11-25-2013 05:21 PM - edited 03-10-2019 09:08 PM
Hello,
I have a customer that is running a 2-node ISE deployment and is licensed for 250 Base and 250 Adv. users.
We have moved the wired users over in one of their offices into Monitor Mode only, and the Base/Adv. Active license counts have exceeded both these values.
Long-term, what is the operational impact?
I understand from Chapter 7 of the ISE User Guide that "To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generate alarms when endpoint counts exceed the licensed amounts"
My question is: aside from a scenario where TAC is engaged and they see the license count exceeded, what is the operational and functional impact of exceeding the license count? I know that ISE continues to process authentications, because the 251st client is not refused access.
I've read the Order Guide and the User Guide and the Hardware Guide, and no actual impact is mentioned.
thanks in advance,
Andrew
11-25-2013 05:33 PM
I had a similar question. I asked how does ISE calculate users. In the WLC I would see 10k RADIUS clients but ISE would show half that number. This is what I was told:
Unfortunately there is no documentation on it. The active endpoints are calculated from the active sessions seen on the primary monitoring node session database, meaning active client sessions seen by PSNs and reported to the primary monitoring node. As to the rules that qualify an endpoint as active, there isn't really even any internal documentation on that. The effective behavior seen indicates that this is calculated by endpoints who authenticate and continue to re-authenticate/periodically trigger accounting updates from NADs. Hopefully this helps!
Tac case # 627456397
11-25-2013 07:57 PM
Hi George,
Thanks for the quick reply.
That was more or less what I was expecting. Our Cisco Channel SE had no answer either. Sounds like it's just some half-baked honour system. At the price of those Advanced License subscriptions, you'd think they'd actually enforce it. At this moment there are 321 active endpoints on this customer's network, ISE is chiming about the license count being exceeded, but is still processing new AAA requests. I did read that the RADIUS accounting table flushes inactive endpoints older than 5 days.
Again, thanks for the reply, if I get any sort of definitive answer, I'll share it here.
Andrew