Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3172
Views
0
Helpful
4
Replies

ISE MAB authentication license usage

west33637
Level 1
Level 1

‎10-19-2014 10:29 PM - edited ‎03-10-2019 10:07 PM

Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Address bypass) in order to facilitate central web authentication - does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?

I have many users with smart phones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?

Thanks,

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Saurav Lodh
Level 7
Level 7

‎10-20-2014 04:58 PM

Yes, license will be consumed

0 Helpful

ipagliani
Level 1
Level 1
In response to Saurav Lodh

‎03-01-2016 07:24 AM

Ciao,

I'd like add a bit in a public scenario (hospital, university..): I've 5000 users per day correctly authenticated and 12000 consumed by MAB !

It's impossible use the CWA. Do you agree with me ?

Is the LWA the only way to fix it ? ( my customer doesn't wan't buy 7000 o more licenses)

Thanks

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to ipagliani

‎03-04-2016 11:08 AM

Ciao, 

Yes, LWA would do the trick as long as the AAA is kept local to the WLC. If you set the LWA to also be processed through ISE then you will still consume the license :)

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful

nspasov
Cisco Employee
Cisco Employee

‎10-21-2014 12:22 AM

Hello-

Please take a look at the following link:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html

So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can from the document that as soon as the session times out the endpoint would free the license. If for some reason an "accounting-stop" message is not received then after 5 days of inactivity the system will automatically free the license. 

Hope this helps!

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful
Customers Also Viewed These Support Documents