No more typing reviews! Try our Samantha, our new voice AI agent.
Darren Hill - PeerSpot reviewer
Technical Consultant at a computer software company with 1,001-5,000 employees
Real User
Aug 7, 2023
Offers users the ability to be able to see what devices are actually on their network
Pros and Cons
  • "The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile."
  • "If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out."

What is our primary use case?

I am a Senior Technical Consultant. I have worked in professional services as a Cisco Gold partner for the last ten years. 

I have been offering Cisco ISE for the last three to four years. We do small deployments, upgrades, and those types of things.

We see a lot of customers wanting to use Cisco ISE primarily for 802.1X wired and wireless and also for posture device administration, and guest access.

A lot of our customers who come to us do not have any sort of NAC solution in place at all. They don't have a RADIUS, they might have a Soft MPS or something along those lines, but Cisco ISE is far superior. It gives them far more visibility and the policies are more configurable. The ability to do dynamic access lists, dynamic VLAN environments, and that type of thing, and it just gives them a different level of security altogether.

How has it helped my organization?

It's been just great at securing our infrastructure from end to end. With the operational launch and live logs, as soon as you spot anything, you can just do one click and you can stop that device from getting access to the network. So it's very responsive and quick in that sense.

Maybe some customers with ACS and MPS can consolidate the device admin into one platform.

What is most valuable?

The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile.

What needs improvement?

I don't really know how to improve it, I think it's a great product. If I compare Cisco with something like ClearPass, for example, ISE is a lot more intuitive in terms of all the workflows and the work centers. They give you all the building blocks you need to be able to configure it. It's quite useful and quite easy to manage. 

If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out. If I wanted anything to be easier, it would be this.

Buyer's Guide
Cisco Identity Services Engine (ISE)
July 2026
Learn what your peers think about Cisco Identity Services Engine (ISE). Get advice and tips from experienced pros sharing their opinions. Updated: July 2026.
904,146 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's been around for many years now. Since version three, stability-wise, it's been pretty reliable. We know the versions to avoid. We know the stable versions.  Besides some upgrades and that type of thing, it's generally pretty solid.

What do I think about the scalability of the solution?

A lot of customers that I see are small deployments, maybe a single node or a two-node cluster, but we know that the product does scale. We do have customers that scale beyond just the two nodes. It's proven to be a scalable product.

How are customer service and support?

We see a lot of customers getting frustrated with Cisco TAC because they don't get the responsiveness that they believe they should be getting. But as a gold partner, we are able to leverage our influence, so when our customers come to us, we can escalate a lot of stuff for them. We use our influence. We're able to get stuff remediated fairly quickly. We find that they respond to us better than maybe to our customers.

How was the initial setup?

I think Cisco is fairly straightforward in terms of device admin. 802.1X  is quite easy to deploy. As you then start to look at guest access, profiling, posture, and that type of thing, it does ramp up a little bit and we get a little bit more involved. Some stuff is straightforward and other is not as much. 

Generally, over the last few years, it's been mainly deployed on-prem, but we're now starting to see a shift. Users are really willing to move to cloud with Azure-type deployments. I'm doing some labs this week because we're seeing so many requests for cloud.

Which other solutions did I evaluate?

If I take the two that I really compared, it would be LogSoft MPS. Cisco ISE has a lot more features, you can do a lot more regarding the policies than you can currently with MPS.

I also have limited experience with ClearPass. ClearPass is a lot more difficult to configure and manage and is less intuitive. The visibility side of ISE is far superior as well. 

What other advice do I have?

I'd give it a nine out of ten. There are some hurdles with upgrading and licensing in particular, which is why I wouldn't give it a ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Brad Lossing - PeerSpot reviewer
Manager Network Operations at RAND Corporation
Real User
Jun 19, 2023
A reasonably priced tool that improves an organization’s resilience and makes it more secure
Pros and Cons
  • "The solution enables us to do everything from one interface."
  • "They should improve the documentation. There tends to be a lot of old text, or the new things aren't always up to what's been released on the code, and sometimes the documentation is inconsistent."

What is our primary use case?

We use the product for TACACS, dot1x, authentication for some of our RADIUS devices, and authentication and authorization for our VPN clients.

How has it helped my organization?

We've become more secure. We see devices that lose certificates, and then they get denied. Before, we would only get to know that the network was down. Now, with the help of the solution, we can pull up reports, go through them and understand that the certificate has expired. So, the person who raised the ticket takes the certificate, and everything gets resolved.

We can also understand if posturing fails because the user doesn't have the current version of the software on. The product provides us with one place to look for all of these noncompliance issues. If a port keeps locking down, we can send somebody to check the devices and remove a bad device if needed. The issue doesn’t get on the network because the product ties in and locks the network down for us on that port.

What is most valuable?

Cisco ISE Identity Services Engine enables us to do everything from one interface. It makes it easy to work with top-down policies, to configure groups or the granularity we control in our dot1x environment and posturing. The product helps the granularity our InfoSec group wants to achieve within their posturing project.

What needs improvement?

They should improve the documentation. There tends to be a lot of old text, or the new things aren't always up to what's been released on the code, and sometimes the documentation is inconsistent.

Last week, we were doing a dot1x troubleshooting, and I was showing people how to look for it, and all the documentation came up for version 1.0. I wondered why version 3.0 is not the top choice since it is already out, and we've been on Version 2.0 for five years. The solution should try adjusting their tags because sometimes it's difficult to find things.

For how long have I used the solution?

I have been using the solution since version 1.1.2 was released.

How are customer service and support?

I haven't found another support group that I've been able to call that gets me where I need to be as quickly. Our account manager is great. He gets on the phone with support if we ever have an issue. Unlike other organizations, Cisco has been a trusted partner. Support has quick turnarounds. The quality of support depends on the subject we need help with.

How would you rate customer service and support?

Positive

How was the initial setup?

Just getting the solution up and running was quick. Getting it to do what we wanted took us about six months. I didn't take class for it. I had the documentation to go with, but it was version 1.0.

What was our ROI?

The product has helped us save money drastically. We were able to get rid of two different service contracts. We could invest more into the solution or into people that can help us administer it. So it's been nice. We save quite a bit of money getting rid of those other products.

What's my experience with pricing, setup cost, and licensing?

The solution’s pricing is reasonable. For everything that it does, it's actually great. It's part of our Security Enterprise Agreement. So, we get guaranteed pricing for the length of the agreement, including upgrades. It's worth it. There are no hidden costs with Cisco.

Which other solutions did I evaluate?

We looked at Microsoft, but the product was too immature. We also looked at a Linux product. The networking team told us that we have to be sysadmins to run it. It didn't do something we needed it to do.

We had looked at other products, but the mesh Cisco products have with their devices makes it more seamless. If I'm having a problem with a device, it is good to have everything from a single vendor to solve issues quickly.

What other advice do I have?

A lot of the apects that needs to be improved in the product has already been done in the 3.0 version, including HTML5 and integrations with other cloud products like Azure and Intune. I just haven't upgraded yet. They are doing a good job of keeping up with new technologies. I have a small team, and it's hard to keep up with products.

With our dot1x, we've seen situations where people have inadvertently plugged their own PC into the port, and the port shuts down. We instantly know that the port got shut down. It's been great. I haven't found another product that can do it as well and as easy to set up as the implementation of dot1x.

The solution has freed up the IT staff’s time a little bit, but it also created more work in a good way. It has created more work in Cisco because now we're doing segmentation. We're taking dot1x to the next level and closer to moving towards a zero-trust network. The Cisco team gets access to the servers after authentication.

We've done a lot of research on zero-trust networks. I work for a research company, and we've been looking at ways to do it. Historically, we have done segmentation by identifying groups of servers and locking them down. This process is challenging to manage. While setting up micro VLANs, we can provide role-based access instead of just putting applications on server pools and wondering who gets what access. If user A needs to be able to update their personal information because they got a new phone number, they need access to the HR system to do that. The HR people need to be able to see all their review records. However, user C doesn't need to see anything that user A is doing. That is what we are looking for. We want zero trust so that an individual has access to what that individual needs to be able to do and nothing more and nothing less.

We had been running two other RADIUS servers just because they worked better with the product that we brought in. Cisco Identity Services Engine is more configurable, especially on ports. So, we were able to get rid of the other two RADIUS servers. We don’t have to pay service contracts for them, and there are no more upgrades. Now, we have one suite that we focus on.

The mean time for issue resolution has drastically reduced. Everybody's looking at the same pane, the network team and InfoSec. As soon as they see something blocked, if we're not already investigating it, they're investigating it. We get to share the responsibility with multiple groups with the same end goal. It has tied the team together and made things a lot easier.

I have a small team. I have seven sites and seven people. And if I applied one person to each one, we could watch it. Our InfoSec group, who's watching all their logs from the external firewalls, would watch that. With Cisco Identity Services Engine, we must have saved 100s of hours over the year. If something comes up, two groups almost instantaneously open a chat and start working on it. We know that our escalations are blocked on time. The amount of cleanup that we've had to do from malicious devices is down to almost nil.

The solution has helped our organization to improve its cybersecurity resilience. We see malicious or unknown devices and react to them. We see known devices come in with outdated software. Everything gets addressed as soon as the user connects. It all comes together.

Spend some money on classes and not on just who you think is going to lead your project. Get your whole team involved. If you are from the networking side, ensure your InfoSec team is included, and vice versa. The tool has so many capabilities that you will feel overwhelmed, but it becomes easier once the pieces start coming together.

We had two other RADIUS servers. When we moved to Cisco Identity Services Engine, we were on Cisco ACS. Not many people offer the granularity that Cisco does because it's the main protocol for authenticating on devices.

Cisco SD-WAN’s support still needs more learning. Cisco ThousandEyes started the same way. They have improved in the last two years. They're up to an eight out of ten now. Before, I didn't even want to talk to them. We love the product.

We're expanding our cloud and looking at deploying the product on a hybrid cloud. However, we've got to get done with SD-WAN first.

Overall, I rate the solution a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Cisco Identity Services Engine (ISE)
July 2026
Learn what your peers think about Cisco Identity Services Engine (ISE). Get advice and tips from experienced pros sharing their opinions. Updated: July 2026.
904,146 professionals have used our research since 2012.
reviewer2211627 - PeerSpot reviewer
Network Engineer II at a healthcare company with 10,001+ employees
Real User
Jun 18, 2023
Offers enhanced network access control, serves as our first line of defense for access, and scales exceptionally well
Pros and Cons
  • "Cisco ISE scales exceptionally well."
  • "Sometimes, there are instances when Cisco ISE simply fails to function without any apparent reason, and regardless of the investigation we undertake, the logs indicate that everything is functioning properly, making it somewhat inexplicable."

What is our primary use case?

We are on-prem at twelve separate sites with one main node.

We utilize Cisco ISE for authenticating both our employees and residents at our senior care center. We authenticate them either against LDAP or our network.

How has it helped my organization?

Cisco ISE provides us with enhanced network access control, allowing us to manage the VLAN assignments for both our residents and employees. Additionally, Cisco ISE enables us to exercise control over the devices permitted to connect to our network.

I am not aware of the extent to which we leverage Cisco ISE to remediate threats, but it serves as our first line of defense for access. It has been extremely beneficial. Our clientele consists of senior residents, and having some level of control over the devices they connect to the network has had a significant impact. 

Cisco ISE has helped to free up the time of our IT team for other projects.

What needs improvement?

Sometimes, there are instances when Cisco ISE simply fails to function without any apparent reason, and regardless of the investigation we undertake, the logs indicate that everything is functioning properly, making it somewhat inexplicable. However, after a while, it spontaneously begins functioning again. Therefore, I believe it is not a widespread problem, but when it does occur, it can be quite frustrating.

The support specifically for Cisco ISE has room for improvement.

For how long have I used the solution?

I have been using Cisco ISE for two years, and the company has been utilizing the solution for ten years.

What do I think about the stability of the solution?

For the most part, Cisco ISE is stable, good, and functional. However, when it fails, we are left clueless as to the reason behind it, and that's the frustrating aspect.

What do I think about the scalability of the solution?

Cisco ISE scales exceptionally well. However, we have encountered issues while updating to the latest version. It is a significant endeavor due to the extensive scope of our deployment. Nevertheless, I believe this challenge is not unique to us; it appears to be primarily related to the scale of the deployment. Currently, we have nearly 15,000 devices.

How are customer service and support?

The times I've had to contact technical support for Cisco ISE, the experience has been somewhat unsatisfactory. I get the feeling that, at least on the surface, they perform tasks that I can do myself, such as reviewing the logs and identifying the issues. Moreover, given the integration of Cisco ISE with various network components, it's difficult to confine troubleshooting solely to that aspect. Therefore, I desire improved support specifically for Cisco ISE. I would rate the support for Cisco ISE as a six out of ten, whereas for other products in their portfolio, it would receive a nine out of ten.

How would you rate customer service and support?

Neutral

What's my experience with pricing, setup cost, and licensing?

I am not aware of the current price for Cisco ISE, but considering it is a Cisco product, it is likely to be quite high. However, I do not have control over the checkbook.

Which other solutions did I evaluate?

We evaluated Aruba ClearPass, which was something we considered. However, since we are committed to Cisco throughout our infrastructure, we didn't believe it was worthwhile to replace it with another solution without being certain that it would be better than Cisco ISE.

Aruba ClearPass had a slightly better reputation among the people we surveyed in our industry. We frequently compared it to how college campuses manage their systems because our use case is very similar. In terms of functionality, I believe it was mostly the same. The key difference seemed to be the level of stability.

What other advice do I have?

I give Cisco ISE an eight out of ten. Without knowledge of how the other implementations or competing offerings function, I believe Cisco ISE performs admirably in its intended role. Moreover, I am aware that without it, we would encounter significantly greater challenges. Therefore, I consider it to be great.

Our organization utilizes Cisco products extensively, which, in my opinion, is the reason behind the organization's decision to choose Cisco ISE.

I believe we would have a much more open network if it weren't for Cisco ISE. We would be restricted to only using PSKs, and we wouldn't have a true understanding of what our residents are connecting to the network. I think that's likely the most significant aspect of the implementation.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Laurence Mcbride - PeerSpot reviewer
Senior Business Systems Analyst at a financial services firm with 201-500 employees
Real User
Jun 20, 2022
Improved our trust situation, but usability, while improving, still needs work
Pros and Cons
  • "It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go."
  • "Cisco ISE definitely helped us pass the audit requirements we had."
  • "A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it."

What is our primary use case?

Cisco ISE is our network access control solution. We use it to prevent unwanted devices from connecting to our physical network. We also use it for wireless access control on the corporate network, but not on our guest internet network. That difference is because we have Cisco Meraki on the guest wireless.

The solution is in twin private data centers and we did virtual servers, not physical appliances. They're on our VMware platform.

Our business is the lending half of banking only. There are no ATMs or customers coming in with deposits or credit cards. It's a commercial lending operation. We don't have a lot of foot traffic into our locations from our customers. Some might say we're a little overly worried about our physical network, because we're pretty physically secure already. However, we occasionally do customer appreciation events in our locations, at which point there could be 100 people waltzing in and out of any one of our buildings. That's when the regulators say, "That's why you need security." Ultimately, if you let your guard down in the world of security, you're going to get attacked. So, like it or not, we have to button it up.

How has it helped my organization?

Cisco ISE definitely helped us pass the audit requirements we had. We're a type of federally chartered organization and we have a special regulator in the federal space. The need for network access control was born out of audit and penetration test findings. ISE is auditable and we send logs up to our SIEM for analysis.

The solution has also improved our trust situation. It's one of the many pieces that we needed to be buttoned up tight.

What is most valuable?

It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go.

And when it comes to establishing trust for every access request, no matter where it comes from, it's effective. That's like a "pass/fail"  and it passes.

Our environment is a distributed network, across many locations. Cisco ISE runs in a pair of data centers for us: to each client, a primary and a secondary. The database keeps itself synchronized between the two data centers so if one data center is down, we can swing to the other for continuous service. It does its job.

What needs improvement?

A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it. There are so many updates and, often, you can't go to a particular update unless you've done all of the updates leading up to it, although I don't think that was our issue.

If they could improve the upgrade process, that would make me sleep a lot better. It's almost like we need to have it pre-qualified before applying an update because our whole world hangs off of it. It is a "center of the known universe" implementation for us.

It is also an incredibly "nerdy" tool, one that is not really well documented for your everyday network and security engineers. It takes a village of specialists to keep something like this running. Cisco is definitely making some improvements in the user interface. It's a little more understandable and approachable. Even for the nerdiest of nerds, having what I call a "kissable baby face" makes it more usable. Cisco knows this and, from version 3 and up, they've been trying to improve the usability and it's getting better. It could use some work.

Not everything is a smart Windows or Mac OS device. We have Windows 10-based user laptops, almost exclusively, and there are some printers and phones and the like that are capable of either a certificate or other 802.1X conversation with Cisco ISE. From an engineering perspective, we just went "way-simple." We do MAC address bypass or MAB tables, which is administratively challenging.

Finally, I believe we've stretched it beyond its capabilities in attempting to make it a multi-client solution, more like a service provider implementation. It's really not architected for that yet. I think that's on the roadmap. This is what I refer to as a monolithic implementation. It is capable of servicing multiple Active Directories and saying, "I recognize this address range equals client X, and this address range equals client Y," and it can interrogate the appropriate Active Directory. But the way that we've implemented that, honestly, is a hack job. It's fully supported, but it's just not multi-client architected. If I had one message for Cisco, it would be: Please make this thing multi-client, or at least more affordable to do separate implementations that somehow get closer together. That's ultimately what multi-client is.

All our various clients are collectively involved with one another. Each of the five owners owns an equal share of the company and all profit and loss flows to each of the owners equitably. It's not that we don't have procurement relationships with one another. However, our regulator continues to believe that separating things is better. That way, if one of you gets taken down, the others aren't affected. Anytime that you have a product that is a type of monolithic implementation, it potentially could affect all of us.

For how long have I used the solution?

For about six and a half years I worked for a cooperatively-owned service bureau, which is where I got the Cisco ISE experience on the service provider side. Now I'm on the customer side or the business side of how these technologies affect our environment, and how hard or how easy they are to integrate.

We've had Cisco ISE in production for about four years now. It was a three-year ramp getting it into production.

What do I think about the stability of the solution?

It works like a champ until you try to upgrade it, and then it becomes risky and fragile. I don't know whether that is because of the complexity of the architecture. We have what I would call a twin database environment. Where we're trying to keep two copies, at a great distance from one another, synchronized. One misstep and there it goes.

What do I think about the scalability of the solution?

It is certainly scalable enough in our environment. We have between 3,000 and 4,000 managed nodes, not counting all of the extra stuff including every type of IOT thing you can imagine: printers, cameras, sensors, a security system. It also doesn't include phones, and we have a phone on every desk, whether there's a user there or not. 

When you initially think you've only got, say, 3,000 or 3,500 users, how do you get 15,000 devices on your network? But that's the sad reality these days. Everything is on the network. Every employee typically has three devices on the network at any given time: a phone, a tablet, and a computer. The numbers ratchet up quickly. 

The good news is that it's definitely scalable in our environment to handle 25,000 devices spread across between 150 to 200 locations, some of which are very remote.

How are customer service and support?

It is a special class of nerds who know how to work with Cisco ISE, and that's true even inside of Cisco. We have used some third parties, Cisco authorized resellers and solution certified specialists, to deal with this, but that's a last resort. Those are the really expensive people for this because there is such a small community of people who are qualified in this product.

Because it's such a specialized skill, they are not as available as I would like.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

We were nearly a 100 percent Cisco shop at the time that we selected the product. We had a couple of failed implementations when trying to get it installed. That was likely because we didn't hire the right expertise to assist. Everybody understands the components of it, but when you put it all together, it is just very scientifically complicated.

What was our ROI?

In our case, ROI wasn't really a consideration in going with Cisco ISE. It was a regulatory requirement.

What's my experience with pricing, setup cost, and licensing?

It is fairly expensive and that's part of why we have implemented it in the type of "hack" that we did, to service multiple clients. It would be nice if it were less expensive.

Plan your deployment very carefully. Make sure that you really understand the licensing environment. That was a big surprise, not to my team, but to the end customers who were responsible for the budget for it. Everybody thinks "server-centric," and in this particular case, all of those devices that are being protected ultimately have to have appropriate licensing on the system. There was a lot of, "Oh, I didn't realize I had to buy that part." It's not your everyday product and the pricing model wasn't something people were super familiar with to begin with.

Which other solutions did I evaluate?

We've evaluated some other products since implementing this one. This is not your everyday tool.

The one thing that some of Cisco's competitors have done in this particular space, is to take this stuff to the public cloud. As long as you can do that securely, it is helpful. Maybe that would help in our world. I would love to subscribe to this as a service. In other words, we'd prefer that products like this, products that are that complex, be somebody else's problem and just subscribe to the outcome of them. I'd love this solution to be running in Cisco's world where the real expertise is.

What other advice do I have?

People groan when they realize that they're going to have to do troubleshooting on Cisco ISE; even the nerdiest of nerds. But any product in this space would engender the same reaction. Trying to figure out how I prove that you're allowed to be on my network is not everybody's happy place. We all just want to set it and forget it.

The usability and the upgradability over time, for a product that is in such a critical spot, should be better. I'd love to give it a ten because it was the easiest thing in the world to upgrade. It's just not there yet.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Wayne Cross - PeerSpot reviewer
Director of cyber security at Borden Ladner Gervais LLP
Real User
Top 20
Jun 16, 2022
Secures devices and has good support, but needs a better interface
Pros and Cons
  • "The solution is great for establishing trust for every access request no matter where it comes from."
  • "The interface is a little bit complex."
  • "The interface is very complex, and there are tons and tons and tons of options."

What is our primary use case?

For Cisco ISE specifically, I manage the cybersecurity as well as the networking team. The networking team uses it to track statistics of users coming in and out of the network platform. We use it to track equipment, collect information on identity, and have the help desk leverage the telemetry to troubleshoot. It is part of our day-to-day operations.

This provided security for our sizeable law firm, which has offices across the entire country. Our lawyers like to be mobile. Around six or seven months ago, we started to roll out iPads and really adopted a mobile culture. One of the things that we wanted to do was to provide flexibility for lawyers to walk with a corporate laptop, or walk with their own personal laptop and still have the capabilities to log on and do what they want to do.

We also used it for the many meeting rooms we have. A lot of law firms have tons of meeting rooms, and we needed to secure some of those meeting rooms as well. The technology allowed us to roll 802.1X. We were able to secure ports in the meeting rooms and have a little bit more flexibility as to where users log in.

For example, a couple of years back, we wanted to secure all of the endpoints for the help desk and networking team and all of the backend team and ensure that, irrespective of where one goes with that laptop, when they log in, it'll automatically move them to a secure VLAN. With ISE, we were able to do that and monitor it.

What is most valuable?

One of the things that we found most valuable over the years is the ability for it to provide information to the help desk that allows them to troubleshoot issues. We still use a lot of that today and we're going over to DNA soon. We're adopting some of the DNA technologies now, however, ISE has been the mainstay for us for quite a few years now.

The solution is great for establishing trust for every access request no matter where it comes from. That was one of the biggest use cases for us, as one of the problems that we had was to secure a specific VLAN. If a help desk person had a laptop, and they plugged it into a network cable port somewhere, it would automatically put them on a secure network. If a lawyer uses their laptop, it would put them on a separate network. If a phone is plugged in, it will know it's a phone and put it on a phone network. ISE is the only way we have been able to do that. We've streamlined a lot of our provisioning and de-provisioning processes through Cisco ISE.

It has certainly made it easier to secure our devices. For example, we have offices across the entire country. We are a large law firm and have huge offices in Toronto, Ottawa, Montreal, Calgary, and Vancouver. We also have ISO 27001 and 27017 certified as well and I run that program. One of the big things for us is when auditors come for a visit. All of our locations have a conference floor, a whole floor that's dedicated to conference rooms.

There are tons of large conference rooms. When we get audited, conference floors are usually floors that auditors are allowed to go to, as they're publicly accessible floors. We'll get asked, "How do you secure the port?" When we go into the conference room, they can see the network ports." They will ask, "Well, how do you secure these ports? What if somebody came and plugged their machine in?" We then say, "We use Cisco ISE. Cisco ISE identifies that it doesn't belong to our corporate network. It does a check and then puts them right onto the internet, so we don't need to worry about strangers on our closed network.”

What needs improvement?

The interface is a little bit complex. It doesn't really have an executive dashboard. I'm the director of cybersecurity infrastructure operations for the entire firm, and I'm a very technical person, so I go in, and I can move around and try to figure everything out.

However, the interface is very complex, and there are tons and tons and tons of options. It's quite complex to get into and take a look at. As a result, most of the time, just my networking team would be in there. It's so complex that sometimes I will find something one week, and by next week I can't find it again.

It's too deeply layered. They have to redo the whole interface and have something that's executive based, and another one that's technically based. Even the help desk team and my security team use some of its components, however, they don't go anywhere often, as there are so many options in there. They have to make the interface a little bit more use user-friendly.

For how long have I used the solution?

I've worked with Cisco for about ten years.

What do I think about the stability of the solution?

The stability is ten out of ten. We have not really had issues with it. We've had one or two small things, however, in the 12 years that I've been there, I've had very few issues with their platform.

What do I think about the scalability of the solution?

It scales well. We have no concerns at all. When we decided to roll out 802.1X, we only had it on our endpoint, just laptops. Then we said, "Well, let's scale it out to the wireless access point." We went from 2,000 endpoints to 10,000, since people have mobiles. When we rolled it out to do posture checks on everything wireless, we had no issues.

How are customer service and support?

Technical support is good. I have no issues. Cisco supports its products very well, so we've never really had concerns with that aspect. Also, I have a very, very technical team. My guys are CCIE certified, and they are geniuses in their own rights. They've been in Cisco for 20 years.

They know the product very well and they also work very closely with the Cisco support team. The Cisco support team has very good people. They train their people well, and we've never really had issues that the Cisco team can't resolve if my team can't resolve them. We're taking it for granted that we're getting good support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use a different solution. We're a Cisco shop, so we've always used Cisco. 

How was the initial setup?

I was involved in the initial setup. I manage the networking team. While I don't necessarily push the commands in, I go through architecture sessions with my team, sign off on it and make sure that what it's doing is worth it, it's my budget. I have to get involved.

What was our ROI?

We've seen an ROI. They last a very long time. For example, we have Cisco Campus, which is the next 7000s that we put in 2012, and ten years later, they're still there. We just changed the supervisor modules. However, the chassis is still sitting there and is still working quite fine.

If I'm not mistaken, it's at end of sales already, however, its end of support is in 2024. That's what I like about their products. They support their product for a very, very long time.  They easily last for ten years. Even our access switches, which are 4900s, are just being switched out now. Those have been in since probably 2010.

We spend $1.5 million as we have two switches on every single floor. Those are the ones that we're changing out now, and they still work quite fine. Cisco just decided to change them. Their products are very solid and they don't break. We keep them for a very long time. Therefore, the return on investment is not bad. I know when I put it in that I don't need to look at it again for ten more years. I know it's going to be supported for that long. 

What's my experience with pricing, setup cost, and licensing?

Cisco is expensive, however, we have a good partnership with our Cisco partner, and we get really good discounts on it. We have a very, very tight relationship with our Cisco representative. We're the largest law firm in Canada and therefore we get special treatment from the Cisco reps in Toronto.

We've had really good relationships with the team at Cisco Canada, and they all know my team, the architects, the solutions engineers, the salespeople, et cetera. They all know us very well. They come to our offices and we go to their offices. We have a very tight relationship.

When it comes to cost, we'll talk to them. They'll tell us when is the best time to buy, and we'll get good discounts. I've never really had to forgo a technology that was critical to the firm due to cost. I can always work with Cisco to find some way to reduce the cost.

Which other solutions did I evaluate?

We always focus on Cisco products. 

What other advice do I have?

I'd rate the solution seven out of ten. 

It has a lot of rich data in it, however, it's hard to get stuff out of it. You really have to know the product very well and live there to know where to go and find what you are looking for. There's a lot of telemetry in there, however, it's very difficult to actually see how to leverage it.

I've even been telling my security team, "Guys, there's a component in Cisco ISE that you need to work on, and you need to log in more often." Then two years later, they'll ask, "Why don't you guys use it?" The security networking team will say, "Well, we gave them access." My security team will say, "It's too complex. We have no time to go in there. We don't know where to find anything." That's the only problem that they need to fix. They need to make it easier to navigate, it's too deep.

Cisco ISE is a good product. It tightly integrates with all of the networking components, but you can leverage it and get a lot of return and investment out of it. However, you need to make sure that when you're rolling it out and when you're initially putting the platform in, you will need to get your help desk team and security team involved.

Of course, the networking team is the one that's probably going to own it, however, there are so many components in there that can help. The help desk can troubleshoot issues and can provide visibility from the security standpoint, and the networking team owns it anyway. If you get them more involved, they'll be more in tune with using it more often.

There are a lot of help desk and security capabilities in there. Still, just the networking team rolled it out, nobody wants to look at it, as it's a networking piece of the platform, yet really it's not. You can get a lot from this platform. That's probably what I would tell people, just get everyone involved from the get-go, so that they can get more value from it in the long run. 

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Adarge Ekholt - PeerSpot reviewer
Network Engineer at a university with 1,001-5,000 employees
Video Review
Real User
Aug 7, 2023
The ability to see what devices are online for a particular user helps a lot with our troubleshooting
Pros and Cons
  • "The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting."
  • "The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away."

What is our primary use case?

I'm a network engineer. I've been at my company for about six years. 

We have about ten people on the networking team. We support up to 30,000 students. We've been using ISE for five or six years now.

Our primary use case is mainly to onboard students with the wireless authentication with our switches and network devices. 

How has it helped my organization?

Another big benefit for us is definitely security in terms of wireless user activity. We spent a lot of time looking at live logs and user logs to figure out where they've been in the network and in which buildings. We can get rogue granular with locations of where people are and where they're experiencing issues.

We have definitely saved time since using ISE when it comes to building some of the policies around the types of users, like library users versus student union or even admin users. The policy building is complicated, but after a while, it's pretty straightforward in terms of repeatability of staff turnover, and things like that. It's not the learning curve that's hard for continuous maintenance.

What is most valuable?

The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting. 

What needs improvement?

The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away. 

What do I think about the scalability of the solution?

In terms of scalability, we have multiple policy nodes. I know we have about ten different devices on other appliances. As far as I can imagine, setting up another policy node or something would be pretty simple. It would just require hardware to be purchased.

How are customer service and support?

Our support for Cisco ISE has been pretty good. We've had pretty good luck with TAC cases, and it seems like maybe because it is a niche thing there are certain groups of support staff who are pretty savvy.

We've never really had issues that went long-term. It's because it's our main gateway for students, staff, and faculty. It seems like we've solved things pretty quickly.

I'd rate it about an eight out of ten. The only thing is that you don't necessarily get the same person every time but we've never had an issue that went unsolved so far, so I'd say eight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In terms of evaluating other services, that's one of our reasons for being a Cisco Live, to actually know what alternatives there are in that space. We are interested in a faster-performing solution at times.

How was the initial setup?

Overall, I would say our implementation is fine, but we do hesitate on major releases just because we've had some issues in the past, and rolling back is difficult. We don't want to go down that path especially because it is so critical for us.

What was our ROI?

In terms of ROI for Cisco ISE, I'm not sure what we paid to begin with, but I know that it's indispensable, since it is our only gateway for wireless users to connect. Also that it's flexible for us to school up new user grow groups fairly easily.

What's my experience with pricing, setup cost, and licensing?

It doesn't seem like we have a licensing model that we're aware of. It's not something that comes down where we have to say, "Oh, boy, we have to renew ISE again." It doesn't seem like it's a significant part of the budget that we have for licensing and ongoing maintenance.

What other advice do I have?

In terms of ISE for end-to-end security, it's our primary tool right now for that. It's hard to compare with other applications or hardware. Sometimes there are limitations, for example, we use it for wireless only. We don't do anything with ISE or 802.1X on the wire, which is something we'd like to do, but we're hesitant based on our experiences with the wireless side in terms of the slowness.

On a scale from one to ten, I give Cisco ISE an eight. Primarily because it seems like it's doing a pretty decent job managing our wireless connections. And there are enough tools in the GUI interface that give us feedback on performance. It's been a pretty decent install for us.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Network Engineer at a financial services firm with 10,001+ employees
Real User
Jun 21, 2023
Enables us to authenticate with AD
Pros and Cons
  • "The solution enables us to authenticate with AD."
  • "The web UI should be made similar to the one in DNAC."

What is our primary use case?

I use the product for AAA authentication.

How has it helped my organization?

Before, we used to use Cisco ACS. After ACS retired, we started using Cisco Identity Services Engine. Right now, we are integrating Cisco Identity Services Engine with DNAC. Whatever we provision inside DNAC will send the information to Cisco Identity Services Engine, and the switch will be added. This process enables easy management.

What is most valuable?

The solution enables us to authenticate with AD. That way users can log in with one username to the product and access the router and switches.

What needs improvement?

The web UI should be made similar to the one in DNAC. The left pane must have the menu title followed by the submenu. Since I have moved to version 3.1, I have to go back to the old version to figure out my way. They haven't improved the left pane of the UI. The left pane is supposed to have the menu title in order.

For how long have I used the solution?

I have been using the solution for at least seven to eight years.

What do I think about the stability of the solution?

So far, I have no issues with the solution’s stability. My primary and secondary systems are working fine. I have the least to worry about. It has run smoothly for seven years.

What do I think about the scalability of the solution?

We are using the product in about 500 devices in our organization.

How are customer service and support?

We have Platinum Support. When we call, everything gets through. I have no problems with support. However, if someone does not have Platinum Support, they will have to wait for probably an hour or two. I usually get a response in less than 30 minutes when I open a ticket because we pay for it. 

I am 98% happy with the support. Sometimes, I am unhappy when we have an incident and need quick support, but the support manager asks too many questions. I prefer fixing the problem in real time and then answering questions. Fixing the problem is more important than answering questions. When I talk to the engineer, they ask questions on how it has impacted our network. They must fix my problem first. I can answer all their questions later.

How would you rate customer service and support?

Positive

What about the implementation team?

We have a contractor who implements the product for us. After that, they give it to me to manage. Upgrading from version 2.7 to 3.1 is easy. So far, it's good. The contractor's name is Deytek. I just provided the ACS server information from the previous server to the contractors. Then, we purchased the on-premises hardware, migrated it, and started using it. I didn’t have to do anything. It was easy for me.

The upgrade from version 2.7 to 3.1 was a little bit hard, and I had to prepare a lot to do it. We need to plan the process well. We cannot just decide to upgrade the tool without planning. We had to plan with the help of AS services, who guided us on the steps to do and the backup needed. They guided us to upgrade the secondary unit first and then the primary. I also had to talk to our corporate team in Boston. We had to inform our ISA Server team about the upgrade because once you upgrade, tools that are not authenticated might lose connection.

What was our ROI?

The solution helped me by making my job easier. I manage and deploy the solution. All the other users have to do is log in and look at what they need to do. The product makes it easy for me to manage and enables the end users to log into other systems.

What's my experience with pricing, setup cost, and licensing?

The pricing is complicated. The solution uses Smart Licensing. I had to go through a lot of phone calls to convert my old license to the new one and make it work. It took me about three weeks to figure out my licensing model and why mine was different from the other teams. It's good because Cisco Identity Services Engine will automatically get our licenses from one location. It would be better this way.

What other advice do I have?

The product provides an email notification if anything is detected. We set up ACL policies based on which the product would alert us through emails if anything major happens.

The solution helped me give access to many people who use Cisco products, either router switches or UCS, from other teams. Instead of creating every ACL on the tool, I only need to set up AD group permission and add their username for them to access the same policy.

I do not use the cybersecurity features of the tool much. We only use the solution for AAA authentication. I need to explore the other features we seldom use. We are upgrading to version 3.1. We recently signed a contract with Cisco Advanced Services. They might provide us with more information to use the tool in my company.

Since I joined my current organization, we have used Cisco for everything. We have deployed the tool primarily in one location, and the secondary one is 5000 miles away in another location. One tool is in California, and the other is in New York.

I implemented version 3.1 just two months ago. I need to learn more about it and enable more features on my network. I need to improve myself to learn more because version 3.1 has a lot of new features.

Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Network Engineer at Lawrence Livermore National Laboratory
Real User
Jun 21, 2023
We've control and visibility, which is a big deal, but adding new devices is a bit cumbersome
Pros and Cons
  • "Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key."
  • "Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out."

What is our primary use case?

We're just using it for authentication to our network switches.

How has it helped my organization?

We have more visibility and control with the tool. It has helped us improve our cybersecurity resilience.

The authentication piece was a big deal, especially because we're able to roll it out so quickly. Once we start using it to its full potential by using NAC, we can automate a lot of things that we're doing manually. MAC lockdown is one of the big things we have an issue with because I work on the classified network, so we're locking down every end device. It takes up a lot of time. That's one of the biggest things that we're rolling out. I'm not sure what other features we're going to use out of it, but I know that once we get started on it, we'll be a lot more involved with the things that we're going to roll out.

It's really easy in terms of the authentication piece. It's a big help. We've other parts of the network that are not using any authentication at all, which is scary. We've so many separate companies, and I'm hoping that we can start using this for those networks as well.

It has saved us time. We've control on our side, and we're able to add new devices as we deploy them for new buildings and things like that. We're able to give different types of access that our users need to have, which is nice. It has been huge, and then once we start deploying NAC or something like that, that's going to be a game changer for us because that'll free up a lot of time for us. It probably saves at least ten hours a week because especially right now, we're in the phase where we're getting so many new buildings. We're not only turning up new buildings; there are also all the users. So, for every single device, you have to do a MAC lockdown. Sometimes we get spreadsheets listing a ton of PCs that we've to lock down. That just takes forever, especially if you get it wrong or someone has fat fingers and things like that. It'll hopefully eliminate a lot of that too. We won't have the back and forth with other groups for that.

It has helped consolidate tools. We don't have to go outside our own group for the authentication piece. That control is a big deal. On top of that, once we start integrating NAC and other things, it's going to eliminate a lot of manual work.

What is most valuable?

Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key. 

What needs improvement?

Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out. It was a little more cumbersome than I thought.

For how long have I used the solution?

I've been using Cisco ISE for about a year.

How are customer service and support?

For the times that I have interacted with them, they've been pretty good, but I've heard of other stories. Overall, I'd rate them an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using regular TACACS, RSA, etc. I can't remember what they were using on their side because it was more of the infrastructure team that was using this. We would just basically go to them and give them requests. Having control through Cisco ISE is much better.

The reasons for going for Cisco ISE were having that control and having a relationship with Cisco. All of our gears are Cisco. It just made it easier and more compatible. I know there are a lot of other tools that we can take advantage of such as NAC and things like that. We're hoping to do that in the future.

How was the initial setup?

As far as I know, it was fairly easy. We didn't have a lot of problems with it. One of our other guys deployed it. I wasn't with him, but I didn't hear that there were a lot of problems with it, so it was fairly easy. The same guy had deployed it on the unclassified networks, so he had experience with it.

What other advice do I have?

Overall, I'd rate Cisco ISE a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Mehran Reza - PeerSpot reviewer
Engineering Lead at Canadian Broadcasting Corporation
Real User
Jun 19, 2023
Integrates well with other tools, but troubleshooting can be a challenge
Pros and Cons
  • "Cisco ISE integrates with everything else."
  • "Troubleshooting and multi-ISE can be challenging with the solution."

What is our primary use case?

Cisco ISE is on the back end, and all our policies and security are on it. DNS centers and all our network backbone is integrated into Cisco ISE. So, the solution is pretty critical for us.

How has it helped my organization?

Cisco ISE has helped improve our organization security-wise.

What is most valuable?

Cisco ISE integrates with everything else. It forms our security and identity backbone, and all our authentication goes through Cisco ISE. That's why the solution is so important to us.

What needs improvement?

Troubleshooting and multi-ISE can be challenging with the solution.

For how long have I used the solution?

My organization has been using Cisco ISE since 2018.

What do I think about the stability of the solution?

Once configured properly, Cisco ISE shows good stability.

How are customer service and support?

Cisco's TAC is good. Cisco support, in general, is too layered these days. Often we have to repeat the same thing over and over to the TAC guys, which is a bit frustrating. Cisco's TAC needs to be a bit better.

How would you rate customer service and support?

Neutral

What about the implementation team?

Cisco ISE's deployment can take weeks, months, or years depending on how rigidly you adhere to the guidelines and how good your existing infrastructure is.

What was our ROI?

We have seen a return on investment with Cisco ISE from a security point of view.

What's my experience with pricing, setup cost, and licensing?

Cisco ISE's licensing can get pricey.

What other advice do I have?

Sometimes, the Cisco guys disagree about it, but other than that, the Cisco guidelines are clear and concise enough.

Cisco ISE helps to secure our infrastructure from end to end so we can detect and remediate threats. The solution does what it's supposed to do.

Cisco ISE has saved a little time for our organization.

Since Cisco ISE is a more robust solution, it has helped our organization improve its cybersecurity resilience.

Before implementing Cisco ISE, you should look into it in-depth on how it can be used, how it can be integrated with existing tools, and how your staff can be trained to troubleshoot it. The solution has its pitfalls, and when it breaks, it can break heavily. So be aware before you deploy it.

Overall, I rate Cisco ISE a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jeffry Pereira - PeerSpot reviewer
Network Technical Lead at a energy/utilities company with 10,001+ employees
Real User
Jun 18, 2023
Good pricing, easy to give role-based access, and easy to manage
Pros and Cons
  • "For me, the TACACS feature is the most valuable. I have also used Cisco ISE with LDAP, not with Active Directory. That works for me because I prefer LDAP versus Active Directory."
  • "The templates could be better. When you have to do certs, especially with X.500 certs, it isn't very intuitive."

What is our primary use case?

The company's use case for Cisco ISE is switch access. I'm from the high-performance compute side. I'm not the back office IT. I'm what they call GSIT. Their use cases are different but very similar.

How has it helped my organization?

On our side, Cisco ISE has improved cybersecurity resilience. The company uses it for global WAN and other things. We haven't had any issues.

What is most valuable?

For me, the TACACS feature is the most valuable. I have also used Cisco ISE with LDAP, not with Active Directory. That works for me because I prefer LDAP versus Active Directory.

What needs improvement?

The templates could be better. When you have to do certs, especially with X.500 certs, it isn't very intuitive.

For how long have I used the solution?

I've been using Cisco ISE since 2011.

What do I think about the stability of the solution?

After I set it and forget it, upgrading Cisco ISE is the only thing to do.

What do I think about the scalability of the solution?

I've never had a problem with Cisco. Cisco has always scaled well, so it's pretty good.

How are customer service and support?

Initially, it wasn't good, but once I found the right TAC person, it was fine. I had to probably get level three or above, and then I had to get a software developer because the certs didn't initially work properly to give you a special code. I'd rate their support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used OpenRADIUS before. That was open source. I switched because I'm the support for everything. It was easy to support with Cisco ISE.

Role-based access is easy to do with Cisco ISE versus OpenRADIUS. That's because OpenRADIUS is something you have to manage yourself. You have to manage the certs and other things. You have to define the roles yourself for special read access and for certain groups and multi-groups.

The only thing I didn't like at the beginning was that Cisco ISE was limited to how many groups you could use. That problem has been fixed. I haven't run into that problem.

How was the initial setup?

The initial setup was complex. The main part was the certs, especially the X.500 certs with LDAP. Azure Directory is a little bit smoother, but I prefer LDAP.

It's deployed for internal switch access. It's purely for switch access and role-based access.

What about the implementation team?

I deployed it myself.

What was our ROI?

We've seen an ROI.

What's my experience with pricing, setup cost, and licensing?

I get very good pricing from Cisco, so I don't have a problem with that. I also don't have a problem with licensing because we get enterprise or global licensing.

What other advice do I have?

It hasn't helped to free up our IT staff. Our IT staff is already very limited anyway. We've always worked smart and don't work where we don't have to work. For example, in 2019, we were more than 60. There are 14 of us now, and we still do the same amount of work. Cisco ISE hasn't contributed to less workload. We do it with automation. We have a lot of Linux, so we do automation on all of our stuff. 

Overall, I'd rate Cisco ISE an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Buyer's Guide
Download our free Cisco Identity Services Engine (ISE) Report and get advice and tips from experienced pros sharing their opinions.
Updated: July 2026
Buyer's Guide
Download our free Cisco Identity Services Engine (ISE) Report and get advice and tips from experienced pros sharing their opinions.