
Microsoft CAL License for "ISE & AD server integration"

onevf1
Level 1

Hello

As described in the URL link below, I would like to integrate ISE and MS AD server for dot1x user authentication.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#concept_477DBF7BF0164628B0F2A471CEF445D5

The number of users is 3,000.

If so, should I purchase 3000 user CALs? Or is it okay to purchase only one device CAL for one ISE server to join?

I don't use the AD server for anything else.

Unfortunately, there is no MS EA contract.

Accepted Solutions

Arne Bier
VIP

Hello @onevf1

There is no need to purchase any Microsoft CAL licenses when integrating ISE to an on-prem Microsoft Windows AD Server.

If you have an AD Domain, then ISE will simply query that as and when it needs to.

The crucial license is on ISE - each successful basic 802.1X authentication (basic means there was no ISE Profiling involved, nor was there any posture assessment) will consume 1 ISE 2.x Base License. In ISE 3.x it would consume 1 Essentials license.

ISE licenses are based on the CONCURRENT session count (i.e. users who have an active session on the switch/wireless/VPN as authenticated by ISE). When those sessions end (timeout, disconnect, etc.), the ISE license is freed up again.
