2017-02-23T21:01:00Z
PeerSpot user
Director of Global Technology Infrastructure at a tech services company with 10,001+ employees

ForeScout vs. Cisco ISE

We are currently evaluating ForeScout and ISE, and one of the areas we are not 100% sure about is the ability to centrally manage and authenticate wireless access across multiple remote locations with local internet connectivity. Our wireless currently sits outside the corporate network for PCI compliance purposes, and we have a good handle on how the ISE architecture would look for this, but would like more info from a real user on how ForeScout handles this.

Thanks!

8 Answers
Michael Varga - PeerSpot reviewer
IS-Operations Security Analyst at a energy/utilities company with 10,001+ employees
Real User
2017-02-27T23:22:32Z
27 February 17

Unfortunately I don't have any exposure to ISE...

As far as authentication of wireless devices on Forescout, it's easy to hijack and present an AD login page provided you allow the hijack traffic through the ACLs, as the appliance already has LDAP connections with your AD controllers... I recommend allowing 443/TCP through the firewall and encrypting your pages for obvious reasons, of course.

We don't use AD authentication on our visitor networks, and we've toyed with, but not deployed, guest registration, which is where I'm drawing my experience. The guest registration allows an independent user database to be maintained by Forescout, associating the selected fields with the device for which it was derived. With that, you can also choose guest authorization, which would send an email to a selected individual (or a member of an email domain) to approve the guest. Again, we've toyed with it, but haven't gone to deploying such a solution, as we've determined that while we use the hijack for information on our rules, and an 'accept' for the legal individuals, very limited value was anticipated by taking it to full registration. In addition to that, we have a number of devices that don't have a generic user interface which would be impacted by such a solution. Examples of this would be beverage machines, PPE dispensers, etc.

Let me know if you need any more information.

PeerSpot user
Director of Systems Engineering Enablement at ForeScout Technologies Inc.
Vendor
2017-02-24T19:46:06Z
24 February 17

Stephen

Without knowing too much about your environment, I will try to give you some insight on a remote location deployment. You are looking at two methods to authenticate, and the choice will most likely be driven by two things: security or compliance posture, and user experience.

In the first method ForeScout can directly manage the Wireless LAN Controller and passively inspect the endpoint without the need for an agent. This inspection is based upon your security criteria on the wireless network. There are key things you want to think about when designing wireless. Are they all employees and you need to keep non-employees off? Are you solving for BYOD or guest devices? What are the standards or health of a device I want on this network? If the device doesn't meet a certain criteria you have chosen, ForeScout can tell the Wireless LAN Controller to restrict or deny access to that endpoint.

This passive method is great for user experience, management, and simplicity as only the offenders will experience any network restrictions. The accepted risk is that the device will be connected on the wireless for 20 - 30 seconds while this interrogation is happening. There are always trade-offs =)

If the risk is too high during that 20-30 seconds, ForeScout can deploy and leverage 802.1x in the same manner you are familiar with in Cisco ISE. This method has greater security, but user experience is usually a bit lower, and complexity is a bit higher. ForeScout does not require the use of an agent and can use the built-in Windows supplicant as well for authentication. Once the device is authenticated, ForeScout can continually monitor the endpoint for health and hygiene without the need of an agent. If at some point the security or compliance posture changes, a CoA (Change of Authorization) can be sent to the WLC to take restrictive actions such as restricting or blocking access in general.
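The CoA step this answer ends on, as an added example that is not part of the post and not ForeScout's or Cisco's code: a minimal RFC 5176 CoA-Request encoder together with the shared-secret integrity check the receiving WLC performs before it acts on a request. The shared secret, MAC address and Filter-Id value are constructed for the example.

```python
# Added example, not code from the PeerSpot thread or from ForeScout: a minimal
# RFC 5176 CoA-Request encoder and the shared-secret check a WLC/NAS performs
# before acting on one. The secret, MAC address and Filter-Id are constructed.
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # RFC 5176 packet codes
ATTR_FILTER_ID, ATTR_CALLING_STATION_ID = 11, 31    # RADIUS attribute types

def encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length."""
    out = b""
    for attr_type, value in pairs:
        value = value.encode() if isinstance(value, str) else value
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_coa_request(identifier, secret, pairs):
    """Return a CoA-Request. Its Authenticator is MD5 over
    Code|Identifier|Length|16 zero octets|attributes|secret (RFC 5176 s.2.3)."""
    attrs = encode_attrs(pairs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_coa_request(packet, secret):
    """WLC side: recompute the Request Authenticator with the shared secret.
    True only if the packet is intact and was built with this secret."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])   # constant-time compare

def parse_attrs(packet):
    """Return {type: value} for the attributes the enforcement point acts on."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            break                     # malformed TLV: stop rather than loop
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs
```

A WLC that skips the authenticator check would act on any CoA-Request from a spoofed source, so the shared secret and the source-address filtering on the CoA port are what make the enforcement path trustworthy.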

it_user575388 - PeerSpot reviewer
User at HP Enterprise
Vendor
2017-02-24T17:24:08Z
24 February 17

ForeScout has a guest solution, but it's somewhat limited. Aruba ClearPass is better equipped to help based on scalability, branding, ability to create separate portals based on location, domain of business, credential creation and distribution, and enforcement capabilities. While ForeScout has RADIUS & .1X capabilities they're known for SNMP enforcement. If your IP addressing scheme uses different 10.x.x.x networks in the remote locations or inside, you may run into problems as well.

it_user536484 - PeerSpot reviewer
Founder with 501-1,000 employees
Vendor
2017-02-24T16:44:35Z
24 February 17

Not knowing your environment fully, I would have to make a couple of assumptions...

First of all, I would make sure whatever wireless technology you are using is supported by Forescout CounterACT, if you have not already done so.

Then the architecture for using Forescout to control and act upon policies you construct for your wireless users will first require that the Forescout scanner (virtual or physical) resides on the network your wireless is on, since it is outside your corp network. You could set up access through the firewall if you wanted to place the scanner internally for controlling network access for corp network devices as well.

Including remote sites would be dependent on how you are connecting over the internet. One way I know works is if you have set up VPN site-to-site tunnels for the remote locations. The Forescout will see those addresses across the tunnel and be able to control them as long as you configure the wireless LAN controller (assumption: you have these at each site) on the Forescout.

You would set up the mirror (SPAN) port on the network device that has access to gather the information on the wireless (where the APs are connected) and connect that to your Forescout.

I would check with your Forescout rep and SE to verify and answer additional questions, since I have limited knowledge as compared with them.

PeerSpot user
Director of Global Technology Infrastructure at a tech services company with 10,001+ employees
Consultant
2017-02-24T16:06:03Z
24 February 17

Thanks for the feedback. I think we have a handle on wireless for authenticated users with 802.1x, but how does ForeScout handle guest users on wireless? We are using Cisco WLC/APs already and need to provide QoS restrictions based on user type (Exec/Business/Guest) for wireless, and are doing this today via dedicated SSIDs. Thanks!

SMSAM SYSTEMS LTD - PeerSpot reviewer
MD/CEO at a tech services company with 51-200 employees
Real User
2017-02-24T15:50:35Z
24 February 17

Hi, first question: are these remote locations connected to the Internet via a single egress point at the HQ?

Secondly, do you serve DHCP centrally or at each of the remote sites?

If your response is no to the first question, then you would require a separate ForeScout appliance at each location, to be managed by an Enterprise Manager (central device used to manage multiple appliances). You can then do your policy configuration and other administrative tasks from the EM.

If you need further details, check us out at SMSAMdotnet.

PeerSpot user
IT Manager, Infrastructure and Operations at a consultancy with 1,001-5,000 employees
Consultant
2017-02-24T15:49:49Z
24 February 17

My apologies but I do not have any experience with ForeScout.

PeerSpot user
Network System Administrator at a financial services firm with 501-1,000 employees
Vendor
2017-02-24T15:43:15Z
24 February 17

Hello,

I have experience with both Cisco ISE and ForeScout CounterACT.

For wireless, as it uses 802.1X for the authentication, I believe Cisco ISE would be a great fit due to its robust 802.1X implementation.

ForeScout is great for passive authentication using WMI and RPC. Although 802.1X is available, they never recommend using 802.1X on it.

Hope this answers your question.

Kind Regards,
Jay Shah
