Cisco Identity Services Engine (ISE) Reviews

I use it for licensing and profiling. It's like a "traffic cop." It's an endpoint user migration tool. It's also a TACACS server. It depends on what I'm using it for at the moment.

For the applications it's authentication and then authorization into the network. It's the networks you're on and what AD gives you. Your profile is based in AD or an LDAP server. ISE talks to those two servers and says, "What groups do you belong to, and should you have access to those roles?" With ISE, if AD says you can have it, then go for it.

I use it in big campus environments, anywhere that needs authentication and authorization to work with AD. It's a great tool for that, if you want to profile your network and you want to secure your network inside. We're not talking about firewalls but about what the tool can do for you, what it's designed for.

It has improved internal security, in-to-out, out-to-in. Without ISE, you can't posture or profile your network. Authorizations, authentications. ISE is not the only product that can do it, but it's a great tool.

Among the most valuable features is TACACS. Also, the rules and logging, but TAC is just as easy. Cisco TAC is great.

The area where things could be improved is education. It's complicated to deploy initially because you have to know what you're getting into. That's true with any customer. I don't know them so I have to learn about them. I have to figure it out, but there are very limited windows to do that. If a customer's going to hire you, you are the professional. You should know this already. You should come in with a base knowledge of what you need to do and, after that, grow with the customer. More education is how it can be improved.

I have been using Cisco ISE (Identity Services Engine) since 2016. I usually come into an environment after everything is there already. Customers bring me in to fix things that are broken.

The stability of the solution depends on how you scale it. If you have set it up properly, it will be great. If you put all your eggs in one basket, in one part of the network, and that goes down, then you have lost everything.

It's scalable. It can grow with your network. You can create new nodes or move everything from local to the cloud. It's easy to spin up a VM, so you can put it on a VM real quick and be done within a couple of days. But you have to know what you're doing. You can't just do it with the assumption that you can copy and just redeploy it. ISE doesn't work like that. It has to be done properly.

Cisco's TAC is excellent. Cisco always has great support.

Positive

I previously used the older versions of the hardware that were the original predecessors to ISE.

The deployment model for ISE depends on the customer: where their data centers are, what they can afford, and what type of maintenance agreements they have with Cisco's support. Are they on a VM or a physical device? Deployment depends on what we are trying to do and the environment.

In terms of establishing trust for every access request, trust is only as good as the rules and definitions you build. Without that, you need not only to trust the device, you need the trust of the customer too. That's important.

Trust is only eliminated when a customer wants the rules loosened. When the customer says, "This is too difficult, you're making it too hard," that is when exposure happens, things start collapsing, and there are breaches. You can't give the customer everything they want, because they don't know the consequences. You have to educate them. They need to know that the inconvenience of hitting "enter" to log in, and having it take three seconds or five seconds is because you'd rather have the machine and the network think before they let you on the network. A lot of times a customer will say, "If I'm hitting enter and it's not bringing me to where I need to be, then this is not a good solution." You have to educate them.

The solution is like an iPad that someone set up for you. If they didn't do a good job setting it up, you're going to rate the tool as bad. A lot of times, I come in and it's already done and I have to fix the problems. There are times that I do create it from scratch and it works really well. 

We're using version 3.1, which is very stable. There have been a lot of improvements.

I like the automation of the collection of information.

We have only been deploying this version for three months. We haven’t had any issues, but we'll see how it goes. One of the issues that we used to have was with profiling because we're working with a service provider that uses a lot of bring your own devices. We haven't had any issues since we started using version 3.1.

I have been using this solution for over 12 years.

There are no stability issues with version 3.1.

It's stable. We deployed with a client in petroleum with about 200 users worldwide, and it was stable.

Setup wasn't easy, especially if you haven’t worked with it intensively. VM is a little bit easier. If you don't deploy ISE with correct policies, it will be difficult.

If you deploy it with the correct policies, it's a wonderful product. You don't need to attach anything like your firewalls or creating rules.

ISE has always been expensive compared to other products in terms of what it does on a user level. I haven't had a client who didn't say that ISE wasn't expensive. I’ve had an issue where I was just selling four boxes, and it was four million. It was a high-end box, and the client didn't take it. They end up going with VM.

I would rate this solution 9 out of 10.

It's one of the more difficult products to deploy.

You can learn a lot about ISE from their training videos. I would suggest watching the videos before deploying the solution. They have created good videos for ISE, from version 1.3.

We primarily use the solution for user authentication and wireless segmentation of users for actual radius purposes.

The actual radius is the most valuable aspect of the solution. We need to have a centric solution either on MarTech X and for the wireless user authentication. We were mainly on Cisco and we continue to use them. However, this is the time period for a refresh as the five-year lifespan is completed. We may look for other options.

Technical support is okay.

The solution is not so user-friendly. It's very difficult to navigate through different manuals. The documentation should be simplified so that it is easier to understand.

It would take time for a beginner to understand and familiarize themselves with the solution. There's a bit of a learning curve.

Cisco ISE is not very stable. They could work on that aspect. 

We'd like the pricing to be better.

The product is not easily scalable.

Currently, if you want to do something with authentication, you need to have an additional document agent, however, these are short on all Microsoft endpoints. We then need to come up with some alternate options so that I don't have to modify any native applications on it. By default, Windows should be able to support and onboard the devices. Right now I need to have a Cisco AnyConnect as an agent to be deployed for authentication.

I've been using the solution for over five years at this point. It's been a while.

The stability of the solution needs to be improved. It's not ideal. It's lacking overall. If we have five or six items activated, the box shakes and we're scared to touch anything. When we do have to reconfigure things, it's a nightmare as it can go down and it can take us a day or two to sort things out.

In terms of scalability, it needs to be reactivated, which means that I need to add more nodes. It's got its own design limitations. We had only a two-node deployment in it. We need to add more hardware and we need to reduce so many things. It's not an easy option to scale this hardware. Scaling, in general, is very difficult.

We have roughly 9,000 users on this product currently.

Technical support is fine. However, we may need to depend on support to resolve some of our many issues. We need to spend an enormous amount of time with them and to explain so much stuff. It would be easier if we could troubleshoot the issue ourselves or if the solution was more reliable.

I don't know about other alternative products. I don't have any experience with other alternative products. I've only ever used Cisco ISE.

The solution's initial setup can be a bit complex as there are so many features that are available. It all depends, however, upon which one you want to activate. In our case, we have five or six activated and the box always shakes. It's not stable. So my colleagues are always afraid to touch the box. If it is working well and good, you don't touch it, and we don't reconfigure it. In cases where we encounter any issues, it's a nightmare and we need to spend a minimum of twenty-four to forty-eight hours to recover everything.

We pay a fee based on a subscription model.

The pricing could always be better.

I've been looking at evaluating Aruba's Clearpass as a potential replacement option for this solution. I haven't gotten too far into my research, however. I'm looking for a solution that's scalable and easy to use.

My advice to Cisco would be to simplify as much as possible so that a normal IT guy can understand the CCD and set it up. If they can simplify the manuals, navigation, and documentation, it would be nice. It will always be difficult for a beginner, however, to, rearrange or design the network.

I would rate the solution five out of ten.

We use it to ensure that any device that connects to our network or wireless environment is a company-owned asset and has all the security certificates. We aren't doing too much remediation. We just identify whether it's one of our assets and whether it's allowed.

In our company, we have a lot of remote workers. Knowing that even devices that are coming through a VPN comply with our policies, whether they're in the office or they're remote, face the same level of scrutiny is a benefit to our company.

We can set as in-depth alerts as we want to. We can set up an alert through email, text, etc.

It has helped to improve our cybersecurity resilience. It helps to ensure that all devices meet the patching and certificate requirements.

It's keeping our company safe from rogue devices connecting to our network. From a security standpoint, there's peace of mind knowing that every device that connects is a good one.

The upgrades could be better. Every time we try to do an upgrade, we have problems. It's a pain.

I've only been with the company for six months, but they adopted Cisco ISE about three to five years ago.

Support has always been good. Overall, I'd rate them an eight out of ten. Sometimes it feels that their first-level support hasn't been trained in-depth.

Positive

We have redundant solutions across all of our data centers, policy nodes, and authentication nodes. As far as I know, we started off in a small deployment with our wireless. We profiled our devices to ensure that they belonged to our companies before we let them access, and then from there, we expanded into profiling wired ports as well, so we started very small and then moved to a larger solution.

In terms of our plans to increase its usage, we may use Cisco ISE in different ways, but the number of nodes that we have will probably stay the same. With version 2, we're moving more of our deployment to the cloud, so we'll move from the on-premise solution to the cloud. We've already started the process. We have some nodes built in the cloud, and we just have to move the production and then remove our on-prem. We're using Oracle Cloud for our highest deployments. It will be fully cloud.

We've seen a return on investment from the security aspect.

I'd advise starting just the way we did. Start small because there are a lot of use cases of Cisco ISE. If you try to do it all at once, you might be disappointed, so start small and pick an area that you'd like to focus on, get that piece done, and then go from there. 

It hasn't really helped to free up our IT staff for other projects. It also hasn't helped us consolidate any tools. 

Overall, I'd rate Cisco ISE an eight out of ten.

We use it for Community WiFi and TACACS authentication. It is service provider authentication, both for the core infrastructure and Community WiFi.

We were looking to solve captive portal and centralized authentication with Cisco ISE.

It has allowed us to pull in multiple authentication databases, then centralize them into a captive portal system.

It is important for our organization that the solution considers all resources to be external. It treats them with minimum trust.

Integration is a big factor. That has really been the driving force behind it.

Documentation is probably the worst part of the software.

I have been using it for about five years.

It is very stable. I would rate the stability as 10 out of 10.

We don't use its scalability. I would rate it as five out of 10.

The technical support is good. I would rate them as six out of 10.

Neutral

We previously used an open-source solution. We switched for vendor support and scalability.

We don't monetize this solution.

It is fair.

We did not evaluate other options.

It is worth checking out the integration that it provides. It is a strong platform.

Cybersecurity resilience has not been that important for our organization.

I would rate ISE as eight out of 10. It does exactly what it is supposed to do without much issue.

We use it for SDA infrastructure. We have a challenge in recognizing different kinds of devices and that's what we are using ISE for in the SDA fabric.

We can better recognize our endpoints and we know whether they are allowed to access our network. That's really important for us.

It has also eliminated some rogue devices from accessing our network.

The integration with Active Directory is the most valuable feature for us.

The admin interface is really slow. It's horrible.

I have been using Cisco ISE (Identity Services Engine) for five years.

It's really stable.

It's scalable, but we need to upgrade some of our hardware to support more users.

Our SDA fabric has about 1,500 users that we are authenticating. We have plans to use it throughout the City of Helsinki, which has about 38,000 personnel whom we will need to authenticate in the future.

I haven't used the tech support.

We also currently have Microsoft RADIUS, but we are planning to move away from it and use ISE as our only authentication solution.

Other than the slow admin interface, it's an excellent product.

We are a partner with Cisco and am a part of an information security team that uses Cisco to provide security policy management via network, device and wireless access. 

Cisco offers automation, visibility, and control as well as third party integration capabilities.

I would like for the next release to be easier to implement and to limit its dependencies around ISE, Windows, the network as a whole, etc.

I have been using Cisco ISE for over six years.

This is a very stable solution with many integrations.

Cisco's scalability depends on the design - small deployments are not scalable.

Cisco support is good.

This solution is a bit more complex to set up than in comparison to other options - it can take anywhere from two to five months depending on the use case.

The price for Cisco ISE itself is very low, however, Cisco professional services are quite expensive. Subscription amount is dependent on number of users.

We looked at Forescout which is more user-friendly but they have a very vulnerable network.

This is a good solution for security teams. If you do not have a security team, I would not recommend this product. 

Overall, I would rate Cisco a seven out of ten.

We are resellers. We provide and deploy solutions for our customers.

Cisco ISE (Identity Services Engine) helps the operation to automate.

It works very well with the network, router, and switches. It is able to enforce the policy and assigns the traffic a Security Group tag.

A Google user is able to enforce access throughout the router and switches ensuring the traffic going through has the same policy.

When you push out the policy, it is able to populate the entire network at one time.

It's quite good, the market is using this solution.

This solution has enhanced features that make it difficult to use. To make it easier, it should be made without PxGrid.

It should be able to work with third-party routers and switches. We want to work in an environment where there are multi-vendors that require PxGrid.

Their software-defined access is not easy to implement. You have to have a good understanding of how to implement it. It would be helpful if they could make it easier for the customer to adopt.

Third-party integration is important, as well as the continuous adaptation feature, which is the AIOps. It would be helpful to include the AIOps.

They are currently on version 3.1.

If the customer has more than 200,000 users, the performance becomes a bit laggy.

In terms of scalability, it's available on the cloud, but I have not yet tested the features on the cloud.

It is used mainly by our customers, who use it for their entire infrastructure. They have anywhere from 50,000 to 100,000 users.

Technical support could be better. They outsource the support.

We are brought all around the world, it is similar to following the sun.

Currently, I am using SD-WAN (Software-Defined WAN) from Silver Peak.

To complete the installation, you need to be technically knowledgeable. The setup could be easier.

For the content, and the technologies it is made to be a bit more complex. 

The technology is good, but to use some of the other features, and capabilities, they request that we purchase the Cisco DNA Center. As a result, the bundled price is a little high.

Once you purchase the DNA, you will need the SNA then the license, overall it's very expensive.

If, however, you implement Cisco ISE without the DNA and the SDA, the price is reasonable.

To avoid running into any complications when getting this solution up and running, you should get technically trained and comfortable with it before applying it.

I would rate Cisco ISE (Identity Services Engine) a seven out of ten.