This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I'm currently running ISE 2.4 and I have a question regarding base license consumption.
From my understanding, the licenses are consumed and released based on Radius Accounting Start/Stop messages, however, this doesn't reflect in my deployment.
The ISE summary screen is currently showing 124 active endpoints which is correct from the number of connected devices. This number increments/decrements correctly based on active sessions so Radius accounting appears to be working correctly. However under licensing, I'm seeing 2020 base licenses consumed. Should this not reflect the number of active sessions? As I missing something here or am I not understanding the process correctly?
Solved! Go to Solution.
Thanks for the response.
Live sessions is now reporting 125 endpoints. ISE is providing dot1x/mab authentication for a couple of Meraki wireless networks so its very easy to cross reference the number of active sessions reported in ISE and the number of active wireless clients reported on the Meraki Dashboard. There is a small difference between numbers (10-20) which I believe are stale sessions but I dont expect 2000 endpoints to be on the network today. I will see the active client count rise tomorrow when users are back in the office.
Licensing is currently showing 2058 base licenses consumed.
See attached screenshots
I have not opened a TAC case yet as I want to check if was missing something fundamental before doing so
I have doubts about active endpoints, active sessions and base license consumption
On a 2.4 patch 9 deployment I used to see that at license count sampling time license count was about 10-15% lower than active endpoint counts.
We are not using profiler service but I saw that a number of active endpoints where there because of default device sensors configuration, that is there were endpoints (typically router or switches interfaces o real endpoint with no supplicant) that did not undergo authentication but for which ISE got accounting packets from switches. The number of such endpoints was roughly equal to the difference between licence count and active endpoints.
After installing patch 11 that difference disappeared. Is Cisco asking money for endpoints that do no perform dot1x or mab authentication?
Another doubt: while querying management API for active sessions at license sampling time count I got a value equal to license count from primary MNT but a considerably lower value from secondary MNT (about 12000 vs 11000 active sessions).
Is this normal?