topic Re: ISE licenses required for profiling when integrated with MDM in Network Access Control

ISE licenses required for profiling when integrated with MDM

antigles — Wed, 16 Oct 2019 13:42:35 GMT

Customer has ISE integrated with MDM. He understands that he needs Apex licenses for that. He also wants to do profiling of those endpoints but he wants MDM to do the profiling and pass the information to ISE. In that scenario does he need Plus licenses on top of Apex?

Re: ISE licenses required for profiling when integrated with MDM

Dustin Anderson — Wed, 16 Oct 2019 21:50:12 GMT

With ISE, unless it's changed, will use 1 of each sub license also. So, if you use Apex, it should be using a plus and base license also.

from one of my check results.

LicenseTypes

Base, Plus and Apex license consumed

Re: ISE licenses required for profiling when integrated with MDM

Damien Miller — Wed, 16 Oct 2019 21:59:19 GMT

You can use an Apex license without also using Plus, but you will always use a Base with any combination of auth/posture/profiling. VPN is a good example of this, you authenticate and posture, but don't necessarily leverage profiling.

Now in the use case above, if the authorization rules don't leverage any of the profiling information gathered, then the Plus licenses may not be used. It depends how the information is being leveraged and collected. if the MDM sends details about an endpoint via pxgrid, that would require plus licensing. If the profiling information is written in to ISE via the ERS API, no plus license.

You need a plus licenses if you use any of these.
Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority, MSE integration for location services, Profiling and Feed Services (in authorization rules), Adaptive Network Control (ANC), or Cisco pxGrid.