License Consumption in BOE XI

Post Author: neheyen
CA Forum: Authentication
I don't know if we don't have enough licenses or if there is something misconfigured. Or if there is a problem with usage.
When I go to the CMS properties, I think I see who is logged in at the moment. Just what is the Session Count? The number of sessions the user has open (InfoView, Instance Manager, CMC, etc.) or the number of licenses used?
Is there a whitepaper that describe the license model?
And finally is there a setting for timeouts? I think what happens is that users just close the browser window instead of actually using the padlock icon to log out. Would this result in a 'stranded' login that consumes a license?
Thanks for any insight or hints!
Norman

Post Author: TAZ
CA Forum: Authentication
Hi Norman,
I think both these questions would be better served in the deployment forum going forward...
As for licenses it depends on your license type, CPU license wouldn't matter, concurrent would only be the user count not session, named would be the session count=licenses used.
There are timeouts for when a session is inactive but they vary per app server. You should be able to find them in KB's or open a case with support if that doesn't work so they can give you the right info based on your environment.
In IE 6 the default setting prompted for logoff even when closing the browser. IE7 I don't believe honors this setting. If this is an earlier version than XIR2 there were other issues that caused extra sessions.
Regards,
Tim

Similar Messages

ISE 1.2/1.2.1 license consumption issues

Hi all, I know this topic is somewhat done to death but I want to know whether anyone else is experiencing this issue. In summary my ISE deployment (right this minute) has 17 Active sessions with 17 base and 17 plus licenses consumed. My issue with this is that of the 17 active sessions only 8 of these sessions are utilising a plus feature ie the registration status in the authorisation policy. In short at all times the plus license consumption always matches the base license consumption.
I have continually had this issue with all ISE deployments whereby the license consumption does not reflect Cisco documentation and my configurations. Without giving screenshots I can say with certainty that the only plus feature been used is the BYOD onboarding and subsequent registration status in the authz policy. The rest of my policies are straight forward CWA guest and EAP-TLS machine cert authorisations with no profiling information used in the policy. I have gone so far as to turn off profiling and removing BYOD policies with the same results.
The following document clearly states what should and shouldn't consume a license:
http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.pdf
Any input would be appreciated.

The bug is listed as fixed, but I don't see which software it is fixed in. I must admit I've seen this problem for months, probably over a year now. It was already the case on 1.1.4 at least. I have some customers using 1300 of 500 advanced licenses.
It would be nice if it functioned exactly as the documentation always said. It would give you a warm feeling that things will keep working when the advanced license expires entirely (I'm sure we'll find out soon).
At one point I was told it was under discussion whether to fix the problem, or to fix the documentation to fit the problem, but last I heard it would be fixed at some point in the future. Every time we get a call regarding new software (1.2.1, 1.3) I make sure I ask them that the trust based licensing continues. We're OK as long as trust based licensing continues, but it's scruffy and hard to explain to customers why it shows 3 times as many advanced users as they already have. And then on occasions you see their eyes light up when they realise they can run 3000 advanced and Cisco will be none the wiser, or alternatively that they could have got away with a 100 user license and you've just cost them a 5000 user license that nobody can tell if they are using or not.

ISE 1.3, information about license consumption

Hi all
We are deploying ISE 1.3 in our network but is not clear for us how the license consumption mechanism is handled by ISE.
I saw in the administration guide that in ISE 1.3 a license is consumed for every active user, and license consumption relies on the attributes used in the authorization policy with which the endpoint is matched.
In ISE 1.2 licensing data sheet it is said that the consumption relies on RADIUS accounting functions to track concurrent endpoints (ISE uses RADIUS
accounting “start” and “stop” messages to determine when network sessions begin and end), but I didn't found any confirmation on that regarding ISE 1.3.
My question is: if I don't enable Radius accouting on the NAD, how ISE determines when the network session is ended and so when it releases the license for that user?
I ask this because during the tests we saw different behaviour; sometimes the session was considered ended and so the license was correctly released, but sometimes the user was considered active also hour later after it left the network, and his license was not correctly released
Thanks
Marco

ISE monitoring node has a session directory to track
endpoints active on the network.
Automatic Purge: A purge job runs approximately every 5 minutes to clear
sessions that meet any of the following criterion:
1.Endpoint disconnected (Ex: failed authentication) in the last 15 minutes
(grace time allotted in case of authentication retries)
2.Endpoint authenticated but no accounting start or update received in the last
hour
3.Endpoint idle—no activity (authentication / accounting / posturing /
profiling updates) in the last 5 days

WEBI CPU License Required for BOE Premium Install

We are being told that our BOE Premium Install requires a WEB Intelligence CPU license for View on Demand documents in addition to our BOE Premium CPU license. This is news to us. We have been told for 5 years that our BOE Premium CPU license was inclusive of WEB Intelligence Document View on Demand consumption. Has anyone else ran into this issue? Is this a recent change in licensing by SAP?

Yes, the premium license covers Crystal - you don't have to do anything special to "turn it on".
In order to create Crystal Reports for use in BOE, you must purchase a Crystal Reports license for each person who will be designing reports. There is no web interface for designing reports in Crystal, it is a desktop application.
Reports written in Crystal can be published to BOE (Crystal XI will publish to r2 and 3.x, Crystal 2008 will only publish to 3.x from within the software, but there are ways around that) or run from either a desktop or web application - the application has to have a Crystal Viewer component. There are several viewer apps available for viewing reports outside of BOE, or you can write your own (a version Crystal comes with Visual Studio.)
-Dell
Edited by: Dell Stinnett on Aug 5, 2010 11:21 AM

ISE ver 1.1.2.145 advanced license consumption

Hello,
I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:
I have an XP machine that I am using to access network though ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate company asset. Everytime the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am note using the profiled group, posture assessment, nor even onboarding in my Authz policy.
Here is the authorization rule:
Here is the licensing page:
base                             advanced
1/20
1/20
Here is the only active session from active session report:
xp-test.ashour.local
00:22:FB:1A:59:C2
10.30.30.117
dot1x
EAP-TLS
NotApplicable
N/A
WindowsXP-Workstation
Running
ise
And here is the live authentication:
Authentication Summary
Logged At:
December 10,2012 5:27:36.331 PM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
xp-test.ashour.local
MAC/IP Address:
00:22:FB:1A:59:C2
Network Device:
5508-WLC : 10.255.255.20 :
Allowed Protocol:
Default Network Access
Identity Store:
Authorization Profiles:
PermitAccess
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
User-Name=xp-test.ashour.local
State=ReauthSession:0affff140000005550c6598d
Class=CACS:0affff140000005550c6598d:ise/144192099/4026
Termination-Action=RADIUS-Request
MS-MPPE-Send-Key=99:b0:49:f5:e1:eb:20:a6:2b:2a:97:fe:f1:68:a0:02:a7:98:3c:03:12:2a:90:70:3a:6c:fd:ed:1c:3b:bc:4b
MS-MPPE-Recv-Key=8e:c8:88:f8:fb:75:02:3d:32:48:8a:b0:9e:7d:74:5d:04:f7:de:48:3c:b9:c3:e7:36:e5:05:f3:c7:6c:21:7d
Related Events
Dec 10,12 5:27:36.072 PM
Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2 AUTHTYPE:
Radius authentication passed
Dec 10,12 5:23:56.647 PM
Radius authentication passed for USER:   CALLING STATION ID: 00:22:FB:1A:59:C2 AUTHTYPE:
Radius authentication passed
Dec 10,12 5:06:07.317 PM
Radius accounting start
Radius accounting start
Authentication Details
Logged At:
December 10,2012 5:27:36.331 PM
Occurred At:
December 10,2012 5:27:36.331 PM
Server:
ise
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
xp-test.ashour.local
RADIUS Username :
host/xp-test.ashour.local
Calling Station ID:
00:22:FB:1A:59:C2
Framed IP Address:
Use Case:
Network Device:
5508-WLC
Network Device Groups:
Device Type#All Device Types#WIRELESS,Location#All Locations#ASHOUR RESIDENCE
NAS IP Address:
10.255.255.20
NAS Identifier:
ASHOUR-WLC1
NAS Port:
1
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
Default Network Access
Service Type:
Framed
Identity Store:
Authorization Profiles:
PermitAccess
Active Directory Domain:
Identity Group:
Profiled:Workstation
Allowed Protocol Selection Matched Rule:
Dot1X
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
Company asset
SGA Security Group:
AAA Session ID:
ise/144192099/4026
Audit Session ID:
0affff140000005550c6598d
Tunnel Details:
Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 30
Cisco-AVPairs:
audit-session-id=0affff140000005550c6598d
Other Attributes:
ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,Device Type=Device Type#All Device Types#WIRELESS,Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,Software Version=7.2,Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD
Posture Status:
NotApplicable
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12568 Lookup user certificate status in OCSP cache
12570 Lookup user certificate status in OCSP cache succeeded
12554 OCSP status of user certificate is good
12568 Lookup user certificate status in OCSP cache
12570 Lookup user certificate status in OCSP cache succeeded
12554 OCSP status of user certificate is good
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15016 Selected Authorization Profile - PermitAccess
11002 Returned RADIUS Access-Accept

Hi,
Please make sure that the profiling is disabled for this node, it seems as if the radius probe and the user agent is learned via the http probe.
It also seems as if you are hitting this bug I understand the description doesn't line up but you may want to have TAC clarifiy if this isnt experience on authenticating networks:
CSCub56607
Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not
The wireless session in question should be applied against the Base license count. This issue has been observed in Cisco ISE, Release 1.1.1 where the following functions are set:
•MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied
•Profiling is disabled
•Posture is disabled
•The device in question has not been registered via the My Devices Portal
Note There is no known workaround for this issue.
Tarik Admani
*Please rate helpful posts*

License Consumption

Version: 2007 B
License: B1 Professional
Issue:
The user name B1i gets created itself after the installation of B1.
What is that for?

Hi Vijay
The user B1i* is created by B1, which is used by B1i to connect B1.
B1i is a tool to sync data between SBO and R/3 system.
Regards,
Syn Qin
SAP Business One Forums Team

UCCX 10.5 - License consumption about Agent

Hi,
My Customer have a solution with UCCX 10.5 and license to 400 Agents. My question is: If I use 50 CTI ports in CUCM to attend IVR, are will there decrease license about Agent of UCCX?
Thanks,
Wilson

Hi Wilson,
The Agent licenses depend on the number of Seat Licenses you have on the system. For example, if there are 25 seats, then 25 agents can login simultaneously.
These do not depend on the Port licenses.
Other components which utilize seat licenses:
Agent
Supervisor
Recording
Regards,
Arundeep

Server License Assignment

2 SBS 6.0 Servers both at sp5.
My office has been having intermittent login problems ever since I
recovered from a hard drive crash on one of my servers and had to
re-install Netware on one a new drive.
Logging in produces a variety of results, usually to 2 or three
different users every day or so. Sometimes the login window just keeps
re-appearing after a login until a user reboots. Other times there are
messages like "An unexpected error has occurred" or "Connection to the
server was terminated" usually with an 8819 error code attached, which
points to a licensing issue.
Investigating further I find that the license assigned to the previously
crashed server is not being consumed by that server even though it is
assigned to it. I also note that the installed date is back in 2003.
This seems like the original license rather than the one I thought I had
re-installed earlier this summer.
Thanks,
Scott Schaffer
Scott Schaffer
ITSA
Olive Waller Zinkhan & Waller

Sorry, didn't see your earlier email. I solved the immediate login
problem. Yesterday afternoon I ran an unattended dsrepair. There were 0
errors but it apparently did not unlock the ds when it was finished.
This morning there was a "Cannot update NDS against an entry within
subnet container: DHCP-Subnet" and " Error (-663) occurred while saving
a backup of the NDPS Manager database files" on the our main file
server console screen. The -663 error pointed me to TID 10015560 about
the DS being locked. I followed the suggestion to run dsrepair once and
that unlocked the server and people were again allowed to login. This
server also shows the proper license consumption again.
So I am back to just the one server with no licesne consumption. I have
not yet capture a pm trace when a person logs in and has tree or server
not found. I will see if I can get that to happen today as I cannot
reproduce the login error every time.
Thanks for your patience.
Scott
Scott Schaffer
ITSA
Olive Waller Zinkhan & Waller
>>> Anders Gustafsson<[email protected]> 10/23/08 09:03AM
>>>
Scott Schaffer,
> Over the night all of a sudden my other server is no longer consuming
> it's license either and nobody can login.
>
OK. Is your DS healthy? Licenses are read from DS, so if you have DS
problems, then you will have license problems. As I said earlier: What
does the PM TRACE show when you try logging in?
- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
Discover the Novell forums at http://forums.novell.com
Novell does not monitor these forums officially.
Enhancement requests for all Novell products may be made at
http://support.novell.com/enhancement

Live Office License Key

Hi,
If we order permanent license key for BOE Premium XI3.1, do we need to order key for Live Office XI3.1 separately ? As per my understanding, BOE Premium covers LiveOffice also. Please correct me if I am wrong.
Thanks,
PASG

Hello PASG,
I found this internally
We have purchased SAP Business Objects Enterprise and wanted to activate now Live Office, but don´t have a valid license-key. Is this part of the BusinessObjects Enterprise XI 3.1 or does it need to be licensed separately ?
SAP BOE Premium is enough to use Live Office. You have to install a license key for BOE Premium and you have to install the component Live office but no key for live office is needed. It is like an add-on like Desktop Intelligence etcu2026
So to sum up, if you have a premium license, you don't need to buy any additional license for Live Office.

Basic ISE Licensing question

Hi,
Just a question on ISE license consumption.
If a user logs in and gets authenticated (user authentication) via ISE on a device that is already authenticated (device authentication), does it consume 2 licenses, one for the device and one for the user?
This is nowhere clearly told in any cisco documentation.
Can anybody help me clarify this?
Thank you,
Mohan

The base package includes all of the base services required to enable 802.1X, Guest, and Monitoring and Troubleshooting. The advanced package includes Posture, Profiler, and Security Group Access services.
Cisco ISE is bundled with a licensing mechanism that has the following important features:
•Built-in License—Cisco ISE comes with a built-in evaluation license, which is valid for 90 days. The evaluation license includes both base and advanced packages and limits the number of endpoints to 100 for both the base and advanced packages. Therefore, it is not required to install a regular license immediately upon installation.
•Central Management—Licenses are centrally managed by the ISE administration node. In a distributed deployment, where two ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.
•Concurrent Endpoint Count—The Cisco ISE license includes a count value for base and advanced packages, which restricts the number of endpoints that use those services. The count value is the number of endpoints across the entire deployment that are concurrently connected to the network and accessing the service.
Concurrent endpoints represent the total number of supported users and devices. An endpoint can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.
IMPORTANT : - Alarm is generated when the soft limit of endpoints is crossed and there is no functional impact on the users. To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. However there are plans to implement a hard limit on this soon.
Regards,
Jatin Katyal
** Do rate helpful posts **

Cisco ISE licensing...

Hi,
seeking help to reduce our ISE licensing cost, actually we are out budget and we planning to order ISE licenses less than what we required, and looking for efficiently using the same, is there any way, i mean if we reduce "user idle timeout" is it reduce our license consumption?
any kind help appreciated...
thank you,

License Count
A Cisco ISE user consumes a license during an active session. Once the sessions has ended, ISE releases the license for reuse by another user.
The Cisco ISE license is counted as follows:
A Base, Plus, or Advanced license is consumed based on the feature that is used.
An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected to wired and also to wireless at the same time. Licenses for VPN connections are based on the IP address.
Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.

CMS/Licensing Rights Requied to Access WebI Extension Points

Hi Experts,
Are there any specific CMS rights (and, What are the specific minimum CMS rights?) and/or licensing requirements (have BOE premium) in order to acess WebI Extension Points added to Menu Bar using DHTML viewer under BOE XI3.1 SP3? Ask as I can see and use the implemented Extension Point when a user belongs to Administrator group but not when said user is not. This is so even if said user is given equivalent of explicit Administrator rights directly.
Apreciate any ideas or input based on experience using WebI Extension Points.
Thanks,
Nicholas.

Hi Nicholas,
Create a new user and name him Test.
By default he has no explicit rights over the particular group.
Give some explicit rights over the Group in which Extension point reports belong to that Test User.
For that Group, open the user security and Add principles.
Give the View right to Group and test the issue.
Regards,
Rohit

Setting up Guest wireless in ISE

I am setting up guest wireless in Cisco ISE 1.3. My question is do these guest wireless connections count to the concurrent ISE connections licensing?

Hi Abhishek,
Licenses are counted against concurrent, active sessions and hence guest users would be counted. You can also that in license consumption on ISE.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html#task_DAB3467E79E84FAEB8F18B775407CB87
Regards,
Kanwal
Note: Please mark answers if they are helpful.

"License Not Valid" Error on BOE XI 3.1 for Web-Intelligence

Hey Everyone,
This has been going on for sometime now. I downloaded the trial version ( BOE ) and installed the temSporary key in it. Now when I go to Infoview it doesn't show the option for Web-Intelligence document. So I went over to Rich Client and tried to log in. Now it gives me the error "License not Valid".
The weird part is I can log into the Designer, DeskI , CMC , and it works perfectly, the only problems I'm getting are in WebI. I've tried doing a clean sweep and still it doesn't work. Any ideas on how to fix this?
Thanks

Can you run the following query in Query Builder and check whether SI_ENABLE_WEBI is true ?
SELECT SI_SYSTEM_INFO FROM CI_SYSTEMOBJECTS WHERE SI_ID = 4
Also, have you tried using a different temporary key?
Best,
Srinivas

How licenses are consumed in BOE XI R2

good day to all, would like to know as the licenses are consumed in BOE XI R2, perceived that this is one of the topics for the exam certification SABE 210
I wait answers
thank's

ninguem respondeu fechei para abrir outro topico

License Consumption in BOE XI

Similar Messages

Maybe you are looking for