
ISE 2.7 Pxgrid License

BBNG
Level 1

Hello,

I'm finding pxgrid license information very confusing.

On the ordering guide, table 2 says pxgrid does not consume a license but on the license guide it states the following:

"pxGrid is used to share context collected by ISE with other products. A Plus license is required to enable pxGrid functionality. There is no session count decrement when context for session is shared. However, to use pxGrid, the number of Plus sessions licensed must be equal to the number of Base sessions licensed. For more information, see Cisco ISE Licenses and Services section in Cisco Identity Services Engine Ordering Guide."

In my deployment I see zero Plus licenses being consumed despite using pxGrid for context sharing with third-party solutions.

Now that I'm due to renew my Plus licenses, can I assume I could renew only the bare minimum for pxGrid to be active, or should it be the same number I currently have for Base?

8 Replies

Enforcement != Compliance.  pxGrid context sharing requires a Plus/Advantage license per endpoint shared through pxGrid to remain in compliance.  Is ISE not performing active authentication in your deployment?  See here: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#214Contextexchangelicensingrequirements


Note: Each active endpoint’s context shared with an external system will consume an Advantage license. Each active endpoint session information shared with an external system will need a 1:1 Advantage license. For example, when a Windows laptop authenticates via 802.1X, one Essentials license is consumed. If this endpoint’s context is shared with Cisco Stealthwatch or NGFW, one additional Advantage license will be consumed.

BBNG
Level 1

Hello,

Still not clear, because I have more Base licenses than Plus licenses and no out-of-compliance warnings, so this tells me that I can have the bare minimum of Plus just to keep pxGrid working.

Is there any document that describes what happens when you do not renew a Plus license? For example, I believe my pxGrid use will be out of compliance for 45 days and then the setting will still be there but as read-only and I cannot do anything new.

Would that be correct?

That is correct. If your Plus licenses expire, all of the features requiring Plus will continue to work; however, you will lose access to portions of the GUI to make configuration changes.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#511CiscoISELicenseEntitlement

Also FYI, all versions of ISE 2.x (those that use Base, Plus, and Apex) have EOL notices announced. The Plus license is also EoS, so you will need to purchase Advantage and then have TAC convert that back to Plus.

BBNG
Level 1

Thanks for the reply @ahollifield. I'm aware of the EOL for 2.x and I'm already considering moving to 3.x.

ForTheHorde
Level 1

Still confusing almost a year later.
I'm using ISE for RADIUS + TACACS.
I'm also integrating with other vendors' firewalls via the pxGrid API and enforcing CTS policies on some sites where we don't already have C9300s. With the current license on our Cat 4500s I'm able to do Role Based Enforcement, whereas the Essentials on Cat9k isn't enough. But ISE DOES NOT consume any additional higher-tier licenses.
I'm on 3.2P1. Only Essentials licenses in place. The activation of an Advantage license without actually consuming any is enough to get these features running.
Everything in the menu is accessible including Profiling - Which I can't use in AuthZ ofc, but I can define all profiling policies and actually see if they work even without the Advantage Licenses because the profiler service is running.
CTS and pxGrid do not consume any licenses at all. Everything except Essentials is at 0 consumed with "Released Entitlement".
So am I violating Cisco's licensing policy or not? That's what I need to know, because the licensing page says everything is in compliance and, once again, the only licenses consumed are Essentials licenses.
I'm now in the process of evaluating the cost of Advantage licenses because Profiling would be handy for me now, but other than that, there seems to be a lot of confusion about the licensing scheme... The VAR tells me I can't use pxGrid and definitely not CTS, but guess what, I was able to do that on 3.0, and I can still do it on 3.2.
I honestly think nobody from Cisco really tried so they don't know.
Or maybe some TAC Man broke something whilst truncating DB tables in our deployment during one of many Smart Licensing TAC sessions... But I doubt that.

Just because the features work and licenses aren’t consumed doesn’t mean you are automatically in compliance with the EULA. Based on what you are describing you are not: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-guide-og.html

ForTheHorde
Level 1

Alright, so to run the features and be compliant you actually need to have those licenses in place even though they are not consumed. Kinda like the honor system with ASA/FPR RA VPN licenses (if that also didn't change in the past two years).
According to the features table, specifically the row for Group Based Enforcement (TrustSec), which is also confusing in itself, it states the following: ISE should consume an Advantage license per device using any TrustSec functionality. It doesn't do that, which means it is probably broken, which I'm not surprised by, but it still sounds confusing. Does it mean I need a license for every user/device that gets assigned an SGT even though I'm not going to do SGACLs now and I'm using these only as identity buckets for policies on the actual firewall (not Cisco)?
The SGT is assigned as a generic attribute in the Access-Accept, or am I mistaken? Why should I be paying extra for that...
The pxGrid row says that a license is consumed when a client with a RADIUS session connects to pxCloud. I don't even know what that is, but I understand that this feature also needs an Advantage license, although there is some conflicting information on what is available to configure in the GUI with/without the license.

Ok, so I just had a look at our Smart Account and the licenses for VPN are gone. Now I see there have been some major changes post-COVID with VPN licensing. The SKU probably changed and nobody cared to renew. Our Firepower 2130s on 9.16(4) show 7500 licensed Premium AC Peers. The only activated licenses are ASA Standard and Strong Encryption. I have more than 2k users per concentrator connected in peak hours, so it seems like there is no enforcement for these licenses either, even though the revised licensing guide states something else. Also, we never used and never needed premium AnyConnect features, so it's weird.

I have a strong feeling that someone is sabotaging the licensing enforcement on the devices from inside Cisco because they know it is a mess. And I'm not sure if Cisco is even aware that we, Network Admins, have to deal with that.

TrustSec used to be part of base, that changed in 3.0. Yes, licenses in ISE are per active session, so you need them equal to the number of concurrent authentication sessions you have to remain in compliance.