ISE 2.4 plus license used when authorization policies contain IdentityGroup:Name

amhurst
Cisco Employee

 

In the ISE 2.4 license guide, there is a new behavior for the plus license where anyone using authorization policies using an IdentityGroup: Name now needs a plus license.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf

This is catching a lot of users that upgraded from a previous version of ISE and are now being told they must purchase additional licenses that were not needed on a previous version. This is, of course, causing CU sentiment issues.

Questions:

- Is this the path going forward for users to have to purchase additional licenses on 2.4 for using a feature that worked in the past without the license?
- If yes, can we get a BU approved message to send to the CU explaining why they need to purchase additional licenses after an upgrade?
- If no, do we need to get a bug filed to change the behavior back to pre-2.4 behavior?

1 Accepted Solution


hslai
Cisco Employee

If the group is not statically assigned, then the endpoint session will consume PLUS license count. Otherwise, please gather debug logs and work with our escalation if needed.


4 Replies

Arne Bier
VIP

Hi

If you use an Identity Group that is related to Profiling then, yes, this is true (e.g. below), but that has always been the case. Plus Licenses enable Profiling (menu options as well as the ability to perform AuthZ on Profiling Endpoint Groups).

[Image: identgroup.PNG]

 

If, however, you are doing AuthZ on Endpoint Identity Groups that are not Profiling related, then you don't need a Plus License.

[Image: ipsk.PNG]

 

If I am wrong then there is indeed a problem. I think the doco is a bit misleading.

The CU is using the second option of the non-profiled identity group. Is this a bug that we need to file?

hslai
Cisco Employee

If the group is not statically assigned, then the endpoint session will consume PLUS license count. Otherwise, please gather debug logs and work with our escalation if needed.