Cisco Identity Services Engine (ISE) Reviews

I'm a network engineer. I've been at my company for about six years. 

We have about ten people on the networking team. We support up to 30,000 students. We've been using ISE for five or six years now.

Our primary use case is mainly to onboard students with the wireless authentication with our switches and network devices. 

Another big benefit for us is definitely security in terms of wireless user activity. We spent a lot of time looking at live logs and user logs to figure out where they've been in the network and in which buildings. We can get rogue granular with locations of where people are and where they're experiencing issues.

We have definitely saved time since using ISE when it comes to building some of the policies around the types of users, like library users versus student union or even admin users. The policy building is complicated, but after a while, it's pretty straightforward in terms of repeatability of staff turnover, and things like that. It's not the learning curve that's hard for continuous maintenance.

The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting. 

The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away. 

In terms of scalability, we have multiple policy nodes. I know we have about ten different devices on other appliances. As far as I can imagine, setting up another policy node or something would be pretty simple. It would just require hardware to be purchased.

Our support for Cisco ISE has been pretty good. We've had pretty good luck with TAC cases, and it seems like maybe because it is a niche thing there are certain groups of support staff who are pretty savvy.

We've never really had issues that went long-term. It's because it's our main gateway for students, staff, and faculty. It seems like we've solved things pretty quickly.

I'd rate it about an eight out of ten. The only thing is that you don't necessarily get the same person every time but we've never had an issue that went unsolved so far, so I'd say eight.

Positive

In terms of evaluating other services, that's one of our reasons for being a Cisco Live, to actually know what alternatives there are in that space. We are interested in a faster-performing solution at times.

Overall, I would say our implementation is fine, but we do hesitate on major releases just because we've had some issues in the past, and rolling back is difficult. We don't want to go down that path especially because it is so critical for us.

In terms of ROI for Cisco ISE, I'm not sure what we paid to begin with, but I know that it's indispensable, since it is our only gateway for wireless users to connect. Also that it's flexible for us to school up new user grow groups fairly easily.

It doesn't seem like we have a licensing model that we're aware of. It's not something that comes down where we have to say, "Oh, boy, we have to renew ISE again." It doesn't seem like it's a significant part of the budget that we have for licensing and ongoing maintenance.

In terms of ISE for end-to-end security, it's our primary tool right now for that. It's hard to compare with other applications or hardware. Sometimes there are limitations, for example, we use it for wireless only. We don't do anything with ISE or 802.1X on the wire, which is something we'd like to do, but we're hesitant based on our experiences with the wireless side in terms of the slowness.

On a scale from one to ten, I give Cisco ISE an eight. Primarily because it seems like it's doing a pretty decent job managing our wireless connections. And there are enough tools in the GUI interface that give us feedback on performance. It's been a pretty decent install for us.

We use it for access control in our organization for network control and the guest portal of the guest users who access the wireless network.

Cisco ISE has improved our security. It's very important to us since we are a banking entity. Security is one of the most important aspects of our architecture.

The most valuable feature is the provisioning of the device so as to ensure that they are compliant with the security policy that we need to have.

I believe that Cisco can improve the way its policies are built because they're a little complex. If the operation teams do not have not a very good understanding of the solutions, they can break something because it's not so easy to view their policies through their eyes.

I have been using Cisco Identity Services Engine for six years.

Cisco's support team does a good job. Sometimes they take a long time to solve a problem, so it's difficult for us. But in general, it's a good solution with good tech support. I rate the technical support an eight out of ten.

Positive

We are using Juniper. We are also using Cisco, which is the main vendor. Before, a solution for web portal access was deployed by our internal team, and we moved it back to Cisco. We chose Cisco because, as a NAC solution, it made sense to us since it keeps things together in the last single tool.

The product's implementation was done by my team, along with handling virtual operations too. The setup is simple to do. However, the policies of the solution are a bit complex.

Regarding how the solution helps me secure my infrastructure from end to end, I would say that it is a good solution for us. We are also using all the features Cisco ISE has.

I don't believe it does save my IT staff any time because we need to build the policies and follow the configuration, then follow the user access.

After getting rid of other products, my company was able to save some money.

Regarding the solution's ability to consolidate tools and add to my security infrastructure, I would say that because Cisco ISE (Identity Services Engine) was able to get rid of those other products, it did help secure my infrastructure.

It did improve my company's cybersecurity resilience because we have deployed the solution as a high-availability solution. So if we lose one of the boxes, the other one, we all remain to stay in the job.

I would absolutely recommend the solution since it helped us a lot to improve our security and put some tools together in a single pane of glass to support and troubleshoot it. So it's easier to do that.

Regarding if the solution was able to integrate well with other solutions, I do not think we have any integrations at this moment, but I know that Cisco ISE (Identity Services Engine) has a lot of integrations.

I rate the overall solution a nine out of ten.

We use it for identity services, profiling, and locking down devices.

We're an airport, so when anybody plugs in a device, it's obviously a really big security point for us.

We have a lot of different devices that get plugged in and we really don't have the manpower to address each one individually, as far as our network goes. Cisco ISE has really cut down a lot on the size of our ticket queues and the manpower. My boss is extremely happy about that.

The solution has also eliminated trust from our organization's network architecture and that has actually been positive because we have to meet PCI compliance. It is very important for us to be able to take cards. It has also helped to improve our pen-testing scores at the end of the year.

Resilience, in cyber security, is at the top of the list. It's one of the most valuable aspects and has been extremely important for us. Before, we had mid-range scores, but over the last couple of years, between implementing ISE and a few other technologies and SIEMs, we've gotten into the 90th percentile with our pen-testing scores. We were sitting at about 75 to 80, so this is a pretty huge jump for us.

Profiling is one of the most valuable features. We have a lot of different devices between cameras, access points, and laptops that get plugged in.

Establishing trust for every access request, no matter where it comes from, is extremely important for us, especially because we are an airport entity. We do have port security implemented throughout our airport, but on the more sensitive side of things, it's a little bit more hardcore regarding what we need to allow, per security zone.

There are always some things that I would request.

I first started using Cisco ISE (Identity Services Engine) in about 2015, but we recently just spun it up here at my current job.

The stability of the solution is a 10 out of 10.

The scalability is also a 10 out of 10.

For this particular solution, the technical support has been pretty good.

Positive

I've worked with ISE before, and it was actually my suggestion that we buy the license for it.

The initial deployment was pretty straightforward only because I had done it before. I worked on it with a colleague and taught him everything about it, just in case I was incapacitated.

From the start, including getting to an agreement, budgeting, and scheduling, the deployment took about three months.

In terms of an implementation strategy, once we got the licensing, we just stood the nodes up. Then we did the features one-by-one, with proper RFCs done, just to see, in a break-fix manner, if each thing we implemented would break something.

We used a consultant. The deployment required two people on our side. I was in charge of the initial rollout and implementation, and I'm in charge of managing it. However, if I'm not there, we have another network guy who does the day-to-day tasks and checks the logs to see if he needs to approve anything.

We have definitely seen return on investment. We have so many different security solutions in place, and ISE just works really seamlessly with them. I get to keep my job, so that's a pretty ROI from my point of view.

The pricing is fair for what it does. The only time I've really not been too crazy about the price is for Cisco Prime, which is a management solution for Cisco products.

We implemented a request for purchase and talked to a few different companies. One of the companies was Presidio. There was another company close by called Net Solutions. Three out of the five companies that we talked to were outsourcing the work to pretty much just bring in an ISE solution, so we just decided to do it in-house.

If you are on the fence about it, and you don't have someone on your team who has worked with the product before, definitely reach out to a company or a certified Cisco entity to help with the rollout. It's pretty painful if you don't know what you're doing.

Resilience is never a bad idea and it's never too late to start working towards it or to begin the journey to Zero Trust. It's very important in this day and age. 

I'm the only cyber security administrator that we have currently, so if we hadn't gotten this solution in place, I highly doubt that I would have been able to make it here to Cisco Live 2021, so it's excellent.

From 2015, when I first started using it, until now, there's not really a lot that I would ask be changed. They've been hard at it ever since I first started using it.

It's been incredible ever since we got it in place.

We currently use it for RADIUS and TACACS authentication, but we're moving to SD Campus Fabric. We're tying that in with DNA Center, making it flow with the wireless and authentications at the port, using .1X. That's where we're headed.

We have a 10-node deployment: two PSNs, four dedicated to TACACS and RADIUS, two dedicated to guest WiFi, and two dedicated to pxGrid.

While it doesn't give us a single pane of glass, it helps identify problems more quickly. You can identify what's going on in the logs most of the time.

Also, ISE, working with DNA Center, provides a trust set. It's very important to us that the solution considers all resources to be external, so that we know who is connecting, when and where, at all times; we're not just trusting you because you're internal.

At the moment, RADIUS is the most valuable feature for us. We haven't really opened it up yet, so RADIUS is the best feature because it supplies authentication to our entire campus.

Also, when it comes to securing access to applications and the network, that goes hand-in-hand with fully developing ISE, implementing .1X, tying in DNA Center, and enabling TrustSec to look at SGTs and figure out who's who and what is what.

The knocks I have against the product are the number of bugs that we encounter, constantly, and the amount of upgrading that we have to do.

I have been using Cisco ISE (Identity Services Engine) for about five years.

Because of the numerous bugs we've been hit with, on a scale of one to 10, the stability is a four or five.

In theory, the scalability is great, if it all works.

We have six 17-floor buildings, and had a little more than 1,500 users on campus, pre-COVID. ISE is providing access and authentication for everyone who uses the WiFi and it helps us get into our devices.

TAC is moving a little slowly with respect to the technology. They're not keeping up. When you call in with a question, you get 10 questions fired back at you, and it just goes round and round until you figure it out.

Neutral

We previously used ACS.

If you're not going through an agreement, it's very expensive.

We didn't evaluate other options. We're a Cisco shop.

Do a deep dive. If you're a Cisco shop you really don't have a choice. It's the direction they're moving in. Cut your teeth with it and don't rely on outside sources to implement it. Implement it yourself so you know how to troubleshoot it and move forward. If you use outside sources, as soon as they leave, you're left holding the bucket and you don't understand what's going on.

I see the theory behind ISE and if we can get it to gel in our environment, it will be a beautiful thing.

We're just using it for authentication to our network switches.

We have more visibility and control with the tool. It has helped us improve our cybersecurity resilience.

The authentication piece was a big deal, especially because we're able to roll it out so quickly. Once we start using it to its full potential by using NAC, we can automate a lot of things that we're doing manually. MAC lockdown is one of the big things we have an issue with because I work on the classified network, so we're locking down every end device. It takes up a lot of time. That's one of the biggest things that we're rolling out. I'm not sure what other features we're going to use out of it, but I know that once we get started on it, we'll be a lot more involved with the things that we're going to roll out.

It's really easy in terms of the authentication piece. It's a big help. We've other parts of the network that are not using any authentication at all, which is scary. We've so many separate companies, and I'm hoping that we can start using this for those networks as well.

It has saved us time. We've control on our side, and we're able to add new devices as we deploy them for new buildings and things like that. We're able to give different types of access that our users need to have, which is nice. It has been huge, and then once we start deploying NAC or something like that, that's going to be a game changer for us because that'll free up a lot of time for us. It probably saves at least ten hours a week because especially right now, we're in the phase where we're getting so many new buildings. We're not only turning up new buildings; there are also all the users. So, for every single device, you have to do a MAC lockdown. Sometimes we get spreadsheets listing a ton of PCs that we've to lock down. That just takes forever, especially if you get it wrong or someone has fat fingers and things like that. It'll hopefully eliminate a lot of that too. We won't have the back and forth with other groups for that.

It has helped consolidate tools. We don't have to go outside our own group for the authentication piece. That control is a big deal. On top of that, once we start integrating NAC and other things, it's going to eliminate a lot of manual work.

Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key. 

Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out. It was a little more cumbersome than I thought.

I've been using Cisco ISE for about a year.

For the times that I have interacted with them, they've been pretty good, but I've heard of other stories. Overall, I'd rate them an eight out of ten.

Positive

We were using regular TACACS, RSA, etc. I can't remember what they were using on their side because it was more of the infrastructure team that was using this. We would just basically go to them and give them requests. Having control through Cisco ISE is much better.

The reasons for going for Cisco ISE were having that control and having a relationship with Cisco. All of our gears are Cisco. It just made it easier and more compatible. I know there are a lot of other tools that we can take advantage of such as NAC and things like that. We're hoping to do that in the future.

As far as I know, it was fairly easy. We didn't have a lot of problems with it. One of our other guys deployed it. I wasn't with him, but I didn't hear that there were a lot of problems with it, so it was fairly easy. The same guy had deployed it on the unclassified networks, so he had experience with it.

Overall, I'd rate Cisco ISE a seven out of ten.

We utilize Cisco ISE for wireless user authentication, as well as authentication, authorization, and accounting for our network devices.

Cisco ISE has made us much more secure. It has streamlined the process of adding new devices to our wireless network, specifically wireless-only devices. Moreover, thanks to scripting capabilities and flexibility on the Cisco ISE side, it has significantly reduced the amount of manual effort required by everyone involved.

Cisco ISE effectively secures our infrastructure from end to end, enabling us to detect and remediate threats. It does a commendable job of securing both end users and their devices, including guest-wired devices for anonymous access. Its ability to compartmentalize everything makes it incredibly convenient, and the comprehensive tracking features are particularly valuable.

Cisco ISE has helped to free up our IT staff's time by saving approximately 40 hours per month, as we are constantly uploading new devices. 

Cisco ISE has helped our organization improve its cybersecurity resilience by authenticating users. It ensures that only certain MAC addresses can be on our network, particularly on our production wireless network. Additionally, it keeps track of authentication frequency and alerts us if clients authenticate too often, allowing us to optimize CPU cycles.

The live logs and live sessions for troubleshooting are the most valuable features because they provide a detailed report of any issues. I appreciate that they guide us through every step that a user or authenticator goes through.

Cisco ISE can become quite complex, especially with policy sets, the entire authentication process, and everything involved. I would appreciate a more comprehensive visual depiction of the steps from the beginning to the end.

I have been using Cisco ISE for five years.

We have never experienced any stability issues with Cisco ISE.

We can scale Cisco ISE by adding additional licenses or servers.

Cisco technical support is excellent. They respond promptly, and their thoroughness is remarkable. For instance, we can send them numerous logs, and they will analyze them in detail for us.

Positive

We have seen a return on investment around the soft cost, with how streamlined everything is, how we don't have to really worry about wrong devices getting on our production Wi-Fi.

I give Cisco ISE a ten out of ten.

Cisco ISE is a great tool. It integrates well with Active Directory and numerous other components. The solution has become a fundamental part of our network and I recommend Cisco ISE to others who are looking to improve their cybersecurity.

Right now, we are doing all wireless through ISE. We have also started migrating to wired.

We have about 20 sites. By having enough node regionalization, we have been able to have all our sites utilizing it.

It is deployed to multiple locations. We have one in Mexico, one in Kelso, two in Asia, and then two in the US.

It improved our standardization with all its policy sets being the same. 

Since migrating towards doing wired ports over ISE with 802.1X and MAB authentication, our organization's security risk has been better. We have been able to establish better layouts, so devices can move and we don't have to worry about where they need to go.

The Guest Portal is a big feature for us. 

It does a good job of establishing trust for every access request. We have had a little bit of a challenge with profiling, but we are probably about 80% there.

I have been using it for five years.

The stability is fairly good. Since we went to the 2.6 version, it has been a lot better.

Scalability is good as far as adding another node. However, if you ever wanted to increase the node that you have, then you need to buy a bigger license. You also have to build a new VM for it because you can't just scale it.

I had one problem with the portal. I got support from TAC and it worked out really well. It was really good. I would rate the support as 10 out of 10.

Positive

We did not previously use another solution.

We were looking to solve the challenge where people were moving devices that they were not supposed to.

The initial deployment was straightforward and took a couple of months. It was actually a project for a customer, then the customer backed out. So, we spent a good year without using it for anything.

The initial deployment was for a customer in Asia, so we had to deploy it in our Asia data center. We then deployed it in our US data center to kind of match that configuration.

We did use a consultant from Presidio for our first deployment project. Since then, we have been doing deployments ourselves.

Two people were needed for the deployment: the consultant and myself.

There is probably a return on investment as far as increased time for people not having to worry about devices moving around nor having to be contacted about moving them to the appropriate spot.

Its licensing could be improved. It used to be perpetual, but now they are moving away from that.

Make sure you understand where you want to deploy nodes and how far away they are from other locations since there is some latency involved.

We don't do any sort of application-based stuff right now. It is just purely assigning devices to what VLAN they are supposed to go to.

We are looking to upgrade to a newer version. Hopefully, by seeing some of the stuff at Cisco's event, I can find some more features that we could use.

I would rate the solution as eight out of 10.

We use Cisco ISE to set different policies for various profiles. For example, someone on their own device has a different set of policies and postures than a person on a company machine. 

Currently, we are using Cisco's dictionary for both device and user authentication. When I say "device authentication," I mean we authenticate users who access network devices. 

We consider the running policy when users want to access a data center server. The user is forwarded to the ISE servers to be authenticated, and they're given a password defined on the ISE for them according to the policy.

We have two virtual servers with different rules. For example, one is used to authenticate and audit, and the other to authorize and authenticate. And since most of our centers don't support full ISE integration, we use only some features. That means not all our users are not authenticated via the ISE.

It's easy to change and add policies.

Some of ISE's features need to be more agile. For example, we couldn't integrate our data because Cisco needs your data to be in its own format.

We implemented Cisco ISE about a year ago.

We have capacity limitations with retail, and we aren't integrating ISE for all the users. We have about 2,000 end-users that need to be integrated, and we added the entire thing to about 1,000 devices.

I rate Cisco support eight out of 10. We initially had difficulty integrating ISE with another solution we use from Huawei. We deleted the existing profiles defined on ISE and lost our definitions and profile features that were there before. We ordered the platform through these resellers, but they haven't been helpful, so we get more support from Cisco. They are very good.

Positive

Setting up this solution wasn't that difficult for me because I was involved with all of these projects. We implemented everything last year and deployed a portion of the modules integrated into our environment. It wasn't that difficult to install and apply to get these permissions.

A contractor came to help us deploy everything as part of the bank's data center solution. Since then, I have installed one of the components that we deployed at the time. It was a local tech company that got the platform given to them. That's how they got everything implemented with it together.

The return on investment depends on how you utilize the solution. We haven't utilized it well thus far, so I would rate it four or six out of 10.

There is a limit on the number of nodules supported. The number of users per license is limited to around 2,000, so the license price should be adjusted to take these limitations into account or we should be allowed to add more users to the same devices.

We use ISE because most of our networking devices are from Cisco, including the VIRL lab. I have to compare other vendors, but I don't think the cost difference is so much that I would switch solutions. 

I rate Cisco ISE eight out of 10. It works fine in our experience.