Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2431
Views
5
Helpful
6
Replies

ISE 2.4: PXgrid licensing questions

Go to solution
Nadav
Level 7
Level 7

‎06-28-2019 09:26 AM

Hi,

 

I'm interested in adding a pxGrid node to allow 3rd party systems use ISE for quarantine/COA.

My workstations are now licensed via Base licenses, and to my understanding require Plus licensing for pxGrid content sharing in order to be managed via 3rd party APIs which communicate with pxGrid.

 

From the documentation, in a dedicated node deployment, you can have up to 800 pxGrid subscriptions at most with each pxGrid node serving up to 200 subscribers. 800 is less than the number of workstations in the deployment.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

 

1) Are these subscribers in fact the workstations which can be quarantined via pxGrid API? 

2) Is the number of supported subscribers just the number of simultaenous quarantines that can be performed at a time, or is a Plus License necessary for each and every workstation in the deployment regardless of the 800 hard limit?

3) In the future, if I want to adding Apex licenses for endpoints which need to be postured, do I need to have a matching number of Base and Plus licenses for each Apex license, or is a matching Base license enough?

Thanks for your help!

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Nadav

‎07-03-2019 10:04 AM

...

 

C) An apex license for each endpoint which I want to posture. Must also be 20,000.

I am not seeing it must also matched Base in the ordering guide.

 

Cisco demands A = B, correct?

Yes, this info is currently in the Table 2 of the ordering guide.

Any info not clear in the Cisco ISE ordering guide, please send feedbacks directly to our PM teams.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎06-28-2019 11:07 AM

I am pretty sure the pxGrid (plus) licenses are one for one. Meaning for each plus license consumed you need a base. I know for a fact that if you plan to use posture assessment for endpoints that you will want a matching number between apex and base. Each posture assessment session will consume a base AND apex license. I currently run posture assessment on all VPN endpoints and that is the case. HTH!

Go to solution
Nadav
Level 7
Level 7
In response to Mike.Cifelli

‎06-30-2019 04:22 AM

Hi,

For posturing, sure. But the account manager told me they demand Plus
1-for-1 with Base which I find very odd considering the 800 subscriber
limit.

I'm just looking for another form of confirmation, and whether the 800
limit means that up to 800 endpoints can be quarantined at a time.
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Nadav

‎06-30-2019 07:55 AM

@Nadav wrote:
... I'm just looking for another form of confirmation, and whether the 800
limit means that up to 800 endpoints can be quarantined at a time.

I hope my last response clearing it for you. Put it another way...

The max pxGrid subscribers in ISE 2.4 Platform eXchange Grid (pxGrid v2) Scaling are for pxGrid v2 and about the consumers and providers described in Communication. We may see the subscribers (clients) listed in the ISE admin web UI > Administration > pxGrid Services > All Clients. Many subscribers, including SMC and FMC, today are still in pxGrid v1.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-29-2019 07:47 PM

Adding to what Mike.Cifelli said... the definition info is in the Cisco ISE ordering guide.

On 1 & 2, subscribers are the applications making connections to pxGrid controllers and acting either as consumers or providers. Workstations are endpoints but not pxGrid subscribers, unless they are used to host such applications.

On 3, see section 1.9.3 of the ordering guide.

 

 

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to hslai

‎07-03-2019 07:00 AM

Hi,

 

So just to make sure the licensing demands are clear:

 

A) A base license per endpoint which authenticates by 802.1x. Let's say 20,000.

B) A plus licence for each endpoint which I want via pxGrid to potentially quarantine. Let's say due to Stealthwatch policy or some 3rd part vendor. Must also be 20,000.

C) An apex license for each endpoint which I want to posture. Must also be 20,000.

 

Cisco demands A = B, correct?

 

 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Nadav

‎07-03-2019 10:04 AM

...

 

C) An apex license for each endpoint which I want to posture. Must also be 20,000.

I am not seeing it must also matched Base in the ordering guide.

 

Cisco demands A = B, correct?

Yes, this info is currently in the Table 2 of the ordering guide.

Any info not clear in the Cisco ISE ordering guide, please send feedbacks directly to our PM teams.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents