Cisco ISE (Identity Services Engine) Overview

Cisco ISE (Identity Services Engine) is the #1 ranked solution in top Network Access Control (NAC) tools and the #3 ranked solution in top Cisco Security Portfolio tools. PeerSpot users give Cisco ISE (Identity Services Engine) an average rating of 8.2 out of 10. Cisco ISE (Identity Services Engine) is most commonly compared to Aruba ClearPass. Cisco ISE (Identity Services Engine) is popular among the large enterprise segment, accounting for 58% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from a computer software company, accounting for 17% of all views.
Cisco ISE (Identity Services Engine) Buyer's Guide

Download the Cisco ISE (Identity Services Engine) Buyer's Guide including reviews and more. Updated: June 2023

What is Cisco ISE (Identity Services Engine)?

Cisco ISE is an all-in-one solution that streamlines security policy management and reduces operating costs. Cisco ISE delivers visibility and access control over users and devices across wired, wireless, and VPN connections.

Identity Services Engine enables enterprises to deliver secure network access to users and devices. It shares contextual data, such as threats and vulnerabilities, with integrated solutions from Cisco technology partners. You can see what is happening in your network, which applications are running, and more.

Features of Cisco ISE

  • Centralized management helps administrators configure and manage user profile characteristics - a single pane of glass for integrated management services.
  • Contextual identity and business policy: a rule-based, attribute-driven policy model. The goal is to provide flexible access control policies.
  • Wide range of access control options, including Virtual LAN (VLAN) assignment, URL redirection, and access control lists.
  • Supplicant-less network access: You can roll out secure network access by deriving authentication from login information across application layers.
  • Guest lifecycle management streamlines the experience for implementing and customizing network access for guests.
  • Built-in AAA services: The platform uses standard RADIUS protocol for authentication, authorization, and accounting.
  • Device auditing, administration, and access control provide users with access on a need-to-know and need-to-act basis. It keeps audit trails for every change in the network.
  • Device profiling: ISE features predefined device templates for different types of endpoints.
  • Internal certificate authority: An easy-to-deploy single console to manage endpoints and certificates.

Benefits of Cisco ISE

Cisco’s holistic approach to network access security has several advantages:

  • Context-based access based on your company policies. ISE creates a complete contextual identity, including attributes such as user, time, location, threat, access type, and vulnerability. This contextual identity is used to enforce a secure access policy. Administrators can apply strict control over how and when endpoints are allowed in the network.
  • Better network visibility via an easy-to-use, simple console. In addition, visibility is improved by storing a detailed attribute history of all endpoints connected to the network.
  • Comprehensive policy enforcement. ISE sets easy and flexible access rules. These rules are controlled from a central console that enforces them across the network and security infrastructure. You can define policies that differentiate between registered users and guests. The system uses group tags that enable access control on business rules instead of IP addresses.
  • Self-service device onboarding enables the enterprise to implement a Bring-Your-Own-Device (BYOD) policy securely. Users can manage their devices according to the policies defined by IT administrators. (IT remains in charge of provisioning and posturing to comply with security policies.)
  • Consistent guest experiences: You can provide guests with different levels of access from different connections. You can customize guest portals via a cloud-delivered portal editor with dynamic visual tools.

Support

You can get ISE as a physical or virtual appliance. Both deployment types can be joined into ISE clusters to provide scale and redundancy.

Licensing

Cisco ISE has four primary licences: Evaluation, which covers up to 100 endpoints with full platform functionality, and the higher tiers Partner, Advantage and Essential.

Reviews from Real Users

"The user experience of the solution is great. It's a very transparent system," according to a PeerSpot user in Cyber Security at a manufacturing company.

Omar Z., Network & Security Engineer at an engineering company, feels that "The RADIUS Server holds the most value."

"Whether I deploy in China, the US, South Africa, or wherever, I can get all the capabilities. It allows me to directly integrate with 365, and from a communications point of view, that is a good capability," says Rammohan M., Senior Consultant at a tech services company.

Hassan A., Technology Manager at Advanced Integrated Systems, says that "The most valuable feature is the integration with StealthWatch and DNA as one fabric."




Cisco ISE (Identity Services Engine) was previously known as Cisco ISE.

Cisco ISE (Identity Services Engine) Customers

Aegean Motorway, BC Hydro, Beachbody, Bucks County Intermediate Unit , Cisco IT, Derby City Council, Global Banking Customer, Gobierno de Castilla-La Mancha, Houston Methodist, Linz AG, London Hydro, Ministry of Foreign Affairs, Molina Healthcare, MST Systems, New South Wales Rural Fire Service, Reykjavik University, Wildau University

Cisco ISE (Identity Services Engine) Pricing Advice

What users are saying about Cisco ISE (Identity Services Engine) pricing:
  • "It is fairly expensive and that's part of why we have implemented it in the type of 'hack' that we did, to service multiple clients."
  • "Over the years, licensing has been confusing and complicated because there are so many different licenses for each different product and each different iteration of the product."
  • "Licensing is a disaster. It's a mess and I hope they fix it soon."
  • "I have complaints. I don't enjoy the licensing model. Once we moved from 2.7 to 3.1, switching from Base, Plus, and Apex to Essential and Advantage in Premier, we went from a perpetual, with our base licenses, to now a subscription-base. So, we will have to renew those licenses every year, and I'm not a fan of that for our base licenses. Apex/Premier, we already expected, which is fine, but for basic connectivity, I am not a fan of that."
Cisco ISE (Identity Services Engine) Reviews

    Wayne Cross - PeerSpot reviewer
    Director of Cyber Security at Borden Ladner Gervais LLP
    Real User
    Secures devices and has good support, but needs a better interface
    Pros and Cons
    • "The solution is great for establishing trust for every access request no matter where it comes from."
    • "The interface is a little bit complex."

    What is our primary use case?

    For Cisco ISE specifically, I manage the cybersecurity as well as the networking team. The networking team uses it to track statistics of users coming in and out of the network platform. We use it to track equipment, collect information on identity, and have the help desk leverage the telemetry to troubleshoot. It is part of our day-to-day operations.

    This provided security for our sizeable law firm, which has offices across the entire country. Our lawyers like to be mobile. Around six or seven months ago, we started to roll out iPads and really adopted a mobile culture. One of the things that we wanted to do was to provide flexibility for lawyers to walk with a corporate laptop, or walk with their own personal laptop and still have the capabilities to log on and do what they want to do.

    We also used it for the many meeting rooms we have. A lot of law firms have tons of meeting rooms, and we needed to secure some of those meeting rooms as well. The technology allowed us to roll 802.1X. We were able to secure ports in the meeting rooms and have a little bit more flexibility as to where users log in.

    For example, a couple of years back, we wanted to secure all of the endpoints for the help desk and networking team and all of the backend team and ensure that, irrespective of where one goes with that laptop, when they log in, it'll automatically move them to a secure VLAN. With ISE, we were able to do that and monitor it.

    What is most valuable?

    One of the things that we found most valuable over the years is the ability for it to provide information to the help desk that allows them to troubleshoot issues. We still use a lot of that today and we're going over to DNA soon. We're adopting some of the DNA technologies now, however, ISE has been the mainstay for us for quite a few years now.

    The solution is great for establishing trust for every access request no matter where it comes from. That was one of the biggest use cases for us, as one of the problems that we had was to secure a specific VLAN. If a help desk person had a laptop, and they plugged it into a network cable port somewhere, it would automatically put them on a secure network. If a lawyer uses their laptop, it would put them on a separate network. If a phone is plugged in, it will know it's a phone and put it on a phone network. ISE is the only way we have been able to do that. We've streamlined a lot of our provisioning and de-provisioning processes through Cisco ISE.

    It has certainly made it easier to secure our devices. For example, we have offices across the entire country. We are a large law firm and have huge offices in Toronto, Ottawa, Montreal, Calgary, and Vancouver. We also have ISO 27001 and 27017 certified as well and I run that program. One of the big things for us is when auditors come for a visit. All of our locations have a conference floor, a whole floor that's dedicated to conference rooms.

    There are tons of large conference rooms. When we get audited, conference floors are usually floors that auditors are allowed to go to, as they're publicly accessible floors. We'll get asked, "How do you secure the port?" When we go into the conference room, they can see the network ports. They will ask, "Well, how do you secure these ports? What if somebody came and plugged their machine in?" We then say, "We use Cisco ISE. Cisco ISE identifies that it doesn't belong to our corporate network. It does a check and then puts them right onto the internet, so we don't need to worry about strangers on our closed network."

    What needs improvement?

    The interface is a little bit complex. It doesn't really have an executive dashboard. I'm the director of cybersecurity infrastructure operations for the entire firm, and I'm a very technical person, so I go in, and I can move around and try to figure everything out.

    However, the interface is very complex, and there are tons and tons and tons of options. It's quite complex to get into and take a look at. As a result, most of the time, just my networking team would be in there. It's so complex that sometimes I will find something one week, and by next week I can't find it again.

    It's too deeply layered. They have to redo the whole interface and have something that's executive based, and another one that's technically based. Even the help desk team and my security team use some of its components, however, they don't go anywhere often, as there are so many options in there. They have to make the interface a little bit more user-friendly.

    For how long have I used the solution?

    I've worked with Cisco for about ten years.

    What do I think about the stability of the solution?

    The stability is ten out of ten. We have not really had issues with it. We've had one or two small things, however, in the 12 years that I've been there, I've had very few issues with their platform.

    What do I think about the scalability of the solution?

    It scales well. We have no concerns at all. When we decided to roll out 802.1X, we only had it on our endpoint, just laptops. Then we said, "Well, let's scale it out to the wireless access point." We went from 2,000 endpoints to 10,000, since people have mobiles. When we rolled it out to do posture checks on everything wireless, we had no issues.

    How are customer service and support?

    Technical support is good. I have no issues. Cisco supports its products very well, so we've never really had concerns with that aspect. Also, I have a very, very technical team. My guys are CCIE certified, and they are geniuses in their own rights. They've been in Cisco for 20 years.

    They know the product very well and they also work very closely with the Cisco support team. The Cisco support team has very good people. They train their people well, and we've never really had issues that the Cisco team can't resolve if my team can't resolve them. We're taking it for granted that we're getting good support.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not use a different solution. We're a Cisco shop, so we've always used Cisco.

    How was the initial setup?

    I was involved in the initial setup. I manage the networking team. While I don't necessarily push the commands in, I go through architecture sessions with my team, sign off on it and make sure that what it's doing is worth it, it's my budget. I have to get involved.

    What was our ROI?

    We've seen an ROI. They last a very long time. For example, we have Cisco Campus, which is the next 7000s that we put in 2012, and ten years later, they're still there. We just changed the supervisor modules. However, the chassis is still sitting there and is still working quite fine.

    If I'm not mistaken, it's at end of sales already, however, its end of support is in 2024. That's what I like about their products. They support their product for a very, very long time.  They easily last for ten years. Even our access switches, which are 4900s, are just being switched out now. Those have been in since probably 2010.

    We spend $1.5 million as we have two switches on every single floor. Those are the ones that we're changing out now, and they still work quite fine. Cisco just decided to change them. Their products are very solid and they don't break. We keep them for a very long time. Therefore, the return on investment is not bad. I know when I put it in that I don't need to look at it again for ten more years. I know it's going to be supported for that long.

    What's my experience with pricing, setup cost, and licensing?

    Cisco is expensive, however, we have a good partnership with our Cisco partner, and we get really good discounts on it. We have a very, very tight relationship with our Cisco representative. We're the largest law firm in Canada and therefore we get special treatment from the Cisco reps in Toronto.

    We've had really good relationships with the team at Cisco Canada, and they all know my team, the architects, the solutions engineers, the salespeople, et cetera. They all know us very well. They come to our offices and we go to their offices. We have a very tight relationship.

    When it comes to cost, we'll talk to them. They'll tell us when is the best time to buy, and we'll get good discounts. I've never really had to forgo a technology that was critical to the firm due to cost. I can always work with Cisco to find some way to reduce the cost.

    Which other solutions did I evaluate?

    We always focus on Cisco products.

    What other advice do I have?

    I'd rate the solution seven out of ten.

    It has a lot of rich data in it, however, it's hard to get stuff out of it. You really have to know the product very well and live there to know where to go and find what you are looking for. There's a lot of telemetry in there, however, it's very difficult to actually see how to leverage it.

    I've even been telling my security team, "Guys, there's a component in Cisco ISE that you need to work on, and you need to log in more often." Then two years later, they'll ask, "Why don't you guys use it?" The security networking team will say, "Well, we gave them access." My security team will say, "It's too complex. We have no time to go in there. We don't know where to find anything." That's the only problem that they need to fix. They need to make it easier to navigate, it's too deep.

    Cisco ISE is a good product. It tightly integrates with all of the networking components, but you can leverage it and get a lot of return and investment out of it. However, you need to make sure that when you're rolling it out and when you're initially putting the platform in, you will need to get your help desk team and security team involved.

    Of course, the networking team is the one that's probably going to own it, however, there are so many components in there that can help. The help desk can troubleshoot issues and can provide visibility from the security standpoint, and the networking team owns it anyway. If you get them more involved, they'll be more in tune with using it more often.

    There are a lot of help desk and security capabilities in there. Still, just the networking team rolled it out, nobody wants to look at it, as it's a networking piece of the platform, yet really it's not. You can get a lot from this platform. That's probably what I would tell people, just get everyone involved from the get-go, so that they can get more value from it in the long run.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Laurence Mcbride - PeerSpot reviewer
    Senior Business Systems Analyst at a financial services firm with 201-500 employees
    Real User
    Improved our trust situation, but usability, while improving, still needs work
    Pros and Cons
    • "It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go."
    • "A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it."

    What is our primary use case?

    Cisco ISE is our network access control solution. We use it to prevent unwanted devices from connecting to our physical network. We also use it for wireless access control on the corporate network, but not on our guest internet network. That difference is because we have Cisco Meraki on the guest wireless.

    The solution is in twin private data centers and we did virtual servers, not physical appliances. They're on our VMware platform.

    Our business is the lending half of banking only. There are no ATMs or customers coming in with deposits or credit cards. It's a commercial lending operation. We don't have a lot of foot traffic into our locations from our customers. Some might say we're a little overly worried about our physical network, because we're pretty physically secure already. However, we occasionally do customer appreciation events in our locations, at which point there could be 100 people waltzing in and out of any one of our buildings. That's when the regulators say, "That's why you need security." Ultimately, if you let your guard down in the world of security, you're going to get attacked. So, like it or not, we have to button it up.

    How has it helped my organization?

    Cisco ISE definitely helped us pass the audit requirements we had. We're a type of federally chartered organization and we have a special regulator in the federal space. The need for network access control was born out of audit and penetration test findings. ISE is auditable and we send logs up to our SIEM for analysis.

    The solution has also improved our trust situation. It's one of the many pieces that we needed to be buttoned up tight.

    What is most valuable?

    It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go.

    And when it comes to establishing trust for every access request, no matter where it comes from, it's effective. That's like a "pass/fail" and it passes.

    Our environment is a distributed network, across many locations. Cisco ISE runs in a pair of data centers for us: to each client, a primary and a secondary. The database keeps itself synchronized between the two data centers so if one data center is down, we can swing to the other for continuous service. It does its job.

    What needs improvement?

    A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it. There are so many updates and, often, you can't go to a particular update unless you've done all of the updates leading up to it, although I don't think that was our issue.

    If they could improve the upgrade process, that would make me sleep a lot better. It's almost like we need to have it pre-qualified before applying an update because our whole world hangs off of it. It is a "center of the known universe" implementation for us.

    It is also an incredibly "nerdy" tool, one that is not really well documented for your everyday network and security engineers. It takes a village of specialists to keep something like this running. Cisco is definitely making some improvements in the user interface. It's a little more understandable and approachable. Even for the nerdiest of nerds, having what I call a "kissable baby face" makes it more usable. Cisco knows this and, from version 3 and up, they've been trying to improve the usability and it's getting better. It could use some work.

    Not everything is a smart Windows or Mac OS device. We have Windows 10-based user laptops, almost exclusively, and there are some printers and phones and the like that are capable of either a certificate or other 802.1X conversation with Cisco ISE. From an engineering perspective, we just went "way-simple." We do MAC address bypass or MAB tables, which is administratively challenging.

    Finally, I believe we've stretched it beyond its capabilities in attempting to make it a multi-client solution, more like a service provider implementation. It's really not architected for that yet. I think that's on the roadmap. This is what I refer to as a monolithic implementation. It is capable of servicing multiple Active Directories and saying, "I recognize this address range equals client X, and this address range equals client Y," and it can interrogate the appropriate Active Directory. But the way that we've implemented that, honestly, is a hack job. It's fully supported, but it's just not multi-client architected. If I had one message for Cisco, it would be: Please make this thing multi-client, or at least more affordable to do separate implementations that somehow get closer together. That's ultimately what multi-client is.

    All our various clients are collectively involved with one another. Each of the five owners owns an equal share of the company and all profit and loss flows to each of the owners equitably. It's not that we don't have procurement relationships with one another. However, our regulator continues to believe that separating things is better. That way, if one of you gets taken down, the others aren't affected. Anytime that you have a product that is a type of monolithic implementation, it potentially could affect all of us.

    For how long have I used the solution?

    For about six and a half years I worked for a cooperatively-owned service bureau, which is where I got the Cisco ISE experience on the service provider side. Now I'm on the customer side or the business side of how these technologies affect our environment, and how hard or how easy they are to integrate.

    We've had Cisco ISE in production for about four years now. It was a three-year ramp getting it into production.

    What do I think about the stability of the solution?

    It works like a champ until you try to upgrade it, and then it becomes risky and fragile. I don't know whether that is because of the complexity of the architecture. We have what I would call a twin database environment, where we're trying to keep two copies, at a great distance from one another, synchronized. One misstep and there it goes.

    What do I think about the scalability of the solution?

    It is certainly scalable enough in our environment. We have between 3,000 and 4,000 managed nodes, not counting all of the extra stuff including every type of IOT thing you can imagine: printers, cameras, sensors, a security system. It also doesn't include phones, and we have a phone on every desk, whether there's a user there or not.

    When you initially think you've only got, say, 3,000 or 3,500 users, how do you get 15,000 devices on your network? But that's the sad reality these days. Everything is on the network. Every employee typically has three devices on the network at any given time: a phone, a tablet, and a computer. The numbers ratchet up quickly.

    The good news is that it's definitely scalable in our environment to handle 25,000 devices spread across between 150 to 200 locations, some of which are very remote.

    How are customer service and support?

    It is a special class of nerds who know how to work with Cisco ISE, and that's true even inside of Cisco. We have used some third parties, Cisco authorized resellers and solution certified specialists, to deal with this, but that's a last resort. Those are the really expensive people for this because there is such a small community of people who are qualified in this product.

    Because it's such a specialized skill, they are not as available as I would like.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We did not have a previous solution.

    How was the initial setup?

    We were nearly a 100 percent Cisco shop at the time that we selected the product. We had a couple of failed implementations when trying to get it installed. That was likely because we didn't hire the right expertise to assist. Everybody understands the components of it, but when you put it all together, it is just very scientifically complicated.

    What was our ROI?

    In our case, ROI wasn't really a consideration in going with Cisco ISE. It was a regulatory requirement.

    What's my experience with pricing, setup cost, and licensing?

    It is fairly expensive and that's part of why we have implemented it in the type of "hack" that we did, to service multiple clients. It would be nice if it were less expensive.

    Plan your deployment very carefully. Make sure that you really understand the licensing environment. That was a big surprise, not to my team, but to the end customers who were responsible for the budget for it. Everybody thinks "server-centric," and in this particular case, all of those devices that are being protected ultimately have to have appropriate licensing on the system. There was a lot of, "Oh, I didn't realize I had to buy that part." It's not your everyday product and the pricing model wasn't something people were super familiar with to begin with.

    Which other solutions did I evaluate?

    We've evaluated some other products since implementing this one. This is not your everyday tool.

    The one thing that some of Cisco's competitors have done in this particular space, is to take this stuff to the public cloud. As long as you can do that securely, it is helpful. Maybe that would help in our world. I would love to subscribe to this as a service. In other words, we'd prefer that products like this, products that are that complex, be somebody else's problem and just subscribe to the outcome of them. I'd love this solution to be running in Cisco's world where the real expertise is.

    What other advice do I have?

    People groan when they realize that they're going to have to do troubleshooting on Cisco ISE; even the nerdiest of nerds. But any product in this space would engender the same reaction. Trying to figure out how I prove that you're allowed to be on my network is not everybody's happy place. We all just want to set it and forget it.

    The usability and the upgradability over time, for a product that is in such a critical spot, should be better. I'd love to give it a ten because it was the easiest thing in the world to upgrade. It's just not there yet.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Network Operations Supervisor at McCoy's Building Supply
    Video Review
    Real User
    Improves network visibility and control over devices, but the user interface could be improved
    Pros and Cons
    • "Not having to trust devices and being able to set those levels of trust and more finely control our network is a benefit."
    • "The UI is not as intuitive as some other products, even products inside of Cisco's wheelhouse."

    What is our primary use case?

    When it comes to ISE, the main challenge that we were trying to address is with our retail environments. We don't have control over the physical access to all the ports and we didn't really have any network access control.

    ISE has, and will continue to allow us to secure our edge environment at the retail stores. It's also going to provide more security as we are rolling out more wireless access.

    We're expanding our footprint to just outside of the retail environment. For example, we're implementing wireless service in our lumber yards. As we progress, we really need to be focused on securing that, and ISE is going to allow us to do that.

    How has it helped my organization?

    The main way that ISE is improving our organization is by acting as an added layer of security. It's a physical layer at the actual network jacks in our retail environments.

    This is also true for our corporate office in conference rooms. We've now got the ability to allow those ports to be hot for a vendor to come in and plug in, and we're not having to rush and go make it hot for them. At the same time, we can still control what access they have without having to be hands-on all of the time.

    The other thing with vendors is that in our stores, a lot of times we have some older technology from vendors that is not wireless. Until now, we haven't been able to push those devices onto a guest network. But now with ISE, we are able to dynamically assign those types of devices to a wired guest network.

    The fact that Cisco ISE establishes trust, regardless of where requests come from, has helped us come to realize what was on our network. We thought we knew what was on our network, and we thought we had control over devices, but there's a lot out there that we can't keep track of, day to day. For example, if a different department adds a computer that handles paint and we didn't know about it, suddenly it's on our network.

    Now that we've got ISE, I feel like it's a big step in the right direction in terms of increasing the trust in our network. Not having to trust devices and being able to set those levels of trust and more finely control our network is a benefit.

    ISE has really helped us in supporting our distributed network because we are geographically diverse with remote sites in Texas and five surrounding states. This means that we can't always be out there, hands-on.

    With retail environments, we can't rely on our employees in the stores to be technically minded all the time. As such, it really helps us not to have to worry about that. We don't have to try and train people that aren't meant to be doing that kind of work, because their job is selling lumber. It's not always being there on top of the security of the network.

    What is most valuable?

    The most valuable feature for us with ISE is the network access control. It provides both security and visibility to what is on our network.

    With the control ISE gives us over those devices, whether they're company-owned or BYOD, anything on our network, we now have a little bit more visibility into and more control over how it performs and what access it has on our network.

    What needs improvement?

    When it comes to improvements with ISE, even though we've been using it, there's still a lot to learn because it's such a robust product. I think that Cisco could do something to counteract the stigma that ISE is cumbersome and hard to use.

    There was a big pushback against us implementing this product because as VPs and executives start to talk, they want to talk about everything they've heard, and they had it in their minds that things are the way they are. To proceed with implementing ISE, we had to push against that.

    The UI is not as intuitive as some other products, even products inside of Cisco's wheelhouse. To an extent, some of it feels like it's legacy and could be improved upon.

    What do I think about the stability of the solution?

    One thing with Cisco is that we haven't ever had issues with stability, and ISE lines right up with that. We're using the virtual appliance and we're using VMs. We haven't had any issues there, as long as you know the caveats that go along with their setup.

    There have been no issues as far as performance or uptime.

    What do I think about the scalability of the solution?

    Scalability with ISE goes back to the setup, and that initial planning phase. You have to identify your networks and your devices and what you want to do.

    Once you get it set up, then scalability is not an issue. Definitely, the more complex your network, the more time you're going to spend on the pre-setup stage.

    How are customer service and support?

    I really like Cisco's products. Sometimes, however, I have trouble with the support because you're getting someone that doesn't know your environment. This is something that's just going to happen.

    Another frustrating point is that you sometimes get a person that doesn't realize that you might know what you're doing. You've already turned it off and back on, but they've got to walk you through those steps no matter what you tell them.

    You feel like it's a battle to get to the point where you actually start to work on the solution. It's not the same with everyone but when we do have to work with Cisco, it's usually a bigger problem that necessitates engaging TAC.

    At that point, it's hit or miss. Sometimes they're great and just click and get the problem fixed, whereas other times it's an uphill battle back and forth where you can't get on the same page.

    I would rate the technical support a six and a half out of ten.

    However, I would rate our account team from Cisco, the systems engineers who support us, about a nine. They are always there and are great to work with.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    This is our first solution for network access control and that level of visibility.

    For visibility, we do have CrowdStrike. That gives us visibility into our network, but it only acts on the agent and it uses an ARP request to discover devices that it didn't already know about. You can't really trust that, because if someone gets on maliciously, they're going to know enough to not just be blatantly, obviously there. You want to have a little bit more security in place when they first connect.

    How was the initial setup?

    The deployment of ISE is definitely more complex than other things, but it's inherent because there's a lot of prep and planning to set up how you're going to handle certain types of devices.

    You start realizing that you hadn't even thought of some things and accounted for other things. Definitely, it's a big exercise in prep work. It involves filling out questionnaires and keeping spreadsheets on everything on your network. That said, it was eye-opening and a good experience, but there's definitely quite a bit of work to set up ISE.

    We're juggling a lot of things at one time, so it took six months to deploy. A lot of that was not dedicated to ISE, and we were still doing the other parts of our job throughout the process.

    What about the implementation team?

    We received help setting it up from our reseller, who was Accudata, but they were recently purchased by Converge Technology Solutions. We've got a great relationship with them; they've always got great resources and great account teams.

    What was our ROI?

    If I were to comment on the return on investment on ISE, I don't really know where to begin because it was something we never did before. It was somewhere where we were lacking. We just didn't have the time or the manpower to do what ISE will do for us.

    I'm sure someone out there can crunch the numbers and quantify the ROI on stopping an attack or a breach, but I don't have those numbers and thankfully, we haven't had one yet.

    For us, we didn't have the manpower to do it right. Implementing ISE has saved us the need to invest in that manpower.

    What's my experience with pricing, setup cost, and licensing?

    When it comes to licensing, I'm hoping Cisco is improving that because that's always been a pain point. I usually rely on our account team, which thankfully we have, to help with the licensing.

    Over the years, licensing has been confusing and complicated because there are so many different licenses for each different product and each different iteration of the product.

    What other advice do I have?

    In terms of advice for anybody who is looking into Cisco ISE, I wouldn't suggest just jumping in and buying ISE. I'm not trying to talk badly about anything, but I would say, do your due diligence and understand your network and what's going to work for you.

    Definitely understand that you're getting into a lot with ISE. There's a lot of capability, but I don't feel like just one person working on a hundred networks should be taking that on and trying to manage it themselves.

    Overall, this is a good product but there's definitely room for improvement. Also, we're not using everything we could within the product.

    I would rate this solution a seven out of ten.

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Bill Masci - PeerSpot reviewer
    Senior Network Admin at Iridium
    Video Review
    Real User
    Top 10
    Helps across a distributed network, giving you a central way of authenticating everybody
    Pros and Cons
    • "When we use ISE, one of the helpful things is that I can go through the dashboard and get every step along the way of how a device was authenticated. If it's failing, why did it fail? Why is it unauthorized? If there's an error, what is the error and how can I fix that error? If it's something that, if they should be passing, why are they failing?"
    • "A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on."

    What is our primary use case?

    Our main use case right now is TACACS for device administration and authentication, as well as for user authentication on the network: wireless authentication, 802.1X, and wired authentication too, for RADIUS.

    How has it helped my organization?

    The way Cisco ISE has improved our organization is [by] making sure that we have secured our network. It's making sure that if somebody comes into the office who [possibly] shouldn't be there, and they plug a computer in or try to hit our WiFi, that we know, based on the criteria we've set up, that this person should have access. They've passed all the tests we've set up to make sure that they're not a bad actor or somebody who shouldn't be on the network.

    ISE can, a lot of times, be the first stop for us to troubleshoot user errors or user issues. If you start your security posture by assuming there's no trust for a device, you're going to make sure that ISE is validating the device from the ground up. It's not just assuming that something has access, it's making sure it goes through the full process to gain access to your network.

    ISE has definitely helped us across a distributed network, because you have a central way of authenticating everybody. It could be switches across different vendors, it could be different switch models—whether a Cisco Catalyst 9000 or a 2960—you can make sure, although these might be different devices, that the authentication process is going to be the same for the users. You have that peace of mind that no matter where somebody's plugging in, or what AP they're authenticating to, it's going to follow the same security guidelines, the same authentication process, to be granted network access.

    What is most valuable?

    The most valuable features for us are ensuring that we have the right people logging in to the network as well as protecting our device configuration. If somebody goes in to make a configuration adjustment, we need to make sure it's the right person, that they have the right access, and that we have validated that.

    When we use ISE, one of the helpful things is that I can go through the dashboard and get every step along the way of how a device was authenticated. If it's failing, why did it fail? Why is it unauthorized? If there's an error, what is the error and how can I fix that error? If it's something that, if they should be passing, why are they failing?

    For device administration, like logging in to a switch or a router, we can see all the commands that people have put in and who made changes. If we need to fix something—a bad command, or somebody put something in that pulls a device out of what we consider our compliance—we can fix that.

    From an administrator perspective we can look at "Why did you make this change?" and figure out how we don't break something in the future, if it was something that did cause an outage.

    And when it comes to things like wireless, we can see who is hitting the network, who is hitting a corporate SSID, or a guest SSID. Are they failing? What errors are you seeing along the way?

    What needs improvement?

    A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on.

    The upgrade process is not very simple. It's pretty time-consuming. If you follow it step by step you're probably going to have a good time, but there are still a lot of things that could be a lot more user-friendly from an administrator's perspective. [They could be] easing a lot of the issues that people have. Instead of just saying the best practice is to migrate to new nodes [what would be helpful] would be to make that upgrade process easier.

    The UI is a lot nicer in 3.0. It's pretty slow, but for the most part, it's easy to find what you're looking for, especially things like RADIUS live logs, TACACS live logs. From a troubleshooting perspective, it's really nice finding stuff. For setting up policies, from that perspective, it could be a little bit better looking.

    For how long have I used the solution?

    I've been using Cisco ISE (Identity Services Engine) for about five years, myself. My company has been using it for longer than that.

    What do I think about the stability of the solution?

    The stability for our virtual machines is good if you follow the best practice and give it the reservations the virtual machines need, and you're making sure that you're following how many recommended devices are going to be authenticating to it. We don't have stability issues with ISE.

    What do I think about the scalability of the solution?

    The scalability has been fine for us. We're actually in the process of possibly deploying more PSN (Policy Service) Nodes, so we'll see if that helps. But scalability hasn't been an issue. I don't think we're running into device count limitations or VM performance [issues].

    We're around the 600-700 mark in terms of the number of devices in our company.

    How are customer service and support?

    Support has been pretty helpful when we've needed it. We haven't had too many issues where I was asking for an escalation immediately or sweating profusely because it's not working. I can't say anything bad about support, but I don't have enough experience to give a really substantial answer.

    How would you rate customer service and support?

    Positive

    What about the implementation team?

    I did not deploy ISE. We had a partner who helped us deploy it.

    What was our ROI?

    I don't know what the investment was, because I'm not involved in the pricing aspect of it. But there's no way for us to run secure, reliable user access or device administration access without something like ISE. The return on the investment, I think, is great. It's integral to our network so I don't know what we would do without ISE.

    What's my experience with pricing, setup cost, and licensing?

    The licensing model is pretty straightforward. There are some changes from [version] 2.x going up to 3.0 and switching to the Smart Licensing. But if you have somebody who can explain it to you, so that you know that when you're upgrading you're not losing functionality, or you're not putting yourself in a position where the license count you're used to having can go away, then as long as that's set up, it's fine.

    Which other solutions did I evaluate?

    I have used Aruba ClearPass in the past. They're pretty comparable. If I'm going to be honest, I think ClearPass has a better user interface and some of the things are laid out a little bit better. But when ISE is up and running, it's more reliable, it's more stable. You just have to get it to that point and then it's a really nice product that I like using.

    What other advice do I have?

    In terms of eliminating trust from network architecture, ISE can do so when it's implemented correctly. There are still certain functions of ISE where you have to be diligent in making sure that if a user is plugging into a network port, that that port is set up to use ISE for authentication. It's kind of a two-way street. It's a great tool, but you have to set it up correctly. You have to make sure that it's doing what you've intended it to do. When you do that, it's great for that. We don't have any issues with that and it's definitely an integral part of our network.

    The advice I would give people is to decide what you are looking for in terms of your AAA. Are you looking for a secure way to authenticate VPN users, users logging in for WiFi, for wired access? Something I don't use at my organization is the Guest Portal, but I know ISE has a pretty considerable catalog for deploying guest portals, for device onboarding, and posture assessment. If those are all the things you're looking for, the features, I would definitely recommend ISE.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Accounting Executive at a tech services company with 11-50 employees
    MSP
    Highly granular and effective NAC, but also complex to deploy
    Pros and Cons
    • "The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique MAC addresses. It would say that this is in my profile so I could get to those apps with either device, 24/7. That's how granular the ISE or these NAC solutions can get."
    • "In the next release, I would want to see this kind of solution in the cloud as opposed to on-prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud-based software subscriptions."

    What is our primary use case?

    The ISE product is used to make sure that folks can get access to the application servers that they need to get access to. Let's say, for accounting and another group like sales and marketing, they would have no business accessing each other's servers, those apps. So you would set up a policy that allows accounting to do what they have to do whether they're remote or on campus, and then the sales and marketing folks could never access that. They are totally blocked. It's a virtual firewall, basically.

    What is most valuable?

    The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique MAC addresses. It would say that this is in my profile so I could get to those apps with either device, 24/7. That's how granular the ISE or these NAC solutions can get. That you have to have that same device.

    They can get into the antivirus. They will check the antivirus to see if it's the most current version and if it's not, if that's your policy, it will let you go through and access the app if the antivirus has been updated. But if the policy was that it has to be the most current version, then it can block you until you upgrade the antivirus.

    What needs improvement?

    As far as what could be improved, they need to continually be thinking about ransomware, cyber attacks, and all those kinds of things. They always have to be innovating. Always have to be improving. I can't give you anything specific because these cyber guys are always coming up with new ways to get in. You just really have to be aware of what's going on.

    In the next release, I would want to see this kind of solution in the cloud as opposed to on-prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud-based software subscriptions.

    What do I think about the stability of the solution?

    In terms of stability, they are rock solid. If you set the policy and you implement it, it's not going to break.

    What do I think about the scalability of the solution?

    They scale. You just have to buy licenses. Whether you're talking about 5,000 users or more, it's just a licensing model.

    What I saw most customers trying to do was to outsource it to the partner. A value added reseller would have to do that. They typically haven't been trained. They have to go to school, get certifications and that kind of stuff. That's always a requirement, but most people weren't going to tackle that themselves. They're going to farm it out to somebody who has done it before, who has the expertise to do it.

    I do anticipate increased usage. Pick a vendor, like Cisco and Aruba, because for all the threats that are out there, they are always going to have some kind of a NAC strategy. You have to. You really have to. The days of the firewall or perimeter security are over. There are just too many possible ways people can come into your network - disgruntled employees, someone that got paid off, you never know. This is always going to be here.

    How are customer service and support?

    They're very good. All of them are very good.

    Which solution did I use previously and why did I switch?

    It has been pretty much Cisco from the beginning. With another VAR recently, we were pitching the Aruba ClearPass. And actually the ClearPass will run on top of a Cisco infrastructure, which is kind of cool. That's unique, but the ISE doesn't go that way. You won't run ISE on top of an Aruba infrastructure, but Aruba built that solution from day one to be compatible with Cisco switches and routers and wireless stuff. I thought that was pretty compelling.

    Cisco has their ISE, their Identity Services Engine. The other one that I would tell a customer to look at would be the Aruba ClearPass. I don't know enough about the Juniper solution to make any comment about that. But those are the two that I think about the most for identity solutions.

    How was the initial setup?

    The first part is to figure out what you want, what the customer wants to protect, who needs to be protected, and to gather all the data you can on users, contact information, the devices they use, the MAC addresses of the devices, what time of day, what apps... I mean you really have to dig into all that. It's not easy. It's hard. The bigger the customer, the more complex it is going to be. But if you don't do that, the deployment is not going to go well. Really consulting on the front end has to occur.

    On the consulting part, it depends on how big the customer is, how many you're talking about - 5,000 users or 50 users. That drives the answer. I would say if you don't take 30 days to scope it correctly and document, if you do something less than that, the execution deployment is going to go sideways and that can be months. Those things are months. Those could be six months or so. You've got to pick a pilot case. You build a template, you do a small group, and then you see how the reactions are, see if the users accept that policy, make sure it's right. I would do it group by group. Accounting first, or IT first. And then you do the sales and marketing and HR and all those kinds of things.

    What was our ROI?

    In terms of ROI, the only thing that comes to mind is if you look at whatever the current market data says for a breach cost if you have a ransomware attack or something, if you choose to rebuild your network, as opposed to paying the ransom, what does that cost? Is that $100,000 a day? Is that a million dollars a day? So whatever that cost is, go look at the cost of the NAC licensing, ISE or ClearPass. And that answers the question for you. If you can block the threats on the front end, you can avoid the whole ransomware conversation.

    What's my experience with pricing, setup cost, and licensing?

    I have not looked at the pricing in a while. I don't really know. These companies are putting together enterprise license agreements, like a site license, and they'll do multiyear and they'll make them pretty aggressive. If you are buying three security packages from them, for example, they'll give you a significant discount. If you're at two, when you look at the cost to go to a third one, they'll just do it because it discounts the whole package altogether.

    As for extra fees and costs, it is just a subscription model, pretty predictable.

    What other advice do I have?

    I can tell you, even as a Cisco person, ISE was considered very complex and difficult to deploy. That was coming from both the customers and the partners that had to deploy it. It can be very complex and you really have to know what you're doing. The thing that we always stress with customers is to go through and build a policy first. Decide what you want to block, and who is going to have access to what, and do some due diligence on the front end because once the policy is created, then you can deploy what we have all agreed to. As opposed to just trying to wing it and figure as you go - that is not a good play. That was always the comment from the Cisco customers.

    My advice to prospective users is to find a consultant or a VAR that has done it before. I think that is key. And then talk to a customer that they did it for.

    On a scale of one to ten, I would rate Cisco ISE a seven. That is because it is so complex. I mean, it's not a trivial task.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Network Engineer at a hospitality company with 10,001+ employees
    Video Review
    Real User
    Helped us get away from pre-shared keys, and allows us to see what's connected to the network
    Pros and Cons
    • "[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting MAC addresses."
    • "Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved..."

    What is our primary use case?

    One of our use cases is using it for authentication for the wireless. Our internal corporate network is using the Cisco ISE server to authenticate clients and make sure that we have the right clients on the wireless side, as well as on the wired side. We just introduced that about a year ago to make sure all our wired clients are our clients and not some "rando" plugging into the network.

    How has it helped my organization?

    Definitely, getting away from pre-shared keys has been the biggest key. It is allowing users to connect to the internal network, the employee's network, from anywhere, across the entire US. It is allowing that ease of use.

    It's also allowing us to see what's connected to the network. We can see that there are only really clients. We can see what's connected on the wired side and what's getting blocked, and understand [things] from our users. "Okay, that's getting plugged in. What do you guys use this for?" It's adding a layer of defense that's super important to our organization.

    I don't think we've gotten away from trust completely, but it has helped a lot. It's allowed, on the server side and on the infrastructure side, to allow certain clients. We don't have to trust the client necessarily. We know that that's a corporate client and we don't have to play any guessing games. The corporate client that we want on that specific network is going to have the right cert and the right thing. It allows access control without a lot of human involvement.

    It's helped significantly. We have fewer IoT devices on internal networks and that's the key. Your clients have the right firewall protections and the right anti-virus. Those are on the internal network so you're not putting stuff [on it] that you don't know whether it has a security vulnerability or if it's easily hacked. You're allowing those to be in separated networks that silo them off with a PSK. And you're keeping the internal network to clients that you know are protected.

    What is most valuable?

    [One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting MAC addresses.

    It also integrates really well with some of our other services like ServiceNow. A ticket comes in and then, boom, it's automatically going to the ISE, and then ISE is allowing that client with that MAC address to get on the network easily.

    [In addition, regarding establishing trust for every access request, no matter where it comes from] it does the job. It's a perfect solution in order to manage a large corporate network.

    It allows that access control [for a distributed network]. That's super significant. It allows you to segment things and allows only certain devices to access the network.

    What needs improvement?

    Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved, as we get more and more away from a lot of human involvement and [into] machine learning and just trusting that these systems could automatically help us.

    For how long have I used the solution?

    My name is Edward Martinez. Network engineer. Our company has about 5,000 employees, and we're in the beverage industry.

    [I've been using Cisco ISE (Identity Services Engine)] ever since I started. That was one of the main services that I had to understand and get involved with as soon as I started at our company.

    What do I think about the stability of the solution?

    I haven't had many issues in terms of its stability. It doesn't really ever go down. Anytime we ever have any issues with it, it's usually human error.

    How are customer service and support?

    In the past, I've always had pretty good support from Cisco. Their TAC is really good. They're pretty straightforward. I haven't had many experiences with ISE, honestly. It works so well we haven't had to reach out too much.

    I would rate their support about a nine out of 10. It works most of the time. It depends on the engineer you run into. It depends on the people you deal with.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    [The main challenge] was authentication and not using PSK, traditional pre-shared keys. They wanted to get away from pre-shared keys; people share them. They wanted something that would allow clients to just connect automatically, not have a pre-shared key, and be secure. That's the most important part, making sure that the right clients are getting on our internal corporate network.

    [Our company] was just using PSK and that solution was really built around access control of our corporate networks. They were using PSKs at every site and rotating those PSKs, or had site-specific PSKs. Now, when somebody comes into the office, they can just connect to the employees' network automatically, and it's the same across the board at every site. 

    It was this idea that we needed to simplify things. We needed to make it easier on our users to go into an office and connect to the internet and not have to ask an IT guy there or make a ticket. That was the important part.

    How was the initial setup?

    I've just been involved with the secondary deployment, using the ISE on our wired ports.

    It was pretty straightforward. It was funny. We did it during COVID so it was really easy when nobody was in the office to implement the solution. It kind of worked out that way, when there was nobody in the office.

    But otherwise, people have started to come back and we haven't had really many issues in terms of authentication. It's really easy. People have wired in and if their client has the right cert, it's been a breeze. They've been authenticated and it takes a minimal amount of time.

    What about the implementation team?

    We have an operations partner that we deal with pretty often. It's an Austrian company, NTS. They work with Cisco a lot on our solutions and, obviously, we're evaluating it with them and then making choices based off of that. I'm the onsite hands. I do a lot of the configuration on the switches, but they're doing a lot of the advising.

    What was our ROI?

    You're seeing fewer tickets and you have fewer security issues. I think the return on investment is there. It has really improved our situation in our corporate offices.

    What other advice do I have?

    Resilience is super important. The solution needs to be able to hold up and promise what it [intends] to deliver. In cyber security, that's super important because if you have any slight exploit, you're going to have malware attacks, ransomware attacks. That's [a] big [issue] in our company as, more and more, you hear about legacy systems being affected. These legacy systems sometimes don't go away. Sometimes you need them. You have to do your best to either patch them up or protect them either through a firewall or an access control system. 

    [It's about] protecting the network infrastructure from exploits and really allowing us to segment IoT devices and the corporate network. And because [on] the corporate network, once you get into it, there really isn't anything protecting against accessing critical storage systems, accessing mission-critical servers, [or] our sales numbers, it's super important that we have the ISE so that we're only allowing the things that we want into the network that we trust.

    [What I would tell leaders who want to build more resilience within their organization would be] evaluate solutions, prioritize it, get manpower behind it. Also, too often they put cyber security on the back burner. They're trying to maintain operations and sometimes cyber security can get in the way of operations. But trust that the system, once you build it up, will protect you and that it's worth the investment in terms of money, labor, and time.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Adam Boldin - PeerSpot reviewer
    Network Architect at Tarrant Regional Water District
    Real User
    Helps us protect our SCADA systems by segmenting them from the rest of the network
    Pros and Cons
    • "The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket."
    • "I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself."

    What is our primary use case?

    We use it for wired 802.1X, wireless authentication, VPN, and multi-factor authentication. We wanted to have a consistent experience for authentication and authorization of endpoints across the network, as well as security.

    How has it helped my organization?

    As a water utility organization, we're considered critical infrastructure by the feds. Everyone needs water. So it's important for us to protect our industrial control systems, our SCADA systems. ISE helps us do that by segmenting them off from the rest of the network.

    And by eliminating trust, it helps us with audits, including CJIS because we have a law enforcement division, and trying to conform to the NIST standards. A lot of government agencies are becoming more familiar with the Zero Trust model and ISE makes our audits go a lot faster and a lot smoother than they used to.

    What is most valuable?

    The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket.

    In addition, ISE really adopts and is strong in the Zero Trust model where we consider everybody a foreign endpoint until they prove they belong on the network. ISE just seems to be built from the ground up to do that, whereas with other solutions, you have to "shoehorn" that in.

    I also rate it pretty highly for securing access to our applications and network. If you have the good fortune of being a total Cisco shop, you can utilize SGTs, end to end, across the network. It can be a little tricky to get working, but once it does, it creates quite a consistent experience for any endpoint, even if it moves anywhere in the network.

    What needs improvement?

    I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself.

    For how long have I used the solution?

    I've been using Cisco ISE (Identity Services Engine) for 10 years.

    What do I think about the stability of the solution?

    Now, the stability is pretty good. I've been working on it since the product launched, when it was a bit sketchy. Its current state is really good right now.

    The only thing we have run into was a bug when we ran virtual appliances, but that turned out to be an issue with our storage networking QoS policies. That wasn't really an ISE problem, it was more of a storage problem.

    What do I think about the scalability of the solution?

    In terms of supporting a distributed network, it's pretty powerful. You can stand it up and cluster it and it scales out pretty well. You can put nodes wherever you want to service authentication requests. We're able to scale up or out and we can choose how and when we do that with either virtual or physical machines, meaning it's very flexible. 

    It scales quite well. One of the things that Cisco is good at is keeping things pretty simple when you want to scale it. If you want to scale up, you get stronger admin and monitoring nodes. If you want to scale out, you get more policy service nodes. It's quite easy to stand them up, really anywhere, if you use virtuals.

    We use it around our Fort Worth campus, which has about half a dozen buildings. By the end of the summer, we'll have it deployed to all of the rest of our five campuses. We have about 30 remote locations across 12 counties in North Texas and they're all using ISE. It works out pretty well.

    We have it on-prem right now, but we are moving to a hybrid cloud platform on Azure for a lot of our applications, so we're starting to do proofs of concept with ISE in Azure.

    How are customer service and support?

    TAC is pretty good. I would definitely suggest getting their solution support, which provides higher maintenance. That way, when you do get someone, you get someone who knows what they're doing. If you get the higher level of support, you get some really smart people who can fix things pretty quickly.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We used to use Aruba ClearPass. It was somewhat clunky to use and it didn't integrate well with third-party platforms. If you used Aruba, it worked great. If you didn't use Aruba, and were pointing things at ClearPass, it had some issues. We found that ISE typically handled things a little bit better. We could point anything at ISE and take care of it.

    How was the initial setup?

    The initial deployment was pretty straightforward. It's very simple to just turn the box on and plug into it. You go through a couple of settings and then you can log in to the GUI and pull in all the other nodes that you want.

    After the gear came in, it took us about a day to deploy it. I started by implementing it at the local campus. That way, if I broke anything, I could just walk down the hall and not have to drive anywhere.

    I stood up the first cluster, and then it was another engineer and me who worked on deploying it out to all the buildings. We started out in monitor mode, to see what it would do if we had turned it on. Once we had remediated anything that looked like it was authenticating incorrectly on the wired network, we went to closed mode and that's where we are now.

    What was our ROI?

    Return on investment falls in line with the business vision of securing our resources and protecting them against cyber attacks and nation-state attacks. It's hard to put a monetary value on clean water.

    What's my experience with pricing, setup cost, and licensing?

    Licensing is a disaster. It's a mess and I hope they fix it soon.

    Which other solutions did I evaluate?

    In addition to ClearPass, we looked at Forescout. At the time we looked at Forescout, it was more of an inline product and we weren't looking to add more infrastructure between parts of the network to try to do inline authentications. It seemed easier to do it on the switch ports and have them talk to ISE.

    What other advice do I have?

    It's a very strong platform, especially now that we're on version 3.1. It's definitely my go-to. I would recommend it over any other NAC platform.

    It requires a lot of technical knowledge to actually get it off the ground and running. It's not quite as intuitive as it could be, but it's still a solid platform.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Lead Network Engineer at an educational organization with 1,001-5,000 employees
    Video Review
    Real User
    Gives us that extra ability to assist the end user and make sure that we are making them happy
    Pros and Cons
    • "I really enjoy the live log section. Sometimes, you will have someone who is having issues connecting to the network, and then you have to ask them the dreaded question of, "Did you type a password wrong?" They will probably tell you, "No," but the live log can help sort that out. It gives us that extra ability to assist the end user and make sure that we are making them happy."
    • "There is room for improvement in its ability to allow end users to self-enroll their devices. Instead, you should be able to assign that permission by AD group, which is currently not available."

    What is our primary use case?

    Today, we are performing wireless client authentication and using it as a captive portal for our guest wireless network. Eventually, I am hoping to roll into 802.1X for the wire.

    In our organization, we have about 2,000 employees and 12,000 other end users whom we service.

    How has it helped my organization?

    It has tremendously improved our organization through BYOD and guest wireless access. The sponsor portal is very easy to use for our help desk team as well as just adding an endpoint for BYOD. We have given our help desk team the ability to perform those functions so they don't have to escalate tickets, and what that does is cut back on ticket time. They can quickly assist our end users and make them happy.

    We haven't had an opportunity to really do much with zero trust in ISE. However, in regards to integrating it with our DNA Center appliance, we are looking to experiment more with the zero trust option, establishing policies and pushing them that way. That will really help out with 802.1X on a wire as well, preventing outside organizations from coming in, just randomly plugging in, and then being on our network.

    ISE has had a good impact on our organization’s security risk. This is mainly because we see rejected clients, people just attempting to authenticate, or people attempting to sign in who don't have permission and we know they don't have permission. The visibility is very nice.

    Resilience, in regards to cybersecurity, is incredibly important. We run everything in twos, including our ISE deployment. So, if we have a data center go down for whatever reason, whether it be a cyber attack or just a random power outage, then we know that we still have an ISE node up on the other side which can perform security functions for our AAA authentication.

    As far as resiliency, it is very effective when it comes to upgrades or patch management. As far as cybersecurity, it provides visibility with the logs that we get, rejecting clients as needed, or even telling us a reason why an authentication request failed.

    What is most valuable?

    I really enjoy the live log section. Sometimes, you will have someone who is having issues connecting to the network, and then you have to ask them the dreaded question of, "Did you type a password wrong?" They will probably tell you, "No," but the live log can help sort that out. It gives us that extra ability to assist the end user and make sure that we are making them happy.

    It has done a pretty good job of establishing trust for every access request, no matter where it comes from. The biggest issue that I probably have is just with the random number of passersby or outside visitors coming in and trying to connect. Of course, they can't. ISE is very good at not only denying them, but also logging that endpoint. I would say it has done pretty well with that.

    What needs improvement?

    There is room for improvement in its ability to allow end users to self-enroll their devices. Instead, you should be able to assign that permission by AD group, which is currently not available.

    For how long have I used the solution?

    We have been using ISE since 2018.

    What do I think about the stability of the solution?

    I have never had any stability issues with it. It has been available 100% of the time that we have needed it.

    What do I think about the scalability of the solution?

    I think scalability is there. We run a two-node cluster. We haven't had a need to add any more, but I know we could add policy nodes pretty simply if needed.

    How are customer service and support?

    They are very good and intelligent. I would rate them as eight out of 10.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Prior to this solution, we were using Microsoft NPS. We switched from the Microsoft solution because we were looking for a more current way for our BYOD devices. 

    Prior to ISE, we were using Cisco ACS, which is very old, and ISE was the next logical step. Along with that, we rolled our SSID BYOD over to ISE. That was our initial deployment. 

    About a year later, we moved our production SSID over to it as well. So, we have just kind of come more into using it. It has a lot to offer.

    How was the initial setup?

    It was pretty straightforward. It was not complicated at all.

    We deployed it in a week and rolled out BYOD. We moved that over from ACS to Cisco ISE within that week, so it was pretty simple.

    Today, we just have it integrated with ISE, but it sits in our data center with our core networking. We consider it essential. If it is not available, then productivity suffers.

    What was our ROI?

    I think we have seen ROI in regards to integrating with an external MDM to enforce greater security requirements for business managed devices that aren't Active Directory joined.

    What's my experience with pricing, setup cost, and licensing?

    I have complaints. I don't enjoy the licensing model. Once we moved from 2.7 to 3.1, switching from Base, Plus, and Apex to Essentials, Advantage, and Premier, we went from perpetual licensing for our base licenses to a subscription basis. So, we will have to renew those licenses every year, and I'm not a fan of that for our base licenses. Apex/Premier, we already expected, which is fine, but for basic connectivity, I am not a fan of that.

    Which other solutions did I evaluate?

    We went straight with Cisco. We are a very heavy Cisco shop, so it just kind of seemed logical.

    We have had experience with Microsoft NPS.

    What other advice do I have?

    I would rate it as nine out of 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free Cisco ISE (Identity Services Engine) Report and get advice and tips from experienced pros sharing their opinions.
    Updated: June 2023