topic Hi Johannes- in Network Access Control

ISE license consumption and releasing of licenses [RADIUS]

Johannes Luther — Mon, 11 Mar 2019 06:38:04 GMT

Hi ISE folks,

there are a lot of ISE questions issued by me in the last time. And guess what - here's another one.

I'm asking myself how the ISE license consumption and releasing of licenses actually works. At least I didn't find any good document or post on that.

From what I understood, a license (no matter if base, plus, apex whatever) is consumed based on RADIUS accounting messages.

Example:

An endpoint is authenticating and authorized successfully with 802.1X without profiling or posture or whatever (simple). The ISE knows that this endpoint should consume one base license and the base license consumption is increased by one.

As soon as the client is disconnected from the network the NAD (switch, WLC) sends an accounting stop message to the ISE and the ISE releases the base license again.

(am I right so far?!)

Assuming I'm right with the example above:

RADIUS is not let's say really reliable. Regardless that it's using UDP (which is unreliable), RADIUS has an acknowledge mechanism built in (Accouting request / respone). But this mechanism gives up after some retries. Let's just assume a client is disconnected but the RADIUS stop message is not received by the ISE.

Does the endpoint stay forever in the active session state and therefore consuming a license forever?! (let's assume there is no dot1x reauthentication timer).

Or is there some "idle timeout" mechanism for endpoint licenses?

Kind of a side story here:

I wrote a simple wrapper for the freeradius tool "eapol_test". From a Linux command line single EAP requests (e.g. EAP-TLS) can be issued to a RADIUS server. So the Linux client acts as 802.1X supplicant and authenticator. This is cool to quickly test the availability of the authentication server service.

My simple wrapper for "eapol_test" does a "EAP" ping to measure convergence time and measure authentications per second in a lab environment. Also the wrapper can change the endpoint MAC for every RADIUS session. When I do this EAP ping in a lab my license count on the ISE is exploding, because eapol_test does not issue RADIUS accounting messages to the ISE 🙂

Cheers Johannes

Hi Johannes-

nspasov — Sat, 02 Apr 2016 02:15:01 GMT

Hi Johannes-

You are correct about the license consumption:

Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.

However, in addition to that:

Note Sessions without RADIUS activity are automatically purged from Active Session list every 5 days or if the endpoint is deleted from the system.

This information used to be in the 1.x ISE documentation but for some reason it is not in the 2.x 🙂

Here is the info from 1.2:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.pdf

I hope this helps!

Thank you for rating helpful posts!

Thank you again Neno :D

Johannes Luther — Fri, 08 Apr 2016 09:29:46 GMT

Thank you again Neno 😄

Most welcome! :)

nspasov — Fri, 08 Apr 2016 15:30:06 GMT

Most welcome! 🙂

Regards,

Neno

Hi Neno,

kamlenegi — Wed, 29 Jun 2016 11:00:08 GMT

Hi Neno,

I am facing same problem, for ISE 2.0 license consumption. Can we reduce active session list from 5 days to 1 day.

Thanks

Kamlesh

Hi Kamlesh-

nspasov — Thu, 30 Jun 2016 06:57:53 GMT

Hi Kamlesh-

Unfortunately, there isn't such setting in ISE. However, keep in mind that licensing in ISE (as many other Cisco products) is on the honor system. Thus, even if you exceed the licenses, the system will continue to work and and allow additional users and hosts on the network. You will only get warning messages that you are exceeding your licenses.

With that being said, make sure that your Network Access Devices are configured correctly for 802.1x. More specifically, make sure that Accounting is configured and working properly as that is what notifies ISE when a device/user logs off the network.

If all configs are good and you are indeed close to your license limits then you should really purchase additional licenses 🙂

I hope this helps!

Thank you for rating helpful posts!

Thanks Neno Kamlesh

kamlenegi — Fri, 08 Jul 2016 11:57:57 GMT

Thanks Neno

Kamlesh