Cisco Identity Services Engine (ISE) Reviews

We use the solution for network access control.

Cisco ISE is a comprehensive solution that allows you to control access to network resources granularly based on policies.

Cisco ISE is very complex and not very easy to deploy. There are a lot of prerequisites for the tool.

I have been using Cisco ISE (Identity Services Engine) for three years.

We did not face any issues with the solution’s stability.

Cisco ISE is a very scalable solution.

We are working with a partner for support and are very happy with them.

On a scale from one to ten, where one is bad and ten is good, I rate their support a seven or eight out of ten.

Compared to Cisco ISE, Fortinet NAC is more consumer-friendly.

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup a four out of ten.

The project lasted a few months, but the planning took several months. Cisco ISE itself means nothing. It has to have the network set up to ensure the network penetration is in place, and we're still working on that.

Security is about risk control and exposure avoidance. You can only calculate its return on investment based on how you avoid penalty fees. Cisco ISE improves our security stats.

If you consider money only, Cisco ISE is not a cheap solution. Functionality-wise, however, it offers a very good price for the value you receive.

The solution's compliance and policy enforcement capability has benefited our organization by simplifying work.

The solution operates in the background, and users generally don't interact with it. Cisco ISE is the security framework layer between network resources and end users using them. Users do not go into Cisco ISE to do anything.

It's like Active Directory for Identity. If you're an end user, you don't work in Active Directory, but you authenticate Active Directory to use resources on the network. The same applies to Cisco ISE, and users don't interact with it directly. They are affected by it to the extent to which they are accessing network resources.

Cisco ISE has a very comprehensive integration suite and we did not face a lot of challenges in integrating this solution with other security tools. If they know how to use it, I would recommend the solution to other organizations with similar security needs.

Overall, I rate the solution an eight out of ten.

We primarily use the solution for network access control solution and network device access management. The solution comes with features like posturing.

The valuable feature of the solution lies in its integration capabilities with other applications. This facilitates seamless operations like Microsoft migration across networks and call center management. The ability to segregate multiple domain users in the Access Network ensures efficient, logical management.

The tracking mechanism in Cisco ISE is relatively costly, especially its vendor-specific protocol. It would be beneficial if it could support open source or other devices with a similar checking mechanism, but unfortunately, it remains proprietary.

I have been working with the solution for the past five years.

The solution is highly-stable. I rate it a perfect ten.

The solution is scalable. We have three users for the Cisco ISE.

Their customer service and support is excellent.

Positive

The setup is straightforward. Effective planning is crucial for the setup of Cisco ISE. Placement of the virtual solution requires careful consideration of network accessibility from all branches. Different components may need placement in various areas in a large network. So, thoughtful planning for the architecture is important. It takes around two days for the deployment.

Previously, Cisco ISE had a perpetual licensing model, but now they have shifted to a subscription-based licensing system. We now have to pay recurring costs. This change in the pricing model has presented challenges for many customers accustomed to the simplicity of the previous licensing model.

I recommend this solution to all. Overall, I rate it a perfect 10.

At first, Cisco ISE was a replacement for only ACS RADIUS. It was mostly for remote access VPNs and Wi-Fi. That was it, and later, it evolved into a complete ACS replacement, so it's for both TACACS and RADIUS. Nowadays, we also deploy .1X quite a lot. 

It was a driver towards .1X. With the features that were there on the network side and the features that were there with Cisco ISE, it was way easier to go to .1X.

It's the brain of many things. It's the brain for VPNs. In Cisco ISE, we control where the users are allowed to go. Customers are able to do that by themselves. It's the same for .1X. It's the heart of security.

Cisco ISE improved our cybersecurity resilience. It enabled features that were not present or possible before.

For customers, it's great. It has a GUI, so the customers themselves can edit ACLs or even modify the policies. It's also an all-in-one solution with RADIUS and TACACS.

I'm frustrated by the resource consumption and how many resources it needs to run. It takes a lot of RAM. It takes a lot of space and a lot of IO power. It's frustrating to do upgrades because it takes a long time. Things are at a much smaller scale where we are than in the US. We even have smaller virtualization farms, so it takes a considerable amount of power and resources.

We've been using this solution since its initial release. It was probably version 1.1 or 1.2.

I don't remember opening a case for Cisco ISE except for the licensing problems, but several years ago, it took some time for people to get to the right way to solve the problem. I am not sure whether it was my inability to clarify the situation or whether it was a matter of poor training, but it was sometimes very painful.

I've been working with this product for a while. It doesn't seem difficult. However, in terms of resources, it takes a while to get it running. I don't think it's necessary to be so resource-consuming and slow. That makes it complicated. 

Pricing is where things got a bit more complicated. Previously, it was a one-time purchase and we just had to renew support. These days, there's a subscription model, which is supposed to be easier and cheaper as well, but it's more pricey. Customers are aware of that, and many vendors are going the same way. They are trying to go along with the new model.

We did consider other products, but it didn't make sense to go for any competing vendor because of the integration with other Cisco products. AnyConnect is the best VPN product I am aware of, and that's usually why we stick with Cisco.

We also sell HPE products. We've deployed some HPE RADIUS solutions, but we prefer Cisco these days.

To someone researching this solution who wants to improve the cybersecurity in their organization, I would tell them to first think about what they are trying to achieve and then think about Cisco ISE as a tool. It isn't a turnkey solution.

It hasn't saved our IT staff's time. It was something that wasn't present before. It's an evolution that is necessary, but I wouldn't say it saves time.

It did help us consolidate any tools or applications. It was either a replacement of some legacy products or it was an improvement where it introduced new features that were not present before, but it didn't help get rid of some of the other products. It was a new thing to place into the network.

Overall, I'd rate Cisco ISE a six out of ten.

We are using it mainly for .1X authentication, and we also authenticate our VPN users, and we are doing some light profiling and posture.

We're trying to solve the problem where different users have different privileges in the network. And also we're trying to block some access from our least privileged users. Those are the main use cases for us.

We have on-prem virtual appliances and a distributed model.

It has improved our organization very much because we're now adopting the SGTs, Security Group Tags, and we're leveraging security based on those tags on our core systems and integrating with other SG firewalls.

We have a pretty distributed network and we have only one ISE deployment and it's been really good so far for managing all of those sites.

The most valuable thing in ISE is the adoption of EAP deep that came in [version] 2.7, so we can do authentication based on user and machine certificates in one authentication.

[Regarding establishing trust for every access request] it's been pretty good so far. We've been authenticating all of our users, no matter where they're coming from. If it's from our VPNs, or if it's wireless access, we are all Cisco, so the integrations are pretty good. It's very important [that the solution considers all resources to be external]. Right now, with the challenges that the multi-cloud environment poses, you have to have a solution like this.

[When it comes to securing access to your applications we are] not [using it] so much. I'll have another session with a TAC engineer on Friday, and I will have to discuss some basic concepts of securing the application with ISE. I find it very challenging to do some micro segmentation with it. I'm staying on top of it and doing it macro, but I want to go micro, and it's something I need to discuss more with an engineer.

Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them. This is a problem in ISE. This could be much simpler.

I wasn't involved in the process of choosing this particular technology. The colleagues that made the decision made it seven or eight years ago. They were using ISE for a long time. I've been in the company for four years now so I came into an already deployed solution. But it wasn't so good, so we had to migrate from physical appliances to virtual ones because they were end-of-life and end-of-support.

Sometimes, they push an update that breaks the whole deployment. It happened to me with update two. It was my fault. I updated right after it came out, and I won't ever do that again. I will wait at least a month or two or three, because the update was taken down a week later.

I was lucky enough because I had updated from update one to update two. So it didn't really break the whole deployment, just parts of it. But they fixed it in a week with update three, so I was able to put it back together. Roll back is also always an option.

Scalability is really good. The number of possible nodes in deployment is high. I don't know the exact number, but it's really high. Scalability is not a problem.

I have had some problems lately with the TAC engineers being unable to investigate the logs that I gave [them]. They always ask for more, but there is not much you can do on ISE. When you give out all the debugs from the nodes, then there is nothing else to do.

It's been a bit of a ping pong with the TAC engineers. Sometimes I have four to five TAC cases open, specifically on ISE. Most of the problems I have are with the integrations of other companies' firewalls. 

This year I would give them a six [out of 10]. Before, I would say eight.

Neutral

I have had to find my own way to do the new deployment. It wasn't that there was some documentation about how to migrate. There is none of this stuff on Cisco's site. You have to search Reddit and multiple forums to assess what you can do with the deployment. I basically built it from scratch.

We are more secure thanks to ISE. That's always a return on investment.

[When it comes to eliminating trust from our organization's network architecture] I'd say, no, ISE hasn't done that. It's been a challenge to implement this. We're trying to bridge the gap between the security guys and network guys. They're not the same teams. Sometimes the security guys also do networking, but it can be hard to cooperate on projects like this. This is a big project. ISE is a pretty big solution and security guys are sometimes lost in what's going on in the network, like equipment where you have to configure things.

It's pretty much the most resilient solution as of now.

I like this solution a lot. I would say it's a nine out of 10.

We use it for our AAA authentication through Active Directory. We also use it a lot to verify command line history.

We have ISE in the data center environment with redundancy, and we use it for authentication for all our devices. We have access to our third-party vendors, and for the new projects, we all use ISE. It's an awesome enterprise product for on-premises or for cloud-based deployments.

The integration of ISE with Active Directory has really been a big plus for us.

I've found two features to be the most valuable. One would be AAA reporting for historical analysis, showing what's been done and by whom. The second is the log for failures on Active Directory logins.

If I were to assess Cisco ISE for establishing trust for every access request, I would give it an eight or nine on a scale from one to ten.

Cybersecurity resilience has been very important to our organization and has been a big factor. We've had issues in the past, but one of the things I like about ISE is its logging features. Security-wise or information-wise, it really has been a powerful tool.

My impression of Cisco ISE for helping to support an organization across a distributed network is that it's invaluable. It's a monster tool; we don't even touch on all the features that it offers, but the few that we do use are extremely strong and very user-friendly.

On the network services devices, when you click on filter, the filter comes up. However, when I search and want to click on something it defaults back to the main page. I keep having an issue with that, and I'm not doing anything wrong.

I've been using Cisco ISE (Identity Services Engine) for about six to seven years.

I've had no issues with stability.

We've actually scaled before and have never had an issue.

I've used technical support only once and would give them an eight out of ten.

Positive

We previously used ACS.

The return on investment we have seen is related to time in terms of troubleshooting. The logs, such as the security logs, inform us of the issues that people have had. ISE has been very instrumental in helping isolate those issues. We've seen a lot of cost savings because we don't have to pay an IT person to waste time doing something that should be instantaneous.

If you are a leader who wants to build more resilience within your organization, I would advise you to follow what they're doing at ISE.

If you're evaluating Cisco ISE, do an apples-to-apples comparison. There are a lot of features, and ISE is a monster. If you use it the right way, I think that no other product will compare to it.

We have been authenticating our company's employees and certifying that they are in compliance. We have to certify our employees in regards to compliance, having all the necessary protections in our infrastructure for their endpoints, notebooks, laptops, and mobile phones.

We have implemented it across the entire company in every area and department at every single level of our organization.

So far, it has been on-premises. We are still working to expand it to integrate with multiple cloud providers, like AWS.

We have become more reliable because we do not have any vulnerabilities coming into our network, which is important since a lot of employees are using their own endpoints to connect to our infrastructure.

Every other time that we have a new employee, we need to make sure they have been using the latest version of the solution in order to connect to our infrastructure.

We have made our company more secure. As an IT guy, I have gained more importance to my company.

It is more about the features related to Apex. This is part of the solution where we can deep dive into each employees' usage according to our infrastructure needs.

There are a lot of integrations available with multiple vendors. This has made the solution easier to work with.

We use the management platform, which makes it easy for our IT to access and manage. 

We have been working with it for about 10 years.

If you have someone taking care of it, it can be quite easy to manage the solution. Otherwise, if you don't look after it and take care of it day-to-day, then it will become more complex to run. However, if you have someone taking care of it, maintenance is not that difficult.

The scalability is good and quite easy to do. If you have the licenses, then anything is possible.

We worked with customers. The last one that we worked with had 10,000 licenses, i.e., 10,000 endpoints. We started working with the corporate office, then we replicate to the distribution centers.

As an IT integrator, it is quite easy to work with their technical support. We have the correct people to deploy it as well as receive good support from the Cisco Technical Assistance Center. I would rate the support as 10 out of 10.

Positive

We have been using ISE for a while. We didn't have another solution beforehand.

We had to do some labs beforehand, in order not to breach the environment. The deployment was not too complex.

When we work with customers, it takes four or five hours. We start with a specific environment, then we replicate to other areas.

We are a reseller. My professional services implemented it, which includes a tech lead, engineer, senior engineer, and project manager to work with the solution.

It is an easy solution to implement with the correct partner.

It is difficult to measure security breaches, but since we have not been attacked so far, it has paid for itself over the years.

We worked with Fortinet to look at their solution, but ISE was more reliable and had more integration with our product vendors. Also, it had a more affordable cost.

When compared with other vendors, like Forescout, for what we need, ISE has been more usable and accessible.

Learn about the solution, then evaluate what devices it would be implemented with. I would amalgamate the devices and their versions with a systems integrator or partner who already has experience and will try only to replicate it, not to reinvent the wheel.

Part of our journey is getting everybody connected to the infrastructure and trying to avoid any breaches. We don't want to be vulnerable.

I would rate the solution as 10 out of 10.

We use it for the identification of our devices, users, and wireless users.

Unauthenticated devices are not allowed on our network and that has been an improvement for our company. With Cisco ISE, we control the certificates of each device so that devices have internet access. The solution has eliminated trust from our network architecture.

The access policies, and all of the policies in Cisco ISE, are important to us.

The user interface could be more user-friendly.

I have been using Cisco ISE (Identity Services Engine) for about six years.

The stability has been perfect. Our company has been using it for more than 10 years and it's stable. It's really good.

The scalability is also good.

The customer service has been perfect.

Positive

We did not have a previous solution.

The pricing is fair. We have a base license and an OpEx license.

We looked at other solutions, but that was a long time ago.

I would recommend ISE to colleagues. We are happy with it and we want to use it in the cloud, next. Our on-prem devices go end-of-support in 2023 and we will try to use it on the cloud.

We use it for identity services, profiling, and locking down devices.

We're an airport, so when anybody plugs in a device, it's obviously a really big security point for us.

We have a lot of different devices that get plugged in and we really don't have the manpower to address each one individually, as far as our network goes. Cisco ISE has really cut down a lot on the size of our ticket queues and the manpower. My boss is extremely happy about that.

The solution has also eliminated trust from our organization's network architecture and that has actually been positive because we have to meet PCI compliance. It is very important for us to be able to take cards. It has also helped to improve our pen-testing scores at the end of the year.

Resilience, in cyber security, is at the top of the list. It's one of the most valuable aspects and has been extremely important for us. Before, we had mid-range scores, but over the last couple of years, between implementing ISE and a few other technologies and SIEMs, we've gotten into the 90th percentile with our pen-testing scores. We were sitting at about 75 to 80, so this is a pretty huge jump for us.

Profiling is one of the most valuable features. We have a lot of different devices between cameras, access points, and laptops that get plugged in.

Establishing trust for every access request, no matter where it comes from, is extremely important for us, especially because we are an airport entity. We do have port security implemented throughout our airport, but on the more sensitive side of things, it's a little bit more hardcore regarding what we need to allow, per security zone.

There are always some things that I would request.

I first started using Cisco ISE (Identity Services Engine) in about 2015, but we recently just spun it up here at my current job.

The stability of the solution is a 10 out of 10.

The scalability is also a 10 out of 10.

For this particular solution, the technical support has been pretty good.

Positive

I've worked with ISE before, and it was actually my suggestion that we buy the license for it.

The initial deployment was pretty straightforward only because I had done it before. I worked on it with a colleague and taught him everything about it, just in case I was incapacitated.

From the start, including getting to an agreement, budgeting, and scheduling, the deployment took about three months.

In terms of an implementation strategy, once we got the licensing, we just stood the nodes up. Then we did the features one-by-one, with proper RFCs done, just to see, in a break-fix manner, if each thing we implemented would break something.

We used a consultant. The deployment required two people on our side. I was in charge of the initial rollout and implementation, and I'm in charge of managing it. However, if I'm not there, we have another network guy who does the day-to-day tasks and checks the logs to see if he needs to approve anything.

We have definitely seen return on investment. We have so many different security solutions in place, and ISE just works really seamlessly with them. I get to keep my job, so that's a pretty ROI from my point of view.

The pricing is fair for what it does. The only time I've really not been too crazy about the price is for Cisco Prime, which is a management solution for Cisco products.

We implemented a request for purchase and talked to a few different companies. One of the companies was Presidio. There was another company close by called Net Solutions. Three out of the five companies that we talked to were outsourcing the work to pretty much just bring in an ISE solution, so we just decided to do it in-house.

If you are on the fence about it, and you don't have someone on your team who has worked with the product before, definitely reach out to a company or a certified Cisco entity to help with the rollout. It's pretty painful if you don't know what you're doing.

Resilience is never a bad idea and it's never too late to start working towards it or to begin the journey to Zero Trust. It's very important in this day and age. 

I'm the only cyber security administrator that we have currently, so if we hadn't gotten this solution in place, I highly doubt that I would have been able to make it here to Cisco Live 2021, so it's excellent.

From 2015, when I first started using it, until now, there's not really a lot that I would ask be changed. They've been hard at it ever since I first started using it.

It's been incredible ever since we got it in place.