Phase 3: Restore from Backup

Stage Patch on NAS (while restore runs)

# Ensure Vault SSH cert is valid
ssh-keygen -L -f ~/.ssh/id_ed25519_vault-cert.pub | grep -E 'Valid|Principal'

# If expired, reissue (requires dsource d000 dev/vault):
vault write -field=signed_key ssh/sign/domus-client \
  public_key=@$HOME/.ssh/id_ed25519_vault.pub \
  valid_principals="evanusmodestus,adminerosado" \
  >| ~/.ssh/id_ed25519_vault-cert.pub

# Stage patch directly to NAS
rsync -avP ~/Downloads/ise-patchbundle-3.5.0.527-Patch3-26040703.SPA.x86_64.tar.gz \
  nas-01:/volume1/ise_backups/
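Added pre-flight check for the Vault cert step above (example script written for this runbook, not part of the original procedure or of any Cisco or HashiCorp tooling). It parses the text that ssh-keygen -L prints, reports whether the certificate is usable right now, and confirms that the principals the NAS expects are actually in it, so the reissue branch is taken before rsync fails halfway through. The cert path and principal names are the runbook's; the sample ssh-keygen output and timestamps are constructed.

```shell
# cert_status NOW INFO
#   NOW  - current UTC time as YYYY-MM-DDTHH:MM:SS, the same fixed-width form
#          ssh-keygen prints, so plain string comparison orders correctly
#   INFO - full output of `ssh-keygen -L -f <cert>`
# Prints one of: forever | valid | expired | not-yet-valid | unknown
cert_status() {
  now=$1
  info=$2
  # Expected line: "Valid: from 2026-06-07T09:00:00 to 2026-06-08T09:00:00"
  # or             "Valid: forever"
  printf '%s\n' "$info" | awk -v now="$now" '
    $1 == "Valid:" {
      if ($2 == "forever") { print "forever";       found = 1; exit }
      if (now < $3)        { print "not-yet-valid"; found = 1; exit }
      if (now >= $5)       { print "expired";       found = 1; exit }
      print "valid"; found = 1; exit
    }
    END { if (!found) print "unknown" }'
}

# cert_has_principals INFO PRINCIPAL...
#   Returns 0 if every named principal appears in the "Principals:" block,
#   1 otherwise (missing ones are reported on stderr).
cert_has_principals() {
  info=$1
  shift
  listed=$(printf '%s\n' "$info" | awk '
    /^[[:space:]]*Principals:/       { inblock = 1; next }
    /^[[:space:]]*Critical Options:/ { inblock = 0 }
    inblock && NF                    { print $1 }')
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$listed" | grep -qx -- "$want"; then
      echo "missing principal: $want" >&2
      rc=1
    fi
  done
  return $rc
}

# check_vault_cert CERT_PATH PRINCIPAL...
#   Runs ssh-keygen -L on the real certificate and applies both checks.
#   Runbook usage (hypothetical wrapper name):
#     check_vault_cert ~/.ssh/id_ed25519_vault-cert.pub evanusmodestus adminerosado \
#       || echo "reissue with: vault write -field=signed_key ssh/sign/domus-client ..."
check_vault_cert() {
  cert=$1
  shift
  info=$(ssh-keygen -L -f "$cert") || return 2
  status=$(cert_status "$(date -u +%Y-%m-%dT%H:%M:%S)" "$info")
  echo "certificate status: $status"
  [ "$status" = valid ] || [ "$status" = forever ] || return 1
  cert_has_principals "$info" "$@"
}

# Constructed sample of `ssh-keygen -L` output (fingerprints and dates are
# placeholders, not from a real certificate).
SAMPLE_INFO='/home/user/.ssh/id_ed25519_vault-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:constructed-key-fingerprint
        Signing CA: ED25519 SHA256:constructed-ca-fingerprint (using ssh-ed25519)
        Key ID: "constructed-key-id"
        Serial: 1
        Valid: from 2026-06-07T09:00:00 to 2026-06-08T09:00:00
        Principals:
                evanusmodestus
                adminerosado
        Critical Options: (none)
        Extensions:
                permit-pty'
```

Because the cert lifetime from Vault is short, run the check immediately before the rsync rather than at the start of the phase; a certificate that was valid when the restore was kicked off can expire while it runs.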

Configure NAS Repository on ISE CLI

configure terminal
repository nas-01
  url nfs://10.50.1.70:/volume1/ise_backups
exit

Verify Repository

show repository nas-01

Expect to see: pre-rotation-2026-06-CFG10-260607-0942.tar.gpg and the Patch 3 file.

Get Encryption Key

dsource d000 dev/storage
echo $ISE_BACKUP_KEY

Restore

restore pre-rotation-2026-06-CFG10-260607-0942.tar.gpg repository nas-01 encryption-key plain <KEY>

ISE will:

  1. Download backup from NAS

  2. Decrypt and extract

  3. Leave the current AD domain (expected — rejoin later)

  4. Stop services, restore database

  5. Reboot automatically

Known Warnings During Restore (Safe to Ignore)

  • Leaving the currently connected AD domain — expected, rejoin from GUI after

  • here-document delimited by end-of-file (wanted 'EOF') — Cisco script bug, cosmetic

  • cp: cannot stat '*.yaml': No such file or directory — missing connector configs from backup, harmless

  • ignitecontrol.sh: No such file or directory — transient
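Added triage helper for a captured restore log (example written for this runbook, not Cisco's script and not part of the original procedure). It drops the four warnings listed above as fixed strings and prints anything else that reads like a warning or error, returning non-zero so a wrapper can stop before the AD rejoin if the restore threw something undocumented. The log lines are constructed for illustration, not real ISE output.

```shell
# Fixed-string patterns for the warnings this runbook documents as harmless.
KNOWN_BENIGN="Leaving the currently connected AD domain
here-document delimited by end-of-file (wanted 'EOF')
cp: cannot stat '*.yaml': No such file or directory
ignitecontrol.sh: No such file or directory"

# triage_restore_log LOGFILE
#   Prints unexpected warning/error lines prefixed with UNEXPECTED:.
#   Returns 0 if only documented warnings are present, 1 otherwise.
triage_restore_log() {
  logfile=$1
  pat=$(mktemp)
  printf '%s\n' "$KNOWN_BENIGN" > "$pat"
  # Candidate lines: anything that reads like a warning or error. The known
  # benign messages are then removed as fixed strings, so the '*' in the cp
  # message is literal. '|| true' keeps a clean log from looking like failure.
  unexpected=$(grep -iE 'warn|error|fail|fatal|cannot|no such' -- "$logfile" \
                 | grep -vFf "$pat" || true)
  rm -f "$pat"
  if [ -n "$unexpected" ]; then
    printf '%s\n' "$unexpected" | sed 's/^/UNEXPECTED: /'
    return 1
  fi
  echo "restore log clean: only documented warnings present"
  return 0
}

# Constructed sample log: the four documented warnings, one ordinary progress
# line, and one line that should be flagged.
SAMPLE_RESTORE_LOG="% Leaving the currently connected AD domain
warning: here-document delimited by end-of-file (wanted 'EOF')
cp: cannot stat '*.yaml': No such file or directory
ignitecontrol.sh: No such file or directory
Restoring database ... done
ERROR: checksum mismatch on backup archive (constructed unexpected line)"
```

Capture the restore session with script or the terminal's logging before issuing the restore command, then run triage_restore_log on the saved file; new warning text from a future ISE patch shows up as UNEXPECTED and can be added to KNOWN_BENIGN once it has been reviewed.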

Remove Stale SSH Host Key

A fresh ISE install generates new host keys. SSH will refuse to connect with a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning. Remove the old entry:

# For user SSH
ssh-keygen -R ise-01.inside.domusdigitalis.dev

# For sudo SSH (root's known_hosts is separate)
sudo ssh-keygen -R ise-01.inside.domusdigitalis.dev

This is expected after every rotation — the host key changes with each fresh ISE install. It is NOT a man-in-the-middle attack. Verify by checking that the IP resolves correctly: dig ise-01.inside.domusdigitalis.dev +short should return 10.50.1.20.

Wait for Services (15-20 minutes)

show application status ise

Wait until Application Server shows running.

Verify Restored Configuration

dsource d000 dev/network

# Check NADs restored
netapi ise api-call ers GET '/ers/config/networkdevice?size=100' --target ise-01 \
  | jq '.SearchResult.total'

# Check policy sets restored
netapi ise get-policy-sets --target ise-01 | head -20

# Check AD join point exists (will need rejoin)
netapi ise api-call ers GET '/ers/config/activedirectory' --target ise-01 \
  | jq '.SearchResult.total'
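Added verification helper for the three checks above (example written for this runbook, not part of netapi or the original procedure). Rather than eyeballing the jq output, it reads SearchResult.total from an ERS list response with sed (so it also works on a jump host without jq), compares it with a count recorded before rotation, and fails when a resource class came back empty or smaller than the baseline. The baseline file path ~/ise-baseline.txt and its "resource count" line format are assumptions; the JSON responses are constructed.

```shell
# ers_total JSON
#   Prints SearchResult.total from an ERS list response, or "missing" when the
#   response carries no total (API not up yet, auth failure, error body).
ers_total() {
  t=$(printf '%s' "$1" \
      | sed -n 's/.*"total"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
      | head -n 1)
  if [ -n "$t" ]; then printf '%s\n' "$t"; else printf 'missing\n'; fi
}

# check_restored JSON BASELINE LABEL
#   Returns 0 when the restored count is non-zero and at least the baseline,
#   1 otherwise, with a one-line reason for the operator.
check_restored() {
  json=$1
  baseline=$2
  label=$3
  total=$(ers_total "$json")
  if [ "$total" = missing ]; then
    echo "$label: no SearchResult.total in response (API not up or restore incomplete)"
    return 1
  fi
  if [ "$total" -eq 0 ]; then
    echo "$label: 0 objects restored (baseline $baseline)"
    return 1
  fi
  if [ "$total" -lt "$baseline" ]; then
    echo "$label: $total objects restored, baseline was $baseline"
    return 1
  fi
  echo "$label: $total objects (baseline $baseline) OK"
}

# verify_restore [BASELINE_FILE]
#   Baseline file (assumed format, one per line): "<ers resource> <count>",
#   e.g. "networkdevice 42", written before the rotation with the same calls.
#   Queries each resource through netapi as in the runbook and applies
#   check_restored; returns 1 if any class fails.
verify_restore() {
  baseline_file=${1:-$HOME/ise-baseline.txt}
  rc=0
  while read -r resource expected; do
    [ -n "$resource" ] || continue
    json=$(netapi ise api-call ers GET "/ers/config/$resource?size=100" --target ise-01)
    check_restored "$json" "$expected" "$resource" || rc=1
  done < "$baseline_file"
  return $rc
}
```

The AD join point check stays in this loop with its pre-rotation count, but a restored join point is not a joined one: the rejoin from the GUI is still required after the counts match.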