Cisco Identity Services Engine (ISE) Reviews

Our use cases are based around dot1x. Basically wired and wireless authentication, authorization, and accounting. 

In terms of administration, only our networking team uses this solution. Probably five to ten administrators manage the whole product. Their role pretty much is to make sure that we configure the use cases that we use ISE for — pretty much for authenticating users to the wired and wireless networks. We might have certain other advanced use cases depending on certain other business requirements, but their job is pretty much to make sure all the use cases work. If there are issues, if users are complaining, they log into ISE to troubleshoot those issues and have a look at the logs. They basically expand ISE to the rest of the network. There is ongoing activity there as well. The usage is administrative in nature, making sure the configurations are okay, deploying new use cases, and troubleshooting issues.

This solution has definitely improved the way our organization functions.

In terms of features, I think they've done a lot of improvement on the graphical user interface — it looks really good right now. ISE is always very complicated to deploy because it's GUI-based. So they came up with this feature called work centers, that kind of streamlines that process. That's a good feature in the product right now.

An issue with the product is it tends to have a lot of bugs whenever they release a new release.

We've always found ourselves battling out one bug or another. I think, overall they need to form a quality assurance standpoint. ISE has always had this issue with bugs. Even if you go to a Cisco website and you type all the bug releases for ISE, you'll find a lot of bugs. Because the product is kind of intrusive, right? It's in the network. Whenever you have a bug, if something doesn't work, that always creates a lot of noise. I would say that the biggest issue we're having is with all the product bugs.

Also, the graphical user interface is very heavy. By heavy, I mean it's quite fancy. It's equipped with a lot of features and animations that sometimes slow down the user interface.

It's a technical product — I don't think a lot of engineers really need fancy GUIs. We pretty much look for functionality, but I think Cisco, for some reason, is putting an emphasis on its GUIs looking better. We always look for functionality over fancy features.

We've had issues with different browsers, and sometimes it's really slow. From a functionality standpoint, we would rather the GUI was light and faster to navigate.

ISE has a very good logging capability but because their GUI is so slow, we feel it's not as flexible or user-friendly as we would like it to be, especially when it comes to monitoring and logging. At the end of the day, we're implementing ISE for security. And that means visibility.

Of course, you can export the data into other products to get that visibility, but we would like to have a better type of monitoring, maybe better dashboards, and better analytics capabilities within the product.

Analytics is one thing that's really lacking. Even if you're to extract a report, it just takes a lot of time. So, again, that comes down to product design, but that's definitely an area for improvement. I think it does the job well, but they can definitely improve on the monitoring and analytics side.

I have been using this solution since they released the first version over ten years ago.

Scalability is pretty good, provided that you design it properly from the get-go. There are design limitations, depending on the platforms, especially the hardware platforms that you select. On the scalability front, it's not a product that can be virtualized very well — that's an issue. Because in the world of virtualization, customers are always looking for products that they can put in their virtual environments. But ISE is not a truly virtualized product, as in it doesn't do a lot of resource sharing.

As a result, it's not truly virtualized. Although they do have the VM offering, it's not virtualization in the proper sense of the word. That's one limitation of the product. It's very resource-intensive. As a result, you always end up purchasing additional hardware, actual ISE physical servers. Whereas, we would like to have it deployed in virtual machines if it was better designed. I think when it comes to resource utilization, it probably isn't optimized very well. Ideally, we would like to have a better-virtualized platform.

Tech support tends to be pretty good for ISE. We do use it extensively because of all of the bugs we encounter. 

Mostly it's at the beginning of setting the whole environment up. Typically, once it's set up properly, it tends to work. But it's just that the product itself integrates with a lot of other products in the network. It integrates with your switches, with your APs, etc. So, it's a part of an ecosystem. What happens is, if those products experience bugs, then it kind of affects the overall ISE solution as well — that is a bit of a dependency. The ISE use cases are dependent on your network access devices, but that's just the nature of it. The only issue with support is you might have to open a ticket with the ISE team, but if you're looking at issues in your wireless network or switches, you might have to open another ticket with their tech team for switches. 

For customers using Cisco, end-to-end, they should improve the integration and providing a seamless experience to the customer. But right now, they have to refer to other experts. They come in the call, but the whole process just takes some time.

That's an area that they can improve on. But typically, I would say that the support has been good. We've been able to resolve issues. They are responsive. They've been good.

Overall, I would give the support a rating of eight.

The setup is not straightforward. It's complex. You need to have a high level of expertise.

It's an expensive solution when compared to other vendors. It's definitely more expensive than ClearPass. It's expensive, but the issue, again, comes down to scalability. Because you can't virtualize the product, there's a lot of investment when it comes to your hardware resources. Your CapEx is one of the biggest issues here. That's something Cisco needs to improve because organizations are looking at reducing their hardware footprint. It's unfortunate that ISE is such a resource-intensive application to begin with. As it's not a properly virtualized application, you need to rely on physical hardware to get the best performance.

The CapEx cost is high. When it comes to operational expenditure, it all depends on the features you're using. They have their tiers, and it all depends on the features you're using. The basic tier, which is where most of the functionality is, is relatively quite cheap. But if you're using some advanced use cases, you need to go to their higher tiers. So, I'm not too worried about operations costs. You need to buy support for the hardware: you need space, power, and cooling for the hardware-side. All of that adds up. So, that all comes down to the product design and they need to make sure it's properly scalable and it's truly virtualized going forward.

We've evaluated other products, for example, Aruba ClearPass. There's another product, Forescout, but the use case is a bit different.

When it comes to dot1x authentication, I think it's ISE and Aruba ClearPass. Forescout also comes into the next space, but the use case is a bit different.

We prefer ISE because, I think if you're using Cisco devices, it really kind of integrates your ecosystem — that's why we prefer ISE. When it comes to NAC or dot1x products, from a feature standpoint, ISE has had that development now for 10 to 11 years. So, we've seen the product mature over time. And right now it's a pretty stable and functional product. It has a lot of features as well. So, I think the decision is mainly kind of driven by the fact that the rest of the ecosystem is Cisco as well. From a uniform figure standpoint, the other product is probably the industry leader at this point in time for network admission control.

The main advice would be in terms of upfront design — this is where a lot of people get it very wrong. Depending on the platforms you choose, there are restrictions and limitations on how many users. We've got various nodes, so how many nodes you can implement, etc. Also, latency considerations must be taken into account; especially if you're deploying it across geographically dispersed regions. The main advice would be to get the design right. Because given that directly interferes with the network, if you don't get your design right it could be disruptive to the network. Once you've got the proper design in place and that translates into a bit of material, the implementation, you can always figure it out. Getting it right, upfront, is the most important thing.

Overall, I would give ISE a rating of eight out of ten. I don't want to give it a 10 out of 10 because of all the design issues. There is definitely room for improvement, but overall out there in the market, I think it's one of the best products. It has a good ecosystem. It integrates well with Cisco devices, but it also integrates with third-party solutions if you have to do that. It's based on open standards, and we've seen the ecosystem grow over the years. So, they're doing a good job in terms of growing the ecosystem and making sure ISE can work with other products, but there's definitely room for improvement on the product design itself — on monitoring, on analytics. 

We mainly use it for endpoint security.

Cisco ISE has made our network more secure. 

It has saved the time of our security team. I can't say how much time it has saved because I'm on the network side, but I'd imagine it has saved quite a bit of time. It lets them sleep better at night.

It does a good job of securing our infrastructure from end to end so that we can detect and remediate threats, but I don't have a similar product to compare.

It hasn't helped to consolidate any tools. The customer is in the process of migrating from their current ACS to ISE. When they've done that, we'll consolidate that piece. This consolidation would provide a single pane of management versus multiple tools.

I'd imagine it has helped our organization improve its cybersecurity resilience, but the security team would know more about it.

The ability to allow or deny hosts onto the network is valuable. It provides great security to the network environment.

It could be more intuitive in terms of how to configure the policies.

I've been using Cisco ISE for four years.

It's very stable.

It's very scalable. We have deployed it globally.

Their support is good. I'd rate them a seven out of ten.

Neutral

We didn't use any other solution previously. We went for Cisco ISE because we're a Cisco shop. It helps to have one vendor for network management and security.

Cisco's Professional services did the installation. I wasn't involved in its installation, but they did a pretty good job.

I'd imagine we have seen an ROI, but I'm not involved in the pricing or purchasing. The security it provides gives peace of mind. That's a good return.

My advice would be to do an evaluation of the product and purchase it.

I'd rate Cisco ISE an eight out of ten.

It's mostly for authentication to our network for our end-users.

It's allowed us to create groups for different vendors and for employees in various groups in our company, without giving everyone access.

It has also given us a lot of extra security as the backbone of authentication for our VPN and wireless network.

The policy sets give us more granular groups for end-user access.

I've been using Cisco ISE (Identity Services Engine) for five years.

The stability is really great. We haven't had any issues with it. We've had it for a long time. We ran an old version for three or four years without any issues.

From what I have read, the scalability seems good. We haven't had to deal much with that. We have two nodes and about 2,000 sessions going at once.

Technical support is very good. They've always been there to answer any questions, and if they don't know the answer they make sure to find someone who can give me the answer.

Positive

Cyber security resilience has been at the top of our list since 2020 because we had so many people working from home and that increased as time went on. That opened our eyes.

I was involved when we upgraded at the beginning of this year. It was pretty straightforward, although we reached out for outsourced help.

We used a CDW consultant.

For us, the return on investment is that it gives us easy ways to divide up our end-users for authentication, especially for our VPN.

The pricing seems fair. The licensing can be confusing, but it is still pretty good.

I was asked a couple of years ago, when we were having issues with ISE, if there were alternatives, and I said I didn't want to switch because we're so embedded in this solution already.

Talk to someone outside of Cisco too, if you're thinking about ISE. That way, you can get all the information.

We wanted to outsource some of our work because I only have two years of admin experience and another of our network engineers has about a year. This way, if the system goes down, we have a quick way to get it back up.

I would tell leaders who want to add cyber security resiliency to make sure they include team members who are involved and not just make decisions on their own.

We use it for SDA infrastructure. We have a challenge in recognizing different kinds of devices and that's what we are using ISE for in the SDA fabric.

We can better recognize our endpoints and we know whether they are allowed to access our network. That's really important for us.

It has also eliminated some rogue devices from accessing our network.

The integration with Active Directory is the most valuable feature for us.

The admin interface is really slow. It's horrible.

I have been using Cisco ISE (Identity Services Engine) for five years.

It's really stable.

It's scalable, but we need to upgrade some of our hardware to support more users.

Our SDA fabric has about 1,500 users that we are authenticating. We have plans to use it throughout the City of Helsinki, which has about 38,000 personnel whom we will need to authenticate in the future.

I haven't used the tech support.

We also currently have Microsoft RADIUS, but we are planning to move away from it and use ISE as our only authentication solution.

Other than the slow admin interface, it's an excellent product.

My main uses are device administration, wireless access authentication, and ethernet access.

The most valuable feature is network access control for the users coming into the network, which allows us to know who is in the network at any given time.

The intuitiveness of the user interface could be improved. They could also make the deployment process more user-friendly.

I have two years of experience with this solution.

ISE is very stable - since it was installed, I've had no issues with it.

I've had no issues with scalability. I started using it on two campuses, and now I'm using it across the country and scaling it across subsidiaries in other countries.

I've worked closely with Cisco for many years and have no complaints about their support. Sometimes it takes less than a couple of minutes to get through to their support team.

I previously used Portnox, but it only gave us network access control, so we switched to ISE, which has more features like device administration.

Deployment is usually tough the first time, though once you get it working, it works well.

We used in-house engineers and an integrator.

We have a three-year license. Standard licensing gives backup access and very few features, and then there's VM licensing - each VM we use needs to be licensed. VM licensing comes in different sizes: small, medium, and extra-large. There are also licenses for features, posturing licenses, and profiling licenses.

Before deploying, it's a good idea to read up on the product first and then get some training so that when deployed, someone in the organization understands the solution. I would rate this solution as nine out of ten.

We use this solution for network security.

The most valuable features are the ability to retrieve information about Active Directory user names, viewing the log files to see which MAC address tried to connect with the created SSIDs, portal designing for your company, hotspot tools, and creating network rules for WiFi access.

The interface could be more user-friendly and the ability to apply rules to MAC addresses, for example, if I wanted to allow a certain MAC address access at a particular time I cannot make this adjustment.

In an upcoming release, they could improve by providing rule-based bandwidth consumption, bring your own device (BYOD) need to be more mature, and the reports could be more user-friendly.

I have been using this solution for approximately four years.

The solution is stable.

The controller has to manage a certain number of access points and we did not see any problems with the scalability. It is able to handle more access points than we need it for.

We do not have experience with The technical support from Cisco directly because the technical support we receive is from our partners which they have been excellent.

We have used 3Com wireless controllers previously.

We used Cisco partners to do the implementation of the solution.

Recently, I have evaluated Aruba solutions and I found them to be better than Cisco. There is room for improvement, Cisco can do better.

When deciding to implement this solution it is a good idea to assess and define the requirements to determine whether there is a need for this solution. It is important to know what you can use from it. You can have a WiFi environment without the need for a Cisco ISE. This solution has advanced security that might not be needed for your use case. Be sure about your needs.

I rate Cisco ISE (Identity Services Engine) a seven out of ten.

We use this solution to provide wireless for our residence halls and guest networks. We're also a college that works primarily off of iPads, so we have to be able to keep resident hall activity off of the network so that students can do their homework and class activities. We use the Services Engine to authorize all of them.

The biggest value of ISE is that it can get so granular with gaming systems, versus IoT and BYOD.

I'd like to see an easier way to upgrade to larger versions, as well as more best practices that are easier to locate on their support page.

I have had a very good impression of its stability.

We're actually upgrading right now from a small version to a medium-sized one. It's not as simple as I'd like it to be for scalability, but it's still working well.

We were very late adopters in the education arena of wireless. We didn't adopt until about five years ago. We had a great relationship with our partner and got to see this demo several times. It was really good.

The initial setup was complex.

The name of the company at the time was MSN but they've been recently purchased. The engineers did a really good job. I would have liked a greater share of knowledge at the time, but they did a great job in implementing a complex situation.

Cisco was the only one that we evaluated. There was also Aruba, but Cisco was really the top choice.

My advice to someone considering this solution would be to seek the most comprehensive solution for residence halls.

I would rate this solution as eight out of ten. I would like the flow of authentication and authorization metrics to be easier to see.

We primarily use the solution for network admission control.

Previously, what used to happen is that we use to have anyone - any user, a staff member or a non-staff member, consultant contractors, etc. able to connect to our line without authentication, which I think posed a security risk. We felt that whoever connected to our network should be authenticated. We should know the person. We should have visibility to see who was connecting to our network so that we can detect anomalies. Now, we have different profiles, of different users and staff and for contractors or others. So, depending on the profile, there's control on the access that you can get.

An area that could be improved is the agent. The challenge now is that agent and most of the computers have changed. They could think about agent-less deployment. Also, I've not explored MDM but if it should be integrated. 

In terms of scalability, I think it's scalable. Quite scalable and very intricate. Easy to use and provides good support. 

We've had many issues with technical support but from the local vendor, we do get a lot of support which is good. The fact that we also did some training helped. We normally don't have so much trouble when we rescale. We see that we can fix it and then if there are issues, with the vendors and their help, we can rescale it.

Initially, the setup is a bit complex but that depends on the vendor. Maybe because of the complexities around it. Sometimes I think it's about how the best project team really does it.

The person who was put in place to implement it couldn't. So we got another vendor who was good and was a lot more experienced. It's a very new feature so we're hopeful here in Uganda. My country only has about maybe 2 or 3 clients. Those are the ones I know about, our team being one of them.

The deployment strategy was faster than the pilot. We had to see how it works and then we had to, in a transparent manner, see how it works. Deployment took about six months. But the rollout is on-going because we keep opening branches all the time, so we just keep adding them into the solution. For deployment, we used the front liner support but for documentation, we had professional staff. For deployment and maintenance, we have a small team of maybe about five to ten. 

I would give the solution 5.5 out of 10.