Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
4
Replies

ISE 1.3, information about license consumption

Go to solution
Marco Biffi
Level 1
Level 1

‎04-16-2015 02:22 AM - edited ‎03-10-2019 10:38 PM

Hi all
We are deploying ISE 1.3 in our network but is not clear for us how the license consumption mechanism is handled by ISE.
I saw in the administration guide that in ISE 1.3 a license is consumed for every active user, and license consumption relies on the attributes used in the authorization policy with which the endpoint is matched.
In ISE 1.2 licensing data sheet it is said that the consumption relies on RADIUS accounting functions to track concurrent endpoints (ISE uses RADIUS
accounting “start” and “stop” messages to determine when network sessions begin and end), but I didn't found any confirmation on that regarding ISE 1.3.
My question is: if I don't enable Radius accouting on the NAD, how ISE determines when the network session is ended and so when it releases the license for that user? 
I ask this because during the tests we saw different behaviour; sometimes the session was considered ended and so the license was correctly released, but sometimes the user was considered active also hour later after it left the network, and his license was not correctly released

 

Thanks

 

Marco

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎04-16-2015 03:11 AM

ISE monitoring node has a session directory to track
endpoints active on the network.

Automatic Purge: A purge job runs approximately every 5 minutes to clear
sessions that meet any of the following criterion:
1.Endpoint disconnected (Ex: failed authentication) in the last 15 minutes
(grace time allotted in case of authentication retries)
2.Endpoint authenticated but no accounting start or update received in the last
hour
3.Endpoint idle—no activity (authentication / accounting / posturing /
profiling updates) in the last 5 days

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎04-16-2015 03:11 AM

ISE monitoring node has a session directory to track
endpoints active on the network.

Automatic Purge: A purge job runs approximately every 5 minutes to clear
sessions that meet any of the following criterion:
1.Endpoint disconnected (Ex: failed authentication) in the last 15 minutes
(grace time allotted in case of authentication retries)
2.Endpoint authenticated but no accounting start or update received in the last
hour
3.Endpoint idle—no activity (authentication / accounting / posturing /
profiling updates) in the last 5 days

0 Helpful

Go to solution
Marco Biffi
Level 1
Level 1
In response to Venkatesh Attuluri

‎04-16-2015 06:25 AM

Hi Venkatesh

Thank you very much for the clarification.

So does it means that if accounting is not enabled an authenticated endopoint is automatically purged from the active users after 1 hour and his session is terminated?

 

Best Regards

 

Marco

0 Helpful

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee
In response to Marco Biffi

‎04-17-2015 04:07 AM

yes If a endpoint is authenticated and if no accounting is received then its automatically purged

0 Helpful

Go to solution
Marco Biffi
Level 1
Level 1
In response to Venkatesh Attuluri

‎04-17-2015 07:19 AM

Thank you very much for your precious support

Regards

Marco

0 Helpful
Customers Also Viewed These Support Documents