04-29-2019 10:27 PM
I have a customer that is currently licensed for 1400 ISE Base licenses, but is consuming 1560+ Base licenses at present. The utilisation count first exceeded 1400 Base licenses in February 2019. The customer and the partner would like to get an understanding of how the ISE licenses are currently being consumed, based on a wired, wireless, and VPN user breakdown. Is this possible?
Also, given that we license on concurrent connections, can you explain to me how and when the Base licenses are released for wired, wireless, and VPN users?
Finally, if I have the UDIs for the primary and secondary PANs, is there a way for us to see if all purchased licenses have been provisioned on these devices?
Regards,
Brett.
Solved! Go to Solution.
04-29-2019 11:42 PM
ISE Licensing is consumed based on Feature sets and not on type of connectivity.
Please refer to the following admin guide explaining license consumption
04-29-2019 11:42 PM
ISE Licensing is consumed based on Feature sets and not on type of connectivity.
Please refer to the following admin guide explaining license consumption
05-02-2019 04:19 AM
Hi @brewhite
I have not seen any way to see whether the license has been applied to both PAN nodes. If you still have the original license text files that were used then you can open them up and check for the presence of both UDIs. I am sure there is another CLI method to do this (via Linux, not ISE CLI). Maybe it's in the show-tech - have a look.
The license consumption is explained in various docs. if you don't use radius accounting then things get fuzzy. And what about if some devices send radius acct, and others don't - then it's also still fuzzy. I think ISE tries to implement licensing but it's not a hard and strict policy - there is some room to manoeuvre.
05-02-2019 11:04 AM
Running and exporting a report on active sessions may give you some more insight in to what is going on since it also includes session time.
Reports > Endpoints and Users > Current Active Sessions
To your question about how ISE knows what is active vs not, this is usually a function of radius accounting. Assuming ISE see's a radius stop, then it should release that session. If ISE does not receive notification then it assumes the endpoint is still active until a 5 day timer expires.
Oddly enough and bugs aside, in 2.2+, I've never felt ISE was using enough licenses. The utilization always seems so much lower than active endpoint count. Like 70k less than active endpoints at times. So beats me how it is worked in the back end.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide