I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:
I have an XP machine that I am using to access network though ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate company asset. Everytime the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am note using the profiled group, posture assessment, nor even onboarding in my Authz policy.
Here is the authorization rule:
Here is the licensing page:
Here is the only active session from active session report:
And here is the live authentication:
Please make sure that the profiling is disabled for this node, it seems as if the radius probe and the user agent is learned via the http probe.
It also seems as if you are hitting this bug I understand the description doesn't line up but you may want to have TAC clarifiy if this isnt experience on authenticating networks:
Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not
The wireless session in question should be applied against the Base license count. This issue has been observed in Cisco ISE, Release 1.1.1 where the following functions are set:
•MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied
•Profiling is disabled
•Posture is disabled
•The device in question has not been registered via the My Devices Portal
Note There is no known workaround for this issue.
*Please rate helpful posts*
That is what I understand. I am trying to understand why static rule attached here consumes an advanced license as the endpoints are statically added to iOS asset identity group. no profile info is used to authorize. I am still seeing this behavior with 1.2 deployment too. can you help me understand why is this the case? Not if I statically assign it to unknown profile it does not consume advanced license which i do not consider a feasible solution.