Cisco ISE (Identity Services Engine) Overview

Cisco ISE (Identity Services Engine) is the #1 ranked solution in top Network Access Control (NAC) tools and the #3 ranked solution in top Cisco Security Suite tools. PeerSpot users give Cisco ISE (Identity Services Engine) an average rating of 8.0 out of 10. Cisco ISE (Identity Services Engine) is most commonly compared to Aruba ClearPass. Cisco ISE (Identity Services Engine) is popular among the large enterprise segment, accounting for 65% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from computer software companies, accounting for 18% of all views.
Cisco ISE (Identity Services Engine) Buyer's Guide

Download the Cisco ISE (Identity Services Engine) Buyer's Guide including reviews and more. Updated: January 2023

What is Cisco ISE (Identity Services Engine)?

Cisco ISE is an all-in-one solution that streamlines security policy management and reduces operating costs. Cisco ISE delivers visibility and access control over users and devices across wired, wireless, and VPN connections.

Identity Services Engine enables enterprises to deliver secure network access to users and devices. It shares contextual data, such as threats and vulnerabilities, with integrated solutions from Cisco technology partners. You can see what is happening in your network, which applications are running, and more.

Features of Cisco ISE

  • Centralized management helps administrators configure and manage user profile characteristics - a single pane of glass for integrated management services.
  • Contextual identity and business policy: A rule-based, attribute-driven policy model. The goal is to provide flexible access control policies.
  • Wide range of access control options, including Virtual LAN (VLAN), URL redirection, and access control lists.
  • Supplicant-less network access: You can roll out secure network access by deriving authentication from login information across application layers.
  • Guest lifecycle management streamlines the experience for implementing and customizing network access for guests.
  • Built-in AAA services: The platform uses standard RADIUS protocol for authentication, authorization, and accounting.
  • Device auditing, administration, and access control provide users with access on a need-to-know and need-to-act basis. It keeps audit trails for every change in the network.
  • Device profiling: ISE features predefined device templates for different types of endpoints.
  • Internal certificate authority: An easy-to-deploy single console to manage endpoints and certificates.

Benefits of Cisco ISE

Cisco’s holistic approach to network access security has several advantages:

  • Context-based access based on your company policies. ISE creates a complete contextual identity, including attributes such as user, time, location, threat, access type, and vulnerability. This contextual identity is used to enforce a secure access policy. Administrators can apply strict control over how and when endpoints are allowed in the network.
  • Better network visibility via an easy-to-use, simple console. In addition, visibility is improved by storing a detailed attribute history of all endpoints connected to the network.
  • Comprehensive policy enforcement. ISE sets easy and flexible access rules. These rules are controlled from a central console that enforces them across the network and security infrastructure. You can define policies that differentiate between registered users and guests. The system uses group tags that enable access control on business rules instead of IP addresses.
  • Self-service device onboarding enables the enterprise to implement a Bring-Your-Own-Device (BYOD) policy securely. Users can manage their devices according to the policies defined by IT administrators. (IT remains in charge of provisioning and posturing to comply with security policies.)
  • Consistent guest experiences: You can provide guests with different levels of access from different connections. You can customize guest portals via a cloud-delivered portal editor with dynamic visual tools.

Support

You can get ISE as a physical or virtual appliance. Both deployment types can be clustered to provide scale and redundancy.

Licensing

Cisco ISE has four primary licenses. The Evaluation license covers up to 100 endpoints with full platform functionality. The higher tiers are Partner, Advantage and Essential.

Reviews from Real Users

"The user experience of the solution is great. It's a very transparent system," according to a PeerSpot user in Cyber Security at a manufacturing company.

Omar Z., Network & Security Engineer at an engineering company, feels that "The RADIUS Server holds the most value."

“Whether I deploy in China, the US, South Africa, or wherever, I can get all the capabilities. It allows me to directly integrate with 365, and from a communications point of view, that is a good capability," says Rammohan M., Senior Consultant at a tech services company.

Hassan A., Technology Manager at Advanced Integrated Systems, says that "The most valuable feature is the integration with StealthWatch and DNA as one fabric."

Cisco ISE (Identity Services Engine) was previously known as Cisco ISE.

Cisco ISE (Identity Services Engine) Customers

Aegean Motorway, BC Hydro, Beachbody, Bucks County Intermediate Unit , Cisco IT, Derby City Council, Global Banking Customer, Gobierno de Castilla-La Mancha, Houston Methodist, Linz AG, London Hydro, Ministry of Foreign Affairs, Molina Healthcare, MST Systems, New South Wales Rural Fire Service, Reykjavik University, Wildau University

Cisco ISE (Identity Services Engine) Pricing Advice

What users are saying about Cisco ISE (Identity Services Engine) pricing:
  • "It is fairly expensive and that's part of why we have implemented it in the type of 'hack' that we did, to service multiple clients."
  • "It's an expensive solution when compared to other vendors."
  • "Over the years, licensing has been confusing and complicated because there are so many different licenses for each different product and each different iteration of the product."

Cisco ISE (Identity Services Engine) Reviews

    Wayne Cross, Director of Cyber Security at Borden Ladner Gervais LLP (Real User)
    Secures devices and has good support, but needs a better interface
    Pros and Cons
    • "The solution is great for establishing trust for every access request no matter where it comes from."
    • "The interface is a little bit complex."

    What is our primary use case?

    For Cisco ISE specifically, I manage the cybersecurity as well as the networking team. The networking team uses it to track statistics of users coming in and out of the network platform. We use it to track equipment, collect information on identity, and have the help desk leverage the telemetry to troubleshoot. It is part of our day-to-day operations.

    This provided security for our sizeable law firm, which has offices across the entire country. Our lawyers like to be mobile. Around six or seven months ago, we started to roll out iPads and really adopted a mobile culture. One of the things that we wanted to do was to provide flexibility for lawyers to walk with a corporate laptop, or walk with their own personal laptop and still have the capabilities to log on and do what they want to do.

    We also used it for the many meeting rooms we have. A lot of law firms have tons of meeting rooms, and we needed to secure some of those meeting rooms as well. The technology allowed us to roll 802.1X. We were able to secure ports in the meeting rooms and have a little bit more flexibility as to where users log in.

    For example, a couple of years back, we wanted to secure all of the endpoints for the help desk and networking team and all of the backend team and ensure that, irrespective of where one goes with that laptop, when they log in, it'll automatically move them to a secure VLAN. With ISE, we were able to do that and monitor it.

    What is most valuable?

    One of the things that we found most valuable over the years is the ability for it to provide information to the help desk that allows them to troubleshoot issues. We still use a lot of that today and we're going over to DNA soon. We're adopting some of the DNA technologies now, however, ISE has been the mainstay for us for quite a few years now.

    The solution is great for establishing trust for every access request no matter where it comes from. That was one of the biggest use cases for us, as one of the problems that we had was to secure a specific VLAN. If a help desk person had a laptop, and they plugged it into a network cable port somewhere, it would automatically put them on a secure network. If a lawyer uses their laptop, it would put them on a separate network. If a phone is plugged in, it will know it's a phone and put it on a phone network. ISE is the only way we have been able to do that. We've streamlined a lot of our provisioning and de-provisioning processes through Cisco ISE.

    It has certainly made it easier to secure our devices. For example, we have offices across the entire country. We are a large law firm and have huge offices in Toronto, Ottawa, Montreal, Calgary, and Vancouver. We are also ISO 27001 and 27017 certified, and I run that program. One of the big things for us is when auditors come for a visit. All of our locations have a conference floor, a whole floor that's dedicated to conference rooms.

    There are tons of large conference rooms. When we get audited, conference floors are usually floors that auditors are allowed to go to, as they're publicly accessible floors. We'll get asked, "How do you secure the port?" When we go into the conference room, they can see the network ports. They will ask, "Well, how do you secure these ports? What if somebody came and plugged their machine in?" We then say, "We use Cisco ISE. Cisco ISE identifies that it doesn't belong to our corporate network. It does a check and then puts them right onto the internet, so we don't need to worry about strangers on our closed network."

    What needs improvement?

    The interface is a little bit complex. It doesn't really have an executive dashboard. I'm the director of cybersecurity infrastructure operations for the entire firm, and I'm a very technical person, so I go in, and I can move around and try to figure everything out.

    However, the interface is very complex, and there are tons and tons and tons of options. It's quite complex to get into and take a look at. As a result, most of the time, just my networking team would be in there. It's so complex that sometimes I will find something one week, and by next week I can't find it again.

    It's too deeply layered. They have to redo the whole interface and have something that's executive based, and another one that's technically based. Even the help desk team and my security team use some of its components, however, they don't go anywhere often, as there are so many options in there. They have to make the interface a little bit more user-friendly.

    For how long have I used the solution?

    I've worked with Cisco for about ten years.

    What do I think about the stability of the solution?

    The stability is ten out of ten. We have not really had issues with it. We've had one or two small things, however, in the 12 years that I've been there, I've had very few issues with their platform.

    What do I think about the scalability of the solution?

    It scales well. We have no concerns at all. When we decided to roll out 802.1X, we only had it on our endpoint, just laptops. Then we said, "Well, let's scale it out to the wireless access point." We went from 2,000 endpoints to 10,000, since people have mobiles. When we rolled it out to do posture checks on everything wireless, we had no issues.

    How are customer service and support?

    Technical support is good. I have no issues. Cisco supports its products very well, so we've never really had concerns with that aspect. Also, I have a very, very technical team. My guys are CCIE certified, and they are geniuses in their own rights. They've been in Cisco for 20 years.

    They know the product very well and they also work very closely with the Cisco support team. The Cisco support team has very good people. They train their people well, and we've never really had issues that the Cisco team can't resolve if my team can't resolve them. We're taking it for granted that we're getting good support.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not use a different solution. We're a Cisco shop, so we've always used Cisco. 

    How was the initial setup?

    I was involved in the initial setup. I manage the networking team. While I don't necessarily push the commands in, I go through architecture sessions with my team, sign off on it and make sure that what it's doing is worth it, it's my budget. I have to get involved.

    What was our ROI?

    We've seen an ROI. They last a very long time. For example, we have Cisco Campus, which is the next 7000s that we put in 2012, and ten years later, they're still there. We just changed the supervisor modules. However, the chassis is still sitting there and is still working quite fine.

    If I'm not mistaken, it's at end of sales already, however, its end of support is in 2024. That's what I like about their products. They support their product for a very, very long time.  They easily last for ten years. Even our access switches, which are 4900s, are just being switched out now. Those have been in since probably 2010.

    We spend $1.5 million as we have two switches on every single floor. Those are the ones that we're changing out now, and they still work quite fine. Cisco just decided to change them. Their products are very solid and they don't break. We keep them for a very long time. Therefore, the return on investment is not bad. I know when I put it in that I don't need to look at it again for ten more years. I know it's going to be supported for that long. 

    What's my experience with pricing, setup cost, and licensing?

    Cisco is expensive, however, we have a good partnership with our Cisco partner, and we get really good discounts on it. We have a very, very tight relationship with our Cisco representative. We're the largest law firm in Canada and therefore we get special treatment from the Cisco reps in Toronto.

    We've had really good relationships with the team at Cisco Canada, and they all know my team, the architects, the solutions engineers, the salespeople, et cetera. They all know us very well. They come to our offices and we go to their offices. We have a very tight relationship.

    When it comes to cost, we'll talk to them. They'll tell us when is the best time to buy, and we'll get good discounts. I've never really had to forgo a technology that was critical to the firm due to cost. I can always work with Cisco to find some way to reduce the cost.

    Which other solutions did I evaluate?

    We always focus on Cisco products. 

    What other advice do I have?

    I'd rate the solution seven out of ten. 

    It has a lot of rich data in it, however, it's hard to get stuff out of it. You really have to know the product very well and live there to know where to go and find what you are looking for. There's a lot of telemetry in there, however, it's very difficult to actually see how to leverage it.

    I've even been telling my security team, "Guys, there's a component in Cisco ISE that you need to work on, and you need to log in more often." Then two years later, they'll ask, "Why don't you guys use it?" The security networking team will say, "Well, we gave them access." My security team will say, "It's too complex. We have no time to go in there. We don't know where to find anything." That's the only problem that they need to fix. They need to make it easier to navigate, it's too deep.

    Cisco ISE is a good product. It tightly integrates with all of the networking components, but you can leverage it and get a lot of return and investment out of it. However, you need to make sure that when you're rolling it out and when you're initially putting the platform in, you will need to get your help desk team and security team involved.

    Of course, the networking team is the one that's probably going to own it, however, there are so many components in there that can help. The help desk can troubleshoot issues and can provide visibility from the security standpoint, and the networking team owns it anyway. If you get them more involved, they'll be more in tune with using it more often.

    There are a lot of help desk and security capabilities in there. Still, just the networking team rolled it out, nobody wants to look at it, as it's a networking piece of the platform, yet really it's not. You can get a lot from this platform. That's probably what I would tell people, just get everyone involved from the get-go, so that they can get more value from it in the long run. 

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.

    Laurence Mcbride, Senior Business Systems Analyst at a financial services firm with 201-500 employees (Real User)
    Improved our trust situation, but usability, while improving, still needs work
    Pros and Cons
    • "It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go."
    • "A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it."

    What is our primary use case?

    Cisco ISE is our network access control solution. We use it to prevent unwanted devices from connecting to our physical network. We also use it for wireless access control on the corporate network, but not on our guest internet network. That difference is because we have Cisco Meraki on the guest wireless.

    The solution is in twin private data centers and we did virtual servers, not physical appliances. They're on our VMware platform.

    Our business is the lending half of banking only. There are no ATMs or customers coming in with deposits or credit cards. It's a commercial lending operation. We don't have a lot of foot traffic into our locations from our customers. Some might say we're a little overly worried about our physical network, because we're pretty physically secure already. However, we occasionally do customer appreciation events in our locations, at which point there could be 100 people waltzing in and out of any one of our buildings. That's when the regulators say, "That's why you need security." Ultimately, if you let your guard down in the world of security, you're going to get attacked. So, like it or not, we have to button it up.

    How has it helped my organization?

    Cisco ISE definitely helped us pass the audit requirements we had. We're a type of federally chartered organization and we have a special regulator in the federal space. The need for network access control was born out of audit and penetration test findings. ISE is auditable and we send logs up to our SIEM for analysis.

    The solution has also improved our trust situation. It's one of the many pieces that we needed to be buttoned up tight.

    What is most valuable?

    It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go.

    And when it comes to establishing trust for every access request, no matter where it comes from, it's effective. That's like a "pass/fail" and it passes.

    Our environment is a distributed network, across many locations. Cisco ISE runs in a pair of data centers for us: to each client, a primary and a secondary. The database keeps itself synchronized between the two data centers so if one data center is down, we can swing to the other for continuous service. It does its job.

    What needs improvement?

    A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it. There are so many updates and, often, you can't go to a particular update unless you've done all of the updates leading up to it, although I don't think that was our issue.

    If they could improve the upgrade process, that would make me sleep a lot better. It's almost like we need to have it pre-qualified before applying an update because our whole world hangs off of it. It is a "center of the known universe" implementation for us.

    It is also an incredibly "nerdy" tool, one that is not really well documented for your everyday network and security engineers. It takes a village of specialists to keep something like this running. Cisco is definitely making some improvements in the user interface. It's a little more understandable and approachable. Even for the nerdiest of nerds, having what I call a "kissable baby face" makes it more usable. Cisco knows this and, from version 3 and up, they've been trying to improve the usability and it's getting better. It could use some work.

    Not everything is a smart Windows or Mac OS device. We have Windows 10-based user laptops, almost exclusively, and there are some printers and phones and the like that are capable of either a certificate or other 802.1X conversation with Cisco ISE. From an engineering perspective, we just went "way-simple." We do MAC address bypass or MAB tables, which is administratively challenging.

    Finally, I believe we've stretched it beyond its capabilities in attempting to make it a multi-client solution, more like a service provider implementation. It's really not architected for that yet. I think that's on the roadmap. This is what I refer to as a monolithic implementation. It is capable of servicing multiple Active Directories and saying, "I recognize this address range equals client X, and this address range equals client Y," and it can interrogate the appropriate Active Directory. But the way that we've implemented that, honestly, is a hack job. It's fully supported, but it's just not multi-client architected. If I had one message for Cisco, it would be: Please make this thing multi-client, or at least more affordable to do separate implementations that somehow get closer together. That's ultimately what multi-client is.

    All our various clients are collectively involved with one another. Each of the five owners owns an equal share of the company and all profit and loss flows to each of the owners equitably. It's not that we don't have procurement relationships with one another. However, our regulator continues to believe that separating things is better. That way, if one of you gets taken down, the others aren't affected. Anytime that you have a product that is a type of monolithic implementation, it potentially could affect all of us.

    For how long have I used the solution?

    For about six and a half years I worked for a cooperatively-owned service bureau, which is where I got the Cisco ISE experience on the service provider side. Now I'm on the customer side or the business side of how these technologies affect our environment, and how hard or how easy they are to integrate.

    We've had Cisco ISE in production for about four years now. It was a three-year ramp getting it into production.

    What do I think about the stability of the solution?

    It works like a champ until you try to upgrade it, and then it becomes risky and fragile. I don't know whether that is because of the complexity of the architecture. We have what I would call a twin database environment. Where we're trying to keep two copies, at a great distance from one another, synchronized. One misstep and there it goes.

    What do I think about the scalability of the solution?

    It is certainly scalable enough in our environment. We have between 3,000 and 4,000 managed nodes, not counting all of the extra stuff including every type of IOT thing you can imagine: printers, cameras, sensors, a security system. It also doesn't include phones, and we have a phone on every desk, whether there's a user there or not. 

    When you initially think you've only got, say, 3,000 or 3,500 users, how do you get 15,000 devices on your network? But that's the sad reality these days. Everything is on the network. Every employee typically has three devices on the network at any given time: a phone, a tablet, and a computer. The numbers ratchet up quickly. 

    The good news is that it's definitely scalable in our environment to handle 25,000 devices spread across between 150 to 200 locations, some of which are very remote.

    How are customer service and support?

    It is a special class of nerds who know how to work with Cisco ISE, and that's true even inside of Cisco. We have used some third parties, Cisco authorized resellers and solution certified specialists, to deal with this, but that's a last resort. Those are the really expensive people for this because there is such a small community of people who are qualified in this product.

    Because it's such a specialized skill, they are not as available as I would like.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We did not have a previous solution.

    How was the initial setup?

    We were nearly a 100 percent Cisco shop at the time that we selected the product. We had a couple of failed implementations when trying to get it installed. That was likely because we didn't hire the right expertise to assist. Everybody understands the components of it, but when you put it all together, it is just very scientifically complicated.

    What was our ROI?

    In our case, ROI wasn't really a consideration in going with Cisco ISE. It was a regulatory requirement.

    What's my experience with pricing, setup cost, and licensing?

    It is fairly expensive and that's part of why we have implemented it in the type of "hack" that we did, to service multiple clients. It would be nice if it were less expensive.

    Plan your deployment very carefully. Make sure that you really understand the licensing environment. That was a big surprise, not to my team, but to the end customers who were responsible for the budget for it. Everybody thinks "server-centric," and in this particular case, all of those devices that are being protected ultimately have to have appropriate licensing on the system. There was a lot of, "Oh, I didn't realize I had to buy that part." It's not your everyday product and the pricing model wasn't something people were super familiar with to begin with.

    Which other solutions did I evaluate?

    We've evaluated some other products since implementing this one. This is not your everyday tool.

    The one thing that some of Cisco's competitors have done in this particular space, is to take this stuff to the public cloud. As long as you can do that securely, it is helpful. Maybe that would help in our world. I would love to subscribe to this as a service. In other words, we'd prefer that products like this, products that are that complex, be somebody else's problem and just subscribe to the outcome of them. I'd love this solution to be running in Cisco's world where the real expertise is.

    What other advice do I have?

    People groan when they realize that they're going to have to do troubleshooting on Cisco ISE; even the nerdiest of nerds. But any product in this space would engender the same reaction. Trying to figure out how I prove that you're allowed to be on my network is not everybody's happy place. We all just want to set it and forget it.

    The usability and the upgradability over time, for a product that is in such a critical spot, should be better. I'd love to give it a ten because it was the easiest thing in the world to upgrade. It's just not there yet.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.

    Associate Consultant at a computer software company with 201-500 employees (Real User, Top 20)
    Streamlines security policy management and reduces operating costs
    Pros and Cons
    • "In terms of features, I think they've done a lot of improvement on the graphical user interface — it looks really good right now."
    • "An issue with the product is it tends to have a lot of bugs whenever they release a new release."

    What is our primary use case?

    Our use cases are based around dot1x. Basically wired and wireless authentication, authorization, and accounting. 

    In terms of administration, only our networking team uses this solution. Probably five to ten administrators manage the whole product. Their role pretty much is to make sure that we configure the use cases that we use ISE for — pretty much for authenticating users to the wired and wireless networks. We might have certain other advanced use cases depending on certain other business requirements, but their job is pretty much to make sure all the use cases work. If there are issues, if users are complaining, they log into ISE to troubleshoot those issues and have a look at the logs. They basically expand ISE to the rest of the network. There is ongoing activity there as well. The usage is administrative in nature, making sure the configurations are okay, deploying new use cases, and troubleshooting issues.

    How has it helped my organization?

    This solution has definitely improved the way our organization functions.

    What is most valuable?

    In terms of features, I think they've done a lot of improvement on the graphical user interface — it looks really good right now. ISE is always very complicated to deploy because it's GUI-based. So they came up with this feature called work centers, that kind of streamlines that process. That's a good feature in the product right now.

    What needs improvement?

    An issue with the product is it tends to have a lot of bugs whenever they release a new release.

    We've always found ourselves battling out one bug or another. I think, overall, they need to improve from a quality assurance standpoint. ISE has always had this issue with bugs. Even if you go to a Cisco website and you type all the bug releases for ISE, you'll find a lot of bugs. Because the product is kind of intrusive, right? It's in the network. Whenever you have a bug, if something doesn't work, that always creates a lot of noise. I would say that the biggest issue we're having is with all the product bugs.

    Also, the graphical user interface is very heavy. By heavy, I mean it's quite fancy. It's equipped with a lot of features and animations that sometimes slow down the user interface.

    It's a technical product — I don't think a lot of engineers really need fancy GUIs. We pretty much look for functionality, but I think Cisco, for some reason, is putting an emphasis on its GUIs looking better. We always look for functionality over fancy features.

    We've had issues with different browsers, and sometimes it's really slow. From a functionality standpoint, we would rather the GUI was light and faster to navigate.

    ISE has a very good logging capability but because their GUI is so slow, we feel it's not as flexible or user-friendly as we would like it to be, especially when it comes to monitoring and logging. At the end of the day, we're implementing ISE for security. And that means visibility.

    Of course, you can export the data into other products to get that visibility, but we would like to have a better type of monitoring, maybe better dashboards, and better analytics capabilities within the product.

    Analytics is one thing that's really lacking. Even if you're to extract a report, it just takes a lot of time. So, again, that comes down to product design, but that's definitely an area for improvement. I think it does the job well, but they can definitely improve on the monitoring and analytics side.

    For how long have I used the solution?

    I have been using this solution since they released the first version over ten years ago.

    What do I think about the scalability of the solution?

    Scalability is pretty good, provided that you design it properly from the get-go. There are design limitations, depending on the platforms, especially the hardware platforms that you select. On the scalability front, it's not a product that can be virtualized very well — that's an issue. Because in the world of virtualization, customers are always looking for products that they can put in their virtual environments. But ISE is not a truly virtualized product, as in it doesn't do a lot of resource sharing.

    As a result, it's not truly virtualized. Although they do have the VM offering, it's not virtualization in the proper sense of the word. That's one limitation of the product. It's very resource-intensive. As a result, you always end up purchasing additional hardware, actual ISE physical servers. Whereas, we would like to have it deployed in virtual machines if it was better designed. I think when it comes to resource utilization, it probably isn't optimized very well. Ideally, we would like to have a better-virtualized platform.

    How are customer service and technical support?

    Tech support tends to be pretty good for ISE. We do use it extensively because of all of the bugs we encounter. 

    Mostly it's at the beginning of setting the whole environment up. Typically, once it's set up properly, it tends to work. But it's just that the product itself integrates with a lot of other products in the network. It integrates with your switches, with your APs, etc. So, it's a part of an ecosystem. What happens is, if those products experience bugs, then it kind of affects the overall ISE solution as well — that is a bit of a dependency. The ISE use cases are dependent on your network access devices, but that's just the nature of it. The only issue with support is you might have to open a ticket with the ISE team, but if you're looking at issues in your wireless network or switches, you might have to open another ticket with their tech team for switches. 

    For customers using Cisco end-to-end, they should improve the integration and provide a seamless experience to the customer. But right now, they have to refer to other experts. They come in on the call, but the whole process just takes some time.

    That's an area that they can improve on. But typically, I would say that the support has been good. We've been able to resolve issues. They are responsive. They've been good.

    Overall, I would give the support a rating of eight.

    How was the initial setup?

    The setup is not straightforward. It's complex. You need to have a high level of expertise.

    What's my experience with pricing, setup cost, and licensing?

    It's an expensive solution when compared to other vendors. It's definitely more expensive than ClearPass. It's expensive, but the issue, again, comes down to scalability. Because you can't virtualize the product, there's a lot of investment when it comes to your hardware resources. Your CapEx is one of the biggest issues here. That's something Cisco needs to improve because organizations are looking at reducing their hardware footprint. It's unfortunate that ISE is such a resource-intensive application to begin with. As it's not a properly virtualized application, you need to rely on physical hardware to get the best performance.

    The CapEx cost is high. When it comes to operational expenditure, it all depends on the features you're using. They have their tiers, and it all depends on the features you're using. The basic tier, which is where most of the functionality is, is relatively quite cheap. But if you're using some advanced use cases, you need to go to their higher tiers. So, I'm not too worried about operations costs. You need to buy support for the hardware: you need space, power, and cooling on the hardware side. All of that adds up. So, that all comes down to the product design, and they need to make sure it's properly scalable and truly virtualized going forward.

    Which other solutions did I evaluate?

    We've evaluated other products, for example, Aruba ClearPass. There's another product, Forescout, but the use case is a bit different.

    When it comes to dot1x authentication, I think it's ISE and Aruba ClearPass. Forescout also comes into the next space, but the use case is a bit different.

    We prefer ISE because, I think if you're using Cisco devices, it really kind of integrates your ecosystem — that's why we prefer ISE. When it comes to NAC or dot1x products, from a feature standpoint, ISE has had that development now for 10 to 11 years. So, we've seen the product mature over time. And right now it's a pretty stable and functional product. It has a lot of features as well. So, I think the decision is mainly kind of driven by the fact that the rest of the ecosystem is Cisco as well. From a uniform figure standpoint, the other product is probably the industry leader at this point in time for network admission control.

    What other advice do I have?

    The main advice would be in terms of upfront design — this is where a lot of people get it very wrong. Depending on the platforms you choose, there are restrictions and limitations on how many users. We've got various nodes, so how many nodes you can implement, etc. Also, latency considerations must be taken into account, especially if you're deploying it across geographically dispersed regions. The main advice would be to get the design right. Because given that it directly interferes with the network, if you don't get your design right it could be disruptive to the network. Once you've got the proper design in place and that translates into a bill of materials, the implementation you can always figure out. Getting it right, upfront, is the most important thing.

    Overall, I would give ISE a rating of eight out of ten. I don't want to give it a 10 out of 10 because of all the design issues. There is definitely room for improvement, but overall out there in the market, I think it's one of the best products. It has a good ecosystem. It integrates well with Cisco devices, but it also integrates with third-party solutions if you have to do that. It's based on open standards, and we've seen the ecosystem grow over the years. So, they're doing a good job in terms of growing the ecosystem and making sure ISE can work with other products, but there's definitely room for improvement on the product design itself — on monitoring, on analytics. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Network Operations Supervisor at McCoy's Building Supply
    Video Review
    Real User
    Improves network visibility and control over devices, but the user interface could be improved
    Pros and Cons
    • "Not having to trust devices and being able to set those levels of trust and more finely control our network is a benefit."
    • "The UI is not as intuitive as some other products, even products inside of Cisco's wheelhouse."

    What is our primary use case?

    When it comes to ISE, the main challenge that we were trying to address is with our retail environments. We don't have control over the physical access to all the ports and we didn't really have any network access control.

    ISE has, and will continue to allow us to secure our edge environment at the retail stores. It's also going to provide more security as we are rolling out more wireless access.

    We're expanding our footprint to just outside of the retail environment. For example, we're implementing wireless service in our lumber yards. As we progress, we really need to be focused on securing that, and ISE is going to allow us to do that.

    How has it helped my organization?

    The main way that ISE is improving our organization is by acting as an added layer of security. It's a physical layer at the actual network jacks in our retail environments.

    This is also true for our corporate office in conference rooms. We've now got the ability to allow those ports to be hot for a vendor to come in and plug in, and we're not having to rush and go make it hot for them. At the same time, we can still control what access they have without having to be hands-on all of the time.

    The other thing with vendors is that in our stores, a lot of times we have some older technology from vendors that is not wireless. Until now, we haven't been able to push those devices onto a guest network. But now with ISE, we are able to dynamically assign those types of devices to a wired guest network.

    The fact that Cisco ISE establishes trust, regardless of where requests come from, has helped us come to realize what was on our network. We thought we knew what was on our network, and we thought we had control over devices, but there's a lot out there that we can't keep track of, day to day. For example, if a different department adds a computer that handles paint and we didn't know about it, suddenly it's on our network.

    Now that we've got ISE, I feel like it's a big step in the right direction in terms of increasing the trust in our network. Not having to trust devices and being able to set those levels of trust and more finely control our network is a benefit.

    ISE has really helped us in supporting our distributed network because we are geographically diverse with remote sites in Texas and five surrounding states. This means that we can't always be out there, hands-on.

    With retail environments, we can't rely on our employees in the stores to be technically minded all the time. As such, it really helps us not to have to worry about that. We don't have to try and train people that aren't meant to be doing that kind of work, because their job is selling lumber. It's not always being there on top of the security of the network.

    What is most valuable?

    The most valuable feature for us with ISE is the network access control. It provides both security and visibility to what is on our network.

    The control ISE gives us with those devices, whether they're company-owned or BYOD, anything on our network, we now have a little bit more visibility into and more control over how it performs and what access it has on our network.

    What needs improvement?

    When it comes to improvements with ISE, even though we've been using it, there's still a lot to learn because it's such a robust product. I think that Cisco could do something to counteract the stigma that ISE is cumbersome and hard to use.

    There was a big pushback against us implementing this product because as VPs and executives start to talk, they want to talk about everything they've heard, and they had it in their minds that things are the way they are. To proceed with implementing ISE, we had to push against that.

    The UI is not as intuitive as some other products, even products inside of Cisco's wheelhouse. To an extent, some of it feels like it's legacy and could be improved upon.

    What do I think about the stability of the solution?

    One thing with Cisco is that we haven't ever had issues with stability, and ISE lines right up with that. We're using the virtual appliance and we're using VMs. We haven't had any issues there, as long as you know the caveats that go along with their setup.

    There have been no issues as far as performance or uptime.

    What do I think about the scalability of the solution?

    Scalability with ISE goes back to the setup, and that initial planning phase. You have to identify your networks and your devices and what you want to do.

    Once you get it set up, then scalability is not an issue. Definitely, the more complex your network, the more time you're going to spend on the pre-setup stage.

    How are customer service and support?

    I really like Cisco's products. Sometimes, however, I have trouble with the support because you're getting someone that doesn't know your environment. This is something that's just going to happen.

    Another frustrating point is that you sometimes get a person that doesn't realize that you might know what you're doing. You've already turned it off and back on, but they've got to walk you through those steps no matter what you tell them.

    You feel like it's a battle to get to the point where you actually start to work on the solution. It's not the same with everyone but when we do have to work with Cisco, it's usually a bigger problem that necessitates engaging TAC.

    At that point, it's hit or miss. Sometimes they're great and just click and get the problem fixed, whereas other times it's an uphill battle back and forth where you can't get on the same page.

    I would rate the technical support a six and a half out of ten.

    However, our account team from Cisco, who are the systems engineers that support us, I would rate about a nine. They are always there and are great to work with. 

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    This is our first solution for network access control and that level of visibility.

    For visibility, we do have CrowdStrike. That gives us visibility into our network, but it only acts on the agent and it uses an ARP request to discover devices that it didn't already know about. You can't really trust that, because if someone gets on maliciously, they're going to know enough to not just be blatantly, obviously there. You want to have a little bit more security in place when they first connect.

    How was the initial setup?

    The deployment of ISE is definitely more complex than other things, but it's inherent because there's a lot of prep and planning to set up how you're going to handle certain types of devices.

    You start realizing that you hadn't even thought of some things and accounted for other things. Definitely, it's a big exercise in prep work. It involves filling out questionnaires and keeping spreadsheets on everything on your network. That said, it was eye-opening and a good experience, but there's definitely quite a bit of work to set up ISE.

    We're juggling a lot of things at one time, so it took six months to deploy. A lot of that was not dedicated to ISE, and we were still doing the other parts of our job throughout the process.

    What about the implementation team?

    We received help setting it up from our reseller, who was Accudata, but they were recently purchased by Converge Technology Solutions. We've got a great relationship with them; they've always got great resources and great account teams.

    What was our ROI?

    If I were to comment on the return of investment on ISE, I don't really know where to begin because it was something we never did before. It was somewhere where we were lacking. We just didn't have the time or the manpower to do what ISE will do for us.

    I'm sure someone out there can crunch the numbers and quantify the ROI on stopping an attack or a breach, but I don't have those numbers and thankfully, we haven't had one yet.

    For us, we didn't have the manpower to do it right. Implementing ISE has saved us the need to invest in that manpower.

    What's my experience with pricing, setup cost, and licensing?

    When it comes to licensing, I'm hoping Cisco is improving that because that's always been a pain point. I usually rely on our account team, which thankfully we have one, to help with the licensing.

    Over the years, licensing has been confusing and complicated because there are so many different licenses for each different product and each different iteration of the product.

    What other advice do I have?

    In terms of advice for anybody who is looking into Cisco ISE, I wouldn't suggest just jumping in and buying ISE. I'm not trying to talk badly about anything, but I would say, do your due diligence and understand your network and what's going to work for you.

    Definitely understand that you're getting into a lot with ISE. There's a lot of capability, but I don't feel like just one person working on a hundred networks should be taking that on and trying to manage it themselves.

    Overall, this is a good product but there's definitely room for improvement. Also, we're not using everything we could within the product.

    I would rate this solution a seven out of ten. 

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Network Infrastructure Specialist at a tech services company with 51-200 employees
    Real User
    Top 20
    Good posturing, good integration, and excellent technical support
    Pros and Cons
    • "At the moment, ISE seems to integrate very well with a number of other technologies."
    • "This product doesn't work in isolation."

    What is our primary use case?

    Mainly the use case of the solution is for ensuring that the corporate staff gets access to their authorized systems. 

    Another use case is for contractors to get access to the authorized systems. Those are the ones that hope to assist in the maintenance or for authorized admissions to the network.

    We do also use it for remote access, for example, VPNs, and also for wired and wireless access to the network.

    What is most valuable?

    The posturing is the solution's most important aspect. When a user connects his or her machine to the network, the first step is for ISE to check whether that machine is authorized, check that that machine is compliant with respect to antiviruses, whether it complies with respect to Windows updates, et cetera. If not, there is a feature for auto-remediation, so that the proper antivirus and Windows updates can be pushed to the machine.

    At the moment, ISE seems to integrate very well with a number of other technologies. It integrates well with Microsoft and integrates well with other wireless systems.

    What needs improvement?

    In terms of the improvements I need, they've already, according to my research, done those improvements with their new versions. The features have already improved on their newer version, and that's why we need to update to that new version.

    What is required is that Cisco needs to be doing health checks and following up with the customer to ensure that their Cisco partners have done the deployment right. That's something that has really helped us.

    Whenever a partner comes and does any deployment, we would, later on, engage Cisco for a health check, so that Cisco could assist with their products. They would check whether it has been deployed following the best practices - or they would just alert us on which features that we have paid for and we are not taking advantage of that. 

    Cisco needs to continue with that health check. That engagement with their customers to reconfirm everything is like a quality assurance that the Cisco partners have given the right stuff to their customers.

    This product doesn't work in isolation. For example, when we talk of posturing the Microsoft updates, the system that does automatic updates for Microsoft needs to work in an ideal fashion. The antivirus needs to work. Of course, the antivirus is not Cisco. Those products need to work as they should so that the integration of the ISE product will work as well. When all factors are held constant, Cisco works well.

    For how long have I used the solution?

    We have been using the solution for six years now.

    What do I think about the stability of the solution?

    We have been using it, especially during alternative working arrangements (due to COVID-19). Using it, it's been stable. We have not had any issues. The only reason we are looking to upgrade is we didn't know the benefits that the newer version offered. When we checked with Cisco, they advised us that we were missing a few items that were actually gaps caused by the partner's setup, which we realized during the health check.

    We haven't had bugs or glitches. It doesn't crash or freeze. It's good.

    What do I think about the scalability of the solution?

    Everyone in our company is using Cisco. In terms of users, we have about 1,500, however, in terms of endpoints we have, that would be closer to about 3,000 to 4,000 endpoints, including wireless gadgets, switches, laptops, phones, and all that. We use it on a daily basis.

    Scalability probably might be an issue. Before we bought ISE, we did sizing for each. We looked at the number of users in the organization, 1,500, and then we used a factor to look at the uppermost band. We decided we would have to go for 4,000 licenses or 4,500 licenses. We multiplied by three. Based on that, we went for a certain hardware model.

    This time, the hardware model we are going for supports up to or has the capability to support up to 10,000 users or endpoints. When we go for that, we will have used even less than 50% of what their hardware is capable of. Above 10,000, there's another hardware model that we're generally expected to go for. 

    Basically, when you get the right model, when you do the right scaling, it will be very scalable. However, from the onset, you need the right hardware for ISE.

    The solution is more meant for enterprise-level organizations. It's not really for small companies, however, that has more to do with the pricing.

    How are customer service and technical support?

    We've dealt with technical support in the past. Their support is excellent, except for Umbrella. There is a technology called Cisco Umbrella, and they're a bit slow; however, the technical support in general, depending on the severity of the issue, is very prompt. I would say we are quite satisfied with their level of service.

    Which solution did I use previously and why did I switch?

    I've only ever used Cisco. I used to use NAC, however, they changed to ISE. I've never used any other product.

    How was the initial setup?

    We had a partner set up the solution, and we're not sure if they set it up correctly. The partners come straight to us, and do the deployment. Cisco only is there to be the third eye to come and check that the deployment has been done okay.

    You have to make sure that other items connected to ISE are correctly implemented and updated as well (such as the antivirus), otherwise, it won't work as you need it to. There's a lot of configuration that needs to be done at the outset.

    I'm not sure how long the deployment takes, as I wasn't at the company when it was set up. However, it's my understanding that it shouldn't take too long so long as everything surrounding it is correctly aligned.

    Any maintenance that needs to be done is handled by a third party. That includes patching, et cetera. We have an SLA with a Cisco recognized partner.

    What about the implementation team?

    We worked with a partner that assisted with the setup.

    Afterward, Cisco will also come in to do a "health check" to make sure the setup is correct and they can direct users to features they should use or are not using.

    What's my experience with pricing, setup cost, and licensing?

    Cisco does not sell directly. They have authorized partners you need to buy through.

    I don't deal directly with the licensing and therefore do not have any idea what the pricing of the product is. It's not part of my responsibilities.

    It is my understanding, however, that it would be expensive for smaller organizations. Startups may not be able to afford these products.

    We don't really worry about pricing, as cheap might be expensive in the long run if you don't get a product that is right for your organization, or is more likely to break down over time.

    Which other solutions did I evaluate?

    We are in the process of doing a refresh and I have compared other technologies to see how they stack up. I've looked at Fortinet, for example.

    I wouldn't say we are switching from Cisco. What we are doing is we were exploring other technologies that offer similar functions. Sometimes it's good to look outside as you might think you have the best and yet you don't. We are just looking for other solutions to get to know what they offer. If we feel that there is something unique that is on offer somewhere else, then we would want to check that in Cisco and see, where is this offered in Cisco's product? 

    We haven't concluded that we are switching. In any case, from what I have seen so far, it is likely we won't switch. 

    What other advice do I have?

    We're just a customer. We buy their products for our security and our connectivity.

    We're not using the latest version. We're actually using a few versions. We have ISE, which is version 2.3. We're supposed to go up to version 2.7, and that requires a refresh of the hardware.

    That's why we are saying, "Should we try to look for a different solution?" That's why I have been looking for comparisons. We haven't dedicated a lot of time to that yet. From my assessments so far, however, ISE still wins the show and it's likely that the partner that was doing the deployment originally on behalf of Cisco probably missed out on a number of things. It's really about the engineers who are doing the deployment. You need to make sure you have some good ones.

    I would recommend this solution to others, especially mature organizations as the smaller organizations may not be able to afford this. 

    On a scale from one to ten, I would rate the product at an eight.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Bill Masci - PeerSpot reviewer
    Senior Network Admin at Iridium
    Video Review
    Real User
    Top 20
    Helps across a distributed network, giving you a central way of authenticating everybody
    Pros and Cons
    • "When we use ISE, one of the helpful things is that I can go through the dashboard and get every step along the way of how a device was authenticated. If it's failing, why did it fail? Why is it unauthorized? If there's an error, what is the error and how can I fix that error? If it's something that, if they should be passing, why are they failing?"
    • "A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on."

    What is our primary use case?

    Our main use case right now is TACACS for device administration and authentication, as well as for user authentication on the network: wireless authentication, 802.1X, and wired authentication too, for RADIUS.

    How has it helped my organization?

    The way Cisco ISE has improved our organization is [by] making sure that we have secured our network. It's making sure that if somebody comes into the office who [possibly] shouldn't be there, and they plug a computer in or try to hit our WiFi, that we know, based on the criteria we've set up, that this person should have access. They've passed all the tests we've set up to make sure that they're not a bad actor or somebody who shouldn't be on the network.

    ISE can, a lot of times, be the first stop for us to troubleshoot user errors or user issues. If you start your security posture by assuming there's no trust for a device, you're going to make sure that ISE is validating the device from the ground up. It's not just assuming that something has access, it's making sure it goes through the full process to gain access to your network.

    ISE has definitely helped us across a distributed network, because you have a central way of authenticating everybody. It could be switches across different vendors, it could be different switch models—whether a Cisco Catalyst 9000 or a 2960—you can make sure, although these might be different devices, that the authentication process is going to be the same for the users. You have that peace of mind that no matter where somebody's plugging in, or what AP they're authenticating to, it's going to follow the same security guidelines, the same authentication process, to be granted network access.

    What is most valuable?

    The most valuable features for us are ensuring that we have the right people logging in to the network as well as protecting our device configuration. If somebody goes in to make a configuration adjustment, we need to make sure it's the right person, that they have the right access, and that we have validated that.

    When we use ISE, one of the helpful things is that I can go through the dashboard and get every step along the way of how a device was authenticated. If it's failing, why did it fail? Why is it unauthorized? If there's an error, what is the error and how can I fix that error? If it's something that, if they should be passing, why are they failing?

    For device administration, like logging in to a switch or a router, we can see all the commands that people have put in and who made changes. If we need to fix something—a bad command, or somebody put something in that pulls a device out of what we consider our compliance—we can fix that. 

    From an administrator perspective we can look at "Why did you make this change?" and figure out how we don't break something in the future, if it was something that did cause an outage. 

    And when it comes to things like wireless, we can see who is hitting the network, who is hitting a corporate SSID, or a guest SSID. Are they failing? What errors are you seeing along the way?

    What needs improvement?

    A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on.

    The upgrade process is not very simple. It's pretty time-consuming. If you follow it step by step you're probably going to have a good time, but there are still a lot of things that could be a lot more user-friendly from an administrator's perspective. [They could be] easing a lot of the issues that people have. Instead of just saying the best practice is to migrate to new nodes [what would be helpful] would be to make that upgrade process easier.

    The UI is a lot nicer in 3.0. It's pretty slow, but for the most part, it's easy to find what you're looking for, especially things like RADIUS live logs, TACACS live logs. From a troubleshooting perspective, it's really nice finding stuff. For setting up policies, from that perspective, it could be a little bit better looking.

    For how long have I used the solution?

    I've been using Cisco ISE (Identity Services Engine) for about five years, myself. My company has been using it for longer than that.

    What do I think about the stability of the solution?

    The stability for our virtual machines is good if you follow the best practice and give it the reservations the virtual machines need, and you're making sure that you're following how many recommended devices are going to be authenticating to it. We don't have stability issues with ISE.

    What do I think about the scalability of the solution?

    The scalability has been fine for us. We're actually in the process of possibly deploying more PSN (Policy Service) Nodes, so we'll see if that helps. But scalability hasn't been an issue. I don't think we're running into device count limitations or VM performance [issues].

    We're around the 600-700 mark in terms of the number of devices in our company.

    How are customer service and support?

    Support has been pretty helpful when we've needed it. We haven't had too many issues where I was asking for an escalation immediately or sweating profusely because it's not working. I can't say anything bad about support, but I don't have enough experience to give a really substantial answer.

    How would you rate customer service and support?

    Positive

    What about the implementation team?

    I did not deploy ISE. We had a partner who helped us deploy it.

    What was our ROI?

    I don't know what the investment was, because I'm not involved in the pricing aspect of it. But there's no way for us to run a secure, reliable, user access or device administration access without something like ISE. The return on the investment, I think, is great. It's integral to our network so I don't know what we would do without ISE.

    What's my experience with pricing, setup cost, and licensing?

    The licensing model is pretty straightforward. There are some changes from [version] 2.x going up to 3.0 and switching to the Smart Licensing. But if you have somebody who can explain it to you, so that you know that when you're upgrading you're not losing functionality, or you're not putting yourself in a position where the license count you're used to having can go away; as long as that's set up, it's fine.

    Which other solutions did I evaluate?

    I have used Aruba ClearPass in the past. They're pretty comparable. If I'm going to be honest, I think ClearPass has a better user interface and some of the things are laid out a little bit better. But when ISE is up and running, it's more reliable, it's more stable. You just have to get it to that point and then it's a really nice product that I like using.

    What other advice do I have?

    In terms of eliminating trust from network architecture, ISE can do so when it's implemented correctly. There are still certain functions of ISE where you have to be diligent in making sure that if a user is plugging into a network port, that that port is set up to use ISE for authentication. It's kind of a two-way street. It's a great tool, but you have to set it up correctly. You have to make sure that it's doing what you've intended it to do. When you do that, it's great for that. We don't have any issues with that and it's definitely an integral part of our network.

    The advice I would give people is to decide what you are looking for in terms of your AAA. Are you looking for a secure way to authenticate VPN users, users logging in for WiFi, for wired access? Something I don't use at my organization is the Guest Portal, but I know ISE has a pretty considerable catalog for deploying guest portals, for device onboarding, and posture assessment. If those are all the things you're looking for, the features, I would definitely recommend ISE.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Accounting Executive at a tech services company with 11-50 employees
    MSP
    Highly granular and effective NAC, but also complex to deploy
    Pros and Cons
    • "The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique back addresses. It would say that this in my profile so I could get to those apps with either device, 24/7. That's how granular the ISE or these NAC solutions can get."
    • "In the next release, I would want to see this kind of solution in the cloud as opposed to on-prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud-based software subscriptions."

    What is our primary use case?

    The ISE product is used to make sure that folks can get access to the application servers that they need to get access to, let's say for accounting and another group like sales and marketing, they would have no business accessing each other's servers, those apps. So you would set up a policy that allows accounting to do what they have to do whether they're remote or on campus and then the sales and marketing folks could never access that. They are totally blocked. It's a virtual firewall, basically.

    What is most valuable?

    The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique back addresses. It would say that this in my profile so I could get to those apps with either device, 24/7. That's how granular the ISE or these NAC solutions can get. That you have to have that same device.

    They can get into the antivirus. They will check the antivirus to see if it's the most current version and if it's not, if that's your policy, it will let you go through and access the app if the antivirus has been updated. But if the policy was that it has to be the most current version, then it can block you until you upgrade the antivirus.

    What needs improvement?

    As far as what could be improved, to continually be thinking about ransomware, cyber attacks, and all those kinds of things. They always have to be innovating. Always have to be improving. I can't give you anything specific because these cyber guys are always coming up with new ways to get in. You just really have to be aware of what's going on.

    In the next release, I would want to see this kind of solution in the cloud as opposed to on-prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud-based software subscriptions.

    What do I think about the stability of the solution?

    In terms of stability, they are rock solid. If you set the policy and you implement it, it's not going to break.

    What do I think about the scalability of the solution?

    They scale. You just have to buy licenses. Whether you're talking about 5,000 users or more, it's just a licensing model.

    What I saw most customers trying to do was to outsource it to the partner. A value-added reseller would have to do that. They typically haven't been trained. They have to go to school, get certifications and that kind of stuff. That's always a requirement, but most people weren't going to tackle that themselves. They're going to farm it out to somebody who has done it before, who has the expertise to do it.

    I do anticipate increased usage. Pick a vendor, like Cisco and Aruba, because for all the threats that are out there, they are always going to have some kind of a NAC strategy. You have to. You really have to. The days of the firewall or perimeter security are over. There are just too many possible ways people can come into your network - disgruntled employees, someone that got paid off, you never know. This is always going to be here.

    How are customer service and support?

    They're very good. All of them are very good.

    Which solution did I use previously and why did I switch?

    It has been pretty much Cisco from the beginning. With another VAR recently, we were pitching the Aruba ClearPass. And actually the ClearPass will run on top of a Cisco infrastructure, which is kind of cool. That's unique, but the ISE doesn't go that way. You won't run ISE on top of an Aruba infrastructure, but Aruba built that solution from day one to be compatible with Cisco switches and routers and wireless stuff. I thought that was pretty compelling.

    Cisco has their ISE, their Identity Services Engine. The other one that I would tell a customer to look at would be the Aruba ClearPass. I don't know enough about the Juniper Solution to make any comment about that. But those are the two that I think about the most for identity solutions.

    How was the initial setup?

    The first part is to figure out what you want, what the customer wants to protect, who needs to be protected, and to gather all the data you can on users, contact information, the devices they use, the MAC addresses of the devices, what time of day, what apps... I mean you really have to dig into all that. It's not easy. It's hard. The bigger the customer, the more complex it is going to be. But if you don't do that, the deployment is not going to go well. Really consulting on the front end has to occur.

    On the consulting part, it depends on how big the customer is, how many you're talking about - 5,000 users or 50 users. That drives the answer. I would say if you don't take 30 days to scope it correctly and document, if you do something less than that, the execution deployment is going to go sideways and that can be months. Those things are months. Those could be six months or so. You've got to pick a pilot case. You build a template, you do a small group, and then you see how the reactions are, see if the users accept that policy, make sure it's right. I would do it group by group. Accounting first, or IT first. And then you do the sales and marketing and HR and all those kinds of things.

    What was our ROI?

    In terms of ROI, the only thing that comes to mind is if you look at whatever the current market data says for a breach cost if you have ransomware attack or something, if you choose to rebuild your network, as opposed to paying the ransom, what does that cost? Is that $100,000 a day? Is that a million dollars a day? So whatever that cost is, go look at the cost of the NAC licensing, ISE or ClearPass. And that answers the question for you. If you can block the threats on the front end, you can avoid the whole ransomware conversation.

    What's my experience with pricing, setup cost, and licensing?

    I have not looked at the pricing in a while. I don't really know. These companies are putting together enterprise license agreements, like a site license, and they'll do multiyear and they'll make them pretty aggressive. If you are buying three security packages from them, for example, they'll give you a significant discount. If you're at two, when you look at the cost to go to a third one, they'll just do it because it discounts the whole package altogether.

    As for extra fees and costs, it is just a subscription model, pretty predictable.

    What other advice do I have?

    I can tell you, even as a Cisco person, ISE was considered very complex and difficult to deploy. That was coming from both the customers and the partners that had to deploy it. It can be very complex and you really have to know what you're doing. The thing that we always stress with customers is to go through and build a policy first. Decide what you want to block, and who is going to have access to what, and do some due diligence on the front end because once the policy is created, then you can deploy what we have all agreed to. As opposed to just trying to wing it and figure as you go - that is not a good play. That was always the comment from the Cisco customers.

    My advice to prospective users is to find a consultant or a VAR that has done it before. I think that is key. And then talk to a customer that they did it for.

    On a scale of one to ten, I would rate Cisco ISE a seven. That is because it is so complex. I mean, it's not a trivial task.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Network Engineer at a hospitality company with 10,001+ employees
    Video Review
    Real User
    Helped us get away from pre-shared keys, and allows us to see what's connected to the network
    Pros and Cons
    • "[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting MAC addresses."
    • "Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved..."

    What is our primary use case?

    One of our use cases is using it for authentication for the wireless. Our internal corporate network is using the Cisco ISE server to authenticate clients and make sure that we have the right clients on the wireless side, as well as on the wired side. We just introduced that about a year ago to make sure all our wired clients are our clients and not some "rando" plugging into the network.

    How has it helped my organization?

    Definitely, getting away from pre-shared keys has been the biggest key. It is allowing users to connect to the internal network, the employee's network, from anywhere, across the entire US. It is allowing that ease of use. 

    It's also allowing us to see what's connected to the network. We can see that there are only really clients. We can see what's connected on the wired side and what's getting blocked, and understand [things] from our users. "Okay, that's getting plugged in. What do you guys use this for?" It's adding a layer of defense that's super important to our organization.

    I don't think we've gotten away from trust completely, but it has helped a lot. It's allowed, on the server side and on the infrastructure side, to allow certain clients. We don't have to trust the client necessarily. We know that that's a corporate client and we don't have to play any guessing games. The corporate client that we want on that specific network is going to have the right cert and the right thing. It allows access control without a lot of human involvement.

    It's helped significantly. We have fewer IoT devices on internal networks and that's the key. Your clients have the right firewall protections and the right anti-virus. Those are on the internal network so you're not putting stuff [on it] that you don't know whether it has a security vulnerability or if it's easily hacked. You're allowing those to be in separated networks that silo them off with a PSK. And you're keeping the internal network to clients that you know are protected.

    What is most valuable?

    [One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting MAC addresses.

    It also integrates really well with some of our other services like ServiceNow. A ticket comes in and then, boom, it's automatically going to the ISE, and then ISE is allowing that client with that MAC address to get on the network easily.

    [In addition, regarding establishing trust for every access request, no matter where it comes from] it does the job. It's a perfect solution in order to manage a large corporate network.

    It allows that access control [for a distributed network]. That's super significant. It allows you to segment things and allows only certain devices to access the network.

    What needs improvement?

    Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved, as we get more and more away from a lot of human involvement and [into] machine learning and just trusting that these systems could automatically help us.

    For how long have I used the solution?

    My name is Edward Martinez. Network engineer. Our company has about 5,000 employees, and we're in the beverage industry.

    [I've been using Cisco ISE (Identity Services Engine)] ever since I started. That was one of the main services that I had to understand and get involved with as soon as I started at our company.

    What do I think about the stability of the solution?

    I haven't had many issues in terms of its stability. It doesn't really ever go down. Anytime we ever have any issues with it, it's usually human error.

    How are customer service and support?

    In the past, I've always had pretty good support from Cisco. Their TAC is really good. They're pretty straightforward. I haven't had many experiences with ISE, honestly. It works so well we haven't had to reach out too much.

    I would rate their support about a nine out of 10. It works most of the time. It depends on the engineer you run into. It depends on the people you deal with.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    [The main challenge] was authentication and not using PSK, traditional pre-shared keys. They wanted to get away from pre-shared keys; people share them. They wanted something that would allow clients to just connect automatically, not have a pre-shared key, and be secure. That's the most important part, making sure that the right clients are getting on our internal corporate network.

    [Our company] was just using PSK and that solution was really built around access control of our corporate networks. They were using PSKs at every site and rotating those PSKs, or had site-specific PSKs. Now, when somebody comes into the office, they can just connect to the employees' network automatically, and it's the same across the board at every site. 

    It was this idea that we needed to simplify things. We needed to make it easier on our users to go into an office and connect to the internet and not have to ask an IT guy there or make a ticket. That was the important part.

    How was the initial setup?

    I've just been involved with the secondary deployment, using the ISE on our wired ports.

    It was pretty straightforward. It was funny. We did it during COVID so it was really easy when nobody was in the office to implement the solution. It kind of worked out that way, when there was nobody in the office.

    But otherwise, people have started to come back and we haven't had really many issues in terms of authentication. It's really easy. People have wired in and if their client has the right cert, it's been a breeze. They've been authenticated and it takes a minimal amount of time.

    What about the implementation team?

    We have an operations partner that we deal with pretty often. It's an Austrian company, NTS. They work with Cisco a lot on our solutions and, obviously, we're evaluating it with them and then making choices based off of that. I'm the onsite hands. I do a lot of the configuration on the switches, but they're doing a lot of the advising.

    What was our ROI?

    You're seeing fewer tickets and you have fewer security issues. I think the return on investment is there. It has really improved our situation in our corporate offices.

    What other advice do I have?

    Resilience is super important. The solution needs to be able to hold up and promise what it [intends] to deliver. In cyber security, that's super important because if you have any slight exploit, you're going to have malware attacks, ransomware attacks. That's [a] big [issue] in our company as, more and more, you hear about legacy systems being affected. These legacy systems sometimes don't go away. Sometimes you need them. You have to do your best to either patch them up or protect them either through a firewall or an access control system. 

    [It's about] protecting the network infrastructure from exploits and really allowing us to segment IoT devices and the corporate network. And because [on] the corporate network, once you get into it, there really isn't anything protecting against accessing critical storage systems, accessing mission-critical servers, [or] our sales numbers, it's super important that we have the ISE so that we're only allowing the things that we want into the network that we trust.

    [What I would tell leaders who want to build more resilience within their organization would be] evaluate solutions, prioritize it, get manpower behind it. Also, too often they put cyber security on the back burner. They're trying to maintain operations and sometimes cyber security can get in the way of operations. But trust that the system, once you build it up, will protect you and that it's worth the investment in terms of money, labor, and time.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
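    The reviews above describe the same handful of NAC decisions from different angles: the first reviewer wants the live log to say exactly why an endpoint failed, the second describes group-based access plus an antivirus posture check, and the third replaced shared PSKs with client certificates while segmenting IoT devices via MAC-address whitelisting. The following is an added, self-contained Python example written for this page; it is not Cisco ISE code and not any reviewer's configuration. It models those decisions as a small authorization policy: certificate-authenticated corporate clients are placed in a VLAN by group only after posture passes, known IoT MACs land in a separate segment, and everything else is denied with a human-readable reason. The CA name, VLAN numbers, group names and MAC addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# All values below are constructed for this example (assumptions, not real infrastructure).
CORP_CA = "Example Corp Issuing CA"              # issuer expected on EAP-TLS client certs
GROUP_VLAN = {"accounting": 110, "sales": 120, "it": 100}  # per-group corporate VLANs
IOT_VLAN = 300                                   # segment for MAB-only devices
QUARANTINE_VLAN = 999                            # remediation segment for failed posture
MAB_ALLOWLIST = {"00:1a:2b:3c:4d:5e", "f0:9f:c2:00:11:22"}  # constructed IoT MACs

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> Optional[str]:
    """Canonicalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff'
    to 'aa:bb:cc:dd:ee:ff'. Anything that is not exactly 12 hex digits returns
    None, so a malformed or padded value can never match the allowlist."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC12.fullmatch(raw):
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    """What the access switch / controller reports for one access request."""
    mac: str
    cert_cn: Optional[str] = None       # subject CN of the client cert, None if no EAP-TLS
    cert_issuer: Optional[str] = None   # issuer of that cert as validated by the RADIUS server
    user_group: Optional[str] = None    # directory group resolved after authentication
    av_current: Optional[bool] = None   # posture agent result; None means not assessed


@dataclass
class Decision:
    result: str            # "permit", "quarantine" or "deny"
    vlan: Optional[int]    # VLAN to assign, None when denied
    reason: str            # the "why" a troubleshooter wants to see in the live log


def authorize(ep: Endpoint) -> Decision:
    """Evaluate rules top to bottom; the first match wins, default is deny."""
    mac = normalize_mac(ep.mac)
    if mac is None:
        return Decision("deny", None, f"malformed MAC address {ep.mac!r}")

    # Rule 1: client presented a certificate (EAP-TLS). A cert is only trusted
    # when our own CA issued it; a valid cert from any other CA is still denied.
    if ep.cert_issuer is not None:
        if ep.cert_issuer != CORP_CA:
            return Decision("deny", None, f"cert issued by untrusted CA {ep.cert_issuer!r}")
        if ep.av_current is None:
            return Decision("deny", None, "posture not assessed")
        if ep.av_current is False:
            return Decision("quarantine", QUARANTINE_VLAN, "antivirus not current")
        vlan = GROUP_VLAN.get(ep.user_group or "")
        if vlan is None:
            return Decision("deny", None, f"no authorization rule for group {ep.user_group!r}")
        return Decision("permit", vlan, f"EAP-TLS ok, group {ep.user_group!r}")

    # Rule 2: no certificate -> MAC Authentication Bypass, but only for devices we
    # enrolled ahead of time, and only into the isolated IoT segment.
    if mac in MAB_ALLOWLIST:
        return Decision("permit", IOT_VLAN, "MAB allowlist match, IoT segment")

    # Rule 3: default deny. An unknown device plugging into a port gets nothing.
    return Decision("deny", None, "unknown endpoint: no certificate and not on MAB allowlist")


def log_line(ep: Endpoint, d: Decision) -> str:
    """One line in the style of an authentication live log (format is our own)."""
    who = ep.cert_cn or "(no cert)"
    return f"mac={normalize_mac(ep.mac) or ep.mac} id={who} result={d.result} vlan={d.vlan} reason={d.reason}"


if __name__ == "__main__":
    samples = [
        Endpoint(mac="AA-BB-CC-DD-EE-FF", cert_cn="laptop-42", cert_issuer=CORP_CA,
                 user_group="accounting", av_current=True),
        Endpoint(mac="aabb.ccdd.eeff", cert_cn="laptop-42", cert_issuer=CORP_CA,
                 user_group="accounting", av_current=False),
        Endpoint(mac="00:1A:2B:3C:4D:5E"),                   # enrolled IoT device
        Endpoint(mac="11:22:33:44:55:66"),                   # "rando" plugging in
        Endpoint(mac="11:22:33:44:55:66", cert_cn="byod", cert_issuer="Some Public CA",
                 user_group="it", av_current=True),
    ]
    for ep in samples:
        print(log_line(ep, authorize(ep)))
```

    The ordering matters: posture is checked before the group lookup so an out-of-date corporate laptop is quarantined rather than silently dropped into its normal VLAN, and the MAB allowlist is consulted only when no certificate is present, so a known IoT MAC spoofed onto a laptop still cannot reach the corporate segment.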