That has MASSIVE implications

Stephen McBride · ‎07-22-2014

Hi all, I know this topic is somewhat done to death but I want to know whether anyone else is experiencing this issue. In summary my ISE deployment (right this minute) has 17 Active sessions with 17 base and 17 plus licenses consumed. My issue with this is that of the 17 active sessions only 8 of these sessions are utilising a plus feature ie the registration status in the authorisation policy. In short at all times the plus license consumption always matches the base license consumption.

I have continually had this issue with all ISE deployments whereby the license consumption does not reflect Cisco documentation and my configurations. Without giving screenshots I can say with certainty that the only plus feature been used is the BYOD onboarding and subsequent registration status in the authz policy. The rest of my policies are straight forward CWA guest and EAP-TLS machine cert authorisations with no profiling information used in the policy. I have gone so far as to turn off profiling and removing BYOD policies with the same results.

The following document clearly states what should and shouldn't consume a license:

http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.pdf

Any input would be appreciated.

nspasov · ‎07-23-2014

I am pretty sure you are hitting the following bug: CSCuh36055. The good news is that the bug is only cosmetic and won't actually affect your environment.

Thank you for rating helpful posts!

bikespace · ‎07-29-2014

The bug is listed as fixed, but I don't see which software it is fixed in. I must admit I've seen this problem for months, probably over a year now. It was already the case on 1.1.4 at least. I have some customers using 1300 of 500 advanced licenses.

It would be nice if it functioned exactly as the documentation always said. It would give you a warm feeling that things will keep working when the advanced license expires entirely (I'm sure we'll find out soon).

At one point I was told it was under discussion whether to fix the problem, or to fix the documentation to fit the problem, but last I heard it would be fixed at some point in the future. Every time we get a call regarding new software (1.2.1, 1.3) I make sure I ask them that the trust based licensing continues. We're OK as long as trust based licensing continues, but it's scruffy and hard to explain to customers why it shows 3 times as many advanced users as they already have. And then on occasions you see their eyes light up when they realise they can run 3000 advanced and Cisco will be none the wiser, or alternatively that they could have got away with a 100 user license and you've just cost them a 5000 user license that nobody can tell if they are using or not.

mohanak · ‎07-23-2014

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html

Stephen McBride · ‎07-23-2014

I have seen this bug listed before and mistakenly assumed it would be fixed by now. The wording of that bug is bit worrying in that the author seems to believe that there is a wording issue with documentation rather than with ISE:

"We need to fix the documentation because the doc says the license is only consumed if the info is used in the authorization policy"

If that is correct I would imagine that Cisco would require everyone to have equal base and plus license counts - would get expensive in large corporate environments that only require maybe 200 onboarded devices whilst having a total host count of around 50000

bikespace · ‎08-07-2014

That has MASSIVE implications for any customer using any advanced license. It's not just a quick little correction to the documentation, it's a correction to every tech briefing, presentations at networkers, Cisco deep dive, and conversation with Cisco that almost any engineer will have had. It is a U-TURN!

Many customers won't bother with advanced license if they are aware that even if they don't use other spurious profiling information received, they will use a device license.

Here's an example - I have 30,000 base users, and I want to allow profiling and posturing for a tiny subset of my people, lets say 300 users that will travel around any of my sites.

So you're saying that if I turn on any kind of profiling on any switch, every single user I have will be classed as an advanced user?

Is this the official line?

If it is I need to bring it up with Cisco because of the implications.

I suspect, it's broken, there isn't an easy fix, change what th documentation says. I hope they realise how widely the licensing details were distributed - everybody discussed this to death, and now its wrong???

manjeets · ‎11-17-2014

Prior to the introduction of the Plus license, SAMPG used this low-cost “visibility” sales motion to help seed Advanced functionality. Now that we have the Plus license at a competitive price point, we are deprecating this functionality. To provide the field with enough time to adjust to the new ISE sales motion, we are not removing this feature immediately with the launch of ISE 1.2 Patch 8 or ISE 1.2.1. This functionality will be deprecated in future version of ISE. Thus Cisco recommends purchasing an equal number of Plus licenses as Base licenses as the default sale motion.”

ISE 1.2/1.2.1 license consumption issues