What is our primary use case?
To be able to improve security within our network. We needed Network Access Control (NAC). As such, we reviewed the available vendors who could provide this service to us and selected the Forescout CounterACT (CA) product primarily because we needed to be able to position the product in several regional locations. At the same time, we managed and controlled it locally and dynamically where we have it responding to a single control center. While we have implemented today strictly for wireless access, we will be extending that to include wired access in the future.
How has it helped my organization?
NAC: Forescout CounterACT has allowed us to better open our access and control wireless access globally from our HQ. This allows us to monitor the network access for every office globally. This has improved overall security, reducing risk and opening up the opportunity to provide greater end user flexibility.
What is most valuable?
The key feature we use is AD integration. That feature needs the least amount of attention once set up.
Monitoring and logging are the pieces that we use most day-to-day. These are used by both our network and security teams to ensure proper operation with minimal risk. Whether machines attempting access are firm managed, vendors visiting, or IoT, all are available within the CA appliance. We plan to extend the use to further support growth functionalities and new work from home initiatives going forward.
What needs improvement?
Better reporting and analysis of access (based on client) would be helpful. Also, a tool that allows tracing a user through the rules to authentication.
More detailed analysis during the authentication process, especially for troubleshooting access issues. We have found that troubleshooting RADIUS controls is quite arduous, as it is today. A trace function could easily resolve this by providing a means by which access issues from a certificate to passwords or accounts could easily be identified and remediated.
For how long have I used the solution?
What do I think about the stability of the solution?
ForeScout CA has proven itself to be very solid.
What do I think about the scalability of the solution?
It is very scalable with a lot of features that we aren't even using yet today.
How are customer service and technical support?
Technical support has been great. They are very knowledgeable, helpful, and considerate.
Which solution did I use previously and why did I switch?
We used Cisco ISE but found that it did not have the flexibility that we needed within our organization.
How was the initial setup?
Setup was anything but straightforward, but this had nothing to do with Forescout. This is the nature of NAC solutions in general.
Setup takes significant preplanning. Don't expect to just drop it in, then have it up and running, even if you already use an alternative NAC product. However, it is worth it.
What about the implementation team?
We used a Professional Services engagement from Forescout, but still experienced a lot of issues.
What was our ROI?
What's my experience with pricing, setup cost, and licensing?
The fact that we were allowed to spin up as many servers as we had need of to support our geographic requirements while paying for licensing as an enterprise truly set Forescout apart from the crowd and improved the way we could design our access.
Which other solutions did I evaluate?
We had ISE. As that product reached EOL, we considered whether there were alternatives to a NAC that we should consider but felt that a NAC is a security requirement.
Which deployment model are you using for this solution?