Re: ISE License is out of Compliance ?

CUCA27585833 · ‎02-26-2020

Hello Cisco Expert,

I am working for ISE server maintenance. Now I find ISE server report license out of compliance ( base license) 30 days ago. But we just have a few activate endpoints at present. ISE license should be calculated by concurrent session number, right ?

I have checked the smart license portal. The result in web portal is same as ISE license view.

Would you like to give me a help to revise the license issue ? Or I must buy the additional license ?

Thanks a lot !

Arne Bier · ‎02-26-2020

Hi @CUCA27585833

do all of your RADIUS client have Accounting enabled, and sending to ISE?

Your base license usage should be n near real time then. If no accounting then you could be out by a long shot and ISE will only reset The count after 5 days.

How do you track the number of active sessions? By looking at your WLC/switch to see active clients ?

Do you use RADIUS for device management?

You might also have run into a bug. But check the basics first.

CUCA27585833 · ‎02-26-2020

Hi Arne,

Thanks for your response.

We don't have accounting for client in ISE.

In the Dashboard page, we can find the number of activate endpoints. Actually, there are a lot of mac records that are unknown (maybe come from wifi) after click the detail of activate endpoints.

We use ISE Tacacs+ for device access management.

Arne Bier · ‎02-26-2020

@CUCA27585833 You should enable RADIUS accounting to enable Start/Stop requests to allow ISE to know when a session has started and when the session has ended. Else, ISE has no clue. Accounting is easy to configure. Make sure it’s working (shared secret has to match what’s configured in ISE, and the UDP port 1813 has to flow freely between ISE nodes and the NAS). You can check ISE accounting Reports to see if it’s all working.

CUCA27585833 · ‎02-26-2020

@Arne Bier
Great thanks for your kind help. I will talk with customer for this enhancement.
I also open a case to cisco tac. But no any helpful answer like yours. Thanks again!

Cristian Matei · ‎02-26-2020

Hi,

You'll see that message in the following valid cases:

- your licenses have actually expired

- your active sessions exceed 125% of what you purchased

In either case, ISE will still be working and your users get authenticated/authorized, but in the GUI you get limited read-only capability for the features associated with an out-of-compliance license.

Chances are that you're also hitting a bug (seen it many times); apply the latest patch or upgrade to a newer version if the message annoys you or the customer.

Regards,

Cristian Matei.

CUCA27585833 · ‎02-26-2020

@Cristian Matei
Thanks for your help and response.
I will check with cisco tac. I also think it maybe a bug.

t1mc · ‎04-12-2020

Ran into similar issue after uploading PLS license, 1Y, 100 users to a deployment running version 2.6. We were not breaching the usage. Opened a support case, they are saying it might be a cosmetical bug (not confirmed, though) but I sent some additional info to the engineer.

CUCA27585833 · ‎04-12-2020

Hi Tim,

Pls update to Ver 2.6 patch 11.

t1mc · ‎04-13-2020

Latest Patch for 2.6 is P6, wich I installed just the other day.

CUCA27585833 · ‎04-13-2020

Sorry. my version is v2.4 patch 11.

Cisco TAC ask for this version. The root cause is radius start/stop message cannot be correctly handled.