Cisco Identity Services Engine (ISE) Reviews

Cisco Identity Service Engine (ISE) is used mostly for endpoints. If you want to know the profiling and what endpoints are connecting to your company, then ISE is a good solution because it has built-in signatures. Therefore, it knows what kinds of devices are getting added into the network.

You can install it with any cloud provider, e.g., AWS or Azure.

You can install ISE locally. If your site is critical, like in manufacturing, you need to make sure that ISE is a part of the local site. Usually, people install data centers, but you can also install at critical sites.

One of the advantages is that you can easily find rogue endpoints. For example, if you don't want to allow any endpoints where you don't know the people plugging into what kind of devices, ISE can give you a big, clear picture, e.g., what kind of endpoints are getting connected to your network. That is one of the advantages.

From our company perspective, or any company perspective, you need to be PCI compliant and follow HIPAA laws. Therefore, ISE is really instrumental from a cybersecurity perspective. You need to comply if you are PCI compliant and utilizing credit card transactions. ISE can help you become compliant from that perspective.

There is a new trend: a zero-trust kind of architecture. If a company really wants to improve their security, ISE can upscale the security in their network by creating an access policy. This ensures that if the device is not allowed to access something then ISE won't let that device access that resource. This is mostly for segmentation security.

Cisco could improve the GUIs on their hardware.

I have been using Cisco ISE for about seven or eight years.

The stability is good.

You can scale your ISE. You can use ISE for a company of any size: for a small company, a mid-size company, or a large company. ISE can be installed in a cluster-distributed environment. Thus, there is a lot of scalability and resiliency when using ISE.

I would rate the scalability as eight or nine out of 10.

Cisco support is awesome. I would rate them as eight or nine out of 10.

Positive

We did not previously use another solution.

Initially, it is always challenging. Once you get the gist of the deployment, it becomes normal and straightforward afterwards.

Definitely make sure you install ISE in a distributed fashion. Make sure there is a lot of high availability. Otherwise, if your ISE goes down, then you won't be able to authenticate your endpoint. It is better to install ISE in a high availability solution.

We have definitely seen ROI as we are getting compliant. When you are compliant, you get fewer fines from PCI and those types of organizations. 

It is not that pricey.

We have Zscaler, but it is not operating in the same zone as ISE.

Use ISE if you want to build more resilience within your organization.

I would rate the solution as eight or nine out of 10.

We currently use it for RADIUS and TACACS authentication, but we're moving to SD Campus Fabric. We're tying that in with DNA Center, making it flow with the wireless and authentications at the port, using .1X. That's where we're headed.

We have a 10-node deployment: two PSNs, four dedicated to TACACS and RADIUS, two dedicated to guest WiFi, and two dedicated to pxGrid.

While it doesn't give us a single pane of glass, it helps identify problems more quickly. You can identify what's going on in the logs most of the time.

Also, ISE, working with DNA Center, provides a trust set. It's very important to us that the solution considers all resources to be external, so that we know who is connecting, when and where, at all times; we're not just trusting you because you're internal.

At the moment, RADIUS is the most valuable feature for us. We haven't really opened it up yet, so RADIUS is the best feature because it supplies authentication to our entire campus.

Also, when it comes to securing access to applications and the network, that goes hand-in-hand with fully developing ISE, implementing .1X, tying in DNA Center, and enabling TrustSec to look at SGTs and figure out who's who and what is what.

The knocks I have against the product are the number of bugs that we encounter, constantly, and the amount of upgrading that we have to do.

I have been using Cisco ISE (Identity Services Engine) for about five years.

Because of the numerous bugs we've been hit with, on a scale of one to 10, the stability is a four or five.

In theory, the scalability is great, if it all works.

We have six 17-floor buildings, and had a little more than 1,500 users on campus, pre-COVID. ISE is providing access and authentication for everyone who uses the WiFi and it helps us get into our devices.

TAC is moving a little slowly with respect to the technology. They're not keeping up. When you call in with a question, you get 10 questions fired back at you, and it just goes round and round until you figure it out.

Neutral

We previously used ACS.

If you're not going through an agreement, it's very expensive.

We didn't evaluate other options. We're a Cisco shop.

Do a deep dive. If you're a Cisco shop you really don't have a choice. It's the direction they're moving in. Cut your teeth with it and don't rely on outside sources to implement it. Implement it yourself so you know how to troubleshoot it and move forward. If you use outside sources, as soon as they leave, you're left holding the bucket and you don't understand what's going on.

I see the theory behind ISE and if we can get it to gel in our environment, it will be a beautiful thing.

We use Cisco ISE for 802.1 network authentication.

ISE integrates well with other Cisco products.

This solution does not provide us with enough visibility into our network. We would like to see additional information that it does not show. In general, the reporting is not very useful.

ISE needs to have better integration with third-party products.

A basic profiling engine would make a good addition because device profiling is very important.

This product requires the use of agents and ideally, I would like an agentless version. I think that they should get rid of them because they are hard to manage and deploy. Also, they are not useful.

The interface is not very user-friendly and it is not simple to use.

I have been using the Cisco Identity Services Engine for six years.

This is a stable product. The features that do work, work well, and we use it on a daily basis.

I would say that this product is scalable because we are using it in our central headquarters, in addition to several branch offices.

We do not pay for Cisco SMARTnet, so we did not contact technical support.

Prior to using ISE, we were using a solution by Trustwave. It is a different product because it uses Name Poisoning methods. It was an interesting solution but we changed because the price of support is too high. We opted to instead purchase a new product.

The initial setup is not simple. I don't consider our deployment to be complete because we were unsuccessful at trying to use the majority of the features. The fact that we can't solve these problems is why we are searching for another solution.

We had assistance from a consultant for the deployment.

Internally, we have a team of five administrators who manage this product.

The SMARTnet technical support is available at an additional cost.

I am currently doing research on Fortinet FortiNAC because I find that Cisco ISE is not a very powerful tool.

My advice for anybody who is considering Cisco ISE is to first run a proof of concept to see that all of the features work well. In my opinion, you have to see all of the features.

I would rate this solution a seven out of ten.

Identity Services Engine for us has an incredible number of use cases, predominantly around identity and contact sharing within the enterprise or Endpoint onboarding for, authentication and authorization. Most recently, in the last few years, we've actually finally added device authentication and device management into that with the TACACS implementation. And now we have a comprehensive set of features to perform enterprise NAC, pure RADIUS authentication, and user authorization.

Cisco Identity Services Engine has provided two incredibly beneficial outcomes for our clients. First and foremost, they've been able to limit and minimize the number of different discrete platforms they need to use to deliver things such as network admission control, device authorization, and posturing, as well as do device and policy enforcement at the endpoint level. The second one that really is under sung is the ability to comprehensively manage guests in BYOD wireless access. The ability for the enterprise pretty much out of the box to deploy an end-to-end solution to manage guest onboarding, user self-service, as well as bring your own device has been a real boom to network access.

Using ISE to detect and remediate threats is really the hinge pin for pretty much everything in the Cisco security infrastructure. Without identity and without context, you really can't do any enforcement. It's fine to be able to detect a threat with an IPS, with a threat appliance, with anomaly detection, but being able to use things like RADIUS chains of authorization to then blacklist a host or remove a host from a production relay is an incredibly important outcome, not the least of which because that's all automated in ISE. And that's an incredible benefit to IT teams who perhaps don't have a NOC, don't have a SOC that can run out, and respond to a threat immediately. Having those SOAR automation capabilities inherent to the system is a really powerful feature set.

I think it's inevitable when a customer is deploying or using ISE that they're gonna find additional cycles that they can spend their time on. The rich automation and the quick startup out of the box, for instance, ISA has a really rich onboarding wizard. Pretty much out of the box, you can go through a series of steps, input your IP address, your domain names, etcetera. You don't have to do a lot of the upfront planning and design work that was required of previous systems that did network admission control, certainly more so than the old NAC. And so I believe that many customers will find they have extra cycles to go and use that IT talent to do more impactful projects than spending months and months and months deploying admission control.

Identity Services Engine has done a great advantage to our clients in the fact that Cisco has begun to move more capabilities into the platform over time. As they started out with the basic AAA capability, authentication, authorization, and accounting that was present in ACS and the older service architecture, they've now begun to move in, device administration in the form of the TACACS server and other capabilities within ISE. When they previously introduced the pxGrid capability, you now have the ability to bring other enterprise platforms such as your IPS, your threat systems, and your DNS security platforms directly into ISE for performing all those automation. And so it absolutely has consolidated the number of platforms that you need to deploy to achieve that secure outcome.

The effect of the consolidation of all of these functionalities within Identity Services Engine has had on IT is that now you have a single platform with which to maintain. I think sometimes we overlook the fact that security platforms themselves have a lifecycle associated with them. We have to patch these systems. We have to maintain currency on the devices. And over time, those devices like anything else become a little long in the tooth and require refreshing. The flexibility to deploy Identity Services Engine in multiple persona types on hardware or in a virtual machine is a huge advantage to customers who want to consolidate the number of vendors and hardware platforms that they have to support and manage.

Identity Services Engine has helped a lot of our clients as well as Logicalis simplify the way that we approach compliance governance and risk consulting within our own enterprise, being able to have a single source context for when devices were on the network when they were last authenticated, and, of course, that rich user context that we get. We can now share contextual information from Identity Services Engine within an Azure environment, within an AWS environment with our own active directory, and that's an enormous advantage when you're not only threat hunting, but when you're trying to pass those checks and balances that are required for cybersecurity insurance or your own internal compliance auditing.

For us and our clients, the most valuable features of Identity Services Engine are really around the rich contact sharing that ISE gives you. The ability to categorically list all the endpoints in the infrastructure, understand where they are, how they made it onto the wire, whether that was through wireless, through a wired engagement, And all of the self-service features that allow you to manage guest access to wired and wireless infrastructure are an incredible number of use cases that our clients are constantly deploying now.

I think in any technology infrastructure, you're going to have environments where improvements could occur. I think some areas where ISE could be better are perhaps in the number of integrations that they offer from a virtual standpoint, as well as having a better and more comprehensive pathway for the customer to go from a physical environment to a virtual one. Many of our clients today are hybrid. They have a physical footprint in a data center somewhere, as well as a public cloud instance for things. Today there really isn't an elegant pathway for a client that wants to go 100 percent cloud, and that's an improvement I think that could be along the way.

I have been using Cisco ISE for close to ten years.

The stability of the Cisco Identity Services Engine has continued to improve over time as the product has matured. Anytime you're dealing with something like a database product that has millions or hundreds of thousands of endpoints and entries in it, inevitably you're going to have performance creep over time. Because of the scale of the Cisco purpose-built UCS appliances, the SNS appliances that predominantly run identity services engine, we've seen an enormous advantage by staying up to date on the most current Cisco SNS appliances. We've also seen an enormous advantage by leveraging ISE in a hybrid capacity. So the ability to deploy PSMs on a hybrid cloud environment, on a public cloud environment, as either additional capacity or as a failover point for that on-premise install base is a really nice advantage to have.

The beauty of Identity Service Engine is the fact that there's really no environment too small. If you have 500 to 1000, maybe up to 2000 endpoints, We're talking laptops, mobile devices, access point switches, etcetera. You're really not too small to deploy Identity Service Engine. The beauty of the multi-persona design of the Identity Service Engine is that you can leverage that capability to split off those PSN personas which is actually the persona within the Identity Service Engine that processes all of that high rate of radius authorization and authentication traffic. So the scalability of ISE is really well thought out. It was really well thought out from the get-go. You can also split off the admin personas and the monitoring and logging personas as well to give you that horizontal scale. I'm not sure today what the exact endpoint count that ISE scales to is, but it is certainly into the hundreds of thousands of endpoints.

Cisco support for Identity Services Engine has been world-class. The guts of ISE are still a RADIUS server. They're still AAA-based functionality. So many folks that have been deploying and supporting the Cisco Secure ACS Server as well as the TACACS server and all of the things that have come along with that, continue to use the same skill set to support and deploy ISE. Really, the differences nowadays in terms of support are bringing about more comprehensive offerings to support the systems that surround ISE. Many things plug into ISE and provide much richer context, and really that's where the complexity tends to creep in. Our support from Cisco both as an end user and a partner has been beyond reproach, and we really appreciate Cisco's continued investment in the TAC, and in all the areas they bring to bear to help you receive that business outcome you're after.

Cisco support is always going to be ranked a strong nine with me, mainly because we know there's always room to improve things. We don't want to give a full passing score, but without a doubt, I don't know how anyone could consume and deploy business outcomes with Cisco technologies without leveraging support. And so Cisco leads the way and continues to invest in that area.

Positive

The deployment experience with ISE in the early stages was without a doubt, very daunting. There is a huge number of things that you need to understand about the existing infrastructure, about the existing customer environment to properly deploy that solution. As time has gone on, however, the designers and the developers of that software have begun to create wizard, have begun to create additional upfront deployment tactics within the tool itself so that essentially a journeyman network engineer or security architect can deploy the minimum level of functionality right out of the box.

It's difficult to say whether the clients have seen an immediate ROI with the deployment of the Identity Services Engine. Oftentimes, you have to take on additional technologies in the ISE product family in order to receive that comprehensive benefit. So I think only time will tell what the true ROI is. I can tell you that the value exchange that occurs between a partner and a client when we're talking about everything within the Cisco security portfolio being fully integrated together and working comprehensively has been an enormous advantage to customers who today have a complex act of multi-vendor products. Being able to consolidate on a platform-based solution is an incredibly powerful story to tell, and it's also incredibly powerful from a cost-benefit standpoint as well.

In terms of the licensing and the pricing structure of the Cisco Identity Services Engine, there's been a huge advantage to our clients recently with the advent of the enterprise agreement. You now have an enterprise agreement choice, which now allows you to buy as few as two security products to unlock additional discounting and additional life cycle advantages when you consume that solution for security business outcomes. At Logicalis, we deliver a full life cycle approach to Identity Services Engine when embedded into a Cisco security enterprise agreement. We're able to deliver not only the onboarding and the design guidance that the customer needs to deliver that secure business outcome, but also provide the ancillary services to support all of the other infrastructure that often comes along with deploying a solution like ice.

Identity Services Engine compares favorably with many of the other competitor's products that are in that space. I won't mention them now, but I think we know that all of the same industry competitors have been delivering identity solutions and NAC solutions over the last decade or so. Cisco continues to rank in the upper and farther to the right in Gartner Magic Quadrant for those identity solutions, and I think they'll continue on that trajectory. Cisco has long been the number one network vendor in the world, and I think you'll continue to see that growth as the network continues to be important to business.

I rate Cisco Identity Services Engine a ten, on a scale of one to ten. It's a necessary solution to deploy in order to achieve many of the business outcomes such as some of the smart business architectures, certainly anything within the automated campus designs that are out there with DNA Center. It's just an incredibly powerful tool to manage both identity and endpoints within the infrastructure, and it really does become the hub of a hub and spoke comprehensive security architecture.

When Identity Services Engine became the de facto migration path from ACS Access Control Server, we were very early adopting and getting that product into our labs and in the hands of our customers for proofs of concept, proofs of value, and enterprise pilots.

I'm a network engineer. I've been at my company for about six years. 

We have about ten people on the networking team. We support up to 30,000 students. We've been using ISE for five or six years now.

Our primary use case is mainly to onboard students with the wireless authentication with our switches and network devices. 

Another big benefit for us is definitely security in terms of wireless user activity. We spent a lot of time looking at live logs and user logs to figure out where they've been in the network and in which buildings. We can get rogue granular with locations of where people are and where they're experiencing issues.

We have definitely saved time since using ISE when it comes to building some of the policies around the types of users, like library users versus student union or even admin users. The policy building is complicated, but after a while, it's pretty straightforward in terms of repeatability of staff turnover, and things like that. It's not the learning curve that's hard for continuous maintenance.

The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting. 

The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away. 

In terms of scalability, we have multiple policy nodes. I know we have about ten different devices on other appliances. As far as I can imagine, setting up another policy node or something would be pretty simple. It would just require hardware to be purchased.

Our support for Cisco ISE has been pretty good. We've had pretty good luck with TAC cases, and it seems like maybe because it is a niche thing there are certain groups of support staff who are pretty savvy.

We've never really had issues that went long-term. It's because it's our main gateway for students, staff, and faculty. It seems like we've solved things pretty quickly.

I'd rate it about an eight out of ten. The only thing is that you don't necessarily get the same person every time but we've never had an issue that went unsolved so far, so I'd say eight.

Positive

In terms of evaluating other services, that's one of our reasons for being a Cisco Live, to actually know what alternatives there are in that space. We are interested in a faster-performing solution at times.

Overall, I would say our implementation is fine, but we do hesitate on major releases just because we've had some issues in the past, and rolling back is difficult. We don't want to go down that path especially because it is so critical for us.

In terms of ROI for Cisco ISE, I'm not sure what we paid to begin with, but I know that it's indispensable, since it is our only gateway for wireless users to connect. Also that it's flexible for us to school up new user grow groups fairly easily.

It doesn't seem like we have a licensing model that we're aware of. It's not something that comes down where we have to say, "Oh, boy, we have to renew ISE again." It doesn't seem like it's a significant part of the budget that we have for licensing and ongoing maintenance.

In terms of ISE for end-to-end security, it's our primary tool right now for that. It's hard to compare with other applications or hardware. Sometimes there are limitations, for example, we use it for wireless only. We don't do anything with ISE or 802.1X on the wire, which is something we'd like to do, but we're hesitant based on our experiences with the wireless side in terms of the slowness.

On a scale from one to ten, I give Cisco ISE an eight. Primarily because it seems like it's doing a pretty decent job managing our wireless connections. And there are enough tools in the GUI interface that give us feedback on performance. It's been a pretty decent install for us.

We use Cisco ISE for device administration with TACACS.

It's a very critical system. It is one of the most critical systems that we have.

With TACACS, we use it for endpoints like computers, devices, and network access. As a device admin, we use it to cater to users who use routers and switches.

It is a good product for what it does. I don't have a similar experience with other solutions.

The solution cannot be deployed on the cloud yet, and that is one of the things I would like to test. Also, I want to have a couple of VMs integrated with the solution.

I have been using Cisco Identity Services Engine for about six to seven years.

We contact support when there are problems. We take care of small things on our own. When we call for support, we need someone more experienced than us. Usually, that's a challenge. It takes days to get to the right people.

How long it takes to resolve an issue after getting to the right person is something that depends on the issue. If you get to the right person quickly, then it will be quick, but sometimes you have to keep escalating it. Within Cisco's team, they will have to go to someone who has answers to everything. Considering Cisco has a way of identifying issues that they have already worked on when I call them, it's as if I'm reporting that issue for the first time. 

I'm pretty sure other customers have reported the same problems before but it reflects as a new issue. Then you find out later that there was a bug in it. That means other customers have had the same issue. Cisco actually knows about the issue, and they have provided guidance for it. It takes time. Somehow, within Cisco, maybe AI is the way to go. It is better to make available quick customer service, especially if it is a known issue so that we can get a resolution or work around quickly.

The initial setup process is complex since there are so many big components. It depends on a lot of other systems starting from the device to the end user. That's quite complex. Also, if something goes wrong, it is challenging since it needs someone who knows about the endpoints to get things right.

Hardware appliances are expensive. The license pricing was good when it was perpetual. But now they have migrated into DNA-styled licensing. We haven't bought the new licensing yet because we migrated from the old licensing to the new licensing model. At some point, we'll have to buy the licenses. The license pricing was fair. Now moving to DNA-styled licensing, we have subscription-based licensing for everything. I hope it will continue to be fair, but we will have to wait and see.

We did not look for other solutions in the market. We went straight with Cisco.

We don't consider switching to another product. Cisco Identity Services Engine is the best in the market. The solution is the best for the things that we use.

Whether in terms of user experience, user interface, ease of use, and things like that, if I was to speak about something specific that I really value about the solution, I would say that upgrade processes are not simple. It's easier to just restore the state by going through the steps for the upgrade. We also use VMs and a couple of hardware appliances since sometimes we run into certain issues that nobody knows about. We've had a couple of incidents that were challenging. Cisco blamed it on VM infrastructure, while our VM team blamed Cisco. We were stuck in the middle. We had to re-provision a couple of things. All this was because sometimes it is buggy.

It hasn't really helped free up my IT staff for other projects. 

It helped my organization improve its cybersecurity resilience by making sure that untrusted devices are not connected to the network and only trusted devices get connected.

To those planning to use the product, I would say that it's a good product. You must plan ahead, test thoroughly, and do it step by step. Don't try to migrate everything at once. It is an overall good product.

I rate the overall product an eight out of ten.

Cisco ISE is on the back end, and all our policies and security are on it. DNS centers and all our network backbone is integrated into Cisco ISE. So, the solution is pretty critical for us.

Cisco ISE has helped improve our organization security-wise.

Cisco ISE integrates with everything else. It forms our security and identity backbone, and all our authentication goes through Cisco ISE. That's why the solution is so important to us.

Troubleshooting and multi-ISE can be challenging with the solution.

My organization has been using Cisco ISE since 2018.

Once configured properly, Cisco ISE shows good stability.

Cisco's TAC is good. Cisco support, in general, is too layered these days. Often we have to repeat the same thing over and over to the TAC guys, which is a bit frustrating. Cisco's TAC needs to be a bit better.

Neutral

Cisco ISE's deployment can take weeks, months, or years depending on how rigidly you adhere to the guidelines and how good your existing infrastructure is.

We have seen a return on investment with Cisco ISE from a security point of view.

Cisco ISE's licensing can get pricey.

Sometimes, the Cisco guys disagree about it, but other than that, the Cisco guidelines are clear and concise enough.

Cisco ISE helps to secure our infrastructure from end to end so we can detect and remediate threats. The solution does what it's supposed to do.

Cisco ISE has saved a little time for our organization.

Since Cisco ISE is a more robust solution, it has helped our organization improve its cybersecurity resilience.

Before implementing Cisco ISE, you should look into it in-depth on how it can be used, how it can be integrated with existing tools, and how your staff can be trained to troubleshoot it. The solution has its pitfalls, and when it breaks, it can break heavily. So be aware before you deploy it.

Overall, I rate Cisco ISE a seven out of ten.

We utilize Cisco ISE for wireless user authentication, as well as authentication, authorization, and accounting for our network devices.

Cisco ISE has made us much more secure. It has streamlined the process of adding new devices to our wireless network, specifically wireless-only devices. Moreover, thanks to scripting capabilities and flexibility on the Cisco ISE side, it has significantly reduced the amount of manual effort required by everyone involved.

Cisco ISE effectively secures our infrastructure from end to end, enabling us to detect and remediate threats. It does a commendable job of securing both end users and their devices, including guest-wired devices for anonymous access. Its ability to compartmentalize everything makes it incredibly convenient, and the comprehensive tracking features are particularly valuable.

Cisco ISE has helped to free up our IT staff's time by saving approximately 40 hours per month, as we are constantly uploading new devices. 

Cisco ISE has helped our organization improve its cybersecurity resilience by authenticating users. It ensures that only certain MAC addresses can be on our network, particularly on our production wireless network. Additionally, it keeps track of authentication frequency and alerts us if clients authenticate too often, allowing us to optimize CPU cycles.

The live logs and live sessions for troubleshooting are the most valuable features because they provide a detailed report of any issues. I appreciate that they guide us through every step that a user or authenticator goes through.

Cisco ISE can become quite complex, especially with policy sets, the entire authentication process, and everything involved. I would appreciate a more comprehensive visual depiction of the steps from the beginning to the end.

I have been using Cisco ISE for five years.

We have never experienced any stability issues with Cisco ISE.

We can scale Cisco ISE by adding additional licenses or servers.

Cisco technical support is excellent. They respond promptly, and their thoroughness is remarkable. For instance, we can send them numerous logs, and they will analyze them in detail for us.

Positive

We have seen a return on investment around the soft cost, with how streamlined everything is, how we don't have to really worry about wrong devices getting on our production Wi-Fi.

I give Cisco ISE a ten out of ten.

Cisco ISE is a great tool. It integrates well with Active Directory and numerous other components. The solution has become a fundamental part of our network and I recommend Cisco ISE to others who are looking to improve their cybersecurity.