Network Engineer at Lawrence Livermore National Laboratory
We have control and visibility, which is a big deal, but adding new devices is a bit cumbersome
Pros and Cons
- "Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key."
- "Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out."
What is our primary use case?
We're just using it for authentication to our network switches.
How has it helped my organization?
We have more visibility and control with the tool. It has helped us improve our cybersecurity resilience.
The authentication piece was a big deal, especially because we're able to roll it out so quickly. Once we start using it to its full potential by using NAC, we can automate a lot of things that we're doing manually. MAC lockdown is one of the big things we have an issue with because I work on the classified network, so we're locking down every end device. It takes up a lot of time. That's one of the biggest things that we're rolling out. I'm not sure what other features we're going to use out of it, but I know that once we get started on it, we'll be a lot more involved with the things that we're going to roll out.
It's really easy in terms of the authentication piece. It's a big help. We have other parts of the network that are not using any authentication at all, which is scary. We have so many separate companies, and I'm hoping that we can start using this for those networks as well.
It has saved us time. We have control on our side, and we're able to add new devices as we deploy them for new buildings and things like that. We're able to give different types of access that our users need to have, which is nice. It has been huge, and then once we start deploying NAC or something like that, that's going to be a game changer for us because that'll free up a lot of time for us. It probably saves at least ten hours a week because especially right now, we're in the phase where we're getting so many new buildings. We're not only turning up new buildings; there are also all the users. So, for every single device, you have to do a MAC lockdown. Sometimes we get spreadsheets listing a ton of PCs that we have to lock down. That just takes forever, especially if you get it wrong or someone has fat fingers and things like that. It'll hopefully eliminate a lot of that too. We won't have the back and forth with other groups for that.
It has helped consolidate tools. We don't have to go outside our own group for the authentication piece. That control is a big deal. On top of that, once we start integrating NAC and other things, it's going to eliminate a lot of manual work.
What is most valuable?
Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key.
What needs improvement?
Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out. It was a little more cumbersome than I thought.
Buyer's Guide
Cisco Identity Services Engine (ISE)
July 2025

Learn what your peers think about Cisco Identity Services Engine (ISE). Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
860,711 professionals have used our research since 2012.
For how long have I used the solution?
I've been using Cisco ISE for about a year.
How are customer service and support?
For the times that I have interacted with them, they've been pretty good, but I've heard of other stories. Overall, I'd rate them an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using regular TACACS, RSA, etc. I can't remember what they were using on their side because it was more of the infrastructure team that was using this. We would just basically go to them and give them requests. Having control through Cisco ISE is much better.
The reasons for going for Cisco ISE were having that control and having a relationship with Cisco. All of our gear is Cisco. It just made it easier and more compatible. I know there are a lot of other tools that we can take advantage of such as NAC and things like that. We're hoping to do that in the future.
How was the initial setup?
As far as I know, it was fairly easy. We didn't have a lot of problems with it. One of our other guys deployed it. I wasn't with him, but I didn't hear that there were a lot of problems with it, so it was fairly easy. The same guy had deployed it on the unclassified networks, so he had experience with it.
What other advice do I have?
Overall, I'd rate Cisco ISE a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Network Manager at a healthcare company with 10,001+ employees
Helps us determine real users on our network, protects our environment 100%, and has excellent support
Pros and Cons
- "Cisco ISE is a powerful solution. It gives us the ability to control who's accessing our network, and Cisco has made it very easy."
- "Some of the reporting could be improved."
What is our primary use case?
We use it for network access control. For security reasons, if a vendor plugs into our network, the port is automatically shut down because it's not authenticated to our network.
How has it helped my organization?
Cisco ISE is a great solution. It helped us determine real users on our network. It's very useful.
From a security standpoint, Cisco ISE has improved our organization 100%. We're not guessing who is plugging into our network. It 100% protects our environment and infrastructure from end to end.
Cisco ISE has saved our IT staff time to help work on other projects, but I don't have the metrics.
Cisco ISE has absolutely improved our cybersecurity resilience. Specifically, the 802.11 authentication for wireless has been huge.
Cisco ISE hasn't helped to consolidate any tools or applications.
What is most valuable?
Cisco ISE is a powerful solution. It gives us the ability to control who's accessing our network, and Cisco has made it very easy.
What needs improvement?
Some of the reporting could be improved.
For how long have I used the solution?
We've been using it for about ten years.
What do I think about the stability of the solution?
It's stable. We never had any issues.
How are customer service and support?
I love it. They know their stuff. Almost in one call, you get the right person. They're very good. I'd rate them a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We didn't use any other solution previously.
How was the initial setup?
You have to have a plan. You have to be prepared to roll it out. You need to think through what you want to configure.
It took us about three and a half months to get every angle we were after, and after that, it was a very slow rollout. We rolled it out in about eight months. It was easy.
What about the implementation team?
We did it all in-house, but we did have consultants from Cisco come in and help us tweak it.
What's my experience with pricing, setup cost, and licensing?
Pricing and licensing are not my expertise. As far as budgeting is concerned, we run an ELA with Cisco. It's a part of our ELA.
Which other solutions did I evaluate?
We didn't evaluate other products. We went straight to Cisco because you can't go wrong with their technology. They're a leader in this space, and they've got a good, robust solution, so we rolled it out.
It integrates seamlessly with other Cisco products that we have. I use Cisco Meraki for all my edge cases. We never considered switching to another vendor.
What other advice do I have?
It's a great product. I'd rate Cisco ISE a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Architect at a tech vendor with 10,001+ employees
Scans all the programs on the workstations, enforces data loss prevention and security
Pros and Cons
- "The most valuable feature is AnyConnect Posture because it scans all the programs on the workstation and checks if the antivirus is up to date, as well as the cryptographic keys on our SSD."
- "Cisco ISE has numerous features that are impractical, and I won't utilize them since they require payment."
What is our primary use case?
We utilize Cisco ISE for authentication by employing the AnyConnect Posture model to address vulnerabilities on the workstations. Additionally, we make use of TACACS.
How has it helped my organization?
It is a mature solution and it grows with our needs.
Cisco ISE has helped consolidate DNA Center.
Cisco ISE helps our cybersecurity resilience by enforcing security over the workstations.
What is most valuable?
The most valuable feature is AnyConnect Posture because it scans all the programs on the workstation and checks if the antivirus is up to date, as well as the cryptographic keys on our SSD. It also enforces data loss prevention on our workstation, which is usually the main vulnerability for network entry.
What needs improvement?
Cisco ISE has numerous features that are impractical, and I won't utilize them since they require payment.
For how long have I used the solution?
I have been using Cisco ISE for around four years.
What do I think about the stability of the solution?
We encountered a few bugs that were resolved using the SMUs. However, when the solution is built properly, there are no performance issues.
What do I think about the scalability of the solution?
We can scale Cisco ISE up using VMs.
How are customer service and support?
The technical support is excellent, and we rely on their services frequently.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used Cisco ACS but transitioned to Cisco ISE because it reached its end-of-life status, and we needed to progress.
What was our ROI?
We have observed a return on investment from the tasks performed by Cisco ISE for our organization.
What's my experience with pricing, setup cost, and licensing?
Cisco ISE is not inexpensive, but the solution is well-built and worth the expense.
Which other solutions did I evaluate?
We evaluated Aruba ClearPass but ultimately chose Cisco ISE due to budgetary constraints. We were able to secure a favorable discount with Cisco.
What other advice do I have?
I would rate Cisco ISE a nine out of ten. Despite the fact that the solution offers numerous features, it is challenging to use.
We do not rely solely on Cisco ISE to secure our infrastructure from end to end. Instead, we utilize various tools such as McAfee, DLP, and Endpoint Security. Additionally, we have the Domain client to check for any breaches. On our Internet edges, we perform SSL offload to enhance the performance of security projects like WAF and IPS, as well as conduct full packet scans. Furthermore, we have NGFW and NG Networks in place.
Cisco ISE is an important component in protecting our environment because it enforces security against the main point of vulnerability, which is accessing workstations. Ransomware infiltrates a network through workstations. The policies implemented are based on the posture model, ensuring that we use the necessary products on our network to mitigate such risks.
I was not involved in the initial setup, but testing the implementation of a new feature is always challenging. We need to allocate time to test it with the security team and the network team. Additionally, we need to create a separate environment to gain a better understanding of how we can improve the performance of the solution within our network.
For organizations that do not have the funds to purchase Cisco ISE, there are good open-source solutions available. These include TACACS servers, OpenLDAP, and FreeRADIUS. However, Cisco ISE is an excellent tool for enhancing all the existing tools within an organization.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Network Officer at a financial services firm with 1,001-5,000 employees
An easy-to-use solution that integrates well with other external identity servers
Pros and Cons
- "Cisco ISE's integration with other external identity servers like Duende is very simple and easy."
- "Cisco ISE's performance could be better, faster, and more robust."
What is our primary use case?
I use Cisco ISE for VPN and authentication.
What is most valuable?
Cisco ISE is a good and easy-to-use solution. We had a smooth experience with it, and we didn't face any issues. We upgraded the solution two years ago, and that version also worked fine.
Cisco ISE's integration with other external identity servers like Duende is very simple and easy.
What needs improvement?
Cisco ISE's performance could be better, faster, and more robust. Sometimes it takes some time to move through the tabs and configure something.
For how long have I used the solution?
I have been using Cisco ISE for three and a half years.
What do I think about the stability of the solution?
Cisco ISE is a stable solution. We haven't faced any major issues with the product.
What do I think about the scalability of the solution?
Cisco ISE is a scalable solution. Our environment has a cluster distributed across three countries and seven nodes. It would be very easy to add another node or remote site.
How are customer service and support?
In some areas, Cisco ISE's technical support is good. However, we had an issue with integrating Cisco ISE with DNS. So we opened a case, which escalated, and we had it for almost two years. Cisco escalated our case after hearing about our integration problem, and the issue was solved eventually.
In normal support cases, like if you are facing a bug, you will have very quick input from Cisco ISE's technical support. It is easy to find the issues in some areas, but in some cases, you might have to go along a troubleshooting path to find the issue. I used to work for Cisco tech wireless team. In some deployments, you have a complicated environment and must understand and solve the issue. Sometimes, it might take a long time to solve or find an issue, while it would be easy in other cases. It depends on the complexity of the environment.
How would you rate customer service and support?
Positive
How was the initial setup?
Cisco ISE was already deployed when I joined my company, but I was present when it was upgraded. The upgrading process wasn't very easy, but we didn't face many issues. When we upgraded our Cisco ISE, it was running on the 2.3 version. We upgraded it to 2.7, and we had some issues at that time. We upgraded directly to 2.7 patch 2, and most problems were solved.
What other advice do I have?
My main focus is on the .1X access. We have another security team whose focus is on VPN access. I use Cisco ISE for TechX authentication and .1X authentication.
Cisco ISE saves us time. If you deploy any security features using Cisco ISE, you don't have other options not to automate it. Part of our Cisco ISE is integrated with the Cisco DNS center. The Cisco DNS center saves time in terms of configuration, integration, upgrading, and adding other switches to the fabric. You can deploy the features in Cisco ISE using manual techniques.
Cisco ISE was already deployed in my organization when I joined. However, I know that Cisco ISE replaced ACS.
I work in the banking industry. Our main concern is securing our network from either remote or on-site access. When you get physical access to the site and connect your device, you might risk the security of the network on purpose or unknowingly. Deploying Cisco ISE has helped improve the security of our organization.
Overall, I rate Cisco ISE a nine out of ten because I have a very good experience with the solution and hear the same from other vendors.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Engineering Lead at Canadian Broadcasting Corporation
Integrates well with other tools, but troubleshooting can be a challenge
Pros and Cons
- "Cisco ISE integrates with everything else."
- "Troubleshooting and multi-ISE can be challenging with the solution."
What is our primary use case?
Cisco ISE is on the back end, and all our policies and security are on it. DNS centers and all our network backbone is integrated into Cisco ISE. So, the solution is pretty critical for us.
How has it helped my organization?
Cisco ISE has helped improve our organization security-wise.
What is most valuable?
Cisco ISE integrates with everything else. It forms our security and identity backbone, and all our authentication goes through Cisco ISE. That's why the solution is so important to us.
What needs improvement?
Troubleshooting and multi-ISE can be challenging with the solution.
For how long have I used the solution?
My organization has been using Cisco ISE since 2018.
What do I think about the stability of the solution?
Once configured properly, Cisco ISE shows good stability.
How are customer service and support?
Cisco's TAC is good. Cisco support, in general, is too layered these days. Often we have to repeat the same thing over and over to the TAC guys, which is a bit frustrating. Cisco's TAC needs to be a bit better.
How would you rate customer service and support?
Neutral
What about the implementation team?
Cisco ISE's deployment can take weeks, months, or years depending on how rigidly you adhere to the guidelines and how good your existing infrastructure is.
What was our ROI?
We have seen a return on investment with Cisco ISE from a security point of view.
What's my experience with pricing, setup cost, and licensing?
Cisco ISE's licensing can get pricey.
What other advice do I have?
Sometimes, the Cisco guys disagree about it, but other than that, the Cisco guidelines are clear and concise enough.
Cisco ISE helps to secure our infrastructure from end to end so we can detect and remediate threats. The solution does what it's supposed to do.
Cisco ISE has saved a little time for our organization.
Since Cisco ISE is a more robust solution, it has helped our organization improve its cybersecurity resilience.
Before implementing Cisco ISE, you should look into it in-depth on how it can be used, how it can be integrated with existing tools, and how your staff can be trained to troubleshoot it. The solution has its pitfalls, and when it breaks, it can break heavily. So be aware before you deploy it.
Overall, I rate Cisco ISE a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Technical Lead at an energy/utilities company with 10,001+ employees
Good pricing, easy to give role-based access, and easy to manage
Pros and Cons
- "For me, the TACACS feature is the most valuable. I have also used Cisco ISE with LDAP, not with Active Directory. That works for me because I prefer LDAP versus Active Directory."
- "The templates could be better. When you have to do certs, especially with X.500 certs, it isn't very intuitive."
What is our primary use case?
The company's use case for Cisco ISE is switch access. I'm from the high-performance compute side. I'm not the back office IT. I'm what they call GSIT. Their use cases are different but very similar.
How has it helped my organization?
On our side, Cisco ISE has improved cybersecurity resilience. The company uses it for global WAN and other things. We haven't had any issues.
What is most valuable?
For me, the TACACS feature is the most valuable. I have also used Cisco ISE with LDAP, not with Active Directory. That works for me because I prefer LDAP versus Active Directory.
What needs improvement?
The templates could be better. When you have to do certs, especially with X.500 certs, it isn't very intuitive.
For how long have I used the solution?
I've been using Cisco ISE since 2011.
What do I think about the stability of the solution?
After I set it and forget it, upgrading Cisco ISE is the only thing to do.
What do I think about the scalability of the solution?
I've never had a problem with Cisco. Cisco has always scaled well, so it's pretty good.
How are customer service and support?
Initially, it wasn't good, but once I found the right TAC person, it was fine. I had to probably get level three or above, and then I had to get a software developer because the certs didn't initially work properly to give you a special code. I'd rate their support a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used OpenRADIUS before. That was open source. I switched because I'm the support for everything. It was easy to support with Cisco ISE.
Role-based access is easy to do with Cisco ISE versus OpenRADIUS. That's because OpenRADIUS is something you have to manage yourself. You have to manage the certs and other things. You have to define the roles yourself for special read access and for certain groups and multi-groups.
The only thing I didn't like at the beginning was that Cisco ISE was limited to how many groups you could use. That problem has been fixed. I haven't run into that problem.
How was the initial setup?
The initial setup was complex. The main part was the certs, especially the X.500 certs with LDAP. Azure Directory is a little bit smoother, but I prefer LDAP.
It's deployed for internal switch access. It's purely for switch access and role-based access.
What about the implementation team?
I deployed it myself.
What was our ROI?
We've seen an ROI.
What's my experience with pricing, setup cost, and licensing?
I get very good pricing from Cisco, so I don't have a problem with that. I also don't have a problem with licensing because we get enterprise or global licensing.
What other advice do I have?
It hasn't helped to free up our IT staff. Our IT staff is already very limited anyway. We've always worked smart and don't work where we don't have to work. For example, in 2019, we were more than 60. There are 14 of us now, and we still do the same amount of work. Cisco ISE hasn't contributed to less workload. We do it with automation. We have a lot of Linux, so we do automation on all of our stuff.
Overall, I'd rate Cisco ISE an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Network Engineer at a hospitality company with 10,001+ employees
Video Review
Helped us get away from pre-shared keys, and allows us to see what's connected to the network
Pros and Cons
- "[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting MAC addresses."
- "Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved..."
What is our primary use case?
One of our use cases is using it for authentication for the wireless. Our internal corporate network is using the Cisco ISE server to authenticate clients and make sure that we have the right clients on the wireless side, as well as on the wired side. We just introduced that about a year ago to make sure all our wired clients are our clients and not some "rando" plugging into the network.
How has it helped my organization?
Definitely, getting away from pre-shared keys has been the biggest key. It is allowing users to connect to the internal network, the employee's network, from anywhere, across the entire US. It is allowing that ease of use.
It's also allowing us to see what's connected to the network. We can see that there are only really clients. We can see what's connected on the wired side and what's getting blocked, and understand [things] from our users. "Okay, that's getting plugged in. What do you guys use this for?" It's adding a layer of defense that's super important to our organization.
I don't think we've gotten away from trust completely, but it has helped a lot. It's allowed, on the server side and on the infrastructure side, to allow certain clients. We don't have to trust the client necessarily. We know that that's a corporate client and we don't have to play any guessing games. The corporate client that we want on that specific network is going to have the right cert and the right thing. It allows access control without a lot of human involvement.
It's helped significantly. We have fewer IoT devices on internal networks and that's the key. Your clients have the right firewall protections and the right anti-virus. Those are on the internal network so you're not putting stuff [on it] that you don't know whether it has a security vulnerability or if it's easily hacked. You're allowing those to be in separated networks that silo them off with a PSK. And you're keeping the internal network to clients that you know are protected.
What is most valuable?
[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting MAC addresses.
It also integrates really well with some of our other services like ServiceNow. A ticket comes in and then, boom, it's automatically going to the ISE, and then ISE is allowing that client with that MAC address to get on the network easily.
[In addition, regarding establishing trust for every access request, no matter where it comes from] it does the job. It's a perfect solution in order to manage a large corporate network.
It allows that access control [for a distributed network]. That's super significant. It allows you to segment things and allows only certain devices to access the network.
What needs improvement?
Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved, as we get more and more away from a lot of human involvement and [into] machine learning and just trusting that these systems could automatically help us.
For how long have I used the solution?
My name is Edward Martinez. Network engineer. Our company has about 5,000 employees, and we're in the beverage industry.
[I've been using Cisco ISE (Identity Services Engine)] ever since I started. That was one of the main services that I had to understand and get involved with as soon as I started at our company.
What do I think about the stability of the solution?
I haven't had many issues in terms of its stability. It doesn't really ever go down. Anytime we ever have any issues with it, it's usually human error.
How are customer service and support?
In the past, I've always had pretty good support from Cisco. Their TAC is really good. They're pretty straightforward. I haven't had many experiences with ISE, honestly. It works so well we haven't had to reach out too much.
I would rate their support about a nine out of 10. It works most of the time. It depends on the engineer you run into. It depends on the people you deal with.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
[The main challenge] was authentication and not using PSK, traditional pre-shared keys. They wanted to get away from pre-shared keys; people share them. They wanted something that would allow clients to just connect automatically, not have a pre-shared key, and be secure. That's the most important part, making sure that the right clients are getting on our internal corporate network.
[Our company] was just using PSK and that solution was really built around access control of our corporate networks. They were using PSKs at every site and rotating those PSKs, or had site-specific PSKs. Now, when somebody comes into the office, they can just connect to the employees' network automatically, and it's the same across the board at every site.
It was this idea that we needed to simplify things. We needed to make it easier on our users to go into an office and connect to the internet and not have to ask an IT guy there or make a ticket. That was the important part.
How was the initial setup?
I've just been involved with the secondary deployment, using the ISE on our wired ports.
It was pretty straightforward. It was funny. We did it during COVID so it was really easy when nobody was in the office to implement the solution. It kind of worked out that way, when there was nobody in the office.
But otherwise, people have started to come back and we haven't had really many issues in terms of authentication. It's really easy. People have wired in and if their client has the right cert, it's been a breeze. They've been authenticated and it takes a minimal amount of time.
What about the implementation team?
We have an operations partner that we deal with pretty often. It's an Austrian company, NTS. They work with Cisco a lot on our solutions and, obviously, we're evaluating it with them and then making choices based off of that. I'm the onsite hands. I do a lot of the configuration on the switches, but they're doing a lot of the advising.
What was our ROI?
You're seeing fewer tickets and you have fewer security issues. I think the return on investment is there. It has really improved our situation in our corporate offices.
What other advice do I have?
Resilience is super important. The solution needs to be able to hold up and promise what it [intends] to deliver. In cyber security, that's super important because if you have any slight exploit, you're going to have malware attacks, ransomware attacks. That's [a] big [issue] in our company as, more and more, you hear about legacy systems being affected. These legacy systems sometimes don't go away. Sometimes you need them. You have to do your best to either patch them up or protect them either through a firewall or an access control system.
[It's about] protecting the network infrastructure from exploits and really allowing us to segment IoT devices and the corporate network. And because [on] the corporate network, once you get into it, there really isn't anything protecting against accessing critical storage systems, accessing mission-critical servers, [or] our sales numbers, it's super important that we have the ISE so that we're only allowing the things that we want into the network that we trust.
[What I would tell leaders who want to build more resilience within their organization would be] evaluate solutions, prioritize it, get manpower behind it. Also, too often they put cyber security on the back burner. They're trying to maintain operations and sometimes cyber security can get in the way of operations. But trust that system, once you build it up, will protect you and that it's worth the investment in terms of money, labor, and time.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Security Engineer at Kooperativa pojistovna, a.s., Vienna Insurance Group
Video Review
SGTs enable us to leverage security based on those tags and integrate with other SG firewalls
Pros and Cons
- "The most valuable thing in ISE is the adoption of EAP-TEAP that came in [version] 2.7, so we can do authentication based on user and machine certificates in one authentication."
- "Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them."
What is our primary use case?
We are using it mainly for .1X authentication, and we also authenticate our VPN users, and we are doing some light profiling and posture.
We're trying to solve the problem where different users have different privileges in the network. And also we're trying to block some access from our least privileged users. Those are the main use cases for us.
We have on-prem virtual appliances and a distributed model.
How has it helped my organization?
It has improved our organization very much because we're now adopting the SGTs, Security Group Tags, and we're leveraging security based on those tags on our core systems and integrating with other SG firewalls.
We have a pretty distributed network and we have only one ISE deployment and it's been really good so far for managing all of those sites.
What is most valuable?
The most valuable thing in ISE is the adoption of EAP-TEAP that came in [version] 2.7, so we can do authentication based on user and machine certificates in one authentication.
[Regarding establishing trust for every access request] it's been pretty good so far. We've been authenticating all of our users, no matter where they're coming from. If it's from our VPNs, or if it's wireless access, we are all Cisco, so the integrations are pretty good. It's very important [that the solution considers all resources to be external]. Right now, with the challenges that the multi-cloud environment poses, you have to have a solution like this.
What needs improvement?
[When it comes to securing access to your applications we are] not [using it] so much. I'll have another session with a TAC engineer on Friday, and I will have to discuss some basic concepts of securing the application with ISE. I find it very challenging to do some micro segmentation with it. I'm staying on top of it and doing it macro, but I want to go micro, and it's something I need to discuss more with an engineer.
Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them. This is a problem in ISE. This could be much simpler.
For how long have I used the solution?
I wasn't involved in the process of choosing this particular technology. The colleagues that made the decision made it seven or eight years ago. They were using ISE for a long time. I've been in the company for four years now so I came into an already deployed solution. But it wasn't so good, so we had to migrate from physical appliances to virtual ones because they were end-of-life and end-of-support.
What do I think about the stability of the solution?
Sometimes, they push an update that breaks the whole deployment. It happened to me with update two. It was my fault. I updated right after it came out, and I won't ever do that again. I will wait at least a month or two or three, because the update was taken down a week later.
I was lucky enough because I had updated from update one to update two. So it didn't really break the whole deployment, just parts of it. But they fixed it in a week with update three, so I was able to put it back together. Roll back is also always an option.
What do I think about the scalability of the solution?
Scalability is really good. The number of possible nodes in deployment is high. I don't know the exact number, but it's really high. Scalability is not a problem.
How are customer service and support?
I have had some problems lately with the TAC engineers being unable to investigate the logs that I gave [them]. They always ask for more, but there is not much you can do on ISE. When you give out all the debugs from the nodes, then there is nothing else to do.
It's been a bit of a ping pong with the TAC engineers. Sometimes I have four to five TAC cases open, specifically on ISE. Most of the problems I have are with the integrations of other companies' firewalls.
This year I would give them a six [out of 10]. Before, I would say eight.
How would you rate customer service and support?
Neutral
How was the initial setup?
I have had to find my own way to do the new deployment. It wasn't that there was some documentation about how to migrate. There is none of this stuff on Cisco's site. You have to search Reddit and multiple forums to assess what you can do with the deployment. I basically built it from scratch.
What was our ROI?
We are more secure thanks to ISE. That's always a return on investment.
What other advice do I have?
[When it comes to eliminating trust from our organization's network architecture] I'd say, no, ISE hasn't done that. It's been a challenge to implement this. We're trying to bridge the gap between the security guys and network guys. They're not the same teams. Sometimes the security guys also do networking, but it can be hard to cooperate on projects like this. This is a big project. ISE is a pretty big solution and security guys are sometimes lost in what's going on in the network, like equipment where you have to configure things.
It's pretty much the most resilient solution as of now.
I like this solution a lot. I would say it's a nine out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Updated: July 2025