Profile enabled without the license [ISE 2.7(p10)]

Gioacchino
Level 1

Is it true that having enabled the profiling with just the basic license makes no difference in terms of possibility of authorization, but enriches the logs of authorized devices?

I'm asking this question because I faced this scenario: with two nodes, on the primary PAN the profiling service was enabled and there was a yellow triangle. On the secondary PAN, such a feature could not be enabled.

It was a weird situation. After having discussed this in call with the partner, the representative suggested to disable it. So we did.

A colleague of mine now states that we lost all the extra info we used to have; I don't have the possibility to quickly check what he states and hence I'm asking the community.

There are many folds to this topic (including the fact that when going for an upgrade I don't want to start from spurious conditions), but if somebody could share his/her experience/knowledge, I would really appreciate it.

If indeed the abnormal situation (profiling enabled with no license) is an advantage, how do we enable it again? And if it is not possible, why did we end up in that situation? (I know I should find the answer in my company by knowing the history.)

TIA, Gio

12 Replies

Arne Bier
VIP

ISE 2.x or 3.x?

In ISE 2.x you would need at least 100 Plus licenses (which have a limited lifespan) or in ISE 3.x you must have at least 100 Advantage licenses, which are also subscription based (i.e. limited life span). Without these licenses you should not enable profiling on a node. You can do it technically, but then you are in violation of Cisco licensing (yellow license icon).

It's worth purchasing 100 of these licenses to have endpoint visibility - i.e. you can see a lot of details per endpoint. Without profiling enabled, ISE will blank out the data.

If you then want to also use the profiled data in your RADIUS Authorization Policies, you will need one of these rather expensive licenses PER endpoint that successfully matched one of these rules. If you have 10,000 active endpoints that rely on profiling, then you need at least 10,000 of these licenses. But if you're only using profiling for endpoint visibility, then 100 is all you need.

Thank you @Arne Bier ,

we speak about version 2.7. All about licenses is rather clear.
I would like to understand the following:
1) after disabling the profiling, I don't seem to find a way to enable it again: the option in Administration -> System -> Deployment is grayed out, hence even if I wanted to violate, I cannot;

2) my teammate says that enabling profiling without a license nevertheless enriches the logs with information that you won't have without that option active.

It's this second point that puzzles me and that I would like to clarify.

TIA, Gio

I can't remember back to the ISE 2.7 days and how the licenses are installed. Using Smart Licensing, or were the licenses statically installed?
Perhaps the Plus license has been un-checked under the License config. Once the license option is done, then the deployment screen for that node should allow you to tick Profiling. Click save, and then the sub tab appears to tune the profiling probe settings.

Please share the Administration > System > Licensing page for review.

Hi @Aref Alsouqi ,

here you have it.

[screenshot attached: Gioacchino_0-1705580323769.png]

Gio

Accepted Solution

Hi Gio, as you can see from the screenshot, the plus features licenses are disabled. You can try to check the tickbox next to plus and then click enable. That should then allow you to turn on profiling.

Gioacchino
Level 1

Thank you @Aref Alsouqi ,

I sense your comment closes the loop among the open points I have.
Again, the intention is not to take advantage of features we are not entitled to, but to know better how we ended up in the previous situation I faced.

Thanks again,
Gio

You're very welcome Gio, I agree, it is always good to know why and how things ended up for better visibility.

One still open point though: it's about the richness of the logs while having the profiling enabled. Is it true?

Depends on how you define “rich”. You will see various attributes of the endpoint such as hostname and the device profile (as determined by ISE profiling). It relies on getting the data from somewhere. IOS devices support device sensor. But you can also probe from nmap, snmp, etc. in other words, if you have setup ISE profiling then you will see this enriched data.

Thanks @Arne Bier ,

so what you've said just confirms that enabling profiling is of help at log level, isn't it?
My teammate just says that "enabling profiling" is enough. I truly apologize for the poor information provided from my side.
In this sense profiling can be enabled, not used, to take advantage of such richness.
I wonder if such scenario is a violation of the "terms and conditions" about profiling.

Gio

Hi Gio. I think turning on the feature set without licenses would still be considered a violation of agreements with Cisco :). However, from the technical point of view, I wouldn't say enabling profiling would give enough insight in ISE RADIUS live logs. However, what it really makes difference when you turn on profiling is the bunch of attributes that will be added to the endpoints in the context visibility section. With profiling turned off you won't see much of those attributes. Another thing where profiling comes into handy is referencing the endpoints profiles in the authorization rule.

For instance, you can create an authorization rule for all the endpoints that would be profiled as Microsoft workstations, you can also rely on logical profiling which will automatically add a newly added endpoint such as a printer to a logical profile without you touching the previously created authorization rule.

One thing to keep in mind with ISE profiling is that it's not always 100% accurate, so you should enable the profiler feed downloads from Cisco, which should be done on a daily basis. But even though sometimes ISE might not be able to accurately profile an endpoint, in those cases you can edit the profile manually to make it more accurate, or you can rely on the external feeds as suggested by @Arne Bier, such as device sensor, which is very common. However, this is a feature that will be configured on the switches, not from within the ISE Profiling Configuration page.

On the other hand, what you can do from within the ISE Profiling Configuration page is turn on some of the supported probes; the most common ones I've seen being used are DHCP, RADIUS, Active Directory, and SNMP.

So, by turning on those probes alongside the device sensor, you will have a whole lot of data that you can rely on to create/optimize your authorization rules to manage the access levels of the endpoints and devices that will be connected to your network based on the profiles they belong to.

Please keep posting any further questions, we are here to help where we can.