Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3559
Views
15
Helpful
9
Replies

ISE Licensing Issue

Go to solution
lowfell
Level 3
Level 3

‎03-17-2021 02:28 AM

Hello all. I have a customer where they have 5000 Base licenses and the report is saying they are 400 over subscribed. The customer is Adamant that they don't have that many connections so wants to know where the licenses are being used?

 

They also have 5000 "Plus" licenses which show zero usage. Could it be that the base licenses are being used where Plus licenses should be and this would explain the shortfall?

Isn't the usage supposed to be automatic if they need plus licenses?

1 Accepted Solution

Accepted Solutions

Go to solution
Marcelo Morais
VIP
VIP
In response to lowfell

‎03-18-2021 08:38 AM

Hi @lowfell ,

 you asked before: "Does anyone know how to release stale sessions please?"

 Please take a look at: ISE API Reference Guide 2.7., search for Removing Stale Sessions.

 

Hope this helps !!!

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Karsten Iwen
VIP
VIP

‎03-17-2021 03:02 AM

Make sure that all network access devices have RADIUS accounting enabled. This problem could be caused by licenses not being released correctly.

Go to solution
lowfell
Level 3
Level 3
In response to Karsten Iwen

‎03-17-2021 06:17 AM

Hello and thank you, so do you make licenses release correctly please?

0 Helpful

Go to solution
lowfell
Level 3
Level 3
In response to lowfell

‎03-17-2021 07:36 AM

Does anyone know how to release stale sessions please?
0 Helpful

Go to solution
Marcelo Morais
VIP
VIP

‎03-17-2021 04:33 AM - edited ‎03-17-2021 04:34 AM

Hi @lowfell ,

 beyond what @Karsten Iwen said ... remember that:

. Licenses are counted against Concurrent Active Sessions and a session starts with a RADIUS Accounting Start message !!!
. Licenses are released for ALL features when the Endpoint's Session ends !!!
. ISE will maintain a session as active for 5 days unless one of three things happens.
1. An Interim Accounting packet is sent by the SW/WLC telling ISE that the Endpoint is still connected and active.
2. A Reauthentication of the Endpoint happens, this results in a new accounting start, and the 5 day timer resets.
3. A RADIUS Accounting Stop message is received by ISE, the session is no longer active and the license will be released.

 

Hope this helps !!!

0 Helpful

Go to solution
lowfell
Level 3
Level 3
In response to Marcelo Morais

‎03-18-2021 12:29 AM

Is there a report we can run that can give me a count of the sessions against licensing?

 

I'm sure this has occurred before and Cisco said it's just "Cosmetic" to be honest that's not very helpful, what is the point of licensing then if the machine reports out of compliance when actually you aren't?

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to lowfell

‎03-18-2021 04:02 AM

Hi @lowfell 

 at Operations > Reports > Reports > Endpoints and Users > Current Active Sessions ... check for the License Type and License Details column.

 

Hope this helps !!! 

Go to solution
lowfell
Level 3
Level 3
In response to Marcelo Morais

‎03-18-2021 05:09 AM

We've opened an SR as we pulled a report and couldn't see where they were over, although we didn't look at the way you described. I wish I'd known before I opened the case, never mind. I'll let you know how we ge ton,

 

Thanks again for all your help.

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to lowfell

‎03-18-2021 08:38 AM

Hi @lowfell ,

 you asked before: "Does anyone know how to release stale sessions please?"

 Please take a look at: ISE API Reference Guide 2.7., search for Removing Stale Sessions.

 

Hope this helps !!!

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎03-17-2021 07:14 AM - edited ‎03-17-2021 07:15 AM

ISE 2.x License Consumption:

ISE Service

ISE License

License Consumed

License Released

Authentication

Base

A Base license is consumed when an endpoint establishes an active network session (RADIUS)

RADIUS session ends

Authentication

Mobility

A Mobility license is consumed when a wireless or VPN endpoint establishes an active network session

RADIUS session ends

Authentication

Mobility Upgrade

A Mobility Upgrade license is consumed when a wired endpoint establishes an active network session

RADIUS session ends

Profiling

Plus

A Plus license is consumed when an endpoint with an active session uses profiling classification (Endpoints.EndPointPolicy or Endpoints.LogicalProfile) in an authorization policy

RADIUS session ends

BYOD

Plus

A Plus license is consumed when an endpoint with an active session uses its registration status (EndPoints.BYODRegistration) in an authorization policy

RADIUS session ends

MDM (Partner)

Apex

An Apex license is consumed when an endpoint uses an MDM attribute (MDM.*) in an authorization policy

RADIUS session ends

Threat-Centric NAC

Apex

An Apex license is consumed when an endpoint uses or triggers threat based information or action (Session:ANCPolicy) as part of the authorization policy

RADIUS session ends

Posture

Apex

An Apex license is consumed when an endpoint with an active session receives an authorization based on a posture status (Session.PostureStatus) other than “Not applicable” (for example, Compliant, Not compliant, Pending, or Unknown)

RADIUS session ends or the endpoint re-authenticates to a session that does not require posture
0 Helpful
Customers Also Viewed These Support Documents