05-12-2020 04:59 AM - edited 05-12-2020 04:59 AM
I have a customer that would like to deploy ISE in their environment. We are in the initial stages of discovery and education. A scenario that was brought up is, how many licenses are consumed when multiple users are logged into the same machine via RDP? Also, on the other end of that, is a second license consumed for a user when they RDP TO another system? I believe the answer is that a license is consumed for each login on each system, but I want to be sure before answering the customer.
The customer would like to run posture assessment on their servers as well as their desktops. I don't recommend this, but can you confirm that if we do something like this, and RDP is a known protocol in the server farm, do we need a special AnyConnect client or configuration? I've seen in past articles some special terminal services clients may be used for Citrix remote desktop, but Citrix is not in play here, just remote administration of Windows servers.
Thanks.
05-12-2020 07:52 AM
I would definitely agree that running posture assessment on the servers is not a good idea. I am not even sure if that is supported.
As far as the RDP goes, that is a whole can of worms. The Windows native supplicant doesn't even recognize an RDP session as a reason to transition to user mode authentication. The 802.1x authentication will stay at the computer account.
If you install AnyConnect NAM (again, never tried this on servers), by default it doesn't allow multiple logged-in users. There is a registry setting you can add to override this behavior. AnyConnect NAM does recognize an RDP session as a reason to transition to user mode authentication, but will only provide user 802.1x credentials for the first user logged in. All other users won't result in an 802.1x authentication.
So from a licensing perspective you are only going to consume 1 license as everything is tied to the MAC address. You still only have one MAC address that is being authenticated.