OK, so Cisco ISE uses 802.1X to secure switchports against unauthorized access. The drawback of this is that ISE cannot secure the port if a device does not support 802.1X. Cameras, badge readers, temp sensors, etc. would fall into this category. Then you have to leave the port unsecured. Also, 802.1X requires you to drop config on every switchport, and have other infrastructure installed to support it. Also, Cisco ISE licensing is complicated and draconian. In some cases, the same endpoint might need to utilize 4 different licenses at the same time.
Forescout operates differently and does not rely on 802.1x. Forescout listens to a variety of sources. For one thing, Forescout can listen to the wire through SPAN. Forescout also uses SNMP to monitor and control switches, routers, and APs. So Forescout can hear when a connection is made to a switchport, discover the IP of the endpoint on that port, control the endpoint if possible through AD or an installed agent, place the switchport into a quarantine VLAN if needed, and if SPAN traffic is available, place a virtual firewall rule in front of the endpoint. It can query the endpoint for processes, apps, OS, AV, and many other things.
The main advantage of Forescout is it doesn't need 802.1x on every switchport to control access, which is quite burdensome to configure. It senses every device on the network instantly, can listen to the wire, has multiple ways of gathering data, and can control switches. Licensing is simple and is per IP address.
Cisco ISE may be required for certain Cisco technologies or environments - then you don't have a choice. ISE is expensive and has extensive licensing requirements. You will need to dedicate at least one person to become an ISE SME, and training will be mandatory. The main advantage of Cisco ISE over Forescout is it can be a TACACS server natively.
Both Cisco ISE and Forescout are highly regarded, as both are at the very top of the Gartner Magic Quadrant (if you follow Gartner). Looking at them both on their own, the nod tends to go to Forescout as the Best of Breed. Best of Platform, however, the nod goes to Cisco ISE.
So in simplest terms, Cisco ISE is a better solution when in a strong Cisco environment, and Forescout is the better solution if there are disparate security flows within your organization.
Now I would also throw into the mix (not meant to overcomplicate your decision) HPE/Aruba ClearPass as well. In any case, they can all be a bear to implement, so make sure you have a great organization to work with you on implementation that has a specialty with a particular vendor.
Hello peers,
I am a Senior Network & Security Engineer at a large computer software company.
I am currently researching network access control solutions. What are the differences between Cisco ISE and Fortinet FortiNAC? Which solutions do you prefer and why?
Thank you for your help.
Hello community,
I am a Senior Network Administrator at a large financial services firm.
What are the requirements for integrating the Cisco Data Center and Cisco ISE?
Thank you for your help.
Senior Technical Consultant at International Turnkey Systems - ITS
Mar 9, 2023
Hi Anyman
1- First you need to enable the pxGrid setting in Cisco ISE under Admin settings.
2- You need to activate ISE as RADIUS in the DNA Settings tab at the left corner (user name and password is any ISE administrator user).
3- From the Network Hierarchy tab in DNA Center, choose ISE as your AAA server.
4- You need to create an SGT group in the Policy tab to create the proper user grouping.
5- Then go to Provision / Fabric / switch interface and apply ISE as your authentication profile.
Most importantly, you need to ensure that your fabric switch has a DNA Advantage license.
@Avraham Sonenthal thanks a lot for such a detailed answer!
Hi @Sean Muller, @Nayef Hamzeh, @Chandra-Prakash, @Josept Conde, @Dilan Jayamantri, @Jonathan Soto, @Miguel Santiago and @Avraham Sonenthal,
It seems you should be able to share some professional advice in relation to this question.
Thanks in advance for helping other community members!