09-17-2013 02:39 AM - edited 03-10-2019 08:54 PM
Morning,
just trying to find some clarification on ISE end points for licensing. Im looking at moving AAA authentication for switches onto ISE. The end point licensing at the moment is primarily for mac based devices on Wireless. Will adding switches onto ISE eat into these liscense?I know on ACS5.1 had a license for Configured IP Addresses in Network Devices
Thanks
S
09-17-2013 03:06 AM
The Base License is consumed whenever an authentication notification is received by Cisco ISE. A single Advanced License is consumed when any one or more of the following services or conditions are applied to the endpoint session:
•Posture
•Security Group Tag assignment
•Authorization using profile information
•Endpoint is registered in the MyDevices Portal
09-17-2013 03:09 AM
Thanks for that. I guess we'll need more licences
Si
09-20-2013 03:03 AM
In Cisco ISE, licensing enables you to provide coverage for increasing numbers of endpoints and offer more complex policy services depending on the capabilities of the license or licenses that you choose to apply.
Cisco ISE licenses are available in Base and Advanced packages. Each package includes a number of SKUs that is equal to the number of licenses included in the package. To use Cisco ISE, you must have a valid base and advanced license package.
The base package includes all of the base services required to enable 802.1X, Guest, and Monitoring and Troubleshooting. The advanced package includes Posture, Profiler, and Security Group Access services.
Cisco ISE is bundled with a licensing mechanism that has the following important features:
• Built-in License—Cisco ISE comes with a built-in evaluation license, which is valid for 90 days. The evaluation license includes both base and advanced packages and limits the number of endpoints to 100 for both the base and advanced packages. Therefore, it is not required to install a regular license immediately upon installation.
• Central Management—Licenses are centrally managed by the ISE administration node. In a distributed deployment, where two ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.
• Concurrent Endpoint Count—The Cisco ISE license includes a count value for base and advanced packages, which restricts the number of endpoints that use those services. The count value is the number of endpoints across the entire deployment that are concurrently connected to the network and accessing the service.
Please check the below links which can give your better understanding:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_license.html
09-21-2013 02:50 PM
Hello Si P,
I think you got now that every request authentication packet hitting the ISE will use the Base License and as you say that you are usnig the authentication for the switches also, So Please make sure that you purchase your license after keeping in mind the total concurrent users(user+non user)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide