https://community.cisco.com/t5/network-access-control/ise-2-4-plus-licensing-consumption/m-p/3794950#M485599 <P>Hi,</P> <P>&nbsp;</P> <P>We have a ISE2.4 deployment that is used for RADIUS device and Device Admin AAA. We have started to see an increase in PLUS license consumption a few months after initial deployment and we can't understand what feature would be using a PLUS license.</P> <P>&nbsp;</P> <P>Our policy sets are: -</P> <P>RADIUS policy-set</P> <P>Rule matches an InternalUser in a InternalUser Group and provides an Authorization profile consisting of a 'access_accept' and no common tasks but a few av-pairs such as VRF, Loopback interface, static routes etc...</P> <P>&nbsp;</P> <P>We believe that Device Admin policies do not count towards a PLUS license but just in case it helps our TACACS policy is: -</P> <P><SPAN>Rule matches a InternalUser in a InternalUser Group and a Device in a specific Device Group then provides an Authorization consisting of a&nbsp;</SPAN>priv_lvl an a command-set.</P> <P>&nbsp;</P> <P>We also use ISE to authorize VPN users via RADIUS. However, this is only for user validation: -</P> <P><SPAN>Rule matches an InternalUser in a InternalUser Group and provides an Authorization profile consisting of a 'access_accept' and common tasks DACL. and&nbsp;ASA-VPN.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The deployment is only running Session and Device Admin services. Profiling, Posture, BYOD and Guest services are not used and disabled where possible on&nbsp;the nodes. We don't use any of the extended AnyConnect features such as Profiling or Posture compliance on the VPN endpoints.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We have the AnyConnect APEX&nbsp;</SPAN>licenses applied to our ASAs and reading the documentation it seems that we should not need to apply the APEX licenses to ISE if all we want to do is basic RADIUS AAA for the users username.</P> <P>&nbsp;</P> <P>So my questions are: -</P> <P><SPAN>Does the RADIUS ASA-VPN common task consume a PLUS License in ISE?</SPAN></P> <P><SPAN>Does the RADIUS DACL common task consume a PLUS License in ISE?</SPAN></P> <P><SPAN>Does the&nbsp;Security&nbsp;Group TAG in a RADIUS authorization profile&nbsp;consume a PLUS License in ISE?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Many thanks in advance</SPAN></P> Tue, 05 Feb 2019 10:54:33 GMT Peter Batchelour 2019-02-05T10:54:33Z https://community.cisco.com/t5/network-access-control/ise-2-4-plus-licensing-consumption/m-p/3794950#M485599 <P>Hi,</P> <P>&nbsp;</P> <P>We have a ISE2.4 deployment that is used for RADIUS device and Device Admin AAA. We have started to see an increase in PLUS license consumption a few months after initial deployment and we can't understand what feature would be using a PLUS license.</P> <P>&nbsp;</P> <P>Our policy sets are: -</P> <P>RADIUS policy-set</P> <P>Rule matches an InternalUser in a InternalUser Group and provides an Authorization profile consisting of a 'access_accept' and no common tasks but a few av-pairs such as VRF, Loopback interface, static routes etc...</P> <P>&nbsp;</P> <P>We believe that Device Admin policies do not count towards a PLUS license but just in case it helps our TACACS policy is: -</P> <P><SPAN>Rule matches a InternalUser in a InternalUser Group and a Device in a specific Device Group then provides an Authorization consisting of a&nbsp;</SPAN>priv_lvl an a command-set.</P> <P>&nbsp;</P> <P>We also use ISE to authorize VPN users via RADIUS. However, this is only for user validation: -</P> <P><SPAN>Rule matches an InternalUser in a InternalUser Group and provides an Authorization profile consisting of a 'access_accept' and common tasks DACL. and&nbsp;ASA-VPN.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The deployment is only running Session and Device Admin services. Profiling, Posture, BYOD and Guest services are not used and disabled where possible on&nbsp;the nodes. We don't use any of the extended AnyConnect features such as Profiling or Posture compliance on the VPN endpoints.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We have the AnyConnect APEX&nbsp;</SPAN>licenses applied to our ASAs and reading the documentation it seems that we should not need to apply the APEX licenses to ISE if all we want to do is basic RADIUS AAA for the users username.</P> <P>&nbsp;</P> <P>So my questions are: -</P> <P><SPAN>Does the RADIUS ASA-VPN common task consume a PLUS License in ISE?</SPAN></P> <P><SPAN>Does the RADIUS DACL common task consume a PLUS License in ISE?</SPAN></P> <P><SPAN>Does the&nbsp;Security&nbsp;Group TAG in a RADIUS authorization profile&nbsp;consume a PLUS License in ISE?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Many thanks in advance</SPAN></P> Tue, 05 Feb 2019 10:54:33 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-plus-licensing-consumption/m-p/3794950#M485599 Peter Batchelour 2019-02-05T10:54:33Z https://community.cisco.com/t5/network-access-control/ise-2-4-plus-licensing-consumption/m-p/3794961#M485600 It doesn’t appear like you have anything that would consume a plus license<BR /><BR />I recommend installing latest patch and if still exhibiting same before open a tac case <BR /> Tue, 05 Feb 2019 11:22:44 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-plus-licensing-consumption/m-p/3794961#M485600 Jason Kunst 2019-02-05T11:22:44Z