ISE 1.2.1 Advanced License Consumption
Hi experts,
I run an ISE 1.2.1 (Patch 1 from Jul/14) with 5000 Base and 100 Advanced Licenses. I'm currently in the testing phase. I noticed that the advanced counter rises without any Advanced feature being used. I enabled profiling for the ISE nodes but I do not use this information in the policy. Posture and SGA are also not used so far.
All I do is match against internal hosts, Guest Portal and 802.1X.
I hope you have an idea
Best Regards
Michael
Hello Michael-
I think you are hitting the following bug/defect: CSCuh36055
I have spoken with TAC about it and it will be fixed in v1.3
Thank you for rating helpful posts!
Similar Messages
ISE ver 1.1.2.145 advanced license consumption
Hello,
I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:
I have an XP machine that I am using to access the network through ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate a company asset. Every time the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am not using the profiled group, posture assessment, nor even onboarding in my Authz policy.
Here is the authorization rule:
Here is the licensing page:
Base: 1/20, Advanced: 1/20
Here is the only active session from active session report:
xp-test.ashour.local | 00:22:FB:1A:59:C2 | 10.30.30.117 | dot1x | EAP-TLS | NotApplicable | N/A | WindowsXP-Workstation | Running | ise
And here is the live authentication:
Authentication Summary
Logged At: December 10,2012 5:27:36.331 PM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: xp-test.ashour.local
MAC/IP Address: 00:22:FB:1A:59:C2
Network Device: 5508-WLC : 10.255.255.20 :
Allowed Protocol: Default Network Access
Identity Store:
Authorization Profiles: PermitAccess
SGA Security Group:
Authentication Protocol : EAP-TLS
Authentication Result
User-Name=xp-test.ashour.local
State=ReauthSession:0affff140000005550c6598d
Class=CACS:0affff140000005550c6598d:ise/144192099/4026
Termination-Action=RADIUS-Request
MS-MPPE-Send-Key=99:b0:49:f5:e1:eb:20:a6:2b:2a:97:fe:f1:68:a0:02:a7:98:3c:03:12:2a:90:70:3a:6c:fd:ed:1c:3b:bc:4b
MS-MPPE-Recv-Key=8e:c8:88:f8:fb:75:02:3d:32:48:8a:b0:9e:7d:74:5d:04:f7:de:48:3c:b9:c3:e7:36:e5:05:f3:c7:6c:21:7d
Related Events
Dec 10,12 5:27:36.072 PM
Radius authentication passed for USER: CALLING STATION ID: 00:22:FB:1A:59:C2 AUTHTYPE:
Radius authentication passed
Dec 10,12 5:23:56.647 PM
Radius authentication passed for USER: CALLING STATION ID: 00:22:FB:1A:59:C2 AUTHTYPE:
Radius authentication passed
Dec 10,12 5:06:07.317 PM
Radius accounting start
Radius accounting start
Authentication Details
Logged At: December 10,2012 5:27:36.331 PM
Occurred At: December 10,2012 5:27:36.331 PM
Server: ise
Authentication Method: dot1x
EAP Authentication Method : EAP-TLS
EAP Tunnel Method :
Username: xp-test.ashour.local
RADIUS Username : host/xp-test.ashour.local
Calling Station ID: 00:22:FB:1A:59:C2
Framed IP Address:
Use Case:
Network Device: 5508-WLC
Network Device Groups: Device Type#All Device Types#WIRELESS,Location#All Locations#ASHOUR RESIDENCE
NAS IP Address: 10.255.255.20
NAS Identifier: ASHOUR-WLC1
NAS Port: 1
NAS Port ID:
NAS Port Type: Wireless - IEEE 802.11
Allowed Protocol: Default Network Access
Service Type: Framed
Identity Store:
Authorization Profiles: PermitAccess
Active Directory Domain:
Identity Group: Profiled:Workstation
Allowed Protocol Selection Matched Rule: Dot1X
Identity Policy Matched Rule: Default
Selected Identity Stores:
Authorization Policy Matched Rule: Company asset
SGA Security Group:
AAA Session ID: ise/144192099/4026
Audit Session ID: 0affff140000005550c6598d
Tunnel Details: Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 30
Cisco-AVPairs: audit-session-id=0affff140000005550c6598d
Other Attributes: ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,Device Type=Device Type#All Device Types#WIRELESS,Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,Software Version=7.2,Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD
Posture Status: NotApplicable
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12568 Lookup user certificate status in OCSP cache
12570 Lookup user certificate status in OCSP cache succeeded
12554 OCSP status of user certificate is good
12568 Lookup user certificate status in OCSP cache
12570 Lookup user certificate status in OCSP cache succeeded
12554 OCSP status of user certificate is good
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15016 Selected Authorization Profile - PermitAccess
11002 Returned RADIUS Access-Accept

Hi,
Please make sure that profiling is disabled for this node; it seems as if the RADIUS probe and the user agent are learned via the HTTP probe.
It also seems as if you are hitting this bug. I understand the description doesn't line up, but you may want to have TAC clarify whether this isn't experienced on authenticating networks:
CSCub56607
Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not
The wireless session in question should be applied against the Base license count. This issue has been observed in Cisco ISE, Release 1.1.1 where the following functions are set:
• MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied
• Profiling is disabled
• Posture is disabled
• The device in question has not been registered via the My Devices Portal
Note: There is no known workaround for this issue.
Tarik Admani
*Please rate helpful posts*
ISE 1.3, information about license consumption
Hi all
We are deploying ISE 1.3 in our network, but it is not clear to us how the license consumption mechanism is handled by ISE.
I saw in the administration guide that in ISE 1.3 a license is consumed for every active user, and license consumption relies on the attributes used in the authorization policy with which the endpoint is matched.
In the ISE 1.2 licensing data sheet it is said that the consumption relies on RADIUS accounting functions to track concurrent endpoints (ISE uses RADIUS accounting "start" and "stop" messages to determine when network sessions begin and end), but I didn't find any confirmation of that regarding ISE 1.3.
My question is: if I don't enable RADIUS accounting on the NAD, how does ISE determine when the network session has ended, and so when it releases the license for that user?
I ask this because during the tests we saw different behaviour; sometimes the session was considered ended and so the license was correctly released, but sometimes the user was considered active even hours after it left the network, and its license was not correctly released.
Thanks
Marco

The ISE monitoring node has a session directory to track endpoints active on the network.
Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following criteria:
1. Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of authentication retries)
2. Endpoint authenticated but no accounting start or update received in the last hour
3. Endpoint idle, i.e. no activity (authentication / accounting / posturing / profiling updates) in the last 5 days
Dear,
Initially I was looking to use VMPS (dynamic VLAN assignment to ports based on MAC). But after some reading I understand 802.1X with RADIUS is a better solution, and finally I came to ISE. My question: Is the BASE license for ISE sufficient to use dynamic VLAN assignment (i.e. after authentication and authorization, a port will be set to a VLAN) or do I need to install the ADVANCED license?
Regards
Jan

The Base License is consumed whenever an authentication notification is received by Cisco ISE. A single Advanced License is consumed when any one or more of the following services or conditions are applied to the endpoint session:
• Posture
• Security Group Tag assignment
• Authorization using profile information
• Endpoint is registered in the MyDevices Portal
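The session-directory purge criteria quoted in the reply to Marco above and the Base/Advanced consumption rules in the reply to Jan, modelled together in one added example (my own illustration, not Cisco code and not how the ISE session directory is actually implemented). The Session fields, the thresholds as constants and the sample records are assumptions I constructed; criterion 1 is read as "a failed or disconnected endpoint is held for a 15-minute retry grace period and purged afterwards".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds from the purge criteria quoted in the thread (assumed as constants here).
FAILED_AUTH_GRACE = timedelta(minutes=15)   # criterion 1: retry grace for failed/disconnected
NO_ACCOUNTING_LIMIT = timedelta(hours=1)    # criterion 2: authenticated, no accounting start/update
IDLE_LIMIT = timedelta(days=5)              # criterion 3: no activity of any kind


@dataclass
class Session:
    """One session-directory entry (field names are assumptions, not ISE's schema)."""
    mac: str
    authenticated: bool
    last_auth: datetime                         # last RADIUS authentication attempt
    last_activity: datetime                     # last auth/accounting/posture/profiling update
    last_accounting: Optional[datetime] = None  # None: NAD never sent Accounting-Start/Interim
    posture_applied: bool = False
    sgt_assigned: bool = False
    authz_used_profile: bool = False            # authz rule matched on profiler attributes
    mydevices_registered: bool = False


def consumes_advanced(s: Session) -> bool:
    """Advanced license rule from the reply to Jan: any one of these four conditions."""
    return (s.posture_applied or s.sgt_assigned
            or s.authz_used_profile or s.mydevices_registered)


def purge_reason(s: Session, now: datetime) -> Optional[str]:
    """Why the 5-minute purge job would drop this entry, or None if it stays."""
    if not s.authenticated and now - s.last_auth > FAILED_AUTH_GRACE:
        return "failed/disconnected and 15-minute retry grace expired"
    if s.authenticated and (s.last_accounting is None
                            or now - s.last_accounting > NO_ACCOUNTING_LIMIT):
        return "authenticated but no accounting start/update in the last hour"
    if now - s.last_activity > IDLE_LIMIT:
        return "idle for more than 5 days"
    return None


def license_counts(sessions: List[Session], now: datetime,
                   apply_purge: bool = True) -> Tuple[int, int]:
    """Return (base, advanced) consumed by the authenticated sessions.

    apply_purge=False mimics a dashboard that also counts stale entries,
    which is what a later post on this page suspects the dashboard does."""
    kept = [s for s in sessions if not apply_purge or purge_reason(s, now) is None]
    active = [s for s in kept if s.authenticated]   # Base: one per authenticated endpoint
    return len(active), sum(1 for s in active if consumes_advanced(s))


# Constructed sample directory; apart from the thread's XP host, MACs and times are made up.
NOW = datetime(2014, 9, 1, 12, 0, 0)
SAMPLE = [
    # EAP-TLS machine auth, accounting flowing, authz on certificate only -> Base only
    Session("00:22:FB:1A:59:C2", True, NOW - timedelta(minutes=30),
            NOW - timedelta(minutes=5), NOW - timedelta(minutes=5)),
    # BYOD device registered in MyDevices -> Base + Advanced
    Session("AA:BB:CC:00:00:01", True, NOW - timedelta(hours=2),
            NOW - timedelta(minutes=20), NOW - timedelta(minutes=20),
            mydevices_registered=True),
    # NAD never sent accounting: stale after an hour, inflates an unpurged count
    Session("AA:BB:CC:00:00:02", True, NOW - timedelta(hours=3),
            NOW - timedelta(hours=3), None, authz_used_profile=True),
    # failed auth 2 minutes ago: still inside the retry grace, consumes nothing
    Session("AA:BB:CC:00:00:03", False, NOW - timedelta(minutes=2),
            NOW - timedelta(minutes=2)),
    # failed auth 40 minutes ago: grace expired, purged
    Session("AA:BB:CC:00:00:04", False, NOW - timedelta(minutes=40),
            NOW - timedelta(minutes=40)),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.mac, purge_reason(s, NOW) or "kept",
              "advanced" if consumes_advanced(s) else "base-only")
    print("after purge (base, advanced):", license_counts(SAMPLE, NOW))
    print("unpurged    (base, advanced):", license_counts(SAMPLE, NOW, apply_purge=False))
```

Comparing the two counts for a real directory export is the check a practitioner would run before opening a TAC case about inflated Advanced consumption.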
ISE license - base/advanced
Hello,
I have a small ISE deployment, wireless only, and purchased a 250 user license. When I applied the license file, I noticed that under Administration -> Licensing, the information looks like this...
Base: 90/100, Advanced: 0/250
What will happen once we hit 101 concurrent wireless users? Will user 101 be denied, or will ISE start to apply Advanced licenses?

Cisco Identity Services Engine (ISE) Ordering Steps
Estimate the number of concurrent endpoints in the network.
Estimate the number of appliances (physical or virtual) needed to support the number of concurrent endpoints in the network.
Please consult a network professional that has been Cisco ISE-trained and certified to design and estimate the number of ISE appliances needed.
Select the appropriate type of appliance suitable for your deployment. (Reference the appliance selection.)
Select the appropriate level of support needed for the appliances in your deployment. (Reference the appliance support selection.)
Select the appropriate type of license suitable for your deployment. (Reference the license selection.)
Select the appropriate level of services available from Cisco Advanced Services or a Certified Partner for design, deployment, and sustaining services of the ISE deployment.
Please check the link below, which can be helpful in making a decision about licensing:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html
Hi, I have 2 ISE 3315 working in standalone mode.
I have 2 sites.
ISE_1 is installed on site 1 and manages user groupe_1.
ISE_2 is installed on site 2 and manages user groupe_2.
I am planning to use the 2 ISE in failover.
I would like to configure:
1. ISE_1 to be primary for user groupe_1 and secondary (backup) for user groupe_2
2. ISE_2 to be primary for user groupe_2 and secondary (backup) for user groupe_1
Please, how can I configure it?
Which modifications would I add on the switch, WLC and ISE?
Thanks in advance for your help

Hello,
In this case, you can use a simple 2-node deployment scenario. In this scenario you will have ISE-1 as primary admin, secondary monitor, and PSN; you'll have ISE-2 as secondary admin, primary monitor, and PSN.
Be aware of these points:
1- If ISE-1 went down, you have to access ISE-2 GUI and promote it manually.
2- If ISE-2 fails, no problem the monitoring persona failover happens automatically.
3- To load balance the users you are talking about, you have to do this based on NADs. for example you have 4 switches, so do the following:
A.make SW1 and SW2 point to ISE-1 and ISE-2 as the radius servers but give higher priority to ISE-1.
B.make SW3 and SW4 point to ISE-1 and ISE-2 as the radius servers but give higher priority to ISE-2.
So you have divided the job on the two nodes, if one is down the other will handle all the communications with the NADs.
Check this document for all the info you may need regarding distributed deployments (and yes, the connection speed between the two nodes should be 1Gbps):
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf
Message was edited by: Ahmed AboRahal to add the document link.
Forescout mobile security solution vs Cisco ISE
Hi,
Can anyone provide me any link or document for comparison between "Forescout mobile security solution vs Cisco ISE".
Thanks in Advance
Manthan

Manthan,
Please ask your question in the AAA, Identity and NAC community. There are experts in that community who can answer this question.
-Rajeev
Return of semifinished material to vendor
hi gurus,
i have a peculiar situation in one of our client place. the scenario is like this:
raw material is received at stores and issued for production. here they have got some 8 steps to get the finished product.
say after 2 or 3 steps (ie) the semifinished material at this stage has to be returned to the vendor.
how can this be achieved.
thanks in advance.

If consumption in the BOM is in equal ratio (1:1) then adopt the procedure below:
Bring the semi-finished material stock to quality inspection. In QA32 record the usage decision; in the inspection stock tab enter the stock of material you want to return "To new material" (i.e. raw material) and enter the storage location (meant for return).
Now the stock will come back to raw material.
or
Reverse the production confirmations already done, bring the stock back to raw material,
then do the vendor return using return delivery in MIGO and reverse excise using J1IS if the invoice is not done for the GR material.
or
Otherwise
Create a return purchase order (with return tick), do MIGO (161 mvmt), reverse excise using J1IS, post credit memo (MIRO).
Edited by: Jeyakanthan A on Jul 14, 2010 4:49 PM
FlexConnect Access Point - Wired 802.1X or MAB Authentication
Hi all,
We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
Thanks in advance.
Regards,
Stephen.

Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
1. AP, authenticates via MAB and profiling
2. Client authenticates via PEAP/EAP-TLS, etc
3. Now the client's traffic is locally switched, thus, the client mac address is showing on the same port where the AP is connected. The NAD (Switch) sees this new mac address and it is expecting it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that and as far it is concerned it was already authenticated.
So I have run into this issue in my deployments and you have the following options (listed in preference order):
1. Eliminate FlexConnect :)
2. Utilize AutoSmartPorts where:
- If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
- If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
More info on auto smart ports:
http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
Hope this helps!
Thank you for rating helpful posts!
Hi Folks,
Well I thought I was pretty happy with licensing, and what I understood was:
1. Licensing is based on number of concurrently active users.
2. An advanced license is used if an endpoint is allocated an authentication profile based on a rule which uses profiling information/posturing.
This shows my current licensing page:
and here's a summary from the front page:
Don't these two already contradict each other?
I've no idea where 28 advanced licenses have been used. No posturing in place, fairly simple setup, dot1x certs and MAB. Any tips for troubleshooting license usage?
Ver 1.1.4 Patch 3

bikespace,
In ISE 1.1.x, the Advanced license is the count of postured, BYOD, or profiled endpoints that are active in the session directory.
You can make use of this API reference guide to check the active session count.
http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1068744
The API to check for the active session count is as follows:
https://MNTise-node-name/ise/mnt/Session/ActiveList
Looks like an issue with the Dashboard query. The Dashboard might be taking the count of stale endpoint sessions as well.
Export User Accounts/AAA Local Database from 4404 WLC
Hi,
Guest User Accounts have been created in the local database of the WLC 4404. Because we are going to use Cisco ISE for Guest user authentication, I would like to know if there is a way to export these accounts and import them into Cisco ISE.
Thanks in advance.
Joana.

Ok, thanks for your response.
Joana.
Run as for .msc and Server Manager
I have installed RSAT for Win 8.1 Pro x64 and created custom .msc console with ADUC, DNS, DHCP and other snapins, put it on my desktop. Also I put shortcut for Server Manager on my desktop. Is there any way to start these as domain admin account which I
have along with my "normal" user account - using run as in some way. I could use shift+right click and run as different user but I prefer the other way if possible. I want the same for Windows PowerShell and Windows PowerShell ISE.
Thanks in advance!

It seems only the domain administrator has the right to open an MMC console saved by another user. Right-click the console document and choose Run as administrator, then enter your user name and password. The console opens with Administrator rights...
Best,
Howtodo
Hi Folks,
I have a clarification related to ACS 1121. A client needs a solution for the ACS feature; instead of investing in ISE Base, is there any model that exists as an ACS appliance only? I believe ACS 1121 is going to be EOS and it says SNS 3415 is the replacement model.
What I am confused about is that it is an ISE as well as ACS, and there is separate licensing for ISE (as base and advanced). What should I do if I need to select SNS 3415 as an ACS appliance? Is it built in or do I need to add anything extra?
Appreciate your kind help and support.
Regards,
SID

End-of-Sale Date of 1121 : February 26, 2013
The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date.
Last Date of Support: HW : August 31, 2018
The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.
for more information:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/eol__C51-726880.html
The licence will be different for both ACS 5.x and ISE 1.x. When ordering a Secure Network Server, the customer has the flexibility to install the Cisco Identity Services Engine (ISE), Network Admission Control (NAC), or Access Control System (ACS) security applications.
The Cisco Secure Network Server is based on the Cisco UCS C220 Rack Server and is configured specifically to support the Cisco Identity Services Engine (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The Secure Network Server supports these applications in two versions. The Cisco Secure Network Server 3415 is designed for small and medium-sized deployments.
The new Cisco 3415 Secure Access Control System appliance, based on the Cisco UCS C220 M3 platform. Cisco Secure ACS 5.4 will support the Cisco 3415 and 1121 Secure Access Control System appliances. Yes, this box will eventually replace the 1121.
For more info
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/data_sheet_c78-715717.html
Jatin Katyal
- Do rate helpful posts -
ISE 1.2/1.2.1 license consumption issues
Hi all, I know this topic is somewhat done to death but I want to know whether anyone else is experiencing this issue. In summary my ISE deployment (right this minute) has 17 Active sessions with 17 base and 17 plus licenses consumed. My issue with this is that of the 17 active sessions only 8 of these sessions are utilising a plus feature ie the registration status in the authorisation policy. In short at all times the plus license consumption always matches the base license consumption.
I have continually had this issue with all ISE deployments whereby the license consumption does not reflect Cisco documentation and my configurations. Without giving screenshots I can say with certainty that the only plus feature been used is the BYOD onboarding and subsequent registration status in the authz policy. The rest of my policies are straight forward CWA guest and EAP-TLS machine cert authorisations with no profiling information used in the policy. I have gone so far as to turn off profiling and removing BYOD policies with the same results.
The following document clearly states what should and shouldn't consume a license:
http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.pdf
Any input would be appreciated.

The bug is listed as fixed, but I don't see which software it is fixed in. I must admit I've seen this problem for months, probably over a year now. It was already the case on 1.1.4 at least. I have some customers using 1300 of 500 advanced licenses.
It would be nice if it functioned exactly as the documentation always said. It would give you a warm feeling that things will keep working when the advanced license expires entirely (I'm sure we'll find out soon).
At one point I was told it was under discussion whether to fix the problem, or to fix the documentation to fit the problem, but last I heard it would be fixed at some point in the future. Every time we get a call regarding new software (1.2.1, 1.3) I make sure I ask them that the trust based licensing continues. We're OK as long as trust based licensing continues, but it's scruffy and hard to explain to customers why it shows 3 times as many advanced users as they already have. And then on occasions you see their eyes light up when they realise they can run 3000 advanced and Cisco will be none the wiser, or alternatively that they could have got away with a 100 user license and you've just cost them a 5000 user license that nobody can tell if they are using or not.
We have 2000 base and advanced licenses and we are running ISE 1.2. If we upgrade to 1.3, what happens to the licenses? Do we need to buy Plus/Apex licenses?

When you migrate to 1.3 your license will be updated; advanced licenses become Plus and Apex.