Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE Licensing for IP Phones nodes

Hi Guys,

I'm currently worknig on an ISE design for a network where they have IP Phones for each end user device:


 Switch <--> IP Phone <--> End User Device.


My concern is the licensing part; i'm not really interested in authenticating or profiling IP Phone nodes. rather i need only to provide full ISE services for End user devices behind IP Phones (Authenitcation,Authorizatino,Posturing....etc.). so i need to order a base and an advanced license that cover ONLY the number of end user devices without accounting for IP Phone units.

Considering the above requirements ; what is the best deployment scenario to consider when configuring the switch interface that connect to each IP Phone with Single host port authentication (cdp bypass). would the ip phone consume from license count.

What if we considered doing MAB for IP Phone nides and Dot1x for End users and considering MDA ? would it consume 2 units from total license number of nodes in this case ?

What is the best practice for deploying and licensing ISE if i Cisco or a Third Party IP Telephony solution and i don't want to autheticate/authorize/profile ip phones ? 


Muayad Jallad,



Rising star

The identifying device

The identifying device profiles doesn't consume any license however, if you are applying diff. authorization rules based on diff. devices types, an advance license would be consumed.

If you are using Cisco IP

If you are using Cisco IP phones you can get away with single-host mode on the port which in effect ignores the phone. If the phone is a third party device you will most likely need to use multi-domain authentication and actually use ISE to allow the phone on the network.

In summary - CIsco phone means potentially no license, if Avaya or other third party you will need to auth and use a license

Cisco Employee

if the device profiled

if the device profiled condition is used in authorization policy then only advanced license consumed