Cisco Identity Services Engine (ISE) handles access to network devices. It is often configured to use TACACS Authentication and Command Authorization to decide which user is allowed to run which commands on (a group of) devices, often in combination with LDAP integration (AD) as an external identity source.
Besides ISE itself, a bare metal server (or VM) appliance is needed to run the software. Cisco offers “Secure Network Server” (SNS) hardware which is based on their “Unified Computing System” (UCS).
To update BIOS and FW, make sure to download the right combination of BIOS binary and Host Upgrade Utility “HUU” ISO, e.g.
SNS-37xx-BIOS-4-3-4d_ISE.cap
SNS-37xx-HUU-4.3.5.xxxx_ISE.iso
Matching versions are listed on the Cisco ISE Downloads site.
First, install the BIOS firmware from the BMC (or “CIMC”). This option can be found via Admin > Firmware Management in the left menu.
The HUU updates the BMC and other firmware. Its ISO can be mapped as Virtual Media and booted remotely using the KVM Console. For the boot menu, press “F6” in the BIOS during boot. Alternatively, add “KVM MAPPED DVD” in the tab “Configure Boot Order” (Advanced) in the Compute menu on the left. You can then select it as Boot Device in the KVM Console popup, and it will boot without having to wait for the BIOS.
A generic UCS (non-SNS) HUU will not work. If you get secure boot errors, make sure you have the SNS variants of BIOS and HUU and that their versions match.
The next step is updating the pre-installed ISE software to the latest version by installing an upgrade/patch bundle tarball. This can be done via the ISE web GUI or CLI. For small ISE deployments, use a local repository, where you upload the archive file to local disk.
If needed, a full ISE ISO can also be installed (again, using virtual media in KVM popup).
Now “all” that is left, is actually configuring ISE :)
⚠ Note that the server can be used for ISE only, e.g. running Linux or ESXi will not work (due to secure boot).