How To Migrate To Cisco Identity Services Engine (ISE): NAC to ISE /ACS to ISE

Borat1 300x300 How To Migrate To Cisco Identity Services Engine (ISE): NAC to ISE /ACS to ISE
Today you may have Cisco NAC appliance or ACS and have heard great things about Cisco’s latest access control technology known as Identity Services Engine (ISE). What are you options to migrate to ISE? Here are some things you should know.

NOTE: These tips apply to how things are August 2011.

OVERVIEW:
ISE provides all the functionality of legacy NAC appliance, NAC Profiler and NAC Guest server. ISE provides all the functionality of ACS except device administration. This makes all existing customers running these services except ACS device administration (TACACS /RADIUS) an upgrade candidate. Many customers are keeping ACS for device management and purchasing new ISE solutions.

SOFTWARE
ISE is a free software upgrade for customers who have NAC appliance or NAC profiler. This is for both for the base and advance licenses.

ISE is a 50% software discount for customers who have ACS or NAC guest server. The 50% discount is a migration part for the base license only. The advance features license will not be impacted by this discount.

HARDWARE
ISE is supported on current generation NAC appliance hardware (3315, 3355,3395) and ACS (1121) hardware.

ISE is not support on any previous generation hardware (3310,3350, 3390, 1120, 3140, etc.). There are hardware/vmware migration discounts for customers moving from these platforms to the latest appliance or VMware systems.

ISE is available in appliance and VMware. There are VMware bundle options to increase discount when purchasing multiple VMware instances.

ISE hardware is discounted if the customer owns older NAC appliance (3310,3350 or 3390) or ACS appliance (1120).

Example 1:
Customer has a NAC manager appliance, 2000 user Cisco NAC Server appliance, Cisco Profiler appliance and Cisco Guest server. All hardware is the newer model IBM appliances (3315,3355 or 3395). The customer can get ISE software at no cost. They can download ISE .ISO for free from cisco.com and reimage the appliances to the latest ISE software. They can order a license from a Cisco partner at no cost as long as they have an active Smartnet contract and the supported hardware. The customer only needs one license since license management is centralized regardless of the number of existing appliances.

Example 2:
Customer has a NAC manager appliance, 2000 user NAC Server, Cisco Profiler and Cisco Guest server. All hardware is older HP servers (3310,3350 or 3390). The customer can download ISE .ISO for free from cisco.com and order a license at no cost. The hardware will not support ISE. This customer will have to migrate to the latest ISE appliance or vmware system for each NAC appliance server. The cost of the hardware will be discounted.

Example 3:
Customer has Cisco ACS supporting 2000 users and wants to migrate to ISE. They will need to purchase the 50% discounted ISE base and full advance licenses. They will need to migrate to ISE via VMware or Appliance if they don’t own an ACS 1121 appliance.

VN:F [1.9.22_1171]
Rating: 5.0/5 (7 votes cast)
How To Migrate To Cisco Identity Services Engine (ISE): NAC to ISE /ACS to ISE, 5.0 out of 5 based on 7 ratings

7 thoughts on “How To Migrate To Cisco Identity Services Engine (ISE): NAC to ISE /ACS to ISE

  1. Any chance you have the link off Cisco that shows that the ICE upgrade is free for customers with NAC appliance/Profiler? Cisco has been giving conflicting information depending on who you ask.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    • Hi Jack. Here is the official word. ISE is free regarding licenses if you have NAC appliance and/or profiler. The part number is L-ISE-ADV-(number of devices)-M= and description says “Cisco ISE (number of devices) EndPoint Advanced + Base Migration License” at zero dollars (IE the part covers both base and advance subscription license). The license matches the existing NAC appliance CAS head count. ISE is supported on the newer hardware (IE IBM hardware which is 3315, 3355,3395,1121) so if you have NAC appliance and the newer hardware, the cost for the licenses is free which is ordered through a reseller.

      Now keep in mind NAC appliance uses secure SNMP or InBand for access control while ISE uses 802.1x or InBand via iPEP so there is a COST associated with deploying 802.1x. That cost could be switch upgrades that don’t support 802.1x COA, time to roll out 802.1x (IE start off in monitor only mode, than low impact and finally high impact or very secure mode). That cost can be reduced if you have a network management solution that can push out configurations to simplify the deployment. Wireless is a little different since any cisco WLC that supports 7.x or higher code can do straight 802.1x to the controller rather than secure SNMP or inband like NAC appliance wireless.

      Finally if you have older hardware (IE HP hardware 3310,3350,3390), the licenses will be free matching your CAS head count however you will need to migrate to the newer hardware which is discounted. ACS 802.1x doesn’t get you the free license upgrade.

      Hope this helps. Feel free to ask any other questions on here or via joey.muniz@wwt.com.

      VN:F [1.9.22_1171]
      Rating: 0.0/5 (0 votes cast)
  2. Hello Blogger,

    I have a client that wants to deploy NAC, he has less than a thousand devices to handle. My AM wants to deploy NAC and use ISE as profiler since NAC profiler is out of sale (so that we can make more money). As an Engineer i just want to deploy a single ISE appliance 3315 for the client and forget about the whole NAC Manager, server and profiler conglomeration.

    Please advice.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    • Hi Rabzy,

      You are correct that NAC profiler (great bay’s BEACON OEMed by Cisco) is end of sale and ISE is the replacement. I’m not following the “make more money” comment. Do you mean you are up selling profiling functions to your customer along with automated access control or up selling ISE from NAC appliance? In any event, yes one of the huge values of ISE is it consolidates NAC appliance (manager / server), ACS (802.1x), guest server and profiler into one solution. For 1000 devices, you may want to go with a single 3355 or virtual appliance depending on what features you plan to enable.

      Note a few things

      1) ISE requires base licenses for 802.1x authentication and guest servers (some basic profiling is available as well).
      2) ISE requires advances subscription licenses for advance profiling and posture. If you are selling profiling, you will need to sell both a base and advance license.
      3) ISE requires the solution provider to be a ATP for ISE (advanced technology partner). If the reseller isn’t a ATP, it will not ship from Cisco.
      4) If the customer has NAC appliance, profiler, guest server or ACS, they may be able to get discounts on hardware and licenses for migrating.
      5) You may want to selling N+1 for high availability.
      6) The initial design / architecture is the key for success. Make sure to assit your customer with understanding best practices for deployment. For example, start basic and in monitor only mode.

      Good luck!

      VN:F [1.9.22_1171]
      Rating: 0.0/5 (0 votes cast)
  3. Hi there,

    I have another question, i’m migrating my NAC appliance 3355 to ISE, the Licenso Adv i already know it is free.. But the new Smartnet will be free too? Because when it was presented to me it says: “Prorated based on existing SMARTnet contract”, what that means? I will have to pay for a new smartnet? I already have Smartnet active in my NAC today..

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    • My understanding is your smartnet will move over to the new ISE equipment. I’ll double check on this. Stand by

      VN:F [1.9.22_1171]
      Rating: 0.0/5 (0 votes cast)
      • Here is the final word from Cisco. “NAC customers will need a new ISE smartnet or SASU (for VMs) contract, but can work with the AM to get credit for the remaining value of their existing contract.”. So short answer, you will get credit for your existing smartnet and will need to convert to a new smartnet.

        VN:F [1.9.22_1171]
        Rating: 0.0/5 (0 votes cast)

Leave a Reply

Your email address will not be published.


3 × = twelve

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image