We will discuss and compare the two NAC (Network Access Control) solutions from Cisco (ISE) and Aruba (ClearPass). Gartner defines network access control (NAC) as technologies that enable organizations to implement policies for controlling access to corporate infrastructure by both user-oriented devices and Internet of Things (IoT) devices. Policies may be based on authentication, endpoint configuration (posture) or users’ role/identity. NAC can also implement post-connect policies based on integration with other security products. For example, NAC could enforce a policy to contain the endpoint based on an alert from a SIEM. An organization should evaluate the following capabilities:
• Device visibility/profiling
• Access control
• Security posture check
• Guest management
• Bidirectional integration with other security products
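To make the policy bases listed above concrete, here is an added example (not code from Cisco, Aruba or Gartner) of a minimal NAC decision model: a pre-connect policy set that maps authentication method, role and posture to a VLAN, and a post-connect rule that contains a session when a SIEM alert names its MAC address. All session data, rule names and VLAN names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample sessions; attribute names are illustrative, not any vendor's schema.
@dataclass
class Session:
    mac: str
    auth: str      # "802.1X", "MAB" (MAC authentication bypass) or "none"
    role: str      # identity role resolved at authentication time
    posture: str   # "compliant", "non-compliant" or "unknown"
    vlan: str = "quarantine"

QUARANTINE = "quarantine"

# Policy set evaluated top-down, first match wins: (rule name, condition, VLAN to assign).
POLICY = [
    ("employee-compliant",
     lambda s: s.auth == "802.1X" and s.role == "employee" and s.posture == "compliant", "corp"),
    ("employee-remediate",                      # authenticated but posture not proven
     lambda s: s.auth == "802.1X" and s.role == "employee", "remediation"),
    ("iot-mab",
     lambda s: s.auth == "MAB" and s.role == "iot", "iot"),
    ("guest",
     lambda s: s.auth == "none" and s.role == "guest", "guest"),
]

def authorize(s):
    """Pre-connect policy: choose a VLAN from authentication method, role and posture."""
    for name, cond, vlan in POLICY:
        if cond(s):
            s.vlan = vlan
            return name, vlan
    s.vlan = QUARANTINE                # no rule matched: default deny
    return "default-deny", QUARANTINE

def contain(sessions, alert):
    """Post-connect policy: a SIEM alert naming a MAC moves that session to quarantine.
    Returns the rule applied, or None when the MAC has no active session to act on."""
    for s in sessions:
        if s.mac.lower() == alert["mac"].lower():
            s.vlan = QUARANTINE
            return f"siem-contain:{alert['rule']}"
    return None

if __name__ == "__main__":
    laptop = Session("00:11:22:33:44:55", "802.1X", "employee", "compliant")
    print(authorize(laptop))                                   # ('employee-compliant', 'corp')
    print(contain([laptop], {"mac": "00:11:22:33:44:55", "rule": "malware-beacon"}), laptop.vlan)
```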
Cisco ISE
Cisco ISE (Identity Services Engine) is a RADIUS-based policy server, which lets Cisco support authentication in heterogeneous network infrastructure environments.
Cisco ISE supports 802.1X and guest provisioning, and the Advanced package supports endpoint baselining, granular identity policies and other more sophisticated features. A Wireless package supports advanced functionality for wireless devices only. Cisco wired and wireless customers should consider ISE, especially when the Cisco AnyConnect endpoint client will be in use.
Cisco ISE has several API-level integrations with MDM vendors and SIEM vendors, in addition to its integration with Stealthwatch.
Cisco’s Platform Exchange Grid (pxGrid) initiative will broaden its scope of partnerships for ISE. pxGrid will enable network and security solutions to coordinate the sharing of contextual information (such as identity and location) through ISE. A limited set of pxGrid integrations became available in 1H14; since then Cisco has invited many more technology partners to deliver on its vision for pxGrid.
Cisco ISE’s device profiling capability is embedded in Cisco switches and wireless controllers, eliminating the need to deploy stand-alone profiling sensors in the network. Devices running older firmware or patch levels must be upgraded before this embedded profiling can be used.
The ISE server can identify and classify endpoints using templates that are provided by Cisco or defined by an administrator. ISE uses a combination of active and passive profiling techniques.
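As an added illustration of template-based profiling (a simplified model written for this article, not Cisco’s or Aruba’s code), the block below scores an endpoint against administrator-defined templates. Each template is a list of conditions with certainty points; attributes are tagged as passively observed (MAC OUI, DHCP, HTTP) or actively probed (SNMP, NMAP), and an endpoint is classified only when the best template clears a minimum certainty. Template names, attribute names, point values and endpoint data are all constructed assumptions.

```python
MIN_CERTAINTY = 30   # constructed threshold: one weak attribute alone must not classify

# attribute -> how the NAC collected it; reported as evidence with the classification
SOURCES = {
    "mac_oui": "passive", "dhcp_class_id": "passive", "http_user_agent": "passive",
    "snmp_sysdescr": "active", "nmap_os": "active",
}

# Conditions: (attribute, substring that must appear case-insensitively, certainty points).
# A MAC OUI match is cheap to spoof, so it carries little weight on its own.
TEMPLATES = {
    "Apple-iPhone": [("mac_oui", "Apple", 10), ("dhcp_class_id", "iPhone", 20),
                     ("http_user_agent", "iPhone", 20)],
    "Cisco-IP-Phone": [("mac_oui", "Cisco", 10), ("dhcp_class_id", "IP Phone", 30),
                       ("snmp_sysdescr", "IP Phone", 20)],
    "Printer": [("nmap_os", "Printer", 30), ("snmp_sysdescr", "JetDirect", 30)],
}

def score(conditions, attrs):
    """Sum certainty points for matching conditions; return (points, evidence used)."""
    total, evidence = 0, []
    for attr, needle, points in conditions:
        value = attrs.get(attr)
        if value and needle.lower() in value.lower():
            total += points
            evidence.append((attr, SOURCES[attr]))
    return total, evidence

def profile(attrs, templates=TEMPLATES):
    """Return (template name, certainty, evidence) for the best template above the
    threshold, or ("Unknown", 0, []) when no template is confident enough."""
    best = ("Unknown", 0, [])
    for name, conditions in templates.items():
        total, evidence = score(conditions, attrs)
        if total >= MIN_CERTAINTY and total > best[1]:
            best = (name, total, evidence)
    return best

# Constructed endpoint attribute sets (not real captures).
IPHONE = {"mac_oui": "Apple", "dhcp_class_id": "iPhone",
          "http_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"}
OUI_ONLY = {"mac_oui": "Apple"}          # passive OUI alone: stays Unknown
PRINTER = {"mac_oui": "Hewlett Packard", "nmap_os": "Printer",
           "snmp_sysdescr": "HP ETHERNET MULTI-ENVIRONMENT, JETDIRECT"}

if __name__ == "__main__":
    for ep in (IPHONE, OUI_ONLY, PRINTER):
        print(profile(ep))
```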
Cisco’s support of identity tags (which it calls TrustSec SGA) in the Ethernet frame (via a proprietary enhancement to the 802.1AE standard) enables its more advanced customers to enforce granular identity-based policies on some Cisco LAN, WLAN and firewall products. Most organizations will require infrastructure upgrades to benefit from this feature.
Cisco has two NAC agents: one to support VPN access (Cisco AnyConnect VPN Client) and one to support the capabilities of the ISE Advanced License (Cisco Network Admission Control Agent). Customers that need both NAC for VPN and advanced NAC functionality will need both agents.
The features users liked best about Cisco ISE are that the solution is very stable, flexible, and secure. Cisco ISE is a great global product that operates consistently and looks the same wherever it is deployed across the world. The Cisco ISE GUI is top-notch and the security protocols it provides are excellent. Cisco ISE users would like to see better migration to the cloud and a hybrid option made available. Users would also welcome a solution that is more user-friendly and less complex.
Aruba ClearPass
Aruba Networks’ NAC solution, ClearPass, is RADIUS-based and is available as a hardware or virtual appliance.
The strengths of Aruba’s 802.1X implementation include a certificate authority built into ClearPass, which eases BYOD deployments by removing the need for an external certificate authority. The ClearPass Onboard module provides the ability to revoke and delete certificates.
ClearPass offers a strong guest network application. Guest portals can be customized with a wide range of options, including localized language support. Granular policies allow guests to share printers and projectors that use Apple’s Bonjour protocol.
Aruba provides detailed diagnostic information to assist network administrators in troubleshooting failed 802.1X authentications. However, Aruba’s ClearPass NAC solution lags behind several competitors in its breadth of prepackaged integrations with SIEM vendors and advanced threat defense vendors. It also faces a difficult balancing act with its Workspace MDM offering, because it now competes with the same MDM vendors it partners with to enhance ClearPass.
Although Cisco is a worldwide, well-known, trusted, and respected brand, its product comes with many known complexities; Aruba ClearPass is flexible, versatile, and more user-friendly than Cisco ISE. Aruba’s aggressive stance on keeping attackers out with strict authentication policies, its cost-effective business model and its excellent technical service make it a NAC solution to consider seriously.