Cisco Identity Services Engine Administrator Guide, Release 2.7

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Identity Services Engine Administrator Guide, Release 2.7

Chapter Title

Licensing

Results

Updated:
November 18, 2019

Chapter: Licensing

Licensing

Cisco ISE Licenses

Cisco ISE licensing offers two options to manage your licenses:

  • Smart Licensing: Monitor Cisco ISE software licenses and endpoint license consumption easily and efficiently with a single token registration. The licenses that you purchase are maintained in a centralized database called the Cisco Smart Software Manager (CSSM). For more information about Smart Licensing, see Cisco ISE Smart Licensing.

  • Traditional Licensing: Purchase and import individual licenses based on your needs and manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources. For more information about Traditional Licensing, see Manage Traditional License Files.

To maximize economy for customers, licensing in Cisco ISE is supplied in different packages as Base, Plus, Apex, and Device Administration for both Traditional and Smart Licensing options. For more information about the Traditional Cisco licensing model, see Cisco ISE Licensing Model.

Once you have installed or upgraded your Cisco ISE box, Traditional Licensing is in use by default, and all license components are activated for a 90-day trial period. Once you switch to Smart Licensing, and before you register your token, this evaluation period remains active for the Smart Licensing, and the evaluation period includes all ISE licenses as part of that evaluation period. During the evaluation period, consumption is not reported to the CSSM.

You should update your installed licenses (for Traditional licensing) or license agreements (for Smart licensing) if:

  • The trial period ends and you have not yet installed or registered your license.

  • Your license has expired.

  • If endpoint consumption exceeds your licensing agreement.

Cisco ISE will notify you of license expiration or consumption problems 90, 60, and 30 days in advance. You can view and track licensing details from the License Warning icon at the top of the screen.

When upgrading from one licensing package to another more complex package, Cisco ISE will continue to offer all features that were available in the earlier package prior to upgrade and you will not need to re-configure any settings that you had already configured.

ISE Community Resource

Cisco Identity Services Engine Ordering Guide

For information on how to obtain evaluation licenses, see How to Get ISE Evaluation Licenses.

Cisco ISE Smart Licensing

Cisco offers Smart Licensing, which enables you to monitor Cisco ISE software licenses and endpoint license consumption. You can monitor license usage easily and efficiently with a single registration token, rather than individually importing separate licenses. View and manage the details of all the Cisco products and licenses that you have purchased in a centralized database, the Cisco Smart Software Manager (CSSM). Log in to the CSSM portal to easily track the endpoint licenses that are available to you, and consumption statistics.

When a smart license token is active and registered in the Cisco ISE administration portal, the CSSM monitors the consumption of licenses by each endpoint session per product license. Smart Licensing notifies the administrator about license consumption by endpoint sessions with a simple table layout in Cisco ISE. Smart Licensing reports the peak usage of each enabled license to the centralized database daily. When licenses are available and not consumed, the administrator is notified of available licenses and can continue to monitor usage. When consumption exceeds the number of licenses available, an alarm is activated and the administrator is notified through alarms and notifications.

With Smart Licensing, you can also manage the different license entitlements included through your Cisco Smart Account, such as Base, Plus, Apex, or TACACS. From Cisco ISE, you can monitor basic consumption statistics per license entitlement. From your CSSM account, you can view additional information, statistics, and notifications, as well as make changes to your account and entitlements.


Note

CSSM satellite is not supported in Cisco ISE Releases 2.7 Patch 3 and earlier.

Cisco ISE takes internal samples of license consumption every 30 minutes. License compliancy and consumption is updated accordingly. To view this information in the Licenses table in Cisco ISE, from the main menu, choose Administration > System > Licensing, and click Refresh.

From the time you register your Cisco ISE Primary Administration node (PAN) with the CSSM, Cisco ISE reports peak counts of license consumption to the CSSM server every six hours. The peak count reports help ensure that license consumption in Cisco ISE is in compliance with the licenses purchased and registered. Cisco ISE communicates with the CSSM server by storing a local copy of the CSSM certificate. The CSSM certificate is automatically reauthorized during the daily synchronization, and when you refresh the Licenses table. Typically, CSSM certificates are valid for six months.

If there is a change in the compliance status when Cisco ISE synchronizes with the CSSM server, the Last Authorization column of the Licenses table is updated accordingly. In addition, when entitlements are no longer compliant, the number of days for which they are out of compliancy appears in the Days Out of Compliancy column. Noncompliancy is also indicated in the notifications displayed at the top of the Licensing area, and on the Cisco ISE toolbar next to the License Warning link. In addition to notifications, you can view alarms.


Note

TACACS licenses are authorized when Cisco ISE communicates with the CSSM server, but they are not session-based, and therefore, no consumption count is associated with them in the Licenses table.

The compliance column of the Licenses table displays one of the following values:

  • In Compliance: The use of this license is in compliance.

  • Released Entitlement: The licenses have been purchased and released for use, but none have been consumed so far in this Cisco ISE deployment. In such a scenario, the Consumption Count for the license is 0.

  • Evaluation: Evaluation licenses are available for use.

Figure 1. License Usage Table
The Cisco ISE license consumption table to monitor usage.

Activate and Register Smart Licensing in Cisco ISE

Before you begin

Activate Smart Licensing and then register from Cisco ISE using the token issued to you by your Cisco representative through your CSSM account.

Ensure you have the necessary ISE permissions in your Cisco Smart Software Manager (CSSM) account. For more information, see https://software.cisco.com/ or contact your Cisco representative.

If you are upgrading from ISE-PIC, then prior to activating Smart Licensing with this procedure, you must first install the ISE Upgrade license and then:

  • Install the Cisco ISE Base license.

  • Or, move your PIC installation to an existing ISE deployment:

    1. From the existing Cisco ISE deployment, add another ISE node.

    2. Enable session profiling and pxGrid services from an existing Cisco ISE Administration node.

Procedure

Step 1

Choose Administration > System > Licensing to access the Licensing area of ISE.

After you install or upgrade Cisco ISE, traditional licensing is in use by default. The licensing mode appears at the top of the screen in the Licensing Method area of ISE:
Figure 2. Traditional Licensing

Step 2

Click the Cisco Smart Licensing link from the Licensing Method area to switch to Smart Licensing.

The Cisco Smart Licensing area expands with connection method fields.
Figure 3. Smart Licensing Connection Method Details

Step 3

From the Cisco Smart Licensing area, in the Secondary UDI field, if at least one additional ISE box is configured in your network, enter the secondary node you to be used if the Primary node is not available. Select a connection method by which to connect from your ISE box to the CSSM from the Connection Method dropdown list and click Enable. For Connection Method, choose:

  1. Direct HTTPS if you have a direct connection configured to reach the Internet.

  2. HTTPS Proxy if you do not have a direct connection and need to connect by proxy.

  3. Transport Gateway is the recommended proxy connection method. To install and configure the Transport Gateway, see Deploying theTransport Gateway on Cisco Unified Computing System and Red Hat Linux.

  4. SSM On-Prem Server to connect to the configured SSM on-prem server. This option is available in Cisco ISE Release 2.7 Patch 4 and later. See Configure Smart Software Manager On-Prem for Smart Licensing.

Note

 

After activating Smart Licensing, you have a 90-day evaluation period. During this time, all licenses are active. During this time, you can explore Smart Licensing and all the Cisco ISE features. If you don't register Smart Licensing with a valid token before the evaluation period expires, you cannot use Cisco ISE.

The fields in this area are dynamic. After you enter the connection details and click Enable, the area collapses. When you expand the area again, is now called Cisco Smart Licensing Registration, and you can enter smart licensing token details.

Step 4

From the Cisco Smart Licensing Registration area in ISE, enter the Registration Token you received when you purchased the smart licensing token, and click Register. To retrieve the token at any time, go to the ISE area of your CSSM account and click Copy.

You can disable any of the licenses in your smart licensing token by unchecking the checkboxes. When you disable the licenses, Smart Licensing no longer automatically validates those licenses.

Smart Licensing for Air-Gapped Networks

An air-gapped network does not allow any communication between a secured network and an external network. Cisco ISE Smart Licensing requires Cisco ISE to communicate with the CSSM. If your network is air-gapped, Cisco ISE is unable to report license usage to CSSM, and this lack of reporting results in the loss of administrative access to Cisco ISE and restrictions in Cisco ISE features.

To avoid licensing issues in air-gapped networks and enable full Cisco ISE functionality, you can configure a Smart Software Manager (SSM) On-Premises server. This licensing method is available in Cisco ISE Release 2.7 Patch 4 and later releases.

You must configure an SSM On-Prem server and ensure that Cisco ISE can reach this server. This server takes over the role of CSSM in your air-gapped network, releasing license entitlements, as needed, and tracking usage metrics. The SSM On-Prem server also sends notifications, alarms, and warning messages that are related to licensing consumption and validity.

Configure Smart Software Manager On-Prem for Smart Licensing

Before you begin

Configure an SSM On-Prem server and ensure that Cisco ISE can reach this server. For more information, see Smart Software Manager On-Prem Resources.

If you buy more licenses or modify your license purchases, you must connect the SSM On-Prem server to CSSM for the changes to be available in your local server.


Note

ISE-PIC 2.7 and earlier do not support Smart Licensing.
Procedure

Step 1

Choose Administration > System > Licensing.

Step 2

Click Cisco Smart Licensing.

Step 3

From the Connection Method drop-down list, choose SSM On-Prem server .

The Certificate window in the SSM On-Prem portal displays either the IP address or the hostname (or FQDN) of the connected SSM On-Prem server.

Step 4

In the SSM On-Prem server Host field, enter the configured IP address or the hostname (or FQDN).

Step 5

In the Tier and Virtual Appliance areas, check the check boxes for all the licenses you want to enable. The chosen licenses are activated and their consumption is tracked by CSSM.

Step 6

Click Register.

Note

 

Ensure that port 443 and the port used for ICMP communication are open while registering Cisco ISE with the SSM On-Prem server.

Manage Smart Licensing in Cisco ISE

After you activate and register your Smart Licensing token, you can manage license entitlements from Cisco ISE by:

  • Enabling, disabling, and refreshing license entitlement certificates.

  • Updating Smart Licensing registration.

  • Identifying compliant and noncompliant licensing issues.

Before you begin

Ensure that you have activated and registered your Smart Licensing token.

Procedure

Step 1

(Optional) When you first activate Smart Licensing, all the license entitlements are enabled automatically as part of the Evaluation mode. After you register your license token, if your CSSM account does not include certain entitlements and you did not disable them during registration, noncompliant notifications are displayed in Cisco ISE. Add those entitlements to your CSSM account (contact your CSSM account representative for assistance), and then, in the Licenses table, click Refresh to remove noncompliant notifications and continue to use the related features. After you refresh the authorization, log out and then log back in to Cisco ISE for the relevant noncompliancy messages to be removed.

Step 2

(Optional) If the daily automatic authorization does not succeed for any reason, noncompliancy messages may appear. Click Refresh to reauthorize your entitlements. After you refresh the authorization, log out and then log back in to Cisco ISE for the relevant noncompliancy messages to be removed.

Step 3

(Optional) When you first activate Smart Licensing, all license entitlements are enabled automatically as part of the evaluation period. After you register your token, if your CSSM account does not include certain entitlements and you did not disable them during registration, you can still disable those entitlements from Smart Licensing in ISE in order to avoid unnecessary noncompliant notifications. From the Licenses table, check the check boxes for the license entitlements that are not included in your token, and click Disable from the toolbar. After you have disabled license entitlements, log out and then log back in to Cisco ISE for the relevant features to be removed from the menus and for the noncompliancy messages to be removed.

Step 4

(Optional) After you add entitlements to your account, enable those entitlements. From the Licenses table, check the check boxes for the required disabled licenses, and click Enable from the toolbar.

Step 5

(Optional) If you initially set-up Smart Licensing with only one UDI and do not enter a Secondary UDI, you can later update your information. Click the Cisco Smart Licensing Registration Details link to open the area. Re-enter the token, enter the new Secondary UDI and click Update.

Step 6

(Optional) The registration certificate is automatically refreshed every six months. To manually refresh your Smart Licensing certificate registration, click Renew Registration at the top of the Licensing window.

Step 7

(Optional) To remove your Cisco ISE registration (indicated by UDIs) from your Smart Account, but continue to use Smart Licensing till the end of the evaluation period, click Deregister at the top of the Cisco Smart Licensing area. You can do this, for example, if you need to change the UDIs you have indicated as part of the registration process. If you still have time remaining in your evaluation period, Cisco ISE remains in Smart Licensing. If your evaluation period is at an end, a notification appears when the browser is refreshed. After you deregister your smart license, you can follow the registration process again in order to register with the same or different UDIs.

Step 8

(Optional) To remove your Cisco ISE registration (indicated by UDIs) from your Smart Account entirely, and to revert to traditional licensing, click Disable at the top of the Cisco Smart Licensing area. You can do this, for example, if you need to change the UDIs you have indicated as part of the registration process. After you disable the smart license, follow the registration process again in order to activate and register with the same or different UDIs.

Manage Traditional License Files

To continue to use Cisco ISE services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints on the network, you must obtain and register Base licenses for the number of concurrent users on your system. If you require additional functionality, you will need Plus and/or Apex licenses to enable that functionality.

Licenses are uploaded to the Primary Policy Administration Node and propagated to the other Cisco ISE nodes in the cluster. Licenses are centrally managed by the Administration node, the other nodes do not require separate licenses. If you have two Administration nodes deployed in a high-availability pair, you must ensure that each of them have the same license capabilities. Generate the license with both the UDIs of the Primary and the Secondary Policy Administration Nodes and then add the license to the Primary Policy Administration Node.

After you install the Cisco ISE software and initially configure the appliance as the PAN, you must obtain a license for Cisco ISE and then register that license. You register all licenses to the PAN via the Primary and Secondary Administration Node hardware UDI. The PAN then centrally manages all the licenses that are registered for your deployment.


Note

When a node is deregistered from the PAN, it becomes a standalone node and its license is reset to Evaluation.

This section explains how to register, re-host, renew, migrate, upgrade, and remove Traditional ISE licenses.

Cisco ISE Licensing Model

Cisco ISE licensing model allows you to purchase licenses based on your enterprise's needs. When using Traditional Licensing, you import all individual licenses and continue to manage them individually from ISE. When using Smart Licensing, you manage a centralized Cisco account, which contains all information about the different endpoint licenses you have purchased.

Valid license options include:

  • ISE Base only

  • ISE Base and Plus

  • ISE Base and Apex

  • ISE Base and Device Administration

  • ISE Base, Plus, Apex, and Device Administration

  • ISE Base, Plus, Apex and AnyConnect Apex

Device Administration Licenses

There are two types of device administration licenses: cluster and node. A cluster license allows you to use device administration on all policy service nodes in a Cisco ISE cluster. A node license allows you to use device administration on a single policy service node. In a high-availability standalone deployment, a node license permits you to use device administration on a single node in the high availability pair.

The device administration license key is registered against the primary and secondary policy administration nodes. All policy service nodes in the cluster consume device administration licenses, as required, until the license count is reached.

Cluster licenses were introduced with the release of device administration in Cisco ISE 2.0, and is enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, node licenses are completely enforced on a per-node basis.

Cluster licenses have been discontinued, and now only node Licenses are available for sale.

However, if you are upgrading to this release with a valid cluster license, you can continue to use your existing license upon upgrade.

The number of Plus license sessions can be up to the number of Base license sessions on the deployment. The same stands for Apex license sessions. Apex and Plus licenses can be installed independently without any restriction on the number of Apex versus Plus licenses. Cisco ISE licenses are based on the number of concurrent endpoints with active network connections whereas AnyConnect Apex licenses are on a per user basis. AnyConnect Apex license count can exceed Cisco ISE Base license count.


Note

The services contained within the Plus license, most notably profiling, are frequently used across the entire deployment. When you add Plus licenses to the deployment, we recommend that the Plus license count be equal to the Base license count. However, you might have a situation where the Plus license services might not be needed across the entire deployment, which is why Cisco ISE allows the Plus license count to be less than the Base license count.

Cisco recommends installing (for Traditional Licensing), or purchasing (for Smart Licensing) Base, Plus, and Apex licenses at the same time.

  • Base licenses are required to use the services enabled by Plus and/or Apex licenses. However, you do not need a Plus license in order to have an Apex license or vice versa, since there is no overlap in their functionality.

  • If the Plus and Apex licenses are not compliant, you cannot configure or edit Plus and Apex features. These features are displayed in read-only mode.

  • When you install a Base or Mobility Upgrade license, Cisco ISE continues to use the default Evaluation license as a separate license for the remainder of its duration.

  • When you install a Mobility Upgrade license, Cisco ISE enables all Wired, Wireless, and VPN services.

  • A Base or Mobility license is required to install the Device Administration license.

  • You cannot upgrade the Evaluation license to a Plus license without first installing the Base license.

Licenses for VM nodes

Cisco ISE is also sold as a virtual appliance. For Release 2.4, it is recommended that you install appropriate VM licenses for the VM nodes in your deployment. You must install the VM licenses based on the number of VM nodes and each VM node's resources such as CPU and memory. Otherwise, you will receive warnings and notifications to procure and install the VM license keys in Release 2.4, however, the services are not interrupted.

VM licenses are offered under three categories, Small, Medium, and Large. For instance, if you are using 3595 equivalent VM node with 16 CPUs and 64 GB RAM, you need a Medium category VM license, if you want to replicate the same capabilities on the VM.

If you only have VM Small licenses, but your VM node has the resources mapped to a VM Medium license, Cisco ISE will register the consumption of a VM Medium license. You will receive notifications of out-of-compliance license consumption. You must procure and install the appropriate license to stop receiving these notifications.

You can install multiple VM licenses based on the number of VMs and their resources as per your deployment requirements.

VM licenses are Infrastructure licenses, therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.

After installing or upgrading to Release 2.4, if there is any mismatch between the number of deployed VM nodes and installed VM licenses, alarms are displayed in the Alarms dashlet for every 14 days. Alarms are also displayed if there are any changes in the VM node’s resources or whenever a VM node is registered or deregistered.

VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the "Do not show this message again" check box in the notification popup.

If you have not purchased a Cisco ISE VM license before, refer to the ISE Ordering Guide to choose the appropriate VM license. If you have Cisco ISE VM licenses with no associated Product Authorization Keys (PAK), contact the Cisco licensing team with the Sales Order numbers of your Cisco ISE VM purchases. Your request will be processed to provide one medium VM license key for each ISE VM purchase made.

For assistance with licensing issues of lower severity levels, open a case online through the Support Case Manager, at http://cs.co/scmswl.

For Cisco TAC assistance with critical issues, refer to the contact information provided at http://cs.co/TAC-worldwide.

The following table shows the minimum VM resources by category:

VM Category

RAM Range

Number of CPUs

Small

16 GB

12 CPUs

Medium

64GB

16 CPUs

Large

256GB

16 CPUs
Table 1. Cisco ISE License Packages

ISE License Packages

Perpetual/Subscription (Terms Available)

ISE Functionality Covered

Notes

Base

Perpetual

  • Basic network access (AAA, IEEE-802.1X)

  • Guest services

  • Link encryption (MACSec)

  • TrustSec

  • ISE Application Programming Interfaces

Passive identity services available as part of the upgrade from ISE-PIC to a Base license include limited pxGrid features available to Cisco subscribers only.

Plus

Subscription (1, 3, or 5 years)

  • Bring Your Own Device (BYOD)—when consuming either a built-in or an external certificate authority

  • MSE integration for location services

  • Profiling and Feed Services

  • Adaptive Network Control (ANC)

  • Cisco pxGrid

Does not include Base services; a Base license is required to install the Plus license.

When onboarding an endpoint with the BYOD flow, the Plus services are consumed on the active session even when related BYOD attributes are not in use.

Plus licenses are supposed to be consumed when profiling-related authorization policies contain IdentityGroup:Name.

Apex

Subscription (1, 3, or 5 years)

  • Third Party Mobile Device Management (MDM) integration

  • Posture Compliance

  • TC NAC

Does not include Base services; a Base license is required to install the Apex license.

Note

 

When you use Cisco AnyConnect as unified posture agent across wired, wireless, and VPN deployments, you need Cisco AnyConnect Apex user licenses in addition to Cisco ISE Apex licenses.

Mobility

Subscription (1, 3, or 5 years)

Combination of Base, Plus, and Apex for wireless and VPN endpoints

Cannot coexist on a Cisco Administration node with Base, Plus, and/or Apex licenses.

Mobility Upgrade

Subscription (1, 3, or 5 years)

Provides wired support to Mobility license

You can only install a Mobility Upgrade license on top of an existing Mobility license.

Device Administration

Perpetual

TACACS+

A Base or Mobility license is required to install the Device Administration license.

The number of Device Administration licenses must be equal to the number of Policy Service Nodes with TACACS+ persona enabled on them.

ISE-PIC

Perpetual

Passive identity services

One license per node. Each license supports up to 3,000 parallel sessions.

ISE-PIC upgrade

Perpetual

This license allows these options:

  • Enable additional (up to 300,000) parallel sessions.

  • Upgrade to full ISE instance

One license per node. Each license supports up to 300,000 parallel sessions.

After installing this license, the upgraded node can join an existing ISE deployment or alternatively, base licenses can be installed on the node to function as the PAN.

Passive identity services available as part of the upgrade to a Base license include limited pxGrid features available to Cisco subscribers only.

Evaluation

Temporary (90 days)

Full Cisco ISE functionality is provided for 100 endpoints.

All Cisco ISE appliances are supplied with an Evaluation license.

Traditional License Consumption

You purchase licenses for the number of concurrent users on the system with Traditional Licensing. A Cisco ISE user consumes a license during an active session (always a Base; and a Plus and an Apex license, if you use the functionality covered by these licenses). Once the session ends, the license is released for reuse by other users.


Restriction
Cisco ISE license architecture consumption logic relies on authorization policy constructs. Cisco ISE uses the dictionaries and attributes within authorization rules to determine the license to use.

The Cisco ISE license is counted as follows:

  • A Base license is consumed for every active session. The same endpoint also consumes Plus and Apex licenses depending on the features that it is using.


    Note

    TACACS+ sessions do not consume a base license, but RADIUS sessions consume a base license.

  • The endpoint consumes the Base license before it consumes a Plus and Apex license.

  • The endpoint consumes the Plus license before it consumes an Apex license.

  • One Plus license is consumed per endpoint for any assortment of the license's features. Likewise, one Apex license is consumed per endpoint for any assortment of its features.

  • Licenses are counted against concurrent, active sessions.

  • Licenses are released for all features when the endpoint's session ends.

  • pxGrid is used to share context collected by ISE with other products. A Plus license is required to enable pxGrid functionality. There is no session count decrement when context for session is shared. However, to use pxGrid, the number of Plus sessions licensed must be equal to the number of Base sessions licensed. For more information, see Cisco ISE Licenses and Services section in Cisco Identity Services Engine Ordering Guide.

  • One AnyConnect Apex user license is consumed by each user who uses AnyConnect regardless of the number of devices that the user owns and whether or not the user has an active connection to the network.

  • You can enable the TACACS+ service by adding a Device Administration license on top of an existing Base or Mobility license.

To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generates an alarm when the endpoint count of the previous day exceeded the amount of licenses. You can view license consumption clearly from the License Usage area in the Licensing screen, where licenses that are consumed beyond the permitted quantity appear in red in the line graph.

In addition, you can view and track detailed information per license package from the License Warning icon at the top of the screen.

View License Consumption

You can view your system's current license consumption from the Licensing dashboard at: Administration > System > Licensing. Consumption is portrayed as in the following image:
Figure 4. Traditional License Consumption

The License Consumption graph, in the License Usage area, is updated every 30 minutes. This window also displays the type of licenses purchased, the total number of concurrent users permitted on the system, and the expiry date of subscription services.

If you want to see your system's license consumption over multiple weeks, click Usage Over Time. Each bar in the graph shows the maximum number of licenses used during a period of one week.

Troubleshooting: Unregistered License Usage

Issue

Endpoint license consumption relies on the attributes that are used in the authorization policy with which an endpoint is matched.

Consider a scenario where you only have a Cisco ISE Base license registered in your system, because you deleted the 90-day Evaluation license. You will be able to see and configure the corresponding Cisco ISE Base menu items and features.

If you configure an authorization policy to use a feature, for example, if you use the Session:PostureStatus attribute that requires an Apex license, and an endpoint matches this authorization policy, then:

  • The endpoint consumes a Cisco ISE Apex license despite the fact that a Cisco Apex license has not been registered in the system.

  • You see notifications of noncompliant license consumption whenever you log in.

  • Cisco ISE displays notifications and alarms with the message Exceeded license usage than allowed. This is because there are no Cisco ISE Apex licenses that are registered in CSSM for your Cisco ISE, but an endpoint is consuming one.


Note

The licensing alarm is displayed for about 60 days from the first occurrence of noncompliant license use even if you fix the licensing issue by registering the necessary licenses.

If the use of Base, Plus, and Apex licenses is out of compliance for 45 days in a 60-day period, administrative control of Cisco ISE is lost until you register the correct licenses. You will be able to access only the Licensing window in the Cisco ISE administration portal until the correct licenses are registered. However, Cisco ISE continues to handle authentications.

Possible Causes

Because of the configuration of an authorization policy, the Licensing table reports that Cisco ISE has used a license that you have not purchased and registered. Before you purchase a Plus or an Apex license, the Cisco ISE administration portal does not display the features covered by these licenses. However, after you purchase these licenses, the GUI continues to display the features that the licenses enable even after the license has expired or endpoint consumption of the license has exceeded a set limit. Thus, you can configure the features even if you do not currently have a valid license for them.

Solution

In the Cisco ISE administration portal, click the Menu icon () and choose Policy > Policy Sets, identify the authorization rule that is using the feature for which you do not have a registered license, and reconfigure that rule.

Manage License Files

This section explains how to register, re-host, renew, migrate, upgrade, and remove ISE licenses:

Register Licenses

Before you begin

Consult your Cisco partner/account team about the types of licenses and number of concurrent users you require for your installation, together with the various packages you can purchase to maximize economy.

Procedure

Step 1

From the ordering system (Cisco Commerce Workspace - CCW) on Cisco's website www.cisco.com, order the required licenses.

After about an hour, an email confirmation containing the Product Authorization Key (PAK) is sent.

Step 2

From the Cisco ISE Administration portal, choose AdministrationSystemLicensing. Make a note of the node information in the Licensing Details section: Product Identifier (PID), Version Identifier (VID), and Serial Number (SN).

Step 3

Go to www.cisco.com/go/licensing, and where prompted, enter the PAK of the license you received, the node information, and some details about your company.

The PAK number can be obtained from the sticker located on the software's CD sleeve or on a License Claim Certificate that was physically mailed to you. Post license registration, the permanent license will be sent to your provided email address. Licenses are sent from licensing@cisco.com, add this address to your safe senders list to receive emails from this mailer.

Step 4

Save this license file to a known location on your system.

Step 5

From the Cisco ISE Administration portal, choose Administration > System > Licensing. In the License Files section, click the Import License button.

Step 6

Click Choose File and select the license file you previously stored on your system.

Step 7

Click Import.

The new license is now installed on your system.
What to do next

Choose the licensing dashboard, Administration > System > Licensing, and verify that the newly-entered license appears with the correct details.

Re-Host Licenses

Re-hosting means moving a license from one Cisco ISE node to another. From the licensing portal, you select the PAK of the license you want to move and follow the instructions for re-hosting. After one day, you are sent an email with a new PAK. You then register this new PAK for the new node, and remove the old license from the original Cisco ISE node.

Renew Licenses

Subscription licenses, such as Plus and Apex licenses, are issued for 1, 3 or 5 years. Cisco ISE sends an alarm when licenses are near their expiration date and again when the licenses expire.

Licenses must be renewed after they expire. This process is carried out by your Cisco partner or account team only.

Migrate and Upgrade Licenses

Cisco licensing policy supports migration from previous Cisco ISE versions, upgrading from wireless and VPN only to include wired deployments, and adding concurrent users and functionality. You can also purchase bundles of licenses to minimize your ongoing expenses. These scenarios are all covered in the licensing site, or for more information contact your Cisco partner/account team.


Note
If you have migrated from Cisco ISE version 1.2, your Advanced license covers all the features in both Plus and Apex licenses.

Note
After upgrading from Cisco ISE version 1.3 or 1.4, the system will show the default Evaluation license only if it existed on the system prior to upgrade.

Note
Mobility/Mobility Upgrade license is always displayed as Base/Plus/Apex in the user interface with its corresponding number of end points.

If your Cisco ISE node needs to support:

  • A larger number of concurrent users than the number for which you have licenses

  • Wired (LAN) access, and your system has only the Mobility license

You will need to upgrade your license(s) for that node. This process is carried out by your Cisco partner or account team only.

Remove Licenses

Before you begin

Keep the following in mind before attempting to remove a license:

  • If you have installed a Mobility Upgrade license after a Mobility license, you must remove the Mobility Upgrade license before you can remove the underlying Mobility license.

  • If you install a combined license, all related installations in the Base, Plus, and Apex packages are also removed.

Procedure

Step 1

Choose Administration > System > Licensing

Step 2

In the License Files section, click the check next to the relevant file name, and click Delete License.

Step 3

Click OK.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco