There has been some license changes since the 1.x releases. The current license structure for 2.x has remained almost unchanged. Does that mean it is easy to understand? Of course not. So I’m going to do a few posts to describe the different levels and hopefully make it easier to understand.
Licenses available in Cisco ISE 2.3
- Base – Perpetual
- Plus – 1, 3, or 5 year subscription
- Apex – 1, 3, or 5 year subscription
- Device Administration (TACACS+) – Perpetual
- ISE-PIC – Perpetual
- ISE-PIC Upgrade – Perpetual
- Evaluation – 90 days
Source: Cisco ISE Licenses
Evaluation is pretty easy. When you first install Cisco ISE, you have 90 day evaluation licenses for Base, Plus, Apex, and Device Administration. Can you get extended evaluation licenses from your friendly, local Cisco rep? Yes but only for Base, Plus, and Apex. Device Admin evaluation licenses are generally not extended.
The post will focus on the Base licenses. Base, as the name implies, is the most basic license you are required to have. You can’t install Plus, Apex, or Device Admin licenses without an equal (or greater) number of valid Base licenses. Base licenses are a “buy it once” license since they are perpetual.
What functionality is included in Base licenses
- Basic network access: AAA, IEEE-802.1X
- Guest Services
- ISE API access
What is involved with each Base license function
Basic network access includes all AAA, MAC Address Bypass (MAB) auth, and 802.1x authentication. Anything that connects to a wired port or wireless network protected by ISE will consume a Base license.
Guest services covers wired and wireless guest access. You will be able to create guest portals so unknown/non-corporate devices can have limited access to your network (based on your ACL/SGT configuration).
MACSec secures all Ethernet traffic where it is configured. That means links between clients and switches as well as uplinks between switches can have forced encryption of all traffic. Utilizing MACSec between the client and switch requires the use of a 3rd party program like Cisco AnyConnect Secure Mobility Client. Switch-to-switch MACSec requires compatible hardware. Encryption and decryption is handled at line speeds thanks to the hardware inside compatible network access devices.
TrustSec allows you to segment your network without the use of VLANs. How? By using Security Group Tags (SGT) and Security Groups. The SGT is mapped to a security group matrix of who can access what. When an endpoint or user is authenticated via Cisco ISE, ISE assigns a security group ID to that connection. All traffic from that connection will contain the SGT. Compatible network devices (switches, firewalls, etc.) that subscribe to the security group matrix will then only allow that connection to access what is approved inside the matrix.
Cisco ISE includes a powerful API that can be utilized to manage many functions of ISE without using the built-in ISE GUI. You can create internal ISE users, create or delete guest users, or view current live sessions to name a few options. More information about the available API calls can be found in the Cisco Identity Services Engine API Reference Guide, Release 2.x.
How are Base licenses consumed?
Base licenses are consumed by every active session. It does not matter what type of session is active (802.1x versus MAB). If an endpoint is connected to your network, it is consuming a Base license. The endpoint connection may also be consuming another license but that will be covered in subsequent posts. Once an endpoint disconnects from your network, the Base license is released back to the ISE deployment. That is why it is important to take into consideration every type of endpoint that is on your network. Customers sometimes forget to count how many printers they have or network based door locks are onsite.
What happens if I don’t buy enough Base licenses?
Will we stop authenticating? Will people be blocked from accessing my network? Will payroll withhold my checks?!?!
Not exactly. If you exceed your Base license amount, ISE will start displaying a lot of warnings. Everyone will continue to authenticate. That means even if you have 510 connections but only 500 Base licenses all 510 connections will authenticate to the network.
Awesome! That means I can just buy 100 licenses for my 5,000 endpoint network!
No. No you can’t. Well….technically I guess you could. It’s a very bad idea. You will not have support if you run into authentication issues unless you get your licensing in order. You are better off doing the right thing and having your licenses in order versus running into a major issue but having to wait for licenses to be purchased before it can be resolved.
The next post will cover Plus licenses.