ISE Licensing - restrict licenses per PSN

bodonogh · ‎05-08-2018

Hi there,

we have a customer who currently has 2 ISE Nodes. So - separate Admin instances. In the future (probably 6-9 months), they plan to consolidate to 1 Admin Node, but maintain 2 x PSNs (1 per current segments).

They would like to be able to control the number of licenses applied to both PSNs. So, for example - limit PSN A to 1,000 ISE Base & Plus, and limit PSN B to 500 ISE Base & Plus. Resiliency, if designed into the deployment would be within 'site A' and 'site B' PSNs...

Hope this makes sense, and possibly Smart Licensing might play a role (i.e. would the possibility exist to assign PSN A to Virtual Account A, and PSN B to Virtual Account B...I know this is not how it's done today, though)

Thanks,

Brian

Jason Kunst · ‎05-08-2018

There is no way to do this and not how ISE was designed

Licenses are applied for the whole ISE deployment (an ISE cube)

PSNs are nodes which exist in same deployment

If you want to control you will need separate deployment

Smart licensing has no way to control what licenses go to a deployment either

bodonogh · ‎05-08-2018

Appreciate the response Jason.

Might come up again, I would think. I can see scenarios where ISE Admin Nodes are centralized (e.g. EMEA), but local, in-country IT budgets pay for ISE licenses for their local staff, and would like some way of controlling access to those licenses. I suspect that’s one for an ISE PM though – I can post to an appropriate ISE PM community.

Brian

Brian O’Donoghue

Systems Engineer

bodonogh@cisco.com<mailto:nerangan@cisco.com>

Desk: +353 91 384656

Mobile: +353 87 7776668

Cisco Systems Ireland

Oranmore Business Park

Galway 

Ireland

H91 V5Y9

Let’s meet in my Collaboration Meeting Room (CMR) at: http://cs.co/BOD

You can reach my CMR in other ways:

Dialling from a SIP Device: bodonogh@acecloud.webex.com<mailto:bodonogh@acecloud.webex.com>

Dialling from a PSTN Phone: +35318192717, Meeting Number 203 710 323

gbekmezi-DD · ‎05-08-2018

You can use reporting on radius authentications and active sessions to provide values to the appropriate region owners on their respective authentication volume.

Ireland

H91 V5Y9

Let’s meet in my Collaboration Meeting Room (CMR) at: http://cs.co/BOD

You can reach my CMR in other ways:

Dialling from a SIP Device: bodonogh@acecloud.webex.com<mailto:bodonogh@acecloud.webex.com><mailto:bodonogh@acecloud.webex.com<mailto:bodonogh@acecloud.webex.com>>

Dialling from a PSTN Phone: +35318192717, Meeting Number 203 710 323

Reply to this message by replying to this email, or go to the message on Cisco Communities<https://communities.cisco.com/message/289867#289867>

Start a new discussion in Technology > Security > Policy and Access > Identity Services Engine (ISE) by email<mailto:discussions-community-technology-security-pa-ise@cisco-marketing.hosted.jivesoftware.com> or at Cisco Communities<https://communities.cisco.com/choose-container.jspa?contentType=1&containerType=14&container=5301>

Following Technology > Security > Policy and Access > Identity Services Engine (ISE)<https://communities.cisco.com/community/technology/security/pa/ise> in these streams: Inbox

hslai · ‎05-08-2018

You are correct that this constitutes a feature request so please discuss it with our PM team. George is correct that we may use ISE reports to check license consumptions.