ISE license count for radius authentication

yongwli · ‎03-07-2019

Hi Team,

My customer has 100K endpoints, would use ISE as radius authentication and assigning IP address, user ID source is LDAP. They told us the endpoints won't send radius accounting, and seldom offline after onboard. How does ISE exhaust licenses in this senario?

Thanks

DL

ognyan.totev · ‎03-07-2019

Hi, no matter accounting ,every active radius session is 1 license after session disconnect is release the license .

yongwli · ‎03-08-2019

If the device sends authentication request and get radius acceptance, but did not do any further logoff from a network, how does ISE revoke the license? Based on time expire? If yes, how long the radius session will be expired?

ognyan.totev · ‎03-08-2019

The switch handle the session if device is active no matter lock or log off if the network adapter is active it will carry session ,only if device is turn off and adapter is off it will release the license because the switch will not see mac-address of the connected device or the name of device .....

Nadav · ‎03-08-2019

These is a 5 day automatic endpoint purge for all active sessions. There was a bug awhile back when this wasn't enforced, but it was fixed for 2.4 P2.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi79632

As I understand it, each active session that doesn't get updated with accounting packets simply has 5 days before it's removed from ISE. At that point the BASE license should be freed up.

yongwli · ‎03-11-2019

Thanks a lot!

Damien Miller · ‎03-11-2019

This is correct, once ise hits five day session timeout it will free up licenses used for that endpoint.

There are a few bugs that also cause no license usage, but those arent readily advertised. Patch 6 fixed another license bug where expected counts mismatched.