Cisco Identity Services Engine (ISE) Reviews

We use it for wired .1x, wireless authentication, VPN, and multi-factor authentication. We wanted to have a consistent experience for authentication and authorization of endpoints across the network, as well as security.

As a water utility organization, we're considered critical infrastructure by the feds. Everyone needs water. So it's important for us to protect our industrial control systems, our SCADA systems. ISE helps us do that by segmenting them off from the rest of the network.

And by eliminating trust, it helps us with audits, including CJIS because we have a law enforcement division, and trying to conform to the NIST standards. A lot of government agencies are becoming more familiar with the Zero Trust model and ISE makes our audits go a lot faster and a lot smoother than they used to.

The endpoint profiling feature is among the most valuable because it keeps me from having to manually maintain a MAC address bypass list to track endpoints. I can have ISE profile them for me and then put them in the right bucket.

In addition, ISE really adopts and is strong in the Zero Trust model where we consider everybody a foreign endpoint until they prove they belong on the network. ISE just seems to be built from the ground up to do that, whereas with other solutions, you have to "shoehorn" that in.

I also rate it pretty highly for securing access to our applications and network. If you have the good fortune of being a total Cisco shop, you can utilize SGTs, end to end, across the network. It can be a little tricky to get working, but once it does, it creates quite a consistent experience for any endpoint, even if it moves anywhere in the network.

I'd like to see the logging be a bit more robust in terms of what it has baked in. If I want to do any in-depth searching, I have to export all the logs to an external platform like Elastic or LogRhythm and then parse through them myself. It would be nice if I could find what I want, when I want it, on the platform itself.

I've been using Cisco ISE (Identity Services Engine) for 10 years.

Now, the stability is pretty good. I've been working on it since the product launched and it was a bit sketchy. Its current state is really good right now.

The only thing we have run into was a bug when we ran virtual appliances, but that turned out to be an issue with our storage networking QoS policies. That wasn't really an ISE problem, it was more of a storage problem.

In terms of supporting a distributed network, it's pretty powerful. You can stand it up and cluster it and it scales out pretty well. You can put nodes wherever you want to service authentication requests. We're able to scale up or out and we can choose how and when we do that with either virtual or physical machines, meaning it's very flexible. 

It scales quite well. One of the things that Cisco is good at is keeping things pretty simple when you want to scale it. If you want to scale up, you get stronger admin and monitoring nodes. If you want to scale out, you get more policy service nodes. It's quite easy to stand them up, really anywhere, if you use virtuals.

We use it around our Fort Worth campus, which has about half a dozen buildings. By the end of the summer, we'll have it deployed to all of the rest of our five campuses. We have about 30 remote locations across 12 counties in North Texas and they're all using ISE. It works out pretty well.

We have it on-prem right now, but we are moving to a hybrid cloud platform on Azure for a lot of our applications, so we're starting to do proofs of concept with ISE in Azure.

TAC is pretty good. I would definitely suggest getting their solution support, which provides higher maintenance. That way, when you do get someone, you get someone who knows what they're doing. If you get the higher level of support, you get some really smart people who can fix things pretty quickly.

We used to use Aruba ClearPass. It was somewhat clunky to use and it didn't integrate well with third-party platforms. If you used Aruba, it worked great. If you didn't use Aruba, and were pointing things at ClearPass, it had some issues. We found that ISE typically handled things a little bit better. We could point anything at ISE and take care of it.

The initial deployment was pretty straightforward. It's very simple to just turn the box on and plug into it. You go through a couple of settings and then you can log in to the GUI and pull in all the other nodes that you want.

After the gear came in, it took us about a day to deploy it. I started by implementing it at the local campus. That way, if I broke anything, I could just walk down the hall and not have to drive anywhere.

I stood up the first cluster, and then it was another engineer and me who worked on deploying it out to all the buildings. We started out in monitor mode, to see what it would do if we had turned it on. Once we had remediated anything that looked like it was authenticating incorrectly on the wired network, we went to closed mode and that's where we are now.

Return on investment falls in line with the business vision of securing our resources and protecting them against cyber attacks and nation-state attacks. It's hard to put a monetary value on clean water.

Licensing is a disaster. It's a mess and I hope they fix it soon.

In addition to ClearPass, we looked at Forescout. At the time we looked at Forescout, it was more of an inline product and we weren't looking to add more infrastructure between parts of the network to try to do inline authentications. It seemed easier to do it on the switch ports and have them talk to ISE.

It's a very strong platform, especially now that we're on version 3.1. It's definitely my go-to. I would recommend it over any other NAC platform.

It requires a lot of technical knowledge to actually get it off the ground and running. It's not quite as intuitive as it could be, but it's still a solid platform.

We use ISE primarily for RADIUS authentications on our wireless networks and VLAN segmentation for those users.

ISE makes things easier because we all work on one system and we all have the same views, so one person is not looking at a different system. We can all look at the same system and say, "Okay, go to this link." Also, you can integrate it with DNAC (Cisco DNA Center), which is something I am very into. It helps us troubleshoot from the client all the way down to the packet. DNAC can tell us, within ISE, when they're integrated, "This is the issue they're having," and we can report back.

It's great across a distributed network for securing access to all our apps and the network. We don't have to worry about which system is going through which access layer or which security system. We can just put everything into ISE. We don't have to separate the switches from the routers to the wireless. It's all just "one-stop, go." It used to be that our switches were in a separate system for authentication routers and the wireless was all on EAP. It was confusing. ISE consolidated all that.

For my use cases, the in-depth troubleshooting into why a client can't connect or why they failed, is very valuable. I can go back to someone and say, "Hey, it's not my network. It's their certificates or user error," or something else. For my coworkers the VLAN segmentation means a client got in, it dropped them into this VLAN, and that's where they belong. They can't get out. It makes things more efficient.

Also, the fact that ISE considers all resources to be external is very important. We use ISE in our retail environments for our payment sleds. We want our payment system to be secure. Zero Trust is our whole thing. It's great that everything is external to ISE and then everything has to go through the system.

The opinion of my coworkers, and it's mine as well, is that the user interface could use some tender loving care. It seems counterintuitive sometimes. If you go to the logs, it's hard to figure out which one you need to look at. My ISE admin probably has different ideas, but for us, that's the main complaint.

I've been using Cisco ISE (Identity Services Engine) for about 15 years.

Uptime is great. I don't have a complaint with ISE with uptime. It's been a rockstar. As far as I'm aware, we have probably had 95 percent uptime, or even 99 percent. Nothing is 100 percent. When there's an issue, it's usually not ISE.

Scalability is our issue: keeping up with the number of licenses we need for customers and clients. That's our main concern right now. Part of that is on us and part of that is on ISE.

For us, ISE is global between retail stores, warehouses, and world headquarters. Our entire wireless network of over 30,000 devices uses it. In North America alone, we have 13,000 access points and usually around 60,000 clients.

We've had some issues with support. We usually just get our account manager involved and they get the BU online.

It depends on the role of the dice and your TAC engineer and how well they understand the issue. We've had numerous cases where we decided to say, "Okay, escalate."

Neutral

We had ClearPass but we found some difficulties with it and those were things that ISE was better at, such as EAP authentication. We had some issues with how ClearPass interacted with the Cisco wireless environment. The merging of the two technologies was hard.

We have jumped around. We were Juniper, Aruba, and then a Cisco corporate environment, and then a mixed environment. We finally consolidated those between retail, warehouses, and our world headquarters, into a unified Cisco environment with ISE as our RADIUS backbone. ISE gave us what we needed to unify all of them. We finally shut down our last ClearPass server a couple of years ago.

Being fully honest, the Cisco licensing model right now is really confusing. We don't know what licenses we have where. We have Smart licensing, but the different levels are way confusing.

There are different levels for different accesses. We have an enterprise license agreement with Cisco, but all the details of what we have with those licenses get confused in the massive amount of licenses we have, or in the different license levels we have for different geos, et cetera. The Smart license portal is there, but right now, we just don't have the time or manpower to put into that.

I give it an eight out of 10 mostly because when you get in to start configuring the details, it's hard to find some stuff. Otherwise, it's a great platform.

We use ISE for TACACS and 802.1X authentication, wired and wireless. We also use ISE for our VPN authentication, as well as for different policies. We were trying to solve some security holes with Mac solutions, and ISE was a good fit.

It helped our security, which is nice.

I love the policy sets, they are really nice and dynamic. 

This solution helps to support an organization across a distributed network. It's built for enterprises and large-scale deployment. It does what it's supposed to do.

ISE is a little clunky. The front-end feels like it is from the 1980s.

The usability, as far as programmability goes, needs to be improved.

I've been using Cisco ISE for about three years.

The solution is pretty stable. I haven't had any problems.

Cisco ISE is very scalable.

Technical support is horrible. If we call and ask them for help, their first response is always that we should upgrade. That is a horrible response. We pay another company to support us because the technical support can't, even though we pay them to do so. I would give them a two out of ten.

Negative

We have a distributed deployment model. They're all virtual appliances, distributed geographically.

We've got six ISE nodes. Everything is redundant and distributed across multiple data centers. We then used them again for 802.1X, TACACS, and other authentications and policies.

It's hard to dig into at first, so seek help and education.

I'd give Cisco ISE (Identity Services Engine) an eight on a scale from one to ten because it's Cisco, it's reliable. It has a lot of development and other vendors around it because it is Cisco. It works and is pretty stable.

I often use Cisco ISE for guest portals to onboard devices. For example, if a company wants to allow their employees to bring their own devices, there's a large security risk. Cisco ISE can help with onboarding those devices and check whether they're up-to-date with security patches and whether they fit the criteria to join the network.

There's so much stress involved with the pressures of trying to make it easy for customers to use the product without constantly having to jump over security hurdles. On the other hand, there is the constant threat of cyber attacks. Balancing the two can be quite stressful for developers, engineers, and consultants.

Our main goal, as an intermediary between Cisco and our clients, is to help IT managers, IT engineers, and administrators have better days. There is a lot of pressure on IT staff, and by giving them the right tools and solutions, we can help them feel more empowered to do their job much more effectively and, therefore, feel proud of their work.

In terms of features, the best feedback I've received has to do with guest portals. The guest portals and sponsor portals are where a company can customize their appearance. As people join the guest network, they're presented with the branding of the company that they're in.

A lot of customers use a third party to manage their guest Wi-Fi. Cisco ISE presents the ability to bring that in-house so that customers can have full control over it, change the branding, and get extra telemetry from it and the user data. It works really well for our customers.

I first started working with ISE at version 1.2, which was quite a few years ago. Over the years, the user interface has become a lot easier. The way the different parts of ISE come together and the connections between the different sections are a lot easier to follow. The interface gives you a much clearer picture of how the different policies and standards that you are building are brought together.

I don't see as many customers as I should adopting the onboarding feature. I think Cisco should make that process a lot easier and less intrusive on the end users' devices.

I've worked with Cisco solutions since 2007.

We offer the entire suite, with SecureX, Umbrella, and Cisco ISE being the main headlines. We work a lot in developing the orchestration and automation of new security systems in line with Cisco.

The various licencing levels allow increased functionality as your requirement increases.

When it's time to generate a TAC case, it means that things have gone very wrong and that my colleagues and I have run out of ideas and are desperate. Cisco's technical support staff are very much aware of that and know that by the time an issue comes to them that all the obvious roots of troubleshooting have already been explored. It's great that they comprehend this and that they understand the urgency as well. 

I'm always thankful for their help and would rate technical support at ten out of ten.

Positive

I have previously used other portals to provide guest user access. Cisco ISE provides many more options in functionality. Also when troubleshooting ISE provides detailed logs to pinpoint the problem. I have been unable to get this detailed information from other portals.

A benefit to using Cisco ISE as far as deployments are concerned is the fact that because it's software-based, everything can be tested before deployment. You can then be confident that everything is going to work when it's deployed in the real world.

Our ROI is that once clients have a Cisco system installed, they tend to stick with Cisco. They'll upgrade to the latest Cisco product rather than looking at any other vendors.

In general, licensing can be quite complex with Cisco products. It would be nice if it was a bit more intuitive and had fewer "gotchas" in there.

I've worked with customers who have used Purple Portal, for example, for their guest wireless access. In comparison to using Cisco ISE, Purple Portal adds an extra layer of complexity on all their guest networks running through a third party. This means that the customer will not have as much visibility into their guest users or control over what their guests see when they join the Wi-Fi network.

With Cisco ISE and the way the policies are built, it gives you a lot of freedom. It covers a wide range of potential solutions. Because each bit can be built together modularly, you can build anything with it. Therefore, Cisco ISE applies to so many different applications.

On a scale from one to ten, I would rate Cisco ISE at eight because it is a complex product and requires more technical ability to deploy it, though it fits many more solution requirements.

Cisco is the main player in networking and security. Having that backing behind our company gives us credence. We're proud to sell the products and to recommend them. Cisco's portfolio is what I would sell by choice. It just makes my job a lot easier.

We use it to secure our networks. We can secure our switches and wireless networks, basically everything.

We use it primarily for wireless security, but it can be used for many other things as well, like LAN and WAN security.

There is room for improvement in CLI. Most things are done through the GUI, and there aren't many commands or troubleshooting options available compared to other Cisco products like switches and routers. We have more visibility on the CLI for those devices, but the GUI seems limited. Moreover, sometimes, GUI seems very pathetic. 

I have experience working with this solution. I have been using it for four to five years. We still use the old version, but we plan to migrate to the new version soon because they recently changed their licensing model.

The product is stable. We don't face many challenges. It's stable, so  I would rate it around a nine out of ten.

The product is scalable. I would rate the scalability a ten out of ten. We have medium-sized businesses as our clients. 

There was some delay.

Positive

Setup wasn't difficult because we already had a solution in place. It was very easy to install.

The deployment definitely took weeks.

I would rate the pricing an eight out of ten, one being cheap and ten being expensive.

Overall, I would rate the solution a nine out of ten. 

We use the solution for RADIUS authentication, device authentication, and TACACS. We also use it for Wi-Fi and guest portals.

I like the logging feature. I like that I can look at the logs for authentication issues.

I don't like the fact that we can see the logs only for 24 hours. Maybe that happens because of the way we set it up.

I have been using the solution for six years.

The stability solution is really good. Once we get it up and running, it's great. We have to do a major upgrade, and I'm not as thrilled with the upgrades as I am with just a day-to-day job integration. Upgrades aren't my favorite thing.

The product’s scalability is great. We do not have any issues. We could scale it up without any problems.

Sometimes support is better than others. It depends on who you get. Some guys are really sharp, and for some guys, it takes a little bit longer to get the thing escalated.

Neutral

We used Secure ACS, which was a Cisco tool. Cisco discontinued support for it, so we switched to Cisco Identity Services Engine.

The product runs. It does what it needs to do, and we don't have to touch it most of the time. From that standpoint, we have an ROI.

The product didn't really have a whole lot of competitors at the time. Aruba ClearPass was probably the only other competitor. We were getting rid of Aruba from our wireless. Identity Services Engine was just farther ahead than ClearPass at that time.

We have a lot of things we use for detecting threats. We use the product more for authentication issues and stuff like that. We don't use it to identify threats per se. We have other tools.

The solution helps free up our IT staff. There are only a couple of us who are Cisco Identity Services Engine administrators. In that way, other people can do other things. Once we set up the solution, there's really not a whole lot of maintenance to it. I don't know how many hours it saves. It just works, and we don't have to touch it most of the time. It does its job.

We were using Cisco ACS before using the product. We changed tools and upgraded. The tool helps us improve cybersecurity resilience. We use it for RADIUS and to validate users. There are a lot of tools that we use. Cisco Identity Services Engine is a good tool. It does 802.1X and RADIUS very well. Cisco shop is the way to go.

Overall, I rate the solution a nine out of ten.

We use it for NAC and wireless, and for our TrustSec policy. These are the three primary use cases we have so far.

It's a network access control solution for us. Previous to Cisco ISE, we didn't have one, so, from a security standpoint, it increased our security visibly.

It has enhanced our security. We have a solution now that can protect us at the access layer, which we didn't have before.

It has helped to consolidate any tools or applications. We only have to use one product for RADIUS, TACACS, and authentication servers. NAC and other things are consolidated into one system, which is nice.

It has helped our organization improve its cybersecurity resilience. The security at the access layer through NAC has been nice, and then the ability to enforce policies dynamically using profiling and NAC and TrustSec is good.

With NAC, the profiling feature is valuable. We're able to see what we have out there in the network and dynamically assign policies to it. We can then use that to enforce TrustSec policy or anything else with NAC. 

There should be more visibility into TrustSec policy actions. When TrustSec blocks something or makes any kind of changes to the network, we don't always see that. We have to log into the switch itself, or we have to get some type of Syslog parsing to do that. Cisco DNA Center may do it, but it would be better if that was integrated into Cisco ISE.

In terms of securing our infrastructure from end to end so we can detect and remediate threats, it's a little bit difficult in terms of visibility, but, generally, we would just go through the logs and see if there's a problem or not.

I've been working in this organization for three to four years, and they have been using it prior to my joining. 

It's very stable for us.

It isn't something we have had to deal with.

They're pretty good. Compared to others, Cisco is probably above average. With Cisco TAC, usually, if the first level doesn't resolve it, you can get up to a higher level within a day or two, which is better than a lot of other vendors we've been working with lately, such as Palo Alto. Cisco tech support is doing pretty well. I'd rate them a seven out of ten. Being able to access higher-level engineers and escalate things more quickly is always going to improve any case.

Neutral

Before Cisco ISE, we didn't have a similar solution.

It was implemented before I joined, but it was probably phased. It was first for wireless and then became more of a NAC thing. It was a long process. It was somewhat difficult just because of how much was required of it. I don't think it was particularly painful.

We get a return on investment from it. It's a solution that's often required for IT insurance, etc. It's definitely needed but do we need to have one from Cisco? I don't know, but there's definitely an ROI there.

To someone researching this solution who wants to improve cybersecurity in their organization, I'd say that make sure you know what you're getting into. Understand and have a good plan going into it and have operational support for not just networking, but also help desk and other IT teams before deploying this solution.

I don't know if Cisco ISE has saved us any time because it's an enhancement to our security that we didn't have before. It probably takes a little more time than not having it. Having no security is super easy because you don't have to worry about anything, but if you have any security product, you have to do work to support that.

Overall, I'd rate Cisco ISE an eight out of ten.

One of our use cases is using it for authentication for the wireless. Our internal corporate network is using the Cisco ISE server to authenticate clients and make sure that we have the right clients on the wireless side, as well as on the wired side. We just introduced that about a year ago to make sure all our wired clients are our clients and not some "rando" plugging into the network.

Definitely, getting away from pre-shared keys has been the biggest key. It is allowing users to connect to the internal network, the employee's network, from anywhere, across the entire US. It is allowing that ease of use. 

It's also allowing us to see what's connected to the network. We can see that there are only really clients. We can see what's connected on the wired side and what's getting blocked, and understand [things] from our users. "Okay, that's getting plugged in. What do you guys use this for?" It's adding a layer of defense that's super important to our organization.

I don't think we've gotten away from trust completely, but it has helped a lot. It's allowed, on the server side and on the infrastructure side, to allow certain clients. We don't have to trust the client necessarily. We know that that's a corporate client and we don't have to play any guessing games. The corporate client that we want on that specific network is going to have the right cert and the right thing. It allows access control without a lot of human involvement.

It's helped significantly. We have fewer IoT devices on internal networks and that's the key. Your clients have the right firewall protections and the right anti-virus. Those are on the internal network so you're not putting stuff [on it] that you don't know whether it has a security vulnerability or if it's easily hacked. You're allowing those to be in separated networks that silo them off with a PSK. And you're keeping the internal network to clients that you know are protected.

[One of the most valuable features] is just the ease of use. It's pretty simple to set up certs that we can add to our clients to make sure that they connect properly, [as is] whitelisting Mac addresses. 

It also integrates really well with some of our other services like ServiceNow. A ticket comes in and then, boom, it's automatically going to the ISE, and then ISE is allowing that client with that Mac address to get on the network easily.

[In addition, regarding establishing trust for every access request, no matter where it comes from] it does the job. It's a perfect solution in order to manage a large corporate network.

It allows that access control [for a distributed network]. That's super significant. It allows you to segment things and allows only certain devices to access the network.

Automation [is an area for improvement]. It seems like everywhere I look, automation is super important. Automation and integrations. That's the area it could be improved, as we get more and more away from a lot of human involvement and [into] machine learning and just trusting that these systems could automatically help us.

My name is Edward Martinez. Network engineer. Our company has about 5,000 employees, and we're in the beverage industry.

[I've been using Cisco ISE (Identity Services Engine)] ever since I started. That was one of the main services that I had to understand and get involved with as soon as I started at our company.

I haven't had many issues in terms of its stability. It doesn't really ever go down. Anytime we ever have any issues with it, it's usually human error.

In the past, I've always had pretty good support from Cisco. Their TAC is really good. They're pretty straightforward. I haven't had many experiences with ISE, honestly. It works so well we haven't had to reach out too much.

I would rate their support about a nine out of 10. It works most of the time. It depends on the engineer you run into. It depends on the people you deal with.

Positive

[The main challenge] was authentication and not using PSK, traditional pre-shared keys. They wanted to get away from pre-shared keys; people share them. They wanted something that would allow clients to just connect automatically, not have a pre-shared key, and be secure. That's the most important part, making sure that the right clients are getting on our internal corporate network.

[Our company] was just using PSK and that solution was really built around access control of our corporate networks. They were using PSKs at every site and rotating those PSKs, or had site-specific PSKs. Now, when somebody comes into the office, they can just connect to the employees' network automatically, and it's the same across the board at every site. 

It was this idea that we needed to simplify things. We needed to make it easier on our users to go into an office and connect to the internet and not have to ask an IT guy there or make a ticket. That was the important part.

I've just been involved with the secondary deployment, using the ISE on our wired ports.

It was pretty straightforward. It was funny. We did it during COVID so it was really easy when nobody was in the office to implement the solution. It kind of worked out that way, when there was nobody in the office.

But otherwise, people have started to come back and we haven't had really many issues in terms of authentication. It's really easy. People have wired in and if their client has the right cert, it's been a breeze. They've been authenticated and it takes a minimal amount of time.

We have an operations partner that we deal with pretty often. It's an Austrian company, NTS. They work with Cisco a lot on our solutions and, obviously, we're evaluating it with them and then making choices based off of that. I'm the onsite hands. I do a lot of the configuration on the switches, but they're doing a lot of the advising.

You're seeing less tickets and you have fewer security issues. I think the return on investment is there. It has really improved our situation in our corporate offices.

Resilience is super important. The solution needs to be able to hold up and promise what it [intends] to deliver. In cyber security, that's super important because if you have any slight exploit, you're going to have malware attacks, ransomware attacks. That's [a] big [issue] in our company as, more and more, you hear about legacy systems being affected. These legacy systems sometimes don't go away. Sometimes you need them. You have to do your best to either patch them up or protect them either through a firewall or an access control system. 

[It's about] protecting the network infrastructure from exploits and really allowing us to segment IoT devices and the corporate network. And because [on] the corporate network, once you get into it, there really isn't anything protecting against accessing critical storage systems, accessing mission-critical servers, [or] our sales numbers, it's super important that we have the ISE so that we're only allowing the things that we want into the network that we trust.

[What I would tell leaders who want to build more resilience within their organization would be] evaluate solutions, prioritize it, get manpower behind it. Also, too often they put cyber security on the back burner. They're trying to maintain operations and sometimes cyber security can get in the way of operations. But trust that system, once you build it up, will protect you and that it's worth the investment in terms of money, labor, and time.