Cisco ISE profiling license

Hi

I have 700 Plus licenses for the profiling, but we had an issue and we crossed the limit for the devices.


Now we want to reduce the license count, so we decided to use MAB for the authentication for the known devices so we don't use the Plus or profiling license.

Just want to confirm: when we restart the session, will the Plus license count keep decreasing as we migrate from profiling MAB to normal MAB for the same?

Can someone suggest a way forward for the same?

Thanks,

Regards,

4 Replies

Arne Bier
VIP

The license count will decrease when the NAS sends a RADIUS accounting stop for the sessions that were terminated. If you don't have RADIUS accounting enabled on your NAS, then ISE has some internal logic whereby it will declare the session dead after some time. I wish I could remember - I think it's 5 days? Either way, the license counts will always be decremented as a result of that logic. To be more precise, RADIUS accounting should be enabled to give you near real-time license usage. But it's not quite real time - it can take a few minutes to catch up.

Hi,

I have this configured as per best practice:-

 

aaa accounting update newinfo periodic 2880

aaa accounting dot1x default start-stop group ISE

 

Now what's happening in ISE is this: when I re-authenticate them it's still taking the old profile. In the live log it shows correctly, but in the detail logs it says the below and takes the old policy set.

 

There have been 5 repeated authentications with the same authentication result.
The authentication details of the first passed attempt is shown here.

 

Now when I am redoing authentication as well, it's not changing the same.

Is it possible to re-authenticate them faster and get this sorted out sooner?

 

Thanks,


Regards,

 

You may still be consuming Plus licenses even if you are using MAB. If you are configuring your authz conditions based on profiled endpoint identity groups then you will consume a Plus license. How are your MAB policies configured? Also, are you pushing the re-authentication timer via your authz result profile or via switchport?

Sometimes ISE PSN nodes stop sync'ing to the PAN, even after stopping/starting application services. 

 

Try to force a re-sync to that one PSN.  I have had this happen to me even in ISE 2.4 some months ago.