Kyle, We have made the switch and have started deployment in Monitor Mode on wired. Work has begun on the wireless side as well.
We are running 600GB thick deployed VMs. Redundant ADMs, MONs and multiple PSNs behind a Cisco ACE VIP with plans for a second PSN VIP as well.

Some gotchas / comparisons to NAC so far.....

- Push out the 802.1x wired NIC config BEFORE starting deployment. With 3 sites deployed, our Primary ADM box is hammered due to all of the failed AUTH messages from laptops and desktops.
- Add "ip radius source-interface Loopback0" for any switch addressed with a Loopback address rather than a management address. ISE will NOT work without this.
- Had to uncontrol ports when a desktop switch was used on a NAC'd port. Multiple devices can AUTH on a single port under ISE.
- Nice to have a centralized deployment and not have hardware scattered all over the Enterprise.
- Security point moved down to the switchport level rather than at the CAS level.
- Nice to have ISE as an "All Cisco" product. No third party involvement as with Great Bay with Profiling under NAC.

Future versions going to 64 bit as well as a more "forgiving" sync algorithm. Multiple updates then synced is better than update sync, update sync, repeat!

Enjoy!

From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Kyle Torkelson
Sent: Wednesday, February 27, 2013 2:14 PM
To: [email protected]
Subject: NAC -> ISE

Has anyone moved from NAC -> ISE? We're contemplating attempting this summer...we're running two 3355s so we are going to renew our SmartNet as CON-SNT-ISE3355 instead of NAC3355-M1500-K9 and NACMGR-M-STD-K9. Cisco is fine with us doing this and it even saves some $$ on SmartNet renewal since ISE SmartNet is slightly cheaper than NAC SmartNet. We figure right now, we don't have any HA with one CAM/CAS each but with two 3355s, we can run ISE in Primary/Secondary mode and have failover. So, we've set up a test 1.1.2.145 ISE VM and connected it to a hidden SSID on our wireless controller and done some testing by our IT Staff to see what we think.
I'm skeptical but cautiously optimistic after using it the last week. I like that we can start to get some granularity into using profiling and seeing what's on our network. My boss had a Windows 8 Surface RT (can't run NAC Agent or NAC web agent) machine and it actually was fairly easy to profile the device and then create an authorization policy so that we could get it working through ISE.

So, I'm curious what others have done or issues they have run into using ISE. I haven't done any testing on wired ports, just testing with 802.1X wireless.

An issue I don't like is the 1st time an Apple iDevice or Android device connects, it has to get profiled and you basically get a message that says "close your browser and try again in one minute." Well, what's happening is that you basically have to disconnect from wireless and reconnect and then the next time you get the right ACL and authorization profile applied correctly. It works great after the 1st time but not sure I like the 1st time connecting problem...TAC has told me that 1.2 (tentative for May) is supposed to have functionality to make this seamless for the user and not require the end user to manually re-associate to the SSID in order for the profiling/ACL to get applied correctly.

Thanks
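As an added illustration (constructed for this page, not configuration posted by either author in the thread), the switch side of the wired points raised in the reply: RADIUS sourced from Loopback0 so the requests arrive at ISE from the IP address ISE has on file for that switch, 802.1X with MAB fallback in Monitor Mode ("authentication open", so ISE records pass/fail results without blocking anyone), and multi-auth host mode so several devices behind a desktop switch can each authenticate on one port. The IP addresses, interface names, VLAN and the shared-secret placeholder are assumptions.

```cisco
! Constructed example: wired 802.1X/MAB access port in Monitor Mode against ISE.
! Addresses, interface names, VLAN and the shared secret are placeholders, not values from the thread.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! ISE Policy Service Node (or the PSN VIP). The secret must match the
! network device entry for this switch in ISE.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
!
! Source RADIUS from the loopback rather than whichever SVI the packet egresses.
! ISE matches a request to its network device entry by source IP, so the loopback
! address is the one that must be defined for this switch in ISE; otherwise the
! request is dropped as coming from an unknown network device.
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
ip radius source-interface Loopback0
!
interface GigabitEthernet1/0/1
 description Monitor Mode access port
 switchport mode access
 switchport access vlan 10
 ! Monitor Mode: port forwards traffic regardless of the auth result,
 ! so ISE logs who would have failed without cutting anyone off.
 authentication open
 ! Allow more than one authenticated MAC on the port (desktop switch, IP phone + PC).
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After pushing this, "show authentication sessions interface GigabitEthernet1/0/1" on the switch lists every MAC that has attempted to authenticate on the port together with its method and status, and the same attempts should show up in ISE's live authentication log; if nothing appears on the ISE side while the switch shows sessions, the source address of the RADIUS traffic is the first thing to compare against the ISE network device entry.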
