Deployment of Cisco ISE services in a Global Scale

laurathaqi (Level 3)

Dear community,

Based on what I have seen when integrating Cisco ISE into an existing network, configurations are done device by device: switch, router, ASA, etc. I feel this can get overwhelming when there are more than 100 such devices to integrate with services like 802.1X, Posture, TACACS, etc.

My question is as follows: what is the process you follow to integrate 802.1X into 100 network devices that cover +1L users?

The process I have applied so far has been for a small number of devices, and I was able to manage it, but I think there must be best practices that engineers usually follow for the tasks applied during the integration.

The process I have applied is: deploy the ISE machines, add a small number of NADs for testing, connect some test PCs for testing as well, and when all configs seem right, apply the GPO for the supplicants.

I would also like to know whether you limit the GPO for, e.g., 802.1X to specific users first and then, if all configs are correct, apply it to the whole company.

Any thoughts, ideas or recommendations would be highly appreciated, since they would help me define the strategy.

Thank you,

Laura

4 Replies

balaji.bandi (Hall of Fame)
> that do cover +1L users.

Can you give the number? Does +1L mean 100000 users? All in the same location or geolocation?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi

Apologies, I meant +1K users.

Thank you,

Laura

(Accepted solution)

Then you are good in the approach: deploy, monitor, restrict mode, posture and so on.

BB

Damien Miller (VIP Alumni)

I feel it's all relative to what you become accustomed to. I find it routine to deploy dot1x/MAB and TrustSec configurations to a hundred NADs and 10k+ access ports in a night. It took time to get to this level, and we also developed our own in-house tooling to be able to scale. It doesn't get rid of all the prep and environment-specific set-up, but once through the testing, away I go.

With that in mind, I follow the same process as you: start with a lab PoC/test, move on to a production pilot, and once everyone is happy, begin a full-scale production rollout.

The piece I advocate as a best practice is consistency. Only deploy to tested network platforms, and only if they are running tested/certified software. A known good enables efficiency with automation and a baseline behavior.

The other pseudo best practice I advocate, as do many ISE presentations, is to focus on the framework. Build the advanced use cases in layers/phases and essentially only bite off manageable pieces at any one time.
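To make the two recommendations above concrete (BB's "deploy, monitor, restrict mode" sequence and Damien's "only deploy to tested platforms on certified software"), here is an added example. It is not Damien's in-house tooling, not Cisco code and not anything posted in this thread. It models a NAD inventory, a known-good platform/software matrix, and a per-wave planner that renders the switch-side dot1x/MAB configuration only for devices that are both in the current wave and on a tested combination; lab and pilot waves render monitor mode (`authentication open`), production waves render closed mode. All device names, versions and the RADIUS server address are constructed sample data, and the shared secret is a placeholder.

```python
"""Gate a phased 802.1X/MAB rollout on a known-good platform matrix.

Added example for this thread (not Damien's in-house tooling and not Cisco
code): a constructed NAD inventory, a table of platform/software pairs that
passed lab and pilot testing, and a per-wave planner that renders switch
configuration only for devices that are in the current wave AND on certified
software. Lab and pilot waves render monitor mode (authentication open);
production waves render closed mode. Names, versions and the RADIUS address
are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    platform: str
    version: str
    wave: str
    port_range: str


# Constructed inventory (hypothetical names, platforms and versions).
INVENTORY = [
    Device("lab-sw1",   "C9300",  "17.9.4",    "lab",    "GigabitEthernet1/0/1 - 24"),
    Device("pilot-sw1", "C9300",  "17.9.4",    "pilot",  "GigabitEthernet1/0/1 - 48"),
    Device("pilot-sw2", "C3850",  "16.12.4",   "pilot",  "GigabitEthernet1/0/1 - 48"),
    Device("prod-sw7",  "C3850",  "16.9.2",    "prod-1", "GigabitEthernet1/0/1 - 48"),  # version never tested
    Device("prod-sw8",  "C9300",  "17.9.4",    "prod-1", "GigabitEthernet1/0/1 - 48"),
    Device("prod-sw9",  "C2960X", "15.2(7)E7", "prod-1", "GigabitEthernet1/0/1 - 48"),  # platform never tested
]

# Known-good matrix: only the combinations that passed the lab PoC and the pilot.
KNOWN_GOOD = {
    "C9300": {"17.9.4"},
    "C3850": {"16.12.4"},
}

WAVE_ORDER = ["lab", "pilot", "prod-1", "prod-2"]
MONITOR_MODE_WAVES = {"lab", "pilot"}   # "deploy, monitor" before "restrict"

RADIUS_SERVER_IP = "192.0.2.10"         # placeholder ISE PSN address (TEST-NET-1)


def plan_wave(wave, inventory=INVENTORY, known_good=KNOWN_GOOD):
    """Return (ready, skipped) for one wave; skipped is a list of (name, reason)."""
    if wave not in WAVE_ORDER:
        raise ValueError(f"unknown wave {wave!r}; expected one of {WAVE_ORDER}")
    ready, skipped = [], []
    for dev in inventory:
        if dev.wave != wave:
            continue
        tested = known_good.get(dev.platform)
        if tested is None:
            skipped.append((dev.name, f"platform {dev.platform} is not in the tested matrix"))
        elif dev.version not in tested:
            skipped.append((dev.name, f"{dev.platform} {dev.version} not certified (tested: {sorted(tested)})"))
        else:
            ready.append(dev)
    return ready, skipped


def render_global_aaa(radius_ip=RADIUS_SERVER_IP):
    """Global AAA/RADIUS lines pointing the switch at ISE (shared secret left as a placeholder)."""
    return "\n".join([
        "aaa new-model",
        "aaa authentication dot1x default group radius",
        "aaa authorization network default group radius",
        "aaa accounting dot1x default start-stop group radius",
        "radius server ISE-PSN-1",
        f" address ipv4 {radius_ip} auth-port 1812 acct-port 1813",
        " key <RADIUS-SHARED-SECRET>",
        "dot1x system-auth-control",
    ])


def render_port_config(port_range, monitor):
    """Access-port dot1x/MAB template; monitor=True adds 'authentication open'."""
    lines = [
        f"interface range {port_range}",
        " switchport mode access",
        " authentication host-mode multi-auth",
        " authentication order dot1x mab",
        " authentication priority dot1x mab",
        " authentication port-control auto",
        " mab",
        " dot1x pae authenticator",
        " dot1x timeout tx-period 10",
    ]
    if monitor:
        lines.append(" authentication open")   # monitor mode: authenticate, but never block traffic
    return "\n".join(lines)


def render_device(dev):
    """Full config for one device; the mode follows the wave the device belongs to."""
    monitor = dev.wave in MONITOR_MODE_WAVES
    return render_global_aaa() + "\n!\n" + render_port_config(dev.port_range, monitor)


def get_device(name, inventory=INVENTORY):
    return next(d for d in inventory if d.name == name)


if __name__ == "__main__":
    for wave in WAVE_ORDER:
        ready, skipped = plan_wave(wave)
        print(f"== wave {wave}: {len(ready)} ready, {len(skipped)} skipped ==")
        for name, reason in skipped:
            print(f"  SKIP {name}: {reason}")
        for dev in ready:
            print(f"  --- {dev.name} ---")
            print(render_device(dev))
```

The point of the gate is that a device with an untested platform or software version is reported, never configured, so the baseline behaviour Damien describes holds across every wave; the rendered text is a starting template, and pushing it to devices (and moving a wave from `authentication open` to closed mode once the monitor phase is clean) is left to whatever deployment tooling the environment already uses.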