The problem
The entry point was unglamorous. Device administration ran on Cisco ACS 5.x, a platform with no future, and every router, switch, firewall, and controller in a 1,500+ device estate authenticated its administrators against it. Endpoint authentication was the bigger gap: nobody owned 802.1X, and there was no initiative to own. So I founded one, and the ACS replacement became the foundation for something much larger.
My role
I founded the 802.1X initiative, architected the ISE platform, and deployed it. That started with migrating device-admin AAA from ACS 5.x to a four-node ISE 2.3 deployment: two combined PAN/MnT nodes and two Policy Service Nodes. I owned the patch lifecycle through 2.4, then made the call that shaped everything after it: never bet production on an in-place upgrade. We stood up a 3.1 environment in parallel with the patched 2.4, upgraded the new build to 3.2, and migrated onto it. Production never carried the risk of its own upgrade.
The approach
Policy structure came first. Policy sets split by protocol: wired 802.1X, wireless 802.1X, wired MAB, wireless MAB, and guest, with device populations handled as authorization logic inside each set instead of more top-level sprawl. TACACS device administration got its own policy sets by platform family: IOS and IOS-XE, Nexus, wireless controllers, management platforms, ASA, and Palo Alto.
The design decisions that mattered: access ports fail closed. Cisco phones are trusted through their manufacturer-installed certificates. Every device keeps a single local break-glass account in case TACACS is ever unreachable.
The rollout was deliberately slow at the start. Our first three client programs carried 802.1X as a contractual requirement, so they became the proving ground, about eight months end to end. Monitor mode first. Supplicant settings proved out in test OUs before the production OU and GPO design went live. Enforcement batches started at two or three PCs, grew to ten through the first 250 machines, then to fifty at a time across multiple geographies. Every batch rode a change request with post-implementation support attached, and the organization matured from per-client rollouts to per-site rollouts as confidence grew.
Config generation matured on the same curve. The first switch templates lived in Notepad. They ended up as Cisco DNA Center templates pushing IOS and IOS-XE configurations at fleet scale.
What shipped
A 14-node distributed ISE 3.x deployment: a dedicated PAN pair, a dedicated MnT pair, and two PSNs in each of five global datacenters across North America and Asia. It fronts the 1,500+ device estate for TACACS and authenticates the endpoint population over wired and wireless 802.1X.
Where it stands
60K+ endpoints authenticate through the platform today, wired and wireless, and the number keeps climbing. ISE has become the authorization brain for VPN remote access: the headends authenticate users with Azure MFA, then ISE runs posture checks and authorizes the session. Duo integration is putting MFA in front of ISE administration itself, and the enterprise is moving supplicants from MSCHAP and PEAP to EAP-TLS, trading passwords on the wire for certificates. The platform I installed as an ACS replacement now decides who gets on the network, everywhere.