This chapter describes the licensing mechanism and licensing schemes that are available in the Cisco Identity Services Engine (ISE) and how to add or upgrade a license.
In Cisco ISE, licensing enables you to provide coverage for increasing numbers of endpoints and offer more complex policy services, depending on the capabilities of the license or licenses that you choose to apply.
Cisco ISE licenses are available in Base, Advanced, and Wireless packages. Each package includes a number of SKUs that is equal to the number of licenses that are included in the package. To use Cisco ISE, you must have a valid Base, Base and Advanced, or Wireless License package.
A single endpoint with multiple network connections may consume more than one Base or Advanced License. This situation can occur, for example, if an endpoint has both a wired and a wireless network connection. Each unique authenticated connection will require its own license.
The Base package includes all of the base services that are required to enable authentication and authorization, Guest services, and link encryption. The Advanced package includes Posture, Profiler, Device Registration and Supplicant Provisioning, and Security Group Access services.
The Base License is consumed whenever an authentication notification is received by Cisco ISE. A single Advanced License is consumed when any one or more of the following services or conditions are applied to the endpoint session:
- Security Group Tag assignment
- Authorization using profile information
- Endpoint is registered in the MyDevices Portal
Cisco ISE is bundled with a licensing mechanism that has the following important features:
- Built-in License—Cisco ISE comes with a built-in evaluation license, which is valid for 90 days. The evaluation license includes both Base and Advanced packages and limits the number of endpoints to 100 for both the Base and Advanced packages. Therefore, you are not required to install a regular license immediately upon installation.
- Central Management—Licenses are centrally managed by the ISE administration node. In a distributed deployment, where two ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.
- License Count—The Cisco ISE license is counted as follows:
– A Base or Advanced license is consumed based on the feature that is utilized.
– An endpoint with multiple network connections can consume more than one license per MAC address. An example is a laptop that is connected to a wired and a wireless network at the same time. Licenses for VPN connections are based on the IP address.
– Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
Note: Sessions without RADIUS activity are automatically purged from the Active Session list every 5 days or if the endpoint is deleted from the system.
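The counting rules above can be modeled for capacity checks. The following is an added example, not Cisco code or an ISE export format: the event tuples are constructed sample data, and it assumes that every active session consumes one Base License plus one Advanced License when an Advanced service applies, and that a session is purged once it has had no RADIUS activity for 5 days.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=5)  # sessions without RADIUS activity are purged

# Constructed sample events (assumed layout, not an ISE format):
# (timestamp, accounting type, session key, Advanced service applied).
# The key is (MAC, medium) for wired/wireless and (IP, "vpn") for VPN,
# so one laptop on wired and wireless holds two sessions.
EVENTS = [
    ("2024-01-01T08:00", "start", ("00:11:22:33:44:55", "wired"), False),
    ("2024-01-01T08:05", "start", ("00:11:22:33:44:55", "wireless"), True),
    ("2024-01-01T09:00", "start", ("10.8.0.12", "vpn"), False),
    ("2024-01-01T10:00", "stop", ("00:11:22:33:44:55", "wired"), False),
    ("2024-01-02T09:00", "interim", ("10.8.0.12", "vpn"), False),
    ("2024-01-03T12:00", "start", ("66:77:88:99:aa:bb", "wireless"), True),
]


def license_usage(events, now):
    """Return (base_in_use, advanced_in_use) at time `now`."""
    active = {}  # session key -> [last RADIUS activity, Advanced service used]
    for ts, kind, key, advanced in sorted(events):
        when = datetime.fromisoformat(ts)
        if when > now:
            break  # events are sorted, nothing later matters
        if kind == "stop":
            active.pop(key, None)  # Accounting Stop ends the session
        elif kind == "start":
            active[key] = [when, advanced]  # Accounting Start opens it
        elif key in active:
            # Interim update: refresh activity, keep any Advanced flag.
            active[key][0] = when
            active[key][1] = active[key][1] or advanced
    # Drop sessions that have been silent for the purge interval.
    live = [s for s in active.values() if now - s[0] < STALE_AFTER]
    base = len(live)
    advanced_count = sum(1 for s in live if s[1])
    return base, advanced_count


if __name__ == "__main__":
    for day in ("2024-01-01T09:30", "2024-01-04T00:00", "2024-01-06T09:00"):
        print(day, license_usage(EVENTS, datetime.fromisoformat(day)))
```

Comparing the returned counts with the allowed endpoint numbers on the Current Licenses page shows how close a deployment is to its limit.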
The following license types are available in Cisco ISE:
- Evaluation License
- Base License
- Advanced License
- Wireless License
Note: Wireless Licenses cannot coexist on an Administration ISE node with Base or Base and Advanced Licenses.
Refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1, for more information about the license types available in the Cisco ISE license scheme.
Viewing Current Licenses
To view current licenses in Cisco ISE, choose Administration > System > Licensing > Current Licenses. The Current License page appears, which contains the following information:
- Administration Node—Name of the Cisco ISE server instance where the primary node is installed.
- ID—Administration node ID which is obtained from the licensing information.
- Version—Version number of the Cisco ISE.
- Base Type—The status or type of the Base License that is currently installed on the Administration node.
- Advanced Type—The status or type of the Advanced License that is currently installed on the Administration node.
- Wireless Type—The status or type of the Wireless License that is currently installed on the Administration node.
After the 90-day evaluation license expires and you install a Wireless License, the Current Licenses page indicates that the Base and Advanced Licenses are “Not Installed.”
- Wireless Upgrade Type—The status or type of the Wireless Upgrade License that is currently installed on the Administration node.
After installing a Wireless Upgrade License, the Current Licenses page indicates that there is now an “Eval (0 Days)” Base License and that the Advanced License is “Not Installed.”
- Licensed To—Name of the organization to which the license has been allotted.
- Base—The ratio in this number represents the number of utilized endpoints versus the number of allowed endpoints that are supported under the current Base licensing scheme. For example, if you are using an evaluation license and have identified only one endpoint, this number is 1/100.
- Advanced—The ratio in this number represents the number of utilized endpoints versus the number of allowed endpoints that are supported under the current Advanced licensing scheme. For example, if you are using an evaluation license and have identified only one endpoint, this number is 1/100.
Viewing Licensing History
You can obtain reports about the license types and actions taken (such as when the license was installed, upgraded, deleted, and so on) from the Licensing History page. To view the licensing history, choose Operations > System > Reports > Licensing History. The Licensing History page appears, which provides the following licensing information:
- Time Stamp—The time at which a particular license was added, updated, or deleted.
- Admin User Name—Name of the Admin User who took the particular action.
- Admin IP Address—IP address of the Cisco ISE node where the license is installed.
- Action—Action taken, such as created, upgraded, deleted, and so on.
- License File—Name of the license file that has been added, updated, or deleted. This column remains blank if the license is an evaluation license.
- Description—A short description of the action taken.
See System Reports for information on how to generate a licensing history report.
Adding and Upgrading Licenses
You can add a license only on a standalone or primary Administration ISE node. You can upgrade your existing evaluation license on or before the expiration of the 90-day evaluation period. You have two options for upgrading or replacing your evaluation license. You must take either of these actions:
- Install a Base License and then choose whether or not to also install an Advanced License
- Install a Wireless License
Make sure that you have obtained and installed the appropriate license on your Cisco ISE node. Refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1, for more information about how to obtain a valid license and how to install it.
To add or upgrade a license, complete the following steps:
Step 1 From the ISE Administration interface, select Administration > System > Licensing > Current Licenses. The Current Licenses page appears with a list of available deployment licenses and their configuration.
Step 2 Click the radio button next to the license name that you want to upgrade, and click Edit.
The Licensed Service page appears, which contains the following information:
- Service—The services that are available on the Cisco ISE node.
- Installations—The services that are currently installed on the Cisco ISE node.
- License File—Type of license that is currently activated on the Cisco ISE node.
- End Points—The number of endpoints that are supported under the current licensing scheme.
- Updated Time—Time at which the license was updated.
- Counter—The number of licenses that are installed in the Cisco ISE node and the number of endpoints that are supported under the current licensing scheme.
Step 3 Click Add Services. The Import New License File page appears.
Step 4 Click Browse to import the new license file that supports the added service.
Step 5 Click Save.
Go back to the Current Licenses page to verify the addition of the upgraded license. For further confirmation, check the features of the respective services for which the license has been upgraded.
You can add a license only on a standalone or primary Administration ISE node. You cannot remove evaluation licenses. If you remove the production licenses within the evaluation period, the evaluation license is restored upon deletion.
If Base, Advanced, or Wireless packages are installed, you can remove each of them individually. If you have installed a combined license, all related installations in the Base and Advanced packages are removed.
Note:
- If the Advanced package count is greater than the Base package count, then the Base package cannot be deleted.
- If you have installed a Wireless Upgrade License after a Wireless License, you must remove the Wireless Upgrade License before you can remove the underlying Wireless License.
To remove a license, complete the following steps:
Step 1 From the Cisco ISE Administration interface, select Administration > System > Licensing > Current Licenses. The Current Licenses page appears with a list of available deployment licenses and their configuration.
Step 2 Click the radio button next to the node name, and click Edit. The Licensed Services page appears.
Step 3 Click the radio button next to the license name that you want to delete, and click Remove.
Step 4 Click OK in the confirmation dialog box to confirm that you want to delete this licensing package.
The Licensed Services page appears, showing the modified status.