Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

ISE Licensing Migration Guide

Available Languages

Download Options

  • PDF
    (4.9 MB)
    View with Adobe Reader on a variety of devices
Updated:March 14, 2022

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Available Languages

Download Options

  • PDF
    (4.9 MB)
    View with Adobe Reader on a variety of devices
Updated:March 14, 2022
 

 

Overview

With the release of Cisco® Identity Services Engine (ISE) 3.0 in September 2020, Cisco announced a new streamlined licensing scheme for Cisco ISE in line with the Cisco DNA Center licensing tiers, which reduces the complexity in ordering. This document will guide you through the process of determining what is required to upgrade from Cisco ISE “classic” licenses (Base, Plus, and Apex) to the new ISE license scheme with Cisco ISE Essentials, Advantage, and Premier.

Cisco ISE licensing provides the ability to manage access and the application features, such as the number of concurrent endpoints that can use Cisco ISE network resources. Licensing in Cisco ISE is supplied as feature-based packages, with different features supported in each of the Essentials, Advantage, and Premier licenses. Further information can be found in the Cisco ISE Ordering Guide. The ordering guide denotes which use cases and capabilities require which licenses.

Starting with the Cisco ISE 3.0 release, you are required to have Smart Licensing, which further requires you to have a Cisco License Smart Account created and configured before you upgrade ISE or migrate your existing “classic” ISE licenses. Cisco Smart Licensing helps you procure, deploy, and manage licenses easily, allowing devices to self-register and report license consumption. This change removes the need for Product Activation Keys (PAKs) and uses the Cisco Smart Software Manager (CSSM) to obtain the necessary authorization.

PART I. VM Common license in ISE 3.1

Evaluating ISE 3.1

Like all ISE deployments, ISE 3.1 can be deployed in a lab setting with the included 90-day evaluation license on your Smart Licensing portal. You can test ISE 3.1 prior to upgrading your entire network, ensure ISE VM Common License is working as planned, and then upgrade your production deployment.

How are licenses converted from legacy VM licenses to the VM Common license?

Each legacy VM license will be converted to a 1 VM Common license.

Upgrade from

Upgrade to

Ratio

R-ISE-VML-K9=

R-ISE-VMC-K9=

1:1

R-ISE-VMM-K9=

R-ISE-VMC-K9=

1:1

R-ISE-VMS-K9=

R-ISE-VMC-K9=

1:1

If you’re using the old VM license (i.e., R-ISE-5VM-K9=), you should migrate the old VM license to the legacy VM Medium license (“R-ISE-VMM-K9=”) and then migrate the legacy VM Medium license to the VM Common license.

How to migrate from the legacy VM Small, Medium, and Large licenses to VM Common licenses

Migrating to the new licensing scheme requires simple steps. The VM Common license is at the top of the license hierarchy, and it covers what VM Small, Medium, and Large licenses cover. As such, for the seamless customer experience, customers should migrate to the VM Common license before they upgrade the ISE image to the 3.1 release. Note that VM Small, Medium, and Large licenses do not cover what VM Common license cover, so the ISE 3.1 with the legacy VM license will be out of compliance.

Customers should take the following steps to migrate from their legacy VM Small, Medium, and Large licenses to VM Common licenses:

1.     If you have a Smart Account, log in to that account and go to step 5.

2.     If you do not have a Smart Account, you will need to create one by navigating to Cisco Software Central.

3.     From the Important News popup window, click “Get a Smart Account.”

Important News

Another option is to click “Request a Smart Account” in the Administration area on this page.

Administration

4.     Follow the process to create a Smart Account.

5.     If your ISE licenses are in your Smart Account, go to step 7.

6.     If your legacy VM licenses are PAK licenses, convert your existing PAK licenses to Smart Licenses and deposit them in your Smart Account as described in the “Convert Classic Licenses to Smart Licenses” short video or you may navigate to Software.Cisco.com and follow the below steps.

a.     Click on "Manage License" link

Cisco Software Central

b.    Click on “convert to Smart licensing” link

Smart licensing

c.     Select PAK file to convert

Select PAK file to convert

d.    Next, Click “convert to Smart Licensing” link

Next, Click “convert to Smart Licensing” link

e.    Once this window appears, select license from the PAK file, and click “Next”

Once this window appears, select license from the PAK file, and click “Next”

f.      Verify the license to convert and click “Convert Licenses”

Verify the license to convert and click “Convert Licenses”

g.   Once the PAK file has been converted, it will be deposited into the smart virtual account. Choose the “Inventory” link.

Choose the “Inventory” link

h.   Click “Licensing” tab. Converted VM license will appear in the inventory. If expanded, the details shows that the license has been converted from a PAK, and the PAK serial number is also listed for verification.

Click “Licensing” tab

i.    You will now have your VM Small, VM Medium, and VM Large licenses in your Smart Account,

7.     Purchase the VM License Upgrade PID in Cisco Commerce Workplace by following the below steps. The Upgrade PID is L-ISE-VMC-UPG= and it’s $0. Note that the Upgrade PID works only with the legacy VM licenses.

SKU

a.   Click on “Assign Smart Account”. Input your Smart and Virtual Account in the popup window. Then click “Assign”

Click on “Assign Smart Account”.

 

Click on “Assign Smart Account”.

b.   Input quantity of licenses required. Then click “Save and Continue”

Input quantity of licenses required. Then click “Save and Continue”

c.   Review the summary order which will show $0 owed. Then click “Submit Order”.

Submit Order

d.   A popup window confirms order submission.

order submission

8.     If you have trouble in purchasing upgrade PID via CCW, contact GLO Team to get the licenses manually deposited in customer’s smart account.

9.     Go to “License” under “Inventory” in Cisco Smart Software Management.

10.  Under the ISE VM row, expanded details show the inventory of VM Common licenses pending with “Upgrade Pending” link.

“Upgrade Pending” link

11.  If expanded, the details will show the inventory of VM common licenses and VM common upgrade licenses with the upgrade licenses listed as pending. From here, select the action dropdown.

If expanded, the details will show the inventory of VM common licenses

12.  Choose “complete upgrade”

Choose “complete upgrade”

13.  Input the quantity of licenses to be upgraded and click “Apply”.

Input the quantity of licenses to be upgraded and click “Apply”.

14.  On this screen, an option to choose “Perpetual to Perpetual” to ISE VM from ISE VM Small is shown. Select and click “Next”

On this screen, an option to choose “Perpetual to Perpetual”

15.  Review the license upgrade and click “Submit”

Review the license upgrade and click “Submit”

16.  The change in quantity of ISE VM license and VM Small license will be reflected.

The change in quantity of ISE VM license and VM Small license will be reflected

17.  The quantity of pending upgrade will also decrease in line with the quantity of license upgrade inputted. Expanded ISE VM entry shows the additional item from the upgrade which has just been completed.

Expanded ISE VM entry shows

18.  On the ISE licensing page, VM Small, Medium, and Large license are listed. Once the VM common license is used by the system, a single entry will be shown for the ISE VM license.

18. On the ISE licensing page, VM Small, Medium, and Large license

19.  After the migration is completed, you can upgrade your ISE deployment to ISE 3.1.

What will happen to existing legacy VM licenses

Customers who are on ISE 2.X and ISE 3.0 can continue to use the legacy VM licenses until the end-of-life date of the licenses. They also can migrate the legacy VM licenses to the VM Common license and stay on ISE 2.X or ISE 3.0.

Table 1.           Virtual Machine License Use-Cases

License on release

Pre-2.4 release

Release 2.4, 2.6, 2.7, and 3.0

Release 3.1 and later

VM license

New
(VM Common: R-ISE-VMC-K9=)

Licensed with smart licensing enforcement

Legacy
(VM Large: R-ISE-VML-K9=)
(VM Medium: R-ISE-VMM-K9=)
(VM Small: R-ISE-VMS-K9=)

Licensed with no enforcement

Licensed with PAK and smart licensing enforcement

License migration to Common is required

Old
(R-ISE-10VM-K9=)
(R-ISE-5VM-K9=)
(R-ISE-VM-K9=)

Licensed with no enforcement

License migration to Legacy or Common is required(*)

License migration to Common is required(*)

(*) Note that you can’t directly upgrade your old VM license to the VM Common license. You must upgrade it to the VM Medium license first.

Downgrade from the VM Common license to the legacy VM licenses

Downgrade is not available. However, customers can use the VM Common license for ISE 3.0 and later. In this case, the VM Common license will work as the VM Large license does.

Note that the VM Common license supports only Smart Licensing, and you need to replace the VM Common PID with the legacy VM PID if you want to go back to Classic Licensing by opening a case with the GLO team.

Support associated with the legacy VM licenses

When customers upgrade the version of their legacy VM to VM Common license, they can continue to receive support based on the support contract purchased on legacy VM license PID. They can renew the support until the legacy VM license PID is EOL and reaches last date of service renewal per the EOL bulletin. There is no support migration. For seamless support, the customer should request the legacy VM PID to be replaced with the desired VM PID in order to renew and receive support.

Pre-ISE 2.4 release to VM Common license

Customers with the old VM license (i.e., R-ISE-10VM-K9=) cannot directly migrate the VM license to the VM Common license. They must migrate it to the VM Medium license, first. To do so, email licensing@cisco.com with the sales order numbers that reflect the ISE VM purchase and your Cisco ID.

PART II. Smart Licensing in ISE 3.0 and later

Evaluating ISE 3.0

Like all ISE deployments, ISE 3.0 can be deployed in a lab setting with the included 90-day evaluation license on your Smart Licensing portal. You can test ISE 3.0 prior to upgrading your entire network, ensure Smart Licensing is working as planned, and then upgrade your production deployment.

How are licenses converted from Base, Plus, and Apex to Essentials, Advantage, and Premier licenses?

When converting existing licenses to the new scheme, the licenses will be migrated using the following rules. While functionality will be retained across licenses, notice that the license count might be different to what the Base/Plus/Apex license count is, and that all licenses will have an expiry date:

Conversion of older model to new model showing 1-1 correspondence

Figure 1.               

Conversion of older model to new model showing 1-1 correspondence
(Note: Feature to license mapping can be found in the Cisco ISE Ordering Guide)

Example 1: Base and Plus conversion

Example showing an older model with Base and Plus licenses

Figure 2.               

Example showing an older model with Base and Plus licenses

Example 2: Base, Plus, and Apex conversion

Example showing an older model with Base, Plus, and Apex licenses

Figure 3.               

Example showing an older model with Base, Plus, and Apex licenses

Note:      Because the Cisco ISE Essentials, Advantage, and Premier licenses are term based, your existing Base licenses will be converted to term-based Essentials licenses that will expire on the set date of October 31, 2023. Each Plus and Base license converted to a Cisco ISE Advantage license will expire on the same date that your Plus license would have expired, and similarly, each Apex, Plus, and Base license converted into a Cisco ISE Premier license will expire on the date of Plus or Apex, whichever is the longest.

As can be seen in Figure 3 above, if the existing Plus license expires on January 1, 2022, the existing Apex licenses expire on January 1, 2023, and the new converted licenses’ expiry dates will be as follows:

     300 Premier licenses (300 Apex + 300 Plus + 300 Base) expiring on January 1, 2023

     400 Advantage licenses (remaining 400 Plus + 400 Base) expiring on January 1, 2022

     500 Essentials licenses (remaining 500 Base) expiring on October 31, 2023

How to migrate from old Cisco ISE Base, Plus, and Apex licenses to new Cisco ISE Essentials, Advantage, and Premier licenses

Migrating to the new licensing scheme requires simple steps to convert your existing PAK licenses to Smart Licenses. ISE will reach out to the Smart Licensing Portal and will enable features and capabilities based on what licenses are available on the portal. As a result, ISE needs network connectivity to reach the CSSM. ISE currently does not support PLR, Satellite (On-Premises SSM), or SLR, and support for PLR and Satellite will be introduced soon on the 3.0 release.

Customers should take the following steps to migrate from their existing Base, Plus, and Apex licenses to the new Essentials, Advantage, and Premier licenses:

1.     If you have a Smart Account, log in to that account and go to step 5.

2.     If you do not have a Smart Account, you will need to create one by navigating to Cisco Software Central.

3.     From the Important News popup window, click “Get a Smart Account.”

Important News

Another option is to click “Request a Smart Account” in the Administration area on this page.

Administration

4.     Follow the process to create a Smart Account.

5.     If your ISE licenses are in your Smart Account, go to step 7.

6.     If you have PAK licenses, convert your existing PAK licenses to Smart Licenses and deposit them in your Smart Account as described in the “Convert Classic Licenses to Smart Licenses” short video.

7.     Navigate to the Support Case Management System to request conversion from Base/Plus/Apex licenses to the new Essentials/Advantage/Premier licenses.

8.     Select “Security Related Licensing” under “CSSM & LRP Issues” and click “OPEN CASE.”

Security related licensing

Figure 4.               

Security related licensing

9.     In the “Title” field, add a note that you are requesting migration from ISE Base/Plus/Apex to ISE Essentials/Advantage/Premier.

10.  In the “Problem Description” field, provide your Smart Account ID as created in the previous steps, in which the conversion should occur. Provide the license types (Base, Plus, and/or Apex), the license expiry date for each, and the license count for each license that you want to convert to the new licenses.

11.  Select “Open Case” and submit the case.

12.  The Cisco Global License Operations team will migrate your existing Smart License(s) to the new ISE licensing scheme.

13.  After the migration is completed, you can upgrade your ISE deployment to ISE 3.0.

14.  Ensure you configure the above virtual account in ISE so it can connect to the Smart Licensing portal and correctly consume licenses. For more information on configuring Smart Licensing for ISE 2.7, refer to CISE Admin Guide 2.7 and for ISE 3.0, refer to CISE Admin Guide 3.0

Note:      ISE provides a 90-day grace period with Smart Licensing. This is a cumulative counter so it will continue from the total number of evaluation days you have used prior to the 3.0 release.

Note:      Some features in ISE have moved to a new license. The license structure, given the nested doll model, provides the customers the entitlement for all the features that are nested. Please reach out to your Cisco account team if you have any questions on the migration.

How to renew existing ISE Base, Plus, and/or Apex licenses

Customers who are on ISE 2.X software can continue to renew existing ISE Base, Plus, and/or Apex licenses until the end-of-sale date for those licenses. There is no need to migrate to the new Essentials, Advantage, or Premier licenses in this scenario. If you do plan to upgrade to Cisco ISE 3.0 and you plan on renewing after Cisco ISE Base, Plus, and Apex licenses are no longer available for purchase, you will be required to go through the migration process as specified above so that PAK licensing is transitioned to Smart Licensing (if not already using Smart Licensing).

Rolling back from ISE 3.0 to the ISE 2.X release

In terms of licenses, a rollback from 3.0 to a 2.X version would mean that the ISE deployment will require the ISE Base, Plus, and/or Apex licenses. In this scenario, follow the process outlined below to convert from the ISE Essentials, Advantage, and Premier licenses back to ISE Base, Plus, and Apex licenses:

1.     Log in to your Smart Account and navigate to the Support Case Management System to request conversion from the new Essentials/Advantage/Premier licenses to the old Base/Plus/Apex licenses.

2.     Select “Security Related Licensing” under “CSSM & LRP Issues” and click “OPEN CASE.”

Security related licensing

Figure 5.               

Security related licensing

3.     In the “Title” field, add a note that you are requesting a conversion from ISE Essentials/Advantage/Premier to ISE Base/Plus/Apex.

4.     In the “Problem Description” field, provide your Smart Account ID, in which the conversion should occur. Provide the license types, the expiry dates for the licenses, and the license count you want to convert to the old licenses.

5.     The Cisco Global License Operations team will migrate your new Smart License(s) to the Base/Plus/Apex licensing scheme.

6.     Ensure you configure the above virtual account in ISE so it can connect to the Smart Licensing portal and correctly consume licenses that have been converted to the new ISE license types. Check the Licensing page on the ISE admin portal to confirm that ISE is connected to the CSSM.

When Essentials, Advantage, and Premier are converted to the Base, Plus, and Apex licenses, they will be converted to the corresponding terms, including the Base license. The conversion will be as shown:

Base, Plus, and Apex licenses

Migration for EA customers

Customers who purchased old ISE licenses through the EA program might have their own expiry dates for each license as per EA terms. EA terms will be honored, and customers can continue to enjoy new ISE licenses after migrating from the old licenses until the original expiry date under the EA program. Essentials licenses converted from Base will expire on the later date, between EA term end date and October 31, 2023.

Security Choice EA customers need to finalize migration to ISE 3.0 via change subscription capability on CCW once it is available in the April 2020 timeframe. EA workspace will be updated only after a customer changes their subscription on CCW.

The EAWS consumption view, displays only the licenses generated from the EA portal. The EAWS works unidirectional, that is licenses converted will directly be deposited into CSSM. In the current state of EAWS portal, it won't know if the ISE Base/Plus have been converted to ISE-Advantage later, which is outside it's parameter. The EAWS portal will still display generated ISE-Base/Plus, as ISE 3.0 has not been added to EA program.

Migration for Cisco DNA Premier EA customers

Cisco DNA Premier EA customers should follow the same migration process as non-EA customers by following the ISE Migration guide. The migration to ISE 3.0 for DNA EA customers is same as transactional ISE customers. Please note that the conversion of ISE 2.x to 3.0 happens in the smart account and their entitlements / consumption quantities in EAWS do not change.

 

Learn more