I've about reached my limit with the dumpster fire that is Cisco's Identity Service Engine. Are there any reliable alternatives that do endpoint classification, central web auth, and .1x auth?
Thanks in advance,
Christopher
Forescout, but if you want something simpler with SNMP authentication of
switches and Domain Controller of authorized PCs you can have a look at
Portnox. Done a couple of deployments with Portnox.
I'm about to try this one.
Not sure if it covers all the features you need, but it seems
promising. In case you give it a try, could you share your experience
please?
Thanks
Jean
I’ve used PacketFence for several years, but it’s kind of fragile. Compared to many FOSS systems, it’s exceptionally well documented, and uses reasonably good Web GUI standards. It also supports Cisco switches well. However, I routinely have to twiddle with it when one or another internal component silently crashes. It’s about as fiddly as Asterisk is for telephony: just when you think you’ve got it working, some unpredicted external event — a new device or an OS security patch — breaks it. What PF really needs is some kind of internal monitoring and notification system to let you know when and what stopped working. Various users have jury-rigged their own scripts and published them, but they’re too customized to work generically for any PF installation.
I’ve seen commercial NAC systems that appear to be much more reliable. Cisco’s is not among them. I haven’t taken the time to try them out yet, however.
-mel
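The "what stopped working" monitor Mel describes is the kind of thing that tends to get written per site. Below is an added example of a generic version, not code from the thread or from the PacketFence project: it parses the output of `systemctl list-units --all --plain --no-legend`, reports any watched unit that is not `active` (or is missing entirely), and checks that the admin web port still accepts connections. The unit names in `WATCHED_UNITS`, the admin port 1443 and the use of `systemctl` are assumptions; check them against your own installation. The sample listing is constructed so the parser can be exercised offline.

```python
import socket
import subprocess
import sys

# Assumed PacketFence systemd unit names (verify with `systemctl list-units 'packetfence-*'`).
WATCHED_UNITS = [
    "packetfence-haproxy-portal.service",
    "packetfence-radiusd-auth.service",
    "packetfence-pfqueue.service",
]

# Assumed admin GUI port; adjust to your deployment.
ADMIN_PORT = 1443

# Constructed sample of `systemctl list-units --all --plain --no-legend` output:
# columns are UNIT LOAD ACTIVE SUB DESCRIPTION...
SAMPLE_LISTING = """\
packetfence-haproxy-portal.service loaded active   running PacketFence HAProxy portal
packetfence-radiusd-auth.service   loaded failed   failed  PacketFence RADIUS auth
packetfence-pfqueue.service        loaded inactive dead    PacketFence queue
"""


def parse_unit_states(listing: str) -> dict:
    """Map unit name -> ACTIVE column from a plain, legend-less systemctl listing."""
    states = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        unit, _load, active, _sub = parts[:4]
        states[unit] = active
    return states


def find_failed(states: dict, watched=WATCHED_UNITS) -> list:
    """Return watched units that are not 'active'; a unit absent from the listing counts as failed."""
    return [unit for unit in watched if states.get(unit) != "active"]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_report(failed_units: list, admin_ok: bool) -> str:
    """Human-readable summary suitable for syslog, mail or a chat hook."""
    if not failed_units and admin_ok:
        return "packetfence OK: all watched units active, admin port reachable"
    lines = ["packetfence DEGRADED:"]
    for unit in failed_units:
        lines.append(f"  unit not active: {unit}")
    if not admin_ok:
        lines.append(f"  admin port {ADMIN_PORT} not accepting connections")
    return "\n".join(lines)


def current_unit_states() -> dict:
    """Ask systemd for live unit states (only runs when invoked as a script)."""
    out = subprocess.run(
        ["systemctl", "list-units", "--all", "--plain", "--no-legend"],
        capture_output=True, text=True, check=False,
    ).stdout
    return parse_unit_states(out)


if __name__ == "__main__":
    failed = find_failed(current_unit_states())
    admin_up = tcp_port_open("127.0.0.1", ADMIN_PORT)
    print(build_report(failed, admin_up))
    # Non-zero exit lets cron, a monitoring agent or a wrapper script raise an alert.
    sys.exit(1 if failed or not admin_up else 0)
```

Run it from cron every few minutes and route the exit status or output to whatever already alerts you; that covers the silent-crash case without depending on site-specific PacketFence internals beyond the unit names.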
$dayjob is a university where we use PacketFence to support .1x for a population of approx. 28K concurrent Wi-Fi devices.
It took us a couple of iterations but we now have a clustered deployment (of VM’s) model which routinely handles >1200 logins per second, has a fair bit of headroom left over and can scale larger as required.
We have been very satisfied with the responsiveness and capabilities of tech support by Inverse.ca. All this and the price point is hard to beat.
I have no personal interest in Inverse other than as a satisfied customer.
Our presentation on the scalable deployment model for PF may be found by searching the web for “Authentication for big Wi-Fi”.
Eriks
if you're already slurping the commercial koolaid (support contracts,
someone to blame etc etc) - then Aruba Clearpass?
(otherwise local homebrew with FreeRADIUS core or PacketFence as
FOSSOTS )....
alan
What version of ISE are you running? What are your main frustrations
with it?
Ray
Ray,
I'm running 2.2 with 17000 endpoints in a 7 node deployment.
Main Problems:
- Replication slow or failed
- Displaying endpoints ends up in a "Shards" error or crashes the GUI (documented Cisco bug)
- Wifi Container Service (?) fails
- Inaccurate license counts causing license alarms
- Moments where unable to add or see network devices
- Profile rules are not catching certain hosts (even when you hardcode the OUI)
I'm certain I'm forgetting a few but you get the drift.
Yours in service,
Christopher J. Wolff | Network Operations
Information Technology & Innovation
City of New Orleans
(o) 504.658.7817
(m) 504.265.6306
(e) cjwolff@nola.gov