Cisco Identity Services Engine Ordering Guide

Updated: February 14, 2022




1. Understanding the Cisco Identity Services Engine use cases

This section is to help you understand the various use cases that the Cisco Identity Services Engine (ISE) can empower you to solve. This is a great place to start if you are looking to understand the use cases, see what fits your needs and understand the quantity and types of licenses needed. You may choose to implement multiple use cases.

Figure 1. Cisco Identity Services Use-cases

1.1 Guest and Secure Wireless Access

1.1.1 Why Guest

Many organizations provide free Internet access to guests visiting their organization for a short period. These guests include vendors, retail customers, short-term vendors/contractors, etc. Cisco ISE provides the ability to create accounts for these visitors and authenticate them for audit purposes. There are three ways in which Cisco ISE can provide Guest access: Hotspot (immediate non-credentialed access), Self-Registration and Sponsored Guest access. Cisco ISE also provides a rich set of APIs to integrate with other systems such as vendor management systems to create, edit and delete Guest accounts. Further, the various portals that the end user sees can be completely customized with the right font, color, themes, etc. to match the look and feel of the customer’s brand.

1.1.2 How does Guest work

Figure 2. Cisco ISE Guest Use-Case

Cisco ISE creates local accounts for Guests. These accounts can be created by an employee hosting the Guest (the Sponsor) using a built-in portal or created by the Guest themselves by providing some basic info. The Guest can receive credentials via email/SMS and use that to authenticate themselves to the network and thereby get network access. The admin can define what level of access to provide to such users.

Required license: ISE Essentials

1.1.3 Why Secure Wireless Access

Most organizations start by securing their wireless network, which is the most basic need for every organization. Using Cisco ISE, network administrators can secure access to the network by allowing only authorized users and wireless devices, such as mobile phones, tablets or laptops (BYOD or organization owned) and other wireless “things”, to connect to the network and then enforce different security policies. Authentication and authorization are core functionalities of Cisco ISE. Every Cisco ISE session begins with authentication, whether of a user or of a device. Authentication can be active or passive: active authentication is done using 802.1X, where Cisco ISE authenticates the user against an Identity Source, while in passive authentication (used in Easy Connect, which does not involve an 802.1X session) Cisco ISE learns about the user after the user authenticates against the Identity Source, such as Microsoft’s Active Directory (AD), and AD notifies ISE.

1.1.4 How does Secure Wireless Access work

Figure 3. Cisco ISE Secure Wireless Use-case

After successful authentication, Cisco ISE uses the group information to grant the right access for the wireless connection, whether the connection is a Passive Identity session (Easy Connect), MAB (MAC Authentication Bypass) or 802.1X. This is achieved by assigning the user to a VLAN, applying a DACL or ACL, or assigning an SGT or SGACL.

Required license: ISE Essentials (SGT or SGACL will require ISE Advantage)

1.2 Asset Visibility

1.2.1 Why Asset Visibility

Understanding the device type is many times a critical element in determining the type of network access that should be granted to the device. For example, a building management system such as an IP camera or an elevator should be given access to a specific part of the network (such as the building management services network) while a printer should be given access to another part of the network (such as IT services). Having visibility helps the IT administrator determine the types of devices on their network and how to provide them with the right level of permissions. Basic asset visibility profiles endpoints by matching their network attributes to known profiles. Advanced asset visibility performs deeper analysis of the different conversations that applications on these devices have with other endpoints and servers on the network through Deep Packet Inspection (DPI). While basic asset visibility will provide you with visibility to most of your network, especially to your traditional devices (printers, mobile phones, etc.), advanced asset visibility will provide you with visibility into more vertical-specific and IoT-type of devices.

1.2.2 How Basic Visibility (Cisco ISE profiling visibility) works

Figure 4. Cisco ISE Basic Visibility Use-case

Basic asset visibility in Cisco ISE is accomplished through the Profiler service, which gathers information about a device by listening to its network communication. The likely device type is determined by weighing the information from most definitive to least definitive attributes.

Based on the asset’s visibility, the next step in securing your network asset continuum is to enforce access. Basic Asset Enforcement allows you to use the categorization of endpoints by profile in your network access policy. This ensures that, based on the visibility learnt for an endpoint, it is given only the network permissions for its profile. Printers will only be able to receive access to print servers or to anyone needing printing services, and mobile BYOD devices will only receive access to internet services and low-risk internal systems.

Required license: ISE Advantage

1.2.3 How Advanced Asset Visibility (Endpoint Analytics visibility) works

Endpoint Analytics is designed to improve endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to a variety of endpoints. This is done by analyzing endpoint attributes through Deep Packet Inspection (DPI) and other probes aggregated from different sources such as SD-AVC, Cisco ISE, and other third-party components.

It uses Artificial Intelligence (AI) and machine learning to intuitively group endpoints that have common attributes and helps IT admins in providing suggestions to choose the right endpoint profiling labels. Multifactor classification classifies endpoints using label categories for flexible profiling. These endpoint labels can then be used in Cisco ISE to create custom profiles that form the basis of providing the right set of access privileges to endpoints/endpoint groups via an authorization policy.

Figure 5. Cisco ISE Advanced Asset Visibility Use-case

Required license:

Basic Asset Visibility and Enforcement - ISE Advantage

Endpoint Analytics Visibility and Enforcement – ISE Advantage

1.3 Compliance (Posture)

1.3.1 Why Compliance Visibility

Saboteurs focus on intentional data corruption (ransomware) and data exfiltration, which compromise endpoints on a network. The most effective and well-publicized compromises take advantage of known issues that could have been simply remediated but were overlooked. Compliance Visibility allows organizations to view how user endpoints comply with corporate policy through Posture and/or integration with Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) systems (supported MDM/EMM systems are listed in the Cisco ISE Network Component Compatibility document). Using either Cisco ISE’s Posture engine or an MDM, an organization can evaluate how many endpoints are compliant, and ensure that noncompliant software is not installed and/or running.

1.3.2 How does Compliance work

Figure 6. Cisco ISE Compliance Visibility Use-case

Posture leverages installed and temporal agents looking inside the endpoint to provide assurance that operating system patches, antimalware, firewall, and more are installed, enabled, and up to date before authorizing the device onto the network.

Having good visibility into which endpoints comply with the corporate software policy is usually not enough; customers might want to enable differentiated access to endpoints based on their compliance level. Compliance Enforcement takes the overall compliance status, derived either through Cisco ISE’s own Posture engine or through the MDM/EMM integrations above, and uses it in an access policy. Combined with other attributes, e.g. identity, this enables a powerful capability that lowers organizational risk and shrinks the overall threat surface created by non-compliant, unhygienic endpoints trying to connect to the network. Such a policy can allow fully compliant endpoints full access to the resources their user requires, while allowing endpoints found non-compliant access only to remediation systems, help-desk systems and/or low-risk services. Using either Cisco ISE’s Posture engine or an MDM, an organization can evaluate how many endpoints are compliant, and ensure that non-compliant endpoints with outdated and/or unsupported software cannot access critical resources.

Required license: ISE Premier (with AnyConnect Apex if using AnyConnect or AnyConnect Stealth)

1.4 Secure Wired Access

1.4.1 Why Secure Wired Access

Securing the wired network is essential to prevent unauthorized users from connecting their devices to the network. Using Cisco ISE, network administrators can provide secure network access by authenticating and authorizing users and devices. Authentication can be active or passive. An active authentication is done using 802.1X when Cisco ISE authenticates the user against an Identity Source. Passive authentication involves Cisco ISE learning the user’s identity via Active Directory (AD) domain logins or other indirect means. Once the user or device authenticates successfully, authorization takes place. Authorization can be achieved by assigning the endpoint’s network access session with a dynamic VLAN, downloadable ACL, or other segmentation methods.

1.4.2 How does Secure Wired Access work

Figure 7. Cisco ISE Secure Wired Access Use-case

Cisco ISE authenticates the users and endpoints via 802.1X, Web Authentication, MAB and other means. Cisco ISE can query external identity sources for identity resolutions and apply appropriate network policies by instructing the network devices.

Required license: ISE Essentials

1.5 Bring Your Own Device (BYOD)

1.5.1 Why BYOD

Many organizations have instituted a policy that allows the employees to connect their personal devices such as smartphones to the corporate wireless network and use it for business purposes. This is referred to as the Bring Your Own Device (BYOD) policy. However, since these devices are owned by the individuals, they don’t like to install management software that allows organizations to “manage” the endpoint. In such situations, Cisco ISE provides a very streamlined method to automate the entire BYOD onboarding process – from device registration, supplicant provisioning to certificate installation. This can be done on devices across various OS platforms like iOS, Android, Windows, macOS and ChromeOS. The Cisco ISE My Devices Portal, that is completely customizable, allows the end users to onboard and manage various devices.

1.5.2 How does BYOD work

Figure 8. Cisco ISE BYOD Use-case

Cisco ISE provides multiple elements that help automate the entire onboarding aspect of BYOD. This includes a built-in Certificate Authority (CA) to create and help distribute certificates to different types of devices. The built-in CA provides complete certificate lifecycle management. Cisco ISE also provides a My Devices Portal, an end-user-facing portal, that allows the end user to register their BYOD endpoint as well as mark it as lost so that it is placed on the blocked list and kept off the network. BYOD onboarding can be accomplished either through a single SSID or through a dual SSID approach. In a single SSID approach, the same SSID is used to onboard and connect the end user’s device, while in a dual SSID approach a different open SSID is used to onboard the devices, after which the device connects to a different, more secure SSID. For customers that want to provide a more complete management policy, BYOD can be used to connect the end user to the MDM onboarding page as well.

For a list of Enterprise and Mobility Management partners that integrate with Cisco ISE, see the Cisco Security Technology Alliance page and filter on Market Segment: EMM/MDM.

Required license: ISE Advantage

1.6 Rapid Threat Containment (RTC)

1.6.1 Why Threat Containment

Cisco RTC makes it easy to get fast answers about threats on your network and to stop them even faster. It uses an open integration of Cisco security products, technologies from Cisco partners, and the extensive network control of Cisco ISE.

With integrated network access control technology, you can manually or automatically change your users’ access privileges when there’s suspicious activity, a threat or vulnerabilities discovered. Devices that are suspected of being infected can be denied access to critical data while their users can keep working on less critical applications.

1.6.2 How does Rapid Threat Containment work

Figure 9. Cisco ISE RTC Use-case

Upon detecting a flagrant threat on an endpoint, a pxGrid eco-system partner can instruct ISE to contain the infected endpoint either manually or automatically. The containment can involve moving the device to a sandbox for observation, moving it to a remediation domain for repair, or removing it completely. ISE can also receive the standardized Common Vulnerability Scoring System (CVSS) classifications and the Structured Threat Information Expression (STIX) threat classifications, so that graceful manual or automatic changes to a user’s access privileges based on their security score can be made.

Cisco ISE integrates with more than 75 eco-system partners over pxGrid to implement several use cases. Technical details about Cisco ISE integrations can be found in the Cisco ISE Security Ecosystem Integration Guides.


Required license: ISE Advantage

1.7 Segmentation

1.7.1 Why Segmentation

Network segmentation is a proven technology to protect critical business assets, but traditional approaches are complex. Cisco Group Based Policy/TrustSec software-defined segmentation is simpler to enable than VLAN-based segmentation. Policy is defined through security groups. It is an open technology in the IETF, available within OpenDaylight, and supported on third-party and Cisco platforms. Cisco ISE is the Segmentation controller, which simplifies the management of switch, router, wireless, and firewall rules. Group Based Policy / TrustSec Segmentation provides better security at lower cost compared to traditional segmentation. Forrester Consulting found in an analysis of customers that operational costs are reduced by 80% and policy changes are 98% faster.

1.7.2 How does Segmentation work

Figure 10. Cisco ISE Segmentation Use-case

The illustration above shows that users and devices are assigned to security groups; their group membership is then known throughout the network, so any enforcement device along the path can evaluate policy based on the approved group-to-group communication.

1.7.3 Software Defined Access

Segmentation is a key element of Software Defined Access (SDA). Together Cisco Digital Network Architecture (DNA) Controller and Cisco ISE automate network segmentation and group-based policy. Identity based Policy and Segmentation decouples security policy definition from VLAN and IP addresses. The Software Defined (SD) Access Design and Deployment guides detail the configuration and deployment of Group Based Policy.

Figure 11. Cisco ISE SDA Integration Use-case

To extend segmentation across the enterprise network, Cisco ISE interfaces with the Cisco Application Centric Infrastructure (ACI) Controller, also called the Application Policy Infrastructure Controller – Data Center (APIC-DC), to learn EPG names and to share Security Group (SG) names with their corresponding EPG value, SGT value and Virtual Routing and Forwarding (VRF) name. This allows Cisco ISE to create and populate SG-EPG translation tables, which the border device obtains to translate TrustSec and ACI identifiers as traffic passes across the domains. The TrustSec – ACI Policy Plane integration guide gives an overview of ACI and the configuration of the policy plane integration.

TrustSec technology is supported in over 50 Cisco product families and works with open source and third-party products. Cisco ISE acts as the policy controller for routers, switches, wireless, and security products. Details about product TrustSec capabilities are provided in the Platform Capability Matrix. The Quick Start Config Guide illustrates a typical TrustSec network deployment with step-by-step configuration of a sample environment. For more options, please refer to the Design Guides.

Required license: ISE Advantage

Note:      Licenses that enable Segmentation via SDA: Advantage or Premier on Cisco ISE, and Cisco DNA Premier / Cisco DNA Advantage. Please find more information in the SDA Ordering Guide.

1.8 Security Ecosystem Integrations

1.8.1 Why Security Ecosystem Integrations

Cisco ISE builds contextual data about endpoints in terms of its device type, location, time of access, posture, user(s) associated to that asset and much more. Endpoints can be tagged with Scalable Group Tags (SGTs) based on these attributes. This rich contextual insight can be used to enforce effective network access control policies and can also be shared with eco-system partners to enrich their services. For example, in the Cisco Next Generation Firewall (NGFW), policies can be written based on the identity context such as device-type, location, user groups and others, received from Cisco ISE. Inversely, specific context from third-party systems can be fed into the Cisco ISE to enrich its sensing and profiling capabilities, and for Threat Containment. The context exchange between the platforms can be done via Cisco® pxGrid or REST APIs.

External RESTful Services (ERS) on Cisco ISE serves both the purpose of context sharing (in and out) and management of Cisco ISE for specific set of use cases over REST APIs.

1.8.2 How do Security Ecosystem Integrations work?

Figure 12. Cisco ISE Security Integration

The context exchange between the platforms can be done via Cisco® pxGrid or REST APIs.

Cisco ISE integrates with more than 75 eco-system partners over pxGrid. Technical details about these integrations can be found in the ISE Security Ecosystem Integration Guides.

A complete list of eco-system partners can be found in Cisco Secure Technical Alliance Partners.

Required license: ISE Advantage

1.9 Device Administration (TACACS+)

1.9.1 Why Device Administration

Network and security administrators typically own the task of administering and monitoring network and security devices in an enterprise. When there are only a handful of devices, keeping track of the admin users, privileges, and changes to configuration is not very difficult. However, when the network grows to tens, hundreds, and thousands of devices, managing them without automation and a smooth workflow becomes a nightmare. Cisco ISE provides the capability to automate device administration tasks with clean workflows and monitoring capabilities within a controlled space in the UI, using the TACACS+ protocol, which allows different permissions to be granted to different network operators.

1.9.2 How does Device Administration work

Figure 13. Cisco ISE Device Administration Use-case

When a network administrator tries to connect to a network device, the device sends out a “request for connection” to Cisco ISE, and Cisco ISE asks for their credentials. Credentials are verified against an identity source.

Next, the network device asks Cisco ISE to authorize the network administrator. Once they get access to the shell prompt, the network administrator can start executing commands. Cisco ISE can be configured to authorize individual commands as well.
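The three decisions just described (authenticate the administrator, authorize a shell, then authorize each command) can be followed end to end in the added model below. It is an illustration written for this guide, not Cisco ISE code: the identity store, the groups, the device types, the shell-authorization rules and the command sets are all constructed for the example, and the policy shapes (privilege level plus a permit/deny command set with deny rules taking precedence) are a simplified stand-in for how a TACACS+ policy server would express least-privilege device administration.

```python
"""Simplified model of a TACACS+ device-administration decision flow.
Not Cisco ISE code: users, groups, device types and command sets are
constructed for this example."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Optional


# --- Identity source (constructed; stands in for AD or the internal user store) ---
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, groups: list) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "groups": groups}


IDENTITY_STORE = {
    "alice": _make_user("correct-horse-battery", ["NetOps-Admins"]),
    "bob": _make_user("staple-staple", ["NetOps-Helpdesk"]),
}


def authenticate(username: str, password: str) -> Optional[list]:
    """Return the user's groups on success, None on failure."""
    user = IDENTITY_STORE.get(username)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
        return None
    return list(user["groups"])


# --- Command sets: per-command authorization, deny rules win over permit rules ---
@dataclass
class CommandSet:
    name: str
    permit: list = field(default_factory=list)  # (command regex, argument regex)
    deny: list = field(default_factory=list)
    permit_unmatched: bool = False  # what happens when no rule matches

    def allows(self, cmdline: str) -> bool:
        command, _, args = cmdline.strip().partition(" ")
        for cmd_re, arg_re in self.deny:
            if re.fullmatch(cmd_re, command) and re.fullmatch(arg_re, args):
                return False
        for cmd_re, arg_re in self.permit:
            if re.fullmatch(cmd_re, command) and re.fullmatch(arg_re, args):
                return True
        return self.permit_unmatched


PERMIT_ALL = CommandSet("PermitAllCommands", permit_unmatched=True)
READ_ONLY = CommandSet(
    "ReadOnly",
    permit=[("show", ".*"), ("ping", ".*"), ("exit", "")],
    deny=[("show", "running-config.*"), ("show", "startup-config.*")],
)


# --- Shell authorization rules: first match wins, no match means no shell ---
@dataclass
class ShellRule:
    group: str
    device_type: str  # "*" matches any device type
    privilege: int
    command_set: CommandSet


AUTHZ_RULES = [
    ShellRule("NetOps-Admins", "*", 15, PERMIT_ALL),
    ShellRule("NetOps-Helpdesk", "access-switch", 1, READ_ONLY),
]


def authorize_shell(groups: list, device_type: str):
    for rule in AUTHZ_RULES:
        if rule.group in groups and rule.device_type in ("*", device_type):
            return rule.privilege, rule.command_set
    return None


def run_session(username: str, password: str, device_type: str, commands: list) -> list:
    """Full flow for one admin login; returns accounting-style (event, detail, result) records."""
    log = []
    groups = authenticate(username, password)
    if groups is None:
        log.append(("authn", username, "FAIL"))
        return log
    log.append(("authn", username, "PASS"))
    shell = authorize_shell(groups, device_type)
    if shell is None:
        log.append(("shell-authz", device_type, "DENY"))
        return log
    priv, cmdset = shell
    log.append(("shell-authz", f"priv={priv} cmdset={cmdset.name}", "PERMIT"))
    for cmd in commands:
        log.append(("cmd-authz", cmd, "PERMIT" if cmdset.allows(cmd) else "DENY"))
    return log


if __name__ == "__main__":
    for record in run_session("bob", "staple-staple", "access-switch",
                              ["show interfaces", "show running-config", "configure terminal"]):
        print(record)
```

The accounting records the model returns are the point for a defender: every authentication, shell authorization and command decision is logged, so a helpdesk account attempting `show running-config` on an access switch, or a shell request against a device type its rule does not cover, shows up as an explicit DENY rather than silently succeeding.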

1.9.3 How do I license Device Administration

  • License that enables Device Administration: Device Admin License
  • License consumption: Device Administration licenses are consumed per Policy Service Node (PSN). You must have a Device Administration license for each policy service node on which you enable the TACACS+ service. Device Administration using TACACS+ does not consume endpoint sessions, and there is no limit on the number of network devices for Device Administration. The user does not require an Essentials license.
  • Find the SKU in Cisco ISE Device Admin SKUs.

2. What you need for your Cisco ISE deployment

This section helps new customers understand the primary components needed in order to start the deployment. This is a great place to start if you’re looking to understand the Cisco ISE licenses, appliances and services offered.

Figure 14. Cisco ISE Deployment

2.1 Licenses

2.1.1 Understanding the License model

Subscriptions Overview

Cisco ISE licenses are licensed on a subscription basis. Subscriptions are available for standard term lengths of 1, 3, and 5 years. Following the completion of the term, the subscription will be automatically renewed for an additional 1-year term unless the renewal is canceled.

Existing subscriptions may be changed during the term of the subscription. Changes may be made to products and/or quantities ordered. Additional quantities may be added to the subscription at any time during the subscription term by placing a “change-subscription” order. Quantities added through a Change-Subscription order will co-terminate with the existing subscription. Quantities may be decreased for a subscription renewal, but not mid-term for a current subscription. Click on this Job Aid for more information on the change-subscription transaction.

Cisco ISE Licensing

Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources. Licensing in Cisco ISE is supplied as feature-based packages with different features supported in each of the Essentials, Advantage, or Premier license. This licensing structure is referred to as a nested-doll model, which means that the higher-tier license already includes all lower-tier features. For example, the ISE Premier license includes all ISE Advantage and ISE Essential features. Similarly, the ISE Advantage license includes all ISE Essential features. The subscription term for each tier is 1, 3, and 5 years.

Figure 15. Licensing Model Changes

Session Bands

The session-based license follows a tiered pricing model where pricing depends on the session count and the term of the subscription. Sales and partner representatives should determine the correct sizing for each customer deployment so that the appropriate session count is selected (the minimum is 100 sessions). Cisco Commerce (CCW) will dynamically determine the correct price associated with the session count that is entered.

Session Bands:

  • 100 – 999 Sessions
  • 1000 – 2499 Sessions
  • 2500 – 4999 Sessions
  • 5000 – 9999 Sessions
  • 10,000 – 24,999 Sessions
  • 25,000 – 49,999 Sessions
  • 50,000 – 99,999 Sessions
  • 100,000+ Sessions

2.1.2 Overall feature view

Below is a list of the Cisco ISE licenses offered. Each higher-tier license package is inclusive of the features of the lower Cisco ISE license tier package. Examples: Advantage includes the features of Advantage AND the features of Essentials, and Premier includes the features of Premier, Advantage, AND Essentials. Device Administration and IPSec licenses contain only the features for that license.

Table 1. Cisco ISE features and licenses mapping (license columns: Essentials, Advantage, Premier, DA; the X marks of each row are kept in the order they appear)

Access to the Network
  • Basic RADIUS authentication, authorization, and accounting, including 802.1X, MAC Authentication Bypass and Easy Connect, and Web authentication: X
  • MACsec (all): X
  • SSO, SAML, ODBC-based authentication: X
  • Guest portal and sponsor services: X
  • Representational state transfer (monitoring) APIs: X
  • External RESTful services (CRUD)-capable APIs: X
  • PassiveID (Cisco Subscribers): X
  • PassiveID (Non-Cisco Subscribers): X X
  • Secure Wired and Wireless Access: X
  • Device registration (My Devices portal) and provisioning for Bring Your Own Device (BYOD) with built-in Certificate Authority (CA): X X

Segmentation
  • Security Group Tagging (Cisco TrustSec® SGT) and ACI integration: X X

Asset Visibility
  • Basic Asset Visibility and Enforcement (Profiling): X X
  • Basic Asset Feed Service: X X
  • Advanced Asset Visibility (Endpoint Analytics): X X
  • Advanced Asset Enforcement (Endpoint Analytics): X X
  • Visibility and Enforcement based on Location-based integration: X X

Context Sharing and Response
  • Context Sharing and Security Ecosystem Integrations: X X
  • Endpoint Protection Services (EPS): X X X
  • Rapid Threat Containment (RTC) (using Adaptive Network Control and context sharing): X X

Compliance
  • Posture Visibility and Enforcement (*): X X X
  • Visibility and Enforcement through Enterprise Mobility Management and Mobile Device Management (EMM and MDM) integration: X X X
  • Threat-centric NAC: X X X

Device Administration
  • Device Administration (TACACS+): X X X

(*) For deployments looking to use Cisco AnyConnect for posture across wired, wireless, and VPN, Cisco AnyConnect Apex licenses should be ordered in addition to Cisco ISE Premier licenses. Please see the Cisco AnyConnect Ordering Guide for additional information regarding AnyConnect licenses.

2.1.3 Features and exceptions to consumption of license

Almost all features, irrespective of the ISE license, consume a license session, except for those listed in the table below:

Table 2. ISE features not consuming license sessions

| Cisco ISE Feature or Service | Description | License consumed |
|---|---|---|
| PassiveID (Cisco-only Subscribers) | Gathering, collating, and caching authentication data (username, IP address and MAC) from other servers in the data center and distributing the authentication data to subscribing systems | No |
| PassiveID (Non-Cisco Subscribers) | Gathering, collating, and caching authentication data (username, IP address, and MAC) from other servers in the data center and distributing the authentication data to subscribing systems | No |
| Profiler feed service | Dynamic downloading of endpoint classification rules | No |
| My Devices portal* and NSP | Self-service web portal for users to add and manage their sessions with automatic Network Supplicant Provisioning (NSP) | No |
| Context sharing | User and endpoint contextual attribute (who, what, where, when, etc.) data exchange between Cisco ISE and third-party systems through pxGrid | No |
| Endpoint Protection Services (EPS) | APIs for delivering dynamic network controls of active network sessions | No |
| Cisco TrustSec and ACI integration | The ACI TrustSec integration provides a solution interconnecting the administrative domains of Cisco TrustSec and Application Centric Infrastructure (ACI) to provide consistent end-to-end policy segmentation. | No |

Take me to the Cisco ISE License SKUs

Note:      It is still required to have at least as many licenses as there are endpoints in the deployment, even for a feature that does not directly consume sessions.

2.1.4 Context exchange licensing requirements

Table 3. License requirement for Context Exchange

| Authentication Mechanism | Context Shared With | License Requirement |
|---|---|---|
| Cisco ISE | Cisco platforms | Advantage 1:1 Number of endpoints |
| Cisco ISE | Third-party platforms | Advantage 1:1 Number of endpoints |
| Non-ISE Authentication (e.g., AD) | Cisco platforms | Essentials |
| Non-ISE Authentication (e.g., AD) | Third-party platforms | Advantage 1:1 Number of endpoints |

Note:      Each active endpoint’s context shared with an external system will consume an Advantage license. Each active endpoint session information shared with an external system will need a 1:1 Advantage license. For example, when a Windows laptop authenticates via 802.1X, one Essentials license is consumed. If this endpoint’s context is shared with Cisco Stealthwatch or NGFW, one additional Advantage license will be consumed.

2.1.5 Device Admin license and corresponding features

To manage administrative access to network devices.

Take me to the Cisco ISE Device Admin SKUs

2.1.6 IPSec license and corresponding features

Allows VPN communication between Cisco ISE PSNs and Cisco Network Access Devices.

Take me to the Cisco ISE IPSec SKUs

2.1.7 Product and solution bundle offerings

ISE licenses are also available as part of Cisco’s many product and solution bundle offerings.

  • Enterprise Agreement
  • Enterprise License Agreement

2.2 Appliances

Cisco ISE supports both physical and virtual appliances. For more details on Cisco ISE appliances, refer to Cisco Secure Network Server Data Sheet.

2.2.1 Hardware

These are physical appliances delivered by Cisco that reside in your deployment.

Please note that Cisco ISE appliances always ship with the latest version of software, but the software version can be changed manually. This would be in the form of a fresh installation. Please refer to the release notes and administrator guide of the Cisco ISE release you plan to install.

2.2.2 Virtual Machine

Cisco ISE virtual appliances are supported on VMware ESX/ESXi 5.x and 6.x, KVM on Red Hat Enterprise Linux (RHEL) 7, Amazon Web Services (AWS), and Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later. Virtual appliances should be run on hardware that equals or exceeds the configurations of the physical platforms listed in the Cisco ISE data sheet. The Cisco ISE virtual machine must meet the memory and disk space requirements, which can be found in the Cisco Identity Services Engine Installation Guide. For detailed information about Cisco ISE on AWS, please refer to Install Cisco ISE with Amazon Web Services.

2.3 Services

2.3.1 Technical Services

Support for Appliances and Perpetual licenses

Customers can purchase Smart Net Total Care® for Cisco ISE physical appliances and Software Support (SWSS) contracts for Cisco ISE virtual machines or the ISE-PIC virtual machine, along with the option to upgrade support to Solution Support. The support on Cisco ISE physical or virtual appliances also covers Base and Device Admin deployments.

Cisco Software Support Basic (SWSS) is included for the duration of all Cisco ISE subscription licenses; however, Smart Net Total Care or another level of service must be purchased on the physical or virtual appliance to activate that SWSS.

Support for Subscription licenses

Higher-value service levels, Solution Support and Software Support Enhanced and Premium, are available for all Cisco ISE subscription licenses. Note that Solution Support is not available for ISE Plus and Apex licenses.

Software Support Enhanced and Premium services provide everything included in Software Support Basic plus a richer feature set, such as prioritized case handling, direct access to highly skilled engineers with solution-level expertise, and onboarding and technical adoption assistance. For additional information on Software Support for Cisco ISE, see the Cisco Software Support for Security Data Sheet. Note that Software Support Enhanced is the recommended support level for ISE subscription licenses.

To order software support for ISE 3.0 and later, support options are available in the product configuration. Start by configuring the product in Cisco Commerce Workspace (CCW) and then editing the “ISE Support” section.

Figure 16.           Software Support selection for ISE 3.0 and later on CCW

For ISE subscription licenses prior to ISE 3.0, Software Support can be ordered in CCW using this PID: CISE-SW-SUPP. For the desired ISE license, select either Software Support Enhanced or Premium based on the number of concurrent sessions. See below:

Figure 17.           Software Support selection for subscription licenses prior to ISE 3.0 on CCW

2.3.2 Advisory Services

Cisco offers Advisory Services to address your business objectives with the technology we offer. For example, the Cisco Security Segmentation Service provides a strategic infrastructure segmentation approach to ensure the success of your Segmentation initiative.

2.3.3 How does service work with product

Although the underlying product is perpetual, the associated support is term based. So, once the support term expires, customers should individually renew them. Software Support Basic is included for the duration of term licenses.

If customers upgrade the version of their virtual machine or migrate their licenses, the associated support is not migrated automatically. However, customers can continue to receive support based on the support contract they initially purchased, and can continue to renew that support until the initially purchased product reaches end of life (EOL) and passes the last date of service renewal given in the EOL bulletin. For seamless support in such cases, customers should open a case with Cisco Customer Service and request that the EOL product PID be replaced with the desired product PID so that support can be renewed and received.

3. What’s new in 3.1

This section helps existing ISE customers understand the latest SKUs available for ISE, find the end-of-life announcements for ISE SKUs, and compare legacy and current SKUs.

3.1 End-of-life notices

Please find all end-of-life notices announced for various ISE licenses and appliances here.

3.2 Simplified Virtual Machine License

3.2.1 Virtual Machine Common license for ISE 3.1 and the license migration

Customers need to register the VM Common license for ISE 3.1 and later. Starting with the 3.1 release, Cisco ISE is available from the cloud, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing business needs. Cisco ISE is available as an infrastructure-as-code solution, helping you rapidly deploy network access and control services anywhere. You can securely extend the Cisco ISE policies in your home network to new remote deployments through AWS. There are three types of Cisco ISE instances in AWS; you can configure your Policy Administration Nodes (PANs) or Monitoring and Troubleshooting (MnT) nodes on the instances as follows:

Table 4.           Specification of Cisco ISE Instances

| Cisco ISE Instance Type | CPU Cores | RAM (GB) | Recommended Persona | Max Endpoint Sessions: Dedicated PSN | Max Endpoint Sessions: Shared PSN | Max Endpoint Sessions: MnT |
|---|---|---|---|---|---|---|
| c5.4xlarge | 16 | 32 | Dedicated PSN | 40,000 | 10,000 | N/A |
| c5.9xlarge | 36 | 72 | Dedicated PSN | 100,000 | 25,000 | N/A |
| m5.4xlarge | 16 | 64 | Dedicated PAN or dedicated MnT node | N/A | N/A | 500,000 |

Because customers can select the Cisco ISE instance type based on their own needs, the Virtual Machine license no longer has multiple tiers; instead, there is a single one-tier license for all virtual machine use cases, the VM Common license. You can purchase the VM Common license with the PID "R-ISE-VMC-K9=" in CCW. Note that, like the VM Small/Medium/Large licenses, the VM Common license is perpetual.

In the license hierarchy, the VM Common license is in the highest position, so customers with the VM Common license on Cisco ISE 3.0 and later can run it as if they had the VM Large license. However, because the Cisco ISE 3.1 image requires the VM Common license, customers with a legacy VM license must migrate their VM licenses to the VM Common license when upgrading to Cisco ISE 3.1.

To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade PID, “L-ISE-VMC-UPG=,” in CCW. See ISE Licensing Migration Guide for the detailed process. In the migration, 1 VM Common license will be provided in return for 1 legacy VM license, regardless of its capacity.

Table 5.           Migration Ratio from Legacy VM to VM Common

| Upgrade from | Upgrade to | Ratio |
|---|---|---|
| R-ISE-VML-K9= | R-ISE-VMC-K9= | 1:1 |
| R-ISE-VMM-K9= | R-ISE-VMC-K9= | 1:1 |
| R-ISE-VMS-K9= | R-ISE-VMC-K9= | 1:1 |

Note:      If you currently use the old VM license (i.e., R-ISE-10VM-K9=) on pre-2.4 releases, you can’t directly migrate it to the VM Common license, but you should migrate it to the VM Medium license first. Refer to section 3.2.2 about how to migrate your old VM license to the VM Medium license.

3.2.2 Virtual Machine Licenses for ISE 3.0 and earlier

Customers can continue to use the legacy VM Small, Medium, and Large licenses, as well as the VM Common license, for ISE 2.4, 2.6, 2.7, and 3.0. Note that the legacy VM license needs to be converted to a Smart License for ISE 3.0.

Customers who purchased the old VM licenses will need to obtain a Product Authorization Key (PAK) for each VM license purchased when upgrading to ISE 2.4, 2.6, and 2.7. To obtain a PAK, email ise-vm-license@cisco.com. Include the sales order numbers that reflect the ISE VM purchase and your Cisco ID in your email. Cisco will, in return, provide a medium VM PAK that is reflective of the VM specifications prior to the introduction of small, medium, and large VM licenses with ISE 2.4. A Medium VM PAK can be used with Small and Medium VM installations.

If you upgrade to ISE 2.4 prior to obtaining a PAK, the deployment displays a warning, at which point you may start using the new license procured. While on ISE 2.4, this is only a warning message and does not disrupt any user’s ISE experience. If you are unable to locate the sales order number pertaining to your past purchase of ISE VM, please reach out to your Cisco sales representative or partner.

3.3 Specific License Reservation (SLR)

Cisco ISE Smart Licensing requires Cisco ISE to be connected to a Smart Software License Manager. Most commonly, Cisco ISE connects to CSSM, the cloud-based Smart Software Manager. In air-gapped networks, configure the Smart Software Manager (SSM) On-Prem Connection Method in ISE. The "Smart Software Manager (SSM) On-Prem Connection Method" is available in Cisco ISE Release 3.0 Patch 2 and later. For more information, see Licensing Methods for Air-Gapped Networks.

If your network is air-gapped and you have not configured the SSM On-Prem Connection Method, Cisco ISE is unable to report license usage and this lack of reporting results in loss of administrative access to Cisco ISE and restrictions in Cisco ISE features.

Specific License Reservation (SLR) is a smart licensing method that helps you manage your smart licensing when your organization's security requirements do not allow a persistent connection between Cisco ISE and CSSM. SLR allows you to reserve specific license entitlements on a Cisco ISE PAN. You create an SLR by defining the type and number of licenses you need to reserve, and then activate the reservation on a Cisco ISE node. The Cisco ISE node on which you register and enable the reservation then tracks license use and enforces license consumption compliance. An SLR can be enabled only on the Cisco ISE node for which it is generated.

In a distributed deployment, we recommend that you enable SLRs on your primary and secondary PANs. In the case of a primary PAN failover, if the secondary PAN that is promoted to primary PAN does not have SLR enabled, your Cisco ISE is out of compliance and Cisco ISE services are disrupted. We recommend an 80:20 ratio of license count distribution between your primary and secondary PANs. For example, if you want to reserve 100 licenses for a deployment, register 80 licenses with your primary PAN and 20 licenses with your secondary PAN.

You will not be able to use any license entitlements that are not part of your SLR. Out-of-compliance alerts are displayed in the Cisco ISE administration portal if license usage is not in compliance with the SLR. Here are some use cases.

Table 6.           SLR Examples

| Available license in your virtual account in CSSM (*1) | License you select while applying SLR in CSSM | Reserved license in ISE deployment | Remaining license in your virtual account in CSSM (*1) |
|---|---|---|---|
| Rule 1. You can reserve as many licenses as you have in your virtual account. | | | |
| 100 Essentials | 50 Essentials | 50 Essentials | 50 Essentials |
| 100 Essentials | 100 Essentials | 100 Essentials | N/A |
| 100 Essentials | 150 Essentials | 100 Essentials (*2) | N/A |
| Rule 2. You should reserve the right type of license, that is, one you are entitled to. | | | |
| 100 Essentials | 100 Advantage | N/A (*3) | 100 Essentials |
| 100 Essentials, 100 Premier | 150 Essentials, 100 Advantage | 100 Essentials (*3) | 100 Premier |
| Rule 3. You should reserve 1 ISE-PIC license (*4) per node. | | | |
| 5 ISE-PIC licenses | 1 ISE-PIC license | 1 ISE-PIC license | 4 ISE-PIC licenses |
| 5 ISE-PIC licenses | 2 ISE-PIC licenses | 1 ISE-PIC license (*5) | 3 ISE-PIC licenses (*5) |
| Rule 4. If you reserve an ISE-PIC-UPG license (*6), you should reserve 1 ISE-PIC license together with it. | | | |
| 5 ISE-PIC licenses, 3 ISE-PIC-UPG licenses | 1 ISE-PIC license, 1 ISE-PIC-UPG license | 1 ISE-PIC license, 1 ISE-PIC-UPG license | 4 ISE-PIC licenses, 2 ISE-PIC-UPG licenses |
| 5 ISE-PIC licenses, 3 ISE-PIC-UPG licenses | 1 ISE-PIC license | 1 ISE-PIC license (*7) | 4 ISE-PIC licenses, 3 ISE-PIC-UPG licenses |
| Rule 5. You should not reserve Essentials, Advantage, or Premier licenses to the ISE-PIC node, and vice versa (*8). | | | |
| 5 ISE-PIC licenses, 100 Essentials, 100 Premier | 1 ISE-PIC license (to ISE-PIC node) | 1 ISE-PIC license | 100 Essentials, 100 Premier |
| 5 ISE-PIC licenses, 100 Essentials, 100 Premier | 100 Essentials, 100 Advantage (to ISE node) | 100 Essentials (*3) | 5 ISE-PIC licenses, 100 Premier |
| 5 ISE-PIC licenses, 100 Essentials, 100 Premier | 1 ISE-PIC license, 100 Essentials (to ISE-PIC node) | 1 ISE-PIC license (*9) | 4 ISE-PIC licenses, 100 Premier (*9) |
| 5 ISE-PIC licenses, 100 Essentials, 100 Premier | 1 ISE-PIC license, 100 Premier (to ISE node) | 100 Premier (*10) | 4 ISE-PIC licenses, 100 Essentials (*10) |

(*1) Does not include licenses previously reserved and not returned.
(*2) You can reserve up to as many licenses as you are entitled to.
(*3) The Advantage license is not reserved because you are not entitled to it.
(*4) ISE-PIC is ISE with only the Passive Identity Connector (PIC) function. It allows 3000 ISE-PIC sessions in the ISE deployment.
(*5) You can reserve only 1 ISE-PIC license per node. However, the number of available licenses decreases by two.
(*6) An ISE-PIC-UPG license together with an ISE-PIC license allows 300,000 ISE-PIC sessions. Customers should reserve all 300,000 sessions.
(*7) You can reserve the ISE-PIC license only, which reserves 3000 ISE-PIC sessions in the ISE deployment.
(*8) This is the rare case of a customer that has both an ISE-PIC deployment and an ISE deployment.
(*9) Essentials licenses cannot be reserved to an ISE-PIC node. However, the 100 Essentials are removed from the available licenses in CSSM because CSSM recognizes them as reserved.
(*10) ISE-PIC licenses cannot be reserved to an ISE node. However, the 1 ISE-PIC license is removed from the available licenses in CSSM because CSSM recognizes it as reserved.

For the detailed process of enabling SLR, refer to the Cisco Identity Services Engine Administrator Guide, Release 3.1.
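The five rules above, as an added worked example (not Cisco or CSSM code), encoded as a pre-check that an administrator can run against a planned reservation before generating it in CSSM. The function name plan_slr, the node labels "ISE" and "ISE-PIC", and the dictionary layout are assumptions; the quantities and outcomes are taken from the rows of Table 6, so the check reproduces what the table shows, including the footnoted cases where a selection is trimmed, or deducted from the virtual account without being reserved.

```python
"""Pre-check an SLR reservation request against the rules of Table 6.

Added example, not Cisco or CSSM code. Function and variable names are assumed;
the numbers come from the table's own rows.
"""
from typing import Dict, List, Tuple

ISE_LICENSES = {"Essentials", "Advantage", "Premier"}
PIC_LICENSES = {"ISE-PIC", "ISE-PIC-UPG"}
Counts = Dict[str, int]


def plan_slr(available: Counts, requested: Counts, node: str) -> Tuple[Counts, Counts, List[str]]:
    """Model what CSSM would reserve and what would remain in the virtual account.

    node is "ISE" or "ISE-PIC" (the node type the reservation is generated for).
    Returns (reserved, remaining, notes); notes explain every request that was
    trimmed or dropped, so the request can be corrected before the reservation
    code is generated.
    """
    reserved: Counts = {}
    remaining: Counts = dict(available)
    notes: List[str] = []
    for lic, qty in requested.items():
        have = available.get(lic, 0)
        if have == 0:
            # Rule 2 / footnote *3: no entitlement, nothing reserved, nothing deducted
            notes.append(f"Rule 2: not entitled to {lic}; nothing reserved")
            continue
        deducted = min(qty, have)  # CSSM never hands out more than the account holds (*2)
        wrong_node = (lic in ISE_LICENSES and node == "ISE-PIC") or (lic in PIC_LICENSES and node == "ISE")
        if wrong_node:
            # Rule 5 / *9, *10: not reserved on this node type, but CSSM still deducts it
            remaining[lic] = have - deducted
            notes.append(f"Rule 5: {lic} cannot be reserved to an {node} node; {deducted} deducted anyway")
            continue
        if lic == "ISE-PIC":
            # Rule 3 / *5: one ISE-PIC license per node, even if more were selected
            reserved[lic] = 1
            remaining[lic] = have - deducted
            if deducted > 1:
                notes.append(f"Rule 3: only 1 ISE-PIC reserved, {deducted} deducted")
            continue
        if lic == "ISE-PIC-UPG":
            # Rule 4 / *6: the upgrade is only reserved together with an ISE-PIC license
            if requested.get("ISE-PIC", 0) < 1:
                notes.append("Rule 4: ISE-PIC-UPG needs 1 ISE-PIC reserved with it; skipped")
                continue
            reserved[lic] = 1
            remaining[lic] = have - 1
            continue
        # Rule 1: Essentials/Advantage/Premier, capped at the entitlement
        reserved[lic] = deducted
        remaining[lic] = have - deducted
        if qty > have:
            notes.append(f"Rule 1: {lic} trimmed from {qty} to {have}")
    remaining = {k: v for k, v in remaining.items() if v > 0}
    return reserved, remaining, notes


if __name__ == "__main__":
    # Constructed request matching the last row of Rule 5 in Table 6.
    account = {"ISE-PIC": 5, "Essentials": 100, "Premier": 100}
    wanted = {"ISE-PIC": 1, "Premier": 100}
    print(plan_slr(account, wanted, "ISE"))
```

Run it with the account and request you intend to enter in CSSM; a non-empty notes list means the reservation would not come out the way the request reads, which is worth knowing before the reservation code is generated, since an SLR is bound to the node it was generated for.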

3.4 License-feature mapping update

3.4.1 Advantage license

Several features that used to be provided with Premier licenses are now available with Advantage licenses to make our licensing structure simpler and more intuitive. Such features are:

     AI Endpoint Analytics Enforcement,

     Rapid Threat Containment (RTC), and

     User-Defined Network (UDN)

Expect a gap in Advantage license functionality between Cisco ISE 3.0 and Cisco ISE 3.1, because applying this change to Cisco ISE 3.0 is planned for the next patch.

3.5 Other licenses

3.5.1 ISE Appliances

No action is needed. ISE appliances with a valid support period can be upgraded to the latest software with no additional license action for the appliance.

3.5.2 Base, Plus, and Apex

These licenses have been migrated to the new ISE Essentials, Advantage, and Premier licenses starting in the ISE 3.0 release.

For complete behavior of these licenses upon upgrade to ISE Release 3.0, please refer to section 4.

3.5.3 Device Admin

No action is needed. Legacy Device Admin licenses are grandfathered. Upon upgrade to the ISE 3.0 release, the Device Admin license must be converted to a Smart License.

The Device Admin license entitles an entire deployment of ISE to TACACS+ feature usage. This means that all 50 ISE Policy Service Nodes (PSNs) can be enabled with TACACS+ capabilities. Upon upgrade to ISE Release 2.4, the same legacy Device Admin license continues to entitle the deployment with a total count of 50 PSNs that could be enabled with TACACS+ capabilities.

Table 7.           Device Admin License Use-Cases

| License on release | Pre-2.4 release | Release 2.4, 2.6, 2.7, and 3.0 | Release 3.1 and later |
|---|---|---|---|
| Device Admin license (New) | Is identified and consumed as uncounted (unlimited number of ISE TACACS+ appliances within the deployment) | Is identified and enables consumption of 1 ISE TACACS+ Policy Service Node (PSN) | Is identified and enables consumption of 1 ISE TACACS+ Policy Service Node (PSN) |
| Device Admin license (Legacy) | Is identified and consumed as uncounted (unlimited number of ISE TACACS+ appliances within the deployment) | Is identified and enables consumption of up to 50 ISE TACACS+ Policy Service Nodes (PSNs) | Is identified and enables consumption of up to 50 ISE TACACS+ Policy Service Nodes (PSNs) |

4. Migration from other older licenses to today

Starting with the 3.0 release, you are required to have Smart Licensing, which further requires you to have a Smart Account created and configured before you upgrade or migrate the ISE licenses. Cisco Smart Software Licensing helps you to procure, deploy, and manage licenses easily where devices self-register and report license consumption, removing the need for Product Activation Keys (PAKs). This licensing uses Cisco Smart Software Manager (CSSM) to obtain the necessary authorization.

If you purchased one of the older licenses in the past (Base, Plus, or Apex) and would like to understand how to migrate to today’s licenses, please refer to  Migration Guide.

End-of-life announcement for all these licenses can be found here.

Customers experiencing an issue with licensing and migration may open a case via Cisco Support Case Manager (SCM) (choose the "licensing" option in SCM) with the Cisco sales order number reflecting the ISE purchase.

4.1 ISE Base/Plus/Apex Licenses

These licenses are only valid for releases prior to ISE 3.0. Features included were:

| Base | Plus | Apex |
|---|---|---|
| AAA | Profiling | Posture |
| Guest | Context Sharing | Enterprise Mobility Device Management Integration |
| PassiveID | BYOD (including the My Devices Portal) | TC-NAC |
| Security Group Tags | Rapid Threat Containment | |

The Cisco ISE Base/Plus/Apex licenses offered a feature set similar to what is in Essentials/Advantage/Premier, respectively, today.

4.2 ISE VM Licenses

These VM licenses are valid in Cisco ISE 3.0 and earlier releases. When you upgrade your Cisco ISE to Release 3.1, you will need the VM Common license. Refer to the Migration Guide to convert your existing VM licenses to the VM Common license.

| Upgrade from | Upgrade to | Ratio |
|---|---|---|
| R-ISE-VML-K9= | R-ISE-VMC-K9= | 1:1 |
| R-ISE-VMM-K9= | R-ISE-VMC-K9= | 1:1 |
| R-ISE-VMS-K9= | R-ISE-VMC-K9= | 1:1 |

5. Cisco ISE ordering (SKUs) and entitlement information

5.1 Cisco ISE License Ordering

     All Cisco ISE licenses are orderable in the Cisco Commerce Workspace (CCW) and are listed on the Global Price List (GPL)

     Cisco ISE endpoint session-based licenses can be ordered in any quantity starting with 100 sessions

     Please note for Subscription licenses:

    These can be ordered with 1-, 3 (default)-, or 5-year terms

    Support contracts on all the Cisco ISE appliances (physical or virtual) in a deployment are a prerequisite to purchasing and using ISE term-based licenses

    By default, license usage starts immediately. At the time of ordering, the start date can be set up to 120 days out from the current date. CCW can calculate the dates for you, either by counting backwards from the end date by the duration of the license or forward from the start date

    The term can be between 1 and 60 months, allowing the licenses to be co-termed

    Customers can use same smart account/smart licenses on multiple ISE deployments.

5.1.1 Cisco ISE License Entitlement

Customers are entitled to utilize the quantity and duration of the license per terms and conditions agreed upon at the time of purchase.

Relevant ISE releases: 2.2 and later

Out of compliance: A license is out of compliance when

(a)  the deployment uses more than 100% (*) of the session quantity purchased; or

(b)  the licenses have expired without renewal.

(*) If you’re using the classic (PAK) licensing, a license is out of compliance when the deployment uses more than 125% sessions compared to the quantity purchased to account for a temporary burst of usage.

Compliance enforcement: The impact described below is experienced after a deployment is out of compliance for 45 out of 60 consecutive days.

Alerts are provided every day that a license is out of compliance. For term licenses, alerts are provided 90, 60 and 30 days before expiry and also on each of the last 30 consecutive days before expiry.

Impact: There will be no impact to end users. Existing configuration continues to operate without disruption.

However, visibility and management of the features associated with an out-of-compliance license will be affected.

This means the ISE deployment administrator encounters limited read-only capability over the relevant features until the out-of-compliance is fixed.

These enforcement actions are subject to change in the future and will be conveyed in relevant release material.
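The out-of-compliance and enforcement conditions above, as an added example (not Cisco code) that a licensing or monitoring team could use to model what a deployment would experience from a series of daily peak session counts. The thresholds (100% for Smart licensing, 125% for classic PAK licensing), the 45-of-60-day enforcement window and the expiry alert schedule come from this section; the class and function names and the sample usage series are constructed for the example. The same usage series is evaluated under both licensing models to show why the PAK burst allowance matters.

```python
"""Model Cisco ISE license compliance and enforcement timing.

Added example, not Cisco code. Thresholds and timings are from the ordering
guide; names and the sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

SMART_THRESHOLD = 1.00       # Smart licensing: above 100% of purchased sessions is out of compliance
PAK_THRESHOLD = 1.25         # Classic PAK licensing: temporary burst allowed up to 125%
ENFORCEMENT_DAYS = 45        # out-of-compliance days needed ...
WINDOW_DAYS = 60             # ... within this many consecutive days
EXPIRY_ALERT_DAYS = (90, 60, 30)
FINAL_ALERT_WINDOW = 30      # daily alerts for the last 30 days before expiry


@dataclass(frozen=True)
class LicenseEntitlement:
    purchased_sessions: int
    expiry: date
    pak_licensing: bool = False   # True for classic PAK, False for Smart licensing

    @property
    def threshold(self) -> int:
        """Highest session count that is still in compliance."""
        factor = PAK_THRESHOLD if self.pak_licensing else SMART_THRESHOLD
        return int(self.purchased_sessions * factor)


def is_out_of_compliance(ent: LicenseEntitlement, day: date, sessions: int) -> bool:
    """Condition (b): expired without renewal; condition (a): usage above the threshold."""
    if day > ent.expiry:
        return True
    return sessions > ent.threshold


def enforcement_triggered(ooc_days: List[bool]) -> bool:
    """True if any window of 60 consecutive days holds at least 45 out-of-compliance days."""
    for start in range(len(ooc_days)):
        window = ooc_days[start:start + WINDOW_DAYS]
        if sum(window) >= ENFORCEMENT_DAYS:
            return True
    return False


def expiry_alert_due(ent: LicenseEntitlement, day: date) -> bool:
    """Term-license expiry alerts: at 90, 60 and 30 days out, then daily in the last 30 days."""
    days_left = (ent.expiry - day).days
    return days_left in EXPIRY_ALERT_DAYS or 0 < days_left <= FINAL_ALERT_WINDOW


def daily_report(ent: LicenseEntitlement, start: date, daily_sessions: List[int]) -> dict:
    """Evaluate a series of daily peak session counts and summarise what the admin would see."""
    ooc_flags: List[bool] = []
    expiry_alerts = 0
    for offset, sessions in enumerate(daily_sessions):
        day = start + timedelta(days=offset)
        ooc_flags.append(is_out_of_compliance(ent, day, sessions))
        expiry_alerts += expiry_alert_due(ent, day)
    return {
        "ooc_days": sum(ooc_flags),          # one out-of-compliance alert is raised per such day
        "expiry_alerts": expiry_alerts,
        "enforcement": enforcement_triggered(ooc_flags),   # read-only impact for the admin
    }


# Constructed sample: 100 purchased sessions, a steady 120 concurrent sessions for 60 days.
SAMPLE_START = date(2022, 1, 1)
SAMPLE_USAGE = [120] * 60
SMART_ENT = LicenseEntitlement(100, date(2022, 12, 31), pak_licensing=False)
PAK_ENT = LicenseEntitlement(100, date(2022, 12, 31), pak_licensing=True)

if __name__ == "__main__":
    print("Smart:", daily_report(SMART_ENT, SAMPLE_START, SAMPLE_USAGE))
    print("PAK:  ", daily_report(PAK_ENT, SAMPLE_START, SAMPLE_USAGE))
```

With the same 20% overage, the Smart-licensed deployment is out of compliance on every one of the 60 days and crosses the 45-of-60 enforcement line, while the PAK-licensed deployment stays within its 125% burst allowance; feeding real daily peaks from the ISE dashboard into daily_report gives the same answer for a live deployment.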

5.1.2 Cisco ISE SKU Overview

An order for a Cisco ISE license subscription involves three SKU types:

     The subscription SKU, which is used to define the subscription term and start date

     The product SKUs, which are used to define the products and quantities that make up the subscription

     The support SKUs, which define the level of support for the subscription

Orders start with the selection of the umbrella subscription SKU, followed by configuration of the subscription by selecting the product and support SKUs that will constitute it.

| SKU Type | SKU | Description |
|---|---|---|
| Subscription | ISE-SEC-SUB | Cisco Identity Service Engine Subscription |

Product SKUs: ISE Essentials, ISE Advantage, ISE Premier

There is one SKU each for ISE Essentials, ISE Advantage, and ISE Premier. Pricing follows a tiered pricing model and is calculated dynamically based on the seat count and term of the subscription.

| SKU Type | SKU | Description |
|---|---|---|
| Billing | ISE-E-LIC | Cisco Identity Service Engine Essentials Subscription |
| Billing | ISE-A-LIC | Cisco Identity Service Engine Advantage Subscription |
| Billing | ISE-P-LIC | Cisco Identity Service Engine Premier Subscription |

Cisco ISE Support

| SKU Type | SKU | Description |
|---|---|---|
| Support | SVS-ISE-SUP-B | Cisco ISE Basic Support |
| Support | SVS-ISE-SUP-S | Cisco ISE Solution Support |
| Support | SVS-ISE-SUP-E | Cisco ISE Enhanced Support |
| Support | SVS-ISE-SUP-P | Cisco ISE Premium Support |

5.1.3 Ordering ISE licenses

Step 1.

Selecting the Subscription SKU. There is one Cisco ISE subscription SKU (ISE-SEC-SUB). There is no price for the subscription SKU. Pricing is determined when product SKUs are added and configured. A quantity of 1 should be selected because each end customer may have one, and only one, subscription. Product quantities will be entered when the product SKUs are added to the subscription.

After selecting the subscription SKU, choose “Select Options” to edit the subscription term and the requested start date.

Figure 18.           Subscription SKU selection on CCW

The subscription term will default to a 36-month term.

Figure 19.           Changing Subscription term on CCW

The requested start date may also be changed at this time.

The service is provisioned and the subscription starts on the service start date. The provisioning of the service may take up to 72 hours, assuming the order information is complete and correct.

Step 2. Selecting the Product SKU

When the subscription terms have been set, the next step is to add products to the subscription. The term for the product is defined by the subscription term. Start by selecting the appropriate product in the subscription configuration summary. The guidance below uses ISE-P-LIC as an example. Having chosen to configure the subscription for the product, you then enter the quantity based on the number of sessions.

Figure 20.           Selecting Billing SKUs on CCW

Pricing is determined dynamically according to the quantity ordered and the term, and is based on a tiered pricing model. Per-month prices are displayed for the selected SKU. However, billing is prepaid for the term of the subscription, and the term amount is shown in the subtotal. The figure below shows a sample of dynamic pricing based on 100 sessions of ISE-E-LIC and 1500 sessions of ISE-P-LIC selected for a term of 3 years.

Figure 21.           Selecting Billing SKU quantity on CCW to view dynamic pricing

Step 3. Selecting the Support SKU

After the products have been added, the next step is to define the support level desired for the subscription. There are three Cisco ISE support SKUs, corresponding to the three levels of support. To configure support for the subscription, start by selecting “Cisco ISE Support Options” in the subscription configuration summary:

Cisco Software Support Basic is included for the duration of Cisco ISE subscription licenses. Higher-value service levels (Solution Support, or Software Support Enhanced or Premium) may be purchased by selecting the appropriate level of support from the support options. Note that Solution Support is not available for ISE Plus and Apex licenses. Prices for these higher-value service levels are calculated dynamically as a percentage of the product cost and must meet annual minimum requirements, where applicable.

Figure 22.           Service SKU selection on CCW

Quoting and Ordering Help

For quoting or ordering questions, please contact cs-support@cisco.com.

5.1.4 Changing existing orders or subscriptions

Cisco Commerce Workspace (CCW) provides the capability to modify, renew, and replace subscriptions for your active orders.

For more information, refer to the Change Subscription Job Aid.

5.1.5 Cisco ISE Device Admin SKU

One ISE Device Administration license is required per Policy Service Node that operates on Device Administration transactions.

Table 8.           Cisco ISE Device Administration license

| Part Number (SKU) | Description |
|---|---|
| L-ISE-TACACS-ND= | Cisco ISE Device Admin Node License |

5.1.6 Cisco ISE IPSec SKU

One Cisco ISE IPsec license is required for every Policy Service Node used for IPsec VPN communication to the NADs. There is a maximum of 150 IPsec tunnels per Policy Service Node.

Table 9.           Cisco ISE IPsec licenses

| Part Number (SKU) | Description |
|---|---|
| L-ISE-IPSEC | Cisco Identity Services Engine IPsec License |

5.2 Evaluation Software and Licenses

5.2.1 Download

Download the Identity Services Engine Software from software.cisco.com.

Anyone may download the ISO and OVA files of ISE 2.4 or later for evaluation. A valid cisco.com login is required to download the software. An existing ISE support contract may be required to download additional patches or packages.

Once you get your software, please see Getting Started with ISE and other guides and videos in ISE Community Resource. Cisco employees and partners wanting ISE for demos and labs should visit Selling ISE: Demos.

5.2.2 Evaluations

Every new ISE installation – either an ISO or OVA – includes 90-day free evaluation licenses for up to 100 endpoints for all ISE services.

     90-day trial licenses include Premier licenses for 100 endpoints plus Device Administration.

     Trial licenses are activated on every ISE instance upon running “setup” from the CLI.

     Trial licenses may be extended by adding another 90-day evaluation license. See Additional Evaluation Licenses below.

     Alarms will not be sent for trial license expiration notification.

     After expiration, administrators are redirected upon login to a license page on Cisco.com and cannot access the dashboard or other tools.

5.2.3 Additional Evaluation Licenses

If you need to extend your evaluation licenses for more than 90 days or more than 100 endpoints, please open a case at www.cisco.com/go/scm with your UDIs, your license request, and justification.

Note: Additional licenses cannot be generated without the Unique Device Identifiers (UDIs) for your ISE Administration node(s). Failure to include the ISE primary and secondary PAN will result in delays in getting your licenses.

5.2.4 Unique Device Identifier (UDI)

Licenses are generated for your ISE installation’s Unique Device Identifier (UDI) from your ISE Primary Policy Administration Node (PAN) and optionally the Secondary PAN in the case of a failover. The UDI consists of:

     Product Identifier (PID)

     Version Identifier (VID)

     Serial Number (SN)

The easiest way to obtain the ISE UDI for the primary and secondary PAN is at the bottom of the ISE page Administration > System > Licensing:

UDI Details

| Field | Primary PAN | Secondary PAN |
|---|---|---|
| Product Identifier (PID) | ISE-VM-K9 | ISE-VM-K9 |
| Version Identifier (VID) | V01 | V01 |
| Serial Number (SN) | 4DIQC598F2D | 4mK86688339 |

Alternatively, you may use the About menu in the web interface of your ISE Policy Administration Node(s):

Identity Services Engine

And you may use the “show udi” CLI command from the console of your ISE Administration node(s):


5.3 Cisco ISE Appliance SKUs

Table 10.       Cisco ISE Hardware Appliance licenses

| Server Part Number | Product Description | Comments |
|---|---|---|
| SNS-3615-K9 | Small Secure Network Server for ISE Applications | Customer must choose software option |
| SNS-3655-K9 | Medium Secure Network Server for ISE Applications | Customer must choose software option |
| SNS-3695-K9 | Large Secure Network Server for ISE Applications | Customer must choose software option |

Table 11.       Spare components for the Cisco Secure Network Server

| Secure Network Server | Component Part Number | Component Description |
|---|---|---|
| 3515/3595 | UCS-HD600G10K12G | 600-GB 12-Gb SAS 10K RPM SFF hard disk; hot pluggable; drive sled mounted |
| 3615/3655/3695 | UCS-HD600G10K12N | 600-GB 12-Gb SAS 10K RPM SFF hard disk; hot pluggable; drive sled mounted |
| 3515/3595/3615/3655/3695 | UCSC-PSU1-770W= | 770W power supply |
| 3515/3595/3615/3655/3695 | N20-BKVM= | KVM cable |
| 3515/3595/3615/3655/3695 | UCSC-RAILB-M4= | Rail kit |

Table 12.       Cisco ISE Virtual Machine licenses

| Service Part No | Product Description and Supported ISE Release | VM Appliance Specifications |
|---|---|---|
| R-ISE-VMS-K9= | VM Small license that supports ISE 3.0 and earlier (Hybrid for 2.4 and later, Smart only for 3.0) | Min 16 GB RAM and 12 CPU cores for SNS-3515 equivalent; min 32 GB RAM and 16 CPU cores for SNS-3615 equivalent |
| R-ISE-VMM-K9= | VM Medium license that supports ISE 3.0 and earlier (Hybrid for 2.4 and later, Smart only for 3.0) | Min 64 GB RAM and 16 CPU cores for SNS-3595 equivalent; min 96 GB RAM and 24 CPU cores for SNS-3655 equivalent |
| R-ISE-VML-K9= | VM Large license that supports ISE 3.0 and earlier (Hybrid for 2.4 and later, Smart only for 3.0) | Min 256 GB RAM and 16 CPU cores for MnT in clusters supporting more than 500,000 concurrent sessions; min 256 GB RAM and 24 CPU cores for SNS-3695 equivalent |
| R-ISE-VMC-K9= | VM Common license that supports ISE 2.4 and later (Smart only) | N/A |

6. Subscription renewals, cancellations and changes

Cisco ISE subscriptions automatically renew for an additional 12-month term by default unless auto-renewal was deselected at the time of initial order. No quoting or order is required. Starting 120 days before the end of the initial term, renewal notices will be sent to the customer or partner. The customer or partner will receive an invoice at the start of the new term.

You can cancel a renewal up to 60 days before the start date of the new term. If the subscription is not canceled 60 days before the start of the new term, the subscription will auto-renew. Mid-term cancellations of subscriptions for credit are not allowed.

Manual renewal

Any subscription can be manually renewed if the customer or partner desires, with standard terms of 12, 36, or 60 months. For manual renewals, quotes are created using the same process as the Change-Subscription process outlined below. This process will create a new quote. After a quote is approved, it can be converted to an order following the standard process.

Subscription cancellations

Renewals may be canceled up to 60 days before the start date of the new term. If the subscription is not canceled 60 days prior to the start of the new term, the subscription will automatically renew. Mid-term cancellations of subscriptions for credit are not allowed.

Subscription changes (Change-Subscription)

Changes to the products, quantities, or terms of a subscription may be made at any time during the term of the subscription. To change the subscription, refer to the Cisco Commerce Change-Subscription Job Aid. Attempting to add products or seats by creating a new subscription will result in an ordering error.

7. License management

Starting with the ISE 3.0 release, ISE Licenses are Smart Licenses only. If you’re on an ISE release before ISE 3.0, the licenses can be used as either traditional Product Authorization Key (PAK) based or as Smart Licenses. Using traditional licenses, the license file (PAK) is imported into the ISE deployment. For more details on how to convert ISE licenses purchased into Smart licenses, please take a look at the Cisco Smart Software Licensing details.

Cisco offers a variety of license management tools in the License Registration Portal. A valid Cisco.com user name and a password are required to access the portal. Key features of the Cisco License Registration portal include:

  •   Simplified asset management: identifies PAKs registered to a customer and the devices with installed licenses

  •   Automated software activation: quickly processes PAK registration and license file distribution

  •   License transfers: rehosts existing licenses to new Cisco ISE Administration nodes

  •   Replacement of devices: uses the “return materials authorization” to request replacement PAKs and licenses

8. Abbreviations

A

ACI: (Cisco) Application Centric Infrastructure

ACL: Access Control List

AD: Active Directory

ANC: Access Network Controller (=RTC)

API: Application Programming Interface

APIC-DC: Application Policy Infrastructure – Data Center

B

BYOD: Bring Your Own Devices

C

CMDB: Configuration Management Database

CSSM: Cisco Smart Software Management

CCW: Cisco Commerce Workspace

CVSS: Common Vulnerability Scoring System

D

DACL: Discretionary Access Control List

DNA: (Cisco) Digital Network Architecture

DPI: Deep Packet Inspection

E

EMM: Enterprise Mobility Management

ERS: External RESTful Services

I

IDP: Identity Provider

IETF: Internet Engineering Task Force

ISE: Identity Services Engine

M

MAB: MAC Address Bypass

MAC Address: Media Access Control Address

MDM: Mobile Device Management

N

NBA: Network Behavior Analysis

NGFW: (Cisco) Next-Generation Firewall

NGIPS: Next-Generation Intrusion Prevention System

P

PAK: Product Activation Key

PSN: Policy Service Node

R

REST: Representational State Transfer

RTC: Rapid Threat Containment (=ANC)

S

SAML: Security Assertion Markup Language

SCM: Cisco Support Case Manager

SDA: Software-Defined Access

SD-AVC: Software Defined Application Visibility and Control

SG: Software Group

SGACL: Security Group Access Control List

SGT: Security Group Tag

SSID: Service Set Identifier

STIX: Structured Threat Information Expression

SWSS: (Cisco) Software Support Service

V

VLAN: Virtual Local Area Network

VRF: Virtual Routing and Forwarding
