Cisco Identity Services Engine (ISE) Reviews

We use this solution to protect the network especially when someone brings their own device and to lock out access to anybody connecting to the network. Also to make sure that the people connect to the correct VLAN. So, mainly for security wifi access so that when people want to connect to our wifi they have to log in using their credentials.

We give guests limited access to the internet when they come in so that access has been useful. Previously, we just used to give them the APN key which they would leave with. Now, we give them credentials to use that are for a limited period of time.

It is stable. Any time we found an issue we would get in touch with the reseller to help fix it. Then they tell us where the problem is and we'll know where to look. 

It is scalable. We have around 350 users. We required two staff members for maintenance but they don't have enough knowledge so we have to reach out externally for more help. 

Their technical support has been good. They have been responsive every time we have an issue. They get logs, check and then give us feedback of which corrections to do.

The initial setup was complex. We had to engage an expert. When we rolled it out we would find challenges and then we would have to find a way of fixing those challenges. Out of  nowhere, it would lock out all users. Then we discovered that no, the password had expired for the service account. We needed to make it none expiry.

Deployment took about a month. We had to do project planning, discuss the plan with the team, and by the end, it was a month.

We used a reseller for the implementation and we had a good experience with them. 

If you go directly with Cisco for the implementation it's very, very expensive.

We also looked at Aruba.

It's a good product but it requires technical support and knowledge otherwise it will be difficult to manage and run it. It requires somebody to be configuring issues. You need protection as you advance in the usage but it's a good product. 

I would rate this solution an eight out of ten. In order to make it a ten, it should be more user-friendly. You need somebody who is knowledgeable about it to use it. It's not easy to use. We have to rely heavily on technical support.

My main uses are device administration, wireless access authentication, and ethernet access.

The most valuable feature is network access control for the users coming into the network, which allows us to know who is in the network at any given time.

The intuitiveness of the user interface could be improved. They could also make the deployment process more user-friendly.

I have two years of experience with this solution.

ISE is very stable - since it was installed, I've had no issues with it.

I've had no issues with scalability. I started using it on two campuses, and now I'm using it across the country and scaling it across subsidiaries in other countries.

I've worked closely with Cisco for many years and have no complaints about their support. Sometimes it takes less than a couple of minutes to get through to their support team.

I previously used Portnox, but it only gave us network access control, so we switched to ISE, which has more features like device administration.

Deployment is usually tough the first time, though once you get it working, it works well.

We used in-house engineers and an integrator.

We have a three-year license. Standard licensing gives backup access and very few features, and then there's VM licensing - each VM we use needs to be licensed. VM licensing comes in different sizes: small, medium, and extra-large. There are also licenses for features, posturing licenses, and profiling licenses.

Before deploying, it's a good idea to read up on the product first and then get some training so that when deployed, someone in the organization understands the solution. I would rate this solution as nine out of ten.

We primarily use the solution for network access control solution and network device access management. The solution comes with features like posturing.

The valuable feature of the solution lies in its integration capabilities with other applications. This facilitates seamless operations like Microsoft migration across networks and call center management. The ability to segregate multiple domain users in the Access Network ensures efficient, logical management.

The tracking mechanism in Cisco ISE is relatively costly, especially its vendor-specific protocol. It would be beneficial if it could support open source or other devices with a similar checking mechanism, but unfortunately, it remains proprietary.

I have been working with the solution for the past five years.

The solution is highly-stable. I rate it a perfect ten.

The solution is scalable. We have three users for the Cisco ISE.

Their customer service and support is excellent.

Positive

The setup is straightforward. Effective planning is crucial for the setup of Cisco ISE. Placement of the virtual solution requires careful consideration of network accessibility from all branches. Different components may need placement in various areas in a large network. So, thoughtful planning for the architecture is important. It takes around two days for the deployment.

Previously, Cisco ISE had a perpetual licensing model, but now they have shifted to a subscription-based licensing system. We now have to pay recurring costs. This change in the pricing model has presented challenges for many customers accustomed to the simplicity of the previous licensing model.

I recommend this solution to all. Overall, I rate it a perfect 10.

At first, Cisco ISE was a replacement for only ACS RADIUS. It was mostly for remote access VPNs and Wi-Fi. That was it, and later, it evolved into a complete ACS replacement, so it's for both TACACS and RADIUS. Nowadays, we also deploy .1X quite a lot. 

It was a driver towards .1X. With the features that were there on the network side and the features that were there with Cisco ISE, it was way easier to go to .1X.

It's the brain of many things. It's the brain for VPNs. In Cisco ISE, we control where the users are allowed to go. Customers are able to do that by themselves. It's the same for .1X. It's the heart of security.

Cisco ISE improved our cybersecurity resilience. It enabled features that were not present or possible before.

For customers, it's great. It has a GUI, so the customers themselves can edit ACLs or even modify the policies. It's also an all-in-one solution with RADIUS and TACACS.

I'm frustrated by the resource consumption and how many resources it needs to run. It takes a lot of RAM. It takes a lot of space and a lot of IO power. It's frustrating to do upgrades because it takes a long time. Things are at a much smaller scale where we are than in the US. We even have smaller virtualization farms, so it takes a considerable amount of power and resources.

We've been using this solution since its initial release. It was probably version 1.1 or 1.2.

I don't remember opening a case for Cisco ISE except for the licensing problems, but several years ago, it took some time for people to get to the right way to solve the problem. I am not sure whether it was my inability to clarify the situation or whether it was a matter of poor training, but it was sometimes very painful.

I've been working with this product for a while. It doesn't seem difficult. However, in terms of resources, it takes a while to get it running. I don't think it's necessary to be so resource-consuming and slow. That makes it complicated. 

Pricing is where things got a bit more complicated. Previously, it was a one-time purchase and we just had to renew support. These days, there's a subscription model, which is supposed to be easier and cheaper as well, but it's more pricey. Customers are aware of that, and many vendors are going the same way. They are trying to go along with the new model.

We did consider other products, but it didn't make sense to go for any competing vendor because of the integration with other Cisco products. AnyConnect is the best VPN product I am aware of, and that's usually why we stick with Cisco.

We also sell HPE products. We've deployed some HPE RADIUS solutions, but we prefer Cisco these days.

To someone researching this solution who wants to improve the cybersecurity in their organization, I would tell them to first think about what they are trying to achieve and then think about Cisco ISE as a tool. It isn't a turnkey solution.

It hasn't saved our IT staff's time. It was something that wasn't present before. It's an evolution that is necessary, but I wouldn't say it saves time.

It did help us consolidate any tools or applications. It was either a replacement of some legacy products or it was an improvement where it introduced new features that were not present before, but it didn't help get rid of some of the other products. It was a new thing to place into the network.

Overall, I'd rate Cisco ISE a six out of ten.

The solution is used for controlled access in the network, like if you want to restrict access.

The solution is deployed on-prem. I am an integrator of this solution.

The best features are the scalability and the license structure. The license structure is like a tier. If a customer doesn't actually want the highest features, then they can just start with the basic license package and upgrade it if their network is growing. For the smaller customers, they can start with the smaller plans and so on. If you have a financial customer or banking customer, they can go for the full features, and if it's not that critical, the customer can get the basic license package and implement that.

The licensing documentation needs to be better. We found some old documents describing the license names, like the Base license and Apex license. Cisco used both names. We have found that they changed the Advantage license and Premier License. If someone misunderstands that, they might end up with a hassle. I don't know if it's possible or not for Cisco to remove the older documents from the official website.

We have been working with this solution for more than two years.

We were using two solutions on Cisco's network, so we had a few ISE plans in that network.

The solution is stable. We have maybe 4,000 users for the Next solution.

We haven't used technical support very much, but in general, Cisco's support is always responsive.

Initial setup was straightforward from our point of view because we have engineers who did that, so of course it was not an issue with us.

The accesses took maybe three or four months to complete, but the Next part took about three weeks.

For deployment and maintenance, the team was average sized. You need to follow the correct documents for deployment. There can be misunderstandings if you use old documentation.

The licensing is subscription-based and based on the user account.

I would rate this solution 8 out of 10. 

I would recommend this solution.

If someone is looking for a concrete solution to control the access, then ISE is a better solution.

We use it for Cisco device TACACS authentication and .1X security. 

We have a better state of mind that we're secure, and we don't have unauthorized devices accessing the network. In a financial institution, we want to keep everything as secure as possible. We don't want anything plugged in.

It has helped to consolidate tools. We had arpwatch monitoring, which we no longer have to use, and then TACACS is securing the network. We didn't have a tool before, so that added a layer of security for us.

It has improved our cybersecurity resilience. We have authentication logging for everything that's authenticated or denied. We use a Splunk forwarder. We get notifications if something is denied for authentication. 

TACACS and .1X security are the most valuable features. TACACS acts for user control, so no one can authenticate to our network devices, and .1X is to validate that unauthorized devices are plugged into our network.

Its user interface could be better. It's not bad. They've just redesigned the whole user interface. It's not terribly difficult. The drop-down menus are easy to use. However, when you're looking for some things in the user interface, it takes a minute to find where you were prior.

I've been using Cisco ISE for a year.

Its stability is great.

Its scalability is also great. We have 350 users. 

Their support is excellent. I've opened two support tickets so far, and they were able to remediate the issue within a few hours.

It's fairly difficult. We have third-party support to assist with the setup.

Our setup is on-prem and virtual in Azure. 

It was a third-party support, not a reseller.

It's a very good tool for security. It's a lot of work to initially set up, but once it's set up, it's pretty easy to use.

It hasn't yet saved the time of our IT staff. It's still fairly new, so we haven't had much time to use the product fully. It has only been a year since we started using it, so it's still pretty new.

Overall, I'd rate Cisco ISE a nine out of ten.

I am not certain if I am using the latest version. It is the one which is made for TV. 

We use the solution to access control. Prior to any device being authenticated on the network, a person must login to the solution's site for authentication purposes. 

While the solution has a host of features, we only use the one involving access control. 

We are looking into further uses for it. My aim is to deploy it across all three of our sites and not just one. 

There is much room for improvement, especially after having perused the documentation on the solution's website. 

The solution lacks properly knowledgeable support, especially internationally, and this is why I am exploring other applications. 

I would need time to expand my knowledge of the solution and consult with the Cisco engineers before I could point to other pain points. 

I have been using Cisco ISE (Identity Services Engine) since 2015. 

So far, we have had no issues with the stability. 

There should be more knowledgeable support, particularly in the international sphere. 

I have no doubt that we will get there. They contacted me yesterday, which makes it likely that by weeks-end we should be able to build a structure and do many things with the solution. This would allow me to know where I am standing, explore further and even examine the possibility of implementing some of Cisco's other features. 

We did not use other solutions prior to the current one and will likely not explore others in the future. The current one should be fine. 

The installation was straightforward, although it will likely involve a more complex implementation in the future.

As the previous installation was not complex, it did not take long. 

I believe I have paid around $1,000 in licensing fees. The license is annual. 

We did not really explore other options prior to using the solution. We considered Fortigate, but found it to not be very straightforward, which is why we decided to go with the current solution. 

While we have focused on the access control aspects of the solution, the documentation demonstrates that it has many more features, so I would like to explore it further. 

We are customers of Cisco. 

At the moment, we have around 250 users making use of the solution. 

I rate Cisco ISE (Identity Services Engine) as a five out of ten. This is because I wish to explore further any additional features that can add value to our organization, especially on the IT security side. 

Our use cases are based around dot1x. Basically wired and wireless authentication, authorization, and accounting. 

In terms of administration, only our networking team uses this solution. Probably five to ten administrators manage the whole product. Their role pretty much is to make sure that we configure the use cases that we use ISE for — pretty much for authenticating users to the wired and wireless networks. We might have certain other advanced use cases depending on certain other business requirements, but their job is pretty much to make sure all the use cases work. If there are issues, if users are complaining, they log into ISE to troubleshoot those issues and have a look at the logs. They basically expand ISE to the rest of the network. There is ongoing activity there as well. The usage is administrative in nature, making sure the configurations are okay, deploying new use cases, and troubleshooting issues.

This solution has definitely improved the way our organization functions.

In terms of features, I think they've done a lot of improvement on the graphical user interface — it looks really good right now. ISE is always very complicated to deploy because it's GUI-based. So they came up with this feature called work centers, that kind of streamlines that process. That's a good feature in the product right now.

An issue with the product is it tends to have a lot of bugs whenever they release a new release.

We've always found ourselves battling out one bug or another. I think, overall they need to form a quality assurance standpoint. ISE has always had this issue with bugs. Even if you go to a Cisco website and you type all the bug releases for ISE, you'll find a lot of bugs. Because the product is kind of intrusive, right? It's in the network. Whenever you have a bug, if something doesn't work, that always creates a lot of noise. I would say that the biggest issue we're having is with all the product bugs.

Also, the graphical user interface is very heavy. By heavy, I mean it's quite fancy. It's equipped with a lot of features and animations that sometimes slow down the user interface.

It's a technical product — I don't think a lot of engineers really need fancy GUIs. We pretty much look for functionality, but I think Cisco, for some reason, is putting an emphasis on its GUIs looking better. We always look for functionality over fancy features.

We've had issues with different browsers, and sometimes it's really slow. From a functionality standpoint, we would rather the GUI was light and faster to navigate.

ISE has a very good logging capability but because their GUI is so slow, we feel it's not as flexible or user-friendly as we would like it to be, especially when it comes to monitoring and logging. At the end of the day, we're implementing ISE for security. And that means visibility.

Of course, you can export the data into other products to get that visibility, but we would like to have a better type of monitoring, maybe better dashboards, and better analytics capabilities within the product.

Analytics is one thing that's really lacking. Even if you're to extract a report, it just takes a lot of time. So, again, that comes down to product design, but that's definitely an area for improvement. I think it does the job well, but they can definitely improve on the monitoring and analytics side.

I have been using this solution since they released the first version over ten years ago.

Scalability is pretty good, provided that you design it properly from the get-go. There are design limitations, depending on the platforms, especially the hardware platforms that you select. On the scalability front, it's not a product that can be virtualized very well — that's an issue. Because in the world of virtualization, customers are always looking for products that they can put in their virtual environments. But ISE is not a truly virtualized product, as in it doesn't do a lot of resource sharing.

As a result, it's not truly virtualized. Although they do have the VM offering, it's not virtualization in the proper sense of the word. That's one limitation of the product. It's very resource-intensive. As a result, you always end up purchasing additional hardware, actual ISE physical servers. Whereas, we would like to have it deployed in virtual machines if it was better designed. I think when it comes to resource utilization, it probably isn't optimized very well. Ideally, we would like to have a better-virtualized platform.

Tech support tends to be pretty good for ISE. We do use it extensively because of all of the bugs we encounter. 

Mostly it's at the beginning of setting the whole environment up. Typically, once it's set up properly, it tends to work. But it's just that the product itself integrates with a lot of other products in the network. It integrates with your switches, with your APs, etc. So, it's a part of an ecosystem. What happens is, if those products experience bugs, then it kind of affects the overall ISE solution as well — that is a bit of a dependency. The ISE use cases are dependent on your network access devices, but that's just the nature of it. The only issue with support is you might have to open a ticket with the ISE team, but if you're looking at issues in your wireless network or switches, you might have to open another ticket with their tech team for switches. 

For customers using Cisco, end-to-end, they should improve the integration and providing a seamless experience to the customer. But right now, they have to refer to other experts. They come in the call, but the whole process just takes some time.

That's an area that they can improve on. But typically, I would say that the support has been good. We've been able to resolve issues. They are responsive. They've been good.

Overall, I would give the support a rating of eight.

The setup is not straightforward. It's complex. You need to have a high level of expertise.

It's an expensive solution when compared to other vendors. It's definitely more expensive than ClearPass. It's expensive, but the issue, again, comes down to scalability. Because you can't virtualize the product, there's a lot of investment when it comes to your hardware resources. Your CapEx is one of the biggest issues here. That's something Cisco needs to improve because organizations are looking at reducing their hardware footprint. It's unfortunate that ISE is such a resource-intensive application to begin with. As it's not a properly virtualized application, you need to rely on physical hardware to get the best performance.

The CapEx cost is high. When it comes to operational expenditure, it all depends on the features you're using. They have their tiers, and it all depends on the features you're using. The basic tier, which is where most of the functionality is, is relatively quite cheap. But if you're using some advanced use cases, you need to go to their higher tiers. So, I'm not too worried about operations costs. You need to buy support for the hardware: you need space, power, and cooling for the hardware-side. All of that adds up. So, that all comes down to the product design and they need to make sure it's properly scalable and it's truly virtualized going forward.

We've evaluated other products, for example, Aruba ClearPass. There's another product, Forescout, but the use case is a bit different.

When it comes to dot1x authentication, I think it's ISE and Aruba ClearPass. Forescout also comes into the next space, but the use case is a bit different.

We prefer ISE because, I think if you're using Cisco devices, it really kind of integrates your ecosystem — that's why we prefer ISE. When it comes to NAC or dot1x products, from a feature standpoint, ISE has had that development now for 10 to 11 years. So, we've seen the product mature over time. And right now it's a pretty stable and functional product. It has a lot of features as well. So, I think the decision is mainly kind of driven by the fact that the rest of the ecosystem is Cisco as well. From a uniform figure standpoint, the other product is probably the industry leader at this point in time for network admission control.

The main advice would be in terms of upfront design — this is where a lot of people get it very wrong. Depending on the platforms you choose, there are restrictions and limitations on how many users. We've got various nodes, so how many nodes you can implement, etc. Also, latency considerations must be taken into account; especially if you're deploying it across geographically dispersed regions. The main advice would be to get the design right. Because given that directly interferes with the network, if you don't get your design right it could be disruptive to the network. Once you've got the proper design in place and that translates into a bit of material, the implementation, you can always figure it out. Getting it right, upfront, is the most important thing.

Overall, I would give ISE a rating of eight out of ten. I don't want to give it a 10 out of 10 because of all the design issues. There is definitely room for improvement, but overall out there in the market, I think it's one of the best products. It has a good ecosystem. It integrates well with Cisco devices, but it also integrates with third-party solutions if you have to do that. It's based on open standards, and we've seen the ecosystem grow over the years. So, they're doing a good job in terms of growing the ecosystem and making sure ISE can work with other products, but there's definitely room for improvement on the product design itself — on monitoring, on analytics.