The rise in the popularity of remote work has caused a massive portion of the workforce to stay home. This is made possible by advanced BYOD devices with top-notch technical capabilities, such as laptops and smartphones. However, these devices are primarily designed for personal use, leaving them vulnerable to security threats. Thus, they require robust Network Access Control(NAC) solutions for optimum protection against superior cyber-attacks.
Since you are here, the chances are that you are looking for an efficient and user-friendly network access control solution for your organization that works well with your existing network devices. Cisco Identity Services Engine (ISE) and Aruba ClearPass are two popular solutions, and we’ll be comparing them here to help you make your decision.
NAC Vendor Features Comparison
Certificate Management
Modern-day network access control solutions are incomplete without profound Certificate Management, and organizations also realize this. Over the last few years, the exponential rise in cyberattacks has forced businesses to take digital certificates a little more seriously – and rightly so! Digital certificates have opened new dimensions for organizations to feel more secure with a seamless migration from credential-based protections.
Two pioneers in the network solution market, Cisco ISE, and Aruba Clearpass, have dominated the market for quite some time. Let’s analyze how their certificate management varies one by one.
Cisco ISE
Cisco ISE utilizes its administrative node for certificate management. This node is also known as the Policy Administrative Node (PAN). Cisco ISE also has a built-in function to perform Certificate Signing Requests (CSR).
In Cisco, ISE nodes work by mutually trusting the root certificates of other nodes in the same cluster of network resources. Additionally, the admin’s login details for joining nodes must be entered in the fixed nodes’ PAN. While Cisco ISE allows the creation of Wildcard SAN certificates on the CSR page itself, there is no such provision in Clearpass for the same.
Aruba Clearpass
Like Cisco ISE, Clearpass utilizes its administrative nodes for Certificate Management, which they’ve named “Publisher.” Both Clearpass and Cisco ISE have built-in functions for performing CSRs.
In Aruba Clearpass, mutual trust between nodes in the same cluster is not necessary to assign privileges. Furthermore, the login details of the app admin are essential for joining nodes within a cluster. Creating a Wildcard SAN certificate in Clearpass is only possible using external tools such as OpenSSL.
Wildcard SAN Certificate
Both ISE and Clearpass support the Wildcard SSL Certificate having a wildcard character (*) in its domain to enable multiple subdomains referring to the base one. While one can argue that by enabling TLS/SSL encryption, Wild card certificates can secure multiple websites using a single certificate. Still, it would not be advisable to do so because of the compromising vulnerabilities associated with the practice. These certificates, if infiltrated, would be hard to recognize and hamper device visibility due to false authentication by the Wildcard server itself.
Both ISE and Clearpass are pioneers in the field, but they also have drawbacks with access support for certificate management, especially with the Wildcard certificates. Clearpass also has issues with deleting multiple certificates on the client-server if the client decides to re-enroll certificates on its own device. Certificate management can become messier without proper server and client-side clean-up, and end-user experience might get impacted.
A sensible move would be to choose a certificate vendor that can provide a turnkey Managed PKI solution, essential for certificate-hardened security. These solutions offer efficient network access solutions and a role-based access tracker to simplify certificate management. They also enable organizations to generate their Root and Intermediate certificates for new devices and virtual appliances for better Firewall inspection.
Active Directory (AD) Integration
The introduction of Active Directory back in the early 2000s was seen as an iconic move by Microsoft in the field of data management and network security. AD is a hierarchical structure that provides a centralized platform to manage the access of data and information in a network. Since then, Microsoft has incorporated multiple services under its directory to cover almost all the aspects of network authentication:
Active Directory Domain Services (AD DS)
AD DS is the centralized service that acts as an umbrella for all the other directory services. It is the basis of the Windows OS domain network and stores all the data and credentials of users/devices in the network. The success of both Cisco ISE and Aruba Clearpass has a lot to do with their seamless integration with AD DS.
Let’s take a look at how these NACs function with Active Directory.
Cisco ISE
Cisco ISE supports multi-joint AD domains, which refer to joining different nodes in an AD cluster.
ISE also allows users to choose and define a subset of the domain, which is sometimes required by devices for authentication purposes. It uses security identifiers (SID) to effectively manage group and user attributes.
Aruba Clearpass
Unlike Cisco ISE, Aruba Clearpass doesn’t support the joining of multiple nodes. Since AD verifies groups of users before authentication, Clearpass is able to perform Enforcement, which is the mechanism of assigning designated tasks to users.
Clearpass performs the bind operation in conjunction with AD, allowing AD to authenticate credentials with LDAP servers for queries. It also allows users to manually type the rules to utilize attributes from any group manually. It’s user-friendly, to be sure, but you need to be cautious to avoid making typos.
Problems with on-premise AD
Active Directory was popular back when on-premise infrastructure was the only option for the network admins. With the rise in popularity of cloud computing, Azure AD (Microsoft Entra ID) became popular with its more secure authentication features. Still, Azure AD could not replace on-premise AD entirely, as it does not support LDAP, Kerberos, GPOs, or NTLM authentication. It also has limitations in supporting WPA2-Enterprise and 802.1x authentication.
The most sensible way to overcome these drawbacks is to implement digital certificates, which easily support WPA2-Enterprise, 802.1x, and provide seamless migration to the cloud. Microsoft AD CS does provide admins the power to build the on-premise PKI, but compared to Cloud-PKIs, it is very cumbersome, expensive, and time-consuming. Besides, it does not support non-Windows devices, nor does it control access of non-authorized users.
Which NAC works better with AD?
As we have seen, both ISE and Clearpass have their own set of advantages and disadvantages. Both are popular with varying access levels and integrate well with on-premise and Azure AD, but they do not provide security at par with certificates. Also, there are many security concerns and complications involved with on-prem AD, such as the cost of maintaining on-prem infrastructure or the necessity of physical security measures like an enclosed space.
If you’re looking to make a move to the cloud without relying on credentials, SecureW2 can help you make that transition, as well as upgrade your authentication with digital certificates. These certificates perform best if coupled with EAP-TLS, which provides better control to both clients and server sides. We offer versatile solutions that use WPA2-Enterprise and 802.1x protocol for authentication to organizations from every vertical.
User-Interface
A good user interface (UI) plays a vital role in determining the usability of any Network Access control solution (NAC). A good UI enables the network administrator to effectively train users and control access within an organization, ultimately saving time.
Cisco ISE and Aruba Clearpass have both received positive reviews from their customers. We’ll take a look at the two UIs offered by them based on customer reviews and our own experience.
Cisco ISE
According to various customer reviews by Gartner, ISE’s UI has a few limitations when it comes to working with complicated networks. Network configurations not supported in the UI need to implement flexconfig, which can degrade its performance over time.
Some users have also felt the UI is relatively slow compared to its other counterparts. Although ISE has updated its UI in the subsequent ISE 2.0 AND ISE 2.3 version, it still needs further improvement.
Aruba Clearpass
Although the appearance of its UI may appear a bit old-fashioned for a superior user, navigating through its sections is faster than ISE. Some users have also positively reviewed its UI on websites like Capterra and found it user-friendly. Its dashboard may not have a modern appearance like that of ISE, but Clearpass has provided quick links to some of the most visited sections for convenience.
Some users have found this more important than its looks. Also, we feel that Aruba has done a better job in its documentation. Cisco also offers documentation, but mainly on the community forums, leading to a frustrating search for answers whenever problems and queries arise.
RADIUS Server
RADIUS (Remote Access Dial-in User Service) is a server-client network authentication protocol with an advanced network security and visibility technique. It follows the AAA protocols, which stand for Authentication, Authorization, and Accounting in networking. The RADIUS server is an integral component of WPA2-Enterprise.
While RADIUS can be implemented on both on-premise and cloud environments, the perks of the latter are immense. Both Cisco ISE and Aruba Clearpass offer superior on-premise RADIUS compared to their cloud counterparts. There are many functional overlaps between the two except for some end-user experiences. The primary issue with both the RADIUS servers is that they tend to be expensive.
How do I choose the better RADIUS?
The best bet would be to choose the RADIUS, which smoothly adapts to the cloud by integrating with any network infrastructure and fits into the organization’s budget. We have already seen that Cisco ISE and Clearpass have issues with the criteria mentioned above.
SecureW2 offers practical technical support to these drawbacks with its innovative Cloud RADIUS, designed from the ground up for passwordless authentication and vendor-neutrality, allowing for seamless integration with virtually any IDP. It follows EAP-TLS passwordless authentication and works with IDPs like Azure AD, Okta, and Google to provide high privilege access.
Final Verdict: The Best NAC Vendor
Today the importance of digital certificates is not only acknowledged by network admins of large corporations but also by new startups and mid-level enterprises. Both Cisco ISE and Aruba Clearpass are industry giants and perform unique context-aware security access, but their overdependence on credentials makes them vulnerable at times.
Budget-wise, new startups, and mid-level enterprises might have a hard time installing and maintaining products from either vendor. Similarly, organizations already having a RADIUS infrastructure also face issues in the maintenance part. SecureW2’s suites can be of great help to these customers. Today we provide smooth onboarding for BYOD, ManagedDevices, K12, VPN access, higher education, and so on.
With our JoinNow Connector PKI, organizations can effectively leverage any existing RADIUS infrastructure and provide the best possible experience for the customers. Here’s our budget-friendly pricing and a one-stop gateway for your secure network authentication solutions.