Ashley Mead - PeerSpot reviewer
Sr Network Consultant at CAE Technology Services Limited
Video Review
Consultant
Top 20
Oct 7, 2024
Covers a wide range of potential solutions and has an easy-to-follow user interface
Pros and Cons
  • "A lot of customers use a third party to manage their guest Wi-Fi. Cisco ISE presents the ability to bring that in-house so that customers can have full control over it, change the branding, and get extra telemetry from it and the user data. It works really well for our customers."
  • "I don't see as many customers as I should adopting the onboarding feature. I think Cisco should make that process a lot easier and less intrusive on the end users' devices."

What is our primary use case?

I often use Cisco ISE for guest portals to onboard devices. For example, if a company wants to allow their employees to bring their own devices, there's a large security risk. Cisco ISE can help with onboarding those devices and check whether they're up-to-date with security patches and whether they fit the criteria to join the network.

There's so much stress involved with the pressures of trying to make it easy for customers to use the product without constantly having to jump over security hurdles. On the other hand, there is the constant threat of cyber attacks. Balancing the two can be quite stressful for developers, engineers, and consultants.

Our main goal, as an intermediary between Cisco and our clients, is to help IT managers, IT engineers, and administrators have better days. There is a lot of pressure on IT staff, and by giving them the right tools and solutions, we can help them feel more empowered to do their job much more effectively and, therefore, feel proud of their work.

What is most valuable?

In terms of features, the best feedback I've received has to do with guest portals. The guest portals and sponsor portals are where a company can customize their appearance. As people join the guest network, they're presented with the branding of the company that they're in.

A lot of customers use a third party to manage their guest Wi-Fi. Cisco ISE presents the ability to bring that in-house so that customers can have full control over it, change the branding, and get extra telemetry from it and the user data. It works really well for our customers.

I first started working with ISE at version 1.2, which was quite a few years ago. Over the years, the user interface has become a lot easier. The way the different parts of ISE come together and the connections between the different sections are a lot easier to follow. The interface gives you a much clearer picture of how the different policies and standards that you are building are brought together.

What needs improvement?

I don't see as many customers as I should adopting the onboarding feature. I think Cisco should make that process a lot easier and less intrusive on the end users' devices.

For how long have I used the solution?

I've worked with Cisco solutions since 2007.

We offer the entire suite, with SecureX, Umbrella, and Cisco ISE being the main headlines. We work a lot in developing the orchestration and automation of new security systems in line with Cisco.

Buyer's Guide
Cisco Identity Services Engine (ISE)
June 2026
Learn what your peers think about Cisco Identity Services Engine (ISE). Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
900,228 professionals have used our research since 2012.

What do I think about the scalability of the solution?

The various licencing levels allow increased functionality as your requirement increases.

How are customer service and support?

When it's time to generate a TAC case, it means that things have gone very wrong and that my colleagues and I have run out of ideas and are desperate. Cisco's technical support staff are very much aware of that and know that by the time an issue comes to them, all the obvious routes of troubleshooting have already been explored. It's great that they comprehend this and that they understand the urgency as well.

I'm always thankful for their help and would rate technical support at ten out of ten.

Which solution did I use previously and why did I switch?

I have previously used other portals to provide guest user access. Cisco ISE provides many more options in functionality. Also, when troubleshooting, ISE provides detailed logs to pinpoint the problem. I have been unable to get this detailed information from other portals.

How was the initial setup?

A benefit to using Cisco ISE as far as deployments are concerned is the fact that because it's software-based, everything can be tested before deployment. You can then be confident that everything is going to work when it's deployed in the real world.

What was our ROI?

Our ROI is that once clients have a Cisco system installed, they tend to stick with Cisco. They'll upgrade to the latest Cisco product rather than looking at any other vendors.

What's my experience with pricing, setup cost, and licensing?

In general, licensing can be quite complex with Cisco products. It would be nice if it was a bit more intuitive and had fewer "gotchas" in there.

What other advice do I have?

I've worked with customers who have used Purple Portal, for example, for their guest wireless access. In comparison to using Cisco ISE, Purple Portal adds an extra layer of complexity on all their guest networks running through a third party. This means that the customer will not have as much visibility into their guest users or control over what their guests see when they join the Wi-Fi network.

With Cisco ISE and the way the policies are built, it gives you a lot of freedom. It covers a wide range of potential solutions. Because each bit can be built together modularly, you can build anything with it. Therefore, Cisco ISE applies to so many different applications.

On a scale from one to ten, I would rate Cisco ISE at eight because it is a complex product and requires more technical ability to deploy it, though it fits many more solution requirements.

Cisco is the main player in networking and security. Having that backing behind our company gives us credence. We're proud to sell the products and to recommend them. Cisco's portfolio is what I would sell by choice. It just makes my job a lot easier.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Junaid Shaikh - PeerSpot reviewer
Networks & Security Solutions Architect at EIIC
Real User
May 20, 2024
Used in-house for phone profiling and for users' computer authentication needs
Pros and Cons
  • "It offers automatic profiling of phones and computers, enabling administrators to identify and categorize devices seamlessly."
  • "They could incorporate some AI features."

What is our primary use case?

We are using it in-house for phone profiling and for users' computer authentication needs.

How has it helped my organization?

The policy and segmentation that we use are currently based on the users and their domains. Let's say different domains, such as HR or finance and procurement. We have policies where users are assigned VLANs or specific requirements and are directed to corresponding policies where services are activated. They have access to specific services based on their domain or vertical.

What is most valuable?

Many Cisco ISE features are good. It offers automatic profiling of phones and computers, enabling administrators to identify and categorize devices seamlessly. Additionally, Cisco ISE can block anonymous devices attempting to connect to the network. This includes unauthorized attempts from non-domain computers or users trying to obscure their identity to gain network access. Cisco ISE ensures such attempts are thwarted by enforcing full identification authentication.

What needs improvement?

I struggled with spoofing, specifically the MAC spoofing feature, which I believe has started working after version 3. Before that, it was not that effective. They could incorporate some AI features.

For how long have I used the solution?

I have been using Cisco ISE for over three years.

What do I think about the stability of the solution?

The product is stable.

I rate the solution’s stability a out of ten.

What do I think about the scalability of the solution?

Scalability is also good. I haven't seen any problem because I currently have a new deployment for the ISE and other branches. Getting an integrated access setup is easy, and scalability is also fine. Initially, the scale upon the licensing part and that sizing is low. ISE's existing policies pretty much work very well. There are no significant changes you have to make.

We have more than a thousand users using this solution.

How are customer service and support?

ISE support is good.

How was the initial setup?

The initial setup is straightforward. They are very easy to manage and not complicated at all.

We have received all our files from the client and deployed them. Currently, we are using single active nodes. We have one Primary Admin Node, which is active, and one Policy Service Node. We don't have a secondary admin node for administrative purposes. We have an active operational node. The deployment is pretty simple. You download the file from Cisco, import it into your Cisco ISE, and follow the prompts to set it up based on your requirements, including IPs, basic security needs, DNS servers, etc. Once the initial setup is complete, you can begin creating policies.

What was our ROI?

Cisco ISE protects your environment from potential physical attacks. This ensures that your environment and users are fully safe, thus enhancing your overall security posture as a first line of defense.

What's my experience with pricing, setup cost, and licensing?

We don't have the full license. An enterprise license includes Apex and device management. We secured it for one of our new branches where the deployment will start. We have a full enterprise license, including Apex and device management, to cut costs.

What other advice do I have?

The problem is we have a team of five. I look into the security and infrastructure part.

Integrating Cisco ISE depends on the specific products you're working with. Each integration may present unique challenges that require individualized solutions. There isn't a one-size-fits-all checklist for potential issues.

They were looking to protect their assets, such as devices, from somebody. If they have an environment exposed to users who frequently come to their office, and it's not a very closed environment, then Cisco ISE is very much required. It's the first place where the attack starts. From a risk and compliance perspective, ISE is essential.

Overall, I rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
VikasKumar13 - PeerSpot reviewer
Associate consultant at HCL Technologies
Real User
Dec 7, 2023
Efficient for wireless security and highly scalable solution for our use cases
Pros and Cons
  • "The product is stable."
  • "There is room for improvement in CLI. Most things are done through the GUI, and there aren't many commands or troubleshooting options available compared to other Cisco products like switches and routers."

What is our primary use case?

We use it to secure our networks. We can secure our switches and wireless networks, basically everything.

We use it primarily for wireless security, but it can be used for many other things as well, like LAN and WAN security.

What needs improvement?

There is room for improvement in CLI. Most things are done through the GUI, and there aren't many commands or troubleshooting options available compared to other Cisco products like switches and routers. We have more visibility on the CLI for those devices, but the GUI seems limited. Moreover, sometimes, GUI seems very pathetic. 

For how long have I used the solution?

I have experience working with this solution. I have been using it for four to five years. We still use the old version, but we plan to migrate to the new version soon because they recently changed their licensing model.

What do I think about the stability of the solution?

The product is stable. We don't face many challenges. It's stable, so I would rate it around a nine out of ten.

What do I think about the scalability of the solution?

The product is scalable. I would rate the scalability a ten out of ten. We have medium-sized businesses as our clients. 

How are customer service and support?

There was some delay.

How would you rate customer service and support?

Positive

How was the initial setup?

Setup wasn't difficult because we already had a solution in place. It was very easy to install.

What about the implementation team?

The deployment definitely took weeks.

What's my experience with pricing, setup cost, and licensing?

I would rate the pricing an eight out of ten, one being cheap and ten being expensive.

What other advice do I have?

Overall, I would rate the solution a nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
reviewer2212611 - PeerSpot reviewer
Network Engineer at an insurance company with 5,001-10,000 employees
Real User
Jun 29, 2023
Works seamlessly and provides insights into authentication issues
Pros and Cons
  • "I like the logging feature."
  • "I don't like the fact that we can see the logs only for 24 hours. Maybe that happens because of the way we set it up."

What is our primary use case?

We use the solution for RADIUS authentication, device authentication, and TACACS. We also use it for Wi-Fi and guest portals.

What is most valuable?

I like the logging feature. I like that I can look at the logs for authentication issues.

What needs improvement?

I don't like the fact that we can see the logs only for 24 hours. Maybe that happens because of the way we set it up.

For how long have I used the solution?

I have been using the solution for six years.

What do I think about the stability of the solution?

The stability of the solution is really good. Once we get it up and running, it's great. We have to do a major upgrade, and I'm not as thrilled with the upgrades as I am with just a day-to-day job integration. Upgrades aren't my favorite thing.

What do I think about the scalability of the solution?

The product’s scalability is great. We do not have any issues. We could scale it up without any problems.

How are customer service and support?

Sometimes support is better than others. It depends on who you get. Some guys are really sharp, and for some guys, it takes a little bit longer to get the thing escalated.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used Secure ACS, which was a Cisco tool. Cisco discontinued support for it, so we switched to Cisco Identity Services Engine.

What was our ROI?

The product runs. It does what it needs to do, and we don't have to touch it most of the time. From that standpoint, we have an ROI.

Which other solutions did I evaluate?

The product didn't really have a whole lot of competitors at the time. Aruba ClearPass was probably the only other competitor. We were getting rid of Aruba from our wireless. Identity Services Engine was just farther ahead than ClearPass at that time.

What other advice do I have?

We have a lot of things we use for detecting threats. We use the product more for authentication issues and stuff like that. We don't use it to identify threats per se. We have other tools.

The solution helps free up our IT staff. There are only a couple of us who are Cisco Identity Services Engine administrators. In that way, other people can do other things. Once we set up the solution, there's really not a whole lot of maintenance to it. I don't know how many hours it saves. It just works, and we don't have to touch it most of the time. It does its job.

We were using Cisco ACS before using the product. We changed tools and upgraded. The tool helps us improve cybersecurity resilience. We use it for RADIUS and to validate users. There are a lot of tools that we use. Cisco Identity Services Engine is a good tool. It does 802.1X and RADIUS very well. Cisco shop is the way to go.

Overall, I rate the solution a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SamBrown - PeerSpot reviewer
Network Engineer at an energy/utilities company with 1,001-5,000 employees
Real User
Jun 18, 2023
Enhances security, protects us at the access layer, and helps to enforce policies dynamically
Pros and Cons
  • "With NAC, the profiling feature is valuable. We're able to see what we have out there in the network and dynamically assign policies to it. We can then use that to enforce TrustSec policy or anything else with NAC."
  • "There should be more visibility into TrustSec policy actions. When TrustSec blocks something or makes any kind of changes to the network, we don't always see that. We have to log into the switch itself, or we have to get some type of Syslog parsing to do that."

What is our primary use case?

We use it for NAC and wireless, and for our TrustSec policy. These are the three primary use cases we have so far.

How has it helped my organization?

It's a network access control solution for us. Previous to Cisco ISE, we didn't have one, so, from a security standpoint, it increased our security visibly.

It has enhanced our security. We have a solution now that can protect us at the access layer, which we didn't have before.

It has helped to consolidate any tools or applications. We only have to use one product for RADIUS, TACACS, and authentication servers. NAC and other things are consolidated into one system, which is nice.

It has helped our organization improve its cybersecurity resilience. The security at the access layer through NAC has been nice, and then the ability to enforce policies dynamically using profiling and NAC and TrustSec is good.

What is most valuable?

With NAC, the profiling feature is valuable. We're able to see what we have out there in the network and dynamically assign policies to it. We can then use that to enforce TrustSec policy or anything else with NAC. 

What needs improvement?

There should be more visibility into TrustSec policy actions. When TrustSec blocks something or makes any kind of changes to the network, we don't always see that. We have to log into the switch itself, or we have to get some type of Syslog parsing to do that. Cisco DNA Center may do it, but it would be better if that was integrated into Cisco ISE.

In terms of securing our infrastructure from end to end so we can detect and remediate threats, it's a little bit difficult in terms of visibility, but, generally, we would just go through the logs and see if there's a problem or not.

For how long have I used the solution?

I've been working in this organization for three to four years, and they have been using it prior to my joining. 

What do I think about the stability of the solution?

It's very stable for us.

What do I think about the scalability of the solution?

It isn't something we have had to deal with.

How are customer service and support?

They're pretty good. Compared to others, Cisco is probably above average. With Cisco TAC, usually, if the first level doesn't resolve it, you can get up to a higher level within a day or two, which is better than a lot of other vendors we've been working with lately, such as Palo Alto. Cisco tech support is doing pretty well. I'd rate them a seven out of ten. Being able to access higher-level engineers and escalate things more quickly is always going to improve any case.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before Cisco ISE, we didn't have a similar solution.

How was the initial setup?

It was implemented before I joined, but it was probably phased. It was first for wireless and then became more of a NAC thing. It was a long process. It was somewhat difficult just because of how much was required of it. I don't think it was particularly painful.

What was our ROI?

We get a return on investment from it. It's a solution that's often required for IT insurance, etc. It's definitely needed but do we need to have one from Cisco? I don't know, but there's definitely an ROI there.

What other advice do I have?

To someone researching this solution who wants to improve cybersecurity in their organization, I'd say make sure you know what you're getting into. Understand and have a good plan going into it and have operational support for not just networking, but also help desk and other IT teams before deploying this solution.

I don't know if Cisco ISE has saved us any time because it's an enhancement to our security that we didn't have before. It probably takes a little more time than not having it. Having no security is super easy because you don't have to worry about anything, but if you have any security product, you have to do work to support that.

Overall, I'd rate Cisco ISE an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Operations Supervisor at McCoy's Building Supply
Video Review
Real User
Aug 10, 2022
Improves network visibility and control over devices, but the user interface could be improved
Pros and Cons
  • "Not having to trust devices and being able to set those levels of trust and more finely control our network is a benefit."
  • "Implementing ISE has saved us the need to invest in that manpower."
  • "The UI is not as intuitive as some other products, even products inside of Cisco's wheelhouse."

What is our primary use case?

When it comes to ISE, the main challenge that we were trying to address is with our retail environments. We don't have control over the physical access to all the ports and we didn't really have any network access control.

ISE has allowed, and will continue to allow, us to secure our edge environment at the retail stores. It's also going to provide more security as we are rolling out more wireless access.

We're expanding our footprint to just outside of the retail environment. For example, we're implementing wireless service in our lumber yards. As we progress, we really need to be focused on securing that, and ISE is going to allow us to do that.

How has it helped my organization?

The main way that ISE is improving our organization is by acting as an added layer of security. It's a physical layer at the actual network jacks in our retail environments.

This is also true for our corporate office in conference rooms. We've now got the ability to allow those ports to be hot for a vendor to come in and plug in, and we're not having to rush and go make it hot for them. At the same time, we can still control what access they have without having to be hands-on all of the time.

The other thing with vendors is that in our stores, a lot of times we have some older technology from vendors that is not wireless. Until now, we haven't been able to push those devices onto a guest network. But now with ISE, we are able to dynamically assign those types of devices to a wired guest network.

The fact that Cisco ISE establishes trust, regardless of where requests come from, has helped us come to realize what was on our network. We thought we knew what was on our network, and we thought we had control over devices, but there's a lot out there that we can't keep track of, day to day. For example, if a different department adds a computer that handles paint and we didn't know about it, suddenly it's on our network.

Now that we've got ISE, I feel like it's a big step in the right direction in terms of increasing the trust in our network. Not having to trust devices and being able to set those levels of trust and more finely control our network is a benefit.

ISE has really helped us in supporting our distributed network because we are geographically diverse with remote sites in Texas and five surrounding states. This means that we can't always be out there, hands-on.

With retail environments, we can't rely on our employees in the stores to be technically minded all the time. As such, it really helps us not to have to worry about that. We don't have to try and train people that aren't meant to be doing that kind of work, because their job is selling lumber. It's not always being there on top of the security of the network.

What is most valuable?

The most valuable feature for us with ISE is the network access control. It provides both security and visibility to what is on our network.

The control ISE gives us with those devices, whether they're company-owned or BYOD, anything on our network, we now have a little bit more visibility into and more control over how it performs and what access it has on our network.

What needs improvement?

When it comes to improvements with ISE, even though we've been using it, there's still a lot to learn because it's such a robust product. I think that Cisco could do something to counteract the stigma that ISE is cumbersome and hard to use.

There was a big pushback against us implementing this product because as VPs and executives start to talk, they want to talk about everything they've heard, and they had it in their minds that things are the way they are. To proceed with implementing ISE, we had to push against that.

The UI is not as intuitive as some other products, even products inside of Cisco's wheelhouse. To an extent, some of it feels like it's legacy and could be improved upon.

What do I think about the stability of the solution?

One thing with Cisco is that we haven't ever had issues with stability, and ISE lines right up with that. We're using the virtual appliance and we're using VMs. We haven't had any issues there, as long as you know the caveats that go along with their setup.

There have been no issues as far as performance or uptime.

What do I think about the scalability of the solution?

Scalability with ISE goes back to the setup, and that initial planning phase. You have to identify your networks and your devices and what you want to do.

Once you get it set up, then scalability is not an issue. Definitely, the more complex your network, the more time you're going to spend on the pre-setup stage.

How are customer service and support?

I really like Cisco's products. Sometimes, however, I have trouble with the support because you're getting someone that doesn't know your environment. This is something that's just going to happen.

Another frustrating point is that you sometimes get a person that doesn't realize that you might know what you're doing. You've already turned it off and back on, but they've got to walk you through those steps no matter what you tell them.

You feel like it's a battle to get to the point where you actually start to work on the solution. It's not the same with everyone but when we do have to work with Cisco, it's usually a bigger problem that necessitates engaging TAC.

At that point, it's hit or miss. Sometimes they're great and just click and get the problem fixed, whereas other times it's an uphill battle back and forth where you can't get on the same page.

I would rate the technical support a six and a half out of ten.

However, our account team from Cisco, who are the systems engineers that support us, I would rate about a nine. They are always there and are great to work with. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

This is our first solution for network access control and that level of visibility.

For visibility, we do have CrowdStrike. That gives us visibility into our network, but it only acts on the agent and it uses an ARP request to discover devices that it didn't already know about. You can't really trust that, because if someone gets on maliciously, they're going to know enough to not just be blatantly, obviously there. You want to have a little bit more security in place when they first connect.

How was the initial setup?

The deployment of ISE is definitely more complex than other things, but it's inherent because there's a lot of prep and planning to set up how you're going to handle certain types of devices.

You start realizing that you hadn't even thought of some things and accounted for other things. Definitely, it's a big exercise in prep work. It involves filling out questionnaires and keeping spreadsheets on everything on your network. That said, it was eye-opening and a good experience, but there's definitely quite a bit of work to set up ISE.

We're juggling a lot of things at one time, so it took six months to deploy. A lot of that was not dedicated to ISE, and we were still doing the other parts of our job throughout the process.

What about the implementation team?

We received help setting it up from our reseller, who was Accudata, but they were recently purchased by Converge Technology Solutions. We've got a great relationship with them; they've always got great resources and great account teams.

What was our ROI?

If I were to comment on the return on investment on ISE, I don't really know where to begin because it was something we never did before. It was somewhere where we were lacking. We just didn't have the time or the manpower to do what ISE will do for us.

I'm sure someone out there can crunch the numbers and quantify the ROI on stopping an attack or a breach, but I don't have those numbers and thankfully, we haven't had one yet.

For us, we didn't have the manpower to do it right. Implementing ISE has saved us the need to invest in that manpower.

What's my experience with pricing, setup cost, and licensing?

When it comes to licensing, I'm hoping Cisco is improving that because that's always been a pain point. I usually rely on our account team, which thankfully we have one, to help with the licensing.

Over the years, licensing has been confusing and complicated because there are so many different licenses for each different product and each different iteration of the product.

What other advice do I have?

In terms of advice for anybody who is looking into Cisco ISE, I wouldn't suggest just jumping in and buying ISE. I'm not trying to talk badly about anything, but I would say, do your due diligence and understand your network and what's going to work for you.

Definitely understand that you're getting into a lot with ISE. There's a lot of capability, but I don't feel like just one person working on a hundred networks should be taking that on and trying to manage it themselves.

Overall, this is a good product but there's definitely room for improvement. Also, we're not using everything we could within the product.

I would rate this solution a seven out of ten. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Engineer at a hospitality company with 10,001+ employees
Video Review
Real User
Aug 9, 2022
Helped us get away from pre-shared keys, and allows us to see what's connected to the network
Pros and Cons
  • "[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting MAC addresses."
  • "It works so well we haven't had to reach out too much."
  • "Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved..."
  • "Automation and integrations are the areas it could be improved, as we get more and more away from a lot of human involvement and into machine learning and just trusting that these systems could automatically help us."

What is our primary use case?

One of our use cases is using it for authentication for the wireless. Our internal corporate network is using the Cisco ISE server to authenticate clients and make sure that we have the right clients on the wireless side, as well as on the wired side. We just introduced that about a year ago to make sure all our wired clients are our clients and not some "rando" plugging into the network.

How has it helped my organization?

Definitely, getting away from pre-shared keys has been the biggest key. It is allowing users to connect to the internal network, the employee's network, from anywhere, across the entire US. It is allowing that ease of use. 

It's also allowing us to see what's connected to the network. We can see that there are only really clients. We can see what's connected on the wired side and what's getting blocked, and understand [things] from our users. "Okay, that's getting plugged in. What do you guys use this for?" It's adding a layer of defense that's super important to our organization.

I don't think we've gotten away from trust completely, but it has helped a lot. It's allowed, on the server side and on the infrastructure side, to allow certain clients. We don't have to trust the client necessarily. We know that that's a corporate client and we don't have to play any guessing games. The corporate client that we want on that specific network is going to have the right cert and the right thing. It allows access control without a lot of human involvement.

It's helped significantly. We have fewer IoT devices on internal networks and that's the key. Your clients have the right firewall protections and the right anti-virus. Those are on the internal network so you're not putting stuff [on it] that you don't know whether it has a security vulnerability or if it's easily hacked. You're allowing those to be in separated networks that silo them off with a PSK. And you're keeping the internal network to clients that you know are protected.

What is most valuable?

[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting MAC addresses.

It also integrates really well with some of our other services like ServiceNow. A ticket comes in and then, boom, it's automatically going to the ISE, and then ISE is allowing that client with that MAC address to get on the network easily.

[In addition, regarding establishing trust for every access request, no matter where it comes from] it does the job. It's a perfect solution in order to manage a large corporate network.

It allows that access control [for a distributed network]. That's super significant. It allows you to segment things and allows only certain devices to access the network.

What needs improvement?

Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved, as we get more and more away from a lot of human involvement and [into] machine learning and just trusting that these systems could automatically help us.

For how long have I used the solution?

My name is Edward Martinez. Network engineer. Our company has about 5,000 employees, and we're in the beverage industry.

[I've been using Cisco ISE (Identity Services Engine)] ever since I started. That was one of the main services that I had to understand and get involved with as soon as I started at our company.

What do I think about the stability of the solution?

I haven't had many issues in terms of its stability. It doesn't really ever go down. Anytime we ever have any issues with it, it's usually human error.

How are customer service and support?

In the past, I've always had pretty good support from Cisco. Their TAC is really good. They're pretty straightforward. I haven't had many experiences with ISE, honestly. It works so well we haven't had to reach out too much.

I would rate their support about a nine out of 10. It works most of the time. It depends on the engineer you run into. It depends on the people you deal with.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

[The main challenge] was authentication and not using PSK, traditional pre-shared keys. They wanted to get away from pre-shared keys; people share them. They wanted something that would allow clients to just connect automatically, not have a pre-shared key, and be secure. That's the most important part, making sure that the right clients are getting on our internal corporate network.

[Our company] was just using PSK and that solution was really built around access control of our corporate networks. They were using PSKs at every site and rotating those PSKs, or had site-specific PSKs. Now, when somebody comes into the office, they can just connect to the employees' network automatically, and it's the same across the board at every site. 

It was this idea that we needed to simplify things. We needed to make it easier on our users to go into an office and connect to the internet and not have to ask an IT guy there or make a ticket. That was the important part.

How was the initial setup?

I've just been involved with the secondary deployment, using the ISE on our wired ports.

It was pretty straightforward. It was funny. We did it during COVID so it was really easy when nobody was in the office to implement the solution. It kind of worked out that way, when there was nobody in the office.

But otherwise, people have started to come back and we haven't had really many issues in terms of authentication. It's really easy. People have wired in and if their client has the right cert, it's been a breeze. They've been authenticated and it takes a minimal amount of time.

What about the implementation team?

We have an operations partner that we deal with pretty often. It's an Austrian company, NTS. They work with Cisco a lot on our solutions and, obviously, we're evaluating it with them and then making choices based off of that. I'm the onsite hands. I do a lot of the configuration on the switches, but they're doing a lot of the advising.

What was our ROI?

You're seeing fewer tickets and you have fewer security issues. I think the return on investment is there. It has really improved our situation in our corporate offices.

What other advice do I have?

Resilience is super important. The solution needs to be able to hold up and promise what it [intends] to deliver. In cyber security, that's super important because if you have any slight exploit, you're going to have malware attacks, ransomware attacks. That's [a] big [issue] in our company as, more and more, you hear about legacy systems being affected. These legacy systems sometimes don't go away. Sometimes you need them. You have to do your best to either patch them up or protect them either through a firewall or an access control system. 

[It's about] protecting the network infrastructure from exploits and really allowing us to segment IoT devices and the corporate network. And because [on] the corporate network, once you get into it, there really isn't anything protecting against accessing critical storage systems, accessing mission-critical servers, [or] our sales numbers, it's super important that we have the ISE so that we're only allowing the things that we want into the network that we trust.

[What I would tell leaders who want to build more resilience within their organization would be] evaluate solutions, prioritize it, get manpower behind it. Also, too often they put cyber security on the back burner. They're trying to maintain operations and sometimes cyber security can get in the way of operations. But trust that system, once you build it up, will protect you and that it's worth the investment in terms of money, labor, and time.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Network Security Engineer at Kooperativa pojistovna, a.s., Vienna Insurance Group
Video Review
Real User
Aug 7, 2022
SGTs enable us to leverage security based on those tags and integrate with other SG firewalls
Pros and Cons
  • "The most valuable thing in ISE is the adoption of TEAP that came in [version] 2.7, so we can do authentication based on user and machine certificates in one authentication."
  • "It has improved our organization very much because we're now adopting the SGTs, Security Group Tags, and we're leveraging security based on those tags on our core systems and integrating with other SG firewalls."
  • "Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them."

What is our primary use case?

We are using it mainly for .1X authentication, and we also authenticate our VPN users, and we are doing some light profiling and posture.

We're trying to solve the problem where different users have different privileges in the network. And also we're trying to block some access from our least privileged users. Those are the main use cases for us.

We have on-prem virtual appliances and a distributed model.

How has it helped my organization?

It has improved our organization very much because we're now adopting the SGTs, Security Group Tags, and we're leveraging security based on those tags on our core systems and integrating with other SG firewalls.

We have a pretty distributed network and we have only one ISE deployment and it's been really good so far for managing all of those sites.

What is most valuable?

The most valuable thing in ISE is the adoption of TEAP that came in [version] 2.7, so we can do authentication based on user and machine certificates in one authentication.

[Regarding establishing trust for every access request] it's been pretty good so far. We've been authenticating all of our users, no matter where they're coming from. If it's from our VPNs, or if it's wireless access, we are all Cisco, so the integrations are pretty good. It's very important [that the solution considers all resources to be external]. Right now, with the challenges that the multi-cloud environment poses, you have to have a solution like this.

What needs improvement?

[When it comes to securing access to your applications we are] not [using it] so much. I'll have another session with a TAC engineer on Friday, and I will have to discuss some basic concepts of securing the application with ISE. I find it very challenging to do some micro segmentation with it. I'm staying on top of it and doing it macro, but I want to go micro, and it's something I need to discuss more with an engineer.

Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them. This is a problem in ISE. This could be much simpler.

For how long have I used the solution?

I wasn't involved in the process of choosing this particular technology. The colleagues that made the decision made it seven or eight years ago. They were using ISE for a long time. I've been in the company for four years now so I came into an already deployed solution. But it wasn't so good, so we had to migrate from physical appliances to virtual ones because they were end-of-life and end-of-support.

What do I think about the stability of the solution?

Sometimes, they push an update that breaks the whole deployment. It happened to me with update two. It was my fault. I updated right after it came out, and I won't ever do that again. I will wait at least a month or two or three, because the update was taken down a week later.

I was lucky enough because I had updated from update one to update two. So it didn't really break the whole deployment, just parts of it. But they fixed it in a week with update three, so I was able to put it back together. Roll back is also always an option.

What do I think about the scalability of the solution?

Scalability is really good. The number of possible nodes in deployment is high. I don't know the exact number, but it's really high. Scalability is not a problem.

How are customer service and support?

I have had some problems lately with the TAC engineers being unable to investigate the logs that I gave [them]. They always ask for more, but there is not much you can do on ISE. When you give out all the debugs from the nodes, then there is nothing else to do.

It's been a bit of a ping pong with the TAC engineers. Sometimes I have four to five TAC cases open, specifically on ISE. Most of the problems I have are with the integrations of other companies' firewalls. 

This year I would give them a six [out of 10]. Before, I would say eight.

How would you rate customer service and support?

Neutral

How was the initial setup?

I have had to find my own way to do the new deployment. It wasn't that there was some documentation about how to migrate. There is none of this stuff on Cisco's site. You have to search Reddit and multiple forums to assess what you can do with the deployment. I basically built it from scratch.

What was our ROI?

We are more secure thanks to ISE. That's always a return on investment.

What other advice do I have?

[When it comes to eliminating trust from our organization's network architecture] I'd say, no, ISE hasn't done that. It's been a challenge to implement this. We're trying to bridge the gap between the security guys and network guys. They're not the same teams. Sometimes the security guys also do networking, but it can be hard to cooperate on projects like this. This is a big project. ISE is a pretty big solution and security guys are sometimes lost in what's going on in the network, like equipment where you have to configure things.

It's pretty much the most resilient solution as of now.

I like this solution a lot. I would say it's a nine out of 10.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1905522 - PeerSpot reviewer
Client Manager at a tech vendor with 10,001+ employees
Real User
Jul 7, 2022
We can deep dive into each employee's usage according to our infrastructure needs
Pros and Cons
  • "There are a lot of integrations available with multiple vendors. This has made the solution easier to work with."
  • "We have become more reliable because we do not have any vulnerabilities coming into our network, which is important since a lot of employees are using their own endpoints to connect to our infrastructure."
  • "If you have someone taking care of it, it can be quite easy to manage the solution. Otherwise, if you don't look after it and take care of it day-to-day, then it will become more complex to run."

What is our primary use case?

We have been authenticating our company's employees and certifying that they are in compliance. We have to certify our employees in regards to compliance, having all the necessary protections in our infrastructure for their endpoints, notebooks, laptops, and mobile phones.

We have implemented it across the entire company in every area and department at every single level of our organization.

So far, it has been on-premises. We are still working to expand it to integrate with multiple cloud providers, like AWS.

How has it helped my organization?

We have become more reliable because we do not have any vulnerabilities coming into our network, which is important since a lot of employees are using their own endpoints to connect to our infrastructure.

Every other time that we have a new employee, we need to make sure they have been using the latest version of the solution in order to connect to our infrastructure.

We have made our company more secure. As an IT guy, I have gained more importance to my company.

What is most valuable?

It is more about the features related to Apex. This is part of the solution where we can deep dive into each employee's usage according to our infrastructure needs.

There are a lot of integrations available with multiple vendors. This has made the solution easier to work with.

We use the management platform, which makes it easy for our IT to access and manage. 

For how long have I used the solution?

We have been working with it for about 10 years.

What do I think about the stability of the solution?

If you have someone taking care of it, it can be quite easy to manage the solution. Otherwise, if you don't look after it and take care of it day-to-day, then it will become more complex to run. However, if you have someone taking care of it, maintenance is not that difficult.

What do I think about the scalability of the solution?

The scalability is good and quite easy to do. If you have the licenses, then anything is possible.

We worked with customers. The last one that we worked with had 10,000 licenses, i.e., 10,000 endpoints. We started working with the corporate office, then we replicate to the distribution centers.

How are customer service and support?

As an IT integrator, it is quite easy to work with their technical support. We have the correct people to deploy it as well as receive good support from the Cisco Technical Assistance Center. I would rate the support as 10 out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have been using ISE for a while. We didn't have another solution beforehand.

How was the initial setup?

We had to do some labs beforehand, in order not to breach the environment. The deployment was not too complex.

When we work with customers, it takes four or five hours. We start with a specific environment, then we replicate to other areas.

What about the implementation team?

We are a reseller. My professional services implemented it, which includes a tech lead, engineer, senior engineer, and project manager to work with the solution.

It is an easy solution to implement with the correct partner.

What was our ROI?

It is difficult to measure security breaches, but since we have not been attacked so far, it has paid for itself over the years.

Which other solutions did I evaluate?

We worked with Fortinet to look at their solution, but ISE was more reliable and had more integration with our product vendors. Also, it had a more affordable cost.

When compared with other vendors, like Forescout, for what we need, ISE has been more usable and accessible.

What other advice do I have?

Learn about the solution, then evaluate what devices it would be implemented with. I would amalgamate the devices and their versions with a systems integrator or partner who already has experience and will try only to replicate it, not to reinvent the wheel.

Part of our journey is getting everybody connected to the infrastructure and trying to avoid any breaches. We don't want to be vulnerable.

I would rate the solution as 10 out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.
PeerSpot user
Principal consulting architect at a tech vendor with 10,001+ employees
MSP
Jul 3, 2022
Helps to have a much better security posture overall and provides visibility into response
Pros and Cons
  • "The posture assessment is a valuable feature because of the ability to do assessments on the clients before they connect to the network."
  • "Cisco ISE has enabled my customers to deploy secure wireless and secure wired networks and gave them a lot of flexibility to do security enforcement."
  • "When I work with customers to do my knowledge transfer, they're really overwhelmed with the navigation of the product and the number of things you can do with it. From a user interface standpoint, Cisco could focus on making certain tasks a bit more guided and easier for customers to walk through. That is, a user-friendly interface and streamlined workflows would be great."

What is our primary use case?

The primary use cases include customer environments, BYOD, posture assessment, and dot1x for wireless and wired networks.

How has it helped my organization?

I'm customer-focused, and for my customers, Cisco ISE has enabled them to deploy secure wireless and secure wired networks and gave them a lot of flexibility to do security enforcement.

What is most valuable?

The posture assessment is a valuable feature because of the ability to do assessments on the clients before they connect to the network.

The guests' BYOD portal and onboarding are feature-rich and fairly straightforward and easy to set up.

From a zero-trust standpoint, it is critical that Cisco ISE considers all resources to be external because, in essence, we don't want to allow anybody on the network that hasn't been verified. Even when they're on the network, we want to make sure that they have the least amount of privileges to do their job.

Cisco ISE hasn't eliminated trust, but it's definitely helped us to migrate more toward zero-trust network environments. It helped us to have a much better security posture overall to help eliminate threats and also give visibility into the response.

ISE is generally deployed as a distributed environment, and it makes it easier to have local resources across the distributed environment so that you're not dependent on always-on access to a data center. In case you lose your internet connection or lose an MPLS connection, you can still have a certain amount of security control at the distributed location.

As far as securing access to applications goes, with the posture assessment you get a lot more visibility into the applications on the client when you deploy it and a lot more control over enforcing connectivity in the network, especially with secure group access.

What needs improvement?

When I work with customers to do my knowledge transfer, they're really overwhelmed with the navigation of the product and the number of things you can do with it. From a user interface standpoint, Cisco could focus on making certain tasks a bit more guided and easier for customers to walk through. That is, a user-friendly interface and streamlined workflows would be great.

For how long have I used the solution?

I've been using Cisco ISE for about eight years.

What do I think about the stability of the solution?

I've had very few issues with stability and haven't run into any bugs.

What do I think about the scalability of the solution?

It scales quite well. Essentially, you can scale up to about 500,000 users, and most of my customers are south of that.

Which solution did I use previously and why did I switch?

I am familiar with ClearPass. I prefer ISE because most of the environments I'm dealing with are Cisco networks. Having the device administration based on TACACS+ is a plus, with it being a proprietary protocol. ISE definitely implements it better than other solutions. From a conceptual standpoint, ISE makes more sense.

ISE may be a bit difficult for my customers because they're not used to it, but the reality is that the workflows make a lot more sense to me than they did with other solutions like ClearPass.

How was the initial setup?

The first deployment I did was complex because I ran into the same thing my customers did. It's overwhelming at first to figure out because there are so many options and so many different use cases. It was tough to narrow it down to what was important and what could be added later.

However, after having done 30 or 40 deployments, it's now straightforward.

I've deployed the solution in a bunch of different environments. I have manufacturing customers with centralized management and monitoring, so the PAN and the MnT are in data centers that are separate but with PSNs deployed all across the network for the distributed model. There are also some where everything's pretty much in a data center or is split across two data centers.

What's my experience with pricing, setup cost, and licensing?

Licensing has gotten much simpler since Cisco moved to the DNA model because we just have the three tiers, but it could always stand to be improved upon.

Which other solutions did I evaluate?

I evaluated ClearPass.

What other advice do I have?

To leaders who want to build more resilience within their organization, I would say that it's definitely worth moving toward a zero-trust environment. It's really a rebranding of an old concept of least privileged access, but the tools we have to implement it, such as Cisco ISE and firewalls, at the core and the ability to broker it out to the cloud as well, give us a lot more visibility and a lot more control over the traffic and our data, which is our biggest asset.

If you're evaluating the solution, pick two to three use cases, stick with those, and familiarize yourself with the solution. Try not to get overwhelmed with the interface, and don't try to see everything it can do and let it spin out of control; it's easy to do that. Just start with something you really need to implement and then worry about adding more features later on.

On a scale from one to ten, I would rate Cisco ISE at nine.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Cisco Identity Services Engine (ISE) Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2026