PXGrid licensing?

tuenoerg
Cisco Employee

Hi all,

Use case:

ISE and Firepower integration with PXGrid for users validated on an ISE portal and identity information shared to Firepower to make different rules for internet access.

Total users: 10000

Concurrent users: 3000

What terms apply for number of PLUS licenses:

Is 100 plus licenses enough - YES/NO?

Number of concurrent users connected - YES/NO?

Total number of users in identity store using the ISE portal - YES/NO?

Best regards

Tue

1 Accepted Solution

Craig Hyps
Level 10

Licenses are tied to features, not specifically to pxGrid itself. A typical pxGrid use case is the sharing of context (session, endpoints, TrustSec elements, profiles, etc.) outbound to other Cisco or 3rd-party vendor solutions. This requires a 1:1 license for active sessions, or 3,000 Base and 3,000 Plus in your example.

Starting in ISE 2.2, in order to deliver parity with ISE-PIC for sharing Passive Identity (User-IP mapping) and Group information with Cisco consumers (external applications that receive ISE context via pxGrid), all that is needed is ISE Base (any license count). To share other pxGrid topics, non-passive session data, or to share context with non-Cisco consumers, a Plus license is required using the 1:1 ratio explained above.

Hope that clarifies the licensing requirements for these specific use cases.

/Craig


5 Replies

Hi,

What happens if the base licenses are more than plus licenses? I am trying to achieve passive authentication for FMC integration. Will the solution still work with a ratio of 2:1? Thank you in advance.

Passive authentication contextual information shared to FMC via PXGrid doesn't require plus licenses as of ISE 2.3 (or was it 2.2).

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

Thanks George for your prompt response. I shall advise my customer to upgrade to ISE 2.3 to eliminate such concern.

Hello,

I am currently proposing a campus ISE system for a 35,000 user campus with 4 x 3595 comprising 2 x PSN; 1 x MnT & 1 Admin. For PxGrid what are the persona requirements, do I just add a 5th node?

Then for licencing I have 50K Base and 10K Plus for profiling non-supplicant devices. The customer requires user based URL filtering (control over who is allowed to access what). Is linking FMC URL filtering to ISE via PxGrid the answer? If so do I need to add 1:1 Plus licences for max concurrent URL usage?
