Cisco Identity Services Engine (ISE) Reviews

I use the product for AAA authentication.

Before, we used to use Cisco ACS. After ACS retired, we started using Cisco Identity Services Engine. Right now, we are integrating Cisco Identity Services Engine with DNAC. Whatever we provision inside DNAC will send the information to Cisco Identity Services Engine, and the switch will be added. This process enables easy management.

The solution enables us to authenticate with AD. That way users can log in with one username to the product and access the router and switches.

The web UI should be made similar to the one in DNAC. The left pane must have the menu title followed by the submenu. Since I have moved to version 3.1, I have to go back to the old version to figure out my way. They haven't improved the left pane of the UI. The left pane is supposed to have the menu title in order.

I have been using the solution for at least seven to eight years.

So far, I have no issues with the solution’s stability. My primary and secondary systems are working fine. I have the least to worry about. It has run smoothly for seven years.

We are using the product in about 500 devices in our organization.

We have Platinum Support. When we call, everything gets through. I have no problems with support. However, if someone does not have Platinum Support, they will have to wait for probably an hour or two. I usually get a response in less than 30 minutes when I open a ticket because we pay for it. 

I am 98% happy with the support. Sometimes, I am unhappy when we have an incident and need quick support, but the support manager asks too many questions. I prefer fixing the problem in real time and then answering questions. Fixing the problem is more important than answering questions. When I talk to the engineer, they ask questions on how it has impacted our network. They must fix my problem first. I can answer all their questions later.

Positive

We have a contractor who implements the product for us. After that, they give it to me to manage. Upgrading from version 2.7 to 3.1 is easy. So far, it's good. The contractor's name is Deytek. I just provided the ACS server information from the previous server to the contractors. Then, we purchased the on-premises hardware, migrated it, and started using it. I didn’t have to do anything. It was easy for me.

The upgrade from version 2.7 to 3.1 was a little bit hard, and I had to prepare a lot to do it. We need to plan the process well. We cannot just decide to upgrade the tool without planning. We had to plan with the help of AS services, who guided us on the steps to do and the backup needed. They guided us to upgrade the secondary unit first and then the primary. I also had to talk to our corporate team in Boston. We had to inform our ISA Server team about the upgrade because once you upgrade, tools that are not authenticated might lose connection.

The solution helped me by making my job easier. I manage and deploy the solution. All the other users have to do is log in and look at what they need to do. The product makes it easy for me to manage and enables the end users to log into other systems.

The pricing is complicated. The solution uses Smart Licensing. I had to go through a lot of phone calls to convert my old license to the new one and make it work. It took me about three weeks to figure out my licensing model and why mine was different from the other teams. It's good because Cisco Identity Services Engine will automatically get our licenses from one location. It would be better this way.

The product provides an email notification if anything is detected. We set up ACL policies based on which the product would alert us through emails if anything major happens.

The solution helped me give access to many people who use Cisco products, either router switches or UCS, from other teams. Instead of creating every ACL on the tool, I only need to set up AD group permission and add their username for them to access the same policy.

I do not use the cybersecurity features of the tool much. We only use the solution for AAA authentication. I need to explore the other features we seldom use. We are upgrading to version 3.1. We recently signed a contract with Cisco Advanced Services. They might provide us with more information to use the tool in my company.

Since I joined my current organization, we have used Cisco for everything. We have deployed the tool primarily in one location, and the secondary one is 5000 miles away in another location. One tool is in California, and the other is in New York.

I implemented version 3.1 just two months ago. I need to learn more about it and enable more features on my network. I need to improve myself to learn more because version 3.1 has a lot of new features.

Overall, I rate the product a nine out of ten.

This solution ties into our Cisco Duo and Cisco AnyConnect connections to help us authenticate against the active directory and Cisco Duo multifactor authentication. It takes metrics about the connections that are connecting it and allows us to set up a rule against them. For instance, if a Windows device is not all the way up to date, we can put a message up that says, "Before you're able to connect, please do your Windows updates as they haven't been done in six months."

As this solution allows AnyConnect to authenticate with the active directory in the backend, the users won't directly use it. Still, it will be in use throughout the login process into Cisco AnyConnect as a source of authentication.

With this solution, we don't require anyone for maintenance.

The ability to integrate our Cisco AnyConnect connections to the active directory has been great. Also, as a source of authentication during the process of logging into Cisco AnyConnect has been very useful for us. 

It perfectly does everything we have been looking for it to do. I have not discovered any feature sets or items that are lacking. It's a much more functional product than the old Cisco ACS that it replaced. 

That being said, during deployment, they shipped us the Cisco ISE with the 3.1 operating system, which was incompatible with the license that we had purchased, which would only allow us to go up to version 2.9. Because of this, we actually had to do a factory reset and a reload to the operating system — to an older version of the operating system. This required a very extensive process. We had to take out the Cisco ISE and put it into a factory reset mode to get it to roll back to the old operating system. If we were doing an upgrade, this would have been very simple, but as we were doing a downgrade, it was extremely complex and very labor-intensive. I was crawling through the server room, through wires, to plug things in, to get it to connect in the way that it needed to be connected with an external device in order to actually get it to roll back.

I don't like that the licensing structure doesn't allow us to have the 3.1 operating system — it forces us to use version 2.9. If you don't want to pay a monthly or a yearly subscription fee, either that device should have come automatically with the 2.9 version operating system, or it should have been much easier to actually roll it back. Additionally, support should have realized that our license requires us to have the 2.9 operating system instead of the 3.1 operating system, which would have saved us a lot of time. 

It would be nice if it could be configured easily by default. If you're configuring a Cisco device, you pretty much need the support of a CCNA-level technician to be able to do it. It would be nice if there was a default or a more simple way to do it. It's not really a requirement to use the device because you can purchase the premium support or you could get a CCNA in-house to do it. Just having that ability to say, "Hey, we want to set this up" without too many complications or without having to bring in support would be nice. 

We've only been using this solution for the past three months. 

The scalability reports that we could easily handle a million users. 

I have been extensively involved with their technical support; their technical support is very good. They're more than willing to just jump on and do things for you. My only complaint is that at one point, we were trying to configure our single channel for Cisco Duo to be able to perform a password reset. Whenever we needed to look closely at another device, the support technician would say, "Hold on, let me bring in my expert on VPN; hold on, let me bring in my expert on Cisco ASA." We basically had to wait until we were able to get the Cisco Duo support agent, the Cisco ASA support agent, the Cisco VPN support agent, and the Cisco ISE support agent — all in the WebEx meeting at the same time.

As far as I'm to understand, there are CCNAs that should have been able to do it, but they brought in the experts from each item instead of just directly doing it themselves — this made the whole process take longer. Still, they were able to do everything in a way that did not affect our live environment, even though it was on the same device. That was actually very nice because it meant that we could do it in the middle of the day instead of having to do things in the middle of the night.

The initial setup was very simple. Everything was set up within an hour thanks to assistance from the onboarding teams from Duo and Cisco, and our network administrator. They got it set up and reviewed a bunch of options with us. It was a very easy and nice process.

Implementation was achieved with in-house resources and premium onboarding support. The entire process only took an hour.

We are running version 2.9 because version 2.9 of the ISE has a persistent license —it's a one-time payment. The latest version (3.1) is only available if you do a yearly subscription.

It's a licensed physical device; there is no subscription. If you want the latest operating system, then you'll need to get an annual license.

If you're planning on using this solution, my advice is to be sure you review the full feature set available and select what is important to your users. This way you'll be able to ensure that you'll have everything you want and need.

Overall, on a scale from one to ten, I would definitely give this solution a rating of nine. 

I am a Senior Technical Consultant. I have worked in professional services as a Cisco Gold partner for the last ten years. 

I have been offering Cisco ISE for the last three to four years. We do small deployments, upgrades, and those types of things.

We see a lot of customers wanting to use Cisco ISE primarily for 802.1X wired and wireless and also for posture device administration, and guest access.

A lot of our customers who come to us do not have any sort of NAC solution in place at all. They don't have a RADIUS, they might have a Soft MPS or something along those lines, but Cisco ISE is far superior. It gives them far more visibility and the policies are more configurable. The ability to do dynamic access lists, dynamic VLAN environments, and that type of thing, and it just gives them a different level of security altogether.

It's been just great at securing our infrastructure from end to end. With the operational launch and live logs, as soon as you spot anything, you can just do one click and you can stop that device from getting access to the network. So it's very responsive and quick in that sense.

Maybe some customers with ACS and MPS can consolidate the device admin into one platform.

The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile.

I don't really know how to improve it, I think it's a great product. If I compare Cisco with something like ClearPass, for example, ISE is a lot more intuitive in terms of all the workflows and the work centers. They give you all the building blocks you need to be able to configure it. It's quite useful and quite easy to manage. 

If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out. If I wanted anything to be easier, it would be this.

It's been around for many years now. Since version three, stability-wise, it's been pretty reliable. We know the versions to avoid. We know the stable versions.  Besides some upgrades and that type of thing, it's generally pretty solid.

A lot of customers that I see are small deployments, maybe a single node or a two-node cluster, but we know that the product does scale. We do have customers that scale beyond just the two nodes. It's proven to be a scalable product.

We see a lot of customers getting frustrated with Cisco TAC because they don't get the responsiveness that they believe they should be getting. But as a gold partner, we are able to leverage our influence, so when our customers come to us, we can escalate a lot of stuff for them. We use our influence. We're able to get stuff remediated fairly quickly. We find that they respond to us better than maybe to our customers.

I think Cisco is fairly straightforward in terms of device admin. 802.1X  is quite easy to deploy. As you then start to look at guest access, profiling, posture, and that type of thing, it does ramp up a little bit and we get a little bit more involved. Some stuff is straightforward and other is not as much. 

Generally, over the last few years, it's been mainly deployed on-prem, but we're now starting to see a shift. Users are really willing to move to cloud with Azure-type deployments. I'm doing some labs this week because we're seeing so many requests for cloud.

If I take the two that I really compared, it would be LogSoft MPS. Cisco ISE has a lot more features, you can do a lot more regarding the policies than you can currently with MPS.

I also have limited experience with ClearPass. ClearPass is a lot more difficult to configure and manage and is less intuitive. The visibility side of ISE is far superior as well. 

I'd give it a nine out of ten. There are some hurdles with upgrading and licensing in particular, which is why I wouldn't give it a ten.

Cisco ISE is our network access control solution. We use it to prevent unwanted devices from connecting to our physical network. We also use it for wireless access control on the corporate network, but not on our guest internet network. That difference is because we have Cisco Meraki on the guest wireless.

The solution is in twin private data centers and we did virtual servers, not physical appliances. They're on our VMware platform.

Our business is the lending half of banking only. There are no ATMs or customers coming in with deposits or credit cards. It's a commercial lending operation. We don't have a lot of foot traffic into our locations from our customers. Some might say we're a little overly worried about our physical network, because we're pretty physically secure already. However, we occasionally do customer appreciation events in our locations, at which point there could be 100 people waltzing in and out of any one of our buildings. That's when the regulators say, "That's why you need security." Ultimately, if you let your guard down in the world of security, you're going to get attacked. So, like it or not, we have to button it up.

Cisco ISE definitely helped us pass the audit requirements we had. We're a type of federally chartered organization and we have a special regulator in the federal space. The need for network access control was born out of audit and penetration test findings. ISE is auditable and we send logs up to our SIEM for analysis.

The solution has also improved our trust situation. It's one of the many pieces that we needed to be buttoned up tight.

It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go.

And when it comes to establishing trust for every access request, no matter where it comes from, it's effective. That's like a "pass/fail"  and it passes.

Our environment is a distributed network, across many locations. Cisco ISE runs in a pair of data centers for us: to each client, a primary and a secondary. The database keeps itself synchronized between the two data centers so if one data center is down, we can swing to the other for continuous service. It does its job.

A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it. There are so many updates and, often, you can't go to a particular update unless you've done all of the updates leading up to it, although I don't think that was our issue.

If they could improve the upgrade process, that would make me sleep a lot better. It's almost like we need to have it pre-qualified before applying an update because our whole world hangs off of it. It is a "center of the known universe" implementation for us.

It is also an incredibly "nerdy" tool, one that is not really well documented for your everyday network and security engineers. It takes a village of specialists to keep something like this running. Cisco is definitely making some improvements in the user interface. It's a little more understandable and approachable. Even for the nerdiest of nerds, having what I call a "kissable baby face" makes it more usable. Cisco knows this and, from version 3 and up, they've been trying to improve the usability and it's getting better. It could use some work.

Not everything is a smart Windows or Mac OS device. We have Windows 10-based user laptops, almost exclusively, and there are some printers and phones and the like that are capable of either a certificate or other 802.1X conversation with Cisco ISE. From an engineering perspective, we just went "way-simple." We do MAC address bypass or MAB tables, which is administratively challenging.

Finally, I believe we've stretched it beyond its capabilities in attempting to make it a multi-client solution, more like a service provider implementation. It's really not architected for that yet. I think that's on the roadmap. This is what I refer to as a monolithic implementation. It is capable of servicing multiple Active Directories and saying, "I recognize this address range equals client X, and this address range equals client Y," and it can interrogate the appropriate Active Directory. But the way that we've implemented that, honestly, is a hack job. It's fully supported, but it's just not multi-client architected. If I had one message for Cisco, it would be: Please make this thing multi-client, or at least more affordable to do separate implementations that somehow get closer together. That's ultimately what multi-client is.

All our various clients are collectively involved with one another. Each of the five owners owns an equal share of the company and all profit and loss flows to each of the owners equitably. It's not that we don't have procurement relationships with one another. However, our regulator continues to believe that separating things is better. That way, if one of you gets taken down, the others aren't affected. Anytime that you have a product that is a type of monolithic implementation, it potentially could affect all of us.

For about six and a half years I worked for a cooperatively-owned service bureau, which is where I got the Cisco ISE experience on the service provider side. Now I'm on the customer side or the business side of how these technologies affect our environment, and how hard or how easy they are to integrate.

We've had Cisco ISE in production for about four years now. It was a three-year ramp getting it into production.

It works like a champ until you try to upgrade it, and then it becomes risky and fragile. I don't know whether that is because of the complexity of the architecture. We have what I would call a twin database environment. Where we're trying to keep two copies, at a great distance from one another, synchronized. One misstep and there it goes.

It is certainly scalable enough in our environment. We have between 3,000 and 4,000 managed nodes, not counting all of the extra stuff including every type of IOT thing you can imagine: printers, cameras, sensors, a security system. It also doesn't include phones, and we have a phone on every desk, whether there's a user there or not. 

When you initially think you've only got, say, 3,000 or 3,500 users, how do you get 15,000 devices on your network? But that's the sad reality these days. Everything is on the network. Every employee typically has three devices on the network at any given time: a phone, a tablet, and a computer. The numbers ratchet up quickly. 

The good news is that it's definitely scalable in our environment to handle 25,000 devices spread across between 150 to 200 locations, some of which are very remote.

It is a special class of nerds who know how to work with Cisco ISE, and that's true even inside of Cisco. We have used some third parties, Cisco authorized resellers and solution certified specialists, to deal with this, but that's a last resort. Those are the really expensive people for this because there is such a small community of people who are qualified in this product.

Because it's such a specialized skill, they are not as available as I would like.

Neutral

We did not have a previous solution.

We were nearly a 100 percent Cisco shop at the time that we selected the product. We had a couple of failed implementations when trying to get it installed. That was likely because we didn't hire the right expertise to assist. Everybody understands the components of it, but when you put it all together, it is just very scientifically complicated.

In our case, ROI wasn't really a consideration in going with Cisco ISE. It was a regulatory requirement.

It is fairly expensive and that's part of why we have implemented it in the type of "hack" that we did, to service multiple clients. It would be nice if it were less expensive.

Plan your deployment very carefully. Make sure that you really understand the licensing environment. That was a big surprise, not to my team, but to the end customers who were responsible for the budget for it. Everybody thinks "server-centric," and in this particular case, all of those devices that are being protected ultimately have to have appropriate licensing on the system. There was a lot of, "Oh, I didn't realize I had to buy that part." It's not your everyday product and the pricing model wasn't something people were super familiar with to begin with.

We've evaluated some other products since implementing this one. This is not your everyday tool.

The one thing that some of Cisco's competitors have done in this particular space, is to take this stuff to the public cloud. As long as you can do that securely, it is helpful. Maybe that would help in our world. I would love to subscribe to this as a service. In other words, we'd prefer that products like this, products that are that complex, be somebody else's problem and just subscribe to the outcome of them. I'd love this solution to be running in Cisco's world where the real expertise is.

People groan when they realize that they're going to have to do troubleshooting on Cisco ISE; even the nerdiest of nerds. But any product in this space would engender the same reaction. Trying to figure out how I prove that you're allowed to be on my network is not everybody's happy place. We all just want to set it and forget it.

The usability and the upgradability over time, for a product that is in such a critical spot, should be better. I'd love to give it a ten because it was the easiest thing in the world to upgrade. It's just not there yet.

For Cisco ISE specifically, I manage the cybersecurity as well as the networking team. The networking team uses it to track statistics of users coming in and out of the network platform. We use it to track equipment, collect information on identity, and have the help desk leverage the telemetry to troubleshoot. It is part of our day-to-day operations.

This provided security for our sizeable law firm, which has offices across the entire country. Our lawyers like to be mobile. Around six or seven months ago, we started to roll out iPads and really adopted a mobile culture. One of the things that we wanted to do was to provide flexibility for lawyers to walk with a corporate laptop, or walk with their own personal laptop and still have the capabilities to log on and do what they want to do.

We also used it for the many meeting rooms we have. A lot of law firms have tons of meeting rooms, and we needed to secure some of those meeting rooms as well. The technology allowed us to roll 802.1X. We were able to secure ports in the meeting rooms and have a little bit more flexibility as to where users log in.

For example, a couple of years back, we wanted to secure all of the endpoints for the help desk and networking team and all of the backend team and ensure that, irrespective of where one goes with that laptop, when they log in, it'll automatically move them to a secure VLAN. With ISE, we were able to do that and monitor it.

One of the things that we found most valuable over the years is the ability for it to provide information to the help desk that allows them to troubleshoot issues. We still use a lot of that today and we're going over to DNA soon. We're adopting some of the DNA technologies now, however, ISE has been the mainstay for us for quite a few years now.

The solution is great for establishing trust for every access request no matter where it comes from. That was one of the biggest use cases for us, as one of the problems that we had was to secure a specific VLAN. If a help desk person had a laptop, and they plugged it into a network cable port somewhere, it would automatically put them on a secure network. If a lawyer uses their laptop, it would put them on a separate network. If a phone is plugged in, it will know it's a phone and put it on a phone network. ISE is the only way we have been able to do that. We've streamlined a lot of our provisioning and de-provisioning processes through Cisco ISE.

It has certainly made it easier to secure our devices. For example, we have offices across the entire country. We are a large law firm and have huge offices in Toronto, Ottawa, Montreal, Calgary, and Vancouver. We also have ISO 27001 and 27017 certified as well and I run that program. One of the big things for us is when auditors come for a visit. All of our locations have a conference floor, a whole floor that's dedicated to conference rooms.

There are tons of large conference rooms. When we get audited, conference floors are usually floors that auditors are allowed to go to, as they're publicly accessible floors. We'll get asked, "How do you secure the port?" When we go into the conference room, they can see the network ports." They will ask, "Well, how do you secure these ports? What if somebody came and plugged their machine in?" We then say, "We use Cisco ISE. Cisco ISE identifies that it doesn't belong to our corporate network. It does a check and then puts them right onto the internet, so we don't need to worry about strangers on our closed network.”

The interface is a little bit complex. It doesn't really have an executive dashboard. I'm the director of cybersecurity infrastructure operations for the entire firm, and I'm a very technical person, so I go in, and I can move around and try to figure everything out.

However, the interface is very complex, and there are tons and tons and tons of options. It's quite complex to get into and take a look at. As a result, most of the time, just my networking team would be in there. It's so complex that sometimes I will find something one week, and by next week I can't find it again.

It's too deeply layered. They have to redo the whole interface and have something that's executive based, and another one that's technically based. Even the help desk team and my security team use some of its components, however, they don't go anywhere often, as there are so many options in there. They have to make the interface a little bit more use user-friendly.

I've worked with Cisco for about ten years.

The stability is ten out of ten. We have not really had issues with it. We've had one or two small things, however, in the 12 years that I've been there, I've had very few issues with their platform.

It scales well. We have no concerns at all. When we decided to roll out 802.1X, we only had it on our endpoint, just laptops. Then we said, "Well, let's scale it out to the wireless access point." We went from 2,000 endpoints to 10,000, since people have mobiles. When we rolled it out to do posture checks on everything wireless, we had no issues.

Technical support is good. I have no issues. Cisco supports its products very well, so we've never really had concerns with that aspect. Also, I have a very, very technical team. My guys are CCIE certified, and they are geniuses in their own rights. They've been in Cisco for 20 years.

They know the product very well and they also work very closely with the Cisco support team. The Cisco support team has very good people. They train their people well, and we've never really had issues that the Cisco team can't resolve if my team can't resolve them. We're taking it for granted that we're getting good support.

Positive

We did not use a different solution. We're a Cisco shop, so we've always used Cisco. 

I was involved in the initial setup. I manage the networking team. While I don't necessarily push the commands in, I go through architecture sessions with my team, sign off on it and make sure that what it's doing is worth it, it's my budget. I have to get involved.

We've seen an ROI. They last a very long time. For example, we have Cisco Campus, which is the next 7000s that we put in 2012, and ten years later, they're still there. We just changed the supervisor modules. However, the chassis is still sitting there and is still working quite fine.

If I'm not mistaken, it's at end of sales already, however, its end of support is in 2024. That's what I like about their products. They support their product for a very, very long time.  They easily last for ten years. Even our access switches, which are 4900s, are just being switched out now. Those have been in since probably 2010.

We spend $1.5 million as we have two switches on every single floor. Those are the ones that we're changing out now, and they still work quite fine. Cisco just decided to change them. Their products are very solid and they don't break. We keep them for a very long time. Therefore, the return on investment is not bad. I know when I put it in that I don't need to look at it again for ten more years. I know it's going to be supported for that long. 

Cisco is expensive, however, we have a good partnership with our Cisco partner, and we get really good discounts on it. We have a very, very tight relationship with our Cisco representative. We're the largest law firm in Canada and therefore we get special treatment from the Cisco reps in Toronto.

We've had really good relationships with the team at Cisco Canada, and they all know my team, the architects, the solutions engineers, the salespeople, et cetera. They all know us very well. They come to our offices and we go to their offices. We have a very tight relationship.

When it comes to cost, we'll talk to them. They'll tell us when is the best time to buy, and we'll get good discounts. I've never really had to forgo a technology that was critical to the firm due to cost. I can always work with Cisco to find some way to reduce the cost.

We always focus on Cisco products. 

I'd rate the solution seven out of ten. 

It has a lot of rich data in it, however, it's hard to get stuff out of it. You really have to know the product very well and live there to know where to go and find what you are looking for. There's a lot of telemetry in there, however, it's very difficult to actually see how to leverage it.

I've even been telling my security team, "Guys, there's a component in Cisco ISE that you need to work on, and you need to log in more often." Then two years later, they'll ask, "Why don't you guys use it?" The security networking team will say, "Well, we gave them access." My security team will say, "It's too complex. We have no time to go in there. We don't know where to find anything." That's the only problem that they need to fix. They need to make it easier to navigate, it's too deep.

Cisco ISE is a good product. It tightly integrates with all of the networking components, but you can leverage it and get a lot of return and investment out of it. However, you need to make sure that when you're rolling it out and when you're initially putting the platform in, you will need to get your help desk team and security team involved.

Of course, the networking team is the one that's probably going to own it, however, there are so many components in there that can help. The help desk can troubleshoot issues and can provide visibility from the security standpoint, and the networking team owns it anyway. If you get them more involved, they'll be more in tune with using it more often.

There are a lot of help desk and security capabilities in there. Still, just the networking team rolled it out, nobody wants to look at it, as it's a networking piece of the platform, yet really it's not. You can get a lot from this platform. That's probably what I would tell people, just get everyone involved from the get-go, so that they can get more value from it in the long run. 

We use ISE for authentication, authorization, and access control. We use it to integrate and manage a lot of the access controls between our switches, routers, and pretty much all of our network infrastructure. We use ISE on-prem instead to manage all of our infrastructure.

One of the benefits of ISE for us in our organization is the fact that, because we're a very large entity with employees of over 10,000 people, we have over 2,000 pieces of equipment. So, rather than individual programming or managing everyone's credentials on each piece of equipment, using ISE to manage all of that and giving everybody just one Active Directory login simplifies that process for us.

ISE as a platform has been able to free up time, even for me personally, in terms of having to constantly remember credentials, passwords, and all these password complexities. Using ISE to integrate into all of our core infrastructure, frees up so much time for me to do other things. Even down to the configuration, when we are building config for the scripts as well as for our switches and routers, being able to eliminate a lot of those redundant credentials within the configuration itself is a massive time saver for us. In terms of time savings with using ISE itself, we see the savings every day because we have to constantly interact or interface with tons of network equipment. So every single time I have to log into a switch, I am literally realizing I'm saving time in that moment. It's always a constant; I'll say at least three to five minutes for every login.

ISE, we use it strictly for authentication and authorization. For consolidation, not so much, because it just serves one dedicated purpose, which is basically that access control.

In terms of cybersecurity, I would say ISE helps in a way, but we do have other platforms and tools that are specifically designed for that purpose because we try to choose tools that are very specific in their functions.

For us, because we are mostly a Cisco shop, all of our equipment is Cisco. So integrating Cisco ISE into our environment wasn't too complicated, because a lot of our equipment, again, are Cisco-related products. Thus, they were all able to integrate nicely within that ecosystem.

The authorization and accounts inside of ISE are very useful for us. In the sense that we can actually go back and track and look at all of the things that access controls or people have made changes in the past. And I think the biggest part of ISE for me is that authentication as well. The fact that we can connect it to Active Directory and use it to manage access control to all of our infrastructure devices.

As software, in general, ISE is actually a fantastic product. I just think that, overall, it's just the software control, the bugs, and the fixes. We do tend to run into a lot of issues with ISE when it comes to bugs. I would like to see a lot more testing prior to the rollout of some of these software updates.

I have been using Cisco ISE for over eight years.

When it comes to the stability of the product, for the most part, it is stable. But when it breaks, it breaks on a grand scale as well. And that's why, for us, most of the time, we don't always jump to the latest and the greatest when it comes to software updates because we wanna make sure that the software goes through our internal change control and make sure that a lot of bugs have been ironed out and straightened out before we update. But even then, we are still running into unforeseen bugs and unexpected situations. But I'd say, overall, it's relatively stable.

So when it comes to the scalability of ISE, we are a massive organization with offices ranging from two people to hospitals with over 10,000 people. We are able to rapidly deploy products. Sometimes, we have mobile sites that we just spin up—especially during COVID. For example, we had to deploy a lot of COVID assessment centers. We were also able to rapidly deploy a lot of these instances. Even when we had to integrate Meraki products for some of our smaller sites, scalability-wise, it's really flexible and very scalable. If an organization of our size can easily use it to adapt, I don't see any reason why it would be an issue for anybody to scale this product.

Cisco support is actually fantastic, especially in being able to use the tech support. At least, I personally use it all the time. Being able to actually just pick up the phone and quickly get in touch with a Cisco rep, because we definitely always run into some of those issues where it's unforeseen and we're not really sure what's going on. So, it's nice to be able to have that support on standby; it comes in handy a lot of the time and it actually saves us a lot as well in terms of time, money, and headaches when it comes to managing the network. Because we all know when the network goes down, everybody starts to look for you. Being able to have that rep to assist you right away and kinda solve that problem is something that everyone should have - that tech support.

When it comes to rating tech support, nothing is perfect. So, I'll say seven. But overall, that's because of the speed, the urgency, and now the ticket seriousness. So there's always room for improvement, but I think overall, I'll say we're getting a good bang for our buck.

Neutral

We have actually always been a Cisco shop right from the start, and ISE has always been our AAA authentication tool right from the start. As far as the evaluation and selection process goes, because we're a Cisco shop, it kinda just made sense to choose a product or a tool that neatly integrates with the rest of our products. We use a lot of Cisco products in terms of our wireless control, network management, and legal firewall. So, it was just a natural fit to choose Cisco ISE and use it as part of that existing ecosystem.

When it comes to deployment of the Cisco ISE, we actually did it in-house. However, we also have a Cisco rep that we work with directly within Cisco's organization, who actually works directly with our company. As a result, the Cisco rep and the on-premises internal IT team were able to deploy it.

In terms of return on investment, I would like to think that we've seen a significant return on investment with Cisco ISE. Just looking at it purely from my perspective, in terms of time-saving, if we consider this impact on a single person and then scale it over two to three thousand employees when you multiply that data on a day-to-day basis, the time-saving is tremendous. Moreover, in terms of solutions, having the ability to keep things integrated and manage them through a single pane of view adds to the benefits. I believe the return on investment goes beyond just the financial aspect. It extends to mental well-being, reduction in stress, and as employees. It's really great.

When it comes to licensing costs and Cisco's more than one pricing, I think that's one of the areas where I actually have one of the biggest problems. I just think that Cisco is trying to move towards squeezing more money out of us as customers. They're constantly trying to change many features that used to be part of the original bundle. Now, Cisco has actually transitioned to a lot of subscription models, fees, and licenses. As a result, the cost has gone up, and I foresee it continuing to rise, which is why I have a problem with it now.

Cisco ISE, on a scale of one to ten, I'll say it's about a six. I'm giving it that score because, first of all, the ease of deployment is one of the biggest things for us. Also, the ease of use. The reason why I'm not really giving it a ten is when it comes to the licensing model and all the subscription fees – that's the big issue for me with Cisco licenses. Additionally, when it breaks, it could potentially break big as well.

I'm a network analyst for one of the largest healthcare entities in Canada, and we have over twenty thousand employees.

We're just using it for authentication to our network switches.

We have more visibility and control with the tool. It has helped us improve our cybersecurity resilience.

The authentication piece was a big deal, especially because we're able to roll it out so quickly. Once we start using it to its full potential by using NAC, we can automate a lot of things that we're doing manually. MAC lockdown is one of the big things we have an issue with because I work on the classified network, so we're locking down every end device. It takes up a lot of time. That's one of the biggest things that we're rolling out. I'm not sure what other features we're going to use out of it, but I know that once we get started on it, we'll be a lot more involved with the things that we're going to roll out.

It's really easy in terms of the authentication piece. It's a big help. We've other parts of the network that are not using any authentication at all, which is scary. We've so many separate companies, and I'm hoping that we can start using this for those networks as well.

It has saved us time. We've control on our side, and we're able to add new devices as we deploy them for new buildings and things like that. We're able to give different types of access that our users need to have, which is nice. It has been huge, and then once we start deploying NAC or something like that, that's going to be a game changer for us because that'll free up a lot of time for us. It probably saves at least ten hours a week because especially right now, we're in the phase where we're getting so many new buildings. We're not only turning up new buildings; there are also all the users. So, for every single device, you have to do a MAC lockdown. Sometimes we get spreadsheets listing a ton of PCs that we've to lock down. That just takes forever, especially if you get it wrong or someone has fat fingers and things like that. It'll hopefully eliminate a lot of that too. We won't have the back and forth with other groups for that.

It has helped consolidate tools. We don't have to go outside our own group for the authentication piece. That control is a big deal. On top of that, once we start integrating NAC and other things, it's going to eliminate a lot of manual work.

Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key. 

Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out. It was a little more cumbersome than I thought.

I've been using Cisco ISE for about a year.

For the times that I have interacted with them, they've been pretty good, but I've heard of other stories. Overall, I'd rate them an eight out of ten.

Positive

We were using regular TACACS, RSA, etc. I can't remember what they were using on their side because it was more of the infrastructure team that was using this. We would just basically go to them and give them requests. Having control through Cisco ISE is much better.

The reasons for going for Cisco ISE were having that control and having a relationship with Cisco. All of our gears are Cisco. It just made it easier and more compatible. I know there are a lot of other tools that we can take advantage of such as NAC and things like that. We're hoping to do that in the future.

As far as I know, it was fairly easy. We didn't have a lot of problems with it. One of our other guys deployed it. I wasn't with him, but I didn't hear that there were a lot of problems with it, so it was fairly easy. The same guy had deployed it on the unclassified networks, so he had experience with it.

Overall, I'd rate Cisco ISE a seven out of ten.

We utilize Cisco ISE for authentication by employing the AnyConnect Posture model to address vulnerabilities on the workstations. Additionally, we make use of TACACS.

It is a mature solution and it grows with our needs.

Cisco ISE has helped consolidate DNA Center.

Cisco ISE helps our cybersecurity resilience by enforcing security over the workstations.

The most valuable feature is AnyConnect Posture because it scans all the programs on the workstation and checks if the antivirus is up to date, as well as the cryptographic keys on our SSD. It also enforces data loss prevention on our workstation, which is usually the main vulnerability for network entry.

Cisco ISE has numerous features that are impractical, and I won't utilize them since they require payment.

I have been using Cisco ISE for around four years.

We encountered a few bugs that were resolved using the SMUs. However, when the solution is built properly, there are no performance issues.

We can scale Cisco ISE up using VMs.

The technical support is excellent, and we rely on their services frequently.

Positive

We previously used Cisco ACS but transitioned to Cisco ISE because it reached its end-of-life status, and we needed to progress.

We have observed a return on investment from the tasks performed by Cisco ISE for our organization.

Cisco ISE is not inexpensive, but the solution is well-built and worth the expense.

We evaluated Aruba ClearPass but ultimately chose Cisco ISE due to budgetary constraints. We were able to secure a favorable discount with Cisco.

I would rate Cisco ISE a nine out of ten. Despite the fact that the solution offers numerous features, it is challenging to use.

We do not rely solely on Cisco ISE to secure our infrastructure from end to end. Instead, we utilize various tools such as McAfee, DLP, and Endpoint Security. Additionally, we have the Domain client to check for any breaches. On our Internet edges, we perform SSL offload to enhance the performance of security projects like WAF and IPS, as well as conduct full packet scans. Furthermore, we have NGFW and NG Networks in place.

Cisco ISE is an important component in protecting our environment because it enforces security against the main point of vulnerability, which is accessing workstations. Ransomware infiltrates a network through workstations. The policies implemented are based on the posture model, ensuring that we use the necessary products on our network to mitigate such risks.

I was not involved in the initial setup, but testing the implementation of a new feature is always challenging. We need to allocate time to test it with the security team and the network team. Additionally, we need to create a separate environment to gain a better understanding of how we can improve the performance of the solution within our network. 

For organizations that do not have the funds to purchase Cisco ISE, there are good open-source solutions available. These include TACACS servers, OpenLDAP, and FreeRADIUS. However, Cisco ISE is an excellent tool for enhancing all the existing tools within an organization.