topic Re: Deployment of Cisco ISE services in a Global Scale in Network Access Control

Deployment of Cisco ISE services in a Global Scale

laurathaqi — Wed, 19 May 2021 18:04:01 GMT

Dear community,

Based on what I have seen when integrating Cisco ISE in an existing network, configurations are done device per device such as Switch, Router, ASA etc. I feel this can get overwhelming when having more than 100 devices of such to integrate with services like 802.1x, Posture, TACACS etc.

My question is as following: What is the process that you guys follow to integrate 802.1x into 100 network devices, that do cover +1L users.

The process I have applied so far has been for small number of devices and was able to manage it, but I think there must be some best practices that Engineers usually follow as part of the process for the tasks that are applied during the integration.

The process I have applied is: Deployment of the ISE machines, add small number of NADs for test purposes, connect some test PCs for test also. when all configs seems right, Apply GPO for the Supplicants.

I would like to know if you guys also do limit the GPO level of for example 802.1x to specific users and then if all configs correct, apply it for the whole company!

Any though, ideas, recommendation would be highly appreciated since it would help me towards definition of the strategy.

Thank you,

Laura

Re: Deployment of Cisco ISE services in a Global Scale

balaji.bandi — Wed, 19 May 2021 18:37:56 GMT

that do cover +1L users.

can you give the number +1L means 100000 users? all in the same Location or geolocation?

Re: Deployment of Cisco ISE services in a Global Scale

Damien Miller — Wed, 19 May 2021 18:38:30 GMT

I feel it's all relative to what you become accustomed to. I find it routine to deploy dot1x/mab and trustsec configurations to a hundred NADs and 10k+ access ports in a night. It took time to get to this level, and we also developed our own in house tooling to be able to scale. It doesn't get rid of all the prep and environment specific set up, but once through the testing, away I go.

With that in mind I follow the same process as you. Start with a lab poc/test, move on to a production pilot, and once everyone is happy, begin a full scale production roll out.

The piece I advocate as a best practice is consistency. Only deploy to tested network platforms, and only if they are running tested/certified software. A known good enables efficiency with automation and a baseline behavior.

The other pseudo best practice I advocate as well as many ISE presentations is to focus on the framework. Build the advanced use cases in layers/phases and essentially only bite off manageable pieces at any one time.

Re: Deployment of Cisco ISE services in a Global Scale

laurathaqi — Thu, 20 May 2021 05:38:57 GMT

Hi @balaji.bandi

Apologies, I meant +1K users.

Thank you,

Laura

Re: Deployment of Cisco ISE services in a Global Scale

balaji.bandi — Thu, 20 May 2021 08:46:22 GMT

then you are good in the approach, deploy, Monitor, restrict mode, posture and so on..