Cisco Employee

New ISE Licensing schema

 

Hello,

Can anyone please unicast me if the new ISE Base license is calculated based on the qty/nr of endpoints or network type (wired/wireless)?

Customer has 100 wireless endpoints and 200 wired endpoints.

Q: How many licenses are required?

  • 300 Base licenses
  • Combination of the Base and Plus based on the wireless use access (BYOD, Guest)

The Ordering guide doesn't mention any difference between licenses based on the network type, while the old licenses were specific to the network type.

Thank you very much.

5 REPLIES
Rising star

Re: New ISE Licensing schema

If you have 300 nodes total you will require 300 base licenses. One for one relationship. The base will get you the generic network access that I assume you are inquiring about. As far as the BYOD/Guest you will need 1 Base + 1 Plus. So if you have 20 BYOD/GUEST endpoints you would need 20 base and 20 plus. Cheers & HTH!
VIP Engager

Re: New ISE Licensing schema

Keep in mind that licensing is based on active endpoints, not total, and every unique MAC address is considered an endpoint by ISE. So if you have an iPhone associated to the wireless which authenticated via ISE, that is an active endpoint. When it drops off the wireless, the WLC should send a RADIUS accounting stop packet releasing the session, and it is no longer considered active by ISE. A laptop connected to both wireless and wired where there is 802.1x on the switchport could use double the licensing if both network adapters remain active. There would be two MAC addresses for the same machine.

If you don't configure RADIUS accounting correctly, every endpoint session will take 5 days to time out before it is no longer considered an active session.

As Mike indicated though, endpoints are endpoints; it doesn't matter how they come in to authentication, you will always use a base license for authentication. Features beyond basic authentication and authorization require either plus or apex, and you can read about them in the ordering guide. Advanced feature licenses such as plus or apex stack on top of a base license, meaning one MAC address can use two licenses.

They recently added examples and explanations to the ordering guide that cover licensing scenarios such as this.
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Cisco Employee

Re: New ISE Licensing schema

Mike, Damien, thanks for the clarification. I was trying to identify between the delta of the old licenses and the new ones. In the new model, the network access doesn't depend on the network type (wired or wireless). It depends on the technology use cases (BYOD, Guest, SDA). Again, thank you.
Cisco Employee

Re: New ISE Licensing schema

They are not dependent on network type with the new licenses: https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf, Sections 1.1.2.3 and 1.4.3.
Cisco Employee

Re: New ISE Licensing schema

Thank you.