Configure ISE Licensing Using Open API
Available Languages
Contents
Introduction
This document describes how to configure Cisco Identity Service Engine 3.3 Licensing using Open API.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco ISE 3.3
- REST API
- Smart Software Licensing
Components Used
The information in this document is based on these software and hardware versions:
- Cisco ISE 3.3
- Insomnia REST API client.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent active endpoints that can use Cisco ISE network resources at any time. Licensing in Cisco ISE is supplied as feature-based packages wherein different features are supported by each license type.
Cisco ISE is a subscription-based solution. Cisco ISE subscription licenses are nested, which means that the higher tier licenses include all the lower-tier features. For example, the ISE Premier license includes all the features that are mapped to the ISE Advantage and ISE Essentials licenses. Similarly, the ISE Advantage license includes all the features that are mapped to the ISE Essentials license. With this model, you can directly purchase Premier or Advantage licenses without the need for an Essentials license.
Initial Steps
Enable Open API on ISE
Open API is disabled by default on ISE. To enable it, navigate to Administration > System > API Settings > API Service Settings. Toggle the Open API options. Click Save.
Open API settings
Swagger UI
To access all Open API definitions on ISE, navigate to Administration > System > Settings > API Settings. Click the link For more information on ISE Open API, please visit:.
The URLs for the definition use on this document is: https://<ISE-PAN-IP>/api/swagger-ui/index.html?urls.primaryName=License
Configure Licensing using Open API
GET License Tier-State
In order to configure the license, the compliance attribute needs to be known using the tier-state as no License had been configure the compliance attribute can be set to Evaluation.
| Method | GET |
| URL | https://<ISE-PAN-IP>:443/api/v1/license/system/tier-state |
| Authentication Type | Basic |
| Credentials | Use Open API account credentials |
| Headers |
Accept:application/json Content-Type:application/json |
Authentication
Tier-state Authentication
Headers
Tier-state Headers
Expected Output
Tier-state Expected Output
GET Days Remaining for Evaluation License
In order to know the remaining days for evaluation license use this API call.
| Method | GET |
| URL | https://<ISE-PAN-IP>:443/api/v1/license/system/eval-license |
| Authentication Type | Basic |
| Credentials | Use Open API account credentials |
| Headers |
Accept:application/json Content-Type:application/json |
Authentication
Evaluation License Authentication
Headers
Evaluation License Headers
Expected Output
Evaluation License Expected Output
Register License
Note: Smart Licensing token creation is out of the scope of this document.
In order to register the license you need to enter the connectionType, registrationType and the tier.
Conection Types:
- HTTP_DIRECT
- PROXY
- SSM_ONPREM_SERVER If this attribute is selected you must diclare the ssmOnPremServer key and the value.
- TRANSPORT_GATEWAY
Registration Types:
- DEREGISTER
- REGISTER
- RENEW
- UPDATE
Tier:
- ADVANTAGE
- DEVICEADMIN
- ESSENTIAL
- PREMIER
- VM
| Method | POST |
| URL | https://<ISE-PAN-IP>:443/api/v1/license/system/register |
| Authentication Type | Basic |
| Credentials | Use Open api account credentials |
| Headers |
Accept:application/json Content-Type:application/json |
|
Body |
{
|
Body
POST - Register License Body
Authentication
POST - Register License Authentication
Headers
POST - Register License Headers
Expected Output
POST - Register License Expected Output
Verify
GET Register License Information
In order to know the key-value pairs used to configure the registration use this API call.
| Method | GET |
| URL | https://<ISE-PAN-IP>:443/api/v1/license/system/register |
| Authentication Type | Basic |
| Credentials | Use Open API account credentials |
| Headers |
Accept:application/json Content-Type:application/json |
Authentication
GET - Register License Authentication
Headers
GET - Register License Headers
Expected Output
GET - Register License Expected Output
GET Smart License Information
In order to know the state for the connection with Smart Licensig use this API call.
| Method | GET |
| URL | https://<ISE-PAN-IP>:443/api/v1/license/system/register |
| Authentication Type | Basic |
| Credentials | Use Open API account credentials |
| Headers |
Accept:application/json Content-Type:application/json |
Authentication
Smart Licensing Information Authentication
Headers
Smart Licensing Information Headers
Expected Output
Smart Licensing Information Expected Output
ISE GUI License Verification
In order verify the proper installation on the GUI. Navigate to Administration > System > Licensing > Licenses.
Smart Licensing GUI Verification
Note: Released Entitlement means the licenses have been purchased and released for use, but none have been consumed so far in this Cisco ISE deployment. In such a scenario, the Consumption Count for the license is 0. The licenses can change to Compliance once the Consumption Count change from 0
Troubleshoot
Licensing
From ISE navigate to Operation > Troubleshoot > Debug Wizard > Debug Log Configuration. Select your Primary Admin Node (PAN) and clickEdit.
Filter theComponent Nameby License and admin-license then select the Log Level need it. ClickSave.
Debug Level Configuration Licensing
- On ISE PAN CLI the logs are found at:
admin#show logging application ise-psc.log
- On ISE GUI navigate to Operations > Troubleshoot > Download Logs > Select ISE PAN > Debug log > Debug Log Type > Application Logs. Download the zip files for ise-psc.log.
Open API
From ISE navigate to Operation > Troubleshoot > Debug Wizard > Debug Log Configuration. Select your Primary Admin Node (PAN) and clickEdit.
Filter theComponent Nameby apiservice and select the Log Level need it. ClickSave.
Debug Level Configuration Open API
- On ISE PAN CLI the logs are found at:
admin#show logging application api-service.log
- On ISE GUI navigate to Operations > Troubleshoot > Download Logs > Select ISE PAN > Debug log > Debug Log Type > Application Logs. Download the zip files for api-service.log.
- API response codes and their possible meanings:
- 200 (OK): Indicates the Open API successfully carried out the desired action.
- 201 (Created): Indicates the resource was created and the request was successful.
- 400 (Bad Request): Server not able to process the request. Recognize client error due to malformed request syntax, invalid parameters and so on. Read the message details if available.
- 401 (Unauthorised): This indicates that the action was undertaken with wrong credentials, no credentials or the account is not authorized to perform this action.
- 403 (Forbidden): This indicates the server is capable to understand the request but is not authorized.
- 404 (Not Found): This indicates the server is not able to find the requested resource.
- 500 (Internal Server Error): Indicates an issue on the server side. Logs on ISE can help understand the cause.
Related Information
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
10-Oct-2023 |
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)