Monday, February 5, 2018

[Cisco ISE General] Does anyone actually use ISE?

First off, if you're thinking about Cisco ISE, don't get it. There are much cheaper, better options out there. For those of you who do have ISE, I have a few questions and comments, to see if anyone has the same issues.

SCCM Posturing

Has anyone actually gotten this to work properly? Every document out there fails to address the fact that the 'Policy > Condition > Patch Management Condition' specifically for SCCM doesn't trigger a software inventory for MS Updates, therefore never actually keeping the device in a remediation, limited network state. I have seen people mention SCCM scripts to launch for a 'Launch Program Remediation', but my SA has yet to make one successfully work as intended. For those of you who may say "yes, this works for me!": are you using SMBv1 (I seriously hope not) to tie SCCM into the ISE MDM in version 2.1+? SMBv2 and above are not supported by ISE, by the way, and I checked with my sales rep about this. He said "In about 13 months it should be fixed", so this means never. Other ISE posturing services have worked great (McAfee updates, Adobe Flash, etc.); so far SCCM has been the biggest issue.

VM Snapshot / Restore Process

Snapshots work in the ISE, but aren't supported. For some reason my Backup Exec is causing the ISE to crash each time it tries to make a backup of the server. A simple reboot fixes it, but that's still not good when you have wireless/wired users who are on 24/7. My biggest worry is that one day the system will actually crash and it'll take rebuilding the server from an OVA, then slapping the config on from an FTP backup to get it running again. Personally, I feel like we're well into the virtualization age and ISE should be able to support such features as snapshots for simple backups and quick restores.

Version Upgrades

While patching the system is super easy and nice, upgrading the ISE to another full version is a complete pain. Has anyone gotten a 2.0 to 2.1 (or 2.2, 2.3, etc.) upgrade path to actually work? The best I can do is just create an entirely new server with the clean-install .ova file, then FTP the config onto it.

Misconfigured NAS error

Will they ever get this figured out?

Misconfigured Supplicant Detected

I also get a ton of these alerts, but I think that's more to do with the SA side of things and the certs that are used. "11514 Unexpectedly received empty TLS message; treating as a rejection by the client" is the error message. Either way, I think something is funky with the way ISE views CAs in general on clients, making them fail wired dot1x. It will appear to work if I clear out all but one of the CAs on the client that come from our local CA, and reissue a client cert. The SAs say the reason for the multiple CAs from the same CA server is due to various servers needing (and sending) them (like SCCM, wireless, etc.). Not sure if that's BS or not since I'm not an SA.

Anyway, thanks for reading. Looking forward to your responses.
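The "11514 Unexpectedly received empty TLS message" alerts the post describes are easier to chase when they are grouped per endpoint: a client that throws 11514 on every attempt and never passes is a different problem (most likely the client-side certificate/CA selection the post suspects) from one that fails once and then authenticates. The script below is an added example, not code from the post or from Cisco; it runs over constructed sample lines in an assumed key=value layout (mac=, user=, code=, msg=), which is not ISE's real log format and would need its regex adapted to whatever export you actually have. The failure code 11514 and its message text are the ones quoted in the post; the MAC addresses, hostnames and the second failure code 5400 are made up for the sample.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an ASSUMED key=value syslog-style layout. This is
# not Cisco ISE's real log format, only a stand-in carrying the fields a triage
# script needs: timestamp, node, event, endpoint MAC, identity, failure code.
SAMPLE_LOG = """\
2018-02-05 09:14:02 psn1 AuthFailed mac=00:11:22:33:44:55 user=host/ws-101 code=11514 msg="Unexpectedly received empty TLS message; treating as a rejection by the client"
2018-02-05 09:14:40 psn1 AuthFailed mac=00:11:22:33:44:55 user=host/ws-101 code=11514 msg="Unexpectedly received empty TLS message; treating as a rejection by the client"
2018-02-05 09:15:11 psn1 AuthFailed mac=00:11:22:33:44:55 user=host/ws-101 code=11514 msg="Unexpectedly received empty TLS message; treating as a rejection by the client"
2018-02-05 09:16:05 psn1 AuthFailed mac=aa:bb:cc:dd:ee:01 user=host/ws-202 code=11514 msg="Unexpectedly received empty TLS message; treating as a rejection by the client"
2018-02-05 09:17:30 psn1 AuthPassed mac=aa:bb:cc:dd:ee:01 user=host/ws-202 code=0 msg="Authentication succeeded"
2018-02-05 09:18:12 psn1 AuthFailed mac=aa:bb:cc:dd:ee:02 user=host/ws-303 code=5400 msg="Authentication failed"
"""

# Regex for the assumed layout above; adapt the field names to your own export.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<node>\S+) (?P<event>\S+) '
    r'mac=(?P<mac>\S+) user=(?P<user>\S+) code=(?P<code>\d+) msg="(?P<msg>[^"]*)"$'
)

# The failure code quoted in the post ("empty TLS message ... rejection by the client").
EMPTY_TLS_CODE = "11514"


def parse_lines(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage_empty_tls(text, repeat_threshold=3):
    """Group 11514 failures by endpoint MAC and split them into two buckets.

    'persistent': MACs with at least `repeat_threshold` 11514 failures whose
                  latest event is still a failure (likely a client cert/CA issue).
    'recovered':  MACs that hit 11514 but whose latest event is AuthPassed
                  (transient, e.g. the supplicant retried with a usable cert).
    'counts' and 'identities' carry the raw per-MAC data for the report.
    """
    counts = Counter()
    last_event = {}
    identities = defaultdict(set)
    for rec in parse_lines(text):
        mac = rec["mac"]
        if rec["event"] == "AuthFailed" and rec["code"] == EMPTY_TLS_CODE:
            counts[mac] += 1
            identities[mac].add(rec["user"])
        # Remember the most recent outcome per endpoint, in log order.
        last_event[mac] = rec["event"]
    persistent = sorted(
        mac for mac, n in counts.items()
        if n >= repeat_threshold and last_event.get(mac) != "AuthPassed"
    )
    recovered = sorted(mac for mac in counts if last_event.get(mac) == "AuthPassed")
    return {
        "persistent": persistent,
        "recovered": recovered,
        "counts": dict(counts),
        "identities": {mac: sorted(ids) for mac, ids in identities.items()},
    }


if __name__ == "__main__":
    result = triage_empty_tls(SAMPLE_LOG)
    for mac in result["persistent"]:
        print(f"persistent 11514 on {mac} ({result['counts'][mac]} hits): "
              f"{', '.join(result['identities'][mac])}")
    for mac in result["recovered"]:
        print(f"recovered after 11514: {mac}")
```

On the sample data this reports ws-101 as a persistent failer (three 11514 hits, never passed) and ws-202 as recovered, while ws-303 is ignored because its failure is a different code. The persistent list is the set of machines worth pulling a client certificate inventory from before blaming ISE.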
