Hi,

We have a ISE2.4 deployment that is used for RADIUS device and Device Admin AAA. We have started to see an increase in PLUS license consumption a few months after initial deployment and we can't understand what feature would be using a PLUS license.

Our policy sets are: -

RADIUS policy-set

Rule matches an InternalUser in a InternalUser Group and provides an Authorization profile consisting of a 'access_accept' and no common tasks but a few av-pairs such as VRF, Loopback interface, static routes etc...

We believe that Device Admin policies do not count towards a PLUS license but just in case it helps our TACACS policy is: -

Rule matches a InternalUser in a InternalUser Group and a Device in a specific Device Group then provides an Authorization consisting of a priv_lvl an a command-set.

We also use ISE to authorize VPN users via RADIUS. However, this is only for user validation: -

Rule matches an InternalUser in a InternalUser Group and provides an Authorization profile consisting of a 'access_accept' and common tasks DACL. and ASA-VPN.

The deployment is only running Session and Device Admin services. Profiling, Posture, BYOD and Guest services are not used and disabled where possible on the nodes. We don't use any of the extended AnyConnect features such as Profiling or Posture compliance on the VPN endpoints.

We have the AnyConnect APEX licenses applied to our ASAs and reading the documentation it seems that we should not need to apply the APEX licenses to ISE if all we want to do is basic RADIUS AAA for the users username.

So my questions are: -

Does the RADIUS ASA-VPN common task consume a PLUS License in ISE?

Does the RADIUS DACL common task consume a PLUS License in ISE?

Does the Security Group TAG in a RADIUS authorization profile consume a PLUS License in ISE?

Many thanks in advance