ISE - Advanced License Usage

Kevin P Sheahan
Level 5

Can anyone provide some insight as to why I am utilizing advanced licensing features on my new ISE implementation? Please see attached screen shot for counts.

I'm not doing anything special, none of the features listed as 'advanced' in Cisco docs. Was thinking it's possibly a bug because it's the same count as I have for Base Package. Will custom profiling policies utilize advanced licensing?

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349

12 Replies

Tarik Admani
VIP Alumni

Which version of code are you on?

Tarik Admani
*Please rate helpful posts*

Currently running 1.1.x. I'm in the process of copying the upgrade bundle to the repository and then I'll be upgrading to 1.2.

Kind Regards,

Kevin


Kind Regards, Kevin Sheahan, CCIE # 41349

Venkatesh Attuluri
Cisco Employee

A single Advanced License is consumed when any one or more of the following services or conditions are applied to the endpoint session:

- Posture
- Security Group Tag assignment
- Authorization using profile information
- Endpoint is registered in the MyDevices Portal
- Cisco ISE consumes Advanced licenses when endpoints are matched to an authorization policy.

If you make the entry static, then it will be statically assigned and not use a license.

So, you're saying that any authz policy that uses profiling information to make its decision is an advanced feature?

Cisco builds the "Cisco IP Phones" authorization policy into ISE, which uses the Cisco IP Phones profile to assign the appropriate authz profile... and this is an advanced feature?

Kind Regards,

Kevin


Kind Regards, Kevin Sheahan, CCIE # 41349

I'm going to open a TAC case to get a concrete answer on whether authorization policies using endpoint profiling to make policy decisions will utilize advanced licensing. This doesn't make sense to me, but if it ends up being the case I have some serious redesign to do. I will post back with my results.

Kind Regards,

Kevin


Kind Regards, Kevin Sheahan, CCIE # 41349

Kevin,

Venkatesh is correct: using dynamic profiling in an authorization policy will consume an advanced endpoint license. Here is some documentation that will help:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_prof_pol.html

With a base license installed, you cannot profile endpoints on your network. You can only manage endpoints, including import and the static assignment of endpoints, by using the Endpoints page, and viewing on the Endpoint Identity Groups page. For more details, see the "Endpoints" (page 4-14) and "Endpoint Identity Groups" (page 4-62) sections in Chapter 4, "Managing Identities and Admin Access."

Tarik Admani
*Please rate helpful posts*

If I were to go through the endpoints, statically assign them to endpoint groups, and use those groups in authz policy to define access, would they no longer count against the advanced license?

Kind Regards,

Kevin


Kind Regards, Kevin Sheahan, CCIE # 41349

Your best bet is to create a new endpoint identity group. Export the devices that are hitting this profile. Disable your authorization policy and build a new policy referencing the new identity group you created.

Then delete all the IP phones from the endpoint database; this will clear the sessions that are tied to the profiled endpoint group.

Modify the csv file so that the group name is the new endpoint group you created and then import.

Keep in mind that what I referenced will kick the phones off the network, so plan accordingly.

Thanks,

Tarik Admani
*Please rate helpful posts*
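The export/modify/import steps above are done by hand in the ISE GUI. As an added example (not code from the thread or from Cisco), the script below prepares the CSV for the re-import step: it rewrites the identity-group column to the new static group, normalises MAC addresses, and drops duplicate or malformed rows before anything reaches the endpoint database. The column names `MACAddress`, `EndPointPolicy` and `IdentityGroup` and the group name `Static-IP-Phones` are assumptions for this example; check them against the header of your own ISE export before use. The sample export is constructed.

```python
import csv
import io
import re

# Constructed sample of an endpoint export. Column names are an assumption for this
# example; use the header from your own ISE export. It deliberately contains a
# duplicate MAC and a malformed one so the validation path is exercised.
SAMPLE_EXPORT = """MACAddress,EndPointPolicy,IdentityGroup,Description
00:11:22:33:44:55,Cisco-IP-Phone,Profiled,Lobby phone
00:11:22:33:44:66,Cisco-IP-Phone,Profiled,Desk phone
00:11:22:33:44:55,Cisco-IP-Phone,Profiled,duplicate row
aa:bb:cc:dd:ee:01,Cisco-IP-Phone,Profiled,
ZZ:11:22:33:44:77,Cisco-IP-Phone,Profiled,bad mac
"""

# Six colon-separated hex octets; the import is keyed on this value, so anything
# else is rejected rather than silently imported as a new endpoint.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def rewrite_group(csv_text, new_group, group_column="IdentityGroup", mac_column="MACAddress"):
    """Rewrite the identity-group column of an endpoint export.

    Returns (rows, report): rows are the cleaned dict rows ready for import,
    report counts what was rewritten and lists what was dropped and why.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if group_column not in reader.fieldnames or mac_column not in reader.fieldnames:
        raise ValueError("export header does not contain the expected columns")
    seen = set()
    rows = []
    report = {"total": 0, "rewritten": 0, "duplicates": [], "invalid_mac": []}
    for row in reader:
        report["total"] += 1
        mac = row[mac_column].strip().upper()
        if not MAC_RE.match(mac):
            report["invalid_mac"].append(row[mac_column])
            continue
        if mac in seen:
            # Second occurrence of the same endpoint: keep the first, drop this one.
            report["duplicates"].append(mac)
            continue
        seen.add(mac)
        row[mac_column] = mac          # canonical upper-case form
        row[group_column] = new_group  # static group used by the new authz policy
        rows.append(row)
        report["rewritten"] += 1
    return rows, report


def to_csv(rows):
    """Serialise cleaned rows back to CSV text with the original header order."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    cleaned, summary = rewrite_group(SAMPLE_EXPORT, "Static-IP-Phones")
    print(summary)
    print(to_csv(cleaned))
```

Run it against the exported file, review the report (especially the dropped rows), and only then import the resulting CSV into the new identity group; the deletion and policy changes in Tarik's steps still have to be done in the GUI, and the phones will reauthenticate as he notes.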

Yeah, it's not the process of statically assigning endpoints that I'm having trouble understanding but more about why profiling is considered an advanced feature when it is the foundation of so many base ISE functions.

I've played with ISE extensively in the lab as it is in the CCIE Security track, though that was with eval license (base+advanced) and I've done implementations previously with advanced licenses purchased but I never really considered that the profiling piece was an advanced feature. I can easily understand SGA, Posture assessment/remediation, profile policy feed, etc. as being advanced features but I'm very surprised at dynamic profiling being included in that group.

One more clarification and I'll stop whining: After the 90-day eval period expires, will dynamic profiling still occur? I understand that I won't be able to use the dynamically profiled endpoint groups in my authorization policies, but I'm curious to know if it would still occur so that devices are discovered and can then be statically assigned rather than entering MAC addresses manually.

Kind Regards, Kevin Sheahan, CCIE # 41349

Just to provide the last update: I was able to access an ISE box that had passed its 90-day eval period and only had base licenses installed. Absolutely no profiling occurs with base licensing. All new endpoints must be manually added to the endpoint database and statically assigned to an endpoint group if the admin desires to use that information for authz policies.

I was hopeful that even though you cannot use the profiling it might still profile devices after the eval period. I can see, from a $$ standpoint, why Cisco would make this an advanced feature, because profiling makes a HUGE difference in how attractive ISE is to prospective buyers.

Kind Regards,

Kevin


Kind Regards, Kevin Sheahan, CCIE # 41349

Hi Tarik,

I have one question regarding this.

We are running code 1.4. Currently we have Avaya phones with PCs connected to the phones, where we are using MDA for the same (machine auth + user auth); for the Avaya phones we have configured an authorization policy with a logical profile.

We have base + advanced licenses, so my PC and phone will each consume an advanced license (1 for PC + 1 for phone). Is there any way to restrict my Avaya phones from consuming an advanced license?

Thanks in advance

manjeets
Level 3

Kindly review the attached license PPTs: