Taking backups is a basic but important task for any system, including Cisco ISE. In this lesson, we will learn how to back up Cisco ISE 2.7. So, let's get started.

A Cisco ISE backup is performed in four (4) steps:

  • Creating a Repository
  • Adding crypto key
  • Backing up ISE
  • Backing Up ISE Certificates

Creating a Repository

Cisco ISE supports Disk, FTP, SFTP, TFTP, NFS, CDROM, HTTP, and HTTPS repositories. We will choose SFTP because it is secure and most organizations allow it.

To create the repository, go to Administration >> System >> Maintenance >> Repository and click Add.

Repository Creating Path

Now, enter the Repository Name, Protocol, Server Name, Path, Username, and Password, and then click Submit. In my case, I entered the following:

Repository Name: BackupSFTP
Protocol: SFTP
Server Name: 192.168.2.181 (location of your SFTP server)
Path: / (root directory of sftp server)
Username & Password: rajib (sftp user credentials)

Cisco ISE Repository

Adding crypto key

After you click the Submit button while creating the SFTP repository, ISE shows the message below:

Cisco ISE SFTP Notification

So, we need to add the SFTP server's host key before the SFTP repository will work. To add the host key, log in to the CLI and run the command below:

crypto host_key add host x.x.x.x

x.x.x.x = IP address of the SFTP server.

CISCO-ISE-01/admin# crypto host_key add host 192.168.2.181
host key fingerprint added
# Host 192.168.2.181 found: line 1 type RSA
1024 5b:eb:ea:b0:c7:58:fe:23:7b:d5:01:8d:7e:c8:d3:33 192.168.2.181 (RSA)
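ISE stores whatever host key the server presents at this point, so the fingerprint it prints should be compared with the SFTP server's own public key before the repository is trusted. The following is an added example, not part of the original post or of Cisco's tooling: it recomputes the legacy MD5 colon-hex fingerprint from an OpenSSH public key line (on an OpenSSH server this is typically the content of /etc/ssh/ssh_host_rsa_key.pub, an assumption about your SFTP server) and compares it with the line ISE printed. The function names, the constructed sample key, and the 2048-bit threshold are assumptions made for the example.

```python
import base64
import hashlib
import re
import struct

MIN_RSA_BITS = 2048  # assumed local policy threshold, not an ISE setting
ISE_LINE = "1024 5b:eb:ea:b0:c7:58:fe:23:7b:d5:01:8d:7e:c8:d3:33 192.168.2.181 (RSA)"  # from the output above

def _field(data):  # RFC 4253 length-prefixed field
    return struct.pack(">I", len(data)) + data

def constructed_pub_line(bits):
    # Constructed sample: a well-formed ssh-rsa line built from made-up numbers, not a real key.
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

def _read_field(blob, offset):
    (length,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def describe_public_key(pub_line):
    # Return (key_type, rsa_bits, md5_fingerprint) for one OpenSSH public key line.
    blob = base64.b64decode(pub_line.split()[1])
    key_type, off = _read_field(blob, 0)
    bits = None
    if key_type == b"ssh-rsa":
        _exponent, off = _read_field(blob, off)
        modulus, _ = _read_field(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()  # legacy colon-hex fingerprint format
    return key_type.decode(), bits, ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_ise_line(line):
    # Parse "<bits> <fingerprint> <host> (<type>)" as shown in the ISE output.
    m = re.fullmatch(r"(\d+) ((?:[0-9a-f]{2}:){15}[0-9a-f]{2}) (\S+) \((\w+)\)", line.strip())
    if not m:
        raise ValueError("unrecognised host key line")
    return int(m.group(1)), m.group(2), m.group(3), m.group(4)

def check_host_key(ise_line, pub_line):
    # Findings are empty only when ISE pinned the server's real key and it is strong enough.
    bits, fingerprint, host, key_type = parse_ise_line(ise_line)
    _, _, real_fp = describe_public_key(pub_line)
    findings = []
    if fingerprint != real_fp:
        findings.append(f"{host}: ISE stored {fingerprint}, server key is {real_fp}")
    if key_type == "RSA" and bits < MIN_RSA_BITS:
        findings.append(f"{host}: {bits}-bit RSA host key is below {MIN_RSA_BITS} bits")
    return findings
```

Call `check_host_key(ISE_LINE, <public key line copied from the SFTP server>)`; an empty list means the stored fingerprint matches and the key meets the assumed size threshold.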

Backing up ISE

To take the backup, go to Administration >> System >> Backup & Restore and click Backup Now.

Cisco ISE Backup Path

Here, we can take two (2) types of backup: a Configuration backup and an Operational backup.

Configuration backup: It contains configuration data.
Operational backup: It contains monitoring & troubleshooting data.

We need to take both backups. To do that (after clicking Backup Now), enter the Backup Name, Type, Repository Name, and Encryption key, and then click Start Backup. Keep the encryption key in a safe place, because it is required to restore the backup.

Below are my settings for Configuration backup-
Backup Cisco ISE configuration

Below are my settings for Operational backup-
Backup Cisco ISE operational

If everything is OK, you will see the progress as shown below:

Cisco ISE Backup through SFTP Config Progress

Within the next few minutes, the Cisco ISE backup files will appear in your SFTP root directory. How long it takes depends on the configuration of the ISE.

Backing Up ISE Certificates

To back up the ISE certificates, log in to the CLI and run the command below:

application configure ise

Then select option 7 and fill in the requested data.

CISCO-ISE-01/admin# application configure ise

Selection ISE configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Exit

7
Export Repository Name: BackupSFTP
Enter encryption-key for export: CiscoISE123

log4j:WARN No appenders could be found for logger (org.springframework.core.env.StandardEnvironment).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Integritycheck Openssl digest output from verification with Swims release key: Verified OK
Integritycheck Output: Verified signature of integritycheck program with Swims release key
Integritycheck Output: Verified signature of integritycheck.sums file with Swims release key
Integritycheck PASSED
Inside Session facade init
In the init method of PDPFacade
Time taken for NSFAdminServiceFactory to load8947
Export in progress...

The following 5 CA key pairs were exported to repository 'BackupSFTP' at 'ise_ca_key_pairs_of_CISCO-ISE-01':
        Subject:CN=Certificate Services Root CA - CISCO-ISE-01
        Issuer:CN=Certificate Services Root CA - CISCO-ISE-01
        Serial#:0x7aa7beb7-adad4fbd-868cd5b7-17f48a18

        Subject:CN=Certificate Services Node CA - CISCO-ISE-01
        Issuer:CN=Certificate Services Root CA - CISCO-ISE-01
        Serial#:0x7df61d4e-dbd14e46-b5751fd0-8168a876

        Subject:CN=Certificate Services Endpoint Sub CA - CISCO-ISE-01
        Issuer:CN=Certificate Services Node CA - CISCO-ISE-01
        Serial#:0x7fde313d-50bf41ee-b80df5de-d21cf653

        Subject:CN=Certificate Services Endpoint RA - CISCO-ISE-01
        Issuer:CN=Certificate Services Endpoint Sub CA - CISCO-ISE-01
        Serial#:0x18c59d99-c8114d79-a3690255-64293510

        Subject:CN=Certificate Services OCSP Responder - CISCO-ISE-01
        Issuer:CN=Certificate Services Node CA - CISCO-ISE-01
        Serial#:0x1c51e21f-1a0043a2-91efc035-24fa1883

ISE CA keys export completed successfully

So, this is how to back up Cisco ISE 2.7. If you have any questions, please don't hesitate to ask.

Reference: Cisco ISE administration guide.

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 8+ years of experience in multi-vendor environments. In my current position, I am responsible for taking care of critical projects and their support cases. I have several vendor certificates and plan to go further.
