ISE licenses and Profiling service

Hi,
I tried to find a proper explanation of how ISE licenses are used, but I am still not sure of one thing.
With the Plus license, when the profiling service is turned on, is the number of endpoints consumed from the Plus license for every endpoint that has been profiled and successfully authenticated, or will the number be consumed from the Base license first?

A successfully Authenticated device draws from the Base License.
A Profiled device draws from the Plus License.
A successfully Authenticated profiled device draws from both. 
This is why you need at least as many Base as Plus or Apex Licenses.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
Charles Moreton

Similar Messages

  • Cisco ISE functionality and license

    HI. 
    I wanna configure the following on Cisco ISE 1.2.1.
    Self-registration portal for guests (SSID: guests)
    802.1x user certificate check (Cisco NAM supplicant) for employees (SSID: Corporate) (EAP-TLS)
    Self provisioning portal (to deploy BYOD certificate and give access for BYOD devices) for BYOD devices (SSID: Corporate) (PEAP, MSCHAPv2)
    Can I configure these things with PLUS license or do I need Adv or Wireless? I am not sure if one of these requires profiling functionality.

    With plus license all the above items should work.
    Here is what plus license supports:
    Bring Your Own Device (BYOD)
    Profiling
    Endpoint Protection Service (EPS)
    TrustSec SGT
    For more info, refer to the ISE license section:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_license.html#41012
    Regards,
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling

    Hi All,
    We are running a Cisco ISE box on version 1.2.1, and I am facing the issues below during deployment. We have two ISE boxes, where one box acts as Primary Admin, Secondary MNT and Policy Service and the second box acts as Secondary Admin, Primary MNT and Policy Service.
    1) Profiling of endpoints - Profiling of HP LaserJet 55XX series printers and scanners is not happening in Cisco ISE 1.2.1, where I have enabled the probes below for profiling:
    RADIUS Probe
    SNMP Probe
    SNMP Trap
    HTTP Probe and DNS
    2) AnyConnect issue - We are using AnyConnect supplicant 3.0.11042 for the wired and wireless user profile on Windows 7 Enterprise 32-bit machines.
    - Yellow mark issue - Once authentication and posturing are completed, we get a yellow mark on the network drive, but we are still able to connect to the network.
    - Network Map Drive issue - Once authentication and posturing are completed, we get a red cross mark on the mapped network drive, and if we double-click that drive it becomes accessible and the red mark turns green.
    For that we have already allowed IP level access to all domain in the before-logon DACL (machine authentication).
    It would be really great if anyone can help me with this.
    Thanks & Regards
    Pranav

    Hi Pablo ,
    Please find the solutions below.
    Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is by default disabled on Windows XP and Windows 8.X operating systems. This is only enabled by default on Windows 7 and Windows Vista operating systems.
    Network Map Drive issue - Create a logon script and deploy it using Group Policy. The script will check for full network connectivity and then map the network drives.
    Regards
    Pranav

  • W7: User Profile Service service failed at log on: Apparently W7 is no longer creating any user profile data other than username and picture.

    First time poster, but I think I've done my homework on this issue.
    This issue has similar symptoms to a problem with vista: http://www.vistax64.com/tutorials/130095-user-profile-service-failed-logon-user-profile-cannot-loaded.html
    However, it is definitely not the same issue (see further).
    Current Config:
    HP dv7-1450.
    W7 RC 7100 x64
    Last update (up to date as of 8/31/09) installed successfully 8/26/09 and should be unrelated to this issue (not verified yet by a pre-update restore).
    Running with Admin account while diagnosing/troubleshooting.
    Currently have two working accounts, one standard, one admin.
    Symptom:
    New user accounts cannot be logged into.  On an attempted login to the new account, the following information is displayed on the login screen:  "The User Profile Service service failed the logon.  User profile cannot be loaded."  Windows then logs off the operator and returns to the initial user selection screen.  All other aspects of use are normal.
    Current Diagnostics:
    First attempts to resolve this problem were to recreate the new account.  This was attempted when logged in as both Standard and Admin.  This was also attempted under safe mode.  This has been attempted with virus protection disabled.  All to no difference in the symptom.
    The similarity to the Vista issue (linked above) caused me to check the registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ for the new profile (as suggested by that link).  Unlike that issue, there simply is no entry for the new user.  Examination of the new log entries from creation of account to attempted log in provides the following entries:
    Level Date and Time Source Event ID Task Category
    Information 8/31/2009 12:34:31 PM Microsoft-Windows-Winlogon 6000 None The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
    Warning 8/31/2009 12:34:11 PM Microsoft-Windows-Winlogon 6001 None The winlogon notification subscriber <Profiles> failed a notification event.
    Information 8/31/2009 12:34:11 PM Microsoft-Windows-Winlogon 6000 None The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
    Warning 8/31/2009 12:34:11 PM Microsoft-Windows-Winlogon 6001 None The winlogon notification subscriber <Sens> failed a notification event.
    Error 8/31/2009 12:34:10 PM Microsoft-Windows-User Profiles Service 1500 None "Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
    DETAIL - Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
    Warning 8/31/2009 12:34:10 PM Microsoft-Windows-User Profiles General 1509 None "Windows cannot copy file C:\Users\Default\AppData\Local\Microsoft\Windows Live\SqmApi\SqmData720896_00.sqm to location C:\Users\TEMP\AppData\Local\Microsoft\Windows Live\SqmApi\SqmData720896_00.sqm. This error may be caused by network problems or insufficient security rights.
    DETAIL - Access is denied.
    Error 8/31/2009 12:34:09 PM Microsoft-Windows-User Profiles Service 1511 None Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
    Warning 8/31/2009 12:34:09 PM Microsoft-Windows-User Profiles General 1509 None "Windows cannot copy file C:\Users\Default\AppData\Local\Microsoft\Windows Live\SqmApi\SqmData720896_00.sqm to location C:\Users\{New Username}\AppData\Local\Microsoft\Windows Live\SqmApi\SqmData720896_00.sqm. This error may be caused by network problems or insufficient security rights.
    DETAIL - Access is denied.
    Naturally I started with the earliest error first, and decided to look to see what is going on.  The file that is trying to be copied is there, but the destination folder does not exist.  As near as I can tell, whatever process (the User Profiles General Service?) is trying to perform the copy does not have sufficient access to perform the operation.  Specifically I suspect it may not be able to create the appropriate folders before performing the copy.  Interestingly, it appears that when windows attempts to open/create a temporary account profile, the same issue occurs.  Since there is no registry entry either, I suspect that the issue also extends to the creation of registry keys, but I am not familiar enough with the sequence of events in the creation of a user profile to determine if this would come before or after a user profile's first login.
    I attempted to find more information, and was able to investigate the UPS diagnostic event log (for a different, but identical attempt at creating and using the new profile).  The following two (unhelpful to me) log entries were generated.
    Level Date and Time Source Event ID Task Category
    Information 8/31/2009 12:34:10 PM Microsoft-Windows-User Profiles Service 1002 (1001) "The description for Event ID 1002 from source Microsoft-Windows-User Profiles Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    The message id for the desired message could not be found
    Information 8/31/2009 12:34:09 PM Microsoft-Windows-User Profiles Service 1001 (1001) "The description for Event ID 1001 from source Microsoft-Windows-User Profiles Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    It seems to imply that the User Profiles Service may be corrupted, but this may also be unrelated.  I do not know how to specifically repair this service anyway (but am open to try it if someone can walk me through it a bit).
    There's the info.  I'd like to figure out how to watch the account creation process in more detail to see if I glean more, but I don't have the experience to know what to do to enable such a log.  I will not perform a reinstall and am loath to do a restore, instead looking more for a cause and effect repair: something that would actually help MS fix the problem rather than have the customer fix the symptom.
    Thanks in advance to responders!

    To resolve this issue, I suggest you delete the file C:\Users\Default\AppData\Local\Microsoft\Windows Live\SqmApi\SqmData720896_00.sqm.
    Arthur Xie - MSFT

  • Error in Windows 7: User Profile Service was not logged on. The user and administrator profile

    Error in Windows 7: User Profile Service was not logged on. The user profile can not be loaded. Administrator profile and the code does not work. What do I do?
    HP G5384sc desktop pc

    Hello
    Unfortunately I did not manage to fix my computer yet. My printer is broken so I bought a new one, but since I do not have administrator rights, I can not connect the new printer, so I have to write all-installing notes down with pencil and simultaneously translate them into Danish so it is a very slow process. I'll tell you if it succeeds, otherwise there is of course the primitive way to buy a new computer, but it's the same as giving up. Not yet.
    Until now, many thanks for the good suggestions.
    Kind regards
    Birgeres

  • SharePoint 2010; Re-using profile and social database in User profile service application

    Hi
    Using ms server 2008r2, sql 2008r2, 2 WFE and 1 Appserver and SQL cluster.
    I have restored my User profile service application using restored databases profileDB and SocialDB; the SyncDB was recreated as I had problems starting the user profile synchronization service when using the old SyncDB.
    I managed to create and start a full connections sync to Active Directory and got all my 6000 profiles in. Ok.
    This morning I noticed that the number of user profiles was only 2000, so I'm wondering what could have happened.
    I did notice that the user sync was very slow yesterday.
    PS: I did not think/know about exporting the Microsoft Identity Integration Server Key (MIIS) encryption key earlier, so I don't have this key. That is probably why the backed-up old SyncDB did not work.
    Any ideas?
    brgs
    Bjorn

    http://technet.microsoft.com/en-us/library/gg576965(v=office.14).aspx
    Under "Back up a User Profile Service service application (UPA) using SQL Server tools":
    It is very important to export the "Microsoft Identity Integration Server Key (MIIS) encryption key" from the old environment to the new farm, when restoring the UPA to a new farm. The reason being is that you will be unable to start the UPA synchronization service with the restored SynchDB without importing this key. And if you only use the restored SocialDB and ProfileDB with a new SynchDB, you will experience problems with losing Profiles in your UPA.
    My initial sync gave me all 6000 users, while this morning I suddenly had 2700:-).
    My problem is that we deleted the old servers and I don’t have this key:P

  • Some links and social network features not active in user profile service for some users in sharepoint 2013

    Hi everyone,
    I installed the user profile service and synchronized. When I go to my site as the administrator user, everything is OK.
    But when I log in as another user, the my site looks like this
    Please guide me to resolve this problem.
    Thanks in advance.

    Can you please check and share mysite setting details. Check for below:
    - Create a site collection at the root using the My Site Host template
    - Assuming you want users’ MySites to be created at http://mySiteHost/personal/[John_Smith], create a Managed Path for the web app. The path should be personal, and the type should be Wildcard Inclusion.
    - In User Profile Service Application, set My Site Host location to http://mySiteHost, and Personal Site Location to personal.
    - Enable Self-Service Site Creation for the web app
    - Check when the My Site timer job was last executed. Try to manually run it
    - Check the ULS log for possible errors and share the error details with us
    If this helped you resolve your issue, please mark it Answered

  • User profile service office 365 and infopath

    I'm having a very strange issue with the user profile service and InfoPath 2013 web form.  I am using Office 365. 
    I created a data connection to pre-populate user information using the _vti_bin/UserProfileService.asmx url.
    I can get everything to work when I preview the form within the client, however when I publish the form to a form library I get this error.
    "Warning
    An error occurred querying a data source.
    Click OK to resume filling out the form.
    You may want to check your form data for errors.
    Hide error details
    An error occurred while trying to connect to a Web service.
    An entry has been added to the Windows event log of the server.
    Log ID:5566
    Correlation ID:c525519c-4385-e07f-85c1-fd6bd35a231f"
    I have been researching the issue and have come across some cause because of looping or authentication?  Is this a known issue?  Fix?

    I've been having the same issue .... and everything I've read seems to indicate this is currently NOT supported on SharePoint Online / O365 sadly.
    See below :
    http://community.office365.com/en-us/forums/154/t/185751.aspx
    Steve

  • User profile service failed the logon And cant enter safe mode

    I'm getting this problem with a T510 ThinkPad. I've searched for this and found that the only solution seems to be to start the computer in safe mode, but when I use F8 the computer goes into:
    Error 0210: stuck key 42
    press F1 to start up.
    then F1 leads to the BIOS setup utility, with no option for safe mode.
    when I try the "ThinkVantage" button, I get:
    Startup Interruption Menu
    ESC to resume normal startup
    F1 to enter the BIOS Setup Utility
    F12 to choose temporary startup device
    again, no safe mode option.
    Using F12 during startup gives me:
    Boot Menu
    2: ATAPI CDO: Optiarc DVD RW AD-7700H- (S2)
    4: ATA HDDO: HITACHI HTS723232A7A364 - (S1)
    5: PCI LAN: IBA GE Slot 00C8 V 1351
    <enter setup>
    in other words still no safe mode!
    I'll confess I'm no techie, in fact it's taken me a loooong time to type this on a tablet...but any help would be much appreciated.
    cheers

    Hi
    please check this KB article:
    Error message when you log on to a Windows Vista-based or Windows 7-based computer by using a temporary profile: "The User Profile Service failed the logon. User profile cannot be loaded"
    http://support.microsoft.com/kb/947215
    "A programmer is just a tool which converts caffeine into code"
    Want to install RSAT on Windows 7 Sp1? Check my HowTo: http://www.msfn.org/board/index.php?showtopic=150221

  • I have this message when i try to log onto my home pc "The User Profile Service, service failed the logon. User profile cannot be loaded." can I recover my music and photos from iCloud from another user account?

    I get this message when I try to log onto my home pc account "The user Profile Service, service failed the logon. User profile cannot be loaded" can I recover my data from another/new user account from my iCloud account??

    "Jesse.soto1" wrote in message news:1e164fdf-7370-45c0-9bc7-3b58278121c3...
    Good Afternoon Everyone,
    I am not technologically savvy; as a result I'm having trouble understanding previous posts on "The user profile service service failed to logon user profile cannot be loaded." Lingo on domain reset etc, not sure that this pertains to solving my issue... I can't even get past the sign in page let alone make changes. I am having this issue with my Dell Studio XPS 1340 with Windows 7 Home Premium. If anyone can provide their two cents I would greatly appreciate it.
    Very Respectfully,
    Jesse
    Home Premium cannot log on to a Domain, nor can it be set to try it.
    When you get the logon window, try hitting the three-finger salute (Ctrl+Alt+Del) twice – it may bring up the old-style login window – enter your credentials there.
    Noel Paton | Nil Carborundum Illegitemi |
    CrashFixPC | The Three-toed Sloth

  • Trying to log in and message reads: User Profile Service failed the logon. Profile Cannot be loaded

    When I try to log on by clicking my user icon, I'm getting a message that reads:  The User Profile Service service failed the logon.  User Profile cannot be loaded.

    Hi,
    Check the guide on the link below to see if any of the options ( particularly using windows System Restore ) helps.
    http://www.vistax64.com/tutorials/130095-user-profile-service-failed-logon-user-profile-cannot-loade...
    Regards,
    DP-K
    ****Click the White thumb to say thanks****
    ****Please mark Accept As Solution if it solves your problem****
    ****I don't work for HP****
    Microsoft MVP - Windows Experience

  • ISE 1.2 Profiling

    Having sat through the Cisco class and having also looked at the Cisco Press book "Cisco ISE for BYOD and Secured Unified Access", I have a question regarding profiling.  I have a dual server implementation I'm attempting to configure, and the temporary advanced license is long gone, resulting in only my BASE license.  I know that mainly because I receive an alert every 3 hours - I've disabled it.
    The courseware and the book seem to imply that any/all profiling capability is active ONLY if an Advanced license is in effect.  Does that mean ALL profiling?  Does that mean that I should just delete ALL Profiled Endpoints, as they were profiled prior to my Advanced license expiring? 
    When I go to Admin --> System --> Deployment and select a PSN, I would expect to see both a General Settings tab and a Profiling Configuration tab.     However, I only see the General Settings tab.
    In it, Enable Profile Settings is checked, but it is also grayed out.  If I deselect Policy Service, the check mark for Enable Profile Service goes away.  If I select Policy Service again, the check mark under Enable Policy Service does NOT reappear.  If I select Reset and start over, it's all back to how it was when I started.
    So since I do not have a Profiling Configuration tab, I am unable to change or even verify any of the potential probes.  Is there ANY base level of profiling/identification active, at any level without the Advanced license?  I think the answer is no, but the ordering of the material could be misinterpreted...

    I'm getting there.....
    My understanding was that once an endpoint is seen, its base profile is created, and it is fine-tuned and re-evaluated as more is learned about it.  An Apple device becomes an iPad, and iPad becomes an iPad 2, etc., all based upon the profiles that are built-in.
    Correct, as probes are used and should the ID of device change it will get updated under the end point folder.
    And this activity occurs regardless of the presence of an ADV license?  I fully understand that I might not be able to profile/posture machines, but I'd like to think that the "back-office" processing takes place regardless.  The simple answer is to buy a 100 endpoint ADV license, to boost my 750 endpoint base license, unless I can get a new eval license somehow.
    I believe the intention here was that if a device became associated with the ISE implementation, say over wireless, the user of that device could join an SSID, authenticate once, and then not have to authenticate for quite some time, a variable that could be set by the administrators.
    This is not the case actually. When a wireless device attaches to the network the first time, it MUST authenticate. In fact, if the device doesn't support OKC, you will see your device authenticate with RADIUS each and every time during a roam. Specific to guest, you can tune the timers so they don't get the AUP every few minutes.
    OK, you lost me at OKC.  Please tell me auto-correct has struck again.  Dot1X is what you meant, right? 
    I fully get the fact that the first time a device is seen it has to authenticate.  Users have complained of having to reauth each time they roam.  I believe the bulk of that can be cured by having them set their WiFi Preferences.  They also want a default landing page after they authenticate.  They appear to get left with a window saying they are renewing their IP, but no redirection.  This is probably something I neglected to set...

  • Basic ISE Licensing question

    Hi,
    Just a question on ISE license consumption.
    If a user logs in and gets authenticated (user authentication) via ISE on a device that is already authenticated (device authentication), does it consume 2 licenses, one for the device and one for the user?
    This is nowhere clearly told in any cisco documentation.
    Can anybody help me clarify this?
    Thank you,
    Mohan

    The base package includes all of the base services required to enable 802.1X, Guest, and Monitoring and Troubleshooting. The advanced package includes Posture, Profiler, and Security Group Access services.
    Cisco ISE is bundled with a licensing mechanism that has the following important features:
    •Built-in License—Cisco ISE comes with a built-in evaluation license, which is valid for 90 days. The evaluation license includes both base and advanced packages and limits the number of endpoints to 100 for both the base and advanced packages. Therefore, it is not required to install a regular license immediately upon installation.
    •Central Management—Licenses are centrally managed by the ISE administration node. In a distributed deployment, where two ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.
    •Concurrent Endpoint Count—The Cisco ISE license includes a count value for base and advanced packages, which restricts the number of endpoints that use those services. The count value is the number of endpoints across the entire deployment that are concurrently connected to the network and accessing the service.
    Concurrent endpoints represent the total number of supported users and devices. An endpoint can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.
    IMPORTANT : - Alarm is generated when the soft limit of endpoints is crossed and there is no functional impact on the users. To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. However there are plans to implement a hard limit on this soon.
    Regards,
    Jatin Katyal
    ** Do rate helpful posts **

  • Understand ISE Licensing

    Hello,
    I am going to order the (SNS-3415-K9) ISE product to deploy at my company. My concern is the size of the license I shall order, and how to know the correct number.
    I have workstations (PCs), laptops, printers, IP-CAMs, and a WLC with 50 APs.
    How can I determine the number of licenses I should get in order to have the benefits of Cisco ISE?
    Best regards,
    Samer Hasan

    Question:
    I am going to order the (SNS-3415-K9) ISE product to deploy at my company. My concern is the size of the license I shall order, and how to know the correct number. I have workstations (PCs), laptops, printers, IP-CAMs, and a WLC with 50 APs. How can I determine the number of licenses I should get in order to have the benefits of Cisco ISE?
    Cisco Identity Services Engine (ISE) Ordering Steps
    Here's a guide which can help in finding a solution to your problem:
    1. Estimate the number of concurrent endpoints in the network.
    2. Estimate the number of appliances (physical or virtual) needed to support the number of concurrent endpoints in the network.
    3. Select the appropriate type of appliance suitable for your deployment. (Reference the appliance selection.)
    4. Select the appropriate type of license suitable for your deployment. (Reference the license selection.)
    5. Select the appropriate level of services available from Cisco Advanced Services or a Certified Partner for design, deployment and sustaining services of the ISE deployment.
    Step 1: Estimate the Number of Concurrent Endpoints in the Network
    Estimating the total number of concurrent endpoints is dependent on a number of variables. An approach to consider would be to take into account:
    • Number of employees in the organization
    • Average number of devices per employee (desktop, laptop, smartphone, desk IP phone, etc.)
    • Number of switch ports currently in the organization
    • Number of access points deployed in the organization
    • Average number of devices per access point
    • Dynamic IP address range being used
    • Average number of guests expected to join the network
    • Inventory of non-user devices such as IP cameras, printers, IP-enabled projectors, etc.
    A combination of factors that includes but is not limited to the above factors could be used to determine the total number of concurrent endpoints in the network.
    Step 2: Cisco ISE Appliances and Servers* Options
    Cisco Identity Services Engine Appliances

    | Option 1: Cisco Identity Services Engine Appliances and Servers* | Product Number | Endpoints Supported |
    |---|---|---|
    | Cisco Secure Network Server 3415* | SNS-3415-K9 | 5,000 |
    | Cisco Secure Network Server 3495* | SNS-3495-K9 | 20,000 |
    Step 3: Cisco Secure Network Server Support SKUs*
    | Product Number | SMARTnet Part Number | Description |
    |---|---|---|
    | SNS-3415-K9* | CON-SNT-SNS-3415 | Cisco SMARTnet support for SNS-3415-K9 - 8x5 Next Business Day |
    Step 4: Select the Type of License
    Step 5: Cisco ISE License Options
    | License Type | Features Supported | Deployment Type Supported | License Prerequisite | License Term(s) |
    |---|---|---|---|---|
    | Base License | AAA, Guest Provisioning, Link Encryption Policies | Wired, Wireless, VPN | | Perpetual |
    | Advanced License | Device Onboarding/Provisioning, Device Profiling and Feed Service*, Host Posture, Security Group Access, Integrated Vendor MDM Support* | Wired, Wireless, VPN | Base License | 3- and 5-Year Terms |
    | Wireless License | Device Onboarding/Provisioning, AAA, Guest Provisioning, Link Encryption Policies, Device Profiling and Feed Service*, Host Posture, Security Group Access, Integrated Vendor MDM Support* | Wireless | | 3- and 5-Year Terms |
    Step 6. Cisco ISE Functionality-Based License Options
    | License Tiers (T) | Number of Endpoints Supported | Base License | Advanced 3-Year License | Advanced 5-Year License | Wireless 3-Year License | Wireless 5-Year License | Wireless Upgrade 3-Year License | Wireless Upgrade 5-Year License |
    |---|---|---|---|---|---|---|---|---|
    | 100 | 100 Endpoints | L-ISE-BSE-100= | L-ISE-ADV3Y-100= | L-ISE-ADV5Y-100= | L-ISE-AD3Y-W-100= | L-ISE-AD5Y-W-100= | L-ISE-W-3UPG-100= | L-ISE-W-UPG-100= |
    | 250 | 250 Endpoints | L-ISE-BSE-250- | L-ISE-ADV3Y-250= | L-ISE-ADV5Y-250= | L-ISE-AD3Y-W-250= | L-ISE-AD5Y-W-250= | L-ISE-W-3UPG-250= | L-ISE-W-UPG-250= |
    | 500 | 500 Endpoints | L-ISE-BSE-500= | L-ISE-ADV3Y-500= | L-ISE-ADV5Y-500= | L-ISE-AD3Y-W-500= | L-ISE-AD5Y-W-500= | L-ISE-W-3UPG-500= | L-ISE-W-UPG-500= |
    | 1000 | 1000 Endpoints | L-ISE-BSE-1K= | L-ISE-ADV3Y-1K= | L-ISE-ADV5Y-1K= | L-ISE-AD3Y-W-1K= | L-ISE-AD5Y-W-1K= | L-ISE-W-3UPG-1K= | L-ISE-W-UPG-1K= |
    | 1500 | 1500 Endpoints | L-ISE-BSE-1500= | L-ISE-ADV3Y-1500= | L-ISE-ADV5Y-1500= | L-ISE-AD3Y-W-1500= | L-ISE-AD5Y-W-1500= | L-ISE-W-3UPG-1500= | L-ISE-W-UPG-1500= |
    | 2500 | 2500 Endpoints | L-ISE-BSE-2500= | L-ISE-ADV3Y-2500= | L-ISE-ADV5Y-2500= | L-ISE-AD3Y-W-2500= | L-ISE-AD5Y-W-2500= | L-ISE-W-3UPG-2500= | L-ISE-W-UPG-2500= |
    | 3500 | 3500 Endpoints | L-ISE-BSE-3500= | L-ISE-ADV3Y-3500= | L-ISE-ADV5Y-3500= | L-ISE-AD3Y-W-3500= | L-ISE-AD5Y-W-3500= | L-ISE-W-3UPG-3500= | L-ISE-W-UPG-3500= |
    | 5000 | 5000 Endpoints | L-ISE-BSE-5K= | L-ISE-ADV3Y-5K= | L-ISE-ADV5Y-5K= | L-ISE-AD3Y-W-5K= | L-ISE-AD5Y-W-5K= | L-ISE-W-3UPG-5K= | L-ISE-W-UPG-5K= |
    | 10,000 | 10K Endpoints | L-ISE-BSE-10K= | L-ISE-ADV3Y-10K= | L-ISE-ADV5Y-10K= | L-ISE-AD3Y-W-10K= | L-ISE-AD5Y-W-10K= | L-ISE-W-3UPG-10K= | L-ISE-W-UPG-10K= |
    | 25,000 | 25K Endpoints | L-ISE-BSE-25K= | L-ISE-ADV3Y-25K= | L-ISE-ADV5Y-25K= | L-ISE-AD3Y-W-25K= | L-ISE-AD5Y-W-25K= | L-ISE-W-3UPG-25K= | L-ISE-W-UPG-25K= |
    | 50,000 | 50K Endpoints | L-ISE-BSE-50K= | L-ISE-ADV3Y-50K= | L-ISE-ADV5Y-50K= | L-ISE-AD3Y-W-50K= | L-ISE-AD5Y-W-50K= | L-ISE-W-3UPG-50K= | L-ISE-W-UPG-50K= |
    | 100,000 | 100K Endpoints | L-ISE-BSE-100K= | L-ISE-ADV3Y-100K= | L-ISE-ADV5Y-100K= | L-ISE-AD3Y-W-100K= | L-ISE-AD5Y-W-100K= | L-ISE-W-3UPG-100K= | L-ISE-W-UPG-100K= |

  • ISE 1.2 - Guest Services

    Hi All,
    I'm planning to set up Cisco ISE - GNAC services and I want to know how the licenses work for this service. Will ISE count a license for each guest user connected?
    Also, I have another question regarding WAN latency between personas. What's the MAX?
    Thanks in advance,
    Elyinn.-

    Elyinn,
    Yes, each Guest User counts against the license.  Here is a snippet from the link that was given earlier:
    "License Count
    The Cisco ISE license is counted as follows:
    A Base or Advanced license is consumed based on the feature that is utilized.
    An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected to wired and also to wireless at the same time. Licenses for VPN connections are based on the IP address.
    Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received."
    As you can see, a single device can consume more than 1 license depending on the features you have set on your network.
    As far as max latency between WAN links, that number is 200ms.  Anything longer than that can result in drops or corruption in packets.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
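
The counting rule quoted in the answer above (a session is active from RADIUS Accounting Start until Accounting Stop, wired/wireless sessions count per connection by MAC, VPN by IP) can be replayed over accounting records to estimate peak concurrent license use. This is an added example, not part of the original thread and not Cisco code; the record layout, the `advanced` flag, and the assumption that every active session draws one Base count while sessions using an Advanced feature also draw one Advanced count are this example's own.

```python
from collections import namedtuple

# One RADIUS accounting record. `advanced` marks a session that uses an
# Advanced-package feature (e.g. profiling or posture). The flag is an
# assumption of this example, not a RADIUS attribute.
Acct = namedtuple("Acct", "ts status medium ident advanced")

# Constructed sample records, not real logs.
SAMPLE = [
    Acct(1, "Start", "wired",    "AA:BB:CC:00:00:01", False),
    Acct(2, "Start", "wireless", "AA:BB:CC:00:00:01", True),   # same MAC, second connection
    Acct(3, "Start", "vpn",      "10.0.0.5",          False),  # VPN is keyed by IP
    Acct(4, "Stop",  "wired",    "AA:BB:CC:00:00:01", False),
    Acct(5, "Start", "wireless", "AA:BB:CC:00:00:02", True),
    Acct(6, "Start", "wireless", "aa:bb:cc:00:00:02", True),   # retransmitted Start
    Acct(7, "Stop",  "vpn",      "10.0.0.9",          False),  # Stop with no Start
    Acct(8, "Stop",  "wireless", "AA:BB:CC:00:00:01", True),
]

def session_key(rec):
    """One license-consuming session per (connection type, MAC or IP)."""
    return (rec.medium, rec.ident.lower())

def peak_usage(records):
    """Replay records in time order; return peak concurrent Base/Advanced use."""
    active = {}                      # session key -> uses an Advanced feature?
    peak = {"base": 0, "advanced": 0}
    for rec in sorted(records, key=lambda r: r.ts):
        key = session_key(rec)
        if rec.status == "Start":
            active[key] = rec.advanced   # a repeated Start does not double count
        elif rec.status == "Stop":
            active.pop(key, None)        # a Stop without a Start is ignored
        peak["base"] = max(peak["base"], len(active))
        peak["advanced"] = max(peak["advanced"], sum(active.values()))
    return peak

def over_soft_limit(peak, licensed):
    """Tiers whose peak concurrent use exceeds the licensed endpoint count."""
    return sorted(t for t in peak if peak[t] > licensed.get(t, 0))

if __name__ == "__main__":
    peak = peak_usage(SAMPLE)
    print(peak, over_soft_limit(peak, {"base": 3, "advanced": 1}))
```

Running the same replay over a few weeks of real accounting data gives a measured concurrent-endpoint peak to compare against the license tier being ordered.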
