
ISE vs Packet Fence

yoshipower
Level 1

Hello,

I'm currently studying a solution for AAA in my company. Since I've got an almost full Cisco network architecture, I've read a lot about ISE.

But recently I heard about Packet Fence, an open source project which seems to offer the same features.

So I'd like to get some of your advice about this software versus ISE: is it worth getting? What are its advantages and drawbacks?

Since we're on a Cisco forum, I'm not expecting you to tell me that Packet Fence is better, but I'd just like to get objective reviews.

Thankfully,

Yoshipower.

5 Replies

Ravi Singh
Level 7

Hello Yoshipower,

I have gone through the PacketFence features, and I appreciate that, as an open source project, it provides a lot of the features that are available in Cisco ISE. But I would like to inform you that it does not provide the Mobile Device Management technology that ISE provides. ISE provides a real-time location tracking system, supports the connected mobile experience, and moreover has highly qualified engineers to support customers as and when needed.

For more details on ISE, you can go to the links below.

www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/at_a_glance_c45-726284.pdf

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html

Hi Ravi,

I am also looking at the same options and I was heading entirely in the ISE direction until I realised that there is not full support for non-WLC WiFi systems. So since I have an AP1141 this seems to mean that I would be as well to go with Packet Fence as the best I will get from either solution is basic 802.1x authentication?

Footnote number 4 on Table 1 of this document seems to cover most of the limitations:-

http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html

"Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB)."

So based on the above the ISE is not able to offer me profiling services or CoA. And I can only get posture support if I have an inline node everywhere that I have an AP?

Thanks

David

Tarik Admani
VIP Alumni

This is my observation without an understanding of Packet Fence; I apologize for this being one-sided.

One of the main features of ISE is the view that you get with the dashboard and the troubleshooting ease that comes with this software. You can view how users are gaining access through your network, whether that is VPN, wired or wireless.

Also, ISE is designed to grow with your network, so if you have plans on building a wireless infrastructure you can start with the base features, or better yet obtain the ISO that comes with a 90-day base and advanced license that can be run on a virtual machine so you can see it alongside PacketFence.

In the end you have to weigh your options when it comes to your business requirements and your network demands. Are you looking to support a full BYOD infrastructure with posture and MDM integration? Also, what are your expectations as far as support? Cisco AAA is designed to handle all user authentication issues, whether that is supplicant provisioning, dot1x configuration on the network device, along with assisting with ISE configuration, and external database troubleshooting if it's LDAP, AD, RADIUS or token servers. In the end this depends on your current needs and what the network is ready for.

My apologies for the dissertation, I hope this helps!

Sent from Cisco Technical Support Android App

Curious to see what the Packetfence users thought about PF support?

Mike.Cifelli
VIP Alumni

Without diving too deep into the open source solution, I would wonder if Packet Fence would support EAP-FAST if one wanted to utilize EAP chaining for their 802.1X solution, and vice versa. It also looks like Packet Fence only supports certain Cisco platforms. If it were me and my environment was strictly Cisco and licensing costs were not a concern, I would run with ISE. Good luck & HTH!