COMPETITIVE BATTLECARD

Last Updated April 24, 2019

Pulse Policy Secure (PPS) vs. Audience Pulse Secure Worldwide Sales

Distribution Internal Only

Cisco ISE Comments/Questions: akanoon@pulsesecure.net

PPS Strengths / Weaknesses Cisco ISE Strengths / Weaknesses

- PPS can scale to 15K with a single physical node and 5K with
single virtual node - more than double the users as compared to
Cisco on a single virtual instance.
- PPS supports Layer 2 (802.1x), MAC auth, Layer 3, and web-
based deployments.
- PPS is standards-based and seamlessly integrates with 3rd party
equipment.
- PPS provides a unified client, GUI, and licenses, while Cisco
employs a double dipping policy which eventually leads to higher
CapEx and OpEx.
- PPS has limited administrative tools like templates and wizards.
- PPS has limited reporting.
- PPS has very limited guest functionality.
- PPS does not have native profiling. Profiling is available via a 3rd
party solution (Great Bay Software’s Beacon Server).
- Cisco has a large infrastructure install base.
- Cisco has a large marketing machine.
- Cisco ISE has native profiling.
- Cisco ISE guest scaling is superior to Pulse Secure.
- Scaling requires up to dozens of nodes.
- Cisco ISE deployment and configuration is very complicated and
requires a Cisco authorized technology partner approve a High
Level Design (HLD). Most deployments require professional
services assistance.
- Requires a Cisco infrastructure for many features (MACsec,
SGA) locking customers in Cisco-only.
- The 3rd access method, VPN, is very much ignored.
- Cisco requires a separate set of licenses and different admin
console to provide off-premises connectivity.

Series / Components
Series / Components
 Cisco ISE physical and virtual appliance
 MAG Series physical and virtual appliance  Cisco NAC Agent
 Pulse Mobility Client

Quick Comparison
Pulse Pulse
Feature Secure
Cisco Feature Secure
Cisco

Layer 2 and Layer 3 network

admission control   Basic reporting  
Guest management   Advanced reporting  
Device onboarding   Admin wizards  
Unified desktop client   Automation capable (DMI,
netconf)  
Profiling (native)   Standards-based  
Recommended number of
Profiling integration   physical nodes needed to scale to
10K
1 7
Self-service device registration   Virtual Appliance max users
(single node) 5K 2K
Common Access Licenses  
 COMPETITIVE BATTLECARD

Comparison Features Description

Layer 2 and Layer 3 network admission control: Pulse Secure and Cisco provide network admission control for both layer
2 and layer 3 for wired and wireless. Pulse Secure can also provide policy decisions and session information for connections
coming in from VPN. After all, BYOD devices are not only used when on-premises, a concept that Cisco seems to ignore.
Guest management: Pulse Secure and Cisco both provide guest management. Pulse Secure allows for customized guest
management portal for not only the look but also the fields that are needed.
Device onboarding: Pulse Secure and Cisco both provide device onboarding when on-premises. Pulse Secure can also
provide this same onboarding when trying to connect your device for the first time via VPN.
Unified desktop client: Pulse is the single desktop client needed to enable both on-premises (wired and wireless) and off-
premises (VPN) connectivity. Cisco requires multiple clients to be installed and supported on desktops.
Profiling (native) and profiler integration: While Pulse Secure does not have a native profiler, we have partnered with
Great Bay Software to integrate with its marketing leading profiler.
Self-service device registration: At this time, Pulse Secure does not provide a self-service device registration portal,
however, this feature will be available in the future.
Common Access Licenses: Pulse Secure's Common Access Licenses (CAL) can be used for both PPS and PCS saving
you money. Cisco would require two separate, premium licenses to accomplish the same thing.
Basic and Advanced reporting: Pulse Secure and Cisco both provide basic reports. Cisco provides more canned reports
for very specific, Cisco-only features.
Admin wizards: While Pulse Secure does not provide admin wizards, it should be noted that administrative tasks have been
streamlined and the GUI is simpler to understand and use, thus most wizards were not necessary.
Automation capable (DMI, netconf): Pulse Secure's PPS provide multiple methods to help in automation and deployment.
Standards-based: Pulse Secure's PPS is standard-based. Integration with 3rd parties is done via REST APIs. Session
information can be communication is TNC's IF-MAP open-standard. Cisco ISE uses pxGrid, a new and untested propreitary
method.

Silver Bullets / Questions to Ask the Customer

“Have you read Cisco ISE’s deployment guide and seen their recommended deployments?”
- A single all-in-one Cisco ISE appliance can be used for demos. In real deployments with more than 2K endpoints,
multiple physical nodes are needed. Pulse Secure can do 10K with one physical node. For deployments over 10K, Cisco
recommends two physical nodes dedicated to administration, two physical nodes dedicated to monitoring/troubleshooting,
and up to 40 physical nodes as policy engines.
“Is the rest of your infrastructure Cisco also?”
- Many of the features Cisco ISE promises use proprietary methods and protocols which can only work with Cisco
switches and wireless LAN controllers. Pulse Secure’s approach is to use open standards that work with all 3 rd party
equipment.
“Would you like VPN profiles pushed out during onboarding?”
- Cisco ISE does not support VPN profiles during onboarding. Pulse Secure knows that BYOD means having mobile
devices that will connect remotely, so VPN profiles are also part of the onboarding process.
“Do you have an SSL VPN solution for remote access?”
- Pulse Secure’s Pulse Connect Secure (PCS) has the same GUI and uses the same licenses and client as Pulse
Policy Secure. Session information can be passed between the solution to provide real access control for wired, wireless,
and VPN access. Cisco requires that you buy a completely separate appliance, have administrators that have experience
with the completely different GUI, buy different licenses, and deploy a different client on the end-point.