Aruba ClearPass vs Cisco ISE: A 2026 Head-to-Head NAC Comparison
While Cisco Identity Services Engine (ISE) remains the default choice for pure Cisco Software-Defined Access environments, Aruba ClearPass Policy Manager in 2026 offers a demonstrably lower total cost of ownership (TCO) and superior operational flexibility in the multi-vendor enterprise networks that represent the majority of real-world deployments. The fundamental architectural and licensing differences give ClearPass a sustained advantage in simplicity and adaptability, whereas ISE's strength is inextricably tied to the depth of its integration with Cisco's own ecosystem, creating a clear decision point based on network homogeneity.
Architectural Philosophies: Personas vs. Publisher/Subscriber
The most fundamental difference between ISE and ClearPass lies in their core architectural design. Cisco ISE, beginning with version 3.0 and refined in 3.4, uses a distributed model with dedicated "personas." A deployment consists of a Primary Administration Node (PAN), a Primary Monitoring and Troubleshooting Node (MNT), and multiple Policy Service Nodes (PSN). In a large-scale deployment, these roles are distinct pieces of hardware or VMs (e.g., an SNS-3755 appliance for a medium deployment, or its virtual equivalent). The PAN manages configuration, the MNT aggregates logs, and the PSNs are the RADIUS/TACACS+ workhorses that make policy decisions. This separation provides massive scalability but introduces complexity in deployment and certificate management, a common source of day-two operational pain.
Aruba ClearPass, now on version 6.12, utilizes a simpler publisher/subscriber model with clustering. A deployment consists of a single designated "Publisher" node that holds the master read/write configuration database. All other nodes are "Subscribers," which pull a replicated copy of the configuration from the Publisher and can actively process authentication requests. Any Subscriber can be promoted to Publisher if the master node fails, providing high availability. The key difference is that every node (appliance models like the CP-HW-5K or CP-HW-25K, or their virtual equivalents) can, in theory, perform any function. This architecture is inherently more flexible and intuitive to manage, reducing the initial learning curve and simplifying disaster recovery procedures.
Sizing and Licensing: The TCO Battleground
This is where the platforms diverge most significantly, directly impacting budget. Let's model a typical enterprise scenario for 2026: 12,000 users with 20,000 total endpoints, including corporate laptops, BYOD mobile, and a growing fleet of IoT devices (cameras, sensors, displays). The network is a mix of Cisco Catalyst 9300 switches, Aruba CX 6400 switches, and Aruba Wi-Fi 6E APs.
Cisco ISE 3.4 Sizing Example
For 20,000 endpoints, Cisco's sizing tools would mandate a distributed deployment. A minimal resilient setup would be two SNS-3755 appliances (or equivalent VMs) for the PAN/MNT roles and at least two to four more dedicated PSNs to handle the authentication load, depending on geographic distribution. The licensing is the critical part:
- Base License: 20,000 licenses required, one per unique endpoint. This covers basic AAA and guest services.
- Plus License: Required for BYOD (profiling, onboarding) and pxGrid integration. In our scenario, you'd likely license all 20,000 endpoints with Plus to gain visibility, even if only 5,000 are true BYOD.
- Apex License: Required for advanced posture assessment (via the Cisco Secure Client, successor to AnyConnect) and TrustSec. If you require deep host-level compliance checks for your 10,000 corporate laptops, you need 10,000 Apex licenses.
- Device Administration: Included with the base license as of ISE 3.1+, a welcome change from previous perpetual licensing.
The cost escalates quickly with the Plus and Apex tiers. The complexity isn’t just in the cost but in the bean-counting of features against license tiers. Forgetting to purchase Apex for your corporate devices means your posture policies simply will not work.
Aruba ClearPass 6.12 Sizing Example
For the same 20,000 endpoints, you would deploy a cluster of ClearPass hardware (e.g., two CP-HW-25K appliances for redundancy, each capable of handling up to 25,000 concurrent endpoints) or virtual machines. The licensing model is flatter and more predictable:
- Access License: 20,000 licenses required. This is the base license, roughly equivalent to ISE's Base/Plus combination. It includes full AAA, guest, extensive profiling, and onboarding capabilities.
- OnGuard License: 20,000 licenses. If you want persistent host checking (posture), you add the OnGuard license for those endpoints. Unlike ISE's Apex tier, OnGuard is a simple boolean add-on.
In ClearPass, the core features for a modern NAC deployment (profiling, BYOD) are wrapped into the base license. The only significant feature add-on is posture. This direct comparison shows that for a feature-rich, multi-vendor deployment, ClearPass typically presents a significantly lower and more predictable licensing cost than a tiered ISE model.
Policy Construction: ISE "Conditions Studio" vs. ClearPass "Services"
The user experience of building policy is a key differentiator. Cisco ISE uses a series of distinct policy sets that are processed in order: Authentication Policy and then Authorization Policy. An incoming request from a Catalyst 9500-48UXM switch first hits the Authentication policy to verify credentials (e.g., MAB, dot1x EAP-TLS). If successful, it then moves to the Authorization policy, which evaluates a granular set of conditions (device type, user group, posture status) to assign a result, such as a Dynamic VLAN or a Scalable Group Tag (SGT).
Aruba ClearPass uses an object-oriented concept called a "Service." A single Service can contain all the logic for a specific type of request. For example, you would create a "Corporate Wired 802.1X" service. Within that one service, you configure the authentication sources, role mapping rules, and enforcement policies. This approach is widely regarded as more intuitive, as it keeps all related logic in one place. Debugging is simpler; if a wired dot1x user fails, you troubleshoot that one service in the Access Tracker, rather than tracing a request through ISE's separate authentication and authorization rulebases. While ISE's Conditions Studio is incredibly powerful, ClearPass's service model is faster to learn and more efficient for day-to-day administration.
TACACS+ for Device Administration
For TACACS+, both platforms are mature and highly capable. This is largely a feature-parity area. Both provide granular command authorization, allowing you to define policies that permit a junior network administrator to run show ip interface brief on a core router like a Juniper MX204 but deny configure terminal. Both integrate seamlessly with Active Directory for admin authentication.
The difference is, again, in the ecosystem. ISE's TACACS+ functionality is a core component of Cisco's SD-Access solution, where it is used to automate device provisioning and policy enforcement in tight concert with DNA Center. If you are managing an all-Cisco network of Catalyst and Nexus switches (running NX-OS 10.4), the integration benefits are tangible. ClearPass, however, shines in the multi-vendor world. It ships with extensive TACACS+ dictionaries for a huge library of third-party devices from vendors like Palo Alto Networks, Juniper, Arista, and more. Configuring command authorization for a PA-5440 firewall administrator is often a matter of selecting pre-defined commands from a dropdown, whereas in ISE, this might require more manual configuration of permitted command strings.
When NOT to Use Each Platform
When to Avoid ClearPass
Do not choose ClearPass if your organization is deeply committed to the Cisco SD-Access fabric architecture. ISE is the policy engine for SDA. TrustSec and the propagation of Scalable Group Tags (SGTs) from the campus to the data center (on ACI) or SD-WAN is predicated on ISE's central role. Attempting to insert ClearPass into this architecture is a non-starter; you would lose the primary value proposition of the integrated Cisco solution. In this specific, all-Cisco scenario, ISE is not just the better choice; it is the only choice.
When to Avoid ISE
Avoid specifying Cisco ISE for organizations with a highly heterogeneous network environment and a lean IT staff. If your network includes a mix of Aruba, Juniper, Arista, and Cisco hardware, the operational overhead and licensing complexity of ISE become a significant burden. ClearPass’s simpler licensing, intuitive service-based policy model, and broader out-of-the-box support for third-party devices make it a far more efficient solution to manage in a non-Cisco-centric world. The TCO, when factoring in both licensing and person-hours for administration, will almost certainly favor ClearPass.
Common Pitfall: Certificate Management in ISE
A frequent and painful pitfall for ISE deployments is certificate management. A distributed ISE cluster requires multiple certificates for different functions across multiple nodes. You have the Admin certificate for the web GUI, the EAP certificate for 802.1X client authentication, the pxGrid certificate for ecosystem integration, and the Portal certificate for guest/BYOD captive portals. These must be signed by a trusted CA (often an internal Microsoft CA), and ensuring the client, PAN, MNT, and PSN nodes all trust the correct chains is a common source of protracted troubleshooting. An expired or misconfigured certificate on a single PSN can bring authentication to a halt for thousands of users.
Posture & Profiling: OnGuard vs. Cisco Secure Client
Both platforms offer robust posture assessment. ClearPass uses the OnGuard agent, a persistent client that performs health checks on Windows, macOS, and Linux endpoints. It can check for antivirus status, firewall rules, running processes (e.g., ensuring CrowdStrike Falcon is active), registry keys, and more. Failure to meet policy can result in quarantine or remediation.
Cisco ISE leverages the Cisco Secure Client (the evolution of AnyConnect) for the same function. Its capabilities are on par with OnGuard. The key difference is in the agentless story. ISE has a deep "Device Sensor" capability built into modern Catalyst switches (e.g., Catalyst 9300-48P) running IOS-XE 17.9 or later. The switch itself can collect DHCP, CDP, LLDP, and HTTP User-Agent data and feed it directly to the ISE profiler, enabling highly accurate agentless identification of endpoints like IP phones and printers. While ClearPass can use similar data sources (DHCP/SPAN), the on-switch sensor integration gives ISE an edge in the fidelity of its passive profiling in an all-Cisco wired network.
Both NAC solutions are titans of the industry for a reason. They deliver comprehensive, reliable network access control. However, they are built on different philosophies. Cisco ISE 3.4 is the unparalleled choice for deep integration within a homogeneous, automated Cisco SD-Access fabric. Aruba ClearPass 6.12, by contrast, is the pragmatic, flexible, and cost-effective choice for the majority of enterprises that operate complex, multi-vendor networks. For any organization not fully bought into the end-to-end Cisco vision, the combination of ClearPass’s simpler architecture, more predictable licensing, and intuitive policy management makes it the superior choice for 2026 and beyond.
Ready to assess which NAC solution best fits your multi-vendor environment? The experts at TechLeague can provide a data-driven analysis and TCO model tailored to your specific needs. Visit techleague.io to learn more. Continue your research by reading our deep dive on ClearPass vs FreeRADIUS or our guide to performance tuning Cisco ISE.
Frequently asked questions
Do I still need separate Device Administration licenses for TACACS+ in ISE 3.4?
No. As of Cisco ISE 3.1 and later, the TACACS+ device administration functionality is included as part of the base license. However, the overall licensing model remains tiered (Base, Plus, Apex), and total cost is still heavily influenced by the advanced features you require.
Can Aruba's ClearPass OnGuard agent manage mobile devices like iOS and Android?
No, OnGuard is designed for traditional operating systems: Windows, macOS, and Linux. For mobile device posture, ClearPass integrates with MDM/UEM platforms like Microsoft Intune, VMware Workspace ONE, and MobileIron. ClearPass uses API calls to query the device compliance status from the UEM and uses that data in its authorization policies.
What is the key difference between ISE pxGrid and ClearPass API extensions?
Cisco's pxGrid is a centralized publish/subscribe message bus for security ecosystem integrations, enabling real-time, bidirectional data sharing. It is very powerful but adds architectural complexity. ClearPass relies more on direct REST API integrations and pre-built dictionaries for third-party systems, which is generally simpler to configure but may operate in a request/response model rather than a real-time stream.
Is a dedicated logging server (like Cisco's MNT) required for ClearPass?
No, ClearPass does not require a dedicated logging node. Any node in a ClearPass cluster can handle logging, though it is a best practice to direct logs to a centralized Syslog/SIEM platform (like Splunk or Sentinel) for long-term storage and analysis, as on-box storage is limited. For large deployments, you can designate specific subscriber nodes as primary logging targets to centralize traffic.
Can I run Cisco ISE or ClearPass in a public cloud environment?
Yes, both platforms fully support deployment in public clouds like AWS and Azure. This is a common strategy for protecting cloud-managed resources and for providing centralized NAC services to geographically dispersed sites without deploying local hardware. Licensing models have been adapted for cloud use, typically in BYOL (Bring Your Own License) formats.
Which product is better for handling a large number of IoT devices?
Both are excellent. ISE's Device Sensor on Catalyst switches provides exceptionally high-fidelity passive profiling data. ClearPass's profiler is also very strong and can be configured to use more active scanning methods (like NMAP), which can identify devices faster at the risk of setting off security alerts. The choice often comes down to whether your switches are primarily Cisco or from other vendors.
Does ClearPass support TrustSec or Scalable Group Tags (SGTs)?
ClearPass has the ability to send Cisco AV-Pairs, including the SGT value, in a RADIUS Access-Accept message. This allows ClearPass to assign an SGT to an endpoint connecting to a Cisco switch. However, it does not support the full TrustSec architecture, such as SGT Exchange Protocol (SXP) for propagating SGTs across network devices that are not in the data path. Therefore, while it can participate in a TrustSec domain, it cannot act as the central policy controller in the same way ISE does.
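The two policy results named in the Policy Construction section (a dynamic VLAN) and in this answer (an SGT sent as a Cisco AV-Pair) both travel as attributes in the RADIUS Access-Accept, whichever NAC produced them. The block below is an added example, not code from the article, Cisco or HPE Aruba: it encodes both results per RFC 2865/2868 and parses them back with length checks so a malformed attribute list raises instead of being silently misread. Attribute numbers and the Cisco vendor id are the standard ones, the av-pair text follows the cts:security-group-tag=<sgt>-<generation> form Cisco uses, and the VLAN and SGT values are constructed.

```python
# Added example, not the article's or either vendor's code. Attribute numbers per
# RFC 2865/2868; Cisco vendor id 9, vendor-type 1 = cisco-av-pair. Values constructed.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
SGT_PREFIX = "cts:security-group-tag="

def attr(atype: int, value: bytes) -> bytes:
    """RFC 2865 TLV: Type, Length (header included), Value; value capped at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged_int(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag then the low 3 bytes of the value."""
    return attr(atype, bytes([tag]) + struct.pack("!I", value)[1:])

def vlan_attrs(vlan: int, tag: int = 1) -> bytes:
    """Dynamic VLAN: Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (IEEE-802),
    Tunnel-Private-Group-ID carrying the VLAN number as a tagged string."""
    return (tagged_int(TUNNEL_TYPE, tag, 13) + tagged_int(TUNNEL_MEDIUM, tag, 6)
            + attr(TUNNEL_PRIV_GROUP, bytes([tag]) + str(vlan).encode()))

def cisco_sgt_attr(sgt: int, generation: int = 0) -> bytes:
    """SGT as cisco-av-pair 'cts:security-group-tag=<sgt hex4>-<generation hex2>'."""
    text = f"{SGT_PREFIX}{sgt:04x}-{generation:02x}".encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(text) + 2) + text
    return attr(VENDOR_SPECIFIC, vsa)

def parse_accept(payload: bytes) -> dict:
    """Walk the attribute list with length checks and pull out the VLAN and SGT."""
    out, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError(f"malformed attribute at offset {i}")
        atype, alen = payload[i], payload[i + 1]
        val = payload[i + 2:i + alen]
        if atype == TUNNEL_PRIV_GROUP:
            out["vlan"] = int(val[1:])  # drop the tag byte
        elif atype == VENDOR_SPECIFIC and len(val) >= 6 and val[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vtype, vlen = val[4], val[5]
            text = val[6:4 + vlen].decode(errors="replace")
            if vtype == CISCO_AVPAIR and text.startswith(SGT_PREFIX):
                sgt_hex, gen_hex = text[len(SGT_PREFIX):].split("-")
                out["sgt"], out["sgt_generation"] = int(sgt_hex, 16), int(gen_hex, 16)
        i += alen
    return out
```

The parser only recognises the Cisco vendor id, which is the point of the answer: a ClearPass Access-Accept can carry the SGT to a Cisco switch, but nothing here propagates it further the way SXP would.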