How to backup Cisco ISE 2.7

Cisco Nexus Training – Go from Beginner to Advanced!
VDC, VPC, OTV, FRX, and many more…
Click Here

Taking the backup is one of the basic but important task for any system including Cisco ISE. In this lesson, we will learn, how to backup Cisco ISE 2.7. So, let’s get started.

Performing Cisco ISE backup, will be done in four (4) steps. These are-

  • Creating a Repository
  • Adding crypto key
  • Backing up ISE
  • Backing Up ISE Certificates

Creating a Repository

Cisco ISE allow to create Disk, FTP, SFTP, TFTP, NFS, CDROM, HTTP, HTTPS repository. We will choose SFTP, it’s because SFTP is secure and most of the organization allows SFTP.

To create the repository, we need to go Administration >> System >> Maintenance >> Repository and click Add.

Repository Creating Path

Now, add Repository Name, Protocol, Server Name, Path, USername and Password; and then click Submit. In my case, i added like below-

Repository Name: BackupSFTP
Protocol: SFTP
Server Name: 192.168.2.181 (location of your SFTP server)
Path: / (root directory of sftp server)
Username & Password: rajib (sftp user credentials)

Cisco ISE Repository

Adding crypto key

After clicking Submit button during repository creation for SFTP, it will show below message-

Cisco ISE SFP Notification

So, we need to create host key, to work with SFTP repository. To create the host key, login to cli and run below command-

crypto host_key add host x.x.x.x

x.x.x.x = IP address of the SFTP server.

CISCO-ISE-01/admin# crypto host_key add host 192.168.2.181
host key fingerprint added
# Host 192.168.2.181 found: line 1 type RSA
1024 5b:eb:ea:b0:c7:58:fe:23:7b:d5:01:8d:7e:c8:d3:33 192.168.2.181 (RSA)

Backing up ISE

To take the backup, we need to go Administration >> System >> Backup & Restore >> and click Backup Now.

Cisco ISE Backup Path

Here, we can take two (2) types of backup, one Configuration backup and other Operational backup.

Configuration backup: It contains configuration data.
Operational backup: It contains monitoring & troubleshooting data.

We need to take backup for both. To do that (after clicking Backup Now), we need to add Backup Name, Type, Repository Name, Encryption key and then click Start Backup.

Below are my settings for Configuration backup-
Backup Cisco ISE configuration

Below are my settings for Operational backup-
Backup Cisco ISE operational

If everything OK, you will be able to see the progress just like below-

Cisco USE Backup through SFTP Config Progress

Within next few minutes you will be able to see Cisco ISE backup files in your SFTP root directory. How much time it will take, it depends on the configuration of the ISE.

Backing Up ISE Certificates

To perform ISE certification backup, you need to login CLI and run below command-

application configure ise

Then you need to select option 7 and fill all the data accordingly.

CISCO-ISE-01/admin# application configure ise

Selection ISE configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Exit

7
Export Repository Name: BackupSFTP
Enter encryption-key for export: CiscoISE123

log4j:WARN No appenders could be found for logger (org.springframework.core.env.StandardEnvironment).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Integritycheck Openssl digest output from verification with Swims release key: Verified OK
Integritycheck Output: Verified signature of integritycheck program with Swims release key
Integritycheck Output: Verified signature of integritycheck.sums file with Swims release key
Integritycheck PASSED
Inside Session facade init
In the init method of PDPFacade
Time taken for NSFAdminServiceFactory to load8947
Export in progress...

The following 5 CA key pairs were exported to repository 'BackupSFTP' at 'ise_ca_key_pairs_of_CISCO-ISE-01':
        Subject:CN=Certificate Services Root CA - CISCO-ISE-01
        Issuer:CN=Certificate Services Root CA - CISCO-ISE-01
        Serial#:0x7aa7beb7-adad4fbd-868cd5b7-17f48a18

        Subject:CN=Certificate Services Node CA - CISCO-ISE-01
        Issuer:CN=Certificate Services Root CA - CISCO-ISE-01
        Serial#:0x7df61d4e-dbd14e46-b5751fd0-8168a876

        Subject:CN=Certificate Services Endpoint Sub CA - CISCO-ISE-01
        Issuer:CN=Certificate Services Node CA - CISCO-ISE-01
        Serial#:0x7fde313d-50bf41ee-b80df5de-d21cf653

        Subject:CN=Certificate Services Endpoint RA - CISCO-ISE-01
        Issuer:CN=Certificate Services Endpoint Sub CA - CISCO-ISE-01
        Serial#:0x18c59d99-c8114d79-a3690255-64293510

        Subject:CN=Certificate Services OCSP Responder - CISCO-ISE-01
        Issuer:CN=Certificate Services Node CA - CISCO-ISE-01
        Serial#:0x1c51e21f-1a0043a2-91efc035-24fa1883

ISE CA keys export completed successfully

So, this is how to backup Cisco ISE 2.7. If you have any question, please don’t hesitate to ask.

Reference: Cisco ISE administration guide.
Free SFTP server: https://www.solarwinds.com/free-tools/free-sftp-server

Related posts:

  1. How to configure TACACS+ on Cisco IOS XR
  2. How to configure SNMP v2c in Cisco IOS Devices
  3. How to configure SNMP v3 in Cisco IOS Devices
  4. How to configure Netflow on Cisco IOS XR
  5. Activating Licenses and Subscriptions in Palo Alto Firewalls
  6. How to configure PBR in Cisco Nexus switches
  7. How to configure VLAN on Cisco Catalyst Switch
  8. How to configure HSRP on Cisco – Basic to Advanced

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 8+ years of experience in multi-vendor environment. In my current position, I am responsible to take care critical projects and it's support cases. I do have several vendor certificates and have plans to go further.

This article has 14 comments

  1. Abdullah Almisfer Reply

    If you could be extra nice and include the SFTP software you used,

    it would be perfect

    thanks

    • Rajib Kumer Das Reply

      Hi, you need to go Administration >> System >> Backup & Restore page. In the bottom of the page, you will find Restore option.

      Very soon I will write a tutorial on this. Hope, that will help.

  6. Desmond Lee Reply

    Hi, those interface settings, the IP address, etc configured via the CLI initially, are they part of the “configuration backup” ? Or do I need to login to CLI and do a “show run” and backup the configuration ?

    Thanks,

    Desmond

    • Rajib Kumer Das Reply

      Hi Desmond,

      “Repository” is where you are sending your backup files. If there is any existing repository, you do not need to create one.

  7. Edinson Reply

    Hi Rajib Kumer Das,

    When when run show repository backup2 in CLI ise version 2.7 i am getting this error message

    %ERROR: Repository backup2 could not be accessed. In case backup was Restore on different setup, please reconfigure the repository password (expected behavior)
    % SSH connect error

    This could be an issue with solarwind configuration or compatibility with between solarwind and ise 2.7 ?

Leave a Comment

Your email address will not be published. Required fields are marked *