08-24-2013 05:40 PM - edited 03-10-2019 08:48 PM
Can anyone provide some insight as to why I am utilizing advanced licensing features on my new ISE implementation? Please see attached screen shot for counts.
I'm not doing anything special, none of the features listed as 'advanced' in Cisco docs. Was thinking it's possibly a bug because it's the same count as I have for Base Package. Will custom profiling policies utilize advanced licensing?
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
08-25-2013 05:46 AM
A single Advanced License is consumed when any one or more of the following services or conditions are applied to the endpoint session:
•Posture
•Security Group Tag assignment
•Authorization using profile information
•Endpoint is registered in the MyDevices Portal
If you make the entry static, then it will be statically assigned and will not use a license.
08-25-2013 09:27 AM
Kevin,
Venkatesh is correct: using dynamic profiling in an authorization policy will consume an Advanced endpoint license. Here is some documentation that will help:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_prof_pol.html
With a base license installed, you cannot profile endpoints on your network. You can only manage endpoints, including import and the static assignment of endpoints by using the Endpoints page, and viewing on the Endpoint Identity Groups page. For more details, see the "Endpoint Identity Groups" section (page 4-62) in Chapter 4, "Managing Identities and Admin Access."
Tarik Admani
*Please rate helpful posts*
08-24-2013 11:47 PM
Which version of code are you on?
Tarik Admani
08-25-2013 07:58 AM
Currently running 1.1.x. I'm in the process of copying the upgrade bundle to the repository and then I'll be upgrading to 1.2.
Kind Regards,
Kevin
08-25-2013 08:02 AM
So, you're saying that any authz policy that uses profiling information to make its decision is an advanced feature?
Cisco builds in the "Cisco IP Phones" authorization policy into ISE, which uses the Cisco IP Phones profile to assign the appropriate authz profile.... and this is advanced feature?
Kind Regards,
Kevin
08-25-2013 09:23 AM
I'm going to open a TAC case to get a concrete answer on whether authorization policies using endpoint profiling to make policy decisions will utilize advanced licensing. This doesn't make sense to me, but if it ends up being the case I have some serious redesign to do. I will post back with my results.
Kind Regards,
Kevin
08-25-2013 09:37 AM
If I were to go through the endpoints and statically assign them to endpoint groups and use those groups in authz policy to define access they will no longer count against advanced license?
Kind Regards,
Kevin
08-25-2013 09:42 AM
Your best bet is to create a new endpoint identity group. Export the devices that are hitting this profile. Disable your authorization policy and build a new policy referencing the new identity group you created.
Then delete all the IP phones from the endpoint database; this will clear the sessions that are tied to the profiled endpoint group.
Modify the CSV file so that the group name is the new endpoint group you created, and then import it.
Keep in mind that what I described will kick the phones off the network, so plan accordingly.
Thanks,
Tarik Admani
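Added example (not code from the thread or from Cisco): a small Python helper for the export / edit / re-import step Tarik describes above. It moves every row that is currently in the profiled group into a new static group, normalizes MAC formatting, and drops malformed MAC rows instead of letting the import fail part way. The column names (MACAddress, IdentityGroup, StaticGroupAssignment) and the TRUE value for the static flag are assumptions; check the header line of your own ISE export, since it varies by release. The sample export is constructed for the example.

```python
"""Rewrite an ISE endpoint export so the listed MACs import into a new
endpoint identity group as static assignments.

Added example, not from the original thread or from Cisco. Column
names below are ASSUMED (ISE export headers differ by release); adjust
them to match the first line of your own export file.
"""
import csv
import io
import re

# Assumed header names -- verify against your export before running.
MAC_COL = "MACAddress"
GROUP_COL = "IdentityGroup"
STATIC_GROUP_COL = "StaticGroupAssignment"

# Constructed sample export (not real data), with one row in the
# profiled group using dotted Cisco MAC notation and one malformed row.
SAMPLE_EXPORT = """MACAddress,EndPointPolicy,IdentityGroup,Description
00:1A:2B:3C:4D:5E,Cisco-IP-Phone-7945,Cisco-IP-Phone,lobby phone
001a.2b3c.4d5f,Cisco-IP-Phone-7945,Cisco-IP-Phone,floor 2 phone
AA:BB:CC:DD:EE:FF,Workstation,Workstation,
not-a-mac,Cisco-IP-Phone-7945,Cisco-IP-Phone,typo row
"""


def normalize_mac(mac):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not 48 bits of hex."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def rewrite_group(csv_text, old_group, new_group):
    """Return (rewritten_csv_text, rows_changed, skipped_macs).

    Rows whose group equals old_group are moved to new_group and flagged
    as static; all other rows pass through unchanged. Rows with a
    malformed MAC are dropped and reported rather than imported.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    if STATIC_GROUP_COL not in fieldnames:
        fieldnames.append(STATIC_GROUP_COL)

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()

    changed, skipped = 0, []
    for row in reader:
        mac = normalize_mac(row.get(MAC_COL, ""))
        if mac is None:
            skipped.append(row.get(MAC_COL, ""))
            continue
        row[MAC_COL] = mac
        if row.get(GROUP_COL) == old_group:
            row[GROUP_COL] = new_group
            row[STATIC_GROUP_COL] = "TRUE"  # assumed flag value
            changed += 1
        writer.writerow(row)
    return out.getvalue(), changed, skipped


if __name__ == "__main__":
    text, n, bad = rewrite_group(SAMPLE_EXPORT, "Cisco-IP-Phone", "Static-IP-Phones")
    print(text)
    print(f"moved {n} endpoint(s); skipped malformed MACs: {bad}")
```

Run it against the real export by reading the file into `rewrite_group` and writing the returned text to a new CSV; review the skipped list before importing, since anything dropped here will otherwise stay unknown to ISE and fail authorization once the profiled policy is disabled.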
08-25-2013 10:07 AM
Yeah, it's not the process of statically assigning endpoints that I'm having trouble understanding but more about why profiling is considered an advanced feature when it is the foundation of so many base ISE functions.
I've played with ISE extensively in the lab as it is in the CCIE Security track, though that was with eval license (base+advanced) and I've done implementations previously with advanced licenses purchased but I never really considered that the profiling piece was an advanced feature. I can easily understand SGA, Posture assessment/remediation, profile policy feed, etc. as being advanced features but I'm very surprised at dynamic profiling being included in that group.
One more clarification and I'll stop whining: After the 90-day eval period expires, will dynamic profiling still occur? I understand that I won't be able to use the dynamically profiled endpoint groups in my authorization policies, but I'm curious to know if it would still occur so that devices are discovered and can then be statically assigned rather than entering MAC addresses manually.
08-25-2013 06:50 PM
Just to provide the last update: I was able to access an ISE box that had passed its 90-day eval period and only had base licenses installed. Absolutely no profiling occurs with base licensing. All new endpoints must be manually added to the endpoint database and statically assigned to an endpoint group if the admin desires to use that information for authz policies.
I was hopeful that even though you cannot use the profiling it might still profile devices after the eval period. I can see, from a $$ standpoint, why Cisco would make this an advanced feature, because profiling makes a HUGE difference in how attractive ISE is to prospective buyers.
Kind Regards,
Kevin
11-01-2015 01:29 AM
Hi Tarik ,
I am having one question regarding this
We are running code 1.4. Currently we have Avaya phones with PCs connected behind the phones, where we are using MDA (machine auth + user auth); for the Avaya phones we have configured an authorization policy with a logical profile.
We have base + advanced licenses, which means my PC and phone will each consume an advanced license (1 for the PC + 1 for the phone), so is there any way we can stop my Avaya phones from consuming an advanced license?
Thanks in advance