Cisco Identity Services Engine (ISE) Reviews

We use it for the identification of our devices, users, and wireless users.

Unauthenticated devices are not allowed on our network and that has been an improvement for our company. With Cisco ISE, we control the certificates of each device so that devices have internet access. The solution has eliminated trust from our network architecture.

The access policies, and all of the policies in Cisco ISE, are important to us.

The user interface could be more user-friendly.

I have been using Cisco ISE (Identity Services Engine) for about six years.

The stability has been perfect. Our company has been using it for more than 10 years and it's stable. It's really good.

The scalability is also good.

The customer service has been perfect.

We did not have a previous solution.

The pricing is fair. We have a base license and an OpEx license.

We looked at other solutions, but that was a long time ago.

I would recommend ISE to colleagues. We are happy with it and we want to use it in the cloud, next. Our on-prem devices go end-of-support in 2023 and we will try to use it on the cloud.

We use it for MAC Authentication Bypass, 802.1X authentication, and certification and validation against Active Directory. Because MAC devices can't be enrolled in the domain, we were doing a manual installation of certificates.

We are a very secure enterprise now because only our corporate endpoints can be authenticated on our wireless. Before, any device could be connected to our production network. And the corporate endpoints have antivirus and anti-malware. Things are more and more secure.

Authentication is the most valuable feature because it puts our company at another level of security. It establishes trust for every access because we use only corporate endpoints. If somebody has another device, they can't connect it to the enterprise network because we haven't implemented bring-your-own-device yet. We have five warehouse buildings and all our operations are around logistics and that means external people don't come to our buildings.

I have been using Cisco ISE (Identity Services Engine) for three years.

It's very stable.

It's expensive to scale Cisco ISE, but our situation is stable so we don't need to scale it for now. In the future, we will need a more scalable solution.

It is used for all our departments, all end-users, all corporate endpoints. And when we use MAC Authentication Bypass, we include printers and VIP cell phones.

Tech support is very good.

Positive

We didn't have a previous solution.

The deployment was a little complex, but not because of the solution. It was more an issue for our people because it was a mindset change.

It took us about six months to deploy. Because we didn't have a previous solution, we just deployed it one department at a time across our four departments.

We used an integrator, ITS Infocom. Experience-wise, it was very good. On our side, we had three people involved. 

Since implementing Cisco ISE, we haven't had any attacks against our application.

Pricing is not a problem for Cisco because it has a lot of features and not much competition, although it's more expensive than other products. But if I do a cost-benefit analysis, Cisco provides high quality.

We looked at Aruba. Cisco ISE is much better.

Be patient with the implementation. It can be very difficult for the clients, the people using it, because it requires a change of mindset.

We're using version 3.1, which is very stable. There have been a lot of improvements.

I like the automation of the collection of information.

We have only been deploying this version for three months. We haven’t had any issues, but we'll see how it goes. One of the issues that we used to have was with profiling because we're working with a service provider that uses a lot of bring your own devices. We haven't had any issues since we started using version 3.1.

I have been using this solution for over 12 years.

There are no stability issues with version 3.1.

It's stable. We deployed with a client in petroleum with about 200 users worldwide, and it was stable.

Setup wasn't easy, especially if you haven’t worked with it intensively. VM is a little bit easier. If you don't deploy ISE with correct policies, it will be difficult.

If you deploy it with the correct policies, it's a wonderful product. You don't need to attach anything like your firewalls or creating rules.

ISE has always been expensive compared to other products in terms of what it does on a user level. I haven't had a client who didn't say that ISE wasn't expensive. I’ve had an issue where I was just selling four boxes, and it was four million. It was a high-end box, and the client didn't take it. They end up going with VM.

I would rate this solution 9 out of 10.

It's one of the more difficult products to deploy.

You can learn a lot about ISE from their training videos. I would suggest watching the videos before deploying the solution. They have created good videos for ISE, from version 1.3.

We use Cisco ISE to set different policies for various profiles. For example, someone on their own device has a different set of policies and postures than a person on a company machine. 

Currently, we are using Cisco's dictionary for both device and user authentication. When I say "device authentication," I mean we authenticate users who access network devices. 

We consider the running policy when users want to access a data center server. The user is forwarded to the ISE servers to be authenticated, and they're given a password defined on the ISE for them according to the policy.

We have two virtual servers with different rules. For example, one is used to authenticate and audit, and the other to authorize and authenticate. And since most of our centers don't support full ISE integration, we use only some features. That means not all our users are not authenticated via the ISE.

It's easy to change and add policies.

Some of ISE's features need to be more agile. For example, we couldn't integrate our data because Cisco needs your data to be in its own format.

We implemented Cisco ISE about a year ago.

We have capacity limitations with retail, and we aren't integrating ISE for all the users. We have about 2,000 end-users that need to be integrated, and we added the entire thing to about 1,000 devices.

I rate Cisco support eight out of 10. We initially had difficulty integrating ISE with another solution we use from Huawei. We deleted the existing profiles defined on ISE and lost our definitions and profile features that were there before. We ordered the platform through these resellers, but they haven't been helpful, so we get more support from Cisco. They are very good.

Positive

Setting up this solution wasn't that difficult for me because I was involved with all of these projects. We implemented everything last year and deployed a portion of the modules integrated into our environment. It wasn't that difficult to install and apply to get these permissions.

A contractor came to help us deploy everything as part of the bank's data center solution. Since then, I have installed one of the components that we deployed at the time. It was a local tech company that got the platform given to them. That's how they got everything implemented with it together.

The return on investment depends on how you utilize the solution. We haven't utilized it well thus far, so I would rate it four or six out of 10.

There is a limit on the number of nodules supported. The number of users per license is limited to around 2,000, so the license price should be adjusted to take these limitations into account or we should be allowed to add more users to the same devices.

We use ISE because most of our networking devices are from Cisco, including the VIRL lab. I have to compare other vendors, but I don't think the cost difference is so much that I would switch solutions. 

I rate Cisco ISE eight out of 10. It works fine in our experience. 

The ISE product is used to make sure that folks can get access to the application servers that they need to get access to, let's say for accounting and another group like sales and marketing, they would have no business accessing each other's servers, those apps. So you would set up a policy that allows accounting to do what they have to do whether they're remote or on campus and then the sales and marketing folks could never access that. They are totally blocked. It's a virtual firewall, basically.

The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique back addresses. It would say that this in my profile so I could get to those apps with either device, 24/seven. That's how granular the ISE or these NAC Solutions can get. That you have to have that same device.

They can get into the antivirus. They will check the antivirus to see if it's the most current version and if it's not, if that's your policy, it will let you go through and access the app if the antivirus has been updated. But if the policy was that it has to be the most current version, then it can block you until you upgrade the antivirus.

As far as what could be improved, to continually be thinking about ransomware, cyber attacks, and all those kinds of things. They always have to be innovating. Always have to be improving. I can't give you anything specific because these cyber guys are always coming up with new ways to get in. You just really have to be aware of what's going on.

In the next release, I would want to see this kind of solution in the cloud as opposed to on prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud based software subscriptions.

In terms of stability, they are rock solid. If you set the policy and you implement it, it's not going to break.

They scale. You just have to buy licenses. Whether you're talking about 5,000 users or more, it's just a licensing model.

What I saw most customers trying to do was to outsource it to the partner. A value added reseller would have to do that. They typically haven't been trained. They have to go to school, get certifications and that kind of stuff. That's always a requirement, but most people weren't going to tackle that themselves. They're going to farm it out to somebody who has done it before, who has the expertise to do it.

I do anticipate increased usage. Pick a vendor, like Cisco and Aruba, because for all the threats that are out there, they are always going to have some kind of a NAC strategy. You have to. You really have to. The days of the firewall or perimeter security are over. There are just too many possible ways people can come into your network - disgruntled employees, someone that got paid off, you never know. This is always going to be here.

They're very good. All of them are very good.

It has been pretty much Cisco from the beginning. With another VAR recently, we were pitching the Aruba ClearPass. And actually the ClearPass will run on top of a Cisco infrastructure, which is kind of cool. That's unique, but the ISE doesn't go that way. You won't run ISE on top of an Aruba infrastructure, but Aruba built that solution from day one to be compatible with Cisco switches and routers and wireless stuff. I thought that was pretty compelling.

Cisco has their ISE, their Identity Services Engine. The other one that I would tell a customer to look at would be the Aruba ClearPass. I don't know enough about the Juniper Solution to make any comment about that. But those are the two that I think about the most for identity solutions.

The first part is to figure out what you want, what the customer wants to protect, who needs to be protected, and to gather all the data you can on users, contact information, the devices they use, the Mac addresses of the devices, what time of day, what apps... I mean you really have to dig into all that. It's not easy. It's hard. The bigger the customer, the more complex it is going to be. But if you don't do that, the deployment is not going to go well. Really consulting on the front end has to occur.

On the consulting part, it depends on how big the customer is, how many you're talking about - 5,000 users or 50 users. That drives the answer. I would say if you don't take 30 days to scope it correctly and document, if you do something less than that, the execution deployment is going to go sideways and that can be months. Those things are months. Those could be six months or so. You've got to pick a pilot case. You build a template, you do a small group, and then you see how the reactions are, see if the users accept that policy, make sure it's right. I would do it group by group. Accounting first, or IT first. And then you do the sales and marketing and HR and all those kinds of things.

In terms of ROI, the only thing that comes to mind is if you look at whatever the current market data says for a breach cost if you have ransomware attack or something, if you choose to rebuild your network, as opposed to paying the ransom, what does that cost? Is that $100,000 a day? Is that a million dollars a day? So whatever that cost is, go look at the cost of the NAC licensing, ISE or ClearPass. And that answers the question for you. If you can block the threats on the front end, you can avoid the whole ransomware conversation.

I have not looked at the pricing in a while. I don't really know. These companies are putting together enterprise license agreements, like a site license, and they'll do multiyear and they'll make them pretty aggressive. If you are buying three security packages from them, for example, they'll give you a significant discount. If you're at two, when you look at the cost to go to a third one, they'll just do it because it discounts the whole package altogether.

As for extra fees and costs, it is just a subscription model, pretty predictable.

I can tell you, even as a Cisco person, ISE was considered very complex and difficult to deploy. That was coming from both the customers and the partners that had to deploy it. It can be very complex and you really have to know what you're doing. The thing that we always stress with customers is to go through and build a policy first. Decide what you want to block, and who is going to have access to what, and do some due diligence on the front end because once the policy is created, then you can deploy what we have all agreed to. As opposed to just trying to wing it and figure as you go - that is not a good play. That was always the comment from the Cisco customers.

My advice to prospective users it to find a consultant or a VAR that has done it before. I think that is key. And then talk to a customer that they did it for.

On a scale of one to ten, I would rate Cisco ISE a seven. That is because it is so complex. I mean, it's not a trivial task.

We primarily use the solution for network access control solution and network device access management. The solution comes with features like posturing.

The valuable feature of the solution lies in its integration capabilities with other applications. This facilitates seamless operations like Microsoft migration across networks and call center management. The ability to segregate multiple domain users in the Access Network ensures efficient, logical management.

The tracking mechanism in Cisco ISE is relatively costly, especially its vendor-specific protocol. It would be beneficial if it could support open source or other devices with a similar checking mechanism, but unfortunately, it remains proprietary.

I have been working with the solution for the past five years.

The solution is highly-stable. I rate it a perfect ten.

The solution is scalable. We have three users for the Cisco ISE.

Their customer service and support is excellent.

Positive

The setup is straightforward. Effective planning is crucial for the setup of Cisco ISE. Placement of the virtual solution requires careful consideration of network accessibility from all branches. Different components may need placement in various areas in a large network. So, thoughtful planning for the architecture is important. It takes around two days for the deployment.

Previously, Cisco ISE had a perpetual licensing model, but now they have shifted to a subscription-based licensing system. We now have to pay recurring costs. This change in the pricing model has presented challenges for many customers accustomed to the simplicity of the previous licensing model.

I recommend this solution to all. Overall, I rate it a perfect 10.

At first, Cisco ISE was a replacement for only ACS RADIUS. It was mostly for remote access VPNs and Wi-Fi. That was it, and later, it evolved into a complete ACS replacement, so it's for both TACACS and RADIUS. Nowadays, we also deploy .1X quite a lot. 

It was a driver towards .1X. With the features that were there on the network side and the features that were there with Cisco ISE, it was way easier to go to .1X.

It's the brain of many things. It's the brain for VPNs. In Cisco ISE, we control where the users are allowed to go. Customers are able to do that by themselves. It's the same for .1X. It's the heart of security.

Cisco ISE improved our cybersecurity resilience. It enabled features that were not present or possible before.

For customers, it's great. It has a GUI, so the customers themselves can edit ACLs or even modify the policies. It's also an all-in-one solution with RADIUS and TACACS.

I'm frustrated by the resource consumption and how many resources it needs to run. It takes a lot of RAM. It takes a lot of space and a lot of IO power. It's frustrating to do upgrades because it takes a long time. Things are at a much smaller scale where we are than in the US. We even have smaller virtualization farms, so it takes a considerable amount of power and resources.

We've been using this solution since its initial release. It was probably version 1.1 or 1.2.

I don't remember opening a case for Cisco ISE except for the licensing problems, but several years ago, it took some time for people to get to the right way to solve the problem. I am not sure whether it was my inability to clarify the situation or whether it was a matter of poor training, but it was sometimes very painful.

I've been working with this product for a while. It doesn't seem difficult. However, in terms of resources, it takes a while to get it running. I don't think it's necessary to be so resource-consuming and slow. That makes it complicated. 

Pricing is where things got a bit more complicated. Previously, it was a one-time purchase and we just had to renew support. These days, there's a subscription model, which is supposed to be easier and cheaper as well, but it's more pricey. Customers are aware of that, and many vendors are going the same way. They are trying to go along with the new model.

We did consider other products, but it didn't make sense to go for any competing vendor because of the integration with other Cisco products. AnyConnect is the best VPN product I am aware of, and that's usually why we stick with Cisco.

We also sell HPE products. We've deployed some HPE RADIUS solutions, but we prefer Cisco these days.

To someone researching this solution who wants to improve the cybersecurity in their organization, I would tell them to first think about what they are trying to achieve and then think about Cisco ISE as a tool. It isn't a turnkey solution.

It hasn't saved our IT staff's time. It was something that wasn't present before. It's an evolution that is necessary, but I wouldn't say it saves time.

It did help us consolidate any tools or applications. It was either a replacement of some legacy products or it was an improvement where it introduced new features that were not present before, but it didn't help get rid of some of the other products. It was a new thing to place into the network.

Overall, I'd rate Cisco ISE a six out of ten.

We use it to ensure that any device that connects to our network or wireless environment is a company-owned asset and has all the security certificates. We aren't doing too much remediation. We just identify whether it's one of our assets and whether it's allowed.

In our company, we have a lot of remote workers. Knowing that even devices that are coming through a VPN comply with our policies, whether they're in the office or they're remote, face the same level of scrutiny is a benefit to our company.

We can set as in-depth alerts as we want to. We can set up an alert through email, text, etc.

It has helped to improve our cybersecurity resilience. It helps to ensure that all devices meet the patching and certificate requirements.

It's keeping our company safe from rogue devices connecting to our network. From a security standpoint, there's peace of mind knowing that every device that connects is a good one.

The upgrades could be better. Every time we try to do an upgrade, we have problems. It's a pain.

I've only been with the company for six months, but they adopted Cisco ISE about three to five years ago.

Support has always been good. Overall, I'd rate them an eight out of ten. Sometimes it feels that their first-level support hasn't been trained in-depth.

Positive

We have redundant solutions across all of our data centers, policy nodes, and authentication nodes. As far as I know, we started off in a small deployment with our wireless. We profiled our devices to ensure that they belonged to our companies before we let them access, and then from there, we expanded into profiling wired ports as well, so we started very small and then moved to a larger solution.

In terms of our plans to increase its usage, we may use Cisco ISE in different ways, but the number of nodes that we have will probably stay the same. With version 2, we're moving more of our deployment to the cloud, so we'll move from the on-premise solution to the cloud. We've already started the process. We have some nodes built in the cloud, and we just have to move the production and then remove our on-prem. We're using Oracle Cloud for our highest deployments. It will be fully cloud.

We've seen a return on investment from the security aspect.

I'd advise starting just the way we did. Start small because there are a lot of use cases of Cisco ISE. If you try to do it all at once, you might be disappointed, so start small and pick an area that you'd like to focus on, get that piece done, and then go from there. 

It hasn't really helped to free up our IT staff for other projects. It also hasn't helped us consolidate any tools. 

Overall, I'd rate Cisco ISE an eight out of ten.