Cisco ISE - Identity Services Engine - Experience

swild Member Posts: 828
I got a call from a recruiter trying to fill an "immediate need" position. They only had one requirement: hands-on experience with Cisco ISE.

Having never heard of it, as soon as he said it, I put my Google skills to work and had a pdf open in about 5 seconds. The technology is only one year old and they just released version 2 of the software, and it sounds pretty awesome. He said that he has contacted everyone in my area with Cisco certs and so far no one has heard of this device/service.

So I ran through my spiel of Cisco and Security knowledge and he said that I sound like I know more about it than anyone else he has talked to, even though I was up front about never having heard of it. He said that I was also the only one in my area he could find with a CCNA: Security cert and that no one he could find has a CCNP: Security (or at least anyone looking for a job).

He said that he is going to contact the customer and see if they would be happy with me even though I have never used the service. He also said that the customer must remain confidential until they want to give a job offer AND I sign an NDA. I am shocked that any company around me 1) would have been talked into buying this device 2) would not have staff to implement/administer it 3) would be unwilling to train internal staff 4) would have this level of secrecy.

A couple of questions for you guys:

Has anyone ever had hands-on experience with an ISE or does your company use it?

What kind of company would fit this profile? I'm thinking maybe a smaller local bank or financial services company, besides that I am pulling a blank. There are a couple of bigger companies, but I know for a fact they would train internal employees first.

Comments

  • swild Member Posts: 828
    Well, I landed an interview. That's step one.

    I was almost right about financial services. Actually, it is a consulting firm specializing in Security and Wireless installations for financial services companies.

    I plan to spend the weekend flipping through Cisco's 1200 page user guide on the ISE. I want this job.

    I would still like to know how prevalent this tech is. Anyone chime in if you've heard of it in use.
  • Legacy User Unregistered / Not Logged In Posts: 0
    Good luck on the interview.
  • Zartanasaurus Member Posts: 2,008
    ISE is basically their new and improved ACS device. No experience on ISE, but I have experience on ACS. Have been researching ISE lately since BYOD is coming here soon. My impression is it's a RADIUS server with extra Cisco goodies thrown in.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5 42.8%
  • Akaricloud Member Posts: 938
    We've looked at Cisco ISE and in all honesty it looks great but our company size/budget has held us back from moving forward with it. I honestly think with the whole BYOD movement they are going to be quite popular here in the near future and experts will be in demand.
  • Zartanasaurus Member Posts: 2,008
    Akaricloud wrote: »
    We've looked at Cisco ISE and in all honesty it looks great but our company size/budget has held us back from moving forward with it. I honestly think with the whole BYOD movement they are going to be quite popular here in the near future and experts will be in demand.
    How much was it?
  • hiddenknight821 Member Posts: 1,209
    Good luck on the interview. Will you still be located in Arkansas?
  • Akaricloud Member Posts: 938
    I never personally looked at the price, that was between our network engineer and director.
  • swild Member Posts: 828
    Yeah, I don't have to move.

    The price is pretty steep. After all is said and done it looks like a $50k minimum investment for 100 end hosts. High end of $2 mill with 100000 end hosts.
  • networkjutsu Member Posts: 275
    swild wrote: »
    The price is pretty steep. After all is said and done it looks like a $50k minimum investment for 100 end hosts. High end of $2 mill with 100000 end hosts.

    $50K sounds about right. I was quoted the same thing. People in the twitterverse said that some partners can offer lower than that though. If I remember correctly, ISE = ACS + NAC, etc. We were considering SecureACS and/or ISE because it can do 802.1x and to retire my tac_plus AAA implementation, but ~$17K (ACS) for one server is pretty steep. They like to do redundant systems over here so spending ~$34K will most likely be turned down right away by the management. So now, I am just trying to implement Win2K8's NPS/NAP for 802.1x and still keep the tac_plus. If only I knew more about MS stuff, it would be up and running by now. I couldn't get it to work in my lab but I think I made some progress on it since Windows 7 was asking for credentials but kept saying wrong credentials. The first one I did in my lab never did ask for credentials! Maybe my third one will be a success. Fingers crossed. Maybe some TE guys can help with my NPS/NAP lab? Would really appreciate it!

    Aruba's ClearPass is another one for BYOD strategy stuff. If I remember correctly, they're going to include Amigopod as well in the ClearPass.

    Good luck on the interview!
  • Zartanasaurus Member Posts: 2,008
    networkjutsu wrote: »
    So now, I am just trying to implement Win2K8's NPS/NAP for 802.1x and still keep the tac_plus. If only I knew more about MS stuff, it would be up and running by now. I couldn't get it to work in my lab but I think I made some progress on it since Windows 7 was asking for credentials but kept saying wrong credentials. The first one I did in my lab never did ask for credentials! Maybe my third one will be a success. Fingers crossed. Maybe some TE guys can help with my NPS/NAP lab? Would really appreciate it!
    Me and you are doing the exact same thing right now!
    I have it working in my test environment with a WLC4400, AP1252 and Windows NPS. I think the big seller for the ISE is allowing end users to "sponsor" guest wireless credentials on the fly without having IT intervene. When we did a seminar with our Cisco Partner in the spring, they used ISE to give us guest access on the wireless. To be honest, it would be more practical for us to make a guest account for all the sites to use and maybe change it on a monthly basis considering how many visitors and sites we have.
  • Zartanasaurus Member Posts: 2,008
    swild wrote: »
    Yeah, I don't have to move.

    The price is pretty steep. After all is said and done it looks like a $50k minimum investment for 100 end hosts. High end of $2 mill with 100000 end hosts.
    Ouch!
    We'd have potentially 30K internal users, plus an unknown amount of visitors on a daily basis.
  • Iristheangel Mod Posts: 4,133
    I haven't personally used ISE yet, but the new job I just accepted today would deal with it. This was the conversation I had with the IT manager:
    IT Manager: Have you ever used Cisco ISE?
    Me: No.
    IT Manager: Get ready for some fun. It's one of the most complicated things to configure that I've ever seen from Cisco.

    I don't have any personal experience yet, but hopefully in the coming weeks, I'll be able to add some more input here.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • networkjutsu Member Posts: 275
    Zartanasaurus wrote: »
    Me and you are doing the exact same thing right now!
    I have it working in my test environment with a WLC4400, AP1252 and Windows NPS.

    Mine is for Wired 802.1x. What is your lab setup? One box doing AD, CA, and NPS/NAP? I tried doing separate boxes on all three and didn't get any luck on two tries. My next attempt would be two boxes, one AD and one CA + NPS/NAP. I may need your help if I still couldn't get it to work.
  • Zartanasaurus Member Posts: 2,008
    networkjutsu wrote: »
    Mine is for Wired 802.1x. What is your lab setup? One box doing AD, CA, and NPS/NAP? I tried doing separate boxes on all three and didn't get any luck on two tries. My next attempt would be two boxes, one AD and one CA + NPS/NAP. I may need your help if I still couldn't get it to work.
    I have a separate AD, NPS and CA server. Do you know exactly where you got stuck? Did you register the NPS server with AD and configure the CA to automatically issue certs to IAS servers? I used this guide from Microsoft to handle the NPS requirements.

    Do some Wireshark captures on the NPS and filter for RADIUS to see where the process is breaking.
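    Zartanasaurus's suggestion (capture on the NPS box, filter for RADIUS, see where the process breaks) can be turned into a small triage script. The block below is an added example written for this thread, not code from any poster or from Cisco/Microsoft: it parses raw RADIUS datagrams and maps the code sequence to the usual wired 802.1X failure point. The four-packet capture, the username `LAB\user` and the zero authenticators are constructed for the example.

```python
# Constructed example, not from the thread: parse raw RADIUS datagrams (what a
# 'radius' filter on the NPS box shows) and map the code sequence to the usual
# 802.1X failure point. Authenticators are zero because nothing is verified here.
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_MESSAGE = 79  # attribute carrying the EAP frame (may be split over several attributes)

def parse_radius(datagram):
    """Return (code, identifier, [(attr_type, value), ...]) for one RADIUS datagram."""
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length != len(datagram) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def diagnose(datagrams):
    """Map the observed RADIUS code sequence to the likely 802.1X failure point."""
    codes = [parse_radius(d)[0] for d in datagrams]
    if not codes:
        return "no RADIUS seen: switch port is not sending (check dot1x/AAA on the switch)"
    if 2 in codes:
        return "Access-Accept: authentication succeeded"
    if 3 in codes and 11 in codes:
        return "Access-Reject after Access-Challenge: inner auth failed (credentials, NPS policy or cert)"
    if 3 in codes:
        return "immediate Access-Reject: NPS matched no connection request/network policy"
    return "challenges with no final answer: supplicant never completed EAP (server cert trust?)"

def radius(code, ident, *attrs):  # builder for the constructed sample below
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def eap(code, ident, etype=None, data=b""):  # minimal EAP frame builder
    payload = (bytes([etype]) if etype is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

# Mirrors the symptom in the thread: the prompt appears, then the credential is rejected.
SAMPLE = [
    radius(1, 1, (1, b"LAB\\user"), (EAP_MESSAGE, eap(2, 1, 1, b"LAB\\user"))),  # EAP Identity
    radius(11, 1, (EAP_MESSAGE, eap(1, 2, 25))),                                 # NPS proposes PEAP
    radius(1, 2, (1, b"LAB\\user"), (EAP_MESSAGE, eap(2, 2, 25))),               # client continues
    radius(3, 2, (EAP_MESSAGE, eap(4, 3))),                                      # EAP-Failure
]
```

    Feed `diagnose()` the UDP payloads from a real capture (one session at a time) to get the same one-line verdict; `CODES` is there for printing each packet as Wireshark would label it.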
  • networkjutsu Member Posts: 275
    Zartanasaurus wrote: »
    I have a separate AD, NPS and CA server. Do you know exactly where you got stuck? Did you register the NPS server with AD and configure the CA to automatically issue certs to IAS servers? I used this guide from Microsoft to handle the NPS requirements.

    Do some Wireshark captures on the NPS and filter for RADIUS to see where the process is breaking.

    I may have to check that guide. I found a guide from Microsoft as well for wired but if I remember correctly it didn't work. I used other guides out there as well but no luck.

    The first try, my Windows client (Win 7) wasn't getting the prompt to authenticate. The second try, the Windows client started to get the authentication prompt but it kept saying that the credential was wrong. So there's some progress for sure but still broken. Hah! I am going to try the 2 boxes then I'll go from there.

    IIRC, I tried pushing a GPO to issue the certs automatically but that didn't work. I'll probably try the wireless guide and maybe I'll learn something from that guide but obviously it'll be a different process to configure the NPS/NAP.