ISE License for WLC

Similar Messages

• ISE license for TrustSec

  Hello,
  I want to know  does ISE with Plus-License support  TrustSec features ?     On the TrustSec 5.0 document, it is mentioned that you must have ISE Advance-License for TrustSec support. but  on other-hand on ISE Licensing-datasheet it is written Plus-License (Provides context about endpoints for more detailed access policies).   as per bellow table:
  ISE License Package
  Focus
  Perpetual/Subscription (Terms Available)
  Notes
  Base
  Secured access
  Perpetual
  Plus
  Provides context about endpoints for more detailed access policies
  Subscription (1, 3, or 5 years)
  Does not include Base services; Base licenses are required to install Plus licenses.
  Advanced
  Provides context and compliance details about endpoints for more detailed access policies
  Subscription (1, 3, or 5 years)
  Does not include Base services; Base licenses are required to install Advanced licenses
  http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.html
  Please let me know should I order Advanced or Plus License?      if Plus has this capability will be good for me because of its License pricing
  Thanks,

  At the beginning, there were only the Base- and Advanced licenses. There you needed Advanced for nearly everything that goes beyond basic Authentication and Authorization. In newer versions (starting 1.2.1 and one of ne newer 1.2.0 patch-levels), the plus license was introduced. And many Advanced-features were moved to Plus. As you will probably directly start with a newer version where the new licenses are used, you'll be fine with "Plus".

• ISE Licensing for IP Phones nodes

  Hi Guys,
  I'm currently worknig on an ISE design for a network where they have IP Phones for each end user device:
   Switch <--> IP Phone <--> End User Device.
  My concern is the licensing part; i'm not really interested in authenticating or profiling IP Phone nodes. rather i need only to provide full ISE services for End user devices behind IP Phones (Authenitcation,Authorizatino,Posturing....etc.). so i need to order a base and an advanced license that cover ONLY the number of end user devices without accounting for IP Phone units.
  Considering the above requirements ; what is the best deployment scenario to consider when configuring the switch interface that connect to each IP Phone with Single host port authentication (cdp bypass). would the ip phone consume from license count.
  What if we considered doing MAB for IP Phone nides and Dot1x for End users and considering MDA ? would it consume 2 units from total license number of nodes in this case ?
  What is the best practice for deploying and licensing ISE if i Cisco or a Third Party IP Telephony solution and i don't want to autheticate/authorize/profile ip phones ? 
  Thanks,
  Muayad Jallad,

  If you are using Cisco IP phones you can get away with single-host mode on the port which in effect ignores the phone. If the phone is a third party device you will most likely need to use multi-domain authentication and actually use ISE to allow the phone on the network.
  In summary - CIsco phone means potentially no license, if Avaya or other third party you will need to auth and use a license

• Updating Evaluation License for WLCS 3.5

  Hi,
  I am still evaluating WLCS 3.5 and would like to obtain a new evaluation
  license (my existing one ran out today). According to the docs this should
  just involve downloading another license and running UpdateLicense.cmd from
  the BEA_HOME directory where both the new and old license files reside.
  However, doing this has not had any noticeable effect (ie I can't start the
  server). The license.bea file still has today as the expiration date. Also
  do I need to upgrade my WLS6.0 license separately as well? A quick response
  would be appreciated.
  Regards
  Laura Allen

  Incidently, I can start the underlying WLS6.0 ok - I thought they used the
  same license file? The error I get when attempting to start WLCS is as
  follows:
  <14-Aug-01 15:48:44 BST> <Error> <COMMERCE_SERVER_FRAMEWORK> <LOG_FATAL:
  WebLogi
  c Personalization Server: Core Server: 3.5 license error.>
  Press any key to continue . . .
  "Laura Allen" <[email protected]> wrote in message
  news:3b793430$[email protected]..
  Hi,
  I am still evaluating WLCS 3.5 and would like to obtain a new evaluation
  license (my existing one ran out today). According to the docs thisshould
  just involve downloading another license and running UpdateLicense.cmdfrom
  the BEA_HOME directory where both the new and old license files reside.
  However, doing this has not had any noticeable effect (ie I can't startthe
  server). The license.bea file still has today as the expiration date.Also
  do I need to upgrade my WLS6.0 license separately as well? A quickresponse
  would be appreciated.
  Regards
  Laura Allen

• Can I use ISE demo license for wireless purposes???

  Hi all.
  We want to try an ISE deployment with one or two WLC and the license twe want to use initially is the demo embedded in the ISE appliance. We don't know whether we can do it because demo license covers base and advanced capabilities but not wireless (at least in administration/licensing this box shows "not installed" leyend) and we don't know whether a demo tape of wireless solution will work with this type of licensing; if not, is it possible to get a demo wireless license for ISE?
  Thanks.
  Best Regards.

  The evaluation license does cover the wireless. Its actaully a full license.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Generating license for ISE high availability primary/secondary nodes

  We have two ISE servers that will act as primary/secondary in a high availability setup.
  The ISE 1.0.4 installation guide, page 93, mentions that "If you have two Cisco ISE nodes configured for high availability, then you must include both the primary and secondary Administration ISE node hardware and IDs in the license file."
  However, after entering the PAK in the licensing page, the only required fields are:
  - Primary Product ID
  - Primary Version ID
  - Primary Serial No
  In this case, how can i include both primary and secondry HW and IDs?
  Thanks in advance.

  I am refering you a Cisco ISE Nodes for High Availability configuration guide, Please check:
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1128454

• Floating License for Vivado and ISE

  Hi
  I am currently working on generating the bit file for Spartan 6 XC6SLX150. It was mentioned that Evaluation version of Xilinx and Vivado does not support this particular part number. Therefore we  happened to get a floating license for Vivado. It was mentioned that once the Vivado license is upgraded the Xilinx ISE would be updated and the part number will be available in Xilinx to generate the bit file. The software was set up in window 8. After the installation procedure was completed the license was not updated. Any insight on this
  Regards
  Sukaniyaa

  Hello ,
  Starting from Vivado 2014.2, new Edition purchases will receive two license entitlements, a certificate-based entitlement that may be used with ISE 14.7 or previous versions, and an activation entitlement for Vivado tools. Earlier to 2014.1, tool
  subscribers used to receive a single certificate license that enabled both ISE and Vivado. 
  So if you have purchased new Vivado Design Suite (2014.2 or later), you will also get license for ISE which doesn't need to be updated since ISE 14.7 is the last version of ISE and no further versions will be released.

• License for 5508 WLC

  Dear All,
  We have two WLC 5508 in HA mode with 100 supported AP, we need additional 25 ap support license,
  the question is I need to buy license for 125 AP or i need to buy license for 25 AP and somehow add it to 100 we have now? is it possible?,

  Hi,
  You just top-up the licenses, i.e. only buy the extra licenses you need.
  I refer you to this document, in here you will find an example explaining how increasing licenses works.
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70ccfg.html#wp1879749
  HTH
  Mike

• Exceeding ISE license counts - performance consequences?

  Hello,
  I have a customer that is running a 2-node ISE deployment and is licensed for 250 Base and 250 Adv. users.
  We have moved the wired users over in one of their offices into Monitor Mode only, and the Base/Adv. Active license counts have exceeded both these values.
  Long-term, what is the operational impact?
  I understand from Chapter 7 of the ISE User Guide that "To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generate alarms when endpoint counts exceed the licensed amounts"
  My question is, that aside from a scenario where TAC is engaged and they see the license count exceeded, what is the operational and functional impact of exceeding the license count.  I know that ISE continues to process autthentications, because the 251st client is not refused access.
  I've read the Order Guide and the User Guide and the Hardware Guide, and no actual impact is mentioned.
  thanks in advance,
  Andrew

  I had a similar question. I asked how does ISE calculate users. In the wlc I would see 10k radius clients but ISE would show half that number. This is what I was told:
  Unfortunately there is no documentation on it. The active endpoints are calculated from the active sessions seen on the primary monitoring node session database, meaning active client sessions seen by PSNs and reported to the primary monitoring node. As to the rules that qualify an endpoint as active, there isn?t really even any internal documentation on that. The effective behavior seen indicates that this is calculated by endpoints who authenticate and continue to re-authenticate/periodically trigger accounting updates from NADs. Hopefully this helps!
  Tac case # 627456397
  Sent from Cisco Technical Support iPad App

• Understand ISE Licensing

  Hello,
  I am going to Order (SNS-3415-K9) ISE product to deploy at my company, my concern is the size of license I shall order, and how to know the correct number
  I have workstations (PC’s), laptops, Printers, IP-CAM’s, and WLC with 50 AP.
  How I can determine the number of license I should get in order to have the benefits from Cisco ISE.
  Best reagrds,
  Samer Hasan

  Question:
  I am going to Order (SNS-3415-K9) ISE product to deploy at my company, my concern is the size of license I shall order, and how to know the correct number. I have workstations (PC’s), laptops, Printers, IP-CAM’s, and WLC with 50 AP. How I can determine the number of license I should get in order to have the benefits from Cisco ISE.
  Cisco Identity Services Engine (ISE) Ordering Steps
  Here’s guide which can help in finding solution of your problem
  1. Estimate the number of concurrent endpoints in the network.
  2. Estimate the number of appliances (physical or virtual) needed to support the number of concurrent endpoints
       in the network.
  3. Select the appropriate type of appliance suitable for your deployment. (Reference the appliance selection.)
  4. Select the appropriate type of license suitable for your deployment. (Reference the license selection.)
  5. Select the appropriate level of services available from Cisco Advanced Services or a Certified Partner for design,
      Deployment and sustaining services of the ISE deployment.
  Step 1: Estimate the Number of Concurrent Endpoints in the Network
  Estimating the total number of concurrent endpoints is dependent on a number of variables. An approach to consider would be to take into account:
  • Number of employees in the organization
  • Average number of devices per employee (desktop, laptop, smartphone, desk IP phone, etc.)
  • Number of switch ports currently in the organization
  • Number of access points deployed in the organization
  • Average number of devices per access point
  • Dynamic IP address range being used
  • Average number of guests expected to join the network
  • Inventory of non-user devices such as IP cameras, printers, IP-enabled projectors, etc.
  A combination of factors that includes but is not limited to the above factors could be used to determine the total number of concurrent endpoints in the network.
  Step 2: Cisco ISE Appliances and Servers* Options
  Cisco   Identity Services Engine Appliances
  Option 1: Cisco Identity Services   Engine Appliances and Servers*
  Product Number
  Endpoints Supported
  Cisco Secure Network Server 3415*
  SNS-3415-K9
  5,000
  Cisco Secure Network Server 3495*
  SNS-3495-K9
  20,000
  Step 3: Cisco Secure Network Server Support SKUs*
  Product   Number
  SMARTnet Part Number
  Description
  SNS-3415-K9*
  CON-SNT-SNS-3415
  Cisco SMARTnet support for   SNS-3415-K9 - 8x5 Next Business Day
  Step 4: Select the Type of License
  Step 5: Cisco ISE License Options
  License   Type
  Features Supported
  Deployment Type Supported
  License Prerequisite
  License Term(s)
  Base License
  AAA
  Guest Provisioning
  Link Encryption Policies
  Wired
  Wireless
  VPN
  Perpetual
  Advanced License
  Device Onboarding/Provisioning
  Device Profiling and Feed Service*
  Host Posture
  Security Group Access
  Integrated Vendor MDM Support*
  Wired
  Wireless
  VPN
  Base License
  3- and 5-Year Terms
  Wireless License
  Device Onboarding/Provisioning
  AAA
  Guest Provisioning
  Link Encryption Policies
  Device Profiling and Feed Service*
  Host Posture
  Security Group Access
  Integrated Vendor MDM Support*
  Wireless
  3- and 5-Year Terms
  Step 6. Cisco ISE Functionality-Based License Options
  License   Tiers (T)
  Number of Endpoints Supported
  Base License
  Advanced 3-Year License
  Advanced 5-Year License
  Wireless 3-Year License
  Wireless 5-Year License
  Wireless Upgrade 3-Year License
  Wireless Upgrade 5-Year License
  100
  100 Endpoints
  L-ISE-BSE-100=
  L-ISE-ADV3Y-100=
  L-ISE-ADV5Y-100=
  L-ISE-AD3Y-W-100=
  L-ISE-AD5Y-W-100=
  L-ISE-W-3UPG-100=
  L-ISE-W-UPG-100=
  250
  250 Endpoints
  L-ISE-BSE-250-
  L-ISE-ADV3Y-250=
  L-ISE-ADV5Y-250=
  L-ISE-AD3Y-W-250=
  L-ISE-AD5Y-W-250=
  L-ISE-W-3UPG-250=
  L-ISE-W-UPG-250=
  500
  500 Endpoints
  L-ISE-BSE-500=
  L-ISE-ADV3Y-500=
  L-ISE-ADV5Y-500=
  L-ISE-AD3Y-W-500=
  L-ISE-AD5Y-W-500=
  L-ISE-W-3UPG-500=
  L-ISE-W-UPG-500=
  1000
  1000 Endpoints
  L-ISE-BSE-1K=
  L-ISE-ADV3Y-1K=
  L-ISE-ADV5Y-1K=
  L-ISE-AD3Y-W-1K=
  L-ISE-AD5Y-W-1K=
  L-ISE-W-3UPG-1K=
  L-ISE-W-UPG-1K=
  1500
  1500 Endpoints
  L-ISE-BSE-1500=
  L-ISE-ADV3Y-1500=
  L-ISE-ADV5Y-1500=
  L-ISE-AD3Y-W-1500=
  L-ISE-AD5Y-W-1500=
  L-ISE-W-3UPG-1500=
  L-ISE-W-UPG-1500=
  2500
  2500 Endpoints
  L-ISE-BSE-2500=
  L-ISE-ADV3Y-2500=
  L-ISE-ADV5Y-2500=
  L-ISE-AD3Y-W-2500=
  L-ISE-AD5Y-W-2500=
  L-ISE-W-3UPG-2500=
  L-ISE-W-UPG-2500=
  3500
  3500 Endpoints
  L-ISE-BSE-3500=
  L-ISE-ADV3Y-3500=
  L-ISE-ADV5Y-3500=
  L-ISE-AD3Y-W-3500=
  L-ISE-AD5Y-W-3500=
  L-ISE-W-3UPG-3500=
  L-ISE-W-UPG-3500=
  5000
  5000 Endpoints
  L-ISE-BSE-5K=
  L-ISE-ADV3Y-5K=
  L-ISE-ADV5Y-5K=
  L-ISE-AD3Y-W-5K=
  L-ISE-AD5Y-W-5K=
  L-ISE-W-3UPG-5K=
  L-ISE-W-UPG-5K=
  10,000
  10K Endpoints
  L-ISE-BSE-10K=
  L-ISE-ADV3Y-10K=
  L-ISE-ADV5Y-10K=
  L-ISE-AD3Y-W-10K=
  L-ISE-AD5Y-W-10K=
  L-ISE-W-3UPG-10K=
  L-ISE-W-UPG-10K=
  25,000
  25K Endpoints
  L-ISE-BSE-25K=
  L-ISE-ADV3Y-25K=
  L-ISE-ADV5Y-25K=
  L-ISE-AD3Y-W-25K=
  L-ISE-AD5Y-W-25K=
  L-ISE-W-3UPG-25K=
  L-ISE-W-UPG-25K=
  50,000
  50K Endpoints
  L-ISE-BSE-50K=
  L-ISE-ADV3Y-50K=
  L-ISE-ADV5Y-50K=
  L-ISE-AD3Y-W-50K=
  L-ISE-AD5Y-W-50K=
  L-ISE-W-3UPG-50K=
  L-ISE-W-UPG-50K=
  100,000
  100K Endpoints
  L-ISE-BSE-100K=
  L-ISE-ADV3Y-100K=
  L-ISE-ADV5Y-100K=
  L-ISE-AD3Y-W-100K=
  L-ISE-AD5Y-W-100K=
  L-ISE-W-3UPG-100K=
  L-ISE-W-UPG-100K=

• ISE used for BYOD and Corporate

  Hello
  I have a customer currently using EAP-PEAP on both their coporate laptop and wireless phones on different SSIDs, the radius servers are a pair of IAS servers. We have recently deployed ISE BYOD for them with a single BYOD SSID. Now they want to completely get rid of the IAS and move all Radius to ISEs but want to keep EAP-PEAP for laptops and phones.
  I am thinking about the authorization rules in the ISE, now they have 3 types of access using EAP-PEAP, a user must at least belong to the Employee AD group, but he may or may not belong to BYOD or/and PHONE groups as well. The authentiation results should be something like:
  1. if Corporate Laptop  then Permit Access
  2. if BYOD then NSP
  3. if Phone then Permit Access
  I am just wondering what is the best way to classify the devices (to decide the following action) without relying on profiling, Surely they all come from different SSIDs so I could check the WLAN ID to determine what action to follow, but that will need to make sure all the WLCs have the same WLAN ID for each SSID. Is there any better or neater way of doing this? What is the best practice for this kind of senario?
  Thanks

  If we're talking purely SSIDs, you can match the name of SSID
  For example here, I'm matching a SSID of "mlatosie".

• ISE license enforcement alarms

  Getting the following alarm from my ISE:
  Cause:
  Base License Enforcement
  Details:
  Base concurrent users exceed license allowable count
  Currently only using 1656 out of 2000 base licenses so I'm not sure what the issue is. Running 1.1.2.145 patch 3.

  Hello Tom,
  As I am unclear about your issue , to make it more clear can you tell me the exact base licenses  that you have purchased for your endpoints.
  can you send me the BOM regarding  ISE licenses  that you have purchased.

• Guest Cert problems ISE and Anchor WLC

  I'm setting up new Guest Wireless, I have 2 internal foreign 5508 WLC's talking to 2 DMZ anchor WLC's. The guest connects to Guest SSID and the anchor controllers acts as a DHCP server, the Guest interface configured on the WLC is the in the range of the DHCP scope I've setup. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
  Guest SSID - is setup for Webauth and Guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the Guest they get cert problem because the cert is not trusted (its an Internal Cert), Guest logins in ok and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
  In the browser Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
  1.1.1.1 is the Virtual interface of the Anchor WLC.
  How can I get the client to stop using the Virtual Interface for cert. Why is the WLC doing this? I gather something to do with DHCP?
  My plan is to apply a External Cert on the ISE for Guests, that way they will automatically trust a cert from Geotrust for example. But I'm going to still run into this Cert "not trusted" problem where the Guest is not trusting the WLC anchor  Virtual Interface 1.1.1 . Why is the guest using the Virtual interface error 1.1.1.1. I've even added the ISE name of the cert to the Virtual interface, same problem, instead its just says  wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on anchor WLC, still doesn't work.
  Hopefully I've explained this ok.....any ideas? but if the Guest page keeps getting presented with
  https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

  I followed Richard's advice and started from scratch, removing LWA and implementing CWA -MAB. It didn't take too long to setup CWA and get authentication working, I appled a Preauth ACL on WLC's and on ISE under Authorization pofile (CWA)
  This is when the problems started happening, I was using the default ISE Authorization profile
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.which is not what I want, again the certificate is the server cert which is not an external Cert that the guest wants to see. The user can login fine, unlike LWA, with Firefox or IE it would accept the cert and login so at least I had a working Guest wifi solution. Though there was a cert error symbol at the end of the browser url.
  The next step I tried was to change the Authorization Profile to
  (wireless.company.com which is a C-NAME for ISE box and has this Alias in the cert, this was a test before I apply the external cert)
  cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
  I applied the change and the new page appeared on the users laptop, great, but this time users were declined access via live Authentications, reason "Cannot login due to session id expiry, please login a again", I created a new user a/c, same problem. Not good. Ok so I thought well if I want clear all these stale session id's that appartenly exist I'll stop/start the application which I did from the command line, still the same error "Cannot login due to session id expiry". hmmm, whats going on here.
  I then rebooted the ISE (this must clear all the sessions!), reboot I performed from home and now for some reason I cannot login to the ISE front end GUI with the admin account or my account. Tried resetting the GUI password for admin and other admin users, the message "Error: cannot reset password this can only be performed on Standalone or Primary node" Well what have I done, just rebooted ISE nothing else apart from changing authorization profile. This box is a Standalone node. Without seeing if the clients connect due t no GUI access, I have referred this issue to TAC!
  Also I don't like the fact that your have to install a external cert against the internal node name, epsecially when its external. But again I haven't reached this part yet.

• Apply Licensing for 5508 HA

  Hi All,
  I have 2 5508, 5508-A has 500 permanent licenses and 5508-B 200 evaluation licenses, I'm setting up location awareness by adding 180 APs
  to 5508-B and then migrating APs on 5508-A to 5508-B and then setting up HA. It is being done this way to avoid disruption to production setup whilst testing, in total I will have 300 APs.
  I just need clarification on a couple of points.
  1. can I apply additional eval licenses to 5508-B so it supports 300 APs
  2. If I apply the HA license to 5508-A, will it push the permanent license count to 5508-B and become standby or will the configuration
      on 5508-B be pushed to 5508-A and the APs disconnect from 5508-B and move to 5508-A and 5508-A is primary whilst 5508-B remains secondary.
  3. In the event of failover will this be transparent to the MSE and Prime 1.3
  I have read the High Availability (AP SSO) Deployment Guide, and wonder if I'm making it to complicated in terms of migrating APs
  between controllers and should just work on the production controller, but be careful whilst doing it.
  TIA

  Well I don't know if this migration will be transparent. The license for an HA sku WLC is 500 which is the max, but the real license count depends on the primary WLC. The HA WLC just needs a 50 ap license to perform the HA role. I don't really think you should use eval license for HA as you will have to disable AP SSO in order to add a true license and then enable AP SSO. This might become an issue if when you disable AP SSO, your wireless goes down. HA AP SSO hasn't been very stable and that's why there is always risk in doing what you want to do.
  Like the saying goes... Proceed with caution:)
  Sent from Cisco Technical Support iPhone App

• ISE Compatibility with WLC 5760

  The ISE compatibility Matrix (June 5, 2013), does have a row for WLC 5760 in its tables.
  The WLC 5760 Release Notes says it is compatible with with ISE without specfying which features.
  Why is the WLC 5760 missing from the ISE Compat Matrix and how can I get specific ISE feature support (ie CoA, DACL).
  Thanks.         

  Hello Marvin,
  ISE 1.2 is in road map and it will be available till July 17, 2013 and that will support WLC 5760 and all the features which you are looking.