Cisco ACS to ISE High Level Design Questionnaire

This post is a high-level design questionnaire that can be used to gather information from a customer’s environment to plan your ACS to ISE Migration. This covers information you need to collect on ACS deployment, Endpoints, Network Devices, Performance and Scale, Logging etc that will provide good insight and detailed information to design customer’s ISE deployment to facilitate migration.

ACS Deployment

1. What is your ACS topology, high level design diagram?

2. How many ACS servers in total and what hardware/software is current ACS running on?

3. How many ACS clusters do you have? How many different sites they are spread across?

4. What is the Bandwidth and Latency across sites?

5. Do you want to combine ACS clusters to one or more ISE deployment? If so why or why not?

6. Are you using Load Balancers or planning to use load balancers? Make and model/version?

7. What kind of redundancy/failover mechanism you have or plan to have for Hardware/Software failures?

8. What services do you use ACS for (Wired/Wireless authentication /MAB /Device administration)?

9. Endpoint services using RADIUS back plane (if applicable)
a. What authentication methods being used? 802.1x(EAP, PEAP, EAP-TLS etc), Mac authentication bypass?
b. Are you using RADIUS as Device administration for Network devices?
If so, how many devices?

10. Device administration services using TACACS+
a. How many network device groups used?
b. Are there additional authorization attributes? Do you have the vendor specific information? (Ex.third party – Nokia, Erickson, Juniper etc )

Endpoints and services

1. How many endpoints do you have in total (including laptops, printers, cameras and other devices connected) using ISE AAA services(RADIUS)?

2. What are the services currently used to authenticate these endpoints (802.1x, Mac auth bypass)?

3. What level of access for these devices and type (VLAN, ACL, SGT/SGACL)?
4. Do you intend to use ISE services for Guest/ Profiling/Trustsec? If so how many endpoints?

5. Do you intend to use ISE services BYOD/MDM integration/Posture/Threat centric NAC? If so, how many endpoints?

Device administration and services

1. How many Network Devices are managed on the network?

2. How many IOS devices and other Cisco devices? Please provide device type and device count.

3. What other third-party devices are available? Please provide device count and device type.

4. Where are devices located with respect to AAA servers?

5. Device administration using TACACS+:

a. Is TACACS+ command authorization used? How many commands per user (or) commands per script executed?
b. Is command accounting being used?

Users and Identity Store

1. Approximately how many users will be authenticating? How often are devices accessed. AuthC/sec ?

2. What level of access for these users and type (VLAN, ACL, SGT/SGACL)?

3. Where are user accounts stored?

4. Are you using Multi-factor authentication (please list out the name of vendor/version)?

5. Where is your ID store (Active directory) located with respect to AAA Authentication server? Latency between AD and AAA server?

6. How many different types of user roles for Device administration (i.e. Network Admin, Help Desk, etc.)?

7. How are privilege and command set determined for each user? ( eg: Based on Network Device Group, based on Active directory group etc)

Management

1. How are users and devices added into the system?

2. How are users and devices removed from the system when no longer employed?

3. Are there automated scripts to CRUD users?

Frequency variable. One per several hours
a. Devices, other entities?
b. What interface it uses – REST, CLI/CSV, WEB?

4. Are there any other ACS configuration managed by API’s? Please list out.

Migration

1. Are there any other migration considerations or details?

Performance

1. What is the AAA rate for TACACS? On RADIUS?

Note: TACACS TPS = (Authentication, authorization, accounting) + n x (command authorization and command accounting) where n is the number of commands executed.

2. Are scripts employed to monitor devices, which generate TACACS traffic?

a. How many scripts run and how often are these scripts run?
b. Are they run simultaneously, or in a staggered schedule? What information do they capture?
c. How many commands per session? How many sessions per day?

3. What is the logging rate daily, weekly?
How much Gig/day per cluster?
Log retention for how long?

4. What is the current max number of TACACS requests per second for 1 server at any given moment?

Logging and Monitoring

1. How are logs sent to logging server?

2. How is AAA logging maintained?
– Internal or external logging server?

3. What is the log retention period for ACS?

4. Are there logs export to SQL?

*Provide more details on logging capabilities of ISE

Backup, periodic incremental backup

1. Is there periodic/scheduled configuration backup?

2. Is there periodic View & Monitoring backup?

Other design considerations & Future Growth

1. How many more devices do you anticipate will be added into the network in the next year? In the next 2 years? 5 years?

2. Other design considerations?

Source:
https://community.cisco.com/t5/security-documents/acs-to-ise-high-level-design-questionnairre/ta-p/3656688

More Stories
Palo Alto Routing Verification Basics