Cisco ISE Licensing Guide

Updated:October 24, 2022



I. Ordering Cisco ISE Licenses

For users of Cisco ISE Release 2.4 and later releases

1 Overview of Cisco Identity Services Engine use cases

Cisco® Identity Services Engine (ISE) empowers you to solve a wide range of use cases. This Cisco ISE Licensing Guide is a great place to start if you are looking to understand how Cisco ISE licensing works and how to calculate the quantity and types of licenses you need for your network.

To understand the types and quantities of Cisco ISE licenses you may need, you must first understand the capabilities of Cisco ISE. Cisco ISE is a product that supports a wide range of use cases. See Cisco ISE Services to understand the features of Cisco ISE and how you can address multiple use cases of network visibility, segmentation, and security with Cisco ISE.

Figure 1. Cisco Identity Services Use-cases

1.1 Guest and Secure Wireless Access

1.1.1 Why Guest

Many organizations provide free internet access to guests visiting them for a short period, such as vendors, retail customers, and short-term contractors. Cisco ISE can create accounts for these visitors and authenticate them for audit purposes. Cisco ISE provides Guest access in three ways: Hotspot (immediate, non-credentialed access), Self-Registration, and Sponsored Guest access. Cisco ISE also provides a rich set of APIs to integrate with other systems, such as vendor management systems, to create, edit, and delete Guest accounts. Further, the portals that the end user sees can be completely customized with fonts, colors, themes, and so on to match the look and feel of the customer’s brand.

1.1.2 How Does Guest Work

Figure 2. Cisco ISE Guest Use Case

Cisco ISE creates local accounts for Guests. These accounts can be created by an employee hosting the Guest (the Sponsor) using a built-in portal or created by the Guest themselves by providing some basic info. The Guest can receive credentials via email/SMS and use that to authenticate themselves to the network and thereby get network access. The admin can define what level of access to provide to such users.

Required license: ISE Essentials

1.1.3 Why Secure Wireless Access

Most organizations secure their wireless network first; it is the most basic need for every organization. Using Cisco ISE, network administrators can restrict network access to authorized users and wireless devices, such as mobile phones, tablets, or laptops (BYOD or organization-owned) and other wireless “things”, and then enforce different security policies for them. Authentication and authorization are core functions of Cisco ISE. Every Cisco ISE session begins with the authentication of a user or a device. Authentication can be active or passive: in active authentication, Cisco ISE itself authenticates the user against an identity source, typically using 802.1X; in passive authentication (used in Easy Connect), the user authenticates directly against an identity source such as Microsoft Active Directory (AD), and Cisco ISE learns the user’s identity when AD notifies it, without any 802.1X session.

1.1.4 How Does Secure Wireless Access Work

Figure 3. Cisco ISE Secure Wireless Use Case

After successful authentication, Cisco ISE uses the user’s or device’s group information to grant the right level of access to the wireless session, whether the session is a Passive Identity session (Easy Connect), MAB (MAC Authentication Bypass), or 802.1X. Access is enforced by assigning the session a VLAN, a downloadable ACL (dACL) or named ACL, or a Security Group Tag (SGT) with its SGACL policy.

Required license: ISE Essentials (SGT or SGACL will require ISE Advantage)

1.2 Asset Visibility

1.2.1 Why Asset Visibility

Understanding the device type is often a critical element in determining the type of network access a device should be granted. For example, a building management system such as an IP camera or an elevator should be given access to a specific part of the network (such as the building management services network), while a printer should be given access to another part (such as IT services). Visibility helps the IT administrator determine the types of devices on the network and how to give them the right level of permissions. Basic asset visibility profiles endpoints by matching their network attributes to known profiles. Advanced asset visibility performs deeper analysis of the conversations that applications on these devices have with other endpoints and servers on the network, through Deep Packet Inspection (DPI). Basic asset visibility gives you visibility into most of your network, especially traditional devices (printers, mobile phones, and so on); advanced asset visibility adds visibility into more vertical-specific and IoT-type devices.

1.2.2 How Basic Visibility (Cisco ISE Profiling Visibility) Works

Figure 4. Cisco ISE Basic Visibility Use Case

Basic asset visibility in Cisco ISE is accomplished through the Profiler service, which gathers information about a device by listening to its network communication. The likely device type is determined by weighing the information from most definitive to least definitive attributes.

Based on the asset’s profile, the next step in the secure-network-asset continuum is to enforce access. Basic Asset Enforcement lets you use the profile categorization of endpoints in your network access policy, so that an endpoint is given only the network permissions appropriate for its profile: printers receive access only to print servers and to the hosts that need printing services, and mobile BYOD devices receive access only to internet services and low-risk internal systems.

Required license: ISE Advantage
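The certainty-factor weighting described above, as an added example (not Cisco's code or profile library): each profile condition contributes a certainty factor, a profile applies only when the total reaches its minimum, and the authorization step maps the winning profile family to a permission. The attribute names, profiles, certainty values, dACL names and endpoint records are constructed for illustration.

```python
"""Profile matching in the style of the Cisco ISE Profiler (added example):
each profile is a set of conditions on endpoint attributes, each condition
carries a certainty factor, and the endpoint takes the matching profile with
the highest total certainty that reaches that profile's minimum. Profiles,
certainty values and authorization rules below are constructed, not Cisco's."""
from dataclasses import dataclass
from typing import List


@dataclass
class Condition:
    attribute: str   # endpoint attribute, e.g. OUI, dhcp-class-identifier, User-Agent
    op: str          # "equals", "startswith", or "contains"
    value: str
    certainty: int   # certainty factor added when the condition matches

    def matches(self, attrs):
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        actual, expected = actual.lower(), self.value.lower()
        if self.op == "equals":
            return actual == expected
        if self.op == "startswith":
            return actual.startswith(expected)
        if self.op == "contains":
            return expected in actual
        raise ValueError(f"unknown operator {self.op}")


@dataclass
class Profile:
    name: str
    min_certainty: int          # total certainty needed before the profile applies
    conditions: List[Condition]
    parent: str = ""            # parent profile in the hierarchy ("" for a root)


# Hierarchy: child profiles demand a more definitive attribute (DHCP class identifier
# or HTTP User-Agent) on top of the OUI, so a spoofed MAC alone cannot make a "printer".
PROFILES = [
    Profile("Apple-Device", 10, [Condition("OUI", "contains", "Apple", 10)]),
    Profile("Apple-iPhone", 20, [
        Condition("OUI", "contains", "Apple", 10),
        Condition("User-Agent", "contains", "iPhone", 20),
        Condition("host-name", "contains", "iPhone", 10),
    ], parent="Apple-Device"),
    Profile("HP-Device", 10, [Condition("OUI", "contains", "Hewlett", 10)]),
    Profile("HP-Printer", 20, [
        Condition("OUI", "contains", "Hewlett", 10),
        Condition("dhcp-class-identifier", "contains", "JetDirect", 20),
    ], parent="HP-Device"),
]

# Ordered authorization rules (profile family -> permission); first match wins.
AUTHZ_RULES = [
    ("HP-Printer", "dACL:PRINTERS_ONLY"),
    ("Apple-Device", "dACL:INTERNET_AND_LOWRISK"),
]
DEFAULT_PERMISSION = "dACL:REMEDIATION_ONLY"   # anything unrecognized gets the least


def score(profile, attrs):
    return sum(c.certainty for c in profile.conditions if c.matches(attrs))


def classify(attrs, profiles=PROFILES):
    """Return (profile name, certainty) of the best-matching profile, or ("Unknown", 0)."""
    best, best_score = None, 0
    for profile in profiles:
        s = score(profile, attrs)
        if s >= profile.min_certainty and s > best_score:
            best, best_score = profile, s
    return (best.name, best_score) if best else ("Unknown", 0)


def in_family(profile_name, family, profiles=PROFILES):
    """True if profile_name is `family` or descends from it in the hierarchy."""
    by_name = {p.name: p for p in profiles}
    node = by_name.get(profile_name)
    while node is not None:
        if node.name == family:
            return True
        node = by_name.get(node.parent)
    return False


def authorize(attrs, profiles=PROFILES, rules=AUTHZ_RULES):
    """Profile the endpoint, then pick the permission its profile family earns."""
    name, _ = classify(attrs, profiles)
    for family, permission in rules:
        if in_family(name, family, profiles):
            return name, permission
    return name, DEFAULT_PERMISSION


if __name__ == "__main__":
    # Constructed endpoint attribute sets, as the Profiler would collect them.
    iphone = {"OUI": "Apple, Inc.", "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)",
              "host-name": "Alices-iPhone"}
    printer = {"OUI": "Hewlett Packard", "dhcp-class-identifier": "Hewlett-Packard JetDirect"}
    spoofed_mac = {"OUI": "Hewlett Packard", "dhcp-class-identifier": "MSFT 5.0"}
    for label, attrs in (("iphone", iphone), ("printer", printer), ("spoofed-mac", spoofed_mac)):
        print(label, authorize(attrs))
```

The spoofed-MAC endpoint shows why the hierarchy matters: an OUI alone only reaches the generic HP-Device profile, so a laptop with a cloned printer MAC does not inherit the printer's permissions unless it also presents the more definitive DHCP class identifier.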

1.2.3 How Advanced Asset Visibility (Endpoint Analytics visibility) Works

Endpoint Analytics is designed to improve endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to a variety of endpoints. This is done by analyzing endpoint attributes through Deep Packet Inspection (DPI) and other probes aggregated from different sources such as SD-AVC, Cisco ISE, and other third-party components.

It uses artificial intelligence (AI) and machine learning to intuitively group endpoints that have common attributes and helps IT admins in providing suggestions to choose the right endpoint profiling labels. Multifactor classification classifies endpoints using label categories for flexible profiling. These endpoint labels can then be used in Cisco ISE to create custom profiles that form the basis of providing the right set of access privileges to endpoints/endpoint groups via an authorization policy.

Figure 5. Cisco ISE Advanced Asset Visibility Use Case

Required license: ISE Advantage and Cisco DNA Center

1.3 Compliance (Posture)

1.3.1 Why Compliance Visibility

Attackers focus on intentional data corruption (ransomware) and data exfiltration, both of which begin by compromising endpoints on a network. The most effective and well-publicized compromises take advantage of known issues that could have been simply remediated but were overlooked. Compliance Visibility lets organizations see how user endpoints comply with corporate policy, through Posture and/or integration with Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) systems (supported MDM/EMM systems are listed in Cisco ISE Network Component Compatibility). Using either Cisco ISE’s Posture engine or an MDM, an organization can evaluate how many endpoints are compliant and ensure that noncompliant software is not installed and/or running.

1.3.2 How Does Compliance Work

Figure 6. Cisco ISE Compliance Visibility Use Case

Posture uses installed (persistent) and temporal (dissolvable) agents that look inside the endpoint to verify that operating system patches, antimalware, a firewall, and more are installed, enabled, and up to date before the device is authorized onto the network.

Good visibility into which endpoints comply with the corporate software policy is usually not enough; a customer might want to grant differentiated access to endpoints based on their compliance level. Compliance Enforcement takes the overall compliance status, derived either from Cisco ISE’s own Posture engine or from the MDM/EMM integrations, and uses it in an access policy. Combined with other attributes (for example, identity), this lowers organizational risk and shrinks the threat surface created by noncompliant, unhygienic endpoints trying to connect to the network. Such a policy can allow fully compliant endpoints full access to the resources their user requires, while restricting noncompliant endpoints to remediation systems, help desk systems, and/or low-risk services. Using either Cisco ISE’s Posture engine or an MDM, an organization can evaluate how many endpoints are compliant and ensure that noncompliant endpoints with outdated and/or unsupported software cannot access critical resources.

Required license: ISE Premier (with Cisco AnyConnect® Apex if using AnyConnect or AnyConnect Stealth)

1.4 Secure Wired Access

1.4.1 Why Secure Wired Access

Securing the wired network is essential to prevent unauthorized users from connecting their devices to the network. Using Cisco ISE, network administrators can provide secure network access by authenticating and authorizing users and devices. Authentication can be active or passive. An active authentication is done using 802.1X when Cisco ISE authenticates the user against an Identity Source. Passive authentication involves Cisco ISE learning the user’s identity via Active Directory (AD) domain logins or other indirect means. Once the user or device authenticates successfully, authorization takes place. Authorization can be achieved by assigning the endpoint’s network access session with a dynamic VLAN, a downloadable ACL, or other segmentation methods.

1.4.2 How Does Secure Wired Access Work

Figure 7. Cisco ISE Secure Wired Access Use Case

Cisco ISE authenticates users and endpoints via 802.1X, Web Authentication, MAB, and other means. Cisco ISE can query external identity sources for identity resolution and apply the appropriate network policy by instructing the network devices.

Required license: ISE Essentials

1.5 Bring Your Own Device (BYOD)

1.5.1 Why BYOD

Many organizations have a policy that allows employees to connect personal devices such as smartphones to the corporate wireless network and use them for business purposes, referred to as a bring-your-own-device (BYOD) policy. Because these devices are owned by the individuals, their owners are often unwilling to install management software that lets the organization “manage” the endpoint. For such situations, Cisco ISE provides a streamlined method to automate the entire BYOD onboarding process, from device registration and supplicant provisioning to certificate installation, on devices across OS platforms such as iOS, Android, Windows, macOS, and ChromeOS. The Cisco ISE My Devices Portal, which is completely customizable, allows end users to onboard and manage their devices.

1.5.2 How Does BYOD Work

Figure 8. Cisco ISE BYOD Use Case

Cisco ISE provides multiple elements that automate BYOD onboarding, including a built-in Certificate Authority (CA) that creates and distributes certificates to different types of devices and provides complete certificate lifecycle management. Cisco ISE also provides the My Devices Portal, an end-user-facing portal that allows end users to register their BYOD endpoints and to mark one as lost, which places it on the blocked list so that it is denied network access. BYOD onboarding can use either a single-SSID or a dual-SSID approach. In the single-SSID approach, the same SSID is used to onboard the end user’s device and to connect it afterwards; in the dual-SSID approach, an open SSID is used for onboarding and the device then connects to a different, more secure SSID. For customers that want a more complete management policy, BYOD onboarding can also direct the end user to the MDM onboarding page.

For a list of Enterprise and Mobility Management partners that integrate with Cisco ISE, see the Cisco Security Technology Alliance page and filter on Market Segment: EMM/MDM.

Required license: ISE Advantage

1.6 Rapid Threat Containment (RTC)

1.6.1 Why Threat Containment

Cisco RTC makes it easy to get fast answers about threats on your network and to stop them even faster. It uses an open integration of Cisco security products, technologies from Cisco partners, and the extensive network control of Cisco ISE.

With integrated network access control technology, you can manually or automatically change your users’ access privileges when there’s suspicious activity, a threat, or vulnerabilities discovered. Devices that are suspected of being infected can be denied access to critical data while their users can keep working on less-critical applications.

1.6.2 How Does Rapid Threat Containment Work

Figure 9. Cisco ISE RTC Use Case

Upon detecting a threat on an endpoint, a pxGrid ecosystem partner can instruct Cisco ISE to contain the infected endpoint, either manually or automatically. Containment can involve moving the device to a sandbox for observation, moving it to a remediation domain for repair, or removing it from the network completely. Cisco ISE can also receive standardized Common Vulnerability Scoring System (CVSS) scores and Structured Threat Information Expression (STIX) threat classifications, so that a user’s access privileges can be changed gracefully, manually or automatically, based on the endpoint’s security score.

Cisco ISE integrates with more than 75 ecosystem partners over pxGrid to implement several use cases. Technical details about Cisco ISE integrations can be found in the Cisco ISE Security Ecosystem Integration Guides.

Required license: ISE Advantage

1.7 Segmentation

1.7.1 Why Segmentation

Network segmentation is a proven way to protect critical business assets, but traditional approaches are complex. Cisco Group-Based Policy/TrustSec software-defined segmentation is simpler to enable than VLAN-based segmentation: policy is defined through security groups rather than addresses. It is an open concept in the IETF, available within OpenDaylight, and supported on third-party and Cisco platforms. Cisco ISE is the segmentation controller, which simplifies the management of switch, router, wireless, and firewall rules. Group-Based Policy/TrustSec segmentation provides better security at lower cost than traditional segmentation; Forrester Consulting found in an analysis of customers that operational costs are reduced by 80% and policy changes are 98% faster.

1.7.2 How Does Segmentation Work

Figure 10. Cisco ISE Segmentation Use Case

As the illustration above shows, users and devices are assigned to security groups, and their group membership is carried throughout the network so that any enforcement device along the path can evaluate policy based on which group-to-group communication is approved.
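How an enforcement point along the path applies group-based policy, as an added example rather than code from this guide or from Cisco: source and destination groups are resolved to SGTs (from the inline tag or from IP-to-SGT bindings), the (source, destination) cell selects an SGACL, and its entries are evaluated in order with an implicit deny. The tag numbers, bindings, SGACL contents and matrix cells are constructed.

```python
"""Group-based (TrustSec/SGACL) enforcement as an enforcement point along the
path would perform it (added example, constructed tags and policy): derive the
source and destination Security Group Tags, look up the (source, destination)
cell in the policy matrix, and evaluate that cell's SGACL entries in order.
The policy never mentions an IP address or VLAN, only the groups."""
import ipaddress

# IP-to-SGT bindings the device might hold (learned via SXP or local mappings; constructed).
IP_SGT_BINDINGS = {
    "10.1.10.0/24": 10,    # Employees
    "10.1.20.0/24": 20,    # Printers
    "10.1.30.0/24": 30,    # Building_Mgmt (cameras, elevators)
    "10.2.0.0/16": 100,    # Data_Center
}
UNKNOWN_SGT = 0

# SGACLs: ordered entries "permit|deny <ip|tcp|udp> [dst eq <port>]"; implicit deny at the end.
SGACLS = {
    "Allow_Web":   ["permit tcp dst eq 443", "permit tcp dst eq 80", "deny ip"],
    "Allow_Print": ["permit tcp dst eq 9100", "permit tcp dst eq 631", "deny ip"],
    "Permit_IP":   ["permit ip"],
    "Deny_IP":     ["deny ip"],
}

# Policy matrix: (source SGT, destination SGT) -> SGACL name. Unlisted cells use the default.
MATRIX = {
    (10, 100): "Allow_Web",     # Employees -> Data_Center: web only
    (10, 20):  "Allow_Print",   # Employees -> Printers: print protocols only
    (30, 30):  "Permit_IP",     # Building_Mgmt may talk among itself
    (20, 10):  "Deny_IP",       # Printers never initiate to Employees
}
DEFAULT_SGACL = "Deny_IP"


def lookup_sgt(ip):
    """Longest-prefix match of ip against the bindings; unmapped addresses get SGT 0."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in IP_SGT_BINDINGS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else UNKNOWN_SGT


def ace_matches(ace, proto, dst_port):
    """One SGACL entry: protocol must match ("ip" matches all), port only if the entry names one."""
    tokens = ace.split()
    ace_proto = tokens[1]
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if len(tokens) == 5 and tokens[2:4] == ["dst", "eq"]:
        return int(tokens[4]) == dst_port
    return True


def evaluate(src_sgt, dst_sgt, proto, dst_port=None):
    """Return (SGACL name, 'permit' or 'deny') for a flow between two groups."""
    name = MATRIX.get((src_sgt, dst_sgt), DEFAULT_SGACL)
    for ace in SGACLS[name]:
        if ace_matches(ace, proto, dst_port):
            return name, ace.split()[0]
    return name, "deny"          # implicit deny: nothing in the SGACL matched


def enforce(src_ip, dst_ip, proto, dst_port=None, inline_sgt=None):
    """The source tag comes from the frame (inline tagging) when present, else from the
    bindings; the destination tag is always resolved from the bindings on the enforcing device."""
    src_sgt = inline_sgt if inline_sgt is not None else lookup_sgt(src_ip)
    return evaluate(src_sgt, lookup_sgt(dst_ip), proto, dst_port)


if __name__ == "__main__":
    print(enforce("10.1.10.5", "10.2.1.7", "tcp", 443))       # Employees -> DC https: permit
    print(enforce("10.1.10.5", "10.2.1.7", "tcp", 22))        # ssh is not in Allow_Web: deny
    print(enforce("10.1.20.9", "10.1.10.5", "tcp", 445))      # Printer -> Employee: deny
    print(enforce("10.1.20.9", "10.2.1.7", "tcp", 443, inline_sgt=10))  # the tag, not the subnet, decides
```

The last call in the usage block is the decoupling the text describes: the source address sits in the printer subnet, but because the frame carries the Employees tag the Employees-to-Data_Center cell applies, not a printer cell. The same property is why the trust boundary for SGT assignment matters: whoever can set the tag at ingress sets the policy.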

1.7.3 Software-Defined Access

Segmentation is a key element of Software-Defined Access (SDA). Together Cisco Digital Network Architecture (DNA) Controller and Cisco ISE automate network segmentation and group-based policy. Identity-based Policy and Segmentation decouples security policy definition from VLAN and IP addresses. The Software-Defined (SD) Access Design and Deployment Guides detail the configuration and deployment of Group-Based Policy.

Figure 11. Cisco ISE SDA Integration Use Case

To extend segmentation across the enterprise network, Cisco ISE interfaces with the Cisco Application Centric Infrastructure (ACI) controller, also called the Application Policy Infrastructure Controller – Data Center (APIC-DC), to learn EPG names and to share security group (SG) names with their corresponding EPG values, SGT values, and Virtual Routing and Forwarding (VRF) name. This allows Cisco ISE to create and populate SG-EPG translation tables, which the border device obtains to translate between TrustSec and ACI identifiers as traffic passes across the domains. The TrustSec – ACI Policy Plane Integration Guide gives an overview of ACI and the configuration of the policy plane integration.

TrustSec technology is supported in over 50 Cisco product families and works with open-source and third-party products. Cisco ISE acts as the policy controller for routers, switches, wireless, and security products. Details about product TrustSec capabilities are provided in the Platform Capability Matrix. The Quick Start Config Guide illustrates a typical TrustSec network deployment with step-by-step configuration of a sample environment. For more options, please refer to the Design Guides.

Required license: ISE Advantage

Note:     Licenses that enable Segmentation via SDA: Advantage or Premier on Cisco ISE, and Cisco DNA Premier/Cisco DNA Advantage. Please find more information in the SDA Ordering Guide.

1.8 Security Ecosystem Integrations

1.8.1 Why Security Ecosystem Integrations

Cisco ISE builds contextual data about endpoints in terms of its device type, location, time of access, posture, user(s) associated to that asset, and much more. Endpoints can be tagged with Scalable Group Tags (SGTs) based on these attributes. This rich contextual insight can be used to enforce effective network access control policies and can also be shared with ecosystem partners to enrich their services. For example, in the Cisco Next-Generation Firewall (NGFW), policies can be written based on the identity context, such as device type, location, user groups, and others, received from Cisco ISE. Inversely, specific context from third-party systems can be fed into the Cisco ISE to enrich its sensing and profiling capabilities, and for Threat Containment. The context exchange between the platforms can be done via Cisco pxGrid (including pxGrid Cloud and pxGrid Direct) or REST APIs.

External RESTful Services (ERS) on Cisco ISE serves both the purpose of context sharing (in and out) and management of Cisco ISE for a specific set of use cases over REST APIs.

1.8.2 How Does Security Ecosystem Integrations Work

Figure 12. Cisco ISE Security Integration

Cisco ISE integrates with more than 75 ecosystem partners over pxGrid. Technical details about these integrations can be found in the ISE Security Ecosystem Integration Guides.

A complete list of ecosystem partners can be found in Cisco Secure Technical Alliance Partners.

Required license: ISE Advantage

1.9 Device Administration (TACACS+)

1.9.1 Why Device Administration

Network and security administrators typically own the task of administering and monitoring network and security devices in an enterprise. When there are a limited number of devices, keeping track of admin users, privileges, or changes in configuration can be easy. However, as the network grows to tens, hundreds, or even thousands of devices, it becomes exceedingly complex to manage devices without automation and a smooth workflow. Cisco ISE provides the capability to automate device administration tasks with clean workflows and monitoring capabilities with TACACS+ within a controlled space in the UI.

1.9.2 How Does Device Administration Work

Figure 13. Cisco ISE Device Administration Use Case

When a network administrator connects to a network device, the device forwards the login to Cisco ISE, which prompts for the administrator’s credentials through the device and verifies them against an identity source.

Next, the network device asks Cisco ISE to authorize the administrator’s session (for example, the privilege level). Once at the shell prompt, the administrator can start executing commands; Cisco ISE can also be configured to authorize each command individually.
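The device-administration exchange above, as an added example (not Cisco's or ISE's code): the device side builds a shell-command authorization REQUEST and obfuscates it with the shared key as RFC 8907 specifies; the server side unpacks it, decides against a per-user command set, and packs a REPLY whose status byte the device acts on. The shared key, user names, command sets, port and address values are constructed, and the command sets approximate (but are not) ISE's command-set semantics.

```python
"""TACACS+ (RFC 8907) device-administration exchange (added example with a
constructed key, users and command sets): the network device sends an
authorization REQUEST for a shell command, the server deobfuscates it with the
shared key, decides against the user's command set, and replies with a status."""
import fnmatch
import hashlib
import struct

VERSION = 0xC0                 # major version 0xC, minor 0 (default)
TYPE_AUTHOR = 0x02             # packet type: authorization
FLAG_UNENCRYPTED = 0x01        # body sent in clear; never set this on a real network
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of RFC 8907 section 4.5: MD5 blocks chained on the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pack_packet(ptype, seq_no, session_id, body, key):
    header = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)

def unpack_packet(data, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(data[:HEADER.size])
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body

def author_request(user, port, rem_addr, args, priv_lvl=15):
    """Authorization REQUEST body (RFC 8907 6.1): authen_method=TACACSPLUS (0x06),
    authen_type=ASCII (0x01), authen_service=LOGIN (0x01), lengths, then the strings."""
    raw = [a.encode() for a in args]
    fixed = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01, len(user), len(port), len(rem_addr), len(raw))
    return fixed + bytes(len(a) for a in raw) + user.encode() + port.encode() + rem_addr.encode() + b"".join(raw)

def parse_author_request(body):
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    lengths, off, fields = list(body[8:8 + argc]), 8 + argc, []
    for n in (ulen, plen, rlen, *lengths):
        fields.append(body[off:off + n].decode())
        off += n
    user, port, rem_addr, *args = fields
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl, "args": args}

def parse_args(args):
    """Attribute-value pairs: '=' marks a mandatory AV pair, '*' an optional one."""
    parsed = {}
    for a in args:
        sep = min(i for i in (a.find("="), a.find("*")) if i >= 0)
        parsed.setdefault(a[:sep], []).append(a[sep + 1:])
    return parsed

# Constructed command sets: (permit|deny, command glob, argument glob), first match wins;
# a command matching nothing is denied, like an ISE command set without "permit any command".
COMMAND_SETS = {
    "ShowOnly": [("permit", "show", "*"), ("permit", "exit", "*")],
    "NetAdmin": [("deny", "configure", "*"), ("permit", "*", "*")],
}
USER_COMMAND_SET = {"helpdesk": "ShowOnly", "netops": "NetAdmin"}

def decide(request):
    """Server-side policy: shell login is granted; every command is checked against the set."""
    av = parse_args(request["args"])
    if av.get("service") != ["shell"]:
        return STATUS_FAIL
    cmd = av.get("cmd", [""])[0]
    if cmd == "":                               # exec authorization at login
        return STATUS_PASS_ADD
    cmd_args = " ".join(a for a in av.get("cmd-arg", []) if a != "<cr>")
    for grant, cmd_pat, arg_pat in COMMAND_SETS.get(USER_COMMAND_SET.get(request["user"], ""), []):
        if fnmatch.fnmatchcase(cmd, cmd_pat) and fnmatch.fnmatchcase(cmd_args, arg_pat):
            return STATUS_PASS_ADD if grant == "permit" else STATUS_FAIL
    return STATUS_FAIL

def author_reply(status, server_msg=""):
    """Authorization REPLY body (RFC 8907 6.2): status, arg_cnt, server_msg_len, data_len, msg."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg

def exchange(user, command, key, session_id=0x1234ABCD):
    """Device builds the REQUEST; server unpacks, decides, replies; device reads the status."""
    cmd, *cmd_args = command.split()
    args = ["service=shell", f"cmd={cmd}"] + [f"cmd-arg={a}" for a in cmd_args] + ["cmd-arg=<cr>"]
    wire = pack_packet(TYPE_AUTHOR, 1, session_id, author_request(user, "tty1", "10.0.0.9", args), key)
    _, seq_no, sid, body = unpack_packet(wire, key)           # server side
    reply = pack_packet(TYPE_AUTHOR, seq_no + 1, sid, author_reply(decide(parse_author_request(body))), key)
    return unpack_packet(reply, key)[3][0]                    # device side: REPLY status byte
```

A wrong shared key on either side turns the body into noise, which is also a reminder that the obfuscation is not encryption in the modern sense: it is a keyed MD5 keystream with no integrity check, so TACACS+ traffic still belongs on a dedicated management network, as RFC 8907's security considerations say.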

1.9.3 How to License Device Administration

    License that enables Device Administration: Device Admin License

    License consumption: Device Administration licenses are consumed per Policy Service Node (PSN). You must have a Device Administration license for each policy service node on which you enable the TACACS+ service. Device Administration using TACACS+ does not consume endpoint licenses, and there is no limit on the number of network devices. Administrators authenticated through TACACS+ do not require an Essentials license.

2. What You Need for Your Cisco ISE Deployment

Cisco ISE deployment consists of three primary components: Cisco ISE licenses, appliances, and services.

Figure 14. Cisco ISE Deployment

2.1 Appliances

Cisco ISE may be deployed on any combination of physical and virtual appliances, as well as IaaS instances in AWS, Azure, and Oracle Cloud. For more details on Cisco ISE appliances, refer to the Cisco Secure Network Server Data Sheet. For more details on virtual machine licensing, refer to Virtual Machine licenses. For detailed information about Cisco ISE on cloud platforms, please refer to Deploy Cisco ISE Natively on Cloud Platforms.

For detailed information about performance and scalability, please refer to the Performance and Scalability Guide.

2.2 Cisco ISE Licensing

Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent active endpoints that can use Cisco ISE network resources at any time. Licensing in Cisco ISE is supplied as feature-based packages wherein different features are supported by each license type.

Cisco ISE licenses follow a nested-doll model, which means that a higher-tier license includes all the lower-tier features. For example, the ISE Premier license includes all the features that are mapped to the ISE Advantage and ISE Essentials licenses. Similarly, the ISE Advantage license includes all the features that are mapped to the ISE Essentials license.

With the new model, you can directly purchase Premier or Advantage licenses without the need for an Essentials license.

Note:     2.x licenses are now End-of-Life (EOL) and no longer for sale effective March 9, 2022.

Figure 15. Cisco ISE Licenses Nested-doll model

Cisco ISE is a subscription-based solution. Cisco ISE licenses are available for term lengths of 1, 3, and 5 years. Three years is the default choice in Cisco Commerce (CCW), and you can choose the term length you need when configuring your order. At the end of the purchased term, you can:

    Renew your Cisco ISE licenses for the same term or a different term.

    Cancel your Cisco ISE license subscription. For more information on cancellation, please refer to Subscription Cancellations.

    Purchase a new license, for example to co-terminate it with your other licenses.

Cisco ISE licenses are available in the following formats:

1.     Smart Licensing through Cisco Smart Software Manager (CSSM). The Cisco Smart Software Manager is an intuitive portal where you can activate and manage all your Cisco licenses.

Smart Licensing is a new, flexible software licensing model that simplifies the way you can activate and manage licenses across your organization. Instead of using Product Activation Keys (PAKs), Smart Licenses establish a pool of software licenses in a customer-defined Smart Account that can be used across an enterprise. Smart Accounts are mandatory for any subscription. They help identify and connect the right customer accounts into which the license subscriptions purchased by a customer must be deposited. The combination of Smart Licensing and Smart Accounts delivers visibility into your license ownership and consumption (through a cloud portal) to help you reduce operational costs.

With Smart Licensing, you can easily register, monitor, and manage your Cisco Smart Licenses through the Cisco Smart Software Manager (CSSM). If you would like to edit your existing subscriptions during the subscription term to change the license types ordered or quantities, or both, you may refer to the Cisco Change Subscription Job Aid.

You can add to the subscription at any time during the subscription term by placing a change-subscription order. Quantities added through a change-subscription order co-terminate with the existing subscription. Quantities can be reduced at subscription renewal, but not mid-term.

2.     Traditional Licensing—PAK Files

Cisco ISE Releases 2.x support a hybrid licensing model that allows PAK files and smart licensing.

PAK files are not supported in Cisco ISE Release 3.0 and later releases. You must convert your PAK licensing files to smart licenses to be able to use Cisco ISE Release 3.0 and later releases.

2.3 Services

2.3.1 Technical Services

Support for Appliances and Perpetual Licenses

Customers can purchase Cisco Smart Net Total Care® for Cisco ISE physical appliances and Software Support (SWSS) contracts for Cisco ISE virtual machines or the ISE-PIC virtual machine, along with the option to upgrade support to Solution Support. The support for Cisco ISE physical or virtual appliances also covers Base (for customers on 2.x) and Device Admin deployments.

Cisco Software Support Basic (SWSS) is included for the duration of all Cisco ISE subscription licenses; however, Smart Net Total Care or another level of service must be purchased on the physical or virtual appliance to activate that SWSS.

Support for Subscription Licenses

Higher-value service levels, Solution Support and Software Support Enhanced and Premium, are available for all Cisco ISE subscription licenses. Note that Solution Support is not available for ISE Plus and Apex licenses.

Software Support Enhanced and Premium services provide everything included in Software Support Basic with a richer feature set such as prioritized case handling, direct access to highly skilled engineers with solution-level expertise, and onboarding and technical adoption assistance. For additional information on Software Support for Cisco ISE, please see the Cisco Software Support for Security Data Sheet. Please note that Software Support Enhanced is the recommended support level for ISE subscription licenses.

To order extended software support for ISE 3.0 and later, support options are available in the product configuration. Start by configuring the product in Cisco Commerce Workspace (CCW) and then editing the “ISE Support” section.

Figure 16. Software Support selection for ISE 3.0 and later on CCW

For ISE subscription licenses prior to ISE 3.0, Software Support can be ordered in CCW using this PID: CISE-SW-SUPP. For the desired ISE license, select either Software Support Enhanced or Premium based on the number of concurrent sessions. See below:

Figure 17. Software Support selection for subscription licenses prior to ISE 3.0 on CCW

2.3.2 Advisory Services

Cisco offers Advisory Services to address your business objectives with the technology we offer. For example, the Cisco Security Segmentation Service provides a strategic infrastructure segmentation approach to ensure the success of your Segmentation initiative.

2.3.3 How Does Service Work with Product

Software Support Basic is included for the duration of term licenses. Customer may choose to purchase a more advanced support.

When customers upgrade their legacy VM license to a VM Common license, they continue to receive support under the support contract purchased with the legacy VM license PID. That support can be renewed until the legacy VM license PID is EOL and reaches its last date of service renewal per the End-of-Life notices. Support contracts are not migrated; for seamless support in such cases, customers should open a case with Cisco Customer Service and request that the End-of-Life product PID be replaced with the desired product PID so that support can be renewed.

If customers want to migrate their ISE licenses from 2.x to 3.x, that process is handled via a case in SCM Tool with the Cisco Global Licensing Team in which support is also addressed and migrated. However, customers can continue to receive support based on the support contract they initially purchased.

2.3.4 Cisco Talos Incident Response

The Cisco Talos Incident Response (CTIR) retainer provides a full suite of proactive and emergency services to help you prepare, respond, and recover from a cybersecurity breach. CTIR enables 24-hour emergency response capabilities and direct access to Cisco Talos®, the world's largest threat intelligence and research group.

CTIR can be ordered and transacted together with Cisco ISE subscriptions, giving you another option to strengthen your security posture and stay protected in case of a security breach. CTIR is auto-attached and right-sized based on the size of the product order; the auto-attached CTIR SKU is not mandatory and can be removed. If no SKU is auto-attached, you can select one manually from the available CTIR options.

CTIR options available in Cisco ISE configuration:

Table 1.             CTIR SKUs

CTIR SKU         Description
SVS-CTIR-ISE-S   Cisco Talos Incident Response Retainer-Small, Attach with ISE
SVS-CTIR-ISE-M   Cisco Talos Incident Response Retainer-Medium, Attach with ISE
SVS-CTIR-ISE-L   Cisco Talos Incident Response Retainer-Large, Attach with ISE

For more information about CTIR, see the Cisco Talos Incident Response page.

Note:     If you have any further questions on Services, reach out to your account manager.

3. Cisco ISE Licenses

3.1 Changes in License – Feature Mapping in Tier Licenses

The following diagram shows the mapping of features between the 2.x and 3.x licenses.

Figure 18. Licensing model features

**For more information on pxGrid Cloud, please refer to the Cisco pxGrid Cloud Solution Guide.

In ISE 3.0 FCS through patch 3, the following features were part of Premier. In ISE 3.0 patch 4 and later, they are mapped to Advantage:

    AI Endpoint Analytics enforcement

    Rapid Threat Containment (RTC)

    User-Defined Network (UDN)

3.2 Cisco ISE License Types

Evaluation License

Cisco ISE, upon installation, grants a 90-day Evaluation license that supports 100 endpoints and enables all Cisco ISE features. You can set up a limited deployment in Evaluation mode and explore all the capabilities and features within Cisco ISE.

A valid Cisco.com login is required to download the software. An existing Cisco ISE support contract may be required to download additional patches or packages.

For more information on your ISE release, please refer to Cisco ISE Admin Guide 3.1.

When Evaluation licenses expire at the 90-day mark, administrators can view only the Licensing window in the Cisco ISE administrator portal. No alarms are sent to notify administrators of the Evaluation license expiration.

You may request an extension to your Evaluation licenses by adding another 90-day Evaluation license. You can also ask for your Evaluation license to support more than 100 endpoints. To increase endpoint support or to extend the Evaluation license duration, open a case via SCM Tool with your Unique Device Identifiers (UDIs), your license request, and a justification message.

Note that the UDI information for your Cisco ISE primary and secondary Policy Administration Nodes is essential to modify your Evaluation license.

A UDI consists of:

    Product Identifier (PID)

    Version Identifier (VID)

    Serial Number (SN)

To view your Cisco ISE UDI, log in to your Cisco ISE administrator portal. From the main menu, choose Administration > System > Licensing. The UDI Details area contains the required information.

Alternatively, you can also see the UDI under the About Identity Services Engine option in the Cisco ISE administrator portal.

To view the UDI details through the Cisco ISE CLI, use the show udi command:

    Positron-vm-3/admin#show udi
    SPID: ISE-VM-K9
    VPID: V01
    Serial: TNEG8ID3JQ5

3.3 Cisco ISE License Entitlement

When you purchase a license, you agree upon a quantity and duration for which you are purchasing a license. License Entitlement refers to the monitoring and enforcement of license usage according to these terms.

A license is out of compliance when:

    The deployment uses more sessions than the quantity purchased (more than 100 percent).

    The licenses have expired without renewal.

In the case of PAK licensing, a license is out of compliance only when the deployment uses more than 125 percent of the purchased quantity; the extra margin accounts for a temporary burst of usage.

When a license is out of compliance or is nearing renewal:

    Alerts are displayed in your Cisco ISE GUI every day that a license is out of compliance.

    For term licenses that are nearing expiry, alerts are displayed at the 90-, 60-, and 30-day marks before expiry, and every day for the last 30 consecutive days before expiry.

During the time that the alerts are displayed, there is no impact to Cisco ISE usage. Existing configurations continue to operate without disruption.

If your Cisco ISE deployment is out of compliance for 30 days in a 60-day period, you will lose all administrative control of Cisco ISE until you purchase and activate the required licenses. Also, visibility and management of the features associated with an out-of-compliance license are affected. A Cisco ISE administrator has a limited read-only capability over the relevant features until the causes of noncompliance are fixed. Authentications and features will continue to work as configured prior to license expiry.

If you lose administrative access because of overconsumption and then reduce license consumption, the system recovers at the next synchronization with the Smart License Portal. Note that overconsumption for any amount of time during a day (a 24-hour period) counts as a full day out of compliance.
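The entitlement rules in this section (100 percent limit versus the 125 percent PAK burst, any part of a day counting as a full day, lockout after 30 out-of-compliance days within a 60-day period, and the 90/60/30-day expiry alerts) can be simulated against a deployment's daily peak session counts. The following is an added example, not Cisco code or part of this guide; the function names and the sample data are constructed assumptions.

```python
from datetime import date
from typing import List, Sequence

# Thresholds taken from the rules stated in section 3.3 of the guide.
LOCKOUT_WINDOW_DAYS = 60      # lockout is judged over any 60-day period ...
LOCKOUT_THRESHOLD_DAYS = 30   # ... in which 30 days were out of compliance
ALERT_MILESTONES = (90, 60)   # single alerts at the 90- and 60-day marks
DAILY_ALERT_WINDOW = 30       # then an alert every day in the last 30 days


def allowed_sessions(purchased: int, pak: bool = False) -> int:
    """Highest concurrent session count that is still in compliance.

    Smart licensing allows 100 percent of the purchased quantity; PAK
    licensing tolerates a temporary burst of up to 125 percent of it.
    """
    return purchased * 125 // 100 if pak else purchased


def out_of_compliance_days(daily_peaks: Sequence[int], purchased: int,
                           pak: bool = False) -> List[bool]:
    """One flag per calendar day: True if that day's peak exceeded the limit.

    The guide counts overconsumption for any part of a 24-hour period as a
    full day, so the daily peak (not the daily average) is what matters.
    """
    limit = allowed_sessions(purchased, pak)
    return [peak > limit for peak in daily_peaks]


def admin_lockout_triggered(ooc_flags: Sequence[bool]) -> bool:
    """True once any 60-day window holds 30 or more out-of-compliance days."""
    flags = [int(f) for f in ooc_flags]
    for start in range(len(flags)):
        window = flags[start:start + LOCKOUT_WINDOW_DAYS]
        if sum(window) >= LOCKOUT_THRESHOLD_DAYS:
            return True
    return False


def expiry_alert_due(expiry_iso: str, today_iso: str) -> str:
    """Classify the alert state of a term license on a given day.

    Returns "milestone" at exactly 90 or 60 days before expiry, "daily" on
    each of the last 30 days before expiry, "expired" once the term has
    passed (an expired license is out of compliance and alerts every day),
    or "none" otherwise. Dates are ISO strings (YYYY-MM-DD).
    """
    days_left = (date.fromisoformat(expiry_iso)
                 - date.fromisoformat(today_iso)).days
    if days_left < 0:
        return "expired"
    if days_left in ALERT_MILESTONES:
        return "milestone"
    if days_left <= DAILY_ALERT_WINDOW:
        return "daily"
    return "none"


if __name__ == "__main__":
    # Constructed sample: 1000 sessions purchased, 30 days peaking at 1050,
    # then 15 days at 900. Smart licensing locks the admin out; PAK does not.
    peaks = [1050] * 30 + [900] * 15
    smart = out_of_compliance_days(peaks, 1000)
    pak = out_of_compliance_days(peaks, 1000, pak=True)
    print("smart: OOC days =", sum(smart), "lockout =", admin_lockout_triggered(smart))
    print("PAK:   OOC days =", sum(pak), "lockout =", admin_lockout_triggered(pak))
    print("alert on 2023-08-02 for a 2023-10-31 expiry:",
          expiry_alert_due("2023-10-31", "2023-08-02"))
```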

3.4 License Consumption

ISE consumes a license when a RADIUS session matches an authorization policy that uses the dictionary attributes specific to that license tier. For example, an Advantage license is consumed for every RADIUS session that matches an authorization policy using the Advantage-tier dictionary attributes.

The following table shows ISE licensing consumption.

Table 2.             ISE licensing consumption

| Feature | License tier | Dictionary/attribute (*1) | Trigger of license consumption | When license is released |
|---|---|---|---|---|
| AAA and 802.1X | Essentials | | An endpoint establishes a RADIUS session | RADIUS session ends |
| Guest | Essentials | | An endpoint with a RADIUS session uses any Guest authorization | RADIUS session ends |
| Easy Connect (PassiveID) | Essentials | | An endpoint with a RADIUS session uses any Easy Connect functionality | RADIUS session ends |
| Profiling | Advantage | EndPoints.EndPointPolicy, EndPoints.LogicalProfile | An endpoint with a RADIUS session uses profiling classification in an authorization policy | RADIUS session ends |
| BYOD (+CA, MDP) | Advantage | EndPoints.BYODRegistration | An endpoint with a RADIUS session uses its registration status in an authorization policy | RADIUS session ends |
| pxGrid and pxGrid Cloud (Out) (*2) | Advantage | | An endpoint with a RADIUS session connects to the pxCloud | RADIUS session ends |
| Group Based Policy (TrustSec) | Advantage | | An endpoint with a RADIUS session uses any TrustSec functionality | RADIUS session ends |
| Endpoint Analytics Visibility/Enforcement | Advantage/Premier | CMDB_MODELCATEGORY, CMDB_SERIAL_NUMBER, CONCURRENT_MAC_ADDRESS, EA_DEVICE_TYPE, EA_HIERARCHY, EA_MANUFACTURER, EA_HW_MODEL, CHANGE_IN_MFC_RESULT, NAT_DETECTION_RESULT, EA_OS | When these conditions are used in an authorization policy, the feature counts as Enforcement; otherwise it counts as Visibility only | |
| AnyConnect with Agent | Premier | Session.PostureStatus | An endpoint with a RADIUS session receives an authorization based on a posture status other than “Not applicable” | RADIUS session ends |
| MDM | Premier | MDM.DeviceIsRegistered, MDM.DeviceCompliantStatus | An endpoint uses an MDM attribute in an authorization policy | RADIUS session ends |
| TC-NAC | Premier | | An endpoint uses or triggers threat-based information or action as part of the authorization policy | RADIUS session ends |
| RTC (ANC) | Premier | Session:ANCPolicy | An endpoint with a RADIUS session uses an ANC policy in an authorization policy | RADIUS session ends |
| User Defined Network | Premier | UDN:Private-group-id, UDN:Private-group-name, UDN:Private-group-owner | An endpoint with a RADIUS session uses a UDN attribute in an authorization policy | RADIUS session ends |

3.5 Cisco ISE Device Admin Licenses

The Device Admin license (PID: L-ISE-TACACS-ND=) enables TACACS services on a Policy Service Node (PSN).

Cisco ISE Release 2.4 and earlier releases also support a classic Device Admin license, which is no longer available for purchase. The classic Device Admin license was a cluster license that allowed TACACS services on all the PSNs in a deployment. Cisco ISE Release 2.6 and later require the per-node license.

Classic DA licenses are grandfathered. If you are migrating from a 2.x release to a 3.x release, the DA license must be migrated to your Smart Account.

The Legacy Device Admin license entitled an entire deployment of ISE to TACACS+ feature usage. This meant that up to all 50 ISE Policy Service Nodes (PSNs) could be enabled with TACACS+ capabilities. This license works up to and including ISE 2.4.

At the time of the release of 2.4, a new Device Admin license was introduced, which enables TACACS+ feature usage on a per-node basis. This new license is required from ISE 2.6 and later.

Customers with the Legacy Device Admin license upgrading to 2.4 or later are entitled to upgrade and receive the number of new Device Admin licenses equivalent to the number of PSNs in their deployment.

Table 3.             Device admin license use cases

| Device Admin license | Pre-2.4 release | Release 2.4 and later |
|---|---|---|
| New | Not Applicable | Is identified and enables consumption of 1 ISE TACACS+ Policy Service Node (PSN) |
| Classic | Is identified and consumed as uncounted (unlimited number of ISE TACACS+ appliances within the deployment) | Is identified and enables consumption of up to 50 ISE TACACS+ Policy Service Nodes (PSNs) |

3.6 Cisco ISE Virtual Machine Licenses

Starting with the 3.1 release, Cisco ISE is available from the cloud, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing business needs. Cisco ISE is available as an infrastructure-as-code solution, helping you to rapidly deploy network access and control services anywhere. Extend the Cisco ISE policies in your home network to new remote deployments securely through AWS, Azure, or OCI. To simplify selecting Cisco ISE instance sizes based on your own needs, and to let you move your instances freely between different clouds, or between on-premises VMs and cloud instances, Cisco offers a single VM Common license that applies across all VM and cloud platforms, irrespective of VM size.

For the specifications of Cisco ISE instances, please refer to the Performance and Scalability Guide.

A simplified common virtual machine license replaces the VM Small, VM Medium, and VM Large licenses. You must first convert each of your classic VM licenses to a VM Medium license and then convert the VM Medium license to the common VM license.

For old and classic VM licenses, support comes with a service contract that, if not expired, continues to apply to the VM Common (VMC) license; the customer does not have to do anything in this case. However, if the support contract has expired, customers must follow the PID swap steps mentioned below.

PID Swap Steps for Expired Old VM PID Support

If the old VM PID support expired, a case needs to be created with customer support to do a PID swap. This will create a new instance number with the desired VM PID (R-ISE-VMM-K9=). Then you will be able to buy support on the new PID. Below are the steps for PID swap request:

1.     Create a case: https://customerservice.cloudapps.cisco.com/

2.     Search for “Service Contract Creation”, select IB creation as the type of request, and explain the request in the comments or business justification column under Optional Information so that the agent can understand the request.

Figure 19.         Service contract creation

Table 4.             The PID for the new simplified VM license is R-ISE-VMC-K9=.

| License PID to upgrade from | License PID to upgrade to | Ratio |
|---|---|---|
| R-ISE-VML-K9= | R-ISE-VMC-K9= | 1:1 |
| R-ISE-VMM-K9= | R-ISE-VMC-K9= | 1:1 |
| R-ISE-VMS-K9= | R-ISE-VMC-K9= | 1:1 |

You must convert your VM licenses to the common (simplified) VM license (PID: R-ISE-VMC-K9=) for Cisco ISE Release 3.1 and later. Common VM licenses can also be used in earlier releases with smart licensing, from version 2.4 through version 3.0.

Note:     The common VM license is also required for using Cisco ISE natively on cloud platforms like Amazon Web Services.

4. How to Order Cisco ISE Licenses

You can order any Cisco ISE license from the Cisco Commerce Workspace (CCW). Cisco ISE endpoint session-based licenses can be ordered in any quantity starting with 100 sessions.

Subscription-based licenses are available in 1-, 3-, and 5-year terms, allowing the licenses to be co-termed.

To purchase and to use subscription licenses, you must have support contracts on all your Cisco ISE appliances (physical or virtual) in a deployment.

By default, the start date of license consumption is the day that the purchase is complete. You can choose a different start date, up to 60 days from the date of purchase. However, you must specify the request to change the start date at the time of order purchase.

4.1 Cisco ISE SKUs

You can order three types of SKUs for Cisco ISE:

    Subscription SKU: used to define the subscription term and start date

    Product SKU: used to define the products and quantities that make up the subscription

    Support SKU: used to define the level of support for the subscription

The ordering steps are shown below:

Figure 20.         Steps for ordering ISE licenses

4.2 Ordering ISE Licenses

Step 1.    Selecting the Subscription SKU. There is one Cisco ISE subscription SKU (ISE-SEC-SUB). There is no price for the subscription SKU. Pricing is determined when product SKUs are added and configured. A quantity of 1 should be selected because each end customer may have one, and only one, subscription. Product quantities will be entered when the product SKUs are added to the subscription.

After selecting the subscription SKU, choose “Select Options” to edit the subscription term and the requested start date.

Figure 21.         Subscription SKU selection on CCW

The subscription term will default to a 36-month term.

Figure 22.         Changing subscription term on CCW

Step 2.    The requested start date may also be changed at this time.

The service is provisioned and the subscription starts on the service start date. The provisioning of the service may take up to 72 hours, assuming the order information is complete and correct.

Step 3.    Selecting the Product SKU

When the subscription terms have been set, the next step is to add products to the subscription. The term for the product is defined by the subscription term. Start by selecting the appropriate product in the subscription configuration summary. The guidance below uses ISE-P-LIC as an example. Having chosen to configure the subscription for the product, you then enter the quantity based on the number of sessions.

Figure 23.         Selecting billing SKUs on CCW

Pricing is determined dynamically according to the quantity ordered and the term, and is based on a tiered pricing model. Per-month prices are displayed for the selected SKU. However, billing is prepaid for the term of the subscription, and the term amount is shown in the subtotal. The figure below shows a sample of dynamic pricing based on 100 sessions of ISE-E-LIC and 1500 sessions of ISE-P-LIC selected for a term of 3 years.

Figure 24.         Selecting billing SKU quantity on CCW to view dynamic pricing

Step 4.    Selecting the Support SKU

After the products have been added, the next step is to define the support level desired for the subscription. There are three Cisco ISE support SKUs, corresponding to the three levels of support. To configure support for the subscription, start by selecting “Cisco ISE Support Options” in the subscription configuration summary:

Cisco Software Support Basic is included for the duration of Cisco ISE subscription licenses. Higher-value service levels (Solution Support, Software Support Enhanced, or Premium Support) may be purchased by selecting the appropriate level of support from the support options.

Prices for these higher-value service levels are calculated dynamically based on a percentage of the product cost and must meet annual minimum requirements, where applicable. The support level must be consistent across all endpoints: customers cannot purchase one support level for some endpoints and a different support level for others.

Figure 25.         Service SKU selection on CCW

Quoting and Ordering Help

For quoting or ordering questions, please contact cs-support@cisco.com.

4.3 Changing Existing Orders or Subscriptions

Cisco Commerce Workspace (CCW) provides you the capability to Modify, Renew, and Replace Subscriptions for your Active Orders.

For more information, refer to Change Subscription Job Aid.

4.4 License SKUs Based on Your Deployment

Apart from the subscription, product, and service SKUs, you also need to choose SKUs, as required, to cover the Cisco hardware appliances, virtual machines, and Device Admin nodes in your deployment.

    Cisco ISE Device Admin SKU (L-ISE-TACACS-ND=): Purchase one license for each PSN on which you wish to enable TACACS services.

    Cisco ISE IPSec SKU (L-ISE-IPSEC): Purchase one license for each PSN that you use for IPSec VPN communication with network access devices. A maximum of 150 IPSec tunnels are supported on each PSN.

    Cisco ISE VM License SKU (R-ISE-VMC-K9=): Purchase a license for each virtual machine or cloud-deployed ISE node in your deployment.

For ordering information on ISE Hardware Appliance SKUs, please refer to the Cisco Secure Network Server Data Sheet.

5. Cisco ISE Licensing Methods

1.     Purchase Licenses: Place an order for the Cisco ISE licenses that you require through the Cisco Commerce Portal.

2.     CSSM Licensing Inventory: The Cisco ISE licenses that are available in your account are displayed in the CSSM portal for you to monitor and manage.

3.     Choose a Licensing Method:

    Smart Licensing for connected networks

    Smart Licensing for air-gapped networks (SSM On-Prem servers)

    Specific License Reservation

4.     Register and Activate Licenses in the Cisco ISE administration portal: See the Cisco ISE Administrator Guide for your Cisco ISE release.

You can configure Cisco ISE Smart Licensing through various methods, depending on the needs of your organization.

5.1 Cisco ISE Smart Licensing in a Network with a Persistent Internet Connection

Support Notes: This licensing method is supported by Cisco ISE Release 2.4 and later releases.

If your Cisco ISE has a persistent internet connection, smart licensing is easily managed through consistent communication between Cisco ISE and the CSSM. Direct internet connections and proxy servers are both supported by this smart licensing method.

5.2 Cisco ISE Smart Licensing in an Air-Gapped Network with SSM On-Prem Servers

Cisco ISE Release 2.6 and later support the use of SSM On-Prem servers for smart licensing.

Cisco ISE Smart Licensing requires Cisco ISE to be connected to the CSSM. If your network is air-gapped, Cisco ISE is unable to report license usage to CSSM. This lack of reporting results in loss of administrative access to Cisco ISE and restrictions in Cisco ISE features.

To avoid licensing issues in air-gapped networks and enable full Cisco ISE functionality, configure Smart Software Manager (SSM) On-Prem. This server takes over the role of CSSM in your air-gapped network, releasing license entitlements, as needed, and tracking usage metrics. The SSM On-Prem server also sends notifications, alarms, and warning messages that are related to licensing consumption and validity.

5.3 Specific License Reservation (SLR)

Support Notes: Supported in Cisco ISE Release 3.1 and later.

Cisco ISE Smart Licensing requires Cisco ISE to be connected to the CSSM. Cisco ISE Release 3.0 and later releases support only smart licensing. If your network is air-gapped, Cisco ISE 3.x deployments are unable to report license usage to CSSM, and this results in loss of administrative access to Cisco ISE and restrictions in Cisco ISE features.

In a distributed deployment, we recommend that you enable SLRs on your primary and secondary PANs. In the case of a primary PAN failover, if the secondary PAN that is promoted to primary PAN does not have SLR enabled, your Cisco ISE is out of compliance and Cisco ISE services are disrupted. We recommend an 80:20 ratio of license count distribution between your primary and secondary PANs.

Note:     For SLR, ensure that you have the full allocation of licenses required in your deployment on the Primary PAN. Your secondary PAN also requires an SLR in case of failover, to ensure that the deployment can continue running immediately after the failover. The license allocation on the Secondary PAN is recommended to be 20% of that on the PPAN. These licenses are not consumed unless and until there is a failover. Upon failover, the deployment will likely be out of compliance, at which point you will have a 30-day grace period to re-allocate the required licenses to the failed-over PAN.

You will not be able to use any license entitlements that are not part of your SLR. Out-of-compliance alerts are displayed in the Cisco ISE administration portal if license usage is not in compliance with the SLR.

5.4 Licensing Directives Related to SLR

1.     The number of licenses you can reserve through SLR can be lower than or equal to the total number of licenses listed in the Purchased column, in the Licenses Inventory window of your CSSM portal.

2.     You can only reserve the license type that you have purchased. For example, if you have not purchased any ISE Advantage licenses, you will not be able to reserve any ISE Advantage licenses through the License Reservation option.

3.     You can reserve ISE-PIC licenses for Cisco ISE nodes that contain only the Passive Identity Connector (PIC) function. Each ISE-PIC license supports 3000 Cisco ISE-PIC sessions in a deployment. You can reserve only one ISE-PIC license per node; hence the number of available licenses decreases by one. If you have purchased 5 ISE-PIC licenses and reserve 4 ISE-PIC licenses, then:

| License | Purchased | In Use | Balance |
|---|---|---|---|
| ISE-PIC | 5 | (4 Reserved) | 1 |

4.     One ISE-PIC-UPG license supports 300,000 ISE-PIC sessions. To reserve an ISE-PIC-UPG license, you must also reserve an ISE-PIC license.

5.     You cannot reserve tier licenses (ISE Essentials, ISE Advantage, and ISE Premier) in a Cisco ISE-PIC node.

6.     You cannot reserve an ISE-PIC license on a Cisco ISE node. However, the License Reservation workflow in the CSSM portal allows you to assign an ISE-PIC license to a Cisco ISE node. The CSSM portal displays that the ISE-PIC license is reserved until you modify the reservation to remove the ISE-PIC license.

7.     The License Reservation workflow in the CSSM portal allows you to assign ISE Essentials licenses for an ISE-PIC node, even though the ISE-PIC node does not allow the use of these licenses. The CSSM portal displays that the ISE Essentials licenses are reserved until you modify the reservation to remove the ISE Essentials licenses.

5.5 SLR Examples

Table 5.             SLR examples

| Available license in your virtual account in CSSM (*1) | License you select while applying SLR in CSSM | Reserved license in ISE deployment | Remaining license in your virtual account in CSSM (*1) |
|---|---|---|---|
| Rule 1. You can reserve as many licenses as you have in your virtual account. | | | |
| 100 Essentials | 50 Essentials | 50 Essentials | 50 Essentials |
| 100 Essentials | 100 Essentials | 100 Essentials | N/A |
| 100 Essentials | 150 Essentials | 100 Essentials (*2) | N/A |
| Rule 2. You should reserve only the type of license that you are entitled to. | | | |
| 100 Essentials | 100 Advantage | N/A (*3) | 100 Essentials |
| 100 Essentials, 100 Premier | 150 Essentials, 100 Advantage | 100 Essentials (*3) | 100 Premier |
| Rule 3. You should reserve 1 ISE-PIC license (*4) per node. | | | |
| 5 ISE-PIC licenses | 1 ISE-PIC license | 1 ISE-PIC license | 4 ISE-PIC licenses |
| 5 ISE-PIC licenses | 2 ISE-PIC licenses | 1 ISE-PIC license (*5) | 3 ISE-PIC licenses (*5) |
| Rule 4. If you reserve an ISE-PIC-UPG license (*6), you must reserve 1 ISE-PIC license together with it. | | | |
| 5 ISE-PIC licenses, 3 ISE-PIC-UPG licenses | 1 ISE-PIC license, 1 ISE-PIC-UPG license | 1 ISE-PIC license, 1 ISE-PIC-UPG license | 4 ISE-PIC licenses, 2 ISE-PIC-UPG licenses |
| 5 ISE-PIC licenses, 3 ISE-PIC-UPG licenses | 1 ISE-PIC license | 1 ISE-PIC license (*7) | 4 ISE-PIC licenses, 3 ISE-PIC-UPG licenses |
| Rule 5. You should not reserve Essentials, Advantage, or Premier licenses to an ISE-PIC node unless you are upgrading ISE-PIC to the full ISE version (*8). | | | |
| 5 ISE-PIC licenses, 100 Essentials, 100 Premier | 1 ISE-PIC license (to ISE-PIC node) | 1 ISE-PIC license | 100 Essentials, 100 Premier |
| 5 ISE-PIC licenses, 100 Essentials, 100 Premier | 100 Essentials, 100 Advantage (to ISE node) | 100 Essentials (*3) | 5 ISE-PIC licenses, 100 Premier |
| 5 ISE-PIC licenses, 100 Essentials, 100 Premier | 1 ISE-PIC license, 100 Essentials (to ISE-PIC node) | 1 ISE-PIC license (*9) | 4 ISE-PIC licenses, 100 Premier (*9) |
| 5 ISE-PIC licenses, 100 Essentials, 100 Premier | 1 ISE-PIC license, 100 Essentials (to ISE node) | 100 Premier (*10) | 4 ISE-PIC licenses, 100 Premier (*10) |

(*1) Does not include licenses previously reserved and not returned.
(*2) You can reserve up to as many licenses as you are entitled to.
(*3) The Advantage license is not reserved because you are not entitled to it.
(*4) ISE-PIC is ISE with only the Passive Identity Connector (PIC) function. It allows 3000 ISE-PIC sessions in an ISE deployment.
(*5) You can reserve only 1 ISE-PIC license per node. However, the number of available licenses decreases by one.
(*6) An ISE-PIC-UPG license together with an ISE-PIC license allows 300,000 ISE-PIC sessions.
(*7) You can reserve an ISE-PIC license only, which allows up to 3000 ISE-PIC sessions per ISE-PIC deployment.
(*8) This is the rare case in which a customer has both an ISE-PIC deployment and an ISE deployment.
(*9) If an ISE-PIC node also has the ISE-PIC Upgrade license, you can assign Essentials licenses to it, thereby making it an ISE server with full functionality.
(*10) An ISE-PIC license cannot be reserved to an ISE node. However, the 1 ISE-PIC license is removed from the available licenses in CSSM because CSSM recognizes it as reserved.

For more information on ISE, please refer to Cisco ISE Passive Identity Connector Data Sheet.

6. Subscription Renewals, Cancellations, and Changes

Cisco ISE subscriptions automatically renew for an additional 12-month term by default unless auto-renewal was deselected at the time of initial order. No quoting or order is required. Starting 120 days before the end of the initial term, renewal notices will be sent to the customer or partner. The customer or partner will receive an invoice at the start of the new term.

You can cancel a renewal up to 60 days before the start date of the new term. If the subscription is not canceled 60 days before the start of the new term, the subscription will auto-renew. Mid-term cancellations of subscriptions for credit are not allowed.

Manual renewal

Any subscription can be manually renewed if the customer or partner desires, with standard terms of 12, 36, or 60 months. For manual renewals, quotes are created using the same process as the Change-Subscription process outlined below. This process will create a new quote. After a quote is approved, it can be converted to an order following the standard process.

Subscription cancellations

Renewals may be canceled up to 60 days before the start date of the new term. If the subscription is not canceled 60 days prior to the start of the new term, the subscription will automatically renew. Mid-term cancellations of subscriptions for credit are not allowed.

Subscription changes (Change-Subscription)

Changes to the products, quantities, or terms of a subscription may be made at any time during the term of the subscription. To change the subscription, please refer to this Cisco Commerce Change-Subscription Job Aid. Attempting to add products or seats by creating a new subscription will result in an ordering error.

7. License Management

Starting with the ISE 3.0 release, ISE Licenses are Smart Licenses only. If you’re on an ISE release before ISE 3.0, the licenses can be used as either traditional Product Authorization Key (PAK) based or as Smart Licenses. Using traditional licenses, the license file (PAK) is imported into the ISE deployment. For more details on how to convert ISE licenses purchased into Smart Licenses, please take a look at the Cisco Smart Software Licensing details.

Cisco offers a variety of license management tools in the License Registration Portal. A valid Cisco.com username and a password are required to access the portal. Key features of the Cisco License Registration portal include:

    Simplified asset management: Identifies PAKs registered to a customer and the devices with installed licenses

    Automated software activation: Quickly processes PAK registration and license file distribution

    License transfers: Rehosts existing licenses to new Cisco ISE Administration nodes

    Replacement of devices: Uses the “return materials authorization” to request replacement PAKs and licenses

II. Cisco ISE License Migration

Cisco ISE licenses have undergone some changes to help streamline and optimize Cisco ISE purchasing and management.

New licenses introduced in Cisco ISE are typically smart licenses. Therefore, to migrate an existing 2.x license type to a new 3.x license type, you will need:

    A Smart Account for Cisco Smart Licensing. Here is a video with instructions for how to create a Smart Account.

    The old licenses that need to be migrated to new license types must be available in your Smart Account as smart licenses: if you currently use PAK licenses, convert the PAK licenses to smart licenses. For instructions, see Convert Classic Licenses to Smart Licenses.

This section will address the following:

    How to migrate from classic Cisco ISE Base, Plus, and Apex licenses to new Cisco ISE Essentials, Advantage, and Premier licenses

    How to migrate from the classic VM Small, VM Medium, and VM Large licenses to VM Common licenses

1 Migrate from Classic Licenses to Tier Licenses

1.1 Evaluating ISE 3.x

The classic licenses—Base, Plus, and Apex—must be converted to tier licenses if you are upgrading to Cisco ISE Release 3.0 and later releases, as the former licenses cannot be used in ISE 3.x software. At a high level, most of the features that were mapped to Base licenses are enabled by ISE Essentials. Similarly, Plus and Apex licenses are comparable to ISE Advantage and ISE Premier, respectively.

When migrating from classic licenses to tier licenses, there is a difference in the count of licenses because of the structural differences between the two types of licenses. A Plus license is layered atop a Base license. An Apex license is layered atop a Base and a Plus license.

The following illustration shows how your inventory changes when migrating from classic licenses to tier licenses.

Figure 26.         Conversion of older model to new model showing 1-1 correspondence

Example 1: Base and Plus conversion

Figure 27.         Example showing an older model with Base and Plus licenses

Example 2: Base, Plus, and Apex conversion

Figure 28.         Example showing an older model with Base, Plus, and Apex licenses

Example 3: Base and Apex with no Plus conversion

Figure 29.         Example showing an older model with Base and Apex with no Plus

Note:     Because the Cisco ISE Essentials, Advantage, and Premier licenses are term based, your existing Base licenses will be converted to term-based Essentials licenses that will expire on the set date of October 31, 2023. Each Plus and Base license converted to a Cisco ISE Advantage license will expire on the same date that your Plus license would have expired, and similarly, each Apex, Plus, and Base license converted into a Cisco ISE Premier license will expire on the date of Plus or Apex, whichever is the longest.

As can be seen in Figure 28 above, if the existing Plus licenses expire on January 2, 2022 and the existing Apex licenses expire on January 1, 2023, the new converted licenses’ expiry dates will be as follows:

    300 Premier licenses (300 Apex + 300 Plus + 300 Base) expiring on January 1, 2023

    400 Advantage licenses (remaining 400 Plus + 400 Base) expiring on January 1, 2022

    500 Essentials licenses (remaining 500 Base) expiring on October 31, 2023

Note:     With the “ISE One Year on Us” promotion, customers migrating from 2.x to 3.x starting in Q4 FY22 will have their classic Base licenses converted to term-based Essentials licenses with an additional one-year term, until October 31, 2024. This offer is valid until the end of Q1 FY2023, applies only to new migrations, and does not apply retroactively.

For more information on “ISE One Year on Us”, please refer to CISE One Year on Us.
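The layered conversion and expiry rules above, as an added Python example that is not part of the Cisco guide: it takes the Figure 28 counts (1200 Base, 700 Plus, 300 Apex) with constructed expiry dates, computes the tier inventory you should expect to see in your Smart Account after the GLO team's conversion, and reverses the counts for the rollback case in section 1.4. The class, function and constant names are the example's own; rollback expiry dates are not modelled, and the Base-and-Apex-without-Plus case of Figure 29 is rejected rather than guessed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Expiry the guide assigns to Essentials licenses converted from perpetual Base
# licenses: October 31, 2023, or October 31, 2024 under "ISE One Year on Us".
ESSENTIALS_EXPIRY = date(2023, 10, 31)
ESSENTIALS_EXPIRY_PROMO = date(2024, 10, 31)


@dataclass(frozen=True)
class ClassicInventory:  # the example's own type, not a Cisco API
    base: int
    plus: int
    apex: int
    plus_expiry: date | None = None
    apex_expiry: date | None = None


def convert_classic_to_tier(inv: ClassicInventory, one_year_on_us: bool = False) -> dict:
    """Map a layered Base/Plus/Apex inventory to {tier: (count, expiry)}.

    Each Apex consumes one Plus and one Base (-> Premier), each remaining Plus
    consumes one Base (-> Advantage), and the leftover Base become Essentials.
    """
    if not inv.base >= inv.plus >= inv.apex >= 0:
        raise ValueError("layered model requires base >= plus >= apex >= 0")
    if (inv.plus and inv.plus_expiry is None) or (inv.apex and inv.apex_expiry is None):
        raise ValueError("Plus and Apex licenses need an expiry date")
    tiers = {}
    if inv.base - inv.plus:
        tiers["Essentials"] = (inv.base - inv.plus,
                               ESSENTIALS_EXPIRY_PROMO if one_year_on_us else ESSENTIALS_EXPIRY)
    if inv.plus - inv.apex:
        tiers["Advantage"] = (inv.plus - inv.apex, inv.plus_expiry)  # same date as Plus
    if inv.apex:
        # Premier expires on the later of the Plus and Apex dates.
        tiers["Premier"] = (inv.apex, max(inv.plus_expiry, inv.apex_expiry))
    return tiers


def rollback_tier_to_classic(tiers: dict) -> dict:
    """Reverse the count mapping for a 3.x -> 2.x rollback (section 1.4).

    Dates are not modelled: per the guide, Base takes the Essentials expiry
    and is no longer perpetual after conversion.
    """
    ess, adv, prem = (tiers.get(t, (0, None))[0] for t in ("Essentials", "Advantage", "Premier"))
    return {"Base": ess + adv + prem, "Plus": adv + prem, "Apex": prem}


# Counts from Figure 28 (1200 Base, 700 Plus, 300 Apex); the expiry dates are constructed.
FIGURE_28 = ClassicInventory(base=1200, plus=700, apex=300,
                             plus_expiry=date(2022, 6, 30), apex_expiry=date(2023, 3, 31))

if __name__ == "__main__":
    for tier, (count, expiry) in convert_classic_to_tier(FIGURE_28).items():
        print(f"{count:5d} {tier:10s} expiring {expiry}")
```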

1.2 How Do You Migrate from Existing Cisco ISE Base, Plus, and Apex Licenses to Cisco ISE Essentials, Advantage, and Premier Licenses?

Customers should take the following steps to migrate from their existing Base, Plus, and Apex licenses to the new Essentials, Advantage, and Premier licenses:

1.     If you have a Smart Account, log in to that account and go to step 5.

2.     If you do not have a Smart Account, you will need to create one by navigating to Cisco Software Central.

3.     From the Important News popup window, click “Get a Smart Account.”


Another option is to click “Request a Smart Account” in the Administration area on this page.


4.     Follow the process to create a Smart Account.

5.     If your ISE licenses are in your Smart Account, go to step 7.

6.     If you have PAK licenses, convert your existing PAK licenses to Smart Licenses and deposit them in your Smart Account as described in the “Convert Classic Licenses to Smart Licenses” short video.

7.     For a-la-carte licenses, navigate to the Support Case Management System to request conversion from Base/Plus/Apex licenses to the new Essentials/Advantage/Premier licenses.

8.     For EA customers, go to EA Workspace to provision ISE 2.X license entitlement. Then navigate to Support Case Management System. Follow these steps: Click on “Open New Case.” Choose “Software Licensing” and then “Enterprise Agreement (EAWS).” Under the drop-down, select “Enterprise Agreement (EAWS)” and click “Open Case.”

9.     Select “Security Related Licensing” under “CSSM & LRP Issues” and click “OPEN CASE.”


10.  In the “Title” field, add a note that you are requesting migration from ISE Base/Plus/Apex to ISE Essentials/Advantage/Premier.

11.  In the “Problem Description” field, provide your Smart Account ID as created in the previous steps, in which the conversion should occur. Provide the license types (Base, Plus, and/or Apex), the license expiry date for each, and the license count for each license that you want to convert to the new licenses.

12.  Select “Open Case” and submit the case.

13.  The Cisco Global License Operations team will migrate your existing Smart License(s) to the new ISE licensing scheme.

14.  After the migration is completed, you can upgrade your ISE deployment to ISE 3.0.

15.  Ensure you configure the above virtual account in ISE so it can connect to the Smart Licensing portal and correctly consume licenses. For more information on configuring Smart Licensing for ISE 2.7, refer to CISE Admin Guide 2.7 and, for ISE 3.0, refer to CISE Admin Guide 3.0.

Note:     Cisco ISE provides a 90-day grace period with Smart Licensing. This is a cumulative counter, so it continues from the total number of evaluation days you have used prior to the 3.0 release.

1.3 How to Renew Existing ISE Base, Plus, and/or Apex Licenses

As per the Cisco EOL Policy, the old licenses have reached end-of-life and renewals are not an option. Currently, ISE 3.1 is the recommended release. If you do plan to upgrade to Cisco ISE 3.0, you will be required to go through the migration process specified above so that PAK licensing is transitioned to Smart Licensing (if you are not already using Smart Licensing).

1.4 Rollback from Tier Licenses to Classic Licenses

If you are rolling back from Cisco ISE 3.x licenses to Cisco ISE 2.x licenses, carry out this conversion:

1.     Log in to the Support Case Management System portal.

2.     Click Open New Case.

3.     From the drop-down list, choose Software Licensing > CSSM & LRP Issues > Security Related Licensing, and click Open Case.

4.     In the Title field, add a title that specifies that you want to migrate from Cisco ISE Essentials, Advantage, and Premier licenses to Cisco ISE Base, Plus, and Apex.

5.     Click Submit Case.

6.     The Cisco Global License Operations team will migrate your tier licenses to classic licenses as required. Please note that the Base license will take the expiry date of the Essentials license and will not be perpetual after conversion.

7.     Ensure that you configure your virtual account in Cisco ISE so it can connect to the Smart Licensing portal and correctly consume the licenses that have been converted. Check the Licensing window in the Cisco ISE administration portal to confirm that Cisco ISE is connected to the CSSM.

When Essentials, Advantage, and Premier are converted to the Base, Plus, and Apex licenses, they will be converted to the corresponding terms, including the Base license. The conversion will be as shown:

Figure 30.         Example showing an older model with Base and Apex with no Plus

2 Migrate to VM Common License

Each VM license—Small, Medium, or Large—is converted to a VM Common license. If you currently own 50 VM Small licenses, 30 VM Medium licenses, and 20 VM Large licenses, you will own 100 Virtual Machine common licenses after the migration process is complete.

Upgrade from   | Upgrade to    | Ratio
R-ISE-VML-K9=  | R-ISE-VMC-K9= | 1:1
R-ISE-VMM-K9=  | R-ISE-VMC-K9= | 1:1
R-ISE-VMS-K9=  | R-ISE-VMC-K9= | 1:1

2.1 Migrating from Pre-Cisco ISE Release 2.4 VM Licenses

If you own a VM license (R-ISE-10VM-K9=) from a release earlier than Cisco ISE Release 2.4, you cannot directly migrate the VM license to the VM Common license. You must migrate it to the VM Medium license first. To do so, open a support case with the GLO team via the SCM Tool, including the sales order numbers that reflect the ISE VM purchase and your Cisco ID.

You must migrate from the classic VM licenses to the VM Common license before you upgrade to Cisco ISE Release 3.1.

Existing users of Cisco ISE Releases 2.x and Cisco ISE Release 3.0 can continue to use the classic VM licenses until the end-of-life date of the licenses. You can also choose to migrate to the VM Common license and stay with your existing Cisco ISE release.

2.2 How to Migrate from the Classic VM Small, Medium, and Large Licenses to VM Common Licenses

Migrating to the new licensing scheme requires simple steps. The VM Common license is at the top of the license hierarchy, and it covers what the VM Small, Medium, and Large licenses cover. As such, for a seamless customer experience, customers should migrate to the VM Common license before they upgrade the ISE image to the 3.1 or later release. Note that VM Small, Medium, and Large licenses do not cover what the VM Common license covers, so ISE 3.1 or later with a classic VM license will be out of compliance.

Customers should take the following steps to migrate from their classic VM Small, Medium, and Large licenses to VM Common licenses:

1.     If you have a Smart Account, log in to that account and go to step 5.

2.     If you do not have a Smart Account, you will need to create one by navigating to Cisco Software Central.

3.     From the Important News popup window, click “Get a Smart Account.”


Another option is to click “Request a Smart Account” in the Administration area on this page.


4.     Follow the process to create a Smart Account.

5.     If your ISE licenses are in your Smart Account, go to step 7.

6.     If your classic VM licenses are PAK licenses, convert your existing PAK licenses to Smart Licenses and deposit them in your Smart Account as described in the “Convert Classic Licenses to Smart Licenses” short video, or navigate to https://software.cisco.com/ and follow the steps below.

a.   Click on the "Manage Licenses" link.


b.   Click on “Convert to Smart Licensing” link.


c.   Select the PAK file to convert.


d.   Next, click the “Convert to Smart Licensing” link.


e.   Once this window appears, select the license from the PAK file, and click “Next.”


f.    Verify the license to convert and click “Convert Licenses.”


g.   Once the PAK file has been converted, it will be deposited into the smart virtual account. Choose the “Inventory” link.


h.   Click the “Licensing” tab. The converted VM license will appear in the inventory. If expanded, the details show that the license has been converted from a PAK, and the PAK serial number is also listed for verification.


i.    You will now have your VM Small, VM Medium, and VM Large licenses in your Smart Account.

7.     Purchase the VM License Upgrade PID in Cisco Commerce Workplace by following the steps below. The Upgrade PID is L-ISE-VMC-UPG=, and it’s marked as “0.00.” Note that the Upgrade PID works only with the classic VM licenses.

a.   Click on “Assign Smart Account.” Input your Smart and Virtual Account in the popup window. Then click “Assign.”


b.   Input the quantity of licenses required. Then click “Save and Continue.”


c.   Review the summary order, which will show “0.00” owed. Then click “Submit Order.”


d.   A popup window will confirm the order submission.


8.     If you have trouble purchasing the upgrade PID via CCW, contact the GLO Team to have the licenses manually deposited in your Smart Account.

9.     Go to “License” under “Inventory” in Cisco Smart Software Management.

10.  Under the ISE VM row, expanded details show the inventory of VM Common licenses pending with an “Upgrade Pending” link.


11.  If expanded, the details will show the inventory of VM common licenses and VM common upgrade licenses with the upgrade licenses listed as pending. From here, select the action drop-down.


12.  Choose “complete upgrade.”


13.  Input the quantity of licenses to be upgraded and click “Apply.”


14.  This screen shows the “Perpetual to Perpetual” option for upgrading from ISE VM Small to ISE VM. Select it and click “Next.”

15.  Review the license upgrade, and click “Submit.”


16.  The change in quantity of the ISE VM license and VM Small license will be reflected.


17.  The quantity of the pending upgrade will also decrease in line with the quantity entered for the license upgrade. The expanded ISE VM entry shows the additional item from the upgrade that has just been completed.

18.  On the ISE licensing page, VM Small, Medium, and Large licenses are listed. Once the VM Common license is used by the system, a single entry will be shown for the ISE VM license.


19.  After the migration is completed, you can upgrade your ISE deployment to ISE 3.1 or later.

2.3 What Will Happen to Existing Classic VM Licenses?

Customers can continue to use the classic VM Small, Medium, and Large licenses as well as the VM Common license for ISE 2.4, 2.6, 2.7, and 3.0. Note that the classic VM licenses need to be converted to Smart Licenses for ISE 3.0. If you upgrade your Cisco ISE to Release 3.1 or later, you must migrate your VM Small, VM Medium, and VM Large licenses to the VM Common license.

Prior to ISE 2.4, Virtual Machine (VM) Licenses were not enforced in ISE and therefore PAKs were not created. After 2.4, the VM Licenses are broken down into three tiers: Small, Medium, and Large. Customers who already purchased one of the following PIDs (R-ISE-GST-BUN-K9=, ISE-VM-K9=, ISE-5VM-K9=, ISE-10VM-K9=, ISE-VM-M-K9=) are entitled to obtain a Product Authorization Key (PAK) containing VM Medium License for each VM license when upgrading. If you are looking to obtain a PAK with VM licenses, please include all of the details from the original VM appliance purchase and raise a case with the Licensing Team (GLO) through Support Case Manager.

If you upgrade to ISE 2.4 prior to obtaining a PAK, the deployment displays a warning as “Fewer VM Licenses installed than VM Resources/VM Nodes deployed,” at which point you may start using the new license procured. While on ISE 2.4, this is only a warning message and does not disrupt any user’s ISE experience. If you are unable to locate the sales order number pertaining to your past purchase of ISE VM, please reach out to your Cisco sales representative or partner.

Customers who are on ISE 2.X and ISE 3.0 can continue to use the classic VM licenses until the end-of-life date of the licenses. They also can migrate the classic VM licenses to the VM Common license and stay on ISE 2.X or ISE 3.0.

Virtual Machine Licenses use a License Hierarchy: usage for a tier can be covered by any available licenses in a higher tier at a 1:1 ratio.

VM Common (Smart Only) > VM Large > VM Medium > VM Small
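The 1:1 VM Common conversion and the license hierarchy, as an added Python example that is not from the Cisco guide: it sums a classic inventory into VM Common licenses, refuses pre-2.4 PIDs (which must go to VM Medium first), and reports which VM usage a given inventory leaves uncovered, with higher tiers covering lower-tier usage 1:1 but never the reverse. The function names and usage figures are the example's own; the owned counts are the guide's 50 Small / 30 Medium / 20 Large example.

```python
# Tiers from highest to lowest; a higher tier covers usage in any lower tier 1:1.
VM_TIERS = ["VM Common", "VM Large", "VM Medium", "VM Small"]

# Classic PIDs that migrate to VM Common (R-ISE-VMC-K9=) at 1:1.
CLASSIC_VM_PIDS = {"R-ISE-VMS-K9=": "VM Small", "R-ISE-VMM-K9=": "VM Medium",
                   "R-ISE-VML-K9=": "VM Large"}


def convert_to_vm_common(classic_counts: dict) -> int:
    """Return the number of VM Common licenses a classic VM inventory migrates to."""
    unknown = set(classic_counts) - set(CLASSIC_VM_PIDS)
    if unknown:
        # Pre-2.4 PIDs (for example R-ISE-10VM-K9=) must be migrated to VM Medium first.
        raise ValueError(f"not classic VM PIDs, migrate to VM Medium first: {sorted(unknown)}")
    return sum(classic_counts.values())


def vm_shortfall(owned: dict, in_use: dict) -> dict:
    """Apply the license hierarchy and return {tier: uncovered count}.

    Usage is settled from the highest tier down, so higher-tier licenses are
    not spent on lower-tier usage before higher-tier usage has been covered.
    """
    available = {tier: owned.get(tier, 0) for tier in VM_TIERS}
    shortfall = {}
    for i, tier in enumerate(VM_TIERS):
        need = in_use.get(tier, 0)
        for donor in VM_TIERS[i::-1]:  # the tier itself, then each higher tier
            take = min(need, available[donor])
            available[donor] -= take
            need -= take
            if need == 0:
                break
        if need:
            shortfall[tier] = need
    return shortfall


# Constructed inventory matching the guide's 50 Small / 30 Medium / 20 Large example.
CLASSIC_OWNED = {"VM Small": 50, "VM Medium": 30, "VM Large": 20}

if __name__ == "__main__":
    usage = {"VM Large": 25, "VM Medium": 30}  # constructed usage figures
    print(vm_shortfall(CLASSIC_OWNED, usage))  # {'VM Large': 5}
    common = convert_to_vm_common({"R-ISE-VMS-K9=": 50, "R-ISE-VMM-K9=": 30,
                                   "R-ISE-VML-K9=": 20})
    print(vm_shortfall({"VM Common": common}, usage))  # {}
```

The check models only the hierarchy; on Release 3.1 and later only VM Common licenses are consumed, so convert the classic counts first before comparing against usage there.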

Table 6.             Virtual machine license use cases

License on release | Pre-2.4 release | Release 2.4, 2.6, 2.7, and 3.0 | Release 3.1 and later
VM license, New (VM Common: R-ISE-VMC-K9=) | Licensed with smart licensing enforcement (single cell spanning the release columns)
VM license, Classic (VM Large: R-ISE-VML-K9=; VM Medium: R-ISE-VMM-K9=; VM Small: R-ISE-VMS-K9=) | Licensed without enforcement | Licensed with PAK and smart licensing enforcement | License migration to Common is required
VM license, Old (R-ISE-10VM-K9=; R-ISE-5VM-K9=; R-ISE-VM-K9=) | Licensed without enforcement | License migration to Classic or Common is required (*) | License migration to Common is required (*)

(*) Note that you can’t directly upgrade your old VM license to the VM Common license. You must upgrade it to the VM Medium license first.

2.4 Downgrade from the VM Common License to the Classic VM Licenses

A downgrade is not recommended. You can use the VM Common license in Cisco ISE releases with Smart Licensing enforcement. Once you migrate your VM license to the VM Common license (which works as the VM Large license does), you can use the VM Common license even if you roll back to Cisco ISE Release 3.0 or an earlier release (Cisco ISE Release 2.4 and later) that has Smart Licensing enabled. The VM Common license covers VM Small, VM Medium, and VM Large licenses.

If a customer has purchased VM Common licenses but runs ISE with Traditional Licensing, they will not be able to use the VMC license and have two options:

1.     Moving to Smart Licensing to utilize the License Hierarchy

2.     Upgrading to 3.1 for SLR (if offline mode is needed)

2.5 Support Associated with the Classic VM Licenses

When you migrate your classic VM license to the VM Common license, you continue to receive support based on the support contract purchased with the classic VM license PID. You can renew the support for your VM license until the classic VM license PID reaches End-of-Life and the last date of service renewal per the End-of-Life bulletin. There is no support migration. For seamless support, request that the classic VM PID be replaced with the desired VM PID so that you can renew and receive support.

3. Migration for Enterprise Agreement Customers

Customers who purchased ISE Base licenses through the EA program might have their own expiry date for each license, as per the EA term end date. The EA term end date will be honored when the ISE Base license is converted to ISE Essentials.

Example: Any 3.x licenses converted from 2.x will expire on the later of the EA term end date and October 31, 2023.

Security Choice EA customers need to finalize migration to ISE 3.0 in Cisco Smart Licensing (similar to ALC/transactional license) via the Support Case Management System and select “Enterprise Agreement Workspace (EAWS)” under “ENTERPRISE AGREEMENT (EAWS)” and click “OPEN CASE.” After migration to ISE 3.0, the customer will need to manage their ISE entitlement in Cisco Smart Licensing and not in EAWS. EAWS will only be used if the customer needs additional licenses to request provisioning and then true forward will apply.

EA customers need to contact the Cisco Licensing team for the following migration scenarios.

1.     Migration from 2.x to 3.x – EA L2 licensing team

2.     Rollback from 3.x to 2.x - GLO

3.     Partial migration – GLO

4. Migration for DNA Premier Enterprise Agreement Customers

Cisco DNA Premier EA customers should follow the same migration process as non-EA customers. The migration to ISE 3.0 for DNA EA customers is the same as transactional ISE customers. Please note that the conversion of ISE 2.x to 3.0 happens in the smart account and their entitlements/consumption quantities in EAWS do not change.


Learn more