I read an article on The Security Blogger talking about why one should migrate from the Cisco NAC Appliance to Cisco ISE. I wanted to share my thoughts on the matter in this post. For those of you who don’t know, Cisco ISE supports NAC capability, termed Posture.
TLDR: Cisco NAC Appliance is a sinking ship. Get off before it’s too late. Cisco ISE Supports NAC features, so migrate now!
Unless you’ve been under a rock, you know that Cisco ISE is the flagship for Cisco TrustSec deployments. It’s packed with many more features than the Cisco NAC appliance, and the Cisco NAC appliance functionality is where the ISE posture functionality was ported from. Further, Cisco isn’t going to keep supporting both of these product lines for long. Additionally, I would venture to say that you should start to really consider what you need to do to migrate the Cisco ACS functions that are not TACACS+ related over to Cisco ISE. Once Cisco ISE supports TACACS+, ACS will likely sink as well.
ISE is the hands-down winner when you consider that Cisco NAC uses SNMP (garbage) while Cisco ISE is an 802.1X-based platform using RADIUS, which supports RADIUS CoA to handle changes in device posture. Couple that with the authentication and authorization of devices across the network and you have a complete solution.
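To show what that CoA step looks like on the wire, here is an added example (not from the post, and not Cisco code) that builds and verifies the RFC 5176 CoA-Request a RADIUS server sends when a session's posture changes; the shared secret, user name and session ID are constructed values.

```python
import hashlib
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard attribute types that identify the session being re-evaluated
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, total length, value."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def build_coa_request(identifier, attrs, secret):
    """Build a CoA-Request. The Request Authenticator is MD5 over the packet
    with a zeroed 16-byte authenticator field, followed by the shared secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_coa_response(code, request, attrs, secret):
    """Build a CoA-ACK/NAK; the Response Authenticator binds it to the request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_coa_request(packet, secret):
    """NAS-side check: recompute the Request Authenticator before acting on a CoA,
    so a packet not keyed with the shared secret is dropped rather than applied."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return expected == packet[4:20]
```

The NAS only honours the request when the authenticator matches, which is why the shared secret between ISE and each switch must be unique and protected.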
There are a ton of additional features that ISE supports, like Central Web Authentication, Guest Services, a Sponsor Portal, and BYOD Onboarding. There are many more, but you should take a look at the following release notes:
I would also encourage you to look at the lists of supported Windows AV/AS products as well as supported Mac OS X AV/AS products.
You may also be interested in the configuration guide on client posture policies.
What you’ll find is that the common interface for configuring 802.1x policies as well as NAC is much more efficient as opposed to jumping between multiple interfaces.
And by the way, CoA is finally getting some love from other vendors. Thank you Avaya, Brocade, and Juniper!
The Bottom Line
Cisco has been in a shift for some time now from two independent products, the Cisco NAC appliance and Cisco ACS, to a single device, Cisco ISE. If you haven’t caught on to that, you’re kidding yourself if you think the two independent products will be around for many years to come. The concept of a Single Pane Of Glass (SPOG) is proliferating through the networking community, and AAA security management is following suit as well.
I implement ISE systems and also teach the Cisco SISE course covering all the bells and whistles in ISE. If you’d like to discuss a possible engagement, be it from consulting on your deployment model to teaching your IT team how to use Cisco ISE in day-to-day operation, please use the contact form below to get in touch. I’d be happy to give you a custom quote.