ISE Licensing for IP Phones nodes

M.Jallad
Level 1

Hi Guys,

I'm currently working on an ISE design for a network where they have IP Phones for each end user device:

 

 Switch <--> IP Phone <--> End User Device.

 

My concern is the licensing part; I'm not really interested in authenticating or profiling IP Phone nodes. Rather, I need only to provide full ISE services for end user devices behind IP Phones (Authentication, Authorization, Posturing, etc.). So I need to order a base and an advanced license that cover ONLY the number of end user devices without accounting for IP Phone units.

Considering the above requirements, what is the best deployment scenario to consider when configuring the switch interface that connects to each IP Phone with single-host port authentication (CDP bypass)? Would the IP phone consume from the license count?

What if we considered doing MAB for IP Phone nodes and Dot1x for end users, and considering MDA? Would it consume 2 units from the total license number of nodes in this case?

What is the best practice for deploying and licensing ISE if I have a Cisco or a third-party IP telephony solution and I don't want to authenticate/authorize/profile IP phones?

Thanks,

Muayad Jallad,

 

 

3 Replies

Saurav Lodh
Level 7

Identifying device profiles doesn't consume any license; however, if you are applying different authorization rules based on different device types, an advanced license would be consumed.

Stephen McBride
Level 1

If you are using Cisco IP phones, you can get away with single-host mode on the port, which in effect ignores the phone. If the phone is a third-party device, you will most likely need to use multi-domain authentication and actually use ISE to allow the phone on the network.

In summary: a Cisco phone means potentially no license; if Avaya or another third party, you will need to auth and use a license.

Venkatesh Attuluri
Cisco Employee

If the device profiled condition is used in the authorization policy, only then is the advanced license consumed.