
ISE Device Import

Anthony Maiale
Cisco Employee

I support a customer who is attempting to deploy ISE/TACACS for device admin for the first time. They have a few questions on the device import process and on building the device repository in ISE.

Today they have 3000 devices they want to manage.

Per the ISE admin guide, they can download a csv template and fill it in with their data on their devices and then import it to ISE.

  1. How much effort and time would it take someone to complete that process (a csv import of approx. 3000 devices)?
  2. Are there any gotchas that you know of that I could share to help them?
  3. Have any customers been through this process and completed it successfully? (Can I share who?)
  4. They have a majority of devices in ServiceNow today. They will export the ServiceNow device repository to csv and see if it can be mapped to ISE. Do you have any info on ServiceNow to ISE mapping?

Thanks for your help.

Tony

7 Replies

hslai
Cisco Employee
  1. If on 3495 or 3595, importing 3K NADs should complete in 3 ~ 4 minutes. You might find it more responsive by splitting the import into 3 X 1K or 6 X 500 batches.
  2. ISE 2.2 has a known issue in requiring a RADIUS shared secret in the CSV -- CSCvc16661
  3. I have no customer names but this is a common task.
  4. I am not familiar with ServiceNow or whether it has a definite schema to store network devices.

OK, thank you; at least this is considered common.

They are using ISE VMs, but will advise based on those appliance hardware specs for performance comparison.

Their real pain point is with the construction/entry or filling out of the spreadsheet to get it ready for import. Is there anything to help there?

We were just told to upgrade to ISE 2.2 due to hitting a couple of bugs (Deny All Shell profile does not send fail and authorization does not work in 2.1). Based on the bug that you mention above in ISE 2.2, they will be impacted on importing all of the WSAs and FirePower devices since they support RADIUS only and not TACACS.

Do you know when ISE 2.2 will be patched?

Thanks.

I've unicast you some more info.

Could you also unicast the info you just hinted at? pzhou@prosysis.com I'm also planning to import 3k NADs for both RADIUS and T+, along with the NAD groups. I'm interested in all aspects in this regard. Thanks in advance.

The bug has not been committed to a patch yet. If it is important for you to get the fix, please open a TAC case and request the hot patch.

There are two workarounds:

1. Put a dummy RADIUS shared secret for any device without it.

2. Use the ISE ERS API for NAD.

On a clean install of ISE 2.2 with patch 1 applied, I tested an import of a TACACS device with no RADIUS details, and it worked. I am curious what provokes this bug, because I have not experienced it.

I would have attached my .csv but there is no option. So below is the line in the .csv that was imported without any errors.

TACACS_only_device,TACACS test client,1.1.1.1/32,,,Device Type#All Device Types|IPSEC#Is IPSEC Device#No|Location#All Locations#VM_Lab,,,,,,,,,,,,,,,,,,,,,,,,,,ENABLE_USING_COA,,,,,,,,TACACSpwd123,ON_LEGACY,Cisco,1700,FALSE,2083,

If it is regarding CSCvc16661, its fix is part of 2.2 Patch 1.
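
A pre-import check for the kind of spreadsheet discussed in this thread, added here as an example and not code from any poster or from Cisco: it validates the name, IP/mask and `Type#Root#Leaf|...` device-group fields and splits the clean rows into batches of 500 as suggested above. The column positions are inferred from the row posted in the thread, and the required group types and the sample rows are assumptions constructed for illustration.

```python
import csv, io, ipaddress
# Column positions inferred from the row posted in the thread (assumption:
# confirm against the header of the template your ISE version generates).
NAME, IP, NDG = 0, 2, 5
REQUIRED_GROUPS = ("Device Type", "Location")  # hypothetical local policy
# Constructed sample rows, truncated to the first six columns.
SAMPLE = """\
core-sw-01,Core switch,10.0.0.1/32,,,Device Type#All Device Types|Location#All Locations#VM_Lab
core-sw-02,Core switch,10.0.0.2/32,,,Device Type#All Device Types|Location#All Locations#VM_Lab
core-sw-02,Duplicate name,10.0.0.3/32,,,Device Type#All Device Types|Location#All Locations#VM_Lab
edge-fw-01,Typo in mask,10.0.1.1/33,,,Device Type#All Device Types|Location#All Locations#VM_Lab
edge-fw-02,Same IP as sw-01,10.0.0.1/32,,,Device Type#All Device Types|Location#All Locations#VM_Lab
wlc-01,No location,10.0.2.1/32,,,Device Type#All Device Types
"""

def parse_ndg(field):
    """'Type#Root#Leaf|Type2#Root2' -> {'Type': 'Root#Leaf', 'Type2': 'Root2'}"""
    groups = {}
    for part in filter(None, field.split("|")):
        gtype, sep, path = part.partition("#")
        if not sep or not path:
            raise ValueError(f"malformed device group {part!r}")
        groups[gtype] = path
    return groups

def lint(rows):
    """Return (clean_rows, problems); problems are (row_number, reason)."""
    clean, problems, names, nets = [], [], set(), []
    for n, row in enumerate(rows, 1):
        try:
            if len(row) <= NDG or not row[NAME].strip():
                raise ValueError("too few columns or empty name")
            if row[NAME] in names:
                raise ValueError(f"duplicate name {row[NAME]!r}")
            net = ipaddress.ip_network(row[IP], strict=False)  # one IP/mask per row assumed
            if any(net.overlaps(other) for other in nets):
                raise ValueError(f"{net} overlaps an earlier row")
            missing = [g for g in REQUIRED_GROUPS if g not in parse_ndg(row[NDG])]
            if missing:
                raise ValueError(f"missing device group(s): {missing}")
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        names.add(row[NAME])
        nets.append(net)
        clean.append(row)
    return clean, problems

def batches(rows, size=500):
    return [rows[i:i + size] for i in range(0, len(rows), size)]
```

Run `lint(list(csv.reader(open(path, newline=""))))` on the filled-in spreadsheet with its header row removed, fix the reported rows, then write each element of `batches(clean)` to its own file for import.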