09-24-2018 08:52 AM - edited 02-21-2020 11:01 AM
Any websites or suggestions on who owns and administers ISE? It seems that network should own it and security get reporting from it, but should security be able to write policies in it directly?
09-24-2018 01:57 PM
09-24-2018 10:38 PM
This is probably more of a discussion than a blog ... but still, in a world where many organisations still operate in a silo'd environment, ISE is probably best placed in the Network team. To be more specific, Network Operations. Why? Because the acronym NAC (Network Access Control) implies that we are controlling access to the network (as opposed to authenticating end user desktops ... that role might be better suited to the Security Team). But at the end of the day this is an arbitrary decision that makes no difference how the dice fall. Organizations should work together and stop being so silo'd - and give the job to those engineers who have the appropriate understanding of RADIUS, TACACS, ACLs, VLANs, IP addressing. But most network engineers panic when they have to deal with certificates - that's when they may need to engage the expertise of the Security Team. But on the whole, most network engineers should feel comfortable working with ISE.
09-25-2018 11:32 AM
09-29-2018 04:40 AM
It doesn’t matter. I would just make sure the roles are defined. One major plus in ISE can be a major hurdle. Many elements are usable for multiple functions. I would mandate a required naming scheme so all users know who owns or controls an element. I.e. NDGs are used in both TACACS and RADIUS functionality. In many organizations the device admin or TACACS administrators are not the same team as the network access team. Just have well-defined roles!