Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5038
Views
60
Helpful
10
Replies

ISE Base License Exceeded

fatalXerror
Level 5
Level 5

‎09-16-2021 06:00 AM

Hi Guys,

I have an possible issue about my ISE exceeding its base license but when I checked the RADIUS Live Sessions, it technically doesn't reach have of my base license quantity.

I am using my ISE for my wireless LAN authentication via RADIUS and my license is around 3000 but in my RADIUS Live session it only shows around 500 only.

Anybody knows what eats up the license or do I need to enable something in my WLC or ISE so that ISE can determine if the user logs off already then it can release the license?

Thank you so much.

1 person had this problem
10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

‎09-16-2021 06:07 AM

Not sure, Can you share where you see this message or error ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dustin Anderson
VIP
VIP

‎09-16-2021 06:50 AM

Looking at mine I'm not sure the RADIUS active sessions is a good judge. I would look on the main page at the top of active endpoints, this is active sessions and should be consuming licenses.

 

you should also be able to go under Administration/Licensing and be able to see what is taking the licenses.

Mike.Cifelli
VIP Alumni
VIP Alumni

‎09-16-2021 06:52 AM

Anybody knows what eats up the license or do I need to enable something in my WLC or ISE so that ISE can determine if the user logs off already then it can release the license?

A few things:

-Base licenses are used for network onboarding features such as AAA and 802.1x, Guest Portals/onboarding, Trustsec, and Easy Connect (PassiveID).

-What do you see under Administration->System->Licensing for consumption?

-This sounds like you do not have AAA Accounting enabled.  I would verify your WLC radius settings.

fatalXerror
Level 5
Level 5
In response to Mike.Cifelli

‎09-16-2021 07:54 AM

Hi @Mike.Cifelli ,

Thanks for the feedback.

My ISE is just using 802.1x for WLAN and my license consumption is showing I exceed my current license of 3000 although when I checked my dashboard and the Live Sessions, it does not reach even half of 3000.

Let me try to check if my accounting in WLC is enabled.

Thanks.

Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to fatalXerror

‎09-17-2021 12:45 AM

Hi @fatalXerror,

Since you confirmed that our licensing page shows indeed oversubscription, as @Mike.Cifelli said, most likely you have misconfigured accounting.

ISE is relying heavily on accounting messages for counting ISE licenses - once authentication is successful, an accounting packet is sent to notify ISE, and for ISE to reserve license. Once users disconnects, accounting message is sent to ISE, so ISE can free one license. If for some reson, authentication is not followed by an accounting-start packet, ISE still reserves license, but there is nothing to inform it later to free this license up. After some time, ISE does delete session, even if there is no accounting-stop message. I believe for version up to 2.6 this is 5 days, and from version 2.7 it should be reduced to 2 days.

You haven't mentioned version you are running, but I've also seen that ISE counts licenses wrong with some 2.3/2.4/2.7 versions, due to some bugs, despite the fact that accounting is configured properly. However, newer releases/patches are resolving this buggy behavior.

BR,

Milos

fatalXerror
Level 5
Level 5
In response to Milos_Jovanovic

‎09-17-2021 05:05 AM

Hi @Milos_Jovanovic , I am running 2.7.

 

Do have the Cisco documentation for this behavior that ISE 2.7 reduced it in 2 days?

 

Thank you so much for the help!

Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to fatalXerror

‎09-17-2021 07:17 AM

Hi @fatalXerror,

For the sessions on older versions of ISE, you can find explanation here (search for '120 hours'). You can also find it in Cisco Live presentation, page 114.

For the changed behavior, I don't remember reading it somewhere (could be that I also heard it on some Cisco sessions), but I heard it multiple times from TAC engineers.

BR,

Milos

hslai
Cisco Employee
Cisco Employee
In response to Milos_Jovanovic

‎09-21-2021 08:26 PM

It's still 5 days.

Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to hslai

‎09-21-2021 10:25 PM

Hi @hslai,

Thanks for correcting me. From couple of TAC engineers (at least two of them) I heard that it was reduced to 2 days, starting from 2.7.

Is it still 5 days in all versions available (currently up to 3.1)?

BR,

Milos

hslai
Cisco Employee
Cisco Employee

‎09-21-2021 08:29 PM

RADIUS Live Sessions page can only show limited number of rows.

Instead, use the current active sessions report under Operations > Reports > Reports > Endpoints and Users. And, export the report CSV to a repository.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents