[196167] in North American Network Operators' Group
Re: Cisco ISE
daemon@ATHENA.MIT.EDU (Scott Morris)
Sat Oct  7 12:22:54 2017
X-Original-To: nanog@nanog.org
Date: Fri, 6 Oct 2017 23:23:10 -0400
In-Reply-To: <1507327383.7079.114.camel@tic.com>
From: Scott Morris <swm@emanon.com>
To: Smoot Carl-Mitchell <smoot@tic.com>, "Christopher J. Wolff"
 <cjwolff@nola.gov>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
There are other products out there that give more successful results much quicker and with much less effort.
While I won't spam the list with things, I'd be happy to share my experience off-list if desired.
Scott
-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Smoot Carl-Mitchell <smoot@tic.com>
Date: Friday, October 6, 2017 at 10:09 PM
To: "Christopher J. Wolff" <cjwolff@nola.gov>, "nanog@nanog.org" <nanog@nanog.org>
Subject: Re: Cisco ISE
    On Fri, 2017-10-06 at 20:41 +0000, Christopher J. Wolff wrote:
    > Is anyone successfully deploying ISE 2.X?  I'm six months into it on
    > about 10,000 endpoints and it seems like it's a highly challenged
    > product.  I'd love to hear your experiences on or off-list.  Thanks
    > in advance.

    ISE is challenging.  I helped deploy and manage a 2.1.0.474
    installation with about 5,000 end points.  The hardest part was
    designing the access policies.  There is also some quirkiness depending
    on what switches you have in your environment.  Different switches and
    different IOS levels require in some cases slightly different
    switchport configurations.  Keeping everything in sync can also be
    painful.  I ended up writing a web based tool to audit the switch
    configurations.

    The device profiler is less than perfect.  We ended up having to
    statically configure some of the devices (notably printers and thin
    clients) to get them authorized correctly.

    Sometimes the RADIUS sessions from a switch to the ISE servers would
    hang in odd ways which required shutting and reenabling the port.
    Looking at the logs on the switches was vital to sorting out various
    issues.  We also have DHCP snooping enabled in our environment which
    further complicated debugging.

    Also be aware upgrading the software can be painful and takes a long
    time.  Our last upgrade required 18 hours of time.  Mostly this was
    waiting around for the software to do the upgrade.  Having an
    environment where you have redundancy is really a requirement for
    deploying ISE.

    Conversion to ISE also needs to be done switch by switch with lots of
    hand holding the users.  Users do get irritated when their computers no
    longer work.  A good communications plan is vital to be successful.
    --
    Smoot Carl-Mitchell
    System/Network Architect
    voice: +1 480 922-7313
    cell: +1 602 421-9005
    smoot@tic.com
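As an added example (not the web-based auditing tool Smoot describes, and not part of the original thread), here is a small Python script that does the kind of check his tool would need: it pulls interface blocks out of an IOS-style running-config and reports which access ports are missing lines from an 802.1X/MAB baseline. The baseline profile, the sample config and the interface names are constructed for illustration; as the message above notes, which lines a given switch model and IOS level actually needs varies, so the baseline is meant to be kept per platform rather than treated as a single standard.

```python
"""Audit IOS-style switch configs for the 802.1X/MAB lines an ISE-style
deployment expects on access ports.

Added example, not the auditing tool from the thread.  The baseline below
is an assumed profile: the commands are real IOS commands, but which ones a
given platform/IOS level needs must be confirmed per switch family."""

# Assumed access-port baseline (one profile; keep one per platform in practice).
ACCESS_PORT_BASELINE = (
    "switchport mode access",
    "authentication port-control auto",
    "authentication order dot1x mab",
    "authentication host-mode multi-auth",
    "mab",
    "dot1x pae authenticator",
)


def parse_interfaces(config_text):
    """Return {interface_name: [sub-command lines]} from a running-config.

    An interface block starts at an unindented 'interface X' line and ends at
    the next unindented line (IOS indents sub-commands with one space)."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            line = raw.strip()
            if line and not line.startswith("!"):
                interfaces[current].append(line)
        else:
            current = None  # back at global configuration level
    return interfaces


def is_access_port(lines):
    """Only ports explicitly in access mode are audited; trunks/uplinks skip."""
    return "switchport mode access" in lines


def audit_config(config_text, baseline=ACCESS_PORT_BASELINE):
    """Return {interface: [missing baseline lines]} for every access port.

    An empty list means the port carries every baseline line."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        if not is_access_port(lines):
            continue
        report[name] = [req for req in baseline if req not in lines]
    return report


# Constructed sample config: one compliant port, one port missing the MAB
# lines, and a trunk uplink that must be ignored by the audit.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user port - compliant
 switchport access vlan 10
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description user port - missing MAB lines
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust
!
"""

if __name__ == "__main__":
    for intf, missing in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not missing else "MISSING: " + ", ".join(missing)
        print(f"{intf}: {status}")
```

Run against a real `show running-config` capture, the script lists each access port with the baseline lines it lacks, which is the drift the message above describes when different IOS levels end up with slightly different switchport configurations. Passing a different `baseline` tuple per switch model is the way to handle those per-platform differences without loosening the check for everything.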