Cisco ISE (Identity Services Engine) Reviews

I am not certain if I am using the latest version. It is the one which is made for TV. 

We use the solution to access control. Prior to any device being authenticated on the network, a person must login to the solution's site for authentication purposes. 

While the solution has a host of features, we only use the one involving access control. 

We are looking into further uses for it. My aim is to deploy it across all three of our sites and not just one. 

There is much room for improvement, especially after having perused the documentation on the solution's website. 

The solution lacks properly knowledgeable support, especially internationally, and this is why I am exploring other applications. 

I would need time to expand my knowledge of the solution and consult with the Cisco engineers before I could point to other pain points. 

I have been using Cisco ISE (Identity Services Engine) since 2015. 

So far, we have had no issues with the stability. 

There should be more knowledgeable support, particularly in the international sphere. 

I have no doubt that we will get there. They contacted me yesterday, which makes it likely that by weeks-end we should be able to build a structure and do many things with the solution. This would allow me to know where I am standing, explore further and even examine the possibility of implementing some of Cisco's other features. 

We did not use other solutions prior to the current one and will likely not explore others in the future. The current one should be fine. 

The installation was straightforward, although it will likely involve a more complex implementation in the future.

As the previous installation was not complex, it did not take long. 

I believe I have paid around $1,000 in licensing fees. The license is annual. 

We did not really explore other options prior to using the solution. We considered Fortigate, but found it to not be very straightforward, which is why we decided to go with the current solution. 

While we have focused on the access control aspects of the solution, the documentation demonstrates that it has many more features, so I would like to explore it further. 

We are customers of Cisco. 

At the moment, we have around 250 users making use of the solution. 

I rate Cisco ISE (Identity Services Engine) as a five out of ten. This is because I wish to explore further any additional features that can add value to our organization, especially on the IT security side. 

My clients are small to enterprise-size companies using this networking solution. One of my clients is a leading pharmaceutical manufacturing company, providing genetic medicine. The network they have has approximately 5,000 device inventory. Additionally, I have a couple of clients in the banking industry in the USA that has quite a large networking infrastructure using this solution.

The most valuable features are the NAC and the bundles that are available with Cisco ISE, such as Cisco ACS being integrated.

The solution infrastructure configuration is complicated to set up. They have improved over the years but there is still a lot of room to improve. When comparing the simplicity to other vendors, such as Fortinet and Aruba they are behind.

I have been using this solution for approximately three years.

The solution is stable.

Cisco's support system is very good and they are well known for it.

I am also using FortiNAC and it is similar to Cisco ISE. However, Cisco is spread across the globe with bigger clients, large enterprises. FortiNAC is not as mature, but they are still working their way up in the market

The price of the solution is price fair for the features you receive.

I have evaluated other solutions from Aruba and Fortinet.

I rate Cisco ISE (Identity Services Engine) a seven out of ten.

Our use cases are based around dot1x. Basically wired and wireless authentication, authorization, and accounting. 

In terms of administration, only our networking team uses this solution. Probably five to ten administrators manage the whole product. Their role pretty much is to make sure that we configure the use cases that we use ISE for — pretty much for authenticating users to the wired and wireless networks. We might have certain other advanced use cases depending on certain other business requirements, but their job is pretty much to make sure all the use cases work. If there are issues, if users are complaining, they log into ISE to troubleshoot those issues and have a look at the logs. They basically expand ISE to the rest of the network. There is ongoing activity there as well. The usage is administrative in nature, making sure the configurations are okay, deploying new use cases, and troubleshooting issues.

This solution has definitely improved the way our organization functions.

In terms of features, I think they've done a lot of improvement on the graphical user interface — it looks really good right now. ISE is always very complicated to deploy because it's GUI-based. So they came up with this feature called work centers, that kind of streamlines that process. That's a good feature in the product right now.

An issue with the product is it tends to have a lot of bugs whenever they release a new release.

We've always found ourselves battling out one bug or another. I think, overall they need to form a quality assurance standpoint. ISE has always had this issue with bugs. Even if you go to a Cisco website and you type all the bug releases for ISE, you'll find a lot of bugs. Because the product is kind of intrusive, right? It's in the network. Whenever you have a bug, if something doesn't work, that always creates a lot of noise. I would say that the biggest issue we're having is with all the product bugs.

Also, the graphical user interface is very heavy. By heavy, I mean it's quite fancy. It's equipped with a lot of features and animations that sometimes slow down the user interface.

It's a technical product — I don't think a lot of engineers really need fancy GUIs. We pretty much look for functionality, but I think Cisco, for some reason, is putting an emphasis on its GUIs looking better. We always look for functionality over fancy features.

We've had issues with different browsers, and sometimes it's really slow. From a functionality standpoint, we would rather the GUI was light and faster to navigate.

ISE has a very good logging capability but because their GUI is so slow, we feel it's not as flexible or user-friendly as we would like it to be, especially when it comes to monitoring and logging. At the end of the day, we're implementing ISE for security. And that means visibility.

Of course, you can export the data into other products to get that visibility, but we would like to have a better type of monitoring, maybe better dashboards, and better analytics capabilities within the product.

Analytics is one thing that's really lacking. Even if you're to extract a report, it just takes a lot of time. So, again, that comes down to product design, but that's definitely an area for improvement. I think it does the job well, but they can definitely improve on the monitoring and analytics side.

I have been using this solution since they released the first version over ten years ago.

Scalability is pretty good, provided that you design it properly from the get-go. There are design limitations, depending on the platforms, especially the hardware platforms that you select. On the scalability front, it's not a product that can be virtualized very well — that's an issue. Because in the world of virtualization, customers are always looking for products that they can put in their virtual environments. But ISE is not a truly virtualized product, as in it doesn't do a lot of resource sharing.

As a result, it's not truly virtualized. Although they do have the VM offering, it's not virtualization in the proper sense of the word. That's one limitation of the product. It's very resource-intensive. As a result, you always end up purchasing additional hardware, actual ISE physical servers. Whereas, we would like to have it deployed in virtual machines if it was better designed. I think when it comes to resource utilization, it probably isn't optimized very well. Ideally, we would like to have a better-virtualized platform.

Tech support tends to be pretty good for ISE. We do use it extensively because of all of the bugs we encounter. 

Mostly it's at the beginning of setting the whole environment up. Typically, once it's set up properly, it tends to work. But it's just that the product itself integrates with a lot of other products in the network. It integrates with your switches, with your APs, etc. So, it's a part of an ecosystem. What happens is, if those products experience bugs, then it kind of affects the overall ISE solution as well — that is a bit of a dependency. The ISE use cases are dependent on your network access devices, but that's just the nature of it. The only issue with support is you might have to open a ticket with the ISE team, but if you're looking at issues in your wireless network or switches, you might have to open another ticket with their tech team for switches. 

For customers using Cisco, end-to-end, they should improve the integration and providing a seamless experience to the customer. But right now, they have to refer to other experts. They come in the call, but the whole process just takes some time.

That's an area that they can improve on. But typically, I would say that the support has been good. We've been able to resolve issues. They are responsive. They've been good.

Overall, I would give the support a rating of eight.

The setup is not straightforward. It's complex. You need to have a high level of expertise.

It's an expensive solution when compared to other vendors. It's definitely more expensive than ClearPass. It's expensive, but the issue, again, comes down to scalability. Because you can't virtualize the product, there's a lot of investment when it comes to your hardware resources. Your CapEx is one of the biggest issues here. That's something Cisco needs to improve because organizations are looking at reducing their hardware footprint. It's unfortunate that ISE is such a resource-intensive application to begin with. As it's not a properly virtualized application, you need to rely on physical hardware to get the best performance.

The CapEx cost is high. When it comes to operational expenditure, it all depends on the features you're using. They have their tiers, and it all depends on the features you're using. The basic tier, which is where most of the functionality is, is relatively quite cheap. But if you're using some advanced use cases, you need to go to their higher tiers. So, I'm not too worried about operations costs. You need to buy support for the hardware: you need space, power, and cooling for the hardware-side. All of that adds up. So, that all comes down to the product design and they need to make sure it's properly scalable and it's truly virtualized going forward.

We've evaluated other products, for example, Aruba ClearPass. There's another product, Forescout, but the use case is a bit different.

When it comes to dot1x authentication, I think it's ISE and Aruba ClearPass. Forescout also comes into the next space, but the use case is a bit different.

We prefer ISE because, I think if you're using Cisco devices, it really kind of integrates your ecosystem — that's why we prefer ISE. When it comes to NAC or dot1x products, from a feature standpoint, ISE has had that development now for 10 to 11 years. So, we've seen the product mature over time. And right now it's a pretty stable and functional product. It has a lot of features as well. So, I think the decision is mainly kind of driven by the fact that the rest of the ecosystem is Cisco as well. From a uniform figure standpoint, the other product is probably the industry leader at this point in time for network admission control.

The main advice would be in terms of upfront design — this is where a lot of people get it very wrong. Depending on the platforms you choose, there are restrictions and limitations on how many users. We've got various nodes, so how many nodes you can implement, etc. Also, latency considerations must be taken into account; especially if you're deploying it across geographically dispersed regions. The main advice would be to get the design right. Because given that directly interferes with the network, if you don't get your design right it could be disruptive to the network. Once you've got the proper design in place and that translates into a bit of material, the implementation, you can always figure it out. Getting it right, upfront, is the most important thing.

Overall, I would give ISE a rating of eight out of ten. I don't want to give it a 10 out of 10 because of all the design issues. There is definitely room for improvement, but overall out there in the market, I think it's one of the best products. It has a good ecosystem. It integrates well with Cisco devices, but it also integrates with third-party solutions if you have to do that. It's based on open standards, and we've seen the ecosystem grow over the years. So, they're doing a good job in terms of growing the ecosystem and making sure ISE can work with other products, but there's definitely room for improvement on the product design itself — on monitoring, on analytics. 

We're using version 3.1, which is very stable. There have been a lot of improvements.

I like the automation of the collection of information.

We have only been deploying this version for three months. We haven’t had any issues, but we'll see how it goes. One of the issues that we used to have was with profiling because we're working with a service provider that uses a lot of bring your own devices. We haven't had any issues since we started using version 3.1.

I have been using this solution for over 12 years.

There are no stability issues with version 3.1.

It's stable. We deployed with a client in petroleum with about 200 users worldwide, and it was stable.

Setup wasn't easy, especially if you haven’t worked with it intensively. VM is a little bit easier. If you don't deploy ISE with correct policies, it will be difficult.

If you deploy it with the correct policies, it's a wonderful product. You don't need to attach anything like your firewalls or creating rules.

ISE has always been expensive compared to other products in terms of what it does on a user level. I haven't had a client who didn't say that ISE wasn't expensive. I’ve had an issue where I was just selling four boxes, and it was four million. It was a high-end box, and the client didn't take it. They end up going with VM.

I would rate this solution 9 out of 10.

It's one of the more difficult products to deploy.

You can learn a lot about ISE from their training videos. I would suggest watching the videos before deploying the solution. They have created good videos for ISE, from version 1.3.

We use ISE for security group tagging in terms of guests and visitors who access the network to make sure that they actually go through this to control their privilege access to ensure they don't actually access the internal network, etc. 

Our clients use ISE as a form of security policy management so that users and devices between the wired, wireless, and VPN connections to the corporate network, can be managed accordingly.

Take a house for example. Sometimes you need to access a room via a certain keyhole, so you use a key that is unique to that door. With ISE, you can segment this process in terms of policy management based on the security tag. You actually grant the user access based on the tagging.

That's the IT trend — saving a lot on operating costs to manage the different users and access methods.

Within our company, we have roughly 200 employees using this solution.

My clients are always talking about the segregation capabilities. Segmentation refers to how you can actually segregate employee and non-employee client access. 

They have recently made a lot of improvements. My clients don't have much to complain about — it's a one-stop-shop.

It should be virtualized because many people have begun migrating to the cloud. They should offer a hybrid version. 

It's stable but there's a limitation of up to 200,000 users. If you have a big number of users, then you have to customize the installation process. 

It's only scalable up to 20,000 users. 

I would say Cisco's support has been getting worse. I think they outsource a lot of skillsets.

The initial setup is pretty straightforward. They actually provide a lot of help to IT administrators which makes setting it up rather easy.

The whole setup takes about three days because you need to basically configure the network, test the configuration, and then you need to cut over to production. 

Our customers definitely see a return on their investment with this solution.

I think licensing costs roughly $2,000 a year. ISE is more expensive than Network Access Control.

If you wish to use ISE, you must have a deep understanding of IT. If you don't, setting it up properly will be very complex.

Overall, on a scale from one to ten, I would give this solution a rating of nine.

We primarily use the solution for user authentication and wireless segmentation of users for actual radius purposes.

The actual radius is the most valuable aspect of the solution. We need to have a centric solution either on MarTech X and for the wireless user authentication. We were mainly on Cisco and we continue to use them. However, this is the time period for a refresh as the five-year lifespan is completed. We may look for other options.

Technical support is okay.

The solution is not so user-friendly. It's very difficult to navigate through different manuals. The documentation should be simplified so that it is easier to understand.

It would take time for a beginner to understand and familiarize themselves with the solution. There's a bit of a learning curve.

Cisco ISE is not very stable. They could work on that aspect. 

We'd like the pricing to be better.

The product is not easily scalable.

Currently, if you want to do something with authentication, you need to have an additional document agent, however, these are short on all Microsoft endpoints. We then need to come up with some alternate options so that I don't have to modify any native applications on it. By default, Windows should be able to support and onboard the devices. Right now I need to have a Cisco AnyConnect as an agent to be deployed for authentication.

I've been using the solution for over five years at this point. It's been a while.

The stability of the solution needs to be improved. It's not ideal. It's lacking overall. If we have five or six items activated, the box shakes and we're scared to touch anything. When we do have to reconfigure things, it's a nightmare as it can go down and it can take us a day or two to sort things out.

In terms of scalability, it needs to be reactivated, which means that I need to add more nodes. It's got its own design limitations. We had only a two-node deployment in it. We need to add more hardware and we need to reduce so many things. It's not an easy option to scale this hardware. Scaling, in general, is very difficult.

We have roughly 9,000 users on this product currently.

Technical support is fine. However, we may need to depend on support to resolve some of our many issues. We need to spend an enormous amount of time with them and to explain so much stuff. It would be easier if we could troubleshoot the issue ourselves or if the solution was more reliable.

I don't know about other alternative products. I don't have any experience with other alternative products. I've only ever used Cisco ISE.

The solution's initial setup can be a bit complex as there are so many features that are available. It all depends, however, upon which one you want to activate. In our case, we have five or six activated and the box always shakes. It's not stable. So my colleagues are always afraid to touch the box. If it is working well and good, you don't touch it, and we don't reconfigure it. In cases where we encounter any issues, it's a nightmare and we need to spend a minimum of twenty-four to forty-eight hours to recover everything.

We pay a fee based on a subscription model.

The pricing could always be better.

I've been looking at evaluating Aruba's Clearpass as a potential replacement option for this solution. I haven't gotten too far into my research, however. I'm looking for a solution that's scalable and easy to use.

My advice to Cisco would be to simplify as much as possible so that a normal IT guy can understand the CCD and set it up. If they can simplify the manuals, navigation, and documentation, it would be nice. It will always be difficult for a beginner, however, to, rearrange or design the network.

I would rate the solution five out of ten.

Mainly the use case of the solution is for ensuring that the corporate staff gets access to their authorized systems. 

Another use case is for contractors to get access to the authorized systems. Those are the ones that hope to assist in the maintenance or for authorized admissions to the network.

We do also use it for remote access, for example, VPN's and also for wired and wireless access to the network.

The posturing is the solution's most important aspect. When a user connects his or her machine to the network, the first is for ISE to check whether that machine is authorized, check that that machine is compliant with respect to antiviruses, whether it complies with respect to Windows updates, et cetera. If not, a feature is on auto-remediation, so that the proper antivirus and Windows updates can be pushed to the machine.

At the moment, ISE seems to integrate very well with a number of other technologies. It integrates well with Microsoft and integrates well with other wireless systems.

In terms of the improvements I need, they've already, according to my research, done those improvements with their new versions. The features have already improved on their newer version, and that's why we need to update to that new version.

What is required is that Cisco needs to be doing health checks and following up with the customer to ensure that their Cisco partners have done the deployment right. That's something that has really helped us.

Whenever a partner comes and does any deployment, we would, later on, engage Cisco for a health check, so that Cisco could assist with their products. They would check whether it has been deployed following the best practices - or they would just alert us on which features that we have paid for and we are not taking advantage of that. 

Cisco needs to continue with that health check. That engagement with their customers to reconfirm everything is like a quality assurance that the Cisco partners have given the right stuff to their customers.

This product doesn't work in isolation. For example, when we talk of posturing the Microsoft updates, the system that does automatic updates for Microsoft needs to work in an ideal fashion. The antivirus needs to work. OF course, the antivirus is not Cisco. Those products need to work as they should so that integration of the ISE product will work as well. When all factors are held constant, Cisco works well. 

We have been using the solution for six years now.

We have been using it, especially during alternative working arrangements (due to the COVID-19). Using it, it's been stable. We have not had any issues. The only reason we are looking to upgrade is we didn't know the benefits that the newer version offered. When we checked with Cisco, they advised us that we were missing a few items that actually gaps caused by the partner's setup which we realized we missed during the health check.

We haven't had bugs or glitches. It doesn't crash or freeze. It's good.

Everyone in our company is using Cisco. In terms of users, we have about 1,500, however, in terms of endpoints we have, that would be closer to about 3,000 to 4,000 endpoints, including wireless gadgets, switches, laptops, phones, and all that. We use it on a daily basis.

Scalability probably might be an issue. Before we bought ISE, we did sizing for each. We looked at the number of users in the organization, 1,500,  and then we used a factor to look at the uppermost band. We decided we would have to go for 4,000 licenses or 4,500 licenses. We multiplied by three. Based on that, we went for a certain hardware model.

This time, the hardware model we are going for supports up to or has the capability to support up to 10,000 users or endpoints. When we go for that, we will have used even less than 50% of what their hardware is capable of. Above 10,000, there's another hardware model that we're generally expected to go for. 

Basically, when you get the right model, when you do the right scaling, it will be very scalable. However, from the onset, you need to write hardware for USI.

The solution is more meant for enterprise-level organizations. It's not really for small companies, however, that has more to do with the pricing.

We're dealt with technical support in the past. Their support is excellent, except for Umbrella. There is a technology called Cisco Umbrella, and they're a bit slow, however, the technical support in general, depending on the severity of the issue, is very prompt. I would say we are quite satisfied with their level of service.

I've only ever used Cisco. I used to use NAC, however, they changed to ISE. I've never used any other product.

We had a partner set up the solution, and we're not sure if they set it up correctly. The partners come straight to us, and do the deployment. Cisco only is there to be the third eye to come and check that the deployment has been done okay.

You have to make sure that other items connected to ISE are correctly implemented and updated as well (such as the antivirus), otherwise, it won't work as you need it to. There's a lot of configuration that needs to be done at the outset.

I'm not sure how long the deployment takes, as I wasn't at the company when it was set up. However, it's my understanding that it shouldn't take too long so long as everything surrounding it is correctly aligned.

Any maintenance that needs to be done is handled by a third party. That includes patching, et cetera. We have an SLA with a Cisco recognized partner.

We worked with a partner that assisted with the setup.

Afterward, Cisco will also come in to do a "health check" to make sure the setup is correct and they can direct users to features they should use or are not using.

Cisco does not sell directly. They have authorized partners you need to buy through.

I don't deal directly with the licensing and therefore do not have any idea what the pricing of the product is. It's not part of my responsibilities.

It is my understanding, however, that it would be expensive for smaller organizations. Startups may not be able to afford these products.

We don't really worry about pricing, as cheap might be expensive in the long run if you don't get a product that is right for your organization, or is more likely to break down over time.

We are in the process of doing a refresh and I have compared other technologies to see how they stack up. I've looked at Fortinet, for example.

I wouldn't say we are switching from Cisco. What we are doing is we were exploring other technologies that offer similar functions. Sometimes it's good to look outside as you might think you have the best and yet you don't. We are just looking for other solutions to get to know what they offer. If we feel that there is something unique that is on offer somewhere else, then we would want to check that in Cisco and see, where is this offered in Cisco's product? 

We haven't concluded that we are switching. In any case, from what I have seen so far, it is likely we won't switch. 

We're just a customer. We buy their products for our security and our connectivity.

We're not using the latest version. We're actually using a few versions. We have ISE, which is version 2.3. We're supposed to up to version 2.7, and that requires a refresh of the hardware.

That's why we are saying, "Should we try to look for a different solution?" That's why I have been looking for comparisons. We haven't dedicated a lot of time to that yet. From my assessments so far, however, ISE still wins the show and it's likely that the partner that was doing the deployment originally on behalf of Cisco probably missed out on a number of things. It's really about the engineers who are doing the deployment. You need to make sure you have some good ones.

I would recommend this solution to others, especially mature organizations as the smaller organizations may not be able to afford this. 

On a scale from one to ten, I would rate the product at an eight

The .1x authentication schema is the most valuable aspect of the solution. It makes it possible to have multiple policies and it can still adapt to us. We can authenticate and calculate our trajectory and so on. The policy is very easy to put in place. It's got to be easy due to the fact that we have more than 200,000 devices.

The implementation is very simple.

The web interface needs improvement. The new web interface that they have is not as easy to manage and we find it to be very slow.

The solution might require two authentications. They should make a new authentication to authenticate both the device and the users. Right now, we are authenticating the PC, the workstation, but not as a user. A good addition would be to authenticate the user separately to get more information.

I've been using the solution for five years.

The solution is stable. I haven't witnessed bugs or glitches. It doesn't freeze or crash. It's reliable.

The solution is quite scalable.

We started with two clients and we've since scaled up to 20 clients.

Cisco ISE was the first full solution we've used.

The initial setup wasn't complex for us. We found the process of implementing the solution very straightforward.

For our organization, in terms of deployment, the first implementation took one month, and for the global implementation took six months.

For maintenance, a company needs one or two people to handle it, one of which should be full-time.

The pricing is okay. It's reasonable for functionality, however, if you're going to implement it as a full-stack with Cisco Connect, and a work station, and so on, it's very high.

I'd advise other companies to really take care in regards to the network devices that they want to authenticate. 

For most of the cases, the biggest rooms are the easiest to manage, however, the smallest ones require specific implementation in all devices. It is very tricky due to the fact that you are obliged to put in place the rules that are not so secure and that's why it's very important to know what devices are connected on the network.

I'd rate the solution eight out of ten.