2017-02-23T21:01:00Z
it_user440322 - PeerSpot reviewer
Director of Global Technology Infrastructure at a tech services company with 10,001+ employees

ForeScout vs. Cisco ISE

We are currently evaluating ForeScout and ISE and one of the areas we are not 100% sure about is the ability to centrally manage and authenticate wireless access across multiple remote locations with local internet connectivity. Our wireless currently sits outside the corporate network for PCI compliance purposes and we have a good handle on how the ISE architecture would look for this but would like more info around how ForeScout handles from a real user.

Thanks!

8 Answers
MV
IS-Operations Security Analyst at a energy/utilities company with 10,001+ employees
Real User
Top 10
2017-02-27T23:22:32Z
Feb 27, 2017

Unfortunately I don't have any exposure to ISE...

As far as authentication of wireless devices on Forescout, it's easy to hijack and present an AD login page provided you allow the hijack traffic through the ACLs, as the appliance already has LDAP connections with your AD controllers... I recommend allowing 443/TCP through the firewall and encrypting your pages for obvious reasons of course.

We don't use AD authentication on our visitor networks, and we've toyed with, but not deployed, guest registration, which is where I'm drawing my experience. The guest registration allows an independent user database to be maintained by Forescout, associating the selected fields with the device for which it was derived. With that, you can also choose guest authorization, which would send an email to a selected individual (or a member of an email domain) to approve the guest. Again, we've toyed with it, but haven't gone to deploying such a solution, as we've determined that while we use the hijack for information on our rules, and an 'accept' for the legal individuals, very limited value was anticipated by taking it to full registration. In addition to that, we have a number of devices that don't have a generic user interface which would be impacted by such a solution. Examples of this would be beverage machines, PPE dispensers, etc.

Let me know if you need any more information.

it_user615690 - PeerSpot reviewer
Director of Systems Engineering Enablement at ForeScout Technologies Inc.
Vendor
2017-02-24T19:46:06Z
Feb 24, 2017

Stephen

Without knowing too much about your environment I will try to give you some insight on a remote location deployment. You are looking at two methods to authenticate and the choice will most likely be driven by two things, security or compliance posture, and User experience.

In the first method ForeScout can directly manage the Wireless Lan Controller and passively inspect the endpoint without the need for an agent. This inspection is based upon your security criteria on the wireless network. There are key things you want to think about when designing wireless. Are they all employees and you need to keep non-employees off? Are you solving for BYOD or guest devices? What are the standards or health of a device I want on this network? If the device doesn't meet a certain criteria you have chosen, ForeScout can tell the Wireless Lan Controller to restrict or deny access to that endpoint.

This passive method is great for user experience, management, and simplicity as only the offenders will experience any network restrictions. The accepted risk is that the device will be connected on the wireless for 20 - 30 seconds while this interrogation is happening. There are always trade-offs =)

If the risk is too high during that 20-30 seconds, ForeScout can deploy and leverage 802.1x in the same manner you are familiar with in Cisco ISE. This method has greater security but user experience is usually a bit lower, and complexity is a bit higher. ForeScout does not require the use of an agent and can use the built-in Windows supplicant as well for authentication. Once the device is authenticated ForeScout can continually monitor the endpoint for health and hygiene without the need of an agent. If at some point the security or compliance posture changes, a COA (Change of Authorization) can be sent to the WLC to take restrictive actions such as restricting or blocking access in general.
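The two enforcement modes described in this answer (passive post-connect inspection with an accepted grace window, versus 802.1X gating before access, with a CoA to the WLC when posture later changes) can be modelled as a small decision function. This is an added illustration, not ForeScout or Cisco code; the posture attributes, the 30-second window and the "allow/restrict/deny" action names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed simulation of the NAC decision flow discussed above.
# Real CounterACT/ISE policy properties and action names differ.
GRACE_SECONDS = 30  # passive mode: endpoint stays connected while inspected


@dataclass
class Endpoint:
    mac: str
    domain_member: bool      # corporate-joined (keeps non-employees off)
    av_running: bool         # agentless "health" check
    patch_age_days: int      # agentless "hygiene" check
    authenticated: bool = False  # 802.1X result, used only in dot1x mode


def posture_ok(ep: Endpoint) -> bool:
    """Assumed policy: domain member, AV running, patched within 30 days."""
    return ep.domain_member and ep.av_running and ep.patch_age_days <= 30


def passive_decision(ep: Endpoint, seconds_connected: int) -> str:
    """Passive mode: full access until inspection finishes, then enforce."""
    if seconds_connected < GRACE_SECONDS:
        return "allow-pending"   # the accepted-risk window from the answer
    return "allow" if posture_ok(ep) else "restrict"


def dot1x_decision(ep: Endpoint) -> str:
    """802.1X mode: no access before authentication; posture applied after."""
    if not ep.authenticated:
        return "deny"
    return "allow" if posture_ok(ep) else "restrict"


def posture_change(ep: Endpoint, previous: str) -> Optional[str]:
    """Continuous monitoring: return a CoA action for the WLC only if the
    posture result differs from the action currently in force."""
    now = "allow" if posture_ok(ep) else "restrict"
    return None if now == previous else f"coa:{now}"


if __name__ == "__main__":
    laptop = Endpoint("aa:bb:cc:dd:ee:01", True, True, 5)   # constructed
    print(passive_decision(laptop, 10), passive_decision(laptop, 40))
    laptop.av_running = False
    print(posture_change(laptop, "allow"))
```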

it_user575388 - PeerSpot reviewer
User at HP Enterprise
Vendor
2017-02-24T17:24:08Z
Feb 24, 2017

ForeScout has a guest solution, but it's somewhat limited. Aruba ClearPass is better equipped to help based on scalability, branding, ability to create separate portals based on location, domain of business, credential creation and distribution, and enforcement capabilities. While ForeScout has RADIUS & .1X capabilities they're known for SNMP enforcement. If your IP addressing scheme uses different 10.x.x.x networks in the remote locations or inside, you may run into problems as well.

it_user536484 - PeerSpot reviewer
Founder with 501-1,000 employees
Vendor
2017-02-24T16:44:35Z
Feb 24, 2017

Not knowing your environment fully I would have to make a couple of assumptions...

First of all I would make sure whatever wireless technology you are using is supported by Forescout Counteract if you have not already done so.

Then the architecture for using forescout to control and act upon policies you construct for your wireless users will first require that the Forescout scanner (virtual or physical) resides on the network your wireless is on since it is outside your corp network. You could set up access through the firewall if you wanted to place the scanner internally for controlling network access for corp network devices as well.

Including remote sites would be dependent on how you are connecting over the internet. One way I know works is if you have set up VPN Site-to-Site tunnels for the remote locations. The forescout will see those addresses across the tunnel and be able to control them as long as you configure the wireless LAN controller (assumption you have these at each site) on the forescout.

You would set up the mirror (SPAN) port on the network device that has access to gather the information on the wireless (where APs are connected) and connect that to your forescout.

I would check with your forescout rep and SE to verify and answer additional questions since I have limited knowledge as compared with them.

it_user440322 - PeerSpot reviewer
Director of Global Technology Infrastructure at a tech services company with 10,001+ employees
Consultant
2017-02-24T16:06:03Z
Feb 24, 2017

Thanks for the feedback. I think we have a handle on wireless for authenticated users with 802.1x, but how does forescout handle guest users on wireless? We are using Cisco WLC/APs already and need to provide QoS restrictions based on user type (Exec/Business/Guest) for wireless and are doing this today via dedicated SSIDs. thanks!

SL
MD/CEO at a tech services company with 51-200 employees
Real User
2017-02-24T15:50:35Z
Feb 24, 2017

Hi, first question, are these remote locations connected to the Internet via a single egress point at the HQ?

Secondly, do you serve DHCP centrally or at each of the remote sites?

If your response is no to the first question, then you would require a separate ForeScout appliance at each location, to be managed by an Enterprise Manager (central device used to manage multiple appliances). You can then do your policy configuration and other administrative tasks from the EM.

If you need further details, check us out at SMSAMdotnet

it_user615540 - PeerSpot reviewer
IT Manager, Infrastructure and Operations at a consultancy with 1,001-5,000 employees
Consultant
2017-02-24T15:49:49Z
Feb 24, 2017

My apologies but I do not have any experience with ForeScout.

it_user464460 - PeerSpot reviewer
Network System Administrator at a financial services firm with 501-1,000 employees
Vendor
2017-02-24T15:43:15Z
Feb 24, 2017

Hello,

I have experience with both Cisco ISE and ForeScout CounterACT.

For Wireless, as it uses 802.1X for the authentication, I believe Cisco ISE would be a great fit due to its robust 802.1X implementation.

ForeScout is great for passive authentication using WMI and RPC. Although 802.1X is available, they never recommend using 802.1X on it.

Hope this answers your question.

Kind Regards,
Jay Shah
