Cisco ISE Licenses
Cisco ISE services provide visibility and control over the increasing number of endpoints in your network. Cisco ISE features are mapped to specific licenses and you can enable the licenses that provide the Cisco ISE capabilities you need to meet your organizational needs.
Cisco ISE is bundled with a licensing mechanism with the following salient features:
-
Built-in License: Cisco ISE comes with a built-in evaluation license that is valid for 90 days. You do not have to install a Cisco ISE license immediately after you install Cisco ISE. You can use the Evaluation license that provides all the Cisco ISE functionalities.
-
Central Management of Licenses: The Cisco ISE Primary Administration node (PAN) centrally manages Cisco ISE licenses. In a distributed deployment that has primary and secondary PANs, the primary PAN automatically shares the licensing information with the secondary PAN.
-
Concurrent Active Endpoint Count: Cisco ISE licenses include a count value for each tier license. Each tier license supports a specific number of active endpoints at any time. The count value refers to the number of active endpoints across the entire deployment that are using specific Cisco ISE services at any time. Because Cisco ISE licensing relies on RADIUS accounting, you must have RADIUS services enabled on the network devices.
Concurrent active endpoints refer to the total number of supported users and devices. Here, an endpoint could mean users, PCs, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.
Cisco ISE Release 3.0 and later releases do not support legacy licenses, such as Base, Plus, and Apex licenses, that were used in Cisco ISE Release 2.x. Cisco ISE Release 3.x licenses are managed entirely through a centralized database that is called the Cisco Smart Software Manager (CSSM). You can register, activate, and manage all your licenses easily and efficiently with single-token registration.
To maximize economy for customers, licensing in Cisco ISE is supplied in the following packages:
-
Tier Licenses
From Cisco ISE Release 3.0, a new set of licenses that are called Tier Licenses replace the Base, Apex, and Plus licenses used in releases earlier than Release 3.0. Tier Licenses include three licenses—Essentials, Advantage, and Premier.
If you currently have Base, Apex, or Plus licenses, use the CSSM to convert them into the new license types.
-
Device Administration Licenses
Policy Service nodes (PSN) that have the TACACS+ persona enabled on them use Device Administration licenses.
-
Virtual Appliance Licenses
Cisco ISE Release 3.1 supports the ISE VM License. This license replaces the VM Small, VM Medium, and VM Large licenses that were supported in releases earlier than 3.1. The ISE VM License covers the Cisco ISE VM nodes in both on-prem and cloud deployments.
If a virtual appliance is used, but your Cisco ISE does not have an active VM license, you receive warnings and notifications of noncompliant license consumption until you procure and install a VM license. However, Cisco ISE services are not interrupted.
-
Evaluation Licenses
The Evaluation license is enabled by default when you first install Cisco ISE Release 3.0 and later releases and support up to 100 endpoints. Evaluation licenses are 90-day licenses that give you access to all the Cisco ISE features. During the evaluation period, license consumption is not reported to the CSSM.
If you are upgrading to Cisco ISE Release 3.0 and later releases with Base, Apex, and Plus licenses smart licenses, your smart licenses are upgraded to the new license types in Cisco ISE. However, you must register the new license types in CSSM to activate the licenses in the Cisco ISE release that you upgrade to.
If you own traditional Cisco ISE licenses, you must convert them to smart licenses to enable license consumption in Cisco ISE Release 3.0 and later releases. To convert Cisco ISE 2.x licenses to the new license types, open a case online through the Support Case Manager at http://cs.co/scmswl, or use the contact information that is provided at http://cs.co/TAC-worldwide.
Notifications about noncompliant license consumption are also displayed in Cisco ISE. If your license consumption is out of compliance for 45 days in a 60-day period, you will lose all administrative control of Cisco ISE until you purchase and activate the required licenses.
When upgrading from one licensing package to another, Cisco ISE continues to offer all the features that were available in the earlier package before the upgrade. However, you do have to reconfigure any settings that you had already configured. For example, if you currently use an Essentials license and later add an Advantage license, the features that are already configured using the Essentials license will not change.
You should update your license agreements if:
-
The evaluation period has ended, and you have not yet registered your license.
-
Your license has expired.
-
The endpoint consumption exceeds your licensing agreement.
Cisco Identity Services Engine Ordering Guide For information on how to obtain evaluation licenses, see How to Get ISE Evaluation Licenses. |
Tier Licenses
The following table specifies what the new Tier Licenses enable.
License Name |
What Does this License Enable? |
---|---|
Essentials |
|
Advantage |
|
Premier |
|
Note |
You may witness higher Cisco ISE license consumption count if the privacy settings in endpoints permit MAC randomization or rotating and changing MAC. When an endpoint authenticates with a new random MAC address, a new Cisco ISE session is created. |
Device Administration Licenses
A Device Administration license allows you to use TACACS services on a Policy Service node. In a high availability (HA) standalone deployment, a Device Administration license permits you to use TACACS services on a single Policy Service node in the HA pair.
Evaluation Licenses
Evaluation licenses are activated by default when you install or upgrade to Cisco ISE Release 3.0 and later releases and support up to 100 endpoints. The Evaluation license is active for 90 days, and you have access to all the Cisco ISE features during this time. Cisco ISE is considered to be in Evaluation mode when the Evaluation license is in use.
The Cisco ISE GUI displays messages with the number of days that are left in the Evaluation mode.
Note |
You must purchase and register Cisco ISE licenses by the end of the Evaluation mode to continue using the Cisco ISE features that you need. |