Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
Cisco ISE Licenses

Cisco ISE Licenses

This chapter describes the licensing mechanism and schemes that are available for Cisco ISE and how to add and upgrade licenses.

Cisco ISE Licensing

You must have a valid license for Cisco ISE. Licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources.

Licenses are centrally managed by the Administration node. Inline Posture and Policy Service nodes do not require separate licenses. If you have two Administration nodes deployed in a high-availability pair, you can obtain a license based on the hardware IDs of both the primary and secondary Administration nodes. After you obtain the license, add it only to the primary Administration node. The license gets replicated to the secondary Administration node.

After you install the Cisco ISE software and initially configure the appliance as the primary Administration node, you must obtain a license for Cisco ISE as described in Obtaining a Cisco ISE License from Cisco.com and then apply that license according to the instructions in Adding or Upgrading a License. You apply all licenses to the Cisco ISE primary Administration node by using the primary and secondary Administration node hardware ID. The primary Administration node then centrally manages all the licenses that are installed for your deployment.

Cisco ISE, Release 1.2, supports licenses with two hardware IDs. You can obtain a license based on the hardware IDs of both the primary and secondary Administration nodes. For more information on Cisco ISE, Release 1.2 licenses, see the Cisco Identity Services Engine Licensing Note.

To avoid expiration issues that are associated with Base or Advanced features in Cisco ISE, Cisco recommends replacing the default Evaluation License with both a Base and Advanced License at the same time.

  • When you install a Base License over a default Evaluation License, the Base License overrides only the base license-related portion of the Evaluation License and keeps the Advanced License capabilities available for the remainder of the default Evaluation License duration.
  • You cannot upgrade the Evaluation License to an Advanced License without first installing the Base License.
  • When you install a Wireless License over a default Evaluation License, the Wireless License overrides the Evaluation License parameters with the specific duration and user count associated with the Wireless License.

License Count

The Cisco ISE license is counted as follows:

  • A Base or Advanced license is consumed based on the feature that is utilized.
  • An endpoint with multiple network connections can consume more than one license per MAC address, for example, a laptop that is connected to wired and wireless networks at the same time. Licenses for VPN connections are based on the IP address.
  • Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.

Note: Sessions without RADIUS activity are automatically purged from the Active Session list every 5 days or if the endpoint is deleted from the system.


To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generate alarms when endpoint counts exceed the licensed amounts:

  • 80% Info
  • 90% Warning
  • 100% Critical
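
The counting rules above can be reproduced offline from RADIUS accounting records to check license headroom. The following is an added example, not Cisco code: the event tuples, session keys and sample data are constructed, and it assumes that a session is purged after 5 days without RADIUS activity and that an Interim-Update counts as activity.

```python
from datetime import datetime, timedelta

# Assumption: a session with no RADIUS activity for 5 days is dropped.
PURGE_AFTER = timedelta(days=5)
# Alarm thresholds from the list above, highest first.
THRESHOLDS = [(100, "Critical"), (90, "Warning"), (80, "Info")]

def active_sessions(events, now):
    """Replay (time, Acct-Status-Type, session key) records, oldest first.

    The key is (access type, MAC) for wired/wireless and ("vpn", IP) for
    VPN, so one MAC with two connections counts as two sessions.
    """
    last_seen = {}
    for ts, status, key in sorted(events, key=lambda e: e[0]):
        if status == "Start":
            last_seen[key] = ts
        elif status == "Interim-Update" and key in last_seen:
            last_seen[key] = ts          # assumption: counts as activity
        elif status == "Stop":
            last_seen.pop(key, None)     # session closed, no longer counted
    return {k for k, ts in last_seen.items() if now - ts < PURGE_AFTER}

def alarm_level(active, licensed):
    """Return the alarm severity for the current usage, or None below 80%."""
    if licensed <= 0:
        raise ValueError("licensed endpoint count must be positive")
    pct = 100 * active / licensed
    return next((sev for floor, sev in THRESHOLDS if pct >= floor), None)

# Constructed sample data (documentation MAC and IP ranges).
NOW = datetime(2024, 1, 10, 12, 0)
def ago(**kw):
    return NOW - timedelta(**kw)

EVENTS = [
    (ago(days=6), "Start", ("wired", "00:00:5e:00:53:cc")),      # stale, purged
    (ago(hours=5), "Start", ("wired", "00:00:5e:00:53:aa")),     # laptop, wired
    (ago(hours=4), "Start", ("wireless", "00:00:5e:00:53:aa")),  # same laptop
    (ago(hours=3), "Start", ("wireless", "00:00:5e:00:53:bb")),
    (ago(hours=2), "Stop", ("wireless", "00:00:5e:00:53:bb")),   # ended
    (ago(hours=2), "Start", ("vpn", "192.0.2.10")),
    (ago(hours=1), "Start", ("wireless", "00:00:5e:00:53:dd")),
]

if __name__ == "__main__":
    active = active_sessions(EVENTS, NOW)
    print(len(active), "active sessions:", alarm_level(len(active), 5))
```

With a constructed entitlement of 5 endpoints, the laptop's two connections and the VPN session bring the sample to the Info threshold.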

90-Day Evaluation License

All Cisco ISE appliances come with a 90-day Evaluation License that contains Base and Advanced License packages and support for 100 endpoints. The 90-day duration is based on the Cisco ISE system clock.

As the Evaluation License approaches the end of its 90-day period, the Cisco ISE system generates an alarm that prompts you to download and install a valid license. When the Evaluation License expires at the end of its 90-day period, the Admin portal prompts you to install a valid production license. After that, you must enter a base or advanced license through the Administrator user interface to keep both the Guest and Sponsor portals from returning an HTTP 503 error response, reporting to users that the service is not available.

Although the Evaluation License allows you to provide support for both wired and wireless users, purchasing and applying a Wireless License option cuts off support for any wired users that you may have been supporting during the evaluation period.

Base License

Base Licenses are installed by using the Admin portal. Like the Evaluation License, Cisco ISE tracks Base License concurrent user counts. Base Licenses are perpetual licenses that include the following standard Cisco ISE functions:

  • Basic network access
  • Guest management
  • Link encryption

Advanced License

Advanced Licenses are subscription based and can be installed only on top of the Base License. You cannot upgrade an Evaluation License to an Advanced License without first installing a Base License. The Advanced License activates the following important Cisco ISE functions:

  • Profiler
  • Posture
  • Device registration and supplicant provisioning
  • Security group access
  • Endpoint protection services

Licenses are applied to active (authenticated) endpoints. Each authenticated endpoint requires a Base license. The number of Advanced licenses cannot exceed the number of base licenses, or the number of authenticated endpoints.

The Base License is consumed whenever an authentication notification is received by Cisco ISE. A single Advanced License is consumed when any one or more of the following services or conditions are applied to the endpoint session:

  • Posture
  • Security group tag assignment
  • Authorization using profile information
  • Endpoint is registered in the MyDevices Portal

Wireless and Wireless Upgrade Licenses

Like Advanced License packages, Wireless Licenses are subscription based, but Wireless Licenses cannot coexist on a Cisco Administration node with Base or Base and Advanced Licenses.

Wireless Licenses are designed to provide a flexible option exclusively for wireless service providers and offer essential Base License functions such as basic network access, guest services, and link encryption, as well as all Advanced License services, including profiler, posture, and security group access services.

Cisco ISE ensures that wireless customers are able to take advantage of the Wireless License options by allowing RADIUS Wireless authentication requests that originate from a wireless LAN controller (WLC), while dropping other authentication request types.

Wireless Upgrade Licenses are designed to support users that currently subscribe to a Wireless License model and decide to offer Cisco ISE support for non-wireless endpoints in the network as well. Rather than uninstall licenses and revert to a Base and Advanced License scheme, you can upgrade to a Wireless Upgrade License, which provides the full range of Cisco ISE functions and policy management capabilities for all wireless and non-wireless client-access methods, including wired and VPN Concentrator access.

You can only install a Wireless Upgrade License option on top of an existing Wireless License with the same allowable endpoint count. You cannot install a Wireless Upgrade on top of a Base plus Advanced License package.

Obtaining a Cisco ISE License from Cisco.com

To continue to use Cisco ISE services after the 90-day Evaluation License expires, and to support more than 100 concurrent endpoints on the network, you must install a Base, Base and Advanced, or Wireless license package for Cisco ISE. License files are based on a combination of the Cisco ISE hardware ID and Product Authorization Key (PAK). When you purchase Cisco ISE, or before the 90-day license expires, you can research the licensing options on Cisco.com and order the package that is suitable for your deployment of Cisco ISE.

If you have two Administration nodes deployed in a high-availability pair, you must ensure that each of them has the same license capabilities, and add the licenses while the node is in a standalone or primary state.

Within an hour of ordering your license files from Cisco.com, you should receive an e-mail with the Cisco Supplemental End-User License Agreement and a Claim Certificate containing a PAK for each license that you order. After receiving the Claim Certificate, you can log in and access the Cisco Product License Registration website at http://www.cisco.com/go/license and provide the appropriate hardware ID information and PAK to generate your license.

You must supply the following specific information to generate your license file:

  • Product identifier (PID)
  • Version identifier (VID)
  • Serial number (SN)
  • PAK

See the Cisco Identity Services Engine Licensing Note for more details.

The day after you submit your license information in the Cisco Product License Registration website, you will receive an e-mail with your license file as an attachment. Save the license file to a known location on a local machine and use the instructions in Adding or Upgrading a License to add and update any product licenses for Cisco ISE.

For detailed information and license part numbers that are available for Cisco ISE, including licensing options for new installations as well as migration from an existing Cisco security product like Cisco Secure Access Control Server, see the Cisco Identity Services Engine Ordering Guidelines at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html.

Determining Your Hardware ID Using the CLI

Cisco ISE licenses are generated based on the Administration node hardware ID, not the MAC address.

To determine the Hardware ID, access the Cisco ISE direct-console CLI and enter the show inventory command. The output includes a line showing the PID, VID, and SN, similar to the following:

PID: NAC3315, VID: V01, SN: ABCDEFG

Determining Your Hardware ID Using the Admin Portal

Cisco ISE licenses are generated based on the Administration node hardware ID, not the MAC address.

If your current license has not expired, you can view the Administration node hardware ID by completing the following steps:


Step 1 From the Cisco ISE Administration interface, choose Administration > System > Licensing.

Step 2 In the License Operations navigation pane, click Current Licenses.

Step 3 Select the button corresponding to the Cisco ISE node that you want to check for the Administration node hardware ID, and click Administration Node to view the PID, VID, and SN.


 

Adding or Upgrading a License

You can add a license only on a standalone or a primary Administration node. You can upgrade your existing Evaluation License on or before the expiration of the 90-day evaluation period. You have two options for upgrading or replacing your Evaluation License:

  • Install a Base license and then choose whether or not to also install an Advanced license
  • Install a Wireless license

A single endpoint with multiple network connections may consume more than one Base or Advanced License. This situation can occur, for example, if an endpoint has both a wired and a wireless network connection. Each unique authenticated connection will require its own license.

Before You Begin

Make sure that you have obtained and installed an appropriate license on your Cisco ISE node. See Obtaining a Cisco ISE License from Cisco.com for more information.


Step 1 From the Cisco ISE Administration interface, choose Administration > System > Licensing > Current Licenses.

Step 2 Click the radio button next to the license name that you want to upgrade, and click Edit.

Step 3 Click Add Services.

Step 4 Click Browse and select the license file.

Step 5 Click Import to import the new license file that supports the added service.

Step 6 Go back to the Current Licenses page to verify the addition of the upgraded license. For further confirmation, check the features of the respective services for which the license has been upgraded.


 

Removing a License

You can remove individual Base, Advanced, and Wireless licenses, but keep in mind the following conditions:

  • If the Advanced package count is greater than the Base package count, then the Base package cannot be deleted.
  • If you install a combined license, all related installations in the Base and Advanced packages are also removed.
  • If you remove a production-level license within the standard 90-day evaluation period, the Evaluation License is automatically restored after you remove the production license.
  • You cannot remove Evaluation Licenses.

Before You Begin

If you have installed a Wireless Upgrade license after a Wireless license, you must remove the Wireless Upgrade license before you can remove the underlying Wireless license.


Step 1 Choose Administration > System > Licensing > Current Licenses.

Step 2 Click the radio button next to the relevant node name, and click Edit.

Step 3 Click the radio button next to the license name that you want to delete and click Remove.

Step 4 Click OK.