Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
11677
Views
2
Helpful
10
Comments

Licensing updates with Cisco ISE 3.5

ghalajia
Cisco Employee
Cisco Employee

‎09-30-2025 11:41 AM - edited ‎10-17-2025 07:44 AM

ISE 3.5 Licensing Consumption Alignment Overview:  

Cisco Identity Services Engine (ISE) 3.5 implemented updates to its licensing consumption logic, aligning actual feature utilization with documented intent and existing licensing guides. This initiative clarifies consumption metrics, rather than altering the core licensing model or tier capabilities (Advantage, Premier, Apex). The primary objective is to rectify prior discrepancies where certain Advantage-tier features did not consume licenses as originally intended. In ISE 3.5 version we intend to address this by ensuring that features like pxGrid, pxGrid Direct, Profiling, and TrustSec reflect their license consumption more accurately. 

Rationale for Alignment: 

These updates are designed to provide clearer visibility into true license consumption, ensure fairness by aligning usage with documented feature utilization, eliminate inconsistent consumption logic across features, and facilitate more accurate license planning and budgeting. 

Enhanced Reporting and Visibility: 

ISE 3.5 introduces new reporting capabilities to support these alignments: 

  • Licensing Audit Report: Displays historical daily peak license usage over the last 30 days. 
  • Current Active Sessions Report: Offers real-time details on current license consumption, including feature-level breakdowns and MAC addresses. This report can be exported as CSV and scheduled for automated delivery. 

No Enforcement in ISE 3.5:  

There will be NO enforcement in ISE 3.5 for overconsumption of licenses and will trigger non-intrusive "Consumption Alerts" (replacing "Out of Compliance" messages). This will give customers enough time to understand and optimize the license consumption and make them ready for enforcement in future releases.  

Key Alignments in ISE 3.5:  

License consumption is based upon endpoints having an active RADIUS session and any of following criteria:

  • Profiling: An Advantage license is now consumed upon endpoint classification by the Profiler, irrespective of its use in an authorization policy. Existing exclusions for guest endpoints and static group assignments remain. 
  • pxGrid: License consumption now occurs per active session when session data is shared with pxGrid clients via the session topic (e.g., WebSocket updates, bulk retrieval via REST API). 
  • pxGrid Direct: A license is consumed when pxGrid Direct attributes are referenced in an authorization rule and present in the JSON payload, even if the policy does not result in a match. 
  • TrustSec: License consumption is tracked and reported based on the actual assignment of a Security Group Tag (SGT) to an endpoint/session, independent of its usage within authorization policies. 

Recommended Internal Actions: 

Organizations should leverage the new ISE 3.5 reports to assess current consumption for pxGrid, pxGrid Direct, Profiling, and TrustSec. Monitoring "Consumption Alerts" and comparing usage against purchased entitlements is crucial for identifying potential gaps and planning any necessary license adjustments prior to future enforcement. Refer to the official Cisco ISE Licensing Guide for comprehensive details. 

Key ISE Upgrade Resources: 

Comments
craig.beck
Level 1
Level 1
‎10-15-2025 08:44 AM
  • Profiling: An Advantage license is now consumed upon endpoint classification by the Profiler, irrespective of its use in an authorization policy. Existing exclusions for guest endpoints and static group assignments remain.

 

Does that mean any profiled endpoint will consume a license indefinitely, or only for the duration of their session? Once the endpoint disconnects, will the license be released?

nplusplus
Level 1
Level 1
‎10-15-2025 09:34 AM

+1 to @craig.beck 's question.

Thank you,

Nathan

kvamja
Cisco Employee
Cisco Employee
‎10-15-2025 10:33 AM

Hi @craig.beck & @nplusplus , the license will be consumed only for the active session and it will be released as soon as the session ends.

Arne Bier
VIP
VIP
‎10-15-2025 01:12 PM

If this is implemented and enforced, then it will be time for me to looking at alternative RADIUS products - Clearpass supports profiling and MDM integration as part of the base license. Profiling is not a luxury. Some customers already refuse to pay Plus/Advantage licenses just for profiling and have built their Policy Sets around that. Arista AGNI is also worth looking into.

My advice to ISE users is to migrate your Policy Sets from profiling to alternative solutions, and then disable the Advantage license (if profiling is all you need it for). Spend your efforts to use more 802.1X instead of MAB, and MAC Address prefix Rules, or, creating individual Endpoint Identity Groups that contain the MAC addresses of interest for all the remaining MAB stuff. 

Justin-Walker
Level 1
Level 1
‎10-17-2025 06:31 AM

The justification for this change is wild.  You're saying that because you cant clearly identify for customers which sessions are consuming advantage licenses, you'll just charge for all of the active sessions. 

 

This change will force customers to turn off profiling completely and complicate existing and new deployments.  Many wired implementations use profiling at a minimum for phone authorization. Converting these endpoints and others to static groups is insane. 

 

If the goal is to clear up the licensing confusion, include profiling as part of the essential license. Advantage licensing could be reserved for pxGrid and TrustSec consumption. 

craig.beck
Level 1
Level 1
‎10-17-2025 06:42 AM

I agree with the above. As Justin said, include it in the Essentials license or ISE is going to be a hard sell for some customers.

Other vendors will probably have a field day with this.

kthiruve
Cisco Employee
Cisco Employee
‎10-17-2025 06:36 PM

Hi Everyone,

Thank you for the thoughts.
We are gathering feedback from field and partners, reaching out to few of them to understand the use cases.

We will update the licensing guide with more details.

Thanks

 

Janne K.
Level 1
Level 1
‎10-21-2025 01:28 AM

A bit late to the party, but looking forward to the coming clarifications. As others have mentioned would the changes as described be very disappointing.

craig.beck
Level 1
Level 1
‎10-21-2025 07:08 AM

If an advantage license is consumed for profiling and SGT assignment, will that be a single license or two? I'm assuming single?

kthiruve
Cisco Employee
Cisco Employee
‎10-22-2025 02:37 PM

Hi,

When license change happened few years back from 2.x to 3.x the nested doll model was to enable sellers and partners to use tier based licensing and to move away from feature based licensing using active endpoints as a mechanism to track license counts.

This means that the value of advantage license comes from the Advantage tier that has several features. So to answer your question is, same advantage license can be used by Trustsec, profiling, pxGrid, pxGrid-direct. It will not be double counted.

Hope it clarifies.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents