A quick post on the correct way of doing backups on ISE. I have seen a few instances where ISE was not being backed up using the supported (correct) method dictated by Cisco. This is especially true in vSphere environments, where VCB backups of the ISE nodes are used as the sole backup.
If a node fails and your only backup is a VCB backup (a snapshot or similar), restoring from it can actually create issues; on top of that, while the snapshot is being processed, ISE may become unresponsive and drop RADIUS requests. To set up backups correctly and make them part of your automated backup schedule, follow the steps below:
Create a Repository
Log into the ISE web UI and navigate to Administration > System > Maintenance > Repository and click Add.
You will need to select the protocol to use; I generally recommend SFTP so that your backup is encrypted over the wire and stored off-box. The figure below shows an example of my DEMO SFTP Backup Server.
After you hit submit, you are presented with the following warning:
Add SSH Host Key
*** This only applies for Repositories created using SFTP, skip for FTP etc.
Once you have created the SFTP repository, you need to add the SFTP server's SSH host key on your Primary Administration Node and, if applicable, your Secondary Administration Node. To add the host key, run:
ISE/admin# crypto host_key add host 10.10.200.1
The output you should receive on each node (PAN/SAN) is as follows:
host key fingerprint added
# Host 10.10.200.1 found: line 1 type RSA
2048 e6:34:9c:c3:50:99:bb:40:4c:35:39:7f:4a:7c:8f:1d 10.10.200.1 (RSA)
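The fingerprint ISE prints is the MD5 of the server's public key blob, rendered as 16 colon-separated hex pairs (the same form `ssh-keygen -l -E md5` shows; recent OpenSSH defaults to SHA256, which will not match visually). Before trusting the key, it is worth checking that value against the public key obtained out of band, for example from the server's own /etc/ssh/ssh_host_rsa_key.pub, rather than against whatever the network handed back. The script below is an added example, not part of the original post or any Cisco tool: it parses an OpenSSH public-key or ssh-keyscan line, recomputes the MD5 fingerprint and compares it with the value ISE reported. The host address, the sample key blob and the function names are constructed for the example; the sample blob is a toy, not a real key.

```python
"""Compare the host-key fingerprint ISE prints after `crypto host_key add`
with one computed from the SFTP server's own public key line.
Added example; the key material below is constructed, not a real key."""
import base64
import binascii
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Parse an OpenSSH public-key line or a known_hosts/ssh-keyscan line.

    Accepts "ssh-rsa AAAA... comment" and "10.10.200.1 ssh-rsa AAAA...".
    Returns (key_type, blob). Raises ValueError when the line is malformed or
    the declared type differs from the type embedded in the blob, which catches
    a pasted key that has been edited or truncated.
    """
    fields = line.split()
    if fields and not fields[0].startswith(KEY_TYPE_PREFIXES):
        fields = fields[1:]  # drop the leading host field of a known_hosts line
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob>' with an optional host prefix")
    key_type, encoded = fields[0], fields[1]
    try:
        blob = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"declared type {key_type!r} but blob encodes {embedded!r}")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """MD5 of the raw blob as 16 colon-separated lowercase hex pairs (ISE's format)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pubkey_line: str, ise_reported: str) -> bool:
    """True when the value ISE printed equals the fingerprint of the given key."""
    _, blob = parse_pubkey_line(pubkey_line)
    return md5_fingerprint(blob) == ise_reported.strip().lower()


def build_sample_rsa_blob() -> bytes:
    """Constructed sample ssh-rsa blob with a toy modulus; NOT a real key,
    it exists only so the example runs offline."""
    def mpint(value: int) -> bytes:
        # one extra byte so a leading 0x00 keeps the value positive when the top bit is set
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
        return _ssh_string(raw)
    return _ssh_string(b"ssh-rsa") + mpint(65537) + mpint(0xC0FFEE1234567890ABCDEF)


# Constructed stand-in for an ssh-keyscan line; a real server's line carries a ~2048-bit blob.
SAMPLE_LINE = "10.10.200.1 ssh-rsa " + base64.b64encode(build_sample_rsa_blob()).decode("ascii")


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_LINE)
    print(key_type, md5_fingerprint(blob))
```

In practice you would pass the real key line and the fingerprint copied from the ISE CLI output to `fingerprint_matches`; a mismatch means the key ISE fetched is not the one your SFTP server holds, and the repository should not be used until that is resolved.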
Create Backup Schedules / Start On-Demand Backup
Now, back in the ISE web UI, navigate to Administration > System > Backup & Restore. You will need to create a schedule for each of:
- Configuration: Contains both application-specific and Cisco ADE operating system configuration data
- Operational: Contains monitoring and troubleshooting data
Select Create under the appropriate heading and fill in the details of your scheduled backup. You will need to enter an Encryption Key; it is extremely important that you record this key in a safe place, as it will be needed to restore your ISE environment in the event of a disaster.
When creating schedules, I recommend doing a configuration backup once a week in a fairly static environment and operational backups once a day.
Let's start an On-Demand Backup by selecting the Backup Now button; as mentioned before, you will need to enter and record the encryption key used.
Below are two figures for reference:
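A scheduled backup is only useful if it actually lands in the repository, so a simple freshness check on the SFTP server (or on a mount of it) closes the loop: the newest configuration backup should be within the weekly window and the newest operational backup within the daily one, matching the cadence recommended above. The script below is an added example and not part of the original post or of ISE itself. It assumes all backups land in one directory and that the file name carries a "-CFG" or "-OPS" marker identifying the backup kind; that marker is an assumption, so adjust KIND_MARKERS to whatever names your repository actually shows. The sample directory it builds is constructed for the example.

```python
"""Freshness check for an ISE backup repository directory.
Added example; the naming markers and the sample files are assumptions/constructed."""
import os
import tempfile
import time

# Assumed name markers identifying the backup kind; adjust to your repository's naming.
KIND_MARKERS = {"configuration": "-CFG", "operational": "-OPS"}
# Maximum acceptable age per kind, matching the weekly/daily cadence recommended above.
MAX_AGE_DAYS = {"configuration": 7.0, "operational": 1.0}
DAY = 86400.0


def newest_backup(directory, marker):
    """Return (path, mtime) of the newest non-empty file whose name contains marker, else None.
    Zero-length files are skipped: a failed transfer can leave an empty file behind."""
    best = None
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if marker not in name or not os.path.isfile(path) or os.path.getsize(path) == 0:
            continue
        mtime = os.path.getmtime(path)
        if best is None or mtime > best[1]:
            best = (path, mtime)
    return best


def check_freshness(directory, now=None):
    """Map each backup kind to {'ok', 'age_days', 'path'}.
    A missing kind, or one whose only files are empty, is reported as not ok."""
    now = time.time() if now is None else now
    report = {}
    for kind, marker in KIND_MARKERS.items():
        found = newest_backup(directory, marker)
        if found is None:
            report[kind] = {"ok": False, "age_days": None, "path": None}
            continue
        path, mtime = found
        age = (now - mtime) / DAY
        report[kind] = {"ok": age <= MAX_AGE_DAYS[kind], "age_days": round(age, 2), "path": path}
    return report


def make_sample_repository():
    """Constructed sample: a temp directory holding a 3-day-old configuration backup (fresh),
    a 2-day-old operational backup (stale) and a newer but empty operational file to ignore.
    Returns (directory, reference_time)."""
    directory = tempfile.mkdtemp(prefix="ise-repo-")
    now = time.time()
    samples = {
        "ise-pan-CFG-backup.tar.gpg": (b"x" * 64, now - 3 * DAY),
        "ise-pan-OPS-backup.tar.gpg": (b"x" * 64, now - 2 * DAY),
        "ise-pan-OPS-newer-but-empty.tar.gpg": (b"", now - 0.1 * DAY),
    }
    for name, (content, mtime) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return directory, now


if __name__ == "__main__":
    repo, now = make_sample_repository()
    for kind, result in check_freshness(repo, now).items():
        print(kind, "OK" if result["ok"] else "STALE/MISSING", result)
```

Run it from cron on the backup host and alert on any kind that is not ok; it does not decrypt or inspect the backups, so the encryption key stays wherever you recorded it.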
Backup your certificates: ISE 1.3 and above
If you are using ISE 1.3 or above, you must back up your certificates and keys manually and in a secure manner, so that you can restore them onto your Secondary Administration Node (SAN) if the Primary Administration Node (PAN) fails and you promote the SAN to PAN.
The main point to remember is that this backup must be done once all the certificates for your ISE nodes are in place, and it is not included in the configuration backup, so it is imperative that you do it. For reference, the certificate backup contains the following certificates:
- ISE Root CA Cert
- ISE Sub CA Cert
- ISE Endpoint RA Cert
- ISE OCSP Responder Cert
The backup needs to be performed from the Primary Administration Node (PAN). The following sub-section will detail how to create a repository on the CLI and perform a backup.
Creating a repository (SFTP_BAK) from global configuration mode, then adding the server's host key from EXEC mode:
repository REPO_NAME
  url sftp://IP_ADDRESS
  user USER password plain PASS
crypto host_key add host IP_ADDRESS
Once you have created the backup repository perform the backup by issuing the following commands:
application configure ise
  (select option 7: Export Internal CA Store)
  Export Repository Name: SFTP_BAK
  Enter encryption-key for export: PLAIN_PASS
After you have backed up the keys, make sure you keep them in a safe place 🙂