ISE license

bluesea2010
Level 5

Hi,

I have 200 phones with dual ports, 1500 wireless users, and 100 PCs which are connected to the phones.

So what is the total license required for ISE?

I want to authorize all those devices.

What type of license should I buy?

Thanks


balaji.bandi
Hall of Fame

As per the information, you need 802.1X authentication.

A small ISE deployment should work for you with the Essentials License. If you are looking for any profile enforcement, then the Advantage License is needed.

Look at the FAQ below:

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/qa-c67-744190.html

BB


Hi,

If I buy the Advantage license, is the number of devices still unlimited, or do I need to specify the numbers?

Thanks

Yes, you need to buy a quantity of licenses that matches the number of endpoints that will be authenticated by ISE. These are often referred to as active sessions, endpoints that are actively connected to the network.

IP phones often use Advantage licensing to connect to the network because we profile them for authorization.

If you plan to use profiling information to authenticate all 1800 endpoints you counted, then you need 1800 Advantage licenses. Usually not all endpoints need profiling, so a mix of Essentials and Advantage is common.

Hi @Damien Miller,

Thanks for the reply.

"Usually not all endpoints need profiling, so a mix of Essentials and Advantage is common."

What endpoints do you usually exclude from profiling?

Can you please give your common ordering of licenses?

Thanks

 

Depends 100% on how you write your policies.  You could always do static MAC address endpoint groups with no profiling (NOT SECURE) and you would only need Essentials licensing.  Every ISE deployment is different with differing use-cases, policy structures, and endpoint counts. 

Hi,

We have Cisco phones, printers, laptops, mobile phones, access points, and security cameras.

Which ones can I exclude from profiling? The purpose is to reduce the cost.

Thanks

Hi @bluesea2010 ,

Beyond what everyone said, please take a look at the following info in the ISE Data Sheet:

For Essentials:

Built-in AAA services

●  Uses standard RADIUS protocol for Authentication, Authorization, and Accounting (AAA).
●  Supports a wide range of authentication protocols, including, but not limited to PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), EAP-Transport Layer Security (TLS), EAP-Tunneled Transport Layer Security (TTLS), and TEAP.

Note: Cisco ISE is the only RADIUS server to support EAP chaining of machine and user credentials.

For Advantage:

Device profiling

●  Populated with predefined device templates for many types of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets, with additional device templates available for specialized devices such as medical, manufacturing, and building automation.
●  Creates custom device templates to automatically detect, classify, and associate administration-defined identities when endpoints connect to the network.
●  Associates endpoint-specific authorization policies based on device type.
●  Collects endpoint attribute data with passive network monitoring and telemetry.

 

Note: remember that you are always able to test your Deployment using an Evaluation license for 100 Endpoints and check the License Types for each case.

 

Hope this helps !!!

gcook0001
Level 1

So when I read the documentation it states the following:

"For example, when a Windows laptop authenticates via 802.1X, one Essentials license is consumed. If this endpoint’s context is shared with Cisco Stealthwatch or NGFW, one additional Advantage license will be consumed."

So this tells me that since I am using NGFW I will need both an Essentials license and an Advantage license. Does this also mean that I need a license for each feature of the Advantage license? This is the confusing part of the license.

We are looking at ISE. We want to use profiling and other features of the Advantage license. We also want to use ISE for AAA and 802.1X. So does that mean for each computer or user I will need more than one license? And how many will I need?

Cisco definitely does not make this clear.

No, you only need Advantage licensing in this scenario. The 3.X licensing scheme is a nested doll model. Advantage includes all of the features of Essentials.