We are currently evaluating ForeScout and ISE, and one of the areas we are not 100% sure about is the ability to centrally manage and authenticate wireless access across multiple remote locations with local internet connectivity. Our wireless currently sits outside the corporate network for PCI compliance purposes, and we have a good handle on how the ISE architecture would look for this, but would like more info around how ForeScout handles this from a real user.
Unfortunately I don't have any exposure to ISE...
As far as authentication of wireless devices on ForeScout, it's easy to hijack and present an AD login page provided you allow the hijack traffic through the ACLs, as the appliance already has LDAP connections with your AD controllers... I recommend allowing 443/TCP through the firewall and encrypting your pages for obvious reasons, of course.
We don't use AD authentication on our visitor networks, and we've toyed with, but not deployed, guest registration, which is where I'm drawing my experience. The guest registration allows an independent user database to be maintained by ForeScout, associating the selected fields with the device for which it was derived. With that, you can also choose guest authorization, which would send an email to a selected individual (or a member of an email domain) to approve the guest. Again, we've toyed with it, but haven't gone to deploying such a solution, as we've determined that while we use the hijack for information on our rules, and an 'accept' for the legal individuals, very limited value was anticipated by taking it to full registration. In addition to that, we have a number of devices that don't have a generic user interface which would be impacted by such a solution. Examples of this would be beverage machines, PPE dispensers, etc.
Let me know if you need any more information.
Without knowing too much about your environment, I will try to give you some insight on a remote location deployment. You are looking at two methods to authenticate, and the choice will most likely be driven by two things: security or compliance posture, and user experience.
In the first method, ForeScout can directly manage the Wireless LAN Controller and passively inspect the endpoint without the need for an agent. This inspection is based upon your security criteria on the wireless network. There are key things you want to think about when designing wireless. Are they all employees and you need to keep non-employees off? Are you solving for BYOD or guest devices? What are the standards or health of a device I want on this network? If the device doesn't meet a certain criteria you have chosen, ForeScout can tell the Wireless LAN Controller to restrict or deny access to that endpoint.
This passive method is great for user experience, management, and simplicity, as only the offenders will experience any network restrictions. The accepted risk is that the device will be connected on the wireless for 20-30 seconds while this interrogation is happening. There are always trade-offs =)
If the risk is too high during that 20-30 seconds, ForeScout can deploy and leverage 802.1X in the same manner you are familiar with in Cisco ISE. This method has greater security, but user experience is usually a bit lower, and complexity is a bit higher. ForeScout does not require the use of an agent and can use the built-in Windows supplicant as well for authentication. Once the device is authenticated, ForeScout can continually monitor the endpoint for health and hygiene without the need for an agent. If at some point the security or compliance posture changes, a CoA (Change of Authorization) can be sent to the WLC to take restrictive actions such as restricting or blocking access in general.
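As an added example that is not from this thread or from ForeScout's own code, here is what the CoA described above looks like on the wire per RFC 5176: the NAC controller sends a CoA-Request carrying a restrictive Filter-Id (or a Disconnect-Request) for the client's MAC, and the WLC accepts it only if the Request Authenticator matches the shared secret. The ACL name, MAC address and secret below are constructed placeholders; real WLCs often take vendor-specific attributes instead of Filter-Id.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 5176 / RFC 2865.
COA_REQUEST = 43              # change the session's authorization (e.g. push an ACL)
DISCONNECT_REQUEST = 40       # tear the session down entirely
ATTR_FILTER_ID = 11           # Filter-Id: name of an ACL already defined on the WLC
ATTR_CALLING_STATION_ID = 31  # identifies the wireless client by its MAC address

def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def request_authenticator(code, identifier, attrs, secret):
    """RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs)) + bytes(16)
    return hashlib.md5(header + attrs + secret).digest()

def build_request(code, identifier, client_mac, secret, acl_name=None):
    """Build a CoA-Request (with a restrictive Filter-Id) or a Disconnect-Request."""
    attrs = attribute(ATTR_CALLING_STATION_ID, client_mac.encode())
    if code == COA_REQUEST:
        if acl_name is None:
            raise ValueError("a CoA-Request must carry the new authorization")
        attrs += attribute(ATTR_FILTER_ID, acl_name.encode())
    auth = request_authenticator(code, identifier, attrs, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs

def verify_request(packet, secret):
    """WLC side: accept only requests whose authenticator matches the shared secret."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = request_authenticator(code, identifier, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

if __name__ == "__main__":
    # Constructed sample values; the shared secret is a placeholder, not a real one.
    secret = b"example-shared-secret"
    quarantine = build_request(COA_REQUEST, 7, "00-11-22-33-44-55", secret, "QUARANTINE_ACL")
    print(len(quarantine), verify_request(quarantine, secret))  # 55 True
```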
ForeScout has a guest solution, but it's somewhat limited. Aruba ClearPass is better equipped to help based on scalability, branding, ability to create separate portals based on location, domain of business, credential creation and distribution, and enforcement capabilities. While ForeScout has RADIUS and .1X capabilities, they're known for SNMP enforcement. If your IP addressing scheme uses different 10.x.x.x networks in the remote locations or inside, you may run into problems as well.
Not knowing your environment fully, I would have to make a couple of assumptions...
First of all, I would make sure whatever wireless technology you are using is supported by ForeScout CounterACT, if you have not already done so.
Then the architecture for using ForeScout to control and act upon policies you construct for your wireless users will first require that the ForeScout scanner (virtual or physical) resides on the network your wireless is on, since it is outside your corp network. You could set up access through the firewall if you wanted to place the scanner internally for controlling network access for corp network devices as well.
Including remote sites would be dependent on how you are connecting over the internet. One way I know works is if you have set up VPN site-to-site tunnels for the remote locations. The ForeScout will see those addresses across the tunnel and be able to control them as long as you configure the wireless LAN controller (assumption: you have these at each site) on the ForeScout.
You would set up the mirror (SPAN) port on the network device that has access to gather the information on the wireless (where APs are connected) and connect that to your ForeScout.
I would check with a ForeScout rep and SE to verify and answer additional questions, since I have limited knowledge as compared with them.
Thanks for the feedback. I think we have a handle on wireless for authenticated users with 802.1X, but how does ForeScout handle guest users on wireless? We are using Cisco WLC/APs already and need to provide QoS restrictions based on user type (Exec/Business/Guest) for wireless, and are doing this today via dedicated SSIDs. Thanks!
Hi, first question: are these remote locations connected to the Internet via a single egress point at the HQ?
Secondly, do you serve DHCP centrally or at each of the remote sites?
If your response is no to the first question, then you would require a separate ForeScout appliance at each location, to be managed by an Enterprise Manager (central device used to manage multiple appliances). You can then do your policy configuration and other administrative tasks from the EM.
If you need further details, check us out at SMSAMdotnet.
My apologies but I do not have any experience with ForeScout.
I have experience with both Cisco ISE and ForeScout CounterACT.
For wireless, as it uses 802.1X for the authentication, I believe Cisco ISE would be a great fit due to its robust 802.1X implementation.
ForeScout is great for passive authentication using WMI and RPC. Although 802.1X is available, they never recommend using 802.1X on it.
Hope this answers your question.