Cisco ISE - profiling licensing

drr
Level 1

Hi all,

I'm having some trouble understanding when an Advantage license is actually consumed in Cisco ISE.

I read in the official guide that "basic profiling" is included in Essentials, and more "advanced profiling" is included in Advantage.

When testing ISE and connecting different devices, I can clearly see they have been profiled, since I'm getting information from DHCP, RADIUS, etc., but all the logs are showing that the "Essentials" license has been used.

So when is "Advantage" license actually being consumed?

Thanks!

 
2 Accepted Solutions


@drr you consume the Advantage license when using profiling in an authorisation rule. So, for example, if a phone is profiled as a Cisco-IP-Phone and you use this as a match condition in an authorisation rule.


https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-guide-og.html

Arne Bier
VIP

In addition to what Rob said above, if you never plan to use Profiling Conditions in your Authorization Rules, you might want to consider just getting 100 Advantage licenses. That is the minimum quantity that qualifies you to have the Profiling Menus available, and also to see the profiled data in Live Logs and Context Visibility. And yes, you won't see those licenses consumed - you have simply "made the grade" to enable profiling visibility. An ISE system without any Advantage licenses will not have the Profiling menus available, and Live Logs will show certain columns blurred out. 100 Advantage licenses buys you that "visibility".

But if you decide to take it a step further and build Authorization logic that matches on those Profiles, then you start consuming licenses.

I don't know what Cisco means by "basic profiling". If you are seriously budget constrained then Advantage licenses might be out of your financial reach - in that case you might consider using Custom Endpoint Attributes (as Thomas Howard explained a few times already, and also again in his latest Cisco Live presentation in Melbourne 2023 - ISE Deployment Staging and Planning - BRKSEC-2705) - it's a neat way to achieve manual profiling - YOU do all the work (not ISE) and then you can build Policies that look like you're leveraging profiling. And if you're super smart, then you would integrate your ISE with your CMDB (e.g. ServiceNow) using pxGrid to fetch these custom attributes automagically. It's great. But ... the work has to be done upfront. And the organisation must be set up to maintain the CMDB with all the attributes. In some ways, I see this method as superior to ISE Profiling, because it's 100% deterministic if done right. ISE profiling can be hit and miss and, quite honestly, it also takes a lot of human effort to get working close to perfection.


3 Replies

Hi Arne,

Thank you so much for the information! This cleared up many of my questions and I will definitely look into the video and the other things you are mentioning. It looks very interesting!

 

Best regards,

Adnan