ISE license utilisation reporting?

brewhite
Cisco Employee

I have a customer that is currently licensed for 1400 ISE Base licenses, but is consuming 1560+ Base licenses at present.  The utilisation count first exceeded 1400 Base licenses in February 2019.  The customer and the partner would like to get an understanding of how the ISE licenses are currently being consumed, based on a wired, wireless, and VPN user breakdown.  Is this possible?

 

Also, given that we license on concurrent connections, can you explain to me how and when the Base licenses are released for wired, wireless, and VPN users?

Finally, if I have the UDIs for the primary and secondary PANs, is there a way for us to see if all purchased licenses have been provisioned on these devices?

 

Regards,

Brett.

1 Accepted Solution

ldanny
Cisco Employee

ISE Licensing is consumed based on Feature sets and not on type of connectivity.

Please refer to the following admin guide explaining license consumption

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.html

3 Replies

Arne Bier
VIP

Hi @brewhite 

 

I have not seen any way to see whether the license has been applied to both PAN nodes.  If you still have the original license text files that were used then you can open them up and check for the presence of both UDIs.  I am sure there is another CLI method to do this (via Linux, not ISE CLI).  Maybe it's in the show-tech - have a look.

 

The license consumption is explained in various docs. If you don't use RADIUS accounting then things get fuzzy. And what if some devices send RADIUS acct and others don't? Then it's also still fuzzy. I think ISE tries to implement licensing but it's not a hard and strict policy - there is some room to manoeuvre.

Damien Miller
VIP Alumni

Running and exporting a report on active sessions may give you some more insight into what is going on since it also includes session time.
Reports > Endpoints and Users > Current Active Sessions

To your question about how ISE knows what is active vs not, this is usually a function of RADIUS accounting.  Assuming ISE sees a RADIUS stop, then it should release that session.  If ISE does not receive notification then it assumes the endpoint is still active until a 5 day timer expires.

Oddly enough and bugs aside, in 2.2+, I've never felt ISE was using enough licenses.  The utilization always seems so much lower than active endpoint count.  Like 70k less than active endpoints at times.  So beats me how it is worked in the back end.
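
An added example, not part of any reply in this thread and not Cisco code: a script that takes an exported active-sessions report as CSV, counts sessions per access method from the RADIUS NAS-Port-Type, and lists endpoints with no recent accounting update, which are the sessions that would be held until the timer described above expires. The column names, the sample rows and the 24-hour `quiet_after` threshold are assumptions; adjust them to the header of the actual export.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# RADIUS NAS-Port-Type names mapped to the access method asked about in the thread.
ACCESS_BY_PORT_TYPE = {
    "Ethernet": "wired",
    "Wireless - IEEE 802.11": "wireless",
    "Virtual": "vpn",
}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data. Column names are assumptions, not the real ISE export header.
SAMPLE_CSV = """\
endpoint_id,nas_port_type,session_start,last_accounting_update
AA:BB:CC:00:00:01,Ethernet,2019-03-10 08:00:00,2019-03-10 11:30:00
AA:BB:CC:00:00:02,Wireless - IEEE 802.11,2019-03-07 09:00:00,
AA:BB:CC:00:00:03,Virtual,2019-03-10 10:00:00,2019-03-10 11:00:00
AA:BB:CC:00:00:04,Ethernet,2019-03-06 09:00:00,2019-03-08 09:00:00
AA:BB:CC:00:00:05,Async,2019-03-10 11:00:00,
"""


def summarise(csv_text, now, quiet_after=timedelta(hours=24)):
    """Return (sessions per access method, endpoints with no recent accounting)."""
    per_access = Counter()
    quiet = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        port_type = row["nas_port_type"].strip()
        per_access[ACCESS_BY_PORT_TYPE.get(port_type, "other")] += 1
        # Fall back to the session start when no accounting update was ever received.
        last_seen = row["last_accounting_update"].strip() or row["session_start"].strip()
        if now - datetime.strptime(last_seen, TS_FORMAT) > quiet_after:
            quiet.append(row["endpoint_id"])
    return per_access, quiet


if __name__ == "__main__":
    counts, quiet = summarise(SAMPLE_CSV, datetime(2019, 3, 10, 12, 0, 0))
    for access, n in sorted(counts.items()):
        print(f"{access:9} {n}")
    print("no recent accounting:", ", ".join(quiet))
```
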