Cisco Identity Services Engine (ISE) Reviews

We are on-prem at twelve separate sites with one main node.

We utilize Cisco ISE for authenticating both our employees and residents at our senior care center. We authenticate them either against LDAP or our network.

Cisco ISE provides us with enhanced network access control, allowing us to manage the VLAN assignments for both our residents and employees. Additionally, Cisco ISE enables us to exercise control over the devices permitted to connect to our network.

I am not aware of the extent to which we leverage Cisco ISE to remediate threats, but it serves as our first line of defense for access. It has been extremely beneficial. Our clientele consists of senior residents, and having some level of control over the devices they connect to the network has had a significant impact. 

Cisco ISE has helped to free up the time of our IT team for other projects.

Sometimes, there are instances when Cisco ISE simply fails to function without any apparent reason, and regardless of the investigation we undertake, the logs indicate that everything is functioning properly, making it somewhat inexplicable. However, after a while, it spontaneously begins functioning again. Therefore, I believe it is not a widespread problem, but when it does occur, it can be quite frustrating.

The support specifically for Cisco ISE has room for improvement.

I have been using Cisco ISE for two years, and the company has been utilizing the solution for ten years.

For the most part, Cisco ISE is stable, good, and functional. However, when it fails, we are left clueless as to the reason behind it, and that's the frustrating aspect.

Cisco ISE scales exceptionally well. However, we have encountered issues while updating to the latest version. It is a significant endeavor due to the extensive scope of our deployment. Nevertheless, I believe this challenge is not unique to us; it appears to be primarily related to the scale of the deployment. Currently, we have nearly 15,000 devices.

The times I've had to contact technical support for Cisco ISE, the experience has been somewhat unsatisfactory. I get the feeling that, at least on the surface, they perform tasks that I can do myself, such as reviewing the logs and identifying the issues. Moreover, given the integration of Cisco ISE with various network components, it's difficult to confine troubleshooting solely to that aspect. Therefore, I desire improved support specifically for Cisco ISE. I would rate the support for Cisco ISE as a six out of ten, whereas for other products in their portfolio, it would receive a nine out of ten.

Neutral

I am not aware of the current price for Cisco ISE, but considering it is a Cisco product, it is likely to be quite high. However, I do not have control over the checkbook.

We evaluated Aruba ClearPass, which was something we considered. However, since we are committed to Cisco throughout our infrastructure, we didn't believe it was worthwhile to replace it with another solution without being certain that it would be better than Cisco ISE.

Aruba ClearPass had a slightly better reputation among the people we surveyed in our industry. We frequently compared it to how college campuses manage their systems because our use case is very similar. In terms of functionality, I believe it was mostly the same. The key difference seemed to be the level of stability.

I give Cisco ISE an eight out of ten. Without knowledge of how the other implementations or competing offerings function, I believe Cisco ISE performs admirably in its intended role. Moreover, I am aware that without it, we would encounter significantly greater challenges. Therefore, I consider it to be great.

Our organization utilizes Cisco products extensively, which, in my opinion, is the reason behind the organization's decision to choose Cisco ISE.

I believe we would have a much more open network if it weren't for Cisco ISE. We would be restricted to only using PSKs, and we wouldn't have a true understanding of what our residents are connecting to the network. I think that's likely the most significant aspect of the implementation.

I am head of the IT infrastructure for a company. My company is a manufacturing company, based out of India. My company has between 3,000 to 5,000 users. 

Our solution is completely on-prem.

The domain under which my company works puts a lot of importance on cybersecurity. Our management gave us clear instructions that there should be an environment where there are zero trust policies applied.

We explored various solutions that could bring in zero trust. The first level of zero trust that we wanted to bring in is a zero trust network.

We reached out to Cisco at that time, and they told us about the things that can be done around the software-defined access and the integration of Cisco ISE. And that was the time when we started doing a lot of POCs to see which use cases we could use for it. That was when we got in touch with Cisco and they told us that this would offer us network-level zero trust. 

When I say zero trust architecture, the first thing is that we wanted to have a network authentication done on a certificate basis. That was the first use case, where the only versions in the network that have a domain-based certificate could be allowed to join my network. My enterprise network should not allow anybody from outside. That was the first use case. 

The second use case was that we had to do the posturing of my endpoints. I wanted to ensure that those which are connected to my network have proper antivirus and software installed, and the operating system is permissible. That is where we started to do the posturing part of it. 

The third use case is around the access part of it. We have multiple departments in our company, and we wanted to restrict the access of particular user groups to particular IT applications. 

The first benefit is that we can implement zero trust architecture because of Cisco ISE. I can assure my CISO in my company that my network is such that nobody can just bring in their laptop, desktop, or any sort of mobile device and can directly get connected to my network. That is a benefit that I can only allow people who I trust on the network. 

I can only allow the people who I trust on the network. When an infected machine comes into the network, there is a very high chance that infection will travel laterally. Since I do the posturing part of it, I know that I'm not allowing anything in that is not safe.

It certainly has helped enhance my company's resilience.

Posturing is the most valuable feature. There are other tools available that can do some of their other features, like network authentication. The posturing was something because of the nature of the industry that we are in. There are people who go outside for work. Their machines are at times not in the network, and not patched properly. We don't know when they're going to come back, whether it is in a good state, whether it has antivirus, whether it's installed on those machines. Posturing is something that we have made our baseline policy that whenever a machine comes back to our network, it should have a certain level of the operating system and a level of security and antivirus installed. 

We couldn't have done this posturing without Cisco ISE. This is its greatest feature.

It does help me to detect and remediate my network. It enables me to detect any external threat that comes to my network and remediate. If a machine comes into my network that does not qualify per my baseline policy, I have a policy that the machine gets redirected to where it can be patched and remediated. I can ensure that it is fully patched and secure. 

The entire idea of having ISE is to enhance cybersecurity resilience. The zero trust architecture was coined by the cybersecurity team itself. It was a task given to us in the infrastructure space to see how we can bring resilience into the cybersecurity network and ISE was the solution. 

Cisco ISE integration with Cisco ACI is something that can be done in a less complex way. And the simplification in that area may help us do better. 

We started adopting Cisco a couple of years back. 

The stability is good. It is a cybersecurity product. It needs a lot of fine-tuning but that is part and parcel of the requirement. New things are coming, new technologies are coming, new softwares are coming but it is more or less stable.

It is a very scalable product. The deployment of Cisco is completely contingent on the number of endpoints that we have. It's just a matter of buying a license and uploading it. So scalability is not a problem at all. 

Cisco has very good partner support, and they're in their own support. I noticed that the first level of defense always comes from the partner ecosystem that Cisco has built. There are many partners we work with along with Cisco. Any time we are stuck, these partners are available for the first level of support.  

Any time we are stuck with anything, these partners are there as the first level of support. We get L1 level of support. When we feel that there is an issue that needs to be escalated to L3, Cisco TAC is always available. We have very good engagement with Cisco enterprise teams and the account directors. We do have dedicated people who work with us on the Cisco team. We always have their support any time something needs to get escalated. 

I would rate Cisco support an eight or nine out of ten. We have seen a lot of cases in the last ten years where any time we needed to get their support we could get it. We also have a customer support team who works with the backend tech team to ensure that we get whatever help we need on time.

Positive

We have been a Cisco shop for more than twenty years now. Cisco is a company that we can trust in every aspect of the work that we do together. Cisco is our partner for everything we do on the network.

We are very observant of the kind of solutions Cisco provides us. It is feature-rich. It is very easy to implement. There is longevity there. Our first choice is to go directly to Cisco.

In the cybersecurity space, return on investment is something that is very difficult to justify. ISE is something that is a pure network cybersecurity resiliency solution. 

I can definitely assure my management that by implementing this, we are good in the overall cybersecurity posture. 

Cisco is not cheap. Cisco is something that comes at a cost. There are various products in the market that compete with Cisco and are 30-40% cheaper and they offer 60-70% of the features that Cisco offers. 

The differentiator is the kind of engagement that Cisco offers the customer. They will prove the value, what we call the PoV. The PoV value is very good. 

Pricing-wise, they are premium. Licensing is something that is conducive. I feel that the licensing that Cisco offers is flexible.

We have an enterprise agreement as far as the licensing is concerned. There are various benefits where I can use any Cisco solution.

There are various dimensions to cybersecurity. The first thing is how you enter a network and what you do with particular use cases. My recommendation would be to focus on north-south traffic. That is what is coming from outside to inside through a normal network plane. You should also be vigilant about what your internal users bring in from the outside. My advice would be that you have to be vigilant not only from the outside traffic, but you have to be wary about the traffic that internal users bring in. 

When it comes to zero trust architecture, specifically for network authentication, this is one of the tools to go for. I would rate Cisco ISE an eight out of ten because of the ease of deployment and the support. 

We primarily use Cisco ISE as a network access control solution. We do a lot of quarantine actions from our CSOC. We use the AnyConnect VPN by setting multiple deployments for dedicated purposes, where we use it to provide wireless.

Cisco ISE has brought a level of visibility that my organization hadn't had beforehand. At the same time, it has mitigated a lot of potential attack factors and brought in a sense of control in the hardware during the onboarding process.

I found the CMDB Direct Connect in Cisco ISE 3.2 the most promising feature for my use case. We have a lot of wired map devices and having an externally approved source to validate if a machine is legitimate or approved to be on the network is extremely valuable for us. It helps make the whole process of authorizing endpoints quick.

Cisco ISE's real-time data analytics for database logging could be improved. Earlier, you didn't have direct read access to the database. You'd have to rely on logs through some other sources like Splunk and be able to put everything that you want together. Being able to review logs in real-time, customized to your filtering, adds a lot of context and visibility.

I have been using Cisco Identity Services Engine for about four and a half years.

I do not like the stability of Cisco ISE in the virtual environment. That might have been more of an underlying host issue rather than an ISE issue. But we've moved to hardware right now, and I wouldn't have looked back. The next place we're looking to explore is potentially in the cloud, but that's still up in the air because our environment is not small. We're one of the larger 700,000-plus endpoints.

Cisco ISE's scalability is nice. However, not many people can deploy Cisco ISE in a very large environment. In other words, there are no large environments that are hitting around 100,000 plus clients for active concurrent sessions. If you're trying to create multiple deployments to distribute the workload evenly, I don't like that there's no centralized management platform for Cisco ISE. You still have to go into each deployment and do your configuration.

From my account team, I rate Cisco ISE's technical support ten out of ten. However, from a tech perspective, if I'm talking to tech level one, tech tier one, or tech tier two, I'd have to give it a six out of ten. Once you start getting into the more advanced tiers and even the business units, the support goes through the roof.

Positive

I've always worked with Cisco ISE. However, in my organization, there's another part of my infrastructure where they use Forescout. The way Forescout implements a NAC solution differs vastly from how Cisco ISE does it. The way Cisco ISE does it is more ingrained in the whole radius process and enhances the security features on a switch or wireless line controller.

Our organization chose to go with Cisco ISE instead of Forescout because, holistically, the solution checked all the boxes needed for a NAC solution.

I was not involved in our organization's first iteration of Cisco ISE. We've since migrated and modernized our Cisco ISE deployment, and I've been heavily involved in that. 

The ease of deployment depends on the environment you're deploying in, understanding what use cases you have out there, and understanding what kind of endpoints you're exposed to or exposing your network.

Overall, Cisco ISE's initial setup is not overly complicated right now. But since our organization is moving into a multi-vendor or managed services contract, we're bringing in many vendors like Meraki, Juniper Mist, Aruba, and Fortinet. That's when things get complicated because they don't all use the same type of authorization results.

We implemented Cisco ISE in our organization directly through Cisco. My experience with Cisco has been phenomenal because they listen. We've run into many technical issues, but they've been at our beck and call and have been there to support us to a point where they've rushed certain fixes. We've had a couple of engineering specialits because of things we've encountered. They worked hard for us.

The product is positive regarding a return on investment, considering the cost we're bringing in for Cisco ISE's deployment versus the value we're adding to the environment.

According to my sales and account team, the prices we're getting are pretty good. I wouldn't say they're the manufacturing or listed price by any means, but we do a lot of business with them. So the price points that they're coming in at are pretty manageable.

When it comes to securing our infrastructure from end to end so that we can detect intermediate threats, a lot of it has to do with integrating Cisco ISE with other products. For example, Cisco ISE primarily deals with either the access layer or remote connections. However, when you start integrating it with other things like titration or secure network analytics, you can get a bigger grasp of the overall picture. When you bring other security teams into it, they can start creating their policies, alerts, etc. They can start automating some of the incident mitigations and stuff like that.

My use case is a little bit different in that there's no end to our work. There are a lot of other business groups within my organization that aren't complying with what the network security policy should be. So I have to reach out to them and get them to use a dot1x protocol or ensure that their stuff is in our CMDB database.

We're in a big migration and shift in our overall security policy. So there's a lot of moving aspects going on right now. However, as we start getting things moved into an MDM, as we start getting things moved into using a dot1x protocol, we can get an active identity of an endpoint.

Cisco helps reduce the amount of staff we have to chase down and figure out what kind of policies should be implemented. We can then incorporate our onboarding process into that, preventing unauthorized devices from connecting in or at least be reassured that if anything that we haven't had any chance to look at connects in, we can deny it with confidence. Down the road, it'll alleviate a lot of the time and planning we're doing right now.

My organization is a bit different. I've tried to get them onto the posture feature of Cisco ISE, but they're pursuing other vendors for that. We've decided to incorporate through a pxGrid integration with other applications such as Tanium, Forescout, or whatever application my security organization uses. They can pull contacts from the Cisco ISE endpoint and then be able to issue a quarantine action to Cisco ISE on that particular endpoint.

Overall, I rate Cisco ISE ten out of ten.

The primary use case of Cisco Identity Services Engine (ISE) is to serve as a security solution that can specify the endpoints in an organization for segmentation. This involves defining the reachability domain for each endpoint in an organization. 

It automates pushing access lists or authorizations and offers profiling to define and manage endpoints. It provides profiling to help organizations define the type and points of the endpoints, building security rules, and providing health checks to ensure endpoints comply with rules.

The solution offers automation and real-time visibility, which aids in monitoring and troubleshooting issues with endpoints. 

The product provides feedback about the network based on endpoint behavior, assisting in understanding the network's current state.

The solution is integrated with other Cisco devices and can offer automation for an organization, making deployments more dynamic and providing real-time visibility. It gives feedback on what is happening within the network and assists mostly with troubleshooting. 

Additionally, it's considered highly reliable and scalable.

The licensing scheme is complex and could use enhancement to provide more options. Pricing can be more expensive compared to other vendors, and there is a significant price gap observed, which doesn't seem justified by some specific features. The complex licensing schema and the need for improvement in pricing are primary areas for improvement.

The Cisco Identity Services Engine (ISE) has been deployed for a long time in various environments.

Cisco Identity Services Engine (ISE) is considered very reliable and stable. Although it is not one hundred percent reliable theoretically, in practice, it offers great reliability.

The solution is described as very scalable, and there are minimal issues with scalability.

Sometimes it's challenging to identify which support team is responsible for certain issues, which is a significant concern.

Positive

Setup is not about deploying ISE itself, but rather about managing the number of switches and endpoints in the organization. After initial deployment, routine upgrades and backups are part of the normal process.

A specific implementation team is not mentioned, but deployment complexity varies depending on the organization size and manpower available.

Cisco ISE is more expensive but covers a lot of features. The pricing scheme could be improved. Compared to other solutions like HPE ClearPass, Cisco is more costly, and the conversation suggests a possible forty percent price gap compared to competitors.

Detailed mentions of other solutions include HPE ClearPass and Fortinet. However, these are mentioned for comparison purposes rather than as alternatives considered before using Cisco ISE.

It is suggested to keep the review anonymous and refrain from making personal information public.

I'd rate the solution eight out of ten.

Cisco Identity Service Engine (ISE) is used mostly for endpoints. If you want to know the profiling and what endpoints are connecting to your company, then ISE is a good solution because it has built-in signatures. Therefore, it knows what kinds of devices are getting added into the network.

You can install it with any cloud provider, e.g., AWS or Azure.

You can install ISE locally. If your site is critical, like in manufacturing, you need to make sure that ISE is a part of the local site. Usually, people install data centers, but you can also install at critical sites.

One of the advantages is that you can easily find rogue endpoints. For example, if you don't want to allow any endpoints where you don't know the people plugging into what kind of devices, ISE can give you a big, clear picture, e.g., what kind of endpoints are getting connected to your network. That is one of the advantages.

From our company perspective, or any company perspective, you need to be PCI compliant and follow HIPAA laws. Therefore, ISE is really instrumental from a cybersecurity perspective. You need to comply if you are PCI compliant and utilizing credit card transactions. ISE can help you become compliant from that perspective.

There is a new trend: a zero-trust kind of architecture. If a company really wants to improve their security, ISE can upscale the security in their network by creating an access policy. This ensures that if the device is not allowed to access something then ISE won't let that device access that resource. This is mostly for segmentation security.

Cisco could improve the GUIs on their hardware.

I have been using Cisco ISE for about seven or eight years.

The stability is good.

You can scale your ISE. You can use ISE for a company of any size: for a small company, a mid-size company, or a large company. ISE can be installed in a cluster-distributed environment. Thus, there is a lot of scalability and resiliency when using ISE.

I would rate the scalability as eight or nine out of 10.

Cisco support is awesome. I would rate them as eight or nine out of 10.

Positive

We did not previously use another solution.

Initially, it is always challenging. Once you get the gist of the deployment, it becomes normal and straightforward afterwards.

Definitely make sure you install ISE in a distributed fashion. Make sure there is a lot of high availability. Otherwise, if your ISE goes down, then you won't be able to authenticate your endpoint. It is better to install ISE in a high availability solution.

We have definitely seen ROI as we are getting compliant. When you are compliant, you get fewer fines from PCI and those types of organizations. 

It is not that pricey.

We have Zscaler, but it is not operating in the same zone as ISE.

Use ISE if you want to build more resilience within your organization.

I would rate the solution as eight or nine out of 10.

We use Cisco ISE to set different policies for various profiles. For example, someone on their own device has a different set of policies and postures than a person on a company machine. 

Currently, we are using Cisco's dictionary for both device and user authentication. When I say "device authentication," I mean we authenticate users who access network devices. 

We consider the running policy when users want to access a data center server. The user is forwarded to the ISE servers to be authenticated, and they're given a password defined on the ISE for them according to the policy.

We have two virtual servers with different rules. For example, one is used to authenticate and audit, and the other to authorize and authenticate. And since most of our centers don't support full ISE integration, we use only some features. That means not all our users are not authenticated via the ISE.

It's easy to change and add policies.

Some of ISE's features need to be more agile. For example, we couldn't integrate our data because Cisco needs your data to be in its own format.

We implemented Cisco ISE about a year ago.

We have capacity limitations with retail, and we aren't integrating ISE for all the users. We have about 2,000 end-users that need to be integrated, and we added the entire thing to about 1,000 devices.

I rate Cisco support eight out of 10. We initially had difficulty integrating ISE with another solution we use from Huawei. We deleted the existing profiles defined on ISE and lost our definitions and profile features that were there before. We ordered the platform through these resellers, but they haven't been helpful, so we get more support from Cisco. They are very good.

Positive

Setting up this solution wasn't that difficult for me because I was involved with all of these projects. We implemented everything last year and deployed a portion of the modules integrated into our environment. It wasn't that difficult to install and apply to get these permissions.

A contractor came to help us deploy everything as part of the bank's data center solution. Since then, I have installed one of the components that we deployed at the time. It was a local tech company that got the platform given to them. That's how they got everything implemented with it together.

The return on investment depends on how you utilize the solution. We haven't utilized it well thus far, so I would rate it four or six out of 10.

There is a limit on the number of nodules supported. The number of users per license is limited to around 2,000, so the license price should be adjusted to take these limitations into account or we should be allowed to add more users to the same devices.

We use ISE because most of our networking devices are from Cisco, including the VIRL lab. I have to compare other vendors, but I don't think the cost difference is so much that I would switch solutions. 

I rate Cisco ISE eight out of 10. It works fine in our experience. 

We use Cisco ISE for device administration with TACACS.

It's a very critical system. It is one of the most critical systems that we have.

With TACACS, we use it for endpoints like computers, devices, and network access. As a device admin, we use it to cater to users who use routers and switches.

It is a good product for what it does. I don't have a similar experience with other solutions.

The solution cannot be deployed on the cloud yet, and that is one of the things I would like to test. Also, I want to have a couple of VMs integrated with the solution.

I have been using Cisco Identity Services Engine for about six to seven years.

We contact support when there are problems. We take care of small things on our own. When we call for support, we need someone more experienced than us. Usually, that's a challenge. It takes days to get to the right people.

How long it takes to resolve an issue after getting to the right person is something that depends on the issue. If you get to the right person quickly, then it will be quick, but sometimes you have to keep escalating it. Within Cisco's team, they will have to go to someone who has answers to everything. Considering Cisco has a way of identifying issues that they have already worked on when I call them, it's as if I'm reporting that issue for the first time. 

I'm pretty sure other customers have reported the same problems before but it reflects as a new issue. Then you find out later that there was a bug in it. That means other customers have had the same issue. Cisco actually knows about the issue, and they have provided guidance for it. It takes time. Somehow, within Cisco, maybe AI is the way to go. It is better to make available quick customer service, especially if it is a known issue so that we can get a resolution or work around quickly.

The initial setup process is complex since there are so many big components. It depends on a lot of other systems starting from the device to the end user. That's quite complex. Also, if something goes wrong, it is challenging since it needs someone who knows about the endpoints to get things right.

Hardware appliances are expensive. The license pricing was good when it was perpetual. But now they have migrated into DNA-styled licensing. We haven't bought the new licensing yet because we migrated from the old licensing to the new licensing model. At some point, we'll have to buy the licenses. The license pricing was fair. Now moving to DNA-styled licensing, we have subscription-based licensing for everything. I hope it will continue to be fair, but we will have to wait and see.

We did not look for other solutions in the market. We went straight with Cisco.

We don't consider switching to another product. Cisco Identity Services Engine is the best in the market. The solution is the best for the things that we use.

Whether in terms of user experience, user interface, ease of use, and things like that, if I was to speak about something specific that I really value about the solution, I would say that upgrade processes are not simple. It's easier to just restore the state by going through the steps for the upgrade. We also use VMs and a couple of hardware appliances since sometimes we run into certain issues that nobody knows about. We've had a couple of incidents that were challenging. Cisco blamed it on VM infrastructure, while our VM team blamed Cisco. We were stuck in the middle. We had to re-provision a couple of things. All this was because sometimes it is buggy.

It hasn't really helped free up my IT staff for other projects. 

It helped my organization improve its cybersecurity resilience by making sure that untrusted devices are not connected to the network and only trusted devices get connected.

To those planning to use the product, I would say that it's a good product. You must plan ahead, test thoroughly, and do it step by step. Don't try to migrate everything at once. It is an overall good product.

I rate the overall product an eight out of ten.

We have two servers and they're both VMs. Every network system is issued a certificate and each device coming onto the network has to be on the domain with an active AD user logging into it. It needs an up-to-date AMP, which is our Cisco malware and virus scan product and it also needs to have the most current Microsoft security updates and the three layers that we're using: The core VPN, the Network Access Manager and the ISE profiler. When it goes through all those different things on every port on the switch, there are commands for it to be able to go through an ACL so it knows what users are there, what server, and what devices have been put onto the domain. It can verify all that.

The user can then proceed on to the network. We've set it so that regular users are VLAN'd off and can only see the data network through ISE and are blocked from seeing the rest of the network. Depending on the department needs or other factors, we have cameras for security which are on a different VLAN, and they can see those. We also have something for O&M where the AC guy can see the AC equipment, and we can prevent all the VLAN's from being viewed by everybody.

We are customers of Cisco and I'm the infrastructure and Cyber security manager.

The solution cuts down on the repercussions of getting malware or ransomware which happened to us four years ago. We regularly took very aggressive snapshots and we were able to recover in an hour and 20 minutes without any loss of data.

Because we have a large database and 4,000 network devices, the solution can lag a bit when you're running updates or different things because of the fact that it's so big and it is such a resource hog. But the biggest problem we've encountered is that it finds errors or people are rejected or not authenticated without a clear explanation as to why. A second issue is that we're currently on 2.4 and Cisco's gold standard now is 2.7. They are a little slow with that.

I'd really like the solution to dive down a little deeper when something's not profiling. As it stands now, you have to go through and search what hasn't profiled. Microsoft, for example, gives you a direction to look at and will even be specific sometimes and tell you there is a password error, or the password hasn't been updated, or it's not meeting the policy and that's why it won't let it through. Those are very helpful because you know exactly what's required to solve a problem. 

Cisco is getting better with it, but they fail in some areas because of a network connectivity issue, or it's not getting DCAP quick enough and it fails. Those things would be more helpful to understand when it's going through, so you are able to triage it a little better. I mean, it does point you in a direction, but sometimes you have to dig a lot deeper to find the right direction and figure out what kept it from profiling. One big issue we've discovered is that people are not rebooting their machines or powering them off at night. We're trying to ensure that is done by sticking messages on screens.

I've been using this solution for the past two years. 

ISE is pretty stable. If it does have an issue then you need to call TAC and work through the bug in it. They are very responsive and very quick to help us eliminate the issue and also come up with a plan, such as how to move forward with additional issues or different things that are coming down the pipe with Cisco ISE. When you're talking to them, you feel like they are a partner and not just a disconnected entity.

The technical support is excellent, I would rate them very highly.

The initial setup is very complex. You have to go in and manually add in all the network devices, as far as all the switches, access points are concerned. You have to go port by port and add in codes and conditions and you have to go switch by switch and add in codes and conditions. You start out with a monitor mode and then go to an impact mode and then you go towards total lockdown. Implementation took us about 18 months. We rolled it out in short bursts because we have a very small IT team and we had a consultant company come in and work with us on installing it. A lot of it was knowledge transfer from them to us.

Our consultant was Cycorp, their main focus is network security. They are a sister Cisco partner, and we had one of their CCIE's come out and help implement everything. The gentleman at the top of the CCIE, was a former Cisco employee and a beta tester for ISE. Now that we have it in, I feel it's pretty much a game changer on locking down our network so that we're not penetrated from inside or outside because everything going through the VPN has to meet a certain standard.

We did a five year deal and it was very reasonable. I think for the Avast virus scan, I think we were paying $95 a machine for five years, which nobody else could touch. And that includes all updates, technical support, etc. From the ISE side, I'm not really sure what it costs because it was all encompassed in equipment we were buying and the ISE and the AMP and the open DNS. I know that it was not more expensive than any of the things we had looked at with HP or BMC or other places. It was much more cost effective.

We have looked at other products but we are a Cisco shop so having a Cisco product rides very easy on all our switches, our access points, and our Cisco servers. I believe it's the same for other companies such as HP. It's also a priority for them that the solution works better with HP switches. Given that we weren't going to change our switches, we really needed to focus on something that was going to work well with our environment.

The important thing is to have a good game plan going into it. Prep is key for everything going on with ISE. The more stuff you have prepped and the more understanding that you have upfront of how it goes through and how it behaves, the better off you are.

I would rate this solution a nine out of 10.