Cisco IT’s Identity Services Engine Deployment: First Capabilities to Roll Out
Cisco IT is deploying Identity Services Engine (ISE) globally. ISE is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. We’re running ISE 1.2 Patch 3 globally and evaluating Patch 5 for its guest networking enhancements. Over the next few months, I’d like to share some of our best practices and lessons learned as we continue our ISE deployment. Much of the background and deployment work before my blog can be found in this published article.To manage capability deployment and adoption, we’re implementing ISE capabilities in bundles (see chart below). This bundle strategy helps Cisco IT ensure that the requisite steps for success of each capability are completed properly.
Guest wireless access control was the first ISE capability we deployed globally. Cisco’s guest networking system was nearing end of life. It wasn’t very flexible and was prone to outages due to complexity. Simplicity was paramount in deploying guest networking services via ISE. Our deployment required only two servers, a primary one in our data center in Silicon Valley and a secondary one in Western Europe. Complexity plummeted by having just two servers, and we lowered our total cost of ownership (TCO) and operational overhead.
Redundancy was built into the application in ISE. This functionality was tested in real life when our secondary server failed due to a virtual machine issue. All global guest networking requests landed on the primary server, and all were handled correctly with no discernible effect to the end users.
In January 2014, ISE provided guest accounts to almost 30,000 users. Usage is trending up month to month with growth around 2 percent per month.
Lessons Learned from Deploying Guest Wireless Access
- Communication is crucial. This capability involves user experience, so it was critical for us to communicate changes to end-users in multiple ways. Find as many avenues as you can to communicate the changes. This is a case where over-sharing is not a bad trait.
- Design a way for escalations in the first week or two to be handled by a dedicated team. This type of change occurs abruptly for users, so having a special team will ease Day 1 War Room conditions.
- Provide an avenue, whether a forum or mailer, where users can direct how-to questions, provide feedback, or just vent their concerns.
Next we deployed the 802.1X Monitor Mode and Profiling ISE capabilities. These two capabilities are critical steps toward full 802.1X Authentication and Enforcement mode. Monitor Mode and Profiling allows us to understand what is on the network and what is not 802.1X capable (and thus will either need to be remediated, upgraded, or added to a MAC bypass list). As of February 18, 2014, Cisco IT had deployed both 802.1X Monitor Mode and Profiling to 150 sites (out of 330 sites globally).
Lessons Learned from deploying 802.1X Monitor Mode and Profiling
- Consider using a large analytics engine. Cisco IT uses Splunk to analyze data from ISE. While ISE provides reporting, using a large analytics engine provides additional capabilities.
- Perform platform testing before deployment. Cisco IT has a robust lab with every network device deployed in our global network. In some cases, certain Cisco IOS Software versions did not perform well with ISE features, so we timed the deployment to coincide with version upgrades to ensure the best performance.
Wireless authentication was the third ISE capability we deployed. The Cisco Access Control System (ACS) version 5.4 currently manages our wireless authentication. ACS has managed wireless authentication for a long time. Wireless access is critical to an enterprise, and the conversion to ISE was viewed as an important milestone and indicator of Cisco IT’s success. We designed the deployment in a measured, controlled fashion with three initial limited rollouts.
In February 2014, we will have deployed wireless authentication to 12 global sites. In March, we will deploy to an additional 40 sites, followed by the last 80 sites of the limited rollout in April. If all these deployments prove successful, we will implement wireless authentication to the rest of Cisco’s global sites, concluding in May 2014.
Below are graphs taken from the analytics engine about our wireless authorization limited deployment.
Lessons Learned from Deploying Wireless Authentication
- Identify older AD servers. Older versions of Windows AD servers (2005) on the network can cause intermittent issues with authentication. This is observed when running ACS, not just ISE, for wireless authentication.
- Stage limited deployments. Limited deployments first will help you ensure that platform compatibility is good. What’s more, the load on the ISE infrastructure provides the project team the best way to manage a global deployment.
Lastly, wired authentication is a new capability deployment for Cisco IT, and requires a good deal more preparation than wireless authentication. We’re in the final planning stages with wired authentication via ISE. Changes to the formal design document have been completed and approved. In March 2014, we will deploy wired authentication in production in a single building at Cisco’s San Jose campus. Simultaneously, Cisco IT will be finalizing the support and communications execution. Full deployment is scheduled for May to July 2014.
Stay tuned for more blogs about Cisco IT’s ISE deployment journey.