pxGRID Licensing for Stealthwatch Integration

tmayer
Cisco Employee

Hi Team,

Customer has 100K Base license and was so far using Stealthwatch and ISE via SYSLOG integration.

Now, he upgraded his Stealthwatch Environment and SYSLOG is no longer an Option, everything needs to be done via pxGRID.

What License is needed for Stealthwatch to ISE via pxGRID?

Is a 100 User License enough?

Thanks for any advice,

Toby

1 Accepted Solution

Toby,

The identity has to be learned via PassiveID and not RADIUS authentication (802.1X, MAB, etc).  Identities learned from PassiveID probes in ISE 2.2 can be shared over pxGrid to StealthWatch.  If the customer wants to quarantine those endpoints, plus licensing will be required.  Sorry for any confusion.

Regards,

-Tim


Jason Kunst
Cisco Employee

Researching to double check

From reading the admin guide

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0101.pdf

  • pxGrid is used to share context collected by ISE with other products. A Plus license is required to enable pxGrid functionality. There is no session count decrement when context for session is shared. However, to use pxGrid, the number of Plus sessions licensed must be equal to the number of Base sessions licensed. For more information, see Cisco ISE Licenses and Services section in Cisco Identity Services Engine Ordering Guide.

Hi Jason,

That means approx 1 Mio USD for three years for the Integration with Stealthwatch. That is huge, just for the sharing of the Username with the Stealthwatch events. Have there been discussions on alternative Solutions? How is everyone handling this issue?

Hi,

If your customer has ISE 2.2, pxGrid functionality for integration with StealthWatch is included in ISE base license.  ISE 2.1 and older requires plus licensing.

Regards,

-Tim

Hi Tim,

This is actually good news! Do you have an idea if we have documented this somewhere?

Thanks,

Toby

Toby,

You should be able to find it in the ISE 2.2 licensing guide.

Edit:  Just to be clear.  Context sharing over pxGrid in ISE 2.2 base license is limited to PassiveID only.  So if the customer wants to share active (RADIUS) authentication information over pxGrid to SW 6.9, they will need plus licensing.

Regards,

-Tim

So, I checked the ISE Ordering guide and in Table 6 I can see:

PassiveID (Cisco Subscribers)    BASE License

and in addition:

Context sharing (pxGrid)               PLUS License

Does this mean as long as the subscriber (I guess via pxGRID) is just consuming Identity Information (like Stealthwatch) and not using any of the quarantine functions, I can do it with BASE License?

If yes, ISE does not allow configuring pxGRID with Base License, so how do I activate it?

Thanks,
Toby

Toby,

The identity has to be learned via PassiveID and not RADIUS authentication (802.1X, MAB, etc).  Identities learned from PassiveID probes in ISE 2.2 can be shared over pxGrid to StealthWatch.  If the customer wants to quarantine those endpoints, plus licensing will be required.  Sorry for any confusion.

Regards,

-Tim