06-01-2022 02:47 AM
Hi,
I have 200 phones with dual ports, 1500 wireless users, and 100 PCs which are connected to the phones.
So what is the total license required for ISE?
I want to authorize all those devices.
What type of license should I buy?
Thanks
06-01-2022 03:08 AM - edited 06-01-2022 03:09 AM
As per the information, you need 802.1X authentication.
A small ISE deployment should work for you with an Essentials license. If you are looking for any profile enforcement, then an Advantage license is needed.
Look at the FAQ below:
06-01-2022 09:50 PM
Hi,
If I buy an Advantage license, is the number of devices still unlimited, or do I need to specify the numbers?
Thanks
06-01-2022 10:01 PM
Yes, you need to buy a quantity of licenses that matches the number of endpoints that will be authenticated by ISE. These are often referred to as active sessions, endpoints that are actively connected to the network.
IP phones often use Advantage licensing to connect to the network because we profile them for authorization.
If you plan to use profiling information to authenticate all 1800 endpoints you counted, then you need 1800 Advantage licenses. Usually not all endpoints need profiling, so a mix of Essentials and Advantage is common.
06-01-2022 10:21 PM
Thanks for the reply,
"Usually not all endpoints need profiling, so a mix of essential and advantage is common."
What endpoints do you usually exclude from profiling?
Can you please give your common ordering of licenses?
Thanks
06-02-2022 05:34 AM
Depends 100% on how you write your policies. You could always do static MAC address endpoint groups with no profiling (NOT SECURE) and you would only need Essentials licensing. Every ISE deployment is different with differing use-cases, policy structures, and endpoint counts.
06-04-2022 03:33 AM
Hi,
We have Cisco phones, printers, laptops, mobile phones, access points, and security cameras.
Which ones can I exclude from profiling? The purpose is to reduce the cost.
Thanks
06-04-2022 12:03 PM
Hi @bluesea2010,
Beyond what everyone said ... please take a look at the following info in the ISE Data Sheet:
For Essentials:
Built-in AAA services
● Uses standard RADIUS protocol for Authentication, Authorization, and Accounting (AAA).
● Supports a wide range of authentication protocols, including, but not limited to PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), EAP-Transport Layer Security (TLS), EAP-Tunneled Transport Layer Security (TTLS), and TEAP. Note: Cisco ISE is the only RADIUS server to support EAP chaining of machine and user credentials.
For Advantage:
Device profiling
● Populated with predefined device templates for many types of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets, with additional device templates available for specialized devices such as medical, manufacturing, and building automation.
● Creates custom device templates to automatically detect, classify, and associate administration-defined identities when endpoints connect to the network.
● Associates endpoint-specific authorization policies based on device type.
● Collects endpoint attribute data with passive network monitoring and telemetry.
Note: remember that you are always able to test your deployment using an Evaluation license for 100 endpoints and check the license types for each case.
Hope this helps!!!
10-18-2022 01:46 PM
So when I read the documentation, it states the following:
"For example, when a Windows laptop authenticates via 802.1X, one Essentials license is consumed. If this endpoint's context is shared with Cisco Stealthwatch or NGFW, one additional Advantage license will be consumed."
So this tells me that since I am using NGFW I will need both an Essentials license and an Advantage license. Does this also mean that I need a license for each feature of the Advantage license? This is the confusing part of the license.
We are looking at ISE. We want to use profiling and other features of the Advantage license. We also want to use ISE for AAA and 802.1X. So does that mean for each computer or user I will need more than one license? And how many will I need?
Cisco definitely does not make this clear.
10-18-2022 02:30 PM