ISE?

Started by vito_corleone, January 03, 2015, 11:34:30 PM


vito_corleone

I've been involved in a ton of ISE projects for customers going back to the 1.0 release. It started out... interesting, but has really come a long way. 1.3 seems to be pretty solid so far.

Who's running it, for how long, what are you doing with it (wired, wireless - profiling, posture, etc) and what are your thoughts?

deanwebb

For wireless, ISE worked very well for us in our testing. Wireless in general is very 802.1X friendly, and ISE is 802.1X, through and through. 1.3 added some nice improvements to the GUI for wireless functionality.

For wired, 802.1X was just too unforgiving for our network. We did not want to push an equipment upgrade and overhaul simultaneous to the push of the NAC system. ForeScout CounterACT provided a non-dot1x NAC solution, so we saw that as being overall less risky.

Regardless of the dot1x technology used, our biggest headache was actually the Windows default wired dot1x supplicant. For ForeScout, we pushed out their client piece and used that to help devices that had issues. For Cisco ISE, we use the Cisco supplicant (which is now AnyConnect, if what I hear about it is true), and that cleared up every issue with dot1x. It worked faster and cleaner than the native Windows, so there was no way we would ever roll out ISE without the client piece.

Getting back to the equipment side, even some of our newest equipment (by our standards) was obsolete relative to ISE (by Cisco standards). The sup5 cards in our 4500 switches were not on the equipment list for ISE, and we had issues with them when we tried to make them work anyway. Doing the IOS upgrades introduced instability to the network when we had confusion about which IOS package to use. One of our consultants said that the advanced IP services would run just fine on a production 4500... and it didn't, so we had to get the same version of IOS with a different package. (Can't remember which one we needed, but it definitely wasn't advanced IP services).

I know of another firm in the financial industry where an ISE deployment caused some major disruptions in production, knocking a few thousand ATMs offline for a week. I have a good friend that's an IT director there, and his firm's experience was so disruptive that they canceled that project. I've got some friends that do ISE installations and they agree that it can be a very sensitive deployment. "Interesting", as you said. :)

I'd like to see more customizable reporting functionality in ISE along with the potential for deeper reporting functionality. I.e., when I looked at the ISE authorizations page, I had a hard limit on how far back it reported. If I wanted to see all systems currently connected, that option wasn't available.

If ISE offered a non-dot1x method of NAC enforcement alongside the dot1x methods, I think it would be able to neatly sidestep the hardware issues it currently has. If I was using it for wireless-only, I would be able to make a recommendation for it.

Speaking of wireless, Meraki gear did not really want to play well with either CounterACT or ISE. Because we wanted NAC to be integral to our wireless system, that was a technical hit on Meraki as a possible solution.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
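The reporting gap described above (no view of everything currently connected) can be filled outside the product from the RADIUS accounting stream that any 802.1X or MAB deployment already produces, because every switch and WLC sends Start, Interim-Update and Stop records per session. The following is an added example, not code from the thread or from Cisco ISE. It assumes a simplified one-packet-per-line export format (timestamp followed by Attr=value pairs), constructed sample records, and a staleness window, and it handles the records that go missing in real deployments: a retransmitted Start, a lost Start, a Stop without a Start, and a switch that lost power and never sends Stops.

```python
"""Reconstruct currently connected endpoints from RADIUS accounting records.

Added example, not code from this thread or from Cisco ISE.  Input format is
an assumption: one accounting packet per line, '<ISO timestamp> Attr=value ...',
values without spaces (a simplified export, not ISE's native log format).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    session_id: str
    user: str
    mac: str
    nas: str
    port: str
    started: Optional[datetime]   # None if the Start record was never seen
    last_seen: datetime           # timestamp of the latest record for this session
    stopped: Optional[datetime] = None


def parse_line(line: str) -> Dict[str, str]:
    """Split '<ts> Attr=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")  # split on the first '=' only
        fields[key] = value
    return fields


def _new_session(f: Dict[str, str], ts: datetime, started: Optional[datetime]) -> Session:
    return Session(f["Acct-Session-Id"], f.get("User-Name", "?"),
                   f.get("Calling-Station-Id", "?"), f.get("NAS-IP-Address", "?"),
                   f.get("NAS-Port-Id", "?"), started, ts)


def summarize(lines, now: str, stale_minutes: int) -> Tuple[List[Session], List[Session]]:
    """Return (active, stale): sessions with no Stop, split by whether the NAS has
    reported on them within stale_minutes of `now` (silent switches never send Stops)."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        f = parse_line(line)
        if "Acct-Session-Id" not in f or "Acct-Status-Type" not in f:
            continue  # blank or malformed line
        ts = datetime.fromisoformat(f["ts"])
        sid, status = f["Acct-Session-Id"], f["Acct-Status-Type"]
        s = sessions.get(sid)
        if status == "Start":
            if s is not None and s.stopped is None:
                s.last_seen = max(s.last_seen, ts)  # retransmitted Start: keep original start
            else:
                sessions[sid] = _new_session(f, ts, started=ts)
        elif status == "Interim-Update":
            if s is None:
                sessions[sid] = _new_session(f, ts, started=None)  # Start lost; still live
            else:
                s.last_seen = max(s.last_seen, ts)
        elif status == "Stop":
            if s is None:
                sessions[sid] = _new_session(f, ts, started=None)  # Stop without Start
            sessions[sid].stopped = ts
            sessions[sid].last_seen = max(sessions[sid].last_seen, ts)
    cutoff = datetime.fromisoformat(now) - timedelta(minutes=stale_minutes)
    open_sessions = sorted((s for s in sessions.values() if s.stopped is None),
                           key=lambda s: s.session_id)
    return ([s for s in open_sessions if s.last_seen >= cutoff],
            [s for s in open_sessions if s.last_seen < cutoff])


# Constructed sample: a normal session that ends (A1), a retransmitted Start (A2),
# a stale session from a silent switch (A4), a session whose Start was lost (A3),
# and a Stop with no matching Start (A9).
SAMPLE_LOG = """\
2015-01-05T08:00:00 Acct-Status-Type=Start Acct-Session-Id=0000A1 User-Name=jdoe Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.1.1.2 NAS-Port-Id=GigabitEthernet1/0/1
2015-01-05T08:00:05 Acct-Status-Type=Start Acct-Session-Id=0000A2 User-Name=host/pc-42 Calling-Station-Id=00-11-22-33-44-66 NAS-IP-Address=10.1.1.2 NAS-Port-Id=GigabitEthernet1/0/2
2015-01-05T08:00:05 Acct-Status-Type=Start Acct-Session-Id=0000A2 User-Name=host/pc-42 Calling-Station-Id=00-11-22-33-44-66 NAS-IP-Address=10.1.1.2 NAS-Port-Id=GigabitEthernet1/0/2
2015-01-05T07:00:00 Acct-Status-Type=Interim-Update Acct-Session-Id=0000A4 User-Name=00-11-22-33-44-99 Calling-Station-Id=00-11-22-33-44-99 NAS-IP-Address=10.1.1.3 NAS-Port-Id=GigabitEthernet1/0/9
2015-01-05T08:10:00 Acct-Status-Type=Interim-Update Acct-Session-Id=0000A3 User-Name=00-11-22-33-44-77 Calling-Station-Id=00-11-22-33-44-77 NAS-IP-Address=10.1.1.3 NAS-Port-Id=GigabitEthernet1/0/7
2015-01-05T08:15:00 Acct-Status-Type=Stop Acct-Session-Id=0000A1 User-Name=jdoe Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.1.1.2 NAS-Port-Id=GigabitEthernet1/0/1
2015-01-05T08:20:00 Acct-Status-Type=Stop Acct-Session-Id=0000A9 User-Name=jsmith Calling-Station-Id=00-11-22-33-44-88 NAS-IP-Address=10.1.1.2 NAS-Port-Id=GigabitEthernet1/0/4
"""


def demo() -> Tuple[List[Session], List[Session]]:
    return summarize(SAMPLE_LOG.splitlines(), now="2015-01-05T08:30:00", stale_minutes=30)


if __name__ == "__main__":
    active, stale = demo()
    for s in active:
        print(f"{s.nas} {s.port} {s.mac} {s.user} since {s.started or 'unknown'}")
    for s in stale:
        print(f"STALE {s.nas} {s.port} {s.mac} last seen {s.last_seen}")
```

Run against the sample as of 08:30 with a 30-minute window, the report lists A2 and A3 as connected (A3 with an unknown start time because only its Interim-Update was seen), flags A4 as stale rather than connected, and drops A1 and A9 because a Stop was seen for both. The staleness window should be set a little above the `Acct-Interim-Interval` the switches are configured to send, otherwise healthy sessions get flagged between updates.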

SimonV

It's on our roadmap for the next few months - wireless deployment with BYOD self-provisioning and guest networks - but I still haven't had the time to look at it properly.
Bought the book and read the first few chapters but kind of got distracted then. However, I noticed that CBT Nuggets has released the SISAS videos, so that could be a chance to get up to speed quickly...

vito_corleone

Quote from: SimonV on January 04, 2015, 01:20:51 PM
It's on our roadmap for the next few months - wireless deployment with BYOD self-provisioning and guest networks - but I still haven't had the time to look at it properly.
Bought the book and read the first few chapters but kind of got distracted then. However, I noticed that CBT Nuggets has released the SISAS videos, so that could be a chance to get up to speed quickly...

ISE moves too quickly to rely on books, IMO. You should look at the Cisco Live presos.

jinxer

We too are about to implement ISE for the same reason as SimonV. Looking at the "Cisco ISE for BYOD and Secure Unified Access" book... It's for ISE 1.2. Is the difference that big compared to 1.3?


deanwebb

Agree that Cisco Live is going to be the best source for ISE material.

1.3 has some definite improvements on 1.2, including some stability and security fixes. As for inner workings, there are two halves of it. The first half is 802.1X and getting that to work properly. Once that's together, you're then going to deal with the posturing piece, which will involve a lot of discussing with desktop people. NAC gets multi-disciplinary, very early on. The sooner you engage affected parties, the better.

wintermute000

I attended the recent Cisco sales engineer EVT and boy, are they pushing ISE hard. The main angle they're pushing is TrustSec. Unfortunately, they're also pushing uphill against years of people getting burnt by Cisco security product roadmaps. There was certainly a lot of skepticism in the audience, and that was all Cisco techs, lol.

killabee

We've been running 1.2 for about a year now for wireless authentication, authorization, guest access, and BYOD on-boarding (though we use the flows a bit differently).

This was my first deployment of a centralized AAA server (specifically for the aforementioned functions), so maybe my struggles were unique, but they were:

• Interface is dog slow - The release notes for 1.3 say they made "database optimizations"... I'm curious if that'll help
• Certain ISE functions didn't work well with some wireless devices - iOS 7.x, Windows 8, some Windows mobile phones
• Guest wireless integration with anchored WLCs
• Constant development in web browsers and mobile devices forces you to stay on top of ISE patches
• Cisco's definition of "guest access" is different than what I thought - I consider guest access to be an open SSID with an Acceptable Usage Policy. They consider it to be an open SSID with a username/password to log in to a guest portal, and the guest accounts are created by a sponsor (similar to how hotels do it). If you want just an open SSID with an AUP, you have to do the authentication on the WLC using HTML pages on the WLC.
• How to configure the wireless controllers - I was new to ISE. ISE version 1.2 was new. I was new to WLCs in general, and the IOS XE-based WLCs were new... needless to say, it was a very steep learning curve!
• How to set up and configure ISE - Again, ISE 1.2 was new, and the "Cisco ISE for BYOD and Secure Unified Access" book was quickly becoming obsolete
• TAC - Probably another result of a cutting-edge WLC, but they weren't familiar with my WLCs and sometimes we had a hard time telling whether it was a wireless problem or an ISE problem

wintermute000

Yeah, it's pretty fast moving; combined with the constant state of flux in the WLC space, it makes for some hilarious bug hunting.

jinxer

Quote from: killabee on January 05, 2015, 12:48:22 AM
We've been running 1.2 for about a year now for wireless authentication, authorization, guest access, and BYOD on-boarding (though we use the flows a bit differently).

This was my first deployment of a centralized AAA server (specifically for the aforementioned functions), so maybe my struggles were unique, but they were:

• Interface is dog slow - The release notes for 1.3 say they made "database optimizations"... I'm curious if that'll help
• Certain ISE functions didn't work well with some wireless devices - iOS 7.x, Windows 8, some Windows mobile phones
• Guest wireless integration with anchored WLCs
• Constant development in web browsers and mobile devices forces you to stay on top of ISE patches
• Cisco's definition of "guest access" is different than what I thought - I consider guest access to be an open SSID with an Acceptable Usage Policy. They consider it to be an open SSID with a username/password to log in to a guest portal, and the guest accounts are created by a sponsor (similar to how hotels do it). If you want just an open SSID with an AUP, you have to do the authentication on the WLC using HTML pages on the WLC.
• How to configure the wireless controllers - I was new to ISE. ISE version 1.2 was new. I was new to WLCs in general, and the IOS XE-based WLCs were new... needless to say, it was a very steep learning curve!
• How to set up and configure ISE - Again, ISE 1.2 was new, and the "Cisco ISE for BYOD and Secure Unified Access" book was quickly becoming obsolete
• TAC - Probably another result of a cutting-edge WLC, but they weren't familiar with my WLCs and sometimes we had a hard time telling whether it was a wireless problem or an ISE problem

Nice to know info :glitch:

deanwebb

What killabee is talking about in regards to guest networks is also true in the CounterACT NAC solution. NAC isn't done to win friends and popularity contests. It's not done because it's as much fun as swigging gin as you drive your 4x4 across the ice to the Magnetic North Pole. It's done because your company has to comply with regulations, audits, and the like. It will reduce overall ease of use in order to introduce more security.

Windows 8 is a red-headed stepchild... nobody likes it.

SimonV

During our first discussions with our partner, I raised the question of possibly using it as a central server for network management AAA. Now, in the proposal, they mention that Cisco has a program running that gives you a free-of-cost ACS installation when purchasing ISE. Is anyone aware of that program? Sounds like a good deal to me :awesome:

edit: here it is, slide 47. Only with the physical appliance though :(

http://www.slideshare.net/CiscoPublicSector/cisco-security-the-evolution-continues

deanwebb

You really should get physical appliances for the admin nodes, probably also the MnTs. That should help with the ACS bundle.

SimonV

Well, looking at the pricing, and considering it's just for guest and BYOD, we'll probably do collapsed nodes :mrgreen:

vito_corleone

Quote from: SimonV on March 05, 2015, 08:09:17 AM
During our first discussions with our partner, I raised the question of possibly using it as a central server for network management AAA. Now, in the proposal, they mention that Cisco has a program running that gives you a free-of-cost ACS installation when purchasing ISE. Is anyone aware of that program? Sounds like a good deal to me :awesome:

edit: here it is, slide 47. Only with the physical appliance though :(

http://www.slideshare.net/CiscoPublicSector/cisco-security-the-evolution-continues

Yeah, they had to start doing this due to slipping so much (years) on adding TACACS functionality to ISE.