Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5298
Views
5
Helpful
8
Replies

Basic ISE Licensing question

muthumohan
Level 1
Level 1

‎03-27-2014 08:09 AM - edited ‎03-10-2019 09:34 PM

Hi,

Just a question on ISE license consumption.

If a user logs in and gets authenticated (user authentication) via ISE on a device that is already authenticated (device authentication), does it consume 2 licenses, one for the device and one for the user?

This is nowhere clearly told in any cisco documentation.

Can anybody help me clarify this?

Thank you,

Mohan

Labels:
0 Helpful
8 Replies 8

nspasov
Cisco Employee
Cisco Employee

‎03-27-2014 01:11 PM

No, it will not. The license consumption is not based on user but on the device. More specificially the MAC address of the device. So in your example, only a single license will be consumed. However, a single device can consume more than one license if for instance it authenticates on both wired and wireless or goes behind a docking station since a different MAC address will be presented to the system. 

Hope this helps!

Thank you for rating!

Thank you for rating helpful posts!
0 Helpful

sinisa.djokic
Level 1
Level 1
In response to nspasov

‎12-10-2014 12:41 AM

and what happens if we use ISE just for basic AAA over radius as a replacement for ACS..for example, 500 routers&switches which need AAA for admin&management access..do we need 500 basic licenses or not?..

 

thanx..

 

regards..

0 Helpful

Charlie Moreton
Cisco Employee
Cisco Employee
In response to sinisa.djokic

‎12-10-2014 06:29 AM

Yes, you would need 500 Base Licenses.  Note the table from the ISE 1.3 Admin Guide detailing the Base License needed for AAA:

 

Here is the link for reference:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html#concept_DE1C38E055794B198ED352D1528B5182

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

base.png
Preview file
9 KB

sinisa.djokic
Level 1
Level 1
In response to Charlie Moreton

‎12-10-2014 10:39 PM

hi charles..

 

thanx on your answer..

 

regards..

0 Helpful

abwahid
Level 4
Level 4

‎06-05-2014 11:45 AM

Hi,

ISE always count the licenses on the base of endpoints connected.
Endpoints can be personal computers, laptops, IP phones, smart phones, gaming consoles, printers, and fax machines.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee

‎06-05-2014 08:18 PM

The base package includes all of the base services required to enable 802.1X, Guest, and Monitoring and Troubleshooting. The advanced package includes Posture, Profiler, and Security Group Access services.

Cisco ISE is bundled with a licensing mechanism that has the following important features:
•Built-in License—Cisco ISE comes with a built-in evaluation license, which is valid for 90 days. The evaluation license includes both base and advanced packages and limits the number of endpoints to 100 for both the base and advanced packages. Therefore, it is not required to install a regular license immediately upon installation.

Central Management—Licenses are centrally managed by the ISE administration node. In a distributed deployment, where two ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.

•Concurrent Endpoint Count—The Cisco ISE license includes a count value for base and advanced packages, which restricts the number of endpoints that use those services. The count value is the number of endpoints across the entire deployment that are concurrently connected to the network and accessing the service.

Concurrent endpoints represent the total number of supported users and devices. An endpoint can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.

IMPORTANT : - Alarm is generated when the soft limit of endpoints is crossed and there is no functional impact on the users. To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. However there are plans to implement a hard limit on this soon.

 

Regards,

Jatin Katyal

** Do rate helpful posts **

 

~Jatin
0 Helpful

Saurav Lodh
Level 7
Level 7

‎06-05-2014 11:27 PM

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎06-06-2014 02:03 AM

A Cisco ISE user consumes a license during an active session. Once the sessions has ended, ISE releases the license for reuse by another user.

The Cisco ISE license is counted as follows:

  • A Base, Plus, or Advanced license is consumed based on the feature that is used.
  • An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected to wired and also to wireless at the same time. Licenses for VPN connections are based on the IP address.
  • Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
0 Helpful
Customers Also Viewed These Support Documents
Top