CISCO ISE License Consumption

Ilya Semenov
Level 1

Hello, everybody,

 

I want to understand how CISCO ISE consumes licenses.

I've found the following explanation:

 

"4.1 License Consumption “License consumption” refers to a decrease in installed licenses recorded in the ISE user interface. The consumption of Cisco ISE licenses depends on sessions and the conditions related to network sessions. Cisco ISE licenses are not permanently assigned to an endpoint, so they can be continually consumed and released. Cisco ISE uses RADIUS accounting “start” and “stop” messages to determine when network sessions begin and end (see Table 7). There are a number of Cisco ISE features that do not result in license consumption recorded in the ISE user interface. These are also listed, for completeness (see Table 8)."

 

Could you please clarify this? What if there is no "stop" message from the RADIUS server? The client just turned off the PC and left. For how long will RADIUS keep his license?

 

What is the approximate number of licenses for a 500-employee company?

 

Many thanks in advance,

Ilya

Accepted Solutions

Rahul Govindan
VIP Alumni

I recall having the same answer sometime back. Below is the answer that was most satisfactory for me:

 

RADIUS Accounting is Primary method to maintain sessions – Start/Update/Stop!

    If RADIUS Accounting not sent (or not received due to network or PSN load drops), ISE will rely on Session Purge operation to clear stale sessions

 

•   Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following criteria:

    1. Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of authentication retries)

    2. Endpoint authenticated in last hour but no accounting start or update received

    3. Endpoint idle—no activity (authentication / accounting / posturing / profiling updates) in the last 5 days

 

    * Note: Session is cleared from MnT but does not generate CoA to prevent negative impact to connected endpoints.  In other words, MnT session is no longer visible but it is possible for endpoint to still have network access, but no longer consumes license

 

Source is here: https://communities.cisco.com/message/250418

 

Kudos go to Cisco TME Craig Hyps for the answer.

 

Also, for a 500-employee company, you have to think of the number of unique endpoints that could connect via wired, wireless, etc. Plus, there are phones, printers and APs that all connect to the network and take up licenses. I would assume at least 2 devices per user and add the number of network devices to get the total number of endpoints to license ISE with.
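
The purge criteria quoted in the answer above can be modelled to see how long a session keeps counting against the license pool when no accounting Stop arrives. This is an added example, not part of the original thread and not Cisco's code; the `Session` fields, function names and sample data are hypothetical, and it assumes each criterion means the session becomes eligible for purge once the stated interval has elapsed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds quoted in the answer above.
DISCONNECT_GRACE = timedelta(minutes=15)
NO_ACCOUNTING_LIMIT = timedelta(hours=1)
IDLE_LIMIT = timedelta(days=5)

@dataclass
class Session:
    mac: str
    authenticated_at: datetime
    last_activity: datetime                      # last auth/accounting/posture/profiling update
    accounting_seen: bool = False                # accounting Start or Update received
    disconnected_at: Optional[datetime] = None   # e.g. failed authentication

def purge_eligible_at(s: Session) -> datetime:
    """Earliest time a purge run may clear the session (assumed reading of the rules)."""
    candidates = [s.last_activity + IDLE_LIMIT]                      # criterion 3
    if s.disconnected_at is not None:
        candidates.append(s.disconnected_at + DISCONNECT_GRACE)      # criterion 1
    if not s.accounting_seen:
        candidates.append(s.authenticated_at + NO_ACCOUNTING_LIMIT)  # criterion 2
    return min(candidates)

def run_purge(sessions: list[Session], now: datetime) -> list[Session]:
    """One purge pass: return the sessions that still hold a license.
    The real job runs about every 5 minutes, so clearing can lag by that much."""
    return [s for s in sessions if purge_eligible_at(s) > now]

# Constructed sample data (not taken from a real deployment).
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE = [
    # PC powered off without an accounting Stop; last interim update at 17:00.
    Session("AA:AA:AA:00:00:01", T0, T0 + timedelta(hours=8), accounting_seen=True),
    # Authenticated, but no accounting Start or Update ever arrived.
    Session("AA:AA:AA:00:00:02", T0, T0),
    # Failed authentication at 09:10.
    Session("AA:AA:AA:00:00:03", T0, T0 + timedelta(minutes=10),
            accounting_seen=True, disconnected_at=T0 + timedelta(minutes=10)),
]

if __name__ == "__main__":
    for hours in (0.5, 2, 24, 24 * 6):
        now = T0 + timedelta(hours=hours)
        print(f"+{hours:>5}h  sessions held: {len(run_purge(SAMPLE, now))}")
```

Under this model the powered-off PC from the question is only released by the 5-day idle criterion, because its accounting Start was received and nothing marked it as disconnected.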
