Like many network engineers, I've been evaluating Cisco Identity Services Engine and planning for an impending implementation. So I welcomed a chance to review "Cisco ISE for BYOD and Secure Unified Access" by Aaron Woland and Jamey Heary.
If you are a management type looking to understand what ISE brings to the table, you'll find this book helpful. Several chapters explain the business case around ISE and the power of the technology. However, you are not the target audience. Cisco ISE for BYOD reads more like a lab manual than anything else, which works out quite nicely for a newbie like me looking to get her hands dirty.
The authors start by presenting the building blocks of the product, including the basics of topology design, node functionality, and licensing requirements, but then jump right into configuration fundamentals and demonstrations. Throughout the chapters, readers are presented with a number of technical "how-to" examples together with pieces of practical "why you would want to" advice.
Woland and Heary assume a basic knowledge of 802.1X authentication and configuration, which ISE builds on extensively. However, the book does cover some fundamentals of the protocol for those who do not have extensive training in this area, and even includes some helpful process flow charts. The book also clearly lays out proper design, goals, and expectations that engineers should have in mind before deploying the ISE product.
The authors point out that ISE is highly customizable and no deployment will look identical to another. For example, PCI-compliant environments will invoke and prioritize different security policies than other businesses. The book even provides some excellent questions and thought processes to help engineers determine what business policies must accompany the deployment.
Another aspect of this book engineers will find remarkably helpful is the attention to the many details involving the network hardware with which ISE interacts. The authors not only provide configuration snippets for common devices like 3750s and Nexus 7000s, but they also mention some gotchas that commonly crop up when dealing with mixed environments of old and new gear. For example, they walk you through setting up SG tags on various devices and point out the various intricacies involved, such as a 6500 being able to process SG tags in ingress mode or egress mode, but not both.
My favorite chapter of "Cisco ISE for BYOD" by far is the troubleshooting chapter. The screenshots and process resolution of common issues are reference gold. The methodology laid out for troubleshooting is nothing new, but it's sound. Woland and Heary advise: "Always stay calm, take your time, and think about how the solution works." The text then gives excellent resources to help you do this, including a chart of basic authentication and authorization flows, instructions on how to access the Live log and how to run a TCP dump, as well as an excellent ISE node communications reference sheet.
I would recommend this book to any engineer taking on an ISE deployment, especially if you have a lab environment to play in. Being able to follow along through the chapters in a lab would definitely have enhanced my reading of the text, but if you find yourself lab-less, don't fret -- the book is an excellent primer and definitely worth reading.