RE: Alternatives to ISE?

2017-12-04 Thread Christopher J. Wolff
Ray,

I'm running 2.2 with 17000 endpoints in a 7-node deployment.

Main Problems:
-Replication slow or failed
-Displaying endpoints ends up in a "Shards" error or crashes the GUI (documented Cisco bug)
-Wifi Container Service (?) fails
-Inaccurate license counts causing license alarms
-Moments where unable to add or see network devices
-Profile rules are not catching certain hosts (even when you hardcode the OUI)

I'm certain I'm forgetting a few but you get the drift.


Yours in service,

Christopher J. Wolff | Network Operations
Information Technology & Innovation
City of New Orleans

(o) 504.658.7817
(m) 504.265.6306
(e) cjwo...@nola.gov



-----Original Message-----
From: Ray Van Dolson [mailto:rvandol...@esri.com] 
Sent: Sunday, December 3, 2017 9:55 PM
To: Christopher J. Wolff 
Cc: nanog@nanog.org
Subject: Re: Alternatives to ISE?

On Sun, Dec 03, 2017 at 02:39:27PM +, Christopher J. Wolff wrote:
> I've about reached my limit with the dumpster fire that is Cisco's 
> Identity Service Engine.  Are there any reliable alternatives that do 
> endpoint classification, central web auth, and .1x auth?

What version of ISE are you running?  What are your main frustrations with it?

Ray



Re: Alternatives to ISE?

2017-12-03 Thread Ray Van Dolson
On Sun, Dec 03, 2017 at 02:39:27PM +, Christopher J. Wolff wrote:
> I've about reached my limit with the dumpster fire that is Cisco's
> Identity Service Engine.  Are there any reliable alternatives that do
> endpoint classification, central web auth, and .1x auth?

What version of ISE are you running?  What are your main frustrations
with it?

Ray


Re: Alternatives to ISE?

2017-12-03 Thread Alan Buxey
if you're already slurping the commercial koolaid (support contracts,
someone to blame etc etc) - then Aruba Clearpass?

(otherwise local homebrew with FreeRADIUS core or PacketFence as
FOSSOTS ;-) )

alan


Re: Alternatives to ISE?

2017-12-03 Thread Eriks Rugelis
$dayjob is a university where we use PacketFence to support .1x for a 
population of approx. 28K concurrent Wi-Fi devices.

It took us a couple of iterations but we now have a clustered deployment (of 
VM’s) model which routinely handles >1200 logins per second, has a fair bit of 
headroom left over and can scale larger as required.

We have been very satisfied with the responsiveness and capabilities of tech 
support by Inverse.ca.   All this and the price point is hard to beat.

I have no personal interest in Inverse other than as a satisfied customer.

Our presentation on the scalable deployment model for PF may be found by 
searching the web for “Authentication for big Wi-Fi”.

Eriks
---
Eriks Rugelis
Sr. Consultant
Netidea Inc.
T: +1.416.876.0740

> On Dec 3, 2017, at 10:06, Jean | ddostest.me via NANOG  
> wrote:
> 
> I'm about to try this one.
> 
> https://packetfence.org/
> 
> Not sure if it covers all the features you need though, but it seems
> promising. In case you give it a try, could you share your experience
> please?
> 
> Thanks
> Jean
> 
>> On 17-12-03 09:48 AM, segs wrote:
>> Forescout but if you want something simpler with SNMP authentication of
>> switches and Domain Controller of authorized PCs you can have a look at
>> Portnox. Done a couple of deployments with Portnox.
>> 
>> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff 
>> wrote:
>> 
>>> I've about reached my limit with the dumpster fire that is Cisco's
>>> Identity Service Engine.  Are there any reliable alternatives that do
>>> endpoint classification, central web auth, and .1x auth?
>>> 
>>> Thanks in advance,
>>> Christopher
>>> 
> 


Re: Alternatives to ISE?

2017-12-03 Thread Mel Beckman
I’ve used PacketFence for several years, but it’s kind of fragile. Compared to 
many FOSS systems, it’s exceptionally well documented, and uses reasonably good 
Web GUI standards. It also supports Cisco switches well. However, I routinely 
have to twiddle with it when one or another internal component silently 
crashes. It’s about as fiddly as Asterisk is for telephony: just when you 
think you’ve got it working, some unpredicted external event — a new device or 
an OS security patch — breaks it. What PF really needs is some kind of internal 
monitoring and notification system to let you know when and what stopped 
working. Various users have jury-rigged their own scripts and published them, 
but they’re too customized to work generically for any PF installation.

I’ve seen commercial NAC systems that appear to be much more reliable. Cisco’s 
is not among them. I haven’t taken the time to try them out yet, however. 

 -mel

> On Dec 3, 2017, at 7:06 AM, Jean | ddostest.me via NANOG  
> wrote:
> 
> I'm about to try this one.
> 
> https://packetfence.org/
> 
> Not sure if it covers all the features you need though, but it seems
> promising. In case you give it a try, could you share your experience
> please?
> 
> Thanks
> Jean
> 
> On 17-12-03 09:48 AM, segs wrote:
>> Forescout but if you want something simpler with SNMP authentication of
>> switches and Domain Controller of authorized PCs you can have a look at
>> Portnox. Done a couple of deployments with Portnox.
>> 
>> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff 
>> wrote:
>> 
>>> I've about reached my limit with the dumpster fire that is Cisco's
>>> Identity Service Engine.  Are there any reliable alternatives that do
>>> endpoint classification, central web auth, and .1x auth?
>>> 
>>> Thanks in advance,
>>> Christopher
>>> 



Re: Alternatives to ISE?

2017-12-03 Thread Jean | ddostest.me via NANOG
I'm about to try this one.

https://packetfence.org/

Not sure if it covers all the features you need though, but it seems
promising. In case you give it a try, could you share your experience
please?

Thanks
Jean

On 17-12-03 09:48 AM, segs wrote:
> Forescout but if you want something simpler with SNMP authentication of
> switches and Domain Controller of authorized PCs you can have a look at
> Portnox. Done a couple of deployments with Portnox.
> 
> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff 
> wrote:
> 
>> I've about reached my limit with the dumpster fire that is Cisco's
>> Identity Service Engine.  Are there any reliable alternatives that do
>> endpoint classification, central web auth, and .1x auth?
>>
>> Thanks in advance,
>> Christopher
>>


Re: Alternatives to ISE?

2017-12-03 Thread segs
Forescout but if you want something simpler with SNMP authentication of
switches and Domain Controller of authorized PCs you can have a look at
Portnox. Done a couple of deployments with Portnox.

On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff 
wrote:

> I've about reached my limit with the dumpster fire that is Cisco's
> Identity Service Engine.  Are there any reliable alternatives that do
> endpoint classification, central web auth, and .1x auth?
>
> Thanks in advance,
> Christopher
>


Alternatives to ISE?

2017-12-03 Thread Christopher J. Wolff
I've about reached my limit with the dumpster fire that is Cisco's Identity 
Service Engine.  Are there any reliable alternatives that do endpoint 
classification, central web auth, and .1x auth?

Thanks in advance,
Christopher