topic Thanks for posting your test in Network Access Control

ISE Profiling and Basic / Plus Licensing

roger perkin — Mon, 11 Mar 2019 07:44:31 GMT

Can anyone help me with understanding the plus license on ISE with respect to Profiling.

I have been having a discussion with another engineer who says that with the basic license you can perform profiling but you would not be able to enforce any policies with that information without the plus license.

So I would be able to see what is on my network with profiling using basic license but not enforce policies.

Has anyone had any experience with this as I need to clear this point up before I start a POC

Thanks

ISE Ordering Guide

jonathan.cuthbert — Wed, 24 May 2017 18:36:02 GMT

ISE Ordering Guide

Additional information can be found here:

Cisco ISE License Model - ISE 2.2 Admin Guide

Profiling requires the Plus License, whether you are doing enforcement or not.

Each session will consume a Base License. To begin Profiling, you must then consume a Plus license. From there, your authentication and authorization policy will do the enforcement.

The process won't even start if you do not have the license.

"To begin Profiling, you must

Rahul Govindan — Thu, 25 May 2017 01:15:42 GMT

"To begin Profiling, you must then consume a Plus license"

I believe this may be incorrect. Plus license is only consumed when a profiling condition is used in an Authz policy. This is documented in the ordering guide posted.

Also documented in the old ISE Profiling design guide is this:

"One Advanced Endpoint license is required for each endpoint that is actively authenticated to the network and where profiling data is used to make an Authorization Policy decision. Not taking into account other services, such as posture assessment, that may require an Advanced Endpoint license, endpoints that are statically assigned to a profile do not consume an Advanced license. It is possible to profile multiple endpoints and have visibility into connected devices and their classification without requiring an Advanced Endpoint license for each if the profile information is not used to authorize the endpoint. "

The Advanced Endpoint license = new Plus + Apex , so I would assume that you would not need a Plus license for ISE just to profile endpoints.

Rahul,

jonathan.cuthbert — Thu, 25 May 2017 02:02:36 GMT

Rahul,

That design guide is back from 2012 which was around ISE 1.0 times. Advanced licenses have been gone since ISE 1.2. While you can still apply ISE licenses to current ISE, they are decomposed into Plus and Apex. Things are completely different. Let's not get lost in the semantics here.

First, Cisco ISE License Model:

And Cisco ISE Traditional License Consumption:

While I did not get involved in the technical detail, my original statement is accurate. To do profiling, which is a licensed feature, a Plus license is required and consumed.

Plus license is only consumed when a profiling condition is used in an Authz policy.

You can't have a AuthZ policy without a AuthC policy. That's mandatory. You make your AuthZ policy based on what you find in the AuthC policy, such as type of device, ie profiling.

So I need to go and buy some

roger perkin — Thu, 25 May 2017 08:09:49 GMT

So I need to go and buy some Plus license if I want to do profiling ?

From ISE Plus licensing Q&A:

jonathan-jackson — Thu, 25 May 2017 08:57:14 GMT

From ISE Plus licensing Q&A:

Q.When is a Plus license consumed?
A. A Plus license is consumed when the “Registration” status or an Endpoint Profile is used within an authorization policy rule

Thank you for that

jonathan.cuthbert — Thu, 25 May 2017 13:46:03 GMT

Thank you for that information. That must be from a slightly older version. From the current ordering guide:

I think we are getting lost a little in the semantics here. 😃

This is a pre-sales licensing question. It is not a post-sales deep dive into how the back end actually works.

If profiling is desired, the Plus License is mandatory.

Thanks for raising this

Arne Bier — Fri, 26 May 2017 01:13:09 GMT

Thanks for raising this question - I have also wondered about this for a while.

I have tested this and found that no Plus license is consumed

while Profiling is enabled and
if the Profiling data is not used in any AuthZ Policies.

LicenseTypes

Base license consumed

The upside of enabling Profiling without a license is that the device type can be displayed in the Endpoint Profile field in Live Logs - and also in the Endpoints Dashboard pie chart.

Just a bit of free information about the device manufacturer courtesy of the MAC OUI. Decoding that should not incur a Plus license count, which it doesn't - and shouldn't.

I only enabled RADIUS Probe under Profiling Service in my case.

Thanks for posting your test

Rahul Govindan — Fri, 26 May 2017 02:00:48 GMT

Thanks for posting your test results here. Pretty much what I have seen in my deployments. This should answer the OP's query.

Re: ISE Ordering Guide

Sanath — Tue, 31 Oct 2017 10:15:41 GMT

Hello,

Can anyone help about this new feature "Anomalous Endpoint Detection" To configure this new feature on my environment it's necessary to buy License plus OR it no needed and i can configure with basic license? Now I'm on ISE 2.1 version and think to go on 2.3 any suggestion about this hop?

Thank you.

Re: Thanks for raising this

Patrick Meyer — Tue, 31 Jul 2018 09:06:21 GMT

Hi, One thing though that I am wondering about: Has there been a plus license installed on this test-system, even if it states the license was not consumed? I wonder if the feature is enabled/ disabled by simply having the license installed, even if is just the evaluation license..

BR,

Patrick