ISE Migration and Deployment (Healthcare Provider) Case Study
Feb 05, 2024
About the Client: Large Health Care provider - NJ
The customer is one of the largest non-profit health care providers in New Jersey, offering a wide array of healthcare services. The customer serves more than half the state of NJ, providing care for health needs including critical patient care services. They are known for exceptional patient outcomes and experiences and are committed to providing the highest quality care.
Executive Summary
Because the existing Cisco ISE (Identity Services Engine) version 2.x had reached EOL/EOS, the customer decided to migrate ISE to a newer version. This strategic initiative was the outcome of multiple challenges and limitations the customer faced with the existing version of the ISE personas, such as troubleshooting, administration, bug fixes (non-compliant with the Info-Sec security standard), PSN resiliency, and no technical support from TAC.
We worked with the customer to come up with a solution to migrate the existing ISE version 2.x to 3.x, which also included deploying additional PSNs across multiple Medical Centers. We engineered this solution to cause minimal downtime/outage to critical medical centers during the entire migration process. This has resulted in enhanced performance, better scalability, simplified management and better high availability of all ISE personas.
Goals
Network Performance:
The customer faced challenges with the existing version of the ISE personas when troubleshooting during major incidents related to wireless authentication, which delayed resolution of the incident. Since the Medical Centers are equipped with highly critical medical devices such as infusion pumps, body scanners, etc., the customer wanted the new solution to enhance the wireless authentication process and ISE administration and to provide better reliability in supporting critical wireless healthcare devices.
Scalability:
The customer wanted the new deployment to handle multiple RADIUS authentication requests more efficiently, without any impact on the performance of the ISE platform.
Network Resiliency:
Considering the criticality of wireless medical equipment, the customer wanted the new ISE infrastructure to provide full resiliency of WiFi authentication for all critical wireless medical devices and wireless clients.
Network resiliency was needed to enhance overall user experience by reducing downtime and increasing network responsiveness.
Simplified Management:
The existing ISE nodes were running an EOS/EOL version, which made it difficult to manage and troubleshoot Wi-Fi authentication issues. The customer wanted a solution that can simplify the configuration, administration and troubleshooting of any issues related to NAC.
Solutions and Outcomes
To address the goals highlighted above, the customer decided to migrate the existing EOL/EOS ISE deployment (2.x) to a newer and stable version of ISE (3.x with the latest patch); this also included the addition of 6 more ISE nodes to the infrastructure. In the new deployment/migration, we deployed a total of 12 ISE nodes (replacement of the existing 6 nodes plus 6 additional new nodes). Since all the Medical Centers were equipped with highly critical medical devices, the entire deployment/migration was carried out by deploying 12 new VMs in parallel for the new ISE deployment, which reduced the downtime. The new ISE design is a distributed deployment (2 PAN/MNT + 10 PSN).
The overall deployment of the new ISE infrastructure included the key components below:
Management and Control: The new 3.x deployment has an optimized UI, which helped the customer administer, configure and troubleshoot ISE more efficiently. The licensing model has also been changed from Traditional to Smart License, which helped the customer keep track of license usage and avoid non-compliance issues with Cisco. All new ISE VM resources have been allocated as per the Cisco standard, hence no performance issue has been reported on any of the ISE nodes.
Scalability: The new ISE deployment is fully capable of handling multiple RADIUS authentication requests without getting overloaded. It has also eliminated the previous RADIUS timeout/high-latency issue, as we additionally provisioned 6 more ISE PSNs. We have mapped each PSN to a WLC based on geographical location and lower WAN latency.
Network Resiliency: The new deployment is fully redundant and uses a distributed model:
- Redundancy of PAN/MNT/PSN
- In DC1 we deployed 1 ISE as Primary PAN/ Secondary MNT
- In DC2 we deployed 1 ISE as Secondary PAN/ Primary MNT
- Each DC has 2 PSN to serve authentication to the nearest geographical WLC
- 8 PSNs were deployed across all Medical Centers; each is the Primary PSN for its respective WLC, and the Secondary PSN is the nearest DC PSN
Enhanced Security: The new ISE deployment is more secure, i.e. enabled with TLS 1.2. It has also fixed the high-severity bugs present in the old ISE deployment. We made the new deployment compliant with the customer's Info-Sec security standard.
This case study gives an overall picture of the success of the ISE migration/deployment from 2.x to 3.x in addressing challenges faced by healthcare enterprises, and it also reflects the positive impact of modernizing the NAC solution for medical wireless devices. As the healthcare industry continues to grow and evolve, the customer is well positioned to adapt to new challenges with respect to wireless security.