Day 94 – Cisco ISE Mastery Training: Disaster Recovery & Backup

Introduction

When Cisco ISE is the policy brain for 802.1X/MAB, VPN, and wireless access, a misstep in backups or a slow, incorrect restore means no logins, no network. Disaster Recovery (DR) in ISE isn’t just “take a backup.” It’s:

  • Designing Admin/MnT high availability,
  • Capturing the right data (config vs operational),
  • Storing encrypted backups off-box, and
  • Rebuilding nodes (with the same identity) in a calm, repeatable way.

Your objective today: build a production-grade, fully validated DR runbook for ISE that you can execute blindfolded (almost). We’ll configure repositories, schedule encrypted backups, prove them in the logs, simulate a PAN failure, promote the secondary, and restore a lab node from scratch—all with GUI + CLI evidence.
(ISE separates Configuration backup from Operational/MnT backup; restores are version/patch bound; internal CA private keys are not included in config backups—plan accordingly.) (Cisco)


Problem Statement

Real-world pain this solves in NAC:

  • A failed Primary PAN halts policy changes, certificate trust updates, and replication.
  • Loss of the MnT database kills compliance/audit evidence; you can’t answer “who got on when/where.”
  • PSNs keep authenticating, but if you can’t quickly promote or restore, change windows blow up, audits fail, and execs get grumpy.
  • Backups taken incorrectly (wrong repo, wrong encryption, wrong hostname/IP on restore) won’t restore. (Cisco)

Solution Overview (What ISE gives you)

  • Two backup types:
    1. Configuration (PAN database, trust store, policies, and more)
    2. Operational (MnT) (sessions, RADIUS/TACACS logs, reports).
      Both can be scheduled or run on-demand to a remote repository (SFTP/NFS/FTP/disk). (Cisco)
  • Encrypted backups (GUI or CLI) with encryption key you manage.
  • PAN HA: Secondary PAN can be promoted (“Make Primary”) if the Primary dies; later you reimage/restore the old Primary and rejoin. (Cisco)
  • Strict restore rules: Same ISE major/minor/patch, same hostname and usually same IP/FQDN (especially if certs pin identity). Internal CA private keys are not included in config backups—export CA store separately. (Cisco)

Sample Lab Topology

Platform: VMware ESXi or EVE-NG for virtual ISE/wireless/switch nodes.
Nodes:

  • ISE-PAN1 (Primary Admin + Primary MnT)
  • ISE-PAN2 (Secondary Admin + Secondary MnT)
  • ISE-PSN1/2 (two Policy Service Nodes behind a load-balancer or WLC AAA pointing to both)
  • SFTP-Repo (Ubuntu SFTP on VLAN10 with dedicated user/folder)
  • AD/DC, DNS/NTP
  • Catalyst Switch (dot1x/MAB lab ports)
  • Cisco WLC (WLAN using ISE for AAA)
  • Endpoints (Win10/11, iPhone/Android)

Topology diagram:


Step-by-Step GUI Configuration Guide (with CLI validation)

Phase A — Prepare a Secure Remote Repository (SFTP)

Goal: Create an off-box encrypted backup location.

A1. Create repo (GUI):

  1. Admin > System > Maintenance > Repository → Add.
  2. Name: SFTP_REPO
  3. Protocol: SFTP
  4. Server: 10.10.20.50; Path: /ise-backups
  5. Username/Password: ise-backup / ••••
  6. Submit.
    • [Screenshot: ISE Add Repository]
      (If ISE prompts about SFTP host key, you must add host key via CLI once.) (Cisco)

A2. Trust the SFTP host key (CLI on any ISE node):

ise/admin# ssh ise-backup@10.10.20.50
# type 'yes' to accept fingerprint (saved in known_hosts), then Ctrl+C

Validate repository (CLI):

ise/admin# show repository SFTP_REPO
# Expect URL sftp://10.10.20.50/ise-backups and free space

(Repo config & show commands are standard ISE CLI.) (Cisco)


Phase B — Schedule Encrypted Configuration Backups

B1. Run an immediate config backup (GUI):

  1. Admin > System > Maintenance > Backup & Restore → Backup Now.
  2. Type: Configuration
  3. Repository: SFTP_REPO
  4. Filename prefix: cfg-
  5. Encryption Key: enter strong passphrase
  6. Start.
    • [Screenshot: ISE Backup & Restore – Backup Now] (Cisco)

B2. Schedule nightly config backups (GUI):

  1. On the same page, Schedule → Add.
  2. Type: Configuration; Repository: SFTP_REPO
  3. When: Daily at 02:15; Retention: 14 copies.
  4. Encryption Key: (same passphrase)
  5. Save.
    • [Screenshot: ISE Backup Schedule]

B3. Validate (GUI + CLI):

  • GUI: Operations/Reports → System → Backup & Restore (or Operational Audit) → confirm Status: SUCCESS with timestamps & file names.
    • [Screenshot: ISE Backup Report] (Cisco)
  • CLI (3.x):
ise/admin# show backup status
ise/admin# dir repository SFTP_REPO
ise/admin# dir repository SFTP_REPO | include cfg-

(show-mode “backup” status is in ISE CLI reference.) (Cisco)


Phase C — Schedule Encrypted Operational (MnT) Backups

C1. Immediate MnT backup (GUI):

  1. Admin > System > Maintenance > Backup & Restore → Backup Now.
  2. Type: Operational
  3. Repository: SFTP_REPO
  4. Filename prefix: ops-
  5. Encryption Key: enter passphrase → Start.
    • [Screenshot: MnT (Operational) Backup Now] (Cisco)

C2. Schedule weekly MnT backups:

  • Schedule → Weekly (e.g., Sun 03:00), Retention: based on audit policy (e.g., 8 copies).
    • [Screenshot: MnT Backup Schedule]

C3. Validate (GUI + CLI):

  • GUI report shows Operational backup success and sizes (large).
  • CLI:
ise/admin# show backup status
ise/admin# dir repository SFTP_REPO | include ops-

Important: Config and Operational backups are separate artifacts; you normally restore Config first, then (optionally) Operational. Internal CA private keys are not included in config backups; export the CA store via the CLI (application configure ise, then the Export Internal CA Store option) and keep the export somewhere safe. (Cisco)
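An added example (not code from this page or from Cisco) covering the B3/C3 validation steps and the B2/C2 retention limits: a POSIX shell audit that runs on the SFTP repository host, confirms nightly cfg- and weekly ops- files keep arriving, and enforces the 14/8 copy retention. It assumes the /ise-backups path from A1 and the constructed file naming <prefix>-CFG10-<timestamp>.tar.gpg / <prefix>-OPS10-<timestamp>.tar.gpg.

```shell
#!/bin/sh
# Backup-health audit for the ISE SFTP repository host (constructed example, not Cisco's code).
# Assumptions: it runs on the SFTP server (10.10.20.50 in the lab) with access to /ise-backups,
# and ISE names files <prefix>-CFG10-<ts>.tar.gpg (config) / <prefix>-OPS10-<ts>.tar.gpg (MnT).

# Number of backup files for a prefix (e.g. "cfg-" or "ops-") in the repository directory.
count_backups() {
  find "$1" -maxdepth 1 -name "${2}*.tar.gpg" | wc -l | tr -d ' '
}

# Succeeds when at least one backup for the prefix is newer than $3 minutes (the schedule
# is still producing files); fails when the newest is stale or no file exists at all.
backup_is_fresh() {
  [ -n "$(find "$1" -maxdepth 1 -name "${2}*.tar.gpg" -mmin "-$3" | head -n 1)" ]
}

# Keeps the newest $3 files for the prefix (by mtime) and removes the rest; prints the number
# pruned. Pass "dry" as $4 to list candidates on stderr without deleting anything.
# ISE-generated names contain no whitespace, so iterating over ls output is safe here.
prune_backups() {
  pruned=0
  for f in $(ls -1t "$1"/"$2"*.tar.gpg 2>/dev/null | tail -n +"$(($3 + 1))"); do
    if [ "${4:-}" = "dry" ]; then echo "would remove: $f" >&2; else rm -f "$f"; fi
    pruned=$((pruned + 1))
  done
  echo "$pruned"
}

# One line per backup type using the schedule from Phases B/C: config nightly (stale after
# 26 h, keep 14 copies) and operational weekly (stale after 8 days, keep 8 copies).
# Returns non-zero if any type is stale, so cron or a monitor can alert on it.
dr_backup_report() {
  repo=$1; mode=${2:-}; rc=0
  for spec in "cfg-:1560:14" "ops-:11520:8"; do
    prefix=${spec%%:*}; rest=${spec#*:}; maxmin=${rest%%:*}; keep=${rest#*:}
    if backup_is_fresh "$repo" "$prefix" "$maxmin"; then state=OK; else state=STALE; rc=1; fi
    printf '%s fresh=%s count=%s pruned=%s\n' "$prefix" "$state" \
      "$(count_backups "$repo" "$prefix")" "$(prune_backups "$repo" "$prefix" "$keep" "$mode")"
  done
  return $rc
}

# Usage (nightly cron on the repo host): sh ise-backup-audit.sh /ise-backups dry
if [ $# -ge 1 ]; then dr_backup_report "$@"; fi
```

Run it with "dry" first and read the stderr list before letting it delete; a non-zero exit means a backup type is overdue and the ISE-side job (show backup status) needs a look.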


Phase D — CLI: Repositories + On-Demand Backups (power-user)

ISE 3.2+ supports the backup/restore commands; many engineers still use the older application backup/restore form in earlier releases—TAB-complete on your exact version. Syntax examples below align to current CLI reference. (Cisco)

D1. Define repository via CLI (if you prefer CLI):

ise/admin# configure terminal
ise/admin(config)# repository SFTP_REPO
ise/admin(config-Repository)# url sftp://10.10.20.50/ise-backups
ise/admin(config-Repository)# user ise-backup password plain <SFTP_PASSWORD>
ise/admin(config-Repository)# exit
ise/admin# show repository SFTP_REPO

D2. Run on-demand CONFIG backup (CLI):

# Example backup name 'cfg-2025-08-20' (ISE appends -CFG10-<timestamp>.tar.gpg to it)
# Syntax: backup <name> repository <repo> ise-config encryption-key plain <key>
ise/admin# backup cfg-2025-08-20 repository SFTP_REPO ise-config encryption-key plain <BACKUP_KEY>
# monitor:
ise/admin# show backup status
ise/admin# dir repository SFTP_REPO | include cfg-2025-08-20

(Backup/Show syntax per ISE CLI Reference.) (Cisco)

D3. Run on-demand OPERATIONAL (MnT) backup (CLI):

ise/admin# backup ops-2025-08-20 repository SFTP_REPO ise-operational encryption-key plain <BACKUP_KEY>
ise/admin# show backup status
ise/admin# dir repository SFTP_REPO | include ops-2025-08-20

Phase E — PAN High Availability & Promotion Drill

E1. Verify PAN roles (GUI):

  • Admin > System > Deployment:
    • ISE-PAN1 = Primary Admin, Primary MnT
    • ISE-PAN2 = Secondary Admin, Secondary MnT
    • [Screenshot: ISE Deployment – Node Roles] (Cisco)

E2. Simulate Primary PAN outage:

  • On ISE-PAN1 CLI:
ise-pan1/admin# application stop ise
ise-pan1/admin# show application status ise
  • Validate authentications continue (PSNs still work).

E3. Promote Secondary PAN to Primary (GUI on ISE-PAN2):

  1. Admin > System > Deployment → (Actions) → Make Primary.
  2. Confirm.
    • [Screenshot: Make Primary Dialogue]
    • Validate: ISE-PAN2 now shows Primary Admin role; policies editable. (Cisco)

E4. Bring PAN1 back later: (after reimage/restore—Phase F)

  • Once restored, register it back as Secondary and synchronize.

Phase F — Full Node Restore (Config first, then Operational)

Golden rules: Restore onto same ISE version/patch, and (practically) same hostname/FQDN and IP to avoid certificate/trust issues. Internal CA private keys are not inside the config backup—export/import CA store separately. (Cisco)

F0. Prep the target VM/appliance:

  • Fresh ISE install same version/patch as the backup; set hostname/IP to match the original node identity for a clean restore.
    • [Screenshot: ISE Setup Wizard Completed]

F1. Re-create repository (CLI): (same as D1)

F2. Restore Configuration (CLI):

# Use the full file name exactly as listed in the repository (e.g. cfg-2025-08-20-CFG10-<timestamp>.tar.gpg); the prefix alone is shown here for brevity
ise/admin# restore cfg-2025-08-20 repository SFTP_REPO encryption-key plain <BACKUP_KEY>
# (Optional) include ADE-OS system settings if your backup captured it:
ise/admin# restore cfg-2025-08-20 repository SFTP_REPO encryption-key plain <BACKUP_KEY> include-adeos
# ISE will restart automatically. Monitor boot:
ise/admin# show application status ise

(Restore command and include-adeos option per CLI Reference.) (Cisco)

F3. Restore Operational (MnT) data (optional):

ise/admin# restore ops-2025-08-20 repository SFTP_REPO encryption-key plain <BACKUP_KEY>

F4. Import Internal CA store (if you used ISE as CA):

ise/admin# application configure ise
# [7] Export / [8] Import Internal CA Store (use your exported file set)

F5. Rejoin deployment (GUI):

  • If this was a PAN: Admin > System > Deployment → Register / Assign Persona (Admin Secondary, MnT Secondary) → Save → Synchronize.
  • Validate Replication: SUCCESS and PAN role is correct.
    • [Screenshot: Deployment – Replication Success] (Cisco)

Phase G — End-to-End Validation Checklist (print & tick)

Backups exist & are encrypted

  • GUI report shows SUCCESS for config & operational backups.
  • show backup status returns last job SUCCESS.
  • dir repository SFTP_REPO shows expected files & sizes. (Cisco)

Repository health

  • show repository SFTP_REPO shows reachable, free space.
  • SFTP host key trusted (able to SSH once). (Cisco)

PAN HA

  • Secondary can be promoted (GUI “Make Primary”).
  • PSNs keep authenticating during PAN outage. (Cisco)

Restore

  • Config restore completes; ISE restarts; services RUNNING.
  • Optional: MnT restore completes; old reports visible.
  • If used ISE-CA, Internal CA store imported.
  • Node re-registered and replication = SUCCESS. (Cisco)

FAQs – Cisco ISE Disaster Recovery & Backup

1. What exactly is the difference between a Configuration and Operational (MnT) backup?

  • Configuration backup = policies, endpoints, device profiles, trust store (certs), settings.
  • Operational backup = Monitoring & Troubleshooting (MnT) logs, RADIUS/TACACS sessions, reports.
  • You normally restore Config first, then Operational if audit logs are required.

2. Do I need the exact same version of ISE to restore a backup?

  • Yes. Backups are version and patch bound.
  • Example: A config backup from ISE 3.2 patch 3 will not restore on 3.2 patch 2.
  • Always upgrade new node to the same patch level before restoring.

3. Do I need the same hostname and IP during restore?

  • Best practice: same hostname/FQDN and usually the same IP.
  • Certificates in trust store are bound to FQDN → mismatches cause trust issues.
  • The GUI warns that the restore will fail if the hostname doesn’t match.

4. How do I encrypt backups, and what if I lose the encryption key?

  • When creating/scheduling a backup, enter an Encryption Key.
  • In CLI, add the key to the backup command: backup cfg-20250820 repository SFTP_REPO ise-config encryption-key plain <KEY>
  • If you lose the key → backup is unusable. Always store in a secure vault.

5. Where do I check if a backup succeeded?

  • GUI: Operations → Reports → System → Backup & Restore.
  • CLI: show backup status, then dir repository SFTP_REPO
  • Look for Status: SUCCESS and correct file size.

6. How do I promote a Secondary PAN to Primary?

  • GUI: Administration → System → Deployment → (Actions) → Make Primary.
  • CLI validation: show running-config ise confirms new primary.
  • PSNs continue authentication without disruption during promotion.

7. My SFTP repository fails when I trigger a backup — why?

  • Common causes:
    • SFTP host key not accepted (fix: SSH once from ISE CLI to repo host).
    • Wrong path permissions on server.
    • Incorrect credentials.
    • Disk space full.
  • CLI test: show repository SFTP_REPO

8. If I use ISE as a Certificate Authority (Internal CA), will backups capture private keys?

  • No, Config backup includes only the CA certificates, not private keys.
  • Export the Internal CA store separately: application configure ise → option 7 (Export Internal CA Store).

9. Can I back up to local disk instead of remote repo?

  • Yes, to a disk: repository, but it consumes VM disk space.
  • Best practice = SFTP/NFS remote repo for secure, redundant storage.
  • Use CLI: dir disk:/

10. What’s the recommended DR test cycle in production?

  • Run Config backup nightly + Operational backup weekly.
  • Test PAN promotion quarterly.
  • Perform a full restore drill (lab or DR node) at least once per year.
  • Always validate with show backup status + GUI reports.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing Notes

  • Treat ISE DR as a runbook: repo → encrypted backups → promote/preserve → restore → rejoin.
  • Practice the promotion and restore workflows quarterly.
  • Keep encryption keys and CA export in a separate vault.
  • Monitor backup job health just like you monitor PSNs—no surprises in real incidents. (Cisco)

Upgrade Your Skills – Start Today

Want a guided path, labs, and accountability? I run a focused 4-month, instructor-led program under Network Journey focused on CCIE Security depth with real-world ISE mastery. Expect structured modules, live labs, community support, and interview-ready artifacts.

“For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel — Network Journey and join my instructor-led classes.”

Your next steps

  • Apply for the next cohort (limited seats).
  • Book a 1:1 discovery call to map your role, timelines, and outcomes.
  • Bring your current ISE topology—get a personalized DR/backups improvement plan.

Learn more & register here → (course outline ref: course.networkjourney.com/ccie-security/)

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

(Note: Program specifics evolve; confirm the latest dates, curriculum, and bonuses on the course page.)