
Cisco ISE (Identity Services Engine) Overview

Cisco ISE (Identity Services Engine) is the #1 ranked solution among top Network Access Control (NAC) tools. PeerSpot users give Cisco ISE (Identity Services Engine) an average rating of 8 out of 10. Cisco ISE (Identity Services Engine) is most commonly compared to Aruba ClearPass: Cisco ISE (Identity Services Engine) vs Aruba ClearPass. Cisco ISE (Identity Services Engine) is popular in the large enterprise segment, which accounts for 64% of users researching this solution on PeerSpot. The top industry researching this solution is communications service providers, accounting for 27% of all views.
Cisco ISE (Identity Services Engine) Buyer's Guide

Download the Cisco ISE (Identity Services Engine) Buyer's Guide including reviews and more. Updated: July 2022

What is Cisco ISE (Identity Services Engine)?

Cisco ISE is an all-in-one solution that streamlines security policy management and reduces operating costs. Cisco ISE delivers visibility and access control over users and devices across wired, wireless, and VPN connections.

Identity Services Engine enables enterprises to deliver secure network access to users and devices. It shares contextual data, such as threats and vulnerabilities, with integrated solutions from Cisco technology partners. You can see what is happening in your network, which applications are running, and more.

Features of Cisco ISE

  • Centralized management: a single console ("single pane of glass") for configuring user and device policy and for managing the integrated services.
  • Contextual identity and business policy: a rule-based, attribute-driven policy model, so an access decision can combine who the user is, what the device is, and how and when it connects.
  • A wide range of enforcement options, including dynamic VLAN assignment, URL redirection, and downloadable access control lists (dACLs) that ISE pushes to the switch or wireless controller in the RADIUS authorization.
  • Supplicant-less network access: secure access for endpoints that have no 802.1X supplicant, by deriving the user's identity from login events elsewhere (for example, Active Directory logons) rather than from the endpoint itself.
  • Guest lifecycle management streamlines implementing and customizing network access for guests.
  • Built-in AAA services: the platform uses the standard RADIUS protocol for authentication, authorization, and accounting.
  • Device administration and access control (TACACS+): controls who may log in to network devices and which commands they may run, on a need-to-know and need-to-act basis, and keeps an audit trail of every change made to the network.
  • Device profiling: predefined templates classify endpoints by how they behave on the network, so devices that cannot do 802.1X (printers, phones, cameras) can still be identified and given an appropriate policy.
  • Internal certificate authority: an easy-to-deploy CA, managed from the same console, for issuing and managing endpoint certificates.
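The RADIUS exchange behind the AAA, VLAN and ACL features above, shown as an added example written for this page (it is not Cisco code and does not talk to a real ISE): a switch's Access-Request for a MAB device carrying the RFC 3579 Message-Authenticator, and a stand-in ISE Access-Accept that returns the VLAN as Tunnel-* attributes and a dACL or URL redirect as Cisco AV-pairs, verified and decoded the way the switch would. The shared secret, IP addresses, MAC address and dACL name are constructed values; the standard attribute numbers, the Cisco vendor ID and the AV-pair names are the real ones.

```python
"""Added example for this page, not Cisco's code: a minimal RFC 2865/2868/3579
RADIUS encoder/decoder showing what a switch sends ISE for a MAB request and
how ISE's answer carries the authorization (VLAN via Tunnel-*, dACL and URL
redirect as Cisco AV-pairs). Secret, addresses and MAC are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 2, 4, 6, 26, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
CISCO_VENDOR_ID, CISCO_AVPAIR, SERVICE_TYPE_CALL_CHECK = 9, 1, 10  # Call-Check marks MAB

def _tlv(atype, value):  # Type(1) Length(1) Value; Length counts the header
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_user_password(password, secret, req_auth):
    """RFC 2865 5.2 MD5-keyed XOR: obfuscation, not encryption (hence RadSec/IPsec over WANs)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(secret, ident, username, password, nas_ip, calling_mac):
    """Access-Request as a NAS sends it for MAB (username == password == MAC)."""
    req_auth = os.urandom(16)  # random Request Authenticator; also keys the password
    attrs = (_tlv(USER_NAME, username.encode())
             + _tlv(USER_PASSWORD, encrypt_user_password(password.encode(), secret, req_auth))
             + _tlv(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + _tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _tlv(CALLING_STATION_ID, calling_mac.encode())
             + _tlv(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zero while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()  # RFC 3579 3.2
    return header + attrs[:-16] + mac

def verify_message_authenticator(secret, packet):
    """Server-side check: a NAS without the shared secret cannot produce this HMAC."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False

def build_access_accept(secret, request, vlan, dacl_name=None, url_redirect=None):
    """Stand-in for ISE's reply: dynamic VLAN plus optional dACL / URL redirect."""
    tag = b"\x01"  # RFC 2868 tag byte
    attrs = (_tlv(TUNNEL_TYPE, tag + (13).to_bytes(3, "big"))         # 13 = VLAN
             + _tlv(TUNNEL_MEDIUM_TYPE, tag + (6).to_bytes(3, "big"))  # 6 = IEEE-802
             + _tlv(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode()))
    avpairs = [f"ACS:CiscoSecure-Defined-ACL={dacl_name}"] if dacl_name else []
    if url_redirect:
        avpairs += ["url-redirect-acl=REDIRECT", f"url-redirect={url_redirect}"]
    for av in avpairs:  # Vendor-Specific = Vendor-Id(4) + vendor TLV
        attrs += _tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + _tlv(CISCO_AVPAIR, av.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()  # RFC 2865 3
    return header + resp_auth + attrs

def verify_response(secret, request, response):
    """NAS-side check that the reply is bound to our request and our secret."""
    if struct.unpack("!H", response[2:4])[0] != len(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attributes(data):
    pos, out = 0, []
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out

def authorization_result(secret, request, response):
    """What the switch applies after an authenticated Access-Accept."""
    if not verify_response(secret, request, response):
        raise ValueError("bad Response Authenticator: wrong secret or spoofed reply")
    vlan, avpairs = None, {}
    for atype, val in parse_attributes(response[20:]):
        if atype == TUNNEL_PRIVATE_GROUP_ID:  # optional RFC 2868 tag byte is <= 0x1F
            vlan = (val[1:] if val and val[0] <= 0x1F else val).decode()
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            for vtype, vval in parse_attributes(val[4:]):
                if vtype == CISCO_AVPAIR:
                    key, _, value = vval.decode().partition("=")
                    avpairs[key] = value
    return {"code": response[0], "vlan": vlan, "avpairs": avpairs,
            "dacl": avpairs.get("ACS:CiscoSecure-Defined-ACL"), "url_redirect": avpairs.get("url-redirect")}

def demo():  # a printer doing MAB lands in VLAN 20 with a printer-only dACL
    secret, mac = b"constructed-shared-secret", "00-1A-2B-3C-4D-5E"
    req = build_access_request(secret, 7, mac, mac, "10.0.0.2", mac)
    resp = build_access_accept(secret, req, vlan=20, dacl_name="#ACSACL#-IP-PRINTER_ONLY-1")
    return authorization_result(secret, req, resp)
```

demo() returns the decoded authorization for a printer doing MAB; pass url_redirect to build_access_accept to see the guest or posture redirect case. The two checks are the ones that matter operationally: a NAS with the wrong shared secret fails verify_message_authenticator on the ISE side, and a forged Access-Accept fails verify_response on the switch side. The weak link is the MD5-based User-Password obfuscation, which is why RADIUS across untrusted links belongs inside RadSec or IPsec and why the shared secret must be long and random.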

Benefits of Cisco ISE

Cisco’s holistic approach to network access security has several advantages:

  • Context-based access based on your company policies. ISE creates a complete contextual identity, including attributes such as user, time, location, threat, access type, and vulnerability. This contextual identity is used to enforce a secure access policy. Administrators can apply strict control over how and when endpoints are allowed in the network.
  • Better network visibility via an easy-to-use, simple console. In addition, visibility is improved by storing a detailed attribute history of all endpoints connected to the network.
  • Comprehensive policy enforcement. ISE sets simple, flexible access rules. These rules are controlled from a central console that enforces them across the network and security infrastructure. You can define policies that differentiate between registered users and guests. The system can also use Security Group Tags (SGTs), so that access control follows business roles instead of IP addresses.
  • Self-service device onboarding enables the enterprise to implement a Bring-Your-Own-Device (BYOD) policy securely. Users can manage their devices according to the policies defined by IT administrators. (IT remains in charge of provisioning and posturing to comply with security policies.)
  • Consistent guest experiences: You can provide guests with different levels of access from different connections. You can customize guest portals via a cloud-delivered portal editor with dynamic visual tools.

Support

You can get ISE as a physical or virtual appliance. Either form can be combined into a multi-node deployment, with the administration (PAN), monitoring (MnT) and policy service (PSN) personas spread across nodes for scale and redundancy.

Licensing

Cisco ISE has four primary licence types. An evaluation licence gives full platform functionality for up to 100 endpoints for 90 days. The paid tiers, from lowest to highest, are Essentials, Advantage and Premier; device administration (TACACS+) is licensed separately.

Reviews from Real Users

"The user experience of the solution is great. It's a very transparent system," according to a PeerSpot user in Cyber Security at a manufacturing company.

Omar Z., Network & Security Engineer at an engineering company, feels that "The RADIUS Server holds the most value."

“Whether I deploy in China, the US, South Africa, or wherever, I can get all the capabilities. It allows me to directly integrate with 365, and from a communications point of view, that is a good capability," says Rammohan M., Senior Consultant at a tech services company.

Hassan A., Technology Manager at Advanced Integrated Systems, says that "The most valuable feature is the integration with StealthWatch and DNA as one fabric."




Cisco ISE (Identity Services Engine) was previously known as Cisco ISE.

Cisco ISE (Identity Services Engine) Customers

Aegean Motorway, BC Hydro, Beachbody, Bucks County Intermediate Unit, Cisco IT, Derby City Council, Global Banking Customer, Gobierno de Castilla-La Mancha, Houston Methodist, Linz AG, London Hydro, Ministry of Foreign Affairs, Molina Healthcare, MST Systems, New South Wales Rural Fire Service, Reykjavik University, Wildau University


Cisco ISE (Identity Services Engine) Pricing Advice

What users are saying about Cisco ISE (Identity Services Engine) pricing:
  • "It is fairly expensive and that's part of why we have implemented it in the type of 'hack' that we did, to service multiple clients."
  • "It's an expensive solution when compared to other vendors."
  • "Licensing is a disaster. It's a mess and I hope they fix it soon."
  • "For the Avast virus scan, we pay around USD $95 per machine for five years which includes all updates and technical support."
  • "We are running Version 2.9 because Version 2.9 of the ISE has a persistent license — it's a one-time payment. The latest version (3.1) is only available if you do a yearly subscription."

Cisco ISE (Identity Services Engine) Reviews

    Wayne Cross - PeerSpot reviewer
    Director of Cyber Security at Borden Ladner Gervais LLP
    Real User
    Secures devices and has good support, but needs a better interface
    Pros and Cons
    • "The solution is great for establishing trust for every access request no matter where it comes from."
    • "The interface is a little bit complex."

    What is our primary use case?

    For Cisco ISE specifically, I manage the cybersecurity as well as the networking team. The networking team uses it to track statistics of users coming in and out of the network platform. We use it to track equipment, collect information on identity, and have the help desk leverage the telemetry to troubleshoot. It is part of our day-to-day operations. This provided security for our sizeable law firm, which has offices across the entire country. Our lawyers like to be mobile. Around six or seven months ago, we started to roll out iPads and really adopted a mobile culture. One of the things that we wanted to do was to provide flexibility for lawyers to walk with a corporate laptop, or walk with their own personal laptop, and still have the capabilities to log on and do what they want to do.

    We also used it for the many meeting rooms we have. A lot of law firms have tons of meeting rooms, and we needed to secure some of those meeting rooms as well. The technology allowed us to roll out 802.1X. We were able to secure ports in the meeting rooms and have a little bit more flexibility as to where users log in.

    For example, a couple of years back, we wanted to secure all of the endpoints for the help desk and networking team and all of the backend team and ensure that, irrespective of where one goes with that laptop, when they log in, it'll automatically move them to a secure VLAN. With ISE, we were able to do that and monitor it.

    What is most valuable?

    One of the things that we found most valuable over the years is the ability for it to provide information to the help desk that allows them to troubleshoot issues. We still use a lot of that today and we're going over to DNA soon. We're adopting some of the DNA technologies now; however, ISE has been the mainstay for us for quite a few years now.

    The solution is great for establishing trust for every access request no matter where it comes from. That was one of the biggest use cases for us, as one of the problems that we had was to secure a specific VLAN. If a help desk person had a laptop, and they plugged it into a network cable port somewhere, it would automatically put them on a secure network. If a lawyer uses their laptop, it would put them on a separate network. If a phone is plugged in, it will know it's a phone and put it on a phone network. ISE is the only way we have been able to do that. We've streamlined a lot of our provisioning and de-provisioning processes through Cisco ISE. It has certainly made it easier to secure our devices.

    For example, we have offices across the entire country. We are a large law firm and have huge offices in Toronto, Ottawa, Montreal, Calgary, and Vancouver. We are also ISO 27001 and 27017 certified, and I run that program. One of the big things for us is when auditors come for a visit. All of our locations have a conference floor, a whole floor that's dedicated to conference rooms. There are tons of large conference rooms. When we get audited, conference floors are usually floors that auditors are allowed to go to, as they're publicly accessible floors. We'll get asked, "How do you secure the port?" When we go into the conference room, they can see the network ports. They will ask, "Well, how do you secure these ports? What if somebody came and plugged their machine in?" We then say, "We use Cisco ISE. Cisco ISE identifies that it doesn't belong to our corporate network. It does a check and then puts them right onto the internet, so we don't need to worry about strangers on our closed network."

    What needs improvement?

    The interface is a little bit complex. It doesn't really have an executive dashboard. I'm the director of cybersecurity infrastructure operations for the entire firm, and I'm a very technical person, so I go in, and I can move around and try to figure everything out. However, the interface is very complex, and there are tons and tons and tons of options. It's quite complex to get into and take a look at. As a result, most of the time, just my networking team would be in there. It's so complex that sometimes I will find something one week, and by next week I can't find it again. It's too deeply layered. They have to redo the whole interface and have something that's executive based, and another one that's technically based. Even the help desk team and my security team use some of its components; however, they don't go in there often, as there are so many options. They have to make the interface a little bit more user-friendly.

    For how long have I used the solution?

    I've worked with Cisco for about ten years.

    What do I think about the stability of the solution?

    The stability is ten out of ten. We have not really had issues with it. We've had one or two small things, however, in the 12 years that I've been there, I've had very few issues with their platform.

    What do I think about the scalability of the solution?

    It scales well. We have no concerns at all. When we decided to roll out 802.1X, we only had it on our endpoint, just laptops. Then we said, "Well, let's scale it out to the wireless access point." We went from 2,000 endpoints to 10,000, since people have mobiles. When we rolled it out to do posture checks on everything wireless, we had no issues.

    How are customer service and support?

    Technical support is good. I have no issues. Cisco supports its products very well, so we've never really had concerns with that aspect. Also, I have a very, very technical team. My guys are CCIE certified, and they are geniuses in their own rights. They've been in Cisco for 20 years. They know the product very well and they also work very closely with the Cisco support team. The Cisco support team has very good people. They train their people well, and we've never really had issues that the Cisco team can't resolve if my team can't resolve them. We're taking it for granted that we're getting good support.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not use a different solution. We're a Cisco shop, so we've always used Cisco. 

    How was the initial setup?

    I was involved in the initial setup. I manage the networking team. While I don't necessarily push the commands in, I go through architecture sessions with my team, sign off on it and make sure that what it's doing is worth it, it's my budget. I have to get involved.

    What was our ROI?

    We've seen an ROI. They last a very long time. For example, we have our Cisco campus network, which is the Nexus 7000s that we put in in 2012, and ten years later, they're still there. We just changed the supervisor modules. However, the chassis is still sitting there and is still working quite fine. If I'm not mistaken, it's at end of sale already; however, its end of support is in 2024. That's what I like about their products. They support their product for a very, very long time. They easily last for ten years. Even our access switches, which are 4900s, are just being switched out now. Those have been in since probably 2010. We spend $1.5 million, as we have two switches on every single floor. Those are the ones that we're changing out now, and they still work quite fine. Cisco just decided to change them. Their products are very solid and they don't break. We keep them for a very long time. Therefore, the return on investment is not bad. I know when I put it in that I don't need to look at it again for ten more years. I know it's going to be supported for that long.

    What's my experience with pricing, setup cost, and licensing?

    Cisco is expensive; however, we have a good partnership with our Cisco partner, and we get really good discounts on it. We have a very, very tight relationship with our Cisco representative. We're the largest law firm in Canada and therefore we get special treatment from the Cisco reps in Toronto. We've had really good relationships with the team at Cisco Canada, and they all know my team, the architects, the solutions engineers, the salespeople, et cetera. They all know us very well. They come to our offices and we go to their offices. We have a very tight relationship. When it comes to cost, we'll talk to them. They'll tell us when is the best time to buy, and we'll get good discounts. I've never really had to forgo a technology that was critical to the firm due to cost. I can always work with Cisco to find some way to reduce the cost.

    Which other solutions did I evaluate?

    We always focus on Cisco products. 

    What other advice do I have?

    I'd rate the solution seven out of ten. It has a lot of rich data in it; however, it's hard to get stuff out of it. You really have to know the product very well and live there to know where to go and find what you are looking for. There's a lot of telemetry in there; however, it's very difficult to actually see how to leverage it. I've even been telling my security team, "Guys, there's a component in Cisco ISE that you need to work on, and you need to log in more often." Then two years later, they'll ask, "Why don't you guys use it?" The security networking team will say, "Well, we gave them access." My security team will say, "It's too complex. We have no time to go in there. We don't know where to find anything." That's the only problem that they need to fix. They need to make it easier to navigate; it's too deep.

    Cisco ISE is a good product. It tightly integrates with all of the networking components, and you can leverage it and get a lot of return on investment out of it. However, you need to make sure that when you're rolling it out and when you're initially putting the platform in, you get your help desk team and security team involved. Of course, the networking team is the one that's probably going to own it; however, there are so many components in there that can help. The help desk can troubleshoot issues and can provide visibility from the security standpoint, and the networking team owns it anyway. If you get them more involved, they'll be more in tune with using it more often. There are a lot of help desk and security capabilities in there. Still, if just the networking team rolled it out, nobody wants to look at it, as it's seen as a networking piece of the platform, yet really it's not. You can get a lot from this platform. That's probably what I would tell people: just get everyone involved from the get-go, so that they can get more value from it in the long run.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Laurence Mcbride - PeerSpot reviewer
    Senior Business Systems Analyst at a financial services firm with 201-500 employees
    Real User
    Improved our trust situation, but usability, while improving, still needs work
    Pros and Cons
    • "It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go."
    • "A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it."

    What is our primary use case?

    Cisco ISE is our network access control solution. We use it to prevent unwanted devices from connecting to our physical network. We also use it for wireless access control on the corporate network, but not on our guest internet network. That difference is because we have Cisco Meraki on the guest wireless.

    The solution is in twin private data centers and we did virtual servers, not physical appliances. They're on our VMware platform.

    Our business is the lending half of banking only. There are no ATMs or customers coming in with deposits or credit cards. It's a commercial lending operation. We don't have a lot of foot traffic into our locations from our customers. Some might say we're a little overly worried about our physical network, because we're pretty physically secure already. However, we occasionally do customer appreciation events in our locations, at which point there could be 100 people waltzing in and out of any one of our buildings. That's when the regulators say, "That's why you need security." Ultimately, if you let your guard down in the world of security, you're going to get attacked. So, like it or not, we have to button it up.

    How has it helped my organization?

    Cisco ISE definitely helped us pass the audit requirements we had. We're a type of federally chartered organization and we have a special regulator in the federal space. The need for network access control was born out of audit and penetration test findings. ISE is auditable and we send logs up to our SIEM for analysis.

    The solution has also improved our trust situation. It's one of the many pieces that we needed to be buttoned up tight.

    What is most valuable?

    It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go.

    And when it comes to establishing trust for every access request, no matter where it comes from, it's effective. That's like a "pass/fail"  and it passes.

    Our environment is a distributed network, across many locations. Cisco ISE runs in a pair of data centers for us: to each client, a primary and a secondary. The database keeps itself synchronized between the two data centers so if one data center is down, we can swing to the other for continuous service. It does its job.

    What needs improvement?

    A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it. There are so many updates and, often, you can't go to a particular update unless you've done all of the updates leading up to it, although I don't think that was our issue.

    If they could improve the upgrade process, that would make me sleep a lot better. It's almost like we need to have it pre-qualified before applying an update because our whole world hangs off of it. It is a "center of the known universe" implementation for us.

    It is also an incredibly "nerdy" tool, one that is not really well documented for your everyday network and security engineers. It takes a village of specialists to keep something like this running. Cisco is definitely making some improvements in the user interface. It's a little more understandable and approachable. Even for the nerdiest of nerds, having what I call a "kissable baby face" makes it more usable. Cisco knows this and, from version 3 and up, they've been trying to improve the usability and it's getting better. It could use some work.

    Not everything is a smart Windows or Mac OS device. We have Windows 10-based user laptops, almost exclusively, and there are some printers and phones and the like that are capable of either a certificate or other 802.1X conversation with Cisco ISE. From an engineering perspective, we just went "way-simple." We do MAC address bypass or MAB tables, which is administratively challenging.

    Finally, I believe we've stretched it beyond its capabilities in attempting to make it a multi-client solution, more like a service provider implementation. It's really not architected for that yet. I think that's on the roadmap. This is what I refer to as a monolithic implementation. It is capable of servicing multiple Active Directories and saying, "I recognize this address range equals client X, and this address range equals client Y," and it can interrogate the appropriate Active Directory. But the way that we've implemented that, honestly, is a hack job. It's fully supported, but it's just not multi-client architected. If I had one message for Cisco, it would be: Please make this thing multi-client, or at least more affordable to do separate implementations that somehow get closer together. That's ultimately what multi-client is.

    All our various clients are collectively involved with one another. Each of the five owners owns an equal share of the company and all profit and loss flows to each of the owners equitably. It's not that we don't have procurement relationships with one another. However, our regulator continues to believe that separating things is better. That way, if one of you gets taken down, the others aren't affected. Anytime that you have a product that is a type of monolithic implementation, it potentially could affect all of us.

    For how long have I used the solution?

    For about six and a half years I worked for a cooperatively-owned service bureau, which is where I got the Cisco ISE experience on the service provider side. Now I'm on the customer side or the business side of how these technologies affect our environment, and how hard or how easy they are to integrate.

    We've had Cisco ISE in production for about four years now. It was a three-year ramp getting it into production.

    What do I think about the stability of the solution?

    It works like a champ until you try to upgrade it, and then it becomes risky and fragile. I don't know whether that is because of the complexity of the architecture. We have what I would call a twin database environment. Where we're trying to keep two copies, at a great distance from one another, synchronized. One misstep and there it goes.

    What do I think about the scalability of the solution?

    It is certainly scalable enough in our environment. We have between 3,000 and 4,000 managed nodes, not counting all of the extra stuff including every type of IOT thing you can imagine: printers, cameras, sensors, a security system. It also doesn't include phones, and we have a phone on every desk, whether there's a user there or not. 

    When you initially think you've only got, say, 3,000 or 3,500 users, how do you get 15,000 devices on your network? But that's the sad reality these days. Everything is on the network. Every employee typically has three devices on the network at any given time: a phone, a tablet, and a computer. The numbers ratchet up quickly. 

    The good news is that it's definitely scalable in our environment to handle 25,000 devices spread across between 150 to 200 locations, some of which are very remote.

    How are customer service and support?

    It is a special class of nerds who know how to work with Cisco ISE, and that's true even inside of Cisco. We have used some third parties, Cisco authorized resellers and solution certified specialists, to deal with this, but that's a last resort. Those are the really expensive people for this because there is such a small community of people who are qualified in this product.

    Because it's such a specialized skill, they are not as available as I would like.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We did not have a previous solution.

    How was the initial setup?

    We were nearly a 100 percent Cisco shop at the time that we selected the product. We had a couple of failed implementations when trying to get it installed. That was likely because we didn't hire the right expertise to assist. Everybody understands the components of it, but when you put it all together, it is just very scientifically complicated.

    What was our ROI?

    In our case, ROI wasn't really a consideration in going with Cisco ISE. It was a regulatory requirement.

    What's my experience with pricing, setup cost, and licensing?

    It is fairly expensive and that's part of why we have implemented it in the type of "hack" that we did, to service multiple clients. It would be nice if it were less expensive.

    Plan your deployment very carefully. Make sure that you really understand the licensing environment. That was a big surprise, not to my team, but to the end customers who were responsible for the budget for it. Everybody thinks "server-centric," and in this particular case, all of those devices that are being protected ultimately have to have appropriate licensing on the system. There was a lot of, "Oh, I didn't realize I had to buy that part." It's not your everyday product and the pricing model wasn't something people were super familiar with to begin with.

    Which other solutions did I evaluate?

    We've evaluated some other products since implementing this one. This is not your everyday tool.

    The one thing that some of Cisco's competitors have done in this particular space, is to take this stuff to the public cloud. As long as you can do that securely, it is helpful. Maybe that would help in our world. I would love to subscribe to this as a service. In other words, we'd prefer that products like this, products that are that complex, be somebody else's problem and just subscribe to the outcome of them. I'd love this solution to be running in Cisco's world where the real expertise is.

    What other advice do I have?

    People groan when they realize that they're going to have to do troubleshooting on Cisco ISE; even the nerdiest of nerds. But any product in this space would engender the same reaction. Trying to figure out how I prove that you're allowed to be on my network is not everybody's happy place. We all just want to set it and forget it.

    The usability and the upgradability over time, for a product that is in such a critical spot, should be better. I'd love to give it a ten because it was the easiest thing in the world to upgrade. It's just not there yet.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
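The reviewer above sends ISE logs to a SIEM and falls back to MAB for devices that cannot do 802.1X, which is exactly where a NAC team needs detection logic rather than more reading of the ISE console. As an added example written for this page (not part of the review and not Cisco code), here is a small detector over ISE authentication syslog. The lines in SAMPLE_LOG are constructed in the shape of ISE's comma-separated key=value syslog, using the real message classes (CISE_Passed_Authentications, CISE_Failed_Attempts) and field names; the hosts, MACs, users, ports and timestamps are made up, and the numeric header fields are placeholders.

```python
"""Added example for this page (not Cisco's code): a small SIEM-side detector
over ISE authentication syslog. SAMPLE_LOG is constructed in the shape of ISE's
comma-separated key=value syslog (message classes CISE_Passed_Authentications
and CISE_Failed_Attempts, real field names); hosts, MACs and users are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
<181>Jun 10 09:00:01 ise-psn1 CISE_Passed_Authentications 0000000101 1 0 2022-06-10 09:00:01.000 +00:00 0000000101 5200 NOTICE Passed-Authentication: Authentication succeeded, Calling-Station-ID=00-11-22-33-44-55, UserName=00-11-22-33-44-55, NAS-IP-Address=10.10.1.5, NAS-Port-Id=GigabitEthernet1/0/7, RadiusFlowType=WiredMAB, EndPointMatchedProfile=HP-Printer
<181>Jun 10 09:00:05 ise-psn1 CISE_Passed_Authentications 0000000102 1 0 2022-06-10 09:00:05.000 +00:00 0000000102 5200 NOTICE Passed-Authentication: Authentication succeeded, Calling-Station-ID=AA-BB-CC-DD-EE-01, UserName=host/laptop-0412.corp.example, NAS-IP-Address=10.10.1.5, NAS-Port-Id=GigabitEthernet1/0/12, RadiusFlowType=Wired802_1x, EapAuthentication=EAP-TLS
<181>Jun 10 09:12:40 ise-psn1 CISE_Passed_Authentications 0000000140 1 0 2022-06-10 09:12:40.000 +00:00 0000000140 5200 NOTICE Passed-Authentication: Authentication succeeded, Calling-Station-ID=00-11-22-33-44-55, UserName=00-11-22-33-44-55, NAS-IP-Address=10.10.7.9, NAS-Port-Id=GigabitEthernet1/0/3, RadiusFlowType=WiredMAB, EndPointMatchedProfile=HP-Printer
<181>Jun 10 09:15:02 ise-psn1 CISE_Passed_Authentications 0000000150 1 0 2022-06-10 09:15:02.000 +00:00 0000000150 5200 NOTICE Passed-Authentication: Authentication succeeded, Calling-Station-ID=AA-BB-CC-DD-EE-01, UserName=AA-BB-CC-DD-EE-01, NAS-IP-Address=10.10.1.5, NAS-Port-Id=GigabitEthernet1/0/12, RadiusFlowType=WiredMAB
<181>Jun 10 09:20:00 ise-psn1 CISE_Failed_Attempts 0000000160 1 0 2022-06-10 09:20:00.000 +00:00 0000000160 5400 NOTICE Failed-Attempt: Authentication failed, Calling-Station-ID=DE-AD-BE-EF-00-01, UserName=jdoe, NAS-IP-Address=10.10.3.2, NAS-Port-Id=GigabitEthernet1/0/20, RadiusFlowType=Wired802_1x, FailureReason=22040 Wrong password or invalid shared secret
<181>Jun 10 09:20:03 ise-psn1 CISE_Failed_Attempts 0000000161 1 0 2022-06-10 09:20:03.000 +00:00 0000000161 5400 NOTICE Failed-Attempt: Authentication failed, Calling-Station-ID=DE-AD-BE-EF-00-01, UserName=jdoe, NAS-IP-Address=10.10.3.2, NAS-Port-Id=GigabitEthernet1/0/20, RadiusFlowType=Wired802_1x, FailureReason=22040 Wrong password or invalid shared secret
<181>Jun 10 09:20:06 ise-psn1 CISE_Failed_Attempts 0000000162 1 0 2022-06-10 09:20:06.000 +00:00 0000000162 5400 NOTICE Failed-Attempt: Authentication failed, Calling-Station-ID=DE-AD-BE-EF-00-01, UserName=admin, NAS-IP-Address=10.10.3.2, NAS-Port-Id=GigabitEthernet1/0/20, RadiusFlowType=Wired802_1x, FailureReason=22040 Wrong password or invalid shared secret
"""

LINE_RE = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<cls>CISE_\w+) "
                     r".*?NOTICE [\w-]+: (?P<msg>[^,]*), (?P<kv>.*)$")

def parse_line(line, year=2022):
    """Return the key=value fields plus cls/host/msg/ts as a dict, or None if not ISE."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k.strip(): v.strip() for k, _, v in (f.partition("=") for f in m["kv"].split(", "))}
    rec.update(cls=m["cls"], host=m["host"], msg=m["msg"],
               ts=datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return rec

def detect(lines, fail_threshold=3, fail_window=timedelta(minutes=5)):
    """Three rules a NAC team would want in the SIEM:
    mab_moved     - a MAB-only device (printer, phone) appears on another switch/port:
                    a moved device, or its MAC cloned onto something else
    mab_downgrade - a MAC that proved a certificate via 802.1X now gets in via MAB:
                    broken supplicant, or the MAC cloned onto an unmanaged host
    failed_burst  - repeated failures from one MAC inside the window"""
    alerts, mab_location, dot1x_macs, failures = [], {}, set(), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mac, loc = rec.get("Calling-Station-ID"), (rec.get("NAS-IP-Address"), rec.get("NAS-Port-Id"))
        if rec["cls"] == "CISE_Failed_Attempts":
            recent = [t for t in failures[mac] if rec["ts"] - t <= fail_window] + [rec["ts"]]
            if len(recent) >= fail_threshold:
                alerts.append(("failed_burst", mac, loc))
                recent = []  # one alert per burst
            failures[mac] = recent
        elif rec["cls"] == "CISE_Passed_Authentications":
            flow = rec.get("RadiusFlowType", "")
            if flow.endswith("802_1x"):
                dot1x_macs.add(mac)
            elif flow.endswith("MAB"):
                if mac in dot1x_macs:
                    alerts.append(("mab_downgrade", mac, loc))
                if mac in mab_location and mab_location[mac] != loc:
                    alerts.append(("mab_moved", mac, loc))
                mab_location.setdefault(mac, loc)  # remember where it was first seen
    return alerts
```

detect(SAMPLE_LOG.splitlines()) flags the printer MAC appearing on a second switch, the laptop that had authenticated with EAP-TLS now getting in via MAB, and three failures in a row from one MAC. Two caveats for a real pipeline: ISE splits long messages across several syslog segments, which must be reassembled by sequence number before the key=value tail is parsed, and the MAB rules need an allow-list of devices that legitimately move (laptops docking via a MAB-listed adapter) or they will page people for nothing.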
    Associate Consultant at a computer software company with 201-500 employees
    Real User
    Top 5
    Streamlines security policy management and reduces operating costs
    Pros and Cons
    • "In terms of features, I think they've done a lot of improvement on the graphical user interface — it looks really good right now."
    • "An issue with the product is it tends to have a lot of bugs whenever they release a new release."

    What is our primary use case?

    Our use cases are based around dot1x. Basically wired and wireless authentication, authorization, and accounting. 

    In terms of administration, only our networking team uses this solution. Probably five to ten administrators manage the whole product. Their role pretty much is to make sure that we configure the use cases that we use ISE for — pretty much for authenticating users to the wired and wireless networks. We might have certain other advanced use cases depending on certain other business requirements, but their job is pretty much to make sure all the use cases work. If there are issues, if users are complaining, they log into ISE to troubleshoot those issues and have a look at the logs. They basically expand ISE to the rest of the network. There is ongoing activity there as well. The usage is administrative in nature, making sure the configurations are okay, deploying new use cases, and troubleshooting issues.

    How has it helped my organization?

    This solution has definitely improved the way our organization functions.

    What is most valuable?

    In terms of features, I think they've done a lot of improvement on the graphical user interface — it looks really good right now. ISE is always very complicated to deploy because it's GUI-based. So they came up with this feature called work centers, that kind of streamlines that process. That's a good feature in the product right now.

    What needs improvement?

    An issue with the product is it tends to have a lot of bugs whenever they release a new release.

    We've always found ourselves battling out one bug or another. I think, overall they need to form a quality assurance standpoint. ISE has always had this issue with bugs. Even if you go to a Cisco website and you type all the bug releases for ISE, you'll find a lot of bugs. Because the product is kind of intrusive, right? It's in the network. Whenever you have a bug, if something doesn't work, that always creates a lot of noise. I would say that the biggest issue we're having is with all the product bugs.

    Also, the graphical user interface is very heavy. By heavy, I mean it's quite fancy. It's equipped with a lot of features and animations that sometimes slow down the user interface.

    It's a technical product — I don't think a lot of engineers really need fancy GUIs. We pretty much look for functionality, but I think Cisco, for some reason, is putting an emphasis on its GUIs looking better. We always look for functionality over fancy features.

    We've had issues with different browsers, and sometimes it's really slow. From a functionality standpoint, we would rather the GUI was light and faster to navigate.

    ISE has a very good logging capability but because their GUI is so slow, we feel it's not as flexible or user-friendly as we would like it to be, especially when it comes to monitoring and logging. At the end of the day, we're implementing ISE for security. And that means visibility.

    Of course, you can export the data into other products to get that visibility, but we would like to have a better type of monitoring, maybe better dashboards, and better analytics capabilities within the product.

    Analytics is one thing that's really lacking. Even if you're to extract a report, it just takes a lot of time. So, again, that comes down to product design, but that's definitely an area for improvement. I think it does the job well, but they can definitely improve on the monitoring and analytics side.

    For how long have I used the solution?

    I have been using this solution since they released the first version over ten years ago.

    What do I think about the scalability of the solution?

    Scalability is pretty good, provided that you design it properly from the get-go. There are design limitations, depending on the platforms, especially the hardware platforms that you select. On the scalability front, it's not a product that can be virtualized very well — that's an issue. Because in the world of virtualization, customers are always looking for products that they can put in their virtual environments. But ISE is not a truly virtualized product, as in it doesn't do a lot of resource sharing.

    As a result, it's not truly virtualized. Although they do have the VM offering, it's not virtualization in the proper sense of the word. That's one limitation of the product. It's very resource-intensive. As a result, you always end up purchasing additional hardware, actual ISE physical servers. Whereas, we would like to have it deployed in virtual machines if it was better designed. I think when it comes to resource utilization, it probably isn't optimized very well. Ideally, we would like to have a better-virtualized platform.

    How are customer service and technical support?

    Tech support tends to be pretty good for ISE. We do use it extensively because of all of the bugs we encounter. 

    Mostly it's at the beginning of setting the whole environment up. Typically, once it's set up properly, it tends to work. But it's just that the product itself integrates with a lot of other products in the network. It integrates with your switches, with your APs, etc. So, it's a part of an ecosystem. What happens is, if those products experience bugs, then it kind of affects the overall ISE solution as well — that is a bit of a dependency. The ISE use cases are dependent on your network access devices, but that's just the nature of it. The only issue with support is you might have to open a ticket with the ISE team, but if you're looking at issues in your wireless network or switches, you might have to open another ticket with their tech team for switches. 

    For customers using Cisco end-to-end, they should improve the integration and provide a seamless experience to the customer. But right now, they have to refer to other experts. They come in on the call, but the whole process just takes some time.

    That's an area that they can improve on. But typically, I would say that the support has been good. We've been able to resolve issues. They are responsive. They've been good.

    Overall, I would give the support a rating of eight.

    How was the initial setup?

    The setup is not straightforward. It's complex. You need to have a high level of expertise.

    What's my experience with pricing, setup cost, and licensing?

    It's an expensive solution when compared to other vendors. It's definitely more expensive than ClearPass. It's expensive, but the issue, again, comes down to scalability. Because you can't virtualize the product, there's a lot of investment when it comes to your hardware resources. Your CapEx is one of the biggest issues here. That's something Cisco needs to improve because organizations are looking at reducing their hardware footprint. It's unfortunate that ISE is such a resource-intensive application to begin with. As it's not a properly virtualized application, you need to rely on physical hardware to get the best performance.

    The CapEx cost is high. When it comes to operational expenditure, it all depends on the features you're using. They have their tiers, and it all depends on the features you're using. The basic tier, which is where most of the functionality is, is relatively quite cheap. But if you're using some advanced use cases, you need to go to their higher tiers. So, I'm not too worried about operations costs. You need to buy support for the hardware: you need space, power, and cooling for the hardware-side. All of that adds up. So, that all comes down to the product design and they need to make sure it's properly scalable and it's truly virtualized going forward.

    Which other solutions did I evaluate?

    We've evaluated other products, for example, Aruba ClearPass. There's another product, Forescout, but the use case is a bit different.

    When it comes to dot1x authentication, I think it's ISE and Aruba ClearPass. Forescout also comes into the next space, but the use case is a bit different.

    We prefer ISE because, I think if you're using Cisco devices, it really kind of integrates your ecosystem — that's why we prefer ISE. When it comes to NAC or dot1x products, from a feature standpoint, ISE has had that development now for 10 to 11 years. So, we've seen the product mature over time. And right now it's a pretty stable and functional product. It has a lot of features as well. So, I think the decision is mainly kind of driven by the fact that the rest of the ecosystem is Cisco as well. From a uniform figure standpoint, the other product is probably the industry leader at this point in time for network admission control.

    What other advice do I have?

    The main advice would be in terms of upfront design — this is where a lot of people get it very wrong. Depending on the platforms you choose, there are restrictions and limitations on how many users. We've got various nodes, so how many nodes you can implement, etc. Also, latency considerations must be taken into account; especially if you're deploying it across geographically dispersed regions. The main advice would be to get the design right. Because given that directly interferes with the network, if you don't get your design right it could be disruptive to the network. Once you've got the proper design in place and that translates into a bit of material, the implementation, you can always figure it out. Getting it right, upfront, is the most important thing.

    Overall, I would give ISE a rating of eight out of ten. I don't want to give it a 10 out of 10 because of all the design issues. There is definitely room for improvement, but overall out there in the market, I think it's one of the best products. It has a good ecosystem. It integrates well with Cisco devices, but it also integrates with third-party solutions if you have to do that. It's based on open standards, and we've seen the ecosystem grow over the years. So, they're doing a good job in terms of growing the ecosystem and making sure ISE can work with other products, but there's definitely room for improvement on the product design itself — on monitoring, on analytics. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Network Infrastructure Specialist at a tech services company with 51-200 employees
    Real User
    Top 20
    Good posturing, good integration, and excellent technical support
    Pros and Cons
    • "At the moment, ISE seems to integrate very well with a number of other technologies."
    • "This product doesn't work in isolation."

    What is our primary use case?

    Mainly the use case of the solution is for ensuring that the corporate staff gets access to their authorized systems. 

    Another use case is for contractors to get access to the authorized systems. Those are the ones that hope to assist in the maintenance or for authorized admissions to the network.

    We do also use it for remote access, for example, VPN's and also for wired and wireless access to the network.

    What is most valuable?

    The posturing is the solution's most important aspect. When a user connects his or her machine to the network, the first is for ISE to check whether that machine is authorized, check that that machine is compliant with respect to antiviruses, whether it complies with respect to Windows updates, et cetera. If not, a feature is on auto-remediation, so that the proper antivirus and Windows updates can be pushed to the machine.

    At the moment, ISE seems to integrate very well with a number of other technologies. It integrates well with Microsoft and integrates well with other wireless systems.

    What needs improvement?

    In terms of the improvements I need, they've already, according to my research, done those improvements with their new versions. The features have already improved on their newer version, and that's why we need to update to that new version.

    What is required is that Cisco needs to be doing health checks and following up with the customer to ensure that their Cisco partners have done the deployment right. That's something that has really helped us.

    Whenever a partner comes and does any deployment, we would, later on, engage Cisco for a health check, so that Cisco could assist with their products. They would check whether it has been deployed following the best practices - or they would just alert us on which features that we have paid for and we are not taking advantage of that. 

    Cisco needs to continue with that health check. That engagement with their customers to reconfirm everything is like a quality assurance that the Cisco partners have given the right stuff to their customers.

    This product doesn't work in isolation. For example, when we talk of posturing the Microsoft updates, the system that does automatic updates for Microsoft needs to work in an ideal fashion. The antivirus needs to work. Of course, the antivirus is not Cisco. Those products need to work as they should so that integration of the ISE product will work as well. When all factors are held constant, Cisco works well.

    For how long have I used the solution?

    We have been using the solution for six years now.

    What do I think about the stability of the solution?

    We have been using it, especially during alternative working arrangements (due to COVID-19). Using it, it's been stable. We have not had any issues. The only reason we are looking to upgrade is we didn't know the benefits that the newer version offered. When we checked with Cisco, they advised us that we were missing a few items that were actually gaps caused by the partner's setup, which we realized we missed during the health check.

    We haven't had bugs or glitches. It doesn't crash or freeze. It's good.

    What do I think about the scalability of the solution?

    Everyone in our company is using Cisco. In terms of users, we have about 1,500, however, in terms of endpoints we have, that would be closer to about 3,000 to 4,000 endpoints, including wireless gadgets, switches, laptops, phones, and all that. We use it on a daily basis.

    Scalability probably might be an issue. Before we bought ISE, we did sizing for each. We looked at the number of users in the organization, 1,500, and then we used a factor to look at the uppermost band. We decided we would have to go for 4,000 licenses or 4,500 licenses. We multiplied by three. Based on that, we went for a certain hardware model.

    This time, the hardware model we are going for supports up to or has the capability to support up to 10,000 users or endpoints. When we go for that, we will have used even less than 50% of what their hardware is capable of. Above 10,000, there's another hardware model that we're generally expected to go for. 

    Basically, when you get the right model, when you do the right scaling, it will be very scalable. However, from the onset, you need the right hardware for ISE.

    The solution is more meant for enterprise-level organizations. It's not really for small companies, however, that has more to do with the pricing.

    How are customer service and technical support?

    We've dealt with technical support in the past. Their support is excellent, except for Umbrella. There is a technology called Cisco Umbrella, and they're a bit slow, however, the technical support in general, depending on the severity of the issue, is very prompt. I would say we are quite satisfied with their level of service.

    Which solution did I use previously and why did I switch?

    I've only ever used Cisco. I used to use NAC, however, they changed to ISE. I've never used any other product.

    How was the initial setup?

    We had a partner set up the solution, and we're not sure if they set it up correctly. The partners come straight to us, and do the deployment. Cisco only is there to be the third eye to come and check that the deployment has been done okay.

    You have to make sure that other items connected to ISE are correctly implemented and updated as well (such as the antivirus), otherwise, it won't work as you need it to. There's a lot of configuration that needs to be done at the outset.

    I'm not sure how long the deployment takes, as I wasn't at the company when it was set up. However, it's my understanding that it shouldn't take too long so long as everything surrounding it is correctly aligned.

    Any maintenance that needs to be done is handled by a third party. That includes patching, et cetera. We have an SLA with a Cisco recognized partner.

    What about the implementation team?

    We worked with a partner that assisted with the setup.

    Afterward, Cisco will also come in to do a "health check" to make sure the setup is correct and they can direct users to features they should use or are not using.

    What's my experience with pricing, setup cost, and licensing?

    Cisco does not sell directly. They have authorized partners you need to buy through.

    I don't deal directly with the licensing and therefore do not have any idea what the pricing of the product is. It's not part of my responsibilities.

    It is my understanding, however, that it would be expensive for smaller organizations. Startups may not be able to afford these products.

    We don't really worry about pricing, as cheap might be expensive in the long run if you don't get a product that is right for your organization, or is more likely to break down over time.

    Which other solutions did I evaluate?

    We are in the process of doing a refresh and I have compared other technologies to see how they stack up. I've looked at Fortinet, for example.

    I wouldn't say we are switching from Cisco. What we are doing is we were exploring other technologies that offer similar functions. Sometimes it's good to look outside as you might think you have the best and yet you don't. We are just looking for other solutions to get to know what they offer. If we feel that there is something unique that is on offer somewhere else, then we would want to check that in Cisco and see, where is this offered in Cisco's product? 

    We haven't concluded that we are switching. In any case, from what I have seen so far, it is likely we won't switch. 

    What other advice do I have?

    We're just a customer. We buy their products for our security and our connectivity.

    We're not using the latest version. We're actually using a few versions back. We have ISE, which is version 2.3. We're supposed to go up to version 2.7, and that requires a refresh of the hardware.

    That's why we are saying, "Should we try to look for a different solution?" That's why I have been looking for comparisons. We haven't dedicated a lot of time to that yet. From my assessments so far, however, ISE still wins the show and it's likely that the partner that was doing the deployment originally on behalf of Cisco probably missed out on a number of things. It's really about the engineers who are doing the deployment. You need to make sure you have some good ones.

    I would recommend this solution to others, especially mature organizations as the smaller organizations may not be able to afford this. 

    On a scale from one to ten, I would rate the product at an eight.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Accounting Executive at a tech services company with 11-50 employees
    MSP
    Highly granular and effective NAC, but also complex to deploy
    Pros and Cons
    • "The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique MAC addresses. It would say that this is in my profile so I could get to those apps with either device, 24/seven. That's how granular the ISE or these NAC solutions can get."
    • "In the next release, I would want to see this kind of solution in the cloud as opposed to on prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud based software subscriptions."

    What is our primary use case?

    The ISE product is used to make sure that folks can get access to the application servers that they need to get access to, let's say for accounting and another group like sales and marketing, they would have no business accessing each other's servers, those apps. So you would set up a policy that allows accounting to do what they have to do whether they're remote or on campus and then the sales and marketing folks could never access that. They are totally blocked. It's a virtual firewall, basically.

    What is most valuable?

    The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique MAC addresses. It would say that this is in my profile so I could get to those apps with either device, 24/seven. That's how granular the ISE or these NAC solutions can get. That you have to have that same device.

    They can get into the antivirus. They will check the antivirus to see if it's the most current version and if it's not, if that's your policy, it will let you go through and access the app if the antivirus has been updated. But if the policy was that it has to be the most current version, then it can block you until you upgrade the antivirus.

    What needs improvement?

    As far as what could be improved, to continually be thinking about ransomware, cyber attacks, and all those kinds of things. They always have to be innovating. Always have to be improving. I can't give you anything specific because these cyber guys are always coming up with new ways to get in. You just really have to be aware of what's going on.

    In the next release, I would want to see this kind of solution in the cloud as opposed to on prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud based software subscriptions.

    What do I think about the stability of the solution?

    In terms of stability, they are rock solid. If you set the policy and you implement it, it's not going to break.

    What do I think about the scalability of the solution?

    They scale. You just have to buy licenses. Whether you're talking about 5,000 users or more, it's just a licensing model.

    What I saw most customers trying to do was to outsource it to the partner. A value added reseller would have to do that. They typically haven't been trained. They have to go to school, get certifications and that kind of stuff. That's always a requirement, but most people weren't going to tackle that themselves. They're going to farm it out to somebody who has done it before, who has the expertise to do it.

    I do anticipate increased usage. Pick a vendor, like Cisco and Aruba, because for all the threats that are out there, they are always going to have some kind of a NAC strategy. You have to. You really have to. The days of the firewall or perimeter security are over. There are just too many possible ways people can come into your network - disgruntled employees, someone that got paid off, you never know. This is always going to be here.

    How are customer service and support?

    They're very good. All of them are very good.

    Which solution did I use previously and why did I switch?

    It has been pretty much Cisco from the beginning. With another VAR recently, we were pitching the Aruba ClearPass. And actually the ClearPass will run on top of a Cisco infrastructure, which is kind of cool. That's unique, but the ISE doesn't go that way. You won't run ISE on top of an Aruba infrastructure, but Aruba built that solution from day one to be compatible with Cisco switches and routers and wireless stuff. I thought that was pretty compelling.

    Cisco has their ISE, their Identity Services Engine. The other one that I would tell a customer to look at would be the Aruba ClearPass. I don't know enough about the Juniper Solution to make any comment about that. But those are the two that I think about the most for identity solutions.

    How was the initial setup?

    The first part is to figure out what you want, what the customer wants to protect, who needs to be protected, and to gather all the data you can on users, contact information, the devices they use, the MAC addresses of the devices, what time of day, what apps... I mean you really have to dig into all that. It's not easy. It's hard. The bigger the customer, the more complex it is going to be. But if you don't do that, the deployment is not going to go well. Really, consulting on the front end has to occur.

    On the consulting part, it depends on how big the customer is, how many you're talking about - 5,000 users or 50 users. That drives the answer. I would say if you don't take 30 days to scope it correctly and document, if you do something less than that, the execution deployment is going to go sideways and that can be months. Those things are months. Those could be six months or so. You've got to pick a pilot case. You build a template, you do a small group, and then you see how the reactions are, see if the users accept that policy, make sure it's right. I would do it group by group. Accounting first, or IT first. And then you do the sales and marketing and HR and all those kinds of things.

    What was our ROI?

    In terms of ROI, the only thing that comes to mind is if you look at whatever the current market data says for a breach cost if you have ransomware attack or something, if you choose to rebuild your network, as opposed to paying the ransom, what does that cost? Is that $100,000 a day? Is that a million dollars a day? So whatever that cost is, go look at the cost of the NAC licensing, ISE or ClearPass. And that answers the question for you. If you can block the threats on the front end, you can avoid the whole ransomware conversation.

    What's my experience with pricing, setup cost, and licensing?

    I have not looked at the pricing in a while. I don't really know. These companies are putting together enterprise license agreements, like a site license, and they'll do multiyear and they'll make them pretty aggressive. If you are buying three security packages from them, for example, they'll give you a significant discount. If you're at two, when you look at the cost to go to a third one, they'll just do it because it discounts the whole package altogether.

    As for extra fees and costs, it is just a subscription model, pretty predictable.

    What other advice do I have?

    I can tell you, even as a Cisco person, ISE was considered very complex and difficult to deploy. That was coming from both the customers and the partners that had to deploy it. It can be very complex and you really have to know what you're doing. The thing that we always stress with customers is to go through and build a policy first. Decide what you want to block, and who is going to have access to what, and do some due diligence on the front end because once the policy is created, then you can deploy what we have all agreed to. As opposed to just trying to wing it and figure as you go - that is not a good play. That was always the comment from the Cisco customers.

    My advice to prospective users is to find a consultant or a VAR that has done it before. I think that is key. And then talk to a customer that they did it for.

    On a scale of one to ten, I would rate Cisco ISE a seven. That is because it is so complex. I mean, it's not a trivial task.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Adam Boldin
    Network Architect at Tarrant Regional Water District
    Real User
    Helps us protect our SCADA systems by segmenting them from the rest of the network
    Pros and Cons
    • "The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket."
    • "I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself."

    What is our primary use case?

    We use it for wired .1x, wireless authentication, VPN, and multi-factor authentication. We wanted to have a consistent experience for authentication and authorization of endpoints across the network, as well as security.

    How has it helped my organization?

    As a water utility organization, we're considered critical infrastructure by the feds. Everyone needs water. So it's important for us to protect our industrial control systems, our SCADA systems. ISE helps us do that by segmenting them off from the rest of the network.

    And by eliminating trust, it helps us with audits, including CJIS because we have a law enforcement division, and trying to conform to the NIST standards. A lot of government agencies are becoming more familiar with the Zero Trust model and ISE makes our audits go a lot faster and a lot smoother than they used to.

    What is most valuable?

    The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket.

    In addition, ISE really adopts and is strong in the Zero Trust model where we consider everybody a foreign endpoint until they prove they belong on the network. ISE just seems to be built from the ground up to do that, whereas with other solutions, you have to "shoehorn" that in.

    I also rate it pretty highly for securing access to our applications and network. If you have the good fortune of being a total Cisco shop, you can utilize SGTs, end to end, across the network. It can be a little tricky to get working, but once it does, it creates quite a consistent experience for any endpoint, even if it moves anywhere in the network.

    What needs improvement?

    I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself.

    For how long have I used the solution?

    I've been using Cisco ISE (Identity Services Engine) for 10 years.

    What do I think about the stability of the solution?

    Now, the stability is pretty good. I've been working on it since the product launched and it was a bit sketchy. Its current state is really good right now.

    The only thing we have run into was a bug when we ran virtual appliances, but that turned out to be an issue with our storage networking QoS policies. That wasn't really an ISE problem, it was more of a storage problem.

    What do I think about the scalability of the solution?

    In terms of supporting a distributed network, it's pretty powerful. You can stand it up and cluster it and it scales out pretty well. You can put nodes wherever you want to service authentication requests. We're able to scale up or out and we can choose how and when we do that with either virtual or physical machines, meaning it's very flexible. 

    It scales quite well. One of the things that Cisco is good at is keeping things pretty simple when you want to scale it. If you want to scale up, you get stronger admin and monitoring nodes. If you want to scale out, you get more policy service nodes. It's quite easy to stand them up, really anywhere, if you use virtuals.

    We use it around our Fort Worth campus, which has about half a dozen buildings. By the end of the summer, we'll have it deployed to all of the rest of our five campuses. We have about 30 remote locations across 12 counties in North Texas and they're all using ISE. It works out pretty well.

    We have it on-prem right now, but we are moving to a hybrid cloud platform on Azure for a lot of our applications, so we're starting to do proofs of concept with ISE in Azure.

    How are customer service and support?

    TAC is pretty good. I would definitely suggest getting their solution support, which provides higher maintenance. That way, when you do get someone, you get someone who knows what they're doing. If you get the higher level of support, you get some really smart people who can fix things pretty quickly.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We used to use Aruba ClearPass. It was somewhat clunky to use and it didn't integrate well with third-party platforms. If you used Aruba, it worked great. If you didn't use Aruba, and were pointing things at ClearPass, it had some issues. We found that ISE typically handled things a little bit better. We could point anything at ISE and take care of it.

    How was the initial setup?

    The initial deployment was pretty straightforward. It's very simple to just turn the box on and plug into it. You go through a couple of settings and then you can log in to the GUI and pull in all the other nodes that you want.

    After the gear came in, it took us about a day to deploy it. I started by implementing it at the local campus. That way, if I broke anything, I could just walk down the hall and not have to drive anywhere.

    I stood up the first cluster, and then it was another engineer and me who worked on deploying it out to all the buildings. We started out in monitor mode, to see what it would do if we had turned it on. Once we had remediated anything that looked like it was authenticating incorrectly on the wired network, we went to closed mode and that's where we are now.

    What was our ROI?

    Return on investment falls in line with the business vision of securing our resources and protecting them against cyber attacks and nation-state attacks. It's hard to put a monetary value on clean water.

    What's my experience with pricing, setup cost, and licensing?

    Licensing is a disaster. It's a mess and I hope they fix it soon.

    Which other solutions did I evaluate?

    In addition to ClearPass, we looked at Forescout. At the time we looked at Forescout, it was more of an inline product and we weren't looking to add more infrastructure between parts of the network to try to do inline authentications. It seemed easier to do it on the switch ports and have them talk to ISE.

    What other advice do I have?

    It's a very strong platform, especially now that we're on version 3.1. It's definitely my go-to. I would recommend it over any other NAC platform.

    It requires a lot of technical knowledge to actually get it off the ground and running. It's not quite as intuitive as it could be, but it's still a solid platform.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
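The monitor-mode-then-closed-mode wired rollout described in the review above is, on the switch side, a small difference in port configuration. The following classic IOS 802.1X/MAB configuration is an added example, not the reviewer's or Cisco's own configuration; the RADIUS server address, shared secret, VLAN and interface names are placeholders.

```cisco
! Global: point the switch at the ISE policy service node (address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
dot1x system-auth-control
!
! Phase 1, monitor mode: the port still runs 802.1X and MAB and reports every result to
! ISE, but 'authentication open' forwards traffic regardless of the outcome, so failures
! show up in the ISE logs without cutting anyone off.
interface GigabitEthernet1/0/1
 description user access port (monitor mode)
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Phase 2, closed mode: the same port, minus 'authentication open'. Only traffic from
! sessions ISE has authorized is forwarded; anything still failing is now enforced.
interface GigabitEthernet1/0/2
 description user access port (closed mode)
 switchport mode access
 switchport access vlan 10
 no authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
!
! Verification while still in monitor mode: sessions whose status is not 'Authz Success'
! are the endpoints that would lose access once 'authentication open' is removed.
show authentication sessions
show authentication sessions interface GigabitEthernet1/0/1 details
```

The point of the two-phase approach is that the switch configuration and the ISE policy are exercised for real during phase 1; the only change at cutover is the single `authentication open` line per port, which is why the remediation work done while monitoring carries straight over to closed mode.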
    Shawn Connors - PeerSpot reviewer
    Infrastructure and Cybersecurity Manager at George Washington's Mount Vernon
    Real User
    Top 20
    We've experienced first-hand the reliable protection provided against malware and ransomware
    Pros and Cons
    • "The solution cuts down on the repercussions of getting malware or ransomware."
    • "The solution can lag somewhat as we have a large database."

    What is our primary use case?

    We have two servers and they're both VMs. Every network system is issued a certificate and each device coming onto the network has to be on the domain with an active AD user logging into it. It needs an up-to-date AMP, which is our Cisco malware and virus scan product, and it also needs to have the most current Microsoft security updates and the three layers that we're using: the core VPN, the Network Access Manager and the ISE profiler. When it goes through all those different things on every port on the switch, there are commands for it to be able to go through an ACL so it knows what users are there, what server, and what devices have been put onto the domain. It can verify all that.

    The user can then proceed on to the network. We've set it so that regular users are VLAN'd off and can only see the data network through ISE and are blocked from seeing the rest of the network. Depending on the department needs or other factors, we have cameras for security which are on a different VLAN, and they can see those. We also have something for O&M where the AC guy can see the AC equipment, and we can prevent all the VLANs from being viewed by everybody.

    We are customers of Cisco and I'm the infrastructure and Cyber security manager.

    What is most valuable?

    The solution cuts down on the repercussions of getting malware or ransomware which happened to us four years ago. We regularly took very aggressive snapshots and we were able to recover in an hour and 20 minutes without any loss of data.

    What needs improvement?

    Because we have a large database and 4,000 network devices, the solution can lag a bit when you're running updates or different things because of the fact that it's so big and it is such a resource hog. But the biggest problem we've encountered is that it finds errors or people are rejected or not authenticated without a clear explanation as to why. A second issue is that we're currently on 2.4 and Cisco's gold standard now is 2.7. They are a little slow with that.

    I'd really like the solution to dive down a little deeper when something's not profiling. As it stands now, you have to go through and search what hasn't profiled. Microsoft, for example, gives you a direction to look at and will even be specific sometimes and tell you there is a password error, or the password hasn't been updated, or it's not meeting the policy and that's why it won't let it through. Those are very helpful because you know exactly what's required to solve a problem. 

    Cisco is getting better with it, but they fail in some areas because of a network connectivity issue, or it's not getting DCAP quick enough and it fails. Those things would be more helpful to understand when it's going through, so you are able to triage it a little better. I mean, it does point you in a direction, but sometimes you have to dig a lot deeper to find the right direction and figure out what kept it from profiling. One big issue we've discovered is that people are not rebooting their machines or powering them off at night. We're trying to ensure that is done by sticking messages on screens.

    For how long have I used the solution?

    I've been using this solution for the past two years. 

    What do I think about the stability of the solution?

    ISE is pretty stable. If it does have an issue then you need to call TAC and work through the bug in it. They are very responsive and very quick to help us eliminate the issue and also come up with a plan, such as how to move forward with additional issues or different things that are coming down the pipe with Cisco ISE. When you're talking to them, you feel like they are a partner and not just a disconnected entity.

    How are customer service and technical support?

    The technical support is excellent, I would rate them very highly.

    How was the initial setup?

    The initial setup is very complex. You have to go in and manually add in all the network devices, as far as all the switches, access points are concerned. You have to go port by port and add in codes and conditions and you have to go switch by switch and add in codes and conditions. You start out with a monitor mode and then go to an impact mode and then you go towards total lockdown. Implementation took us about 18 months. We rolled it out in short bursts because we have a very small IT team and we had a consultant company come in and work with us on installing it. A lot of it was knowledge transfer from them to us.

    Our consultant was Cycorp; their main focus is network security. They are a sister Cisco partner, and we had one of their CCIEs come out and help implement everything. The gentleman at the top of the CCIE was a former Cisco employee and a beta tester for ISE. Now that we have it in, I feel it's pretty much a game changer on locking down our network so that we're not penetrated from inside or outside because everything going through the VPN has to meet a certain standard.

    What's my experience with pricing, setup cost, and licensing?

    We did a five year deal and it was very reasonable. For the Avast virus scan, I think we were paying $95 a machine for five years, which nobody else could touch. And that includes all updates, technical support, etc. From the ISE side, I'm not really sure what it costs because it was all encompassed in equipment we were buying and the ISE and the AMP and the open DNS. I know that it was not more expensive than any of the things we had looked at with HP or BMC or other places. It was much more cost effective.

    Which other solutions did I evaluate?

    We have looked at other products but we are a Cisco shop so having a Cisco product rides very easy on all our switches, our access points, and our Cisco servers. I believe it's the same for other companies such as HP. It's also a priority for them that the solution works better with HP switches. Given that we weren't going to change our switches, we really needed to focus on something that was going to work well with our environment.

    What other advice do I have?

    The important thing is to have a good game plan going into it. Prep is key for everything going on with ISE. The more stuff you have prepped and the more understanding that you have upfront of how it goes through and how it behaves, the better off you are.

    I would rate this solution a nine out of 10. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Sean Muller - PeerSpot reviewer
    IT Security manager at an energy/utilities company with 201-500 employees
    Real User
    Top 5 Leaderboard
    An authentication solution we can trust
    Pros and Cons
    • "The ability to integrate our Cisco AnyConnect connections to the active directory has been great."
    • "It would be nice if it could be configured easily by default."

    What is our primary use case?

    This solution ties into our Cisco Duo and Cisco AnyConnect connections to help us authenticate against the active directory and Cisco Duo multifactor authentication. It takes metrics about the connections that are connecting it and allows us to set up a rule against them. For instance, if a Windows device is not all the way up to date, we can put a message up that says, "Before you're able to connect, please do your Windows updates as they haven't been done in six months."

    As this solution allows AnyConnect to authenticate with the active directory in the backend, the users won't directly use it. Still, it will be in use throughout the login process into Cisco AnyConnect as a source of authentication.

    With this solution, we don't require anyone for maintenance.

    What is most valuable?

    The ability to integrate our Cisco AnyConnect connections to the active directory has been great. Also, using it as a source of authentication during the process of logging into Cisco AnyConnect has been very useful for us.

    What needs improvement?

    It perfectly does everything we have been looking for it to do. I have not discovered any feature sets or items that are lacking. It's a much more functional product than the old Cisco ACS that it replaced. 

    That being said, during deployment, they shipped us the Cisco ISE with the 3.1 operating system, which was incompatible with the license that we had purchased, which would only allow us to go up to version 2.9. Because of this, we actually had to do a factory reset and a reload to the operating system — to an older version of the operating system. This required a very extensive process. We had to take out the Cisco ISE and put it into a factory reset mode to get it to roll back to the old operating system. If we were doing an upgrade, this would have been very simple, but as we were doing a downgrade, it was extremely complex and very labor-intensive. I was crawling through the server room, through wires, to plug things in, to get it to connect in the way that it needed to be connected with an external device in order to actually get it to roll back.

    I don't like that the licensing structure doesn't allow us to have the 3.1 operating system — it forces us to use version 2.9. If you don't want to pay a monthly or a yearly subscription fee, either that device should have come automatically with the 2.9 version operating system, or it should have been much easier to actually roll it back. Additionally, support should have realized that our license requires us to have the 2.9 operating system instead of the 3.1 operating system, which would have saved us a lot of time. 

    It would be nice if it could be configured easily by default. If you're configuring a Cisco device, you pretty much need the support of a CCNA-level technician to be able to do it. It would be nice if there was a default or a more simple way to do it. It's not really a requirement to use the device because you can purchase the premium support or you could get a CCNA in-house to do it. Just having that ability to say, "Hey, we want to set this up" without too many complications or without having to bring in support would be nice. 

    For how long have I used the solution?

    We've only been using this solution for the past three months. 

    What do I think about the scalability of the solution?

    The scalability reports that we could easily handle a million users. 

    How are customer service and technical support?

    I have been extensively involved with their technical support; their technical support is very good. They're more than willing to just jump on and do things for you. My only complaint is that at one point, we were trying to configure our single channel for Cisco Duo to be able to perform a password reset. Whenever we needed to look closely at another device, the support technician would say, "Hold on, let me bring in my expert on VPN; hold on, let me bring in my expert on Cisco ASA." We basically had to wait until we were able to get the Cisco Duo support agent, the Cisco ASA support agent, the Cisco VPN support agent, and the Cisco ISE support agent — all in the WebEx meeting at the same time.

    As far as I understand, there are CCNAs that should have been able to do it, but they brought in the experts from each item instead of just directly doing it themselves — this made the whole process take longer. Still, they were able to do everything in a way that did not affect our live environment, even though it was on the same device. That was actually very nice because it meant that we could do it in the middle of the day instead of having to do things in the middle of the night.

    How was the initial setup?

    The initial setup was very simple. Everything was set up within an hour thanks to assistance from the onboarding teams from Duo and Cisco, and our network administrator. They got it set up and reviewed a bunch of options with us. It was a very easy and nice process.

    What about the implementation team?

    Implementation was achieved with in-house resources and premium onboarding support. The entire process only took an hour.

    What's my experience with pricing, setup cost, and licensing?

    We are running version 2.9 because version 2.9 of the ISE has a persistent license — it's a one-time payment. The latest version (3.1) is only available if you do a yearly subscription.

    It's a licensed physical device; there is no subscription. If you want the latest operating system, then you'll need to get an annual license.

    What other advice do I have?

    If you're planning on using this solution, my advice is to be sure you review the full feature set available and select what is important to your users. This way you'll be able to ensure that you'll have everything you want and need.

    Overall, on a scale from one to ten, I would definitely give this solution a rating of nine. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free Cisco ISE (Identity Services Engine) Report and get advice and tips from experienced pros sharing their opinions.
    Updated: July 2022