Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
214
Views
1
Helpful
7
Replies

Migrate from non-Cisco/3rd Party Identity solution to ISE

Go to solution
YHam
Level 1
Level 1

‎03-07-2025 02:33 AM

Hello everyone,

We currently have a non-Cisco/3rd party identity solution and are planning to migrate authentication (via 802.1x and MAB) for wired and wireless users. For wireless, we have approx. 50 WLCs deployed across different locations. For wired, there's only location (headquarter) in scope that has total of 5000 devices including users (windows, mac, linux), printers, phones etc.
Could someone please provide high level steps involved in the migration and estimated time for both wireless and wired?
Do you execute such migration in phases? if so, how do you segregate?

Thank you!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎03-07-2025 05:11 AM

 

 - Basically I would see it   as good as a from scratch implementation with ISE ; meaning you need to high level describe your         policies and then translate to an ISE setup (infrastructure). Then I would test this on an ISE 'birth deployment' ; meaning on
 your switches and WLC's in the beginning migrate only one NAD type  -(WLC, switch) to use the new ISE (radius)
                   and check if the ISE deployment works as intended.
 Then you can switchover more WLC's and switches. Don't do it all at once!

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

0 Helpful
7 Replies 7

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎03-07-2025 05:11 AM

 

 - Basically I would see it   as good as a from scratch implementation with ISE ; meaning you need to high level describe your         policies and then translate to an ISE setup (infrastructure). Then I would test this on an ISE 'birth deployment' ; meaning on
 your switches and WLC's in the beginning migrate only one NAD type  -(WLC, switch) to use the new ISE (radius)
                   and check if the ISE deployment works as intended.
 Then you can switchover more WLC's and switches. Don't do it all at once!

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎03-07-2025 06:44 AM

I agree with @marce1000 and take it slow.  Depending on if you have a dev environment or not, you probably want to start with wireless first and only test with a small site or if you can in a lab.  You really want to validate everything is working as expected, get sign-off from other teams before you start migrating.  I would still migrate slowly because one site may differ from another and you might have to back peddle to understand why and how you will remediate it.  Then after the wireless has migrated, then you would do the same for wired.  

What I have typically done is TACACS is my 1st phase, wireless is phase 2 and wired is phase 3.  I like to play it safe.

-Scott
*** Please rate helpful posts ***

Go to solution
YHam
Level 1
Level 1
In response to Scott Fella

‎03-07-2025 09:04 AM

Thank you Scott. Why do you prefer wireless first over wired?

0 Helpful

Go to solution
YHam
Level 1
Level 1

‎03-07-2025 09:07 AM

@Scott Fella @marce1000 Thank you. I really appreciate your input.
Do you start with Monitoring mode before turning on Low-Impact or Close mode?
Any rough estimate on the time required to migrate around 50 WLCs? I understand its difficult to answer without all the details but i just need a ballpark figure based on your past experience.

0 Helpful

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to YHam

‎03-07-2025 09:30 AM

 

 @YHam  - I would neither use Monitoring Moe or Low-Impact mode but a standard deployment as intended ;
                  the core benefit comes from migrating NAD's one-by-one and not everything at the same time.
                  To do that use new IP addresses for the ISE radius servers (in the new deployment).
                  Then you only need to remove the old one IP addresses  and enter the new ones in the configuration of the NAD's.
                  It provides the basic solution for not having to switch everything all at once to the new ISE environment;
                  and that is the more important thing.

   So ,as far as migrating 50 WLC's is concerned and the time needed ; that is difficult to tell and depends on used procedures.
   Such as removing and entering the new radius servers (IP addresses) , but also the level  of quality and verification
   testing that is expected by business   when migrating each WLC (for instance)

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
YHam
Level 1
Level 1
In response to marce1000

‎03-10-2025 05:28 AM

Thanks again. Regarding validated ISE configuration for the Wireless, do you thing migrating only one or few WLCs (phased approach) can create issues as wifi users may move around?

0 Helpful

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to YHam

‎03-10-2025 06:10 AM

 

   @YHam  - If users roam across   a few specific WLC's , then those ,  must be migrated together ,

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents