
Firepower Management Center User Agent

keithcclark71
Level 3

Is the User Agent still an option to use in FMC version 7.2.0? I thought I read somewhere that it was being deprecated in favor of ISE but I really only need the user agent and hope Cisco hasn't done away with it.


It's gone EOL; you can use Cisco ISE-PIC. I think it's supported on version 6.6, and from version 7.X onward it's not supported anymore.

 

Firepower User Identity: Migrating from User Agent to Identity Services Engine 

 

End-of-Life and End-of-Support for the Cisco Firepower User Agent 

 

 

Cisco Firepower User Agent will continue to function with the Cisco Firepower Management Center up to and including version 6.6. However, you will see the following warning message in 6.6 when attempting to add a new User Agent.

please do not forget to rate.

Is Cisco ISE PIC free? Does it allow username mappings to the logs like the cisco user agent did?

@keithcclark71 If you have a Cisco smart license you can download it from software download. I am not sure if it's free. If I remember, it's not free.

 

It does (ISE-PIC) allow the mapping similar to user agent.

please do not forget to rate.

I guess I'll just never move off of 6.6 version then as I can use the user agent there. I'm seeing $5000 for a Cisco ISE PIC license; that's crazy. The business I am setting up Firepower for is small, only 70-80 users, and $5 grand for that is ridiculous.

Version 6.6 is in life support so yes. You can plan it in future.

 

 

please do not forget to rate.

Actually just to mention here

 

Note that per the bulletin in the original posting, ISE-PIC is NOT free if you have the 2-, 5- or 10-device FMCv license. For all other FMC types it is free.

please do not forget to rate.

@keithcclark71 

Customers with a physical or virtual (FMCv25, FMCv300) Firepower Management Center appliance as mentioned in Table 1 with active support contracts will be eligible to receive Cisco ISE-PIC at no additional cost.

 

Refer to table 1 https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/bulletin-c25-744508.html

 

This is not at you, Rob, but this entire process with Cisco is ridiculous. Thank god I looked into user agent not being available in FMC 7.2, as I would have spent all that time getting the virtual appliance up and running, and then who knows how long I would have been configuring Firepower itself before I came around to do the User Agent, only to find out it's no longer supported and then having to go to the small business owner saying oops, my bad, you need to buy this Cisco ISE-PIC for 5 grand. WTF. I am so tired of investing my time as an engineer, which I have invested hundreds upon hundreds of hours in Cisco, only to be bamboozled, and to get anything procured with Cisco I'd rather smash my head into concrete. Just a vent here, and I guess I am going to just download 6.5 and never upgrade this customer, and if the time comes where it's being forced I'll put in Netgates.

FYI, ISE-PIC does not cost US$5,000. The list price for R-ISE-PIC-VM-K9= (ISE Passive Identity Connector Virtual Machine 3000 sessions) is US$1337.50 and the optional support is $257.00 for a one year term. Factoring in normally available discounts means the net cost should be just under $US1,000.00.

While it's not a trivial amount, most businesses with as few users as the one you cite do not use user identity in their Access Control Policies and thus do not require ISE-PIC (or ISE) as an integration.

Thanks Marvin, that 5K number came up on a search so my source was obviously bad. I am putting in Firepower for a local pharmacy with 4 sites, all small in scope, so doing FTD 1010s to all and hoping I haven't underscoped the project, as I will be doing IPsec tunnels and hairpinning the VPN in some instances. As for AnyConnect VPN, I'm planning to deploy using start before login with security card 2FA authentication. I have deployed Firepower with a single FTD 1010 at a local manufacturer under NIST 800-171 compliance, so I try to leverage the user-IP mapping per the NIST control framework requirements. I was hoping I could move forward with the pharmacy project to deploy 7.2, but I guess I will have to roll out 6.6.5 so I can retain the user agent and possibly go the upgrade route in the future to ISE-PIC. That being stated, if you have anything that I should be aware of here I'd appreciate any feedback you can inject. Lastly, what is the level of difficulty in upgrading to ISE-PIC from a 6.6.5 image, is this a difficult upgrade path to 7.2, and is ISE-PIC a steep learning curve compared to the user agent, which was very easy to set up? Thanks again Marvin, I appreciate your insight over the years as you have helped me get through many confused times.

 

 

You're welcome @keithcclark71 

ISE-PIC is a separate VM installation. It's pretty simple to set up - no more than a couple of hours including deploying the VM from the OVA file. Do note the VM requirements though. In a small environment there's often not the same available memory and compute resources we are used to in a larger enterprise. Once it's running, integrating it into FMC is also simple if you follow any of the available guides (Cisco doc or YouTube demos).

Thanks Marvin. 

imanv
Level 1

Just updating this post for future searches...

On this page you can find "Grant Minimum Permission to an Active Directory User Account Used by the Sourcefire User Agent":

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html 

 

Note that Firepower User Agent will not be supported by FMC version 7. FMC Version 6.6.0/6.6.x is the last release to support the Cisco Firepower User Agent software as an identity source. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC).

Best Regards.
