Cisco Identity Services Engine (ISE) Reviews

We used it mainly for network access control and full stream for devices.

The product is expensive. It would also be a good add-on to have some machine learning.

I have been using Cisco Secure Firewall for one year.

The product is stable.

The solution is scalable.

The initial setup is straightforward.

It's also recommended for clients during deployment. You're making everything very efficiently managed within the policies. The deployment is also very smooth, allowing you to configure your rooms easily. Once the initial setup is done, it becomes straightforward to understand, especially regarding Windows maintenance.

It was deployed to protect the network from unauthorized users but does not contribute directly to operational efficiency.

Cisco ISE doesn't come cheap but it's still valid working.

We recommend it to our customers.

Cisco ISE provides authentication for various applications. It can integrate with other applications to manage access, including Privileged Access Management for those applications. For a comprehensive environment, Cisco ISE should be able to integrate and provide asset management for an IT organization or any organization.

Overall, I rate the solution an eight out of ten.

We use the solution for RADIUS authentication, device authentication, and TACACS. We also use it for Wi-Fi and guest portals.

I like the logging feature. I like that I can look at the logs for authentication issues.

I don't like the fact that we can see the logs only for 24 hours. Maybe that happens because of the way we set it up.

I have been using the solution for six years.

The stability solution is really good. Once we get it up and running, it's great. We have to do a major upgrade, and I'm not as thrilled with the upgrades as I am with just a day-to-day job integration. Upgrades aren't my favorite thing.

The product’s scalability is great. We do not have any issues. We could scale it up without any problems.

Sometimes support is better than others. It depends on who you get. Some guys are really sharp, and for some guys, it takes a little bit longer to get the thing escalated.

Neutral

We used Secure ACS, which was a Cisco tool. Cisco discontinued support for it, so we switched to Cisco Identity Services Engine.

The product runs. It does what it needs to do, and we don't have to touch it most of the time. From that standpoint, we have an ROI.

The product didn't really have a whole lot of competitors at the time. Aruba ClearPass was probably the only other competitor. We were getting rid of Aruba from our wireless. Identity Services Engine was just farther ahead than ClearPass at that time.

We have a lot of things we use for detecting threats. We use the product more for authentication issues and stuff like that. We don't use it to identify threats per se. We have other tools.

The solution helps free up our IT staff. There are only a couple of us who are Cisco Identity Services Engine administrators. In that way, other people can do other things. Once we set up the solution, there's really not a whole lot of maintenance to it. I don't know how many hours it saves. It just works, and we don't have to touch it most of the time. It does its job.

We were using Cisco ACS before using the product. We changed tools and upgraded. The tool helps us improve cybersecurity resilience. We use it for RADIUS and to validate users. There are a lot of tools that we use. Cisco Identity Services Engine is a good tool. It does 802.1X and RADIUS very well. Cisco shop is the way to go.

Overall, I rate the solution a nine out of ten.

We use the solution for network access control.

Cisco ISE is a comprehensive solution that allows you to control access to network resources granularly based on policies.

Cisco ISE is very complex and not very easy to deploy. There are a lot of prerequisites for the tool.

I have been using Cisco ISE (Identity Services Engine) for three years.

We did not face any issues with the solution’s stability.

Cisco ISE is a very scalable solution.

We are working with a partner for support and are very happy with them.

On a scale from one to ten, where one is bad and ten is good, I rate their support a seven or eight out of ten.

Compared to Cisco ISE, Fortinet NAC is more consumer-friendly.

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup a four out of ten.

The project lasted a few months, but the planning took several months. Cisco ISE itself means nothing. It has to have the network set up to ensure the network penetration is in place, and we're still working on that.

Security is about risk control and exposure avoidance. You can only calculate its return on investment based on how you avoid penalty fees. Cisco ISE improves our security stats.

If you consider money only, Cisco ISE is not a cheap solution. Functionality-wise, however, it offers a very good price for the value you receive.

The solution's compliance and policy enforcement capability has benefited our organization by simplifying work.

The solution operates in the background, and users generally don't interact with it. Cisco ISE is the security framework layer between network resources and end users using them. Users do not go into Cisco ISE to do anything.

It's like Active Directory for Identity. If you're an end user, you don't work in Active Directory, but you authenticate Active Directory to use resources on the network. The same applies to Cisco ISE, and users don't interact with it directly. They are affected by it to the extent to which they are accessing network resources.

Cisco ISE has a very comprehensive integration suite and we did not face a lot of challenges in integrating this solution with other security tools. If they know how to use it, I would recommend the solution to other organizations with similar security needs.

Overall, I rate the solution an eight out of ten.

Right now we use Wireless.1X and TACACS for device management. It's in our wired network too, but only use it for MAC address bypass.

It has helped to consolidate tools and applications. Previously, we had Windows NPS in some places and then Cisco ACS in other places. Now, Cisco ISE is all I use. This consolidation hasn't had a whole lot of impact on our organization. It wasn't that big of a deal to begin with.

It works as a good RADIUS server. It has lots of features. It works with all the proprietary Cisco AB pairs and features.

It could be less monolithic. It's one huge application, and it does everything under the sun, so it's hard to deal with and upgrade and manage.

I've been using Cisco ISE for three or four years.

Overall, it's pretty stable.

It seems to be pretty good for what we're doing with it.

Cisco TAC support is hit or miss. It depends on who you got. I'd rate them a six out of ten.

Neutral

We didn't have any network access control. For the wireless, we had ACS, and some places used NPS from Windows.

We chose Cisco ISE because we have a Cisco network. It seemed like the obvious choice.

The initial setup was pretty easy, but trying to get all the switches to talk to ISE was pretty complex. It required a lot of configuration and learning, and we found a lot of bugs and issues along the way.

Initially, we took the help of Presidio. They were good. They knew a lot about it and helped us a lot. 

In terms of detection and remediation of threats, it wouldn't detect anything. If we integrated it with other products, it could cut certain clients off from the network, but we haven't gotten that far yet.

It hasn't helped to free up our IT staff. It has probably consumed more time.

I don't have a lot of familiarity with other products, so I'd rate it a six out of ten.

We use it for NAC and wireless, and for our TrustSec policy. These are the three primary use cases we have so far.

It's a network access control solution for us. Previous to Cisco ISE, we didn't have one, so, from a security standpoint, it increased our security visibly.

It has enhanced our security. We have a solution now that can protect us at the access layer, which we didn't have before.

It has helped to consolidate any tools or applications. We only have to use one product for RADIUS, TACACS, and authentication servers. NAC and other things are consolidated into one system, which is nice.

It has helped our organization improve its cybersecurity resilience. The security at the access layer through NAC has been nice, and then the ability to enforce policies dynamically using profiling and NAC and TrustSec is good.

With NAC, the profiling feature is valuable. We're able to see what we have out there in the network and dynamically assign policies to it. We can then use that to enforce TrustSec policy or anything else with NAC. 

There should be more visibility into TrustSec policy actions. When TrustSec blocks something or makes any kind of changes to the network, we don't always see that. We have to log into the switch itself, or we have to get some type of Syslog parsing to do that. Cisco DNA Center may do it, but it would be better if that was integrated into Cisco ISE.

In terms of securing our infrastructure from end to end so we can detect and remediate threats, it's a little bit difficult in terms of visibility, but, generally, we would just go through the logs and see if there's a problem or not.

I've been working in this organization for three to four years, and they have been using it prior to my joining. 

It's very stable for us.

It isn't something we have had to deal with.

They're pretty good. Compared to others, Cisco is probably above average. With Cisco TAC, usually, if the first level doesn't resolve it, you can get up to a higher level within a day or two, which is better than a lot of other vendors we've been working with lately, such as Palo Alto. Cisco tech support is doing pretty well. I'd rate them a seven out of ten. Being able to access higher-level engineers and escalate things more quickly is always going to improve any case.

Neutral

Before Cisco ISE, we didn't have a similar solution.

It was implemented before I joined, but it was probably phased. It was first for wireless and then became more of a NAC thing. It was a long process. It was somewhat difficult just because of how much was required of it. I don't think it was particularly painful.

We get a return on investment from it. It's a solution that's often required for IT insurance, etc. It's definitely needed but do we need to have one from Cisco? I don't know, but there's definitely an ROI there.

To someone researching this solution who wants to improve cybersecurity in their organization, I'd say that make sure you know what you're getting into. Understand and have a good plan going into it and have operational support for not just networking, but also help desk and other IT teams before deploying this solution.

I don't know if Cisco ISE has saved us any time because it's an enhancement to our security that we didn't have before. It probably takes a little more time than not having it. Having no security is super easy because you don't have to worry about anything, but if you have any security product, you have to do work to support that.

Overall, I'd rate Cisco ISE an eight out of ten.

The ISE product is used to make sure that folks can get access to the application servers that they need to get access to, let's say for accounting and another group like sales and marketing, they would have no business accessing each other's servers, those apps. So you would set up a policy that allows accounting to do what they have to do whether they're remote or on campus and then the sales and marketing folks could never access that. They are totally blocked. It's a virtual firewall, basically.

The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique back addresses. It would say that this in my profile so I could get to those apps with either device, 24/seven. That's how granular the ISE or these NAC Solutions can get. That you have to have that same device.

They can get into the antivirus. They will check the antivirus to see if it's the most current version and if it's not, if that's your policy, it will let you go through and access the app if the antivirus has been updated. But if the policy was that it has to be the most current version, then it can block you until you upgrade the antivirus.

As far as what could be improved, to continually be thinking about ransomware, cyber attacks, and all those kinds of things. They always have to be innovating. Always have to be improving. I can't give you anything specific because these cyber guys are always coming up with new ways to get in. You just really have to be aware of what's going on.

In the next release, I would want to see this kind of solution in the cloud as opposed to on prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud based software subscriptions.

In terms of stability, they are rock solid. If you set the policy and you implement it, it's not going to break.

They scale. You just have to buy licenses. Whether you're talking about 5,000 users or more, it's just a licensing model.

What I saw most customers trying to do was to outsource it to the partner. A value added reseller would have to do that. They typically haven't been trained. They have to go to school, get certifications and that kind of stuff. That's always a requirement, but most people weren't going to tackle that themselves. They're going to farm it out to somebody who has done it before, who has the expertise to do it.

I do anticipate increased usage. Pick a vendor, like Cisco and Aruba, because for all the threats that are out there, they are always going to have some kind of a NAC strategy. You have to. You really have to. The days of the firewall or perimeter security are over. There are just too many possible ways people can come into your network - disgruntled employees, someone that got paid off, you never know. This is always going to be here.

They're very good. All of them are very good.

It has been pretty much Cisco from the beginning. With another VAR recently, we were pitching the Aruba ClearPass. And actually the ClearPass will run on top of a Cisco infrastructure, which is kind of cool. That's unique, but the ISE doesn't go that way. You won't run ISE on top of an Aruba infrastructure, but Aruba built that solution from day one to be compatible with Cisco switches and routers and wireless stuff. I thought that was pretty compelling.

Cisco has their ISE, their Identity Services Engine. The other one that I would tell a customer to look at would be the Aruba ClearPass. I don't know enough about the Juniper Solution to make any comment about that. But those are the two that I think about the most for identity solutions.

The first part is to figure out what you want, what the customer wants to protect, who needs to be protected, and to gather all the data you can on users, contact information, the devices they use, the Mac addresses of the devices, what time of day, what apps... I mean you really have to dig into all that. It's not easy. It's hard. The bigger the customer, the more complex it is going to be. But if you don't do that, the deployment is not going to go well. Really consulting on the front end has to occur.

On the consulting part, it depends on how big the customer is, how many you're talking about - 5,000 users or 50 users. That drives the answer. I would say if you don't take 30 days to scope it correctly and document, if you do something less than that, the execution deployment is going to go sideways and that can be months. Those things are months. Those could be six months or so. You've got to pick a pilot case. You build a template, you do a small group, and then you see how the reactions are, see if the users accept that policy, make sure it's right. I would do it group by group. Accounting first, or IT first. And then you do the sales and marketing and HR and all those kinds of things.

In terms of ROI, the only thing that comes to mind is if you look at whatever the current market data says for a breach cost if you have ransomware attack or something, if you choose to rebuild your network, as opposed to paying the ransom, what does that cost? Is that $100,000 a day? Is that a million dollars a day? So whatever that cost is, go look at the cost of the NAC licensing, ISE or ClearPass. And that answers the question for you. If you can block the threats on the front end, you can avoid the whole ransomware conversation.

I have not looked at the pricing in a while. I don't really know. These companies are putting together enterprise license agreements, like a site license, and they'll do multiyear and they'll make them pretty aggressive. If you are buying three security packages from them, for example, they'll give you a significant discount. If you're at two, when you look at the cost to go to a third one, they'll just do it because it discounts the whole package altogether.

As for extra fees and costs, it is just a subscription model, pretty predictable.

I can tell you, even as a Cisco person, ISE was considered very complex and difficult to deploy. That was coming from both the customers and the partners that had to deploy it. It can be very complex and you really have to know what you're doing. The thing that we always stress with customers is to go through and build a policy first. Decide what you want to block, and who is going to have access to what, and do some due diligence on the front end because once the policy is created, then you can deploy what we have all agreed to. As opposed to just trying to wing it and figure as you go - that is not a good play. That was always the comment from the Cisco customers.

My advice to prospective users it to find a consultant or a VAR that has done it before. I think that is key. And then talk to a customer that they did it for.

On a scale of one to ten, I would rate Cisco ISE a seven. That is because it is so complex. I mean, it's not a trivial task.

The .1x authentication schema is the most valuable aspect of the solution. It makes it possible to have multiple policies and it can still adapt to us. We can authenticate and calculate our trajectory and so on. The policy is very easy to put in place. It's got to be easy due to the fact that we have more than 200,000 devices.

The implementation is very simple.

The web interface needs improvement. The new web interface that they have is not as easy to manage and we find it to be very slow.

The solution might require two authentications. They should make a new authentication to authenticate both the device and the users. Right now, we are authenticating the PC, the workstation, but not as a user. A good addition would be to authenticate the user separately to get more information.

I've been using the solution for five years.

The solution is stable. I haven't witnessed bugs or glitches. It doesn't freeze or crash. It's reliable.

The solution is quite scalable.

We started with two clients and we've since scaled up to 20 clients.

Cisco ISE was the first full solution we've used.

The initial setup wasn't complex for us. We found the process of implementing the solution very straightforward.

For our organization, in terms of deployment, the first implementation took one month, and for the global implementation took six months.

For maintenance, a company needs one or two people to handle it, one of which should be full-time.

The pricing is okay. It's reasonable for functionality, however, if you're going to implement it as a full-stack with Cisco Connect, and a work station, and so on, it's very high.

I'd advise other companies to really take care in regards to the network devices that they want to authenticate. 

For most of the cases, the biggest rooms are the easiest to manage, however, the smallest ones require specific implementation in all devices. It is very tricky due to the fact that you are obliged to put in place the rules that are not so secure and that's why it's very important to know what devices are connected on the network.

I'd rate the solution eight out of ten.

We use it to secure our networks. We can secure our switches and wireless networks, basically everything.

We use it primarily for wireless security, but it can be used for many other things as well, like LAN and WAN security.

There is room for improvement in CLI. Most things are done through the GUI, and there aren't many commands or troubleshooting options available compared to other Cisco products like switches and routers. We have more visibility on the CLI for those devices, but the GUI seems limited. Moreover, sometimes, GUI seems very pathetic. 

I have experience working with this solution. I have been using it for four to five years. We still use the old version, but we plan to migrate to the new version soon because they recently changed their licensing model.

The product is stable. We don't face many challenges. It's stable, so  I would rate it around a nine out of ten.

The product is scalable. I would rate the scalability a ten out of ten. We have medium-sized businesses as our clients. 

There was some delay.

Positive

Setup wasn't difficult because we already had a solution in place. It was very easy to install.

The deployment definitely took weeks.

I would rate the pricing an eight out of ten, one being cheap and ten being expensive.

Overall, I would rate the solution a nine out of ten.