IT training is a permanent process. An IT specialist simply has to learn every day, not only to pick up something new but also to avoid losing what is already known. And since I have started my article on the subject of training, I want to thank the team of the "CCIE for a year" project for the excellent opportunity to prepare for the CCIE exam in a team of like-minded people and under the strict guidance of competent specialists / trainers.
In preparation for the 300-208 SISAS exam from the CCNP Security track, you will have to deal with a network security product, the Cisco Identity Services Engine. After studying the theory, you will certainly want to move on to practice. A virtual machine is perfect for this. But the virtual machine image is available only for VMware, which, in principle, is not a problem, but brings some inconvenience. For example, I have 2 OSes installed - Windows 10 and Ubuntu 15.10, and I prefer to use native Hyper-V in Windows or the VirtualBox integrated into GNS3 in Ubuntu. In this case, you can use the option of a clean install of Cisco ISE from an iso image available on cisco.com.
After the first attempts to install ISE in one of the officially unsupported hypervisors, it turned out that this was not so easy. The installer stops at the very beginning of the installation with an error stating that ISE cannot be installed in this environment. But this is not a final verdict... So, we have an iso image and we are ready to start installing Cisco ISE 2.0 in the Hyper-V environment.
Installation is performed by the Anaconda installer using Kickstart; the entire preliminary compatibility check is implemented in the kickstart file. We start by unpacking the iso image with any archiver into a directory on the local disk. After unpacking is completed, go to the directory with the unpacked image and find the ks.cfg file. Open it in a text editor and make the following changes:
1. Comment out all calls to halt: add # in front of every line of the form
/sbin/halt -f;
2. Replace all calls to the cars_udi_util application, with its various parameters, with static entries.
Lines of the form:
UDI_PID=`/sbin/cars_udi_util -p`
UDI_VID=`/sbin/cars_udi_util -v`
UDI_SN=`/sbin/cars_udi_util -s`
must be replaced with lines of the form:
UDI_PID="Cisco-VM-SPID"
UDI_VID="1.0"
UDI_SN="123456789"
3. Hard-code the UDI_PID in the first line of the function validate_hwinfo (). To do this, after the line
validate_hwinfo () {
insert a new line of the form
UDI_PID="Cisco-VM-SPID"
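The three edits above can also be scripted, which makes them repeatable and lets you review the result as a diff before rebuilding the image. The Python sketch below is an added example, not part of the original article or of any Cisco tooling: SAMPLE_KS is a constructed fragment, patch_ks and review_diff are hypothetical helper names, and the paths, flags and static values are the ones given in the steps.

```python
import difflib
import re

# Static UDI values exactly as given in the article's step 2.
STATIC_UDI = {"UDI_PID": "Cisco-VM-SPID", "UDI_VID": "1.0", "UDI_SN": "123456789"}
UDI_CALL = re.compile(r"^(\s*)(UDI_PID|UDI_VID|UDI_SN)=`/sbin/cars_udi_util\s+-[pvs]`\s*$")
HALT_CALL = re.compile(r"/sbin/halt\s+-f")
FUNC_OPEN = re.compile(r"^\s*validate_hwinfo\s*\(\s*\)\s*\{\s*$")
PINNED = 'UDI_PID="Cisco-VM-SPID"'
# Constructed fragment for illustration only; the real ks.cfg is much longer.
SAMPLE_KS = """\
UDI_PID=`/sbin/cars_udi_util -p`
UDI_VID=`/sbin/cars_udi_util -v`
UDI_SN=`/sbin/cars_udi_util -s`
validate_hwinfo () {
  if [ -z "$UDI_PID" ]; then
    echo "unsupported hardware"
    /sbin/halt -f;
  fi
}
"""

def patch_ks(text):
    """Apply steps 1-3 to kickstart text; running it twice changes nothing more."""
    lines = text.splitlines()
    out = []
    for i, line in enumerate(lines):
        body = line.lstrip()
        indent = line[: len(line) - len(body)]
        udi = UDI_CALL.match(line)
        if udi:  # step 2: static entry instead of the cars_udi_util call
            out.append(f'{udi.group(1)}{udi.group(2)}="{STATIC_UDI[udi.group(2)]}"')
        elif HALT_CALL.search(body) and not body.startswith("#"):  # step 1
            out.append(f"{indent}#{body}")
        else:
            out.append(line)
        if FUNC_OPEN.match(line):  # step 3: pin UDI_PID as the first line
            following = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if following != PINNED:
                out.append(PINNED)
    return "\n".join(out) + "\n"

def review_diff(before, after):
    """Unified diff of the edit, so every changed line can be checked by eye."""
    return "".join(difflib.unified_diff(before.splitlines(keepends=True),
                                        after.splitlines(keepends=True), "ks.cfg.orig", "ks.cfg"))

if __name__ == "__main__":
    print(review_diff(SAMPLE_KS, patch_ks(SAMPLE_KS)))
```

If a halt call is the only command inside a then-branch, commenting it out leaves that branch empty, which is a shell syntax error, so check the diff for such cases before rebuilding the iso.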
Save all changes to the source file. Now you need to rebuild the iso file. For this task, I recommend using the ImgBurn application. After installing the application, launch it and select the “Create image file from files / folders” menu.
In the window that opens, specify the source folder with the files of the previously unpacked iso image (Source) and the destination file (Destination).
Go to the tab "Options" and set the following values:
File System: ISO9660 + Joliet
Recurse Subdirectories: Enabled
Include Hidden Files: Enabled
Include System Files: Enabled
On the tab "Labels" you must specify the labels of the volume.
Go to the tab "Advanced". First we set the restrictions on the tab "Restrictions -> ISO9660":
Folder/File Name Length: Level 1 - 11 Characters, 8.3 Format
Character Set: Standard
Allow More Than 8 Directory Levels: Enabled
Allow More Than 255 Characters In Path: Enabled
Allow Files Without Extensions: Enabled
Don't Add ';1' Version Number To Files: Enabled
Go to the tab "Restrictions -> Joliet":
Folder/File Name Length: Level 1 - 64 Characters
Allow Files Without Extensions: Enabled
We complete the configuration on the “Bootable Disc” tab:
Make Image Bootable: Enabled
Boot Image: isolinux.bin ( isolinux iso )
Patch Boot Information Table: Enabled
After that, click the button at the bottom left of the window, and the process of creating the bootable iso image begins.
Now that we have a modified Cisco ISE installation image, we can proceed to the installation. We create a first-generation Hyper-V virtual machine that meets the minimum requirements. We specify the created iso image as the boot media, save the configuration of the virtual machine and launch it.
At startup, a series of checks will run and print scary error messages to the virtual machine console. Do not be afraid of them: we have already commented out all the halt calls in the ks script. Installation is quite simple and should not cause problems; the official manual is available for reference.
After the installation is complete, the virtual machine will reboot, and after it starts we will be asked to enter the word setup for the initial software configuration. Next, a script will run that performs the basic configuration in dialogue mode and deploys the database schema. This process usually takes 15-20 minutes. At the end, the machine will be restarted. We now have a working Cisco ISE instance with a trial license, deployed in a Hyper-V virtual environment.
There is, however, a licensing nuance: when running under Hyper-V, the software determines the VID / PID / Serial incorrectly. But this can be solved...
We need an iso image of CentOS 7 Minimal; the current version is available for download. Download the image and specify it as the boot media for our virtual machine. Reboot the machine, and we find ourselves in the CentOS installer's boot menu. Select the menu item "Troubleshooting -> Rescue a CentOS system". We will be offered automatic detection and mounting of the existing file system (by default, the file system is mounted in the /mnt/sysimage/ directory). Go to the directory /mnt/sysimage/opt/system/bin/:
cd /mnt/sysimage/opt/system/bin/
Rename the existing cars_udi_util application to cars_udi_util.bak:
mv cars_udi_util cars_udi_util.bak
Create a shell script cars_udi_util or copy it from an external source:
vi cars_udi_util
Shell script cars_udi_util
As the VID / PID / Serial we specify our values from the purchased license files.
We set the permissions on the cars_udi_util file:
chmod 4755 cars_udi_util
Turn off the virtual machine, unmount the CentOS 7 Minimal iso image and start the VM again. After all services start, we try to connect to the Cisco ISE web interface and check the VID / PID / Serial.
Now we can install the purchased licenses in Cisco ISE running in a Hyper-V virtual environment.