
Cisco ISE 3.1 License Tiers enabled/disabled

milos_p
Level 1

Hi guys,

Even if I have "Essential" Tier licenses, I saw that I can "Enable" other Tiers as well in the Licensing page and practically get all the menus in ISE. With only Essential enabled, a lot of menus/options are not even accessible.

I don't use any features of Advantage or Premier in Policy Set or any kind of policy so I don't consume those and I am not in violation practically, as only Essential is getting consumed.

Are there any pros or cons of having other Tiers enabled, even if they will not be in use? Am I getting better visibility, for example, in Endpoints page or anywhere else?

Regards,

Milos


No new functionality.  Once the grace period expires, the menus will be hidden/blurred anyways.  If you wish to use Profiling for better Context Visibility for example, you will need to purchase Advantage licensing.  

balaji.bandi
Hall of Fame

Check this FAQ (is that helpful?) - what features are you looking for, what kind of setup do you have?

Essentials, Advantage, and Premier licenses in ISE 3.0

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/qa-c67-744190.html

BB


milos_p
Level 1

Hi guys,

The thing is I realized that I can enable Tiers without having those licenses in the smart account, meaning I am getting all the menus for example. If I use Profiling group in policy set, I am consuming Advantage license, but without that, I am in compliance.

Consumption is 0, as I am not using any rules (in any policy) for features from Advantage/Premier Tiers.

Question is, is there any reason I would do this (enable all Tiers without consuming licenses), in case I can get additional functionality/visibility, again, without consuming licenses from Advantage/Premier Tiers, just having those "Enabled" in licensing page.

Thanks,

Milos

@milos_p  there's no real advantage to be gained for your policies and thus the network access controls ISE is enforcing for you.

You do get to see all the things you could do with the other licensing tiers but as long as you stop short of using them in a policy they are just a training exercise.

Hi Marvin,

What about Endpoint visibility, won't it give me profiled data which is available to see in endpoint list, which is right now blurred with Essential tier?

BTW I found the way to see blurred data by clicking on the endpoint and going through the list of the attributes, just it is blurred on the global endpoint list page.

And thanks a lot for the answers!

No, Profiling requires Advantage.  Without an Advantage license you cannot enable the Profiling service on the PSNs.  If you would like greater context visibility, you will need to purchase Advantage licensing.

Well @ahollifield , this is where you are wrong and the whole point of why I started this thread.

With Essential license, profiling service is working on all PSNs and you can see profiled data in Live logs view and in Live sessions as well. I can see computers being profiled by manufacturer and O/S, as well as IP phones without doing anything or configuring anything.

The only place where profiled data is blurred is the Endpoint list view, but again, if you press on specific endpoints, you will see all the profiled data via other attributes.

The only time Advantage license is being used, related to profiling, is when you use some profiling data (like profiled identity group for example) in policy set. I tested this and it really consumes Advantage license.

So I am a little bit confused why Cisco lets us enable a license tier that we don't have, and practically use extra features to some extent (until you "consume" license and you are in violation).

I will test if enabling Advantage tier, without consuming it, will unblur profiling data in Endpoints list view.

Compliance (EULA) != Enforcement

So if you go to the deployment section and select your PSN do you have the Profiling Service enabled?  Is the checkbox grayed out?  Do you have any license alarms on the main dashboard?  Do you still have temp licensing or have you registered the deployment with your Smart Account?

Hi @ahollifield ,

Sorry but I have to ask, did you ever install Cisco ISE and configure it from scratch or did you just use an already deployed environment?

Profiling service is enabled by default after every ISE installation (I always used OVA) on any version I have tried (mostly 2.x and 3.x).

You can disable it if you want, but I really don't see a point of doing it.

BTW there is a thing with base license in 2.x deployment, that if you disable Profiling service (again, I don't see why you would do it in the first place), which again is enabled after every fresh installation, you cannot enable it back until you add a plus license (been there), it is grayed out just like you said. This is not the case in 3.x with Smart Licensing Registration. Not sure what's going on if you use License Reservations.

I never had any license alarms, apart from when the actual license was expiring in 2.x deployments.

To answer your question, YES to Profiling Services enabled, NO to checkbox being grayed out, NO to licensing alarms, NO to temp licensing and YES to registered deployment with Smart Account and YES, I am in compliance.

Yes.... I am an ISE delivery engineer with a Cisco partner.  I have easily completed hundreds of ISE deployments.  Yes, all features are enabled for the 90 day evaluation period.  It's a situation of compliance and EULA acceptance.  Personally, as a delivery engineer and trusted advisor to my customers, I cannot ethically leave the customer in a situation where they are in potential violation of the EULA for using features they are not licensed for.

Hi,

Well, that's a lot of experience, I am not even close to that, I did around 10 deployments.

So back to profiling:

The whole point is that you can use profiling data for visibility purposes with Base/Essential license, even Cisco is saying so in older guides, or you can find it in the recent ISE profiling guide here in the Cisco Community:

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId--1051878349

Let me quote the licensing part: "It is possible to profile multiple endpoints and have visibility into connected devices and their classification without requiring a Plus feature license for each if the profile information is not used to authorize the endpoint"

In 2.x deployments, you cannot use features you are not licensed for, simply ISE doesn't let you do it with traditional licensing and you cannot be in violation, so if you are turning off profile service at your customers, you are blinding them for really no reason, they can have access to profiling data for endpoints.

Now for 3.x and smart licensing, things changed, as you "enable" Tiers first, and then depending on your usage, you consume the license, so you can view profiling data again with only essential license but if you use profiled identity groups in rules, you will consume the license you don't have in your smart account and be in violation.

The whole point of my question is what extra I can get by enabling Advantage and Premier Tiers, but not consuming any license for them as I will not use those features in my policy rules.

Right now with just Essentials Tier enabled, I can see profiling data in many screens including Live Logs and Live Sessions, and the only dashboard where I saw a few things blurred is in "Context visibility->Endpoints" page, for hostname column and one more column, I forgot right now. ISE doesn't let me use any features from upper Tiers, so violation of any kind cannot happen.

Hope I am clear what I am talking about :-).

milos_p
Level 1

Hi guys,

Ran into this screen, which if it's 100% true, explains when which tier license is consumed:

Cisco ise license consuption.PNG

Regards,

Milos
