
Cisco ISE

Imran Ahmad
Level 2

Hi Everyone,


We are a small company with 400 users and currently we are using ACS 4.2 at our company. We want to upgrade and use a Cisco ISE appliance instead.


I want to know: are there any major changes in configuration between ACS 4.2 and the latest ISE version?


Are there any hardware (switch or Cisco AP) compatibility issues with using Cisco ISE? (We are currently using Cisco Cat 3550 and Cisco Aironet 2600 APs with the existing ACS 4.2.)


What ISE series and what software version are the latest so I can order?

Thank You

8 Replies

Amjad Abdullah
VIP Alumni

Salam Imran,

Yes, there is a big change in how ISE and ACS 4.2 are configured.

There is no direct migration from 4.2 to ISE; you need to migrate from 4.2 to 5.x, then migrate from 5.x to ISE.

Check this:

http://www.cisco.com/en/US/docs/security/ise/1.1/migration_guide/ise_mig_undst_tool.html

It is worth mentioning that migration from ACS 4.x to 5.x does not migrate all config. It migrates some of it (usernames, identity groups, devices, device groups, etc.), but the policies are not necessarily migrated.

Check what is being migrated on this link:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/migrate.html#wp1057975

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

You should be running at least v12.2(44)SE on the switches and 7.2.103.0 on the WLC.

Check this compatibility list:

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html

Thank you Amjad and Philip

One question: we currently have Cisco Aironet access points in our network. Is a WLC needed for an ISE deployment, or can the Aironet APs work with ISE? Please advise.

As it is stated on the Cisco website that ISE does not have TACACS+ functionality, then for device-management purposes companies should use ACS, and for other AAA/NAC services should use ISE?

My question is: should both products be used to have multiple services, TACACS+ and RADIUS?

You cannot use autonomous access points with ISE, only lightweight (using a WLC).

The second question someone else has to answer. I just learned this week that admin access to devices is not yet fully implemented with ISE, so we have to use our old ACS for that.

edondurguti
Level 4

In my company we use both ACS and ISE. Well, we had ACS originally, but we have to keep it for autonomous APs and TACACS+. Cisco said they will be adding TACACS+ to ISE, but that would be in the future.

manjeets
Level 3

Hello Imran,

There is a big change in how ISE and ACS 4.2 are configured.

There is no direct migration from 4.2 to ISE; you need to migrate from 4.2 to 5.x, then migrate from 5.x to ISE.

Below is the link to the devices that are supported by Cisco ISE.

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html

Venkatesh Attuluri
Cisco Employee

The basic function of ACS is AAA. ISE is a combination of ACS and NAC with advanced features.

If you want to migrate from ACS to ISE, Cisco ISE supports data migration from Cisco Secure ACS 5.1 and 5.2 using the Cisco Secure ACS-ISE 1.0.4 Migration Tool.

The hardware for the Cisco ISE is the same as the hardware for the Cisco 1121 Secure Access Control System (ACS). The ISE also supports VMware.

Cisco Secure ACS capabilities are available in the Base software version of the Identity Services Engine. Cisco is offering a 50% discount on the Base migration SKUs.

The latest version of software for ISE is 1.1.3; 1.1.3 does not support TACACS+.

For the minimum requirements for WLC and switch models, refer to the following links:

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html

http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

harvisin
Level 3

Hello Imran,

For your first question:

We currently have Cisco Aironet access points in our network. Is a WLC needed for an ISE deployment, or can the Aironet APs work with ISE?

The answer is yes, you need to have a WLC for the ISE deployment; it is recommended.

For your second question:

Until now, ISE does not have support for TACACS+ functionality, so you can use ACS in your network for that purpose, but the rest of the network should be managed by ISE.