What is our primary use case?
I use it for licensing and profiling. It's like a "traffic cop." It's an endpoint user migration tool. It's also a TACACS server. It depends on what I'm using it for at the moment.
For the applications it's authentication and then authorization into the network. It's the networks you're on and what AD gives you. Your profile is based in AD or an LDAP server. ISE talks to those two servers and says, "What groups do you belong to, and should you have access to those roles?" With ISE, if AD says you can have it, then go for it.
I use it in big campus environments, anywhere that needs authentication and authorization to work with AD. It's a great tool for that, if you want to profile your network and you want to secure your network inside. We're not talking about firewalls but about what the tool can do for you, what it's designed for.
How has it helped my organization?
It has improved internal security, in-to-out, out-to-in. Without ISE, you can't posture or profile your network. Authorizations, authentications. ISE is not the only product that can do it, but it's a great tool.
What is most valuable?
Among the most valuable features is TACACS. Also, the rules and logging, but TAC is just as easy. Cisco TAC is great.
What needs improvement?
The area where things could be improved is education. It's complicated to deploy initially because you have to know what you're getting into. That's true with any customer. I don't know them so I have to learn about them. I have to figure it out, but there are very limited windows to do that. If a customer's going to hire you, you are the professional. You should know this already. You should come in with a base knowledge of what you need to do and, after that, grow with the customer. More education is how it can be improved.
For how long have I used the solution?
I have been using Cisco ISE (Identity Services Engine) since 2016. I usually come into an environment after everything is there already. Customers bring me in to fix things that are broken.
What do I think about the stability of the solution?
The stability of the solution depends on how you scale it. If you have set it up properly, it will be great. If you put all your eggs in one basket, in one part of the network, and that goes down, then you have lost everything.
What do I think about the scalability of the solution?
It's scalable. It can grow with your network. You can create new nodes or move everything from local to the cloud. It's easy to spin up a VM, so you can put it on a VM real quick and be done within a couple of days. But you have to know what you're doing. You can't just do it with the assumption that you can copy and just redeploy it. ISE doesn't work like that. It has to be done properly.
How are customer service and support?
Cisco's TAC is excellent. Cisco always has great support.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I previously used the older versions of the hardware that were the original predecessors to ISE.
How was the initial setup?
The deployment model for ISE depends on the customer: where their data centers are, what they can afford, and what type of maintenance agreements they have with Cisco's support. Are they on a VM or a physical device? Deployment depends on what we are trying to do and the environment.
What other advice do I have?
In terms of establishing trust for every access request, trust is only as good as the rules and definitions you build. Without that, you need not only to trust the device, you need the trust of the customer too. That's important.
Trust is only eliminated when a customer wants the rules loosened. When the customer says, "This is too difficult, you're making it too hard," that is when exposure happens, things start collapsing, and there are breaches. You can't give the customer everything they want, because they don't know the consequences. You have to educate them. They need to know that the inconvenience of hitting "enter" to log in, and having it take three seconds or five seconds is because you'd rather have the machine and the network think before they let you on the network. A lot of times a customer will say, "If I'm hitting enter and it's not bringing me to where I need to be, then this is not a good solution." You have to educate them.
The solution is like an iPad that someone set up for you. If they didn't do a good job setting it up, you're going to rate the tool as bad. A lot of times, I come in and it's already done and I have to fix the problems. There are times that I do create it from scratch and it works really well.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner