We performed a comparison between Aruba ClearPass and Forescout Platform based on our users’ reviews in four categories. After reading the collected data, you can find our conclusion below.
Comparison Results: PeerSpot users feel Aruba ClearPass is flexible, versatile, and very user friendly. The licensing issues with Forescout detract a bit from its effectiveness.
"I would rate the stability a nine out of ten."
"We are mainly using Aruba ClearPass for our clients for securing access to their on-premise assets. As per customer expectations, we are trying our best to track the complete user activity in the network. This is the main and the core feature we require."
"The most valuable thing about Aruba ClearPass is its ease of use. It has always been a very reliable and very stable policy management platform."
"The most valuable feature of Aruba ClearPass is the ease of deployment and integration with other equipment in the network."
"The support is top notch, expert, and very friendly."
"It eliminated the management of 10 different individual discrete RADIUS servers."
"ClearPass is effortless to use and configure. It's not hard to learn the tool, and it has lots of features."
"We find that at the end of the projects we manage, all functionalities perform quite well. We've tested it a lot and find it to be overall a very good solution."
"We think it's simple. We think it's very useful and we really like reports and everything."
"Obtaining visibility into the network and connected devices is very simple with this tool. It takes me three minutes to do a base deployment when all the parameters are available."
"The actions that the agentless visibility allows us to perform on the endpoint are really amazing, especially in the way that it is done."
"The most valuable features of the Forescout Platform are ease of management and outstanding visibility. The visibility is simple to obtain."
"Forescout Platform has made it possible to block people working near our construction sites who should not have access to our network."
"The most valuable feature of ForeScout is the fact that it can do network access control either with 802.1x or without 802.1x."
"It allows for good detection of all the vendor products we have on-site."
"Forescout Platform provides multiple features. They have a very effective device fingerprinting in their cloud. You do not need to add any devices manually, such as in Mac devices. Other solutions you have to add IoT devices and OT devices manually. This is one of the major areas that Forescout Platform is excelling in."
"The pricing policy could be more flexible."
"I remember our technical team stating that the installation front of the solution was a bit difficult when compared to other solutions."
"Aruba ClearPass could improve the complexity of the initial usage. It takes some time to be good at it. It's not simple to build and connect the rules to the network you want to deploy them on."
"An issue with Aruba ClearPass is the lack of information and poor community support. You can't find the material easily on the internet for any issues. For example, if you're looking for any configuration or exploring any issue, it's not easy to find information, and this is the problem with Aruba ClearPass. Access to helpful information and poor community support could be improved. Another area for improvement in Aruba ClearPass is that some of its advanced features aren't easy to find. For example, my team needed to apply Google single sign-on, but it wasn't easy to find. Aruba ClearPass is a big solution with a lot of capabilities, and it's a very advanced solution, so you need to either have some experience with it or undergo some training. Aruba ClearPass is a very good solution from the network perspective, but the issue is the poor support you get from the community. When you try using the solution, some areas aren't easy. When you search on YouTube, you'll find very few materials about Aruba ClearPass. It isn't like Cisco where you can find information from hundreds of websites, on YouTube, etc. This is bad for Aruba, so this area should be improved. Aruba has a training center, but the usual training offered is only for Aruba Wireless and Aruba Switches. If you have another solution, it's not easy to integrate it with Aruba ClearPass, so this is an area for improvement. You need to do some research to successfully integrate your solution with Aruba ClearPass. We integrated Aruba ClearPass with Ubiquiti WiFi, and it's working fine with no issues. My next project is to start integrating Aruba ClearPass with Cisco Switches. The solution is good, but on the website, there's no book and no video, and you can't find the material on Aruba ClearPass easily. This is one of the issues with Aruba."
"ClearPass' GUI could be more user-friendly."
"The platform's API integration could be better. Additionally, its pricing could be affordable."
"Like most security products, ClearPass is difficult to deploy. You need to use the CLI to implement security products from any vendor, so configuring the authentication is complicated."
"A specific component is part of the solution called ClearPass Onboard, which can sometimes be complex and challenging to set up. If they could simplify the process and make it easier, that would be a benefit."
"Forescout Platform needs to improve how the device works in preventing rogue servers."
"The ability to block external devices in Mac is lacking and needs to be added."
"When adding what is in scope to a policy, it would be nice if you could select multiple policies instead of one policy at a time to add what is in the scope for network segmentation. I have found that during the install and configuration of the policies that if you want to modify multiple policies or enable multiple policies that you need to define what is in the scope (IP range or segments) one rule at a time. This caused some slowdowns when implementing policies."
"Forescout Platform sometimes returns false positives, so there's some fine-tuning to be done there."
"Definitely, having more third-party integration would be an improvement."
"Forescout needs to upgrade its development in the future."
"Better integration with third-party vendors is needed because as it is now, the list of third-party solutions that we can integrate and automate is quite limited."
"As a user, if I am using a laptop that is Wi-Fi connected, Forescout identifies my port connectivity as one user license, and if I take that same laptop with the same username to a wired network, which is also the same network that is used for the Wi-Fi connection, Forescout detects it as a separate license."
Aruba ClearPass is ranked 2nd in Network Access Control (NAC) with 75 reviews while Forescout Platform is ranked 4th in Network Access Control (NAC) with 69 reviews. Aruba ClearPass is rated 8.6, while Forescout Platform is rated 8.4. The top reviewer of Aruba ClearPass writes "Easy to use, multifeatured, and reliable policy management platform for identity authentication and new device onboarding". On the other hand, the top reviewer of Forescout Platform writes "We can go granular on each endpoint, quarantine non-compliant machines, and target vulnerabilities through scripting". Aruba ClearPass is most compared with Cisco ISE (Identity Services Engine), Fortinet FortiNAC, Microsoft Intune, Ruckus Cloudpath and macmon Network Access Control, whereas Forescout Platform is most compared with Cisco ISE (Identity Services Engine), Fortinet FortiNAC, Nozomi Networks, Armis and Tenable Security Center.
We monitor all Network Access Control (NAC) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
Hi Nkwa,
I did some research comparing ForeScout with ClearPass.
Fundamentally they do the same thing, but in very different ways. It is important to understand these differences and how they could help you achieve, or not, what you need in your organization. I will only point out these differences and not every single detail. This is based on my own experience and I do not represent either ForeScout or Aruba ClearPass.
DISCOVERY PROCESS / Profiler - METHODS.
• NetFlow or sFlow: ForeScout does not support sFlow, only NetFlow. Is this important? Yes, it is if your switches are not Cisco or any other vendor that supports the NetFlow protocol.
ForeScout says: "This capability becomes more relevant in large scale deployments, where the CounterACT packet engine is limited in its "ability to detect activity in remote sites and branch offices". Use of information reported by NetFlow improves visibility and speeds detection of new endpoints." Reference: https://www.forescout.com/wp-content/uploads/2018/04/CounterACT_NetFlow_1.2.pdf, page 3.
ClearPass:
NetFlow V5/V9 and V10 (aka IPFIX) + sFlow are supported.
Reference: www.arubanetworks.com
ORCHESTRATE = Integration/Collaboration with other Systems.
ForeScout:
* ForeScout is able to interchange contextual information with 3rd party solutions; however, most of the contextual collaboration capabilities are available using an Extended Module option, and ForeScout charges separately for this.
Reference Links:
www.forescout.com
www.cdw.com
ClearPass:
* 140+ integrations are included as part of the core solution. Basically, you can integrate ClearPass with anything in your IT infrastructure at no extra cost to share contextual information: firewalls, MDM, ticket system, SIEM, etc., using built-in modules or APIs. You can request customized APIs as well.
Reference Link www.arubanetworks.com
AGENT OR AGENTLESS?
Basically, an agent-based solution needs software installed, while an agentless approach doesn't.
Independently of which NAC solution you will use, it is important to understand whether or not you need an agent.
When a device connects to a network, the agent software performs some actions that have been defined in a central access controller or policy management platform. If persistent, the agent performs auto-remediation functions during a connection and will permanently monitor the device throughout a session to “fix” things that may change.
The dissolvable agent: a user clicks on a web portal link to download the agent, which authenticates the user and device, checks the endpoint for compliance, and allows access to the network if policy conditions are met. It then disappears until the user runs it again.
ForeScout
ForeScout is proud to claim that they don’t require an agent (agentless approach NAC), but this is not completely true. ForeScout needs a “dissolvable agent” for authorization & compliance of unmanaged assets, e.g. employee BYOD, contractor laptops, printers, CCTV cameras, smart TVs, etc. Agentless is fine when all your devices are Windows and all of them are under your management. For non-Windows devices you will need the dissolvable agent to perform health check and remediation.
Based on this explanation, having an agent or not is irrelevant in most cases. There are many identity sources from which you can extract contextual information to help the NAC do its work; examples are: AD, wireless AP, endpoint protection software, SCCM, MDM, the switches, the firewall, etc.
To do this you need integration. This is possible with ForeScout using the extended modules/plugins and normally paying the extra cost.
Reference Link: www.forescout.com
ClearPass
ClearPass can run with an agent and without an agent. It has the persistent option and the dissolvable option for BYOD and guest devices. It can be easily integrated with the mentioned identity stores at no extra cost.
www.bradfordnetworks.com
community.arubanetworks.com
community.extremenetworks.com
802.1X RADIUS AUTHENTICATION OR NOT
Here is one of the major differences. Both support RADIUS authentication. ClearPass sees it as the most secure way to protect your network and ForeScout sees it as something complex that you should try to avoid if possible, in my opinion.
ForeScout
* says: 802.1X presents several deployment, operational and troubleshooting challenges, particularly on wired networks.
* To perform RADIUS-based network authentication you need a “Plugin” to forward the authentication requests to an external authentication server, like the Microsoft NPS (page 10, reference link). You will need as well a Switch Plugin for wired network RADIUS-based deployment and a Wireless Plugin for wireless network RADIUS-based deployment. All this sounds like complexity to me.
* By not having 802.1x configured you also save configuring all switches on your network. Which is not a big problem because you do this once during the useful life of the switch.
* No built-in TACACS+ - centralized remote authentication to network devices like switches, routers, etc.
Reference Link:
www.forescout.com
ClearPass:
* Has a built-in CA, and if you like you can use an external CA as well.
* Centralizing the RADIUS authentication makes the administration and configuration very easy because you don’t have to manage the NAC and the CA separately.
* No plugin is needed for non-802.1x auth and non-domain-joined devices. In this case you can enforce machine authentication and many other security layers to allow non-domain devices to safely connect without a certificate.
* Non-domain devices can automatically or manually be provisioned using a guest network and dissolvable agent.
* Integration with the Aruba Wireless system for RADIUS authentication is very easy (if you own an Aruba Wireless infrastructure) and at no extra cost.
* You must configure your switches to work with 802.1x. This can be easily done using a template on HPE IMC.
* Built-in TACACS+
DEPLOYMENT AND INITIAL POLICY SETUP:
ForeScout: preferred method is: I let you in then I find out who you are.
• ForeScout CounterACT proposes the post-connect deployment strategy for network visibility and access control, in which endpoints are initially allowed access to the network while CounterACT profiles them to determine ownership and compliance. Access to the network is then adjusted based on profiling results and security policy.
Reference link: www.forescout.com
This makes sense on new deployments because the NAC can be configured transparently to the end user with no dramatic impact. My question is: What is the process after deployment? Do I let you in then I find a good policy for you?
ClearPass: preferred method is: I let you in if you tell me something about you. Then depending on the roles/policies this unknown device will be moved to a quarantine VLAN for remediation or moved to a dead end VLAN. At the same time this will trigger a ticket to helpdesk and a message to the user to know what is happening and what is the next step.
SUPPORT, SERVICE and DOCUMENTATION:
ForeScout:
• The references are very good everywhere you read on the internet. Also, the expertise of their engineers. You can browse a little and it won't be hard to find references.
Online support, documentation, communities (forescout Chatter), etc.
Aruba/HPE
The references are very good everywhere you read on the internet. Also, the expertise of their engineers. You can browse anywhere on the internet and it won't be hard to find references.
Online support, documentation, communities (aruba airheads), etc.
PRICE:
This will depend on many factors. I would suggest that you consult both and make your own decision.
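
For the NetFlow/sFlow point in the answer above, one way to check which flow-export protocol each switch actually sends before relying on a collector that accepts only some of them. This is an added example, not part of the original post and not either vendor's code; the function names and sample payloads are constructed for illustration, and it assumes the UDP payloads arriving at the collector port have already been captured.

```python
import struct

# Export-header sizes (bytes) for the protocols that start with a 16-bit version.
HEADER_LEN = {5: 24, 9: 20, 10: 16}
NAMES = {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX"}

def classify_flow_datagram(payload: bytes) -> str:
    """Name the flow-export protocol of one UDP payload from its header."""
    if len(payload) < 8:
        return "unknown"
    # sFlow v5: 32-bit version, then 32-bit agent address type (1=IPv4, 2=IPv6).
    version32, addr_type = struct.unpack_from("!II", payload)
    if version32 == 5 and addr_type in (1, 2):
        # agent address + sub-agent id, sequence, uptime, sample count
        need = 8 + (4 if addr_type == 1 else 16) + 16
        return "sFlow v5" if len(payload) >= need else "unknown"
    # NetFlow v5/v9 and IPFIX: 16-bit version, then count (v5/v9) or length (IPFIX).
    version16, second = struct.unpack_from("!HH", payload)
    if version16 not in HEADER_LEN or len(payload) < HEADER_LEN[version16]:
        return "unknown"
    if version16 == 5 and len(payload) != 24 + 48 * second:
        return "unknown"  # v5 carries `count` fixed 48-byte records
    if version16 == 10 and second != len(payload):
        return "unknown"  # the IPFIX header states the total message length
    return NAMES[version16]

def protocols_by_exporter(datagrams):
    """Map each exporter address to the sorted list of protocols it sent."""
    seen = {}
    for src, payload in datagrams:
        seen.setdefault(src, set()).add(classify_flow_datagram(payload))
    return {src: sorted(protos) for src, protos in seen.items()}

def sflow_only_exporters(datagrams):
    """Exporters from which a NetFlow-only collector would get no flow data."""
    by_src = protocols_by_exporter(datagrams)
    return sorted(src for src, protos in by_src.items() if protos == ["sFlow v5"])

# Constructed sample payloads (zeroed header fields); addresses are documentation IPs.
SAMPLE = [
    ("192.0.2.1", struct.pack("!HHIIIIBBH", 5, 1, 0, 0, 0, 0, 0, 0, 0) + bytes(48)),
    ("192.0.2.2", struct.pack("!HHIIII", 9, 0, 0, 0, 0, 0)),
    ("192.0.2.3", struct.pack("!HHIII", 10, 16, 0, 0, 0)),
    ("192.0.2.4", struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 4]), 0, 1, 0, 0)),
]

if __name__ == "__main__":
    for src, protos in protocols_by_exporter(SAMPLE).items():
        print(src, protos)
    print("sFlow-only exporters:", sflow_only_exporters(SAMPLE))
```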