Cisco Identity Services Engine (ISE) Reviews

We used it mainly for network access control and full stream for devices.

The product is expensive. It would also be a good add-on to have some machine learning.

I have been using Cisco Secure Firewall for one year.

The product is stable.

The solution is scalable.

The initial setup is straightforward.

It's also recommended for clients during deployment. You're making everything very efficiently managed within the policies. The deployment is also very smooth, allowing you to configure your rooms easily. Once the initial setup is done, it becomes straightforward to understand, especially regarding Windows maintenance.

It was deployed to protect the network from unauthorized users but does not contribute directly to operational efficiency.

Cisco ISE doesn't come cheap but it's still valid working.

We recommend it to our customers.

Cisco ISE provides authentication for various applications. It can integrate with other applications to manage access, including Privileged Access Management for those applications. For a comprehensive environment, Cisco ISE should be able to integrate and provide asset management for an IT organization or any organization.

Overall, I rate the solution an eight out of ten.

We use Cisco ISE to authenticate users or devices onto the network and then drop them into the appropriate VLANs to isolate them and maintain network segmentation.

Cisco ISE has been a great tool to segment our traffic and get the users into the right VLANs. It definitely does free up a lot of time from manual configurations.

It has definitely improved our security a lot. We used to be a single flat network, and now, we are a segmented network where we have all our different traffic isolated so that in case we do get a breach, not all the customers are affected.

Cisco ISE has been great for securing our infrastructure from end to end so that we can detect and remediate threats. We've already seen it detect some devices that we didn't know about, and they quarantine those devices, allowing us to take the appropriate security actions against them.

Our IT staff has been freed up for other projects with Cisco ISE because we're able to do a little bit more automated configuration. We just throw out a single configuration to the ports, and then the users get dropped into whatever VLAN they need to be in without us having to go to each site and configure these things manually. On a usual workday, it has freed up at least a couple of engineers for two to three hours.

Our cybersecurity resilience has improved with Cisco. Users are now segmented. We have firewalls in between, so we can take a look at all the traffic. We have quarantine enabled in there so that if we get a device on our network that we don't recognize, we can lock it down.

The feature that I found most valuable is profiling. We use that to profile certain types of devices, and then depending on the manufacturer, drop them into the appropriate VLAN without us having to go in and manually add the devices.

We would definitely like to see a little bit of an improvement in the web GUI navigation. Some of the things are a little bit hidden in the drop-down menu. If we could get a way to get to those quicker, it'd be much more useful.

We've been using Cisco ISE for about three years.

So far, from what we've been using, we haven't had any problems even with any of the additional patches that we've added. It has been great.

Scalability-wise, it's great. We have plenty of space to add additional nodes. Right now, the ones we do have are not being utilized to a hundred percent, so if we ever do need to add additional, it seems pretty straightforward.

Cisco support has been pretty good over the years, helping us get this stuff up and running. It has definitely taken us a while, and some of the cases have been pretty long, but Cisco support has been pretty good. I'd rate their support a nine out of ten.

Positive

We weren't using anything in place of Cisco ISE previously. We were pretty lacking in that department. When we got Cisco ISE, we improved our security significantly.

We went for Cisco ISE based on a suggestion from one of our vendor partners who helped us with our network refresh. They said that Cisco ISE was something that they had used previously in lots of larger deployments, and they had seen great success with it.

I was involved in its deployment. It was pretty straightforward. A lot of the issues that we ran into were related to coordination with the users just because it was a change for them, but the actual deployment and everything else were pretty straightforward.

We used MTT. They were great. They walked us through the whole process. They designed the network refresh for us as well as the Cisco ISE integration portion of it.

We've seen an ROI. We've freed up some hours, so those engineers who were previously doing more mundane tasks are now able to do something else.

I don't know too much about the actual pricing on it. The licensing part is pretty straightforward. It's a lot more simple than some of the other Cisco licensing models. In that aspect, it's great.

Overall, I'd rate Cisco ISE a nine out of ten.

We are on-prem at twelve separate sites with one main node.

We utilize Cisco ISE for authenticating both our employees and residents at our senior care center. We authenticate them either against LDAP or our network.

Cisco ISE provides us with enhanced network access control, allowing us to manage the VLAN assignments for both our residents and employees. Additionally, Cisco ISE enables us to exercise control over the devices permitted to connect to our network.

I am not aware of the extent to which we leverage Cisco ISE to remediate threats, but it serves as our first line of defense for access. It has been extremely beneficial. Our clientele consists of senior residents, and having some level of control over the devices they connect to the network has had a significant impact. 

Cisco ISE has helped to free up the time of our IT team for other projects.

Sometimes, there are instances when Cisco ISE simply fails to function without any apparent reason, and regardless of the investigation we undertake, the logs indicate that everything is functioning properly, making it somewhat inexplicable. However, after a while, it spontaneously begins functioning again. Therefore, I believe it is not a widespread problem, but when it does occur, it can be quite frustrating.

The support specifically for Cisco ISE has room for improvement.

I have been using Cisco ISE for two years, and the company has been utilizing the solution for ten years.

For the most part, Cisco ISE is stable, good, and functional. However, when it fails, we are left clueless as to the reason behind it, and that's the frustrating aspect.

Cisco ISE scales exceptionally well. However, we have encountered issues while updating to the latest version. It is a significant endeavor due to the extensive scope of our deployment. Nevertheless, I believe this challenge is not unique to us; it appears to be primarily related to the scale of the deployment. Currently, we have nearly 15,000 devices.

The times I've had to contact technical support for Cisco ISE, the experience has been somewhat unsatisfactory. I get the feeling that, at least on the surface, they perform tasks that I can do myself, such as reviewing the logs and identifying the issues. Moreover, given the integration of Cisco ISE with various network components, it's difficult to confine troubleshooting solely to that aspect. Therefore, I desire improved support specifically for Cisco ISE. I would rate the support for Cisco ISE as a six out of ten, whereas for other products in their portfolio, it would receive a nine out of ten.

Neutral

I am not aware of the current price for Cisco ISE, but considering it is a Cisco product, it is likely to be quite high. However, I do not have control over the checkbook.

We evaluated Aruba ClearPass, which was something we considered. However, since we are committed to Cisco throughout our infrastructure, we didn't believe it was worthwhile to replace it with another solution without being certain that it would be better than Cisco ISE.

Aruba ClearPass had a slightly better reputation among the people we surveyed in our industry. We frequently compared it to how college campuses manage their systems because our use case is very similar. In terms of functionality, I believe it was mostly the same. The key difference seemed to be the level of stability.

I give Cisco ISE an eight out of ten. Without knowledge of how the other implementations or competing offerings function, I believe Cisco ISE performs admirably in its intended role. Moreover, I am aware that without it, we would encounter significantly greater challenges. Therefore, I consider it to be great.

Our organization utilizes Cisco products extensively, which, in my opinion, is the reason behind the organization's decision to choose Cisco ISE.

I believe we would have a much more open network if it weren't for Cisco ISE. We would be restricted to only using PSKs, and we wouldn't have a true understanding of what our residents are connecting to the network. I think that's likely the most significant aspect of the implementation.

Cisco Identity Service Engine (ISE) is used mostly for endpoints. If you want to know the profiling and what endpoints are connecting to your company, then ISE is a good solution because it has built-in signatures. Therefore, it knows what kinds of devices are getting added into the network.

You can install it with any cloud provider, e.g., AWS or Azure.

You can install ISE locally. If your site is critical, like in manufacturing, you need to make sure that ISE is a part of the local site. Usually, people install data centers, but you can also install at critical sites.

One of the advantages is that you can easily find rogue endpoints. For example, if you don't want to allow any endpoints where you don't know the people plugging into what kind of devices, ISE can give you a big, clear picture, e.g., what kind of endpoints are getting connected to your network. That is one of the advantages.

From our company perspective, or any company perspective, you need to be PCI compliant and follow HIPAA laws. Therefore, ISE is really instrumental from a cybersecurity perspective. You need to comply if you are PCI compliant and utilizing credit card transactions. ISE can help you become compliant from that perspective.

There is a new trend: a zero-trust kind of architecture. If a company really wants to improve their security, ISE can upscale the security in their network by creating an access policy. This ensures that if the device is not allowed to access something then ISE won't let that device access that resource. This is mostly for segmentation security.

Cisco could improve the GUIs on their hardware.

I have been using Cisco ISE for about seven or eight years.

The stability is good.

You can scale your ISE. You can use ISE for a company of any size: for a small company, a mid-size company, or a large company. ISE can be installed in a cluster-distributed environment. Thus, there is a lot of scalability and resiliency when using ISE.

I would rate the scalability as eight or nine out of 10.

Cisco support is awesome. I would rate them as eight or nine out of 10.

Positive

We did not previously use another solution.

Initially, it is always challenging. Once you get the gist of the deployment, it becomes normal and straightforward afterwards.

Definitely make sure you install ISE in a distributed fashion. Make sure there is a lot of high availability. Otherwise, if your ISE goes down, then you won't be able to authenticate your endpoint. It is better to install ISE in a high availability solution.

We have definitely seen ROI as we are getting compliant. When you are compliant, you get fewer fines from PCI and those types of organizations. 

It is not that pricey.

We have Zscaler, but it is not operating in the same zone as ISE.

Use ISE if you want to build more resilience within your organization.

I would rate the solution as eight or nine out of 10.

We use it for wired .1x, wireless authentication, VPN, and multi-factor authentication. We wanted to have a consistent experience for authentication and authorization of endpoints across the network, as well as security.

As a water utility organization, we're considered critical infrastructure by the feds. Everyone needs water. So it's important for us to protect our industrial control systems, our SCADA systems. ISE helps us do that by segmenting them off from the rest of the network.

And by eliminating trust, it helps us with audits, including CJIS because we have a law enforcement division, and trying to conform to the NIST standards. A lot of government agencies are becoming more familiar with the Zero Trust model and ISE makes our audits go a lot faster and a lot smoother than they used to.

The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket.

In addition, ISE really adopts and is strong in the Zero Trust model where we consider everybody a foreign endpoint until they prove they belong on the network. ISE just seems to be built from the ground up to do that, whereas with other solutions, you have to "shoehorn" that in.

I also rate it pretty highly for securing access to our applications and network. If you have the good fortune of being a total Cisco shop, you can utilize SGTs, end to end, across the network. It can be a little tricky to get working, but once it does, it creates quite a consistent experience for any endpoint, even if it moves anywhere in the network.

I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself.

I've been using Cisco ISE (Identity Services Engine) for 10 years.

Now, the stability is pretty good. I've been working on it since the product launched and it was a bit sketchy. Its current state is really good right now.

The only thing we have run into was a bug when we ran virtual appliances, but that turned out to be an issue with our storage networking QoS policies. That wasn't really an ISE problem, it was more of a storage problem.

In terms of supporting a distributed network, it's pretty powerful. You can stand it up and cluster it and it scales out pretty well. You can put nodes wherever you want to service authentication requests. We're able to scale up or out and we can choose how and when we do that with either virtual or physical machines, meaning it's very flexible. 

It scales quite well. One of the things that Cisco is good at is keeping things pretty simple when you want to scale it. If you want to scale up, you get stronger admin and monitoring nodes. If you want to scale out, you get more policy service nodes. It's quite easy to stand them up, really anywhere, if you use virtuals.

We use it around our Fort Worth campus, which has about half a dozen buildings. By the end of the summer, we'll have it deployed to all of the rest of our five campuses. We have about 30 remote locations across 12 counties in North Texas and they're all using ISE. It works out pretty well.

We have it on-prem right now, but we are moving to a hybrid cloud platform on Azure for a lot of our applications, so we're starting to do proofs of concept with ISE in Azure.

TAC is pretty good. I would definitely suggest getting their solution support, which provides higher maintenance. That way, when you do get someone, you get someone who knows what they're doing. If you get the higher level of support, you get some really smart people who can fix things pretty quickly.

Positive

We used to use Aruba ClearPass. It was somewhat clunky to use and it didn't integrate well with third-party platforms. If you used Aruba, it worked great. If you didn't use Aruba, and were pointing things at ClearPass, it had some issues. We found that ISE typically handled things a little bit better. We could point anything at ISE and take care of it.

The initial deployment was pretty straightforward. It's very simple to just turn the box on and plug into it. You go through a couple of settings and then you can log in to the GUI and pull in all the other nodes that you want.

After the gear came in, it took us about a day to deploy it. I started by implementing it at the local campus. That way, if I broke anything, I could just walk down the hall and not have to drive anywhere.

I stood up the first cluster, and then it was another engineer and me who worked on deploying it out to all the buildings. We started out in monitor mode, to see what it would do if we had turned it on. Once we had remediated anything that looked like it was authenticating incorrectly on the wired network, we went to closed mode and that's where we are now.

Return on investment falls in line with the business vision of securing our resources and protecting them against cyber attacks and nation-state attacks. It's hard to put a monetary value on clean water.

Licensing is a disaster. It's a mess and I hope they fix it soon.

In addition to ClearPass, we looked at Forescout. At the time we looked at Forescout, it was more of an inline product and we weren't looking to add more infrastructure between parts of the network to try to do inline authentications. It seemed easier to do it on the switch ports and have them talk to ISE.

It's a very strong platform, especially now that we're on version 3.1. It's definitely my go-to. I would recommend it over any other NAC platform.

It requires a lot of technical knowledge to actually get it off the ground and running. It's not quite as intuitive as it could be, but it's still a solid platform.

We are using it in-house for phone profiling and for users' computer authentication needs.

The policy and segmentation that we use are currently based on the users and their domains. Let's say different domains, such as HR or finance and procurement. We have policies where users are assigned VLANs or specific requirements and are directed to corresponding policies where services are activated. They have access to specific services based on their domain or vertical.

Many Cisco ISE features are good. It offers automatic profiling of phones and computers, enabling administrators to identify and categorize devices seamlessly. Additionally, Cisco ISE can block anonymous devices attempting to connect to the network. This includes unauthorized attempts from non-domain computers or users trying to obscure their identity to gain network access. Cisco ISE ensures such attempts are thwarted by enforcing full identification authentication.

I struggled with spoofing, specifically the max spoofing feature, which I believe has started working after version 3. Before that, it was not that effective. They could incorporate some AI features.

I have been using Cisco ISE for over three years.

The product is stable.

I rate the solution’s stability a out of ten.

Scalability is also good. I haven't seen any problem because I currently have a new deployment for the ISE and other branches. Getting an integrated access setup is easy, and scalability is also fine. Initially, the scale upon the licensing part and that sizing is low. ISE's existing policies pretty much work very well. There are no significant changes you have to make.

We have more than a thousand users using this solution.

ISE support is good.

The initial setup is straightforward. They are very easy to manage and not complicated at all.

We have received all our files from the client and deployed them. Currently, we are using single active nodes. We have one Primary Admin Node, which is active, and one Policy Service Node. We don't have a secondary admin node for administrative purposes. We have an active operational node. The deployment is pretty simple. You download the file from Cisco, import it into your Cisco ISE, and follow the prompts to set it up based on your requirements, including IPs, basic security needs, DNS servers, etc. Once the initial setup is complete, you can begin creating policies.

Cisco ISE protects your environment from potential physical attacks. This ensures that your environment and users are fully safe, thus enhancing your overall security posture as a first line of defense.

We don't have the full license. An enterprise license includes Apex and device management. We secured it for one of our new branches where the deployment will start. We have a full enterprise license, including Apex and device management, to cut costs.

The problem is we have a team of five. I look into the security and infrastructure part.

Integrating Cisco ISE depends on the specific products you're working with. Each integration may present unique challenges that require individualized solutions. There isn't a one-size-fits-all checklist for potential issues.

They were looking to protect their assets, such as devices, from somebody. If they have an environment exposed to users who frequently come to their office, and it's not a very closed environment, then Cisco ISE is very much required. It's the first place where the attack starts. From a risk and compliance perspective, ISE is essential.

Overall, I rate the solution an eight out of ten.

We primarily use Cisco ISE as a network access control solution. We do a lot of quarantine actions from our CSOC. We use the AnyConnect VPN by setting multiple deployments for dedicated purposes, where we use it to provide wireless.

Cisco ISE has brought a level of visibility that my organization hadn't had beforehand. At the same time, it has mitigated a lot of potential attack factors and brought in a sense of control in the hardware during the onboarding process.

I found the CMDB Direct Connect in Cisco ISE 3.2 the most promising feature for my use case. We have a lot of wired map devices and having an externally approved source to validate if a machine is legitimate or approved to be on the network is extremely valuable for us. It helps make the whole process of authorizing endpoints quick.

Cisco ISE's real-time data analytics for database logging could be improved. Earlier, you didn't have direct read access to the database. You'd have to rely on logs through some other sources like Splunk and be able to put everything that you want together. Being able to review logs in real-time, customized to your filtering, adds a lot of context and visibility.

I have been using Cisco Identity Services Engine for about four and a half years.

I do not like the stability of Cisco ISE in the virtual environment. That might have been more of an underlying host issue rather than an ISE issue. But we've moved to hardware right now, and I wouldn't have looked back. The next place we're looking to explore is potentially in the cloud, but that's still up in the air because our environment is not small. We're one of the larger 700,000-plus endpoints.

Cisco ISE's scalability is nice. However, not many people can deploy Cisco ISE in a very large environment. In other words, there are no large environments that are hitting around 100,000 plus clients for active concurrent sessions. If you're trying to create multiple deployments to distribute the workload evenly, I don't like that there's no centralized management platform for Cisco ISE. You still have to go into each deployment and do your configuration.

From my account team, I rate Cisco ISE's technical support ten out of ten. However, from a tech perspective, if I'm talking to tech level one, tech tier one, or tech tier two, I'd have to give it a six out of ten. Once you start getting into the more advanced tiers and even the business units, the support goes through the roof.

Positive

I've always worked with Cisco ISE. However, in my organization, there's another part of my infrastructure where they use Forescout. The way Forescout implements a NAC solution differs vastly from how Cisco ISE does it. The way Cisco ISE does it is more ingrained in the whole radius process and enhances the security features on a switch or wireless line controller.

Our organization chose to go with Cisco ISE instead of Forescout because, holistically, the solution checked all the boxes needed for a NAC solution.

I was not involved in our organization's first iteration of Cisco ISE. We've since migrated and modernized our Cisco ISE deployment, and I've been heavily involved in that. 

The ease of deployment depends on the environment you're deploying in, understanding what use cases you have out there, and understanding what kind of endpoints you're exposed to or exposing your network.

Overall, Cisco ISE's initial setup is not overly complicated right now. But since our organization is moving into a multi-vendor or managed services contract, we're bringing in many vendors like Meraki, Juniper Mist, Aruba, and Fortinet. That's when things get complicated because they don't all use the same type of authorization results.

We implemented Cisco ISE in our organization directly through Cisco. My experience with Cisco has been phenomenal because they listen. We've run into many technical issues, but they've been at our beck and call and have been there to support us to a point where they've rushed certain fixes. We've had a couple of engineering specialits because of things we've encountered. They worked hard for us.

The product is positive regarding a return on investment, considering the cost we're bringing in for Cisco ISE's deployment versus the value we're adding to the environment.

According to my sales and account team, the prices we're getting are pretty good. I wouldn't say they're the manufacturing or listed price by any means, but we do a lot of business with them. So the price points that they're coming in at are pretty manageable.

When it comes to securing our infrastructure from end to end so that we can detect intermediate threats, a lot of it has to do with integrating Cisco ISE with other products. For example, Cisco ISE primarily deals with either the access layer or remote connections. However, when you start integrating it with other things like titration or secure network analytics, you can get a bigger grasp of the overall picture. When you bring other security teams into it, they can start creating their policies, alerts, etc. They can start automating some of the incident mitigations and stuff like that.

My use case is a little bit different in that there's no end to our work. There are a lot of other business groups within my organization that aren't complying with what the network security policy should be. So I have to reach out to them and get them to use a dot1x protocol or ensure that their stuff is in our CMDB database.

We're in a big migration and shift in our overall security policy. So there's a lot of moving aspects going on right now. However, as we start getting things moved into an MDM, as we start getting things moved into using a dot1x protocol, we can get an active identity of an endpoint.

Cisco helps reduce the amount of staff we have to chase down and figure out what kind of policies should be implemented. We can then incorporate our onboarding process into that, preventing unauthorized devices from connecting in or at least be reassured that if anything that we haven't had any chance to look at connects in, we can deny it with confidence. Down the road, it'll alleviate a lot of the time and planning we're doing right now.

My organization is a bit different. I've tried to get them onto the posture feature of Cisco ISE, but they're pursuing other vendors for that. We've decided to incorporate through a pxGrid integration with other applications such as Tanium, Forescout, or whatever application my security organization uses. They can pull contacts from the Cisco ISE endpoint and then be able to issue a quarantine action to Cisco ISE on that particular endpoint.

Overall, I rate Cisco ISE ten out of ten.

We use Cisco ISE for device administration with TACACS.

It's a very critical system. It is one of the most critical systems that we have.

With TACACS, we use it for endpoints like computers, devices, and network access. As a device admin, we use it to cater to users who use routers and switches.

It is a good product for what it does. I don't have a similar experience with other solutions.

The solution cannot be deployed on the cloud yet, and that is one of the things I would like to test. Also, I want to have a couple of VMs integrated with the solution.

I have been using Cisco Identity Services Engine for about six to seven years.

We contact support when there are problems. We take care of small things on our own. When we call for support, we need someone more experienced than us. Usually, that's a challenge. It takes days to get to the right people.

How long it takes to resolve an issue after getting to the right person is something that depends on the issue. If you get to the right person quickly, then it will be quick, but sometimes you have to keep escalating it. Within Cisco's team, they will have to go to someone who has answers to everything. Considering Cisco has a way of identifying issues that they have already worked on when I call them, it's as if I'm reporting that issue for the first time. 

I'm pretty sure other customers have reported the same problems before but it reflects as a new issue. Then you find out later that there was a bug in it. That means other customers have had the same issue. Cisco actually knows about the issue, and they have provided guidance for it. It takes time. Somehow, within Cisco, maybe AI is the way to go. It is better to make available quick customer service, especially if it is a known issue so that we can get a resolution or work around quickly.

The initial setup process is complex since there are so many big components. It depends on a lot of other systems starting from the device to the end user. That's quite complex. Also, if something goes wrong, it is challenging since it needs someone who knows about the endpoints to get things right.

Hardware appliances are expensive. The license pricing was good when it was perpetual. But now they have migrated into DNA-styled licensing. We haven't bought the new licensing yet because we migrated from the old licensing to the new licensing model. At some point, we'll have to buy the licenses. The license pricing was fair. Now moving to DNA-styled licensing, we have subscription-based licensing for everything. I hope it will continue to be fair, but we will have to wait and see.

We did not look for other solutions in the market. We went straight with Cisco.

We don't consider switching to another product. Cisco Identity Services Engine is the best in the market. The solution is the best for the things that we use.

Whether in terms of user experience, user interface, ease of use, and things like that, if I was to speak about something specific that I really value about the solution, I would say that upgrade processes are not simple. It's easier to just restore the state by going through the steps for the upgrade. We also use VMs and a couple of hardware appliances since sometimes we run into certain issues that nobody knows about. We've had a couple of incidents that were challenging. Cisco blamed it on VM infrastructure, while our VM team blamed Cisco. We were stuck in the middle. We had to re-provision a couple of things. All this was because sometimes it is buggy.

It hasn't really helped free up my IT staff for other projects. 

It helped my organization improve its cybersecurity resilience by making sure that untrusted devices are not connected to the network and only trusted devices get connected.

To those planning to use the product, I would say that it's a good product. You must plan ahead, test thoroughly, and do it step by step. Don't try to migrate everything at once. It is an overall good product.

I rate the overall product an eight out of ten.