Cisco ISE (Identity Services Engine) Review

It can handle RADIUS and TACACS+. It is quite complex when it comes to troubleshooting.


What is most valuable?

It can handle RADIUS and TACACS+.

How has it helped my organization?

Authorisation and Authentication Policy creation is easier. Access right limitation is pretty easy in ISE. Context exchange feature is present.

What needs improvement?

It is quite complex when it comes to troubleshooting.

For how long have I used the solution?

2 years

What was my experience with deployment of the solution?

Upgrade was quite a pain. It doesn't exactly go according to the document.

What do I think about the stability of the solution?

On the TACACS side, we see some issues. The rest is all going well.

How are customer service and technical support?

Customer Service:

It's good.

Technical Support:

Tech support is still lacking on TACACS troubleshooting on ISE.

Which solution did I use previously and why did I switch?

We were using ACS and IAS servers for RADIUS and TACACS. ISE is a one-stop shop for everything, with more to offer.

What about the implementation team?

Initially done with a Cisco consultant and started with RADIUS services. Expertise was excellent.

What's my experience with pricing, setup cost, and licensing?

Smartnet is not so cheap depending on the deployment.

What other advice do I have?

We have deployed this solution and we keep on exploring more and more. It can do wonders for authentication and limiting access with the network.

Which version of this solution are you currently using?

2.0.1

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about Cisco ISE (Identity Services Engine). Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
11 Comments

Orlee Gillis
Consultant

Do you have any advice for other users when it comes to troubleshooting?

it_user473598 (Product Manager at a tech company with 51-200 employees)
Real User

Hi Vijay,
I'm the product manager of ISE. I will be happy to chat with you and get your feedback about the issues you have.
Tal.

it_user375078 (Senior Network Engineer/Mobility Specialist at CCSI - Contemporary Computer Services, Inc.)
Top 20 Real User

I agree that troubleshooting is quite complex; however, this is as much a product of RADIUS/Dot1x as it is of ISE specifically. I will say that the troubleshooting view and the fact that you need to move to reports for any older AAA information can be clumsy and inconvenient.

Orlee Gillis
Consultant

Thanks, WiFiSuperman.

Do you have any advice to other users for how to overcome/alleviate the clumsiness & inconvenience of troubleshooting?

Can you share any responses you've found to be successful?

it_user375078 (Senior Network Engineer/Mobility Specialist at CCSI - Contemporary Computer Services, Inc.)
Top 20 Real User

So get to know the fields in the AAA logs and pay close attention to the modifiers available for searches. Also, a good design, which includes logical, consistent naming conventions, will make things jump out and will make searching that much easier. I hope this helps!

it_user216399 (Senior Network Engineer with 1,001-5,000 employees)
Vendor

The best way to troubleshoot is to go through the details of authentication from the GUI. If you are good with Linux commands, then the CLI can be a good option. Always start troubleshooting from bottom to top. The reason is that you might have missed a small step in the investigation, which can make troubleshooting more complex.

it_user216399 (Senior Network Engineer with 1,001-5,000 employees)
Vendor

Tal Surasky: I'm based in Singapore, and I'm more than happy to discuss with you. I've already filed 2 new bugs (CSCvc11975 and CSCvb87634) while troubleshooting issues on my end. Still dealing with other issues with TAC now. Unfortunately, TAC experience on ISE is not so vast. Only a few are trained or experienced on it. Currently, I want to explore the 2.2 version, which came out recently.

Orlee Gillis
Consultant

WiFiSuperman, do you have any recommendations for how the way the solution employs naming conventions can be adopted by other companies/solutions?

This would be a great insight that others can learn and benefit from.

Looking forward to your input.

it_user375078 (Senior Network Engineer/Mobility Specialist at CCSI - Contemporary Computer Services, Inc.)
Top 20 Real User

Sure! Two things we find helpful are to never use any default rules as a PERMIT. #1 All default rules are to Deny, as DEFAULT is generic and will exist in every Profile set multiple times and therefore be very confusing in logs. #2 Use descriptive names but do not make them long or over-descriptive without purpose. For wireless I like to separate profile sets by SSID. Then name the profile set accordingly with the SSID first in the name. Authentication and Authorization Profiles follow suit with the same SSID prefix. With Authentication profiles you will often see MAB, Dot1x, or CWA referenced. Make sure you use the same convention, i.e. if Dot1x is used do not use 802.1x or dot1x. This way everything is similar and the eye keys on syntax and capitalization during troubleshooting. I hope this helps!
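
The naming rules from the comment above, expressed as a small checker. This is an added example, not code from the commenter or from Cisco; the data structure, rule codes and sample names are constructed for illustration and are not an ISE export format.

```python
import re

# Canonical spellings for the method tokens named in the comment above.
CANONICAL = {"mab": "MAB", "dot1x": "Dot1x", "802.1x": "Dot1x", "cwa": "CWA"}

# Constructed sample data: a hypothetical structure, not an ISE export format.
PROFILE_SETS = [
    {"name": "CORP-WiFi", "ssid": "CORP", "default_rule": "DenyAccess",
     "profiles": ["CORP-Dot1x-Employees", "CORP-MAB-Printers"]},
    {"name": "Guest-Wireless", "ssid": "GUEST", "default_rule": "PermitAccess",
     "profiles": ["GUEST-CWA-Portal", "Visitors-802.1x",
                  "GUEST-dot1x-Contractors"]},
]


def lint_profile_set(ps):
    """Return (rule_code, offending_value) pairs for one profile set."""
    findings = []
    # Rule 1: a default rule must never permit.
    if not ps["default_rule"].lower().startswith("deny"):
        findings.append(("default-not-deny", ps["default_rule"]))
    # Rule 2a: the set and its profiles carry the SSID first (case-sensitive).
    prefix = ps["ssid"] + "-"
    for name in [ps["name"]] + ps["profiles"]:
        if not name.startswith(prefix):
            findings.append(("missing-ssid-prefix", name))
    # Rule 2b: one spelling per method, so searches and the eye match on it.
    for name in ps["profiles"]:
        for token in re.split(r"[-_ ]", name):
            canon = CANONICAL.get(token.lower())
            if canon and token != canon:
                findings.append(("non-canonical-method", name))
    return findings


def lint_all(profile_sets):
    """Map each profile-set name to its findings, omitting clean sets."""
    report = {}
    for ps in profile_sets:
        found = lint_profile_set(ps)
        if found:
            report[ps["name"]] = found
    return report


if __name__ == "__main__":
    for set_name, found in lint_all(PROFILE_SETS).items():
        for code, value in found:
            print(f"{set_name}: {code}: {value}")
```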

Orlee Gillis
Consultant

Thanks, WiFiSuperman, that really is helpful.
Are these recommendations based on rules you have set for your own software, or are they rules you have seen used by others?

it_user375078 (Senior Network Engineer/Mobility Specialist at CCSI - Contemporary Computer Services, Inc.)
Top 20 Real User

We may have borrowed ideas from other sources, but I do not think so. More based on years of experience with ACLs, firewall rule sets and working on the ISE flow and best practices. Also creating a flow chart of ISE flow is great. If you can create it prior to configuration it will guide you. And then create or adjust after implementation. Remember that if your flow chart is clumsy or difficult to organize chances are that your logic is also clumsy or even incorrect. With that said if you are new to ISE (and Dot1x, EAP and RADIUS) a poor flow chart may not reflect an incorrect implementation but a lack of understanding of the underlying principles. GOOD LUCK again!