What needs improvement with Cisco ISE (Identity Services Engine)?

The product is expensive. It would also be a good add-on to have some machine learning.

Cisco ISE is very complex and not very easy to deploy. There are a lot of prerequisites for the tool.

I would like to see better management. Integration with other platforms can also be improved. Cisco ISE does not recognize devices and that is an issue we faced during its integration with our existing devices.

We face many bugs. The vendor is trying to improve it by releasing new patches and hotfixes.

You have to restart the system to change the DNS or NTP server.

The tracking mechanism in Cisco ISE is relatively costly, especially its vendor-specific protocol. It would be beneficial if it could support open source or other devices with a similar checking mechanism, but unfortunately, it remains proprietary.

I don't really know how to improve it, I think it's a great product. If I compare Cisco with something like ClearPass, for example, ISE is a lot more intuitive in terms of all the workflows and the work centers. They give you all the building blocks you need to be able to configure it. It's quite useful and quite easy to manage. If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out. If I wanted anything to be easier, it would be this.

The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away.

It could be less monolithic. It's one huge application, and it does everything under the sun, so it's hard to deal with and upgrade and manage.

The templates could be better. When you have to do certs, especially with X.500 certs, it isn't very intuitive.

Cisco ISE can become quite complex, especially with policy sets, the entire authentication process, and everything involved. I would appreciate a more comprehensive visual depiction of the steps from the beginning to the end.

Cisco ISE has numerous features that are impractical, and I won't utilize them since they require payment.

It would be helpful for us to know what needs to be deployed, configured, and what changes we need to make to our devices when we don't receive the specific login which is an indication of a lack of connection or incorrect configuration.

It could be more intuitive in terms of how to configure the policies.

They should improve the documentation. There tends to be a lot of old text, or the new things aren't always up to what's been released on the code, and sometimes the documentation is inconsistent. Last week, we were doing a dot1x troubleshooting, and I was showing people how to look for it, and all the documentation came up for version 1.0. I wondered why version 3.0 is not the top choice since it is already out, and we've been on Version 2.0 for five years. The solution should try adjusting their tags because sometimes it's difficult to find things.

Sometimes some of Cisco ISE's graphical interfaces could be a little bit smoother. However, with the different versions, the product is getting better and better.

Its user interface could be better. It's not bad. They've just redesigned the whole user interface. It's not terribly difficult. The drop-down menus are easy to use. However, when you're looking for some things in the user interface, it takes a minute to find where you were prior.

There should be more visibility into TrustSec policy actions. When TrustSec blocks something or makes any kind of changes to the network, we don't always see that. We have to log into the switch itself, or we have to get some type of Syslog parsing to do that. Cisco DNA Center may do it, but it would be better if that was integrated into Cisco ISE. In terms of securing our infrastructure from end to end so we can detect and remediate threats, it's a little bit difficult in terms of visibility, but, generally, we would just go through the logs and see if there's a problem or not.

The policies could be adjusted to make them more easily implementable.

Cisco ISE's performance could be better, faster, and more robust. Sometimes it takes some time to move through the tabs and configure something.

Troubleshooting and multi-ISE can be challenging with the solution.

Sometimes, there are instances when Cisco ISE simply fails to function without any apparent reason, and regardless of the investigation we undertake, the logs indicate that everything is functioning properly, making it somewhat inexplicable. However, after a while, it spontaneously begins functioning again. Therefore, I believe it is not a widespread problem, but when it does occur, it can be quite frustrating. The support specifically for Cisco ISE has room for improvement.

I don't see as many customers as I should adopting the onboarding feature. I think Cisco should make that process a lot easier and less intrusive on the end users' devices.

There is room for improvement in its ability to allow end users to self-enroll their devices. Instead, you should be able to assign that permission by AD group, which is currently not available.

[When it comes to securing access to your applications we are] not [using it] so much. I'll have another session with a TAC engineer on Friday, and I will have to discuss some basic concepts of securing the application with ISE. I find it very challenging to do some micro segmentation with it. I'm staying on top of it and doing it macro, but I want to go micro, and it's something I need to discuss more with an engineer. Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them. This is a problem in ISE. This could be much simpler.

A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on. The upgrade process is not very simple. It's pretty time-consuming. If you follow it step by step you're probably going to have a good time, but there are still a lot of things that could be a lot more user-friendly from an administrator's perspective. [They could be] easing a lot of the issues that people have. Instead of just saying the best practice is to migrate to new nodes [what would be helpful] would be to make that upgrade process easier. The UI is a lot nicer in 3.0. It's pretty slow, but for the most part, it's easy to find what you're looking for, especially things like RADIUS live logs, TACACS live logs. From a troubleshooting perspective, it's really nice finding stuff. For setting up policies, from that perspective, it could be a little bit better looking.

The UI and UX could be more seamless and easier to use.

Cisco could improve the GUIs on their hardware.

When I work with customers to do my knowledge transfer, they're really overwhelmed with the navigation of the product and the number of things you can do with it. From a user interface standpoint, Cisco could focus on making certain tasks a bit more guided and easier for customers to walk through. That is, a user-friendly interface and streamlined workflows would be great.

I would definitely improve the deployment and maybe a little bit of the support. Our first exposure to ISE had a lot of issues. However, I have noticed as we have been implementing patches and upgrades that it has gotten a lot better.

I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself.

I would like to see them simplify the dashboard. It's very configurable, but, at the same time, it's not easy to maneuver through it. They should "Merakify" it. The deployment is complex. I get that it's very configurable, but there is the challenge of how to get to certain things. You go to different places to get the same things done. There needs to be improvement to the GUI.

Cisco ISE has almost all the features we are looking for now, but sometimes the configuration, such as the conditions, is a little difficult to understand and not so easy to navigate.

I'm not working in the IT team. I'm working the sales team. While there are a lot of features that we could improve in our organization, I can't speak to the exact changes that should be made. We'd like to be able to integrate the product with our solutions. Sometimes we face some infrastructure where there are multiple vendors and sometimes the ISE is not the best tool to manage multiple vendor infrastructure. The price here in Brazil is very expensive. Configurations can be a bit complicated. Sometimes we have problems integrating logs into SIEM solutions. We have to deliver some logs to a SIEM secret platform, and sometimes it does not work well. It would be better if we had better integration or a better way to deliver the logging SIEM platforms.

There are still some bugs in ISE that need to be worked out.

We have only been deploying this version for three months. We haven’t had any issues, but we'll see how it goes. One of the issues that we used to have was with profiling because we're working with a service provider that uses a lot of bring your own devices. We haven't had any issues since we started using version 3.1.

Compatibility with other vendors is what needs to be improved in Cisco ISE (Identity Services Engine). We should be able to use it with other vendors, for all specifications. There should be integration with different vendors, e.g. Cisco ISE (Identity Services Engine) working with AccuPoint networks.

The licensing documentation needs to be better. We found some old documents describing the license names, like the Base license and Apex license. Cisco used both names. We have found that they changed the Advantage license and Premier License. If someone misunderstands that, they might end up with a hassle. I don't know if it's possible or not for Cisco to remove the older documents from the official website.

I would like the product to include support for OSVS version three.

In an upcoming release, it would be nice to have NAC already standard in the solution.

I have not come across any missing features. It would be ideal if Cisco could provide some short training videos or documentation to customers to help them understand how to use the product.

The solution could be more secure.

This solution has enhanced features that make it difficult to use. To make it easier, it should be made without PxGrid. It should be able to work with third-party routers and switches. We want to work in an environment where there are multi-vendors that require PxGrid. Their software-defined access is not easy to implement. You have to have a good understanding of how to implement it. It would be helpful if they could make it easier for the customer to adopt. Third-party integration is important, as well as the continuous adaptation feature, which is the AIOps. It would be helpful to include the AIOps.

The initial setup could be simplified. The support could be faster and the pricing could be reduced.

The solution isn't as dynamic as it could be. There are some limitations, specifically around switches. Deploying to a machine, as opposed to a dedicated appliance, can be a bit difficult. The network solutions need to be improved by Cisco.

The solution infrastructure configuration is complicated to set up. They have improved over the years but there is still a lot of room to improve. When comparing the simplicity to other vendors, such as Fortinet and Aruba they are behind.

It perfectly does everything we have been looking for it to do. I have not discovered any feature sets or items that are lacking. It's a much more functional product than the old Cisco ACS that it replaced. That being said, during deployment, they shipped us the Cisco ISE with the 3.1 operating system, which was incompatible with the license that we had purchased, which would only allow us to go up to version 2.9. Because of this, we actually had to do a factory reset and a reload to the operating system — to an older version of the operating system. This required a very extensive process. We had to take out the Cisco ISE and put it into a factory reset mode to get it to roll back to the old operating system. If we were doing an upgrade, this would have been very simple, but as we were doing a downgrade, it was extremely complex and very labor-intensive. I was crawling through the server room, through wires, to plug things in, to get it to connect in the way that it needed to be connected with an external device in order to actually get it to roll back. I don't like that the licensing structure doesn't allow us to have the 3.1 operating system — it forces us to use version 2.9. If you don't want to pay a monthly or a yearly subscription fee, either that device should have come automatically with the 2.9 version operating system, or it should have been much easier to actually roll it back. Additionally, support should have realized that our license requires us to have the 2.9 operating system instead of the 3.1 operating system, which would have saved us a lot of time. It would be nice if it could be configured easily by default. If you're configuring a Cisco device, you pretty much need the support of a CCNA-level technician to be able to do it. It would be nice if there was a default or a more simple way to do it. It's not really a requirement to use the device because you can purchase the premium support or you could get a CCNA in-house to do it. Just having that ability to say, "Hey, we want to set this up" without too many complications or without having to bring in support would be nice.

It is too complex. It should be easy to use. We are not such a big team. We only have three engineers to work with this, and we don't use all of the functionality of the product. Its range of functionality is too wide for us, and this is the reason why we are thinking of switching to a more simple product. We have shortlisted a Microsoft solution. We have a big footprint for Microsoft products, especially in security. As a global strategy, we try to leverage to the maximum what is possible around Microsoft.

An issue with the product is it tends to have a lot of bugs whenever they release a new release. We've always found ourselves battling out one bug or another. I think, overall they need to form a quality assurance standpoint. ISE has always had this issue with bugs. Even if you go to a Cisco website and you type all the bug releases for ISE, you'll find a lot of bugs. Because the product is kind of intrusive, right? It's in the network. Whenever you have a bug, if something doesn't work, that always creates a lot of noise. I would say that the biggest issue we're having is with all the product bugs. Also, the graphical user interface is very heavy. By heavy, I mean it's quite fancy. It's equipped with a lot of features and animations that sometimes slow down the user interface. It's a technical product — I don't think a lot of engineers really need fancy GUIs. We pretty much look for functionality, but I think Cisco, for some reason, is putting an emphasis on its GUIs looking better. We always look for functionality over fancy features. We've had issues with different browsers, and sometimes it's really slow. From a functionality standpoint, we would rather the GUI was light and faster to navigate. ISE has a very good logging capability but because their GUI is so slow, we feel it's not as flexible or user-friendly as we would like it to be, especially when it comes to monitoring and logging. At the end of the day, we're implementing ISE for security. And that means visibility. Of course, you can export the data into other products to get that visibility, but we would like to have a better type of monitoring, maybe better dashboards, and better analytics capabilities within the product. Analytics is one thing that's really lacking. Even if you're to extract a report, it just takes a lot of time. So, again, that comes down to product design, but that's definitely an area for improvement. I think it does the job well, but they can definitely improve on the monitoring and analytics side.

They have recently made a lot of improvements. My clients don't have much to complain about — it's a one-stop-shop. It should be virtualized because many people have begun migrating to the cloud. They should offer a hybrid version.

Segmentation can be improved. They can also improve security policies for each group of users, and automation can also be better. The software interface could be better. They should make it easier for users to find features.

The solution is not so user-friendly. It's very difficult to navigate through different manuals. The documentation should be simplified so that it is easier to understand. It would take time for a beginner to understand and familiarize themselves with the solution. There's a bit of a learning curve. Cisco ISE is not very stable. They could work on that aspect. We'd like the pricing to be better. The product is not easily scalable. Currently, if you want to do something with authentication, you need to have an additional document agent, however, these are short on all Microsoft endpoints. We then need to come up with some alternate options so that I don't have to modify any native applications on it. By default, Windows should be able to support and onboard the devices. Right now I need to have a Cisco AnyConnect as an agent to be deployed for authentication.

In terms of the improvements I need, they've already, according to my research, done those improvements with their new versions. The features have already improved on their newer version, and that's why we need to update to that new version. What is required is that Cisco needs to be doing health checks and following up with the customer to ensure that their Cisco partners have done the deployment right. That's something that has really helped us. Whenever a partner comes and does any deployment, we would, later on, engage Cisco for a health check, so that Cisco could assist with their products. They would check whether it has been deployed following the best practices - or they would just alert us on which features that we have paid for and we are not taking advantage of that. Cisco needs to continue with that health check. That engagement with their customers to reconfirm everything is like a quality assurance that the Cisco partners have given the right stuff to their customers. This product doesn't work in isolation. For example, when we talk of posturing the Microsoft updates, the system that does automatic updates for Microsoft needs to work in an ideal fashion. The antivirus needs to work. OF course, the antivirus is not Cisco. Those products need to work as they should so that integration of the ISE product will work as well. When all factors are held constant, Cisco works well.

The user interface can be improved.

There should be better documentation on the implementation of the solution. I learned how to implement it from watching videos. I felt the documentation was too complicated and I also learn better from watching videos. In my experience, there needs to be better documentation for firewall integration as well, we had some trouble early on.

It is a good product, but in order to use all of the functions of the product, you must have a good understanding of the product. You must know how to use and manage it. It is a little bit complicated to configure and manage. It must be simplified to make it easy to manage for end users. In the initial stage, we found ISE complicated for end users. It was not easy to manage it or to write authentication and authorization protocol. They must improve its management and make it easy for end users. The monitoring and reporting capabilities can be improved because end users want to quickly see what is happening in their network. There were some restrictions in working with other vendors. It should also have a better and easy integration with other vendors.

The ISE software needs to be improved in role to be easier to administer. SOftware enhancement required to have easier way to find the featured required to implement and also need enhancement of features sorting. Completing processes can be complex when try to implement some solutions. also steps are complex and the troubleshooting as well. As an example, if you intend to make AAA policy and enforce it on a group of users, you will find the software very confusing................................

As I treat the system basically as a user would, and am not overly technical, I can't say what features, if any, the solution is missing. I'm working from China currently and the only real issue is that, within the country, there's some concern around Cisco and its ability to offer the solution for the long term. As the United States has banned the Huawei version in their country, we feel there may be retaliation in ours and Cisco will get banned as a countermeasure from the government. The future of Cisco in China is in question. Our local partners are worried about the situation.

The web interface needs improvement. The new web interface that they have is not as easy to manage and we find it to be very slow. The solution might require two authentications. They should make a new authentication to authenticate both the device and the users. Right now, we are authenticating the PC, the workstation, but not as a user. A good addition would be to authenticate the user separately to get more information.

Because we have a large database and 4,000 network devices, the solution can lag a bit when you're running updates or different things because of the fact that it's so big and it is such a resource hog. But the biggest problem we've encountered is that it finds errors or people are rejected or not authenticated without a clear explanation as to why. A second issue is that we're currently on 2.4 and Cisco's gold standard now is 2.7. They are a little slow with that. I'd really like the solution to dive down a little deeper when something's not profiling. As it stands now, you have to go through and search what hasn't profiled. Microsoft, for example, gives you a direction to look at and will even be specific sometimes and tell you there is a password error, or the password hasn't been updated, or it's not meeting the policy and that's why it won't let it through. Those are very helpful because you know exactly what's required to solve a problem. Cisco is getting better with it, but they fail in some areas because of a network connectivity issue, or it's not getting DCAP quick enough and it fails. Those things would be more helpful to understand when it's going through, so you are able to triage it a little better. I mean, it does point you in a direction, but sometimes you have to dig a lot deeper to find the right direction and figure out what kept it from profiling. One big issue we've discovered is that people are not rebooting their machines or powering them off at night. We're trying to ensure that is done by sticking messages on screens.

The software is a little bit complicated to understand in the beginning, meaning the implementation. It needs proper documentation so that we can understand the options more easily.

This solution does not provide us with enough visibility into our network. We would like to see additional information that it does not show. In general, the reporting is not very useful. ISE needs to have better integration with third-party products. A basic profiling engine would make a good addition because device profiling is very important. This product requires the use of agents and ideally, I would like an agentless version. I think that they should get rid of them because they are hard to manage and deploy. Also, they are not useful. The interface is not very user-friendly and it is not simple to use.

I'd like to see an easier way to upgrade to larger versions, as well as more best practices that are easier to locate on their support page.

An area that could be improved is the agent. The challenge now is that agent and most of the computers have changed. They could think about agent-less deployment. Also, I've not explored MDM but if it should be integrated.

The stability of this solution needs to be improved. It should not be necessary to go to each individual set of alarms and acknowledge them in order for them to go away. There should be a single button that can be pressed to dismiss all of the alarms at once.

Cisco ISE is complex. The deployment and design of networks with it is so complex. If it could change it would be better. It needs a better solution for reduced complexity. I think to add more people to four-thousand users is going to be hard. Cisco needs to make it easier to add more people.

There should be an easier way to do the upgrades. Customers were having issues going from one version to the next. There are a lot of steps to get to the next version from the previous version which ends up being a bit of the headache with the upgrade.

So far we have had no complaints from customers. No major complaints in terms of ISE. They do complain obviously if the ISE service stops working. Normally that happens if there's a server flaw or some problem at the data center somewhere. There can more integration between the wireless controller management and ISE. Consolidation or integration of the controller and ISE dashboards would be great. It's not that bad but would make for simplified support if it could be combined into one dashboard.

There are issues with respect to the posture assessment function. It's been observed that customers are not receiving total access to the network because the assessment agent is glitchy and malfunctions from time-to-time. I would like to see refining of the compliance assessment and adding more detailed compliance of endpoints on the user end. We have also had to deal with some cache update issues in conjunction with Cisco's tech support team. Unfortunately, they had trouble providing suitable solutions within specific and desirable time frames. The next release should offer more inter-operability, increased cross-integration functionality.

It has many complications from the administration perspective, it's not easy to learn. Not like other solutions that are very friendly and easy to go through. It needs to be more user-friendly. We'll see the same name on more than one tab so we need to realize why that name is there or why only the main tab is not like the other. I cannot believe that Cisco is the best case of security integration however it is easier to implement. They are good at integration, I do not expect more from them in that regard. They could think about developing VXLAN. They have LDN switches, we need to get into contextual switches, not catalyst switches. Normal switches. I wish they could explore developing more VXLAN options.

Support and integration for the active devices needs to be worked on. Their features mainly work well with Mac devices. If we use an HP the Mac functionalities may no longer be able to deliver.

Since we have started, we struggled a lot to implement this solution into our network, and we opened a case a couple of times. Up until this point, nothing else needs to be improved with this product.

They should improve the upgrades. It's not easy to upgrade the solution.

The compliance and posture don't always work. They should make it more stable. With each upgrade, we lose some functionality. We have to wait for another upgrade. I would like to see them develop some type of device management, like an iPad feature, just to be able to give security access to certain devices for management. Mainly for the suppliers and the third parties. Another feature I would like to see would be for them to create the ability to integrate with other products from the start. We always search for products that integrate with us and so it would ease the management and then everybody would be entered.

I would like for them to improve the reporting.