Aruba ClearPass vs Forescout Platform comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Sep 29, 2022
 

Categories and Ranking

Aruba ClearPass
Ranking in Network Access Control (NAC)
2nd
Average Rating
8.6
Number of Reviews
75
Ranking in other categories
No ranking in other categories
Forescout Platform
Ranking in Network Access Control (NAC)
4th
Average Rating
8.4
Number of Reviews
73
Ranking in other categories
IoT Security (1st), Endpoint Compliance (4th), Extended Detection and Response (XDR) (14th)
 

Mindshare comparison

As of June 2024, in the Network Access Control (NAC) category, the mindshare of Aruba ClearPass is 23.4%, down from 28.5% compared to the previous year. The mindshare of Forescout Platform is 12.6%, up from 11.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Network Access Control (NAC)
Unique Categories:
No other categories found
IoT Security
10.3%
Endpoint Compliance
4.3%
 

Q&A Highlights

it_user781137 - PeerSpot reviewer
Sep 24, 2018
 

Featured Reviews

MN
Dec 8, 2022
Easy to use, integrates well with other Aruba solutions, and offers good performance
After HP, their support is the worst. When you come into the production part, you want to know how easily you can do the updates or how you can easily you can do the patching. Once it comes to the support, if it is in the middle of the day when you are having some issues, and you don't get it, that's where you start thinking this is not the right product. For me, I mean, overall, it's not the pre-sales experience that needs improvement. It's post-sales. I know Aruba is one of the two products that I always like; however, it's the whole life cycle of the product that makes something good. For example, Cisco is not a good product. No one can beat their support. Aruba is a good product, yet if you need technical assistance, it's not good at all.
ILAN-YACOBY - PeerSpot reviewer
Sep 7, 2022
Robust solution with great asset management
I use Forescout Platform in the construction industry to monitor connections to our cloud for ERP and file services Forescout Platform has made it possible to block people working near our construction sites who should not have access to our network. Forescout Platform's best feature is asset…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"ClearPass prevents hackers from accessing the network. No one can get inside without authentication. It provides a lot of features we are missing. It's incredibly powerful and stable."
"It is beneficial from a security perspective because not everyone can connect to our wifi without going through an authentication process."
"I would rate the stability a nine out of ten."
"Aruba ClearPass has improved the security control in our network environment."
"The most valuable features of Aruba ClearPass are the authentication mechanisms and the integration with Active Directory(AD)."
"The solution is highly stable."
"The most valuable feature is flexibility as it supports solutions from multiple vendors."
"ClearPass's best feature is its comprehensiveness."
"The valuable feature of the product stems from the fact that it is easy to implement."
"The most valuable feature of the Forescout Platform it's highly customizable and flexible."
"The most valuable features are remote access and administration scripts."
"We use the Forescout Platform for device visibility and control in our network. It's very helpful for tracking malicious or unusual activity. We use it to track which ports are open, which machines are running specific services, and to identify vulnerabilities. For example, there was a vulnerability related to SMB, and we could use the product to determine which machines inside our organization were allowing SMB traffic."
"The initial setup is easy, taking no more than two or three weeks."
"The product is very easy to work with and easy to deploy."
"The most valuable features of the Forescout Platform are NAC for sharing, Network Access Control, and port sharing of the devices."
"The actions that the agentless visibility, allow us to perform on the endpoint, are really amazing, especially in the way that it is done."
 

Cons

"The platform's API integration could be better. Additionally, its pricing could be affordable."
"Aruba ClearPass could improve the user interface, it is a bit chunky."
"Aruba ClearPass could improve the complexity of the initial usage. It takes some time to be good at it. It's not simple to build and connect the rules to the network you want to deploy them on."
"The initial setup phase of the solution was really very difficult, owing to which the setup phase can be considered as an area that can be improved."
"The improvement can be in the cloud area. They can improve it for the cloud so that we can deploy it on the cloud."
"The setup of ClearPass can be a bit convoluted at times."
"Aruba ClearPass could improve when it comes to troubleshooting, it can be difficult. Some advanced problems are difficult."
"Lacks the ability to handle more than one certificate for both the management process and the Captive Portal."
"Logging would be one area for improvement. When we're troubleshooting, there are not a lot of clear things on Google that we can look up for ourselves. When we have an issue with it, we have to call the company to get the vendors involved. The logging of Forescout is horrible compared to other things that we've used."
"This solution is not that easy to scale but this depends on a company's needs."
"The solution does have a bit of complexity, and there's some complexity in the deployment. Users need to be trained before undertaking an initial setup."
"The fact that Forescout Platform doesn't have a presence in the South African region is a weakness because of which you can't ask for help from them if you have any problems."
"Custom integrations need to be better."
"The licensing costs are quite high. With the amount of hardware we have, we need too many licenses to make the product effective and it's ultimately just too costly."
"Multitenancy should be included in the next version so it could be used as a managed service provider."
"Definitely, having more third-party integration would be an improvement."
 

Pricing and Cost Advice

"In terms of your fixed cost, it is much less than a lot of other solutions in the market. The initial cost is very high."
"The price of Aruba ClearPass is expensive. When you want to build redundant systems it can be seen as necessary, so the enterprise will manage all of those costs."
"The licensing cost for Aruba ClearPass is a bit expensive. Its pricing could be better. The license costs around $125,000 for the perpetual license and support for one year. Aruba can give you a license with five thousand endpoint access and one thousand five hundred onboard licenses on one hundred endpoints and two controllers."
"There is a license to use Aruba ClearPass."
"On a scale of one to ten, where one is cheap, and ten is too expensive, I rate the solution's pricing a six out of ten."
"The product is very costly."
"Run a 90 day free Proof of Concept (POC) for each product by implementing and using it fully in your environment. This way you will be educated on its features, functionality, and manageability.​"
"The price of Aruba ClearPass is expensive. However, Cisco ISE was as expensive when we were comparing."
"The tool's pricing is expensive but reasonable."
"The fact that we were allowed to spin up as many servers as we had need of to support our geographic requirements while paying for licensing as an enterprise truly set Forescout apart from the crowd and improved the way we could design our access."
"The price of Forescout is reasonable when compared to Cisco ISE."
"We have a very clear licensing model for business. I don't have to have a Ph.D. to be able to understand the licensing model as you might need for other solutions. If I know exactly what we want, it can tell you which license you need. The solution is easy for purchasing, ordering, and ease of deployment as well."
"There are no additional costs that I am aware of."
"It's about $160,000, but I'm not sure how long that is for or what it includes. Because we were a test base, we were provided with servers, but now, Forescout wants us to buy servers because those servers are now end-of-life or end-of-service. For our lifecycle management program, in order to get a refresh on those servers, we would have to buy servers or use our own network resources to house Forescout. Forescout takes up about 13 or 14 virtual CPUs."
"Forescout is more expensive than Cisco because Cisco gives high discounts."
"The ROI is priceless."
report
Use our free recommendation engine to learn which Network Access Control (NAC) solutions are best for your needs.
787,779 professionals have used our research since 2012.
 

Answers from the Community

it_user781137 - PeerSpot reviewer
Sep 24, 2018
Sep 24, 2018
Thank for your nice works. I am working on the similar type comparison between Fortescout, FortiNAC(Bradford) and ISE for a project in a healthcare organization.
See 2 answers
Sep 7, 2018
Hi Nkwa, I did some research comparing ForeScout with ClearPass. Fundamentally they do the same but in a very different ways. It is important to understand these differences and how they could help you to achieve or not what you need in your organization. I will only point these differences and not every single detail. This is based on my own experience and I do not represent either ForeScout or Aruba ClearPass. DISCOVERY PROCESS / Profiler - METHODS. • NetFlow or SFlow: ForeScout do not support Sflow only NetFlow. Is this important? Yes, it is if your switches are not Cisco or any other vendor that support the NetFlow protocol. ForeScout says: "This capability becomes more relevant in large scale deployments, where the CounterACT packet engine is limited in its "ability to detect activity in remote sites and branch offices". Use of information reported by NetFlow improves visibility and speeds detection of new endpoints." Reference: https:\www.forescout.com\wp-content\uploads\2018\04\CounterACT_NetFlow_1.2.pdf Page 3. ClearPass: NetFlow V5/V9 and V10 aka IPFIX + sFLOW are supported. Reference: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.6.3/Content/WhatsNew/NewFeatures_ProfilerNWDiscovery.htm ORCHESTRATE = Integration/Collaboration with other Systems. ForeScout: * ForeScout is able to interchange contextual information with 3rd party solutions, however the most of the contextual collaboration capabilities are available using an Extended Module option and ForeScout charges separately for this. Reference Links: https://www.forescout.com/platform/extended-modules/#cmt https://www.cdw.com/product/forescout-extended-module-for-palo-alto-networks-next-generation-firewall/4589573 https://www.cdw.com/search/?key=forescout&searchscope=all&sr=1 Clear Pass: * 140+ Integrations are included as part of the core solution. Basically, you can integrate ClearPass to anything in your IT infrastructure at no extra cost to share contextual information. Firewalls, MDM, TicketSystem, SIEM, etc.. Using build-in Modules or APIs. You can request as well customized APIs. Reference Link https://www.arubanetworks.com/partners/programs/security-exchange/ Reference Link https://www.arubanetworks.com/assets/so/SO_ClearPassExchange.pdf AGENT OR AGENTLESS? Basically, an agent based solution needs a software installed, while an agentless approach don't. Independently of what NAC solution you will use, it is important to understand if you need or not an agent. When a device connects to a network, the agent software performs some actions that have been defined in a central access controller or policy management platform. If persistent, the agent performs auto-remediation functions during a connection and will permanently monitor the device throughout a session to “fix” things that may change. The dissolvable agent: a user clicks on a web portal link to download the agent, which authenticates the user and device, checks the endpoint for compliance, and allows access to the network if policy conditions are met. It then disappears until the user runs it again. ForeScout ForeScout is proud to claim that they don’t require an agent (agentless approach NAC) but this is not completely true. ForeScout needs a “dissolvable agent” for authorization & compliance of unmanaged assets e.g. Employee BYOD, Contractor Laptops, printers, CCTV cameras, Smart TVs, etc. Agentless is fine when all your devices are Windows and all of them are under your management. For none windows devices you will need the dissolvable agent to perform health check and remediation. Based on this explanation having an agent or not is irrelevant for most of the cases. there many identities sources from where you can extract contextual information to help the NAC to do his work, examples are: AD, Wireless AP, End-Point protection software, SCCM, MDM, the Switches, the Firewall, etc... To do this you need integration, this is possible with ForeScout using the extended module /Plugins and normally paying the extra cost. Reference Link: https://www.forescout.com/wp-content/uploads/2018/08/Agentless-Visibility-and-Control-ForeScout-White-Paper.pdf ClearPass Clear pass can run with an agent and without the agent. It hast the persistence option, the dissolvable option for BYOD and Guest devices. It can be easily integrated to the mentioned identity stores at no extra cost. https://www.bradfordnetworks.com/agent-based-agent-less-other-understanding-the-different-ways-to-enable-nac/ http://community.arubanetworks.com/t5/Technology-Blog/When-and-why-agents-for-NAC-It-s-not-a-Secret/ba-p/256672 https://community.extremenetworks.com/extreme/topics/nac-vs-seperate-radius-server 802.1X RADIUS AUTHENTICATION OR NOT Here is one of the major differences. Both support Radius authentication. ClearPass see it like the most secure way to protect your network and ForeScout see it like something complex that you should try to avoid if possible, in my opinion. ForeScout * says: 802.1X presents several deployments, operational and troubleshooting challenges, particularly on wired networks. * To perform RADIUS-based network authentication you need a “Plugin” to forward the authentication requests to an external authentication Sever, like the Microsoft NPS. Page 10, Reference link , you will need as well a Switch Plugin for wired network RADIUS-based deployment and a Wireless plugin for wireless network RADIUS-based deployment. All this sounds like a complexity to me. * By not having 802.1x configured you save also configuring all switches on your network. Which is not a big problem because you do this once during the useful life of the switch. * Not build-in TACACS+ - centralized remote authentication to network devices like switches, routers, etc. Reference Link: https://www.forescout.com/wp-content/uploads/2018/04/CounterACT_RADIUS_4.3.pdf ClearPass: * Is build-in CA and if you like you can use an external CA as well. * Centralizing the radius authentication make the administration and configuration very easy because you don’t have to manage the NAC and the CA separated. * No plugin is needed for non-802.1x Auth and non-domain joined devices. In this case you can enforce machine authentication and many other security layers to allow non-domain devices to safely connect without a certificate. * non-domain devices can automatically or manually be provisioned using a guest network and dissolvable agent. * Integration with the Aruba Wireless system for Radius Authentication is very easy (if you own an Aruba Wireless Infrastructure) and no extra cost. You must configure your switches to work with 802.1x. This can be easily done using a template on HPE IMC. • Build in TACACS+ DEPLOYMENT AND INITIAL POLICY SETUP: ForeScout: preferred method is: I let you in then I find out who you are. • ForeScout CounterACT propose the Post-connect deployment strategy for network visibility and access control in which endpoints are initially allowed access to the network while CounterACT profiles them to determine ownership and compliance. Access to the network is then adjusted based on profiling results and security policy. Reference link: https://www.forescout.com/wp-content/uploads/2016/12/CounterACT-Deployment-Guide-Wired-Post-Connect.pdf This makes sense on new deployments because the NAC can be configured transparent to the end user with no dramatic impact. My question is: What is the process after deployment? Do I let you in then I find a good policy for you? ClearPass: preferred method is: I let you in if you tell me something about you. Then depending on the roles/policies this unknown device will be moved to a quarantine VLAN for remediation or moved to a dead end VLAN. At the same time this will trigger a ticket to helpdesk and a message to the user to know what is happening and what is the next step. SUPPORT, SERVICE and DOCUMENTATION: ForeScout: • The references are very good everywhere you read in internet. Also, the expertise of their engineers. You can browse a little and it won't be hard to find references. Online support, documentation, communities (forescout Chatter), etc. Aruba/HPE The references are very good everywhere you read in internet. Also, the expertise of their engineers. You can browse anywhere on internet and it won't be hard to find references. Online support, documentation, communities (aruba airheads), etc. PRICE: This will depend on many factors. I would suggest that you consult both and make your own decision.
ZF
Sep 24, 2018
Thank for your nice works. I am working on the similar type comparison between Fortescout, FortiNAC(Bradford) and ISE for a project in a healthcare organization.
 

Top Industries

By visitors reading reviews
Computer Software Company
17%
Government
9%
Manufacturing Company
7%
Financial Services Firm
6%
Educational Organization
29%
Computer Software Company
11%
Government
8%
Financial Services Firm
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

Which is better - Aruba Clearpass or Cisco ISE?
Aruba ClearPass is a Network Access Control tool that gives secure network access to multiple device types. You can adapt the policies to VPN access, wired, or wireless access. You can securely ...
What is the biggest difference between Aruba ClearPass and FortiNAC?
I've done quite a lot of work with ClearPass, and not a lot with FortiNAC/Bradford. ClearPass incorporates a number of different functions including ClearPass Guest for creating complex wireless g...
What do you like most about Aruba ClearPass?
If you are looking at the base installation, then it was a very straightforward process, which I would rate an eight or nine out of ten.
What advice do you have for others considering Forescout Platform?
Forescout is a very powerful NAC product that does not rely on port level configuration. It can detect and block unauthorized devices very quickly. But it has a lot of capabilities and really would...
What advice do you have for others considering Forescout Platform?
I would rate the Forescout Device and Visibility Control Platform at a six out of ten.
What advice do you have for others considering Forescout Platform?
I recommend doing a compression demo. If people use it, they will buy it. So they have to see the product in place. That's the main recommendation is to do a proof of concept. If they do, they will...
 

Also Known As

Avenda eTIPS
Forescout Platform, CounterACT for Endpoint Compliance, ForeScout CounterACT
 

Overview

 

Sample Customers

Consulate Health Care, Los Angeles Unified School District, Science Applications International Corp (SAIC), San Diego State University, KFC, ACTS Retirement-Life Communities
NHS Sussex, SAP, SEGA, Vistaprint, Miami Children's Hospital, Pioneer Investments, New York Law School, OmnicomGroup, Meritrust
Find out what your peers are saying about Aruba ClearPass vs. Forescout Platform and other solutions. Updated: May 2024.
787,779 professionals have used our research since 2012.