cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1457
Views
5
Helpful
10
Replies
Beginner

ISE ver 1.1.2.145 advanced license consumption

Hello,

I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:

I have an XP machine that I am using to access network though ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate company asset. Everytime the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am note using the profiled group, posture assessment, nor even onboarding in my Authz policy.

Here is the authorization rule:

Screenshot - 12_10_2012 , 2_26_03 PM.jpg

Here is the licensing page:

base                             advanced

1/20

1/20

Here is the only active session from active session report:

xp-test.ashour.local

00:22:FB:1A:59:C2

10.30.30.117

dot1x

EAP-TLS

NotApplicable

N/A

WindowsXP-Workstation

Running

ise

And here is the live authentication:

Authentication Summary

Logged At:

December 10,2012 5:27:36.331 PM

RADIUS Status:

Authentication succeeded

NAS Failure:


Username:

xp-test.ashour.local

MAC/IP Address:

00:22:FB:1A:59:C2

Network Device:

5508-WLC : 10.255.255.20 : 

Allowed Protocol:

Default Network Access

Identity Store:


Authorization Profiles:

PermitAccess

SGA Security Group:


Authentication Protocol :

EAP-TLS

Authentication Result

User-Name=xp-test.ashour.local
State=ReauthSession:0affff140000005550c6598d
Class=CACS:0affff140000005550c6598d:ise/144192099/4026
Termination-Action=RADIUS-Request
MS-MPPE-Send-Key=99:b0:49:f5:e1:eb:20:a6:2b:2a:97:fe:f1:68:a0:02:a7:98:3c:03:12:2a:90:70:3a:6c:fd:ed:1c:3b:bc:4b
MS-MPPE-Recv-Key=8e:c8:88:f8:fb:75:02:3d:32:48:8a:b0:9e:7d:74:5d:04:f7:de:48:3c:b9:c3:e7:36:e5:05:f3:c7:6c:21:7d

Related Events

Dec 10,12 5:27:36.072 PMRadius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:Radius authentication passed
Dec 10,12 5:23:56.647 PMRadius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:Radius authentication passed
Dec 10,12 5:06:07.317 PMRadius accounting startRadius accounting start

Authentication Details

Logged At:

December 10,2012 5:27:36.331 PM

Occurred At:

December 10,2012 5:27:36.331 PM

Server:

ise

Authentication Method:

dot1x

EAP Authentication Method :

EAP-TLS

EAP Tunnel Method :


Username:

xp-test.ashour.local

RADIUS Username :

host/xp-test.ashour.local

Calling Station ID:

00:22:FB:1A:59:C2

Framed IP Address:


Use Case:


Network Device:

5508-WLC

Network Device Groups:

Device Type#All Device Types#WIRELESS,Location#All Locations#ASHOUR RESIDENCE

NAS IP Address:

10.255.255.20

NAS Identifier:

ASHOUR-WLC1

NAS Port:

1

NAS Port ID:


NAS Port Type:

Wireless - IEEE 802.11

Allowed Protocol:

Default Network Access

Service Type:

Framed

Identity Store:


Authorization Profiles:

PermitAccess

Active Directory Domain:


Identity Group:

Profiled:Workstation

Allowed Protocol Selection Matched Rule:

Dot1X

Identity Policy Matched Rule:

Default

Selected Identity Stores:


Authorization Policy Matched Rule:

Company asset

SGA Security Group:


AAA Session ID:

ise/144192099/4026

Audit Session ID:

0affff140000005550c6598d

Tunnel Details:

Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 30

Cisco-AVPairs:

audit-session-id=0affff140000005550c6598d

Other Attributes:

ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,Device Type=Device Type#All Device Types#WIRELESS,Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,Software Version=7.2,Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD

Posture Status:

NotApplicable

EPS Status:


Steps

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15048  Queried PIP

15048  Queried PIP

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

11507  Extracted EAP-Response/Identity

12500  Prepared EAP-Request proposing EAP-TLS with challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated

12800  Extracted first TLS record; TLS handshake started

12805  Extracted TLS ClientHello message

12806  Prepared TLS ServerHello message

12807  Prepared TLS Certificate message

12809  Prepared TLS CertificateRequest message

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12504  Extracted EAP-Response containing EAP-TLS challenge-response

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12504  Extracted EAP-Response containing EAP-TLS challenge-response

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12504  Extracted EAP-Response containing EAP-TLS challenge-response

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12504  Extracted EAP-Response containing EAP-TLS challenge-response

12568  Lookup user certificate status in OCSP cache

12570  Lookup user certificate status in OCSP cache succeeded

12554  OCSP status of user certificate is good

12568  Lookup user certificate status in OCSP cache

12570  Lookup user certificate status in OCSP cache succeeded

12554  OCSP status of user certificate is good

12811  Extracted TLS Certificate message containing client certificate

12812  Extracted TLS ClientKeyExchange message

12813  Extracted TLS CertificateVerify message

12804  Extracted TLS Finished message

12801  Prepared TLS ChangeCipherSpec message

12802  Prepared TLS Finished message

12816  TLS handshake succeeded

12509  EAP-TLS full handshake finished successfully

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12504  Extracted EAP-Response containing EAP-TLS challenge-response

Evaluating Identity Policy

15006  Matched Default Rule

22037  Authentication Passed

12506  EAP-TLS authentication succeeded

11503  Prepared EAP-Success

Evaluating Authorization Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

15016  Selected Authorization Profile - PermitAccess

11002  Returned RADIUS Access-Accept

10 REPLIES 10
Highlighted
Advocate

Re:ISE ver 1.1.2.145 advanced license consumption

Please provide a screenshot of your authorization policies.


Sent from Cisco Technical Support Android App

Tarik Admani
*Please rate helpful posts*
Highlighted
Beginner

ISE ver 1.1.2.145 advanced license consumption

Tarik,

Thank you for responding. Here is screenshot of the authz rules, My device is hitting the third one from top per my previous note:

Highlighted
Advocate

Re:ISE ver 1.1.2.145 advanced license consumption

Please send me a screenshot of your endpoint. Is ot statically assigned to the endpoint group IOS devices?


Sent from Cisco Technical Support Android App

Tarik Admani
*Please rate helpful posts*
Highlighted
Beginner

ISE ver 1.1.2.145 advanced license consumption

No, it is not part of the iOS devices which is a static group. It it part of the profiled workstation group. The rule I am hitting is the one above the iOS devices rule. The name of the rule is company assets.

Here are some screenshots of the endpoint attributes:

Highlighted
Advocate

ISE ver 1.1.2.145 advanced license consumption

Hi,

Please make sure that the profiling is disabled for this node, it seems as if the radius probe and the user agent is learned via the http probe.

It also seems as if you are hitting this bug I understand the description doesn't line up but you may want to have TAC clarifiy if this isnt experience on authenticating networks:

CSCub56607

Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not

The wireless session in question should be applied against the Base  license count. This issue has been observed in Cisco ISE, Release 1.1.1  where the following functions are set:

MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied

Profiling is disabled

Posture is disabled

The device in question has not been registered via the My Devices Portal

Note There is no known workaround for this issue.

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*
Highlighted
Enthusiast

ISE ver 1.1.2.145 advanced license consumption

Please disable the profile and posturing features in ISE and see the result.

Highlighted
Beginner

ISE ver 1.1.2.145 advanced license consumption

What if you need to use profiling for a subset of the endpoints and the rest use the base license only? Say I have 100 advanced and 500 base licenses? Even when I statically put devices in a static group, it still takes advanced licenses...

Highlighted
Rising star

ISE ver 1.1.2.145 advanced license consumption

Just profiling the devices would not consume the license, it would consumed when you assigne authorization policies using the profiling data.

Highlighted
Beginner

ISE ver 1.1.2.145 advanced license consumption

endpoint.jpg

That is what I understand. I am trying to understand why static rule attached here consumes an advanced license as the endpoints are statically added to iOS asset identity group. no profile info is used to authorize. I am still seeing this behavior with 1.2 deployment too. can you help me understand why is this the case? Not if I statically assign it to unknown profile it does not consume advanced license which i do not consider a feasible solution.
Thank you,
Fadiauthz.jpg

Highlighted
Rising star

ISE ver 1.1.2.145 advanced license consumption

Your rule for company assets checks for posture compliance (nac) "Session:Posture Compliance EQUALS Compliant", this is an advanced feature, and requires a license for each device that matches your "Company Assets" rule.

Jan