Cisco Identity Services Engine (ISE) Reviews

We have two servers and they're both VMs. Every network system is issued a certificate and each device coming onto the network has to be on the domain with an active AD user logging into it. It needs an up-to-date AMP, which is our Cisco malware and virus scan product and it also needs to have the most current Microsoft security updates and the three layers that we're using: The core VPN, the Network Access Manager and the ISE profiler. When it goes through all those different things on every port on the switch, there are commands for it to be able to go through an ACL so it knows what users are there, what server, and what devices have been put onto the domain. It can verify all that.

The user can then proceed on to the network. We've set it so that regular users are VLAN'd off and can only see the data network through ISE and are blocked from seeing the rest of the network. Depending on the department needs or other factors, we have cameras for security which are on a different VLAN, and they can see those. We also have something for O&M where the AC guy can see the AC equipment, and we can prevent all the VLAN's from being viewed by everybody.

We are customers of Cisco and I'm the infrastructure and Cyber security manager.

The solution cuts down on the repercussions of getting malware or ransomware which happened to us four years ago. We regularly took very aggressive snapshots and we were able to recover in an hour and 20 minutes without any loss of data.

Because we have a large database and 4,000 network devices, the solution can lag a bit when you're running updates or different things because of the fact that it's so big and it is such a resource hog. But the biggest problem we've encountered is that it finds errors or people are rejected or not authenticated without a clear explanation as to why. A second issue is that we're currently on 2.4 and Cisco's gold standard now is 2.7. They are a little slow with that.

I'd really like the solution to dive down a little deeper when something's not profiling. As it stands now, you have to go through and search what hasn't profiled. Microsoft, for example, gives you a direction to look at and will even be specific sometimes and tell you there is a password error, or the password hasn't been updated, or it's not meeting the policy and that's why it won't let it through. Those are very helpful because you know exactly what's required to solve a problem. 

Cisco is getting better with it, but they fail in some areas because of a network connectivity issue, or it's not getting DCAP quick enough and it fails. Those things would be more helpful to understand when it's going through, so you are able to triage it a little better. I mean, it does point you in a direction, but sometimes you have to dig a lot deeper to find the right direction and figure out what kept it from profiling. One big issue we've discovered is that people are not rebooting their machines or powering them off at night. We're trying to ensure that is done by sticking messages on screens.

I've been using this solution for the past two years. 

ISE is pretty stable. If it does have an issue then you need to call TAC and work through the bug in it. They are very responsive and very quick to help us eliminate the issue and also come up with a plan, such as how to move forward with additional issues or different things that are coming down the pipe with Cisco ISE. When you're talking to them, you feel like they are a partner and not just a disconnected entity.

The technical support is excellent, I would rate them very highly.

The initial setup is very complex. You have to go in and manually add in all the network devices, as far as all the switches, access points are concerned. You have to go port by port and add in codes and conditions and you have to go switch by switch and add in codes and conditions. You start out with a monitor mode and then go to an impact mode and then you go towards total lockdown. Implementation took us about 18 months. We rolled it out in short bursts because we have a very small IT team and we had a consultant company come in and work with us on installing it. A lot of it was knowledge transfer from them to us.

Our consultant was Cycorp, their main focus is network security. They are a sister Cisco partner, and we had one of their CCIE's come out and help implement everything. The gentleman at the top of the CCIE, was a former Cisco employee and a beta tester for ISE. Now that we have it in, I feel it's pretty much a game changer on locking down our network so that we're not penetrated from inside or outside because everything going through the VPN has to meet a certain standard.

We did a five year deal and it was very reasonable. I think for the Avast virus scan, I think we were paying $95 a machine for five years, which nobody else could touch. And that includes all updates, technical support, etc. From the ISE side, I'm not really sure what it costs because it was all encompassed in equipment we were buying and the ISE and the AMP and the open DNS. I know that it was not more expensive than any of the things we had looked at with HP or BMC or other places. It was much more cost effective.

We have looked at other products but we are a Cisco shop so having a Cisco product rides very easy on all our switches, our access points, and our Cisco servers. I believe it's the same for other companies such as HP. It's also a priority for them that the solution works better with HP switches. Given that we weren't going to change our switches, we really needed to focus on something that was going to work well with our environment.

The important thing is to have a good game plan going into it. Prep is key for everything going on with ISE. The more stuff you have prepped and the more understanding that you have upfront of how it goes through and how it behaves, the better off you are.

I would rate this solution a nine out of 10. 

We use it to ensure that any device that connects to our network or wireless environment is a company-owned asset and has all the security certificates. We aren't doing too much remediation. We just identify whether it's one of our assets and whether it's allowed.

In our company, we have a lot of remote workers. Knowing that even devices that are coming through a VPN comply with our policies, whether they're in the office or they're remote, face the same level of scrutiny is a benefit to our company.

We can set as in-depth alerts as we want to. We can set up an alert through email, text, etc.

It has helped to improve our cybersecurity resilience. It helps to ensure that all devices meet the patching and certificate requirements.

It's keeping our company safe from rogue devices connecting to our network. From a security standpoint, there's peace of mind knowing that every device that connects is a good one.

The upgrades could be better. Every time we try to do an upgrade, we have problems. It's a pain.

I've only been with the company for six months, but they adopted Cisco ISE about three to five years ago.

Support has always been good. Overall, I'd rate them an eight out of ten. Sometimes it feels that their first-level support hasn't been trained in-depth.

Positive

We have redundant solutions across all of our data centers, policy nodes, and authentication nodes. As far as I know, we started off in a small deployment with our wireless. We profiled our devices to ensure that they belonged to our companies before we let them access, and then from there, we expanded into profiling wired ports as well, so we started very small and then moved to a larger solution.

In terms of our plans to increase its usage, we may use Cisco ISE in different ways, but the number of nodes that we have will probably stay the same. With version 2, we're moving more of our deployment to the cloud, so we'll move from the on-premise solution to the cloud. We've already started the process. We have some nodes built in the cloud, and we just have to move the production and then remove our on-prem. We're using Oracle Cloud for our highest deployments. It will be fully cloud.

We've seen a return on investment from the security aspect.

I'd advise starting just the way we did. Start small because there are a lot of use cases of Cisco ISE. If you try to do it all at once, you might be disappointed, so start small and pick an area that you'd like to focus on, get that piece done, and then go from there. 

It hasn't really helped to free up our IT staff for other projects. It also hasn't helped us consolidate any tools. 

Overall, I'd rate Cisco ISE an eight out of ten.

We mainly use it for endpoint security.

Cisco ISE has made our network more secure. 

It has saved the time of our security team. I can't say how much time it has saved because I'm on the network side, but I'd imagine it has saved quite a bit of time. It lets them sleep better at night.

It does a good job of securing our infrastructure from end to end so that we can detect and remediate threats, but I don't have a similar product to compare.

It hasn't helped to consolidate any tools. The customer is in the process of migrating from their current ACS to ISE. When they've done that, we'll consolidate that piece. This consolidation would provide a single pane of management versus multiple tools.

I'd imagine it has helped our organization improve its cybersecurity resilience, but the security team would know more about it.

The ability to allow or deny hosts onto the network is valuable. It provides great security to the network environment.

It could be more intuitive in terms of how to configure the policies.

I've been using Cisco ISE for four years.

It's very stable.

It's very scalable. We have deployed it globally.

Their support is good. I'd rate them a seven out of ten.

Neutral

We didn't use any other solution previously. We went for Cisco ISE because we're a Cisco shop. It helps to have one vendor for network management and security.

Cisco's Professional services did the installation. I wasn't involved in its installation, but they did a pretty good job.

I'd imagine we have seen an ROI, but I'm not involved in the pricing or purchasing. The security it provides gives peace of mind. That's a good return.

My advice would be to do an evaluation of the product and purchase it.

I'd rate Cisco ISE an eight out of ten.

We use it for our AAA authentication through Active Directory. We also use it a lot to verify command line history.

We have ISE in the data center environment with redundancy, and we use it for authentication for all our devices. We have access to our third-party vendors, and for the new projects, we all use ISE. It's an awesome enterprise product for on-premises or for cloud-based deployments.

The integration of ISE with Active Directory has really been a big plus for us.

I've found two features to be the most valuable. One would be AAA reporting for historical analysis, showing what's been done and by whom. The second is the log for failures on Active Directory logins.

If I were to assess Cisco ISE for establishing trust for every access request, I would give it an eight or nine on a scale from one to ten.

Cybersecurity resilience has been very important to our organization and has been a big factor. We've had issues in the past, but one of the things I like about ISE is its logging features. Security-wise or information-wise, it really has been a powerful tool.

My impression of Cisco ISE for helping to support an organization across a distributed network is that it's invaluable. It's a monster tool; we don't even touch on all the features that it offers, but the few that we do use are extremely strong and very user-friendly.

On the network services devices, when you click on filter, the filter comes up. However, when I search and want to click on something it defaults back to the main page. I keep having an issue with that, and I'm not doing anything wrong.

I've been using Cisco ISE (Identity Services Engine) for about six to seven years.

I've had no issues with stability.

We've actually scaled before and have never had an issue.

I've used technical support only once and would give them an eight out of ten.

Positive

We previously used ACS.

The return on investment we have seen is related to time in terms of troubleshooting. The logs, such as the security logs, inform us of the issues that people have had. ISE has been very instrumental in helping isolate those issues. We've seen a lot of cost savings because we don't have to pay an IT person to waste time doing something that should be instantaneous.

If you are a leader who wants to build more resilience within your organization, I would advise you to follow what they're doing at ISE.

If you're evaluating Cisco ISE, do an apples-to-apples comparison. There are a lot of features, and ISE is a monster. If you use it the right way, I think that no other product will compare to it.

Our use case is managing access to network devices for IT as well as end-users. Making that seamless is the challenge we were looking to handle.

ISE made implementation and connecting things easy.

It does a good job of establishing trust for each access request, no matter the source. It's also very effective at helping with the distributed network and at securing access.

The UI and UX could be more seamless and easier to use.

I've been using Cisco ISE (Identity Services Engine) for six years.

The stability of the solution is pretty good. I've only had a couple of issues.

I've never tried to scale it up.

We have it deployed in multiple locations with users across the US and Canada.

I have never used the technical support.

It's done the job that we put it in place to do.

It's mostly for authentication to our network for our end-users.

It's allowed us to create groups for different vendors and for employees in various groups in our company, without giving everyone access.

It has also given us a lot of extra security as the backbone of authentication for our VPN and wireless network.

The policy sets give us more granular groups for end-user access.

I've been using Cisco ISE (Identity Services Engine) for five years.

The stability is really great. We haven't had any issues with it. We've had it for a long time. We ran an old version for three or four years without any issues.

From what I have read, the scalability seems good. We haven't had to deal much with that. We have two nodes and about 2,000 sessions going at once.

Technical support is very good. They've always been there to answer any questions, and if they don't know the answer they make sure to find someone who can give me the answer.

Positive

Cyber security resilience has been at the top of our list since 2020 because we had so many people working from home and that increased as time went on. That opened our eyes.

I was involved when we upgraded at the beginning of this year. It was pretty straightforward, although we reached out for outsourced help.

We used a CDW consultant.

For us, the return on investment is that it gives us easy ways to divide up our end-users for authentication, especially for our VPN.

The pricing seems fair. The licensing can be confusing, but it is still pretty good.

I was asked a couple of years ago, when we were having issues with ISE, if there were alternatives, and I said I didn't want to switch because we're so embedded in this solution already.

Talk to someone outside of Cisco too, if you're thinking about ISE. That way, you can get all the information.

We wanted to outsource some of our work because I only have two years of admin experience and another of our network engineers has about a year. This way, if the system goes down, we have a quick way to get it back up.

I would tell leaders who want to add cyber security resiliency to make sure they include team members who are involved and not just make decisions on their own.

We use it for the TACACS authentication, for administrator login to network devices, and the RADIUS service for VPN and wireless authentication.

Initially, we were looking for a single sign-on for administrators to log in to every network device, but we also wanted a good way to control remote user access for logging in. Later we started using it for VPN and wireless.

It gives us a better way to authenticate users. It helps us identify a user with their device to establish trust. When a remote user is trying to access network resources, we need to find out who they are and where they want to go and make an appropriate decision about where they can and cannot go.

Resilience in cyber security is very important. Without security, nothing else can happen.

The TACACS and RADIUS have been the most valuable features so far.

Cisco ISE has almost all the features we are looking for now, but sometimes the configuration, such as the conditions, is a little difficult to understand and not so easy to navigate.

I have been using Cisco ISE (Identity Services Engine) for a few years.

It is stable.

They have resolved my issues, but sometimes they have been slow.

Positive

We used to use Cisco ACS and that evolved to Cisco ISE.

The initial deployment was not a process that was easy to understand. But after I completed it, looking back, I see it was reasonable. It's just hard to understand upfront. There is a steep learning curve.

I did the migration too late, so I couldn't do a direct migration and that meant I had to kind of rebuild it.

Security is something we need, but I don't think that there is a return on investment. It causes more delays to the regular workflow.

The Essentials licensing is reasonable, but I would like the Premier version to be perpetual instead of a subscription.

An idea we are looking into is associating it with the MAC address table, so that approved devices can log in to the more restricted network.

My advice is to attend training before going for it. Otherwise, it will not be easy to understand. Each product, from ACS to ISE, does similar things, but they do them in different ways.

I rate Cisco ISE a nine out of 10. If it could become a little bit easier to understand that would help.

We use it for network device administration and for user access.

It has really helped us when it comes to security. It has eliminated trust from our network architecture because, with the solution in place, you tell us who you are and, based on who you are, we give you access. The solution provides us with a platform to define our policies. Users get into our system based on those policies. That eliminates threats. If you are not who you say you are, it will block you completely from our network.

It integrates with the rest of our platform, like our firewall, and helps us a lot. It also does a good job establishing trust for every access request.

With the recent release of the solution, we had a bunch of bugs and we had to delay our deployment. Other than that, the solution is good.

I have been using Cisco ISE (Identity Services Engine) for 10 years.

Cisco ISE has come a long way when it comes to stability. It's getting better.

It's very scalable. We have it deployed in two data centers, and we're managing about 10,000 endpoints.

TAC is very responsive whenever we call them.

Positive

Currently we have two solutions that do the same kinds of things. For our wireless infrastructure, we use Aruba, but for our wired access, we use ISE.

The ROI we have seen is because Cisco gives us what they promised us. They deliver. Our requirements are being met and that results in getting value for what we pay.

Since we have a complete Cisco portfolio, including an Enterprise Agreement, it's not simple for me to compare what we're paying with the prices of other platforms.

We evaluated other companies and what they each do differently and looked at what was the better fit for our requirements.

Cisco TAC is really good. Whenever we have issues, we know they are there and that they will help us out with troubleshooting. The support of the other companies we looked at is not that great.

When I compare it with Aruba ClearPass and other solutions out there, I prefer Cisco. Cisco is number-one for user access, managing devices, and for network devices.

We don't leverage Cisco ISE for application access. We have another solution for that.

Get some hands-on familiarity with it first. Do a PoC and get people who really know the solution to help you out during phase one before you deploy it.