New ISE Licensing schema

crprunoi
Cisco Employee

Hello,

Can anyone please unicast me if the new ISE Base license is calculated based on the qty/nr of endpoints or network type (wired/wireless)?

Customer has 100 wireless endpoints and 200 wired endpoints.

Q: How many licenses are required?

  • 300 Base licenses
  • Combination of the Base and Plus based on the wireless use access (BYOD, Guest)

The Ordering guide doesn't mention any difference between licenses based on the network type, while the old licenses were specific to the network type.

Thank you very much.


Mike.Cifelli
VIP Alumni
If you have 300 nodes total you will require 300 base licenses. One for one relationship. The base will get you the generic network access that I assume you are inquiring about. As far as the BYOD/Guest you will need 1 Base + 1 Plus. So if you have 20 BYOD/GUEST endpoints you would need 20 base and 20 plus. Cheers & HTH!

Damien Miller
VIP Alumni

Keep in mind that licensing is based on active endpoints, not total, and every unique MAC address is considered an endpoint by ISE. So if you have an iPhone associated to the wireless which authenticated via ISE, that is an active endpoint. When it drops off the wireless, the WLC should send a RADIUS accounting stop packet releasing the session, and it is no longer considered active by ISE. A laptop connected to both wireless and wired where there is 802.1x on the switchport could use double the licensing if both network adapters remain active. There would be two MAC addresses for the same machine.

If you don't configure RADIUS accounting correctly, every endpoint session will take 5 days to time out before it is no longer considered an active session.

As Mike indicated though, endpoints are endpoints, it doesn't matter how they come in to authentication, you will always use a base license for authentication. Features beyond basic authentication and authorization require either plus or apex and you can read about them in the ordering guide. Advanced feature licenses such as plus or apex stack on top of a base license, meaning one MAC address can use two licenses.

They recently added examples and explanations to the ordering guide that cover licensing scenarios such as this.
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf
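The counting rules described in the post above, as an added example (not code from the thread or from Cisco): a simplified model in which each unique MAC with an open session uses one Base license, Plus stacks on top for BYOD/Guest sessions, an Accounting-Stop releases the session, and a session with no stop ages out after 5 days. The event tuples and MAC values are constructed, and measuring the timeout from session start is an assumption of this model.

```python
from datetime import datetime, timedelta

# Per the post: without an Accounting-Stop a session stays active for 5 days.
STALE_TIMEOUT = timedelta(days=5)

# Constructed sample events: (timestamp, MAC, event, uses_plus_feature)
EVENTS = [
    ("2024-01-01 08:00", "AA:AA:AA:00:00:01", "start", False),  # laptop, wired NIC
    ("2024-01-01 08:01", "AA:AA:AA:00:00:02", "start", False),  # same laptop, wireless NIC
    ("2024-01-01 08:05", "BB:BB:BB:00:00:01", "start", True),   # BYOD phone
    ("2024-01-01 08:10", "CC:CC:CC:00:00:01", "start", True),   # guest, stop never sent
    ("2024-01-01 09:00", "BB:BB:BB:00:00:01", "stop", True),    # WLC sends Accounting-Stop
    ("2024-01-01 17:00", "AA:AA:AA:00:00:01", "stop", False),
    ("2024-01-01 17:00", "AA:AA:AA:00:00:02", "stop", False),
]


def parse(ts):
    """Parse the constructed timestamp format used in EVENTS."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def license_usage(events, now):
    """Return (base, plus) licenses consumed at `now` under the simplified model."""
    active = {}  # MAC -> (session start time, uses a Plus feature)
    for ts, mac, event, plus in sorted(events, key=lambda e: parse(e[0])):
        t = parse(ts)
        if t > now:
            break  # events are time-ordered; later ones have not happened yet
        if event == "start":
            active[mac.upper()] = (t, plus)
        elif event == "stop":
            active.pop(mac.upper(), None)  # session released immediately
    # Sessions that never received a stop are dropped only after the timeout.
    live = {m: v for m, v in active.items() if now - v[0] < STALE_TIMEOUT}
    base = len(live)  # one Base per active unique MAC
    plus = sum(1 for _, uses_plus in live.values() if uses_plus)  # stacked on Base
    return base, plus


if __name__ == "__main__":
    for when in ("2024-01-01 08:30", "2024-01-01 10:00",
                 "2024-01-03 12:00", "2024-01-06 09:00"):
        print(when, license_usage(EVENTS, parse(when)))
```

On the third sample time, the guest session whose stop was never sent is still holding one Base and one Plus license two days after every other device has disconnected.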

Mike, Damien, thanks for the clarification. I was trying to identify the delta between the old licenses and the new ones. In the new model, the network access doesn't depend on the network type (wired or wireless). It depends on the technology use cases (BYOD, Guest, SDA). Again, thank you.

Surendra
Cisco Employee
They are not dependent on network type with the new licenses: https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf. Sections 1.1.2.3 and 1.4.3.

Thank you.