05-19-2021 11:04 AM
Dear community,
Based on what I have seen when integrating Cisco ISE into an existing network, configurations are done device by device (switch, router, ASA, etc.). I feel this can get overwhelming when there are more than 100 such devices to integrate with services like 802.1X, Posture, TACACS, etc.
My question is as follows: what is the process that you guys follow to integrate 802.1X into 100 network devices that cover +1L users?
The process I have applied so far has been for a small number of devices, and I was able to manage it, but I think there must be some best practices that engineers usually follow as part of the process for the tasks that are applied during the integration.
The process I have applied is: deployment of the ISE machines, adding a small number of NADs for test purposes, and connecting some test PCs for testing as well. When all configs seem right, apply the GPO for the supplicants.
I would like to know if you guys also limit the GPO scope (for example, of 802.1X) to specific users and then, if all configs are correct, apply it to the whole company!
Any thoughts, ideas, or recommendations would be highly appreciated, since they would help me define the strategy.
Thank you,
Laura
05-20-2021 01:46 AM
Then you are good with the approach: deploy, monitor, restrict mode, posture, and so on.
05-19-2021 11:37 AM
that do cover +1L users.
Can you give the number? Does +1L mean 100,000 users? Are they all in the same location or geolocation?
05-19-2021 10:38 PM
05-20-2021 01:46 AM
then you are good in the approach, deploy, Monitor, restrict mode, posture and so on..
05-19-2021 11:38 AM
I feel it's all relative to what you become accustomed to. I find it routine to deploy dot1x/MAB and TrustSec configurations to a hundred NADs and 10k+ access ports in a night. It took time to get to this level, and we also developed our own in-house tooling to be able to scale. It doesn't get rid of all the prep and environment-specific setup, but once through the testing, away I go.
With that in mind, I follow the same process as you. Start with a lab POC/test, move on to a production pilot, and once everyone is happy, begin a full-scale production rollout.
The piece I advocate as a best practice is consistency. Only deploy to tested network platforms, and only if they are running tested/certified software. A known good enables efficiency with automation and a baseline behavior.
The other pseudo best practice I advocate, as do many ISE presentations, is to focus on the framework. Build the advanced use cases in layers/phases and essentially only bite off manageable pieces at any one time.
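To make the gating and phasing described in this thread concrete (the original post's test-first process, and the advice above to deploy only to tested platforms on certified software, pilot first, then in manageable batches), here is an added example that is not code from the thread, from Cisco ISE, or from any poster's tooling: a small Python pre-flight that checks a NAD inventory against a known-good baseline and splits the eligible devices into rollout waves. The CERTIFIED baseline, the INVENTORY, the site names and the batch size are constructed assumptions standing in for your own data.

```python
# Added example (not from the original thread): pre-flight gate plus wave
# planner for a phased 802.1X rollout. CERTIFIED and INVENTORY are constructed
# sample data standing in for your tested-platform baseline and NAD inventory.

# Constructed baseline: platform -> software versions that passed lab/pilot testing
CERTIFIED = {
    "C9300": {"17.6.4", "17.9.3"},
    "C9200L": {"17.6.4"},
}

# Constructed NAD inventory (name, platform, software version, site)
INVENTORY = [
    {"name": "sw-pilot-01", "platform": "C9300", "version": "17.9.3", "site": "PILOT"},
    {"name": "sw-hq-01", "platform": "C9300", "version": "17.6.4", "site": "HQ"},
    {"name": "sw-hq-02", "platform": "C9300", "version": "17.3.1", "site": "HQ"},
    {"name": "sw-br-01", "platform": "C9200L", "version": "17.6.4", "site": "BRANCH"},
    {"name": "sw-br-02", "platform": "C2960X", "version": "15.2.7", "site": "BRANCH"},
]


def gate(device):
    """Return None if the NAD matches the known-good baseline, else why it is held back."""
    versions = CERTIFIED.get(device["platform"])
    if versions is None:
        return "platform not tested"
    if device["version"] not in versions:
        return "software not certified"
    return None


def plan_waves(inventory, pilot_site="PILOT", batch_size=2):
    """Split eligible NADs into waves: pilot site first, then the rest in batches.

    Returns (waves, excluded): waves is a list of name lists in rollout order,
    excluded maps held-back NAD names to the gate reason for follow-up.
    """
    excluded, pilot, rest = {}, [], []
    for dev in inventory:
        reason = gate(dev)
        if reason:
            excluded[dev["name"]] = reason
        elif dev["site"] == pilot_site:
            pilot.append(dev["name"])
        else:
            rest.append(dev["name"])
    waves = [pilot] if pilot else []
    waves += [rest[i:i + batch_size] for i in range(0, len(rest), batch_size)]
    return waves, excluded
```

Devices that fail the gate are reported rather than silently skipped, so they can be upgraded or lab-tested before a later wave; each wave is then where the monitor, restrict and posture stages are applied in turn.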