I have received the question “why should I migrate from NAC appliance to Identity Services Engine (ISE)?” a handful of times. This post will provide some reasons why you should consider migrating over. Regarding how to migrate and what discounts you could receive by migrating, see this post that covers these questions HERE.
Lets start off by looking at Cisco NAC and ISE.
NAC Appliance – Appliance only access control technology that leverages SNMP or forces all traffic inline through appliances. Many functions require specific hardware such as Profiling and Advanced Guest Access. The minimal system is a management (CAM) and enforcer (CAS) however more appliances could be needed if there is a requirement to support different deployment types (example Out Of Band CAS for LAN and in-band CAS for VPN). CAS appliances hold the user head count and require an additional collector license to perform profiling if a profiler appliance is being used.
Identity Services Engine (ISE) – 802.1x based access control that can deployed on appliances or virtual appliances. ISE consolidates hardware by being able to perform the same hardware for a CAM, CAS, Profiler, Guest Server and ACS (outside of TACACTs + until ISE 2.0) on the same solution (depending on how large the deployment). ISE uses a centralized device count model so the amount of enforcers doesn’t impact the total device count (example 500 devices could be supported by one ISE server or many depending on the number of appliances used). ISE also has features not available with NAC such as Trustsec (see more HERE), on boarding mobile devices using ISE as a certificate server and so on. I like this techwise TV overview of ISE (HERE)
So here are some reasons to consider migrating from NAC to ISE
- ISE has centralized licenses. This means all locations will have the same device count support rather than being limited to the device count tied to a particular CAS appliance.
- ISE consolidates hardware in most cases. The average NAC deployment uses a CAM, CAS, Profiler and Guest server plus double everything for high availability. The average ISE deployment can just be one ISE server with a second appliance for high availability to accomplish the same thing as the NAC deployment. This all depends on the type of deployment (distributed verses centralized) and device count (ISE will need more hardware as the device count increases) but on average, you will probably require less hardware when running ISE.
- ISE can be virtualized while NAC is appliance only.
- ISE has better reporting and troubleshooting capabilities than NAC.
- ISE is Cisco’s latest access control technology and focus for innovation. This means there are many features not available in NAC appliance. Some examples are
- Secure Group Tags (more in this HERE)
- Configuration Wizards
- ISE as a certificate server for on boarding mobile devices
- Very powerful guest access (SMS passwords, sponsor guest access, easy to build guest work flows, etc.)
- Integration with Mobile Device Management (MDM) providers. This also includes TAC support for ISE, the network (LAN, Wireless and VPN hardware) and MDM vendor solution through Cisco SMART solutions (learn more HERE).
- Many troubleshooting tools
- In many deployments, authentication and other functions run better since 802.1x leverages the network rather than completely relying on NAC appliances for everything.
- Device blacklisting
- Multi AD forest support
- Ability to be leveraged by other solutions such as Lancope, Splunk, etc. via pxGrid (more on this HERE)
- Any many more.
- ISE can scale better than NAC. You don’t need specific hardware for wireless, VPN and LAN in many ISE deployments as long as the enforcer hardware supports 802.1x change of authorization (CoA). This includes the latest Cisco ASA VPN code meaning the ASA doesn’t need an additional appliance to perform posture now that CoA is supported. ISE can also support more devices than NAC appliance.
- ISE supports dynamic ACLs meaning you can place both employees and contractors on VLAN 10 however contractors can have an ACL placed to block specific things. That ACL can be something that is built in ISE and pushed down to the port level rather than calling an existing ACL that is already configured on the switch. Here is an example of a DACL pushed to a user needing to be redirected for a posture check.
- Many more I can’t think of at the moment
There are things to consider when migrating over to ISE. First off, ISE is a different access control technology than NAC. For this reason, there isn’t an “upgrade path” to migrate over. You can use many of the same concepts from a NAC deployment when migrating over however expect configuring a new system. An example is you can configure ISE to match the same checks as NAC such as verifying all employees are running the latest windows updates, McAfee updates and on corporate approved devices before moving them to a trusted VLAN. This will save some time during the ISE design meetings however the configurations can not be imported into ISE from NAC. Consider it a new build. The NAC posture agents however can be used by ISE so that should save time on deploying agents if posture is required.
Another thing to consider when migrating over to ISE is network device support. 802.1x is not specific to Cisco however it is important that the network devices supports 802.1x CoA in order for ISE to function properly. You can find the ISE.13 switch support sheet HERE. For newer versions, just Google “ISE (latest version) switch support” to see the latest list. As you can see from the next image, some non Cisco vendors are have adopted 802.1x CoA features and work fine with ISE. Aruba is an example of a wireless vendor that works.
The last recommendation is you want to work with an authorized ISE service provider unless you know what you are doing. Most access control technologies can make or break your network depending on how they are configured. I remember hearing people complain about NAC so I would ask to see their network diagram and found they had their entire network routed through one small NAC appliance … yes that is probably a bad idea! The whole idea behind access control technologies is to automate security to save you time as well as giving you end-to-end access control protection however it must be built correctly. Once the system is setup correctly, there shouldn’t be much management needed to keep the system operational since major things don’t change like one day you go from Symantec AV to McAfee. ISE leverages your existing security and authentication services so most of those updates happen automatically (example new users can be dropped into a AD group that ISE knows about or windows updates can be seen by ISE tied to your WSUS server so ISE doesn’t need to be manually updated for these changes).
Hope this post helps answer the question “Why should I migrate?”. The only use case I’ve ran into that would support staying with NAC appliance is when a network is running cheap switches / hubs that don’t support 802.1x CoA. In this use case, NAC appliance can run as a full in-band bump in the wire so anything coming on will flow through that appliance. ISE doesn’t support this yet so as of the date of this post, NAC appliance would be your best option for this ugly situation.