I have finished a few Juniper NAC projects, but nowadays I deal with Cisco ISE, and
Cisco looks smarter. Also, Juniper doesn't improve NAC; for example, there's no profiling for MAC auth devices,
or any interface for BYOD. Yes... you can do it with but need lots of configuration steps.
What do you think about Juniper and Cisco ISE?
Same tests from our side, because we are fed up with features announced by Juniper "in the next release" but never available. We think ISE is smarter too. We have been a Juniper customer for several years, but the products are no longer "sexy"...
For the "BYOD" or "mac-auth" table needs, Juniper is now in partnership with Great Bay Software, whose product is dedicated to this need (it scans and profiles all MAC addresses on the network, and creates an LDAP directory matching MAC/profiles to be reached by UAC).
This solution is now available for installation on SM-MAG modules (a little bit expensive maybe, but it does the job.)
I actually use Juniper UAC a lot; do you have more examples of what is better on Cisco/missing on Juniper?
If Juniper were smart they would QUICKLY acquire Forescout and their CounterACT product. We've used Cisco and demoed Juniper, and all I can say is buying CounterACT was the best move we made. Please buy them, Juniper.
As I said, Juniper just had a partnership with Great Bay Software, which seems to be the same kind of product as your CounterACT.
It works very well and has been available on MAG SMs for a few weeks.
The advantages of Cisco and Juniper
Cisco screens are smarter
Cisco has its own reporting tool
Cisco has integrated profiling
Advanced RADIUS function
I want to add some extra notes:
Cisco ISE does not support two or more ADs as an external identity source; you need to define
LDAP for additional AD support, but LDAP does not support the PEAP protocol, so you need to use EAP-TLS.
Also, Cisco could not use a different certificate for every ID.
Cisco ISE does not support accounting; you need to define accounting on RADIUS client devices.
Cisco supports the SXP protocol for authentication information exchange. This protocol will be an IEEE standard protocol, so
Cisco switches and firewalls support this feature now.
Cisco has huge documentation and golden labs; that's great for network admins.
Also, Cisco Prime network management gets extra visibility about the network.
The base license is too cheap; you can do most of the features with the base license. And you
can buy as many advanced licenses as you need. But the advanced license has a time range, with 3- or 5-year options.
Juniper supports reporting in the new release
Juniper supports accounting
Juniper uses IF-MAP instead of SXP; I think SXP is more powerful than IF-MAP
Juniper still does not support an onboard profiling solution; they use beacon for profiling
The biggest missing part of Juniper is that you could not define a policy about the user and the user's profiled device at the same time.
For example: if the user name is x and the device is an iPhone, assign VLAN y. You can do it with Cisco ISE.
There's no time limitation for licensing, but you could not use the same device for AD (802.1X) and Advanced license on the same box. Also, profiling needs an extra license.
Both solutions do not support the TACACS protocol.