01-26-2019 03:17 PM
Hi All,
I'm currently running ISE 2.4 and I have a question regarding base license consumption.
From my understanding, the licenses are consumed and released based on Radius Accounting Start/Stop messages, however, this doesn't reflect in my deployment.
The ISE summary screen is currently showing 124 active endpoints which is correct from the number of connected devices. This number increments/decrements correctly based on active sessions so Radius accounting appears to be working correctly. However under licensing, I'm seeing 2020 base licenses consumed. Should this not reflect the number of active sessions? As I missing something here or am I not understanding the process correctly?
Thanks
Solved! Go to Solution.
01-26-2019 05:17 PM
01-26-2019 05:17 PM
01-27-2019 01:12 AM
Hi Damien,
Thanks for the response.
Live sessions is now reporting 125 endpoints. ISE is providing dot1x/mab authentication for a couple of Meraki wireless networks so its very easy to cross reference the number of active sessions reported in ISE and the number of active wireless clients reported on the Meraki Dashboard. There is a small difference between numbers (10-20) which I believe are stale sessions but I dont expect 2000 endpoints to be on the network today. I will see the active client count rise tomorrow when users are back in the office.
Licensing is currently showing 2058 base licenses consumed.
See attached screenshots
I have not opened a TAC case yet as I want to check if was missing something fundamental before doing so
thanks
01-21-2020 04:03 AM - edited 01-21-2020 05:22 AM
Hi,
I have doubts about active endpoints, active sessions and base license consumption
On a 2.4 patch 9 deployment I used to see that at license count sampling time license count was about 10-15% lower than active endpoint counts.
We are not using profiler service but I saw that a number of active endpoints where there because of default device sensors configuration, that is there were endpoints (typically router or switches interfaces o real endpoint with no supplicant) that did not undergo authentication but for which ISE got accounting packets from switches. The number of such endpoints was roughly equal to the difference between licence count and active endpoints.
After installing patch 11 that difference disappeared. Is Cisco asking money for endpoints that do no perform dot1x or mab authentication?
Another doubt: while querying management API for active sessions at license sampling time count I got a value equal to license count from primary MNT but a considerably lower value from secondary MNT (about 12000 vs 11000 active sessions).
Is this normal?
Regards
MM
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: