Alternatives to ISE?

Mel Beckman mel at
Sun Dec 3 15:22:31 CST 2017

I’ve used PacketFence for several years, but it’s kind of fragile. Compared to many FOSS systems, it’s exceptionally well documented, and uses reasonably good Web GUI standards. It also supports Cisco switches well. However, I routinely have to twiddle with it when one or another internal components silently crashes. It’s about ads fiddly as Asterisk is for telephony: just when you think you’ve got it working, some unpredicted external event — a new device or an OS security patch — breaks it. What PF really needs is some kind of internal monitoring and notification system to let you know when and what stopped working. Various users have jury rigged their own scripts and published them, but they’re too customized to work generically for any PF installation.

I’ve seen commercial NAC systems that appear to be much more reliable. Cisco’s is not among them. I haven’t taken the time to try them out yet, however. 


> On Dec 3, 2017, at 7:06 AM, Jean | via NANOG <nanog at> wrote:
> I'm about to try this one.
> Not sure if it covers all the features you need though, but it seems
> promising. In case you give it a try, could you share your experience
> please?
> Thanks
> Jean
> On 17-12-03 09:48 AM, segs wrote:
>> Forescout but if you want something simpler with SNMP authentication of
>> switches and Domain Controller of authorized PCs you can have a look at
>> Portnox. Done couple of deployments with Portnox.
>> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff <cjwolff at>
>> wrote:
>>> I've about reached my limit with the dumpster fire that is Cisco's
>>> Identity Service Engine.  Are there any reliable alternatives that do
>>> endpoint classification, central web auth, and .1x auth?
>>> Thanks in advance,
>>> Christopher

More information about the NANOG mailing list