ISE Wireless package Licensing

Greetings, we have installed ISE to backend our Wireless infrastructure. We have a 1000 endpoint Wireless package, which gives us 1000 base and 1000 advanced endpoint licensing. I know the Advanced is used for profiling and posture among other features. My question is around the active license count. We currently have (per NCS) 685 clients associated to our wireless infrastructure. Back on the ISE console, however, we show that we are using 941/1000 active advanced endpoint assessments license count. How is that possible?? I thought that license count was only applied to active clients, and we do not currently have anywhere close to 941 active clients on our wireless. Should that not be 1-1 or pretty close?

License Count
The Cisco ISE license is counted as follows:
• A Base or Advanced license is consumed based on the feature that is utilized.
• An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected to wired and also to wireless at the same time. Licenses for VPN connections are based on the IP address.
• Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
Note: Sessions without RADIUS activity are automatically purged from Active Session list every 5 days or if the endpoint is deleted from the system.
To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generate alarms when endpoint counts exceed the licensed amounts:
• 80% Info
• 90% Warning
• 100% Critical
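
The counting rules quoted above, worked through as an added example (not Cisco's code and not part of the original thread): it replays RADIUS accounting records to show how sessions that never send a Stop keep holding a license until the idle purge, and maps usage to the 80/90/100% alarm levels. The sample records, the function names, the one-day "stale candidate" hint and the modelling of the purge as "idle for 5 days or more" are assumptions made for illustration.

```python
from datetime import datetime, timedelta

PURGE_AFTER = timedelta(days=5)   # page: sessions without RADIUS activity are purged
STALE_HINT = timedelta(days=1)    # assumption: arbitrary idle time worth investigating
ALARMS = [(100, "Critical"), (90, "Warning"), (80, "Info")]  # percent of entitlement


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample accounting records (not from a real deployment):
# (time, Acct-Status-Type, session id, endpoint MAC, medium)
EVENTS = [
    ("2013-02-27 09:00", "Start", "s0", "AA:BB:CC:00:00:05", "wireless"),  # no Stop, idle > 5 days
    ("2013-03-01 08:00", "Start", "s1", "AA:BB:CC:00:00:01", "wireless"),
    ("2013-03-01 08:05", "Start", "s2", "AA:BB:CC:00:00:01", "wired"),     # same MAC, second session
    ("2013-03-01 09:00", "Start", "s3", "AA:BB:CC:00:00:02", "wireless"),
    ("2013-03-01 17:00", "Stop", "s3", "AA:BB:CC:00:00:02", "wireless"),   # clean disconnect
    ("2013-03-02 10:00", "Start", "s4", "AA:BB:CC:00:00:03", "wireless"),  # left, Stop never arrived
    ("2013-03-04 14:00", "Start", "s5", "AA:BB:CC:00:00:04", "wireless"),
    ("2013-03-05 09:00", "Interim-Update", "s5", "AA:BB:CC:00:00:04", "wireless"),
]


def active_sessions(events, now):
    """Sessions with a Start and no Stop, minus those idle for 5 days or more."""
    sessions = {}
    for when, status, sid, mac, medium in sorted(events, key=lambda e: ts(e[0])):
        if status == "Start":
            sessions[sid] = {"mac": mac, "medium": medium, "last_seen": ts(when)}
        elif status == "Interim-Update" and sid in sessions:
            sessions[sid]["last_seen"] = ts(when)   # counts as RADIUS activity
        elif status == "Stop":
            sessions.pop(sid, None)                 # license is released
    return {sid: s for sid, s in sessions.items()
            if now - s["last_seen"] < PURGE_AFTER}


def alarm_level(used, licensed):
    """Highest alarm severity reached, or None below 80% of entitlement."""
    for percent, severity in ALARMS:
        if used * 100 >= percent * licensed:
            return severity
    return None


def summarize(events, now, licensed):
    live = active_sessions(events, now)
    return {
        "licenses_in_use": len(live),               # one per session, not per MAC
        "distinct_macs": len({s["mac"] for s in live.values()}),
        "stale_candidates": sorted(sid for sid, s in live.items()
                                   if now - s["last_seen"] > STALE_HINT),
        "alarm": alarm_level(len(live), licensed),
    }


if __name__ == "__main__":
    print(summarize(EVENTS, ts("2013-03-05 12:00"), licensed=5))
```

Comparing `licenses_in_use` with the number of clients the controller reports as associated, and listing `stale_candidates`, is one way to check whether missing Accounting Stop records account for a gap between the two counts.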

Similar Messages

  • ISE Wireless endpoint license?

    Hi all! What does an endpoint wireless license mean for Cisco ISE: access point or client device? For example: I have 1 WLC, 35 access points and 500 clients. How many licenses do I need to buy?

    ISE licensing is based on endpoints authenticating to the network. So in your case if all 500 devices will be connecting to the network at the same time then you will need to purchase 500 licenses. Keep in mind that those are concurrent, thus, when a client leaves the network a license is freed up. 
    Hope this helps!
    Thank you for rating helpful posts! 

  • Do We Require ATP to Re-sell ISE Wireless?

    Hi forum,
    I have reviewed the Cisco ISE Software 1.1 Q&A (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html) and it seems to me that Table 5 (Differences Between Cisco Identity Services Engine Licenses) and the penultimate Ordering and Purchasing question infer that no ATP is required to re-sell ISE with Wireless license type.
    Can anyone on the forums confirm that this is indeed the case?
    I have put the same question to my TCAM.
    Helpful posts always rated!
    Kind regards, Ash.

    Ashley,
    Here is the Q&A that I found:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Ordering and Purchasing
    Q. How can I purchase the Cisco Identity Services Engine?
    A. Cisco Identity Services Engine Advanced, Base, and Wireless Upgrade licenses can be purchased only through Cisco Authorized Technology Provider (ATP) partners.
    Note: Cisco Identity Services Engine platforms (both physical and virtual) and Wireless licenses are generally available for purchase through any Cisco authorized partner.

  • ISE wireless design

    Hi all,
    Designing an ISE wireless case, I would like to seek ideas about:
    1. My design goal is to differentiate so that domain users are only capable of connecting to Employee_AP, while guests connect to Guest_AP. What rule conditions should I use?
    2. What is the best practice for BYOD policies to permit each employee to use only 2 units of personal devices, say one notebook and one handheld device? Is there any way I can enforce this rule on ISE?
    Million thanks
    Noel

    If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
    You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  

  • Cisco ISE - expired demo license alarm

    Hi,
    We are implementing Cisco ISE 1.2.0.899 and have an alarm reporting expired license. This alarm refers to the Advanced License demo and is therefore a false positive.
    The issue is that we cannot remove the demo license and stop the root cause of this false positive alarm.
    Does anyone have an idea?
    Thanks in advance.
    Regards,
    Telmo Oliveira

    Please refer the discussion below
    https://supportforums.cisco.com/discussion/12059041/ise-advanced-eval-license-alerts-after-full-base-install

  • Enterprise Wireless Mesh License needed for controller and AP's?

    If I have a 2112 WLAN Controller and 7 1240AG AP's what licensing do I need to purchase to enable enterprise wireless mesh? Do I need to get the license for the controller (AIR-AP-LIC-M-12)? A license for each AP? Both? Thanks for any replies!

    Hi Andy,
    You only require the Mesh license for the Controller not for the individual AP's :)
    Solution
    The Cisco EWM license is required for wireless mesh deployments for the indoor access point platforms, including the Cisco Aironet 1130 and 1240 Series. For the Cisco Aironet 1500 Series, these licenses are not required. These EWM licenses are required for all the WLAN controllers when mesh indoor access points are associated with the controller. Each WLAN controller has a corresponding EWM license. The license entitles the user to configure as many mesh indoor access points as the controller allows.
    The license SKUs are as follows:
    • AIR-AP-LIC-RTU=, Cisco Advanced Feature License
    • AIR-AP-LIC-M-6, Cisco Advanced Enterprise Wireless Mesh, 6-AP Controller
    • ***AIR-AP-LIC-M-12, Cisco Advanced Enterprise Wireless Mesh, 12-AP Controller
    • AIR-AP-LIC-M-25, Cisco Advanced Enterprise Wireless Mesh, 25-AP Controller
    • AIR-AP-LIC-M-50, Cisco Advanced Enterprise Wireless Mesh, 50-AP Controller
    • AIR-AP-LIC-M-100, Cisco Advanced Enterprise Wireless Mesh, 100-AP Controller
    • AIR-AP-LIC-M-300, Cisco Advanced Enterprise Wireless Mesh, 300-AP Controller
    Cisco Enterprise Wireless Mesh Licensing and Ordering Guide
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns767/ordering_guide_c07-482365_ps6521_Products_Brochure.html
    Hope this helps!
    Rob

  • Solaris11 Wireless Package Removal

    X86 Team I know that I need to remove bad wireless packages from my laptop and I am being denied. -
    SUNWralink Ralink RT2500 802.11b/g Wireless Driver This is a Live Image. The install operation can't be performed
    The working package is from Intel that works for me.
    system
    SUNWipw                    
    Intel Pro. Wireless 802.11b IPW2100B Driver
    system
    SUNWiwi                    
    Intel Pro. Wireless 802.11a/b/g IPW2200B/G IPW2915A/B/G Driver

    For a different reason, I also have the exact same issue. In my case, it is due to a particular SAS2 controller. I have an Oracle server (X5-2L) and loaded Solaris 11.2.
    The server came with LSI MegaRAID 9361-8i controller card. I want to enable and use JBOD disks, so that I can use the disks in a ZFS file system.
    The Solaris installer runs just fine, however I cannot pass JBOD disks through to the system - only RAID virtual disks, including single-disk RAID0's. While it "works", it will not work well if/when a disk fails and I need to replace, or extend.
    The base install picks up the controller using the LMRC package. This too is a LSI MegaRAID controller driver, and is compatible with the card. However, I need to load the latest LSI drivers from LSI.com website in order to activate newer features found in the latest firmware. To do this, I've loaded the LSI driver, however Solaris refuses to favor the 3rd party driver over its own native driver.
    As a hopeful workaround, I wanted to remove the LMRC package to see if it would then pick it up using MR_SAS - which, too is a native driver, but then could be updated using the LSI package supplied by LSI. But, first things first - I need to remove LMRC.
    I may not be taking the correct approach to getting the card to run under the LSI-supplied driver - if anyone has a better suggestion than removing the stock driver, I'm open to suggestions!
    -John

  • Universal IOS Package/License

    hi all,
    just a quick question, if you say the IOS has a UNIVERSAL package, does that means i get all its features (security, voice, VPN and stuff).
    please see my show version below. would highly appreciate someone's advice.
    1941#show version
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Sun 18-Jul-10 01:47 by prod_rel_team
    ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
    1941 uptime is 8 hours, 14 minutes
    System returned to ROM by power-on
    System restarted at 09:23:13 SGT Sat Feb 9 2013
    System image file is "flash0:c1900-universalk9-mz.SPA.150-1.M3.bin" 
    Last reload type: Normal Reload
    <SNIP>
    Device#   PID                   SN
    *0        CISCO1941/K9          FHKxxx 
    Technology Package License Information for Module:'c1900'
    Technology    Technology-package          Technology-package
                  Current       Type          Next reboot
    ipbase        ipbasek9      Permanent     ipbasek9
    security      None          None          None
    data          None          None          None
    Configuration register is 0x2102

    ho ho ho, you're right. i'm still new to this license thingy. will arrange this with my client.
    as always, thanks for your help leo! have a nice weekend!
    #sh lic
    Index 1 Feature: ipbasek9                      
            Period left: Life time
            License Type: Permanent
            License State: Active, In Use
            License Count: Non-Counted
            License Priority: Medium
    Index 2 Feature: securityk9                    
            Period left: 8  weeks 4  days
            License Type: Evaluation
            License State: Active, Not in Use, EULA not accepted
            License Count: Non-Counted
            License Priority: None
    Index 3 Feature: datak9                        
            Period left: 8  weeks 4  days
            License Type: Evaluation
            License State: Active, Not in Use, EULA not accepted
            License Count: Non-Counted
            License Priority: None
    Index 4 Feature: SSL_VPN                       
            Period left: 8  weeks 4  days
            License Type: Evaluation
            License State: Active, Not in Use, EULA not accepted
            License Count: 75/0/0  (Active/In-use/Violation)
            License Priority: None
    Index 5 Feature: ios-ips-update  

  • Cisco ISE functionally and license

    HI. 
    I wanna configure the following on Cisco ISE 1.2.1.
    Self-registration portal for guests (SSID: guests)
    802.1x user certificate check (Cisco NAM supplicant) for employees (SSID: Corporate) (EAP-TLS)
    Self provisioning portal (to deploy BYOD certificate and give access for BYOD devices) for BYOD devices (SSID: Corporate) (PEAP, MSCHAPv2)
    Can I configure these things with PLUS license or do I need Adv or Wireless? I am not sure if one of these requires profiling functionality.

    With plus license all the above items should work.
    Here is what plus license supports:
    Bring Your Own Device (BYOD)
    Profiling
    Endpoint Protection Service (EPS)
    TrustSec SGT
    For more info, refer ISE license section:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_license.html#41012
    Regards,
    Jatin Katyal
    **Do rate helpful posts**

  • ISE MAB authentication license usage

    Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Address bypass) in order to facilitate central web authentication - does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?
    I have many users with smart phones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?
    Thanks,

    Hello-
    Please take a look at the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
    So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can see from the document that as soon as the session times out the endpoint would free the license. If for some reason an "accounting-stop" message is not received then after 5 days of inactivity the system will automatically free the license.
    Hope this helps!
    Thank you for rating helpful posts!

  • Ise with base license

    Hi everyone,
    trying to make sense of ISE licensing. I'd like to be able to use an Identity store with static MAC addresses (manually added) in an authorization policy.
    My question is: can that be accomplished via base licensing, or is that considered posturing/profiling?
    Thanks all!
    Iarno Pagliani

    Hello Iarno Pagliani,
    For your understanding
    • License Type: Base License
      Features Supported: AAA, Guest Provisioning, Link Encryption Policies
      Deployment Type Supported: Wired, Wireless, VPN
      License Term(s): Perpetual
    • License Type: Advanced License
      Features Supported: Device Onboarding/Provisioning, Device Profiling and Feed Service*, Host Posture, Security Group Access, Integrated Vendor MDM Support*
      Deployment Type Supported: Wired, Wireless, VPN
      License Prerequisite: Base License
      License Term(s): 3- and 5-Year Terms

  • Upgrading a distributed deployment to ise 1.2, licensing

    The current deployment is a 5 nodes (2adm 1mon 2psn)
    what the docs report is:
    You do not have to manually deregister the node before an upgrade. Use the application upgrade command to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the license file for the Primary Administration node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco Technical Assistance Center for assistance.
    we have a 10k base licence+ 100 advanced (only pri adm registered)
    deployment is 1y old
    what happens after the secondary admin node has been upgraded to 1.2?
    will it be accessible via gui? will it have a new grace period licence? will it use the other admin node licence?
    this cause during the upgrade we will need to check the "new" 1.2 admin status to proceed with the other nodes...
    thank you

    For distributed deployments, the upgrade process follows a Split Deployment model. After you upgrade the secondary Administration node to the new release, Cisco ISE creates a new deployment. The secondary Administration node from the old deployment becomes the primary Administration node in the new deployment. When you upgrade the rest of the nodes in the old deployment, they join the new deployment.
    When you upgrade the secondary Administration node from the old deployment, it saves the old deployment configuration and also notifies the primary Administration node of the upgrade. The primary Administration node in the old deployment notifies the other nodes about the upgrade. After upgrade, the nodes from the old deployment join the primary Administration node in the new deployment. The upgrade process retains licenses and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files with two-node unique device identifiers (UDIs). You can request for a new license with the UDI of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for details.
    http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html

  • ISE advanced eval license alerts after full base install.

    Has anyone had an issue with the advanced eval license triggering the below alerts after a full base license has been installed and the advanced eval license has expired?
    How can I keep the license expiration warnings and avoid receiving warnings for an expired eval licence?
    This is on Cisco ISE Software Version 1.2.0 full running on a ISE-3315-K9. There is no requirement to go to a full advanced license.
    License Expiration
    Details :
    Advanced License expires in 30 days
    Description :
    The License installed on the ISE nodes have been expired or about to expire
    Suggested Actions :
    Please contact CISCO Account team to purchase new licenses
    *** This message is generated by Cisco Identity Services Engine (ISE) ***

    Gary,
    The way to suppress this message is to disable the License Expiration Alarm.
    To do this, go to Administration > System > Settings. Choose Alarm Settings from the Left Menu.
    Scroll down and select Licensing | License Expiration from the list of Alarms.
    Click the Edit Button and use the dropdown to change the Status to Disable. Click Submit and you're done.
    I would then set a Calendar reminder through Outlook (or on your phone) to enable this feature once the expiration date for your Advanced License has passed.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE wireless CPP with redirect exclusions, possible?

    Hi all, a little bit of a tricky situation here. I've got a wireless network and ISE 1.1.1. The wireless is mixed 7.0 and 7.3 code.
    On an ISE wired installation it's easy to have an authorization rule that URL redirects users to the client provisioning portal *BUT* to have a redirect ACL on the switch with deny statements that excludes specific websites from the redirection. This is done so users can click on remediation links from the NAC Agent and get to websites to download anti-virus, sig updates, windows updates, etc... but all other web attempts get redirected to the CPP.
    All fine and it works perfectly on the wired network. HOWEVER, I can't seem to find a similar way to do this on the wireless network. While you can create a posture redirection policy to send them to the CPP with an ACL, that ACL seems to only permit or deny traffic per a standard ACL. Meaning a user gets on but any attempt to go anywhere in a browser redirects to the CPP. This makes it impossible to get to the remediation pages.
    Is there any way to accomplish what I'm trying to do here? It seems like it should be a basic function.

    Sorry I had some personal issues to deal with and just got a chance to follow up on this. First of all, good job on figuring it out and posting the findings back here! (+5) from me for that!
    To answer your questions:
    #1. You are 100% right about the logic on the WLC ACLs vs Switch ACLs. On switches "deny" means "don't redirect" the traffic, thus permit it on the network. On the WLCs "deny" means "redirect" the traffic, hence don't allow it on the network. I am not sure why Cisco did this but different BUs, different teams, etc
    #2. You are also correct on this one. Your vWLC and ISE are working as expected. While switches support dACLs, WLCs only support "named ACL." As a result, when referencing ACLs on ISE for wireless, that ACL has to exist on the WLC and it MUST BE NAMED THE SAME or it won't work.
    Hope this helps. If your issues are resolved please mark the thread as "answered"
    Thank you for rating!

  • ISE wireless web authentication for guest management not redirecting

    Hi forumers'
    I face the problem that after connecting to the wireless guest network, it won't redirect me to the ISE guest portal. This happens on my iPhone. The iPhone is running iOS 5.0.1.
    Whilst on a workstation it's working well.
    Attached is the snapshot of what happens on the iPhone.
    Any clue to troubleshoot? Thanks
    Noel

    Hi
    I still fail whilst testing on my iPhone.
    I'm not using the ISE self-signed certificate; I created a CSR and had it signed by the root CA server. So once I try to connect it won't prompt me with the "accept certificate" dialog.
    My WLC local auth vendor certificate is signed by the same root CA server as well.
    So I tested on a desktop running the Safari browser, and it is able to redirect to the ISE guest portal.
    Can you please suggest more troubleshooting guidance?
    Thanks
    This is the outcome for the Safari browser
    Noel
