Cisco ISE (Identity Services Engine) Reviews

We use it to ensure that any device that connects to our network or wireless environment is a company-owned asset and has all the security certificates. We aren't doing too much remediation. We just identify whether it's one of our assets and whether it's allowed.

In our company, we have a lot of remote workers. Knowing that even devices that are coming through a VPN comply with our policies, whether they're in the office or they're remote, face the same level of scrutiny is a benefit to our company.

We can set as in-depth alerts as we want to. We can set up an alert through email, text, etc.

It has helped to improve our cybersecurity resilience. It helps to ensure that all devices meet the patching and certificate requirements.

It's keeping our company safe from rogue devices connecting to our network. From a security standpoint, there's peace of mind knowing that every device that connects is a good one.

The upgrades could be better. Every time we try to do an upgrade, we have problems. It's a pain.

I've only been with the company for six months, but they adopted Cisco ISE about three to five years ago.

Support has always been good. Overall, I'd rate them an eight out of ten. Sometimes it feels that their first-level support hasn't been trained in-depth.

Positive

We have redundant solutions across all of our data centers, policy nodes, and authentication nodes. As far as I know, we started off in a small deployment with our wireless. We profiled our devices to ensure that they belonged to our companies before we let them access, and then from there, we expanded into profiling wired ports as well, so we started very small and then moved to a larger solution.

In terms of our plans to increase its usage, we may use Cisco ISE in different ways, but the number of nodes that we have will probably stay the same. With version 2, we're moving more of our deployment to the cloud, so we'll move from the on-premise solution to the cloud. We've already started the process. We have some nodes built in the cloud, and we just have to move the production and then remove our on-prem. We're using Oracle Cloud for our highest deployments. It will be fully cloud.

We've seen a return on investment from the security aspect.

I'd advise starting just the way we did. Start small because there are a lot of use cases of Cisco ISE. If you try to do it all at once, you might be disappointed, so start small and pick an area that you'd like to focus on, get that piece done, and then go from there. 

It hasn't really helped to free up our IT staff for other projects. It also hasn't helped us consolidate any tools. 

Overall, I'd rate Cisco ISE an eight out of ten.

The ISE product is used to make sure that folks can get access to the application servers that they need to get access to, let's say for accounting and another group like sales and marketing, they would have no business accessing each other's servers, those apps. So you would set up a policy that allows accounting to do what they have to do whether they're remote or on campus and then the sales and marketing folks could never access that. They are totally blocked. It's a virtual firewall, basically.

The way the ISE works is you can get into defining. Let's say, in my case, I've got a Windows laptop and I've got an Apple product and those have unique identifiers, unique back addresses. It would say that this in my profile so I could get to those apps with either device, 24/seven. That's how granular the ISE or these NAC Solutions can get. That you have to have that same device.

They can get into the antivirus. They will check the antivirus to see if it's the most current version and if it's not, if that's your policy, it will let you go through and access the app if the antivirus has been updated. But if the policy was that it has to be the most current version, then it can block you until you upgrade the antivirus.

As far as what could be improved, to continually be thinking about ransomware, cyber attacks, and all those kinds of things. They always have to be innovating. Always have to be improving. I can't give you anything specific because these cyber guys are always coming up with new ways to get in. You just really have to be aware of what's going on.

In the next release, I would want to see this kind of solution in the cloud as opposed to on prem because when enhancements are made to the software, if it's in the cloud, it's overnight. I mean you're not going to have to respin the servers that the license sits on, it's all microservices kinds of things in the cloud. That would be my recommendation. If I'm a customer, that's what I'm looking at - for cloud based software subscriptions.

In terms of stability, they are rock solid. If you set the policy and you implement it, it's not going to break.

They scale. You just have to buy licenses. Whether you're talking about 5,000 users or more, it's just a licensing model.

What I saw most customers trying to do was to outsource it to the partner. A value added reseller would have to do that. They typically haven't been trained. They have to go to school, get certifications and that kind of stuff. That's always a requirement, but most people weren't going to tackle that themselves. They're going to farm it out to somebody who has done it before, who has the expertise to do it.

I do anticipate increased usage. Pick a vendor, like Cisco and Aruba, because for all the threats that are out there, they are always going to have some kind of a NAC strategy. You have to. You really have to. The days of the firewall or perimeter security are over. There are just too many possible ways people can come into your network - disgruntled employees, someone that got paid off, you never know. This is always going to be here.

They're very good. All of them are very good.

It has been pretty much Cisco from the beginning. With another VAR recently, we were pitching the Aruba ClearPass. And actually the ClearPass will run on top of a Cisco infrastructure, which is kind of cool. That's unique, but the ISE doesn't go that way. You won't run ISE on top of an Aruba infrastructure, but Aruba built that solution from day one to be compatible with Cisco switches and routers and wireless stuff. I thought that was pretty compelling.

Cisco has their ISE, their Identity Services Engine. The other one that I would tell a customer to look at would be the Aruba ClearPass. I don't know enough about the Juniper Solution to make any comment about that. But those are the two that I think about the most for identity solutions.

The first part is to figure out what you want, what the customer wants to protect, who needs to be protected, and to gather all the data you can on users, contact information, the devices they use, the Mac addresses of the devices, what time of day, what apps... I mean you really have to dig into all that. It's not easy. It's hard. The bigger the customer, the more complex it is going to be. But if you don't do that, the deployment is not going to go well. Really consulting on the front end has to occur.

On the consulting part, it depends on how big the customer is, how many you're talking about - 5,000 users or 50 users. That drives the answer. I would say if you don't take 30 days to scope it correctly and document, if you do something less than that, the execution deployment is going to go sideways and that can be months. Those things are months. Those could be six months or so. You've got to pick a pilot case. You build a template, you do a small group, and then you see how the reactions are, see if the users accept that policy, make sure it's right. I would do it group by group. Accounting first, or IT first. And then you do the sales and marketing and HR and all those kinds of things.

In terms of ROI, the only thing that comes to mind is if you look at whatever the current market data says for a breach cost if you have ransomware attack or something, if you choose to rebuild your network, as opposed to paying the ransom, what does that cost? Is that $100,000 a day? Is that a million dollars a day? So whatever that cost is, go look at the cost of the NAC licensing, ISE or ClearPass. And that answers the question for you. If you can block the threats on the front end, you can avoid the whole ransomware conversation.

I have not looked at the pricing in a while. I don't really know. These companies are putting together enterprise license agreements, like a site license, and they'll do multiyear and they'll make them pretty aggressive. If you are buying three security packages from them, for example, they'll give you a significant discount. If you're at two, when you look at the cost to go to a third one, they'll just do it because it discounts the whole package altogether.

As for extra fees and costs, it is just a subscription model, pretty predictable.

I can tell you, even as a Cisco person, ISE was considered very complex and difficult to deploy. That was coming from both the customers and the partners that had to deploy it. It can be very complex and you really have to know what you're doing. The thing that we always stress with customers is to go through and build a policy first. Decide what you want to block, and who is going to have access to what, and do some due diligence on the front end because once the policy is created, then you can deploy what we have all agreed to. As opposed to just trying to wing it and figure as you go - that is not a good play. That was always the comment from the Cisco customers.

My advice to prospective users it to find a consultant or a VAR that has done it before. I think that is key. And then talk to a customer that they did it for.

On a scale of one to ten, I would rate Cisco ISE a seven. That is because it is so complex. I mean, it's not a trivial task.

We are resellers. We provide and deploy solutions for our customers.

Cisco ISE (Identity Services Engine) helps the operation to automate.

It works very well with the network, router, and switches. It is able to enforce the policy and assigns the traffic a Security Group tag.

A Google user is able to enforce access throughout the router and switches ensuring the traffic going through has the same policy.

When you push out the policy, it is able to populate the entire network at one time.

It's quite good, the market is using this solution.

This solution has enhanced features that make it difficult to use. To make it easier, it should be made without PxGrid.

It should be able to work with third-party routers and switches. We want to work in an environment where there are multi-vendors that require PxGrid.

Their software-defined access is not easy to implement. You have to have a good understanding of how to implement it. It would be helpful if they could make it easier for the customer to adopt.

Third-party integration is important, as well as the continuous adaptation feature, which is the AIOps. It would be helpful to include the AIOps.

They are currently on version 3.1.

If the customer has more than 200,000 users, the performance becomes a bit laggy.

In terms of scalability, it's available on the cloud, but I have not yet tested the features on the cloud.

It is used mainly by our customers, who use it for their entire infrastructure. They have anywhere from 50,000 to 100,000 users.

Technical support could be better. They outsource the support.

We are brought all around the world, it is similar to following the sun.

Currently, I am using SD-WAN (Software-Defined WAN) from Silver Peak.

To complete the installation, you need to be technically knowledgeable. The setup could be easier.

For the content, and the technologies it is made to be a bit more complex. 

The technology is good, but to use some of the other features, and capabilities, they request that we purchase the Cisco DNA Center. As a result, the bundled price is a little high.

Once you purchase the DNA, you will need the SNA then the license, overall it's very expensive.

If, however, you implement Cisco ISE without the DNA and the SDA, the price is reasonable.

To avoid running into any complications when getting this solution up and running, you should get technically trained and comfortable with it before applying it.

I would rate Cisco ISE (Identity Services Engine) a seven out of ten.

We use this solution to protect the network especially when someone brings their own device and to lock out access to anybody connecting to the network. Also to make sure that the people connect to the correct VLAN. So, mainly for security wifi access so that when people want to connect to our wifi they have to log in using their credentials.

We give guests limited access to the internet when they come in so that access has been useful. Previously, we just used to give them the APN key which they would leave with. Now, we give them credentials to use that are for a limited period of time.

It is stable. Any time we found an issue we would get in touch with the reseller to help fix it. Then they tell us where the problem is and we'll know where to look. 

It is scalable. We have around 350 users. We required two staff members for maintenance but they don't have enough knowledge so we have to reach out externally for more help. 

Their technical support has been good. They have been responsive every time we have an issue. They get logs, check and then give us feedback of which corrections to do.

The initial setup was complex. We had to engage an expert. When we rolled it out we would find challenges and then we would have to find a way of fixing those challenges. Out of  nowhere, it would lock out all users. Then we discovered that no, the password had expired for the service account. We needed to make it none expiry.

Deployment took about a month. We had to do project planning, discuss the plan with the team, and by the end, it was a month.

We used a reseller for the implementation and we had a good experience with them. 

If you go directly with Cisco for the implementation it's very, very expensive.

We also looked at Aruba.

It's a good product but it requires technical support and knowledge otherwise it will be difficult to manage and run it. It requires somebody to be configuring issues. You need protection as you advance in the usage but it's a good product. 

I would rate this solution an eight out of ten. In order to make it a ten, it should be more user-friendly. You need somebody who is knowledgeable about it to use it. It's not easy to use. We have to rely heavily on technical support.

My main uses are device administration, wireless access authentication, and ethernet access.

The most valuable feature is network access control for the users coming into the network, which allows us to know who is in the network at any given time.

The intuitiveness of the user interface could be improved. They could also make the deployment process more user-friendly.

I have two years of experience with this solution.

ISE is very stable - since it was installed, I've had no issues with it.

I've had no issues with scalability. I started using it on two campuses, and now I'm using it across the country and scaling it across subsidiaries in other countries.

I've worked closely with Cisco for many years and have no complaints about their support. Sometimes it takes less than a couple of minutes to get through to their support team.

I previously used Portnox, but it only gave us network access control, so we switched to ISE, which has more features like device administration.

Deployment is usually tough the first time, though once you get it working, it works well.

We used in-house engineers and an integrator.

We have a three-year license. Standard licensing gives backup access and very few features, and then there's VM licensing - each VM we use needs to be licensed. VM licensing comes in different sizes: small, medium, and extra-large. There are also licenses for features, posturing licenses, and profiling licenses.

Before deploying, it's a good idea to read up on the product first and then get some training so that when deployed, someone in the organization understands the solution. I would rate this solution as nine out of ten.

We use this solution for network security.

The most valuable features are the ability to retrieve information about Active Directory user names, viewing the log files to see which MAC address tried to connect with the created SSIDs, portal designing for your company, hotspot tools, and creating network rules for WiFi access.

The interface could be more user-friendly and the ability to apply rules to MAC addresses, for example, if I wanted to allow a certain MAC address access at a particular time I cannot make this adjustment.

In an upcoming release, they could improve by providing rule-based bandwidth consumption, bring your own device (BYOD) need to be more mature, and the reports could be more user-friendly.

I have been using this solution for approximately four years.

The solution is stable.

The controller has to manage a certain number of access points and we did not see any problems with the scalability. It is able to handle more access points than we need it for.

We do not have experience with The technical support from Cisco directly because the technical support we receive is from our partners which they have been excellent.

We have used 3Com wireless controllers previously.

We used Cisco partners to do the implementation of the solution.

Recently, I have evaluated Aruba solutions and I found them to be better than Cisco. There is room for improvement, Cisco can do better.

When deciding to implement this solution it is a good idea to assess and define the requirements to determine whether there is a need for this solution. It is important to know what you can use from it. You can have a WiFi environment without the need for a Cisco ISE. This solution has advanced security that might not be needed for your use case. Be sure about your needs.

I rate Cisco ISE (Identity Services Engine) a seven out of ten.

We mainly use it for endpoint security.

Cisco ISE has made our network more secure. 

It has saved the time of our security team. I can't say how much time it has saved because I'm on the network side, but I'd imagine it has saved quite a bit of time. It lets them sleep better at night.

It does a good job of securing our infrastructure from end to end so that we can detect and remediate threats, but I don't have a similar product to compare.

It hasn't helped to consolidate any tools. The customer is in the process of migrating from their current ACS to ISE. When they've done that, we'll consolidate that piece. This consolidation would provide a single pane of management versus multiple tools.

I'd imagine it has helped our organization improve its cybersecurity resilience, but the security team would know more about it.

The ability to allow or deny hosts onto the network is valuable. It provides great security to the network environment.

It could be more intuitive in terms of how to configure the policies.

I've been using Cisco ISE for four years.

It's very stable.

It's very scalable. We have deployed it globally.

Their support is good. I'd rate them a seven out of ten.

Neutral

We didn't use any other solution previously. We went for Cisco ISE because we're a Cisco shop. It helps to have one vendor for network management and security.

Cisco's Professional services did the installation. I wasn't involved in its installation, but they did a pretty good job.

I'd imagine we have seen an ROI, but I'm not involved in the pricing or purchasing. The security it provides gives peace of mind. That's a good return.

My advice would be to do an evaluation of the product and purchase it.

I'd rate Cisco ISE an eight out of ten.

We use it for the TACACS authentication, for administrator login to network devices, and the RADIUS service for VPN and wireless authentication.

Initially, we were looking for a single sign-on for administrators to log in to every network device, but we also wanted a good way to control remote user access for logging in. Later we started using it for VPN and wireless.

It gives us a better way to authenticate users. It helps us identify a user with their device to establish trust. When a remote user is trying to access network resources, we need to find out who they are and where they want to go and make an appropriate decision about where they can and cannot go.

Resilience in cyber security is very important. Without security, nothing else can happen.

The TACACS and RADIUS have been the most valuable features so far.

Cisco ISE has almost all the features we are looking for now, but sometimes the configuration, such as the conditions, is a little difficult to understand and not so easy to navigate.

I have been using Cisco ISE (Identity Services Engine) for a few years.

It is stable.

They have resolved my issues, but sometimes they have been slow.

Positive

We used to use Cisco ACS and that evolved to Cisco ISE.

The initial deployment was not a process that was easy to understand. But after I completed it, looking back, I see it was reasonable. It's just hard to understand upfront. There is a steep learning curve.

I did the migration too late, so I couldn't do a direct migration and that meant I had to kind of rebuild it.

Security is something we need, but I don't think that there is a return on investment. It causes more delays to the regular workflow.

The Essentials licensing is reasonable, but I would like the Premier version to be perpetual instead of a subscription.

An idea we are looking into is associating it with the MAC address table, so that approved devices can log in to the more restricted network.

My advice is to attend training before going for it. Otherwise, it will not be easy to understand. Each product, from ACS to ISE, does similar things, but they do them in different ways.

I rate Cisco ISE a nine out of 10. If it could become a little bit easier to understand that would help.