02-03-2021 09:19 AM
I am trying to get the IP phones authenticated using MAB without using the Cisco Plus license.
We have around 55000 base licenses and just 1000 Plus license.
We do have a lot of phones and computers in my network.
In order to save Plus licenses, what you basically do is create an Administered Endpoint Profile to meet your endpoint, either dynamic or static, and then create an Authorization Rule that allows the endpoint to successfully authenticate.
I was successfully able to make this work for computers, but I fail to do this with IP phones.
Has anybody done this where they were able to avoid the Plus license when authenticating an IP phone?
I can explain more if somebody didn't get my question.
02-03-2021 09:22 AM - edited 02-03-2021 09:29 AM
Can you elaborate on "Administered Endpoint Profile"? Are the computers using MAB or are they using EAP/802.1X? Bottom line is if you are using Profiling, you need a Plus/Advantage license equal to the number of endpoints using Profiling in the authorization policies.
Also FYI, ISE 2.2 is scheduled for end of maintenance in June, so it might be time to start thinking about an upgrade: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743180.html
02-03-2021 10:10 AM
Administered Endpoint profiles are the ones that I create manually... so basically I created an endpoint profile that identifies that it's my company's computer by adding an attribute, and then I added an auth rule saying if it belongs to a particular AD group or an AD user, permit access.
Here is the problem: I can't do it for the IP phones.
02-03-2021 10:39 AM - edited 02-03-2021 10:40 AM
Are the computers using MAB or are they using EAP/802.1X? How are you getting the computer name or username into ISE? It doesn't sound like that is using a Profiling flow to me.
If you are doing "If endpoint profile = Cisco IP Phone" that is profiling and you need the necessary Plus licenses.
02-03-2021 10:50 AM
Yes, you are right, the computers are set to 802.1X. So you are saying I would need the Plus license anyhow even if the endpoint profile is Cisco provided or administrator provided... unless I use 802.1X on the phones as well?
02-03-2021 11:08 AM - edited 02-03-2021 11:09 AM
That is correct, the endpoint identity group is not profiling, it’s just a logical group of endpoints. The computers are not using MAB/Profiling to authenticate, they are using 802.1X.
The options are as follows:
02-09-2021 01:34 PM
A good question was asked today and I felt it was a very important one.
We bought Cisco switches, Cisco smart licensing, the Cisco ISE product and Cisco ISE VM licensing, and Cisco VoIP phones.
Why should we pay for the Cisco ISE Plus license to get Cisco VoIP phones to be profiled? Does Cisco have an answer?
It's like buying an Apple iPhone and then I pay for the Apple Music app besides paying for the Apple Music subscription.