[Day 5] Cisco ISE Mastery Training: Installing Cisco ISE in VMware ESXi / EVENG

[Day 5] Cisco ISE Mastery Training: Installing Cisco ISE in VMware ESXi / EVENG

Post Views: 142

Introduction

This session shows you how to deploy Cisco Identity Services Engine (ISE) in a lab environment using VMware ESXi (vSphere client) and EVE-NG. Installing ISE correctly matters because ISE is the enforcement and policy brain for NAC — mis-provisioned VMs, wrong disk types, or snapshot usage can break clustering, DB replication, or leave services in a degraded state. This workshop focuses on:

  • Pre-deployment checks and host configuration.
  • OVA (preferred) or ISO deployment flow on ESXi.
  • How to add ISE as a node in EVE-NG (ISO→qcow/ISO method).
  • The initial ISE setup wizard (console) and post-deploy validations (GUI + CLI).
  • Troubleshooting the common install pain points you’ll see in labs.

Problem Statement

In real networks:

  • ISE nodes are central — if an Admin node fails or a PSN is mis-installed, RADIUS/TACACS can break widely.
  • Common pain points during install: wrong VM sizing, unsupported snapshot/backup strategy, wrong NIC types, incorrect storage performance (IOPS) or thin provisioning, and DNS/NTP mismatches that cause AD join failures.

If you don’t follow proper install steps, you’ll waste hours debugging service start failures, AD-join problems, or replication faults. The goal of this lab is to install ISE in a repeatable, correct way so validation is quick and reliable.

Solution Overview

Correct installation practice prevents those issues:

  • Follow Cisco VM resource recommendations (vCPU, RAM, disk) and use recommended disk provisioning and storage IO guidelines.
  • Deploy using the OVA for ESXi (recommended). If using EVE-NG, upload the Cisco ISE ISO and register the node properly (rename to cdrom.iso).
  • Perform console initial setup (network, NTP, DNS, admin password) using the interactive setup tool — it’s one-time and required.
  • Validate via CLI & GUI: ping/DNS tests, show application status ise, and confirm the Admin GUI loads.

Load-bearing references (quick):

  • Cisco ISE VM & install requirements (OVA/ISO steps & storage I/O).
  • OVA import / ZTP notes for ESXi flows.
  • EVE-NG image upload and renaming steps. (eve-ng.net)
  • CLI verification: show application status ise / show version.

Sample Lab Topology

Goal: A single-node lab (PAN + PSN combined) for validation. For multi-node labs follow the same deploy steps for the other nodes and then join them together.

Components (VMware ESXi or EVE-NG):

  • ISE VM (single node for lab): 4 vCPU, 16 GB RAM, 300 GB (evaluation) – storage: thick provision recommended.
  • Windows Server 2019: Active Directory, DNS, DHCP (10.10.10.10)
  • CSR1000v: Router for Internet simulation / default gateway (10.10.10.1)
  • IOSv-L2 / Catalyst or physical switch: for wired port testing and RADIUS reachability
  • WLC (9800 or 5508 image / simulated) for WebAuth testing
  • Windows 10 client: wired test
  • Wi-Fi client (laptop): wireless test

IP summary (suggested):

  • Management network: 10.10.10.0/24
  • ISE: 10.10.10.5/24 (static)
  • AD/DNS: 10.10.10.10/24

Topology Layout:

Diagram: Use your favorite diagram tool (Visio/Draw.io). Keep ISE and AD on a management VLAN so they can reach each other directly.

Step-by-Step GUI Configuration Guide (ESXi & EVE-NG) — Do every validation step

Important: Captures/snapshots of a production ISE are not supported — do not rely on VMware snapshots for backups. Use ISE native backup.

Pre-deploy checklist (do not skip)

  1. Host prerequisites
    • Ensure VT-x/AMD-V is enabled in BIOS on the ESXi host.
    • Reserve CPU & RAM for the ISE VM (Cisco recommends reserving resources and thick provisioning for ISE VMs).
  2. Storage
    • Ensure consistent storage latency/IOPS — Cisco documents minimum read/write perf for the appliance and recommends fast disks for production.
  3. Networking
    • Create a management portgroup in vSphere & ensure DNS can resolve AD FQDNs.
  4. Files required
    • ISE OVA or ISO (download from Cisco software download), and if you use ZTP/extra config, have that image ready (for advanced flows).

A — Deploying Cisco ISE on VMware ESXi (OVA method) — preferred

Step 1 — Deploy OVA

  1. Open vSphere Client (HTML5) → Hosts & Clusters → choose the target host/cluster.
  2. Right-click → Deploy OVF Template → Browse to the Cisco ISE .ova file.
    [Screenshot: vSphere Deploy OVF Template Screen]
  1. Accept the EULA, choose the VM name (e.g., ISE-PAN-LAB), pick datastore.
    Important: Choose Thick Provision Eager Zeroed if storage allows; otherwise use Thick Lazy Zeroed — Cisco recommends not using thin for production. Reserve CPU/memory.
    [Screenshot: vSphere OVA Storage Selection]
  1. Map networks: assign the ISE VM NIC to the management portgroup you created.
    [Screenshot: vSphere Network Mapping]
  1. Finish and power on the VM.

Step 2 — (Optional) insert ZTP ISO (if you have a ZTP config)

  • Attach the ZTP ISO to the VM CD drive before powering on, per Cisco instructions for zero-touch config flows.

Step 3 — Open the VM console

  • The ISE appliance boots and invokes the setup program (interactive CLI). Wait for the prompt.
    [Screenshot: ISE Console During Setup]

Step 4 — Console Initial Setup (one-time interactive wizard)
When the console setup runs, provide:

  • Management IP (e.g., 10.10.10.5) / netmask / gateway
  • Hostname (ise-lab.domain.local)
  • DNS server (10.10.10.10)
  • NTP server (pool.ntp.org or your AD server)
  • Admin GUI password (you will create it during setup)
    These entries are provided via the interactive prompts described in the ISE install guide.
    [Screenshot: ISE Setup Wizard – Network Entry]

Step 5 — Wait for services

  • The appliance will perform first-boot tasks and start services; this can take several minutes (be patient — 15–60+ minutes depending on node size). Use the console to watch messages.
    [Screenshot: ISE Boot Messages]

Validation (ESXi/ISE):

Cisco ISE CLI Verification Commands – Initial Setup Validation
ise/admin# ping 10.10.10.1
Purpose: Checks basic IP connectivity to a default gateway or network device.
Expected Output: Replies with minimal latency and no packet loss.

ise/admin# nslookup ad.domain.local 10.10.10.10
Purpose: Confirms DNS resolution of your Active Directory FQDN via a specific DNS server (10.10.10.10).
Expected Output: Shows resolved IP address of ad.domain.local.

ise/admin# show application status ise
Purpose: Displays the running state of ISE application processes.
Expected Output:
All essential processes should show Running.
Example:
Application Server Running Database Running M&T Session Database Running Certificate Authority Running

ise/admin# show version
Purpose: Displays the current installed version of Cisco ISE and build info.
Expected Output:
Example:
Cisco Identity Services Engine Version: 3.2.0.542

Final Validation:
The show application status ise output must eventually show all required processes in Running state. If any are stuck in Initializing or Stopped, troubleshooting is required before proceeding with configuration.

  • From your workstation, open browser: https://10.10.10.5/admin (or https://10.10.10.5/) and confirm the ISE Admin portal loads on HTTPS 443.
    [Screenshot: ISE Admin Login Page]
  • If the Admin GUI is unreachable but show application status ise lists processes running, try tech netstat | inc 443 on ISE (or check firewall between your workstation and VM).

Step 6 — Upload License & Apply

  • GUI: Administration → System → Licensing → Upload Evaluation or permanent licenses.
    [Screenshot: ISE Licensing Upload]

Step 7 — Create Backup Immediately

  • Use ISE’s built-in backup functionality (Administration → System → Backup). Do not use hypervisor snapshots to back up ISE.

B — Adding Cisco ISE to EVE-NG (ISO flow)

Note: EVE-NG does not include vendor images. You must upload a Cisco ISE ISO into the EVE filesystem and create the node. The steps below follow the EVE how to pattern. (eve-ng.net)

Step 1 — Prepare the EVE host

  1. SSH to EVE server as root. Create an image folder: mkdir -p /opt/unetlab/addons/qemu/ise-<version>/
  2. Upload the Cisco ISE ISO using WinSCP/SFTP to that folder.

Step 2 — Rename & fix

  1. Inside EVE: cd /opt/unetlab/addons/qemu/ise-<version>/ mv ise-<version>.SPA.x86_64.iso cdrom.iso /opt/unetlab/wrappers/unl_wrapper -a fixpermissions (The cdrom.iso name is expected by EVE templates). (eve-ng.net)

Step 3 — Create node in EVE GUI

  • In the EVE web UI, add a new qemu node using the ISE template (choose the folder you created), set vCPU/RAM (4 vCPU, 16GB), link to networks, and start the node. Open the console.

Step 4 — Run ISE console setup

  • The ISE ISO will boot and run the same interactive setup wizard. Provide IP, DNS, NTP, hostname, admin credentials as for ESXi.

Validation (EVE-NG):

  • From the EVE console run the same ISE CLI checks: ping 10.10.10.1 nslookup ad.domain.local 10.10.10.10 show application status ise show version
  • From your laptop (or a routed connection), browse to https://<ISE-IP>/admin and login.

Post-deploy Checks (GUI + CLI validation summary)

CLI commands (ISE node) — run these as soon as setup completes:

  • show application status ise — check all ISE services.
  • show version — confirm installed version.
  • ping <gateway> and nslookup <AD-FQDN> — basic network/DNS checks.
  • application reset-passwd ise admin — (if you need to reset web GUI password from console). (packetmischief.ca)

GUI checks

  • Admin login success at https://<ISE-IP>/admin.
  • Administration → System → Deployment — confirm node persona (PAN/PSN/MNT) and green status.
  • Operations → RADIUS → Live Logs — after you configure a NAD (switch), verify RADIUS hits.

ESXi host checks

  • Ensure VM shows expected resource reservation & no snapshots present. If backups are required, use ISE backup, not hypervisor snapshots.

FAQs

1. What is the minimum hardware requirement to install Cisco ISE on VMware/EVE-NG?

  • Lab Minimum (for basic features):
    • 4 vCPU
    • 12 GB RAM
    • 200 GB HDD
  • Recommended (for profiling, posture, guest portals):
    • 4–8 vCPU
    • 16–32 GB RAM
    • 300 GB+ HDD
  • CLI Check: show system resources
  • GUI Check:
    • Navigate: Administration → System → Maintenance → System Summary
    • Look for CPU/Memory Utilization.

2. Can I run Cisco ISE in EVE-NG without ESXi?

  • Yes — EVE-NG supports ISE installation directly as a VM.
  • Requirement: EVE-NG Pro or Community with nested virtualization enabled.
  • Tip: Ensure the underlying physical CPU supports VT-x/AMD-V.
  • Validation: grep -E 'vmx|svm' /proc/cpuinfo

3. Why does my ISE installation hang at “Application Server is starting”?

  • Usually caused by insufficient CPU/RAM allocation or slow disk I/O.
  • Fix:
    • Increase CPU/RAM.
    • Use SSD storage for faster boot.
  • CLI Check: show application status ise Ensure all services are running.

4. Do I need to configure an IP address during installation, or can I do it later?

  • You must configure:
    • IP address
    • Hostname (FQDN)
    • DNS
    • NTP server
  • These settings are critical for AD integration later.
  • Change later if needed: conf t interface GigabitEthernet 0 ip address x.x.x.x y.y.y.y Then update in Administration → Deployment in GUI.

5. How do I verify ISE services after first boot?

  • CLI: show application status ise Look for all services in running state.
  • GUI:
    • Login → Administration → System → Deployment
    • Status column should show Running for the node.

6. My ISE web GUI is not loading — what should I check?

  • Possible causes:
    • HTTPS service not running.
    • Firewall blocking TCP 443.
  • CLI Fix: application stop ise application start ise or restart: reload
  • Validation:
    • Access via: https://ISE_FQDN:443/admin
    • Ping FQDN from client.

7. What’s the default ISE admin username/password?

  • No default — set during installation.
  • If forgotten:
    • Console into VM → Reboot → Select ISE Recovery Mode → Reset password.
  • Command method: application reset-passwd ise admin

8. Can I integrate ISE with Active Directory immediately after install?

  • Yes — but ensure:
    • Correct time sync with AD.
    • DNS resolution works for domain controllers.
  • CLI Check: show ntp nslookup dc.domain.local
  • GUI Path: Administration → Identity Management → External Identity Sources → Active Directory.

9. How can I backup my ISE lab installation?

  • GUI:
    • Administration → Maintenance → Backup & Restore → Backup
    • Store backup on FTP/SFTP server.
  • CLI: backup LAB_BACKUP repository MYREPO
  • Tip: In a lab, you can snapshot the VM in VMware/EVE-NG before changes.

10. How do I confirm ISE is reachable from switches/WLC?

  • Ping Test: ping ise.domain.local
  • RADIUS Test (from switch): test aaa group radius <username> <password> new-code
  • GUI Validation in ISE:
    • Operations → RADIUS → Live Logs — Look for test request entries.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Upgrade Your Skills – Start Today

Take Your Cisco ISE Skills from Lab to CCIE-Level Expertise

You’ve just seen how powerful Cisco ISE can be when installed and configured properly — but this is just the tip of the iceberg.

If you’re serious about mastering Cisco ISE, NAC, and the full CCIE Security blueprint, join me, for my 4-Month Instructor-Led CCIE Security Mastery Program.

  • Inside this training, you’ll get:
  • 100% Live Sessions — Learn directly from me, not pre-recorded videos
  • Full CCIE Security Course Outline — Covering Cisco ISE, Firepower, VPN, Advanced Threat Defense, and more (View Full Outline Here)
  • Hands-On Labs — VMware ESXi, EVE-NG, and production-style setups
  • 1-on-1 Doubt Sessions — Direct access to me to solve your unique challenges
  • Real-World Scenarios — Learn configs and troubleshooting exactly as you’ll face in the field
  • Exam & Job Prep — Build the skills to crack the CCIE lab and lead enterprise security projects

Next Batch Starts Soon — Seats Are Limited
Click below to reserve your spot and get started on your journey to becoming an elite network security engineer.

Reserve Your Seat Now

Enroll Now & Future‑Proof Your Career
Emailinfo@networkjourney.com
WhatsApp / Call: +91 97395 21088

Trainer Sagar Dhawan
Hi all, Good to see you here. I'm your Trainer for CCIE, CCNP, CCNA, Firewall batches and many more courses coming up! Stay tuned for latest updates! Keep me posted over Whatsapp/Email about your experience learning from us. Thanks for being part of - "Network Journey - A journey towards packet-life!!!"

Related Posts

Day 74 – Cisco ISE Mastery Training: TrustSec Policy Matrix

[Day 74] Cisco ISE Mastery Training: TrustSec Policy Matrix

  • Posted on
    • [Day 9] Cisco ISE Mastery Training: Creating Internal Users & Groups

    [Day 9] Cisco ISE Mastery Training: Creating Internal Users & Groups

  • Posted on
    • Day 79 – Cisco ISE Mastery Training: Context Visibility Dashboard

    [Day 79] Cisco ISE Mastery Training: Context Visibility Dashboard

  • Posted on