We have never had a Cisco engineer recommend WPA2/AES-PSK on an enterprise environment. Was it a consultant? If not I would talk to your Cisco SE about the bad advice. That type of thinking is archaic.
We have been using ISE for three years at WVU. The initial implementation was to replace our ACS servers for RADIUS authentication. We are now using it for students to self-register their devices that don’t support 802.1x authentication. So far it has worked extremely well. We also use ISE to specifically profile gaming consoles and place them on a VLAN with a public IP so we don’t have to fight with UPnP using NAT through the firewall. We just implemented both the guest self-registration and the sponsor portal registration which are also working well with the exception of a bug we just ran into in the self-registration process after upgrading to 2.1.0.474. The self-registration still works but the text message sent to the user is blank and the email can’t be read using Apple Mail (it ends up as garbled text). We expect a fix in the next few weeks. / Stephen Belcher Assistant Director of Network Operations WVU Information Technology Services One Waterfront Place / PO Box 6500 Morgantown, WV 26506 (304) 293-8440 office (681) 214-3389 mobile [email protected]<mailto:[email protected]> From: T. Shayne Ghere [mailto:[email protected]] Sent: Monday, August 1, 2016 10:06 AM Subject: Cisco ISE Good morning, Currently we have a home grown wireless registration system in place that is becoming obsolete. We are getting ready to refresh our Cisco AP’s, and I’m writing to see if anyone has any positive/negative issues in using Cisco ISE for individual “self” registration on your wireless network. We also use WPA2/AES Certificate based security, but that is problematic because of compatibility issues and devices that have no way of accepting certs. In talking with some Cisco Wireless Engineers, they recommend WPA2/AES-PSK but we don’t have the manpower to set that up on every device. We also do not NAT any devices. If you have any suggestions, or comments on using ISE and moving away from Certs, I would greatly appreciate them. Thanks Shayne ---------------------------------- T. Shayne Ghere Bradley University Wireless/Lan Network Engineer 1501 W. Bradley Ave, Jobst 224A [email protected]<mailto:[email protected]> FBI CA Graduate2011 Alumni FBI InfraGard Member ---------------------------------- UPCOMING OUT OF OFFICE None ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.educause.edu%2fgroups%2f&data=01%7c01%7csteve.belcher%40MAIL.WVU.EDU%7c3754866688ef445244ee08d3bac8de0e%7ca7531e183e5d4145ae4c336d320ca7e4%7c0&sdata=zCgKjQATauS1YY7XErXK9BuG%2fXPY%2fgELLg9bCzh9mOU%3d>. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.educause.edu%2fgroups%2f&data=01%7c01%7csteve.belcher%40MAIL.WVU.EDU%7c3754866688ef445244ee08d3bac8de0e%7ca7531e183e5d4145ae4c336d320ca7e4%7c0&sdata=zCgKjQATauS1YY7XErXK9BuG%2fXPY%2fgELLg9bCzh9mOU%3d>. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
