What is our primary use case?
This solution ties into our Cisco Duo and Cisco AnyConnect connections to help us authenticate against the active directory and Cisco Duo multifactor authentication. It takes metrics about the connections that are connecting it and allows us to set up a rule against them. For instance, if a Windows device is not all the way up to date, we can put a message up that says, "Before you're able to connect, please do your Windows updates as they haven't been done in six months."
As this solution allows AnyConnect to authenticate with the active directory in the backend, the users won't directly use it. Still, it will be in use throughout the login process into Cisco AnyConnect as a source of authentication.
With this solution, we don't require anyone for maintenance.
What is most valuable?
The ability to integrate our Cisco AnyConnect connections to the active directory has been great. Also, as a source of authentication during the process of logging into Cisco AnyConnect has been very useful for us.
What needs improvement?
It perfectly does everything we have been looking for it to do. I have not discovered any feature sets or items that are lacking. It's a much more functional product than the old Cisco ACS that it replaced.
That being said, during deployment, they shipped us the Cisco ISE with the 3.1 operating system, which was incompatible with the license that we had purchased, which would only allow us to go up to version 2.9. Because of this, we actually had to do a factory reset and a reload to the operating system — to an older version of the operating system. This required a very extensive process. We had to take out the Cisco ISE and put it into a factory reset mode to get it to roll back to the old operating system. If we were doing an upgrade, this would have been very simple, but as we were doing a downgrade, it was extremely complex and very labor-intensive. I was crawling through the server room, through wires, to plug things in, to get it to connect in the way that it needed to be connected with an external device in order to actually get it to roll back.
I don't like that the licensing structure doesn't allow us to have the 3.1 operating system — it forces us to use version 2.9. If you don't want to pay a monthly or a yearly subscription fee, either that device should have come automatically with the 2.9 version operating system, or it should have been much easier to actually roll it back. Additionally, support should have realized that our license requires us to have the 2.9 operating system instead of the 3.1 operating system, which would have saved us a lot of time.
It would be nice if it could be configured easily by default. If you're configuring a Cisco device, you pretty much need the support of a CCNA-level technician to be able to do it. It would be nice if there was a default or a more simple way to do it. It's not really a requirement to use the device because you can purchase the premium support or you could get a CCNA in-house to do it. Just having that ability to say, "Hey, we want to set this up" without too many complications or without having to bring in support would be nice.
For how long have I used the solution?
We've only been using this solution for the past three months.
What do I think about the scalability of the solution?
The scalability reports that we could easily handle a million users.
How are customer service and technical support?
I have been extensively involved with their technical support; their technical support is very good. They're more than willing to just jump on and do things for you. My only complaint is that at one point, we were trying to configure our single channel for Cisco Duo to be able to perform a password reset. Whenever we needed to look closely at another device, the support technician would say, "Hold on, let me bring in my expert on VPN; hold on, let me bring in my expert on Cisco ASA." We basically had to wait until we were able to get the Cisco Duo support agent, the Cisco ASA support agent, the Cisco VPN support agent, and the Cisco ISE support agent — all in the WebEx meeting at the same time.
As far as I'm to understand, there are CCNAs that should have been able to do it, but they brought in the experts from each item instead of just directly doing it themselves — this made the whole process take longer. Still, they were able to do everything in a way that did not affect our live environment, even though it was on the same device. That was actually very nice because it meant that we could do it in the middle of the day instead of having to do things in the middle of the night.
How was the initial setup?
The initial setup was very simple. Everything was set up within an hour thanks to assistance from the onboarding teams from Duo and Cisco, and our network administrator. They got it set up and reviewed a bunch of options with us. It was a very easy and nice process.
What about the implementation team?
Implementation was achieved with in-house resources and premium onboarding support. The entire process only took an hour.
What's my experience with pricing, setup cost, and licensing?
We are running version 2.9 because version 2.9 of the ISE has a persistent license —it's a one-time payment. The latest version (3.1) is only available if you do a yearly subscription.
It's a licensed physical device; there is no subscription. If you want the latest operating system, then you'll need to get an annual license.
What other advice do I have?
If you're planning on using this solution, my advice is to be sure you review the full feature set available and select what is important to your users. This way you'll be able to ensure that you'll have everything you want and need.
Overall, on a scale from one to ten, I would definitely give this solution a rating of nine.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?