Cisco ISE (Identity Services Engine) Reviews

I'm using Cisco ISE for integration. We are currently using it for 82.X, but we are planning on using it for a different use case in the next couple of quarters.

The core point is that Cisco ISE is the same globally compared to FortiAuthenticator. Whether I deploy in China, the US, South Africa, or wherever, I'm can get all the capabilities. It allows me to directly integrate with 365, and from a communications point of view, that is a good capability. 

Cisco ISE could be simplified somewhat. I would also prefer certificate-based authentication over confirmation-based authentication for all the processes. It's possible for us to do a workaround, but the process needs to be simplified. 

I've been using Cisco ISE for more than a year.

Cisco ISE is stable.

I haven't really tried to scale ISE, but I don't think we'd face any challenges with hard gentle scaling.

We have a good relationship with Cisco support. However, when they do a new release, they take their time. I don't have much of an issue with Cisco support itself, but working with their customer success team and those types of things can be a challenge. It's not just the response time. It's the total resolution time. They'll respond quickly, but when they get the particular fix, it's a challenge. 

In the previous versions, the setup was okay. But as they add more capabilities, it gets more complicated to deploy and maintain the solution. We expect these complexities as part of the roadmap and evolution. We have to set the policy definitions manually because there is no discovery process to define what needs to be authenticated. When a new device is added, we might have to configure something so that it's integrated or set up some data flows of the service we need to do it. These are some of the maintenance activities that we must do to keep it live. We have a good IT team that numbers around 25 people and serves a decent number of customers.

Customers respond to a low price. From the point of view of integration, Cisco ISE hikes up the cost of security, but otherwise, I think it should be okay.

I rate Cisco ISE nine out of 10.

We have two servers and they're both VMs. Every network system is issued a certificate and each device coming onto the network has to be on the domain with an active AD user logging into it. It needs an up-to-date AMP, which is our Cisco malware and virus scan product and it also needs to have the most current Microsoft security updates and the three layers that we're using: The core VPN, the Network Access Manager and the ISE profiler. When it goes through all those different things on every port on the switch, there are commands for it to be able to go through an ACL so it knows what users are there, what server, and what devices have been put onto the domain. It can verify all that.

The user can then proceed on to the network. We've set it so that regular users are VLAN'd off and can only see the data network through ISE and are blocked from seeing the rest of the network. Depending on the department needs or other factors, we have cameras for security which are on a different VLAN, and they can see those. We also have something for O&M where the AC guy can see the AC equipment, and we can prevent all the VLAN's from being viewed by everybody.

We are customers of Cisco and I'm the infrastructure and Cyber security manager.

The solution cuts down on the repercussions of getting malware or ransomware which happened to us four years ago. We regularly took very aggressive snapshots and we were able to recover in an hour and 20 minutes without any loss of data.

Because we have a large database and 4,000 network devices, the solution can lag a bit when you're running updates or different things because of the fact that it's so big and it is such a resource hog. But the biggest problem we've encountered is that it finds errors or people are rejected or not authenticated without a clear explanation as to why. A second issue is that we're currently on 2.4 and Cisco's gold standard now is 2.7. They are a little slow with that.

I'd really like the solution to dive down a little deeper when something's not profiling. As it stands now, you have to go through and search what hasn't profiled. Microsoft, for example, gives you a direction to look at and will even be specific sometimes and tell you there is a password error, or the password hasn't been updated, or it's not meeting the policy and that's why it won't let it through. Those are very helpful because you know exactly what's required to solve a problem. 

Cisco is getting better with it, but they fail in some areas because of a network connectivity issue, or it's not getting DCAP quick enough and it fails. Those things would be more helpful to understand when it's going through, so you are able to triage it a little better. I mean, it does point you in a direction, but sometimes you have to dig a lot deeper to find the right direction and figure out what kept it from profiling. One big issue we've discovered is that people are not rebooting their machines or powering them off at night. We're trying to ensure that is done by sticking messages on screens.

I've been using this solution for the past two years. 

ISE is pretty stable. If it does have an issue then you need to call TAC and work through the bug in it. They are very responsive and very quick to help us eliminate the issue and also come up with a plan, such as how to move forward with additional issues or different things that are coming down the pipe with Cisco ISE. When you're talking to them, you feel like they are a partner and not just a disconnected entity.

The technical support is excellent, I would rate them very highly.

The initial setup is very complex. You have to go in and manually add in all the network devices, as far as all the switches, access points are concerned. You have to go port by port and add in codes and conditions and you have to go switch by switch and add in codes and conditions. You start out with a monitor mode and then go to an impact mode and then you go towards total lockdown. Implementation took us about 18 months. We rolled it out in short bursts because we have a very small IT team and we had a consultant company come in and work with us on installing it. A lot of it was knowledge transfer from them to us.

Our consultant was Cycorp, their main focus is network security. They are a sister Cisco partner, and we had one of their CCIE's come out and help implement everything. The gentleman at the top of the CCIE, was a former Cisco employee and a beta tester for ISE. Now that we have it in, I feel it's pretty much a game changer on locking down our network so that we're not penetrated from inside or outside because everything going through the VPN has to meet a certain standard.

We did a five year deal and it was very reasonable. I think for the Avast virus scan, I think we were paying $95 a machine for five years, which nobody else could touch. And that includes all updates, technical support, etc. From the ISE side, I'm not really sure what it costs because it was all encompassed in equipment we were buying and the ISE and the AMP and the open DNS. I know that it was not more expensive than any of the things we had looked at with HP or BMC or other places. It was much more cost effective.

We have looked at other products but we are a Cisco shop so having a Cisco product rides very easy on all our switches, our access points, and our Cisco servers. I believe it's the same for other companies such as HP. It's also a priority for them that the solution works better with HP switches. Given that we weren't going to change our switches, we really needed to focus on something that was going to work well with our environment.

The important thing is to have a good game plan going into it. Prep is key for everything going on with ISE. The more stuff you have prepped and the more understanding that you have upfront of how it goes through and how it behaves, the better off you are.

I would rate this solution a nine out of 10. 

We primarily use the solution for network access control solution and network device access management. The solution comes with features like posturing.

The valuable feature of the solution lies in its integration capabilities with other applications. This facilitates seamless operations like Microsoft migration across networks and call center management. The ability to segregate multiple domain users in the Access Network ensures efficient, logical management.

The tracking mechanism in Cisco ISE is relatively costly, especially its vendor-specific protocol. It would be beneficial if it could support open source or other devices with a similar checking mechanism, but unfortunately, it remains proprietary.

I have been working with the solution for the past five years.

The solution is highly-stable. I rate it a perfect ten.

The solution is scalable. We have three users for the Cisco ISE.

Their customer service and support is excellent.

Positive

The setup is straightforward. Effective planning is crucial for the setup of Cisco ISE. Placement of the virtual solution requires careful consideration of network accessibility from all branches. Different components may need placement in various areas in a large network. So, thoughtful planning for the architecture is important. It takes around two days for the deployment.

Previously, Cisco ISE had a perpetual licensing model, but now they have shifted to a subscription-based licensing system. We now have to pay recurring costs. This change in the pricing model has presented challenges for many customers accustomed to the simplicity of the previous licensing model.

I recommend this solution to all. Overall, I rate it a perfect 10.

At first, Cisco ISE was a replacement for only ACS RADIUS. It was mostly for remote access VPNs and Wi-Fi. That was it, and later, it evolved into a complete ACS replacement, so it's for both TACACS and RADIUS. Nowadays, we also deploy .1X quite a lot. 

It was a driver towards .1X. With the features that were there on the network side and the features that were there with Cisco ISE, it was way easier to go to .1X.

It's the brain of many things. It's the brain for VPNs. In Cisco ISE, we control where the users are allowed to go. Customers are able to do that by themselves. It's the same for .1X. It's the heart of security.

Cisco ISE improved our cybersecurity resilience. It enabled features that were not present or possible before.

For customers, it's great. It has a GUI, so the customers themselves can edit ACLs or even modify the policies. It's also an all-in-one solution with RADIUS and TACACS.

I'm frustrated by the resource consumption and how many resources it needs to run. It takes a lot of RAM. It takes a lot of space and a lot of IO power. It's frustrating to do upgrades because it takes a long time. Things are at a much smaller scale where we are than in the US. We even have smaller virtualization farms, so it takes a considerable amount of power and resources.

We've been using this solution since its initial release. It was probably version 1.1 or 1.2.

I don't remember opening a case for Cisco ISE except for the licensing problems, but several years ago, it took some time for people to get to the right way to solve the problem. I am not sure whether it was my inability to clarify the situation or whether it was a matter of poor training, but it was sometimes very painful.

I've been working with this product for a while. It doesn't seem difficult. However, in terms of resources, it takes a while to get it running. I don't think it's necessary to be so resource-consuming and slow. That makes it complicated. 

Pricing is where things got a bit more complicated. Previously, it was a one-time purchase and we just had to renew support. These days, there's a subscription model, which is supposed to be easier and cheaper as well, but it's more pricey. Customers are aware of that, and many vendors are going the same way. They are trying to go along with the new model.

We did consider other products, but it didn't make sense to go for any competing vendor because of the integration with other Cisco products. AnyConnect is the best VPN product I am aware of, and that's usually why we stick with Cisco.

We also sell HPE products. We've deployed some HPE RADIUS solutions, but we prefer Cisco these days.

To someone researching this solution who wants to improve the cybersecurity in their organization, I would tell them to first think about what they are trying to achieve and then think about Cisco ISE as a tool. It isn't a turnkey solution.

It hasn't saved our IT staff's time. It was something that wasn't present before. It's an evolution that is necessary, but I wouldn't say it saves time.

It did help us consolidate any tools or applications. It was either a replacement of some legacy products or it was an improvement where it introduced new features that were not present before, but it didn't help get rid of some of the other products. It was a new thing to place into the network.

Overall, I'd rate Cisco ISE a six out of ten.

We use it for our AAA authentication through Active Directory. We also use it a lot to verify command line history.

We have ISE in the data center environment with redundancy, and we use it for authentication for all our devices. We have access to our third-party vendors, and for the new projects, we all use ISE. It's an awesome enterprise product for on-premises or for cloud-based deployments.

The integration of ISE with Active Directory has really been a big plus for us.

I've found two features to be the most valuable. One would be AAA reporting for historical analysis, showing what's been done and by whom. The second is the log for failures on Active Directory logins.

If I were to assess Cisco ISE for establishing trust for every access request, I would give it an eight or nine on a scale from one to ten.

Cybersecurity resilience has been very important to our organization and has been a big factor. We've had issues in the past, but one of the things I like about ISE is its logging features. Security-wise or information-wise, it really has been a powerful tool.

My impression of Cisco ISE for helping to support an organization across a distributed network is that it's invaluable. It's a monster tool; we don't even touch on all the features that it offers, but the few that we do use are extremely strong and very user-friendly.

On the network services devices, when you click on filter, the filter comes up. However, when I search and want to click on something it defaults back to the main page. I keep having an issue with that, and I'm not doing anything wrong.

I've been using Cisco ISE (Identity Services Engine) for about six to seven years.

I've had no issues with stability.

We've actually scaled before and have never had an issue.

I've used technical support only once and would give them an eight out of ten.

Positive

We previously used ACS.

The return on investment we have seen is related to time in terms of troubleshooting. The logs, such as the security logs, inform us of the issues that people have had. ISE has been very instrumental in helping isolate those issues. We've seen a lot of cost savings because we don't have to pay an IT person to waste time doing something that should be instantaneous.

If you are a leader who wants to build more resilience within your organization, I would advise you to follow what they're doing at ISE.

If you're evaluating Cisco ISE, do an apples-to-apples comparison. There are a lot of features, and ISE is a monster. If you use it the right way, I think that no other product will compare to it.

We have been authenticating our company's employees and certifying that they are in compliance. We have to certify our employees in regards to compliance, having all the necessary protections in our infrastructure for their endpoints, notebooks, laptops, and mobile phones.

We have implemented it across the entire company in every area and department at every single level of our organization.

So far, it has been on-premises. We are still working to expand it to integrate with multiple cloud providers, like AWS.

We have become more reliable because we do not have any vulnerabilities coming into our network, which is important since a lot of employees are using their own endpoints to connect to our infrastructure.

Every other time that we have a new employee, we need to make sure they have been using the latest version of the solution in order to connect to our infrastructure.

We have made our company more secure. As an IT guy, I have gained more importance to my company.

It is more about the features related to Apex. This is part of the solution where we can deep dive into each employees' usage according to our infrastructure needs.

There are a lot of integrations available with multiple vendors. This has made the solution easier to work with.

We use the management platform, which makes it easy for our IT to access and manage. 

We have been working with it for about 10 years.

If you have someone taking care of it, it can be quite easy to manage the solution. Otherwise, if you don't look after it and take care of it day-to-day, then it will become more complex to run. However, if you have someone taking care of it, maintenance is not that difficult.

The scalability is good and quite easy to do. If you have the licenses, then anything is possible.

We worked with customers. The last one that we worked with had 10,000 licenses, i.e., 10,000 endpoints. We started working with the corporate office, then we replicate to the distribution centers.

As an IT integrator, it is quite easy to work with their technical support. We have the correct people to deploy it as well as receive good support from the Cisco Technical Assistance Center. I would rate the support as 10 out of 10.

Positive

We have been using ISE for a while. We didn't have another solution beforehand.

We had to do some labs beforehand, in order not to breach the environment. The deployment was not too complex.

When we work with customers, it takes four or five hours. We start with a specific environment, then we replicate to other areas.

We are a reseller. My professional services implemented it, which includes a tech lead, engineer, senior engineer, and project manager to work with the solution.

It is an easy solution to implement with the correct partner.

It is difficult to measure security breaches, but since we have not been attacked so far, it has paid for itself over the years.

We worked with Fortinet to look at their solution, but ISE was more reliable and had more integration with our product vendors. Also, it had a more affordable cost.

When compared with other vendors, like Forescout, for what we need, ISE has been more usable and accessible.

Learn about the solution, then evaluate what devices it would be implemented with. I would amalgamate the devices and their versions with a systems integrator or partner who already has experience and will try only to replicate it, not to reinvent the wheel.

Part of our journey is getting everybody connected to the infrastructure and trying to avoid any breaches. We don't want to be vulnerable.

I would rate the solution as 10 out of 10.

We use it for the identification of our devices, users, and wireless users.

Unauthenticated devices are not allowed on our network and that has been an improvement for our company. With Cisco ISE, we control the certificates of each device so that devices have internet access. The solution has eliminated trust from our network architecture.

The access policies, and all of the policies in Cisco ISE, are important to us.

The user interface could be more user-friendly.

I have been using Cisco ISE (Identity Services Engine) for about six years.

The stability has been perfect. Our company has been using it for more than 10 years and it's stable. It's really good.

The scalability is also good.

The customer service has been perfect.

Positive

We did not have a previous solution.

The pricing is fair. We have a base license and an OpEx license.

We looked at other solutions, but that was a long time ago.

I would recommend ISE to colleagues. We are happy with it and we want to use it in the cloud, next. Our on-prem devices go end-of-support in 2023 and we will try to use it on the cloud.

We use it for identity services, profiling, and locking down devices.

We're an airport, so when anybody plugs in a device, it's obviously a really big security point for us.

We have a lot of different devices that get plugged in and we really don't have the manpower to address each one individually, as far as our network goes. Cisco ISE has really cut down a lot on the size of our ticket queues and the manpower. My boss is extremely happy about that.

The solution has also eliminated trust from our organization's network architecture and that has actually been positive because we have to meet PCI compliance. It is very important for us to be able to take cards. It has also helped to improve our pen-testing scores at the end of the year.

Resilience, in cyber security, is at the top of the list. It's one of the most valuable aspects and has been extremely important for us. Before, we had mid-range scores, but over the last couple of years, between implementing ISE and a few other technologies and SIEMs, we've gotten into the 90th percentile with our pen-testing scores. We were sitting at about 75 to 80, so this is a pretty huge jump for us.

Profiling is one of the most valuable features. We have a lot of different devices between cameras, access points, and laptops that get plugged in.

Establishing trust for every access request, no matter where it comes from, is extremely important for us, especially because we are an airport entity. We do have port security implemented throughout our airport, but on the more sensitive side of things, it's a little bit more hardcore regarding what we need to allow, per security zone.

There are always some things that I would request.

I first started using Cisco ISE (Identity Services Engine) in about 2015, but we recently just spun it up here at my current job.

The stability of the solution is a 10 out of 10.

The scalability is also a 10 out of 10.

For this particular solution, the technical support has been pretty good.

Positive

I've worked with ISE before, and it was actually my suggestion that we buy the license for it.

The initial deployment was pretty straightforward only because I had done it before. I worked on it with a colleague and taught him everything about it, just in case I was incapacitated.

From the start, including getting to an agreement, budgeting, and scheduling, the deployment took about three months.

In terms of an implementation strategy, once we got the licensing, we just stood the nodes up. Then we did the features one-by-one, with proper RFCs done, just to see, in a break-fix manner, if each thing we implemented would break something.

We used a consultant. The deployment required two people on our side. I was in charge of the initial rollout and implementation, and I'm in charge of managing it. However, if I'm not there, we have another network guy who does the day-to-day tasks and checks the logs to see if he needs to approve anything.

We have definitely seen return on investment. We have so many different security solutions in place, and ISE just works really seamlessly with them. I get to keep my job, so that's a pretty ROI from my point of view.

The pricing is fair for what it does. The only time I've really not been too crazy about the price is for Cisco Prime, which is a management solution for Cisco products.

We implemented a request for purchase and talked to a few different companies. One of the companies was Presidio. There was another company close by called Net Solutions. Three out of the five companies that we talked to were outsourcing the work to pretty much just bring in an ISE solution, so we just decided to do it in-house.

If you are on the fence about it, and you don't have someone on your team who has worked with the product before, definitely reach out to a company or a certified Cisco entity to help with the rollout. It's pretty painful if you don't know what you're doing.

Resilience is never a bad idea and it's never too late to start working towards it or to begin the journey to Zero Trust. It's very important in this day and age. 

I'm the only cyber security administrator that we have currently, so if we hadn't gotten this solution in place, I highly doubt that I would have been able to make it here to Cisco Live 2021, so it's excellent.

From 2015, when I first started using it, until now, there's not really a lot that I would ask be changed. They've been hard at it ever since I first started using it.

It's been incredible ever since we got it in place.