cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
704
Views
5
Helpful
5
Replies

New ISE Licensing schema

crprunoi
Cisco Employee
Cisco Employee

 

Hello,

Can anyone please unicast me if the new ISE Base license is calculated based on the qty/nr of endpoints or network type ( wired / wireless)

 

Customer has 100 Wireless endpoints and 200 wired endpoints

 

Q: How many licenses are required

  • 300 Base licenses
  • Combination of the Base and Plus based on the wireless use access ( BYOD , Guest )

 

The Ordering guide doesn’t mention any difference between licenses based on the network type while the old licenses were specific to the network type

 

Thank you very much.

 

 

 

3 Accepted Solutions

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni
If you have 300 nodes total you will require 300 base licenses. One for one relationship. The base will get you the generic network access that I assume you are inquiring about. As far as the BYOD/Guest you will need 1 Base + 1 Plus. So if you have 20 BYOD/GUEST endpoints you would need 20 base and 20 plus. Cheers & HTH!

View solution in original post

Damien Miller
VIP Alumni
VIP Alumni

Keep in mind that licensing is based on active endpoints, not total, and every unique mac address is considered an endpoint by ISE. So if you have an iphone associated to the wireless which authenticated via ISE, that is an active endpoint. When it drops off the wireless, the WLC should send a RADIUS accounting stop packet releasing the session, and it is not longer considered active by ISE. A laptop connected to both wireless and wired where there is 802.1x on the switchport could use double the licensing if both network adapters remain active. There would be two mac addresses for the same machine.

If you don't configure RADIUS accounting correctly, every endpoint session will take 5 days to time out before it is no longer considered an active session.

As Mike indicated though, endpoints are endpoints, it doesn't matter how they come in to authentication, you will always use a base license for authentication. Features beyond basic authentication and authorization require either plus or apex and you can read about them in the ordering guide. Advanced feature licenses such as plus or apex stack on top of a base license meaning one mac address can use two licenses.

They recently added examples and explanations to the ordering guide that cover licensing scenarios such as this.
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

View solution in original post

Surendra
Cisco Employee
Cisco Employee
They are not dependant on network type with the new licenses https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf . Sections 1.1.2.3 and 1.4.3.

View solution in original post

5 Replies 5

Mike.Cifelli
VIP Alumni
VIP Alumni
If you have 300 nodes total you will require 300 base licenses. One for one relationship. The base will get you the generic network access that I assume you are inquiring about. As far as the BYOD/Guest you will need 1 Base + 1 Plus. So if you have 20 BYOD/GUEST endpoints you would need 20 base and 20 plus. Cheers & HTH!

Damien Miller
VIP Alumni
VIP Alumni

Keep in mind that licensing is based on active endpoints, not total, and every unique mac address is considered an endpoint by ISE. So if you have an iphone associated to the wireless which authenticated via ISE, that is an active endpoint. When it drops off the wireless, the WLC should send a RADIUS accounting stop packet releasing the session, and it is not longer considered active by ISE. A laptop connected to both wireless and wired where there is 802.1x on the switchport could use double the licensing if both network adapters remain active. There would be two mac addresses for the same machine.

If you don't configure RADIUS accounting correctly, every endpoint session will take 5 days to time out before it is no longer considered an active session.

As Mike indicated though, endpoints are endpoints, it doesn't matter how they come in to authentication, you will always use a base license for authentication. Features beyond basic authentication and authorization require either plus or apex and you can read about them in the ordering guide. Advanced feature licenses such as plus or apex stack on top of a base license meaning one mac address can use two licenses.

They recently added examples and explanations to the ordering guide that cover licensing scenarios such as this.
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Mike, Damien, Thanks for the clarification . I was trying to identify between the delta of the old licenses and the new ones . In the new model, the network access doesn't depend on the network type ( wired or wireless ). It depends on the technology use cases ( BYOD , Guest, SDA ) . Again, thank you

Surendra
Cisco Employee
Cisco Employee
They are not dependant on network type with the new licenses https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf . Sections 1.1.2.3 and 1.4.3.

Thank you .

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: