
Cisco ISE for Profiling Service

Hi,

With the ISE Base License, does profiling still work?
I mean, when an endpoint connects to ISE, can ISE still identify whether it is a Windows or Cisco device or iPhone, etc.?

If yes, then can I configure custom profiling with the Base License?

Is it true that the profiling feed service is only for the Advanced License?

And I also want to know: without the profiling feed service, can ISE still identify the endpoint OUI?

Thank you so much

Accepted Solutions

With the ISE Base License, does profiling still work?
I mean, when an endpoint connects to ISE, can ISE still identify whether it is a Windows or Cisco device or iPhone, etc.?

-Yes, with base licenses some basic profiling capabilities are enabled by default. See here for further detail on workflow/design: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId--1051878349

If yes, then can I configure custom profiling with the Base License?

-AFAIK you need plus licensing to have the ability to configure custom profiling policies. Plus licenses are needed/consumed when you rely on profiled endpoint groups to push authorization policies. Essentially, a plus license is consumed in a one-for-one ratio for each endpoint where you use profiling data to make an authz decision (the primary example is via this condition in authz policy: IdentityGroup:Name).

Is it true that the profiling feed service is only for the Advanced License?

-The profiler feed service is used to update the ISE profiler database directly from Cisco. There is the ability to manually do this as well. When you enable plus licensing, this feed service gets enabled. See here for more licensing detail: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/workflow/html/b_license_2_7.html

And I also want to know: without the profiling feed service, can ISE still identify the endpoint OUI?

-You have the ability to have this type of visibility on your connected endpoints and their classifications without requiring the plus feature license/profiler feed service. This type of attribute should be present via the radius probe. See the design guide for more detail. Similar to what I mentioned earlier, if you plan to utilize these attributes to steer policy you will need plus licenses.

Lastly, IMO to unlock ISE profiling's full potential and capabilities you should enable plus licensing; otherwise you will be limited. HTH!

2 REPLIES 2

Without 100 plus licenses, which is the minimum you can order, you will have pieces of the deployment that are not enabled. For this reason I recommend every customer order at least 100 plus licenses. It's only when you use this information in authentication/authorization policy that you will use plus licenses. The visibility is often well worth the small additional cost.

Ex.: from the context visibility database, hostname and endpoint profile are blurred out and unavailable unless you have plus licenses installed.
