Backup and Restore Repositories
Cisco ISE allows you to create and delete repositories through the administrator portal. You can create the following types of repositories:
- DISK
- FTP
- SFTP
- NFS
- CD-ROM
- HTTP
- HTTPS
Note: Repositories are local to each device.
We recommend a repository size of at least 100 GB for all deployment types (small, medium, and large).
Create Repositories
You can use the CLI or the GUI to create repositories. We recommend that you use the GUI for the following reasons:
- Repositories that are created through the CLI are saved locally and are not replicated to the other deployment nodes. These repositories are not listed on the GUI's Repository page.
- Repositories that are created on the primary PAN are replicated to the other deployment nodes.
The keys are generated only on the primary PAN through the GUI, so after an upgrade you must generate the keys again in the GUI of the new primary admin node and export them to the SFTP server. If you remove nodes from your deployment, you must generate the keys in the GUI of the non-admin nodes and export them to the SFTP server.
You can configure an SFTP repository in Cisco ISE with RSA public key authentication. Instead of using an administrator-created password to encrypt the database and logs, you can choose RSA public key authentication, which uses secure keys. For an SFTP repository that uses RSA public key authentication, repositories created through the GUI are not replicated to the CLI, and repositories created through the CLI are not replicated to the GUI. To configure the same repository in both the CLI and the GUI, generate RSA public keys from both the CLI and the GUI and export both keys to the SFTP server.
Before you begin
- To perform the following task, you must have the privileges of either a Super Admin or System Admin.
- If you want to create an SFTP repository with RSA public key authentication, perform the following steps:
  - Enable RSA public key authentication in the SFTP repository.
  - You must log in as the Admin CLI user. Enter the host key of the SFTP server from the Cisco ISE CLI using the crypto host_key add command. The host key string must match the hostname that you enter in the Path field of the repository configuration page.
  - Generate the key pairs and export the public key to your local system from the GUI. From the Cisco ISE CLI, generate the key pairs using the crypto key generate rsa passphrase test123 command, where the passphrase must be more than four characters long, and export the keys to any repository (local disk or any other configured repository).
  - Copy the exported RSA public key to the PKI-enabled SFTP server and add it to the "authorized_keys" file.
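The server-side counterpart of the last step above (adding the exported key to authorized_keys), as an added shell example that is not from the Cisco guide: the function accepts only an OpenSSH-format RSA public key, sets the directory and file permissions that sshd's StrictModes expects, and adds each key only once, so the separate CLI and GUI keys of a node each get exactly one entry. The authorized_keys path and the key values are constructed for this example.

```shell
#!/bin/sh
# Added example: install an exported Cisco ISE RSA public key into an SFTP
# account's authorized_keys file. Paths and key values are constructed here.

# install_ise_pubkey <authorized_keys path> "<public key line>"
# Returns 0 when the key is present afterwards, 1 for a malformed key,
# 2 when the key file or its directory cannot be written.
install_ise_pubkey() {
    keyfile=$1
    pubkey=$2

    # Only an OpenSSH-format RSA public key is accepted: "ssh-rsa <base64> [comment]".
    case "$pubkey" in
        "ssh-rsa "*) ;;
        *) echo "rejected: key does not start with ssh-rsa" >&2; return 1 ;;
    esac
    blob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    if ! printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
        echo "rejected: key body is not base64" >&2
        return 1
    fi

    # sshd (StrictModes yes) ignores an authorized_keys file that others can read or write.
    keydir=$(dirname "$keyfile")
    mkdir -p "$keydir" && chmod 700 "$keydir" || return 2
    touch "$keyfile" && chmod 600 "$keyfile" || return 2

    # Idempotent: match on key type and body only, so the same key re-exported
    # with a different comment does not create a duplicate entry.
    typeblob=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if awk -v t="$typeblob" '($1 " " $2) == t { found = 1 } END { exit !found }' "$keyfile"; then
        echo "already present in $keyfile: $typeblob"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$keyfile" || return 2
    echo "installed into $keyfile: $typeblob"
}

# Number of RSA keys currently installed; the guide expects two per ISE node
# (one exported from the CLI, one from the GUI).
count_ise_keys() {
    grep -c '^ssh-rsa ' "$1" || true
}
```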
Procedure
Step 1: Choose Administration > System > Maintenance > Repository.
Step 2: Click Add to add a new repository.
Step 3: Enter the values as required to set up the new repository. See Repository Settings for a description of the fields.
Step 4: Click Submit to create the repository.
Step 5: Verify that the repository was created successfully by clicking Repository in the Operations navigation pane on the left, or by clicking the Repository List link at the top of the Repository window to go to the repository listing page.
What to do next
- Ensure that the repository that you have created is valid. You can do so from the Repository Listing window: select the repository and click Validate. Alternatively, run the following command from the Cisco ISE command-line interface:
  show repository repository_name
  where repository_name is the name of the repository that you have created.
  Note: If the path that you provided while creating the repository does not exist, you will get the following error:
  %Invalid Directory
- Run an on-demand backup or schedule a backup.
Repository Settings
| Field | Usage Guidelines |
|---|---|
| Repository | Enter the name of the repository. Alphanumeric characters are allowed and the maximum length is 80 characters. |
| Protocol | Choose one of the available protocols that you want to use. |
| Server Name | (Required for TFTP, HTTP, HTTPS, FTP, SFTP, and NFS) Enter the hostname or IPv4 address of the server where you want to create the repository. |
| Path | Enter the path to your repository. The path must be valid and must exist at the time you create the repository. This value can start with two forward slashes (//) or a single forward slash (/) denoting the root directory of the server. However, for the FTP protocol, a single forward slash (/) denotes the FTP home directory, not the root directory of the server. |
| Enable PKI authentication | (Optional; applicable only to SFTP repositories) Check this check box if you want to enable RSA public key authentication for the SFTP repository. |
| User Name | (Required for FTP, SFTP, and NFS) Enter the username that has write permission on the specified server. A username can contain alphanumeric characters and the characters _-. /@\$. |
| Password | (Required for FTP, SFTP, and NFS) Enter the password that will be used to access the specified server. Passwords can consist of the following characters: 0 to 9, a to z, A to Z, -, ., \|, @, #, $, ^, &, *, (, ), +, and =. |
Enable RSA Public Key Authentication in SFTP Repository
On the SFTP server, each node must have two RSA public keys, one for the CLI and one for the GUI. To enable RSA public key authentication for the SFTP repository, perform the following steps:
Note: After you enable RSA public key authentication for the SFTP repository, you will no longer be able to log in using SFTP credentials. You can use either PKI-based authentication or credential-based authentication. If you want to use credential-based authentication again, you must remove the public key pair from the SFTP server.
Procedure
Step 1: Log in to the SFTP server with an account that has permission to edit the /etc/ssh/sshd_config file.
Step 2: Enter the vi /etc/ssh/sshd_config command. The contents of the sshd_config file are displayed.
Step 3: Remove the "#" symbol from the following lines to enable RSA public key authentication: