Cisco ISE Licenses
Cisco ISE services provide visibility and control over the increasing number of endpoints in your network. Cisco ISE features are mapped to specific licenses and you can enable the licenses that provide the Cisco ISE capabilities you need to meet your organizational needs.
Cisco ISE is bundled with a licensing mechanism with the following salient features:
-
Built-in License: Cisco ISE comes with a built-in evaluation license that is valid for 90 days. You do not have to install a Cisco ISE license immediately after you install Cisco ISE. You can use the Evaluation license that provides all the Cisco ISE functionalities.
-
Central Management of Licenses: The Cisco ISE Primary Administration node (PAN) centrally manages Cisco ISE licenses. In a distributed deployment that has primary and secondary PANs, the primary PAN automatically shares the licensing information with the secondary PAN.
-
Concurrent Active Endpoint Count: Cisco ISE licenses include a count value for each tier license. Each tier license supports a specific number of active endpoints at any time. The count value refers to the number of active endpoints across the entire deployment that are using specific Cisco ISE services at any time. Because Cisco ISE licensing relies on RADIUS accounting, you must have RADIUS services enabled on the network devices.
Concurrent active endpoints refer to the total number of supported users and devices. Here, an endpoint could mean users, PCs, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.
Cisco ISE Release 3.0 and later releases do not support legacy licenses, such as Base, Plus, and Apex licenses, that were used in Cisco ISE Release 2.x. Cisco ISE Release 3.x licenses are managed entirely through a centralized database that is called the Cisco Smart Software Manager (CSSM). You can register, activate, and manage all your licenses easily and efficiently with single-token registration.
To maximize economy for customers, licensing in Cisco ISE is supplied in the following packages:
-
Tier Licenses
From Cisco ISE Release 3.0, a new set of licenses that are called Tier Licenses replace the Base, Apex, and Plus licenses used in releases earlier than Release 3.0. Tier Licenses include three licenses—Essentials, Advantage, and Premier.
If you currently have Base, Apex, or Plus licenses, use the CSSM to convert them into the new license types.
-
Device Administration Licenses
Policy Service nodes (PSN) that have the TACACS+ persona enabled on them use Device Administration licenses.
-
Virtual Appliance Licenses
Virtual appliance licenses are available in three forms, VM Small, VM Medium, and VM Large.
If a virtual appliance is used, but your Cisco ISE does not have an active VM license, you receive warnings and notifications of noncompliant license consumption until you procure and install a VM license. However, Cisco ISE services are not interrupted.
-
Evaluation Licenses
The Evaluation license is enabled by default when you first install Cisco ISE Release 3.0 and later releases and support up to 100 endpoints. Evaluation licenses are 90-day licenses that give you access to all the Cisco ISE features. During the evaluation period, license consumption is not reported to the CSSM.
If you are upgrading to Cisco ISE Release 3.0 and later releases with Base, Apex, and Plus licenses smart licenses, your smart licenses are upgraded to the new license types in Cisco ISE. However, you must register the new license types in CSSM to activate the licenses in the Cisco ISE release that you upgrade to.
If you own traditional Cisco ISE licenses, you must convert them to smart licenses to enable license consumption in Cisco ISE Release 3.0 and later releases. To convert Cisco ISE 2.x licenses to the new license types, open a case online through the Support Case Manager at http://cs.co/scmswl, or use the contact information that is provided at http://cs.co/TAC-worldwide.
Notifications about noncompliant license consumption are also displayed in Cisco ISE. If your license consumption is out of compliance for 45 days in a 60-day period, you will lose all administrative control of Cisco ISE until you purchase and activate the required licenses.
When upgrading from one licensing package to another, Cisco ISE continues to offer all the features that were available in the earlier package before the upgrade. However, you do have to reconfigure any settings that you had already configured. For example, if you currently use an Essentials license and later add an Advantage license, the features that are already configured using the Essentials license will not change.
You should update your license agreements if:
-
The evaluation period has ended, and you have not yet registered your license.
-
Your license has expired.
-
The endpoint consumption exceeds your licensing agreement.
Cisco Identity Services Engine Ordering Guide For information on how to obtain evaluation licenses, see How to Get ISE Evaluation Licenses. |
Tier Licenses
The following table specifies what the new Tier Licenses enable.
License Name |
What Does this License Enable? |
---|---|
Essentials |
|
Advantage |
|
Premier |
|
Note |
You may witness higher Cisco ISE license consumption count if the privacy settings in endpoints permit MAC randomization or rotating and changing MAC. When an endpoint authenticates with a new random MAC address, a new Cisco ISE session is created. |
Device Administration Licenses
A Device Administration license allows you to use TACACS services on a Policy Service node. In a high availability (HA) standalone deployment, a Device Administration license permits you to use TACACS services on a single Policy Service node in the HA pair.
Virtual Appliance Licenses
Cisco ISE is also sold as a virtual appliance. Choose your Virtual Machine (VM) licenses based on the number of VM nodes in your network, and each VM node's resource specifications, such as CPU and memory. There are three categories of VM licenses offered—VM Small, VM Medium, and VM Large.
The following table shows the minimum VM resources by category.
VM License |
RAM Capacity of VM Node |
Number of CPUs of VM Node |
---|---|---|
VM Small |
16 GB |
12 CPUs |
VM Medium |
64 GB |
16 CPUs |
VM Large |
256 GB |
16 CPUs |
For example, if you are using a 3595-equivalent VM node with 16 CPUs and 64-GB RAM, you need a VM Medium license to enable Cisco ISE services on this VM node. Even if you only have VM Small licenses registered and activated, Cisco ISE will register the consumption of a VM Medium license by the VM node. This is because the license consumed is determined by the RAM and CPU specifications of the VM node.
You will then receive warnings and notifications of noncompliant license consumption until you procure and install the required VM licenses. However, Cisco ISE services are not interrupted.
You can install multiple VM licenses based on the number of VMs in your deployment and their resources.
VM licenses are infrastructure licenses. Therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. However, in order to use the features enabled by the Tier licenses, you must also install the appropriate Tier licenses.
After installing or upgrading to Cisco ISE Release 2.4 or later releases, if there is any mismatch between the number of deployed VM nodes and installed VM licenses, alarms are displayed in the Alarms dashlet in the Home page every 14 days. Alarms are also displayed if there are any changes in the VM node’s resources, and when a VM node is registered or deregistered.
VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the dialog box displayed.
Evaluation Licenses
Evaluation licenses are activated by default when you install or upgrade to Cisco ISE Release 3.0 and later releases and support up to 100 endpoints. The Evaluation license is active for 90 days, and you have access to all the Cisco ISE features during this time. Cisco ISE is considered to be in Evaluation mode when the Evaluation license is in use.
The Cisco ISE GUI displays messages with the number of days that are left in the Evaluation mode.
Note |
You must purchase and register Cisco ISE licenses by the end of the Evaluation mode to continue using the Cisco ISE features that you need. |