
ISE base license and import of end devices

Hi,

Been going through the entire internet (or so it seems) and most guides and tips are about features that are included in the advanced license, profiling and so on.

I am facing a case where base license should be enough. But I am confused about the import of endpoints.

When using the base license, is the only way to import devices manually or through file or LDAP? Can't ISE scan the network and pick up MAC addresses automatically?

We don't have LDAP and have about 20 000 endpoints, so adding them manually or to a CSV file is too much work.

Regards,

Philip

Tarik Admani
VIP Alumni

Phillip,

You are correct, those are the only 2 methods to look up MAC addresses; those are the only two methods for which ISE will apply only base licenses. If you choose to have ISE scan your network for devices, then that would be seen as "dynamic profiling", which is an advanced feature.

Hope that helps,

Tarik Admani
*Please rate helpful posts*

Thank you Tarik. You are a goldmine when it comes to information about ISE.

Then it is time to go MAC address hunting!

Edit: A second question. If I have the eval license, what do I have to turn off in ISE besides the Profiling Configuration to evaluate only the base license?

And another question about the base license (I can guess the answer but some confirmation would be good).

When the user has registered a device through the My Devices Portal webpage, the device will end up in the RegisteredDevices Identity Group.

Is there any way to change this? Is there a way for the user to choose what group the device should be in? Or is the only way to change the ID group that an administrator of ISE does it manually?

The problem that we are facing is that some devices should go to VLAN X and others to VLAN Y. But since they are all assigned to the RegisteredDevices group, there is no way to differentiate them in an authorization profile.

Regards

Philip

Edit: Just found out that this might be solved in 1.2. It will implement the use of Endpoint Profile as an attribute in authorization profiles.

Phil,

You cannot do this, but I have a trick that you can use. You can build another web portal (device registration web authentication), then you can set the endpoint identity group you want to stick the users that hit this portal in. Let me know if that leads you down the right path. I can elaborate if you want me to.

Thanks,

Tarik Admani
*Please rate helpful posts*

That sounds interesting. Do you mean building a web portal outside of ISE and somehow connecting it to ISE?

What I would like the most is a dropdown menu on the device registration page where the user can choose what device they are registering.

Phil,

Here is some overview on the device registration portal I was discussing.

https://supportforums.cisco.com/docs/DOC-26667

What you can do is set this portal above the policy that registers the endpoints manually. It is a bit tedious, but give this a try and see if you like it.

Thanks,

Tarik Admani
*Please rate helpful posts*

I read through it and it looks interesting. I don't have access to ISE at the moment so I can't do any testing. But you are writing about the guest portal. Can this be used on the My Devices portal too?

Keep in mind that the article you read is a different type of portal. It is a portal that is designed to statically assign an endpoint to an endpoint group. So you can use this portal once a device is mapped to the RegisteredDevices endpoint group after a user registers their device. After you create the authorization profile that utilizes this portal, you can then use other conditions in order to move the registered device to another endpoint group. This solution doesn't scale well, but I wanted to throw this out there as an option that may work for you.

I hope that helps.

Tarik Admani
*Please rate helpful posts*

Aha, thank you! Now I understand it a bit better. Will lab it when I get my hands on ISE again.

Hi Tarik and others.

I have a question on the same subject.

When you are running the base license, can you still check if the computer is in an Active Directory group, and then do authorization policy based on that? Or is it ONLY MAC address?

//Philip

Hello Philip,

Yes, you can check whether a computer is in an AD group, i.e. machine auth.

Tarik Admani
VIP Alumni

When you check the AD group of a user, that is part of the authentication phase and consumes a base license.



OK, thanks. What I want to do is to check the AD group of a device, not a user.