ISE - Advanced License Usage

Similar Messages

• ISE Advanced license details (how to?)

  I'm currently checking an ise deployment recently migrated to production phase
  in the license count it shows 1-3 advanced licenses used but none of the authorization policies use explicit conditions that make use of the profiling grouping (profiling enabled but not used in any authorization condition)
  it is still showing (after 2 days) this 3 advanced license used... note that the test switches are still connected but no port is used....
  is there a way to correlate this 3 consumed licences to the endpoint using it?
  thank you very much for your help
  Giuliano

  Please disable the posturing and pforiling feature in ISE appliance. After this there is no chance to consume the advance license.

• ISE 3315 License needed for integration with PxGrid SealthWatch

  Hello Experts,
  i have ISE 3315 with Version 1.3
  i want to integrate it with pxgrid and ordering Sealthwatch. Can anyone tell me do i need To have ISE Advance-License for this integration ? Or with ISE  Base-License it can work?
  Thanks

  ISE License Packages
  Perpetual/Subscription (Terms Available)
  ISE Functionality Covered
  Notes
  Base
  Perpetual
  Basic network access: AAA, IEEE-802.1X
  Guest management
  Link encryption (MACSec)
  TrustSec
  ISE Application Programming Interfaces
  Plus
  Subscription (1, 3, or 5 years)
  Bring Your Own Device (BYOD) with built-in Certificate Authority Services
  Profiling and Feed Services
  Endpoint Protection Service (EPS)
  Cisco pxGrid
  Does not include Base services; a Base license is required to install the Plus license.
  Apex
  Subscription (1, 3, or 5 years)
  Third Party Mobile Device Management (MDM)
  Posture Compliance
  Does not include Base or Plus services; a Base license is required to install the Apex license.
  Note   
  When you use Cisco AnyConnect as unified posture agent across wired, wireless, and VPN deployments, you need Cisco AnyConnect Apex user licenses in addition to Cisco ISE Apex licenses.
  Mobility
  Subscription (1, 3, or 5 years)
  Combination of Base, Plus, and Apex for wireless and VPN endpoints
  Cannot coexist on a Cisco Administration node with Base, Plus, and/or Apex Licenses.
  Mobility Upgrade
  Subscription (1, 3, or 5 years)
  Provides wired support to Mobility license
  You can only install a Mobility Upgrade License on top of an existing Mobility license.
  Evaluation
  Temporary (90 days)
  Full Cisco ISE functionality is provided for 100 endpoints.
  All Cisco ISE appliances are supplied with an Evaluation license.

• ISE ver 1.1.2.145 advanced license consumption

  Hello,
  I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:
  I have an XP machine that I am using to access network though ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate company asset. Everytime the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am note using the profiled group, posture assessment, nor even onboarding in my Authz policy.
  Here is the authorization rule:
  Here is the licensing page:
  base                             advanced
  1/20
  1/20
  Here is the only active session from active session report:
  xp-test.ashour.local
  00:22:FB:1A:59:C2
  10.30.30.117
  dot1x
  EAP-TLS
  NotApplicable
  N/A
  WindowsXP-Workstation
  Running
  ise
  And here is the live authentication:
  Authentication Summary
  Logged At:
  December 10,2012 5:27:36.331 PM
  RADIUS Status:
  Authentication succeeded
  NAS Failure:
  Username:
  xp-test.ashour.local
  MAC/IP Address:
  00:22:FB:1A:59:C2
  Network Device:
  5508-WLC : 10.255.255.20 : 
  Allowed Protocol:
  Default Network Access
  Identity Store:
  Authorization Profiles:
  PermitAccess
  SGA Security Group:
  Authentication Protocol :
  EAP-TLS
  Authentication Result
  User-Name=xp-test.ashour.local
  State=ReauthSession:0affff140000005550c6598d
  Class=CACS:0affff140000005550c6598d:ise/144192099/4026
  Termination-Action=RADIUS-Request
  MS-MPPE-Send-Key=99:b0:49:f5:e1:eb:20:a6:2b:2a:97:fe:f1:68:a0:02:a7:98:3c:03:12:2a:90:70:3a:6c:fd:ed:1c:3b:bc:4b
  MS-MPPE-Recv-Key=8e:c8:88:f8:fb:75:02:3d:32:48:8a:b0:9e:7d:74:5d:04:f7:de:48:3c:b9:c3:e7:36:e5:05:f3:c7:6c:21:7d
  Related Events
  Dec 10,12 5:27:36.072 PM
  Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:
  Radius authentication passed
  Dec 10,12 5:23:56.647 PM
  Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2  AUTHTYPE:
  Radius authentication passed
  Dec 10,12 5:06:07.317 PM
  Radius accounting start
  Radius accounting start
  Authentication Details
  Logged At:
  December 10,2012 5:27:36.331 PM
  Occurred At:
  December 10,2012 5:27:36.331 PM
  Server:
  ise
  Authentication Method:
  dot1x
  EAP Authentication Method :
  EAP-TLS
  EAP Tunnel Method :
  Username:
  xp-test.ashour.local
  RADIUS Username :
  host/xp-test.ashour.local
  Calling Station ID:
  00:22:FB:1A:59:C2
  Framed IP Address:
  Use Case:
  Network Device:
  5508-WLC
  Network Device Groups:
  Device Type#All Device Types#WIRELESS,Location#All Locations#ASHOUR RESIDENCE
  NAS IP Address:
  10.255.255.20
  NAS Identifier:
  ASHOUR-WLC1
  NAS Port:
  1
  NAS Port ID:
  NAS Port Type:
  Wireless - IEEE 802.11
  Allowed Protocol:
  Default Network Access
  Service Type:
  Framed
  Identity Store:
  Authorization Profiles:
  PermitAccess
  Active Directory Domain:
  Identity Group:
  Profiled:Workstation
  Allowed Protocol Selection Matched Rule:
  Dot1X
  Identity Policy Matched Rule:
  Default
  Selected Identity Stores:
  Authorization Policy Matched Rule:
  Company asset
  SGA Security Group:
  AAA Session ID:
  ise/144192099/4026
  Audit Session ID:
  0affff140000005550c6598d
  Tunnel Details:
  Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 30
  Cisco-AVPairs:
  audit-session-id=0affff140000005550c6598d
  Other Attributes:
  ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,Device Type=Device Type#All Device Types#WIRELESS,Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,Software Version=7.2,Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD
  Posture Status:
  NotApplicable
  EPS Status:
  Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12809  Prepared TLS CertificateRequest message
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12568  Lookup user certificate status in OCSP cache
  12570  Lookup user certificate status in OCSP cache succeeded
  12554  OCSP status of user certificate is good
  12568  Lookup user certificate status in OCSP cache
  12570  Lookup user certificate status in OCSP cache succeeded
  12554  OCSP status of user certificate is good
  12811  Extracted TLS Certificate message containing client certificate
  12812  Extracted TLS ClientKeyExchange message
  12813  Extracted TLS CertificateVerify message
  12804  Extracted TLS Finished message
  12801  Prepared TLS ChangeCipherSpec message
  12802  Prepared TLS Finished message
  12816  TLS handshake succeeded
  12509  EAP-TLS full handshake finished successfully
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  Evaluating Identity Policy
  15006  Matched Default Rule
  22037  Authentication Passed
  12506  EAP-TLS authentication succeeded
  11503  Prepared EAP-Success
  Evaluating Authorization Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  15016  Selected Authorization Profile - PermitAccess
  11002  Returned RADIUS Access-Accept

  Hi,
  Please make sure that the profiling is disabled for this node, it seems as if the radius probe and the user agent is learned via the http probe.
  It also seems as if you are hitting this bug I understand the description doesn't line up but you may want to have TAC clarifiy if this isnt experience on authenticating networks:
  CSCub56607
  Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not
  The wireless session in question should be applied against the Base  license count. This issue has been observed in Cisco ISE, Release 1.1.1  where the following functions are set:
  •MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied
  •Profiling is disabled
  •Posture is disabled
  •The device in question has not been registered via the My Devices Portal
  Note There is no known workaround for this issue.
  Tarik Admani
  *Please rate helpful posts*

• We have 2000 base and advanced license we are running ISE 1.2 , if we upgrade to 1.3 what happens to the license do we need to buy plus/apex license

  We have 2000 base and advanced license we are running ISE 1.2 , if we upgrade to 1.3  what happens to the license do we need to buy plus/apex license

  when you migrate to 1.3 your license will be updated , advance license become plus,apex

• ISE advanced eval license alerts after full base install.

  Has anyone had an issue with the advanced eval license triggering the below alerts after a full base license has been installed and the advanced eval license has expired?
  How can I keep the license expiration warnings and avoid receiving warnings for an expired eval licence?
  This is on Cisco ISE Software Version 1.2.0 full running on a ISE-3315-K9. There is no requirement to go to a full advanced license.
  License Expiration
  Details :
  Advanced License expires in 30 days
  Description :
  The License installed on the ISE nodes have been expired or about to expire
  Suggested Actions :
  Please contact CISCO Account team to purchase new licenses
  *** This message is generated by Cisco Identity Services Engine (ISE) ***

  Gary,
  The way to supress this message is to disable the License Expiration Alarm.
  To do this, go to Administration > System > Settings.  Choose Alarm Settings from the Left Menu.
  Scroll down and select Licensing     |       License Expiration  from the list of Alarms.
  Click the Edit Button and use the dropdown to change the Status to Disable.  Click Submit and you're done.
  I would then set a Calendar reminder through Outlook (or on your phone) to enable this feature once the expiration date for your Advance License has passed.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE base vs advanced license

  Dear,
  Initial I was looking to use VMPS (dynamic VLAN assignment to ports based on MAC).But after some reading I understand 802.1X with Radius is a better solution, and finally I came to ISE.  My question: Is the BASE license for ISE sufficient to use the dynamic VLAN assignment (I.e. After authentication and authorization, a port will be set to a VLAN) or do I need to install the ADVANCED license ?
  Regards
  Jan

  The Base License is consumed whenever an authentication notification is  received by Cisco ISE. A single Advanced License is consumed when any  one or more of the following services or conditions are applied to the  endpoint session:
  •Posture
  •Security Group Tag assignment
  •Authorization using profile information
  •Endpoint is registered in the MyDevices Portal

• License usage

  Hi Folks,
  Well I thought I was pretty happy with licensing, and what I understood was:
  1. Licensing is based on number of concurrently active users.
  2. An advanced license is used if an endpoint is allocated an authentication profile based on a rule which uses profiling information/posturing.
  This shows my currentl licensing page:
  and here's a summary from the front page:
  Don't these two already contradict each other?
  I've no idea where 28 advanced licenses have been used. No posturing in place, fairly simple setup, dot1x certs and MAB. Any tips for troubleshooting license usage?
  Ver 1.1.4 Patch 3

  bikespace,
  In ISE 1.1.x, Advanced license is the count of postured, BYOD, or profiled endpoints
  that are active in session directory.
  You can make use of this API reference guide to check the Active session count.
  http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1068744
  The API to check for Active Session count is as follows :
  https://MNTise-node-name/ise/mnt/Session/ActiveList
  Looks like issue with Dashboard query . Dashboard might be taking the count of stale Endpoint sessions as well.

• Cisco ISE Active Endpoint Usage Reset

  Hi,
  I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoint shown on the dashboard? This was noticed after a restore of ISE due to replacement of hardware and I noticed that the license usage count/active endpoints does not seems to go down.
  The following methods have been tried however without any success:
  1. Reboot ise server/service
  2. Disable all network devices making use of ise such that there are no clients/devices accessing it; example switch/wlc/etc...
  3. Deleted all endpoints usage in identies/identies group
  4. Disable profiling on ise
  As the ise has been installed with a base license; not too sure if it may be either a bad restore (all service/application are working though) / bad radius accounting which does not timed out on the ise / etc...
  Any help is appreciated on how to reset the active endpoint/license usage.
  Thanks.                  

  Here is a method for removing the stale records. Please give this a try:
  http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE base license and import of enddevices

  Hi,
  Been going through the intire internet (or so it seems) and most guides and tips are about features that is included in the advanced license, profiling and so on.
  I am facing a case where base license should be enough. But I am confused about the import of endpoints.
  When using the base license is the only way to import devices manualy or through file or LDAP? Can't ISE scan the network an pick up MAC addresses automaticly?
  We dont have LDAP and about 20 000 endpoints, so adding them manualy or to a csv-file is too much work.
  Regards,
  Philip

  And another question about base license (I can guess the answer but some confirmation would be good)
  When the user has registered a device through the My Devices Portal webpage the device will end up in RegisteredDevices Identity Group.
  Is there anyway to change this? Is there  a way for the user to choose what group the device should be in? Or is the only way to change ID group that an administrator of ISE do it manually?
  The problem that we are facing are that some devices should go to VLAN X and other on VLAN Y. But since they all are assigned to the RegisteredDevices group there is no way to differentiate them in a authorization profile.
  Regards
  Philip
  Edit: Just found out that this might be solved in 1.2. It will implement the use of Endpoint Profile as an attribute in authorization profiles.

• ISE false licensing alarms

  Hello,
  I have an ISE 3315 with 250 base licenses and 250 advanced licenses. I have been receiving regular alarms (every two hours) stating the following...
  "Base concurrent users exceed license allowable count"
  However, the active device count is 202 and has never been above 206. The advanced is currently 57..
  Service Installations       License File        License Expires EndPoints           Updated Time   Counter
  Base Package                                                                    250                                         202/250
  I cannot clear the alarms either.
  Many thanks,
  Dave

  This is due to a known defect.
  CSCtw73946    Invalid ISE License Enforcement Alarm
  Symptom:
  With correct Base and Advanced License already installed correctly - ISE generates alert;-
  "Base concurrent users exceed license allowable count".
  "Advanced concurrent users/endpoints exceed license allowable count"
  Conditions:
  This is not Service Affecting.
  Workaround:
  None
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ISE Secondary licensing

  There used to be a facility to add the secondary ISE admin node to the licensing so that there weren't problems when the primary fell over.
  I licensed a primary and secondary yesterday for base in this way. When I filled out the advanced license in the same way it failed and suggested I raise a TAC case.
  TAC telling me that only the primary is licensed. Has this changed?
  I did ask if this was only for advanced, but got the same answer back "ISE is only licensed on the primary".
  Thanks.

  If you have two Administration nodes deployed in a high-availability pair, you can obtain a license based on the hardware IDs of both the primary and secondary Administration nodes. After you obtain the license, add it only to the primary Administration node. The license gets replicated to the secondary Administration node.
  Refer
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_license.html

• SD Billing - EPCG & Advance License

  Guys,
  Hi,
  Points will be given for all relevant / close answers.
  We are planning for a development for EPCG and Advance License tracking. but, these two numbers have to be mentioned in sD Billing.
  Can you suggest any user exit or any field exit to capture these details in SD Billing?
  Has anyone done this before, pl throw some light.
  regards,
  rahul asai

  Dear rahul
  Yes as for as exports from India is concerned, SAP has not addressed the requirement of export obligations.  Government incentives to Indian exporters like Advance Licence, EPCG, Drawback etc., are all have to be developed on our own.
  While developing, you can take into consideration the following to add new fields
  For Advance Licence
  -  Licence Type
  -  Licence Number
  -  Issue Date
  -  Validity period
  -  Export Item
  -  Obligation quantity
  -  Import components
  -  Export value
  For EPCG
  -  Licence Type
  -  Licence Number
  -  Issue Date
  -  Validity period
  -  Obligation period
  -  Obligation amount in Local currency
  -  Obligation amount in Foreign currency
  -  Type of EPCG Licence
  -  Item exported
  -  Asset Number
  -  po ref
  -  Plant to which the machinery would be imported
  Once you develop fields for maintaining the above basic datas, you can tell the ABAPer the logic as follows
  For Advance Licence
  Whenever export invoice is generated for an item which is maintained in Advance Licence, for print out, it has to fetch the text (as prescribed by the Government) from the above area and also based on the billing quantity, it should cumulate and ensure that the billing quantity should not exceed over and above the obligation quantity.
  For EPCG
  But for EPCG, the above condition is not applicable.  You can define a logic that if any of the items generated in billing is maintained in EPCG licence, the respective text (may be you can hard code this) should flow to invoice. 
  thanks
  G. Lakshmipathi

• Logged-in Resources stat not the same as license usage

  Hello,
  If I look in Real-Time Reporting, the number of logged-in resources is 29.  If I go on the CLI and run show uccx cad license usage, it's telling me that there are 26 licences in use.
  What's the reason for the difference?
  I've tried counting the supervisors, but that doesn't give me the difference.

  Hi Jemima,
  Could you please cross check wih the UCCX's Real Time reporting ,Overall Cisco Unified Contact Center Express Stats report.
  To access the Overall Unified CCX Stats report, choose              Reports                   > Overall Cisco Unified Contact Center Express                     Stats from the Application Reporting menu bar.
  Number of resources currently logged in.
  This will give the accurate results.
  Hope this helps.
  Anand
  Please rate helpful posts !!

• ISE SGT License

  We are using  150 servers and using Security Groups and 1500 clients connecting to them,  think I  need advance licenses?, do I need to worry about licenses for the clients connecting to the servers? pls assist me on this

  Every package is licensed based on the total  number of concurrent endpoints that use the services in the package. The  total number of endpoints includes all the endpoints connecting to the  Cisco Identity Services Engine within a deployment. Every time an  endpoint connects to the Cisco Identity Services Engine, it consumes one  license from one or more packages (depending on what services it uses);  when the endpoint disconnects from the network, it releases that  license from the Cisco Identity Services Engine (after the Cisco  Identity Services Engine receives a RADIUS stop message).
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
  Advanced
  Capabilities: Profiler and feed service, posture, MDM integration*, automated endpoint onboarding, and Security Group Access (SGA)
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: Base license
  Term license: 3- and 5-year terms
  Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
  ~BR
  Jatin Katyal
  **Do rate helpful posts**