Network Access Control (NAC) - Cisco ISE Vs HPE Aruba Clearpass

Network Access Control (NAC) - Cisco ISE Vs HPE Aruba Clearpass

Today I am going to talk about the two NAC solutions by different vendors and these vendors are Cisco and Aruba (HPE). Cisco has NAC solution of Cisco ISE and Aruba (HPE) has NAC solution as Clearpass. Let's discuss both the solution one by one to understand more in depth. 

As per the market and the Gartner's Magic Quadrant, Cisco ISE is leading the space followed by Fore scout and Aruba Networks. Before we start with the NAC solution, First question you guys expecting is that what is NAC- Network Access Control.

What is NAC- Network Access Control ?
Network access control (NAC) and is also called network admission control, is a method of strengthen the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.

So as per the NAC, the end devices are being authenticated to access the network. Hope you understand the use of the NAC- Network Access Control. While the computer is being checked by a installed software agent, it can only access resources that can remediate any issues. 

Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined within the NAC system. NAC is mainly used for endpoint health checks, but it is often tied to Role-based Access. Access to the network will be given according to the profile of the person and the results of a posture/health check.

Cisco Systems NAC Solution: Cisco ISE
Cisco Systems have the NAC solution named as Cisco ISE. Cisco ISE stands for Identity Services Engine (ISE) policy server and is RADIUS-based, which enables Cisco to support authentication in heterogeneous network infrastructure environments. 

Fig 1.1- Cisco ISE

Cisco ISE supports 802.1X and guest provisioning, and the Advanced package supports endpoint baselining, granular identity policies and other more sophisticated features. A Wireless package supports advanced functionality for wireless devices only. Cisco wired and wireless customers should consider ISE, especially when the Cisco AnyConnect endpoint client will be in use.

If you are talking about the Cisco ISE, Cisco ISE has several API-level integrations with MDM vendors and SIEM vendors and in addition to its integration with Stealthwatch 

Separately, Cisco's Platform Exchange Grid (pxGrid) initiative will broaden its scope of partnerships for ISE. pxGrid will enable network and security solutions to coordinate the sharing of contextual information (such as identity and location) through ISE. A limited set of pxGrid integrations will be available in 1H14, although Cisco needs to attract many more technology partners in more markets to deliver on its vision for pxGrid.

Cisco ISE has a capability of the Device profiling and is embedded in Cisco switches and wireless controllers, If you are using the old patches for that you need to upgrade the firmware and patches on the devices and eliminating the need to deploy stand-alone profiling sensors in the network. 

The ISE server can identify and classify endpoints using templates that are provided by Cisco or defined by an administrator. ISE uses a combination of active and passive profiling techniques. 

Cisco's support of identity tags (which it calls TrustSec SGA) in the Ethernet frame (via a proprietary enhancement to the 802.1AE standard) enables its more advanced customers to enforce granular identity-based policies on some Cisco LAN, WLAN and firewall products. Most organizations will require infrastructure upgrades to benefit from this feature.

So Cisco has two NAC agents and these agents are one to support VPN access (Cisco VPN AnyConnect Client) and one to support the capabilities of the ISE Advanced License (Cisco Network Admission Control Agent). Customers that need NAC for VPN and advanced NAC functionality will need both agents. 

Aruba Networks (HPE):  Clearpass
Aruba Networks have the NAC solution named as Clearpass and offers a RADIUS based solution and is available for hardware and the virtual appliances.

Well talk about the Strengths of Aruba's 802.1X innovations, It include a built-in certificate authority to Clearpass, which eases BYOD implementations by not requiring an external certificate authority. The Clearpass Onboard module provides the ability to revoke and delete certificates.

Clearpass offers a strong guest network application. Guest portals can be customized with a wide range of options, including localized language support. Granular policies allow guests to share printers and projectors that use Apple's Bonjour protocol.

Fig 1.2- HPE Aruba Clearpass

Aruba provides detailed diagnostic information to assist network administrators in troubleshooting failed 802.1X authentications 

There are some of the cautions for using the Aruba's Clearpass NAC Solution and It lags behind several competitors in its breadth of prepackaged integrations with SIEM vendors and advanced threat defense vendors.

It also faces a difficult balancing act with its Workspace MDM offering, because it is now competing with the same MDM vendors that it partners with to enhance Clearpass

It is still ramping up its value-added reseller (VAR) channel's ability to sell and support Clearpass. Before purchasing Clearpass from an Aruba partner, verify that the partner is Clearpass-certified.