The easiest route - we'll conduct a 15 minute phone interview and write up the review for you.
Use our online form to submit your review. It's quick and you can post anonymously.
Identity Services Engine for us has an incredible number of use cases, predominantly around identity and contact sharing within the enterprise or Endpoint onboarding for, authentication and authorization. Most recently, in the last few years, we've actually finally added device authentication and device management into that with the TACACS implementation. And now we have a comprehensive set of features to perform enterprise NAC, pure RADIUS authentication, and user authorization.
Cisco Identity Services Engine has provided two incredibly beneficial outcomes for our clients. First and foremost, they've been able to limit and minimize the number of different discrete platforms they need to use to deliver things such as network admission control, device authorization, and posturing, as well as do device and policy enforcement at the endpoint level. The second one that really is under sung is the ability to comprehensively manage guests in BYOD wireless access. The ability for the enterprise pretty much out of the box to deploy an end-to-end solution to manage guest onboarding, user self-service, as well as bring your own device has been a real boom to network access.
Using ISE to detect and remediate threats is really the hinge pin for pretty much everything in the Cisco security infrastructure. Without identity and without context, you really can't do any enforcement. It's fine to be able to detect a threat with an IPS, with a threat appliance, with anomaly detection, but being able to use things like RADIUS chains of authorization to then blacklist a host or remove a host from a production relay is an incredibly important outcome, not the least of which because that's all automated in ISE. And that's an incredible benefit to IT teams who perhaps don't have a NOC, don't have a SOC that can run out, and respond to a threat immediately. Having those SOAR automation capabilities inherent to the system is a really powerful feature set.
I think it's inevitable when a customer is deploying or using ISE that they're gonna find additional cycles that they can spend their time on. The rich automation and the quick startup out of the box, for instance, ISA has a really rich onboarding wizard. Pretty much out of the box, you can go through a series of steps, input your IP address, your domain names, etcetera. You don't have to do a lot of the upfront planning and design work that was required of previous systems that did network admission control, certainly more so than the old NAC. And so I believe that many customers will find they have extra cycles to go and use that IT talent to do more impactful projects than spending months and months and months deploying admission control.
Identity Services Engine has done a great advantage to our clients in the fact that Cisco has begun to move more capabilities into the platform over time. As they started out with the basic AAA capability, authentication, authorization, and accounting that was present in ACS and the older service architecture, they've now begun to move in, device administration in the form of the TACACS server and other capabilities within ISE. When they previously introduced the pxGrid capability, you now have the ability to bring other enterprise platforms such as your IPS, your threat systems, and your DNS security platforms directly into ISE for performing all those automation. And so it absolutely has consolidated the number of platforms that you need to deploy to achieve that secure outcome.
The effect of the consolidation of all of these functionalities within Identity Services Engine has had on IT is that now you have a single platform with which to maintain. I think sometimes we overlook the fact that security platforms themselves have a lifecycle associated with them. We have to patch these systems. We have to maintain currency on the devices. And over time, those devices like anything else become a little long in the tooth and require refreshing. The flexibility to deploy Identity Services Engine in multiple persona types on hardware or in a virtual machine is a huge advantage to customers who want to consolidate the number of vendors and hardware platforms that they have to support and manage.
Identity Services Engine has helped a lot of our clients as well as Logicalis simplify the way that we approach compliance governance and risk consulting within our own enterprise, being able to have a single source context for when devices were on the network when they were last authenticated, and, of course, that rich user context that we get. We can now share contextual information from Identity Services Engine within an Azure environment, within an AWS environment with our own active directory, and that's an enormous advantage when you're not only threat hunting, but when you're trying to pass those checks and balances that are required for cybersecurity insurance or your own internal compliance auditing.
For us and our clients, the most valuable features of Identity Services Engine are really around the rich contact sharing that ISE gives you. The ability to categorically list all the endpoints in the infrastructure, understand where they are, how they made it onto the wire, whether that was through wireless, through a wired engagement, And all of the self-service features that allow you to manage guest access to wired and wireless infrastructure are an incredible number of use cases that our clients are constantly deploying now.
I think in any technology infrastructure, you're going to have environments where improvements could occur. I think some areas where ISE could be better are perhaps in the number of integrations that they offer from a virtual standpoint, as well as having a better and more comprehensive pathway for the customer to go from a physical environment to a virtual one. Many of our clients today are hybrid. They have a physical footprint in a data center somewhere, as well as a public cloud instance for things. Today there really isn't an elegant pathway for a client that wants to go 100 percent cloud, and that's an improvement I think that could be along the way.
I have been using Cisco ISE for close to ten years.
The stability of the Cisco Identity Services Engine has continued to improve over time as the product has matured. Anytime you're dealing with something like a database product that has millions or hundreds of thousands of endpoints and entries in it, inevitably you're going to have performance creep over time. Because of the scale of the Cisco purpose-built UCS appliances, the SNS appliances that predominantly run identity services engine, we've seen an enormous advantage by staying up to date on the most current Cisco SNS appliances. We've also seen an enormous advantage by leveraging ISE in a hybrid capacity. So the ability to deploy PSMs on a hybrid cloud environment, on a public cloud environment, as either additional capacity or as a failover point for that on-premise install base is a really nice advantage to have.
The beauty of Identity Service Engine is the fact that there's really no environment too small. If you have 500 to 1000, maybe up to 2000 endpoints, We're talking laptops, mobile devices, access point switches, etcetera. You're really not too small to deploy Identity Service Engine. The beauty of the multi-persona design of the Identity Service Engine is that you can leverage that capability to split off those PSN personas which is actually the persona within the Identity Service Engine that processes all of that high rate of radius authorization and authentication traffic. So the scalability of ISE is really well thought out. It was really well thought out from the get-go. You can also split off the admin personas and the monitoring and logging personas as well to give you that horizontal scale. I'm not sure today what the exact endpoint count that ISE scales to is, but it is certainly into the hundreds of thousands of endpoints.
Cisco support for Identity Services Engine has been world-class. The guts of ISE are still a RADIUS server. They're still AAA-based functionality. So many folks that have been deploying and supporting the Cisco Secure ACS Server as well as the TACACS server and all of the things that have come along with that, continue to use the same skill set to support and deploy ISE. Really, the differences nowadays in terms of support are bringing about more comprehensive offerings to support the systems that surround ISE. Many things plug into ISE and provide much richer context, and really that's where the complexity tends to creep in. Our support from Cisco both as an end user and a partner has been beyond reproach, and we really appreciate Cisco's continued investment in the TAC, and in all the areas they bring to bear to help you receive that business outcome you're after.
Cisco support is always going to be ranked a strong nine with me, mainly because we know there's always room to improve things. We don't want to give a full passing score, but without a doubt, I don't know how anyone could consume and deploy business outcomes with Cisco technologies without leveraging support. And so Cisco leads the way and continues to invest in that area.
Positive
The deployment experience with ISE in the early stages was without a doubt, very daunting. There is a huge number of things that you need to understand about the existing infrastructure, about the existing customer environment to properly deploy that solution. As time has gone on, however, the designers and the developers of that software have begun to create wizard, have begun to create additional upfront deployment tactics within the tool itself so that essentially a journeyman network engineer or security architect can deploy the minimum level of functionality right out of the box.
It's difficult to say whether the clients have seen an immediate ROI with the deployment of the Identity Services Engine. Oftentimes, you have to take on additional technologies in the ISE product family in order to receive that comprehensive benefit. So I think only time will tell what the true ROI is. I can tell you that the value exchange that occurs between a partner and a client when we're talking about everything within the Cisco security portfolio being fully integrated together and working comprehensively has been an enormous advantage to customers who today have a complex act of multi-vendor products. Being able to consolidate on a platform-based solution is an incredibly powerful story to tell, and it's also incredibly powerful from a cost-benefit standpoint as well.
In terms of the licensing and the pricing structure of the Cisco Identity Services Engine, there's been a huge advantage to our clients recently with the advent of the enterprise agreement. You now have an enterprise agreement choice, which now allows you to buy as few as two security products to unlock additional discounting and additional life cycle advantages when you consume that solution for security business outcomes. At Logicalis, we deliver a full life cycle approach to Identity Services Engine when embedded into a Cisco security enterprise agreement. We're able to deliver not only the onboarding and the design guidance that the customer needs to deliver that secure business outcome, but also provide the ancillary services to support all of the other infrastructure that often comes along with deploying a solution like ice.
Identity Services Engine compares favorably with many of the other competitor's products that are in that space. I won't mention them now, but I think we know that all of the same industry competitors have been delivering identity solutions and NAC solutions over the last decade or so. Cisco continues to rank in the upper and farther to the right in Gartner Magic Quadrant for those identity solutions, and I think they'll continue on that trajectory. Cisco has long been the number one network vendor in the world, and I think you'll continue to see that growth as the network continues to be important to business.
I rate Cisco Identity Services Engine a ten, on a scale of one to ten. It's a necessary solution to deploy in order to achieve many of the business outcomes such as some of the smart business architectures, certainly anything within the automated campus designs that are out there with DNA Center. It's just an incredibly powerful tool to manage both identity and endpoints within the infrastructure, and it really does become the hub of a hub and spoke comprehensive security architecture.
When Identity Services Engine became the de facto migration path from ACS Access Control Server, we were very early adopting and getting that product into our labs and in the hands of our customers for proofs of concept, proofs of value, and enterprise pilots.
We have two main use cases: wired networks and wireless networks. In the wireless scenario, our main focus is on authenticating users to ensure compliance before granting access to our private network.
We use the Forescout Platform for device visibility and control in our network. It's very helpful for tracking malicious or unusual activity. We use it to track which ports are open, which machines are running specific services, and to identify vulnerabilities. For example, there was a vulnerability related to SMB, and we could use the product to determine which machines inside our organization were allowing SMB traffic.
The tool's most valuable feature is its ease of configuring and controlling endpoints, particularly in building policies for endpoint management. Its interface is simple to use and offers good visibility.
When compared with other solutions, the Forescout Platform's standout feature is its ability to integrate with various systems. This capability is particularly valuable as it supports the implementation of a zero-trust architecture. We are currently in the process of constructing our zero-trust architecture, wherein the tool serves as a pivotal component.
The solution's compliance capabilities have indeed been very beneficial for our organization. Unlike other solutions, it allows us to implement controls swiftly. Typically, transitioning to a blocking mode with other solutions would take around six months. However, we achieved this with the Forescout Platform within just one month.
The product needs to improve its support. I know a case that dragged on for about one and a half years. They eventually suggested professional services and closed the ticket. We followed their advice, engaging the account manager and professional service team, only to discover that the issue was a bug. After reopening the case, it's been about six months, and the problem still hasn't been resolved.
Forescout Platform's support often takes a long time to respond to tickets. Even after we reply, there's another lengthy wait for feedback, and their responses sometimes seem to delay resolution with unnecessary questions. For instance, they might ask for details about previous issues. Meanwhile, competitors may offer temporary solutions but often lack or are unsatisfactory regarding technical or research and development support from Forescout Platform's team.
Another area where it can improve is when dealing with multiple sites and overlapping subnets. While it works well for individual sites, it struggles when managing several sites with overlapping subnets, especially with authentication portals.
I think the Forescout Platform could use some extra features or improvements in the future. Specifically, it could be better at working with other security tools. For example, when it connects with VPNs or security scanners, it could work a bit better. The tool has already made some efforts in this area, but I think it could do even more to make these devices work together
I have been working with the product for two years.
I rate the product's stability a ten out of ten.
My company has 800 to 1000 endpoints and approximately 500 users. I rate the tool's scalability an eight out of ten. Forescout Platform is fully operational in our company, managing all our devices. We plan to use it more in the future because we're setting up a zero-trust architecture. This will allow our staff to work remotely, even from home.
I have used Cisco before. When deciding which product to switch to, we picked the Forescout Platform because it was more stable and easier to upgrade.
I rate the tool's ease of deployment a ten out of ten. It is easy to manage and implement. With the help of our partner, it took about one to two weeks at most to deploy this solution. This includes setting up the policies, implementing them, and ensuring the product is operational. Building the policies initially took around two to five days. However, refining and enhancing the policies took approximately three weeks in total.
We required a team of one senior engineer and one regular engineer to deploy this solution. The regular engineer was primarily responsible for implementing the Forescout Platform. In contrast, the senior engineer was involved in specific areas, such as integration and troubleshooting issues during deployment.
We currently only need one engineer for maintenance. The solution is mostly up and running, requiring minimal intervention. On average, the engineer spends about five minutes daily checking for issues or addressing complaints.
I rate the overall product an eight out of ten.
