Cisco ISE

Smoot Carl-Mitchell smoot at tic.com
Fri Oct 6 22:03:03 CST 2017


On Fri, 2017-10-06 at 20:41 +0000, Christopher J. Wolff wrote:
> Is anyone successfully deploying ISE 2.X?  I’m six months into it on
> about 10,000 endpoints and it seems like it’s a highly challenged
> product.  I’d love to hear your experiences on or off-list.  Thanks
> in advance.

ISE is challenging.  I helped deploy and manage a 2.1.0.474
installation with about 5,000 end points.  The hardest part was
designing the access policies  There is also some quirkiness depending
on what switches you have in your environment.  Different switches and
different IOS levels require in some cases slightly different
switchport configurations.  Keeping everything in sync can also be
painful.  I ended up writing a web based tool to audit the switch
configurations. 

The device profiler is less than perfect.  We ended up having to
statically configure some of the devices (notably printers and thin
clients) to get them authorized correctly.

Sometimes the RADIUS sessions from a switch to the ISE servers would
hang in odd ways which required shutting and reenabling the port. 
Looking at the logs on the switches was vital to sorting out various
issues.  We also have DHCP snooping enabled in our environment which
further complicated debugging.

Also be aware upgrading the software can be painful and takes a long
time.  Our last upgrade required 18 hours of time.  Mostly this was
waiting around for the software to do the upgrade.  Having an
environment where you have redundancy is really a requirement for
deploying ISE.

Conversion to ISE also needs to be done switch by switch with lots of
hand holding the users.  Users do get irritated when their computers no
longer work.  A good communications plan is vital to be successful.
-- 
Smoot Carl-Mitchell
System/Network Architect
voice: +1 480 922-7313
cell: +1 602 421-9005
smoot at tic.com


More information about the NANOG mailing list