Guest

Compare Network Access Control Solutions

Learn more about Cisco Identity Services Engine (ISE) and compare with other Network Access Control solutions.

Cisco ISE

ForeScout CounterACT

HPE ClearPass

Expand all

Network Access

Passive IdentificationISE can provide passive ID for other systemsNo passive authentication functionalityNo passive authentication functionality
ISE can provide passive ID for other systemsNo passive authentication functionalityNo passive authentication functionality
EasyConnectISE can authenticate users without using 802.1XCounterACT can use SNMP-based access control instead of 802.1XClearPass can use SNMP to control network access for endpoints
ISE can authenticate users without using 802.1XCounterACT can use SNMP-based access control instead of 802.1XClearPass can use SNMP to control network access for endpoints
802.1XISE is a standards-based RADIUS server with a built-in certificate authorityLimitedCounterACT can proxy RADIUS requests to another RADIUS serverClearPass includes an internal certificate authority that can be used for BYOD purposes
ISE is a standards-based RADIUS server with a built-in certificate authorityCounterACT can proxy RADIUS requests to another RADIUS serverClearPass includes an internal certificate authority that can be used for BYOD purposes
Third-Party DevicesISE will interoperate with many third-party vendors using RADIUS and SNMPCounterACT uses SNMP for network device integrationClearPass ships with many third-party RADIUS dictionaries
ISE will interoperate with many third-party vendors using RADIUS and SNMPCounterACT uses SNMP for network device integrationClearPass ships with many third-party RADIUS dictionaries
SAMLISE supports any SAMLv2-compliant solutionNo SAML supportLimitedClearPass supports SAMLv2 only when ClearPass is used with an Aruba wireless controller
ISE supports any SAMLv2-compliant solutionNo SAML supportClearPass supports SAMLv2 only when ClearPass is used with an Aruba wireless controller
TACACS+Provides full TACACS+ capability available on ACS 5.x and moreForeScout offers TACACS+ client, but not the ability to do device administrationLimitedLacks features such as enable password, configuration presets for different NAD types, TACACS+ proxy
Provides full TACACS+ capability available on ACS 5.x and moreForeScout offers TACACS+ client, but not the ability to do device administrationLacks features such as enable password, configuration presets for different NAD types, TACACS+ proxy

Visibility

Device VisibilityCisco ISE uses multiple probes to provide a comprehensive view of the networkCounterACT has a number of methods for learning about devices on the networkClearPass can use multiple profiling probes to identify endpoints connecting to the network
Cisco ISE uses multiple probes to provide a comprehensive view of the networkCounterACT has a number of methods for learning about devices on the networkClearPass can use multiple profiling probes to identify endpoints connecting to the network
Application VisibilityISE provides application-level visibility and the ability to build policy about which apps can be installed or runningCounterACT can use calls or a software agent to show the administrator which applications are installed and runningClearPass lets administrators set policy for endpoints with certain applications but does not offer app-level visibility
ISE provides application-level visibility and the ability to build policy about which apps can be installed or runningCounterACT can use calls or a software agent to show the administrator which applications are installed and runningClearPass lets administrators set policy for endpoints with certain applications but does not offer app-level visibility
Enhanced End-User VisibilityWith context visibility, ISE lets the administrator glean detailed information about users accessing the networkCounterACT has the ability to integrate with Active Directory and other external sources for user informationClearPass can integrate with multiple identity providers to show user information
With context visibility, ISE lets the administrator glean detailed information about users accessing the networkCounterACT has the ability to integrate with Active Directory and other external sources for user informationClearPass can integrate with multiple identity providers to show user information
Internet of ThingsISE can meet the demands of Internet-connected devices through authentication and device profilingCounterACT can profile devices accessing the network and assign privileges based on device typeClearPass can profile devices and allow the administrator to assign a different policy based on the profiles
ISE can meet the demands of Internet-connected devices through authentication and device profilingCounterACT can profile devices accessing the network and assign privileges based on device typeClearPass can profile devices and allow the administrator to assign a different policy based on the profiles
Network VisibilityIn addition to endpoint profiling, ISE can give the administrator a view into the networkCounterACT can automatically discover network devicesClearPass provides ways to discover endpoints connected to the network via network devices
In addition to endpoint profiling, ISE can give the administrator a view into the networkCounterACT can automatically discover network devicesClearPass provides ways to discover endpoints connected to the network via network devices

Mobility

Guest ServicesISE has rich life-cycle support for guest servicesLimitedCorporate branding can be challenging to completeRequires additional expense for portal setup. Network access device configuration complexity.
ISE has rich life-cycle support for guest servicesCorporate branding can be challenging to completeRequires additional expense for portal setup. Network access device configuration complexity.
BYODISE has a closed-loop BYOD solution to include MDM integrationCounterACT supports BYOD as well as MDMClearPass supports BYOD, including internal certificate authority
ISE has a closed-loop BYOD solution to include MDM integrationCounterACT supports BYOD as well as MDMClearPass supports BYOD, including internal certificate authority
MDMISE integrates with all major MDM vendorsCounterACT integrates with many MDM vendorsClearPass supports MDM integration for multiple providers
ISE integrates with all major MDM vendorsCounterACT integrates with many MDM vendorsClearPass supports MDM integration for multiple providers
Location ServicesISE integrates with Cisco MSE for wireless location-based policyCounterACT doesn't support location services for endpointsClearPass cannot integrate with location services
ISE integrates with Cisco MSE for wireless location-based policyCounterACT doesn't support location services for endpointsClearPass cannot integrate with location services

Threat Security

PostureISE supports application-level posture as well as USB detectionCounterACT has USB detection as well as application-level visibilityClearPass provides posture for Windows, macOS, and Linux
ISE supports application-level posture as well as USB detectionCounterACT has USB detection as well as application-level visibilityClearPass provides posture for Windows, macOS, and Linux
Anomaly DetectionStarting with version 2.2, ISE can detect when endpoints try to masquerade as other endpointsThrough policy, CounterACT can detect when an endpoint is attempting to change its MAC addressClearPass can detect and act when there is a conflict in the endpoint profile
Starting with version 2.2, ISE can detect when endpoints try to masquerade as other endpointsThrough policy, CounterACT can detect when an endpoint is attempting to change its MAC addressClearPass can detect and act when there is a conflict in the endpoint profile
Threat-centric NACISE can use threat intellegence to build access policyCounterACT uses Control Fabric and its ecosystem partners for threat informationClearPass does not provide native integration with a vulnerability scanner
ISE can use threat intellegence to build access policyCounterACT uses Control Fabric and its ecosystem partners for threat informationClearPass does not provide native integration with a vulnerability scanner
Rapid Threat ContainmentISE can leverage other security porfolio products to provide automatic detection and remediation of security eventsUsing Control Fabric, CounterACT can leverage threat information from its ecosystem partnersClearPass can integrate with third-party security systems to provide access control
ISE can leverage other security porfolio products to provide automatic detection and remediation of security eventsUsing Control Fabric, CounterACT can leverage threat information from its ecosystem partnersClearPass can integrate with third-party security systems to provide access control

Architecture

Standardized APIIn addition to APIs, ISE offers a scalable method for sharing context through pxGridCounterACT can use APIs to integrate with other network servicesClearPass provides both inbound and outbound APIs for sharing context
In addition to APIs, ISE offers a scalable method for sharing context through pxGridCounterACT can use APIs to integrate with other network servicesClearPass provides both inbound and outbound APIs for sharing context
Internet GatewayISE can provision endpoints for Cisco Umbrella for on- and off-network protection
ISE can provision endpoints for Cisco Umbrella for on- and off-network protection
Embedded Network SecurityWith Cisco network infrastructure, Stealthwatch, and TrustSec technology, ISE can offer scalable network protection and visibilityClearPass can be used to consume logs from security systems and to provide protection from the events
With Cisco network infrastructure, Stealthwatch, and TrustSec technology, ISE can offer scalable network protection and visibility ClearPass can be used to consume logs from security systems and to provide protection from the events
Software-Defined SegmentationISE and TrustSec technology provide customers with a more scalable approach to network securityLimitedCounterACT primarily uses VLANs and ACLs to separate network trafficClearPass uses VLANs, ACLs, and roles for access control
ISE and TrustSec technology provide customers with a more scalable approach to network securityCounterACT primarily uses VLANs and ACLs to separate network trafficClearPass uses VLANs, ACLs, and roles for access control
Group-Based PoliciesISE can leverage many sources to provide a rich set of tools for policy buildingCounterACT can leverage external resources to build group-based policyClearPass can provide roles for Aruba network devices, but the roles are only for those devices and are not scalable
ISE can leverage many sources to provide a rich set of tools for policy buildingCounterACT can leverage external resources to build group-based policyClearPass can provide roles for Aruba network devices, but the roles are only for those devices and are not scalable

Not convinced?

See what SC Mag has to say about ISE.