10-07-2024 04:35 PM
Hi,
trying to figure out how ISE will count licensing when 1 laptop is connected at the same time through wired 802.1X and wireless.
The situation is that we are pushing a WiFi profile to all Windows machines through GPO and setting "automatically connect" there, so each laptop is now connecting automatically using certificates and 802.1X on ISE. But each laptop can at the same time be connected to a docking station, which provides wired connectivity.
Is there any way to tell ISE - hey, this laptop has 2 MACs, one user, count it as one endpoint?
Thanks
10-07-2024 07:21 PM
Nope - two unique MAC addresses will count as two different ISE endpoints - depending on how you authorized each of those MAC addresses, will count towards an Essentials, Advantage or Premier license. No way around it. Perhaps you can write some kind of a script on the laptop to shut the Wi-Fi down while the Ethernet adapter has a valid connection, and vice-versa.
10-07-2024 10:52 PM
And is it possible to force the feature license for some endpoint manually? And can some clients use only Premier and some only Essentials? Exact example: a client authorizes using 802.1X (which uses Essentials) and then a Posture scan occurs (which uses Premier) - which license will be counted?
10-07-2024 11:30 PM
ISE will only count one license per endpoint - as per the DNA model, all the higher tiers contain the license ability of the lower tiers. That means a profiled endpoint will need Advantage, a Posture-scanned AuthZ will need Premier, and a regular 802.1X/MAB needs Essentials. Basically, whatever the ISE Policy Set AuthZ ended up using in its rules. And I believe it will use the most expensive license if there is a complex AuthZ rule that contains a mixture of Essentials/Advantage/Premier logic.
Have a look here.
10-10-2024 12:10 AM
This is sad. I understand it from an income point of view for Cisco, but in real life, why should the same device, just connected in parallel to wired and wireless, use 2 licenses if it's authorized with the same certificate and the same user, just because of 2 MACs?
10-13-2024 02:15 PM
It's not quite optimal - not much I can do about it - maybe send the Cisco BU a message via this link to express your opinion - they do read these things. I am pretty sure other folks have written a small script that runs on Windows to disable the wireless if the LAN is connected, and vice-versa - if there's a will, there's a way ...
10-13-2024 02:47 PM
This is how the Windows supplicant works and ISE has no visibility or control over it. The solution is using Group Policy to disable the Wireless connection when the Wired interface is connected.
https://woshub.com/disable-wi-fi-when-ethernet-cable-connected/#:~:text=You%20can%20configure%20this%20behavior,Wi%2DFi%20when%20on%20Ethernet.
This is also the default behaviour of the Cisco supplicant deployed when using the Cisco Secure Client Network Access Manager (NAM).
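The replies above describe the workaround in words: turn the wireless adapter off while the wired adapter has link, and back on when it does not. The PowerShell below is an added example written for this thread, not code from any of the posters, Cisco or the linked article. It uses only the built-in NetAdapter cmdlets, classifies adapters by their PhysicalMediaType (an assumption that holds for ordinary Ethernet and Wi-Fi NICs but not for every USB or virtual adapter), assumes it runs elevated, and adds a -DryRun switch so the "does it harm any application" question can be answered before anything is changed. It also reports the Windows Connection Manager policy value that the GPO route sets, assuming the standard policy registry location.

```powershell
# Added example for this thread: keep Wi-Fi off while a wired link is up, and
# restore it when the laptop is undocked. Not code from the thread or from Cisco.
# Assumptions: run elevated; PhysicalMediaType distinguishes wired ('802.3')
# from wireless ('Native 802.11'); -DryRun only reports what would change.
[CmdletBinding()]
param(
    [switch]$DryRun
)

function Get-WiredAdapters {
    Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq '802.3' }
}

function Get-WirelessAdapters {
    Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
}

function Test-WiredLinkUp {
    # Status 'Up' means the NIC has link. It does NOT prove wired 802.1X succeeded,
    # so a failed wired authentication would still switch Wi-Fi off; narrow this
    # test (e.g. check the adapter has an IP from the expected subnet) if that matters.
    [bool](Get-WiredAdapters | Where-Object { $_.Status -eq 'Up' })
}

function Sync-WirelessState {
    param([switch]$DryRun)
    $wired = Test-WiredLinkUp
    foreach ($wlan in Get-WirelessAdapters) {
        if ($wired -and $wlan.Status -ne 'Disabled') {
            Write-Host "Wired link up -> disabling '$($wlan.Name)'"
            if (-not $DryRun) { Disable-NetAdapter -Name $wlan.Name -Confirm:$false }
        }
        elseif (-not $wired -and $wlan.Status -eq 'Disabled') {
            Write-Host "No wired link -> re-enabling '$($wlan.Name)'"
            if (-not $DryRun) { Enable-NetAdapter -Name $wlan.Name -Confirm:$false }
        }
        else {
            Write-Host "'$($wlan.Name)' already in the right state ($($wlan.Status))"
        }
    }
}

# Report the Group Policy setting behind the GPO approach (Windows Connection Manager,
# "Minimize the number of simultaneous connections"). Assumed registry location;
# a missing value means the policy is not configured on this machine.
function Get-MinimizeConnectionsPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
    $item = Get-ItemProperty -Path $key -Name fMinimizeConnections -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not configured' } else { $item.fMinimizeConnections }
}

Write-Host "fMinimizeConnections policy: $(Get-MinimizeConnectionsPolicy)"
Sync-WirelessState -DryRun:$DryRun
```

Run it once with -DryRun on a docked and an undocked laptop to see which adapters it would touch, then attach it to a scheduled task that fires on network connect/disconnect events so it reacts when the dock is plugged in or removed. If the GPO setting is already deployed, the policy line will show a configured value and the adapter toggling becomes a fallback rather than the primary control; prefer the policy where it works, because it is enforced by Windows itself rather than by a script the user could stop.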
10-14-2024 03:09 AM
Hi, we have already configured a GPO to minimise connections, so once an employee connects to the docking station, Windows automatically disconnects Wi-Fi. We must test it to find out if it does not harm any application.
Regarding the NAM module - our Cisco distributor told us that it is currently much better to use the Windows supplicant instead of NAM, because NAM causes a lot of trouble, so we skipped it, but we do not know how it works or whether it's good or not. What is the general opinion on NAM?
10-14-2024 05:56 AM
I used to configure NAM for a few customers and that was mainly to provide EAP chaining (EAP-FAST) authentication. However, nowadays Windows can natively support that with TEAP. In addition to that NAM provides a tool to manage the network connections on the endpoint, for instance, if you don't want to allow an endpoint to add a new SSID or manipulate the network access settings, NAM can help with that. Please take a look at this link for more details about NAM: