Hi,
Is there a comprehensible list of features of each of the MS licenses as a comparison table similar to the MX comparison of the three license types? I have only seen two separate information pages for these MS licenses and I'm not sure it gives much information on why it would be good to use one over the other.
Network Switch Enterprise License | Cisco Meraki
Meraki Advanced License (cisco.com)
The MX page feature comparison is perfect to really view the license differences:
Meraki MX Security and SD-WAN Licensing - Cisco Meraki
Thanks!
T.
Hi @ww ,
Thanks for your reply but that page doesn't really say anything apart from telling you that you can use the advanced license in the MS390 model.
T.
The features available with advanced licensing are:
* Available in a future software release
Just to add to this, the Advanced License is only relevant to the MS390. Adaptive Policy is available now, you have to be on Per Device Licensing and you need to be on the MS14 ‘beta’ firmware - it’s built on, and is interoperable with, Cisco SGT technology.
Thanks. It seems to be overpriced for just these two features.
Also note you have to have Cisco ISE to use SGT.
So you would not use the advanced licence unless:
AND/OR
Will it work with alternatives to ISE such as ClearPass, ForeScout, etc.?
@PhilipDAth Quick clarification! 😉
Cisco ISE is not required to leverage Adaptive policy.
You can assign devices/groups/SSIDs/Interfaces SGT values via the dashboard. Likewise, you can natively:
In order to dynamically authenticate and assign unique user SGTs, then Cisco ISE is an EXCELLENT choice to do so!
(@BobbyMcLeod Likewise, Cisco ISE is only NAC that can hand out SGTs)
@Paul_H Are you sure on the "Cisco ISE is only NAC that can hand out SGTs"?
In a pure Cisco Catalyst environment this may be the case as you need Cisco ISE to not only act as the RADIUS authenticator, but also to authenticate the infrastructure and create the source SGT to destination SGT matrix that is then downloaded to the switches when requested.
In a pure Cisco Meraki environment I was under the impression that the infrastructure is authenticated by the Meraki cloud, and the source SGT to destination SGT matrix, i.e. the Adaptive Policy matrix, is also managed by the Meraki cloud. Using these alone you can statically assign a port to an Adaptive Policy Group. If you introduce 802.1x (for dynamic Adaptive Policy assignment) then my understanding is that all the RADIUS server needs to do is return the AV Pair to assign the SGT number. Now admittedly this is in the Cisco AV Pair format, but so long as the RADIUS server can return this pair in the required format then surely it can inform the switch which Adaptive Policy to use? Or have I missed something?
(Don't get me wrong, ISE is an awesome platform, but is it really needed for a simple Meraki network using dynamic Adaptive Policy?)