Open for Voting
over 1 year ago

Cisco ISE Monitoring

Since Cisco is sunsetting ACS, I'd love to see some monitoring features for Cisco ISE added. It would be nice to be able to download the config of the ISE appliance like I can with any switch, router, or firewall. I'd also love to see some sort of template to set up monitoring for ISE. I've been working with Cisco for some time now on a ticket to get my ISE appliances to recognize SolarWinds still to no avail. Some sort of template for making this happen would be helpful.

  • We just upgraded to ISE 2.4; things are significantly improved.  I can't say Cisco has it all right, but it's also not all on their backs.  One product line of bar code printer we use (over a thousand of these printers) was reportedly incompatible with our standard network switchport ISE and VLAN settings, and we'd have to manually remove the Voice VLAN from every switchport connecting to one of these printers to get them to work.  And then their users would report in a few weeks that they'd hung again.  It turns out neither ISE nor VLAN configuration lines were the cause--the vendor admitted their product did not respond properly when a session to one of their ports unexpectedly was interrupted; their printer would hang until it was rebooted.  We use network security probing tools like Nexus and Nexpose and Rapid 7; and guess what they do?  Probe all ports and disconnect without any acknowledgement.  It might be our Security team was shooting us in the foot, and we were blaming Cisco when we should have blamed the printer manufacturer.

  • I don't see a template as of SAM 6.7.1.

    NPM discovers it as a basic Linux node via SNMPv3.

    There are minimal CLI startup-config and running-config files, but 99% of the configuration is in other files and databases. There is probably a way to get at the other files via the CLI, but I think Cisco feels it's antithetical to good security to allow easy access to them. Backup of ISE is essentially a backup of a Linux server, though there is an application data restore, too. It's not like a switch or router at all.

  • Is there a SAM template for ISE?

  • Take it for what it's worth, but my sales team told me not to use wasn't going well and it may get pulled. They'll still provide XML/python scripting capabilities, but ACI in its current "gen1" state may go (watch for Viptela to replace it?). My ISE deployment has been solid, but I'm not a hospital and I've limited the features I use. Really hoping SGT (security group tagging) works out...that's the Holy Grail of packet pushing.

  • We've wasted so much time & effort on ISE.  Cisco promised it was compatible with our hardware, then we spent six months proving it overloaded the CPU & memory on 400 Cisco 2960S switches.  Cisco's going to replace them for us at 25% of list--not bad.  But we really went through a lot of stress getting to this stage.  It'll take a year now, since we've a lot of 7x24 hospital sites.

    We see cases where devices that were learned by ISE Discovery Mode drop off the network when Enforcement Mode is applied.  It's as if the whitelisting doesn't work at all.

    Worse is when some devices don't even get along with Discovery Mode.  They won't pass packets even when ISE is simply observing!  And we must remove all ISE config lines from their switch ports.

    It's an interesting product idea, but deploying it has not been what we were led to expect.  There's no going back, though.  It's already saved us from countless issues.

    On a very similar path, ACI has some parallel characteristics to ISE, and we've had that for two years.  All the security promised by Cisco through ACI in the data centers has not panned out well.  The vendors and application sales people and their in-house support experts typically don't know what protocols & ports & communications are required, so we end up not implementing all the ACI security we'd like.

    And yesterday Cisco told us "anyone using the ACI GUI has something wrong.  All management should be done via scripting."  Funny, they sold us on ACI's ability to do everything via GUI--that it was the wave of the future.  Snort.