Cisco ISE Licensing Part 3: Apex and Device Administration licenses

Be sure to check out Part 1 for Base licenses and Part 2 for Plus licenses.

What functionality is included in Apex licenses

  • 3rd party mobile device management (MDM) integration
  • Posture assessment/compliance
  • Threat Centric Network Access Control (TC-NAC)

What functionality is included in the Device Administration license

The Device Administration license has one function: Enable the TACACS+ server functions. That’s it. Pretty simple. If you want to use ISE as a TACACS+ server, this is the license you need.

What is involved with each Apex license function

Posture assessment is an extra layer of security. You can utilize a persistent agent like AnyConnect (with the ISE posture module) or a dissolvable agent to perform checks against a Windows or Mac client to verify they meet certain requirements. An example of the compliance requirements that can be checked are:

  • Specific antivirus program is installed, running, and updated
  • USB drive plugged in (Windows only)
  • Windows registry entries
  • Windows service status

Cisco ISE does not have posture clients available for mobile devices running  Android and iOS. That’s where MDM integration comes into play. ISE can force mobile devices to register with your company’s MDM. If it’s already registered, ISE can check with the MDM to verify it meets all of the requirements set in your MDM. MDM integration is not only for Android and iOS devices. Any device managed by an MDM like Mac OS X and JAMF can be checked by ISE for MDM compliance. ISE integrates with several 3rd party MDM servers. The list of compatible MDM servers for ISE 2.3 can be found here.

TC-NAC is yet another layer of security for your network devices. It allows ISE to react to threat and vulnerability notifications from several vulnerability scanners. ISE can take action, like quarantining, via ANC to minimize the risk from that device being on the network when a threat notification is received. This feature is huge if you have a lot of IoT devices because those devices rarely value security. Cisco ISE 2.3 supports the following vulnerability scanners:

  • SourceFire FireAMP
  • Cognitive Threat Analytics (CTA) adapter
  • Qualys
  • Rapid7 Nexpose
  • Tenable Security Center

Note: TC-NAC should only be enabled on a dedicated PSN and only the TC-NAC persona should be enabled. Only one node can have TC-NAC enabled.

How are Apex licenses consumed?

Apex licenses are consumed along with Base licenses any time an authorization rule is based on the following conditions:

  • Posture assessment is utilized against an endpoint
  • An authorization rule triggers a TC-NAC event (scanning, quarantining, etc.)
  • An endpoint is verified against an MDM for compliance

How many Apex licenses do I need?

You will need enough Apex licenses to cover any of the above consumption scenarios. The number of Apex licenses must be less than or equal to the number of Base licenses. Let’s assume you have 10k endpoints (workstations, printers, APs, etc.) but only want to run posture assessment against 2k workstations. You would only need 2k Apex licenses.

One thing to remember is that the ISE Apex license does not cover licensing for using AnyConnect as the posture enforcement agent for Windows and Mac endpoints. You will also need AnyConnect Apex licenses for every endpoint.

How are Device Administration licenses consumed and how many do I need?

You only need one (1)! There is no consumption outside of enabling the TACACS+ server functions. Once you add the Device Administration license, you can enable device administration on all of your PSNs if you wanted to. But don’t do that. Plan your deployment properly so you’re not overwhelming your PSN between RADIUS authentications and TACACS+ authentications.

Share this post:

Leave a Reply

Your email address will not be published.