cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6424
Views
25
Helpful
9
Replies

Q: ISE Licensing: Anyconnect Apex License

Justin Acera
Level 1
Level 1

Hi,

 

Regarding ISE Licenses, I would like to know what the Anyconnect Apex License is for. Is it the same as Apex License? We have an existing anyconnect apex license on paper but I cannot seem to locate it in ISE Web GUI under Administration>License, also on CLI. We are about to renew our ISE licenses and I need to verify if we are consuming the anyconnect apex license we have. If anyone knows where I can find it and how many is being consumed it would be greatly appreciated. 

 

Justin

2 Accepted Solutions

Accepted Solutions

balaji.bandi
Hall of Fame
Hall of Fame

you can view the license usage as mentioned below document from GUI :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0110.html

 

below table explain Apex License :

 

Base

L-ISE-BSE-PLIC=**

Plus

L-ISE-PLS-LIC=**

Apex

L-ISE-APX-LIC=**

Device Admin

L-ISE-TACACS-ND=**

VM Licenses*
  • AAA
  • RADIUS/802.1x
  • Cisco TrustSec
  • Multiple APIs (ERS)
  • Guest Services
  • Device Profiling and Feed Service
  • BYOD with certificate authority
  • Cisco pxGrid identity and context sharing
  • Adaptive Network Control (ANC)
  • MSE Integration
  • Endpoint Posture compliance and remediation
  • MDM/EMM Integration
  • Threat Centric NAC (TC-NAC)

 

+AnyConnect Apex License

  • ISE Posture Module
  • TACACS+
  • Available in ISE 2.x
  • Prior to 2.4, a single license is needed for the entire deployment
  • Starting in 2.4, a separate license is required for every Device Admin Node*
  • Per deployment license is honored in 2.4 with fresh install or upgrade
  • Starting in 2.4, VMs will no longer be right-to-use
  • Key-based license dependent upon Virtual Resources asigned to the virtual appliance
  • Small, Medium, and Large VM sizes, each with a different SKU
  • Small: R-ISE-VMS-K9=
  • Medium: R-ISE-VMM-K9=
  • Large: R-ISE-VML-K9=
Perpetual (Permanent) License Subscription (1, 3, or 5 years) Subscription (1, 3, or 5 years)

Perpetual (Permanent) License

NOT Based upon Network Device count

Perpetual (Permanent) License

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Mike.Cifelli
VIP Alumni
VIP Alumni

Funny this popped up as a customer of mine and TAC just went through/over this.  The AnyConnect Apex Licenses are essentially a "right-to-use" thing when referring to ISE solutions.  ISE does not show them and you will not be able to track consumption via ISE. The ISE Apex licenses are session based and enable certain functionalities shown in the table from @balaji.bandi .  To answer your question I would determine if any of those solutions/functionalities are in use.  Here is an example: If you do posture assessment for wired, wireless, or VPN you will need an ISE base, ISE apex, and an AnyConnect Apex license for each session.  So if you perform posture on 500 users then you would need 500 AnyConnect Apex Licenses.  HTH!

View solution in original post

9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

you can view the license usage as mentioned below document from GUI :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0110.html

 

below table explain Apex License :

 

Base

L-ISE-BSE-PLIC=**

Plus

L-ISE-PLS-LIC=**

Apex

L-ISE-APX-LIC=**

Device Admin

L-ISE-TACACS-ND=**

VM Licenses*
  • AAA
  • RADIUS/802.1x
  • Cisco TrustSec
  • Multiple APIs (ERS)
  • Guest Services
  • Device Profiling and Feed Service
  • BYOD with certificate authority
  • Cisco pxGrid identity and context sharing
  • Adaptive Network Control (ANC)
  • MSE Integration
  • Endpoint Posture compliance and remediation
  • MDM/EMM Integration
  • Threat Centric NAC (TC-NAC)

 

+AnyConnect Apex License

  • ISE Posture Module
  • TACACS+
  • Available in ISE 2.x
  • Prior to 2.4, a single license is needed for the entire deployment
  • Starting in 2.4, a separate license is required for every Device Admin Node*
  • Per deployment license is honored in 2.4 with fresh install or upgrade
  • Starting in 2.4, VMs will no longer be right-to-use
  • Key-based license dependent upon Virtual Resources asigned to the virtual appliance
  • Small, Medium, and Large VM sizes, each with a different SKU
  • Small: R-ISE-VMS-K9=
  • Medium: R-ISE-VMM-K9=
  • Large: R-ISE-VML-K9=
Perpetual (Permanent) License Subscription (1, 3, or 5 years) Subscription (1, 3, or 5 years)

Perpetual (Permanent) License

NOT Based upon Network Device count

Perpetual (Permanent) License

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I appreciate this response and I have gone through below. So Anyconnect Apex license basically is just an Apex license u need when using Anyconnect as a posture agent right? Does this mean that Anyconnect Apex license is included in the Apex license usage shown on the image i attached?

 

Mike.Cifelli
VIP Alumni
VIP Alumni

Funny this popped up as a customer of mine and TAC just went through/over this.  The AnyConnect Apex Licenses are essentially a "right-to-use" thing when referring to ISE solutions.  ISE does not show them and you will not be able to track consumption via ISE. The ISE Apex licenses are session based and enable certain functionalities shown in the table from @balaji.bandi .  To answer your question I would determine if any of those solutions/functionalities are in use.  Here is an example: If you do posture assessment for wired, wireless, or VPN you will need an ISE base, ISE apex, and an AnyConnect Apex license for each session.  So if you perform posture on 500 users then you would need 500 AnyConnect Apex Licenses.  HTH!

Thank you for your response. This is greatly appreciated. So basically it just provides additional functionalities on top of the Apex license which is mainly used when doing posture check through anyconnect on the endpoints. 

manvik
Level 3
Level 3

I have been using ISE APEX and Plus license for some time. Never applied Anyconnect Apex license anywhere. Still all working fine.

Should I buy Anyconnect Apex license anymore, if it cannot be applied anywhere

The AnyConnect Apex license is a right-to-use entitlement license. If you are using those features, you should have an Apex license for each user to be compliant with the entitlement policy.

See the AnyConnect Ordering Guide and FAQ for more information.

Thank you @Greg Gibbs should the license applied in ASA or in ISE ?

As of now posturing is working fine without applying license anywhere. Will I get any extra security feature/protection by applying this license?

The AnyConnect Apex is applied on the ASA or on Firepower if you use RAVPN. 

It is not applied on WLC or ISE or switches if you use AnyConnect on LAN or WLAN.

Mahmoud.Reda
Level 1
Level 1

I think as @Peter Koltl  said Anyconnect Apex is consumed in case you need to do posture on endpoints connecting to VPN through ASA. please correct me if I am wrong.

 

@Justin Acerawhat did you do ? I am in your place right now . I don't have ASA and I am not doing posture on endpoints connecting to VPN. so I won't renew the Apex Anyconnect license .

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: