<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Welcome and best wishes on in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/asa-vs-ise/m-p/2734169#M57224</link>
    <description>&lt;P&gt;Welcome and best wishes on your learning.&lt;/P&gt;&lt;P&gt;ASA vs. ISE ... there's only about 5% overlap in those products.&lt;/P&gt;&lt;P&gt;The ASA does control network access for endpoints if they are, say, remote access VPN clients. It can do a little bit of posture checking to make sure the host is compliant with policy. It does a whole lot of other things - stateful firewalling, network address translation, site-site VPN, protocol inspection, etc.&lt;/P&gt;&lt;P&gt;ISE gives you context-based network access control via classic AAA features (Authentication, Authorization and Accounting) combined with rich features such as endpoint profiling, posture assessment, extremely rich rule set creation and processing etc. ISE integrates with many external identity stores such as AD, LDAP, RADIUS etc. and can itself act as a RADIUS server. In fact, a lot of what it does in the context of 802.1x network access control is via Change of Authorization (CoA) using RADIUS Attribute-Value (A-V) pairs. CoA can do things like dynamically change the end user's VLAN assignment, push down a port-specific dynamic access-list, assign a Security Group Tag (SGT), redirect to a web portal for authentication, remediation, device registration etc.&lt;/P&gt;&lt;P&gt;That's just a quick compare and contrast. You can literally spend years learning both and still not know all of either one.&lt;/P&gt;</description>
    <pubDate>Thu, 08 Oct 2015 01:58:59 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2015-10-08T01:58:59Z</dc:date>
    <item>
      <title>ASA vs ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/asa-vs-ise/m-p/2734168#M57223</link>
      <description>&lt;P&gt;Hi guys,&lt;/P&gt;&lt;P&gt;I'm a noob when it comes to ASA and have almost no experience with ISE other than what I can find online. It seems like they both do the same sort of things for us. Security for VPNs. What other differences or similarities are there between these products? Even the most basic differences would be helpful since I'm just starting with ISE.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 06:08:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/asa-vs-ise/m-p/2734168#M57223</guid>
      <dc:creator>douglaswhitwill</dc:creator>
      <dc:date>2019-03-11T06:08:14Z</dc:date>
    </item>
    <item>
      <title>Welcome and best wishes on</title>
      <link>https://community.cisco.com/t5/network-access-control/asa-vs-ise/m-p/2734169#M57224</link>
      <description>&lt;P&gt;Welcome and best wishes on your learning.&lt;/P&gt;&lt;P&gt;ASA vs. ISE ... there's only about 5% overlap in those products.&lt;/P&gt;&lt;P&gt;The ASA does control network access for endpoints if they are, say, remote access VPN clients. It can do a little bit of posture checking to make sure the host is compliant with policy. It does a whole lot of other things - stateful firewalling, network address translation, site-site VPN, protocol inspection, etc.&lt;/P&gt;&lt;P&gt;ISE gives you context-based network access control via classic AAA features (Authentication, Authorization and Accounting) combined with rich features such as endpoint profiling, posture assessment, extremely rich rule set creation and processing etc. ISE integrates with many external identity stores such as AD, LDAP, RADIUS etc. and can itself act as a RADIUS server. In fact, a lot of what it does in the context of 802.1x network access control is via Change of Authorization (CoA) using RADIUS Attribute-Value (A-V) pairs. CoA can do things like dynamically change the end user's VLAN assignment, push down a port-specific dynamic access-list, assign a Security Group Tag (SGT), redirect to a web portal for authentication, remediation, device registration etc.&lt;/P&gt;&lt;P&gt;That's just a quick compare and contrast. You can literally spend years learning both and still not know all of either one.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Oct 2015 01:58:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/asa-vs-ise/m-p/2734169#M57224</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2015-10-08T01:58:59Z</dc:date>
    </item>
    <item>
      <title>Thanks Marvin for the</title>
      <link>https://community.cisco.com/t5/network-access-control/asa-vs-ise/m-p/2734170#M57226</link>
      <description>&lt;P&gt;Thanks Marvin for the explanation!&lt;/P&gt;</description>
      <pubDate>Fri, 09 Oct 2015 03:17:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/asa-vs-ise/m-p/2734170#M57226</guid>
      <dc:creator>douglaswhitwill</dc:creator>
      <dc:date>2015-10-09T03:17:57Z</dc:date>
    </item>
  </channel>
</rss>

