Cisco Identity Services Engine (ISE) Reviews

We have two servers and they're both VMs. Every network system is issued a certificate and each device coming onto the network has to be on the domain with an active AD user logging into it. It needs an up-to-date AMP, which is our Cisco malware and virus scan product and it also needs to have the most current Microsoft security updates and the three layers that we're using: The core VPN, the Network Access Manager and the ISE profiler. When it goes through all those different things on every port on the switch, there are commands for it to be able to go through an ACL so it knows what users are there, what server, and what devices have been put onto the domain. It can verify all that.

The user can then proceed on to the network. We've set it so that regular users are VLAN'd off and can only see the data network through ISE and are blocked from seeing the rest of the network. Depending on the department needs or other factors, we have cameras for security which are on a different VLAN, and they can see those. We also have something for O&M where the AC guy can see the AC equipment, and we can prevent all the VLAN's from being viewed by everybody.

We are customers of Cisco and I'm the infrastructure and Cyber security manager.

The solution cuts down on the repercussions of getting malware or ransomware which happened to us four years ago. We regularly took very aggressive snapshots and we were able to recover in an hour and 20 minutes without any loss of data.

Because we have a large database and 4,000 network devices, the solution can lag a bit when you're running updates or different things because of the fact that it's so big and it is such a resource hog. But the biggest problem we've encountered is that it finds errors or people are rejected or not authenticated without a clear explanation as to why. A second issue is that we're currently on 2.4 and Cisco's gold standard now is 2.7. They are a little slow with that.

I'd really like the solution to dive down a little deeper when something's not profiling. As it stands now, you have to go through and search what hasn't profiled. Microsoft, for example, gives you a direction to look at and will even be specific sometimes and tell you there is a password error, or the password hasn't been updated, or it's not meeting the policy and that's why it won't let it through. Those are very helpful because you know exactly what's required to solve a problem. 

Cisco is getting better with it, but they fail in some areas because of a network connectivity issue, or it's not getting DCAP quick enough and it fails. Those things would be more helpful to understand when it's going through, so you are able to triage it a little better. I mean, it does point you in a direction, but sometimes you have to dig a lot deeper to find the right direction and figure out what kept it from profiling. One big issue we've discovered is that people are not rebooting their machines or powering them off at night. We're trying to ensure that is done by sticking messages on screens.

I've been using this solution for the past two years. 

ISE is pretty stable. If it does have an issue then you need to call TAC and work through the bug in it. They are very responsive and very quick to help us eliminate the issue and also come up with a plan, such as how to move forward with additional issues or different things that are coming down the pipe with Cisco ISE. When you're talking to them, you feel like they are a partner and not just a disconnected entity.

The technical support is excellent, I would rate them very highly.

The initial setup is very complex. You have to go in and manually add in all the network devices, as far as all the switches, access points are concerned. You have to go port by port and add in codes and conditions and you have to go switch by switch and add in codes and conditions. You start out with a monitor mode and then go to an impact mode and then you go towards total lockdown. Implementation took us about 18 months. We rolled it out in short bursts because we have a very small IT team and we had a consultant company come in and work with us on installing it. A lot of it was knowledge transfer from them to us.

Our consultant was Cycorp, their main focus is network security. They are a sister Cisco partner, and we had one of their CCIE's come out and help implement everything. The gentleman at the top of the CCIE, was a former Cisco employee and a beta tester for ISE. Now that we have it in, I feel it's pretty much a game changer on locking down our network so that we're not penetrated from inside or outside because everything going through the VPN has to meet a certain standard.

We did a five year deal and it was very reasonable. I think for the Avast virus scan, I think we were paying $95 a machine for five years, which nobody else could touch. And that includes all updates, technical support, etc. From the ISE side, I'm not really sure what it costs because it was all encompassed in equipment we were buying and the ISE and the AMP and the open DNS. I know that it was not more expensive than any of the things we had looked at with HP or BMC or other places. It was much more cost effective.

We have looked at other products but we are a Cisco shop so having a Cisco product rides very easy on all our switches, our access points, and our Cisco servers. I believe it's the same for other companies such as HP. It's also a priority for them that the solution works better with HP switches. Given that we weren't going to change our switches, we really needed to focus on something that was going to work well with our environment.

The important thing is to have a good game plan going into it. Prep is key for everything going on with ISE. The more stuff you have prepped and the more understanding that you have upfront of how it goes through and how it behaves, the better off you are.

I would rate this solution a nine out of 10. 

We use it for wired .1x, wireless authentication, VPN, and multi-factor authentication. We wanted to have a consistent experience for authentication and authorization of endpoints across the network, as well as security.

As a water utility organization, we're considered critical infrastructure by the feds. Everyone needs water. So it's important for us to protect our industrial control systems, our SCADA systems. ISE helps us do that by segmenting them off from the rest of the network.

And by eliminating trust, it helps us with audits, including CJIS because we have a law enforcement division, and trying to conform to the NIST standards. A lot of government agencies are becoming more familiar with the Zero Trust model and ISE makes our audits go a lot faster and a lot smoother than they used to.

The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket.

In addition, ISE really adopts and is strong in the Zero Trust model where we consider everybody a foreign endpoint until they prove they belong on the network. ISE just seems to be built from the ground up to do that, whereas with other solutions, you have to "shoehorn" that in.

I also rate it pretty highly for securing access to our applications and network. If you have the good fortune of being a total Cisco shop, you can utilize SGTs, end to end, across the network. It can be a little tricky to get working, but once it does, it creates quite a consistent experience for any endpoint, even if it moves anywhere in the network.

I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself.

I've been using Cisco ISE (Identity Services Engine) for 10 years.

Now, the stability is pretty good. I've been working on it since the product launched and it was a bit sketchy. Its current state is really good right now.

The only thing we have run into was a bug when we ran virtual appliances, but that turned out to be an issue with our storage networking QoS policies. That wasn't really an ISE problem, it was more of a storage problem.

In terms of supporting a distributed network, it's pretty powerful. You can stand it up and cluster it and it scales out pretty well. You can put nodes wherever you want to service authentication requests. We're able to scale up or out and we can choose how and when we do that with either virtual or physical machines, meaning it's very flexible. 

It scales quite well. One of the things that Cisco is good at is keeping things pretty simple when you want to scale it. If you want to scale up, you get stronger admin and monitoring nodes. If you want to scale out, you get more policy service nodes. It's quite easy to stand them up, really anywhere, if you use virtuals.

We use it around our Fort Worth campus, which has about half a dozen buildings. By the end of the summer, we'll have it deployed to all of the rest of our five campuses. We have about 30 remote locations across 12 counties in North Texas and they're all using ISE. It works out pretty well.

We have it on-prem right now, but we are moving to a hybrid cloud platform on Azure for a lot of our applications, so we're starting to do proofs of concept with ISE in Azure.

TAC is pretty good. I would definitely suggest getting their solution support, which provides higher maintenance. That way, when you do get someone, you get someone who knows what they're doing. If you get the higher level of support, you get some really smart people who can fix things pretty quickly.

Positive

We used to use Aruba ClearPass. It was somewhat clunky to use and it didn't integrate well with third-party platforms. If you used Aruba, it worked great. If you didn't use Aruba, and were pointing things at ClearPass, it had some issues. We found that ISE typically handled things a little bit better. We could point anything at ISE and take care of it.

The initial deployment was pretty straightforward. It's very simple to just turn the box on and plug into it. You go through a couple of settings and then you can log in to the GUI and pull in all the other nodes that you want.

After the gear came in, it took us about a day to deploy it. I started by implementing it at the local campus. That way, if I broke anything, I could just walk down the hall and not have to drive anywhere.

I stood up the first cluster, and then it was another engineer and me who worked on deploying it out to all the buildings. We started out in monitor mode, to see what it would do if we had turned it on. Once we had remediated anything that looked like it was authenticating incorrectly on the wired network, we went to closed mode and that's where we are now.

Return on investment falls in line with the business vision of securing our resources and protecting them against cyber attacks and nation-state attacks. It's hard to put a monetary value on clean water.

Licensing is a disaster. It's a mess and I hope they fix it soon.

In addition to ClearPass, we looked at Forescout. At the time we looked at Forescout, it was more of an inline product and we weren't looking to add more infrastructure between parts of the network to try to do inline authentications. It seemed easier to do it on the switch ports and have them talk to ISE.

It's a very strong platform, especially now that we're on version 3.1. It's definitely my go-to. I would recommend it over any other NAC platform.

It requires a lot of technical knowledge to actually get it off the ground and running. It's not quite as intuitive as it could be, but it's still a solid platform.

We are working with packets and A011X. In some cases, we also do profiling.

We are using this solution because we wanted to improve security and reduce security gaps. This is mainly for our customers.

This solution improves security. There is a new law in the Dominican Republic, where I am from. The central bank has ordered the banks to improve their security through a law. ISE is one of the start points for those organizations to start improving their security.

The solution gives us a way to provide a professional security solution to our customers.

They provide you multiple ways to achieve security, not only on-prem, but also when you have remote and guest workers. Especially post-pandemic, a lot of our customers have remote workers. So, it has been really helpful.

Its resilience gives you a better security posture. Cybersecurity resilience is very important. Security is one of the main things in my country enforced by law.

Profiling is a really good feature. However, it sometimes is a challenge for customers when there are issues with the remediation part. I would add a built-in remediation solution. That would be a very nice feature.

I have been using the solution for six to seven years.

It is very stable.

It is very scalable. You can install several nodes in order to scale the solution.

The technical support is really good. I would rate them as 10 out of 10. You need to know how to work with the tech support. If you don't know how to work with them, then it won't work.

Positive

We have been working for 15 years with Cisco as a Cisco partner. We like the Cisco solutions.

The deployment is complex. It takes four or five to deploy it.

Deployment takes a skilled technician. The customer's help is always needed since we need to integrate Active Directory. 

Our customers see ROI. They feel more confident about their operations. It gives them time to do other things in order to be more profitable.

It has a fair price. It is better than it was before.

We have seen Aruba ClearPass, but it is not that common in the Dominican Republic.

Organizational leaders should do constant analysis of their security posture, in order to be improving every day.

I would rate them as eight out of 10 because of the remediation feature.

We use ISE for TACACS and 802.1X authentication, wired and wireless. We also use ISE for our VPN authentication, as well as for different policies. We were trying to solve some security holes with Mac solutions, and ISE was a good fit.

It helped our security, which is nice.

I love the policy sets, they are really nice and dynamic. 

This solution helps to support an organization across a distributed network. It's built for enterprises and large-scale deployment. It does what it's supposed to do.

ISE is a little clunky. The front-end feels like it is from the 1980s.

The usability, as far as programmability goes, needs to be improved.

I've been using Cisco ISE for about three years.

The solution is pretty stable. I haven't had any problems.

Cisco ISE is very scalable.

Technical support is horrible. If we call and ask them for help, their first response is always that we should upgrade. That is a horrible response. We pay another company to support us because the technical support can't, even though we pay them to do so. I would give them a two out of ten.

Negative

We have a distributed deployment model. They're all virtual appliances, distributed geographically.

We've got six ISE nodes. Everything is redundant and distributed across multiple data centers. We then used them again for 802.1X, TACACS, and other authentications and policies.

It's hard to dig into at first, so seek help and education.

I'd give Cisco ISE (Identity Services Engine) an eight on a scale from one to ten because it's Cisco, it's reliable. It has a lot of development and other vendors around it because it is Cisco. It works and is pretty stable.

I often use Cisco ISE for guest portals to onboard devices. For example, if a company wants to allow their employees to bring their own devices, there's a large security risk. Cisco ISE can help with onboarding those devices and check whether they're up-to-date with security patches and whether they fit the criteria to join the network.

There's so much stress involved with the pressures of trying to make it easy for customers to use the product without constantly having to jump over security hurdles. On the other hand, there is the constant threat of cyber attacks. Balancing the two can be quite stressful for developers, engineers, and consultants.

Our main goal, as an intermediary between Cisco and our clients, is to help IT managers, IT engineers, and administrators have better days. There is a lot of pressure on IT staff, and by giving them the right tools and solutions, we can help them feel more empowered to do their job much more effectively and, therefore, feel proud of their work.

In terms of features, the best feedback I've received has to do with guest portals. The guest portals and sponsor portals are where a company can customize their appearance. As people join the guest network, they're presented with the branding of the company that they're in.

A lot of customers use a third party to manage their guest Wi-Fi. Cisco ISE presents the ability to bring that in-house so that customers can have full control over it, change the branding, and get extra telemetry from it and the user data. It works really well for our customers.

I first started working with ISE at version 1.2, which was quite a few years ago. Over the years, the user interface has become a lot easier. The way the different parts of ISE come together and the connections between the different sections are a lot easier to follow. The interface gives you a much clearer picture of how the different policies and standards that you are building are brought together.

I don't see as many customers as I should adopting the onboarding feature. I think Cisco should make that process a lot easier and less intrusive on the end users' devices.

I've worked with Cisco solutions since 2007.

We offer the entire suite, with SecureX, Umbrella, and Cisco ISE being the main headlines. We work a lot in developing the orchestration and automation of new security systems in line with Cisco.

The various licencing levels allow increased functionality as your requirement increases.

When it's time to generate a TAC case, it means that things have gone very wrong and that my colleagues and I have run out of ideas and are desperate. Cisco's technical support staff are very much aware of that and know that by the time an issue comes to them that all the obvious roots of troubleshooting have already been explored. It's great that they comprehend this and that they understand the urgency as well. 

I'm always thankful for their help and would rate technical support at ten out of ten.

Positive

I have previously used other portals to provide guest user access. Cisco ISE provides many more options in functionality. Also when troubleshooting ISE provides detailed logs to pinpoint the problem. I have been unable to get this detailed information from other portals.

A benefit to using Cisco ISE as far as deployments are concerned is the fact that because it's software-based, everything can be tested before deployment. You can then be confident that everything is going to work when it's deployed in the real world.

Our ROI is that once clients have a Cisco system installed, they tend to stick with Cisco. They'll upgrade to the latest Cisco product rather than looking at any other vendors.

In general, licensing can be quite complex with Cisco products. It would be nice if it was a bit more intuitive and had fewer "gotchas" in there.

I've worked with customers who have used Purple Portal, for example, for their guest wireless access. In comparison to using Cisco ISE, Purple Portal adds an extra layer of complexity on all their guest networks running through a third party. This means that the customer will not have as much visibility into their guest users or control over what their guests see when they join the Wi-Fi network.

With Cisco ISE and the way the policies are built, it gives you a lot of freedom. It covers a wide range of potential solutions. Because each bit can be built together modularly, you can build anything with it. Therefore, Cisco ISE applies to so many different applications.

On a scale from one to ten, I would rate Cisco ISE at eight because it is a complex product and requires more technical ability to deploy it, though it fits many more solution requirements.

Cisco is the main player in networking and security. Having that backing behind our company gives us credence. We're proud to sell the products and to recommend them. Cisco's portfolio is what I would sell by choice. It just makes my job a lot easier.

We use it for network access control. For security reasons, if a vendor plugs into our network, the port is automatically shut down because it's not authenticated to our network.

Cisco ISE is a great solution. It helped us determine real users on our network. It's very useful.

From a security standpoint, Cisco ISE has improved our organization 100%. We're not guessing who is plugging into our network. It 100% protects our environment and infrastructure from end to end.

Cisco ISE has saved the time of our IT staff time to help work on other projects, but I don't have the metrics.

Cisco ISE has absolutely improved our cybersecurity resilience. Specifically, the 802.11 authentication for wireless has been huge.

Cisco ISE hasn't helped to consolidate any tools or applications.

Cisco ISE is a powerful solution. It gives us the ability to control who's accessing our network, and Cisco has made it very easy.

Some of the reporting could be improved.

We've been using it for about ten years.

It's stable. We never had any issues.

I love it. They know their stuff. Almost in one call, you get the right person. They're very good. I'd rate them a nine out of ten.

Positive

We didn't use any other solution previously.

You have to have a plan. You have to be prepared to roll it out. You need to think through what you want to configure.

It took us about three and a half months to get every angle we were after, and after that, it was a very slow rollout. We rolled it out in about eight months. It was easy.

We did it all in-house, but we did have consultants from Cisco come in and help us tweak it.

Pricing and licensing are not my expertise. As far as budgeting is concerned, we run an ELA with Cisco. It's a part of our ELA.

We didn't evaluate other products. We went straight to Cisco because you can't go wrong with their technology. They're a leader in this space, and they've got a good, robust solution, so we rolled it out.

It integrates seamlessly with other Cisco products that we have. I use Cisco Meraki for all my edge cases. We never considered switching to another vendor. 

It's a great product. I'd rate Cisco ISE a nine out of ten.

We utilize Cisco ISE for authentication by employing the AnyConnect Posture model to address vulnerabilities on the workstations. Additionally, we make use of TACACS.

It is a mature solution and it grows with our needs.

Cisco ISE has helped consolidate DNA Center.

Cisco ISE helps our cybersecurity resilience by enforcing security over the workstations.

The most valuable feature is AnyConnect Posture because it scans all the programs on the workstation and checks if the antivirus is up to date, as well as the cryptographic keys on our SSD. It also enforces data loss prevention on our workstation, which is usually the main vulnerability for network entry.

Cisco ISE has numerous features that are impractical, and I won't utilize them since they require payment.

I have been using Cisco ISE for around four years.

We encountered a few bugs that were resolved using the SMUs. However, when the solution is built properly, there are no performance issues.

We can scale Cisco ISE up using VMs.

The technical support is excellent, and we rely on their services frequently.

Positive

We previously used Cisco ACS but transitioned to Cisco ISE because it reached its end-of-life status, and we needed to progress.

We have observed a return on investment from the tasks performed by Cisco ISE for our organization.

Cisco ISE is not inexpensive, but the solution is well-built and worth the expense.

We evaluated Aruba ClearPass but ultimately chose Cisco ISE due to budgetary constraints. We were able to secure a favorable discount with Cisco.

I would rate Cisco ISE a nine out of ten. Despite the fact that the solution offers numerous features, it is challenging to use.

We do not rely solely on Cisco ISE to secure our infrastructure from end to end. Instead, we utilize various tools such as McAfee, DLP, and Endpoint Security. Additionally, we have the Domain client to check for any breaches. On our Internet edges, we perform SSL offload to enhance the performance of security projects like WAF and IPS, as well as conduct full packet scans. Furthermore, we have NGFW and NG Networks in place.

Cisco ISE is an important component in protecting our environment because it enforces security against the main point of vulnerability, which is accessing workstations. Ransomware infiltrates a network through workstations. The policies implemented are based on the posture model, ensuring that we use the necessary products on our network to mitigate such risks.

I was not involved in the initial setup, but testing the implementation of a new feature is always challenging. We need to allocate time to test it with the security team and the network team. Additionally, we need to create a separate environment to gain a better understanding of how we can improve the performance of the solution within our network. 

For organizations that do not have the funds to purchase Cisco ISE, there are good open-source solutions available. These include TACACS servers, OpenLDAP, and FreeRADIUS. However, Cisco ISE is an excellent tool for enhancing all the existing tools within an organization.

I use Cisco ISE for VPN and authentication.

Cisco ISE is a good and easy-to-use solution. We had a smooth experience with it, and we didn't face any issues. We upgraded the solution two years ago, and that version also worked fine. 

Cisco ISE's integration with other external identity servers like Duende is very simple and easy.

Cisco ISE's performance could be better, faster, and more robust. Sometimes it takes some time to move through the tabs and configure something.

I have been using Cisco ISE for three and a half years.

Cisco ISE is a stable solution. We haven't faced any major issues with the product.

Cisco ISE is a scalable solution. Our environment has a cluster distributed across three countries and seven nodes. It would be very easy to add another node or remote site.

In some areas, Cisco ISE's technical support is good. However, we had an issue with integrating Cisco ISE with DNS. So we opened a case, which escalated, and we had it for almost two years. Cisco escalated our case after hearing about our integration problem, and the issue was solved eventually.

In normal support cases, like if you are facing a bug, you will have very quick input from Cisco ISE's technical support. It is easy to find the issues in some areas, but in some cases, you might have to go along a troubleshooting path to find the issue. I used to work for Cisco tech wireless team. In some deployments, you have a complicated environment and must understand and solve the issue. Sometimes, it might take a long time to solve or find an issue, while it would be easy in other cases. It depends on the complexity of the environment.

Positive

Cisco ISE was already deployed when I joined my company, but I was present when it was upgraded. The upgrading process wasn't very easy, but we didn't face many issues. When we upgraded our Cisco ISE, it was running on the 2.3 version. We upgraded it to 2.7, and we had some issues at that time. We upgraded directly to 2.7 patch 2, and most problems were solved.

My main focus is on the .1X access. We have another security team whose focus is on VPN access. I use Cisco ISE for TechX authentication and .1X authentication.

Cisco ISE saves us time. If you deploy any security features using Cisco ISE, you don't have other options not to automate it. Part of our Cisco ISE is integrated with the Cisco DNS center. The Cisco DNS center saves time in terms of configuration, integration, upgrading, and adding other switches to the fabric. You can deploy the features in Cisco ISE using manual techniques.

Cisco ISE was already deployed in my organization when I joined. However, I know that Cisco ISE replaced ACS.

I work in the banking industry. Our main concern is securing our network from either remote or on-site access. When you get physical access to the site and connect your device, you might risk the security of the network on purpose or unknowingly. Deploying Cisco ISE has helped improve the security of our organization.

Overall, I rate Cisco ISE a nine out of ten because I have a very good experience with the solution and hear the same from other vendors.