Cisco ISE for Profiling Service

SaintEvn
Level 1

Hi,

With the ISE Base License, does profiling still work?
I mean, when an endpoint connects to ISE, can ISE still identify whether it is a Windows or Cisco device or iPhone, etc.?

If yes, then can I configure custom profiling with the Base License?

Is it true that the profiling feed service is only for the Advanced License?

And I also want to know, without the profiling feed service, can ISE still identify the endpoint OUI?

Thank you so much

 

Accepted Solutions

Mike.Cifelli
VIP Alumni

With the ISE Base License, does profiling still work?
I mean, when an endpoint connects to ISE, can ISE still identify whether it is a Windows or Cisco device or iPhone, etc.?

-Yes, with base licenses some basic profiling capabilities are enabled by default. See here for further detail on workflow/design: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId--1051878349

If yes, then can I configure custom profiling with the Base License?

-AFAIK you need plus licensing to have the ability to configure custom profiling policies. Plus licenses are needed/consumed when you rely on profiled endpoint groups to push authorization policies. Essentially a plus license is consumed in a one:for:one ratio for each endpoint where you use profiling data to make an authz decision (primary example is via this condition in authz policy: IdentityGroup:Name).

Is it true that the profiling feed service is only for the Advanced License?

-The profiler feed service is used to update the ISE profiler database directly from Cisco. There is the ability to manually do this as well. When you enable plus licensing this feed service gets enabled. See here for more licensing detail: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/workflow/html/b_license_2_7.html

And I also want to know, without the profiling feed service, can ISE still identify the endpoint OUI?

-You have the ability to have this type of visibility on your connected endpoints and their classifications without requiring plus feature license/profiler feed service. This type of attribute should be present via the radius probe. See the design guide for more detail. Similar to what I mentioned earlier, if you plan to utilize these attributes to steer policy you will need plus licenses.

Lastly, IMO to unlock ISE profiling's full potential and capabilities you should enable plus licensing; otherwise you will be limited. HTH!

4 Replies

Damien Miller
VIP Alumni

Without 100 plus licenses, which is the minimum you can order, you will have pieces of the deployment that are not enabled. For this reason I recommend every customer order at least 100 plus licenses. It's only when you use this information in authentication/authorization policy that you will use plus licenses. The visibility is often well worth the small additional cost. 

 

ex. from the context visibility database, hostname and endpoint profile are blurred out and unavailable unless you have plus licenses installed. 

Hi,

 

Is this still valid? Is the Plus License (100 of them) needed to "unlock", or better said, make visible the hostname, endpoint and other fields?

We currently have 100 Plus licenses, which are expiring, so just checking if they need to be extended.

 

Thanks!

Hi @hrvoje.brlek 

Please take a look at: ISE Ordering Guide 3.0 (search for Plus).

 

"3.4.4 Base, Plus, and Apex

These licenses have been migrated to the new ISE Essentials, Advantage, and Premier licenses starting in the ISE 3.0 release."

 

"4.7 ISE Plus License

This license is only valid for releases prior to ISE 3.0. Features included were: Profiling, Context Sharing, BYOD (including the My Devices Portal), and Rapid Threat Containment..."

 

Hope this helps