Here at UCI we have been using NAC since it was Perfigo, and are concerned about the upgrade path. We attended several Cisco sessions on the ISE solution, and it would mean shelling out quite a few bucks to get it up and running. Two issues that concern us are that our 60+ 2650's would need replacing, and ISE is NOT a DHCP server, which we would miss greatly. We would need to create another system separate from ISE. This is not that difficult, but nevertheless, it's annoying that ISE does not have that much-needed functionality.

Staying tuned.....

"In my world of Information Technology, if you aren't moving forward, you're moving backwards."

Ted Roberge
Director, Information Technology
Office of Information Technology
Student Housing, University of California, Irvine
Irvine, CA 92697

From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Wayne Lai
Sent: Thursday, April 05, 2012 11:38 AM
To: [email protected]
Subject: Re: NAC -> ISE

We have been using the Cisco NAC for 3 years now and we are quite disappointed/frustrated with how slow Cisco is in providing AV vendor updates; our local Cisco representative recommends us upgrading to Cisco ISE which he can help us do at a very low cost (because we can trade in our existing NAC solution), however we later also found out Cisco ISE is not compatible with our existing Cisco 4404 Wireless LAN Controllers (we would have to upgrade to Cisco 5500 WLC series at a very high price, so we are holding off for now); we use our Cisco NAC mainly for our Wi-Fi users.

We have opened several Cisco TAC cases in the past couple years to try to configure manual checks to recognize the latest released popular antivirus programs such as AVG Free Edition and Avast Free Edition, but the manual checks don't work anymore (even with the assistance of Cisco TAC). So in the past we would just exempt the student's laptop (the filters list would be very long) and recently we decided to just support only Microsoft Security Essentials and Avast Antivirus Free Edition (but then a few weeks ago Avast released a new version that NAC doesn't support, so we have to exempt those users).

I did hear that the Cisco NAC is an OEM product (so they rely on another vendor for the updates, etc) whereas Cisco ISE is an in-house product, so hopefully updates and bug fixes come out much faster on ISE!

Also, my manager and I did have a short 1-hour webinar overview of the Impulse Networks network access control product. Their ease of use and other things impressed us, but in the end we couldn't go with them after we read the Gartner Magic Quadrant report....

Wayne Lai
Network Engineer
Office of Information Technology
University of La Verne
(909)593-3511 x4575

From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Riegert, Timothy J.
Sent: Thursday, April 05, 2012 7:00 AM
To: [email protected]
Subject: Re: NAC -> ISE

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html

From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of John Schaeffer
Sent: Thursday, April 05, 2012 9:47 AM
To: [email protected]
Subject: Re: NAC -> ISE

We heard that ISE won't work with the 2950's or 2960's on the edge. Is that true?

On Thu, Apr 5, 2012 at 8:34 AM, Kelly Slone <[email protected]> wrote:

We have been looking at ISE for several months now with mixed results. We kept being promised several things would be fixed in the 1.1 release and now that we have it up and running this has changed to either that is "expected in 1.2" or even worse 2.0.

We've been able to set up a functioning guest portal, perform 802.1x auths and place users in a particular VLAN based on AD group membership. All of this seems to work fairly well.

I'm disappointed with the posture portion of the product at this point. With NAC, when a user is in a quarantined role you can easily limit their access to only allow access to software vendor patches and AV vendor patches/updates for products you approve based on URL filtering. This option is not available in ISE. ISE requires you to move the user to a particular VLAN, and use an upstream firewall that supports URL filtering.

I'm not really convinced the product is ready to be a NAC replacement yet.

Thank you,

Kelly Slone, B.S., MCP
Telecom Specialist II
Marshall University Computing Services
Drinko Library DL420
Office: 304-696-6109
Helpdesk: 304-696-3200
[email protected]

--
John Schaeffer | Connecticut College
Systems/Network Admin | 270 Mohegan Ave.
[email protected] | New London, Ct
(860)222-0859 | 06320
