Cisco Identity Services Engine (ISE) Reviews

Cisco Identity Service Engine (ISE) is used mostly for endpoints. If you want to know the profiling and what endpoints are connecting to your company, then ISE is a good solution because it has built-in signatures. Therefore, it knows what kinds of devices are getting added into the network.

You can install it with any cloud provider, e.g., AWS or Azure.

You can install ISE locally. If your site is critical, like in manufacturing, you need to make sure that ISE is a part of the local site. Usually, people install data centers, but you can also install at critical sites.

One of the advantages is that you can easily find rogue endpoints. For example, if you don't want to allow any endpoints where you don't know the people plugging into what kind of devices, ISE can give you a big, clear picture, e.g., what kind of endpoints are getting connected to your network. That is one of the advantages.

From our company perspective, or any company perspective, you need to be PCI compliant and follow HIPAA laws. Therefore, ISE is really instrumental from a cybersecurity perspective. You need to comply if you are PCI compliant and utilizing credit card transactions. ISE can help you become compliant from that perspective.

There is a new trend: a zero-trust kind of architecture. If a company really wants to improve their security, ISE can upscale the security in their network by creating an access policy. This ensures that if the device is not allowed to access something then ISE won't let that device access that resource. This is mostly for segmentation security.

Cisco could improve the GUIs on their hardware.

I have been using Cisco ISE for about seven or eight years.

The stability is good.

You can scale your ISE. You can use ISE for a company of any size: for a small company, a mid-size company, or a large company. ISE can be installed in a cluster-distributed environment. Thus, there is a lot of scalability and resiliency when using ISE.

I would rate the scalability as eight or nine out of 10.

Cisco support is awesome. I would rate them as eight or nine out of 10.

We did not previously use another solution.

Initially, it is always challenging. Once you get the gist of the deployment, it becomes normal and straightforward afterwards.

Definitely make sure you install ISE in a distributed fashion. Make sure there is a lot of high availability. Otherwise, if your ISE goes down, then you won't be able to authenticate your endpoint. It is better to install ISE in a high availability solution.

We have definitely seen ROI as we are getting compliant. When you are compliant, you get fewer fines from PCI and those types of organizations. 

It is not that pricey.

We have Zscaler, but it is not operating in the same zone as ISE.

Use ISE if you want to build more resilience within your organization.

I would rate the solution as eight or nine out of 10.

We use it for wired .1x, wireless authentication, VPN, and multi-factor authentication. We wanted to have a consistent experience for authentication and authorization of endpoints across the network, as well as security.

As a water utility organization, we're considered critical infrastructure by the feds. Everyone needs water. So it's important for us to protect our industrial control systems, our SCADA systems. ISE helps us do that by segmenting them off from the rest of the network.

And by eliminating trust, it helps us with audits, including CJIS because we have a law enforcement division, and trying to conform to the NIST standards. A lot of government agencies are becoming more familiar with the Zero Trust model and ISE makes our audits go a lot faster and a lot smoother than they used to.

The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket.

In addition, ISE really adopts and is strong in the Zero Trust model where we consider everybody a foreign endpoint until they prove they belong on the network. ISE just seems to be built from the ground up to do that, whereas with other solutions, you have to "shoehorn" that in.

I also rate it pretty highly for securing access to our applications and network. If you have the good fortune of being a total Cisco shop, you can utilize SGTs, end to end, across the network. It can be a little tricky to get working, but once it does, it creates quite a consistent experience for any endpoint, even if it moves anywhere in the network.

I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself.

I've been using Cisco ISE (Identity Services Engine) for 10 years.

Now, the stability is pretty good. I've been working on it since the product launched and it was a bit sketchy. Its current state is really good right now.

The only thing we have run into was a bug when we ran virtual appliances, but that turned out to be an issue with our storage networking QoS policies. That wasn't really an ISE problem, it was more of a storage problem.

In terms of supporting a distributed network, it's pretty powerful. You can stand it up and cluster it and it scales out pretty well. You can put nodes wherever you want to service authentication requests. We're able to scale up or out and we can choose how and when we do that with either virtual or physical machines, meaning it's very flexible. 

It scales quite well. One of the things that Cisco is good at is keeping things pretty simple when you want to scale it. If you want to scale up, you get stronger admin and monitoring nodes. If you want to scale out, you get more policy service nodes. It's quite easy to stand them up, really anywhere, if you use virtuals.

We use it around our Fort Worth campus, which has about half a dozen buildings. By the end of the summer, we'll have it deployed to all of the rest of our five campuses. We have about 30 remote locations across 12 counties in North Texas and they're all using ISE. It works out pretty well.

We have it on-prem right now, but we are moving to a hybrid cloud platform on Azure for a lot of our applications, so we're starting to do proofs of concept with ISE in Azure.

TAC is pretty good. I would definitely suggest getting their solution support, which provides higher maintenance. That way, when you do get someone, you get someone who knows what they're doing. If you get the higher level of support, you get some really smart people who can fix things pretty quickly.

Positive

We used to use Aruba ClearPass. It was somewhat clunky to use and it didn't integrate well with third-party platforms. If you used Aruba, it worked great. If you didn't use Aruba, and were pointing things at ClearPass, it had some issues. We found that ISE typically handled things a little bit better. We could point anything at ISE and take care of it.

The initial deployment was pretty straightforward. It's very simple to just turn the box on and plug into it. You go through a couple of settings and then you can log in to the GUI and pull in all the other nodes that you want.

After the gear came in, it took us about a day to deploy it. I started by implementing it at the local campus. That way, if I broke anything, I could just walk down the hall and not have to drive anywhere.

I stood up the first cluster, and then it was another engineer and me who worked on deploying it out to all the buildings. We started out in monitor mode, to see what it would do if we had turned it on. Once we had remediated anything that looked like it was authenticating incorrectly on the wired network, we went to closed mode and that's where we are now.

Return on investment falls in line with the business vision of securing our resources and protecting them against cyber attacks and nation-state attacks. It's hard to put a monetary value on clean water.

Licensing is a disaster. It's a mess and I hope they fix it soon.

In addition to ClearPass, we looked at Forescout. At the time we looked at Forescout, it was more of an inline product and we weren't looking to add more infrastructure between parts of the network to try to do inline authentications. It seemed easier to do it on the switch ports and have them talk to ISE.

It's a very strong platform, especially now that we're on version 3.1. It's definitely my go-to. I would recommend it over any other NAC platform.

It requires a lot of technical knowledge to actually get it off the ground and running. It's not quite as intuitive as it could be, but it's still a solid platform.

We use ISE primarily for RADIUS authentications on our wireless networks and VLAN segmentation for those users.

ISE makes things easier because we all work on one system and we all have the same views, so one person is not looking at a different system. We can all look at the same system and say, "Okay, go to this link." Also, you can integrate it with DNAC (Cisco DNA Center), which is something I am very into. It helps us troubleshoot from the client all the way down to the packet. DNAC can tell us, within ISE, when they're integrated, "This is the issue they're having," and we can report back.

It's great across a distributed network for securing access to all our apps and the network. We don't have to worry about which system is going through which access layer or which security system. We can just put everything into ISE. We don't have to separate the switches from the routers to the wireless. It's all just "one-stop, go." It used to be that our switches were in a separate system for authentication routers and the wireless was all on EAP. It was confusing. ISE consolidated all that.

For my use cases, the in-depth troubleshooting into why a client can't connect or why they failed, is very valuable. I can go back to someone and say, "Hey, it's not my network. It's their certificates or user error," or something else. For my coworkers the VLAN segmentation means a client got in, it dropped them into this VLAN, and that's where they belong. They can't get out. It makes things more efficient.

Also, the fact that ISE considers all resources to be external is very important. We use ISE in our retail environments for our payment sleds. We want our payment system to be secure. Zero Trust is our whole thing. It's great that everything is external to ISE and then everything has to go through the system.

The opinion of my coworkers, and it's mine as well, is that the user interface could use some tender loving care. It seems counterintuitive sometimes. If you go to the logs, it's hard to figure out which one you need to look at. My ISE admin probably has different ideas, but for us, that's the main complaint.

I've been using Cisco ISE (Identity Services Engine) for about 15 years.

Uptime is great. I don't have a complaint with ISE with uptime. It's been a rockstar. As far as I'm aware, we have probably had 95 percent uptime, or even 99 percent. Nothing is 100 percent. When there's an issue, it's usually not ISE.

Scalability is our issue: keeping up with the number of licenses we need for customers and clients. That's our main concern right now. Part of that is on us and part of that is on ISE.

For us, ISE is global between retail stores, warehouses, and world headquarters. Our entire wireless network of over 30,000 devices uses it. In North America alone, we have 13,000 access points and usually around 60,000 clients.

We've had some issues with support. We usually just get our account manager involved and they get the BU online.

It depends on the role of the dice and your TAC engineer and how well they understand the issue. We've had numerous cases where we decided to say, "Okay, escalate."

Neutral

We had ClearPass but we found some difficulties with it and those were things that ISE was better at, such as EAP authentication. We had some issues with how ClearPass interacted with the Cisco wireless environment. The merging of the two technologies was hard.

We have jumped around. We were Juniper, Aruba, and then a Cisco corporate environment, and then a mixed environment. We finally consolidated those between retail, warehouses, and our world headquarters, into a unified Cisco environment with ISE as our RADIUS backbone. ISE gave us what we needed to unify all of them. We finally shut down our last ClearPass server a couple of years ago.

Being fully honest, the Cisco licensing model right now is really confusing. We don't know what licenses we have where. We have Smart licensing, but the different levels are way confusing.

There are different levels for different accesses. We have an enterprise license agreement with Cisco, but all the details of what we have with those licenses get confused in the massive amount of licenses we have, or in the different license levels we have for different geos, et cetera. The Smart license portal is there, but right now, we just don't have the time or manpower to put into that.

I give it an eight out of 10 mostly because when you get in to start configuring the details, it's hard to find some stuff. Otherwise, it's a great platform.

We use ISE for TACACS and 802.1X authentication, wired and wireless. We also use ISE for our VPN authentication, as well as for different policies. We were trying to solve some security holes with Mac solutions, and ISE was a good fit.

It helped our security, which is nice.

I love the policy sets, they are really nice and dynamic. 

This solution helps to support an organization across a distributed network. It's built for enterprises and large-scale deployment. It does what it's supposed to do.

ISE is a little clunky. The front-end feels like it is from the 1980s.

The usability, as far as programmability goes, needs to be improved.

I've been using Cisco ISE for about three years.

The solution is pretty stable. I haven't had any problems.

Cisco ISE is very scalable.

Technical support is horrible. If we call and ask them for help, their first response is always that we should upgrade. That is a horrible response. We pay another company to support us because the technical support can't, even though we pay them to do so. I would give them a two out of ten.

Negative

We have a distributed deployment model. They're all virtual appliances, distributed geographically.

We've got six ISE nodes. Everything is redundant and distributed across multiple data centers. We then used them again for 802.1X, TACACS, and other authentications and policies.

It's hard to dig into at first, so seek help and education.

I'd give Cisco ISE (Identity Services Engine) an eight on a scale from one to ten because it's Cisco, it's reliable. It has a lot of development and other vendors around it because it is Cisco. It works and is pretty stable.

We use Cisco ISE to set different policies for various profiles. For example, someone on their own device has a different set of policies and postures than a person on a company machine. 

Currently, we are using Cisco's dictionary for both device and user authentication. When I say "device authentication," I mean we authenticate users who access network devices. 

We consider the running policy when users want to access a data center server. The user is forwarded to the ISE servers to be authenticated, and they're given a password defined on the ISE for them according to the policy.

We have two virtual servers with different rules. For example, one is used to authenticate and audit, and the other to authorize and authenticate. And since most of our centers don't support full ISE integration, we use only some features. That means not all our users are not authenticated via the ISE.

It's easy to change and add policies.

Some of ISE's features need to be more agile. For example, we couldn't integrate our data because Cisco needs your data to be in its own format.

We implemented Cisco ISE about a year ago.

We have capacity limitations with retail, and we aren't integrating ISE for all the users. We have about 2,000 end-users that need to be integrated, and we added the entire thing to about 1,000 devices.

I rate Cisco support eight out of 10. We initially had difficulty integrating ISE with another solution we use from Huawei. We deleted the existing profiles defined on ISE and lost our definitions and profile features that were there before. We ordered the platform through these resellers, but they haven't been helpful, so we get more support from Cisco. They are very good.

Positive

Setting up this solution wasn't that difficult for me because I was involved with all of these projects. We implemented everything last year and deployed a portion of the modules integrated into our environment. It wasn't that difficult to install and apply to get these permissions.

A contractor came to help us deploy everything as part of the bank's data center solution. Since then, I have installed one of the components that we deployed at the time. It was a local tech company that got the platform given to them. That's how they got everything implemented with it together.

The return on investment depends on how you utilize the solution. We haven't utilized it well thus far, so I would rate it four or six out of 10.

There is a limit on the number of nodules supported. The number of users per license is limited to around 2,000, so the license price should be adjusted to take these limitations into account or we should be allowed to add more users to the same devices.

We use ISE because most of our networking devices are from Cisco, including the VIRL lab. I have to compare other vendors, but I don't think the cost difference is so much that I would switch solutions. 

I rate Cisco ISE eight out of 10. It works fine in our experience. 

We use it to secure our networks. We can secure our switches and wireless networks, basically everything.

We use it primarily for wireless security, but it can be used for many other things as well, like LAN and WAN security.

There is room for improvement in CLI. Most things are done through the GUI, and there aren't many commands or troubleshooting options available compared to other Cisco products like switches and routers. We have more visibility on the CLI for those devices, but the GUI seems limited. Moreover, sometimes, GUI seems very pathetic. 

I have experience working with this solution. I have been using it for four to five years. We still use the old version, but we plan to migrate to the new version soon because they recently changed their licensing model.

The product is stable. We don't face many challenges. It's stable, so  I would rate it around a nine out of ten.

The product is scalable. I would rate the scalability a ten out of ten. We have medium-sized businesses as our clients. 

There was some delay.

Positive

Setup wasn't difficult because we already had a solution in place. It was very easy to install.

The deployment definitely took weeks.

I would rate the pricing an eight out of ten, one being cheap and ten being expensive.

Overall, I would rate the solution a nine out of ten. 

We use the solution for RADIUS authentication, device authentication, and TACACS. We also use it for Wi-Fi and guest portals.

I like the logging feature. I like that I can look at the logs for authentication issues.

I don't like the fact that we can see the logs only for 24 hours. Maybe that happens because of the way we set it up.

I have been using the solution for six years.

The stability solution is really good. Once we get it up and running, it's great. We have to do a major upgrade, and I'm not as thrilled with the upgrades as I am with just a day-to-day job integration. Upgrades aren't my favorite thing.

The product’s scalability is great. We do not have any issues. We could scale it up without any problems.

Sometimes support is better than others. It depends on who you get. Some guys are really sharp, and for some guys, it takes a little bit longer to get the thing escalated.

Neutral

We used Secure ACS, which was a Cisco tool. Cisco discontinued support for it, so we switched to Cisco Identity Services Engine.

The product runs. It does what it needs to do, and we don't have to touch it most of the time. From that standpoint, we have an ROI.

The product didn't really have a whole lot of competitors at the time. Aruba ClearPass was probably the only other competitor. We were getting rid of Aruba from our wireless. Identity Services Engine was just farther ahead than ClearPass at that time.

We have a lot of things we use for detecting threats. We use the product more for authentication issues and stuff like that. We don't use it to identify threats per se. We have other tools.

The solution helps free up our IT staff. There are only a couple of us who are Cisco Identity Services Engine administrators. In that way, other people can do other things. Once we set up the solution, there's really not a whole lot of maintenance to it. I don't know how many hours it saves. It just works, and we don't have to touch it most of the time. It does its job.

We were using Cisco ACS before using the product. We changed tools and upgraded. The tool helps us improve cybersecurity resilience. We use it for RADIUS and to validate users. There are a lot of tools that we use. Cisco Identity Services Engine is a good tool. It does 802.1X and RADIUS very well. Cisco shop is the way to go.

Overall, I rate the solution a nine out of ten.

We use it for NAC and wireless, and for our TrustSec policy. These are the three primary use cases we have so far.

It's a network access control solution for us. Previous to Cisco ISE, we didn't have one, so, from a security standpoint, it increased our security visibly.

It has enhanced our security. We have a solution now that can protect us at the access layer, which we didn't have before.

It has helped to consolidate any tools or applications. We only have to use one product for RADIUS, TACACS, and authentication servers. NAC and other things are consolidated into one system, which is nice.

It has helped our organization improve its cybersecurity resilience. The security at the access layer through NAC has been nice, and then the ability to enforce policies dynamically using profiling and NAC and TrustSec is good.

With NAC, the profiling feature is valuable. We're able to see what we have out there in the network and dynamically assign policies to it. We can then use that to enforce TrustSec policy or anything else with NAC. 

There should be more visibility into TrustSec policy actions. When TrustSec blocks something or makes any kind of changes to the network, we don't always see that. We have to log into the switch itself, or we have to get some type of Syslog parsing to do that. Cisco DNA Center may do it, but it would be better if that was integrated into Cisco ISE.

In terms of securing our infrastructure from end to end so we can detect and remediate threats, it's a little bit difficult in terms of visibility, but, generally, we would just go through the logs and see if there's a problem or not.

I've been working in this organization for three to four years, and they have been using it prior to my joining. 

It's very stable for us.

It isn't something we have had to deal with.

They're pretty good. Compared to others, Cisco is probably above average. With Cisco TAC, usually, if the first level doesn't resolve it, you can get up to a higher level within a day or two, which is better than a lot of other vendors we've been working with lately, such as Palo Alto. Cisco tech support is doing pretty well. I'd rate them a seven out of ten. Being able to access higher-level engineers and escalate things more quickly is always going to improve any case.

Neutral

Before Cisco ISE, we didn't have a similar solution.

It was implemented before I joined, but it was probably phased. It was first for wireless and then became more of a NAC thing. It was a long process. It was somewhat difficult just because of how much was required of it. I don't think it was particularly painful.

We get a return on investment from it. It's a solution that's often required for IT insurance, etc. It's definitely needed but do we need to have one from Cisco? I don't know, but there's definitely an ROI there.

To someone researching this solution who wants to improve cybersecurity in their organization, I'd say that make sure you know what you're getting into. Understand and have a good plan going into it and have operational support for not just networking, but also help desk and other IT teams before deploying this solution.

I don't know if Cisco ISE has saved us any time because it's an enhancement to our security that we didn't have before. It probably takes a little more time than not having it. Having no security is super easy because you don't have to worry about anything, but if you have any security product, you have to do work to support that.

Overall, I'd rate Cisco ISE an eight out of ten.