topic Re: How does ISE get visibility of OT devices etc vs Forescout in Network Access Control

How does ISE get visibility of OT devices etc vs Forescout

carl_townshend — Thu, 09 Jan 2025 08:14:42 GMT

Hi All

We currently use Forescout for our NAC solution and visibility of OT assets, the data is collected via mac, arp, span, network and nmap scans.

What would an equivalent ISE solution look like, what would we need? does it use the same things to profile the devices?

Has anyone moved from Forescout to ISE and the reasons why?

Cheers

Re: How does ISE get visibility of OT devices etc vs Forescout

ccieexpert — Thu, 09 Jan 2025 09:41:15 GMT

Similar but ISE has DHCP, netflow,snmp, and other probes besides what you mention...

all of them are documented here:

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456

Re: How does ISE get visibility of OT devices etc vs Forescout

carl_townshend — Thu, 09 Jan 2025 10:28:36 GMT

Thank you for that info, so all these services can run one one server? how many devices can a single server cover normally?

Also, can you have a "post connect" mode, whereby you dont use 802.1x or MAB, you let the device connect first, but have it so it profiles the device and if not authorised, it simply moves the vlan etc?

Re: How does ISE get visibility of OT devices etc vs Forescout

thomas — Thu, 09 Jan 2025 16:53:13 GMT

You need 802.1X or MAB to create a RADIUS session to control the endpoint on the network device.

You may provide a default authorization to perform some initial profiling then perform a RADIUS Change of Authorization (COA) - assuming your network device supports this capability - to update the authorization to the appropriate device type's access. See https://cs.co/ise-profiliing for the deployment guide and options.

Re: How does ISE get visibility of OT devices etc vs Forescout

ahollifield — Thu, 09 Jan 2025 20:35:49 GMT

"Post connect" is MUCH less secure than the ISE or ClearPass methods of requiring 802.1X/MAB first. FortiNAC takes a similar approach as ForeScout. The scale of the "post connect" solutions are also much less than those based on RADIUS. It takes a lot more resources to constantly run SNMP walks, CLI commands, listen for SNMP or syslogs than it does to respond to simple, small RADIUS requests.

Re: How does ISE get visibility of OT devices etc vs Forescout

JPavonM — Mon, 13 Jan 2025 09:14:58 GMT

The main question here will be if Cisco ISE support multi-vendor infrastructure to get information from.

In Forescout you can collect information and apply actions (virtaul firewall, disconnections, blocks) over any vendor device s (switches, routers, firewalls, AP/WLCs), but it seems to me like Cisco ISE does only make this with Cisco network devices, or am I wrong?

Re: How does ISE get visibility of OT devices etc vs Forescout

ahollifield — Mon, 13 Jan 2025 11:21:27 GMT

Incorrect, ISE uses various standards to accomplish this. https://cs.co/ise-interop