3 Tips to Modernize your Cisco ISE Deployment

Jamie Sanbower
4 min read, Mar 19, 2022

With tens of thousands of Cisco Identity Services Engine customers in production, some for close to a decade, modernization and continuous improvement have never been more important.

Top 3 Tips to Modernize your Cisco ISE Deployment:

  • Upgrade to ISE 3.1
  • Migrate ISE to the Cloud using Infrastructure as Code (IaC)
  • Convert Existing Configuration to Software Defined

By modernizing a deployment along these lines, organizations can reduce OPEX and total cost of ownership (TCO). Your organization can also start to explore some more advanced outcomes, such as:

  • The ability to apply the same configuration options via APIs and/or Ansible to multiple ISE Deployments (ISE Cubes or Clusters)
  • Automate creation of a new lab or test environment matching the production environment
  • Reduce costs of upgrades, infrastructure management and hardware lifecycle maintenance

Upgrade ISE to 3.1

In our previous article, we explored the top reasons to migrate from ISE 2.X to 3.X and why the time is NOW to migrate from Cisco Identity Services Engine 2.X to 3.X. Since then ISE 3.1 has become the suggested release, also known as the recommended release. You can directly upgrade to Release 3.1 from Cisco ISE 2.6, 2.7, or 3.0. If you are on a version earlier than Cisco ISE 2.6, you must first upgrade to one of the releases listed, and then upgrade to Release 3.1.

One change to be aware of is the new streamlined licensing scheme for Cisco ISE, aligned with the Cisco DNA Center licensing tiers. It requires an upgrade from the Cisco ISE “classic” licenses (Base, Plus, and Apex) to the new ISE license scheme of Cisco ISE Essentials, Advantage, and Premier. The single ISE VM license replaces the VM Small, VM Medium, and VM Large licenses that were supported in releases prior to Release 3.1. Additional details are well documented in the ISE Licensing Migration Guide.

Before upgrading, make sure to review the release notes, and the Upgrade Journey Guide.

ISE 3.1 files can be downloaded from CCO, which requires an account and an active contract.

Note: If you are planning on converting your existing configuration to software defined and/or migrating ISE to the cloud, you might be able to save a lot of time and skip the upgrade process. Schedule some time with our ISE Experts to discuss your options.

Migrate ISE to the Cloud using Infrastructure as Code (IaC)

Organizations no longer have to deploy virtual machines or appliances on-premises to achieve network access control (NAC). ISE can now run in multiple cloud service providers via VMware Cloud, in a private cloud via VMware vSphere or Nutanix, and starting in 3.1 you can deploy ISE on AWS natively. ISE has also added Zero Touch Provisioning that uses orchestration and automation tools such as AWS CloudFormation, HashiCorp’s Terraform and Red Hat’s Ansible.

Figure 1 — ISE Infrastructure Operations

Provisioning ISE using Infrastructure as Code (IaC) is all about speed and consistency. You can skip the tedious line-by-line wizard steps and instead describe the configuration as code, in a declarative language that the IaC tool applies for you. That is what makes an elastic, simplified deployment possible: the same definition can be applied repeatedly, and to more than one deployment, with the same result each time.

One example of modernizing a capability in ISE is using Amazon Simple Storage Service (S3) to back up and restore Cisco ISE data and configuration. ISE backups are always written to a configured repository, and running ISE on the AWS platform gives you an easy option to use Amazon S3 buckets as that repository for your ISE data.

The following is a full webinar on automating ISE deployment:

Convert an Existing Configuration to Software Defined

Simplify the management of your authentication, authorization and network access policies from anywhere, and from any console, through APIs. ISE 3.1 is equipped with rich APIs to automate policy and lifecycle management, which will delight any modernization effort. The simplified approach brings ease of configuration and automation to the forefront of network access. Providing comprehensive, secure access across the distributed network has never been easier, faster, or more flexible.

Software Defined Policy can be stored in a source code repository (e.g. Git, GitHub, GitLab) and applied by CI/CD (continuous integration, continuous delivery, and continuous deployment) systems, which shortens the time to deploy new use cases, policies or configuration.

Figure 2 — Cisco ISE OpenAPIs, Postman, ciscoisesdk

Organizations can choose whether they would like to use the ISE Ansible Collection or the ISE Python SDK (ciscoisesdk).

Cisco has made APIs a lot easier to consume in ISE 3.1 with the addition of OpenAPI. The OpenAPIs are REST APIs served over HTTPS on port 443. Each ISE 3.1 node publishes its own interactive API documentation at https://<ise-ip>/api/swagger-ui/index.html. To turn the API service on, see “Enable API Service” in the “Basic Setup” chapter of the Cisco ISE Administrator Guide, Release 3.1.
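The software-defined workflow described above (policy in git, applied and checked by CI/CD, read over the ISE 3.1 OpenAPI) can be illustrated with a drift check: a pipeline step that compares the policy sets committed to the repository against what a live node reports, and fails the build when they differ. The script below is an added example and not Cisco’s, ModernCyber’s or the ciscoisesdk project’s code; it uses only the Python standard library. The endpoint path `/api/v1/policy/network-access/policy-set`, the `{"response": [...]}` envelope and the field names `name`, `description`, `default` and `rank` are assumptions to confirm in the node’s Swagger UI before relying on them, and the sample desired-state file and live reply are constructed.

```python
"""Drift check between a git-tracked desired-state file and the network access
policy sets a live Cisco ISE 3.1 node reports over its OpenAPI (HTTPS, port 443).

Added example, not Cisco's or ModernCyber's code. Assumptions to confirm in the
Swagger UI at https://<ise-ip>/api/swagger-ui/index.html before relying on them:
  - GET /api/v1/policy/network-access/policy-set lists the policy sets
  - the list is wrapped as {"response": [ ... ]}
  - each policy set carries the fields name, description, default and rank
"""
import base64
import json
import os
import ssl
from http.client import HTTPSConnection
from typing import Dict, List, Optional

POLICY_SET_PATH = "/api/v1/policy/network-access/policy-set"  # assumed OpenAPI path
MANAGED_FIELDS = ("name", "description", "default", "rank")   # fields the repo owns

# Constructed sample of a desired-state file as it would be committed to git.
DESIRED_STATE_JSON = json.dumps([
    {"name": "Default", "description": "Default policy set", "default": True, "rank": 1},
    {"name": "Corp-Wired", "description": "802.1X for corporate LAN", "default": False, "rank": 0},
])

# Constructed sample of a live reply: "Default" has a different rank and "Lab-Test"
# exists on the node but not in git. Server-side fields (id, hitCounts) are ignored.
LIVE_RESPONSE_JSON = json.dumps({"version": "1.0.0", "response": [
    {"id": "a1", "name": "Default", "description": "Default policy set", "default": True, "rank": 2, "hitCounts": 0},
    {"id": "b2", "name": "Corp-Wired", "description": "802.1X for corporate LAN", "default": False, "rank": 0},
    {"id": "c3", "name": "Lab-Test", "description": "left behind by a test", "default": False, "rank": 1},
]})


def _project(obj: Dict) -> Dict:
    """Keep only the managed fields so server-side fields never show up as drift."""
    return {k: obj.get(k) for k in MANAGED_FIELDS}


def diff_policy_sets(desired: List[Dict], live: List[Dict]) -> Dict:
    """Compare policy sets by name. Returns missing (in git, not on the node),
    unmanaged (on the node, not in git) and changed ({name: {field: (want, have)}})."""
    want = {p["name"]: _project(p) for p in desired}
    have = {p["name"]: _project(p) for p in live}
    changed = {}
    for name in want.keys() & have.keys():
        delta = {f: (want[name][f], have[name][f])
                 for f in MANAGED_FIELDS if want[name][f] != have[name][f]}
        if delta:
            changed[name] = delta
    return {
        "missing": sorted(want.keys() - have.keys()),
        "unmanaged": sorted(have.keys() - want.keys()),
        "changed": changed,
    }


def parse_policy_sets(body: str) -> List[Dict]:
    """Unwrap the {"response": [...]} envelope (assumed shape of the list reply)."""
    return json.loads(body)["response"]


def fetch_policy_sets(host: str, user: str, password: str,
                      ca_bundle: Optional[str] = None) -> List[Dict]:
    """GET the live policy sets with HTTP basic auth over a verified TLS session.
    Pass the CA that signed the node's admin certificate; do not disable verification."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = HTTPSConnection(host, 443, context=ctx, timeout=30)
    try:
        conn.request("GET", POLICY_SET_PATH,
                     headers={"Accept": "application/json", "Authorization": f"Basic {token}"})
        resp = conn.getresponse()
        body = resp.read().decode()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"ISE returned HTTP {resp.status}: {body[:200]}")
    return parse_policy_sets(body)


def drift_report(desired_json: str, live_body: str) -> Dict:
    """Pure helper: diff a desired-state document against a raw API reply body."""
    return diff_policy_sets(json.loads(desired_json), parse_policy_sets(live_body))


if __name__ == "__main__":
    # Credentials come from CI secrets in the environment, never from the repository.
    host, user, pw = os.environ["ISE_HOST"], os.environ["ISE_USER"], os.environ["ISE_PASSWORD"]
    live = fetch_policy_sets(host, user, pw, os.environ.get("ISE_CA_BUNDLE"))
    report = diff_policy_sets(json.loads(DESIRED_STATE_JSON), live)
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if any(report.values()) else 0)  # non-zero exit fails the pipeline on drift
```

Run with `ISE_HOST`, `ISE_USER`, `ISE_PASSWORD` and optionally `ISE_CA_BUNDLE` set; on the constructed sample the report flags `Default` (rank 1 wanted, 2 found) and the unmanaged `Lab-Test` set. Two design points matter for a pipeline like this: the API account only needs read access for drift detection, so it should be a separate, read-only ISE admin rather than the credentials used to push changes, and TLS verification stays on, with the CA bundle supplied explicitly instead of being switched off for the node’s self-signed default certificate.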

Figure 3 — Example of Cisco ISE’s Swagger OpenAPI

To go deeper into using ISE APIs and Ansible, start playing with the ISE 3.1 DevNet Sandbox or check out the webinar done by the Cisco ISE team:

ModernCyber & Cisco ISE

We’ve built our NACaaS offering using these modern principles for those organizations that want to reduce OPEX and don’t have the time, staff or experience with IaC, APIs or automation. If your organization needs help or guidance with your greenfield or brownfield ISE, ModernCyber can help your organization with ISE 2.X to 3.X Migration, ISE Cloud Migration, Software Defined ISE Configuration & Automation or traditional plan/design/implementation/optimization. Schedule some time to speak with one of our ISE experts.

This article was originally posted on the ModernCyber Blog

Jamie Sanbower

Founder & Principal Architect, CCIEx3 || Engineer, Developer, Author, Speaker focused on Modern, Integrated, Agile, and Zero Trust Cybersecurity