Posted on 05-13-2016 05:50 AM
We have been using RADIUS with 802.1X for AAA, but we are wanting to switch for more control. We have a bit of a mixed bag for network equipment: Cisco APs, HP switches, and a Fortinet firewall. We are ~31% Mac, 16% iPads, ~43% Chromebook, and ~10% PCs. >95% of our users are on WiFi. I've been reaching out to K-12 peers, and most either don't have a NAC solution for AAA or they are using ISE. Also saw some saying that ISE doesn't work well with Macs, and that is troubling for us because we are on track to replace the remaining PCs with Macs beyond specialty situations.
Posted on 05-13-2016 06:37 AM
In an effort to replace our ancient Cisco NAC system, we did a proof-of-concept ("bake off") with Forescout, Cisco ISE, and Aruba ClearPass toward the end of last year.
We still haven't finished the implementation part of the project, but none of that appears to be the fault of ClearPass itself; just some weirdness with our older switches running old code. I'm quite looking forward to having it, though.
Posted on 05-13-2016 06:39 AM
I can tell you we have both in our environment. We use ClearPass for wireless and ISE for wired. We use EAP-TLS without issue with ClearPass/Wireless. On the ISE side and wired, we are attempting to use EAP-TLS and so far it's been difficult to get in place. Previously, we used EAP-FAST with ISE on wired and that worked fine but we wanted to go away from user credentials to authenticate, so that's why we're using EAP-TLS on wired now.
So in a nutshell, ClearPass has been a better experience so far.
Posted on 05-13-2016 06:52 AM
We're demoing EAP-TLS with ISE this week. The engineer on site had working wired and wireless workflows for us in 2 days. I don't love the client software required (we're doing posturing for OS X and PC clients). Will Cisco please stop installing software to /opt?
We haven't gotten to testing iOS or Chromebooks. Less of a priority for us and supposedly some update coming soon will improve Chromebook integration.
Posted on 05-13-2016 08:53 AM
At the last Govt organization I worked for, I helped them set up Cisco ISE for their WiFi network on the Mac side. It went super smoothly on both the JSS configuration and ISE configuration side.
I honestly don't remember running into any hiccups with it.
Posted on 09-12-2016 05:10 AM
Hi everyone, @CasperSally: we purpose-built a NAC with OS X/Windows profiling. We onboard EAP-TLS for wired and wireless and have agentless support. We also have our Chromebook Agent, which can mass deploy certs to Chromebooks with zero touch to the Chromebook.
We also have JAMF integration for silent installation of our Mac client and are deployed at schools that are all Mac.
Anyway, we also don't install to opt (Mac 10.11.5 and higher can't allow that, right?) Anyway.
This would be pretty much exactly what you are looking for. I'd love to show you a demo because it sounds like people are settling for two solutions and settling for no EAP-TLS on the wire! This is our bag. intelligonetworks.com.
Posted on 01-17-2017 12:50 PM
You might find this direct comparison between Cisco ISE and Aruba ClearPass from the IT Central Station user community to be helpful.
Users interested in NAC solutions also read reviews for ForeScout CounterACT. This user writes, "The most valuable features of ForeScout is the fact that it can do network access control either with 802.1x or without 802.1x. Having a non-.1x solution is critical for maintaining stability on our network." You can read the rest of his review here.