
We currently run Cisco ACS 4.2 for wireless authentication (as well as VPN) to support WPA2 enterprise. The source database is Active Directory, which we are in the process of upgrading to the Windows 2008 R2 functional level. ACS 4.2.1 will not work in a 2008 R2 AD environment, so we are looking at our options for RADIUS. Obviously, Cisco would love to sell us ISE for tens of thousands of dollars, and the guest access/security options would prove helpful, but it is difficult to justify the cost. What are other people using…Microsoft NPS? 

One requirement is that we need the ability to restrict SSID access based on group membership (i.e. students can only connect to the student SSID). We do this using the wlan-id attribute in ACS right now.

Thanks,

Chris Mielke

NETWORK ENGINEER 3

COMPUTER AND NETWORK SERVICES


********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Message from mark.duling@biola.edu

But the natural upgrade path from ACS to ISE is ISE Base, which at least when we were last quoted (an upgrade from ACS) was not much or any more than ACS and the license is perpetual.  The non-upgrade retail price is 25k, but actual prices are heavily discounted as probably everyone knows and I just Googled up a price near 15k online.  Base does wired, wireless, and VPN just like ACS.  At least for the VMware virtual appliances it was not at all "tens of thousands".  With ISE, redundant servers add no cost.  I could be wrong since we haven't made the jump yet from ACS 5.x, but from what I've seen on prices I'm not sure that you'd pay any more for ISE than an upgrade from ACS 4.x to 5.x if those were still available (I don't even know if they are).

ISE Advanced (or wireless-only which is a flavor of advanced) includes profiling and posture analysis and includes the type of functions you had with Cisco NAC, aka Clean Access, and the advanced licenses aren't perpetual as they weren't for that product.  You pay a premium for profiling and posture analysis if you want that.  But that is beyond what ACS ever did.  As far as I can tell, ISE Base = ACS + guest portal functionality.


Message from mark.duling@biola.edu

If you don't need 10k RADIUS seat licenses, you can get ISE Base 5k for $10,000 discounted Google tells me.  They also have lesser licenses all the way down to a 100 seat license for $500 retail surprisingly.


We do not run VMware (using a competing virtualization platform), so the virtual appliance is not an option for us. For redundancy we would require 2 physical appliances, which come to over 20K with annual maintenance. That includes a 40% discount. Then we have the licensing on top of that, which as you mention, will run another 6 to 9K for ISE-BASE. Also, we were told the "concurrent" licensing was not true concurrency, but based on a 1 month rolling window. In other words, even though we may max out at 2500 wireless users at any given time, I really need to license for the number of devices authenticating to the wireless network over the course of 1 month. That could easily reach 5000 or more.

One point of clarification. In your initial response you stated "redundant servers add no cost". Does that mean I only need to purchase one license sku and it will cover both appliances? I assumed we would need to purchase licensing for each appliance, essentially doubling the licensing cost.

Thanks,

Chris Mielke

NETWORK ENGINEER 3

COMPUTER AND NETWORK SERVICES



From: Mark Duling <mark.duling@BIOLA.EDU>
Reply-To: The EDUCAUSE Network Management Constituent Group Listserv <NETMAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, November 15, 2012 1:21 PM
To: "NETMAN@LISTSERV.EDUCAUSE.EDU" <NETMAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [NETMAN] RADIUS for Wireless Auth



We are running a pair of VMs with Microsoft's NPS to perform this function. Paired with an Aruba deployment, they have been running in an Active-Passive configuration for a little over a year with no major issues.

 

 

 

Patrick Goggins

Senior Systems Administrator

University of Wisconsin - Green Bay

 

 

Message from mark.duling@biola.edu

Hi Chris,

That is pricey hardware.  I didn't know about the rolling window licensing.  I supposed it was strictly per-seat.

Well it was my understanding that you can set up two administrative nodes, that the second node is a failover only, and that it requires no license at all (though Cisco sometimes has zero-cost licenses such as with Call Manager).  So this free secondary administrative node wouldn't apply to ISE Advanced posture analysis nodes for example.  Anyway, below is the relevant doc snippet I could find for the 1.0 version.  As I said, we haven't purchased it yet so you should check with your sales rep to make sure nothing has changed.  I only know this because our Cisco rep mentioned it right off the bat when discussing the features/benefits when it first came out.  Better check with your sales rep to be sure.


Central Management—Licenses are centrally managed by the ISE administration node. In a distributed deployment, where two ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.
 
Well I was ready to say that a single secondary node is "high-availability," whereas multiple secondary administrative nodes would be a "distributed deployment," the latter requiring the secondaries to have licenses.  But then I see info that uses the terms synonymously.  Good ol' Cisco docs.  Clear as mud.  Better check with the source to be sure.

Mark


I'm doing this with the built-in RADIUS server in Win2008R2, which is called Network Policy Server (NPS). I am doing access restriction by SSID using group membership, just as you want. I don't think it costs anything extra and it obviously integrates with AD.


Heath Barnhart, CCNA
Network Administrator
Information Technology Services
Washburn University
Topeka, KS

On 11/15/2012 11:33 AM, Christopher R Mielke wrote:

We are using Server 2008 R2 NPS as well and are testing a migration to 2012. No issues thus far.

 

 

Tim Cappalli, ACMP CCNA | (802) 626-6456

Office of Information Technology (OIT) | Lyndon

» cappalli@lyndonstate.edu | oit.lyndonstate.edu

 

 

Microsoft NPS here. Comes with the 2008 R2 server OS at no additional cost.

 

We are also using NPS with Aruba.  We restrict access based on AD group membership.  It was easy to set up and works well consistently.

 

Kate Robinson

Network Administrator

IT Services

Western State Colorado University

Taylor Hall 125

970-943-3123

 

We are running 2008R2 with NPS with one SSID (Aruba) (students/staff/faculty) where Bradford NAC moves the device to the right subnet by AD group.

 

 

Regards,

David

 

Message from jason.cook@adelaide.edu.au

We are using FreeRADIUS on Red Hat VMs. It has all the functionality we need, but requires resources with scripting skills. Luckily we have that on board, not me though. No major issues to report.

We peak at about 7,000 devices, and almost 20,000 over the course of a day. We currently use 3 servers, just a redundancy thing; we haven't seen any performance issues.

 

We don't have separate SSIDs though; we use RADIUS to assign a student/staff/visitor/eduroam user to the correct network on the one SSID. I wouldn't think that would be an issue though.

 

There's a wireless EDUCAUSE group as well; you might get some more options/feedback there.

 

--

Jason Cook

Technology Services

The University of Adelaide, AUSTRALIA 5005

Ph    : +61 8 8313 4800
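Two enforcement models come up in this thread: gating each SSID by AD group (Chris's wlan-id check, Heath's and Kate's NPS policies) and accepting everyone on one SSID while returning a VLAN by group (David's and Jason's setups). The Python below is an added example written for this page, not code from any poster, NPS or FreeRADIUS; it models the policy decision a RADIUS server makes for one Access-Request under either model. Assumptions, all constructed: the group names, SSID names, VLAN IDs, the AD_GROUPS stand-in for the directory lookup, and the sample requests. It relies on two real conventions: WLAN controllers commonly send Called-Station-Id as "<AP MAC>:<SSID>" for 802.11 requests (the format is controller-configurable, so confirm it in a capture or the server's request log before writing a policy), and dynamic VLAN assignment uses the RFC 3580 Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id attributes.

```python
import re

# --- Constructed policy data (assumptions for this example, not from the thread) ---
# Per-SSID model: which AD security groups may join each SSID.
SSID_ALLOWED_GROUPS = {
    "campus-student": {"Students"},
    "campus-staff": {"Staff", "Faculty"},
}
# Single-SSID model: group -> VLAN; first matching entry wins for multi-group users.
GROUP_VLAN = [("Staff", "20"), ("Faculty", "20"), ("Students", "30")]
# Stand-in for the directory lookup NPS or FreeRADIUS would do against AD.
AD_GROUPS = {
    "alice": {"Domain Users", "Students"},
    "bob": {"Domain Users", "Staff"},
    "carol": {"Domain Users"},          # no role group at all
}

NAS_PORT_TYPE_WIRELESS_80211 = 19        # RFC 2865 value for Wireless-IEEE-802.11
TUNNEL_TYPE_VLAN = 13                    # RFC 3580 dynamic VLAN assignment
TUNNEL_MEDIUM_IEEE_802 = 6

# Called-Station-Id in the common "<AP MAC>:<SSID>" form. The MAC may use '-', ':'
# or no separator, so the SSID is whatever follows the colon after the sixth octet;
# an anchored match avoids splitting a colon-separated MAC at the wrong place.
_CSI_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)


def ssid_from_called_station_id(value):
    """Return the SSID carried in Called-Station-Id, or None if it carries none."""
    m = _CSI_RE.match(value or "")
    return m.group("ssid") if m else None


def evaluate(request, mode="per-ssid"):
    """
    Decide one Access-Request. Returns (code, attributes_or_reason).

    mode "per-ssid": reject users not entitled to the SSID they are joining.
    mode "vlan":     accept users with a VLAN mapping and return Tunnel-* attrs.
    "Skip" means this policy does not apply and the next policy should be tried,
    the way an NPS network policy whose conditions do not match is passed over.
    """
    # The same server may front VPN (NAS-Port-Type Virtual = 5); an SSID policy
    # must only fire for 802.11 requests, or VPN logins get rejected for lacking an SSID.
    if request.get("NAS-Port-Type") != NAS_PORT_TYPE_WIRELESS_80211:
        return ("Skip", "NAS-Port-Type is not Wireless-IEEE-802.11")

    user = request.get("User-Name", "")
    groups = AD_GROUPS.get(user)
    if groups is None:
        return ("Access-Reject", f"unknown user {user!r}")

    if mode == "per-ssid":
        ssid = ssid_from_called_station_id(request.get("Called-Station-Id"))
        if ssid is None:
            # Fail closed: with no SSID the policy cannot be enforced at all.
            return ("Access-Reject", "Called-Station-Id carries no SSID")
        allowed = SSID_ALLOWED_GROUPS.get(ssid)
        if allowed is None:
            return ("Access-Reject", f"no policy for SSID {ssid!r}")
        if groups.isdisjoint(allowed):
            return ("Access-Reject", f"{user} is not in a group allowed on {ssid}")
        return ("Access-Accept", {})

    if mode == "vlan":
        for group, vlan in GROUP_VLAN:
            if group in groups:
                return ("Access-Accept", {
                    "Tunnel-Type": TUNNEL_TYPE_VLAN,
                    "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
                    "Tunnel-Private-Group-Id": vlan,
                })
        return ("Access-Reject", f"{user} has no VLAN mapping")

    raise ValueError(f"unknown mode {mode!r}")


# Constructed Access-Requests covering both models and the edge cases above.
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "NAS-Port-Type": 19, "Called-Station-Id": "00-1A-2B-3C-4D-5E:campus-student"},
    {"User-Name": "alice", "NAS-Port-Type": 19, "Called-Station-Id": "00-1A-2B-3C-4D-5E:campus-staff"},
    {"User-Name": "bob",   "NAS-Port-Type": 19, "Called-Station-Id": "001A2B3C4D5E:campus-staff"},
    {"User-Name": "carol", "NAS-Port-Type": 19, "Called-Station-Id": "00:1A:2B:3C:4D:5E:campus-student"},
    {"User-Name": "bob",   "NAS-Port-Type": 5,  "Called-Station-Id": "vpn.example.edu"},   # VPN, not wireless
    {"User-Name": "alice", "NAS-Port-Type": 19, "Called-Station-Id": "00-1A-2B-3C-4D-5E"}, # controller sent no SSID
]


def run_samples(mode):
    """Decision code for each sample request under the given mode."""
    return [evaluate(r, mode)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for mode in ("per-ssid", "vlan"):
        print(f"== {mode} ==")
        for r in SAMPLE_REQUESTS:
            code, detail = evaluate(r, mode)
            print(f"  {r['User-Name']:<6} {r['Called-Station-Id']:<36} -> {code} {detail}")
```

In NPS the same decision is expressed as a network policy whose conditions are NAS Port Type (Wireless - IEEE 802.11), Windows Groups, and a Called Station ID pattern matching the SSID suffix, with Tunnel-* as the policy's RADIUS attributes for the VLAN variant; in FreeRADIUS it is the equivalent checks in the authorize section. The two points the code makes that the policy GUI does not: restrict the SSID condition to wireless so shared VPN authentication is unaffected, and fail closed when the controller omits the SSID rather than letting such requests fall through to a more permissive policy.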

 
