1. Plan for Professional Services Fees
Cisco ISE is a large, cumbersome and complex application and it’s unlikely you’ll have the internal resources to throw at an upgrade. You’re not alone. This is why managed service providers exist, after all. Now with that said, you can expect to be quoted anywhere from 40-65 hours of professional services to initiate, test and complete a full Cisco ISE upgrade. Let’s hope it’s for chronological versions, and not for a significant jump if you’ve been running on a single version for years without upgrading.
Depending on the firm you contract for the work, you’ll probably see a range of hourly rates – anywhere from $175-250/hour. So, if we do the math, that’s $7,000 on the low end and $16,250 on the high end. In some cases, ISE customers have even reported paying more for third-party upgrade support. Mind you, Cisco ISE is also a product you’ve already paid for.
2. Set Aside Enough Time
It’s not hard to find the Cisco ISE horror stories on Reddit and other online communities where people have taken to detailing their ISE upgrade experiences. In more tragic cases, some ISE customers have taken to these threads to seek real-time help from strangers. The reality is that you cannot and should not rush an ISE upgrade. 10 times out of 10, those who have lived through it will suggest testing the upgrade in your lab before pushing live to production. This means setting aside the appropriate amount of time to conduct the upgrade and minimize the failures (more on that below).
Configuration is complicated, and the 50+ page system upgrade checklists are a testament to that. If you’re going to manage an ISE upgrade in-house, prepare for more than 40 hours – especially if you’re not an ISE expert. And if things go awry, don’t expect prompt support from Cisco TAC.
3. Prepare for Failure
There’s a reason that Cisco provides extensive documentation for potential ISE upgrade failures – it happens a lot – especially if you opted to tackle it head-on internally after balking at the above PS costs. Ultimately, planning for failure means planning for service downtime altogether. To minimize the impact on operations from service downtime, you’ll likely need to spend the weekend parsing through pages and pages of ISE upgrade instructions – missing your kid’s soccer game, unable to take your wife out to dinner, and not watching your alma mater play in the big bowl game.
Sometimes, in multi-server deployments, some of your servers in the infrastructure will not upgrade successfully. If that happens, you’ll have to rebuild the server as a new node and re-join the cluster. Sounds fun, right?
4. Be Mindful of Your Subscription
We all like auto-pay and auto-renew for some of our everyday subscriptions. It’s a little different when you’re talking about a large, enterprise application, however. You should be mindful that Cisco ISE subscriptions automatically renew for an additional 12-month term by default unless auto-renewal is deselected at the time of initial order. Three months before the end of the initial term, renewal notices will be sent to you, and you or your partner will receive an invoice at the start of the new term.
Now, you can cancel a renewal up to 60 days prior to the start date of the new term, but if the subscription is not cancelled 60 days prior to the start of the new term, the subscription will auto-renew. Mid-term cancellations of subscriptions for credit are not allowed. Starting with the release of Cisco ISE 3.0, licenses have changed and you should check carefully to see if you can import your old license or if you need to migrate to the new license method entirely.
There IS an Alternative
With Portnox CLEAR – the first and only cloud-delivered NAC-as-a-Service – organizations gain actionable network visibility and continuous risk monitoring of all endpoints across all access layers – no matter device type or geo-location. Portnox CLEAR determines device type, location and level of access for every user on the network. Additionally, the platform can identify operating systems, installed applications, services, certificates and more – helping your IT team ensure compliance across the entire workforce.
With access control based on 802.1X protocol, network administrators can block rogue devices, quarantine noncompliant endpoints, limit access to specified resources and more – whatever your internal policy calls for. As a cloud-delivered solution, Portnox CLEAR is simple to configure, deploy and maintain. With built-in integrations to AzureAD, Okta, Microsoft Intune, Palo Alto Networks and more, you can easily mesh your network access control with your existing tech stack and remain as streamlined as ever.
Portnox is SOC-certified, GDPR ready, and can help organizations in preparation for regulatory compliance, such as PCI, HIPAA and more. All customer data is encrypted in-motion or at rest, user credentials never leave the organization, and administrators can be set to use MFA.