Cisco 3850 fails to send dot1x authentications after Denali upgrade

This isn’t a Cisco ISE bug but it could affect ISE deployments. A customer had recently deployed several Cisco 3850s with Multigigabit at their headquarters. Initially, the switches were deployed with IOS XE 3.7.5. We tested the Cisco ISE configuration on those switches (Monitor Mode) and everything worked properly. The customer was able to authenticate…

VMware and Cisco ISE

At least 90% of my customers utilize their existing VMware environment to run Cisco ISE instead of buying hardware (SNS-3xx5) servers. There are issues you need to be aware of when utilizing a VM environment. Here are the two most common issues I’ve seen in the field. The first issue is enabling VMware snapshots to…

Always verify the checksum value

I can’t emphasize this tip enough. Always verify the checksum values of any Cisco ISE download. I am talking about the install files (ISO or OVA), patch files, and upgrade bundles. It’s very easy to do and can save you from a corrupted/failed installation. You won’t believe how many customers call me asking why an…

DHCP snooping and port channels

DHCP snooping is critical when using device sensors built into the switch for profiling with Cisco ISE. Setting up DHCP snooping allows the switch to collect DHCP information on endpoints which can then be forwarded to ISE in RADIUS accounting packets. DHCP snooping also allows you to configure the switch to only allow DHCP from…

Should I go to ISE 2.2?

No. I know. You’re probably wondering why. ISE 2.2 is the long term release so it’s supposed to be supported longer than 2.1 or 2.3. The answer is based solely on my personal experience, my customer’s experience, and the experience of other engineers I’ve talked to. We’ve seen so many issues with ISE 2.2 that…