cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1341
Views
0
Helpful
7
Replies
Highlighted

Cisco ISE session Licenses - consumption model

I see the 2018 ordering guide is now licenses per session. Can anyone explain how the session consumption work? is it the same as the per device/per user  count that uses a Base/Plus or APEX depending on the feature ? Thanks 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
VIP Advisor

Re: Cisco ISE session Licenses - consumption model

ISE tracks endpoints/licensing by MAC addresses so it's not always as simple as user/device count. Licensing in ISE is based off of the active sessions count, and active sessions are dynamically tracked. If endpoint Y authenticates on wired, it will consume 1 base license. That authentication may leverage features that also require a plus and apex license, thus using 1 Base, 1 Plus, and 1 Apex at the same time. Where is gets complicated is if an endpoints drops off the network without notification getting to ISE. That active sessions will then be held for 5 days before being released.

Additionally, if an endpoint is connected to both wired and wireless at the same time, that will use licensing for both active sessions. ISE sees this as two devices because they have unique MACs.

Base license features:
Basic network access: AAA, IEEE-802.1X
Guest services
Link encryption (MACSec)
TrustSec
ISE Application Programming Interfaces

Plus license features:
Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority
MSE integration for location services
Profiling and Feed Services
Adaptive Network Control (ANC)
Cisco pxGrid

Apex license features:
Third Party Mobile Device Management (MDM) integration
Posture Compliance
TC NAC

This document covers the usage of licensing and a few other scenarios I did not cover. These are just the three most common endpoint licensing categories.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf

View solution in original post

Highlighted
VIP Advisor

Re: Cisco ISE session Licenses - consumption model

ISE tracks endpoints/licensing by MAC addresses so it's not always as simple as user/device count. Licensing in ISE is based off of the active sessions count, and active sessions are dynamically tracked. If endpoint Y authenticates on wired, it will consume 1 base license. That authentication may leverage features that also require a plus and apex license, thus using 1 Base, 1 Plus, and 1 Apex at the same time. Where is gets complicated is if an endpoints drops off the network without notification getting to ISE. That active session will then be held for 5 days before being released.

Additionally, if an endpoint is connected to both wired and wireless at the same time, that will use licensing for both active sessions. ISE sees this as two devices because they have unique MACs.

Base license features:
Basic network access: AAA, IEEE-802.1X
Guest services
Link encryption (MACSec)
TrustSec
ISE Application Programming Interfaces

Plus license features:
Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority
MSE integration for location services
Profiling and Feed Services
Adaptive Network Control (ANC)
Cisco pxGrid

Apex license features:
Third Party Mobile Device Management (MDM) integration
Posture Compliance
TC NAC

This document covers the usage of licensing and a few other scenarios I did not cover. These are just the three most common endpoint licensing categories.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf

View solution in original post

7 REPLIES 7
Highlighted
VIP Advisor

Re: Cisco ISE session Licenses - consumption model

Hi 

 

Consumption in ISE depends on your rules. If you authenticate a user, then the session is based on this user for this specific device. If he connects through a 2nd device, then a 2nd license consumed. 

If you're authenticating the device, no matter how many users log in on this device, you will get only 1 session.

 

Is that clear?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted
VIP Advisor

Re: Cisco ISE session Licenses - consumption model

ISE tracks endpoints/licensing by MAC addresses so it's not always as simple as user/device count. Licensing in ISE is based off of the active sessions count, and active sessions are dynamically tracked. If endpoint Y authenticates on wired, it will consume 1 base license. That authentication may leverage features that also require a plus and apex license, thus using 1 Base, 1 Plus, and 1 Apex at the same time. Where is gets complicated is if an endpoints drops off the network without notification getting to ISE. That active sessions will then be held for 5 days before being released.

Additionally, if an endpoint is connected to both wired and wireless at the same time, that will use licensing for both active sessions. ISE sees this as two devices because they have unique MACs.

Base license features:
Basic network access: AAA, IEEE-802.1X
Guest services
Link encryption (MACSec)
TrustSec
ISE Application Programming Interfaces

Plus license features:
Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority
MSE integration for location services
Profiling and Feed Services
Adaptive Network Control (ANC)
Cisco pxGrid

Apex license features:
Third Party Mobile Device Management (MDM) integration
Posture Compliance
TC NAC

This document covers the usage of licensing and a few other scenarios I did not cover. These are just the three most common endpoint licensing categories.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf

View solution in original post

Highlighted
VIP Advisor

Re: Cisco ISE session Licenses - consumption model

ISE tracks endpoints/licensing by MAC addresses so it's not always as simple as user/device count. Licensing in ISE is based off of the active sessions count, and active sessions are dynamically tracked. If endpoint Y authenticates on wired, it will consume 1 base license. That authentication may leverage features that also require a plus and apex license, thus using 1 Base, 1 Plus, and 1 Apex at the same time. Where is gets complicated is if an endpoints drops off the network without notification getting to ISE. That active session will then be held for 5 days before being released.

Additionally, if an endpoint is connected to both wired and wireless at the same time, that will use licensing for both active sessions. ISE sees this as two devices because they have unique MACs.

Base license features:
Basic network access: AAA, IEEE-802.1X
Guest services
Link encryption (MACSec)
TrustSec
ISE Application Programming Interfaces

Plus license features:
Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority
MSE integration for location services
Profiling and Feed Services
Adaptive Network Control (ANC)
Cisco pxGrid

Apex license features:
Third Party Mobile Device Management (MDM) integration
Posture Compliance
TC NAC

This document covers the usage of licensing and a few other scenarios I did not cover. These are just the three most common endpoint licensing categories.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf

View solution in original post

Highlighted

Re: Cisco ISE session Licenses - consumption model

Where is gets complicated is if an endpoints drops off the network without notification getting to ISE. That active sessions will then be held for 5 days before being released.

 

Is there a way to adjust this to an hour or so?

Highlighted
VIP Advisor

Re: Cisco ISE session Licenses - consumption model

No, the 5 day session timeout is not configurable in ISE.
Highlighted
Collaborator

Re: Cisco ISE session Licenses - consumption model

Hi,

 

   If you think about it, the problem is if users disconnect from the network in a not graceful manner; but for users that constantly reconnect, this 5 day limitation is not a limitation; you only run into issues, if you have within those 5 days many users that show up just once and they disappears.

 

Regards,

Cristian Matei.

Highlighted

Re: Cisco ISE session Licenses - consumption model

We are only using ISE for Anyconnect users authentication from the ASA using RADIUS protocol. It says we reached above 4000+ connections when we have less than 500 users. Its main purpose is just username and password auth.