Comparing Cisco ISE vs ForeScout CounterACT

Today I am going to compare the features of the Cisco ISE and ForeScout CounterACT solutions. Both are NAC solutions. Earlier I talked about the difference between Cisco ISE and Aruba ClearPass.

I also discussed the difference between the Aruba ClearPass and ForeScout CounterACT NAC solutions.

Now I am going to discuss the feature differences between Cisco ISE and ForeScout CounterACT. As I have already covered both solutions in earlier articles, here I am just going to compare their features.

Cisco ISE
Cisco Systems' NAC solution is Cisco ISE, the Identity Services Engine. The ISE policy server is RADIUS-based, which enables Cisco to support authentication in heterogeneous network infrastructure environments. Cisco ISE supports 802.1X and guest provisioning, and the Advanced package supports endpoint baselining, granular identity policies and other more sophisticated features. A Wireless package supports advanced functionality for wireless devices only. Cisco wired and wireless customers should consider ISE, especially when the Cisco AnyConnect endpoint client will be in use.

Fig 1.1- Policy Based solution using Cisco ISE
Cisco ISE supports device profiling, and the profiling capability is embedded in Cisco switches and wireless controllers, eliminating the need to deploy stand-alone profiling sensors in the network. If your devices are running old firmware or patches, you need to upgrade them to use it. The ISE server can identify and classify endpoints using templates that are provided by Cisco or defined by an administrator. ISE uses a combination of active and passive profiling techniques.

Cisco's support of identity tags (which it calls TrustSec SGA) in the Ethernet frame (via a proprietary enhancement to the 802.1AE standard) enables its more advanced customers to enforce granular identity-based policies on some Cisco LAN, WLAN and firewall products. Most organizations will require infrastructure upgrades to benefit from this feature.

Cisco has two NAC agents: one to support VPN access (Cisco VPN AnyConnect Client) and one to support the capabilities of the ISE Advanced License (Cisco Network Admission Control Agent). Customers that need NAC for VPN and advanced NAC functionality will need both agents.

ForeScout CounterACT
CounterACT performs these actions on corporate-issued, personally owned bring-your-own-device (BYOD) endpoints and non-traditional devices—without requiring software agents or previous device knowledge. It deploys quickly into your existing environment and rarely requires infrastructure changes, upgrades or endpoint reconfiguration. 

CounterACT can identify the device type, location, user, and whether the device is a member of your domain, as well as other basic information. It also obtains detailed information about the security posture of the device by using administrative credentials to query corporate-owned devices. 

CounterACT leverages the ForeScout ControlFabric Architecture to orchestrate information sharing and operation among the security and system management tools you already own. ControlFabric Architecture allows you to achieve this through custom integrations or plug-and-play software modules. Co-developed with ForeScout Technology Partners, ForeScout Base and Extended Modules bring the power of CounterACT to more than 70 leading network, security, mobility and IT management 

Below are the feature differences between the Cisco ISE and ForeScout CounterACT solutions.
This table was updated on 12 Nov, 2017.

Fig 1.2- Cisco Vs ForeScout NAC Solutions