ForeScout CounterACT vs. FortiNAC

As of February 2019, ForeScout CounterACT is ranked 1st in Network Access Control with 6 reviews vs FortiNAC which is ranked 5th in Network Access Control. The top reviewer of ForeScout CounterACT writes "We like that it can do network access control either with 802.1x or without 802.1x since many network devices are not ready to do 802.1x". ForeScout CounterACT is most compared with Aruba ClearPass, Cisco ISE (Identity Services Engine) and FortiNAC. FortiNAC is most compared with Cisco ISE (Identity Services Engine), Aruba ClearPass and ForeScout CounterACT.
ForeScout CounterACT: 32,894 views | 8,481 comparisons
FortiNAC: 3,589 views | 1,051 comparisons
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pricing and Cost Advice
Devices with multiple IP's count multiple times against your license count.


Information Not Available
317,758 professionals have used our research since 2012.
Answers from the Community
Nkwa Ronnie
Zai Feng (Real User)

Thanks for your nice work. I am working on a similar type of comparison between ForeScout, FortiNAC (Bradford) and ISE for a project in a healthcare organization.

24 September 18
Eliu Rodriguez (User)

Hi Nkwa,

I did some research comparing ForeScout with ClearPass.
Fundamentally they do the same thing but in very different ways. It is important to understand these differences and how they could help you achieve, or not, what you need in your organization. I will only point out these differences and not every single detail. This is based on my own experience and I do not represent either ForeScout or Aruba ClearPass.

DISCOVERY PROCESS / Profiler - METHODS.
• NetFlow or sFlow: ForeScout does not support sFlow, only NetFlow. Is this important? Yes, it is if your switches are not Cisco or from any other vendor that supports the NetFlow protocol.

ForeScout says: "This capability becomes more relevant in large scale deployments, where the CounterACT packet engine is limited in its "ability to detect activity in remote sites and branch offices". Use of information reported by NetFlow improves visibility and speeds detection of new endpoints." Reference: https://www.forescout.com/wp-content/uploads/2018/04/CounterACT_NetFlow_1.2.pdf, page 3.

ClearPass:
NetFlow V5/V9 and V10 aka IPFIX + sFLOW are supported.
Reference: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.6.3/Content/WhatsNew/NewFeatures_ProfilerNWDiscovery.htm

ORCHESTRATE = Integration/Collaboration with other Systems.
ForeScout:

* ForeScout is able to interchange contextual information with 3rd party solutions; however, most of the contextual collaboration capabilities are available using an Extended Module option and ForeScout charges separately for this.
Reference Links:
https://www.forescout.com/platform/extended-modules/#cmt
https://www.cdw.com/product/forescout-extended-module-for-palo-alto-networks-next-generation-firewall/4589573
https://www.cdw.com/search/?key=forescout&searchscope=all&sr=1

ClearPass:
* 140+ integrations are included as part of the core solution. Basically, you can integrate ClearPass with anything in your IT infrastructure at no extra cost to share contextual information: firewalls, MDM, ticket systems, SIEM, etc., using built-in modules or APIs. You can also request customized APIs.
Reference Link https://www.arubanetworks.com/partners/programs/security-exchange/
Reference Link https://www.arubanetworks.com/assets/so/SO_ClearPassExchange.pdf

AGENT OR AGENTLESS?
Basically, an agent-based solution needs software installed, while an agentless approach doesn't.
Independently of which NAC solution you use, it is important to understand whether or not you need an agent.

When a device connects to a network, the agent software performs some actions that have been defined in a central access controller or policy management platform. If persistent, the agent performs auto-remediation functions during a connection and will permanently monitor the device throughout a session to “fix” things that may change.
The dissolvable agent: a user clicks on a web portal link to download the agent, which authenticates the user and device, checks the endpoint for compliance, and allows access to the network if policy conditions are met. It then disappears until the user runs it again.

ForeScout
ForeScout is proud to claim that they don’t require an agent (agentless approach NAC) but this is not completely true. ForeScout needs a “dissolvable agent” for authorization & compliance of unmanaged assets, e.g. employee BYOD, contractor laptops, printers, CCTV cameras, smart TVs, etc. Agentless is fine when all your devices are Windows and all of them are under your management. For non-Windows devices you will need the dissolvable agent to perform health checks and remediation.
Based on this explanation, having an agent or not is irrelevant in most cases. There are many identity sources from which you can extract contextual information to help the NAC do its work; examples are: AD, wireless APs, endpoint protection software, SCCM, MDM, the switches, the firewall, etc.
To do this you need integration; this is possible with ForeScout using the Extended Modules/plugins and normally paying the extra cost.
Reference Link: https://www.forescout.com/wp-content/uploads/2018/08/Agentless-Visibility-and-Control-ForeScout-White-Paper.pdf

ClearPass
ClearPass can run with an agent and without an agent. It has the persistent option and the dissolvable option for BYOD and guest devices. It can be easily integrated with the mentioned identity stores at no extra cost.

https://www.bradfordnetworks.com/agent-based-agent-less-other-understanding-the-different-ways-to-enable-nac/
http://community.arubanetworks.com/t5/Technology-Blog/When-and-why-agents-for-NAC-It-s-not-a-Secret/ba-p/256672
https://community.extremenetworks.com/extreme/topics/nac-vs-seperate-radius-server

802.1X RADIUS AUTHENTICATION OR NOT

Here is one of the major differences. Both support RADIUS authentication. ClearPass sees it as the most secure way to protect your network and ForeScout sees it as something complex that you should try to avoid if possible, in my opinion.

ForeScout:

* ForeScout says: 802.1X presents several deployment, operational and troubleshooting challenges, particularly on wired networks.
* To perform RADIUS-based network authentication you need a “Plugin” to forward the authentication requests to an external authentication server, like the Microsoft NPS (page 10, reference link). You will also need a Switch plugin for wired network RADIUS-based deployment and a Wireless plugin for wireless network RADIUS-based deployment. All this sounds like complexity to me.
* By not having 802.1X configured you also save configuring all the switches on your network, which is not a big problem because you do this once during the useful life of the switch.
* No built-in TACACS+ (centralized remote authentication to network devices like switches, routers, etc.).
Reference Link:
https://www.forescout.com/wp-content/uploads/2018/04/CounterACT_RADIUS_4.3.pdf

ClearPass:
* Has a built-in CA, and if you like you can use an external CA as well.
* Centralizing the RADIUS authentication makes administration and configuration very easy because you don’t have to manage the NAC and the CA separately.
* No plugin is needed for non-802.1X authentication and non-domain-joined devices. In this case you can enforce machine authentication and many other security layers to allow non-domain devices to safely connect without a certificate.
* Non-domain devices can be provisioned automatically or manually using a guest network and dissolvable agent.
* Integration with the Aruba Wireless system for RADIUS authentication is very easy (if you own an Aruba Wireless infrastructure) and at no extra cost.
* You must configure your switches to work with 802.1X. This can be easily done using a template on HPE IMC.
* Built-in TACACS+

DEPLOYMENT AND INITIAL POLICY SETUP:

ForeScout: preferred method is: I let you in then I find out who you are.

• ForeScout CounterACT proposes the post-connect deployment strategy for network visibility and access control, in which endpoints are initially allowed access to the network while CounterACT profiles them to determine ownership and compliance. Access to the network is then adjusted based on profiling results and security policy.
Reference link: https://www.forescout.com/wp-content/uploads/2016/12/CounterACT-Deployment-Guide-Wired-Post-Connect.pdf

This makes sense on new deployments because the NAC can be configured transparently to the end user with no dramatic impact. My question is: What is the process after deployment? Do I let you in and then find a good policy for you?

ClearPass: preferred method is: I let you in if you tell me something about you. Then depending on the roles/policies this unknown device will be moved to a quarantine VLAN for remediation or moved to a dead end VLAN. At the same time this will trigger a ticket to helpdesk and a message to the user to know what is happening and what is the next step.

SUPPORT, SERVICE and DOCUMENTATION:

ForeScout:
• The references are very good everywhere you read on the internet. Also, the expertise of their engineers. You can browse a little and it won't be hard to find references.
Online support, documentation, communities (ForeScout Chatter), etc.

Aruba/HPE
The references are very good everywhere you read on the internet. Also, the expertise of their engineers. You can browse anywhere on the internet and it won't be hard to find references.
Online support, documentation, communities (Aruba Airheads), etc.

PRICE:
This will depend on many factors. I would suggest that you consult both and make your own decision.

07 September 18
ForeScout CounterACT: Ranking 1st | Views 32,894 | Comparisons 8,481 | Reviews 5 | Followers 1,241 | Avg. Rating 9.2
FortiNAC: Ranking 5th | Views 3,589 | Comparisons 1,051 | Reviews 0 | Followers 518 | Avg. Rating N/A
Top Comparisons
Compared 4% of the time.
Compared 31% of the time.
Compared 29% of the time.
Also Known As
ForeScout CounterACT: CounterACT for Endpoint Compliance
FortiNAC: Bradford Networks Sentry, Network Sentry Family
Overview

ForeScout offers Global 2000 enterprises and government organizations the unique ability to see devices, including non-traditional devices, the instant they connect to the network. Equally important, ForeScout lets you control these devices and orchestrate information sharing and operation among disparate security tools to accelerate incident response. Unlike traditional security alternatives, ForeScout achieves this without requiring software agents or previous device knowledge. The company’s solutions integrate with leading network, security, mobility and IT management products to overcome security silos, automate workflows and enable significant cost savings.

The proliferation of Internet of Things (IoT) devices, has made it necessary for organizations to improve their visibility into what is attached to their networks. They need to know every device and every user accessing their networks. IoT devices enable digital transformation initiatives and improve efficiency, flexibility, and optimization. However, they are inherently untrustworthy, with designs that prioritize low-cost over security. FortiNAC provides the network visibility to see everything connected to the network, as well as the ability to control those devices and users, including dynamic, automated responses.

Sample Customers
ForeScout CounterACT: NHS Sussex, SAP, SEGA, Vistaprint, Miami Children's Hospital, Pioneer Investments, New York Law School, OmnicomGroup, Meritrust
FortiNAC: Isavia, Pepperdine University, Medical University of South Carolina, Columbia University Medical Center, Utah Valley University
Top Industries
REVIEWERS
Financial Services Firm: 23%
Government: 15%
Energy/Utilities Company: 15%
Insurance Company: 8%
VISITORS READING REVIEWS
Financial Services Firm: 28%
Energy/Utilities Company: 22%
Government: 11%
Healthcare Company: 8%
No Data Available
Company Size
REVIEWERS
Small Business: 29%
Midsize Enterprise: 19%
Large Enterprise: 52%
VISITORS READING REVIEWS
Small Business: 22%
Midsize Enterprise: 10%
Large Enterprise: 68%
No Data Available
We monitor all Network Access Control reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.