Cisco Identity Services Engine (ISE) Reviews

One of our use cases is using it for authentication for the wireless. Our internal corporate network is using the Cisco ISE server to authenticate clients and make sure that we have the right clients on the wireless side, as well as on the wired side. We just introduced that about a year ago to make sure all our wired clients are our clients and not some "rando" plugging into the network.

Definitely, getting away from pre-shared keys has been the biggest key. It is allowing users to connect to the internal network, the employee's network, from anywhere, across the entire US. It is allowing that ease of use. 

It's also allowing us to see what's connected to the network. We can see that there are only really clients. We can see what's connected on the wired side and what's getting blocked, and understand [things] from our users. "Okay, that's getting plugged in. What do you guys use this for?" It's adding a layer of defense that's super important to our organization.

I don't think we've gotten away from trust completely, but it has helped a lot. It's allowed, on the server side and on the infrastructure side, to allow certain clients. We don't have to trust the client necessarily. We know that that's a corporate client and we don't have to play any guessing games. The corporate client that we want on that specific network is going to have the right cert and the right thing. It allows access control without a lot of human involvement.

It's helped significantly. We have fewer IoT devices on internal networks and that's the key. Your clients have the right firewall protections and the right anti-virus. Those are on the internal network so you're not putting stuff [on it] that you don't know whether it has a security vulnerability or if it's easily hacked. You're allowing those to be in separated networks that silo them off with a PSK. And you're keeping the internal network to clients that you know are protected.

[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting Mac addresses. 

It also integrates really well with some of our other services like ServiceNow. A ticket comes in and then, boom, it's automatically going to the ISE, and then ISE is allowing that client with that Mac address to get on the network easily.

[In addition, regarding establishing trust for every access request, no matter where it comes from] it does the job. It's a perfect solution in order to manage a large corporate network.

It allows that access control [for a distributed network]. That's super significant. It allows you to segment things and allows only certain devices to access the network.

Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved, as we get more and more away from a lot of human involvement and [into] machine learning and just trusting that these systems could automatically help us.

My name is Edward Martinez. Network engineer. Our company has about 5,000 employees, and we're in the beverage industry.

[I've been using Cisco ISE (Identity Services Engine)] ever since I started. That was one of the main services that I had to understand and get involved with as soon as I started at our company.

I haven't had many issues in terms of its stability. It doesn't really ever go down. Anytime we ever have any issues with it, it's usually human error.

In the past, I've always had pretty good support from Cisco. Their TAC is really good. They're pretty straightforward. I haven't had many experiences with ISE, honestly. It works so well we haven't had to reach out too much.

I would rate their support about a nine out of 10. It works most of the time. It depends on the engineer you run into. It depends on the people you deal with.

[The main challenge] was authentication and not using PSK, traditional pre-shared keys. They wanted to get away from pre-shared keys; people share them. They wanted something that would allow clients to just connect automatically, not have a pre-shared key, and be secure. That's the most important part, making sure that the right clients are getting on our internal corporate network.

[Our company] was just using PSK and that solution was really built around access control of our corporate networks. They were using PSKs at every site and rotating those PSKs, or had site-specific PSKs. Now, when somebody comes into the office, they can just connect to the employees' network automatically, and it's the same across the board at every site. 

It was this idea that we needed to simplify things. We needed to make it easier on our users to go into an office and connect to the internet and not have to ask an IT guy there or make a ticket. That was the important part.

I've just been involved with the secondary deployment, using the ISE on our wired ports.

It was pretty straightforward. It was funny. We did it during COVID so it was really easy when nobody was in the office to implement the solution. It kind of worked out that way, when there was nobody in the office.

But otherwise, people have started to come back and we haven't had really many issues in terms of authentication. It's really easy. People have wired in and if their client has the right cert, it's been a breeze. They've been authenticated and it takes a minimal amount of time.

We have an operations partner that we deal with pretty often. It's an Austrian company, NTS. They work with Cisco a lot on our solutions and, obviously, we're evaluating it with them and then making choices based off of that. I'm the onsite hands. I do a lot of the configuration on the switches, but they're doing a lot of the advising.

You're seeing less tickets and you have fewer security issues. I think the return on investment is there. It has really improved our situation in our corporate offices.

Resilience is super important. The solution needs to be able to hold up and promise what it [intends] to deliver. In cyber security, that's super important because if you have any slight exploit, you're going to have malware attacks, ransomware attacks. That's [a] big [issue] in our company as, more and more, you hear about legacy systems being affected. These legacy systems sometimes don't go away. Sometimes you need them. You have to do your best to either patch them up or protect them either through a firewall or an access control system. 

[It's about] protecting the network infrastructure from exploits and really allowing us to segment IoT devices and the corporate network. And because [on] the corporate network, once you get into it, there really isn't anything protecting against accessing critical storage systems, accessing mission-critical servers, [or] our sales numbers, it's super important that we have the ISE so that we're only allowing the things that we want into the network that we trust.

[What I would tell leaders who want to build more resilience within their organization would be] evaluate solutions, prioritize it, get manpower behind it. Also, too often they put cyber security on the back burner. They're trying to maintain operations and sometimes cyber security can get in the way of operations. But trust that system, once you build it up, will protect you and that it's worth the investment in terms of money, labor, and time.

We are using it mainly for .1X authentication, and we also authenticate our VPN users, and we are doing some light profiling and posture.

We're trying to solve the problem where different users have different privileges in the network. And also we're trying to block some access from our least privileged users. Those are the main use cases for us.

We have on-prem virtual appliances and a distributed model.

It has improved our organization very much because we're now adopting the SGTs, Security Group Tags, and we're leveraging security based on those tags on our core systems and integrating with other SG firewalls.

We have a pretty distributed network and we have only one ISE deployment and it's been really good so far for managing all of those sites.

The most valuable thing in ISE is the adoption of EAP deep that came in [version] 2.7, so we can do authentication based on user and machine certificates in one authentication.

[Regarding establishing trust for every access request] it's been pretty good so far. We've been authenticating all of our users, no matter where they're coming from. If it's from our VPNs, or if it's wireless access, we are all Cisco, so the integrations are pretty good. It's very important [that the solution considers all resources to be external]. Right now, with the challenges that the multi-cloud environment poses, you have to have a solution like this.

[When it comes to securing access to your applications we are] not [using it] so much. I'll have another session with a TAC engineer on Friday, and I will have to discuss some basic concepts of securing the application with ISE. I find it very challenging to do some micro segmentation with it. I'm staying on top of it and doing it macro, but I want to go micro, and it's something I need to discuss more with an engineer.

Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them. This is a problem in ISE. This could be much simpler.

I wasn't involved in the process of choosing this particular technology. The colleagues that made the decision made it seven or eight years ago. They were using ISE for a long time. I've been in the company for four years now so I came into an already deployed solution. But it wasn't so good, so we had to migrate from physical appliances to virtual ones because they were end-of-life and end-of-support.

Sometimes, they push an update that breaks the whole deployment. It happened to me with update two. It was my fault. I updated right after it came out, and I won't ever do that again. I will wait at least a month or two or three, because the update was taken down a week later.

I was lucky enough because I had updated from update one to update two. So it didn't really break the whole deployment, just parts of it. But they fixed it in a week with update three, so I was able to put it back together. Roll back is also always an option.

Scalability is really good. The number of possible nodes in deployment is high. I don't know the exact number, but it's really high. Scalability is not a problem.

I have had some problems lately with the TAC engineers being unable to investigate the logs that I gave [them]. They always ask for more, but there is not much you can do on ISE. When you give out all the debugs from the nodes, then there is nothing else to do.

It's been a bit of a ping pong with the TAC engineers. Sometimes I have four to five TAC cases open, specifically on ISE. Most of the problems I have are with the integrations of other companies' firewalls. 

This year I would give them a six [out of 10]. Before, I would say eight.

Neutral

I have had to find my own way to do the new deployment. It wasn't that there was some documentation about how to migrate. There is none of this stuff on Cisco's site. You have to search Reddit and multiple forums to assess what you can do with the deployment. I basically built it from scratch.

We are more secure thanks to ISE. That's always a return on investment.

[When it comes to eliminating trust from our organization's network architecture] I'd say, no, ISE hasn't done that. It's been a challenge to implement this. We're trying to bridge the gap between the security guys and network guys. They're not the same teams. Sometimes the security guys also do networking, but it can be hard to cooperate on projects like this. This is a big project. ISE is a pretty big solution and security guys are sometimes lost in what's going on in the network, like equipment where you have to configure things.

It's pretty much the most resilient solution as of now.

I like this solution a lot. I would say it's a nine out of 10.

We have been authenticating our company's employees and certifying that they are in compliance. We have to certify our employees in regards to compliance, having all the necessary protections in our infrastructure for their endpoints, notebooks, laptops, and mobile phones.

We have implemented it across the entire company in every area and department at every single level of our organization.

So far, it has been on-premises. We are still working to expand it to integrate with multiple cloud providers, like AWS.

We have become more reliable because we do not have any vulnerabilities coming into our network, which is important since a lot of employees are using their own endpoints to connect to our infrastructure.

Every other time that we have a new employee, we need to make sure they have been using the latest version of the solution in order to connect to our infrastructure.

We have made our company more secure. As an IT guy, I have gained more importance to my company.

It is more about the features related to Apex. This is part of the solution where we can deep dive into each employees' usage according to our infrastructure needs.

There are a lot of integrations available with multiple vendors. This has made the solution easier to work with.

We use the management platform, which makes it easy for our IT to access and manage. 

We have been working with it for about 10 years.

If you have someone taking care of it, it can be quite easy to manage the solution. Otherwise, if you don't look after it and take care of it day-to-day, then it will become more complex to run. However, if you have someone taking care of it, maintenance is not that difficult.

The scalability is good and quite easy to do. If you have the licenses, then anything is possible.

We worked with customers. The last one that we worked with had 10,000 licenses, i.e., 10,000 endpoints. We started working with the corporate office, then we replicate to the distribution centers.

As an IT integrator, it is quite easy to work with their technical support. We have the correct people to deploy it as well as receive good support from the Cisco Technical Assistance Center. I would rate the support as 10 out of 10.

Positive

We have been using ISE for a while. We didn't have another solution beforehand.

We had to do some labs beforehand, in order not to breach the environment. The deployment was not too complex.

When we work with customers, it takes four or five hours. We start with a specific environment, then we replicate to other areas.

We are a reseller. My professional services implemented it, which includes a tech lead, engineer, senior engineer, and project manager to work with the solution.

It is an easy solution to implement with the correct partner.

It is difficult to measure security breaches, but since we have not been attacked so far, it has paid for itself over the years.

We worked with Fortinet to look at their solution, but ISE was more reliable and had more integration with our product vendors. Also, it had a more affordable cost.

When compared with other vendors, like Forescout, for what we need, ISE has been more usable and accessible.

Learn about the solution, then evaluate what devices it would be implemented with. I would amalgamate the devices and their versions with a systems integrator or partner who already has experience and will try only to replicate it, not to reinvent the wheel.

Part of our journey is getting everybody connected to the infrastructure and trying to avoid any breaches. We don't want to be vulnerable.

I would rate the solution as 10 out of 10.

The primary use cases include customer environments, BYOD, posture assessment, and dot1x for wireless and wired networks.

I'm customer-focused, and for my customers, Cisco ISE has enabled them to deploy secure wireless and secure wired networks and gave them a lot of flexibility to do security enforcement.

The posture assessment is a valuable feature because of the ability to do assessments on the clients before they connect to the network.

The guests' BYOD portal and onboarding are feature-rich and fairly straightforward and easy to set up.

From a zero-trust standpoint, it is critical that Cisco ISE considers all resources to be external because, in essence, we don't want to allow anybody on the network that hasn't been verified. Even when they're on the network, we want to make sure that they have the least amount of privileges to do their job.

Cisco ISE hasn't eliminated trust, but it's definitely helped us to migrate more toward zero-trust network environments. It helped us to have a much better security posture overall to help eliminate threats and also give visibility into the response.

ISE is generally deployed as a distributed environment, and it makes it easier to have local resources across the distributed environment so that you're not dependent on always-on access to a data center. In case you lose your internet connection or lose an MPLS connection, you can still have a certain amount of security control at the distributed location.

As far as securing access to applications go, with the posture assessment you get a lot more visibility into the applications on the client when you deploy it and a lot more control over enforcing connectivity in the network, especially with secure group access.

When I work with customers to do my knowledge transfer, they're really overwhelmed with the navigation of the product and the number of things you can do with it. From a user interface standpoint, Cisco could focus on making certain tasks a bit more guided and easier for customers to walk through. That is, a user-friendly interface and streamlined workflows would be great.

I've been using Cisco ISE for about eight years.

I've had very few issues with stability and haven't run into any bugs.

It scales quite well. Essentially, you can scale up to about 500,000 users, and most of my customers are south of that.

I am familiar with ClearPass. I prefer ISE because most of the environments I'm dealing with are Cisco networks. Having the device administration based on TACACS+ is a plus, with it being a proprietary protocol. ISE definitely implements it better than other solutions. From a conceptual standpoint, ISE makes more sense.

ISE may be a bit difficult for my customers because they're not used to it, but the reality is that the workflows make a lot more sense to me than they did with other solutions like ClearPass.

The first deployment I did was complex because I ran into the same thing my customers did. It's overwhelming at first to figure out because there are so many options and so many different use cases. It was tough to narrow it down to what was important and what could be added later.

However, after having done 30 or 40 deployments, it's now straightforward.

I've deployed the solution in a bunch of different environments. I have manufacturing customers with centralized management and monitoring, so the PAN and the MTS are in data centers that are separate but with PSMs deployed all across the network for the distributed model. There also are some, where everything's pretty much in a data center or is split across two data centers.

Licensing has gotten much simpler since Cisco moved to the DNA model because we just have the three tiers, but it could always stand to be improved upon.

I evaluated ClearPass.

To leaders who want to build more resilience within their organization, I would say that it's definitely worth moving toward a zero-trust environment. It's really a rebranding of an old concept of least privileged access, but the tools we have to implement it, such as Cisco ISE and firewalls, at the core and the ability to broker it out to the cloud as well, give us a lot more visibility and a lot more control over the traffic and our data, which is our biggest asset.

If you're evaluating the solution, pick two to three use cases, stick with those, and familiarize yourself with the solution. Try not to get overwhelmed with the interface, and don't try to see everything it can do and let it spin out of control; it's easy to do that. Just start with something you really need to implement and then worry about adding more features later on.

On a scale from one to ten, I would rate Cisco ISE at nine.

We use it as our complete NAC solution for both on the wire and wireless as well as guest wireless access and SGTs.

We have five hospitals. We have two service policy nodes at every hospital. We have a deployment at every hospital site.

We are a healthcare department. We deal with a lot of PHI so ISE is important. It is an integral part of keeping PHI safe.

The solution has helped with safety and keeping people who shouldn't be on our network off our network.

Cisco ISE works very well for establishing trust for every access request when it is deployed and running correctly. It is a great product. It does what it is supposed to do.

We know what is on our network because ISE is able to tell us.

The guest wireless works pretty smoothly. The SGTs came in very handy when we had to segregate traffic away from our network, even though it is part of our network. 

The SGT function would probably be the most used. This is mainly because we have a lot of vendors on our campuses but we need to keep them from seeing the traffic and being able to touch other areas of our network. Being able to use SGTs kind of keeps them in their own little lane away from us.

When it is deployed correctly, it is very helpful. It runs smoothly. It is just integrable to what we do.

I would definitely improve the deployment and maybe a little bit of the support. Our first exposure to ISE had a lot of issues. However, I have noticed as we have been implementing patches and upgrades that it has gotten a lot better.

I have been using it for about four years.

With patches and a little bit of babysitting, it is totally stable now.

It is easily scalable.

The technical support is phenomenal. I have called and opened up a ton of tech cases. Eventually, you get the right engineer who can solve all your problems. I would rate them as eight or nine out of 10. It has gotten a lot better. If someone asked me about support two or three years ago, I would have probably given them five out of 10.

Positive

We didn't use a solution before ISE.

We have seen ROI. It has done its job. It has protected us when we needed it to.

Make sure you have everything ready, including all your information. Make sure you know what you will profile and what will come on your network.

Get hardware nodes versus the VMs.

You definitely want resilience. You want to keep everything protected, especially in the day and age that we live in now. Information is power. Keeping our customers' and patients' information safe is our number one priority.

I would rate it as nine out of 10 because it has gotten better. I have seen it at its worst. Now, it is running a lot better. So, I have a better opinion of it than I did.

This solution provides access to the employees of the company.

It works. It is simple. It works very well. We have a good strategic setup. We are very happy with the solution and we have no problem using Cisco ISE solutions.

The solution is stable.

It's scalable. 

I'm not working in the IT team. I'm working the sales team. While there are a lot of features that we could improve in our organization, I can't speak to the exact changes that should be made.

We'd like to be able to integrate the product with our solutions. Sometimes we face some infrastructure where there are multiple vendors and sometimes the ISE is not the best tool to manage multiple vendor infrastructure. 

The price here in Brazil is very expensive. 

Configurations can be a bit complicated. 

Sometimes we have problems integrating logs into SIEM solutions. We have to deliver some logs to a SIEM secret platform, and sometimes it does not work well. It would be better if we had better integration or a better way to deliver the logging SIEM platforms.

I've been using the solution for five to six years. 

The stability is good. There are no bugs or glitches. It doesn't crash or freeze.

We have no problem with the management of our infrastructure when we need more accountability from the platform. Scalability was fine. There is no problem.

We have 6,000 people in Brazil using the solution. 

I consider technical support to be perfect. Anytime that I have problems with shifting solutions, they work well with me and I have no problems with working with them.

I'm a reseller from Fortinet and Cisco solutions. I also have experience with Check Point. 

I can't speak to how the setup goes. I'm not working directly in deployment. What I've heard from my customers, for example, is that it is not difficult to set up, however, it may be to run all the features.

What I've heard is the first setup is very, very easy and to do some adjustments is very easy, however, when you want to go further in the configuration, that could be a bit easier.

I can't speak to the exact pricing of the product.

I work with various versions of the solution. 

We're resellers.

Others should know it's a very good solution, very stable. There are a lot of features, and it is a secure solution. It's the first solution that we indicate to our customers and most of the time, the decision of the customer is to deploy a Cisco product. 

I'd rate the solution nine out of ten.

We were looking for secure network access.

It's important that the solution considers all resources to be external because we are introducing new endpoints to the environment every day. We want to make sure that endpoints are secured. In addition, we want to see what that endpoint is doing in our environments.

ISE has eliminated trust from our network architecture. It has changed the methodology of how we look at security. Instead of having everything open, now we know exactly what to open and what to trust.

SGTs are valuable because they make it easy to enforce policies, instead of pushing them across all the other platforms.

I would like to see them simplify the dashboard. It's very configurable, but, at the same time, it's not easy to maneuver through it. They should "Merakify" it.

The deployment is complex. I get that it's very configurable, but there is the challenge of how to get to certain things. You go to different places to get the same things done. There needs to be improvement to the GUI.

I have been using Cisco ISE (Identity Services Engine) for seven years. 

It's now way more stable than 2.0 was.

It's scalable, but we get back to the point that you have to deploy multiple nodes across the environment to get the bandwidth for larger environments.

TAC is pretty good. They're solid. The product has been out there for a little bit so that side of things is good.

Positive

We had ClearPass.

It's pretty good when it comes to supporting an organization across a distributed network but it's not easy to implement. It requires a lot of expertise. It requires a full understanding of your environment and the traffic flow.

Our clients have it in multiple locations. At the same time, there are multiple SSIDs on the wireless side and each SSID has a different function for a different group of users. It's not like there is just one set of policies. It has to be multiple policies and sometimes the policies cross each other when moving from one campus to another campus.

Deployment requires a minimum of two solid engineers. One can focus on the network side and the other one can focus on the ISE side.

The way you establish trust is that you first have to "untrust" everything and then you set your points and your profiles and, based on that, you build your policy.

It's damn expensive and the licensing is terrible. There are three different types of licenses: Essential, Advantage, and Premier, and each one of them has certain features. I work with the SLED accounts and it's not easy for customers to find the money. I'm trying to sell their product but, at the same time, to utilize the product fully they have to pay millions of dollars on the licensing alone. And it's software. It's not like I'm selling them hardware with hardware value. It's just software. The prices need to be brought down.

The majority of our clients are still using 2.7, while some have moved to 3.0 or 3.1. That's another issue with the licenses. If you have perpetual licenses on 2.7 and you upgrade to 3, you are forced to go with Essentials. That is one of the issues that I'm seeing with my clients now.

Go for it. It's a great solution. It's very configurable and you can tie your environment together from a wireless or from a wired side. I love the solution.

Right now, we are doing all wireless through ISE. We have also started migrating to wired.

We have about 20 sites. By having enough node regionalization, we have been able to have all our sites utilizing it.

It is deployed to multiple locations. We have one in Mexico, one in Kelso, two in Asia, and then two in the US.

It improved our standardization with all its policy sets being the same. 

Since migrating towards doing wired ports over ISE with 802.1X and MAB authentication, our organization's security risk has been better. We have been able to establish better layouts, so devices can move and we don't have to worry about where they need to go.

The Guest Portal is a big feature for us. 

It does a good job of establishing trust for every access request. We have had a little bit of a challenge with profiling, but we are probably about 80% there.

I have been using it for five years.

The stability is fairly good. Since we went to the 2.6 version, it has been a lot better.

Scalability is good as far as adding another node. However, if you ever wanted to increase the node that you have, then you need to buy a bigger license. You also have to build a new VM for it because you can't just scale it.

I had one problem with the portal. I got support from TAC and it worked out really well. It was really good. I would rate the support as 10 out of 10.

Positive

We did not previously use another solution.

We were looking to solve the challenge where people were moving devices that they were not supposed to.

The initial deployment was straightforward and took a couple of months. It was actually a project for a customer, then the customer backed out. So, we spent a good year without using it for anything.

The initial deployment was for a customer in Asia, so we had to deploy it in our Asia data center. We then deployed it in our US data center to kind of match that configuration.

We did use a consultant from Presidio for our first deployment project. Since then, we have been doing deployments ourselves.

Two people were needed for the deployment: the consultant and myself.

There is probably a return on investment as far as increased time for people not having to worry about devices moving around nor having to be contacted about moving them to the appropriate spot.

Its licensing could be improved. It used to be perpetual, but now they are moving away from that.

Make sure you understand where you want to deploy nodes and how far away they are from other locations since there is some latency involved.

We don't do any sort of application-based stuff right now. It is just purely assigning devices to what VLAN they are supposed to go to.

We are looking to upgrade to a newer version. Hopefully, by seeing some of the stuff at Cisco's event, I can find some more features that we could use.

I would rate the solution as eight out of 10.