Re: OT - ISE first deployments / impressions

From: Gregory Stemberger <gjstem_at_gmail.com>
Date: Wed, 19 Oct 2011 23:26:11 -0400

From a guest services standpoint there have been huge improvements:
1 - Guest server is now integrated with ISE.
2 - ISE supports centralized web auth (CoA required).
  - It involves a process whereby a redirect URL is dynamically pushed to a local access switch to provide a captive portal for authentication
    (don't confuse this with local web auth in some of the 802.1x documentation on Cisco.com).
3 - dACLs + centralized web auth effectively allow you to build centrally controlled guest access without requiring the typical complexity associated with building out separate networks (VRFs/VLANs) or configuring static ACLs on the network. SGA/TrustSec may be another viable option in the near future as support extends across the product lines. As it stands now you can deliver guest/role-based access in a very centralized manner that is completely pushed out from ISE to the switch, with the port dynamically controlled to only allow guest access via downloadable ACLs based on RADIUS authorization from ISE.

From an HA perspective, one of the biggest improvements was the removal of the requirement for L2 adjacency that existed on NAC for the managers. With ISE the equivalent admin node can now exist in separate data centers. Now you can effectively build a multisite/distributed deployment at the admin level and also leverage active/active nodes servicing RADIUS authentication requests (posture/profiling/guest as well) wherever you may need them, including the ability to localize services in either virtual or physical form factor, with the exception of iPEP. One of the key considerations would be to take into account authentication sources in terms of an overall HA design.

Sent from my iPad

-Greg

On Oct 19, 2011, at 12:30 PM, Ryan West <rwest_at_zyedge.com> wrote:

> For the security and wireless guys out there. I was hoping to get some
> feedback on ISE deployments. In particular I'm curious about the overall
> deployment, guest services (wired/wireless), integration with NCS, and
> comparisons to past NAC implementations. If you don't mind sharing overall
> size (number of endpoints) of engagement, that would be useful as well.
>
> Thanks for any feedback.
>
> -ryan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Oct 19 2011 - 23:26:11 ART

This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART