Cisco ISE (Identity Services Engine) and Aruba ClearPass, also known as CPPM (ClearPass Policy Manager), are two widely used solutions in the world of network access control (NAC). Both products are designed to provide secure access, manage policies, and enforce compliance across networks. While they achieve similar goals, they differ slightly in how they go about it.
Deployment Options
Both Cisco ISE and Aruba ClearPass offer flexible deployment options to suit different network environments. They can be deployed as virtual machines, physical appliances, or cloud-based solutions, giving organisations the freedom to choose the infrastructure that best fits their needs. Regardless of the deployment method, each instance of ISE or ClearPass is referred to as a "node."
Cluster Architecture
In a typical deployment, multiple nodes are joined together to form what is commonly referred to as a cluster. Clusters can consist of as few as two nodes or scale up to 50, depending on the size and needs of the organisation.
At the heart of every cluster is a node responsible for managing configuration and distributing policies across the entire deployment. In Cisco ISE, this central node is called the Policy Administration Node (PAN), with the option to add a secondary PAN for redundancy. In Aruba ClearPass, the primary node performing this role is referred to as the Publisher, with a Standby Publisher acting as its backup.
Node Comparison Table
| Function | Cisco ISE | Aruba ClearPass |
|---|---|---|
| Primary Management Node | Policy Administration Node (PAN) | Publisher |
| Backup Management Node | Secondary PAN | Standby Publisher |
| RADIUS Processing Node | Policy Services Node (PSN) | Subscriber |
| Maximum Cluster Size | 50 nodes | 50 nodes |
| Minimum Cluster Size | 2 nodes | 2 nodes |
Handling RADIUS Requests
Both solutions are built to handle RADIUS requests, which are fundamental to network authentication and authorisation. However, each product refers to the nodes handling these requests differently.
In Cisco ISE, nodes that process RADIUS requests are called Policy Services Nodes (PSNs). A PSN can be a dedicated node, or it can run on the same node as other personas, such as the PAN. Aruba ClearPass, on the other hand, refers to these nodes as Subscribers. As in Cisco ISE, a node in ClearPass can serve as both a Publisher and a Subscriber if needed.
Cisco ISE Node Roles
- PAN: Configuration management and policy distribution
- PSN: RADIUS request processing and policy enforcement
- Combined: PAN + PSN on same node (smaller deployments)
ClearPass Node Roles
- Publisher: Configuration management and policy distribution
- Subscriber: RADIUS request processing and policy enforcement
- Combined: Publisher + Subscriber on same node
Scalability Considerations
Both platforms offer excellent scalability options:
- Start with a 2-node cluster for redundancy
- Add nodes as user base and RADIUS load increases
- Distribute RADIUS processing across multiple nodes
- Geographically distribute nodes for optimal performance
Deployment Best Practices
- Always deploy with redundancy (minimum 2 nodes)
- Separate management and RADIUS processing for large deployments
- Consider geographic distribution for global organisations
- Plan for growth: it is easier to add nodes than to redesign the architecture
- Use virtual deployments for flexibility, physical for maximum performance
Conclusion
While Cisco ISE and Aruba ClearPass share many similarities in terms of functionality and architecture, the key difference lies in how they refer to and organise their core components. Both are powerful network access control solutions that allow for highly scalable and secure network environments. Deciding between them often comes down to existing vendor relationships, feature preferences, and specific organisational needs.