How does ISE get visibility of OT devices etc vs Forescout

carl_townshend
Spotlight

Hi All

We currently use Forescout for our NAC solution and visibility of OT assets; the data is collected via MAC, ARP, SPAN, network and Nmap scans.

What would an equivalent ISE solution look like, and what would we need? Does it use the same things to profile the devices?

Has anyone moved from Forescout to ISE and the reasons why?

Cheers

6 Replies

Similar, but ISE has DHCP, NetFlow, SNMP, and other probes besides what you mention...

all of them are documented here:

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456


Thank you for that info. So all these services can run on one server? How many devices can a single server cover normally?

Also, can you have a "post connect" mode, whereby you don't use 802.1X or MAB? You let the device connect first, but have it so it profiles the device and, if not authorised, it simply moves the VLAN etc.?

You need 802.1X or MAB to create a RADIUS session to control the endpoint on the network device.

You may provide a default authorization to perform some initial profiling, then perform a RADIUS Change of Authorization (CoA) - assuming your network device supports this capability - to update the authorization to the appropriate device type's access. See https://cs.co/ise-profiliing for the deployment guide and options.

"Post connect" is MUCH less secure than the ISE or ClearPass methods of requiring 802.1X/MAB first. FortiNAC takes a similar approach to ForeScout. The scale of the "post connect" solutions is also much less than that of those based on RADIUS. It takes a lot more resources to constantly run SNMP walks, CLI commands, and listen for SNMP or syslogs than it does to respond to simple, small RADIUS requests.

JPavonM
VIP

The main question here will be whether Cisco ISE supports a multi-vendor infrastructure to get information from.

In Forescout you can collect information and apply actions (virtual firewall, disconnections, blocks) over any vendor's devices (switches, routers, firewalls, AP/WLCs), but it seems to me like Cisco ISE only does this with Cisco network devices, or am I wrong?

Incorrect, ISE uses various standards to accomplish this. https://cs.co/ise-interop