Is anyone successfully deploying ISE 2.X? I’m six months into it on about 10,000 endpoints and it seems like it’s a highly challenged product. I’d love to hear your experiences on or off-list. Thanks in advance.
As would I. We are going to start a project that is replacing ACS 5.7 with ISE 2.X.

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Christopher J. Wolff
Sent: Friday, October 6, 2017 2:41 PM
To: nanog@nanog.org
Subject: Cisco ISE
Proceed with extreme caution. You may want to have that end of life ACS deployment bake for another six months. You will want to have the highest level of Cisco engineering engaged should you choose to go this direction.

On Oct 6, 2017, at 3:48 PM, Mann, Jason <jamann@mt.gov> wrote:
> As would I. We are going to start a project that is replacing ACS 5.7 with ISE 2.X.
Any particular part of the product giving you trouble, or just the migration to the product itself? Running 5.7 here in a multi-vendor endpoint environment using both TACACS+ & RADIUS for device administration, and have been curious about the pain I may or may not have ahead of me...

________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Christopher J. Wolff <cjwolff@nola.gov>
Sent: Friday, October 6, 2017 3:53 PM
To: Mann, Jason
Cc: nanog@nanog.org
Subject: Re: Cisco ISE

> Proceed with extreme caution. You may want to have that end of life ACS deployment bake for another six months. You will want to have the highest level of Cisco engineering engaged should you choose to go this direction.
On Fri, 2017-10-06 at 20:41 +0000, Christopher J. Wolff wrote:
> Is anyone successfully deploying ISE 2.X? I’m six months into it on about 10,000 endpoints and it seems like it’s a highly challenged product. I’d love to hear your experiences on or off-list. Thanks in advance.
ISE is challenging. I helped deploy and manage a 2.1.0.474 installation with about 5,000 endpoints. The hardest part was designing the access policies. There is also some quirkiness depending on what switches you have in your environment. Different switches and different IOS levels require in some cases slightly different switchport configurations. Keeping everything in sync can also be painful. I ended up writing a web-based tool to audit the switch configurations.

The device profiler is less than perfect. We ended up having to statically configure some of the devices (notably printers and thin clients) to get them authorized correctly. Sometimes the RADIUS sessions from a switch to the ISE servers would hang in odd ways which required shutting and re-enabling the port. Looking at the logs on the switches was vital to sorting out various issues. We also have DHCP snooping enabled in our environment which further complicated debugging.

Also be aware upgrading the software can be painful and takes a long time. Our last upgrade required 18 hours of time. Mostly this was waiting around for the software to do the upgrade. Having an environment where you have redundancy is really a requirement for deploying ISE.

Conversion to ISE also needs to be done switch by switch with lots of hand-holding of the users. Users do get irritated when their computers no longer work. A good communications plan is vital to be successful.

--
Smoot Carl-Mitchell
System/Network Architect
voice: +1 480 922-7313
cell: +1 602 421-9005
smoot@tic.com
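Smoot mentions writing a tool to audit switchport configurations for drift across switches and IOS versions. As an added example that is not from the thread or from any poster, here is a small Python audit that parses an IOS-style running-config and reports edge ports missing an assumed 802.1X/MAB baseline; the baseline command set and the sample config are constructed for the example, and a real audit would use the template actually rolled out per platform.

```python
# Baseline every ISE-authenticated access port should carry (assumed for this example).
REQUIRED_LINES = {
    "switchport mode access",
    "authentication port-control auto",
    "authentication order dot1x mab",
    "mab",
    "dot1x pae authenticator",
}

# Constructed sample running-config: one compliant port, one drifted port, one trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: set of indented config lines}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = set()
        elif current is not None and line.startswith(" "):
            interfaces[current].add(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return interfaces

def audit(config, required=REQUIRED_LINES):
    """Return {interface: sorted missing baseline lines} for each non-compliant edge port."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        # Trunks, routed ports and SVIs are not ISE edge ports, so they are skipped.
        if name.startswith("Vlan") or "switchport mode trunk" in lines or "no switchport" in lines:
            continue
        missing = sorted(required - lines)
        if missing:
            findings[name] = missing
    return findings
```

Run `audit()` over each switch's `show running-config` output and diff the findings against the expected template before cutting a switch over; it catches the per-port drift that otherwise surfaces as an endpoint that silently stops authenticating.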
There are other products out there that give more successful results much quicker and with much less effort. While I won’t spam the list with things, I’d be happy to share my experience off-list if desired.

Scott

-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Smoot Carl-Mitchell <smoot@tic.com>
Date: Friday, October 6, 2017 at 10:09 PM
To: "Christopher J. Wolff" <cjwolff@nola.gov>, "nanog@nanog.org" <nanog@nanog.org>
Subject: Re: Cisco ISE
participants (5)
- Christopher J. Wolff
- Darin Herteen
- Mann, Jason
- Scott Morris
- Smoot Carl-Mitchell