Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1962
Views
20
Helpful
4
Replies

Deployment of Cisco ISE services in a Global Scale

Go to solution
laurathaqi
Level 3
Level 3

‎05-19-2021 11:04 AM

Dear community, 

 

Based on what I have seen when integrating Cisco ISE in an existing network, configurations are done device per device such as Switch, Router, ASA etc. I feel this can get overwhelming when having more than 100 devices of such to integrate with services like 802.1x, Posture, TACACS etc. 

My question is as following: What is the process that you guys follow to integrate 802.1x into 100 network devices, that do cover +1L users.

The process I have applied so far has been for small number of devices and was able to manage it, but I think there must be some best practices that Engineers usually follow as part of the process for the tasks that are applied during the integration. 

 

The process I have applied is: Deployment of the ISE machines, add small number of NADs for test purposes, connect some test PCs for test also. when all configs seems right, Apply GPO for the Supplicants. 

 

I would like to know if you guys also do limit the GPO level of for example 802.1x to specific users and then if all configs correct, apply it for the whole company! 

 

Any though, ideas, recommendation would be highly appreciated since it would help me towards definition of the strategy. 

 

Thank you,

Laura  

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to laurathaqi

‎05-20-2021 01:46 AM

then you are good in the approach, deploy, Monitor, restrict mode, posture and so on..

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-19-2021 11:37 AM 

that do cover +1L users.

can you give the number +1L means 100000 users?  all in the same Location or geolocation?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
laurathaqi
Level 3
Level 3
In response to balaji.bandi

‎05-19-2021 10:38 PM

Hi @balaji.bandi 

 

Apologies, I meant +1K users. 

 

Thank you,

Laura 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to laurathaqi

‎05-20-2021 01:46 AM

then you are good in the approach, deploy, Monitor, restrict mode, posture and so on..

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎05-19-2021 11:38 AM

I feel it's all relative to what you become accustomed to. I find it routine to deploy dot1x/mab and trustsec configurations to a hundred NADs and 10k+ access ports in a night. It took time to get to this level, and we also developed our own in house tooling to be able to scale. It doesn't get rid of all the prep and environment specific set up, but once through the testing, away I go. 

 

With that in mind I follow the same process as you. Start with a lab poc/test, move on to a production pilot, and once everyone is happy, begin a full scale production roll out.

 

The piece I advocate as a best practice is consistency. Only deploy to tested network platforms, and only if they are running tested/certified software. A known good enables efficiency with automation and a baseline behavior.

 

The other pseudo best practice I advocate as well as many ISE presentations is to focus on the framework. Build the advanced use cases in layers/phases and essentially only bite off manageable pieces at any one time. 

Customers Also Viewed These Support Documents