ISE 1.2 Profiling

Having sat through the Cisco class and having also looked at the Cisco Press book "Cisco ISE for BYOD and Secured Unified Access", I have a question regarding profiling.  I have a dual server implementation I'm attempting to configure, and the temporary advanced license is long gone, resulting in only my BASE license.  I know that mainly because I receive an alert every 3 hours - I've disabled it.

The courseware and the book seem to imply that any/all profiling capability is active ONLY if an Advanced license is in effect.  Does that mean ALL profiling?  Does that mean that I should just delete ALL Profiled Endpoints, as they were profiled prior to my Advanced license expiring? 

When I go to Admin --> System --> Deployment and select a PSN, I would expect to see both a General Settings tab and a Profiling Configuration tab. However, I only see the General Settings tab.

[screenshot: deployment.png]

In it, Enable Profile Service is checked, but it is also grayed out.  If I deselect Policy Service, the check mark for Enable Profile Service goes away.  If I select Policy Service again, the check mark under Enable Profile Service does NOT reappear.  If I select Reset and start over, it's all back to how it was when I started.

[screenshot: Profile.png]

So since I do not have a Profiling Configuration tab, I am unable to change or even verify any of the potential probes.  Is there ANY base level of profiling/identification active, at any level, without the Advanced license?  I think the answer is no, but the ordering of the material could be misinterpreted...

Accepted Solution

George Stefanick
VIP Alumni

From a wireless perspective .. Wireless includes Advanced .. Just to be clear ..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

6 Replies

Scott Fella
Hall of Fame

Yeah, the answer is no. You do need the advanced license for any profiling on ISE.

-Scott

kaaftab
Level 4

Following are the license details for ISE:

Base
  Capabilities: Basic network access and guest access
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: None
  Perpetual license
  Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints

Advanced
  Capabilities: Profiler and feed service, posture, MDM integration, automated endpoint onboarding, and Security Group Access (SGA)
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: Base license
  Term license: 1-, 3- and 5-year terms
  Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints



Just to be clear, while we were installing the product and configuring the basics, and before the evaluation ADV license expired, every time a new device was seen, it was added to the list of endpoints.

My understanding was that once an endpoint is seen, its base profile is created, and it is fine-tuned and re-evaluated as more is learned about it.  An Apple device becomes an iPad, an iPad becomes an iPad 2, etc., all based upon the profiles that are built-in.

I believe the intention here was that if a device became associated with the ISE implementation, say over wireless, the user of that device could join an SSID, authenticate once, and then not have to authenticate for quite some time, a variable that could be set by the administrators.

So if the ADV license expires, does that mean that an endpoint will never be remembered and that a user will be required to authenticate EVERY time they attempt to use an ISE-managed NAD?

Hi David,

Thank you for supporting the rating system. Let me see if I can help clear up some of this ..

My understanding was that once an endpoint is seen, its base profile is created, and it is fine-tuned and re-evaluated as more is learned about it.  An Apple device becomes an iPad, an iPad becomes an iPad 2, etc., all based upon the profiles that are built-in.

Correct, as probes are used and should the ID of the device change, it will get updated under the endpoint folder.

I believe the intention here was that if a device became associated with the ISE implementation, say over wireless, the user of that device could join an SSID, authenticate once, and then not have to authenticate for quite some time, a variable that could be set by the administrators.

This is not the case actually. When a wireless device attaches to the network the first time, it MUST authenticate. In fact, if the device doesn't support OKC, you will see your device authenticate with RADIUS each and every time during a roam. Specific to guest, you can tune the timers so they don't get the AUP every few minutes.

Hope this helps


I'm getting there.....

My understanding was that once an endpoint is seen, its base profile is created, and it is fine-tuned and re-evaluated as more is learned about it.  An Apple device becomes an iPad, an iPad becomes an iPad 2, etc., all based upon the profiles that are built-in.

Correct, as probes are used and should the ID of the device change, it will get updated under the endpoint folder.

And this activity occurs regardless of the presence of an ADV license?  I fully understand that I might not be able to profile/posture machines, but I'd like to think that the "back-office" processing takes place regardless.  The simple answer is to buy a 100 endpoint ADV license, to boost my 750 endpoint base license, unless I can get a new eval license somehow.

I believe the intention here was that if a device became associated with the ISE implementation, say over wireless, the user of that device could join an SSID, authenticate once, and then not have to authenticate for quite some time, a variable that could be set by the administrators.

This is not the case actually. When a wireless device attaches to the network the first time, it MUST authenticate. In fact, if the device doesn't support OKC, you will see your device authenticate with RADIUS each and every time during a roam. Specific to guest, you can tune the timers so they don't get the AUP every few minutes.

OK, you lost me at OKC.  Please tell me auto-correct has struck again.  Dot1X is what you meant, right? 

I fully get the fact that the first time a device is seen it has to authenticate.  Users have complained of having to reauth each time they roam.  I believe the bulk of that can be cured by having them set their WiFi Preferences.  They also want a default landing page after they authenticate.  They appear to get left with a window saying they are renewing their IP, but no redirection.  This is probably something I neglected to set...
