Cisco Identity Services Engine (ISE) Reviews

Cisco ISE is on the back end, and all our policies and security are on it. DNS centers and all our network backbone is integrated into Cisco ISE. So, the solution is pretty critical for us.

Cisco ISE has helped improve our organization security-wise.

Cisco ISE integrates with everything else. It forms our security and identity backbone, and all our authentication goes through Cisco ISE. That's why the solution is so important to us.

Troubleshooting and multi-ISE can be challenging with the solution.

My organization has been using Cisco ISE since 2018.

Once configured properly, Cisco ISE shows good stability.

Cisco's TAC is good. Cisco support, in general, is too layered these days. Often we have to repeat the same thing over and over to the TAC guys, which is a bit frustrating. Cisco's TAC needs to be a bit better.

Cisco ISE's deployment can take weeks, months, or years depending on how rigidly you adhere to the guidelines and how good your existing infrastructure is.

We have seen a return on investment with Cisco ISE from a security point of view.

Cisco ISE's licensing can get pricey.

Sometimes, the Cisco guys disagree about it, but other than that, the Cisco guidelines are clear and concise enough.

Cisco ISE helps to secure our infrastructure from end to end so we can detect and remediate threats. The solution does what it's supposed to do.

Cisco ISE has saved a little time for our organization.

Since Cisco ISE is a more robust solution, it has helped our organization improve its cybersecurity resilience.

Before implementing Cisco ISE, you should look into it in-depth on how it can be used, how it can be integrated with existing tools, and how your staff can be trained to troubleshoot it. The solution has its pitfalls, and when it breaks, it can break heavily. So be aware before you deploy it.

Overall, I rate Cisco ISE a seven out of ten.

The company's use case for Cisco ISE is switch access. I'm from the high-performance compute side. I'm not the back office IT. I'm what they call GSIT. Their use cases are different but very similar.

On our side, Cisco ISE has improved cybersecurity resilience. The company uses it for global WAN and other things. We haven't had any issues.

For me, the TACACS feature is the most valuable. I have also used Cisco ISE with LDAP, not with Active Directory. That works for me because I prefer LDAP versus Active Directory.

The templates could be better. When you have to do certs, especially with X.500 certs, it isn't very intuitive.

I've been using Cisco ISE since 2011.

After I set it and forget it, upgrading Cisco ISE is the only thing to do.

I've never had a problem with Cisco. Cisco has always scaled well, so it's pretty good.

Initially, it wasn't good, but once I found the right TAC person, it was fine. I had to probably get level three or above, and then I had to get a software developer because the certs didn't initially work properly to give you a special code. I'd rate their support a nine out of ten.

Positive

I used OpenRADIUS before. That was open source. I switched because I'm the support for everything. It was easy to support with Cisco ISE.

Role-based access is easy to do with Cisco ISE versus OpenRADIUS. That's because OpenRADIUS is something you have to manage yourself. You have to manage the certs and other things. You have to define the roles yourself for special read access and for certain groups and multi-groups.

The only thing I didn't like at the beginning was that Cisco ISE was limited to how many groups you could use. That problem has been fixed. I haven't run into that problem.

The initial setup was complex. The main part was the certs, especially the X.500 certs with LDAP. Azure Directory is a little bit smoother, but I prefer LDAP.

It's deployed for internal switch access. It's purely for switch access and role-based access.

I deployed it myself.

We've seen an ROI.

I get very good pricing from Cisco, so I don't have a problem with that. I also don't have a problem with licensing because we get enterprise or global licensing.

It hasn't helped to free up our IT staff. Our IT staff is already very limited anyway. We've always worked smart and don't work where we don't have to work. For example, in 2019, we were more than 60. There are 14 of us now, and we still do the same amount of work. Cisco ISE hasn't contributed to less workload. We do it with automation. We have a lot of Linux, so we do automation on all of our stuff. 

Overall, I'd rate Cisco ISE an eight out of ten.

We mainly use Cisco ISE for device authentication. We are now rolling out 802.1X.

Cisco ISE has provided us with a security posture that we desire, particularly for wired connections, enabling the identification of domain users and non-domain users.

I would rate Cisco ISE an eight out of ten for its capability to secure our infrastructure from end to end, enabling us to detect and address threats. This high rating is due to its ability to establish policies and dynamically configure switch components for users.

Cisco ISE has helped our IT staff save approximately 15 hours per week, as they no longer need to manually configure the switch components.

Cisco ISE has helped improve our cybersecurity resilience, particularly through the use of 802.1X. This aspect is something we are leveraging to a great extent.

Being able to authenticate wired users through 802.1X is valuable as it enhances our security. If someone enters an unsecured room and connects to a wired connection, they will be authenticated to a guest network, completely segregated from our data networks.

The policies could be adjusted to make them more easily implementable.

I have been using Cisco ISE for four years.

Cisco ISE is extremely stable.

Cisco ISE is highly scalable, particularly for device authentication, as we have 3,000 switches in our environment.

Cisco technical support was knowledgeable about Cisco ISE deployments.

Positive

The initial setup was straightforward because we were familiar with what we wanted. When we encountered an issue with the policies, we opened a task case, and it was resolved quickly.

We utilized an internal consultant for the implementation who possessed extensive experience in Cisco technology. Our overall experience was positive.

We have witnessed a return on investment with Cisco ISE due to the protection it offers to our environment and the capability of 802.1X to assist in managing security risks.

I give Cisco ISE a nine out of ten.

Cisco is continuously improving its products. There are so many features that we're not even using in Cisco ISE. So we use what is relevant for our own use case.

I recommend that individuals conducting research on the solution take a thorough look at 802.1X and gain a comprehensive understanding of how it can offer the desired level of security.

We utilize Cisco throughout our environment and chose ISE due to our familiarity with all of Cisco's products.

Today, we are performing wireless client authentication and using it as a captive portal for our guest wireless network. Eventually, I am hoping to roll into 802.1X for the wire.

In our organization, we have about 2,000 employees and 12,000 other end users whom we service.

It has tremendously improved our organization through BYOD and guest wireless access. The sponsor portal is very easy to use for our help desk team as well as just adding an endpoint for BYOD. We have given our help desk team the ability to perform those functions so they don't have to escalate tickets, and what that does is cut back on ticket time. They can quickly assist our end users and make them happy.

We haven't had an opportunity to really do much with zero trust in ISE. However, in regards to integrating it with our DNA Center appliance, we are looking to experiment more with the zero trust option, establishing policies and pushing them that way. That will really help out with 802.1X on a wire as well, preventing outside organizations from coming in, just randomly plugging in, and then being on our network.

ISE has had a good impact on our organization’s security risk. This is mainly because we see rejected clients, people just attempting to authenticate, or people attempting to sign in who don't have permission and we know they don't have permission. The visibility is very nice.

Resilience, in regards to cybersecurity, is incredibly important. We run everything in twos, including our ISE deployment. So, if we have a data center go down for whatever reason, whether it be a cyber attack or just a random power outage, then we know that we still have an ISE node up on the other side which can perform security functions for our AAA authentication.

As far as resiliency, it is very effective when it comes to upgrades or patch management. As far as cybersecurity, it provides visibility with the logs that we get, rejecting clients as needed, or even telling us a reason why an authentication request failed.

I really enjoy the live log section. Sometimes, you will have someone who is having issues connecting to the network, and then you have to ask them the dreaded question of, "Did you type a password wrong?" They will probably tell you, "No," but the live log can help sort that out. It gives us that extra ability to assist the end user and make sure that we are making them happy.

It has done a pretty good job of establishing trust for every access request, no matter where it comes from. The biggest issue that I probably have is just with the random amount of passerby or outside visitors coming in and trying to connect. Of course, they can't. ISE is very good at not only denying them, but also logging that endpoint. I would say it has done pretty good with that.

There is room for improvement in its ability to allow end users to self-enroll their devices. Instead, you should be able to assign that permission by AD group, which is currently not available.

We have been using ISE since 2018.

I have never had any stability issues with it. It has been available 100% of the time that we have needed it.

I think scalability is there. We run a two-node cluster. We haven't had a need to add any more, but I know we could add policy nodes pretty simply if needed.

They are very good and intelligent. I would rate them as eight out of 10.

Positive

Prior to this solution, we were using Microsoft NPS. We switched from the Microsoft solution because we were looking for a more current way for our BYOD devices. 

Prior to ISE, we were using Cisco ACS, which is very old, and ISE was the next logical step. Along with that, we rolled our SSID BYOD over to ISE. That was our initial deployment. 

About a year later, we moved our production SSID over to it as well. So, we have just kind of come more into using it. It has a lot to offer.

It was pretty straightforward. It was not complicated at all.

We deployed it in a week and rolled out BYOD. We moved that over from ACS to Cisco ISE within that week, so it was pretty simple.

Today, we just have it integrated with ISE, but it sits in our data center with our core networking. We consider it essential. If it is not available, then productivity suffers.

I think we have seen ROI in regards to integrating with an external MDM to enforce greater security requirements for business managed devices that aren't Active Directory joined.

I have complaints. I don't enjoy the licensing model. Once we moved from 2.7 to 3.1, switching from Base, Plus, and Apex to Essential and Advantage in Premier, we went from a perpetual, with our base licenses, to now a subscription-base. So, we will have to renew those licenses every year, and I'm not a fan of that for our base licenses. Apex/Premier, we already expected, which is fine, but for basic connectivity, I am not a fan of that.

We went straight with Cisco. We are a very heavy Cisco shop, so it just kind of seemed logical.

We have had experience with Microsoft NPS.

I would rate it as nine out of 10.

Our main use case right now is TACACS for device administration and authentication, as well as for user authentication on the network: wireless authentication, 802.1X, and wired authentication too, for RADIUS.

The way Cisco ISE has improved our organization is [by] making sure that we have secured our network. It's making sure that if somebody comes into the office who [possibly] shouldn't be there, and they plug a computer in or try to hit our WiFi, that we know, based on the criteria we've set up, that this person should have access. They've passed all the tests we've set up to make sure that they're not a bad actor or somebody who shouldn't be on the network.

ISE can, a lot of times, be the first stop for us to troubleshoot user errors or user issues. If you start your security posture by assuming there's no trust for a device, you're going to make sure that ISE is validating the device from the ground up. It's not just assuming that something has access, it's making sure it goes through the full process to gain access to your network.

ISE has definitely helped us across a distributed network, because you have a central way of authenticating everybody. It could be switches across different vendors, it could be different switch models—whether a Cisco Catalyst 9000 or a 2960—you can make sure, although these might be different devices, that the authentication process is going to be the same for the users. You have that peace of mind that no matter where somebody's plugging in, or what AP they're authenticating to, it's going to follow the same security guidelines, the same authentication process, to be granted network access.

The most valuable features for us are ensuring that we have the right people logging in to the network as well as protecting our device configuration. If somebody goes in to make a configuration adjustment, we need to make sure it's the right person, that they have the right access, and that we have validated that.

When we use ISE, one of the helpful things is that I can go through the dashboard and get every step along the way of how a device was authenticated. If it's failing, why did it fail? Why is it unauthorized? If there's an error, what is the error and how can I fix that error? If it's something that, if they should be passing, why are they failing?

For device administration, like logging in to a switch or a router, we can see all the commands that people have put in and who made changes. If we need to fix something—a bad command, or somebody put something in that pulls a device out of what we consider our compliance—we can fix that. 

From an administrator perspective we can look at "Why did you make this change?" and figure out how we don't break something in the future, if it was something that did cause an outage. 

And when it comes to things like wireless, we can see who is hitting the network, who is hitting a corporate SSID, or a guest SSID. Are they failing? What errors are you seeing along the way?

A lot of people tell you the hardware requirements for ISE are pretty substantial. If you're running a virtual environment, you're going to be dedicating quite a bit of resources to an ISE VM. That is something that could be worked on.

The upgrade process is not very simple. It's pretty time-consuming. If you follow it step by step you're probably going to have a good time, but there are still a lot of things that could be a lot more user-friendly from an administrator's perspective. [They could be] easing a lot of the issues that people have. Instead of just saying the best practice is to migrate to new nodes [what would be helpful] would be to make that upgrade process easier.

The UI is a lot nicer in 3.0. It's pretty slow, but for the most part, it's easy to find what you're looking for, especially things like RADIUS live logs, TACACS live logs. From a troubleshooting perspective, it's really nice finding stuff. For setting up policies, from that perspective, it could be a little bit better looking.

I've been using Cisco ISE (Identity Services Engine) for about five years, myself. My company has been using it for longer than that.

The stability for our virtual machines is good if you follow the best practice and give it the reservations the virtual machines need, and you're making sure that you're following how many recommended devices are going to be authenticating to it. We don't have stability issues with ISE.

The scalability has been fine for us. We're actually in the process of possibly deploying more PSN (Policy Service) Nodes, so we'll see if that helps. But scalability hasn't been an issue. I don't think we're running into device count limitations or VM performance [issues].

We're around the 600-700 mark in terms of the number of devices in our company.

Support has been pretty helpful when we've needed it. We haven't had too many issues where I was asking for an escalation immediately or sweating profusely because it's not working. I can't say anything bad about support, but I don't have enough experience to give a really substantial answer.

Positive

I did not deploy ISE. We had a partner who helped us deploy it.

I don't know what the investment was, because I'm not involved in the pricing aspect of it. But there's no way for us to run a secure, reliable, user access or device administration access without something like ISE. The return on the investment, I think, is great. It's integral to our network so I don't know what we would do without ISE.

The licensing model is pretty straightforward. There are some changes from [version] 2.x going up to 3.0 and switching to the Smart Licensing. But if you have somebody who can explain it to you, so that you know that when you're upgrading you're not losing functionality, or you're not putting yourself in a position where the license count you're used to having can go away; as long as that's set up, it's fine.

I have used Aruba ClearPass in the past. They're pretty comparable. If I'm going to be honest, I think ClearPass has a better user interface and some of the things are laid out a little bit better. But when ISE is up and running, it's more reliable, it's more stable. You just have to get it to that point and then it's a really nice product that I like using.

In terms of eliminating trust from network architecture, ISE can do so when it's implemented correctly. There are still certain functions of ISE where you have to be diligent in making sure that if a user is plugging into a network port, that that port is set up to use ISE for authentication. It's kind of a two-way street. It's a great tool, but you have to set it up correctly. You have to make sure that it's doing what you've intended it to do. When you do that, it's great for that. We don't have any issues with that and it's definitely an integral part of our network.

The advice I would give people is to decide what you are looking for in terms of your AAA. Are you looking for a secure way to authenticate VPN users, users logging in for WiFi, for wired access? Something I don't use at my organization is the Guest Portal, but I know ISE has a pretty considerable catalog for deploying guest portals, for device onboarding, and posture assessment. If those are all the things you're looking for, the features, I would definitely recommend ISE.

We used it mainly for network access control and full stream for devices.

The product is expensive. It would also be a good add-on to have some machine learning.

I have been using Cisco Secure Firewall for one year.

The product is stable.

The solution is scalable.

The initial setup is straightforward.

It's also recommended for clients during deployment. You're making everything very efficiently managed within the policies. The deployment is also very smooth, allowing you to configure your rooms easily. Once the initial setup is done, it becomes straightforward to understand, especially regarding Windows maintenance.

It was deployed to protect the network from unauthorized users but does not contribute directly to operational efficiency.

Cisco ISE doesn't come cheap but it's still valid working.

We recommend it to our customers.

Cisco ISE provides authentication for various applications. It can integrate with other applications to manage access, including Privileged Access Management for those applications. For a comprehensive environment, Cisco ISE should be able to integrate and provide asset management for an IT organization or any organization.

Overall, I rate the solution an eight out of ten.

I do the designing and implementation and hand it over to the customer. Sometimes, I provide support to the customer. The solution is used for network access control. I have implemented almost all the features of the product.

TACACS is valuable. The product is useful for device administration.

We face many bugs. The vendor is trying to improve it by releasing new patches and hotfixes.

I have been using the solution for almost five years.

I rate the tool’s stability a six out of ten. It breaks down a lot.

I rate the tool’s scalability a seven out of ten. To scale the solution, we must decide which persona should be added. There are different personas for management, monitoring, and policy enforcement. It needs some calculations. I have a lot of clients. One of my clients has 20,000 to 50,000 users.

The initial setup is not easy. It should be designed properly. The solution has almost two or three personas. The design must be reviewed correctly. The implementation is not easy. It is a little bit complex compared to other NAC solutions. The time taken for deployment depends on the size of the implementation. It can take from one week to one year.

The solution is not that cheap.

We are partners. A lot of customers are using Cisco’s infrastructure. The product can be integrated easily. We have faced a lot of issues while integrating other tools. Overall, I rate the solution an eight out of ten.

We use Cisco ISE Identity Services Engine currently for TACACS and posturing.

The product elevated my organization’s security level, helped us meet some guidelines, and made our life easy.

We found all the features of the product to be valuable. We have no complaints about it. Posturing is valuable to my organization. Now, we're improving our whole environment to go into a Zero Trust policy, and Cisco Identity Services Engine plays a huge role in it. We're defense contractors, so we support DOD and have specific stakes and a baseline to go with. Our strict environment requires us to do certain things, and the solution plays a role in it.

They should improve their licensing. Licensing is always trouble with Cisco, and Cisco Identity Services Engine is no different. The way the product is licensed could be improved.

I have been using the solution for almost three years.

The solution’s stability is good to go so far. Some vulnerabilities had popped up like any other solution, but Cisco remediated them. There was no problem.

We haven’t even scraped to the surface of what the tool could do. It's very scalable, and we will try to use it as much as we can in the future.

We have had no issues with the product’s customer support so far. We had a neutral experience with support.

Positive

We have seen a return on investment in terms of not pursuing any other solutions. We didn't need to look further. The product did what it does for us now. We are very content with it. We don't have to invest further into something else.

The solution’s pricing is okay.

The tool secures our infrastructure to a certain point. However, we're not using it in terms of detection. My team is only four people, and we take all the tasks together.

The solution did not help us consolidate tools. However, it does help us with TACACS. TACACS was a big thing that we needed. We are trying to get rid of NPS and RADIUS, and we will probably use the product in the future for Certificate Authority. It could probably consolidate tools, but it's not doing it now. However, it will in the future.

The product has absolutely improved our cybersecurity resilience. With all the posturing we're doing and the Zero Trust policy we are bringing, it prevents other users from insider threats. It helps big time with insider threats. It's a big thing for us in our specific programs.

Give it a shot because we did give it a shot. People at first said it was very pricey, but it wasn't really as pricey as people say it is. It's worth trying it. Zero Trust will be mandated later, especially if you're in the government. The product will play a big role in it.

One of our team members was pursuing a certification in CCMP security. He was specifically on the Cisco Identity Services Engine track. We got that for him to demo and test it out. Eventually, it became part of our product. TACACS, Posturing, and Certificate Authority could be the reason why we chose the solution. We are using it now for 802.1X. All port security is not a thing anymore for us.

Overall, I rate the product a nine out of ten.

We use Cisco ISE to authenticate users or devices onto the network and then drop them into the appropriate VLANs to isolate them and maintain network segmentation.

Cisco ISE has been a great tool to segment our traffic and get the users into the right VLANs. It definitely does free up a lot of time from manual configurations.

It has definitely improved our security a lot. We used to be a single flat network, and now, we are a segmented network where we have all our different traffic isolated so that in case we do get a breach, not all the customers are affected.

Cisco ISE has been great for securing our infrastructure from end to end so that we can detect and remediate threats. We've already seen it detect some devices that we didn't know about, and they quarantine those devices, allowing us to take the appropriate security actions against them.

Our IT staff has been freed up for other projects with Cisco ISE because we're able to do a little bit more automated configuration. We just throw out a single configuration to the ports, and then the users get dropped into whatever VLAN they need to be in without us having to go to each site and configure these things manually. On a usual workday, it has freed up at least a couple of engineers for two to three hours.

Our cybersecurity resilience has improved with Cisco. Users are now segmented. We have firewalls in between, so we can take a look at all the traffic. We have quarantine enabled in there so that if we get a device on our network that we don't recognize, we can lock it down.

The feature that I found most valuable is profiling. We use that to profile certain types of devices, and then depending on the manufacturer, drop them into the appropriate VLAN without us having to go in and manually add the devices.

We would definitely like to see a little bit of an improvement in the web GUI navigation. Some of the things are a little bit hidden in the drop-down menu. If we could get a way to get to those quicker, it'd be much more useful.

We've been using Cisco ISE for about three years.

So far, from what we've been using, we haven't had any problems even with any of the additional patches that we've added. It has been great.

Scalability-wise, it's great. We have plenty of space to add additional nodes. Right now, the ones we do have are not being utilized to a hundred percent, so if we ever do need to add additional, it seems pretty straightforward.

Cisco support has been pretty good over the years, helping us get this stuff up and running. It has definitely taken us a while, and some of the cases have been pretty long, but Cisco support has been pretty good. I'd rate their support a nine out of ten.

Positive

We weren't using anything in place of Cisco ISE previously. We were pretty lacking in that department. When we got Cisco ISE, we improved our security significantly.

We went for Cisco ISE based on a suggestion from one of our vendor partners who helped us with our network refresh. They said that Cisco ISE was something that they had used previously in lots of larger deployments, and they had seen great success with it.

I was involved in its deployment. It was pretty straightforward. A lot of the issues that we ran into were related to coordination with the users just because it was a change for them, but the actual deployment and everything else were pretty straightforward.

We used MTT. They were great. They walked us through the whole process. They designed the network refresh for us as well as the Cisco ISE integration portion of it.

We've seen an ROI. We've freed up some hours, so those engineers who were previously doing more mundane tasks are now able to do something else.

I don't know too much about the actual pricing on it. The licensing part is pretty straightforward. It's a lot more simple than some of the other Cisco licensing models. In that aspect, it's great.

Overall, I'd rate Cisco ISE a nine out of ten.

We primarily use Cisco ISE as a network access control solution. We do a lot of quarantine actions from our CSOC. We use the AnyConnect VPN by setting multiple deployments for dedicated purposes, where we use it to provide wireless.

Cisco ISE has brought a level of visibility that my organization hadn't had beforehand. At the same time, it has mitigated a lot of potential attack factors and brought in a sense of control in the hardware during the onboarding process.

I found the CMDB Direct Connect in Cisco ISE 3.2 the most promising feature for my use case. We have a lot of wired map devices and having an externally approved source to validate if a machine is legitimate or approved to be on the network is extremely valuable for us. It helps make the whole process of authorizing endpoints quick.

Cisco ISE's real-time data analytics for database logging could be improved. Earlier, you didn't have direct read access to the database. You'd have to rely on logs through some other sources like Splunk and be able to put everything that you want together. Being able to review logs in real-time, customized to your filtering, adds a lot of context and visibility.

I have been using Cisco Identity Services Engine for about four and a half years.

I do not like the stability of Cisco ISE in the virtual environment. That might have been more of an underlying host issue rather than an ISE issue. But we've moved to hardware right now, and I wouldn't have looked back. The next place we're looking to explore is potentially in the cloud, but that's still up in the air because our environment is not small. We're one of the larger 700,000-plus endpoints.

Cisco ISE's scalability is nice. However, not many people can deploy Cisco ISE in a very large environment. In other words, there are no large environments that are hitting around 100,000 plus clients for active concurrent sessions. If you're trying to create multiple deployments to distribute the workload evenly, I don't like that there's no centralized management platform for Cisco ISE. You still have to go into each deployment and do your configuration.

From my account team, I rate Cisco ISE's technical support ten out of ten. However, from a tech perspective, if I'm talking to tech level one, tech tier one, or tech tier two, I'd have to give it a six out of ten. Once you start getting into the more advanced tiers and even the business units, the support goes through the roof.

Positive

I've always worked with Cisco ISE. However, in my organization, there's another part of my infrastructure where they use Forescout. The way Forescout implements a NAC solution differs vastly from how Cisco ISE does it. The way Cisco ISE does it is more ingrained in the whole radius process and enhances the security features on a switch or wireless line controller.

Our organization chose to go with Cisco ISE instead of Forescout because, holistically, the solution checked all the boxes needed for a NAC solution.

I was not involved in our organization's first iteration of Cisco ISE. We've since migrated and modernized our Cisco ISE deployment, and I've been heavily involved in that. 

The ease of deployment depends on the environment you're deploying in, understanding what use cases you have out there, and understanding what kind of endpoints you're exposed to or exposing your network.

Overall, Cisco ISE's initial setup is not overly complicated right now. But since our organization is moving into a multi-vendor or managed services contract, we're bringing in many vendors like Meraki, Juniper Mist, Aruba, and Fortinet. That's when things get complicated because they don't all use the same type of authorization results.

We implemented Cisco ISE in our organization directly through Cisco. My experience with Cisco has been phenomenal because they listen. We've run into many technical issues, but they've been at our beck and call and have been there to support us to a point where they've rushed certain fixes. We've had a couple of engineering specialits because of things we've encountered. They worked hard for us.

The product is positive regarding a return on investment, considering the cost we're bringing in for Cisco ISE's deployment versus the value we're adding to the environment.

According to my sales and account team, the prices we're getting are pretty good. I wouldn't say they're the manufacturing or listed price by any means, but we do a lot of business with them. So the price points that they're coming in at are pretty manageable.

When it comes to securing our infrastructure from end to end so that we can detect intermediate threats, a lot of it has to do with integrating Cisco ISE with other products. For example, Cisco ISE primarily deals with either the access layer or remote connections. However, when you start integrating it with other things like titration or secure network analytics, you can get a bigger grasp of the overall picture. When you bring other security teams into it, they can start creating their policies, alerts, etc. They can start automating some of the incident mitigations and stuff like that.

My use case is a little bit different in that there's no end to our work. There are a lot of other business groups within my organization that aren't complying with what the network security policy should be. So I have to reach out to them and get them to use a dot1x protocol or ensure that their stuff is in our CMDB database.

We're in a big migration and shift in our overall security policy. So there's a lot of moving aspects going on right now. However, as we start getting things moved into an MDM, as we start getting things moved into using a dot1x protocol, we can get an active identity of an endpoint.

Cisco helps reduce the amount of staff we have to chase down and figure out what kind of policies should be implemented. We can then incorporate our onboarding process into that, preventing unauthorized devices from connecting in or at least be reassured that if anything that we haven't had any chance to look at connects in, we can deny it with confidence. Down the road, it'll alleviate a lot of the time and planning we're doing right now.

My organization is a bit different. I've tried to get them onto the posture feature of Cisco ISE, but they're pursuing other vendors for that. We've decided to incorporate through a pxGrid integration with other applications such as Tanium, Forescout, or whatever application my security organization uses. They can pull contacts from the Cisco ISE endpoint and then be able to issue a quarantine action to Cisco ISE on that particular endpoint.

Overall, I rate Cisco ISE ten out of ten.