Cisco ISE license violation alarm

Hello,

We manage a Cisco ISE appliance with Base license but we keep receiving every once in a while License Violation alarms.

Checking the details of the alarm I can see that one of the times that the alarm was triggered there was a client that was using a Plus license at the time that the alarm was generated.

According to Cisco:

Due to authorization policy mis-configuration, the Licensing dashboard can show that Cisco ISE is consuming a license you have not purchased and registered

How can I find which of the policies that I have configured is using the Plus licence feature?

I know that Plus licence uses the following features:

  • Bring Your Own Device (BYOD) with built-in Certificate Authority Services
  • Profiling and Feed Services
  • Endpoint Protection Service (EPS)
  • Cisco pxGrid

This doesn't help me recognise which policy is mis-configured or which Policy Element or feature is being used by the Plus license.

Any ideas?

1 Accepted Solution

Hello everyone,

For the record, and after opening a Cisco TAC case, I found out that this alarm is affected by the following Cisco bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw61638/?reffering_site=dumpcr

It can be safely ignored.

Best regards,

Anastasios

12 Replies

nspasov
Cisco Employee

I have seen this issue before and I did indeed have an authorization rule that was referencing "Profiled Phones" which was in turn triggering the consumption of a Plus license. 

You will basically have to go through your rules manually and see which rule is referencing one of the Plus features that you have listed above. Once you find the rule, remove the argument that references it and then you should be good to go.

Also, keep in mind that the license consumption in ISE is based on the honor system so this should not be service impacting for the environment. 

I hope this helps!

Thank you for rating helpful posts!

Hello Neno,

Thank you for the reply.

The problem that I am currently having is to see which of the policy elements is triggering the Plus license. 

You did mention the "Profiled Phones" object. How did you find out that this was related to the Plus license? Is there a table that references which objects are related to (and consume) the Plus license?

Best regards,

Anastasios

Hi,

In order to know which rule is consuming your license, you can go to "Live logs" and check the detail of the Authentications/Authorizations; the bottom part of the detail shows you the "Result".

In that part, the last line is "license type" (I uploaded a screenshot).

Hope that helps.

Hello alberx,

Thank you for the reply.

The problem is that when the license violation happens it's usually out of hours when I am not at work.

Is it possible for the logs archive to provide information like which device violated which Plus license feature?

Cisco could have made it easier to find that kind of information.

Best regards,

Anastasios

Hi Anastasios,

I don't know if there is any log file with this information.

What I would do is: as you already know the exact time of the alarm, generate an authentication report of that period of time (Operations --> Reports --> ISE Reports --> Endpoints and Users --> Radius authentications --> time range --> Custom), and then check the detail of all the lines to find which one is consuming the Plus license.

Hope this helps.

Regards.

Hello Alberx,

Thank you for your reply but I can't find the Radius authentications under the Endpoints and User option. Could it be due to a different version?

Best regards,

Anastasios

Mine is release 2.1.

I am using version 1.4

Thanks for the help so far alberx

jj27
Spotlight

Any rule that is using the ISE profiling engine to authorize a user will consume a Plus license, thus giving you the alarm. Can you attach a screenshot of your policies?

nspasov
Cisco Employee

Glad you were able to resolve your issue! Also, thank you for taking the time to come back and update the thread with the resolution!

Looi Siew Key
Level 1

Hi All,

We have this issue as well, but our environment is a bit different from the bug ID details.

ISE version: 2.1.0474 patch 3

License: Base, Plus and Apex in use. No license exceeded, but a license violation alarm appeared.

Patch 3 was installed half a year back, and today it suddenly prompted unrelated alarms.