install and setup ise 3.1 using zero touch provisioning (ztp)
TRANSCRIPT
Install and Setup ISE 3.1 using Zero TouchProvisioning (ZTP) Contents
IntroductionPrerequisitesRequirementsComponents UsedISE 3.1 Zero Touch Provisioning ZTP ISE Installation by VM user data ZTP ISE Installation by ISE configuration imageLimitations
Introduction
This document describes how to install and setup ISE by zero touch provisioning (ZTP) in ISE 3.1.
Contributed by Saravanan Manoharan, Security Consulting Engineer.
Prerequisites
Requirements
Cisco recommends that you have basic knowledge of these topics:
ISE●
VMware Virtual Machine●
Ubuntu●
Components Used
The information in this document is based on Cisco ISE Version 3.1.
The information in this document was created from the devices in a specific lab environment. All ofthe devices used in this document started with a cleared (default) configuration. If your network islive, ensure that you understand the potential impact of any command.
ISE 3.1 Zero Touch Provisioning
This Document explians the two options of ZTP in ISE 3.1
ZTP ISE Installation by VM user data 1.
ZTP ISE Installation by ISE configuration image2.
ZTP ISE Installation by VM user data
Note: This Method is supported only for ISE installation in Virtual Machines. This documentuses ESXi 6.7 and this method of ZTP ISE install by VM user data is supported only fromESXi 6.5 and above
Step 1. Deploy a new VM with ISE 3.1 OVA template.
Deploy a new VM and choose the 3.1 ISE OVA file
Enter the name of the VM●
Select the datastore●
Select Thick Provision●
Step 2. Add New Serial Port in the VM
Note: VM serial console is a mandatory to see any ISE installation logs.
Step 3. Create a configuration file
Enter the mandatory parameters such as hostname, IP address, IP netmask, IP default gateway,DNS domain, primary name server, NTP server, system timezone, SSH, username, andpassword. Optional parameters such as IPV6, patch, hot patch, services, and repository detailscan also be configured in the file.
hostname=ise31ztp
ipv4_addr=10.122.112.188
ipv4_mask=255.255.255.0
ipv4_default_gw=10.122.112.1
domain=csslab.com
primary_nameserver=10.122.111.5
secondary_nameserver=10.122.111.6
primary_ntpserver=10.122.1.1
secondary_ntpserver=10.122.112.1
timezone=America/New_York
ssh=true
username=admin
password=Iseisc00l
#Repository Configuration are optional
repository_name=csslab_FTP
repository_protocol=FTP
repository_server_name=10.122.109.4
repository_path=cisco/saramano
ers=true
openapi=true
pxgrid=true
pxGrid_Cloud=true
Step 4. Get the Encoded string for the configuration file
Use https://www.base64encode.org/ to encode the content in step 3.
Step 5. Enter the encoded string in the ISE VM user data
Copy the Encoded string from step 4, navigate to VM Options > Advanced > ConfigurationParameters > Edit Configuration > ADD Configuration params
Enter the new parameter guestinfo.ise.ztp and paste the copied encoded ZTP configurationstring under Value
Step 7. Verify the CLI and GUI access
After the setup complete, log in to the CLI with admin credentials and verify the configuration withshow running- configuration command
Now, verify the Web GUI access
ZTP ISE Installation by ISE configuration image
Note: The ZTP by .img file setup is supported in ISO/OVA installation in VM and physicalappliance
Create an ISE ZTP configuration image
The below steps 1-4 are performed in a ubuntu machine with root access
Step 1. Copy the script from the 3.1 guide
Copy the script without any modification from the ISE 3.1 ZTP guide
#!/bin/bash
###########################################################
# This script is used to generate ise ztp image with ztp
# configuration file.
#
# Need to pass ztp configuration file as input.
#
# Copyright (c) 2021 by Cisco Systems, Inc.
# All rights reserved.
# Note:
# To mount the image use below command
# mount ise_ztp_config.img /ztp
# To mount the image from cdrom
# mount -o ro /dev/sr1 /ztp
#############################################################
if [ -z "$1" ];then
echo "Usage:$0 <ise-ztp.conf> [out-ztp.img]"
exit 1
elif [ ! -f $1 ];then
echo "file $1 not exist"
exit 1
else
conf_file=$1
fi
if [ -z "$2" ] ;then
image=ise_config.img
else
image=$2
fi
mountpath=/tmp/ise_ztp
ztplabel=ISE-ZTP
rm -fr $mountpath
mkdir -p $mountpath
dd if=/dev/zero of=$image bs=1k count=1440 > /dev/null 2>&1
if [ `echo $?` -ne 0 ];then
echo "Image creation failed\n"
exit 1
fi
mkfs.ext4 $image -L $ztplabel -F > /dev/null 2>&1
mount -o rw,loop $image $mountpath
cp $conf_file $mountpath/ise-ztp.conf
sync
umount $mountpath
sleep 1
# Check for automount and unmount
automountpath=$(mount | grep $ztplabel | awk '{print $3}')
if [ -n "$automountpath" ];then
umount $automountpath
fi
echo "Image created $image"
Step 2. Make the script executable
Nano is used in this example to create the shell script (create_ztp_image.sh).
Make the above script executable. This script can be executed on RHEL, CentOS or Ubuntu
Step 3. Create an ISE ZTP configuration file
Enter the mandatory parameters such as hostname, IP address, IP netmask, IP default gateway,DNS domain, primary name server, NTP server, system timezone, SSH, username, andpassword. Optional parameters such as IPV6, patch, hot patch, services, and repository detailscan also be configured in the file.
hostname=ise31ztp_B
ipv4_addr=10.122.111.54
ipv4_mask=255.255.255.0
ipv4_default_gw=10.122.111.1
domain=csslab.com
primary_nameserver=10.122.111.5
secondary_nameserver=10.122.111.6
primary_ntpserver=10.122.1.1
secondary_ntpserver=10.122.111.1
timezone=America/New_York
ssh=true
username=admin
password=Iseisc00l
#Repository Configuration are optional
repository_name=csslab_FTP
repository_protocol=FTP
repository_server_name=10.122.109.4
repository_path=cisco/saramano
ers=true
openapi=true
pxgrid=true
pxGrid_Cloud=true
Note: The executable file and the above ZTP config file must be placed in the samedirectory.
Step 4. Create a ZTP configuration image file
Create the ZTP configuration image file by the command ./create_ztp_image.sh ise-ztp.confise31ztp.img
Step 5. Create and configure new ISE VM
Enter a VM name, select the storage
Add two CD/Drive device in the VM. Primary one is for the ISE ISO file and the second CD/DVDdrive is for used to mount ISE ZTP image file
After all the neccessary configuration, Power on the VM.
Step 6. Mount the ISO and ZTP Image
On the VM console, choose Removable devices and mount ISE 3.1 ISO on the Primary CD/DVDdrive
Now power off the VM and Power on again. The ISE software install would kick start. All thesubsequent steps are automatic and no manual intervention is needed at any point.
Access the VM serial console to view the ISE install logs. After the ISE software install, the setuptriggers automatically
Once the above setup is completed, the ISE application starts. Verify the show running-config bylog into the CLI and verify the web GUI access
Limitations
If the ping to the gateway, DNS or NTP fails, the ZTP process hangs.1.If the Firewall blocks the ICMP, ISE can’t be installed by ZTP.2.
In the Manual method you can say “No” in the case of a ping failure to the Gateway, DNS, NTP,etc, so the setup process continues. In ZTP, this is the limitation.
You need root access on the Linux server to create the ISE config image 3.Encrypted/hashed password in the key-value pair file for the ‘admin’ account is notsupported. It only supports the Plain password
4.