ISE Licenses concurrent users and max users?

Hi,

I'm new to this tech and I would like help from someone who has worked with it in the past or knows how this tech works. In the enterprise we have an ISE server.

I need to know how many licenses we have and what is our peak? 

Where can I get this information via the web?

The issue is that we suspect that, due to the limit of the licenses, some users get disconnected.

What does Active EndPoints mean on the HOME screen? Right at the top there is a small bar graph that says: Active EndPoints and Authenticated Users.

Does this mean that, right at this moment, those are the users connected at the moment I took the screenshot?

Shouldn't these active endpoints be released once the endpoints do not have an active session?

What's the difference with the Authenticated User, right next to the Active Point bar graph?

I have attached the License table:

What are the Apex, Plus, Base and Wired? Is the Quantity column the total amount of licenses?

Shouldn't these active endpoints be released once the endpoints do not have an active session?

System info:

ISE server

Version: 2.0.0.306

I have attached some screenshots. We have deployed (I'm not the specialist of this deployment, so please understand me) a Wireless Solution with several wireless controllers. The wireless controllers are in sync with the ISE so that users get authenticated via the wireless controller.

If you need more info, please do not hesitate to contact me.

Please help me to understand better.

Thanks


Francesco Molino
VIP Alumni

Hi

Based on your screenshots, it seems that you have:

- 2000 base licenses

- 2000 apex licenses

- 2000 plus licenses

Active endpoints means the number of devices connected to ISE. In the past we got a cosmetic bug in the information shown on the portal; the number was never decreasing (e.g. ISE 1.4 patch 5 corrected this issue, which came with ISE 1.4 patch 4). I'm not saying that you have this issue, but you need to be aware of it.

ISE licensing is explained: http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html

On license usage, you can see that you're using more base licenses than you have and never using apex and plus licenses.

ISE counts apex and plus licenses if you are using specific features (like BYOD for plus and Posture or MDM interconnection for Apex). If you don't have rules that are using these features, you will never use those licenses.

I don't have a full view of your current configuration, but it seems that you are using standard and basic rules that are impacting only base licenses.

I've never exceeded base licenses as much as you, but normally there is no network (device and/or user) downtime if you exceed licenses. As soon as licenses are exceeded, you will have alerts on ISE, and the right process should be to contact Cisco and pay for other licenses. Maybe there is a limit, but I've never heard about such a limit. I'm quite sure that there is no limit for now except alerts...

In your case, I would suggest reviewing your configuration, as you bought different types of licenses that are not used anymore.

To be honest, I've always seen Wireless and Base licenses that are quite the same, except that Wireless is only for wifi infrastructure. Wireless still does not exist in the new licensing mode. But I've never seen Wired licenses. I'm not a sales guy, and maybe it's a new kind of license? I don't know. I've also done a quick search to find what Wired licenses stand for in ISE but found nothing.

In any case, your Wired licenses are considered as base licenses. To know which feature consumes which license, you have to refer to the link I copied above.

Hope this explanation is clear. You can contact me if you need more information.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you so much for your valuable information. Yes, indeed, we will contact Cisco and see how it goes. So basically, what you are saying is that the connectivity issues have nothing to do with the license, but rather interference or coverage, I think.

I will further investigate once I contact the Cisco guy and see what he has to say.

Again, thank you so much. By the way, do you know where in the settings you go to change the idle time of disconnection?

For instance, I think we have in the wireless for guest users around 20 mins, and within that time there is an idle time; the endpoint gets disconnected and has to re-enter the credentials.

I know it's a silly question, but where is that button to set up these idle connections?

Regards

As Jan.Nielsen said, the issue is for sure not coming from exceeded licenses.

It could be due to the server platform chosen. You have some alerts and messages on the home page, in the box in the top middle, where you can log issues.

What is strange is that you have provisioned 2000 devices with base licenses and now you have around 5000+ devices authenticating.

I will check the server platform to be sure; however, I will check with the guy who installed all the ISE servers to know why you've bought 2000 devices and why today you have 5000+.

More than that, what are the issues you're facing?

For idle timeout, you can do that through ISE policies or through the WLC.

thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jan.nielsen
Level 7

Adding to what supportlan said, ISE does not enforce licenses by disconnecting anything; it will just give you alarms, as you have already seen. However, with >5000 active sessions, maybe your problem is that your ISE deployment isn't scaled to handle that many sessions. How many ISE servers do you have, which models are they (3315/3355/3395, 3415/3495, 3515/3595, VM), and how are they deployed?

Look in the menu Administration/System/Deployment.

Hi Jan, 

Perhaps that could be a reason; however, the folks that implemented this solution suggested these servers. Attached you will find the image.

Thank you so much for your time and response. I have been struggling to find a course where they can teach this. I cannot say it is really hard, but there are some things involved from the architecture and design point of view, as you say.

Regards,

That's a fair amount of ISE nodes; however, without knowing what platform your ISE servers are on (3415/3495 or VMware), there could still be performance issues. But you should probably try to explain what the actual issue is. What are you seeing in the logs in ISE?

If you are running on 3415s, ISE officially only supports up to 5000 simultaneous endpoints, even if you have 5 PSN nodes. A 3495 as ADM/MNT will get you to 10000 simultaneous endpoints.

jwmolenaar
Level 1

We see the weird licensing issues as well in ISE 2.0 patch 2. The deployment is only wireless, so it was easy to compare with the WLC. ISE is reporting many more active sessions than the WLC.

Due to our setup I initially thought that RADIUS account packets were lost/blocked or ignored.

Finally I found a bug in the release notes matching our issue. It seems to be fixed in patch 3. I was not able to install and verify it.
