ISE 1.2/1.2.1 license consumption issues

Similar Messages

• ISE 1.3, information about license consumption

  Hi all
  We are deploying ISE 1.3 in our network but is not clear for us how the license consumption mechanism is handled by ISE.
  I saw in the administration guide that in ISE 1.3 a license is consumed for every active user, and license consumption relies on the attributes used in the authorization policy with which the endpoint is matched.
  In ISE 1.2 licensing data sheet it is said that the consumption relies on RADIUS accounting functions to track concurrent endpoints (ISE uses RADIUS
  accounting “start” and “stop” messages to determine when network sessions begin and end), but I didn't found any confirmation on that regarding ISE 1.3.
  My question is: if I don't enable Radius accouting on the NAD, how ISE determines when the network session is ended and so when it releases the license for that user? 
  I ask this because during the tests we saw different behaviour; sometimes the session was considered ended and so the license was correctly released, but sometimes the user was considered active also hour later after it left the network, and his license was not correctly released
  Thanks
  Marco

  ISE monitoring node has a session directory to track
  endpoints active on the network.
  Automatic Purge: A purge job runs approximately every 5 minutes to clear
  sessions that meet any of the following criterion:
  1.Endpoint disconnected (Ex: failed authentication) in the last 15 minutes
  (grace time allotted in case of authentication retries)
  2.Endpoint authenticated but no accounting start or update received in the last
  hour
  3.Endpoint idle—no activity (authentication / accounting / posturing /
  profiling updates) in the last 5 days

• Having trouble installing ProIX on new Windows 8 machine after XP crash.  Get almost ll of the way through and get an error box ... contact system support.  Only way out is to abort and then it un-installs.  Wondering if a licensing max issue since we did

  having trouble installing ProIX on new Windows 8 machine after XP crash.  Get almost ll of the way through and get an error box ... contact system support.  Only way out is to abort and then it un-installs.  Wondering if a licensing max issue since we didn't get an opportunity to uninstall off of crashed machine?

  Hey robr72339266,
  With a single user license, you can install Acrobat on maximum two computers, say, your laptop at work and desktop at office.
  But, you cannot use Acrobat on both the machines simultaneously.
  You will first need to deactivate Acrobat from the old machine, then install and activate the software on the new OS with the same serial key.
  Please Contact | Adobe to seek help on the same.
  Regards,
  Anubha

• ISE ver 1.1.2.145 advanced license consumption

  Hello,
  I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:
  I have an XP machine that I am using to access network though ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate company asset. Everytime the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am note using the profiled group, posture assessment, nor even onboarding in my Authz policy.
  Here is the authorization rule:
  Here is the licensing page:
  base                             advanced
  1/20
  1/20
  Here is the only active session from active session report:
  xp-test.ashour.local
  00:22:FB:1A:59:C2
  10.30.30.117
  dot1x
  EAP-TLS
  NotApplicable
  N/A
  WindowsXP-Workstation
  Running
  ise
  And here is the live authentication:
  Authentication Summary
  Logged At:
  December 10,2012 5:27:36.331 PM
  RADIUS Status:
  Authentication succeeded
  NAS Failure:
  Username:
  xp-test.ashour.local
  MAC/IP Address:
  00:22:FB:1A:59:C2
  Network Device:
  5508-WLC : 10.255.255.20 : 
  Allowed Protocol:
  Default Network Access
  Identity Store:
  Authorization Profiles:
  PermitAccess
  SGA Security Group:
  Authentication Protocol :
  EAP-TLS
  Authentication Result
  User-Name=xp-test.ashour.local
  State=ReauthSession:0affff140000005550c6598d
  Class=CACS:0affff140000005550c6598d:ise/144192099/4026
  Termination-Action=RADIUS-Request
  MS-MPPE-Send-Key=99:b0:49:f5:e1:eb:20:a6:2b:2a:97:fe:f1:68:a0:02:a7:98:3c:03:12:2a:90:70:3a:6c:fd:ed:1c:3b:bc:4b
  MS-MPPE-Recv-Key=8e:c8:88:f8:fb:75:02:3d:32:48:8a:b0:9e:7d:74:5d:04:f7:de:48:3c:b9:c3:e7:36:e5:05:f3:c7:6c:21:7d
  Related Events
  Dec 10,12 5:27:36.072 PM
  Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:
  Radius authentication passed
  Dec 10,12 5:23:56.647 PM
  Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:
  Radius authentication passed
  Dec 10,12 5:06:07.317 PM
  Radius accounting start
  Radius accounting start
  Authentication Details
  Logged At:
  December 10,2012 5:27:36.331 PM
  Occurred At:
  December 10,2012 5:27:36.331 PM
  Server:
  ise
  Authentication Method:
  dot1x
  EAP Authentication Method :
  EAP-TLS
  EAP Tunnel Method :
  Username:
  xp-test.ashour.local
  RADIUS Username :
  host/xp-test.ashour.local
  Calling Station ID:
  00:22:FB:1A:59:C2
  Framed IP Address:
  Use Case:
  Network Device:
  5508-WLC
  Network Device Groups:
  Device Type#All Device Types#WIRELESS,Location#All Locations#ASHOUR RESIDENCE
  NAS IP Address:
  10.255.255.20
  NAS Identifier:
  ASHOUR-WLC1
  NAS Port:
  1
  NAS Port ID:
  NAS Port Type:
  Wireless - IEEE 802.11
  Allowed Protocol:
  Default Network Access
  Service Type:
  Framed
  Identity Store:
  Authorization Profiles:
  PermitAccess
  Active Directory Domain:
  Identity Group:
  Profiled:Workstation
  Allowed Protocol Selection Matched Rule:
  Dot1X
  Identity Policy Matched Rule:
  Default
  Selected Identity Stores:
  Authorization Policy Matched Rule:
  Company asset
  SGA Security Group:
  AAA Session ID:
  ise/144192099/4026
  Audit Session ID:
  0affff140000005550c6598d
  Tunnel Details:
  Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 30
  Cisco-AVPairs:
  audit-session-id=0affff140000005550c6598d
  Other Attributes:
  ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,Device Type=Device Type#All Device Types#WIRELESS,Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,Software Version=7.2,Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD
  Posture Status:
  NotApplicable
  EPS Status:
  Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12809  Prepared TLS CertificateRequest message
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12568  Lookup user certificate status in OCSP cache
  12570  Lookup user certificate status in OCSP cache succeeded
  12554  OCSP status of user certificate is good
  12568  Lookup user certificate status in OCSP cache
  12570  Lookup user certificate status in OCSP cache succeeded
  12554  OCSP status of user certificate is good
  12811  Extracted TLS Certificate message containing client certificate
  12812  Extracted TLS ClientKeyExchange message
  12813  Extracted TLS CertificateVerify message
  12804  Extracted TLS Finished message
  12801  Prepared TLS ChangeCipherSpec message
  12802  Prepared TLS Finished message
  12816  TLS handshake succeeded
  12509  EAP-TLS full handshake finished successfully
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  Evaluating Identity Policy
  15006  Matched Default Rule
  22037  Authentication Passed
  12506  EAP-TLS authentication succeeded
  11503  Prepared EAP-Success
  Evaluating Authorization Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  15016  Selected Authorization Profile - PermitAccess
  11002  Returned RADIUS Access-Accept

  Hi,
  Please make sure that the profiling is disabled for this node, it seems as if the radius probe and the user agent is learned via the http probe.
  It also seems as if you are hitting this bug I understand the description doesn't line up but you may want to have TAC clarifiy if this isnt experience on authenticating networks:
  CSCub56607
  Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not
  The wireless session in question should be applied against the Base  license count. This issue has been observed in Cisco ISE, Release 1.1.1  where the following functions are set:
  •MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied
  •Profiling is disabled
  •Posture is disabled
  •The device in question has not been registered via the My Devices Portal
  Note There is no known workaround for this issue.
  Tarik Admani
  *Please rate helpful posts*

• ISE integration with SMS gateway required license

  Hello All,
  We have cisco WLC with guest wireless access configured to use local database. the managment requires new solution to send cridintials to user throug SMS after the user signup through portal.
  we decided to use the cisco ISE. my question is what is the required license to integrate ISE with WLC and SMS gateway. should we use the Basic license, advanced or the wireless license.
  Thanks,
  Amr

  Hi Charles,
  why do you say "you would need Base and Plus Licenses at a minimum"? 
  Looking at the ISE licensing guide (table 2):
  http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.pdf
  it seems that Guest Portal services are already included in Base License (and all the AAA stuff too),
  therefore enough for the "Wireless Guest Access with SMS authentication" needed by Amr.
  Finally, the advantage of 'Base' license is that is Perpetual ...no annual fee to pay ;-)
  Regards.
  Gio

• ISE distribution system with 4 nodes & Licensing

  Hi,
  Question 1
  We have 04 ISE appliances and we are planning to deploy in distributed system such way that 02 ISE will act as PRI/SEC with the roles PAD/M&T and other 02 to be act as PRI/SEC with PDPs.
  Configuring PAD/MT pair is straighforward and has no doubts, however we have issue with other two nodes which is  (PDP) as PRI/SEC.
  ISE giving us warning that atleast one node should have monitor role enabled, however by the time Admin role is already enabled where we cant disabled.
  If someone has deployed this, appreciate can guide me in proper direction or share any document how to achieve this requirement.
  Question 2
  My other querry is about the licensing on this requirement. We have only 1 Base and 1 Adv license for all these 04 boxes for about 500 endpoints. However we can generate licenses against only 1 ISE appliance giving it's serial number and that will be installing on Primary PAP/MT box only, and what about other two boxes which will act as PRI/SEC PDPs and it will still giving warning that there's no licenses.
  Question 3
  When we deploy distributed system with above senario, what ISE node IP addresses that we need to configure on NAD (switch), will it be all 04 ip addres or it will be the pair of  PAP/MT or PDP..?
  Thanks in advance.

  Question 1
  We have 04 ISE appliances and we are planning to deploy in distributed system such way that 02 ISE will act as PRI/SEC with the roles PAD/M&T and other 02 to be act as PRI/SEC with PDPs. Configuring PAD/MT pair is straighforward and has no doubts, however we have issue with other two nodes which is  (PDP) as PRI/SEC.  ISE giving us warning that atleast one node should have monitor role enabled, however by the time Admin role is already enabled where we cant disabled.  If someone has deployed this, appreciate can guide me in proper direction or share any document how to achieve this requirement.
  Answer-  The type of ISE deployment you want to implement is Distributed with HA.
  In this particular case, you must have PAN and one MNT and rest nodes can be PSN, which depends as per your requirement.
  In your case you are going to run PAN & MNT on single node with HA and other 2 nodes are left for PSNs.
  There is no concept of HA for individual PSN, your all PSNs will remain active; however you can distribute the requests coming from NADs between 2 PSNs, like configure some NADs with one PSN IP and rest with other PSN.
  Question 2
  My other querry is about the licensing on this requirement. We have only 1 Base and 1 Adv license for all these 04 boxes for about 500 endpoints. However we can generate licenses against only 1 ISE appliance giving it's serial number and that will be installing on Primary PAP/MT box only, and what about other two boxes which will act as PRI/SEC PDPs and it will still giving warning that there's no licenses.
  Answer- First node in ISE is considered as Primary node under the ISE instance, so when you add more ISE appliances under that ISE instance all become secondary except the first one.
  Hence you install licenses on the Primary ISE node on which you installed ISE in early stage or you introduced in your network.
  So Licenses are meant for ISE instance not for the node.
  Question 3
  When we deploy distributed system with above senario, what ISE node IP addresses that we need to configure on NAD (switch), will it be all 04 ip addres or it will be the pair of  PAP/MT or PDP..?
  Answer- On NADs you have to configure PSN's IPs, like you can configure one PSN IP as a primary and other one as a secondary.

• License Consumption in BOE XI

  Post Author: neheyen
  CA Forum: Authentication
  I don't know if we don't have enough licenses or if there is something misconfigured. Or if there is a problem with usage.
  When I go to the CMS properties, I think I see who is logged in at the moment. Just what is the Session Count? The number of sessions the user has open (InfoView, Instance Manager, CMC, etc.) or the number of licenses used?
  Is there a whitepaper that describe the license model?
  And finally is there a setting for timeouts? I think what happens is that users just close the browser window instead of actually using the padlock icon to log out. Would this result in a 'stranded' login that consumes a license?
  Thanks for any insight or hints!
  Norman

  Post Author: TAZ
  CA Forum: Authentication
  Hi Norman,
  I think both these questions would be better served in the deployment forum going forward...
  As for licenses it depends on your license type, CPU license wouldn't matter, concurrent would only be the user count not session, named would be the session count=licenses used.
  There are timeouts for when a session is inactive but they vary per app server. You should be able to find them in KB's or open a case with support if that doesn't work so they can give you the right info based on your environment.
  In IE 6 the default setting prompted for logoff even when closing the browser. IE7 I don't believe honors this setting. If this is an earlier version than XIR2 there were other issues that caused extra sessions.
  Regards,
  Tim

• License Consumption

  Version: 2007 B
  License: B1 Professional
  Issue:
  The user name B1i gets created itself after the installation of B1.
  What is that for?

  Hi Vijay
  The user B1i* is created by B1, which is used by B1i to connect B1.
  B1i is a tool to sync data between SBO and R/3 system.
  Regards,
  Syn Qin
  SAP Business One Forums Team

• UCCX 10.5 - License consumption about Agent

  Hi,
  My Customer have a solution  with UCCX 10.5 and license to 400 Agents. My question is: If I use 50 CTI ports in CUCM to attend IVR, are will there decrease license about Agent of UCCX?
  Thanks,
  Wilson

  Hi Wilson,
  The Agent licenses depend on the number of Seat Licenses you have on the system. For example, if there are 25 seats, then 25 agents can login simultaneously.
  These do not depend on the Port licenses.
  Other components which utilize seat licenses:
  Agent
  Supervisor
  Recording
  Regards,
  Arundeep

• Concurrent crystal license timeout Issue, need help.

  Hi,
  My company is using crystal enterprise 10 with 18 concurrent user license.
  However, we often hit out of crystal license issues.
  Does time to wait for exporting crystal reports to excel/pdf takes up licenses?
  Does time to wait for crystal report to be printed or viewed on the web browser takes up licenses?
  We all know that user sessions take up user licenses. 1 user login take up 1 license.
  Does crystal pruning job takes up user licenses too?
  Need help urgently, much appreciated.

  Hi Daren,
  Support on Cystal Enterprise 10 has expired. Make sure that your users are actually logging off and not just closing their browser.
  One user can take up multiple licenses by not logging off or opening multiple browsers to view multiple reports. Scheduled jobs that are running do not take up license, but a user veiwing a historical instance does take up a license.
  In your metrics tab in the Cyrsatl Management Console -> Servers-> cms you should be able to see the active number of sessions- system connections are backend connections between the servers and these do not take up any licenses.
  Best Regards,
  Jadie

• ABC Analysis of Planned Consumption(Issue against Reservation).

  Hi Experts,
  Is there any standard report is available for ABC Analysis of Planned Consumption(material issued against Reservation)?
  thx in advance...

  Hi,
  I allready tested with Tcodes such as MC.9 (gives details of total & unplanned consump. not for Planned consump.) & MB51(gives details for only one Mov. Type say either 261 or 262 not possible to do ABC ana. for balance of both)
  Is there any other std report as ABC analysis of planned consp.
  Thx in advance...

• Updating license key issue

  I am attempting to move the SAP B1 application to a different server (pointing to the same database server).
  In doing so I have been told I needed to request a new license key.  I have done that however when I try to import the license key into the SAP B1 client (from the Administration->License->License Administration program) I get the following error:
  wrong license file; hardware key does not match.
  I retrieved the hardware key from the SAP B1 Server Suite Manager that is running on this new application server (from the Settings on the License Manager service).
  Also, the License Server that appears on the License Administration dialog still points to the original server.  I have tried typing in the new server's name but cannot.
  By the way I am trying to make this change in the QA enviornment.  We are running a W2003 server and serving the SAP B1 client up via citrix.  SAP B1 client and server are installed on the same server.
  Any suggesitons would be helpful.
  Thanks,
  Mike
  Edited by: Mike Hamm on Sep 29, 2009 1:45 AM

  Hi Mike,
  >
  Mike Hamm wrote:
  > How would I check the port? Is that something on the server or in SAP B1?
  Both. In the SAP Business One License Manager ->Settings -> Connection details you might like to change the default port number 30000. In order to check your firewall on the server refer to the documentation of the used firewall.
  >
  Mike Hamm wrote:
  > I do not get any error message when I change the server on the License Administration dialog is: "License server changes will take effect at next logon to a company".  Unfortunately the server name reverts back to the original server name (which is, by the way, still operational--does that make a difference?)
  You can have running the license server on another Server than the one on which SAP Business One Server application is installed. However it will revert back (to last known 'good' license server) as long no valid license file has been importet to the new license server.
  >
  Mike Hamm wrote:
  > When I try to import the license key I received from SAP (after providing the hardware key from the license manager) I get the following error message:  wrong license file; hardware key does not match.
  Try to download the license file directly from the Webpage, sometimes the files get corrupted, if sent by email.
  Further info: Note [776870|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMSZ3PTU4ODAwMDAr)/bc/bsp/spn/smb_searchnotes/display.htm?note_langu=E&note_numm=776870] and note [578256|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMSZ3PTU4ODAwMDAr)/bc/bsp/spn/smb_searchnotes/display.htm?note_langu=E&note_numm=578256]
  Kind regards
  Mario

• Mac OS X 10.7.5 Adobe license agreement issue for Acrobat Pro

  Acrobat Pro keeps popping up the License agreement whenever I try to use it. Even viewing pdf documents that already exist doesn't work. I've tried all the usual fixes including the Deactivate a different program. This didn't work either. I got Acrobat Pro as part of the CS6 suite offered to academic staff via a university agreement. Can you help?

  Deactivate. Use the Creative Suite Cleaner Tool then re-install.
  http://www.adobe.com/support/contact/cscleanertool.html

• Adobe Pro 9.0 Licensing / Upgrade issues

  We have 15 users with 9.0, most of whom periodically experience the well known Error "Licensing has stopped working". The licensing repair tool does not fix for long nor does any  of the other lengthy resolutions detailed in the licensing stopped working KB on adobe.com
  My question -
  1. How do I upgrade users from 9.0 to 9.5 if 9.0 no longer has any updates available? Will the 9.0 license cover this and how can I get media / install file as I can only find update files to an existing 9.5 file (we have tested a problematic user on a new version of Adobe and this is shown to resolve the issue)

  Hi Stefan,
  You can download the updates for Acrobat 9 from: Update, patch | Acrobat, Reader 7.x - 9.x | Windows
  or : ftp://ftp.adobe.com/pub/adobe/acrobat/win/9.x/
  For licensing error please try the following:
  Delete the Adobe PCD folder and caps.db file:
  Windows:  \Program Files\Common Files\Adobe\Adobe PCD
                      \Program Files\Common Files\Adobe\caps\caps.db
  Launch Acrobat, enter the serial number and check.
  Regards,
  Rave

• Acrobat X Pro License acceptance issue, crash

  Hi,
  I am using Acrobat X Pro on windows 7 (as part of the creative suite).
  When I open the program it asks me to accept the license agreement.  I click accept, the program opens and then closes and asks me again........continually.
  Does anyone know how I can fix this without reinstalling the whole suite again??  (have tried standard windows program repair).
  Many thanks

  Hi LauraFryer,
  You might want to refer the KB Doc : http://helpx.adobe.com/acrobat/kb/cant-click-accept-acrobat-reader.html
  You can even set the Eula acceptance manually by modifying the registry key :
  HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\AdobeViewer
  'EULA' Value = 1
  You can try using the following Command line to disable EULA & Registration dialogs.
  msiexec /i AcroPro.msi ISX_SERIALNUMBER=xxxx-xxxx-xxxx-xxxx EULA_ACCEPT=YES REGISTRATION_SUPPRESS=YES