Rohit-Joshi - PeerSpot reviewer
Head of IT Infrastructure at a tech vendor with 10,001+ employees
Video Review
Real User
Aug 9, 2023
Enables us to ensure that any machine that comes into the network is patched and secure
Pros and Cons
  • "The first benefit is that we can implement zero trust architecture because of Cisco ISE. I can assure my CISO in my company that my network is such that nobody can just bring in their laptop, desktop, or any sort of mobile device and can directly get connected to my network. That is a benefit that I can only allow people who I trust on the network."
  • "Cisco ISE integration with Cisco ACI is something that can be done in a less complex way. And the simplification in that area may help us do better."

What is our primary use case?

I am head of the IT infrastructure for a company. My company is a manufacturing company, based out of India. My company has between 3,000 and 5,000 users.

Our solution is completely on-prem.

The domain under which my company works puts a lot of importance on cybersecurity. Our management gave us clear instructions that there should be an environment where there are zero trust policies applied.

We explored various solutions that could bring in zero trust. The first level of zero trust that we wanted to bring in is a zero trust network.

We reached out to Cisco at that time, and they told us about the things that can be done around the software-defined access and the integration of Cisco ISE. And that was the time when we started doing a lot of POCs to see which use cases we could use for it. That was when we got in touch with Cisco and they told us that this would offer us network-level zero trust. 

When I say zero trust architecture, the first thing is that we wanted to have a network authentication done on a certificate basis. That was the first use case, where the only versions in the network that have a domain-based certificate could be allowed to join my network. My enterprise network should not allow anybody from outside. That was the first use case. 

The second use case was that we had to do the posturing of my endpoints. I wanted to ensure that those which are connected to my network have proper antivirus and software installed, and the operating system is permissible. That is where we started to do the posturing part of it. 

The third use case is around the access part of it. We have multiple departments in our company, and we wanted to restrict the access of particular user groups to particular IT applications. 

How has it helped my organization?

The first benefit is that we can implement zero trust architecture because of Cisco ISE. I can assure my CISO in my company that my network is such that nobody can just bring in their laptop, desktop, or any sort of mobile device and can directly get connected to my network. That is a benefit that I can only allow people who I trust on the network. 

I can only allow the people who I trust on the network. When an infected machine comes into the network, there is a very high chance that infection will travel laterally. Since I do the posturing part of it, I know that I'm not allowing anything in that is not safe.

It certainly has helped enhance my company's resilience.

What is most valuable?

Posturing is the most valuable feature. There are other tools available that can do some of their other features, like network authentication. The posturing was something because of the nature of the industry that we are in. There are people who go outside for work. Their machines are at times not in the network, and not patched properly. We don't know when they're going to come back, whether it is in a good state, whether it has antivirus, whether it's installed on those machines. Posturing is something that we have made our baseline policy that whenever a machine comes back to our network, it should have a certain level of the operating system and a level of security and antivirus installed. 

We couldn't have done this posturing without Cisco ISE. This is its greatest feature.

It does help me to detect and remediate my network. It enables me to detect any external threat that comes to my network and remediate. If a machine comes into my network that does not qualify per my baseline policy, I have a policy that the machine gets redirected to where it can be patched and remediated. I can ensure that it is fully patched and secure. 

The entire idea of having ISE is to enhance cybersecurity resilience. The zero trust architecture was coined by the cybersecurity team itself. It was a task given to us in the infrastructure space to see how we can bring resilience into the cybersecurity network and ISE was the solution. 

What needs improvement?

Cisco ISE integration with Cisco ACI is something that can be done in a less complex way. And the simplification in that area may help us do better. 

Buyer's Guide
Cisco Identity Services Engine (ISE)
June 2026
Learn what your peers think about Cisco Identity Services Engine (ISE). Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
900,838 professionals have used our research since 2012.

For how long have I used the solution?

We started adopting Cisco a couple of years back. 

What do I think about the stability of the solution?

The stability is good. It is a cybersecurity product. It needs a lot of fine-tuning, but that is part and parcel of the requirement. New things are coming, new technologies are coming, new software is coming, but it is more or less stable.

What do I think about the scalability of the solution?

It is a very scalable product. The deployment of Cisco is completely contingent on the number of endpoints that we have. It's just a matter of buying a license and uploading it. So scalability is not a problem at all. 

How are customer service and support?

Cisco has very good partner support, and they're in their own support. I noticed that the first level of defense always comes from the partner ecosystem that Cisco has built. There are many partners we work with along with Cisco. Any time we are stuck, these partners are available for the first level of support.  

Any time we are stuck with anything, these partners are there as the first level of support. We get L1 level of support. When we feel that there is an issue that needs to be escalated to L3, Cisco TAC is always available. We have very good engagement with Cisco enterprise teams and the account directors. We do have dedicated people who work with us on the Cisco team. We always have their support any time something needs to get escalated. 

I would rate Cisco support an eight or nine out of ten. We have seen a lot of cases in the last ten years where any time we needed to get their support we could get it. We also have a customer support team who works with the backend tech team to ensure that we get whatever help we need on time.

Which solution did I use previously and why did I switch?

We have been a Cisco shop for more than twenty years now. Cisco is a company that we can trust in every aspect of the work that we do together. Cisco is our partner for everything we do on the network.

We are very observant of the kind of solutions Cisco provides us. It is feature-rich. It is very easy to implement. There is longevity there. Our first choice is to go directly to Cisco.

What was our ROI?

In the cybersecurity space, return on investment is something that is very difficult to justify. ISE is something that is a pure network cybersecurity resiliency solution. 

I can definitely assure my management that by implementing this, we are good in the overall cybersecurity posture. 

What's my experience with pricing, setup cost, and licensing?

Cisco is not cheap. Cisco is something that comes at a cost. There are various products in the market that compete with Cisco and are 30-40% cheaper and they offer 60-70% of the features that Cisco offers. 

The differentiator is the kind of engagement that Cisco offers the customer. They will prove the value, what we call the PoV. The PoV value is very good. 

Pricing-wise, they are premium. Licensing is something that is conducive. I feel that the licensing that Cisco offers is flexible.

We have an enterprise agreement as far as the licensing is concerned. There are various benefits where I can use any Cisco solution.

What other advice do I have?

There are various dimensions to cybersecurity. The first thing is how you enter a network and what you do with particular use cases. My recommendation would be to focus on north-south traffic. That is what is coming from outside to inside through a normal network plane. You should also be vigilant about what your internal users bring in from the outside. My advice would be that you have to be vigilant not only from the outside traffic, but you have to be wary about the traffic that internal users bring in. 

When it comes to zero trust architecture, specifically for network authentication, this is one of the tools to go for. I would rate Cisco ISE an eight out of ten because of the ease of deployment and the support. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Network Analyst at a mining and metals company with 10,001+ employees
Real User
Jun 19, 2023
Helps enhance our cybersecurity, performs well, and helps consolidate our tools
Pros and Cons
  • "Assisting a larger number of users in gaining access and guiding them through the process of getting on Cisco ISE has been seamless."
  • "It would be helpful for us to know what needs to be deployed, configured, and what changes we need to make to our devices when we don't receive the specific login which is an indication of a lack of connection or incorrect configuration."

What is our primary use case?

I utilize Cisco ISE to access the switches on our network for monitoring configurations.

How has it helped my organization?

Using Cisco ISE, we are able to control access to our networks, ensuring that only authorized individuals have access to appropriate devices. Additionally, we can restrict access to devices that should be off-limits to them.

Cisco ISE helps free up 50 percent of our IT staff's time, allowing them to work on other projects. It provides quick access when available, but delays occur when we have to wait for access to be granted.

Cisco ISE helps consolidate our tools, eliminating the need to worry about multiple passwords for the various devices in our environments by using a single password key.

The consolidation of tools makes it easy for me to access and complete my work. It also facilitates finding a solution for any problem I may encounter with the switch.

Cisco ISE has enhanced our organization's cybersecurity resilience by providing us with control over device access.

What needs improvement?

It would be helpful for us to know what needs to be deployed, configured, and what changes we need to make to our devices when we don't receive the specific login which is an indication of a lack of connection or incorrect configuration.

For how long have I used the solution?

I have been using Cisco ISE for one and a half years.

What do I think about the stability of the solution?

Cisco ISE has consistently performed as expected, and we have not experienced any stability issues.

What do I think about the scalability of the solution?

Assisting a larger number of users in gaining access and guiding them through the process of getting on Cisco ISE has been seamless.

How are customer service and support?

Cisco support is helpful, and they have always been responsive whenever we needed assistance.

How would you rate customer service and support?

Positive

What other advice do I have?

I rate Cisco ISE a nine out of ten.

From a user's perspective, Cisco ISE is seamless. It is extremely helpful as it reduces the amount of work required to access and control device permissions.

Our organization is a major Cisco partner, and it is logical for us to increasingly integrate Cisco products into our environment.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Darren Hill - PeerSpot reviewer
Technical Consultant at a computer software company with 1,001-5,000 employees
Real User
Aug 7, 2023
Offers users the ability to be able to see what devices are actually on their network
Pros and Cons
  • "The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile."
  • "If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out."

What is our primary use case?

I am a Senior Technical Consultant. I have worked in professional services as a Cisco Gold partner for the last ten years. 

I have been offering Cisco ISE for the last three to four years. We do small deployments, upgrades, and those types of things.

We see a lot of customers wanting to use Cisco ISE primarily for 802.1X wired and wireless and also for posture, device administration, and guest access.

A lot of our customers who come to us do not have any sort of NAC solution in place at all. They don't have a RADIUS, they might have a Soft MPS or something along those lines, but Cisco ISE is far superior. It gives them far more visibility and the policies are more configurable. The ability to do dynamic access lists, dynamic VLAN environments, and that type of thing, and it just gives them a different level of security altogether.

How has it helped my organization?

It's been just great at securing our infrastructure from end to end. With the operational launch and live logs, as soon as you spot anything, you can just do one click and you can stop that device from getting access to the network. So it's very responsive and quick in that sense.

Maybe some customers with ACS and MPS can consolidate the device admin into one platform.

What is most valuable?

The most valuable feature is the visibility element, the ability for customers to be able to see what devices are actually on their network. Without a solution like ISE, they would have no idea what devices are connected to their network. It offers them the ability to authenticate devices via mobile.

What needs improvement?

I don't really know how to improve it, I think it's a great product. If I compare Cisco with something like ClearPass, for example, ISE is a lot more intuitive in terms of all the workflows and the work centers. They give you all the building blocks you need to be able to configure it. It's quite useful and quite easy to manage. 

If I was going to improve anything, it would be the ease of migration. It's really difficult at the moment if you're looking to upgrade ISE 2.1 and you want to go to ISE 3.1 or 3.2, that whole upgrade path and, particularly, the licensing is quite a minefield to sort out. If I wanted anything to be easier, it would be this.

What do I think about the stability of the solution?

It's been around for many years now. Since version three, stability-wise, it's been pretty reliable. We know the versions to avoid. We know the stable versions.  Besides some upgrades and that type of thing, it's generally pretty solid.

What do I think about the scalability of the solution?

A lot of customers that I see are small deployments, maybe a single node or a two-node cluster, but we know that the product does scale. We do have customers that scale beyond just the two nodes. It's proven to be a scalable product.

How are customer service and support?

We see a lot of customers getting frustrated with Cisco TAC because they don't get the responsiveness that they believe they should be getting. But as a gold partner, we are able to leverage our influence, so when our customers come to us, we can escalate a lot of stuff for them. We use our influence. We're able to get stuff remediated fairly quickly. We find that they respond to us better than maybe to our customers.

How was the initial setup?

I think Cisco is fairly straightforward in terms of device admin. 802.1X is quite easy to deploy. As you then start to look at guest access, profiling, posture, and that type of thing, it does ramp up a little bit and we get a little bit more involved. Some stuff is straightforward and other is not as much.

Generally, over the last few years, it's been mainly deployed on-prem, but we're now starting to see a shift. Users are really willing to move to cloud with Azure-type deployments. I'm doing some labs this week because we're seeing so many requests for cloud.

Which other solutions did I evaluate?

If I take the two that I really compared, it would be LogSoft MPS. Cisco ISE has a lot more features, you can do a lot more regarding the policies than you can currently with MPS.

I also have limited experience with ClearPass. ClearPass is a lot more difficult to configure and manage and is less intuitive. The visibility side of ISE is far superior as well. 

What other advice do I have?

I'd give it a nine out of ten. There are some hurdles with upgrading and licensing in particular, which is why I wouldn't give it a ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Roy Pinheiro - PeerSpot reviewer
IT Manager at a financial services firm with 1,001-5,000 employees
Real User
Jun 22, 2023
Helps secure my infrastructure from end to end
Pros and Cons
  • "The most valuable feature is the provisioning of the device so as to ensure that they are compliant with the security policy that we need to have."
  • "I believe that Cisco can improve the way its policies are built because it's a little complex."

What is our primary use case?

We use it for access control in our organization for network control and the guest portal of the guest users who access the wireless network.

How has it helped my organization?

Cisco ISE has improved our security. It's very important to us since we are a banking entity. Security is one of the most important aspects of our architecture.

What is most valuable?

The most valuable feature is the provisioning of the device so as to ensure that they are compliant with the security policy that we need to have.

What needs improvement?

I believe that Cisco can improve the way its policies are built because they're a little complex. If the operation teams do not have a very good understanding of the solutions, they can break something because it's not so easy to view their policies through their eyes.

For how long have I used the solution?

I have been using Cisco Identity Services Engine for six years.

How are customer service and support?

Cisco's support team does a good job. Sometimes they take a long time to solve a problem, so it's difficult for us. But in general, it's a good solution with good tech support. I rate the technical support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are using Juniper. We are also using Cisco, which is the main vendor. Before, a solution for web portal access was deployed by our internal team, and we moved it back to Cisco. We chose Cisco because, as a NAC solution, it made sense to us since it keeps things together in the last single tool.

How was the initial setup?

The product's implementation was done by my team, along with handling virtual operations too. The setup is simple to do. However, the policies of the solution are a bit complex.

What other advice do I have?

Regarding how the solution helps me secure my infrastructure from end to end, I would say that it is a good solution for us. We are also using all the features Cisco ISE has.

I don't believe it does save my IT staff any time because we need to build the policies and follow the configuration, then follow the user access.

After getting rid of other products, my company was able to save some money.

Regarding the solution's ability to consolidate tools and add to my security infrastructure, I would say that because Cisco ISE (Identity Services Engine) was able to get rid of those other products, it did help secure my infrastructure.

It did improve my company's cybersecurity resilience because we have deployed the solution as a high-availability solution. So if we lose one of the boxes, the other one, we all remain to stay in the job.

I would absolutely recommend the solution since it helped us a lot to improve our security and put some tools together in a single pane of glass to support and troubleshoot it. So it's easier to do that.

Regarding if the solution was able to integrate well with other solutions, I do not think we have any integrations at this moment, but I know that Cisco ISE (Identity Services Engine) has a lot of integrations.

I rate the overall solution a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2212632 - PeerSpot reviewer
Senior Network Engineer at a financial services firm with 10,001+ employees
Real User
Jun 21, 2023
Critical for device administration that can be used for multiple endpoints while providing a good cybersecurity resilience
Pros and Cons
  • "It is a good product for what it does...So, it is one of the most critical systems that we have."
  • "The initial setup process is complex since there are so many big components."

What is our primary use case?

We use Cisco ISE for device administration with TACACS.

How has it helped my organization?

It's a very critical system. It is one of the most critical systems that we have.

What is most valuable?

With TACACS, we use it for endpoints like computers, devices, and network access. As a device admin, we use it to cater to users who use routers and switches.

What needs improvement?

It is a good product for what it does. I don't have a similar experience with other solutions.

The solution cannot be deployed on the cloud yet, and that is one of the things I would like to test. Also, I want to have a couple of VMs integrated with the solution.

For how long have I used the solution?

I have been using Cisco Identity Services Engine for about six to seven years.

How are customer service and support?

We contact support when there are problems. We take care of small things on our own. When we call for support, we need someone more experienced than us. Usually, that's a challenge. It takes days to get to the right people.

How long it takes to resolve an issue after getting to the right person is something that depends on the issue. If you get to the right person quickly, then it will be quick, but sometimes you have to keep escalating it. Within Cisco's team, they will have to go to someone who has answers to everything. Considering Cisco has a way of identifying issues that they have already worked on when I call them, it's as if I'm reporting that issue for the first time. 

I'm pretty sure other customers have reported the same problems before but it reflects as a new issue. Then you find out later that there was a bug in it. That means other customers have had the same issue. Cisco actually knows about the issue, and they have provided guidance for it. It takes time. Somehow, within Cisco, maybe AI is the way to go. It is better to make available quick customer service, especially if it is a known issue so that we can get a resolution or workaround quickly.

How was the initial setup?

The initial setup process is complex since there are so many big components. It depends on a lot of other systems starting from the device to the end user. That's quite complex. Also, if something goes wrong, it is challenging since it needs someone who knows about the endpoints to get things right.

What's my experience with pricing, setup cost, and licensing?

Hardware appliances are expensive. The license pricing was good when it was perpetual. But now they have migrated into DNA-styled licensing. We haven't bought the new licensing yet because we migrated from the old licensing to the new licensing model. At some point, we'll have to buy the licenses. The license pricing was fair. Now moving to DNA-styled licensing, we have subscription-based licensing for everything. I hope it will continue to be fair, but we will have to wait and see.

Which other solutions did I evaluate?

We did not look for other solutions in the market. We went straight with Cisco.

We don't consider switching to another product. Cisco Identity Services Engine is the best in the market. The solution is the best for the things that we use.

What other advice do I have?

Whether in terms of user experience, user interface, ease of use, and things like that, if I was to speak about something specific that I really value about the solution, I would say that upgrade processes are not simple. It's easier to just restore the state by going through the steps for the upgrade. We also use VMs and a couple of hardware appliances since sometimes we run into certain issues that nobody knows about. We've had a couple of incidents that were challenging. Cisco blamed it on VM infrastructure, while our VM team blamed Cisco. We were stuck in the middle. We had to re-provision a couple of things. All this was because sometimes it is buggy.

It hasn't really helped free up my IT staff for other projects. 

It helped my organization improve its cybersecurity resilience by making sure that untrusted devices are not connected to the network and only trusted devices get connected.

To those planning to use the product, I would say that it's a good product. You must plan ahead, test thoroughly, and do it step by step. Don't try to migrate everything at once. It is an overall good product.

I rate the overall product an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2211627 - PeerSpot reviewer
Network Engineer II at a healthcare company with 10,001+ employees
Real User
Jun 18, 2023
Offers enhanced network access control, serves as our first line of defense for access, and scales exceptionally well
Pros and Cons
  • "Cisco ISE scales exceptionally well."
  • "Sometimes, there are instances when Cisco ISE simply fails to function without any apparent reason, and regardless of the investigation we undertake, the logs indicate that everything is functioning properly, making it somewhat inexplicable."

What is our primary use case?

We are on-prem at twelve separate sites with one main node.

We utilize Cisco ISE for authenticating both our employees and residents at our senior care center. We authenticate them either against LDAP or our network.

How has it helped my organization?

Cisco ISE provides us with enhanced network access control, allowing us to manage the VLAN assignments for both our residents and employees. Additionally, Cisco ISE enables us to exercise control over the devices permitted to connect to our network.

I am not aware of the extent to which we leverage Cisco ISE to remediate threats, but it serves as our first line of defense for access. It has been extremely beneficial. Our clientele consists of senior residents, and having some level of control over the devices they connect to the network has had a significant impact. 

Cisco ISE has helped to free up the time of our IT team for other projects.

What needs improvement?

Sometimes, there are instances when Cisco ISE simply fails to function without any apparent reason, and regardless of the investigation we undertake, the logs indicate that everything is functioning properly, making it somewhat inexplicable. However, after a while, it spontaneously begins functioning again. Therefore, I believe it is not a widespread problem, but when it does occur, it can be quite frustrating.

The support specifically for Cisco ISE has room for improvement.

For how long have I used the solution?

I have been using Cisco ISE for two years, and the company has been utilizing the solution for ten years.

What do I think about the stability of the solution?

For the most part, Cisco ISE is stable, good, and functional. However, when it fails, we are left clueless as to the reason behind it, and that's the frustrating aspect.

What do I think about the scalability of the solution?

Cisco ISE scales exceptionally well. However, we have encountered issues while updating to the latest version. It is a significant endeavor due to the extensive scope of our deployment. Nevertheless, I believe this challenge is not unique to us; it appears to be primarily related to the scale of the deployment. Currently, we have nearly 15,000 devices.

How are customer service and support?

The times I've had to contact technical support for Cisco ISE, the experience has been somewhat unsatisfactory. I get the feeling that, at least on the surface, they perform tasks that I can do myself, such as reviewing the logs and identifying the issues. Moreover, given the integration of Cisco ISE with various network components, it's difficult to confine troubleshooting solely to that aspect. Therefore, I desire improved support specifically for Cisco ISE. I would rate the support for Cisco ISE as a six out of ten, whereas for other products in their portfolio, it would receive a nine out of ten.

How would you rate customer service and support?

Neutral

What's my experience with pricing, setup cost, and licensing?

I am not aware of the current price for Cisco ISE, but considering it is a Cisco product, it is likely to be quite high. However, I do not have control over the checkbook.

Which other solutions did I evaluate?

We evaluated Aruba ClearPass, which was something we considered. However, since we are committed to Cisco throughout our infrastructure, we didn't believe it was worthwhile to replace it with another solution without being certain that it would be better than Cisco ISE.

Aruba ClearPass had a slightly better reputation among the people we surveyed in our industry. We frequently compared it to how college campuses manage their systems because our use case is very similar. In terms of functionality, I believe it was mostly the same. The key difference seemed to be the level of stability.

What other advice do I have?

I give Cisco ISE an eight out of ten. Without knowledge of how the other implementations or competing offerings function, I believe Cisco ISE performs admirably in its intended role. Moreover, I am aware that without it, we would encounter significantly greater challenges. Therefore, I consider it to be great.

Our organization utilizes Cisco products extensively, which, in my opinion, is the reason behind the organization's decision to choose Cisco ISE.

I believe we would have a much more open network if it weren't for Cisco ISE. We would be restricted to only using PSKs, and we wouldn't have a true understanding of what our residents are connecting to the network. I think that's likely the most significant aspect of the implementation.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Laurence Mcbride - PeerSpot reviewer
Senior Business Systems Analyst at a financial services firm with 201-500 employees
Real User
Jun 20, 2022
Improved our trust situation, but usability, while improving, still needs work
Pros and Cons
  • "It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go."
  • "Cisco ISE definitely helped us pass the audit requirements we had."
  • "A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it."

What is our primary use case?

Cisco ISE is our network access control solution. We use it to prevent unwanted devices from connecting to our physical network. We also use it for wireless access control on the corporate network, but not on our guest internet network. That difference is because we have Cisco Meraki on the guest wireless.

The solution is in twin private data centers and we did virtual servers, not physical appliances. They're on our VMware platform.

Our business is the lending half of banking only. There are no ATMs or customers coming in with deposits or credit cards. It's a commercial lending operation. We don't have a lot of foot traffic into our locations from our customers. Some might say we're a little overly worried about our physical network, because we're pretty physically secure already. However, we occasionally do customer appreciation events in our locations, at which point there could be 100 people waltzing in and out of any one of our buildings. That's when the regulators say, "That's why you need security." Ultimately, if you let your guard down in the world of security, you're going to get attacked. So, like it or not, we have to button it up.

How has it helped my organization?

Cisco ISE definitely helped us pass the audit requirements we had. We're a type of federally chartered organization and we have a special regulator in the federal space. The need for network access control was born out of audit and penetration test findings. ISE is auditable and we send logs up to our SIEM for analysis.

The solution has also improved our trust situation. It's one of the many pieces that we needed to be buttoned up tight.

What is most valuable?

It does what it's supposed to. We use a certificate-based authentication method for corporate-managed devices. That means when a user walks in with their managed laptop and plugs it into the network, it chats with Cisco ISE in the background, allows it on the network, and away they go.

And when it comes to establishing trust for every access request, no matter where it comes from, it's effective. That's like a "pass/fail" and it passes.

Our environment is a distributed network, across many locations. Cisco ISE runs in a pair of data centers for us: to each client, a primary and a secondary. The database keeps itself synchronized between the two data centers so if one data center is down, we can swing to the other for continuous service. It does its job.

What needs improvement?

A main issue is that the upgrade process, over time, is extraordinarily fragile. Repeatedly, over the past several years, when we've tried to upgrade our Cisco ISE implementation, the upgrade has broken it. Ultimately, we have then had to rebuild it because we need it. There are so many updates and, often, you can't go to a particular update unless you've done all of the updates leading up to it, although I don't think that was our issue.

If they could improve the upgrade process, that would make me sleep a lot better. It's almost like we need to have it pre-qualified before applying an update because our whole world hangs off of it. It is a "center of the known universe" implementation for us.

It is also an incredibly "nerdy" tool, one that is not really well documented for your everyday network and security engineers. It takes a village of specialists to keep something like this running. Cisco is definitely making some improvements in the user interface. It's a little more understandable and approachable. Even for the nerdiest of nerds, having what I call a "kissable baby face" makes it more usable. Cisco knows this and, from version 3 and up, they've been trying to improve the usability and it's getting better. It could use some work.

Not everything is a smart Windows or Mac OS device. We have Windows 10-based user laptops, almost exclusively, and there are some printers and phones and the like that are capable of either a certificate or other 802.1X conversation with Cisco ISE. From an engineering perspective, we just went "way-simple." We do MAC address bypass or MAB tables, which is administratively challenging.

Finally, I believe we've stretched it beyond its capabilities in attempting to make it a multi-client solution, more like a service provider implementation. It's really not architected for that yet. I think that's on the roadmap. This is what I refer to as a monolithic implementation. It is capable of servicing multiple Active Directories and saying, "I recognize this address range equals client X, and this address range equals client Y," and it can interrogate the appropriate Active Directory. But the way that we've implemented that, honestly, is a hack job. It's fully supported, but it's just not multi-client architected. If I had one message for Cisco, it would be: Please make this thing multi-client, or at least more affordable to do separate implementations that somehow get closer together. That's ultimately what multi-client is.

All our various clients are collectively involved with one another. Each of the five owners owns an equal share of the company and all profit and loss flows to each of the owners equitably. It's not that we don't have procurement relationships with one another. However, our regulator continues to believe that separating things is better. That way, if one of you gets taken down, the others aren't affected. Anytime that you have a product that is a type of monolithic implementation, it potentially could affect all of us.

For how long have I used the solution?

For about six and a half years I worked for a cooperatively-owned service bureau, which is where I got the Cisco ISE experience on the service provider side. Now I'm on the customer side or the business side of how these technologies affect our environment, and how hard or how easy they are to integrate.

We've had Cisco ISE in production for about four years now. It was a three-year ramp getting it into production.

What do I think about the stability of the solution?

It works like a champ until you try to upgrade it, and then it becomes risky and fragile. I don't know whether that is because of the complexity of the architecture. We have what I would call a twin database environment, where we're trying to keep two copies, at a great distance from one another, synchronized. One misstep and there it goes.

What do I think about the scalability of the solution?

It is certainly scalable enough in our environment. We have between 3,000 and 4,000 managed nodes, not counting all of the extra stuff including every type of IOT thing you can imagine: printers, cameras, sensors, a security system. It also doesn't include phones, and we have a phone on every desk, whether there's a user there or not. 

When you initially think you've only got, say, 3,000 or 3,500 users, how do you get 15,000 devices on your network? But that's the sad reality these days. Everything is on the network. Every employee typically has three devices on the network at any given time: a phone, a tablet, and a computer. The numbers ratchet up quickly. 

The good news is that it's definitely scalable in our environment to handle 25,000 devices spread across between 150 and 200 locations, some of which are very remote.

How are customer service and support?

It is a special class of nerds who know how to work with Cisco ISE, and that's true even inside of Cisco. We have used some third parties, Cisco authorized resellers and solution certified specialists, to deal with this, but that's a last resort. Those are the really expensive people for this because there is such a small community of people who are qualified in this product.

Because it's such a specialized skill, they are not as available as I would like.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

We were nearly a 100 percent Cisco shop at the time that we selected the product. We had a couple of failed implementations when trying to get it installed. That was likely because we didn't hire the right expertise to assist. Everybody understands the components of it, but when you put it all together, it is just very scientifically complicated.

What was our ROI?

In our case, ROI wasn't really a consideration in going with Cisco ISE. It was a regulatory requirement.

What's my experience with pricing, setup cost, and licensing?

It is fairly expensive and that's part of why we have implemented it in the type of "hack" that we did, to service multiple clients. It would be nice if it were less expensive.

Plan your deployment very carefully. Make sure that you really understand the licensing environment. That was a big surprise, not to my team, but to the end customers who were responsible for the budget for it. Everybody thinks "server-centric," and in this particular case, all of those devices that are being protected ultimately have to have appropriate licensing on the system. There was a lot of, "Oh, I didn't realize I had to buy that part." It's not your everyday product and the pricing model wasn't something people were super familiar with to begin with.

Which other solutions did I evaluate?

We've evaluated some other products since implementing this one. This is not your everyday tool.

The one thing that some of Cisco's competitors have done in this particular space, is to take this stuff to the public cloud. As long as you can do that securely, it is helpful. Maybe that would help in our world. I would love to subscribe to this as a service. In other words, we'd prefer that products like this, products that are that complex, be somebody else's problem and just subscribe to the outcome of them. I'd love this solution to be running in Cisco's world where the real expertise is.

What other advice do I have?

People groan when they realize that they're going to have to do troubleshooting on Cisco ISE; even the nerdiest of nerds. But any product in this space would engender the same reaction. Trying to figure out how I prove that you're allowed to be on my network is not everybody's happy place. We all just want to set it and forget it.

The usability and the upgradability over time, for a product that is in such a critical spot, should be better. I'd love to give it a ten because it was the easiest thing in the world to upgrade. It's just not there yet.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Wayne Cross - PeerSpot reviewer
Director of cyber security at Borden Ladner Gervais LLP
Real User
Top 20
Jun 16, 2022
Secures devices and has good support, but needs a better interface
Pros and Cons
  • "The solution is great for establishing trust for every access request no matter where it comes from."
  • "The interface is a little bit complex."
  • "The interface is very complex, and there are tons and tons and tons of options."

What is our primary use case?

For Cisco ISE specifically, I manage the cybersecurity as well as the networking team. The networking team uses it to track statistics of users coming in and out of the network platform. We use it to track equipment, collect information on identity, and have the help desk leverage the telemetry to troubleshoot. It is part of our day-to-day operations.

This provided security for our sizeable law firm, which has offices across the entire country. Our lawyers like to be mobile. Around six or seven months ago, we started to roll out iPads and really adopted a mobile culture. One of the things that we wanted to do was to provide flexibility for lawyers to walk with a corporate laptop, or walk with their own personal laptop and still have the capabilities to log on and do what they want to do.

We also used it for the many meeting rooms we have. A lot of law firms have tons of meeting rooms, and we needed to secure some of those meeting rooms as well. The technology allowed us to roll 802.1X. We were able to secure ports in the meeting rooms and have a little bit more flexibility as to where users log in.

For example, a couple of years back, we wanted to secure all of the endpoints for the help desk and networking team and all of the backend team and ensure that, irrespective of where one goes with that laptop, when they log in, it'll automatically move them to a secure VLAN. With ISE, we were able to do that and monitor it.

What is most valuable?

One of the things that we found most valuable over the years is the ability for it to provide information to the help desk that allows them to troubleshoot issues. We still use a lot of that today and we're going over to DNA soon. We're adopting some of the DNA technologies now, however, ISE has been the mainstay for us for quite a few years now.

The solution is great for establishing trust for every access request no matter where it comes from. That was one of the biggest use cases for us, as one of the problems that we had was to secure a specific VLAN. If a help desk person had a laptop, and they plugged it into a network cable port somewhere, it would automatically put them on a secure network. If a lawyer uses their laptop, it would put them on a separate network. If a phone is plugged in, it will know it's a phone and put it on a phone network. ISE is the only way we have been able to do that. We've streamlined a lot of our provisioning and de-provisioning processes through Cisco ISE.

It has certainly made it easier to secure our devices. For example, we have offices across the entire country. We are a large law firm and have huge offices in Toronto, Ottawa, Montreal, Calgary, and Vancouver. We also have ISO 27001 and 27017 certified as well and I run that program. One of the big things for us is when auditors come for a visit. All of our locations have a conference floor, a whole floor that's dedicated to conference rooms.

There are tons of large conference rooms. When we get audited, conference floors are usually floors that auditors are allowed to go to, as they're publicly accessible floors. We'll get asked, "How do you secure the port?" When we go into the conference room, they can see the network ports. They will ask, "Well, how do you secure these ports? What if somebody came and plugged their machine in?" We then say, "We use Cisco ISE. Cisco ISE identifies that it doesn't belong to our corporate network. It does a check and then puts them right onto the internet, so we don't need to worry about strangers on our closed network."

What needs improvement?

The interface is a little bit complex. It doesn't really have an executive dashboard. I'm the director of cybersecurity infrastructure operations for the entire firm, and I'm a very technical person, so I go in, and I can move around and try to figure everything out.

However, the interface is very complex, and there are tons and tons and tons of options. It's quite complex to get into and take a look at. As a result, most of the time, just my networking team would be in there. It's so complex that sometimes I will find something one week, and by next week I can't find it again.

It's too deeply layered. They have to redo the whole interface and have something that's executive based, and another one that's technically based. Even the help desk team and my security team use some of its components, however, they don't go anywhere often, as there are so many options in there. They have to make the interface a little bit more user-friendly.

For how long have I used the solution?

I've worked with Cisco for about ten years.

What do I think about the stability of the solution?

The stability is ten out of ten. We have not really had issues with it. We've had one or two small things, however, in the 12 years that I've been there, I've had very few issues with their platform.

What do I think about the scalability of the solution?

It scales well. We have no concerns at all. When we decided to roll out 802.1X, we only had it on our endpoint, just laptops. Then we said, "Well, let's scale it out to the wireless access point." We went from 2,000 endpoints to 10,000, since people have mobiles. When we rolled it out to do posture checks on everything wireless, we had no issues.

How are customer service and support?

Technical support is good. I have no issues. Cisco supports its products very well, so we've never really had concerns with that aspect. Also, I have a very, very technical team. My guys are CCIE certified, and they are geniuses in their own rights. They've been in Cisco for 20 years.

They know the product very well and they also work very closely with the Cisco support team. The Cisco support team has very good people. They train their people well, and we've never really had issues that the Cisco team can't resolve if my team can't resolve them. We're taking it for granted that we're getting good support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use a different solution. We're a Cisco shop, so we've always used Cisco. 

How was the initial setup?

I was involved in the initial setup. I manage the networking team. While I don't necessarily push the commands in, I go through architecture sessions with my team, sign off on it and make sure that what it's doing is worth it, it's my budget. I have to get involved.

What was our ROI?

We've seen an ROI. They last a very long time. For example, we have Cisco Campus, which is the Nexus 7000s that we put in 2012, and ten years later, they're still there. We just changed the supervisor modules. However, the chassis is still sitting there and is still working quite fine.

If I'm not mistaken, it's at end of sales already, however, its end of support is in 2024. That's what I like about their products. They support their product for a very, very long time. They easily last for ten years. Even our access switches, which are 4900s, are just being switched out now. Those have been in since probably 2010.

We spend $1.5 million as we have two switches on every single floor. Those are the ones that we're changing out now, and they still work quite fine. Cisco just decided to change them. Their products are very solid and they don't break. We keep them for a very long time. Therefore, the return on investment is not bad. I know when I put it in that I don't need to look at it again for ten more years. I know it's going to be supported for that long. 

What's my experience with pricing, setup cost, and licensing?

Cisco is expensive, however, we have a good partnership with our Cisco partner, and we get really good discounts on it. We have a very, very tight relationship with our Cisco representative. We're the largest law firm in Canada and therefore we get special treatment from the Cisco reps in Toronto.

We've had really good relationships with the team at Cisco Canada, and they all know my team, the architects, the solutions engineers, the salespeople, et cetera. They all know us very well. They come to our offices and we go to their offices. We have a very tight relationship.

When it comes to cost, we'll talk to them. They'll tell us when is the best time to buy, and we'll get good discounts. I've never really had to forgo a technology that was critical to the firm due to cost. I can always work with Cisco to find some way to reduce the cost.

Which other solutions did I evaluate?

We always focus on Cisco products. 

What other advice do I have?

I'd rate the solution seven out of ten. 

It has a lot of rich data in it, however, it's hard to get stuff out of it. You really have to know the product very well and live there to know where to go and find what you are looking for. There's a lot of telemetry in there, however, it's very difficult to actually see how to leverage it.

I've even been telling my security team, "Guys, there's a component in Cisco ISE that you need to work on, and you need to log in more often." Then two years later, they'll ask, "Why don't you guys use it?" The security networking team will say, "Well, we gave them access." My security team will say, "It's too complex. We have no time to go in there. We don't know where to find anything." That's the only problem that they need to fix. They need to make it easier to navigate, it's too deep.

Cisco ISE is a good product. It tightly integrates with all of the networking components, but you can leverage it and get a lot of return on investment out of it. However, you need to make sure that when you're rolling it out and when you're initially putting the platform in, you will need to get your help desk team and security team involved.

Of course, the networking team is the one that's probably going to own it, however, there are so many components in there that can help. The help desk can troubleshoot issues and can provide visibility from the security standpoint, and the networking team owns it anyway. If you get them more involved, they'll be more in tune with using it more often.

There are a lot of help desk and security capabilities in there. Still, just the networking team rolled it out, nobody wants to look at it, as it's a networking piece of the platform, yet really it's not. You can get a lot from this platform. That's probably what I would tell people, just get everyone involved from the get-go, so that they can get more value from it in the long run. 

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Adarge Ekholt - PeerSpot reviewer
Network Engineer at a university with 1,001-5,000 employees
Video Review
Real User
Aug 7, 2023
The ability to see what devices are online for a particular user helps a lot with our troubleshooting
Pros and Cons
  • "The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting."
  • "The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away."

What is our primary use case?

I'm a network engineer. I've been at my company for about six years. 

We have about ten people on the networking team. We support up to 30,000 students. We've been using ISE for five or six years now.

Our primary use case is mainly to onboard students with the wireless authentication with our switches and network devices. 

How has it helped my organization?

Another big benefit for us is definitely security in terms of wireless user activity. We spent a lot of time looking at live logs and user logs to figure out where they've been in the network and in which buildings. We can get rogue granular with locations of where people are and where they're experiencing issues.

We have definitely saved time since using ISE when it comes to building some of the policies around the types of users, like library users versus student union or even admin users. The policy building is complicated, but after a while, it's pretty straightforward in terms of repeatability of staff turnover, and things like that. It's not the learning curve that's hard for continuous maintenance.

What is most valuable?

The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting. 

What needs improvement?

The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away. 

What do I think about the scalability of the solution?

In terms of scalability, we have multiple policy nodes. I know we have about ten different devices on other appliances. As far as I can imagine, setting up another policy node or something would be pretty simple. It would just require hardware to be purchased.

How are customer service and support?

Our support for Cisco ISE has been pretty good. We've had pretty good luck with TAC cases, and it seems like maybe because it is a niche thing there are certain groups of support staff who are pretty savvy.

We've never really had issues that went long-term. It's because it's our main gateway for students, staff, and faculty. It seems like we've solved things pretty quickly.

I'd rate it about an eight out of ten. The only thing is that you don't necessarily get the same person every time but we've never had an issue that went unsolved so far, so I'd say eight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In terms of evaluating other services, that's one of our reasons for being at Cisco Live, to actually know what alternatives there are in that space. We are interested in a faster-performing solution at times.

How was the initial setup?

Overall, I would say our implementation is fine, but we do hesitate on major releases just because we've had some issues in the past, and rolling back is difficult. We don't want to go down that path especially because it is so critical for us.

What was our ROI?

In terms of ROI for Cisco ISE, I'm not sure what we paid to begin with, but I know that it's indispensable, since it is our only gateway for wireless users to connect. It's also flexible for us to spool up new user groups fairly easily.

What's my experience with pricing, setup cost, and licensing?

It doesn't seem like we have a licensing model that we're aware of. It's not something that comes down where we have to say, "Oh, boy, we have to renew ISE again." It doesn't seem like it's a significant part of the budget that we have for licensing and ongoing maintenance.

What other advice do I have?

In terms of ISE for end-to-end security, it's our primary tool right now for that. It's hard to compare with other applications or hardware. Sometimes there are limitations, for example, we use it for wireless only. We don't do anything with ISE or 802.1X on the wire, which is something we'd like to do, but we're hesitant based on our experiences with the wireless side in terms of the slowness.

On a scale from one to ten, I give Cisco ISE an eight. Primarily because it seems like it's doing a pretty decent job managing our wireless connections. And there are enough tools in the GUI interface that give us feedback on performance. It's been a pretty decent install for us.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Engineer at Lawrence Livermore National Laboratory
Real User
Jun 21, 2023
We've control and visibility, which is a big deal, but adding new devices is a bit cumbersome
Pros and Cons
  • "Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key."
  • "Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out."

What is our primary use case?

We're just using it for authentication to our network switches.

How has it helped my organization?

We have more visibility and control with the tool. It has helped us improve our cybersecurity resilience.

The authentication piece was a big deal, especially because we're able to roll it out so quickly. Once we start using it to its full potential by using NAC, we can automate a lot of things that we're doing manually. MAC lockdown is one of the big things we have an issue with because I work on the classified network, so we're locking down every end device. It takes up a lot of time. That's one of the biggest things that we're rolling out. I'm not sure what other features we're going to use out of it, but I know that once we get started on it, we'll be a lot more involved with the things that we're going to roll out.

It's really easy in terms of the authentication piece. It's a big help. We've other parts of the network that are not using any authentication at all, which is scary. We've so many separate companies, and I'm hoping that we can start using this for those networks as well.

It has saved us time. We've control on our side, and we're able to add new devices as we deploy them for new buildings and things like that. We're able to give different types of access that our users need to have, which is nice. It has been huge, and then once we start deploying NAC or something like that, that's going to be a game changer for us because that'll free up a lot of time for us. It probably saves at least ten hours a week because especially right now, we're in the phase where we're getting so many new buildings. We're not only turning up new buildings; there are also all the users. So, for every single device, you have to do a MAC lockdown. Sometimes we get spreadsheets listing a ton of PCs that we've to lock down. That just takes forever, especially if you get it wrong or someone has fat fingers and things like that. It'll hopefully eliminate a lot of that too. We won't have the back and forth with other groups for that.

It has helped consolidate tools. We don't have to go outside our own group for the authentication piece. That control is a big deal. On top of that, once we start integrating NAC and other things, it's going to eliminate a lot of manual work.

What is most valuable?

Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key. 

What needs improvement?

Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out. It was a little more cumbersome than I thought.

For how long have I used the solution?

I've been using Cisco ISE for about a year.

How are customer service and support?

For the times that I have interacted with them, they've been pretty good, but I've heard of other stories. Overall, I'd rate them an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using regular TACACS, RSA, etc. I can't remember what they were using on their side because it was more of the infrastructure team that was using this. We would just basically go to them and give them requests. Having control through Cisco ISE is much better.

The reasons for going for Cisco ISE were having that control and having a relationship with Cisco. All of our gear is Cisco. It just made it easier and more compatible. I know there are a lot of other tools that we can take advantage of such as NAC and things like that. We're hoping to do that in the future.

How was the initial setup?

As far as I know, it was fairly easy. We didn't have a lot of problems with it. One of our other guys deployed it. I wasn't with him, but I didn't hear that there were a lot of problems with it, so it was fairly easy. The same guy had deployed it on the unclassified networks, so he had experience with it.

What other advice do I have?

Overall, I'd rate Cisco ISE a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Cisco Identity Services Engine (ISE) Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2026