05-24-2017 08:13 AM - edited 03-11-2019 12:44 AM
Can anyone help me with understanding the Plus license on ISE with respect to Profiling?
I have been having a discussion with another engineer who says that with the basic license you can perform profiling but you would not be able to enforce any policies with that information without the plus license.
So I would be able to see what is on my network with profiling using basic license but not enforce policies.
Has anyone had any experience with this? I need to clear this point up before I start a POC.
Thanks
05-24-2017 11:36 AM
Additional information can be found here:
Cisco ISE License Model - ISE 2.2 Admin Guide
Profiling requires the Plus License, whether you are doing enforcement or not.
Each session will consume a Base License. To begin Profiling, you must then consume a Plus license. From there, your authentication and authorization policy will do the enforcement.
The process won't even start if you do not have the license.
05-24-2017 06:15 PM
"To begin Profiling, you must then consume a Plus license"
I believe this may be incorrect. Plus license is only consumed when a profiling condition is used in an Authz policy. This is documented in the ordering guide posted.
Also documented in the old ISE Profiling design guide is this:
"One Advanced Endpoint license is required for each endpoint that is actively authenticated to the network and where profiling data is used to make an Authorization Policy decision. Not taking into account other services, such as posture assessment, that may require an Advanced Endpoint license, endpoints that are statically assigned to a profile do not consume an Advanced license. It is possible to profile multiple endpoints and have visibility into connected devices and their classification without requiring an Advanced Endpoint license for each if the profile information is not used to authorize the endpoint."
The Advanced Endpoint license = new Plus + Apex, so I would assume that you would not need a Plus license for ISE just to profile endpoints.
05-24-2017 07:02 PM
Rahul,
That design guide is back from 2012 which was around ISE 1.0 times. Advanced licenses have been gone since ISE 1.2. While you can still apply ISE licenses to current ISE, they are decomposed into Plus and Apex. Things are completely different. Let's not get lost in the semantics here.
First, Cisco ISE License Model:
And Cisco ISE Traditional License Consumption:
While I did not get involved in the technical detail, my original statement is accurate. To do profiling, which is a licensed feature, a Plus license is required and consumed.
"Plus license is only consumed when a profiling condition is used in an Authz policy."
You can't have an AuthZ policy without an AuthC policy. That's mandatory. You make your AuthZ policy based on what you find in the AuthC policy, such as type of device, i.e. profiling.
05-25-2017 01:09 AM
So I need to go and buy some Plus licenses if I want to do profiling?
05-25-2017 01:57 AM
From ISE Plus licensing Q&A:
Q. When is a Plus license consumed?
A. A Plus license is consumed when the “Registration” status or an Endpoint Profile is used within an authorization policy rule.
05-25-2017 06:46 AM
Thank you for that information. That must be from a slightly older version. From the current ordering guide:
I think we are getting lost a little in the semantics here. =)
This is a pre-sales licensing question. It is not a post-sales deep dive into how the back end actually works.
If profiling is desired, the Plus License is mandatory.
05-25-2017 06:13 PM
Thanks for raising this question - I have also wondered about this for a while.
I have tested this and found that no Plus license is consumed:
LicenseTypes | Base license consumed
The upside of enabling Profiling without a license is that the device type can be displayed in the Endpoint Profile field in Live Logs - and also in the Endpoints Dashboard pie chart.
Just a bit of free information about the device manufacturer courtesy of the MAC OUI. Decoding that should not incur a Plus license count, which it doesn't - and shouldn't.
I only enabled RADIUS Probe under Profiling Service in my case.
05-25-2017 07:00 PM
Thanks for posting your test results here. Pretty much what I have seen in my deployments. This should answer the OP's query.
07-31-2018 02:06 AM
Hi, one thing though that I am wondering about: has there been a Plus license installed on this test system, even if it states the license was not consumed? I wonder if the feature is enabled/disabled by simply having the license installed, even if it is just the evaluation license.
BR,
Patrick
10-31-2017 03:15 AM
Hello,
Can anyone help with this new feature, "Anomalous Endpoint Detection"? To configure this new feature in my environment, is it necessary to buy a Plus license, or is it not needed and I can configure it with the basic license? I'm now on ISE version 2.1 and am thinking of going to 2.3; any suggestions about this hop?
Thank you.