Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1563
Views
0
Helpful
3
Replies

Cisco ISE Authorization policy without Plus License

Go to solution
munish.dhiman1
Level 1
Level 1

‎05-27-2019 08:10 PM - edited ‎02-21-2020 11:06 AM

Hi, 

 

Can i create an Authorization policy for IP phones without having Plus (Profiling ) License ? Could you please confirm the below scenarios ?

 

Example 1 :  MAB and create an Authorization policy with OUI (if  MAC is equal to aa:bb:cc ) and apply enforcement  (Put in VLAN Voice ). This will not require a Plus License .

 

Example 2: Manually  create MAC data base for MAC authentication and create an Authorization policy with OUI (if  MAC is equal to aa:bb:cc ) and apply enforcement  (Put in VLAN Voice ). This will not require a Plus License.

 

Note : IP phones do not support  dot1x authentication, what would be the best approach to apply authorization policy without having Plus license?

 

Thanks in advance !

Regards,

MD

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎05-28-2019 07:31 AM

Plus licenses will be consumed if/when you use profiled endpoint groups in your auth conditions to drive network policy. You can easily accomplish this using local ise endpoint groups that you add your MACs to. Then just reference the group in your authz condition so that if the mac exists in that group then you drive policy for your voice vlan. HTH!

View solution in original post

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎05-29-2019 09:59 AM

They are both valid options of manual assignment. Would recommend MAB to VOICE VLAN

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎05-28-2019 07:31 AM

Plus licenses will be consumed if/when you use profiled endpoint groups in your auth conditions to drive network policy. You can easily accomplish this using local ise endpoint groups that you add your MACs to. Then just reference the group in your authz condition so that if the mac exists in that group then you drive policy for your voice vlan. HTH!
0 Helpful

Go to solution
Sathiyanarayanan Ravindran
Spotlight
Spotlight

‎05-28-2019 10:53 AM

Hi @munish.dhiman1

 

For your scenario, Plus license is not required.

 

As you mentioned you can create a Authorization policy and provision VLAN through ISE.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎05-29-2019 09:59 AM

They are both valid options of manual assignment. Would recommend MAB to VOICE VLAN
0 Helpful
Customers Also Viewed These Support Documents