I am currently evaluating two NAC systems: ISE and Bradford and I wanted to see if anyone has had the opportunity to see both systems. Although we are a Cisco shop, I am looking for simplicity due to staff shortage.
In the event I decide to go with ISE, I would like to hear your personal challenges with the product during the deployment phase and those little things I need to keep in mind to avoid future headaches.
Thanks in advance!
ISE Base vs. ISE Advanced and wired vs. wireless are different experiences. Also native supplicants vs. using AnyConnect Network Access Module as your 802.1x supplicant makes a difference. You need to understand the basics of X.509 certificates and the types of devices you will be allowing on your network and have a plan for how you deal with them.
Also, most experiences people have will be with 1.2 or earlier ISE versions. 1.3 was just released a couple of weeks ago and has LOTS of enhancements.
My experience is that ISE is a comprehensive solution that does a LOT of different things. The current release does them all very nicely - much improved over the earlier releases. If you start small and think out what you're doing ahead of time, it can be a great solution. If you just deploy the system and make it up as you go along, it can fail spectacularly. For this reason, Cisco requires all but the most basic wireless-only versions be purchased via an Authorized Technology Partner (ATP). That route should get you the assistance of a partner engineer who has been trained and will take the time to assist you with a successful deployment.
Thank you for your feedback. The idea is to start small as you said. Just to log and monitor the activity until we identify what is really valid and what's not. Then we will proceed to work on specific access by device type; however, I am looking for those pieces I need to clarify with my Cisco partner at the time of the purchase, since I have a specific budget for the product. I have been told that the biggest expense here is the professional services, which was an outrageous number. Any ideas in this arena?
Your partner should be using Cisco's high level design (HLD) questionnaire / template which guides and properly scopes a new deployment.
If they don't bring up the HLD during initial discussions, ask for it. Any ISE ATP engineer should be referring to it as a guide for the deployment. It will delve into your desired use cases, existing network topology and device types, desired policy, endpoint types, identity stores, supplicant software etc. etc. It goes on for 28 pages and is very thorough.
ISE can be a big project, even with a monitor mode deployment as it touches a lot more than the traditional network devices themselves. Accordingly, the professional services required to do it right are more extensive.
(Disclaimer - I work for a partner as a professional services engineer so I am predisposed to answer from that perspective.)
You can find ISE Planning and Predeployment Checklists here
I have done (not finished) one deployment with 150 clients. And one guy I know is doing a very large scale deployment.
To me it's very interesting but very challenging. I really underestimated the time it would take. I did this project because my client wanted it. From a technical point of view it's very positive for me; from a financial point of view it's really bad, as I've spent a lot of time.
The client is so far very happy although some implemented features are missing.
I would recommend starting with Wi-Fi only and, once you understand ISE and know how to troubleshoot, making wired work. I have not tried remote access though.
- You're full Cisco or you have other vendors (I'm thinking about IP Phones, but the question can also be asked for switches and WLCs).
- You have a PKI or not.
- You have devices (endpoints) that are not 802.1X capable. All of us have some, but the important thing is to list them.
It's also difficult because it involves a lot of components and protocols:
- Components: the RADIUS server (ISE), the NAS (switch or WLC), the endpoints (PCs, APs, printers), the host (in my case VMware)
- Protocols: EAP protocols, SNMP/DHCP for profiling, Wi-Fi etc.
So I wouldn't see a guy with little experience in networking dealing with something like this. I was more than familiar with many of these things. And before ISE I also tried FreeRADIUS and made it work with Wi-Fi and VLAN assignment and an LDAP server.
If by chance I make the whole thing work, I need to give the skills to someone else to do the troubleshooting.
So this is my experience so far. Some others have much more experience of course.