Darren Hill - PeerSpot reviewer
Technical Consultant at a computer software company with 1,001-5,000 employees
Consultant
Top 10
Offers users the ability to be able to see what devices are actually on their network
Pros and Cons
  • "The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile."
  • "If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out."

What is our primary use case?

I am a Senior Technical Consultant. I have worked in professional services as a Cisco Gold partner for the last ten years. 

I have been offering Cisco ISE for the last three to four years. We do small deployments, upgrades, and those types of things.

We see a lot of customers wanting to use Cisco ISE primarily for 802.1X wired and wireless, and also for posture, device administration, and guest access.

A lot of our customers who come to us do not have any sort of NAC solution in place at all. They don't have a RADIUS, they might have a Soft MPS or something along those lines, but Cisco ISE is far superior. It gives them far more visibility and the policies are more configurable. The ability to do dynamic access lists, dynamic VLAN environments, and that type of thing, and it just gives them a different level of security altogether.

How has it helped my organization?

It's been just great at securing our infrastructure from end to end. With the operational launch and live logs, as soon as you spot anything, you can just do one click and you can stop that device from getting access to the network. So it's very responsive and quick in that sense.

Maybe some customers with ACS and MPS can consolidate the device admin into one platform.

What is most valuable?

The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile.

What needs improvement?

I don't really know how to improve it, I think it's a great product. If I compare Cisco with something like ClearPass, for example, ISE is a lot more intuitive in terms of all the workflows and the work centers. They give you all the building blocks you need to be able to configure it. It's quite useful and quite easy to manage. 

If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out. If I wanted anything to be easier, it would be this.

Buyer's Guide
Cisco Identity Services Engine (ISE)
June 2025
Learn what your peers think about Cisco Identity Services Engine (ISE). Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's been around for many years now. Since version three, stability-wise, it's been pretty reliable. We know the versions to avoid. We know the stable versions. Besides some upgrades and that type of thing, it's generally pretty solid.

What do I think about the scalability of the solution?

A lot of customers that I see are small deployments, maybe a single node or a two-node cluster, but we know that the product does scale. We do have customers that scale beyond just the two nodes. It's proven to be a scalable product.

How are customer service and support?

We see a lot of customers getting frustrated with Cisco TAC because they don't get the responsiveness that they believe they should be getting. But as a gold partner, we are able to leverage our influence, so when our customers come to us, we can escalate a lot of stuff for them. We use our influence. We're able to get stuff remediated fairly quickly. We find that they respond to us better than maybe to our customers.

How was the initial setup?

I think Cisco is fairly straightforward in terms of device admin. 802.1X is quite easy to deploy. As you then start to look at guest access, profiling, posture, and that type of thing, it does ramp up a little bit and we get a little bit more involved. Some stuff is straightforward and other stuff is not as much.

Generally, over the last few years, it's been mainly deployed on-prem, but we're now starting to see a shift. Users are really willing to move to cloud with Azure-type deployments. I'm doing some labs this week because we're seeing so many requests for cloud.

Which other solutions did I evaluate?

If I take the two that I really compared, it would be LogSoft MPS. Cisco ISE has a lot more features, you can do a lot more regarding the policies than you can currently with MPS.

I also have limited experience with ClearPass. ClearPass is a lot more difficult to configure and manage and is less intuitive. The visibility side of ISE is far superior as well. 

What other advice do I have?

I'd give it a nine out of ten. There are some hurdles with upgrading and licensing in particular, which is why I wouldn't give it a ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Brad Lossing - PeerSpot reviewer
Manager Network Operations at RAND Corporation
Real User
A reasonably priced tool that improves an organization’s resilience and makes it more secure
Pros and Cons
  • "The solution enables us to do everything from one interface."
  • "They should improve the documentation. There tends to be a lot of old text, or the new things aren't always up to what's been released on the code, and sometimes the documentation is inconsistent."

What is our primary use case?

We use the product for TACACS, dot1x, authentication for some of our RADIUS devices, and authentication and authorization for our VPN clients.

How has it helped my organization?

We've become more secure. We see devices that lose certificates, and then they get denied. Before, we would only get to know that the network was down. Now, with the help of the solution, we can pull up reports, go through them and understand that the certificate has expired. So, the person who raised the ticket takes the certificate, and everything gets resolved.

We can also understand if posturing fails because the user doesn't have the current version of the software on. The product provides us with one place to look for all of these noncompliance issues. If a port keeps locking down, we can send somebody to check the devices and remove a bad device if needed. The issue doesn’t get on the network because the product ties in and locks the network down for us on that port.

What is most valuable?

Cisco ISE Identity Services Engine enables us to do everything from one interface. It makes it easy to work with top-down policies, to configure groups or the granularity we control in our dot1x environment and posturing. The product helps the granularity our InfoSec group wants to achieve within their posturing project.

What needs improvement?

They should improve the documentation. There tends to be a lot of old text, or the new things aren't always up to what's been released on the code, and sometimes the documentation is inconsistent.

Last week, we were doing a dot1x troubleshooting, and I was showing people how to look for it, and all the documentation came up for version 1.0. I wondered why version 3.0 is not the top choice since it is already out, and we've been on Version 2.0 for five years. The solution should try adjusting their tags because sometimes it's difficult to find things.

For how long have I used the solution?

I have been using the solution since version 1.1.2 was released.

How are customer service and support?

I haven't found another support group that I've been able to call that gets me where I need to be as quickly. Our account manager is great. He gets on the phone with support if we ever have an issue. Unlike other organizations, Cisco has been a trusted partner. Support has quick turnarounds. The quality of support depends on the subject we need help with.

How would you rate customer service and support?

Positive

How was the initial setup?

Just getting the solution up and running was quick. Getting it to do what we wanted took us about six months. I didn't take a class for it. I had the documentation to go with, but it was version 1.0.

What was our ROI?

The product has helped us save money drastically. We were able to get rid of two different service contracts. We could invest more into the solution or into people that can help us administer it. So it's been nice. We save quite a bit of money getting rid of those other products.

What's my experience with pricing, setup cost, and licensing?

The solution’s pricing is reasonable. For everything that it does, it's actually great. It's part of our Security Enterprise Agreement. So, we get guaranteed pricing for the length of the agreement, including upgrades. It's worth it. There are no hidden costs with Cisco.

Which other solutions did I evaluate?

We looked at Microsoft, but the product was too immature. We also looked at a Linux product. The networking team told us that we have to be sysadmins to run it. It didn't do something we needed it to do.

We had looked at other products, but the mesh Cisco products have with their devices makes it more seamless. If I'm having a problem with a device, it is good to have everything from a single vendor to solve issues quickly.

What other advice do I have?

A lot of the aspects that need to be improved in the product have already been done in the 3.0 version, including HTML5 and integrations with other cloud products like Azure and Intune. I just haven't upgraded yet. They are doing a good job of keeping up with new technologies. I have a small team, and it's hard to keep up with products.

With our dot1x, we've seen situations where people have inadvertently plugged their own PC into the port, and the port shuts down. We instantly know that the port got shut down. It's been great. I haven't found another product that can do it as well and as easy to set up as the implementation of dot1x.

The solution has freed up the IT staff’s time a little bit, but it also created more work in a good way. It has created more work in Cisco because now we're doing segmentation. We're taking dot1x to the next level and closer to moving towards a zero-trust network. The Cisco team gets access to the servers after authentication.

We've done a lot of research on zero-trust networks. I work for a research company, and we've been looking at ways to do it. Historically, we have done segmentation by identifying groups of servers and locking them down. This process is challenging to manage. While setting up micro VLANs, we can provide role-based access instead of just putting applications on server pools and wondering who gets what access. If user A needs to be able to update their personal information because they got a new phone number, they need access to the HR system to do that. The HR people need to be able to see all their review records. However, user C doesn't need to see anything that user A is doing. That is what we are looking for. We want zero trust so that an individual has access to what that individual needs to be able to do and nothing more and nothing less.

We had been running two other RADIUS servers just because they worked better with the product that we brought in. Cisco Identity Services Engine is more configurable, especially on ports. So, we were able to get rid of the other two RADIUS servers. We don’t have to pay service contracts for them, and there are no more upgrades. Now, we have one suite that we focus on.

The mean time for issue resolution has drastically reduced. Everybody's looking at the same pane, the network team and InfoSec. As soon as they see something blocked, if we're not already investigating it, they're investigating it. We get to share the responsibility with multiple groups with the same end goal. It has tied the team together and made things a lot easier.

I have a small team. I have seven sites and seven people. And if I applied one person to each one, we could watch it. Our InfoSec group, who's watching all their logs from the external firewalls, would watch that. With Cisco Identity Services Engine, we must have saved 100s of hours over the year. If something comes up, two groups almost instantaneously open a chat and start working on it. We know that our escalations are blocked on time. The amount of cleanup that we've had to do from malicious devices is down to almost nil.

The solution has helped our organization to improve its cybersecurity resilience. We see malicious or unknown devices and react to them. We see known devices come in with outdated software. Everything gets addressed as soon as the user connects. It all comes together.

Spend some money on classes and not on just who you think is going to lead your project. Get your whole team involved. If you are from the networking side, ensure your InfoSec team is included, and vice versa. The tool has so many capabilities that you will feel overwhelmed, but it becomes easier once the pieces start coming together.

We had two other RADIUS servers. When we moved to Cisco Identity Services Engine, we were on Cisco ACS. Not many people offer the granularity that Cisco does because it's the main protocol for authenticating on devices.

Cisco SD-WAN’s support still needs more learning. Cisco ThousandEyes started the same way. They have improved in the last two years. They're up to an eight out of ten now. Before, I didn't even want to talk to them. We love the product.

We're expanding our cloud and looking at deploying the product on a hybrid cloud. However, we've got to get done with SD-WAN first.

Overall, I rate the solution a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Adarge Ekholt - PeerSpot reviewer
Network Engineer at a university with 1,001-5,000 employees
Video Review
Real User
Top 10
The ability to see what devices are online for a particular user helps a lot with our troubleshooting
Pros and Cons
  • "The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting."
  • "The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away."

What is our primary use case?

I'm a network engineer. I've been at my company for about six years. 

We have about ten people on the networking team. We support up to 30,000 students. We've been using ISE for five or six years now.

Our primary use case is mainly to onboard students with the wireless authentication with our switches and network devices. 

How has it helped my organization?

Another big benefit for us is definitely security in terms of wireless user activity. We spent a lot of time looking at live logs and user logs to figure out where they've been in the network and in which buildings. We can get rogue granular with locations of where people are and where they're experiencing issues.

We have definitely saved time since using ISE when it comes to building some of the policies around the types of users, like library users versus student union or even admin users. The policy building is complicated, but after a while, it's pretty straightforward in terms of repeatability of staff turnover, and things like that. It's not the learning curve that's hard for continuous maintenance.

What is most valuable?

The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting. 

What needs improvement?

The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away. 

What do I think about the scalability of the solution?

In terms of scalability, we have multiple policy nodes. I know we have about ten different devices on other appliances. As far as I can imagine, setting up another policy node or something would be pretty simple. It would just require hardware to be purchased.

How are customer service and support?

Our support for Cisco ISE has been pretty good. We've had pretty good luck with TAC cases, and it seems like maybe because it is a niche thing there are certain groups of support staff who are pretty savvy.

We've never really had issues that went long-term. It's because it's our main gateway for students, staff, and faculty. It seems like we've solved things pretty quickly.

I'd rate it about an eight out of ten. The only thing is that you don't necessarily get the same person every time but we've never had an issue that went unsolved so far, so I'd say eight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In terms of evaluating other services, that's one of our reasons for being at Cisco Live, to actually know what alternatives there are in that space. We are interested in a faster-performing solution at times.

How was the initial setup?

Overall, I would say our implementation is fine, but we do hesitate on major releases just because we've had some issues in the past, and rolling back is difficult. We don't want to go down that path especially because it is so critical for us.

What was our ROI?

In terms of ROI for Cisco ISE, I'm not sure what we paid to begin with, but I know that it's indispensable, since it is our only gateway for wireless users to connect. Also that it's flexible for us to school up new user grow groups fairly easily.

What's my experience with pricing, setup cost, and licensing?

It doesn't seem like we have a licensing model that we're aware of. It's not something that comes down where we have to say, "Oh, boy, we have to renew ISE again." It doesn't seem like it's a significant part of the budget that we have for licensing and ongoing maintenance.

What other advice do I have?

In terms of ISE for end-to-end security, it's our primary tool right now for that. It's hard to compare with other applications or hardware. Sometimes there are limitations, for example, we use it for wireless only. We don't do anything with ISE or 802.1X on the wire, which is something we'd like to do, but we're hesitant based on our experiences with the wireless side in terms of the slowness.

On a scale from one to ten, I give Cisco ISE an eight. Primarily because it seems like it's doing a pretty decent job managing our wireless connections. And there are enough tools in the GUI interface that give us feedback on performance. It's been a pretty decent install for us.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Engineer at a financial services firm with 10,001+ employees
Real User
Enables us to authenticate with AD
Pros and Cons
  • "The solution enables us to authenticate with AD."
  • "The web UI should be made similar to the one in DNAC."

What is our primary use case?

I use the product for AAA authentication.

How has it helped my organization?

Before, we used to use Cisco ACS. After ACS retired, we started using Cisco Identity Services Engine. Right now, we are integrating Cisco Identity Services Engine with DNAC. Whatever we provision inside DNAC will send the information to Cisco Identity Services Engine, and the switch will be added. This process enables easy management.

What is most valuable?

The solution enables us to authenticate with AD. That way users can log in with one username to the product and access the router and switches.

What needs improvement?

The web UI should be made similar to the one in DNAC. The left pane must have the menu title followed by the submenu. Since I have moved to version 3.1, I have to go back to the old version to figure out my way. They haven't improved the left pane of the UI. The left pane is supposed to have the menu title in order.

For how long have I used the solution?

I have been using the solution for at least seven to eight years.

What do I think about the stability of the solution?

So far, I have no issues with the solution’s stability. My primary and secondary systems are working fine. I have the least to worry about. It has run smoothly for seven years.

What do I think about the scalability of the solution?

We are using the product in about 500 devices in our organization.

How are customer service and support?

We have Platinum Support. When we call, everything gets through. I have no problems with support. However, if someone does not have Platinum Support, they will have to wait for probably an hour or two. I usually get a response in less than 30 minutes when I open a ticket because we pay for it. 

I am 98% happy with the support. Sometimes, I am unhappy when we have an incident and need quick support, but the support manager asks too many questions. I prefer fixing the problem in real time and then answering questions. Fixing the problem is more important than answering questions. When I talk to the engineer, they ask questions on how it has impacted our network. They must fix my problem first. I can answer all their questions later.

How would you rate customer service and support?

Positive

What about the implementation team?

We have a contractor who implements the product for us. After that, they give it to me to manage. Upgrading from version 2.7 to 3.1 is easy. So far, it's good. The contractor's name is Deytek. I just provided the ACS server information from the previous server to the contractors. Then, we purchased the on-premises hardware, migrated it, and started using it. I didn’t have to do anything. It was easy for me.

The upgrade from version 2.7 to 3.1 was a little bit hard, and I had to prepare a lot to do it. We need to plan the process well. We cannot just decide to upgrade the tool without planning. We had to plan with the help of AS services, who guided us on the steps to do and the backup needed. They guided us to upgrade the secondary unit first and then the primary. I also had to talk to our corporate team in Boston. We had to inform our ISA Server team about the upgrade because once you upgrade, tools that are not authenticated might lose connection.

What was our ROI?

The solution helped me by making my job easier. I manage and deploy the solution. All the other users have to do is log in and look at what they need to do. The product makes it easy for me to manage and enables the end users to log into other systems.

What's my experience with pricing, setup cost, and licensing?

The pricing is complicated. The solution uses Smart Licensing. I had to go through a lot of phone calls to convert my old license to the new one and make it work. It took me about three weeks to figure out my licensing model and why mine was different from the other teams. It's good because Cisco Identity Services Engine will automatically get our licenses from one location. It would be better this way.

What other advice do I have?

The product provides an email notification if anything is detected. We set up ACL policies based on which the product would alert us through emails if anything major happens.

The solution helped me give access to many people who use Cisco products, either router switches or UCS, from other teams. Instead of creating every ACL on the tool, I only need to set up AD group permission and add their username for them to access the same policy.

I do not use the cybersecurity features of the tool much. We only use the solution for AAA authentication. I need to explore the other features we seldom use. We are upgrading to version 3.1. We recently signed a contract with Cisco Advanced Services. They might provide us with more information to use the tool in my company.

Since I joined my current organization, we have used Cisco for everything. We have deployed the tool primarily in one location, and the secondary one is 5000 miles away in another location. One tool is in California, and the other is in New York.

I implemented version 3.1 just two months ago. I need to learn more about it and enable more features on my network. I need to improve myself to learn more because version 3.1 has a lot of new features.

Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Solomon Okonta - PeerSpot reviewer
Network Architect at Great Canadian Gaming Corp
Real User
Helps authenticate wired users, can secure wired connections, and saves us time
Pros and Cons
  • "Being able to authenticate wired users through 802.1X is valuable as it enhances our security."
  • "The policies could be adjusted to make them more easily implementable."

What is our primary use case?

We mainly use Cisco ISE for device authentication. We are now rolling out 802.1X.

How has it helped my organization?

Cisco ISE has provided us with a security posture that we desire, particularly for wired connections, enabling the identification of domain users and non-domain users.

I would rate Cisco ISE an eight out of ten for its capability to secure our infrastructure from end to end, enabling us to detect and address threats. This high rating is due to its ability to establish policies and dynamically configure switch components for users.

Cisco ISE has helped our IT staff save approximately 15 hours per week, as they no longer need to manually configure the switch components.

Cisco ISE has helped improve our cybersecurity resilience, particularly through the use of 802.1X. This aspect is something we are leveraging to a great extent.

What is most valuable?

Being able to authenticate wired users through 802.1X is valuable as it enhances our security. If someone enters an unsecured room and connects to a wired connection, they will be authenticated to a guest network, completely segregated from our data networks.

What needs improvement?

The policies could be adjusted to make them more easily implementable.

For how long have I used the solution?

I have been using Cisco ISE for four years.

What do I think about the stability of the solution?

Cisco ISE is extremely stable.

What do I think about the scalability of the solution?

Cisco ISE is highly scalable, particularly for device authentication, as we have 3,000 switches in our environment.

How are customer service and support?

Cisco technical support was knowledgeable about Cisco ISE deployments.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup was straightforward because we were familiar with what we wanted. When we encountered an issue with the policies, we opened a task case, and it was resolved quickly.

What about the implementation team?

We utilized an internal consultant for the implementation who possessed extensive experience in Cisco technology. Our overall experience was positive.

What was our ROI?

We have witnessed a return on investment with Cisco ISE due to the protection it offers to our environment and the capability of 802.1X to assist in managing security risks.

What other advice do I have?

I give Cisco ISE a nine out of ten.

Cisco is continuously improving its products. There are so many features that we're not even using in Cisco ISE. So we use what is relevant for our own use case.

I recommend that individuals conducting research on the solution take a thorough look at 802.1X and gain a comprehensive understanding of how it can offer the desired level of security.

We utilize Cisco throughout our environment and chose ISE due to our familiarity with all of Cisco's products.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Bill Masci - PeerSpot reviewer
Senior Network Admin at iridium
Video Review
Real User
Helps across a distributed network, giving you a central way of authenticating everybody
Pros and Cons
  • "When we use ISE, one of the helpful things is that I can go through the dashboard and get every step along the way of how a device was authenticated. If it's failing, why did it fail? Why is it unauthorized? If there's an error, what is the error and how can I fix that error? If it's something that, if they should be passing, why are they failing?"
  • "A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on."

What is our primary use case?

Our main use case right now is TACACS for device administration and authentication, as well as for user authentication on the network: wireless authentication, 802.1X, and wired authentication too, for RADIUS.

How has it helped my organization?

The way Cisco ISE has improved our organization is [by] making sure that we have secured our network. It's making sure that if somebody comes into the office who [possibly] shouldn't be there, and they plug a computer in or try to hit our WiFi, that we know, based on the criteria we've set up, that this person should have access. They've passed all the tests we've set up to make sure that they're not a bad actor or somebody who shouldn't be on the network.

ISE can, a lot of times, be the first stop for us to troubleshoot user errors or user issues. If you start your security posture by assuming there's no trust for a device, you're going to make sure that ISE is validating the device from the ground up. It's not just assuming that something has access, it's making sure it goes through the full process to gain access to your network.

ISE has definitely helped us across a distributed network, because you have a central way of authenticating everybody. It could be switches across different vendors, it could be different switch models—whether a Cisco Catalyst 9000 or a 2960—you can make sure, although these might be different devices, that the authentication process is going to be the same for the users. You have that peace of mind that no matter where somebody's plugging in, or what AP they're authenticating to, it's going to follow the same security guidelines, the same authentication process, to be granted network access.

What is most valuable?

The most valuable features for us are ensuring that we have the right people logging in to the network as well as protecting our device configuration. If somebody goes in to make a configuration adjustment, we need to make sure it's the right person, that they have the right access, and that we have validated that.

When we use ISE, one of the helpful things is that I can go through the dashboard and get every step along the way of how a device was authenticated. If it's failing, why did it fail? Why is it unauthorized? If there's an error, what is the error and how can I fix that error? If it's something that, if they should be passing, why are they failing?

For device administration, like logging in to a switch or a router, we can see all the commands that people have put in and who made changes. If we need to fix something—a bad command, or somebody put something in that pulls a device out of what we consider our compliance—we can fix that. 

From an administrator perspective we can look at "Why did you make this change?" and figure out how we don't break something in the future, if it was something that did cause an outage. 

And when it comes to things like wireless, we can see who is hitting the network, who is hitting a corporate SSID, or a guest SSID. Are they failing? What errors are you seeing along the way?

What needs improvement?

A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on.

The upgrade process is not very simple. It's pretty time-consuming. If you follow it step by step you're probably going to have a good time, but there are still a lot of things that could be a lot more user-friendly from an administrator's perspective. [They could be] easing a lot of the issues that people have. Instead of just saying the best practice is to migrate to new nodes [what would be helpful] would be to make that upgrade process easier.

The UI is a lot nicer in 3.0. It's pretty slow, but for the most part, it's easy to find what you're looking for, especially things like RADIUS live logs, TACACS live logs. From a troubleshooting perspective, it's really nice finding stuff. For setting up policies, from that perspective, it could be a little bit better looking.

For how long have I used the solution?

I've been using Cisco ISE (Identity Services Engine) for about five years, myself. My company has been using it for longer than that.

What do I think about the stability of the solution?

The stability for our virtual machines is good if you follow the best practice and give it the reservations the virtual machines need, and you're making sure that you're following how many recommended devices are going to be authenticating to it. We don't have stability issues with ISE.

What do I think about the scalability of the solution?

The scalability has been fine for us. We're actually in the process of possibly deploying more PSN (Policy Service) Nodes, so we'll see if that helps. But scalability hasn't been an issue. I don't think we're running into device count limitations or VM performance [issues].

We're around the 600-700 mark in terms of the number of devices in our company.

How are customer service and support?

Support has been pretty helpful when we've needed it. We haven't had too many issues where I was asking for an escalation immediately or sweating profusely because it's not working. I can't say anything bad about support, but I don't have enough experience to give a really substantial answer.

How would you rate customer service and support?

Positive

What about the implementation team?

I did not deploy ISE. We had a partner who helped us deploy it.

What was our ROI?

I don't know what the investment was, because I'm not involved in the pricing aspect of it. But there's no way for us to run a secure, reliable, user access or device administration access without something like ISE. The return on the investment, I think, is great. It's integral to our network so I don't know what we would do without ISE.

What's my experience with pricing, setup cost, and licensing?

The licensing model is pretty straightforward. There are some changes from [version] 2.x going up to 3.0 and switching to the Smart Licensing. But if you have somebody who can explain it to you, so that you know that when you're upgrading you're not losing functionality, or you're not putting yourself in a position where the license count you're used to having can go away; as long as that's set up, it's fine.

Which other solutions did I evaluate?

I have used Aruba ClearPass in the past. They're pretty comparable. If I'm going to be honest, I think ClearPass has a better user interface and some of the things are laid out a little bit better. But when ISE is up and running, it's more reliable, it's more stable. You just have to get it to that point and then it's a really nice product that I like using.

What other advice do I have?

In terms of eliminating trust from network architecture, ISE can do so when it's implemented correctly. There are still certain functions of ISE where you have to be diligent in making sure that if a user is plugging into a network port, that that port is set up to use ISE for authentication. It's kind of a two-way street. It's a great tool, but you have to set it up correctly. You have to make sure that it's doing what you've intended it to do. When you do that, it's great for that. We don't have any issues with that and it's definitely an integral part of our network.

The advice I would give people is to decide what you are looking for in terms of your AAA. Are you looking for a secure way to authenticate VPN users, users logging in for WiFi, for wired access? Something I don't use at my organization is the Guest Portal, but I know ISE has a pretty considerable catalog for deploying guest portals, for device onboarding, and posture assessment. If those are all the things you're looking for, the features, I would definitely recommend ISE.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Ahmed_Shalaby - PeerSpot reviewer
Senior Cyber Security Engineer at Beta Information Technology
Real User
Top 5
Leaderboard
The product is useful for device administration and can be integrated easily
Pros and Cons
  • "The product is useful for device administration."
  • "We face many bugs."

What is our primary use case?

I do the designing and implementation and hand it over to the customer. Sometimes, I provide support to the customer. The solution is used for network access control. I have implemented almost all the features of the product.

What is most valuable?

TACACS is valuable. The product is useful for device administration.

What needs improvement?

We face many bugs. The vendor is trying to improve it by releasing new patches and hotfixes.

For how long have I used the solution?

I have been using the solution for almost five years.

What do I think about the stability of the solution?

I rate the tool’s stability a six out of ten. It breaks down a lot.

What do I think about the scalability of the solution?

I rate the tool’s scalability a seven out of ten. To scale the solution, we must decide which persona should be added. There are different personas for management, monitoring, and policy enforcement. It needs some calculations. I have a lot of clients. One of my clients has 20,000 to 50,000 users.

How was the initial setup?

The initial setup is not easy. It should be designed properly. The solution has almost two or three personas. The design must be reviewed correctly. The implementation is not easy. It is a little bit complex compared to other NAC solutions. The time taken for deployment depends on the size of the implementation. It can take from one week to one year.

What's my experience with pricing, setup cost, and licensing?

The solution is not that cheap.

What other advice do I have?

We are partners. A lot of customers are using Cisco’s infrastructure. The product can be integrated easily. We have faced a lot of issues while integrating other tools. Overall, I rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Lead Network Engineer at an educational organization with 1,001-5,000 employees
Video Review
Real User
Gives us that extra ability to assist the end user and make sure that we are making them happy
Pros and Cons
  • "I really enjoy the live log section. Sometimes, you will have someone who is having issues connecting to the network, and then you have to ask them the dreaded question of, "Did you type a password wrong?" They will probably tell you, "No," but the live log can help sort that out. It gives us that extra ability to assist the end user and make sure that we are making them happy."
  • "There is room for improvement in its ability to allow end users to self-enroll their devices. Instead, you should be able to assign that permission by AD group, which is currently not available."

What is our primary use case?

Today, we are performing wireless client authentication and using it as a captive portal for our guest wireless network. Eventually, I am hoping to roll into 802.1X for the wire.

In our organization, we have about 2,000 employees and 12,000 other end users whom we service.

How has it helped my organization?

It has tremendously improved our organization through BYOD and guest wireless access. The sponsor portal is very easy to use for our help desk team as well as just adding an endpoint for BYOD. We have given our help desk team the ability to perform those functions so they don't have to escalate tickets, and what that does is cut back on ticket time. They can quickly assist our end users and make them happy.

We haven't had an opportunity to really do much with zero trust in ISE. However, in regards to integrating it with our DNA Center appliance, we are looking to experiment more with the zero trust option, establishing policies and pushing them that way. That will really help out with 802.1X on a wire as well, preventing outside organizations from coming in, just randomly plugging in, and then being on our network.

ISE has had a good impact on our organization’s security risk. This is mainly because we see rejected clients, people just attempting to authenticate, or people attempting to sign in who don't have permission and we know they don't have permission. The visibility is very nice.

Resilience, in regards to cybersecurity, is incredibly important. We run everything in twos, including our ISE deployment. So, if we have a data center go down for whatever reason, whether it be a cyber attack or just a random power outage, then we know that we still have an ISE node up on the other side which can perform security functions for our AAA authentication.

As far as resiliency, it is very effective when it comes to upgrades or patch management. As far as cybersecurity, it provides visibility with the logs that we get, rejecting clients as needed, or even telling us a reason why an authentication request failed.

What is most valuable?

I really enjoy the live log section. Sometimes, you will have someone who is having issues connecting to the network, and then you have to ask them the dreaded question of, "Did you type a password wrong?" They will probably tell you, "No," but the live log can help sort that out. It gives us that extra ability to assist the end user and make sure that we are making them happy.

It has done a pretty good job of establishing trust for every access request, no matter where it comes from. The biggest issue that I probably have is just with the random amount of passersby or outside visitors coming in and trying to connect. Of course, they can't. ISE is very good at not only denying them, but also logging that endpoint. I would say it has done pretty good with that.

What needs improvement?

There is room for improvement in its ability to allow end users to self-enroll their devices. Instead, you should be able to assign that permission by AD group, which is currently not available.

For how long have I used the solution?

We have been using ISE since 2018.

What do I think about the stability of the solution?

I have never had any stability issues with it. It has been available 100% of the time that we have needed it.

What do I think about the scalability of the solution?

I think scalability is there. We run a two-node cluster. We haven't had a need to add any more, but I know we could add policy nodes pretty simply if needed.

How are customer service and support?

They are very good and intelligent. I would rate them as eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to this solution, we were using Microsoft NPS. We switched from the Microsoft solution because we were looking for a more current way for our BYOD devices. 

Prior to ISE, we were using Cisco ACS, which is very old, and ISE was the next logical step. Along with that, we rolled our SSID BYOD over to ISE. That was our initial deployment. 

About a year later, we moved our production SSID over to it as well. So, we have just kind of come more into using it. It has a lot to offer.

How was the initial setup?

It was pretty straightforward. It was not complicated at all.

We deployed it in a week and rolled out BYOD. We moved that over from ACS to Cisco ISE within that week, so it was pretty simple.

Today, we just have it integrated with ISE, but it sits in our data center with our core networking. We consider it essential. If it is not available, then productivity suffers.

What was our ROI?

I think we have seen ROI in regards to integrating with an external MDM to enforce greater security requirements for business managed devices that aren't Active Directory joined.

What's my experience with pricing, setup cost, and licensing?

I have complaints. I don't enjoy the licensing model. Once we moved from 2.7 to 3.1, switching from Base, Plus, and Apex to Essential and Advantage in Premier, we went from a perpetual, with our base licenses, to now a subscription-base. So, we will have to renew those licenses every year, and I'm not a fan of that for our base licenses. Apex/Premier, we already expected, which is fine, but for basic connectivity, I am not a fan of that.

Which other solutions did I evaluate?

We went straight with Cisco. We are a very heavy Cisco shop, so it just kind of seemed logical.

We have had experience with Microsoft NPS.

What other advice do I have?

I would rate it as nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Cisco Identity Services Engine (ISE) Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2025