255 time=3.16 ms
64 bytes from 192.168.90.1: icmp_seq=3 ttl=255 time=2.68 ms
64 bytes from 192.168.90.1: icmp_seq=4 ttl=255 time=2.98 ms

--- 192.168.90.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 2.612/2.862/3.169/0.235 ms

ISE20/admin# 
Note that I gave each of the other switches a VLAN 90 interface, and IP address (192.168.90.2 for SW2 and so on). We can now ping it from the Windows host:

Pinging the Cisco ISE

We can't get to the interface, but this is because the application has not started properly:
ISE20/admin# sh app stat ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          2774        
Database Server                        running          27 PROCESSES
Application Server                     not running                  
Profiler Database                      not running                  
AD Connector                           not running                  
M&T Session Database                   running          2265        
M&T Log Collector                      not running                  
M&T Log Processor                      not running                  
Certificate Authority Service          disabled                     
SXP Engine Service                     disabled                     
pxGrid Infrastructure Service          disabled                     
pxGrid Publisher Subscriber Service    disabled                     
pxGrid Connection Manager              disabled                     
pxGrid Controller                      disabled                     
Identity Mapping Service               disabled                     
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 128 GB 

ISE20/admin# app start ise

ISE Database processes already running, PID: 2774
ISE M&T Session Database is already running, PID: 2265
Starting ISE Profiler Database...
Starting ISE Application Server...
Starting ISE Monitoring & Troubleshooting Log Processor...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE AD Connector...
Note: ISE Processes are initializing. Use 'show application status ise'
      CLI to verify all processes are in running state. 

ISE20/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          2774        
Database Server                        running          36 PROCESSES
Application Server                     initializing                 
Profiler Database                      running          11371       
AD Connector                           running          13165       
M&T Session Database                   running          2265        
M&T Log Collector                      running          13069       
M&T Log Processor                      running          13020       
Certificate Authority Service          disabled                     
SXP Engine Service                     disabled                     
pxGrid Infrastructure Service          disabled                     
pxGrid Publisher Subscriber Service    disabled                     
pxGrid Connection Manager              disabled                     
pxGrid Controller                      disabled                     
Identity Mapping Service               disabled                     
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 128 GB 

ISE20/admin#

ISE20/admin# sh app stat ise | i Application
Application Server                     initializing                 
ISE20/admin# sh app stat ise | i Application
Application Server                     initializing                 
ISE20/admin# sh app stat ise | i Application
Application Server                     initializing                 
ISE20/admin# sh app stat ise | i Application
Application Server                     running          12983       
ISE20/admin# 
It takes quite a while for it to get up and running! Eventually (after A LOT of refreshing the browser), we start to get somewhere!
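Rather than re-running `sh app stat ise | i Application` by hand, the status table can be parsed and checked for every enabled process, not just the Application Server. This is an added example, not code from the post; the sample output is constructed from the post's status table, and in practice the text would come from the ISE CLI over SSH.

```python
import re

# Constructed sample, modelled on the 'show application status ise' output in the
# post while the Application Server was still initializing after 'app start ise'.
SAMPLE_STATUS = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2774
Database Server                        running          36 PROCESSES
Application Server                     initializing
Profiler Database                      running          11371
AD Connector                           running          13165
M&T Session Database                   running          2265
M&T Log Collector                      running          13069
M&T Log Processor                      running          13020
Certificate Authority Service          disabled
SXP Engine Service                     disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               disabled
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 128 GB
"""

# One table row: name, two or more spaces, state, then an optional PID or process count.
ROW_RE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<state>not running|running|initializing|disabled)\b\s*(?P<pid>.*?)\s*$"
)

def parse_status(text):
    """Map each ISE process name to (state, pid_or_note) parsed from the status table."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("ISE PROCESS NAME", "---", "%")):
            continue  # header, rule and the disk-size warnings are not rows
        m = ROW_RE.match(line)
        if m:
            procs[m.group("name")] = (m.group("state"), m.group("pid") or None)
    return procs

def readiness(text):
    """Return (ready, waiting): ready is True only when every enabled process is
    'running'; waiting lists those still 'initializing' or 'not running'.
    The admin GUI (the 403 seen earlier) needs the Application Server running."""
    waiting = [n for n, (st, _) in parse_status(text).items()
               if st not in ("running", "disabled")]
    return (not waiting, waiting)
```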

ISE login page

After logging in I get that sinking feeling, like the Titanic hitting the ISE-berg (geddit?).

ISE login errors

So I tried Chrome. Actually, I tried Chrome after updating UNL and the underlying OS to the latest versions, and rebooting everything. Naturally I needed to do a no shut on the ISE Gig0 interface and start the application again. It's all a bit frustrating really, but no one said that this was going to be easy.

Anyway, I finally seem to be getting somewhere:

ISE Setup page

Clicking on "Yes" hasn't brought up any setup pages though... But it does look nice when you get into it.


Basically this is a crap start, and a large number of hours feel like they have been wasted. The Service Provider track would have been so much easier, with vastly less time having to rebuild shit from the start. It does not help that I am tired and a bit grumpy. Had a really crap night, went to sleep at about 11, got woken up at about 3am, and ended up getting up at about 4:30am and went downstairs to read (the ISE book above).

But sometimes you gotta take the rough with the smooth, and accept that studying does have its pain-in-the-arse moments.

It's now just before 4pm in the afternoon and I am yawning my head off.

Anyway, in part 2 I will attempt to connect my 3750-X, and the Wifi, up to ISE and play around with some of the different options available - all cribbed from the ISE book at the top of this post, A: because it's a good book and B: because I am not feeling inventive enough to dive in.

Catch you soon, maybe once I am feeling a little brighter.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.
