Cisco Identity Services Engine (ISE) Reviews

I'm a network engineer. I've been at my company for about six years. 

We have about ten people on the networking team. We support up to 30,000 students. We've been using ISE for five or six years now.

Our primary use case is mainly to onboard students with the wireless authentication with our switches and network devices. 

Another big benefit for us is definitely security in terms of wireless user activity. We spent a lot of time looking at live logs and user logs to figure out where they've been in the network and in which buildings. We can get rogue granular with locations of where people are and where they're experiencing issues.

We have definitely saved time since using ISE when it comes to building some of the policies around the types of users, like library users versus student union or even admin users. The policy building is complicated, but after a while, it's pretty straightforward in terms of repeatability of staff turnover, and things like that. It's not the learning curve that's hard for continuous maintenance.

The most important feature for us is visibility in terms of user connections. It's the ability to see what devices are online for a particular user that helps a lot with our troubleshooting. 

The primary issue is the slowness of the application and the web interface. We have multiple admin nodes and app nodes. So when I need to get some information about a particular user, the GUI would take ten to fifteen seconds in loading when we need to know right away. 

In terms of scalability, we have multiple policy nodes. I know we have about ten different devices on other appliances. As far as I can imagine, setting up another policy node or something would be pretty simple. It would just require hardware to be purchased.

Our support for Cisco ISE has been pretty good. We've had pretty good luck with TAC cases, and it seems like maybe because it is a niche thing there are certain groups of support staff who are pretty savvy.

We've never really had issues that went long-term. It's because it's our main gateway for students, staff, and faculty. It seems like we've solved things pretty quickly.

I'd rate it about an eight out of ten. The only thing is that you don't necessarily get the same person every time but we've never had an issue that went unsolved so far, so I'd say eight.

Positive

In terms of evaluating other services, that's one of our reasons for being a Cisco Live, to actually know what alternatives there are in that space. We are interested in a faster-performing solution at times.

Overall, I would say our implementation is fine, but we do hesitate on major releases just because we've had some issues in the past, and rolling back is difficult. We don't want to go down that path especially because it is so critical for us.

In terms of ROI for Cisco ISE, I'm not sure what we paid to begin with, but I know that it's indispensable, since it is our only gateway for wireless users to connect. Also that it's flexible for us to school up new user grow groups fairly easily.

It doesn't seem like we have a licensing model that we're aware of. It's not something that comes down where we have to say, "Oh, boy, we have to renew ISE again." It doesn't seem like it's a significant part of the budget that we have for licensing and ongoing maintenance.

In terms of ISE for end-to-end security, it's our primary tool right now for that. It's hard to compare with other applications or hardware. Sometimes there are limitations, for example, we use it for wireless only. We don't do anything with ISE or 802.1X on the wire, which is something we'd like to do, but we're hesitant based on our experiences with the wireless side in terms of the slowness.

On a scale from one to ten, I give Cisco ISE an eight. Primarily because it seems like it's doing a pretty decent job managing our wireless connections. And there are enough tools in the GUI interface that give us feedback on performance. It's been a pretty decent install for us.

We're just using it for authentication to our network switches.

We have more visibility and control with the tool. It has helped us improve our cybersecurity resilience.

The authentication piece was a big deal, especially because we're able to roll it out so quickly. Once we start using it to its full potential by using NAC, we can automate a lot of things that we're doing manually. MAC lockdown is one of the big things we have an issue with because I work on the classified network, so we're locking down every end device. It takes up a lot of time. That's one of the biggest things that we're rolling out. I'm not sure what other features we're going to use out of it, but I know that once we get started on it, we'll be a lot more involved with the things that we're going to roll out.

It's really easy in terms of the authentication piece. It's a big help. We've other parts of the network that are not using any authentication at all, which is scary. We've so many separate companies, and I'm hoping that we can start using this for those networks as well.

It has saved us time. We've control on our side, and we're able to add new devices as we deploy them for new buildings and things like that. We're able to give different types of access that our users need to have, which is nice. It has been huge, and then once we start deploying NAC or something like that, that's going to be a game changer for us because that'll free up a lot of time for us. It probably saves at least ten hours a week because especially right now, we're in the phase where we're getting so many new buildings. We're not only turning up new buildings; there are also all the users. So, for every single device, you have to do a MAC lockdown. Sometimes we get spreadsheets listing a ton of PCs that we've to lock down. That just takes forever, especially if you get it wrong or someone has fat fingers and things like that. It'll hopefully eliminate a lot of that too. We won't have the back and forth with other groups for that.

It has helped consolidate tools. We don't have to go outside our own group for the authentication piece. That control is a big deal. On top of that, once we start integrating NAC and other things, it's going to eliminate a lot of manual work.

Having access and being able to add people or change authentication yourself is nice. In the past, we've used other group authentication services, and we always had to go to them and get permissions. Having that control is key. 

Adding new devices was a little cumbersome. I haven't done it that many times, but I remember that adding new devices to the authentication piece of it was a little cumbersome. The way I was shown to do it, I thought it was odd because we had to go into the active device, copy the file down, export it, make some changes to it, and then reimport it as opposed to being able to click it and having a template to fill out. It was a little more cumbersome than I thought.

I've been using Cisco ISE for about a year.

For the times that I have interacted with them, they've been pretty good, but I've heard of other stories. Overall, I'd rate them an eight out of ten.

Positive

We were using regular TACACS, RSA, etc. I can't remember what they were using on their side because it was more of the infrastructure team that was using this. We would just basically go to them and give them requests. Having control through Cisco ISE is much better.

The reasons for going for Cisco ISE were having that control and having a relationship with Cisco. All of our gears are Cisco. It just made it easier and more compatible. I know there are a lot of other tools that we can take advantage of such as NAC and things like that. We're hoping to do that in the future.

As far as I know, it was fairly easy. We didn't have a lot of problems with it. One of our other guys deployed it. I wasn't with him, but I didn't hear that there were a lot of problems with it, so it was fairly easy. The same guy had deployed it on the unclassified networks, so he had experience with it.

Overall, I'd rate Cisco ISE a seven out of ten.

We use it for network access control. For security reasons, if a vendor plugs into our network, the port is automatically shut down because it's not authenticated to our network.

Cisco ISE is a great solution. It helped us determine real users on our network. It's very useful.

From a security standpoint, Cisco ISE has improved our organization 100%. We're not guessing who is plugging into our network. It 100% protects our environment and infrastructure from end to end.

Cisco ISE has saved the time of our IT staff time to help work on other projects, but I don't have the metrics.

Cisco ISE has absolutely improved our cybersecurity resilience. Specifically, the 802.11 authentication for wireless has been huge.

Cisco ISE hasn't helped to consolidate any tools or applications.

Cisco ISE is a powerful solution. It gives us the ability to control who's accessing our network, and Cisco has made it very easy.

Some of the reporting could be improved.

We've been using it for about ten years.

It's stable. We never had any issues.

I love it. They know their stuff. Almost in one call, you get the right person. They're very good. I'd rate them a nine out of ten.

Positive

We didn't use any other solution previously.

You have to have a plan. You have to be prepared to roll it out. You need to think through what you want to configure.

It took us about three and a half months to get every angle we were after, and after that, it was a very slow rollout. We rolled it out in about eight months. It was easy.

We did it all in-house, but we did have consultants from Cisco come in and help us tweak it.

Pricing and licensing are not my expertise. As far as budgeting is concerned, we run an ELA with Cisco. It's a part of our ELA.

We didn't evaluate other products. We went straight to Cisco because you can't go wrong with their technology. They're a leader in this space, and they've got a good, robust solution, so we rolled it out.

It integrates seamlessly with other Cisco products that we have. I use Cisco Meraki for all my edge cases. We never considered switching to another vendor. 

It's a great product. I'd rate Cisco ISE a nine out of ten.

We utilize Cisco ISE for authentication by employing the AnyConnect Posture model to address vulnerabilities on the workstations. Additionally, we make use of TACACS.

It is a mature solution and it grows with our needs.

Cisco ISE has helped consolidate DNA Center.

Cisco ISE helps our cybersecurity resilience by enforcing security over the workstations.

The most valuable feature is AnyConnect Posture because it scans all the programs on the workstation and checks if the antivirus is up to date, as well as the cryptographic keys on our SSD. It also enforces data loss prevention on our workstation, which is usually the main vulnerability for network entry.

Cisco ISE has numerous features that are impractical, and I won't utilize them since they require payment.

I have been using Cisco ISE for around four years.

We encountered a few bugs that were resolved using the SMUs. However, when the solution is built properly, there are no performance issues.

We can scale Cisco ISE up using VMs.

The technical support is excellent, and we rely on their services frequently.

Positive

We previously used Cisco ACS but transitioned to Cisco ISE because it reached its end-of-life status, and we needed to progress.

We have observed a return on investment from the tasks performed by Cisco ISE for our organization.

Cisco ISE is not inexpensive, but the solution is well-built and worth the expense.

We evaluated Aruba ClearPass but ultimately chose Cisco ISE due to budgetary constraints. We were able to secure a favorable discount with Cisco.

I would rate Cisco ISE a nine out of ten. Despite the fact that the solution offers numerous features, it is challenging to use.

We do not rely solely on Cisco ISE to secure our infrastructure from end to end. Instead, we utilize various tools such as McAfee, DLP, and Endpoint Security. Additionally, we have the Domain client to check for any breaches. On our Internet edges, we perform SSL offload to enhance the performance of security projects like WAF and IPS, as well as conduct full packet scans. Furthermore, we have NGFW and NG Networks in place.

Cisco ISE is an important component in protecting our environment because it enforces security against the main point of vulnerability, which is accessing workstations. Ransomware infiltrates a network through workstations. The policies implemented are based on the posture model, ensuring that we use the necessary products on our network to mitigate such risks.

I was not involved in the initial setup, but testing the implementation of a new feature is always challenging. We need to allocate time to test it with the security team and the network team. Additionally, we need to create a separate environment to gain a better understanding of how we can improve the performance of the solution within our network. 

For organizations that do not have the funds to purchase Cisco ISE, there are good open-source solutions available. These include TACACS servers, OpenLDAP, and FreeRADIUS. However, Cisco ISE is an excellent tool for enhancing all the existing tools within an organization.

I use Cisco ISE for VPN and authentication.

Cisco ISE is a good and easy-to-use solution. We had a smooth experience with it, and we didn't face any issues. We upgraded the solution two years ago, and that version also worked fine. 

Cisco ISE's integration with other external identity servers like Duende is very simple and easy.

Cisco ISE's performance could be better, faster, and more robust. Sometimes it takes some time to move through the tabs and configure something.

I have been using Cisco ISE for three and a half years.

Cisco ISE is a stable solution. We haven't faced any major issues with the product.

Cisco ISE is a scalable solution. Our environment has a cluster distributed across three countries and seven nodes. It would be very easy to add another node or remote site.

In some areas, Cisco ISE's technical support is good. However, we had an issue with integrating Cisco ISE with DNS. So we opened a case, which escalated, and we had it for almost two years. Cisco escalated our case after hearing about our integration problem, and the issue was solved eventually.

In normal support cases, like if you are facing a bug, you will have very quick input from Cisco ISE's technical support. It is easy to find the issues in some areas, but in some cases, you might have to go along a troubleshooting path to find the issue. I used to work for Cisco tech wireless team. In some deployments, you have a complicated environment and must understand and solve the issue. Sometimes, it might take a long time to solve or find an issue, while it would be easy in other cases. It depends on the complexity of the environment.

Positive

Cisco ISE was already deployed when I joined my company, but I was present when it was upgraded. The upgrading process wasn't very easy, but we didn't face many issues. When we upgraded our Cisco ISE, it was running on the 2.3 version. We upgraded it to 2.7, and we had some issues at that time. We upgraded directly to 2.7 patch 2, and most problems were solved.

My main focus is on the .1X access. We have another security team whose focus is on VPN access. I use Cisco ISE for TechX authentication and .1X authentication.

Cisco ISE saves us time. If you deploy any security features using Cisco ISE, you don't have other options not to automate it. Part of our Cisco ISE is integrated with the Cisco DNS center. The Cisco DNS center saves time in terms of configuration, integration, upgrading, and adding other switches to the fabric. You can deploy the features in Cisco ISE using manual techniques.

Cisco ISE was already deployed in my organization when I joined. However, I know that Cisco ISE replaced ACS.

I work in the banking industry. Our main concern is securing our network from either remote or on-site access. When you get physical access to the site and connect your device, you might risk the security of the network on purpose or unknowingly. Deploying Cisco ISE has helped improve the security of our organization.

Overall, I rate Cisco ISE a nine out of ten because I have a very good experience with the solution and hear the same from other vendors.

Cisco ISE is on the back end, and all our policies and security are on it. DNS centers and all our network backbone is integrated into Cisco ISE. So, the solution is pretty critical for us.

Cisco ISE has helped improve our organization security-wise.

Cisco ISE integrates with everything else. It forms our security and identity backbone, and all our authentication goes through Cisco ISE. That's why the solution is so important to us.

Troubleshooting and multi-ISE can be challenging with the solution.

My organization has been using Cisco ISE since 2018.

Once configured properly, Cisco ISE shows good stability.

Cisco's TAC is good. Cisco support, in general, is too layered these days. Often we have to repeat the same thing over and over to the TAC guys, which is a bit frustrating. Cisco's TAC needs to be a bit better.

Neutral

Cisco ISE's deployment can take weeks, months, or years depending on how rigidly you adhere to the guidelines and how good your existing infrastructure is.

We have seen a return on investment with Cisco ISE from a security point of view.

Cisco ISE's licensing can get pricey.

Sometimes, the Cisco guys disagree about it, but other than that, the Cisco guidelines are clear and concise enough.

Cisco ISE helps to secure our infrastructure from end to end so we can detect and remediate threats. The solution does what it's supposed to do.

Cisco ISE has saved a little time for our organization.

Since Cisco ISE is a more robust solution, it has helped our organization improve its cybersecurity resilience.

Before implementing Cisco ISE, you should look into it in-depth on how it can be used, how it can be integrated with existing tools, and how your staff can be trained to troubleshoot it. The solution has its pitfalls, and when it breaks, it can break heavily. So be aware before you deploy it.

Overall, I rate Cisco ISE a seven out of ten.

The company's use case for Cisco ISE is switch access. I'm from the high-performance compute side. I'm not the back office IT. I'm what they call GSIT. Their use cases are different but very similar.

On our side, Cisco ISE has improved cybersecurity resilience. The company uses it for global WAN and other things. We haven't had any issues.

For me, the TACACS feature is the most valuable. I have also used Cisco ISE with LDAP, not with Active Directory. That works for me because I prefer LDAP versus Active Directory.

The templates could be better. When you have to do certs, especially with X.500 certs, it isn't very intuitive.

I've been using Cisco ISE since 2011.

After I set it and forget it, upgrading Cisco ISE is the only thing to do.

I've never had a problem with Cisco. Cisco has always scaled well, so it's pretty good.

Initially, it wasn't good, but once I found the right TAC person, it was fine. I had to probably get level three or above, and then I had to get a software developer because the certs didn't initially work properly to give you a special code. I'd rate their support a nine out of ten.

Positive

I used OpenRADIUS before. That was open source. I switched because I'm the support for everything. It was easy to support with Cisco ISE.

Role-based access is easy to do with Cisco ISE versus OpenRADIUS. That's because OpenRADIUS is something you have to manage yourself. You have to manage the certs and other things. You have to define the roles yourself for special read access and for certain groups and multi-groups.

The only thing I didn't like at the beginning was that Cisco ISE was limited to how many groups you could use. That problem has been fixed. I haven't run into that problem.

The initial setup was complex. The main part was the certs, especially the X.500 certs with LDAP. Azure Directory is a little bit smoother, but I prefer LDAP.

It's deployed for internal switch access. It's purely for switch access and role-based access.

I deployed it myself.

We've seen an ROI.

I get very good pricing from Cisco, so I don't have a problem with that. I also don't have a problem with licensing because we get enterprise or global licensing.

It hasn't helped to free up our IT staff. Our IT staff is already very limited anyway. We've always worked smart and don't work where we don't have to work. For example, in 2019, we were more than 60. There are 14 of us now, and we still do the same amount of work. Cisco ISE hasn't contributed to less workload. We do it with automation. We have a lot of Linux, so we do automation on all of our stuff. 

Overall, I'd rate Cisco ISE an eight out of ten.

We are using it mainly for .1X authentication, and we also authenticate our VPN users, and we are doing some light profiling and posture.

We're trying to solve the problem where different users have different privileges in the network. And also we're trying to block some access from our least privileged users. Those are the main use cases for us.

We have on-prem virtual appliances and a distributed model.

It has improved our organization very much because we're now adopting the SGTs, Security Group Tags, and we're leveraging security based on those tags on our core systems and integrating with other SG firewalls.

We have a pretty distributed network and we have only one ISE deployment and it's been really good so far for managing all of those sites.

The most valuable thing in ISE is the adoption of EAP deep that came in [version] 2.7, so we can do authentication based on user and machine certificates in one authentication.

[Regarding establishing trust for every access request] it's been pretty good so far. We've been authenticating all of our users, no matter where they're coming from. If it's from our VPNs, or if it's wireless access, we are all Cisco, so the integrations are pretty good. It's very important [that the solution considers all resources to be external]. Right now, with the challenges that the multi-cloud environment poses, you have to have a solution like this.

[When it comes to securing access to your applications we are] not [using it] so much. I'll have another session with a TAC engineer on Friday, and I will have to discuss some basic concepts of securing the application with ISE. I find it very challenging to do some micro segmentation with it. I'm staying on top of it and doing it macro, but I want to go micro, and it's something I need to discuss more with an engineer.

Also, the menus could have been much simpler. There are many redundant things. That's a problem with all Cisco solutions. There are too many menus and redundant things on all of them. This is a problem in ISE. This could be much simpler.

I wasn't involved in the process of choosing this particular technology. The colleagues that made the decision made it seven or eight years ago. They were using ISE for a long time. I've been in the company for four years now so I came into an already deployed solution. But it wasn't so good, so we had to migrate from physical appliances to virtual ones because they were end-of-life and end-of-support.

Sometimes, they push an update that breaks the whole deployment. It happened to me with update two. It was my fault. I updated right after it came out, and I won't ever do that again. I will wait at least a month or two or three, because the update was taken down a week later.

I was lucky enough because I had updated from update one to update two. So it didn't really break the whole deployment, just parts of it. But they fixed it in a week with update three, so I was able to put it back together. Roll back is also always an option.

Scalability is really good. The number of possible nodes in deployment is high. I don't know the exact number, but it's really high. Scalability is not a problem.

I have had some problems lately with the TAC engineers being unable to investigate the logs that I gave [them]. They always ask for more, but there is not much you can do on ISE. When you give out all the debugs from the nodes, then there is nothing else to do.

It's been a bit of a ping pong with the TAC engineers. Sometimes I have four to five TAC cases open, specifically on ISE. Most of the problems I have are with the integrations of other companies' firewalls. 

This year I would give them a six [out of 10]. Before, I would say eight.

Neutral

I have had to find my own way to do the new deployment. It wasn't that there was some documentation about how to migrate. There is none of this stuff on Cisco's site. You have to search Reddit and multiple forums to assess what you can do with the deployment. I basically built it from scratch.

We are more secure thanks to ISE. That's always a return on investment.

[When it comes to eliminating trust from our organization's network architecture] I'd say, no, ISE hasn't done that. It's been a challenge to implement this. We're trying to bridge the gap between the security guys and network guys. They're not the same teams. Sometimes the security guys also do networking, but it can be hard to cooperate on projects like this. This is a big project. ISE is a pretty big solution and security guys are sometimes lost in what's going on in the network, like equipment where you have to configure things.

It's pretty much the most resilient solution as of now.

I like this solution a lot. I would say it's a nine out of 10.