Cisco Identity Services Engine (ISE) Reviews

We use it mostly for identity, authentication, and authorizations for wireless and wired. The challenges we were looking to address were mostly around the authorization and authentication of the users. We wanted to use the Identity Services Engine to make sure that the users accessing our network were authorized users, with the authentication happening before.

The integration with Active Directory, and finding and authorizing users based on their Active Directory groups, rather than just their identities, was a big change for us.

The most valuable feature is 801.1x and another very good feature is the TACACS.

In addition, it establishes trust for every access request. That's very valuable. We can't authorize users without it. The fact that it considers all resources to be external is very important. Without Cisco ISE, we couldn't authorize our users, contractors, and everyone else. It's our one source of truth for authentication and authorization.

It's also very good when it comes to supporting an organization across a distributed network. We like that. 

I would like to see integration with other vendors, and the RADIUS integration needs to be improved a little bit.

Other than that, all the features that we're using look good.

I have been using Cisco ISE (Identity Services Engine) for about six years.

It has been very stable. There's no problem with that, as we have redundancy in place.

It can be scaled very quickly by adding more nodes to the solution. The scalability is very good.

We have it deployed in three data centers in Austin, Texas, Lewisville, Texas, and one in Poland. It's a distributed deployment and we have around 8,000 endpoints on it so far.

Technical support has been okay, but I wouldn't describe it as "very good." We have had some problems with technical support. Sometimes it takes them too long to resolve a problem. 

The pricing is good. The last time we purchased four new appliances the price was doable for any organization of our size.

In my previous job, I used Aruba ClearPass. It's similar to ISE. They're both good.

Design it well in the first place. If you design it well, you can scale it. Always read, line-by-line, the Cisco guide because that's where you'll find all the information about the design and the scalability. If you design it correctly in the first place, you will have a smooth ride.

We want to use it in a hybrid cloud deployment, but we currently use it 100 percent on-premises. As we move more into the cloud, we're trying to integrate that with Cisco ISE to make it our authentication and authorization source. We're not really into the cloud yet. We're just doing some dev. We're building a whole cloud strategy.

We use it for identity services, profiling, and locking down devices.

We're an airport, so when anybody plugs in a device, it's obviously a really big security point for us.

We have a lot of different devices that get plugged in and we really don't have the manpower to address each one individually, as far as our network goes. Cisco ISE has really cut down a lot on the size of our ticket queues and the manpower. My boss is extremely happy about that.

The solution has also eliminated trust from our organization's network architecture and that has actually been positive because we have to meet PCI compliance. It is very important for us to be able to take cards. It has also helped to improve our pen-testing scores at the end of the year.

Resilience, in cyber security, is at the top of the list. It's one of the most valuable aspects and has been extremely important for us. Before, we had mid-range scores, but over the last couple of years, between implementing ISE and a few other technologies and SIEMs, we've gotten into the 90th percentile with our pen-testing scores. We were sitting at about 75 to 80, so this is a pretty huge jump for us.

Profiling is one of the most valuable features. We have a lot of different devices between cameras, access points, and laptops that get plugged in.

Establishing trust for every access request, no matter where it comes from, is extremely important for us, especially because we are an airport entity. We do have port security implemented throughout our airport, but on the more sensitive side of things, it's a little bit more hardcore regarding what we need to allow, per security zone.

There are always some things that I would request.

I first started using Cisco ISE (Identity Services Engine) in about 2015, but we recently just spun it up here at my current job.

The stability of the solution is a 10 out of 10.

The scalability is also a 10 out of 10.

For this particular solution, the technical support has been pretty good.

Positive

I've worked with ISE before, and it was actually my suggestion that we buy the license for it.

The initial deployment was pretty straightforward only because I had done it before. I worked on it with a colleague and taught him everything about it, just in case I was incapacitated.

From the start, including getting to an agreement, budgeting, and scheduling, the deployment took about three months.

In terms of an implementation strategy, once we got the licensing, we just stood the nodes up. Then we did the features one-by-one, with proper RFCs done, just to see, in a break-fix manner, if each thing we implemented would break something.

We used a consultant. The deployment required two people on our side. I was in charge of the initial rollout and implementation, and I'm in charge of managing it. However, if I'm not there, we have another network guy who does the day-to-day tasks and checks the logs to see if he needs to approve anything.

We have definitely seen return on investment. We have so many different security solutions in place, and ISE just works really seamlessly with them. I get to keep my job, so that's a pretty ROI from my point of view.

The pricing is fair for what it does. The only time I've really not been too crazy about the price is for Cisco Prime, which is a management solution for Cisco products.

We implemented a request for purchase and talked to a few different companies. One of the companies was Presidio. There was another company close by called Net Solutions. Three out of the five companies that we talked to were outsourcing the work to pretty much just bring in an ISE solution, so we just decided to do it in-house.

If you are on the fence about it, and you don't have someone on your team who has worked with the product before, definitely reach out to a company or a certified Cisco entity to help with the rollout. It's pretty painful if you don't know what you're doing.

Resilience is never a bad idea and it's never too late to start working towards it or to begin the journey to Zero Trust. It's very important in this day and age. 

I'm the only cyber security administrator that we have currently, so if we hadn't gotten this solution in place, I highly doubt that I would have been able to make it here to Cisco Live 2021, so it's excellent.

From 2015, when I first started using it, until now, there's not really a lot that I would ask be changed. They've been hard at it ever since I first started using it.

It's been incredible ever since we got it in place.

We are working with packets and A011X. In some cases, we also do profiling.

We are using this solution because we wanted to improve security and reduce security gaps. This is mainly for our customers.

This solution improves security. There is a new law in the Dominican Republic, where I am from. The central bank has ordered the banks to improve their security through a law. ISE is one of the start points for those organizations to start improving their security.

The solution gives us a way to provide a professional security solution to our customers.

They provide you multiple ways to achieve security, not only on-prem, but also when you have remote and guest workers. Especially post-pandemic, a lot of our customers have remote workers. So, it has been really helpful.

Its resilience gives you a better security posture. Cybersecurity resilience is very important. Security is one of the main things in my country enforced by law.

Profiling is a really good feature. However, it sometimes is a challenge for customers when there are issues with the remediation part. I would add a built-in remediation solution. That would be a very nice feature.

I have been using the solution for six to seven years.

It is very stable.

It is very scalable. You can install several nodes in order to scale the solution.

The technical support is really good. I would rate them as 10 out of 10. You need to know how to work with the tech support. If you don't know how to work with them, then it won't work.

Positive

We have been working for 15 years with Cisco as a Cisco partner. We like the Cisco solutions.

The deployment is complex. It takes four or five to deploy it.

Deployment takes a skilled technician. The customer's help is always needed since we need to integrate Active Directory. 

Our customers see ROI. They feel more confident about their operations. It gives them time to do other things in order to be more profitable.

It has a fair price. It is better than it was before.

We have seen Aruba ClearPass, but it is not that common in the Dominican Republic.

Organizational leaders should do constant analysis of their security posture, in order to be improving every day.

I would rate them as eight out of 10 because of the remediation feature.

We currently use it for RADIUS and TACACS authentication, but we're moving to SD Campus Fabric. We're tying that in with DNA Center, making it flow with the wireless and authentications at the port, using .1X. That's where we're headed.

We have a 10-node deployment: two PSNs, four dedicated to TACACS and RADIUS, two dedicated to guest WiFi, and two dedicated to pxGrid.

While it doesn't give us a single pane of glass, it helps identify problems more quickly. You can identify what's going on in the logs most of the time.

Also, ISE, working with DNA Center, provides a trust set. It's very important to us that the solution considers all resources to be external, so that we know who is connecting, when and where, at all times; we're not just trusting you because you're internal.

At the moment, RADIUS is the most valuable feature for us. We haven't really opened it up yet, so RADIUS is the best feature because it supplies authentication to our entire campus.

Also, when it comes to securing access to applications and the network, that goes hand-in-hand with fully developing ISE, implementing .1X, tying in DNA Center, and enabling TrustSec to look at SGTs and figure out who's who and what is what.

The knocks I have against the product are the number of bugs that we encounter, constantly, and the amount of upgrading that we have to do.

I have been using Cisco ISE (Identity Services Engine) for about five years.

Because of the numerous bugs we've been hit with, on a scale of one to 10, the stability is a four or five.

In theory, the scalability is great, if it all works.

We have six 17-floor buildings, and had a little more than 1,500 users on campus, pre-COVID. ISE is providing access and authentication for everyone who uses the WiFi and it helps us get into our devices.

TAC is moving a little slowly with respect to the technology. They're not keeping up. When you call in with a question, you get 10 questions fired back at you, and it just goes round and round until you figure it out.

Neutral

We previously used ACS.

If you're not going through an agreement, it's very expensive.

We didn't evaluate other options. We're a Cisco shop.

Do a deep dive. If you're a Cisco shop you really don't have a choice. It's the direction they're moving in. Cut your teeth with it and don't rely on outside sources to implement it. Implement it yourself so you know how to troubleshoot it and move forward. If you use outside sources, as soon as they leave, you're left holding the bucket and you don't understand what's going on.

I see the theory behind ISE and if we can get it to gel in our environment, it will be a beautiful thing.

This solution ties into our Cisco Duo and Cisco AnyConnect connections to help us authenticate against the active directory and Cisco Duo multifactor authentication. It takes metrics about the connections that are connecting it and allows us to set up a rule against them. For instance, if a Windows device is not all the way up to date, we can put a message up that says, "Before you're able to connect, please do your Windows updates as they haven't been done in six months."

As this solution allows AnyConnect to authenticate with the active directory in the backend, the users won't directly use it. Still, it will be in use throughout the login process into Cisco AnyConnect as a source of authentication.

With this solution, we don't require anyone for maintenance.

The ability to integrate our Cisco AnyConnect connections to the active directory has been great. Also, as a source of authentication during the process of logging into Cisco AnyConnect has been very useful for us. 

It perfectly does everything we have been looking for it to do. I have not discovered any feature sets or items that are lacking. It's a much more functional product than the old Cisco ACS that it replaced. 

That being said, during deployment, they shipped us the Cisco ISE with the 3.1 operating system, which was incompatible with the license that we had purchased, which would only allow us to go up to version 2.9. Because of this, we actually had to do a factory reset and a reload to the operating system — to an older version of the operating system. This required a very extensive process. We had to take out the Cisco ISE and put it into a factory reset mode to get it to roll back to the old operating system. If we were doing an upgrade, this would have been very simple, but as we were doing a downgrade, it was extremely complex and very labor-intensive. I was crawling through the server room, through wires, to plug things in, to get it to connect in the way that it needed to be connected with an external device in order to actually get it to roll back.

I don't like that the licensing structure doesn't allow us to have the 3.1 operating system — it forces us to use version 2.9. If you don't want to pay a monthly or a yearly subscription fee, either that device should have come automatically with the 2.9 version operating system, or it should have been much easier to actually roll it back. Additionally, support should have realized that our license requires us to have the 2.9 operating system instead of the 3.1 operating system, which would have saved us a lot of time. 

It would be nice if it could be configured easily by default. If you're configuring a Cisco device, you pretty much need the support of a CCNA-level technician to be able to do it. It would be nice if there was a default or a more simple way to do it. It's not really a requirement to use the device because you can purchase the premium support or you could get a CCNA in-house to do it. Just having that ability to say, "Hey, we want to set this up" without too many complications or without having to bring in support would be nice. 

We've only been using this solution for the past three months. 

The scalability reports that we could easily handle a million users. 

I have been extensively involved with their technical support; their technical support is very good. They're more than willing to just jump on and do things for you. My only complaint is that at one point, we were trying to configure our single channel for Cisco Duo to be able to perform a password reset. Whenever we needed to look closely at another device, the support technician would say, "Hold on, let me bring in my expert on VPN; hold on, let me bring in my expert on Cisco ASA." We basically had to wait until we were able to get the Cisco Duo support agent, the Cisco ASA support agent, the Cisco VPN support agent, and the Cisco ISE support agent — all in the WebEx meeting at the same time.

As far as I'm to understand, there are CCNAs that should have been able to do it, but they brought in the experts from each item instead of just directly doing it themselves — this made the whole process take longer. Still, they were able to do everything in a way that did not affect our live environment, even though it was on the same device. That was actually very nice because it meant that we could do it in the middle of the day instead of having to do things in the middle of the night.

The initial setup was very simple. Everything was set up within an hour thanks to assistance from the onboarding teams from Duo and Cisco, and our network administrator. They got it set up and reviewed a bunch of options with us. It was a very easy and nice process.

Implementation was achieved with in-house resources and premium onboarding support. The entire process only took an hour.

We are running version 2.9 because version 2.9 of the ISE has a persistent license —it's a one-time payment. The latest version (3.1) is only available if you do a yearly subscription.

It's a licensed physical device; there is no subscription. If you want the latest operating system, then you'll need to get an annual license.

If you're planning on using this solution, my advice is to be sure you review the full feature set available and select what is important to your users. This way you'll be able to ensure that you'll have everything you want and need.

Overall, on a scale from one to ten, I would definitely give this solution a rating of nine. 

We use Cisco ISE for the authentication of wireless clients.

Cisco ISE has saved me a couple of hours per month in terms of not having to manually onboard clients. However, there are still some manual tasks that need to be uploaded to Cisco ISE.

The most valuable feature of Cisco ISE is its seamless integration with the switches and the entire suite, enabling wireless access and smooth client information retrieval.

One of the problems we have had is that there are many features on Cisco ISE that we are not utilizing. In the real world, it requires multiple parties to come together, just like the AD or OU. Therefore, it won't be solely the responsibility of the network or security personnel to ensure that the solution works as intended and utilizes all the features. It necessitates collaboration among various stakeholders. If Cisco could grant more control, the features could be more focused on network and security administration, reducing the need for integration with other components. This would be beneficial for my organization.

I have been using Cisco ISE for one and a half years.

Cisco ISE is extremely stable.

As long as we have the funds to purchase the license, Cisco ISE is highly scalable.

We have a contact person in Singapore whom we can reach at any time for support.

Positive

The initial setup was straightforward because we used an integrator.

We used an integrator for the implementation.

The cost-benefit analysis primarily considers the time saved through manual labor.

The recent changes in the licensing model have caused some issues with the team. 

We have a rigorous procurement process and carefully evaluated other options before selecting Cisco ISE.

One of the other solutions we evaluated was the Aruba Wireless feed and its accompanying authentication, but we determined that Cisco ISE was superior and more beneficial.

I would rate Cisco ISE with a nine out of ten based on its overall benefits. However, since I am unable to utilize all the features due to the need for coordination from numerous other teams, I would personally assign it a benefit score of only five out of ten.

We attempted role-based access with the Cisco ISE integration, but it didn't work out effectively because it is more of an upper-level issue regarding organization and role level. Multiple teams had to collaborate, and there was a need to configure the Active Directory and Organizational Unit groups. This also involved restructuring and similar tasks. As individuals moved between OU groups, someone had to consistently update the OU groups to ensure the success of the process.

We have made a significant investment in Cisco infrastructure; therefore, we have chosen Cisco ISE as a logical option for our authentication mechanism.

Cisco ISE has not directly assisted our organization in enhancing its cybersecurity resilience.

Right now we use Wireless.1X and TACACS for device management. It's in our wired network too, but only use it for MAC address bypass.

It has helped to consolidate tools and applications. Previously, we had Windows NPS in some places and then Cisco ACS in other places. Now, Cisco ISE is all I use. This consolidation hasn't had a whole lot of impact on our organization. It wasn't that big of a deal to begin with.

It works as a good RADIUS server. It has lots of features. It works with all the proprietary Cisco AB pairs and features.

It could be less monolithic. It's one huge application, and it does everything under the sun, so it's hard to deal with and upgrade and manage.

I've been using Cisco ISE for three or four years.

Overall, it's pretty stable.

It seems to be pretty good for what we're doing with it.

Cisco TAC support is hit or miss. It depends on who you got. I'd rate them a six out of ten.

Neutral

We didn't have any network access control. For the wireless, we had ACS, and some places used NPS from Windows.

We chose Cisco ISE because we have a Cisco network. It seemed like the obvious choice.

The initial setup was pretty easy, but trying to get all the switches to talk to ISE was pretty complex. It required a lot of configuration and learning, and we found a lot of bugs and issues along the way.

Initially, we took the help of Presidio. They were good. They knew a lot about it and helped us a lot. 

In terms of detection and remediation of threats, it wouldn't detect anything. If we integrated it with other products, it could cut certain clients off from the network, but we haven't gotten that far yet.

It hasn't helped to free up our IT staff. It has probably consumed more time.

I don't have a lot of familiarity with other products, so I'd rate it a six out of ten.

We use it for Cisco device TACACS authentication and .1X security. 

We have a better state of mind that we're secure, and we don't have unauthorized devices accessing the network. In a financial institution, we want to keep everything as secure as possible. We don't want anything plugged in.

It has helped to consolidate tools. We had arpwatch monitoring, which we no longer have to use, and then TACACS is securing the network. We didn't have a tool before, so that added a layer of security for us.

It has improved our cybersecurity resilience. We have authentication logging for everything that's authenticated or denied. We use a Splunk forwarder. We get notifications if something is denied for authentication. 

TACACS and .1X security are the most valuable features. TACACS acts for user control, so no one can authenticate to our network devices, and .1X is to validate that unauthorized devices are plugged into our network.

Its user interface could be better. It's not bad. They've just redesigned the whole user interface. It's not terribly difficult. The drop-down menus are easy to use. However, when you're looking for some things in the user interface, it takes a minute to find where you were prior.

I've been using Cisco ISE for a year.

Its stability is great.

Its scalability is also great. We have 350 users. 

Their support is excellent. I've opened two support tickets so far, and they were able to remediate the issue within a few hours.

It's fairly difficult. We have third-party support to assist with the setup.

Our setup is on-prem and virtual in Azure. 

It was a third-party support, not a reseller.

It's a very good tool for security. It's a lot of work to initially set up, but once it's set up, it's pretty easy to use.

It hasn't yet saved the time of our IT staff. It's still fairly new, so we haven't had much time to use the product fully. It has only been a year since we started using it, so it's still pretty new.

Overall, I'd rate Cisco ISE a nine out of ten.