Cisco ISE (Identity Services Engine) pros and cons

The solution is great for establishing trust for every access request no matter where it comes from.

It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go.

Not having to trust devices and being able to set those levels of trust and more finely control our network is a benefit.

When we use ISE, one of the helpful things is that I can go through the dashboard and get every step along the way of how a device was authenticated. If it's failing, why did it fail? Why is it unauthorized? If there's an error, what is the error and how can I fix that error? If it's something that, if they should be passing, why are they failing?

The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique back addresses. It would say that this in my profile so I could get to those apps with either device, 24/seven. That's how granular the ISE or these NAC Solutions can get.

[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting Mac addresses.

The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket.

I really enjoy the live log section. Sometimes, you will have someone who is having issues connecting to the network, and then you have to ask them the dreaded question of, "Did you type a password wrong?" They will probably tell you, "No," but the live log can help sort that out. It gives us that extra ability to assist the end user and make sure that we are making them happy.

The most valuable thing in ISE is the adoption of EAP deep that came in [version] 2.7, so we can do authentication based on user and machine certificates in one authentication.

Profiling is one of the most valuable features. We have a lot of different devices between cameras, access points, and laptops that get plugged in.

The interface is a little bit complex.

A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it.

The UI is not as intuitive as some other products, even products inside of Cisco's wheelhouse.

A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on.

In the next release, I would want to see this kind of solution in the cloud as opposed to on prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud based software subscriptions.

Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved...

I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself.

There is room for improvement in its ability to allow end users to self-enroll their devices. Instead, you should be able to assign that permission by AD group, which is currently not available.

Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them.

There are always some things that I would request.