Be sure to check out Part 1 for Base licenses.
What functionality is included in Plus licenses?
- Bring Your Own Device (BYOD) onboarding
- Mobility Services Engine (MSE) for location based authentication
- Profiling and Profiler Feed services
- Adaptive Network Control (ANC)
What is involved with each Plus license function?
I’m starting with my favorite function. Profiling! Profiling is awesome. It shows you what kind of device (Windows 10 workstation, iPhone, etc.) is connected to your network. You can even create your own custom profiles for devices that may not exist in the Cisco ISE profile database.
The Profiler Feed service is used to automatically update the ISE profiler database directly from the Cisco website. You can also manually update the profiler database by downloading the policies from here (Partner access required). The feed service is automatically enabled when you install a Plus license.
BYOD is used to onboard devices so they are registered within ISE. The onboarding process involves installing a wired or wireless profile on the device to define the connection settings. You can configure the wireless connection to use a passkey or 802.1X. ISE can act as the certificate authority that hands out client certificates to BYOD devices, either as a root CA or as an intermediate CA under your existing PKI deployment. Profiling is needed for BYOD so that the correct network connection profile is installed.
MSE integration allows you to define specific locations where a client can authenticate. Say you have a device that can only be used when it’s on the 2nd floor of the building. Using MSE to communicate with ISE, you can craft an authorization rule to only allow network access when the device is on that floor and deny access if seen anywhere else.
ANC and pxGrid go hand in hand. ANC is disabled by default and is enabled when pxGrid is enabled. pxGrid is Cisco’s Platform Exchange Grid, which allows Cisco ISE to integrate bidirectionally with other security products (not just Cisco’s). An example of this integration is connecting Cisco ISE to Firepower. Firepower can alert ISE when it sees a network attack from a specific client. This is where ANC kicks in, because ISE can be configured to use that alert to quarantine the attacking endpoint. Information can also be shared from ISE to the other products so that identities can be tied to active sessions on those devices (e.g. Cisco WSA).
How are Plus licenses consumed?
This is a little trickier than Base licenses. Plus licenses are not consumed by every active session the way a Base license is. Let’s break it down by function:
- Profiling: A Plus license is consumed during the profiling process. If the session matches a rule based on the profile, the license is consumed during the entire time the session is active. The Plus license is released back to ISE if the session is not authorized by the profile or once the session ends.
- MSE integration: A license is consumed if the session matches an authorization rule that utilizes location information from an MSE.
- BYOD: A Plus license is consumed during the onboarding process. Any connection that uses a BYOD profile will also consume a Plus license when authenticating against ISE.
- ANC and pxGrid: Any session that is being controlled due to ANC will consume a Plus license. Connecting ISE to another system using pxGrid does not consume a license because licenses are only consumed by endpoint authenticated sessions.
Here’s a gotcha with how Plus licenses are consumed: guest devices assigned to the Registered Devices endpoint group. Any device assigned to Registered Devices that matches an authorization rule using that endpoint group will consume a Plus license, even though it is not a BYOD device. ISE hard-codes the Registered Devices endpoint group as a BYOD group. Be sure to create a custom endpoint group to assign the device MAC address to during guest registration, unless you want more Plus licenses consumed than necessary.
Remember: Every session will consume a Base license. That means one session could consume both a Base and a Plus license at the same time. A network printer is a good example because those are usually authenticated via their profile.
How many Plus licenses do I need?
If all you care about is knowing what kind of devices are connecting to your network, you can buy a 100 pack of licenses and you’re covered. Otherwise, you will need to figure out how many devices will be authorized according to the following:
- Based on the device profile (e.g. printer)
- Based on the device location
- Is it a BYOD device?
  - Not guest access; that is covered by Base licenses.
- ANC event triggered by pxGrid
  - This is probably going to be the smallest number. Hopefully. It would be bad to have hundreds of devices automatically quarantined because all those users started surfing a banned website.
You do not need to have the same number of Plus licenses as Base licenses. I have seen several deployments with 10K Base licenses and only 4K Plus licenses. You cannot have more Plus licenses than Base licenses, though: the Plus count must be equal to or less than the Base count.
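To make the consumption rules and the sizing constraints concrete, here is an added example (not code from the original post or from Cisco) that tags a set of constructed sessions with the attributes the rules above depend on and counts Base and Plus demand, including the Registered Devices gotcha and the Plus-cannot-exceed-Base rule. The Session fields and function names are my own assumptions about how you would annotate sessions pulled from an ISE report.

```python
from dataclasses import dataclass

# Groups ISE hard-codes as BYOD groups: a rule matching one consumes Plus even for guests.
BYOD_GROUPS = {"RegisteredDevices"}

@dataclass
class Session:
    endpoint: str                 # constructed sample identifier
    uses_profile: bool = False    # authorized by a rule that matches its profile
    uses_location: bool = False   # authorized by a rule using MSE location data
    byod: bool = False            # onboarded with / connecting via a BYOD profile
    anc_controlled: bool = False  # under an ANC policy such as quarantine
    endpoint_group: str = ""      # endpoint identity group used by the authz rule
    active: bool = True           # licenses are released when the session ends

def consumes_plus(s: Session) -> bool:
    """Plus consumption rules from the post, applied to one session."""
    if not s.active:
        return False
    if s.endpoint_group in BYOD_GROUPS:   # the Registered Devices gotcha
        return True
    return s.uses_profile or s.uses_location or s.byod or s.anc_controlled

def count_licenses(sessions):
    """Every active session takes a Base license; some also take a Plus."""
    active = [s for s in sessions if s.active]
    return {"base": len(active), "plus": sum(consumes_plus(s) for s in active)}

def entitlement_problems(counts, base_owned, plus_owned):
    """Compare demand with a proposed purchase, enforcing Plus <= Base."""
    problems = []
    if plus_owned > base_owned:
        problems.append("Plus count cannot exceed Base count")
    if counts["base"] > base_owned:
        problems.append(f"Base demand {counts['base']} exceeds {base_owned} owned")
    if counts["plus"] > plus_owned:
        problems.append(f"Plus demand {counts['plus']} exceeds {plus_owned} owned")
    return problems

# Constructed sample sessions. The pxGrid link to Firepower is not a session,
# so it never appears here and never consumes a license.
SESSIONS = [
    Session("printer-01", uses_profile=True),                  # Base + Plus
    Session("guest-aa", endpoint_group="RegisteredDevices"),   # Base + Plus (gotcha)
    Session("guest-bb", endpoint_group="GuestDevices"),        # Base only
    Session("byod-iphone", byod=True),                         # Base + Plus
    Session("lab-scanner", uses_location=True),                # Base + Plus
    Session("infected-pc", anc_controlled=True),               # Base + Plus
    Session("old-session", uses_profile=True, active=False),   # released
]
```

Run `count_licenses(SESSIONS)` to see six Base and five Plus licenses in use; `entitlement_problems(counts, base_owned, plus_owned)` then tells you whether a proposed pack size is legal and sufficient.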
The next post will cover Apex licenses.