ISE 2.x Device Profiling without Plus License

kenhobbs
Cisco Employee

Hi all,

Privileged to attend a 2-day ISE session this week delivered by the brilliant Thomas Howard and equally brilliant Danny Labandter. Unfortunately my note taking missed a key point that was covered more than once. Is the following correct?

     'Device profiling can be done with Base licensing. But you need a Plus licence when a profiling policy is put into use'


I've looked in tons of docs and training material but can't find anything matching what I thought I heard.

Thanks in advance

Ken

Accepted Solutions

Let's clarify a few points.

#1: Profiling is NOT part of BASE License. One exception is that we have enabled the RADIUS probe as it was deemed critical for tracking specific endpoint attributes and auth activity. If you remove the Plus License, you will no longer be able to configure Profiling services:

Also note that the Profiling Configuration tab is not available for the node.  Profiler Policy is not available and Conditions cannot be configured as shown below...

#2: Since RADIUS Probe is enabled even under Base, endpoint attributes learned from RADIUS and even Device Sensor will be collected. Device Sensor sends data over RADIUS Accounting, and it is parsed by the RADIUS probe.

#3: Even with minimal Plus License, you can unlock access to Profiling configuration and policies.  However, any authorization based on profiling data (for example, endpoint profile, logical profile, Identity Groups derived from Profiling) will require a Plus License per session.

4 Replies

kthiruve
Cisco Employee

Hi Ken,

You get kudos for your outstanding comments on my team. Thank you.

Yes, that is correct, which means that ISE will be able to map devices to profiles with a Base license.

However, when you use this in an authz policy, then a Plus license is consumed.

If you are adding the MAC address to an endpoint group and using that, you don't need a Plus license.

Profiling as a functionality and service does not need a Plus license, but when you start using it in the authz policy you need one. Profiling feed service again requires a Plus license and does not work with Base.

You mentioned you looked at a lot of docs. I am assuming you looked at the ordering guide as well.

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Hope it clarifies.

Thanks

Krishnan

Arne Bier
VIP

It's a fair question and one that has puzzled me for a while too.

Question to Ken: if you don't want to perform any logic with the profiled information, then what is your intention? Is it just to view your endpoints in ISE LiveLogs in more detail by way of "free profiling"? Well, then you may as well enable that at the NAD layer. E.g. I enable Radius Client Profiling (DHCP & HTTP profiling) and that comes for free via the NAS. I have not enabled the Profiling Service on any of my PSNs and I am getting a ton of information from my Cisco WLC.

If I wanted to act on that information (e.g. send Apple devices to VLAN x) then I would need to have a Plus license. But what still puzzles me is that I seem to have all this information in ISE right now, even though I didn't enable profiling. So if I had a Plus license, could I use profiling logic in my policy sets using the free data from my WLC, or do I have to also enable PSN Profiling Service?

It still needs proper licensing and compliance to be properly supported by Cisco. Certain ISE endpoint profiling services might not work at all if the deployment has no PLUS license at all.

As to utilizing the local profiling, see Wireless Device Profiling and Policy Classification Engine on WLC - Cisco.
