Cisco ISE vs Aruba ClearPass

martylee
New Contributor

We have been using RADIUS with 802.1X for AAA, but we are wanting to switch for more control. We have a bit of a mixed bag for network equipment: Cisco APs, HP switches, and a Fortinet firewall. We are ~31% Mac, 16% iPads, ~43% Chromebook, and ~10% PCs. >95% of our users are on WiFi. I've been reaching out to K-12 peers, and most either don't have a NAC solution for AAA or they are using ISE. Also saw some saying that ISE doesn't work well with Macs, and that is troubling for us because we are on track to replace the remaining PCs with Macs beyond specialty situations.

bvrooman
Valued Contributor

In an effort to replace our ancient Cisco NAC system, we did a proof-of-concept ("bake off") with Forescout, Cisco ISE, and Aruba ClearPass toward the end of last year.

  • Forescout wanted to be Casper and did a poor job of that, so it was out.
  • Cisco never successfully got ISE working, even on their own test gear, during the 4-week PoC period or the extra 3 weeks we gave them.
  • ClearPass was pretty awesome (and it's what we bought) – it was the only product that actually met our requirements and had some functionality that we thought would add value to the project.

We still haven't finished the implementation part of the project, but none of that appears to be the fault of ClearPass itself; just some weirdness with our older switches running old code. I'm quite looking forward to having it, though.

perrycj
Contributor III

I can tell you we have both in our environment. We use ClearPass for wireless and ISE for wired. We use EAP-TLS without issue with ClearPass/Wireless. On the ISE side and wired, we are attempting to use EAP-TLS and so far it's been difficult to get in place. Previously, we used EAP-FAST with ISE on wired and that worked fine but we wanted to go away from user credentials to authenticate, so that's why we're using EAP-TLS on wired now.

So in a nutshell, ClearPass has been a better experience so far.

CasperSally
Valued Contributor II

We're demoing EAP-TLS with ISE this week. The engineer on site had working wired and wireless workflows for us in 2 days. I don't love the client software required (we're doing posturing for OS X and PC clients). Will Cisco please stop installing software to /opt?

We haven't gotten to testing iOS or Chromebooks. Less of a priority for us and supposedly some update coming soon will improve Chromebook integration.

hkabik
Valued Contributor

At the last Govt organization I worked for, I helped them set up Cisco ISE for their wifi network on the Mac side; it went super smoothly on both the JSS configuration and ISE configuration side.

I honestly don't remember running into any hiccups with it.

amansour
New Contributor

Hi everyone, @CasperSally. We purpose-built a NAC with OSX/Windows Profiling; we onboard EAP-TLS for wired and wireless and have agentless support. We also have our Chromebook Agent, which can mass deploy certs to Chromebooks with zero touch to the Chromebook.

We also have JAMF integration for silent installation of our Mac client and are deployed at schools that are all Mac.

Anyway, we also don't install to opt (Mac 10.11.5 and higher can't allow that, right?). Anyway.

This would be pretty much exactly what you are looking for. I'd love to show you a demo because it sounds like people are settling for two solutions and settling for no EAP-TLS on the wire! This is our bag. intelligonetworks.com.

danielleitcs
New Contributor

You might find this direct comparison between Cisco ISE and Aruba ClearPass from the IT Central Station user community to be helpful.

Users interested in NAC solutions also read reviews for ForeScout CounterACT. This user writes, "The most valuable features of ForeScout is the fact that it can do network access control either with 802.1x or without 802.1x. Having a non-.1x solution is critical for maintaining stability on our network." You can read the rest of his review here.