Has anyone moved from NAC -> ISE? We're contemplating attempting this summer...we're running 2-3355's so we are going to renew our SmartNet as CON-SNT-ISE3355 instead of NAC3355-M1500-K9 and NACMGR-M-STD-K9. Cisco is fine with us doing this and it even saves some $$ on SmartNet renewal since ISE SmartNet is slightly cheaper than NAC SmartNet. We figure right now, we don't have any HA with one CAM/CAS each but with 2 3355's, we can run ISE in Primary/Secondary mode and have failover.
So, we've set up a test 1.1.2.145 ISE VM and connected it to a hidden SSID on our wireless controller and done some testing by our IT Staff to see what we think. I'm skeptical but cautiously optimistic after using it the last week. I like that we can start to get some granularity into using profiling and seeing what's on our network. My boss had a Windows 8 Surface RT (can't run NAC Agent or NAC web agent) machine and it actually was fairly easy to profile the device and then create an authorization policy so that we could get it working through ISE.
So, I'm curious what others have done or issues they have run into using ISE. I haven't done any testing on wired ports, just testing with 802.1X wireless.
An issue I don't like is the 1st time an Apple iDevice or Android device connects, it has to get profiled and you basically get a message that says "close your browser and try again in one minute." Well, what's happening is that you basically have to disconnect from wireless and reconnect and then the next time you get the right ACL and authorization profile applied correctly. It works great after the 1st time but not sure I like the 1st time connecting problem... TAC has told me that 1.2 (tentative for May) is supposed to have functionality to make this seamless for the user and not require the end user to manually re-associate to the SSID in order for the profiling/ACL to get applied correctly.
Thanks
[signature]
