Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
839
Views
5
Helpful
2
Replies

ISE licenses required for profiling when integrated with MDM

Go to solution
antigles
Cisco Employee
Cisco Employee

‎10-16-2019 06:42 AM

Customer has ISE integrated with MDM. He understands that he needs Apex licenses for that. He also wants to do profiling of those endpoints but he wants MDM to do the profiling and pass the information to ISE. In that scenario does he need Plus licenses on top of Apex?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Dustin Anderson
VIP
VIP

‎10-16-2019 02:50 PM

With ISE, unless it's changed, will use 1 of each sub license also. So, if you use Apex, it should be using a plus and base license also.

 

from one of my check results.

LicenseTypesBase, Plus and Apex license consumed

View solution in original post

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Dustin Anderson

‎10-16-2019 02:59 PM

You can use an Apex license without also using Plus, but you will always use a Base with any combination of auth/posture/profiling. VPN is a good example of this, you authenticate and posture, but don't necessarily leverage profiling.

Now in the use case above, if the authorization rules don't leverage any of the profiling information gathered, then the Plus licenses may not be used. It depends how the information is being leveraged and collected. if the MDM sends details about an endpoint via pxgrid, that would require plus licensing. If the profiling information is written in to ISE via the ERS API, no plus license.

You need a plus licenses if you use any of these.
Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority, MSE integration for location services, Profiling and Feed Services (in authorization rules), Adaptive Network Control (ANC), or Cisco pxGrid.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Dustin Anderson
VIP
VIP

‎10-16-2019 02:50 PM

With ISE, unless it's changed, will use 1 of each sub license also. So, if you use Apex, it should be using a plus and base license also.

 

from one of my check results.

LicenseTypesBase, Plus and Apex license consumed

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Dustin Anderson

‎10-16-2019 02:59 PM

You can use an Apex license without also using Plus, but you will always use a Base with any combination of auth/posture/profiling. VPN is a good example of this, you authenticate and posture, but don't necessarily leverage profiling.

Now in the use case above, if the authorization rules don't leverage any of the profiling information gathered, then the Plus licenses may not be used. It depends how the information is being leveraged and collected. if the MDM sends details about an endpoint via pxgrid, that would require plus licensing. If the profiling information is written in to ISE via the ERS API, no plus license.

You need a plus licenses if you use any of these.
Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority, MSE integration for location services, Profiling and Feed Services (in authorization rules), Adaptive Network Control (ANC), or Cisco pxGrid.
0 Helpful
Customers Also Viewed These Support Documents