
Cisco ISE session Licenses - consumption model

I see the 2018 ordering guide is now licenses per session. Can anyone explain how the session consumption works? Is it the same as the per device/per user count that uses a Base/Plus or APEX depending on the feature? Thanks

2 Accepted Solutions


Damien Miller
VIP Alumni

ISE tracks endpoints/licensing by MAC addresses so it's not always as simple as user/device count. Licensing in ISE is based off of the active sessions count, and active sessions are dynamically tracked. If endpoint Y authenticates on wired, it will consume 1 Base license. That authentication may leverage features that also require a Plus and Apex license, thus using 1 Base, 1 Plus, and 1 Apex at the same time. Where it gets complicated is if an endpoint drops off the network without notification getting to ISE. That active session will then be held for 5 days before being released.

Additionally, if an endpoint is connected to both wired and wireless at the same time, that will use licensing for both active sessions. ISE sees this as two devices because they have unique MACs.

Base license features:
Basic network access: AAA, IEEE-802.1X
Guest services
Link encryption (MACSec)
TrustSec
ISE Application Programming Interfaces

Plus license features:
Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority
MSE integration for location services
Profiling and Feed Services
Adaptive Network Control (ANC)
Cisco pxGrid

Apex license features:
Third Party Mobile Device Management (MDM) integration
Posture Compliance
TC NAC

This document covers the usage of licensing and a few other scenarios I did not cover. These are just the three most common endpoint licensing categories.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf
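
The counting rules described in the answer above, as an added example that is not part of the original post and is not Cisco code. The session records, field names and feature labels are constructed for illustration, and the model assumes a session is freed as soon as a stop notification reaches ISE:

```python
from datetime import datetime, timedelta

# Tier per feature, a subset of the lists in the post (labels are shorthand, not ISE names).
FEATURE_TIER = {
    "802.1X": "Base", "Guest": "Base", "MACSec": "Base", "TrustSec": "Base",
    "BYOD": "Plus", "Profiling": "Plus", "ANC": "Plus", "pxGrid": "Plus",
    "MDM": "Apex", "Posture": "Apex", "TC-NAC": "Apex",
}
STALE_HOLD = timedelta(days=5)  # hold time stated in the post

def is_active(session, now):
    """A session counts until a stop notification arrives or the 5-day hold expires."""
    if session["stop_seen"]:  # assumption: a received notification frees it at once
        return False
    return now - session["last_seen"] < STALE_HOLD

def license_usage(sessions, now):
    """Licenses consumed at `now`; sessions are keyed by MAC, not by user."""
    usage = {"Base": 0, "Plus": 0, "Apex": 0}
    active = {s["mac"]: s for s in sessions if is_active(s, now)}
    for s in active.values():
        # Every active session takes a Base; features add Plus and/or Apex.
        for tier in {"Base"} | {FEATURE_TIER[f] for f in s["features"]}:
            usage[tier] += 1
    return usage

NOW = datetime(2018, 6, 10, 12, 0)
SESSIONS = [  # constructed sample data
    # One laptop on wired and wireless at once: two MACs, two sessions.
    {"mac": "aa:bb:cc:00:00:01", "features": ["802.1X", "Posture"],
     "last_seen": NOW - timedelta(hours=1), "stop_seen": False},
    {"mac": "aa:bb:cc:00:00:02", "features": ["802.1X"],
     "last_seen": NOW - timedelta(hours=1), "stop_seen": False},
    # Phone that dropped off 3 days ago without notification: still held.
    {"mac": "aa:bb:cc:00:00:03", "features": ["802.1X", "BYOD", "MDM"],
     "last_seen": NOW - timedelta(days=3), "stop_seen": False},
    # Printer silent for 6 days: past the hold, released.
    {"mac": "aa:bb:cc:00:00:04", "features": ["802.1X", "Profiling"],
     "last_seen": NOW - timedelta(days=6), "stop_seen": False},
    # Guest whose stop notification reached ISE: released immediately.
    {"mac": "aa:bb:cc:00:00:05", "features": ["Guest"],
     "last_seen": NOW - timedelta(hours=2), "stop_seen": True},
]

if __name__ == "__main__":
    print(license_usage(SESSIONS, NOW))
```
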

8 Replies

Francesco Molino
VIP Alumni

Hi,

Consumption in ISE depends on your rules. If you authenticate a user, then the session is based on this user for this specific device. If he connects through a 2nd device, then a 2nd license is consumed.

If you're authenticating the device, no matter how many users log in on this device, you will get only 1 session.

Is that clear?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Where it gets complicated is if an endpoint drops off the network without notification getting to ISE. That active session will then be held for 5 days before being released.

Is there a way to adjust this to an hour or so?

No, the 5 day session timeout is not configurable in ISE.

Hi,

If you think about it, the problem is if users disconnect from the network in a not graceful manner; but for users that constantly reconnect, this 5 day limitation is not a limitation; you only run into issues if you have, within those 5 days, many users that show up just once and then disappear.


Regards,

Cristian Matei.

We are only using ISE for AnyConnect user authentication from the ASA using the RADIUS protocol. It says we reached above 4000+ connections when we have less than 500 users. Its main purpose is just username and password auth.

jewfcb001
Level 4

Hi Everyone.

I'm looking for the same answer; I think we have the same issue. About sessions per day: can I refer to the current active sessions in Operation -> Report?
