Cisco Identity Services Engine (ISE) Reviews

We use Cisco ISE to authenticate users or devices onto the network and then drop them into the appropriate VLANs to isolate them and maintain network segmentation.

Cisco ISE has been a great tool to segment our traffic and get the users into the right VLANs. It definitely does free up a lot of time from manual configurations.

It has definitely improved our security a lot. We used to be a single flat network, and now, we are a segmented network where we have all our different traffic isolated so that in case we do get a breach, not all the customers are affected.

Cisco ISE has been great for securing our infrastructure from end to end so that we can detect and remediate threats. We've already seen it detect some devices that we didn't know about, and they quarantine those devices, allowing us to take the appropriate security actions against them.

Our IT staff has been freed up for other projects with Cisco ISE because we're able to do a little bit more automated configuration. We just throw out a single configuration to the ports, and then the users get dropped into whatever VLAN they need to be in without us having to go to each site and configure these things manually. On a usual workday, it has freed up at least a couple of engineers for two to three hours.

Our cybersecurity resilience has improved with Cisco. Users are now segmented. We have firewalls in between, so we can take a look at all the traffic. We have quarantine enabled in there so that if we get a device on our network that we don't recognize, we can lock it down.

The feature that I found most valuable is profiling. We use that to profile certain types of devices, and then depending on the manufacturer, drop them into the appropriate VLAN without us having to go in and manually add the devices.

We would definitely like to see a little bit of an improvement in the web GUI navigation. Some of the things are a little bit hidden in the drop-down menu. If we could get a way to get to those quicker, it'd be much more useful.

We've been using Cisco ISE for about three years.

So far, from what we've been using, we haven't had any problems even with any of the additional patches that we've added. It has been great.

Scalability-wise, it's great. We have plenty of space to add additional nodes. Right now, the ones we do have are not being utilized to a hundred percent, so if we ever do need to add additional, it seems pretty straightforward.

Cisco support has been pretty good over the years, helping us get this stuff up and running. It has definitely taken us a while, and some of the cases have been pretty long, but Cisco support has been pretty good. I'd rate their support a nine out of ten.

Positive

We weren't using anything in place of Cisco ISE previously. We were pretty lacking in that department. When we got Cisco ISE, we improved our security significantly.

We went for Cisco ISE based on a suggestion from one of our vendor partners who helped us with our network refresh. They said that Cisco ISE was something that they had used previously in lots of larger deployments, and they had seen great success with it.

I was involved in its deployment. It was pretty straightforward. A lot of the issues that we ran into were related to coordination with the users just because it was a change for them, but the actual deployment and everything else were pretty straightforward.

We used MTT. They were great. They walked us through the whole process. They designed the network refresh for us as well as the Cisco ISE integration portion of it.

We've seen an ROI. We've freed up some hours, so those engineers who were previously doing more mundane tasks are now able to do something else.

I don't know too much about the actual pricing on it. The licensing part is pretty straightforward. It's a lot more simple than some of the other Cisco licensing models. In that aspect, it's great.

Overall, I'd rate Cisco ISE a nine out of ten.

We use Cisco ISE for the authentication of wireless clients.

Cisco ISE has saved me a couple of hours per month in terms of not having to manually onboard clients. However, there are still some manual tasks that need to be uploaded to Cisco ISE.

The most valuable feature of Cisco ISE is its seamless integration with the switches and the entire suite, enabling wireless access and smooth client information retrieval.

One of the problems we have had is that there are many features on Cisco ISE that we are not utilizing. In the real world, it requires multiple parties to come together, just like the AD or OU. Therefore, it won't be solely the responsibility of the network or security personnel to ensure that the solution works as intended and utilizes all the features. It necessitates collaboration among various stakeholders. If Cisco could grant more control, the features could be more focused on network and security administration, reducing the need for integration with other components. This would be beneficial for my organization.

I have been using Cisco ISE for one and a half years.

Cisco ISE is extremely stable.

As long as we have the funds to purchase the license, Cisco ISE is highly scalable.

We have a contact person in Singapore whom we can reach at any time for support.

Positive

The initial setup was straightforward because we used an integrator.

We used an integrator for the implementation.

The cost-benefit analysis primarily considers the time saved through manual labor.

The recent changes in the licensing model have caused some issues with the team. 

We have a rigorous procurement process and carefully evaluated other options before selecting Cisco ISE.

One of the other solutions we evaluated was the Aruba Wireless feed and its accompanying authentication, but we determined that Cisco ISE was superior and more beneficial.

I would rate Cisco ISE with a nine out of ten based on its overall benefits. However, since I am unable to utilize all the features due to the need for coordination from numerous other teams, I would personally assign it a benefit score of only five out of ten.

We attempted role-based access with the Cisco ISE integration, but it didn't work out effectively because it is more of an upper-level issue regarding organization and role level. Multiple teams had to collaborate, and there was a need to configure the Active Directory and Organizational Unit groups. This also involved restructuring and similar tasks. As individuals moved between OU groups, someone had to consistently update the OU groups to ensure the success of the process.

We have made a significant investment in Cisco infrastructure; therefore, we have chosen Cisco ISE as a logical option for our authentication mechanism.

Cisco ISE has not directly assisted our organization in enhancing its cybersecurity resilience.

There's a variety of customer uses for Cisco ISE, which includes securing the edge of the network.

Cisco ISE allows our customers to concentrate on other aspects of the business, knowing that much of their security is now in place.

Cisco ISE's profiling and posturing features ensure that all devices are compliant with regulatory authorities.

Sometimes some of Cisco ISE's graphical interfaces could be a little bit smoother. However, with the different versions, the product is getting better and better.

We've been using Cisco ISE for approximately seven years.

Like most products, as Cisco ISE evolves with different software versions over time, it becomes more stable and feature-rich. Initially, when it first came out, it was playing catch up with other vendors and solutions. However, now Cisco ISE is probably at the forefront of Open NAC solutions.

You can build a distributed model or architecture, and you can scale out with a number of PSN nodes. So Cisco ISE can grow as you grow.

Cisco ISE's technical support is generally very good. They have different levels of tech engineers, but their tech support is very good.

Positive

Some of our customers have considered using Juniper NAC, ClearPass, etc. They switched to Cisco ISE because they had a lot of network infrastructure in place and wanted a single vendor they could use end to end. Everybody has a good relationship with Cisco because they know that if there is a problem, their technical support team will resolve things in a quick and timely manner.

Cisco ISE is very scalable. We can do a small proof of concept and very quickly demonstrate that to customers.

Our customers have seen a return on investment with Cisco ISE. The solution has helped our customers consolidate several products into one and free up their IT staff. Also, the reporting from Cisco ISE enables them to show senior management their network's health.

The licensing could be better across all of the Cisco products. Cisco's licensing models seem to keep changing with different software versions. Cisco is moving towards a subscription service, which would mean additional costs.

Our customers are using Cisco ISE, but we're helping to integrate it into their solutions.

The end-to-end infrastructure security from Cisco AnyConnect host points is very good.

Cisco ISE has helped free up our customer's IT staff to concentrate on other projects. In the UK, where I predominantly work, a lot of the NHS staff have a lot of access switches located throughout multiple buildings. Cisco ISE probably frees up at least twenty percent of their time.

Our customers can use Cisco ISE for device administration for TACACS, RADIUS devices, and individual host appliances.

The migration from ACS to Cisco ISE has helped. Some of our customers were looking at various MAP implementations using different vendors, but we've now got I 2.1 X and MAM all built-in together.

Cisco ISE's ability to consolidate tools or applications has centralized everything and made things a lot easier and smoother for our customers to carry out their day-to-day tasks.

Cisco ISE has helped improve the cybersecurity resilience of our customers' organizations. We've always been able to integrate Cisco ISE into other products. So they're getting more security alerts, making them a lot more secure and happy with their environment.

Overall, I rate Cisco ISE an eight out of ten.

I use Cisco ISE for VPN and authentication.

Cisco ISE is a good and easy-to-use solution. We had a smooth experience with it, and we didn't face any issues. We upgraded the solution two years ago, and that version also worked fine. 

Cisco ISE's integration with other external identity servers like Duende is very simple and easy.

Cisco ISE's performance could be better, faster, and more robust. Sometimes it takes some time to move through the tabs and configure something.

I have been using Cisco ISE for three and a half years.

Cisco ISE is a stable solution. We haven't faced any major issues with the product.

Cisco ISE is a scalable solution. Our environment has a cluster distributed across three countries and seven nodes. It would be very easy to add another node or remote site.

In some areas, Cisco ISE's technical support is good. However, we had an issue with integrating Cisco ISE with DNS. So we opened a case, which escalated, and we had it for almost two years. Cisco escalated our case after hearing about our integration problem, and the issue was solved eventually.

In normal support cases, like if you are facing a bug, you will have very quick input from Cisco ISE's technical support. It is easy to find the issues in some areas, but in some cases, you might have to go along a troubleshooting path to find the issue. I used to work for Cisco tech wireless team. In some deployments, you have a complicated environment and must understand and solve the issue. Sometimes, it might take a long time to solve or find an issue, while it would be easy in other cases. It depends on the complexity of the environment.

Positive

Cisco ISE was already deployed when I joined my company, but I was present when it was upgraded. The upgrading process wasn't very easy, but we didn't face many issues. When we upgraded our Cisco ISE, it was running on the 2.3 version. We upgraded it to 2.7, and we had some issues at that time. We upgraded directly to 2.7 patch 2, and most problems were solved.

My main focus is on the .1X access. We have another security team whose focus is on VPN access. I use Cisco ISE for TechX authentication and .1X authentication.

Cisco ISE saves us time. If you deploy any security features using Cisco ISE, you don't have other options not to automate it. Part of our Cisco ISE is integrated with the Cisco DNS center. The Cisco DNS center saves time in terms of configuration, integration, upgrading, and adding other switches to the fabric. You can deploy the features in Cisco ISE using manual techniques.

Cisco ISE was already deployed in my organization when I joined. However, I know that Cisco ISE replaced ACS.

I work in the banking industry. Our main concern is securing our network from either remote or on-site access. When you get physical access to the site and connect your device, you might risk the security of the network on purpose or unknowingly. Deploying Cisco ISE has helped improve the security of our organization.

Overall, I rate Cisco ISE a nine out of ten because I have a very good experience with the solution and hear the same from other vendors.

One of our use cases is using it for authentication for the wireless. Our internal corporate network is using the Cisco ISE server to authenticate clients and make sure that we have the right clients on the wireless side, as well as on the wired side. We just introduced that about a year ago to make sure all our wired clients are our clients and not some "rando" plugging into the network.

Definitely, getting away from pre-shared keys has been the biggest key. It is allowing users to connect to the internal network, the employee's network, from anywhere, across the entire US. It is allowing that ease of use. 

It's also allowing us to see what's connected to the network. We can see that there are only really clients. We can see what's connected on the wired side and what's getting blocked, and understand [things] from our users. "Okay, that's getting plugged in. What do you guys use this for?" It's adding a layer of defense that's super important to our organization.

I don't think we've gotten away from trust completely, but it has helped a lot. It's allowed, on the server side and on the infrastructure side, to allow certain clients. We don't have to trust the client necessarily. We know that that's a corporate client and we don't have to play any guessing games. The corporate client that we want on that specific network is going to have the right cert and the right thing. It allows access control without a lot of human involvement.

It's helped significantly. We have fewer IoT devices on internal networks and that's the key. Your clients have the right firewall protections and the right anti-virus. Those are on the internal network so you're not putting stuff [on it] that you don't know whether it has a security vulnerability or if it's easily hacked. You're allowing those to be in separated networks that silo them off with a PSK. And you're keeping the internal network to clients that you know are protected.

[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting Mac addresses. 

It also integrates really well with some of our other services like ServiceNow. A ticket comes in and then, boom, it's automatically going to the ISE, and then ISE is allowing that client with that Mac address to get on the network easily.

[In addition, regarding establishing trust for every access request, no matter where it comes from] it does the job. It's a perfect solution in order to manage a large corporate network.

It allows that access control [for a distributed network]. That's super significant. It allows you to segment things and allows only certain devices to access the network.

Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved, as we get more and more away from a lot of human involvement and [into] machine learning and just trusting that these systems could automatically help us.

My name is Edward Martinez. Network engineer. Our company has about 5,000 employees, and we're in the beverage industry.

[I've been using Cisco ISE (Identity Services Engine)] ever since I started. That was one of the main services that I had to understand and get involved with as soon as I started at our company.

I haven't had many issues in terms of its stability. It doesn't really ever go down. Anytime we ever have any issues with it, it's usually human error.

In the past, I've always had pretty good support from Cisco. Their TAC is really good. They're pretty straightforward. I haven't had many experiences with ISE, honestly. It works so well we haven't had to reach out too much.

I would rate their support about a nine out of 10. It works most of the time. It depends on the engineer you run into. It depends on the people you deal with.

Positive

[The main challenge] was authentication and not using PSK, traditional pre-shared keys. They wanted to get away from pre-shared keys; people share them. They wanted something that would allow clients to just connect automatically, not have a pre-shared key, and be secure. That's the most important part, making sure that the right clients are getting on our internal corporate network.

[Our company] was just using PSK and that solution was really built around access control of our corporate networks. They were using PSKs at every site and rotating those PSKs, or had site-specific PSKs. Now, when somebody comes into the office, they can just connect to the employees' network automatically, and it's the same across the board at every site. 

It was this idea that we needed to simplify things. We needed to make it easier on our users to go into an office and connect to the internet and not have to ask an IT guy there or make a ticket. That was the important part.

I've just been involved with the secondary deployment, using the ISE on our wired ports.

It was pretty straightforward. It was funny. We did it during COVID so it was really easy when nobody was in the office to implement the solution. It kind of worked out that way, when there was nobody in the office.

But otherwise, people have started to come back and we haven't had really many issues in terms of authentication. It's really easy. People have wired in and if their client has the right cert, it's been a breeze. They've been authenticated and it takes a minimal amount of time.

We have an operations partner that we deal with pretty often. It's an Austrian company, NTS. They work with Cisco a lot on our solutions and, obviously, we're evaluating it with them and then making choices based off of that. I'm the onsite hands. I do a lot of the configuration on the switches, but they're doing a lot of the advising.

You're seeing less tickets and you have fewer security issues. I think the return on investment is there. It has really improved our situation in our corporate offices.

Resilience is super important. The solution needs to be able to hold up and promise what it [intends] to deliver. In cyber security, that's super important because if you have any slight exploit, you're going to have malware attacks, ransomware attacks. That's [a] big [issue] in our company as, more and more, you hear about legacy systems being affected. These legacy systems sometimes don't go away. Sometimes you need them. You have to do your best to either patch them up or protect them either through a firewall or an access control system. 

[It's about] protecting the network infrastructure from exploits and really allowing us to segment IoT devices and the corporate network. And because [on] the corporate network, once you get into it, there really isn't anything protecting against accessing critical storage systems, accessing mission-critical servers, [or] our sales numbers, it's super important that we have the ISE so that we're only allowing the things that we want into the network that we trust.

[What I would tell leaders who want to build more resilience within their organization would be] evaluate solutions, prioritize it, get manpower behind it. Also, too often they put cyber security on the back burner. They're trying to maintain operations and sometimes cyber security can get in the way of operations. But trust that system, once you build it up, will protect you and that it's worth the investment in terms of money, labor, and time.

I'm using Cisco ISE for integration. We are currently using it for 82.X, but we are planning on using it for a different use case in the next couple of quarters.

The core point is that Cisco ISE is the same globally compared to FortiAuthenticator. Whether I deploy in China, the US, South Africa, or wherever, I'm can get all the capabilities. It allows me to directly integrate with 365, and from a communications point of view, that is a good capability. 

Cisco ISE could be simplified somewhat. I would also prefer certificate-based authentication over confirmation-based authentication for all the processes. It's possible for us to do a workaround, but the process needs to be simplified. 

I've been using Cisco ISE for more than a year.

Cisco ISE is stable.

I haven't really tried to scale ISE, but I don't think we'd face any challenges with hard gentle scaling.

We have a good relationship with Cisco support. However, when they do a new release, they take their time. I don't have much of an issue with Cisco support itself, but working with their customer success team and those types of things can be a challenge. It's not just the response time. It's the total resolution time. They'll respond quickly, but when they get the particular fix, it's a challenge. 

In the previous versions, the setup was okay. But as they add more capabilities, it gets more complicated to deploy and maintain the solution. We expect these complexities as part of the roadmap and evolution. We have to set the policy definitions manually because there is no discovery process to define what needs to be authenticated. When a new device is added, we might have to configure something so that it's integrated or set up some data flows of the service we need to do it. These are some of the maintenance activities that we must do to keep it live. We have a good IT team that numbers around 25 people and serves a decent number of customers.

Customers respond to a low price. From the point of view of integration, Cisco ISE hikes up the cost of security, but otherwise, I think it should be okay.

I rate Cisco ISE nine out of 10.

We have two servers and they're both VMs. Every network system is issued a certificate and each device coming onto the network has to be on the domain with an active AD user logging into it. It needs an up-to-date AMP, which is our Cisco malware and virus scan product and it also needs to have the most current Microsoft security updates and the three layers that we're using: The core VPN, the Network Access Manager and the ISE profiler. When it goes through all those different things on every port on the switch, there are commands for it to be able to go through an ACL so it knows what users are there, what server, and what devices have been put onto the domain. It can verify all that.

The user can then proceed on to the network. We've set it so that regular users are VLAN'd off and can only see the data network through ISE and are blocked from seeing the rest of the network. Depending on the department needs or other factors, we have cameras for security which are on a different VLAN, and they can see those. We also have something for O&M where the AC guy can see the AC equipment, and we can prevent all the VLAN's from being viewed by everybody.

We are customers of Cisco and I'm the infrastructure and Cyber security manager.

The solution cuts down on the repercussions of getting malware or ransomware which happened to us four years ago. We regularly took very aggressive snapshots and we were able to recover in an hour and 20 minutes without any loss of data.

Because we have a large database and 4,000 network devices, the solution can lag a bit when you're running updates or different things because of the fact that it's so big and it is such a resource hog. But the biggest problem we've encountered is that it finds errors or people are rejected or not authenticated without a clear explanation as to why. A second issue is that we're currently on 2.4 and Cisco's gold standard now is 2.7. They are a little slow with that.

I'd really like the solution to dive down a little deeper when something's not profiling. As it stands now, you have to go through and search what hasn't profiled. Microsoft, for example, gives you a direction to look at and will even be specific sometimes and tell you there is a password error, or the password hasn't been updated, or it's not meeting the policy and that's why it won't let it through. Those are very helpful because you know exactly what's required to solve a problem. 

Cisco is getting better with it, but they fail in some areas because of a network connectivity issue, or it's not getting DCAP quick enough and it fails. Those things would be more helpful to understand when it's going through, so you are able to triage it a little better. I mean, it does point you in a direction, but sometimes you have to dig a lot deeper to find the right direction and figure out what kept it from profiling. One big issue we've discovered is that people are not rebooting their machines or powering them off at night. We're trying to ensure that is done by sticking messages on screens.

I've been using this solution for the past two years. 

ISE is pretty stable. If it does have an issue then you need to call TAC and work through the bug in it. They are very responsive and very quick to help us eliminate the issue and also come up with a plan, such as how to move forward with additional issues or different things that are coming down the pipe with Cisco ISE. When you're talking to them, you feel like they are a partner and not just a disconnected entity.

The technical support is excellent, I would rate them very highly.

The initial setup is very complex. You have to go in and manually add in all the network devices, as far as all the switches, access points are concerned. You have to go port by port and add in codes and conditions and you have to go switch by switch and add in codes and conditions. You start out with a monitor mode and then go to an impact mode and then you go towards total lockdown. Implementation took us about 18 months. We rolled it out in short bursts because we have a very small IT team and we had a consultant company come in and work with us on installing it. A lot of it was knowledge transfer from them to us.

Our consultant was Cycorp, their main focus is network security. They are a sister Cisco partner, and we had one of their CCIE's come out and help implement everything. The gentleman at the top of the CCIE, was a former Cisco employee and a beta tester for ISE. Now that we have it in, I feel it's pretty much a game changer on locking down our network so that we're not penetrated from inside or outside because everything going through the VPN has to meet a certain standard.

We did a five year deal and it was very reasonable. I think for the Avast virus scan, I think we were paying $95 a machine for five years, which nobody else could touch. And that includes all updates, technical support, etc. From the ISE side, I'm not really sure what it costs because it was all encompassed in equipment we were buying and the ISE and the AMP and the open DNS. I know that it was not more expensive than any of the things we had looked at with HP or BMC or other places. It was much more cost effective.

We have looked at other products but we are a Cisco shop so having a Cisco product rides very easy on all our switches, our access points, and our Cisco servers. I believe it's the same for other companies such as HP. It's also a priority for them that the solution works better with HP switches. Given that we weren't going to change our switches, we really needed to focus on something that was going to work well with our environment.

The important thing is to have a good game plan going into it. Prep is key for everything going on with ISE. The more stuff you have prepped and the more understanding that you have upfront of how it goes through and how it behaves, the better off you are.

I would rate this solution a nine out of 10. 

We used it mainly for network access control and full stream for devices.

The product is expensive. It would also be a good add-on to have some machine learning.

I have been using Cisco Secure Firewall for one year.

The product is stable.

The solution is scalable.

The initial setup is straightforward.

It's also recommended for clients during deployment. You're making everything very efficiently managed within the policies. The deployment is also very smooth, allowing you to configure your rooms easily. Once the initial setup is done, it becomes straightforward to understand, especially regarding Windows maintenance.

It was deployed to protect the network from unauthorized users but does not contribute directly to operational efficiency.

Cisco ISE doesn't come cheap but it's still valid working.

We recommend it to our customers.

Cisco ISE provides authentication for various applications. It can integrate with other applications to manage access, including Privileged Access Management for those applications. For a comprehensive environment, Cisco ISE should be able to integrate and provide asset management for an IT organization or any organization.

Overall, I rate the solution an eight out of ten.