Identity Services Engine for us has an incredible number of use cases, predominantly around identity and contact sharing within the enterprise or endpoint onboarding for authentication and authorization. Most recently, in the last few years, we've actually finally added device authentication and device management into that with the TACACS implementation. And now we have a comprehensive set of features to perform enterprise NAC, pure RADIUS authentication, and user authorization.
VP of Technical Architecture at Logicalis
Video Review
Offers rich contact sharing, many self-service features, and the ability to categorically list all the endpoints in the infrastructure
Pros and Cons
- "For us and our clients, the most valuable features of Identity Services Engine are really around the rich contact sharing that ISE gives you."
- "I think some areas where ISE could be better are perhaps in the number of integrations that they offer from a virtual standpoint, as well as having a better and more comprehensive pathway for the customer to go from a physical environment to a virtual one."
What is our primary use case?
How has it helped my organization?
Cisco Identity Services Engine has provided two incredibly beneficial outcomes for our clients. First and foremost, they've been able to limit and minimize the number of different discrete platforms they need to use to deliver things such as network admission control, device authorization, and posturing, as well as do device and policy enforcement at the endpoint level. The second one that really is undersung is the ability to comprehensively manage guests in BYOD wireless access. The ability for the enterprise pretty much out of the box to deploy an end-to-end solution to manage guest onboarding, user self-service, as well as bring your own device has been a real boon to network access.
Using ISE to detect and remediate threats is really the hinge pin for pretty much everything in the Cisco security infrastructure. Without identity and without context, you really can't do any enforcement. It's fine to be able to detect a threat with an IPS, with a threat appliance, with anomaly detection, but being able to use things like RADIUS chains of authorization to then blacklist a host or remove a host from a production relay is an incredibly important outcome, not the least of which because that's all automated in ISE. And that's an incredible benefit to IT teams who perhaps don't have a NOC, don't have a SOC that can run out, and respond to a threat immediately. Having those SOAR automation capabilities inherent to the system is a really powerful feature set.
I think it's inevitable when a customer is deploying or using ISE that they're going to find additional cycles that they can spend their time on. The rich automation and the quick startup out of the box, for instance: ISE has a really rich onboarding wizard. Pretty much out of the box, you can go through a series of steps, input your IP address, your domain names, etcetera. You don't have to do a lot of the upfront planning and design work that was required of previous systems that did network admission control, certainly more so than the old NAC. And so I believe that many customers will find they have extra cycles to go and use that IT talent to do more impactful projects than spending months and months and months deploying admission control.
Identity Services Engine has done a great advantage to our clients in the fact that Cisco has begun to move more capabilities into the platform over time. As they started out with the basic AAA capability, authentication, authorization, and accounting that was present in ACS and the older service architecture, they've now begun to move in device administration in the form of the TACACS server and other capabilities within ISE. When they previously introduced the pxGrid capability, you now have the ability to bring other enterprise platforms such as your IPS, your threat systems, and your DNS security platforms directly into ISE for performing all that automation. And so it absolutely has consolidated the number of platforms that you need to deploy to achieve that secure outcome.
The effect that the consolidation of all of these functionalities within Identity Services Engine has had on IT is that now you have a single platform to maintain. I think sometimes we overlook the fact that security platforms themselves have a lifecycle associated with them. We have to patch these systems. We have to maintain currency on the devices. And over time, those devices like anything else become a little long in the tooth and require refreshing. The flexibility to deploy Identity Services Engine in multiple persona types on hardware or in a virtual machine is a huge advantage to customers who want to consolidate the number of vendors and hardware platforms that they have to support and manage.
Identity Services Engine has helped a lot of our clients as well as Logicalis simplify the way that we approach compliance governance and risk consulting within our own enterprise, being able to have a single source context for when devices were on the network when they were last authenticated, and, of course, that rich user context that we get. We can now share contextual information from Identity Services Engine within an Azure environment, within an AWS environment with our own active directory, and that's an enormous advantage when you're not only threat hunting, but when you're trying to pass those checks and balances that are required for cybersecurity insurance or your own internal compliance auditing.
What is most valuable?
For us and our clients, the most valuable features of Identity Services Engine are really around the rich contact sharing that ISE gives you. The ability to categorically list all the endpoints in the infrastructure, understand where they are, how they made it onto the wire, whether that was through wireless or through a wired engagement. And all of the self-service features that allow you to manage guest access to wired and wireless infrastructure are an incredible number of use cases that our clients are constantly deploying now.
What needs improvement?
I think in any technology infrastructure, you're going to have environments where improvements could occur. I think some areas where ISE could be better are perhaps in the number of integrations that they offer from a virtual standpoint, as well as having a better and more comprehensive pathway for the customer to go from a physical environment to a virtual one. Many of our clients today are hybrid. They have a physical footprint in a data center somewhere, as well as a public cloud instance for things. Today there really isn't an elegant pathway for a client that wants to go 100 percent cloud, and that's an improvement I think that could be along the way.
Buyer's Guide
Cisco Identity Services Engine (ISE)
January 2025
Learn what your peers think about Cisco Identity Services Engine (ISE). Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Cisco ISE for close to ten years.
What do I think about the stability of the solution?
The stability of the Cisco Identity Services Engine has continued to improve over time as the product has matured. Anytime you're dealing with something like a database product that has millions or hundreds of thousands of endpoints and entries in it, inevitably you're going to have performance creep over time. Because of the scale of the Cisco purpose-built UCS appliances, the SNS appliances that predominantly run Identity Services Engine, we've seen an enormous advantage by staying up to date on the most current Cisco SNS appliances. We've also seen an enormous advantage by leveraging ISE in a hybrid capacity. So the ability to deploy PSNs on a hybrid cloud environment, on a public cloud environment, as either additional capacity or as a failover point for that on-premise install base is a really nice advantage to have.
What do I think about the scalability of the solution?
The beauty of Identity Services Engine is the fact that there's really no environment too small. If you have 500 to 1000, maybe up to 2000 endpoints, we're talking laptops, mobile devices, access point switches, etcetera. You're really not too small to deploy Identity Services Engine. The beauty of the multi-persona design of the Identity Services Engine is that you can leverage that capability to split off those PSN personas, which is actually the persona within the Identity Services Engine that processes all of that high rate of RADIUS authorization and authentication traffic. So the scalability of ISE is really well thought out. It was really well thought out from the get-go. You can also split off the admin personas and the monitoring and logging personas as well to give you that horizontal scale. I'm not sure today what the exact endpoint count that ISE scales to is, but it is certainly into the hundreds of thousands of endpoints.
How are customer service and support?
Cisco support for Identity Services Engine has been world-class. The guts of ISE are still a RADIUS server. They're still AAA-based functionality. So many folks that have been deploying and supporting the Cisco Secure ACS Server as well as the TACACS server and all of the things that have come along with that, continue to use the same skill set to support and deploy ISE. Really, the differences nowadays in terms of support are bringing about more comprehensive offerings to support the systems that surround ISE. Many things plug into ISE and provide much richer context, and really that's where the complexity tends to creep in. Our support from Cisco both as an end user and a partner has been beyond reproach, and we really appreciate Cisco's continued investment in the TAC, and in all the areas they bring to bear to help you receive that business outcome you're after.
Cisco support is always going to be ranked a strong nine with me, mainly because we know there's always room to improve things. We don't want to give a full passing score, but without a doubt, I don't know how anyone could consume and deploy business outcomes with Cisco technologies without leveraging support. And so Cisco leads the way and continues to invest in that area.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment experience with ISE in the early stages was, without a doubt, very daunting. There is a huge number of things that you need to understand about the existing infrastructure, about the existing customer environment to properly deploy that solution. As time has gone on, however, the designers and the developers of that software have begun to create wizards, have begun to create additional upfront deployment tactics within the tool itself so that essentially a journeyman network engineer or security architect can deploy the minimum level of functionality right out of the box.
What was our ROI?
It's difficult to say whether the clients have seen an immediate ROI with the deployment of the Identity Services Engine. Oftentimes, you have to take on additional technologies in the ISE product family in order to receive that comprehensive benefit. So I think only time will tell what the true ROI is. I can tell you that the value exchange that occurs between a partner and a client when we're talking about everything within the Cisco security portfolio being fully integrated together and working comprehensively has been an enormous advantage to customers who today have a complex act of multi-vendor products. Being able to consolidate on a platform-based solution is an incredibly powerful story to tell, and it's also incredibly powerful from a cost-benefit standpoint as well.
What's my experience with pricing, setup cost, and licensing?
In terms of the licensing and the pricing structure of the Cisco Identity Services Engine, there's been a huge advantage to our clients recently with the advent of the enterprise agreement. You now have an enterprise agreement choice, which now allows you to buy as few as two security products to unlock additional discounting and additional life cycle advantages when you consume that solution for security business outcomes. At Logicalis, we deliver a full life cycle approach to Identity Services Engine when embedded into a Cisco security enterprise agreement. We're able to deliver not only the onboarding and the design guidance that the customer needs to deliver that secure business outcome, but also provide the ancillary services to support all of the other infrastructure that often comes along with deploying a solution like ISE.
Which other solutions did I evaluate?
Identity Services Engine compares favorably with many of the other competitors' products that are in that space. I won't mention them now, but I think we know that all of the same industry competitors have been delivering identity solutions and NAC solutions over the last decade or so. Cisco continues to rank in the upper and farther to the right in Gartner Magic Quadrant for those identity solutions, and I think they'll continue on that trajectory. Cisco has long been the number one network vendor in the world, and I think you'll continue to see that growth as the network continues to be important to business.
What other advice do I have?
I rate Cisco Identity Services Engine a ten, on a scale of one to ten. It's a necessary solution to deploy in order to achieve many of the business outcomes such as some of the smart business architectures, certainly anything within the automated campus designs that are out there with DNA Center. It's just an incredibly powerful tool to manage both identity and endpoints within the infrastructure, and it really does become the hub of a hub and spoke comprehensive security architecture.
When Identity Services Engine became the de facto migration path from ACS Access Control Server, we were very early adopting and getting that product into our labs and in the hands of our customers for proofs of concept, proofs of value, and enterprise pilots.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Network Engineer at a manufacturing company with 10,001+ employees
Video Review
Improved our security resilience and helped to consolidate different applications
Pros and Cons
- "My team has gained a lot from Cisco ISE as it does also provide automation, which is a big asset in the eighth hour. After setting it up, it took a lot of the weight off in many ways. We have a co-worker, who we call the ISE Master because he's in charge of the ISE configurations. He's able to save a lot of time by being able to monitor everything from there. So it did take off a lot of time that we would waste by going individually to that different device and trying to figure out what was wrong."
- "The one main thing that it can improve on is the GUI. As the newest addition to the team, I struggle a little bit to get around it just because it has so many features."
What is our primary use case?
I am a Cyber System Engineer, specifically working on the network team.
We use Cisco ISE mainly for authentication, accounting, authorization, and monitoring different devices that we have on many different sites within our company.
How has it helped my organization?
The improvements that impacted our organization, specifically, my team who is in charge of the network of our program, are the different amounts of access and the different amount of features that it provides. Authorization, authentication, and accounting are the main three simple basics of cybersecurity. The ability to give access to specific users and what each one can do while being able to monitor them very well and even apply more secure protocols through them using TACACS is beneficial.
My team has gained a lot from Cisco ISE as it does also provide automation, which is a big asset in the eighth hour. After setting it up, it took a lot of the weight off in many ways. We have a co-worker, who we call the ISE Master because he's in charge of the ISE configurations. He's able to save a lot of time by being able to monitor everything from there. So it did take off a lot of time that we would waste by going individually to that different device and trying to figure out what was wrong.
It definitely improved the security resilience in our company as it did provide more secure options for us, you know, securing accounts, securing devices, allowing specific actions for the specific user, you know. Everything was in one place, which is an amazing thing.
This client has helped a lot with replacing different applications that we would use. We do use it hand in hand with other applications like SolarWinds and it did replace the main power itself. We get help desk tickets and try to figure out the problem with specific devices. So it did replace all of that and we can just control it from one place. It's a one-stop-shop kind of thing.
What is most valuable?
The features that we really appreciate are the monitoring features and also being able to administer the different devices that we have. We have a broad amount of devices with Cisco and we would need to be able to monitor them as well as be able to give specific access to each one of them. The fact that, with something as simple as somebody getting locked out of their laptop, I can go to Cisco ISE and easily see exactly what happened, when it happened, and see if it was a bad or wrong password is really amazing.
What needs improvement?
The one main thing that it can improve on is the GUI. As the newest addition to the team, I struggle a little bit to get around it just because it has so many features. This is an amazing thing but the downside of it is that it's not as friendly to figure out which feature does what and how to get to it.
You have to go through a lot of menus to figure out what you need. Although it's fantastic, it's full of different options that are endless, it does get a bit hectic for new users to get comfortable with it. It's taking me a while to figure out all the features and options.
For how long have I used the solution?
I have personally been using it for about a year. However, my team has been using it for over five years now.
What do I think about the stability of the solution?
My impression of the stability of Cisco ISE is that we don't have an issue with it, it's pretty stable. Even when things went down system-wise, Cisco was able to help us figure out what was wrong. So from my experience, which is limited because I only have one year of experience with ISE, is that it's been pretty stable.
What do I think about the scalability of the solution?
Scalability is amazing. We have about 1,000 nodes and we're growing every site, so it is an ongoing project. Our project keeps expanding and it doesn't end at a specific point. It covers everything that we are working with, all the devices because we have computers, switches, routers, and so on and so forth and everything is fantastic.
How are customer service and support?
We all love the fact that there are a lot of forums so if you don't want to talk to somebody about it every time there is a problem, just pull the model. With Cisco, you pull the model, put your question in, and there's a huge community that you can see, there are also the hassles that they had to go through and benefit from their answers. It's fantastic because you can go with the support or you can go through the forums. It's fantastic, to be honest.
I would definitely rate them an eight out of ten. I think they are fantastic. We wouldn't be using them that much, especially in a defense company if we didn't think it was up to par security-wise. They're fantastic feature-wise. However, there is always room for improvement hardware-wise, device-wise, or software-wise.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We chose it because we have a lot of Cisco products in our company. Ninety percent of our base uses Cisco. Cisco ISE was one of the options that we had. After studying it with some managers and some other teams, it did provide a lot of options that the others didn't.
I personally didn't evaluate other products but I dabbled through other software, other interfaces, and GUIs of other products. Cisco does provide a lot more options. You can admin the administration part of Cisco ISE, there are endless options of how you can customize it to your own needs. A lot of the other competitors tend to lose it in the fact that the interface is a lot more complicated or it doesn't provide as many features.
In our field, we need the most secure option. That's something that would work with TACACS, which is something that we all use now. That was one of the main factors.
How was the initial setup?
In terms of the difficulty level of implementation, it was great. At the same time, it was a little bit time-consuming because you need to switch from whatever model that you had with all of your nodes, which in our case was a lot. We utilize at least 1,000 nodes.
It's very easy for you once you know how to create a new node on ISE. It's very easy to understand how to do it and click on that process but when you're moving a whole entire system into that, it tends to be a little bit hectic.
We deployed it ourselves with my team. However, we did consult a reseller a couple of times as well as customer support any time we ran into issues.
What was our ROI?
The company does see a return on investment. We definitely use it a lot more than we thought it would be used. It can be used for something as simple as a wrong password, which is something that everyone does in the office, especially right after updating it, all the way to something as complicated as if a site has a specific switch or router that depends on it, and it's down, and there's some sort of phishy activity happening. So it is definitely an investment that we all like and appreciate. We do feel that we're getting back what we paid for.
What other advice do I have?
I would definitely rate it as a nine out of ten. The only major problem for me is the GUI but I can't really complain that much because it does have all the functions that we need and even more.
It would be fantastic if it was more user-friendly and there was more explanation.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Infrastructure Specialist at Central-Bank-Kenya
Good posturing, good integration, and excellent technical support
Pros and Cons
- "At the moment, ISE seems to integrate very well with a number of other technologies."
- "This product doesn't work in isolation."
What is our primary use case?
Mainly the use case of the solution is for ensuring that the corporate staff gets access to their authorized systems.
Another use case is for contractors to get access to the authorized systems. Those are the ones that hope to assist in the maintenance or for authorized admissions to the network.
We do also use it for remote access, for example, VPNs, and also for wired and wireless access to the network.
What is most valuable?
The posturing is the solution's most important aspect. When a user connects his or her machine to the network, the first is for ISE to check whether that machine is authorized, check that that machine is compliant with respect to antiviruses, whether it complies with respect to Windows updates, et cetera. If not, a feature is on auto-remediation, so that the proper antivirus and Windows updates can be pushed to the machine.
At the moment, ISE seems to integrate very well with a number of other technologies. It integrates well with Microsoft and integrates well with other wireless systems.
What needs improvement?
In terms of the improvements I need, they've already, according to my research, done those improvements with their new versions. The features have already improved on their newer version, and that's why we need to update to that new version.
What is required is that Cisco needs to be doing health checks and following up with the customer to ensure that their Cisco partners have done the deployment right. That's something that has really helped us.
Whenever a partner comes and does any deployment, we would, later on, engage Cisco for a health check, so that Cisco could assist with their products. They would check whether it has been deployed following the best practices - or they would just alert us on which features that we have paid for and we are not taking advantage of that.
Cisco needs to continue with that health check. That engagement with their customers to reconfirm everything is like a quality assurance that the Cisco partners have given the right stuff to their customers.
This product doesn't work in isolation. For example, when we talk of posturing the Microsoft updates, the system that does automatic updates for Microsoft needs to work in an ideal fashion. The antivirus needs to work. Of course, the antivirus is not Cisco. Those products need to work as they should so that integration of the ISE product will work as well. When all factors are held constant, Cisco works well.
For how long have I used the solution?
We have been using the solution for six years now.
What do I think about the stability of the solution?
We have been using it, especially during alternative working arrangements (due to COVID-19). Using it, it's been stable. We have not had any issues. The only reason we are looking to upgrade is we didn't know the benefits that the newer version offered. When we checked with Cisco, they advised us that we were missing a few items that were actually gaps caused by the partner's setup, which we realized we missed during the health check.
We haven't had bugs or glitches. It doesn't crash or freeze. It's good.
What do I think about the scalability of the solution?
Everyone in our company is using Cisco. In terms of users, we have about 1,500, however, in terms of endpoints we have, that would be closer to about 3,000 to 4,000 endpoints, including wireless gadgets, switches, laptops, phones, and all that. We use it on a daily basis.
Scalability probably might be an issue. Before we bought ISE, we did sizing for each. We looked at the number of users in the organization, 1,500, and then we used a factor to look at the uppermost band. We decided we would have to go for 4,000 licenses or 4,500 licenses. We multiplied by three. Based on that, we went for a certain hardware model.
This time, the hardware model we are going for supports up to or has the capability to support up to 10,000 users or endpoints. When we go for that, we will have used even less than 50% of what their hardware is capable of. Above 10,000, there's another hardware model that we're generally expected to go for.
Basically, when you get the right model, when you do the right scaling, it will be very scalable. However, from the onset, you need to write hardware for USI.
The solution is more meant for enterprise-level organizations. It's not really for small companies, however, that has more to do with the pricing.
How are customer service and technical support?
We've dealt with technical support in the past. Their support is excellent, except for Umbrella. There is a technology called Cisco Umbrella, and they're a bit slow, however, the technical support in general, depending on the severity of the issue, is very prompt. I would say we are quite satisfied with their level of service.
Which solution did I use previously and why did I switch?
I've only ever used Cisco. I used to use NAC, however, they changed to ISE. I've never used any other product.
How was the initial setup?
We had a partner set up the solution, and we're not sure if they set it up correctly. The partners come straight to us, and do the deployment. Cisco only is there to be the third eye to come and check that the deployment has been done okay.
You have to make sure that other items connected to ISE are correctly implemented and updated as well (such as the antivirus), otherwise, it won't work as you need it to. There's a lot of configuration that needs to be done at the outset.
I'm not sure how long the deployment takes, as I wasn't at the company when it was set up. However, it's my understanding that it shouldn't take too long so long as everything surrounding it is correctly aligned.
Any maintenance that needs to be done is handled by a third party. That includes patching, et cetera. We have an SLA with a Cisco recognized partner.
What about the implementation team?
We worked with a partner that assisted with the setup.
Afterward, Cisco will also come in to do a "health check" to make sure the setup is correct and they can direct users to features they should use or are not using.
What's my experience with pricing, setup cost, and licensing?
Cisco does not sell directly. They have authorized partners you need to buy through.
I don't deal directly with the licensing and therefore do not have any idea what the pricing of the product is. It's not part of my responsibilities.
It is my understanding, however, that it would be expensive for smaller organizations. Startups may not be able to afford these products.
We don't really worry about pricing, as cheap might be expensive in the long run if you don't get a product that is right for your organization, or is more likely to break down over time.
Which other solutions did I evaluate?
We are in the process of doing a refresh and I have compared other technologies to see how they stack up. I've looked at Fortinet, for example.
I wouldn't say we are switching from Cisco. What we are doing is we were exploring other technologies that offer similar functions. Sometimes it's good to look outside as you might think you have the best and yet you don't. We are just looking for other solutions to get to know what they offer. If we feel that there is something unique that is on offer somewhere else, then we would want to check that in Cisco and see, where is this offered in Cisco's product?
We haven't concluded that we are switching. In any case, from what I have seen so far, it is likely we won't switch.
What other advice do I have?
We're just a customer. We buy their products for our security and our connectivity.
We're not using the latest version. We're actually using a few versions. We have ISE, which is version 2.3. We're supposed to upgrade to version 2.7, and that requires a refresh of the hardware.
That's why we are saying, "Should we try to look for a different solution?" That's why I have been looking for comparisons. We haven't dedicated a lot of time to that yet. From my assessments so far, however, ISE still wins the show and it's likely that the partner that was doing the deployment originally on behalf of Cisco probably missed out on a number of things. It's really about the engineers who are doing the deployment. You need to make sure you have some good ones.
I would recommend this solution to others, especially mature organizations as the smaller organizations may not be able to afford this.
On a scale from one to ten, I would rate the product at an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Security manager at an energy/utilities company with 201-500 employees
An authentication solution we can trust
Pros and Cons
- "The ability to integrate our Cisco AnyConnect connections to the Active Directory has been great."
- "It would be nice if it could be configured easily by default."
What is our primary use case?
This solution ties into our Cisco Duo and Cisco AnyConnect connections to help us authenticate against the Active Directory and Cisco Duo multifactor authentication. It takes metrics about the connections that are connecting it and allows us to set up a rule against them. For instance, if a Windows device is not all the way up to date, we can put a message up that says, "Before you're able to connect, please do your Windows updates as they haven't been done in six months."
As this solution allows AnyConnect to authenticate with the Active Directory in the backend, the users won't directly use it. Still, it will be in use throughout the login process into Cisco AnyConnect as a source of authentication.
With this solution, we don't require anyone for maintenance.
What is most valuable?
The ability to integrate our Cisco AnyConnect connections to the Active Directory has been great. Also, it has been very useful for us as a source of authentication during the process of logging into Cisco AnyConnect.
What needs improvement?
It perfectly does everything we have been looking for it to do. I have not discovered any feature sets or items that are lacking. It's a much more functional product than the old Cisco ACS that it replaced.
That being said, during deployment, they shipped us the Cisco ISE with the 3.1 operating system, which was incompatible with the license that we had purchased, which would only allow us to go up to version 2.9. Because of this, we actually had to do a factory reset and a reload to the operating system — to an older version of the operating system. This required a very extensive process. We had to take out the Cisco ISE and put it into a factory reset mode to get it to roll back to the old operating system. If we were doing an upgrade, this would have been very simple, but as we were doing a downgrade, it was extremely complex and very labor-intensive. I was crawling through the server room, through wires, to plug things in, to get it to connect in the way that it needed to be connected with an external device in order to actually get it to roll back.
I don't like that the licensing structure doesn't allow us to have the 3.1 operating system — it forces us to use version 2.9. If you don't want to pay a monthly or a yearly subscription fee, either that device should have come automatically with the 2.9 version operating system, or it should have been much easier to actually roll it back. Additionally, support should have realized that our license requires us to have the 2.9 operating system instead of the 3.1 operating system, which would have saved us a lot of time.
It would be nice if it could be configured easily by default. If you're configuring a Cisco device, you pretty much need the support of a CCNA-level technician to be able to do it. It would be nice if there was a default or a more simple way to do it. It's not really a requirement to use the device because you can purchase the premium support or you could get a CCNA in-house to do it. Just having that ability to say, "Hey, we want to set this up" without too many complications or without having to bring in support would be nice.
For how long have I used the solution?
We've only been using this solution for the past three months.
What do I think about the scalability of the solution?
The scalability reports that we could easily handle a million users.
How are customer service and technical support?
I have been extensively involved with their technical support; their technical support is very good. They're more than willing to just jump on and do things for you. My only complaint is that at one point, we were trying to configure our single channel for Cisco Duo to be able to perform a password reset. Whenever we needed to look closely at another device, the support technician would say, "Hold on, let me bring in my expert on VPN; hold on, let me bring in my expert on Cisco ASA." We basically had to wait until we were able to get the Cisco Duo support agent, the Cisco ASA support agent, the Cisco VPN support agent, and the Cisco ISE support agent — all in the WebEx meeting at the same time.
As far as I understand, there are CCNAs that should have been able to do it, but they brought in the experts from each item instead of just directly doing it themselves — this made the whole process take longer. Still, they were able to do everything in a way that did not affect our live environment, even though it was on the same device. That was actually very nice because it meant that we could do it in the middle of the day instead of having to do things in the middle of the night.
How was the initial setup?
The initial setup was very simple. Everything was set up within an hour thanks to assistance from the onboarding teams from Duo and Cisco, and our network administrator. They got it set up and reviewed a bunch of options with us. It was a very easy and nice process.
What about the implementation team?
Implementation was achieved with in-house resources and premium onboarding support. The entire process only took an hour.
What's my experience with pricing, setup cost, and licensing?
We are running version 2.9 because version 2.9 of the ISE has a persistent license — it's a one-time payment. The latest version (3.1) is only available if you do a yearly subscription.
It's a licensed physical device; there is no subscription. If you want the latest operating system, then you'll need to get an annual license.
What other advice do I have?
If you're planning on using this solution, my advice is to be sure you review the full feature set available and select what is important to your users. This way you'll be able to ensure that you'll have everything you want and need.
Overall, on a scale from one to ten, I would definitely give this solution a rating of nine.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Analyst at a healthcare company with 10,001+ employees
Video Review
We can view and control access, but there are a lot of bugs
Pros and Cons
- "The authorization and accounts inside of ISE are very useful for us."
- "We do tend to run into a lot of issues with ISE when it comes to bugs."
What is our primary use case?
We use ISE for authentication, authorization, and access control. We use it to integrate and manage a lot of the access controls between our switches, routers, and pretty much all of our network infrastructure. We use ISE on-prem instead to manage all of our infrastructure.
How has it helped my organization?
One of the benefits of ISE for us in our organization is the fact that, because we're a very large entity with employees of over 10,000 people, we have over 2,000 pieces of equipment. So, rather than individual programming or managing everyone's credentials on each piece of equipment, using ISE to manage all of that and giving everybody just one Active Directory login simplifies that process for us.
ISE as a platform has been able to free up time, even for me personally, in terms of having to constantly remember credentials, passwords, and all these password complexities. Using ISE to integrate into all of our core infrastructure, frees up so much time for me to do other things. Even down to the configuration, when we are building config for the scripts as well as for our switches and routers, being able to eliminate a lot of those redundant credentials within the configuration itself is a massive time saver for us. In terms of time savings with using ISE itself, we see the savings every day because we have to constantly interact or interface with tons of network equipment. So every single time I have to log into a switch, I am literally realizing I'm saving time in that moment. It's always a constant; I'll say at least three to five minutes for every login.
ISE, we use it strictly for authentication and authorization. For consolidation, not so much, because it just serves one dedicated purpose, which is basically that access control.
In terms of cybersecurity, I would say ISE helps in a way, but we do have other platforms and tools that are specifically designed for that purpose because we try to choose tools that are very specific in their functions.
For us, because we are mostly a Cisco shop, all of our equipment is Cisco. So integrating Cisco ISE into our environment wasn't too complicated, because a lot of our equipment, again, are Cisco-related products. Thus, they were all able to integrate nicely within that ecosystem.
What is most valuable?
The authorization and accounts inside of ISE are very useful for us. In the sense that we can actually go back and track and look at all of the things that access controls or people have made changes in the past. And I think the biggest part of ISE for me is that authentication as well. The fact that we can connect it to Active Directory and use it to manage access control to all of our infrastructure devices.
What needs improvement?
As software, in general, ISE is actually a fantastic product. I just think that, overall, it's just the software control, the bugs, and the fixes. We do tend to run into a lot of issues with ISE when it comes to bugs. I would like to see a lot more testing prior to the rollout of some of these software updates.
For how long have I used the solution?
I have been using Cisco ISE for over eight years.
What do I think about the stability of the solution?
When it comes to the stability of the product, for the most part, it is stable. But when it breaks, it breaks on a grand scale as well. And that's why, for us, most of the time, we don't always jump to the latest and the greatest when it comes to software updates because we wanna make sure that the software goes through our internal change control and make sure that a lot of bugs have been ironed out and straightened out before we update. But even then, we are still running into unforeseen bugs and unexpected situations. But I'd say, overall, it's relatively stable.
What do I think about the scalability of the solution?
So when it comes to the scalability of ISE, we are a massive organization with offices ranging from two people to hospitals with over 10,000 people. We are able to rapidly deploy products. Sometimes, we have mobile sites that we just spin up—especially during COVID. For example, we had to deploy a lot of COVID assessment centers. We were also able to rapidly deploy a lot of these instances. Even when we had to integrate Meraki products for some of our smaller sites, scalability-wise, it's really flexible and very scalable. If an organization of our size can easily use it to adapt, I don't see any reason why it would be an issue for anybody to scale this product.
How are customer service and support?
Cisco support is actually fantastic, especially in being able to use the tech support. At least, I personally use it all the time. Being able to actually just pick up the phone and quickly get in touch with a Cisco rep, because we definitely always run into some of those issues where it's unforeseen and we're not really sure what's going on. So, it's nice to be able to have that support on standby; it comes in handy a lot of the time and it actually saves us a lot as well in terms of time, money, and headaches when it comes to managing the network. Because we all know when the network goes down, everybody starts to look for you. Being able to have that rep to assist you right away and kinda solve that problem is something that everyone should have - that tech support.
When it comes to rating tech support, nothing is perfect. So, I'll say seven. But overall, that's because of the speed, the urgency, and now the ticket seriousness. So there's always room for improvement, but I think overall, I'll say we're getting a good bang for our buck.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We have actually always been a Cisco shop right from the start, and ISE has always been our AAA authentication tool right from the start. As far as the evaluation and selection process goes, because we're a Cisco shop, it kinda just made sense to choose a product or a tool that neatly integrates with the rest of our products. We use a lot of Cisco products in terms of our wireless control, network management, and legal firewall. So, it was just a natural fit to choose Cisco ISE and use it as part of that existing ecosystem.
How was the initial setup?
When it comes to deployment of the Cisco ISE, we actually did it in-house. However, we also have a Cisco rep that we work with directly within Cisco's organization, who actually works directly with our company. As a result, the Cisco rep and the on-premises internal IT team were able to deploy it.
What was our ROI?
In terms of return on investment, I would like to think that we've seen a significant return on investment with Cisco ISE. Just looking at it purely from my perspective, in terms of time-saving, if we consider this impact on a single person and then scale it over two to three thousand employees when you multiply that data on a day-to-day basis, the time-saving is tremendous. Moreover, in terms of solutions, having the ability to keep things integrated and manage them through a single pane of view adds to the benefits. I believe the return on investment goes beyond just the financial aspect. It extends to mental well-being, reduction in stress, and as employees. It's really great.
What's my experience with pricing, setup cost, and licensing?
When it comes to licensing costs and Cisco's more than one pricing, I think that's one of the areas where I actually have one of the biggest problems. I just think that Cisco is trying to move towards squeezing more money out of us as customers. They're constantly trying to change many features that used to be part of the original bundle. Now, Cisco has actually transitioned to a lot of subscription models, fees, and licenses. As a result, the cost has gone up, and I foresee it continuing to rise, which is why I have a problem with it now.
What other advice do I have?
Cisco ISE, on a scale of one to ten, I'll say it's about a six. I'm giving it that score because, first of all, the ease of deployment is one of the biggest things for us. Also, the ease of use. The reason why I'm not really giving it a ten is when it comes to the licensing model and all the subscription fees – that's the big issue for me with Cisco licenses. Additionally, when it breaks, it could potentially break big as well.
I'm a network analyst for one of the largest healthcare entities in Canada, and we have over twenty thousand employees.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Analyst at a mining and metals company with 10,001+ employees
Helps enhance our cybersecurity, performs well, and helps consolidate our tools
Pros and Cons
- "Assisting a larger number of users in gaining access and guiding them through the process of getting on Cisco ISE has been seamless."
- "It would be helpful for us to know what needs to be deployed, configured, and what changes we need to make to our devices when we don't receive the specific login which is an indication of a lack of connection or incorrect configuration."
What is our primary use case?
I utilize Cisco ISE to access the switches on our network for monitoring configurations.
How has it helped my organization?
Using Cisco ISE, we are able to control access to our networks, ensuring that only authorized individuals have access to appropriate devices. Additionally, we can restrict access to devices that should be off-limits to them.
Cisco ISE helps free up 50 percent of our IT staff's time, allowing them to work on other projects. It provides quick access when available, but delays occur when we have to wait for access to be granted.
Cisco ISE helps consolidate our tools, eliminating the need to worry about multiple passwords for the various devices in our environments by using a single password key.
The consolidation of tools makes it easy for me to access and complete my work. It also facilitates finding a solution for any problem I may encounter with the switch.
Cisco ISE has enhanced our organization's cybersecurity resilience by providing us with control over device access.
What needs improvement?
It would be helpful for us to know what needs to be deployed, configured, and what changes we need to make to our devices when we don't receive the specific login which is an indication of a lack of connection or incorrect configuration.
For how long have I used the solution?
I have been using Cisco ISE for one and a half years.
What do I think about the stability of the solution?
Cisco ISE has consistently performed as expected, and we have not experienced any stability issues.
What do I think about the scalability of the solution?
Assisting a larger number of users in gaining access and guiding them through the process of getting on Cisco ISE has been seamless.
How are customer service and support?
Cisco support is helpful, and they have always been responsive whenever we needed assistance.
How would you rate customer service and support?
Positive
What other advice do I have?
I rate Cisco ISE a nine out of ten.
From a user's perspective, Cisco ISE is seamless. It is extremely helpful as it reduces the amount of work required to access and control device permissions.
Our organization is a major Cisco partner, and it is logical for us to increasingly integrate Cisco products into our environment.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr Wireless Network Engineer at a manufacturing company with 10,001+ employees
Gives us a single view, and integration with DNAC helps us troubleshoot from the client down to the packet
Pros and Cons
- "For my use cases, the in-depth troubleshooting into why a client can't connect or why they failed, is very valuable. I can go back to someone and say, 'Hey, it's not my network. It's their certificates or user error,' or something else."
- "The opinion of my coworkers, and it's mine as well, is that the user interface could use some tender loving care. It seems counterintuitive sometimes. If you go to the logs, it's hard to figure out which one you need to look at."
What is our primary use case?
We use ISE primarily for RADIUS authentications on our wireless networks and VLAN segmentation for those users.
How has it helped my organization?
ISE makes things easier because we all work on one system and we all have the same views, so one person is not looking at a different system. We can all look at the same system and say, "Okay, go to this link." Also, you can integrate it with DNAC (Cisco DNA Center), which is something I am very into. It helps us troubleshoot from the client all the way down to the packet. DNAC can tell us, within ISE, when they're integrated, "This is the issue they're having," and we can report back.
It's great across a distributed network for securing access to all our apps and the network. We don't have to worry about which system is going through which access layer or which security system. We can just put everything into ISE. We don't have to separate the switches from the routers to the wireless. It's all just "one-stop, go." It used to be that our switches were in a separate system for authentication routers and the wireless was all on EAP. It was confusing. ISE consolidated all that.
What is most valuable?
For my use cases, the in-depth troubleshooting into why a client can't connect or why they failed, is very valuable. I can go back to someone and say, "Hey, it's not my network. It's their certificates or user error," or something else. For my coworkers the VLAN segmentation means a client got in, it dropped them into this VLAN, and that's where they belong. They can't get out. It makes things more efficient.
Also, the fact that ISE considers all resources to be external is very important. We use ISE in our retail environments for our payment sleds. We want our payment system to be secure. Zero Trust is our whole thing. It's great that everything is external to ISE and then everything has to go through the system.
What needs improvement?
The opinion of my coworkers, and it's mine as well, is that the user interface could use some tender loving care. It seems counterintuitive sometimes. If you go to the logs, it's hard to figure out which one you need to look at. My ISE admin probably has different ideas, but for us, that's the main complaint.
For how long have I used the solution?
I've been using Cisco ISE (Identity Services Engine) for about 15 years.
What do I think about the stability of the solution?
Uptime is great. I don't have a complaint with ISE with uptime. It's been a rockstar. As far as I'm aware, we have probably had 95 percent uptime, or even 99 percent. Nothing is 100 percent. When there's an issue, it's usually not ISE.
What do I think about the scalability of the solution?
Scalability is our issue: keeping up with the number of licenses we need for customers and clients. That's our main concern right now. Part of that is on us and part of that is on ISE.
For us, ISE is global between retail stores, warehouses, and world headquarters. Our entire wireless network of over 30,000 devices uses it. In North America alone, we have 13,000 access points and usually around 60,000 clients.
How are customer service and support?
We've had some issues with support. We usually just get our account manager involved and they get the BU online.
It depends on the roll of the dice and your TAC engineer and how well they understand the issue. We've had numerous cases where we decided to say, "Okay, escalate."
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We had ClearPass but we found some difficulties with it and those were things that ISE was better at, such as EAP authentication. We had some issues with how ClearPass interacted with the Cisco wireless environment. The merging of the two technologies was hard.
We have jumped around. We were Juniper, Aruba, and then a Cisco corporate environment, and then a mixed environment. We finally consolidated those between retail, warehouses, and our world headquarters, into a unified Cisco environment with ISE as our RADIUS backbone. ISE gave us what we needed to unify all of them. We finally shut down our last ClearPass server a couple of years ago.
What's my experience with pricing, setup cost, and licensing?
Being fully honest, the Cisco licensing model right now is really confusing. We don't know what licenses we have where. We have Smart licensing, but the different levels are way confusing.
There are different levels for different accesses. We have an enterprise license agreement with Cisco, but all the details of what we have with those licenses get confused in the massive amount of licenses we have, or in the different license levels we have for different geos, et cetera. The Smart license portal is there, but right now, we just don't have the time or manpower to put into that.
What other advice do I have?
I give it an eight out of 10 mostly because when you get in to start configuring the details, it's hard to find some stuff. Otherwise, it's a great platform.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Consultant at a computer software company with 1,001-5,000 employees
Offers users the ability to be able to see what devices are actually on their network
Pros and Cons
- "The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile."
- "If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out."
What is our primary use case?
I am a Senior Technical Consultant. I have worked in professional services as a Cisco Gold partner for the last ten years.
I have been offering Cisco ISE for the last three to four years. We do small deployments, upgrades, and those types of things.
We see a lot of customers wanting to use Cisco ISE primarily for 802.1X wired and wireless and also for posture device administration, and guest access.
A lot of our customers who come to us do not have any sort of NAC solution in place at all. They don't have a RADIUS, they might have a Soft MPS or something along those lines, but Cisco ISE is far superior. It gives them far more visibility and the policies are more configurable. It offers the ability to do dynamic access lists, dynamic VLAN environments, and that type of thing, and it just gives them a different level of security altogether.
How has it helped my organization?
It's been just great at securing our infrastructure from end to end. With the operational launch and live logs, as soon as you spot anything, you can just do one click and you can stop that device from getting access to the network. So it's very responsive and quick in that sense.
Maybe some customers with ACS and MPS can consolidate the device admin into one platform.
What is most valuable?
The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile.
What needs improvement?
I don't really know how to improve it, I think it's a great product. If I compare Cisco with something like ClearPass, for example, ISE is a lot more intuitive in terms of all the workflows and the work centers. They give you all the building blocks you need to be able to configure it. It's quite useful and quite easy to manage.
If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out. If I wanted anything to be easier, it would be this.
What do I think about the stability of the solution?
It's been around for many years now. Since version three, stability-wise, it's been pretty reliable. We know the versions to avoid. We know the stable versions. Besides some upgrades and that type of thing, it's generally pretty solid.
What do I think about the scalability of the solution?
A lot of customers that I see are small deployments, maybe a single node or a two-node cluster, but we know that the product does scale. We do have customers that scale beyond just the two nodes. It's proven to be a scalable product.
How are customer service and support?
We see a lot of customers getting frustrated with Cisco TAC because they don't get the responsiveness that they believe they should be getting. But as a gold partner, we are able to leverage our influence, so when our customers come to us, we can escalate a lot of stuff for them. We use our influence. We're able to get stuff remediated fairly quickly. We find that they respond to us better than maybe to our customers.
How was the initial setup?
I think Cisco is fairly straightforward in terms of device admin. 802.1X is quite easy to deploy. As you then start to look at guest access, profiling, posture, and that type of thing, it does ramp up a little bit and we get a little bit more involved. Some stuff is straightforward and other stuff is not as much.
Generally, over the last few years, it's been mainly deployed on-prem, but we're now starting to see a shift. Users are really willing to move to cloud with Azure-type deployments. I'm doing some labs this week because we're seeing so many requests for cloud.
Which other solutions did I evaluate?
If I take the two that I really compared, it would be LogSoft MPS. Cisco ISE has a lot more features, you can do a lot more regarding the policies than you can currently with MPS.
I also have limited experience with ClearPass. ClearPass is a lot more difficult to configure and manage and is less intuitive. The visibility side of ISE is far superior as well.
What other advice do I have?
I'd give it a nine out of ten. There are some hurdles with upgrading and licensing in particular, which is why I wouldn't give it a ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Updated: January 2025