ISE RADIUS Proxy Base License Consumption

joplant
Cisco Employee

I have researched this topic and found answers on both sides. Some say they see RADIUS proxied sessions consuming base licenses regardless of ISE settings, and others, such as this thread, say that they do not consume a license: https://community.cisco.com/t5/identity-services-engine-ise/ise-radius-proxy-licensing-and-scaling/td-p/3819540

I'm trying to assist a customer in determining if ISE base licenses will be consumed when acting as a proxy for EAP-AKA sessions and can't find a clear answer either way.

Is there a definitive way to determine this prior to actually testing it out?

1 Accepted Solution

howon
Cisco Employee

It looks like we have a defect around licensing count when proxy is used. Since it is going through the ISE node, each active session should be counted for licensing purposes. If the proxy rule is utilizing features that leverage the plus license, then it should also be accounted for both base and plus.

2 Replies

Arne Bier
VIP

Hi @joplant

The AAA server you're proxying the EAP-AKA request to will be the one performing the authentication and authorization, and in that case ISE is just passing on the Access-Request and Access-Challenge packets - no licenses are consumed for that.

I tested this in the lab (not with EAP-AKA because I don't have a mobile packet core ;-) - but in the proxy flow ISE doesn't discriminate on the RADIUS authentication types.

ISE can get involved in the authorization flow as well - but this is not the case here - if I understand you're simply being a proxy. In that case ISE also should not maintain any sessions at all - it's just a dumb middle man.

If Cisco were to levy a license on this simple proxy flow in future, then I would be highly surprised.

regards

Arne