cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2934
Views
5
Helpful
8
Replies

ISE 2.7 Pxgrid License

BBNG
Level 1
Level 1

Hello,

I'm finding pxgrid license information very confusing.

On the ordering guide, table 2 says pxgrid does not consume a license but on the license guide it states the following:

"pxGrid is used to share context collected by ISE with other products. A Plus license is required to enable pxGrid functionality. There is no session count decrement when context for session is shared. However, to use pxGrid, the number of Plus sessions licensed must be equal to the number of Base sessions licensed. For more information, see Cisco ISE Licenses and Services section in Cisco Identity Services Engine Ordering Guide."

In my deployment i see zero PLUS licenses being consumed despite using pxgrid for context sharing with third-party solutions.

Now I'm due to renew my Plus licenses, can I assume I could renew only the bare minimum for Pxgrid to be active or it should be the same number I currently have for BASE?

1 Accepted Solution

Accepted Solutions

That is correct.  If your Plus licenses expires all of the features requiring plus will continue to work, however you will lose access to portions of the GUI to make configuration changes.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#511CiscoISELicenseEntitlement

Also FYI, that all versions of ISE 2.X (that use Base, Plus, and Apex) have EOL notices announced.  The Plus license is also EoS so you will need to purchase Advantage and then have TAC convert that back to Plus.

View solution in original post

8 Replies 8

Enforcement != Compliance.  pxGrid context sharing requires a Plus/Advantage license per endpoint shared through pxGrid to remain in compliance.  Is ISE not performing active authentication in your deployment?  See here: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#214Contextexchangelicensingrequirements

 

Note:      Each active endpoint’s context shared with an external system will consume an Advantage license. Each active endpoint session information shared with an external system will need a 1:1 Advantage license. For example, when a Windows laptop authenticates via 802.1X, one Essentials license is consumed. If this endpoint’s context is shared with Cisco Stealthwatch or NGFW, one additional Advantage license will be consumed.

BBNG
Level 1
Level 1

Hello,

Still not clear because I have more base licenses than plus licenses and no warnings of out of compliance so this tells me that I can have the bare minimum of plus just to keep pxgrid working.

Is there any document that describes what happens when you do no renew a plus license? for exemple, I believe my pxgrid use will be out of compliance for 45 days and then the setting will still be there but as read only and I cannot do anything new.

Would that be correct?

That is correct.  If your Plus licenses expires all of the features requiring plus will continue to work, however you will lose access to portions of the GUI to make configuration changes.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#511CiscoISELicenseEntitlement

Also FYI, that all versions of ISE 2.X (that use Base, Plus, and Apex) have EOL notices announced.  The Plus license is also EoS so you will need to purchase Advantage and then have TAC convert that back to Plus.

BBNG
Level 1
Level 1

Thanks for the reply @ahollifield, I'm aware of the EOL for 2.X and I'm already considering moving to 3.X

ForTheHorde
Level 1
Level 1

Still confusing almost a year later.
I'm using ISE for RADIUS + TACACS.
I'm also integrating with other vendors firewalls with PxGrid API and enforcing CTS policies on some sites where we don't already have C9300s. With the current license on our Cat 4500s I'm able to do Role Based Enforcement whereas the Essentials on Cat9k isn't enough. But ISE DOES NOT consume any additional higher tier licenses.
I'm on 3.2P1. Only Essential licenses in place. The activation of Advantage license without actually consuming any is enough to get these features running.
Everything in the menu is accessible including Profiling - Which I can't use in AuthZ ofc, but I can define all profiling policies and actually see if they work even without the Advantage Licenses because the profiler service is running.
CTS and PxGrid do not consume any licenses at all. Everything except the essentials are on 0 consumed with "Released Entitlement".
So am I violating Cisco's licensing policy or not? That's what I need to know because the licensing page says everything is in compliance and once again, only licenses consumed are Essential licenses.
I'm now in the process of evaluating the cost of Advantage licenses because the Profiling would be handy for me now but other than that, there seems to be a lot of confusion about the licensing scheme... VAR tells me I can't use PxGrid and definitely not CTS but guess what, I was able to do that on 3.0, I can still do it on 3.2.
I honestly think nobody from Cisco really tried so they don't know.
Or maybe some TAC Man broke something whilst truncating DB tables in our deployment during one of many Smart Licensing TAC sessions... But I doubt that.

Just because the features work and licenses aren’t consumed doesn’t mean you are automatically in compliance with the EULA. Based on what you are describing you are not: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-guide-og.html

ForTheHorde
Level 1
Level 1

Alright, so to run the features and be compliant you actually need to have those licenses in place even though they are not consumed. Kinda like the honor system with ASA/FPR RA VPN licenses (if it also didn't change in the past two years).
According to the features table, specifically the row with Group Based Enforcement (Trustsec) - Which is also confusing in itself - States following. The ISE shoud consume an Advantage license per device using any Trustsec functionality. So it doesn't do that which means it is probably broken which I'm not surprised of but it still sounds confusing. Does it mean I need license for every user/device that gets assigned an SGT even though I'm not gonna do SGACLs now and I'm using these only as identity buckets for policies on actual firewall (not Cisco) ?
SGT is assigned as a generic attribute in the Access Accept or am I mistaken? Why should I be paying extra for that...
The pxGrid row says that license is consumed when a client with RADIUS Session connects to pxCloud. Don't even know what that is but I understand that this feature also needs Advantage license although there are some conflicting information on what is available to configure in the GUI with/without the license.

Ok, so I just had a look at our Smart Account and licenses for VPN are gone. Now I see there has been some major changes post COVID with VPN licensing. SKU probably changed and nobody cared to renew. Our Firepowers 2130 on 9.16(4) show 7500 licensed Premium AC Peers. Only activated licenses are ASA Standard and Strong Encryption. I have more than 2k users per concentrator connected in peak hours so it seems like there is no enforcement for the licenses too even though the revised licensing guide states something else. Also, we never used and never needed premium Anyconnect features so it's weird.

I have a strong feeling that someone is sabotaging the licensing enforcement on the devices from inside of Cisco because they know it is a mess. And I'm not sure if Cisco is even aware that we, Network Admins have to deal with that.

TrustSec used to be part of base, that changed in 3.0. Yes, licenses in ISE are per active session, so you need them equal to the number of concurrent authentication sessions you have to remain in compliance.