Cisco Identity Services Engine (ISE)

Cisco ISE is best suited for almost all types of infra, it doesn't matter whether it's small or large. It provides zero trust architecture and compliance checks on endpoints before allowing users to connect to the office network. We can automate the entire BOYD on-boarding process and guest management process to save time.

If a colleague were to ask me what to use as an authentication server I would only recommend Cisco ISE. The in-depth policies that you can create make it extremely handy when you want to make an authentication rule as specific as possible. Even if only needed a simple RADIUS server I would still recommend Cisco ISE over anything else.

Cisco ISE is an amazing Network Access Control system. Network access authentication and authorization policies are made easy to create and maintain. ISE spreads its wings when combined with Cisco's networking hardware - switches, wireless LAN controllers, firewalls, etc. However, leveraging ISE services when other vendor networking hardware is deployed isn't impossible nor difficult - it is simple, effective, and pleasant to configure and manage too, but a few fairly advanced features might not be available. With the recent version available for the public cloud, there is no scenario where using ISE might be less appropriate than other vendors' NAC products.

It's one of the best tools for endpoint management and security of networks. It also decreases the administrative part on switch management, streamlined network visibility, robust guest experiences, extensive policy enforcement, [and] self-service device onboarding. Centralized management is the core of this tool. Device administration access control and auditing [are] also important features.

Cisco Identity Services Engine is most suitable for organizations having a larger number of employees or department groups. ISE helps to reduce network IT operations costs and manual interventions as well. We may apply the network IT policies smoothly and ensure only secure network access.

ISE is well suited for organizations that use all modern Cisco switching equipment and want to control port access as well as implement the least privileges with micro-segmentation.

Cisco Identity Services Engine (ISE) is well suited for companies that wish to keep their access restricted. Cisco Identity Services Engine (ISE) is great at AAA (authentication, authorization, and accounting) of users who log in either physically, or virtually via a client remote access VPN. Cisco Identity Services Engine (ISE) might be less appropriate for those who are on a strict budget or don't necessarily care about security.

Cisco ISE is a great addition to any mid to large size business where you'd like to manage all your device authentication in one place. Cisco ISE will handle all your TACACS, MAB and 802.11x needs in a single pane of glass, which is great in itself, but you can also use it to manage VPN ACLs amongst other things.

With all that said, ISE would be complete overkill for a smaller business as it's very expensive and would have too many features that would be wasted on a smaller network environment.

Overall, management is not terrible if you have a stable network that is not overly complex. If you don't, this product will take considerable time to plan for an effective solution. I will say support is not very helpful, so if you need assistance after the initial sales rep assisted setup, good luck and be prepared to spend hours on the phone.

ISE is well suited for companies that wish to keep their access restricted. ISE is great at AAA (authentication, authorization, and accounting) of users who log in either physically, or virtually via a client remote access VPN. ISE might be less appropriate for those who are on a strict budget or don't necessarily care about security.

Cisco Identity Services Engine (ISE) is well suited to secure company internal network, for guest authentications, to onboard personal devices, for posture checks and multiple other facilities. ISE can also provide passive context and pxgrid services.

In my humble opinion, Cisco ISE is a highly recommended product. There are multiple application scenarios but I consider that if some of the following premises are met, I would not hesitate to go for it:
- Network authentication based on LDAP or Certificates is required
- Authentication, authorization and accounting are required for administrative access.
- Granular permission delegation is required.
- It seeks to automate actions at the network access level based on security risks in real time.

We deploy Cisco Identity Service Engine (ISE) to provide the following types of services:

• Network device administration - provide AAA services (Authentication, Authorization & Accounting) for any IT users who need to access Cisco routers, switches and firewalls
• 802.1x - Network Access Control for any users accessing the network as a wired, wireless or VPN client
• Profiling services - used to profile new devices on the network and is particularly useful for devices that do not support 802.1x (e.g. some IP phones)
• A whole host of other functionality is available with particular use cases

I do think that Cisco ISE may not be appropriate for really small networks, due to the purchase costs and complication of management.

Cisco support is second to none, both in terms of how you access support but also the knowledge of the individual support teams. If you focus on one technology and provide "manufacturer support" then you can rest assured that you are accessing Cisco's top individuals.

I feel like this is a USP for Cisco support.

If you really want to do advanced authentication with profiling, posturing, etc. ISE really is a great solution. However, if you are looking for a very basic authentication solution with no further visiblity or authentication flows, cheaper solutions are available from many different vendors. Although I have only experienced Microsoft Network Policy Server as another solution, I must say that ISE is easier to troubleshoot endpoint problems and have more visibility all around.

For us the solution is very easily useable on its own. Perhaps that has to do because we started using ISE in the 1.2 days and have seen it grow during the years. Policy creation, etc. is all very visible and thus easy to use. Deployment of multiple nodes is also incredibly easy and flexible. You can easily add or remove nodes as you wish.

We usually see very little issues, but when we do our support partner usually makes contact with TAC in order to get us going again. We usually see frequent patches in the works for ISE.

Cisco ISE is well suited as an 802.1x authentication server. Other features come on top of it to accurately make the network decide who connects to what in a very secure way. Yes, there are other vendors with the same capability but I suspect that they do not have the same feature set as ISE.

It requires an expert in the ISE to be able to operate it. It requires lots of reading to be able to accomplish what you need, and yes, such solutions are expected to be complex.

Skilled TAC when it comes to such product, nothing more to say.

If you have just a few device types, fairly flat network (a limited number of VLANs and remote sites, for instance), or don't need exceptions to rules or non-802.1x devices, it might be good for you. Or if you just need guest on-boarding, then that might be a good system. But, then again, if that's your environment, then maybe you just go with the Meraki line.

Again, this should be a huge zero! So many calls back to support, hotfixes, and escalations. Once you get past the basics, you change one thing and two things break. Hours on the phone with support, time on hold with "I need to check with xyz. Hang on." Our network infrastructure is mostly Cisco, so it's not like we can blame it on a lot of non-Cisco components. And when unrecognized devices came on-board, there was a whole new set of issues that had to be escalated.

We have hundreds of devices, and it's great that we can manage them from one system. We have different vendors and Cisco ISE handles them all. We are a corporate environment where every team uses different systems and has different needs. Cisco ISE and very robust and can handle pretty much all situations and devices. We use this where TACACS is dipping into our AD system and it works great. Cisco ISE would be less Ideal if you are not using a TACACS or Radius and just have users. You could add all the users into ISE, but that seems like a lot of work.

You can always get someone to talk to right away, and I love that they have chat. For the most part, even their first contact reps are very knowledgable. With this being a Cisco product, there are a ton of online documentation and forums where you can get expert help.