06-05-2019 06:21 AM
Hello team.
As a sizing exercise to ensure the correct amount of licenses are purchased, we're trying to understand when ISE plus licenses will be consumed.
My current understanding is that when an authorization policy uses endpoint profile information to authorize a device, a license is consumed for the particular session.
The requirement has approximately 70K devices in total; 30K devices that will require AuthZ policies based on profiling, however, another 40K devices connecting to the same environment will not.
Question: for the 40K device classified (not profile authorized) using profiling services, will a plus lic be required? will the classification information still be visible and accessible?
for this use case, my assumption is that only 30K PLUS lics are needed.
Reference:
Licensing
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
The full ISE Profiling feature set requires the installation of a Plus license on the Policy Administration node (PAN). Some basic profiling capabilities are enabled by default as part of the Base license to support core functions.
One Plus feature license is required for each endpoint that is actively authenticated to the network and where profiling data is used to make an Authorization Policy decision. Not considering other services, such as Scalable Group Policy and Bring Your Own Device (BYOD) that may require a Plus feature license, endpoints that are statically assigned to a profile do not consume a Plus license. It is possible to profile multiple endpoints and have visibility into connected devices and their classification without requiring a Plus feature license for each if the profile information is not used to authorize the endpoint. The minimum number of Plus feature licenses is 100.
Solved! Go to Solution.
06-05-2019 08:10 AM
06-05-2019 08:10 AM
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: