
Message from apage@nd.edu

Are there any fellow higher ed shops running Cisco ISE yet? We have been hearing about the reasonably priced migration licenses for the last year or so, but just recently were told about the mandatory consulting fee.

 

Any personal experiences you would be willing to share will be appreciated.

 

Andy

 

--
Andy Page
Network Design Professional
University of Notre Dame

Member, ND Wireless Institute

apage@nd.edu | 574.631.6592


Go  Irish!

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Andy,

We implemented Cisco ISE during the summer of 2012. When we did so there was no mandatory consulting fee, though I did hear that something along those lines was instituted after.

Our experience with ISE has been positive. We have hit a few bugs along the way, nothing catastrophic though. Operationally the system runs well, from the ground up it is designed to provide HA/redundancy for network authentication which is one of the things that drew us to it. Most of the issues that we have run into have had to do with improperly sized VM servers, my understanding is that this is one of the reasons that you now have to work closely with your VAR on the design/install. All of our deployment with the exception of one policy node (radius server) runs in VM. We elected to keep one of the servers physical in case our VM deployment ever goes offline.

--Joe


On things like MSE and PI, we’re finding the sizing of VMs/licensing/re-licensing/rebuilding because of licensing issues/relicensing because of Cisco botching the licensing/confusing docs etc to be maddening, even when trying to work closely with Cisco to get it right. I can’t imagine having to pay for this sort of “service”.

 

-Lee

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joe Roth
Sent: Friday, February 21, 2014 9:47 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] Cisco ISE

 

Andy,

We implemented Cisco ISE during the summer of 2012. When we did so there was no mandatory consulting fee, though I did hear that something along those lines was instituted after.

Our experience with ISE has been positive. We have hit a few bugs along the way, nothing catastrophic though. Operationally the system runs well, from the ground up it is designed to provide HA/redundancy for network authentication which is one of the things that drew us to it. Most of the issues that we have run into have had to do with improperly sized VM servers, my understanding is that this is one of the reasons that you now have to work closely with your VAR on the design/install. All of our deployment with the exception of one policy node (radius server) runs in VM. We elected to keep one of the servers physical in case our VM deployment ever goes offline.

--Joe

 

We have ISE in test right now and deployed it ourselves. I haven’t heard anything about required professional services, but I do agree that it is a complex implementation and not really something many people can simply figure out on their own. I took an ISE class from Global Knowledge which proved very helpful. We will soon be sending all wireless authentication to ISE.

 

Lee, I’m going through a licensing nightmare with PI right now…maddening.

 

--Mike

_________________________________________________________________________________________________________________________________________________________________________________________________________

Michael Adams | Network Administrator III

Wilmington University | 47 Reads Way, New Castle, DE 19720

Office (302) 295-1220

 

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, February 21, 2014 10:00 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] Cisco ISE

 

On things like MSE and PI, we’re finding the sizing of VMs/licensing/re-licensing/rebuilding because of licensing issues/relicensing because of Cisco botching the licensing/confusing docs etc to be maddening, even when trying to work closely with Cisco to get it right. I can’t imagine having to pay for this sort of “service”.

 

-Lee

 


 

I also went through the nightmare of licensing when we migrated from WCS to Prime. I hate their licensing department. They're the worst I've ever dealt with in over 12 years.

One year ago we heard from Cisco that they would require professional services for the discount to apply. I think they dropped the requirement because we purchased ISE in November without it and got the discount since we were a Cisco NAC (Clean Access) shop. I would not have purchased it if we needed to pay a third party to install it.


On 2/21/2014 11:00 AM, Michael Adams wrote:

We have ISE in test right now and deployed it ourselves. I haven’t heard anything about required professional services, but I do agree that it is a complex implementation and not really something many people can simply figure out on their own. I took an ISE class from Global Knowledge which proved very helpful. We will soon be sending all wireless authentication to ISE.

 

Lee, I’m going through a licensing nightmare with PI right now…maddening.

 

--Mike

_________________________________________________________________________________________________________________________________________________________________________________________________________

Michael Adams | Network Administrator III

Wilmington University | 47 Reads Way, New Castle, DE 19720

Office (302) 295-1220

 

 


 

When we purchased and implemented ISE ourselves we sized our VMs to match the largest hardware platform that they had at the time (3395?). There were no real specs for VM per se, it was more "size the VM to the hardware platform that would be appropriate." This turned out to be undersized by more than 50%. When we met with Cisco a full year later to rework all of this they had better VM specs, but after speaking with engineering we needed to go even further beyond these. We were also told that the speed of the drives in the iSCSI array was an issue. Cisco wants all 10K RPM drives for the VM servers and the LUN to be built a certain way; our VM team had our servers running on 7200 RPM arrays. We didn't see that anywhere in the VM specs either. Luckily we had a 10K RPM array running and our team was able to migrate everything to that.

My understanding is that they want you to contract/consult professional services to avoid these sorts of issues, and I agree that it shouldn't be necessary. I will admit that I am not a server/DB guy, but it isn't unreasonable to expect an install guide to have the correct specs. I'm hoping that that has since been rectified in their documentation.

As far as ISE licensing we have rebuilt all of the servers once and had to obtain (reissue) a new license for them, that process wasn't too difficult.

