Cisco ISE 1.3 User Guide
show repository repository_name

where repository_name is the name of the repository that you have created. If the path that you provided while creating the repository does not exist, you get the following error: % Invalid Directory.

Note: Run an on-demand backup or schedule a backup.

On-Demand and Scheduled Backups

Cisco ISE provides on-demand backups of the Primary PAN and the primary Monitoring node. Perform an on-demand backup when you want to back up data immediately.

Cisco ISE also allows you to schedule system-level backups that run once, daily, weekly, or monthly. Because backup operations can be lengthy, you can schedule them so that they are not a disruption. You can schedule a backup from the Cisco ISE Admin portal.

Note: If you upgrade to Cisco ISE, Release 1.2, the scheduled backup jobs need to be recreated.

Related Topics: Maintenance Settings, on page 708

Perform an On-Demand Backup

You can perform an on-demand backup to instantly back up the configuration or monitoring (operational) data. The restore operation restores Cisco ISE to the configuration state that existed at the time the backup was obtained.

Cisco Identity Services Engine Administrator Guide, Release 1.3
Important: When you perform a backup and restore, the restore overwrites the list of trusted certificates on the target system with the list of certificates from the source system. It is critically important to note that the backup and restore functions do not include the private keys associated with the internal Certificate Authority (CA) certificates.

If you are performing a backup and restore from one system to another, you will have to choose one of these options to avoid errors:

• Option 1: Export the CA certificates from the source node through the CLI and import them into the target system through the CLI.
  Pros: Any certificates issued to endpoints from the source system will continue to be trusted. Any new certificates issued by the target system will be signed by the same keys.
  Cons: Any certificates that have been issued by the target system prior to the restore will not be trusted and will need to be re-issued.

• Option 2: After the restore process, generate all new certificates for the internal CA.
  Pros: This option is the recommended and clean method, where neither the original source certificates nor the original target certificates will be used. Certificates issued by the original source system will continue to be trusted.
  Cons: Any certificates that have been issued by the target system prior to the restore will not be trusted and will need to be re-issued.

Before You Begin

• Before you perform this task, you should have a basic understanding of the backup data types in Cisco ISE.
• Ensure that you have created repositories for storing the backup file.
• Do not back up using a local repository. You cannot back up the monitoring data in the local repository of a remote Monitoring node.
• Ensure that you perform all certificate-related changes before you obtain the backup.
• To perform the following task, you must be a Super Admin or System Admin.

Note: For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because either these repository types are read-only or the protocol does not support file listing. To restore a backup, choose the repository and click Restore.
Procedure

Step 1 Choose Administration > System > Backup and Restore.
Step 2 Click Backup Now.
Step 3 Enter the values as required to perform a backup.
Step 4 Click OK.
Step 5 Verify that the backup completed successfully.

Cisco ISE appends the backup file name with a timestamp and stores the file in the specified repository. In addition to the timestamp, Cisco ISE adds a CFG tag for configuration backups and an OPS tag for operational backups. Ensure that the backup file exists in the specified repository.

In a distributed deployment, do not change the role of a node or promote a node while the backup is running. Changing node roles shuts down all the processes and might cause some inconsistency in data if a backup is running concurrently. Wait for the backup to complete before you make any node role changes.

Note: High CPU usage might be observed and a High Load Average alarm might be seen while the backup is running. CPU usage returns to normal when the backup is complete.

Related Topics: Cisco ISE Restore Operation, on page 220; Export Authentication and Authorization Policy Configuration, on page 226

Schedule a Backup

You can schedule a backup of the configuration or monitoring (operational) data to run once, daily, weekly, or monthly. The restore operation restores Cisco ISE to the configuration state that existed at the time the backup was obtained.
Important: The certificate considerations described under Perform an On-Demand Backup apply to scheduled backups as well: the restore overwrites the list of trusted certificates on the target system with the list from the source system, and the backup and restore functions do not include the private keys associated with the internal CA certificates. When restoring from one system to another, either export the CA certificates from the source node through the CLI and import them into the target system (Option 1), or generate all new certificates for the internal CA after the restore (Option 2, the recommended method).

Before You Begin

• Before you perform this task, you should have a basic understanding of the backup data types in Cisco ISE.
• Ensure that you have configured repositories.
• Do not back up using a local repository. You cannot back up the monitoring data in the local repository of a remote Monitoring node.
• To perform the following task, you must be a Super Admin or System Admin.
• If you have upgraded to Cisco ISE 1.2 from Cisco ISE 1.1 or earlier releases, you should reconfigure your scheduled backups. See the Known Upgrade Issues section in the Cisco Identity Services Engine Upgrade Guide, Release 1.2.

Note: For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because either these repository types are read-only or the protocol does not support file listing.
Procedure

Step 1 Choose Administration > System > Backup and Restore.
Step 2 Click Create to schedule a Configuration or an Operational backup.
Step 3 Enter the values as required to schedule a backup.
Step 4 Click Save to schedule the backup.
Step 5 Click the Refresh link at the top of this page to see the scheduled backup list.

You can create only one schedule at a time for a Configuration or Operational backup. You can enable or disable a scheduled backup, but you cannot delete it.

Backup Using the CLI

Although you can schedule backups both from the CLI and the GUI, it is recommended that you use the GUI for better options. However, you can perform an Operational backup on the secondary Monitoring node only from the CLI.

Backup History

Backup history provides basic information about scheduled and on-demand backups. It lists the name of the backup, the backup file size, the repository where the backup is stored, and a timestamp that indicates when the backup was obtained. This information is available in the Operations Audit report and on the Backup and Restore page in the History table.

For failed backups, Cisco ISE triggers an alarm. The backup history page provides the failure reason. The failure reason is also cited in the Operations Audit report. If the failure reason is missing or is not clear, you can run the backup-logs command from the Cisco ISE CLI and look at the ADE.log for more information.

While the backup operation is in progress, you can use the show backup status CLI command to check the progress of the backup operation.

Backup history is stored along with the Cisco ADE operating system configuration data. It remains there even after an application upgrade and is removed only when you reimage the PAN.

Backup Failures

If a backup fails, check the following:

• Make sure that no other backup is running at the same time.
• Check the available disk space for the configured repository.
  ◦ A monitoring (operational) backup fails if the monitoring data takes up more than 75% of the allocated monitoring database size. For example, if your Monitoring node is allocated 600 GB, and the monitoring data takes up more than 450 GB of storage, then the monitoring backup fails.
  ◦ If the database disk usage is greater than 90%, a purge occurs to bring the database size to less than or equal to 75% of its allocated size.
• Verify whether a purge is in progress. Backup and restore operations do not work while a purge is in progress.
• Verify that the repository is configured correctly.

Cisco ISE Restore Operation

You can restore configuration data on a primary or standalone Administration node. After you restore data on the Primary PAN, you must manually synchronize the secondary nodes with the Primary PAN.

The process for restoring the operational data is different depending on the type of deployment.

Note: The new backup/restore user interface in Cisco ISE makes use of metadata in the backup file name. Therefore, after a backup completes, do not modify the backup file name manually. If you manually modify the backup file name, the Cisco ISE backup/restore user interface will not be able to recognize the backup file. If you have to modify the backup file name, use the Cisco ISE CLI to restore the backup.

Guidelines for Data Restoration

Following are guidelines to follow when you restore Cisco ISE backup data.

• Cisco ISE allows you to obtain a backup from an ISE node (A) and restore it on another ISE node (B), both having the same host name (but different IP addresses). However, after you restore the backup on node B, do not change the host name of node B because it might cause issues with certificates and portal group tags.
• If you obtain a backup from the Primary PAN in one time zone and try to restore it on another Cisco ISE node in another time zone, the restore process might fail. This failure happens if the timestamp in the backup file is later than the system time on the Cisco ISE node on which the backup is restored. If you restore the same backup a day after it was obtained, then the timestamp in the backup file is in the past and the restore process succeeds.
• When you restore a backup on the Primary PAN with a different host name than the one from which the backup was obtained, the Primary PAN becomes a standalone node. The deployment is broken and the secondary nodes become nonfunctional. You must make the standalone node the primary node, reset the configuration on the secondary nodes, and reregister them with the primary node. To reset the configuration on Cisco ISE nodes, enter the following command from the Cisco ISE CLI:
  ◦ application reset-config ise
• We recommend that you do not change the system time zone after the initial Cisco ISE installation and setup.
• If you changed the certificate configuration on one or more nodes in your deployment, you must obtain another backup to restore the data from the standalone Cisco ISE node or Primary PAN. Otherwise, if you try to restore data using an older backup, the communication between the nodes might fail.
• After you restore the configuration backup on the Primary PAN, you can import the Cisco ISE CA certificates and keys that you exported earlier.
  Note: If you did not export the Cisco ISE CA certificates and keys, then after you restore the configuration backup on the Primary PAN, generate the root CA and subordinate CAs on the Primary PAN and Policy Service Nodes (PSNs).
• You need a data repository, which is the location where Cisco ISE saves your backup file. You must create a repository before you can run an on-demand or scheduled backup.
• If you have a standalone Administration node that fails, you must run the configuration backup to restore it. If the Primary PAN fails, you can use the distributed setup to promote your Secondary Administration Node to become the primary. You can then restore data on the Primary PAN after it comes up.

Note: Cisco ISE also provides the backup-logs CLI command that you can use to collect log and configuration files for troubleshooting purposes.

Restoration of Configuration or Monitoring (Operational) Backup from the CLI

To restore configuration data through the Cisco ISE CLI, use the restore command in EXEC mode. Use the following command to restore data from a configuration or operational backup:

    restore filename repository repository-name encryption-key {hash | plain} encryption-key-name include-adeos

Syntax Description

restore
  Type this command to restore data from a configuration or operational backup.
filename
  Name of the backed-up file that resides in the repository. Supports up to 120 alphanumeric characters.
  Note: You must add the .tar.gpg extension after the file name (for example, myfile.tar.gpg).
repository
  Specifies the repository that contains the backup.
repository-name
  Name of the repository you want to restore the backup from.
encryption-key
  (Optional) Specifies a user-defined encryption key to restore the backup.
hash
  Hashed encryption key for restoring the backup. Specifies an encrypted (hashed) encryption key that follows. Supports up to 40 characters.
plain
  Plaintext encryption key for restoring the backup. Specifies an unencrypted plaintext encryption key that follows. Supports up to 15 characters.
encryption-key-name
  Enter the encryption key.
include-adeos
  (Optional, applicable only for a configuration backup) Enter this command operator parameter if you want to restore the ADE-OS configuration from a configuration backup. When you restore a configuration backup, if you do not include this parameter, Cisco ISE restores only the Cisco ISE application configuration data.

Defaults

No default behavior or values.

Command Modes

EXEC

Usage Guidelines

When you use restore commands in Cisco ISE, the Cisco ISE server restarts automatically.

The encryption key is optional while restoring data. To support restoring earlier backups where you have not provided encryption keys, you can use the restore command without the encryption key.

Examples

    ise/admin# restore mybackup-100818-1502.tar.gpg repository myrepository encryption-key plain Lab12345
    Restore may require a restart of application services. Continue? (yes/no) [yes] ? yes
    Initiating restore. Please wait...
    ISE application restore is in progress.
    This process could take several minutes. Please wait...
    Stopping ISE Application Server...
    Stopping ISE Monitoring & Troubleshooting Log Processor...
    Stopping ISE Monitoring & Troubleshooting Log Collector...
    Stopping ISE Monitoring & Troubleshooting Alert Process...
    Stopping ISE Monitoring & Troubleshooting Session Database...
    Stopping ISE Database processes...
    Starting ISE Database processes...
    Starting ISE Monitoring & Troubleshooting Session Database...
    Starting ISE Application Server...
    Starting ISE Monitoring & Troubleshooting Alert Process...
    Starting ISE Monitoring & Troubleshooting Log Collector...
    Starting ISE Monitoring & Troubleshooting Log Processor...
    Note: ISE Processes are initializing. Use 'show application status ise'
          CLI to verify all processes are in running state.
    ise/admin#

Related Commands

backup
  Performs a backup (Cisco ISE and Cisco ADE OS) and places the backup in a repository.
backup-logs
  Backs up system logs.
repository
  Enters the repository submode for configuration of backups.
show repository
  Displays the available backup files located on a specific repository.
show backup history
  Displays the backup history of the system.
show backup status
  Displays the status of the backup operation.
show restore status
  Displays the status of the restore operation.

If the sync status and replication status after application restore for any secondary node is Out of Sync, you have to reimport the certificate of that secondary node to the Primary PAN and perform a manual synchronization.

Restore Configuration Backups from the GUI

You can restore a configuration backup from the Admin portal. The GUI lists only the backups that are taken from the current release. To restore backups that are prior to this release, use the restore command from the CLI.

Procedure

Step 1 Choose Administration > System > Backup and Restore.
Step 2 Select the name of the backup from the list of Configurational backups and click Restore.
Step 3 Enter the Encryption Key used during the backup.
Step 4 Click Restore.

What to Do Next

If you are using the Cisco ISE CA service, you must:

1. Regenerate the entire Cisco ISE CA root chain.
2. Obtain a backup of the Cisco ISE CA certificates and keys from the Primary PAN and restore it on the Secondary PAN. This ensures that the Secondary PAN can function as the root CA or subordinate CA of an external PKI in case of a Primary PAN failure and you promote the Secondary PAN to be the Primary PAN.

Restoration of Monitoring Database

The process for restoring the Monitoring database is different depending on the type of deployment. The following sections explain how to restore the Monitoring database in standalone and distributed deployments.

You must use the CLI to restore an on-demand Monitoring database backup from previous releases of Cisco ISE. Restoring a scheduled backup across Cisco ISE releases is not supported.
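The following Python script is an added example and is not part of the Cisco guide. It applies the rules above before an administrator types a configuration or operational restore command: it reads the CFG/OPS tag and the timestamp that Cisco ISE appends to the backup file name, rejects a file that has been renamed (which the GUI would no longer recognize), flags a backup whose timestamp is ahead of the target node's clock (the time-zone failure described in the restoration guidelines), and enforces the 120-character file-name, 15-character plain-key and 40-character hashed-key limits of the restore command before assembling the command line. The file-name layout <name>[-CFG|-OPS]-yymmdd-hhmm.tar.gpg is inferred from the guide's own example mybackup-100818-1502.tar.gpg and is an assumption, as are the repository listing and node clock that the script constructs; check both against your own `show repository` output before relying on it.

```python
"""Pre-restore sanity checks for Cisco ISE backup files.

Added example, not code from the Cisco guide. Assumptions, because the page
does not spell them out:
- File names are hyphen separated: <name>[-CFG|-OPS]-<yymmdd>-<hhmm>.tar.gpg.
  The page's own example, mybackup-100818-1502.tar.gpg, carries no tag, so the
  tag is optional here.
- The repository is modelled as a list of file names (what `show repository`
  prints) and the target node's clock is passed in as a naive local datetime.
"""
import re
from datetime import datetime

FILENAME_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_-]+?)"         # administrator-supplied backup name
    r"(?:-(?P<tag>CFG|OPS))?"             # CFG = configuration, OPS = operational
    r"-(?P<date>\d{6})-(?P<time>\d{4})"   # timestamp appended by ISE (assumed yymmdd-hhmm)
    r"\.tar\.gpg$"                        # extension the restore command requires
)
KIND = {"CFG": "configuration", "OPS": "operational", None: None}


def node_clock(stamp):
    """Parse a 'yymmdd-hhmm' string as a naive local datetime (a node's clock)."""
    return datetime.strptime(stamp, "%y%m%d-%H%M")


def parse_backup_filename(filename):
    """Return the metadata ISE encodes in a backup file name.

    Raises ValueError for names that do not follow the pattern, which is what a
    manually renamed backup looks like to the backup/restore user interface.
    """
    m = FILENAME_RE.match(filename)
    if m is None:
        raise ValueError(f"{filename!r} does not match <name>[-CFG|-OPS]-yymmdd-hhmm.tar.gpg")
    return {
        "name": m["name"],
        "kind": KIND[m["tag"]],
        "timestamp": node_clock(m["date"] + "-" + m["time"]),
    }


def check_restore_candidate(filename, expected_kind, node_now, repository_listing):
    """Return the reasons a restore is likely to fail; an empty list means go ahead."""
    problems = []
    if len(filename) > 120:
        problems.append("file name is longer than the 120 characters the restore command accepts")
    if filename not in repository_listing:
        problems.append("file is not in the repository listing; check `show repository`")
    try:
        meta = parse_backup_filename(filename)
    except ValueError as err:
        problems.append(f"{err}; a renamed backup can only be restored from the CLI")
        return problems
    if meta["kind"] is not None and meta["kind"] != expected_kind:
        problems.append(f"file is a {meta['kind']} backup but a {expected_kind} restore was requested")
    if meta["timestamp"] > node_now:
        wait = meta["timestamp"] - node_now
        problems.append(
            f"backup timestamp {meta['timestamp']:%Y-%m-%d %H:%M} is ahead of the target "
            f"node's clock by {wait}; restore may fail until the node's clock passes it"
        )
    return problems


def restore_command(filename, repository, key=None, hashed=False, include_adeos=False):
    """Build the EXEC-mode `restore` line with the documented length limits enforced."""
    if not filename.endswith(".tar.gpg"):
        raise ValueError("the restore command requires the .tar.gpg extension")
    parts = ["restore", filename, "repository", repository]
    if key is not None:
        mode, limit = ("hash", 40) if hashed else ("plain", 15)
        if len(key) > limit:
            raise ValueError(f"{mode} encryption key is limited to {limit} characters")
        parts += ["encryption-key", mode, key]
    if include_adeos:
        # include-adeos is documented for configuration backups only.
        if parse_backup_filename(filename)["kind"] == "operational":
            raise ValueError("include-adeos applies only to configuration backups")
        parts.append("include-adeos")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed repository listing and node clock, not real ISE output.
    listing = ["nightly-CFG-150412-0230.tar.gpg", "nightly-OPS-150412-0300.tar.gpg",
               "mybackup-100818-1502.tar.gpg"]
    now = node_clock("150412-0245")   # target node sits 15 minutes behind the OPS file's stamp
    for name in listing:
        print(name, "->", check_restore_candidate(name, "configuration", now, listing) or "ok")
    print(restore_command("nightly-CFG-150412-0230.tar.gpg", "myrepository",
                          key="Lab12345", include_adeos=True))
```

Feed it the file names from `show repository` on the target node and that node's current local time; a non-empty problem list is the cue to wait, pick the other backup type, or fall back to the CLI restore rather than discovering the failure after the application services have already been stopped.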
Note: If you attempt to restore data to a node other than the one from which the data was taken, you must configure the logging target settings to point to the new node. This ensures that the monitoring syslogs are sent to the correct node.

Restore a Monitoring (Operational) Backup in a Standalone Environment

The GUI lists only the backups that are taken from the current release. To restore backups that were obtained from earlier releases, use the restore command from the CLI.

Before You Begin

• Purge the old monitoring data.
• Schedule a backup or perform an on-demand backup.

Procedure

Step 1 Choose Administration > System > Backup and Restore.
Step 2 Select the name of the backup from the list of Operational backups and click Restore.
Step 3 Enter the Encryption Key used during the backup.
Step 4 Click Restore.

Restore a Monitoring Backup with Administration and Monitor Personas

You can restore a Monitoring backup in a distributed environment with Administration and Monitor personas.

Before You Begin

• Purge the old monitoring data.
• Schedule a backup or perform an on-demand backup.

Procedure

Step 1 Prepare to promote another Cisco ISE node as the PAN by synchronizing the node with the existing primary node that you want to back up.
  This ensures that the configuration of the Cisco ISE node you are going to promote is up to date.
Step 2 Promote the newly synced Administration node to primary status.
Step 3 Prepare to deregister the node to be backed up by assigning the Monitoring persona to another node in the deployment.
  A deployment must have at least one functioning Monitoring node.