Network Analyst at a mining and metals company with 10,001+ employees
Real User
Top 20
Helps enhance our cybersecurity, performs well, and helps consolidate our tools
Pros and Cons
  • "Assisting a larger number of users in gaining access and guiding them through the process of getting on Cisco ISE has been seamless."
  • "It would be helpful for us to know what needs to be deployed, configured, and what changes we need to make to our devices when we don't receive the specific login which is an indication of a lack of connection or incorrect configuration."

What is our primary use case?

I utilize Cisco ISE to access the switches on our network for monitoring configurations.

How has it helped my organization?

Using Cisco ISE, we are able to control access to our networks, ensuring that only authorized individuals have access to appropriate devices. Additionally, we can restrict access to devices that should be off-limits to them.

Cisco ISE helps free up 50 percent of our IT staff's time, allowing them to work on other projects. It provides quick access when available, but delays occur when we have to wait for access to be granted.

Cisco ISE helps consolidate our tools, eliminating the need to worry about multiple passwords for the various devices in our environments by using a single password key.

The consolidation of tools makes it easy for me to access and complete my work. It also facilitates finding a solution for any problem I may encounter with the switch.

Cisco ISE has enhanced our organization's cybersecurity resilience by providing us with control over device access.

What needs improvement?

It would be helpful for us to know what needs to be deployed, configured, and what changes we need to make to our devices when we don't receive the specific login which is an indication of a lack of connection or incorrect configuration.

For how long have I used the solution?

I have been using Cisco ISE for one and a half years.

Buyer's Guide
Cisco ISE (Identity Services Engine)
March 2024
Learn what your peers think about Cisco ISE (Identity Services Engine). Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.

What do I think about the stability of the solution?

Cisco ISE has consistently performed as expected, and we have not experienced any stability issues.

What do I think about the scalability of the solution?

Assisting a larger number of users in gaining access and guiding them through the process of getting on Cisco ISE has been seamless.

How are customer service and support?

Cisco support is helpful, and they have always been responsive whenever we needed assistance.

How would you rate customer service and support?

Positive

What other advice do I have?

I rate Cisco ISE a nine out of ten.

From a user's perspective, Cisco ISE is seamless. It is extremely helpful as it reduces the amount of work required to access and control device permissions.

Our organization is a major Cisco partner, and it is logical for us to increasingly integrate Cisco products into our environment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Aaron-Brown - PeerSpot reviewer
Network Engineer at Universal Health Services, Inc.
Real User
The solution is reliable and the policy sets are really nice and dynamic
Pros and Cons
  • "I love the policy sets, they are really nice and dynamic."
  • "ISE is a little clunky. The front-end feels like it is from the 1980s."

What is our primary use case?

We use ISE for TACACS and 802.1X authentication, wired and wireless. We also use ISE for our VPN authentication, as well as for different policies. We were trying to solve some security holes with Mac solutions, and ISE was a good fit.

How has it helped my organization?

It helped our security, which is nice.

What is most valuable?

I love the policy sets, they are really nice and dynamic. 

This solution helps to support an organization across a distributed network. It's built for enterprises and large-scale deployment. It does what it's supposed to do.

What needs improvement?

ISE is a little clunky. The front-end feels like it is from the 1980s.

The usability, as far as programmability goes, needs to be improved.

For how long have I used the solution?

I've been using Cisco ISE for about three years.

What do I think about the stability of the solution?

The solution is pretty stable. I haven't had any problems.

What do I think about the scalability of the solution?

Cisco ISE is very scalable.

How are customer service and support?

Technical support is horrible. If we call and ask them for help, their first response is always that we should upgrade. That is a horrible response. We pay another company to support us because the technical support can't, even though we pay them to do so. I would give them a two out of ten.

How would you rate customer service and support?

Negative

How was the initial setup?

We have a distributed deployment model. They're all virtual appliances, distributed geographically.

We've got six ISE nodes. Everything is redundant and distributed across multiple data centers. We then used them again for 802.1X, TACACS, and other authentications and policies.

What other advice do I have?

It's hard to dig into at first, so seek help and education.

I'd give Cisco ISE (Identity Services Engine) an eight on a scale from one to ten because it's Cisco, it's reliable. It has a lot of development and other vendors around it because it is Cisco. It works and is pretty stable.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Cisco ISE (Identity Services Engine)
March 2024
Learn what your peers think about Cisco ISE (Identity Services Engine). Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
Network Engineer at a financial services firm with 10,001+ employees
Real User
Enables us to authenticate with AD
Pros and Cons
  • "The solution enables us to authenticate with AD."
  • "The web UI should be made similar to the one in DNAC."

What is our primary use case?

I use the product for AAA authentication.

How has it helped my organization?

Before, we used to use Cisco ACS. After ACS retired, we started using Cisco Identity Services Engine. Right now, we are integrating Cisco Identity Services Engine with DNAC. Whatever we provision inside DNAC will send the information to Cisco Identity Services Engine, and the switch will be added. This process enables easy management.

What is most valuable?

The solution enables us to authenticate with AD. That way users can log in with one username to the product and access the router and switches.

What needs improvement?

The web UI should be made similar to the one in DNAC. The left pane must have the menu title followed by the submenu. Since I have moved to version 3.1, I have to go back to the old version to figure out my way. They haven't improved the left pane of the UI. The left pane is supposed to have the menu title in order.

For how long have I used the solution?

I have been using the solution for at least seven to eight years.

What do I think about the stability of the solution?

So far, I have no issues with the solution’s stability. My primary and secondary systems are working fine. I have the least to worry about. It has run smoothly for seven years.

What do I think about the scalability of the solution?

We are using the product in about 500 devices in our organization.

How are customer service and support?

We have Platinum Support. When we call, everything gets through. I have no problems with support. However, if someone does not have Platinum Support, they will have to wait for probably an hour or two. I usually get a response in less than 30 minutes when I open a ticket because we pay for it. 

I am 98% happy with the support. Sometimes, I am unhappy when we have an incident and need quick support, but the support manager asks too many questions. I prefer fixing the problem in real time and then answering questions. Fixing the problem is more important than answering questions. When I talk to the engineer, they ask questions on how it has impacted our network. They must fix my problem first. I can answer all their questions later.

How would you rate customer service and support?

Positive

What about the implementation team?

We have a contractor who implements the product for us. After that, they give it to me to manage. Upgrading from version 2.7 to 3.1 is easy. So far, it's good. The contractor's name is Deytek. I just provided the ACS server information from the previous server to the contractors. Then, we purchased the on-premises hardware, migrated it, and started using it. I didn’t have to do anything. It was easy for me.

The upgrade from version 2.7 to 3.1 was a little bit hard, and I had to prepare a lot to do it. We need to plan the process well. We cannot just decide to upgrade the tool without planning. We had to plan with the help of AS services, who guided us on the steps to do and the backup needed. They guided us to upgrade the secondary unit first and then the primary. I also had to talk to our corporate team in Boston. We had to inform our ISA Server team about the upgrade because once you upgrade, tools that are not authenticated might lose connection.

What was our ROI?

The solution helped me by making my job easier. I manage and deploy the solution. All the other users have to do is log in and look at what they need to do. The product makes it easy for me to manage and enables the end users to log into other systems.

What's my experience with pricing, setup cost, and licensing?

The pricing is complicated. The solution uses Smart Licensing. I had to go through a lot of phone calls to convert my old license to the new one and make it work. It took me about three weeks to figure out my licensing model and why mine was different from the other teams. It's good because Cisco Identity Services Engine will automatically get our licenses from one location. It would be better this way.

What other advice do I have?

The product provides an email notification if anything is detected. We set up ACL policies based on which the product would alert us through emails if anything major happens.

The solution helped me give access to many people who use Cisco products, either router switches or UCS, from other teams. Instead of creating every ACL on the tool, I only need to set up AD group permission and add their username for them to access the same policy.

I do not use the cybersecurity features of the tool much. We only use the solution for AAA authentication. I need to explore the other features we seldom use. We are upgrading to version 3.1. We recently signed a contract with Cisco Advanced Services. They might provide us with more information to use the tool in my company.

Since I joined my current organization, we have used Cisco for everything. We have deployed the tool primarily in one location, and the secondary one is 5000 miles away in another location. One tool is in California, and the other is in New York.

I implemented version 3.1 just two months ago. I need to learn more about it and enable more features on my network. I need to improve myself to learn more because version 3.1 has a lot of new features.

Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Security manager at a energy/utilities company with 201-500 employees
Real User
An authentication solution we can trust
Pros and Cons
  • "The ability to integrate our Cisco AnyConnect connections to the active directory has been great."
  • "It would be nice if it could be configured easily by default."

What is our primary use case?

This solution ties into our Cisco Duo and Cisco AnyConnect connections to help us authenticate against the active directory and Cisco Duo multifactor authentication. It takes metrics about the connections that are connecting it and allows us to set up a rule against them. For instance, if a Windows device is not all the way up to date, we can put a message up that says, "Before you're able to connect, please do your Windows updates as they haven't been done in six months."

As this solution allows AnyConnect to authenticate with the active directory in the backend, the users won't directly use it. Still, it will be in use throughout the login process into Cisco AnyConnect as a source of authentication.

With this solution, we don't require anyone for maintenance.

What is most valuable?

The ability to integrate our Cisco AnyConnect connections to the active directory has been great. Also, as a source of authentication during the process of logging into Cisco AnyConnect has been very useful for us. 

What needs improvement?

It perfectly does everything we have been looking for it to do. I have not discovered any feature sets or items that are lacking. It's a much more functional product than the old Cisco ACS that it replaced. 

That being said, during deployment, they shipped us the Cisco ISE with the 3.1 operating system, which was incompatible with the license that we had purchased, which would only allow us to go up to version 2.9. Because of this, we actually had to do a factory reset and a reload to the operating system — to an older version of the operating system. This required a very extensive process. We had to take out the Cisco ISE and put it into a factory reset mode to get it to roll back to the old operating system. If we were doing an upgrade, this would have been very simple, but as we were doing a downgrade, it was extremely complex and very labor-intensive. I was crawling through the server room, through wires, to plug things in, to get it to connect in the way that it needed to be connected with an external device in order to actually get it to roll back.

I don't like that the licensing structure doesn't allow us to have the 3.1 operating system — it forces us to use version 2.9. If you don't want to pay a monthly or a yearly subscription fee, either that device should have come automatically with the 2.9 version operating system, or it should have been much easier to actually roll it back. Additionally, support should have realized that our license requires us to have the 2.9 operating system instead of the 3.1 operating system, which would have saved us a lot of time. 

It would be nice if it could be configured easily by default. If you're configuring a Cisco device, you pretty much need the support of a CCNA-level technician to be able to do it. It would be nice if there was a default or a more simple way to do it. It's not really a requirement to use the device because you can purchase the premium support or you could get a CCNA in-house to do it. Just having that ability to say, "Hey, we want to set this up" without too many complications or without having to bring in support would be nice. 

For how long have I used the solution?

We've only been using this solution for the past three months. 

What do I think about the scalability of the solution?

The scalability reports that we could easily handle a million users. 

How are customer service and technical support?

I have been extensively involved with their technical support; their technical support is very good. They're more than willing to just jump on and do things for you. My only complaint is that at one point, we were trying to configure our single channel for Cisco Duo to be able to perform a password reset. Whenever we needed to look closely at another device, the support technician would say, "Hold on, let me bring in my expert on VPN; hold on, let me bring in my expert on Cisco ASA." We basically had to wait until we were able to get the Cisco Duo support agent, the Cisco ASA support agent, the Cisco VPN support agent, and the Cisco ISE support agent — all in the WebEx meeting at the same time.

As far as I'm to understand, there are CCNAs that should have been able to do it, but they brought in the experts from each item instead of just directly doing it themselves — this made the whole process take longer. Still, they were able to do everything in a way that did not affect our live environment, even though it was on the same device. That was actually very nice because it meant that we could do it in the middle of the day instead of having to do things in the middle of the night.

How was the initial setup?

The initial setup was very simple. Everything was set up within an hour thanks to assistance from the onboarding teams from Duo and Cisco, and our network administrator. They got it set up and reviewed a bunch of options with us. It was a very easy and nice process.

What about the implementation team?

Implementation was achieved with in-house resources and premium onboarding support. The entire process only took an hour.

What's my experience with pricing, setup cost, and licensing?

We are running version 2.9 because version 2.9 of the ISE has a persistent license —it's a one-time payment. The latest version (3.1) is only available if you do a yearly subscription.

It's a licensed physical device; there is no subscription. If you want the latest operating system, then you'll need to get an annual license.

What other advice do I have?

If you're planning on using this solution, my advice is to be sure you review the full feature set available and select what is important to your users. This way you'll be able to ensure that you'll have everything you want and need.

Overall, on a scale from one to ten, I would definitely give this solution a rating of nine. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Brad Davenport - PeerSpot reviewer
VP of Technical Architecture at Logicalis
Video Review
MSP
Offers rich contact sharing, many self-service features, and the ability to categorically list all the endpoints in the infrastructure
Pros and Cons
  • "For us and our clients, the most valuable features of Identity Services Engine are really around the rich contact sharing that ISE gives you."
  • "I think some areas where ISE could be better are perhaps in the number of integrations that they offer from a virtual standpoint, as well as having a better and more comprehensive pathway for the customer to go from a physical environment to a virtual one."

What is our primary use case?

Identity Services Engine for us has an incredible number of use cases, predominantly around identity and contact sharing within the enterprise or Endpoint onboarding for, authentication and authorization. Most recently, in the last few years, we've actually finally added device authentication and device management into that with the TACACS implementation. And now we have a comprehensive set of features to perform enterprise NAC, pure RADIUS authentication, and user authorization.

How has it helped my organization?

Cisco Identity Services Engine has provided two incredibly beneficial outcomes for our clients. First and foremost, they've been able to limit and minimize the number of different discrete platforms they need to use to deliver things such as network admission control, device authorization, and posturing, as well as do device and policy enforcement at the endpoint level. The second one that really is under sung is the ability to comprehensively manage guests in BYOD wireless access. The ability for the enterprise pretty much out of the box to deploy an end-to-end solution to manage guest onboarding, user self-service, as well as bring your own device has been a real boom to network access.

Using ISE to detect and remediate threats is really the hinge pin for pretty much everything in the Cisco security infrastructure. Without identity and without context, you really can't do any enforcement. It's fine to be able to detect a threat with an IPS, with a threat appliance, with anomaly detection, but being able to use things like RADIUS chains of authorization to then blacklist a host or remove a host from a production relay is an incredibly important outcome, not the least of which because that's all automated in ISE. And that's an incredible benefit to IT teams who perhaps don't have a NOC, don't have a SOC that can run out, and respond to a threat immediately. Having those SOAR automation capabilities inherent to the system is a really powerful feature set.

I think it's inevitable when a customer is deploying or using ISE that they're gonna find additional cycles that they can spend their time on. The rich automation and the quick startup out of the box, for instance, ISA has a really rich onboarding wizard. Pretty much out of the box, you can go through a series of steps, input your IP address, your domain names, etcetera. You don't have to do a lot of the upfront planning and design work that was required of previous systems that did network admission control, certainly more so than the old NAC. And so I believe that many customers will find they have extra cycles to go and use that IT talent to do more impactful projects than spending months and months and months deploying admission control.

Identity Services Engine has done a great advantage to our clients in the fact that Cisco has begun to move more capabilities into the platform over time. As they started out with the basic AAA capability, authentication, authorization, and accounting that was present in ACS and the older service architecture, they've now begun to move in, device administration in the form of the TACACS server and other capabilities within ISE. When they previously introduced the pxGrid capability, you now have the ability to bring other enterprise platforms such as your IPS, your threat systems, and your DNS security platforms directly into ISE for performing all those automation. And so it absolutely has consolidated the number of platforms that you need to deploy to achieve that secure outcome.

The effect of the consolidation of all of these functionalities within Identity Services Engine has had on IT is that now you have a single platform with which to maintain. I think sometimes we overlook the fact that security platforms themselves have a lifecycle associated with them. We have to patch these systems. We have to maintain currency on the devices. And over time, those devices like anything else become a little long in the tooth and require refreshing. The flexibility to deploy Identity Services Engine in multiple persona types on hardware or in a virtual machine is a huge advantage to customers who want to consolidate the number of vendors and hardware platforms that they have to support and manage.

Identity Services Engine has helped a lot of our clients as well as Logicalis simplify the way that we approach compliance governance and risk consulting within our own enterprise, being able to have a single source context for when devices were on the network when they were last authenticated, and, of course, that rich user context that we get. We can now share contextual information from Identity Services Engine within an Azure environment, within an AWS environment with our own active directory, and that's an enormous advantage when you're not only threat hunting, but when you're trying to pass those checks and balances that are required for cybersecurity insurance or your own internal compliance auditing.

What is most valuable?

For us and our clients, the most valuable features of Identity Services Engine are really around the rich contact sharing that ISE gives you. The ability to categorically list all the endpoints in the infrastructure, understand where they are, how they made it onto the wire, whether that was through wireless, through a wired engagement, And all of the self-service features that allow you to manage guest access to wired and wireless infrastructure are an incredible number of use cases that our clients are constantly deploying now.

What needs improvement?

I think in any technology infrastructure, you're going to have environments where improvements could occur. I think some areas where ISE could be better are perhaps in the number of integrations that they offer from a virtual standpoint, as well as having a better and more comprehensive pathway for the customer to go from a physical environment to a virtual one. Many of our clients today are hybrid. They have a physical footprint in a data center somewhere, as well as a public cloud instance for things. Today there really isn't an elegant pathway for a client that wants to go 100 percent cloud, and that's an improvement I think that could be along the way.

For how long have I used the solution?

I have been using Cisco ISE for close to ten years.

What do I think about the stability of the solution?

The stability of the Cisco Identity Services Engine has continued to improve over time as the product has matured. Anytime you're dealing with something like a database product that has millions or hundreds of thousands of endpoints and entries in it, inevitably you're going to have performance creep over time. Because of the scale of the Cisco purpose-built UCS appliances, the SNS appliances that predominantly run identity services engine, we've seen an enormous advantage by staying up to date on the most current Cisco SNS appliances. We've also seen an enormous advantage by leveraging ISE in a hybrid capacity. So the ability to deploy PSMs on a hybrid cloud environment, on a public cloud environment, as either additional capacity or as a failover point for that on-premise install base is a really nice advantage to have.

What do I think about the scalability of the solution?

The beauty of Identity Service Engine is the fact that there's really no environment too small. If you have 500 to 1000, maybe up to 2000 endpoints, We're talking laptops, mobile devices, access point switches, etcetera. You're really not too small to deploy Identity Service Engine. The beauty of the multi-persona design of the Identity Service Engine is that you can leverage that capability to split off those PSN personas which is actually the persona within the Identity Service Engine that processes all of that high rate of radius authorization and authentication traffic. So the scalability of ISE is really well thought out. It was really well thought out from the get-go. You can also split off the admin personas and the monitoring and logging personas as well to give you that horizontal scale. I'm not sure today what the exact endpoint count that ISE scales to is, but it is certainly into the hundreds of thousands of endpoints.

How are customer service and support?

Cisco support for Identity Services Engine has been world-class. The guts of ISE are still a RADIUS server. They're still AAA-based functionality. So many folks that have been deploying and supporting the Cisco Secure ACS Server as well as the TACACS server and all of the things that have come along with that, continue to use the same skill set to support and deploy ISE. Really, the differences nowadays in terms of support are bringing about more comprehensive offerings to support the systems that surround ISE. Many things plug into ISE and provide much richer context, and really that's where the complexity tends to creep in. Our support from Cisco both as an end user and a partner has been beyond reproach, and we really appreciate Cisco's continued investment in the TAC, and in all the areas they bring to bear to help you receive that business outcome you're after.

Cisco support is always going to be ranked a strong nine with me, mainly because we know there's always room to improve things. We don't want to give a full passing score, but without a doubt, I don't know how anyone could consume and deploy business outcomes with Cisco technologies without leveraging support. And so Cisco leads the way and continues to invest in that area.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment experience with ISE in the early stages was without a doubt, very daunting. There is a huge number of things that you need to understand about the existing infrastructure, about the existing customer environment to properly deploy that solution. As time has gone on, however, the designers and the developers of that software have begun to create wizard, have begun to create additional upfront deployment tactics within the tool itself so that essentially a journeyman network engineer or security architect can deploy the minimum level of functionality right out of the box.

What was our ROI?

It's difficult to say whether the clients have seen an immediate ROI with the deployment of the Identity Services Engine. Oftentimes, you have to take on additional technologies in the ISE product family in order to receive that comprehensive benefit. So I think only time will tell what the true ROI is. I can tell you that the value exchange that occurs between a partner and a client when we're talking about everything within the Cisco security portfolio being fully integrated together and working comprehensively has been an enormous advantage to customers who today have a complex act of multi-vendor products. Being able to consolidate on a platform-based solution is an incredibly powerful story to tell, and it's also incredibly powerful from a cost-benefit standpoint as well.

What's my experience with pricing, setup cost, and licensing?

In terms of the licensing and the pricing structure of the Cisco Identity Services Engine, there's been a huge advantage to our clients recently with the advent of the enterprise agreement. You now have an enterprise agreement choice, which now allows you to buy as few as two security products to unlock additional discounting and additional life cycle advantages when you consume that solution for security business outcomes. At Logicalis, we deliver a full life cycle approach to Identity Services Engine when embedded into a Cisco security enterprise agreement. We're able to deliver not only the onboarding and the design guidance that the customer needs to deliver that secure business outcome, but also provide the ancillary services to support all of the other infrastructure that often comes along with deploying a solution like ice.

Which other solutions did I evaluate?

Identity Services Engine compares favorably with many of the other competitor's products that are in that space. I won't mention them now, but I think we know that all of the same industry competitors have been delivering identity solutions and NAC solutions over the last decade or so. Cisco continues to rank in the upper and farther to the right in Gartner Magic Quadrant for those identity solutions, and I think they'll continue on that trajectory. Cisco has long been the number one network vendor in the world, and I think you'll continue to see that growth as the network continues to be important to business.

What other advice do I have?

I rate Cisco Identity Services Engine a ten, on a scale of one to ten. It's a necessary solution to deploy in order to achieve many of the business outcomes such as some of the smart business architectures, certainly anything within the automated campus designs that are out there with DNA Center. It's just an incredibly powerful tool to manage both identity and endpoints within the infrastructure, and it really does become the hub of a hub and spoke comprehensive security architecture.

When Identity Services Engine became the de facto migration path from ACS Access Control Server, we were very early adopting and getting that product into our labs and in the hands of our customers for proofs of concept, proofs of value, and enterprise pilots.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Flag as inappropriate
PeerSpot user
Darren Hill - PeerSpot reviewer
Technical Consultant at a computer software company with 1,001-5,000 employees
Consultant
Top 20
Offers users the ability to be able to see what devices are actually on their network
Pros and Cons
  • "The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile."
  • "If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out."

What is our primary use case?

I am a Senior Technical Consultant. I have worked in professional services as a Cisco Gold partner for the last ten years. 

I have been offering Cisco ISE for the last three to four years. We do small deployments, upgrades, and those types of things.

We see a lot of customers wanting to use Cisco ISE primarily for 802.1X wired and wireless and also for posture device administration, and guest access.

A lot of our customers who come to us do not have any sort of NAC solution in place at all. They don't have a RADIUS, they might have a Soft MPS or something along those lines, but Cisco ISE is far superior. It gives them far more visibility and the policies are more configurable. The ability to do dynamic access lists, dynamic VLAN environments, and that type of thing, and it just gives them a different level of security altogether.

How has it helped my organization?

It's been just great at securing our infrastructure from end to end. With the operational launch and live logs, as soon as you spot anything, you can just do one click and you can stop that device from getting access to the network. So it's very responsive and quick in that sense.

Maybe some customers with ACS and MPS can consolidate the device admin into one platform.

What is most valuable?

The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile.

What needs improvement?

I don't really know how to improve it, I think it's a great product. If I compare Cisco with something like ClearPass, for example, ISE is a lot more intuitive in terms of all the workflows and the work centers. They give you all the building blocks you need to be able to configure it. It's quite useful and quite easy to manage. 

If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out. If I wanted anything to be easier, it would be this.

What do I think about the stability of the solution?

It's been around for many years now. Since version three, stability-wise, it's been pretty reliable. We know the versions to avoid. We know the stable versions.  Besides some upgrades and that type of thing, it's generally pretty solid.

What do I think about the scalability of the solution?

A lot of customers that I see are small deployments, maybe a single node or a two-node cluster, but we know that the product does scale. We do have customers that scale beyond just the two nodes. It's proven to be a scalable product.

How are customer service and support?

We see a lot of customers getting frustrated with Cisco TAC because they don't get the responsiveness that they believe they should be getting. But as a gold partner, we are able to leverage our influence, so when our customers come to us, we can escalate a lot of stuff for them. We use our influence. We're able to get stuff remediated fairly quickly. We find that they respond to us better than maybe to our customers.

How was the initial setup?

I think Cisco is fairly straightforward in terms of device admin. 802.1X  is quite easy to deploy. As you then start to look at guest access, profiling, posture, and that type of thing, it does ramp up a little bit and we get a little bit more involved. Some stuff is straightforward and other is not as much. 

Generally, over the last few years, it's been mainly deployed on-prem, but we're now starting to see a shift. Users are really willing to move to cloud with Azure-type deployments. I'm doing some labs this week because we're seeing so many requests for cloud.

Which other solutions did I evaluate?

If I take the two that I really compared, it would be LogSoft MPS. Cisco ISE has a lot more features, you can do a lot more regarding the policies than you can currently with MPS.

I also have limited experience with ClearPass. ClearPass is a lot more difficult to configure and manage and is less intuitive. The visibility side of ISE is far superior as well. 

What other advice do I have?

I'd give it a nine out of ten. There are some hurdles with upgrading and licensing in particular, which is why I wouldn't give it a ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Adarge Ekholt - PeerSpot reviewer
Network Engineer at a university with 1,001-5,000 employees
Video Review
Real User
Top 10
The ability to see what devices are online for a particular user helps a lot with our troubleshooting
Pros and Cons
  • "The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting."
  • "The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away."

What is our primary use case?

I'm a network engineer. I've been at my company for about six years. 

We have about ten people on the networking team. We support up to 30,000 students. We've been using ISE for five or six years now.

Our primary use case is mainly to onboard students with the wireless authentication with our switches and network devices. 

How has it helped my organization?

Another big benefit for us is definitely security in terms of wireless user activity. We spent a lot of time looking at live logs and user logs to figure out where they've been in the network and in which buildings. We can get rogue granular with locations of where people are and where they're experiencing issues.

We have definitely saved time since using ISE when it comes to building some of the policies around the types of users, like library users versus student union or even admin users. The policy building is complicated, but after a while, it's pretty straightforward in terms of repeatability of staff turnover, and things like that. It's not the learning curve that's hard for continuous maintenance.

What is most valuable?

The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting. 

What needs improvement?

The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away. 

What do I think about the scalability of the solution?

In terms of scalability, we have multiple policy nodes. I know we have about ten different devices on other appliances. As far as I can imagine, setting up another policy node or something would be pretty simple. It would just require hardware to be purchased.

How are customer service and support?

Our support for Cisco ISE has been pretty good. We've had pretty good luck with TAC cases, and it seems like maybe because it is a niche thing there are certain groups of support staff who are pretty savvy.

We've never really had issues that went long-term. It's because it's our main gateway for students, staff, and faculty. It seems like we've solved things pretty quickly.

I'd rate it about an eight out of ten. The only thing is that you don't necessarily get the same person every time but we've never had an issue that went unsolved so far, so I'd say eight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In terms of evaluating other services, that's one of our reasons for being a Cisco Live, to actually know what alternatives there are in that space. We are interested in a faster-performing solution at times.

How was the initial setup?

Overall, I would say our implementation is fine, but we do hesitate on major releases just because we've had some issues in the past, and rolling back is difficult. We don't want to go down that path especially because it is so critical for us.

What was our ROI?

In terms of ROI for Cisco ISE, I'm not sure what we paid to begin with, but I know that it's indispensable, since it is our only gateway for wireless users to connect. Also that it's flexible for us to school up new user grow groups fairly easily.

What's my experience with pricing, setup cost, and licensing?

It doesn't seem like we have a licensing model that we're aware of. It's not something that comes down where we have to say, "Oh, boy, we have to renew ISE again." It doesn't seem like it's a significant part of the budget that we have for licensing and ongoing maintenance.

What other advice do I have?

In terms of ISE for end-to-end security, it's our primary tool right now for that. It's hard to compare with other applications or hardware. Sometimes there are limitations, for example, we use it for wireless only. We don't do anything with ISE or 802.1X on the wire, which is something we'd like to do, but we're hesitant based on our experiences with the wireless side in terms of the slowness.

On a scale from one to ten, I give Cisco ISE an eight. Primarily because it seems like it's doing a pretty decent job managing our wireless connections. And there are enough tools in the GUI interface that give us feedback on performance. It's been a pretty decent install for us.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Laurence Mcbride - PeerSpot reviewer
Senior Business Systems Analyst at a financial services firm with 201-500 employees
Real User
Improved our trust situation, but usability, while improving, still needs work
Pros and Cons
  • "It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go."
  • "A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it."

What is our primary use case?

Cisco ISE is our network access control solution. We use it to prevent unwanted devices from connecting to our physical network. We also use it for wireless access control on the corporate network, but not on our guest internet network. That difference is because we have Cisco Meraki on the guest wireless.

The solution is in twin private data centers and we did virtual servers, not physical appliances. They're on our VMware platform.

Our business is the lending half of banking only. There are no ATMs or customers coming in with deposits or credit cards. It's a commercial lending operation. We don't have a lot of foot traffic into our locations from our customers. Some might say we're a little overly worried about our physical network, because we're pretty physically secure already. However, we occasionally do customer appreciation events in our locations, at which point there could be 100 people waltzing in and out of any one of our buildings. That's when the regulators say, "That's why you need security." Ultimately, if you let your guard down in the world of security, you're going to get attacked. So, like it or not, we have to button it up.

How has it helped my organization?

Cisco ISE definitely helped us pass the audit requirements we had. We're a type of federally chartered organization and we have a special regulator in the federal space. The need for network access control was born out of audit and penetration test findings. ISE is auditable and we send logs up to our SIEM for analysis.

The solution has also improved our trust situation. It's one of the many pieces that we needed to be buttoned up tight.

What is most valuable?

It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go.

And when it comes to establishing trust for every access request, no matter where it comes from, it's effective. That's like a "pass/fail"  and it passes.

Our environment is a distributed network, across many locations. Cisco ISE runs in a pair of data centers for us: to each client, a primary and a secondary. The database keeps itself synchronized between the two data centers so if one data center is down, we can swing to the other for continuous service. It does its job.

What needs improvement?

A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it. There are so many updates and, often, you can't go to a particular update unless you've done all of the updates leading up to it, although I don't think that was our issue.

If they could improve the upgrade process, that would make me sleep a lot better. It's almost like we need to have it pre-qualified before applying an update because our whole world hangs off of it. It is a "center of the known universe" implementation for us.

It is also an incredibly "nerdy" tool, one that is not really well documented for your everyday network and security engineers. It takes a village of specialists to keep something like this running. Cisco is definitely making some improvements in the user interface. It's a little more understandable and approachable. Even for the nerdiest of nerds, having what I call a "kissable baby face" makes it more usable. Cisco knows this and, from version 3 and up, they've been trying to improve the usability and it's getting better. It could use some work.

Not everything is a smart Windows or Mac OS device. We have Windows 10-based user laptops, almost exclusively, and there are some printers and phones and the like that are capable of either a certificate or other 802.1X conversation with Cisco ISE. From an engineering perspective, we just went "way-simple." We do MAC address bypass or MAB tables, which is administratively challenging.

Finally, I believe we've stretched it beyond its capabilities in attempting to make it a multi-client solution, more like a service provider implementation. It's really not architected for that yet. I think that's on the roadmap. This is what I refer to as a monolithic implementation. It is capable of servicing multiple Active Directories and saying, "I recognize this address range equals client X, and this address range equals client Y," and it can interrogate the appropriate Active Directory. But the way that we've implemented that, honestly, is a hack job. It's fully supported, but it's just not multi-client architected. If I had one message for Cisco, it would be: Please make this thing multi-client, or at least more affordable to do separate implementations that somehow get closer together. That's ultimately what multi-client is.

All our various clients are collectively involved with one another. Each of the five owners owns an equal share of the company and all profit and loss flows to each of the owners equitably. It's not that we don't have procurement relationships with one another. However, our regulator continues to believe that separating things is better. That way, if one of you gets taken down, the others aren't affected. Anytime that you have a product that is a type of monolithic implementation, it potentially could affect all of us.

For how long have I used the solution?

For about six and a half years I worked for a cooperatively-owned service bureau, which is where I got the Cisco ISE experience on the service provider side. Now I'm on the customer side or the business side of how these technologies affect our environment, and how hard or how easy they are to integrate.

We've had Cisco ISE in production for about four years now. It was a three-year ramp getting it into production.

What do I think about the stability of the solution?

It works like a champ until you try to upgrade it, and then it becomes risky and fragile. I don't know whether that is because of the complexity of the architecture. We have what I would call a twin database environment. Where we're trying to keep two copies, at a great distance from one another, synchronized. One misstep and there it goes.

What do I think about the scalability of the solution?

It is certainly scalable enough in our environment. We have between 3,000 and 4,000 managed nodes, not counting all of the extra stuff including every type of IOT thing you can imagine: printers, cameras, sensors, a security system. It also doesn't include phones, and we have a phone on every desk, whether there's a user there or not. 

When you initially think you've only got, say, 3,000 or 3,500 users, how do you get 15,000 devices on your network? But that's the sad reality these days. Everything is on the network. Every employee typically has three devices on the network at any given time: a phone, a tablet, and a computer. The numbers ratchet up quickly. 

The good news is that it's definitely scalable in our environment to handle 25,000 devices spread across between 150 to 200 locations, some of which are very remote.

How are customer service and support?

It is a special class of nerds who know how to work with Cisco ISE, and that's true even inside of Cisco. We have used some third parties, Cisco authorized resellers and solution certified specialists, to deal with this, but that's a last resort. Those are the really expensive people for this because there is such a small community of people who are qualified in this product.

Because it's such a specialized skill, they are not as available as I would like.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

We were nearly a 100 percent Cisco shop at the time that we selected the product. We had a couple of failed implementations when trying to get it installed. That was likely because we didn't hire the right expertise to assist. Everybody understands the components of it, but when you put it all together, it is just very scientifically complicated.

What was our ROI?

In our case, ROI wasn't really a consideration in going with Cisco ISE. It was a regulatory requirement.

What's my experience with pricing, setup cost, and licensing?

It is fairly expensive and that's part of why we have implemented it in the type of "hack" that we did, to service multiple clients. It would be nice if it were less expensive.

Plan your deployment very carefully. Make sure that you really understand the licensing environment. That was a big surprise, not to my team, but to the end customers who were responsible for the budget for it. Everybody thinks "server-centric," and in this particular case, all of those devices that are being protected ultimately have to have appropriate licensing on the system. There was a lot of, "Oh, I didn't realize I had to buy that part." It's not your everyday product and the pricing model wasn't something people were super familiar with to begin with.

Which other solutions did I evaluate?

We've evaluated some other products since implementing this one. This is not your everyday tool.

The one thing that some of Cisco's competitors have done in this particular space, is to take this stuff to the public cloud. As long as you can do that securely, it is helpful. Maybe that would help in our world. I would love to subscribe to this as a service. In other words, we'd prefer that products like this, products that are that complex, be somebody else's problem and just subscribe to the outcome of them. I'd love this solution to be running in Cisco's world where the real expertise is.

What other advice do I have?

People groan when they realize that they're going to have to do troubleshooting on Cisco ISE; even the nerdiest of nerds. But any product in this space would engender the same reaction. Trying to figure out how I prove that you're allowed to be on my network is not everybody's happy place. We all just want to set it and forget it.

The usability and the upgradability over time, for a product that is in such a critical spot, should be better. I'd love to give it a ten because it was the easiest thing in the world to upgrade. It's just not there yet.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Cisco ISE (Identity Services Engine) Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2024
Buyer's Guide
Download our free Cisco ISE (Identity Services Engine) Report and get advice and tips from experienced pros sharing their opinions.