Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
116
Views
1
Helpful
2
Replies

Cisco ISE License consumption question

Go to solution
JPavonM
VIP
VIP

‎07-24-2024 08:05 AM

I've found multiple answers to license consumptions in Cisco ISE, but it is not clear when an Essential license is accounted- (https://community.cisco.com/t5/network-access-control/ise-license-consumption/m-p/4283900/highlight/true#M565163 from @Marcelo Morais, or this https://community.cisco.com/t5/network-access-control/cisco-ise-session-licenses-consumption-model/m-p/3693464/highlight/true#M543028 from @Damien Miller)

As ISE accounts for active sessions, and a session starts with a RADIUS Accounting Start (so no need for authentication and/or authorization) does this mean that in order to reduce the number of concurrent active sessions we need to filter out those unwanted access request immediately? OR by Active Session it means a full successful authentication and authorization.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎07-25-2024 10:18 AM

See the ISE Licensing Guide ( https://cs.co/ise-licensing ) for all feature and licensing tiers behaviors.

You cannot have an authentication without an authorization in ISE.

A session is not technically Started in the ISE Live Log session and a respective license consumed until the network device sends the AAA/ISE server a RADIUS Accounting Start message. See https://cs.co/ise-berg#radius for the RADIUS protocol RFCs.

It is Stopped when the network device sends a RADIUS Accounting Stop message -or- if ISE receives no session Interim updates or Stop messages for ~4 days. A session could be terminated by ISE using RADIUS COA however it is still contingent on the network device to 1) support COA 2) be configured to handle COA and 3) acknowledge the session termination via a RADIUS Accounting Stop to the AAA/ISE server.

 

View solution in original post

2 Replies 2

Go to solution
Ben Walters
Level 3
Level 3

‎07-24-2024 08:47 AM

License consumption is based on successful auths. 

For more info if you are using smart licensing on ISE 3.x if you go to Administration > Licensing and scroll down to the bottom you should be able to click on the number of consumed licenses to see the current sessions.

When I check current sessions there are a number showing as "started" but when I check the actual RADIUS logs all of the devices/users consuming licenses have completed their auth successfully.  

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎07-25-2024 10:18 AM

See the ISE Licensing Guide ( https://cs.co/ise-licensing ) for all feature and licensing tiers behaviors.

You cannot have an authentication without an authorization in ISE.

A session is not technically Started in the ISE Live Log session and a respective license consumed until the network device sends the AAA/ISE server a RADIUS Accounting Start message. See https://cs.co/ise-berg#radius for the RADIUS protocol RFCs.

It is Stopped when the network device sends a RADIUS Accounting Stop message -or- if ISE receives no session Interim updates or Stop messages for ~4 days. A session could be terminated by ISE using RADIUS COA however it is still contingent on the network device to 1) support COA 2) be configured to handle COA and 3) acknowledge the session termination via a RADIUS Accounting Stop to the AAA/ISE server.

 

Customers Also Viewed These Support Documents