topic Re: ISE 3 - licensing and one device wired and wireless at same time in Network Access Control

ISE 3 - licensing and one device wired and wireless at same time

Tibor M — Mon, 07 Oct 2024 23:35:19 GMT

Hi,

trying to figure out how ISE will count licensing when 1 laptop is connected at same time through wired 802.1X either wireless.

The situation is, that we are pushing WiFi profile to all Windows machines through GPO and setting there "automatically connect", so each laptop is connecting now automatically using certificates and 802.1X on ISE. But each laptop can be at same time connected to docking station, which provides wired connectivity.

Is there any way how to tell ISE - hey, this laptop has 2 MACs, one user, count it as one endpoint?

Thanks

Re: ISE 3 - licensing and one device wired and wireless at same time

Arne Bier — Tue, 08 Oct 2024 02:21:55 GMT

Nope - two unique MAC addresses will count as two different ISE endpoints - depending on how you authorized each of those MAC addresses, will count towards an Essentials, Advantage or Premier license. No way around it. Perhaps you can write some kind of a script on the laptop to shut the Wi-Fi down while the Ethernet adapter has a valid connection, and vice-versa.

Re: ISE 3 - licensing and one device wired and wireless at same time

Tibor M — Tue, 08 Oct 2024 05:52:42 GMT

and is it possible to force the feature license for some endpoint manually?? and can some client use only Premier and some only Essential? exact example: client authorize using 802.1x (which uses essentials) and then Posture scan will occur (which uses Premier) - which license will be counted?

Re: ISE 3 - licensing and one device wired and wireless at same time

Arne Bier — Tue, 08 Oct 2024 06:30:11 GMT

ISE will only count one license per endpoint - as per the DNA model, all the higher tiers contain the license ability of the lower tiers. That means, a profiled endpoint will need Advantage, a Posture scanned AuthZ will need Premier, and a regular 802.1X/MAB needs Essentials. Basically, whatever the ISE Policy Set AuthZ ended up using in its rules. And I believe it will use the most expensive license if there is a complex AuthZ rule that contains mixture of Essentials/Advantage/Premier logic.

Have a look here.

Re: ISE 3 - licensing and one device wired and wireless at same time

Tibor M — Thu, 10 Oct 2024 07:10:56 GMT

this is sad. I understand it from income point of view for Cisco, but in real life, why should same device, just connected in parallel to wire and wireless use 2 licenses if it's authorized with same certificate and same user, just because of 2 MACs.

Re: ISE 3 - licensing and one device wired and wireless at same time

Arne Bier — Sun, 13 Oct 2024 21:15:58 GMT

It's not quite optimal - not much I can do about it - maybe send the Cisco BU a message via this link to express your opinion - they do read these things. I am pretty sure other folks have written a small script that runs on Windows to disable the wireless if LAN is connected, and vice-versa - if there's a will, there's a way ...

Re: ISE 3 - licensing and one device wired and wireless at same time

Greg Gibbs — Sun, 13 Oct 2024 21:47:08 GMT

This is how the Windows supplicant works and ISE has no visibility or control over it. The solution is using Group Policy to disable the Wireless connection when the Wired interface is connected.
https://woshub.com/disable-wi-fi-when-ethernet-cable-connected/#:~:text=You%20can%20configure%20this%20behavior,Wi%2DFi%20when%20on%20Ethernet.

This is also the default behaviour of the Cisco supplicant deployed when using the Cisco Secure Client Network Access Manager (NAM).

Re: ISE 3 - licensing and one device wired and wireless at same time

Tibor M — Mon, 14 Oct 2024 10:09:52 GMT

Hi, we have already configured GPO to minimising connections, so once employee connects to docking station, windows automatically disconnect wifi. We must test it to find out if it not harm any application.

Regarding NAM module - our cisco distributor told us, that currently is much better to use Windows supplicant instead of NAM, because NAM causes a lot of troubles, so we skipped it, but we do not know how it works if its good or not. What is general opinion on NAM?

Re: ISE 3 - licensing and one device wired and wireless at same time

Aref Alsouqi — Mon, 14 Oct 2024 12:56:45 GMT

I used to configure NAM for a few customers and that was mainly to provide EAP chaining (EAP-FAST) authentication. However, nowadays Windows can natively support that with TEAP. In addition to that NAM provides a tool to manage the network connections on the endpoint, for instance, if you don't want to allow an endpoint to add a new SSID or manipulate the network access settings, NAM can help with that. Please take a look at this link for more details about NAM:

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Configure Network Access Manager [Cisco Secure Client (including AnyConnect)] - Cisco