topic Re: Essential vs. Advanced license in Network Access Control

Essential vs. Advanced license

adamscottmaster2013 — Tue, 14 Nov 2023 20:04:04 GMT

I recently upgraded my ISE from 3.0 to 3.2 patch-4. I DO NOT HAVE "PROFILING SERVICE" RUNNING ON ANY OF THE NODES. I only have essential license and NO advanced license.

After the upgrade, when I am still in evaluation mode, some devices in my environment such as Avaya and Polycom phones are now consuming "Advanced" license instead of essential license. What worries me is that once I applied smart licensing some of the devices that consume advanced license will stop working because I don't have advanced license. I opened a TAC case and the TAC person told me not to worry about it but I don't think that's true.

Anyone run into this before? TIA

Re: Essential vs. Advanced license

Arne Bier — Tue, 14 Nov 2023 22:21:24 GMT

Hi @adamscottmaster2013

You say that you don't have any profiling enabled on any of your nodes - that by itself doesn't consume Advantage Licenses. You will consume an Advantage License because somewhere in your RADIUS Policy Set Authorization Rules, you're using a Condition that relates to Endpoint Profiles, or Endpoint Logical Profiles.

I don't think there is a way to filter our Authorizations that consumed an Advantage License, but it sure would be interesting to find one of those, and see what path it took through the Policy Set.

BYOD also consumes Advantage - but you'd need the Advantage license in previous version to configure that (menus).

I think you need to check your AuthZ results to find the cause of this. ISE should not be making up licensing rules on the fly 🙂

Re: Essential vs. Advanced license

adamscottmaster2013 — Tue, 14 Nov 2023 22:34:00 GMT

Hi @Arne Bier: In my ISE version 3.0 patch-3 system, under licensing, the "Advanced" license feature is disabled and everything still works. Why is it using "advanced" license in 3.2 patch-4?

Re: Essential vs. Advanced license

Arne Bier — Tue, 14 Nov 2023 22:43:13 GMT

Without seeing your RADIUS Policy Set I wouldn't be able to answer that. It sounds like a defect, if none of your Authorization Rules are using Profiling conditions.

Did you do an ISE 3.0 config backup restore on a fresh ISE 3.2 node? That might have introduced some crud. But essentially, the only licensing difference between 3.0 and 3.2 is that since 3.2, the VM License requirements have changed - it demands the newer VMC (Common VM) SKU, and not the older Small/Medium/Large SKU. But all the rest stayed the same.

Have you found an example in LiveLogs yet, where it shows "Consumed Advantage License" at the bottom ?

Re: Essential vs. Advanced license

adamscottmaster2013 — Wed, 15 Nov 2023 00:16:48 GMT

Hi @Arne Bier: Yes, in my existing 3.0 patch-3 system, even with "Advantage" license disabled in smart licensing, this device is consumed "Advantage" license when I have NO "advantage" license. Go figure.

Yes, I did a ISE 3.0 config backup restore on the fresh ISE 3.2 node.