Cisco ISE Licensing Part 2: Plus Licenses

Be sure to check out Part 1 for Base licenses.

What functionality is included in Plus licenses

  • Bring Your Own Device (BYOD) onboarding
  • Mobility Services Engine (MSE) for location-based authentication
  • Profiling and Profiler Feed services
  • Adaptive Network Control (ANC)
  • pxGrid

What is involved with each Plus license function

I’m starting with my favorite function. Profiling! Profiling is awesome. It shows you what kind of device (Windows 10 workstation, iPhone, etc.) is connected to your network. You can even create your own custom profiles for devices that may not exist in the Cisco ISE profile database.

The Profiler Feed service is used to automatically update the ISE profiler database directly from the Cisco website. You can also manually update the profiler database by downloading the policies from here (Partner access required). The feed service is automatically enabled when you install a Plus license.

BYOD is used to onboard devices so they are registered within ISE. The on-boarding process involves installing a wired or wireless profile on the device to define the connection settings. You can configure the wireless connection to use a passkey or 802.1x. ISE can act as the certificate authority to hand out client certificates to BYOD devices as a root CA or as an intermediate CA to your existing PKI deployment. Profiling is needed for BYOD so that the correct network connection profile is installed.

MSE integration allows you to define specific locations where a client can authenticate. Say you have a device that can only be used when it’s on the 2nd floor of the building. Using MSE to communicate with ISE, you can craft an authorization rule to only allow network access when the device is on that floor and deny access if seen anywhere else.

ANC and pxGrid go hand in hand. ANC is disabled by default and is enabled when pxGrid is enabled. pxGrid is Cisco’s Platform Exchange Grid which allows Cisco ISE to bidirectionally integrate with other security products (not just Cisco). An example of this integration is connecting Cisco ISE to FirePower. ISE can be alerted by FirePower if a network attack is seen by a specific client. This is where ANC kicks in because ISE can be configured to use that alert to quarantine the endpoint that is doing the attack. Information can also be shared from ISE to the other products so identities can be tied to active sessions on the device (i.e. Cisco WSA).

How are Plus licenses consumed?

This is a little trickier than Base licenses. Unlike a Base license, a Plus license is not consumed by every active session. Let’s break it down by function:

  • Profiling: A Plus license is consumed during the profiling process. If the session matches a rule based on the profile, the license is consumed during the entire time the session is active. The Plus license is released back to ISE if the session is not authorized by the profile or once the session ends.
  • MSE integration: A license is consumed if the session matches an authorization rule that utilizes location information from an MSE.
  • BYOD: During the on-boarding process, a Plus license is consumed. Any connection that utilizes a BYOD profile will also consume a Plus license when authenticating against ISE.
  • ANC and pxGrid: Any session that is being controlled due to ANC will consume a Plus license. Connecting ISE to another system using pxGrid does not consume a license because licenses are only consumed by endpoint authenticated sessions.

Here’s a gotcha with how Plus licenses are consumed: guest devices assigned to the Registered Devices endpoint group. Any device assigned to Registered Devices that matches an authorization rule using that endpoint group will consume a Plus license even though it is not a BYOD device. It is hard coded into ISE that the Registered Devices endpoint group is a BYOD group. Be sure to create a custom endpoint group to assign the device MAC address to during guest registration unless you want more Plus licenses to be consumed than necessary.

Remember: Every session will consume a Base license. That means one session could consume both a Base and a Plus license at the same time. A network printer is a good example because those are usually authenticated via their profile.

How many Plus licenses do I need?

If all you care about is knowing what kind of devices are connecting to your network, you can buy a 100 pack of licenses and you’re covered. Otherwise, you will need to figure out how many devices will be authorized according to the following:

  • Based on the device profile (e.g. printer)
  • Based on the device location
  • Is it a BYOD device?
    • Not guest access. That is covered by Base licenses
  • ANC event triggered by pxGrid
    • This is probably going to be the smallest number. Hopefully. It would be bad to have hundreds of devices automatically quarantined because all those users started surfing a banned website.

You do not need to have the same number of Plus licenses as you do Base licenses. I have seen several deployments with 10K Base licenses and only 4K Plus licenses. You cannot have more Plus licenses than Base licenses, though. Plus licenses must be equal to or less than the number of Base licenses.
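To make the consumption rules and the sizing questions above concrete, here is a small license estimator (added example, not Cisco code or anything from this post’s author). It models each active session with hypothetical fields that stand in for what the matching authorization rule uses, applies the post’s rules (every session takes a Base license; profile, location, BYOD, ANC, and the hard-coded Registered Devices group take a Plus license; profiling for visibility only does not), and counts licenses over a constructed sample of sessions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical session model, constructed for this example (not an ISE API).
@dataclass
class Session:
    endpoint: str
    rule_uses: Set[str] = field(default_factory=set)  # conditions in the matched authz rule
    endpoint_group: str = ""       # endpoint identity group the MAC is assigned to
    anc_controlled: bool = False   # session currently under an ANC policy (e.g. quarantine)
    byod_onboarded: bool = False   # connection uses a BYOD profile installed during onboarding

# Authorization-rule conditions that draw a Plus license per the post.
PLUS_RULE_CONDITIONS = {"profile", "location"}
# ISE treats this built-in group as BYOD, so rules that match it consume Plus.
REGISTERED_DEVICES_GROUP = "RegisteredDevices"

def consumes_plus(s: Session) -> bool:
    """True if this active session holds a Plus license under the post's rules."""
    if s.anc_controlled or s.byod_onboarded:
        return True
    if s.rule_uses & PLUS_RULE_CONDITIONS:
        return True  # authz rule uses the profile or MSE location
    if "endpoint_group" in s.rule_uses and s.endpoint_group == REGISTERED_DEVICES_GROUP:
        return True  # the Registered Devices gotcha
    return False     # e.g. profiled for visibility only, or a custom guest group

def license_counts(sessions: List[Session]) -> Dict[str, int]:
    """Every session consumes Base; a subset also consumes Plus."""
    return {
        "base": len(sessions),
        "plus": sum(1 for s in sessions if consumes_plus(s)),
    }

# Constructed sample of active sessions.
SAMPLE_SESSIONS = [
    Session("printer-01", rule_uses={"profile"}),                       # Plus: profile-based authz
    Session("laptop-07", rule_uses={"ad_group"}),                       # Base only: profile for visibility
    Session("guest-aa", rule_uses={"endpoint_group"},
            endpoint_group=REGISTERED_DEVICES_GROUP),                   # Plus: the gotcha
    Session("guest-bb", rule_uses={"endpoint_group"},
            endpoint_group="GuestDevices"),                             # Base only: custom group
    Session("phone-12", byod_onboarded=True),                           # Plus: BYOD profile
    Session("kiosk-03", rule_uses={"location"}),                        # Plus: MSE location rule
    Session("pc-99", rule_uses={"ad_group"}, anc_controlled=True),      # Plus: ANC quarantine
]

if __name__ == "__main__":
    print(license_counts(SAMPLE_SESSIONS))
```

Moving guest-aa to a custom endpoint group is the change the post recommends, and in this model it drops the Plus count by one without touching the Base count.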

The next post will cover Apex licenses.

3 comments

  1. Small clarification regarding the Profiling and Plus license consumption – “Profiling: A Plus license is consumed during the profiling process. If the session matches a rule based on the profile, the license is consumed during the entire time the session is active. The Plus license is released back to ISE if the session is not authorized by the profile or once the session ends.”

    Plus license will be consumed if profiling information will be used in AuthZ policy. For context visibility-only purposes base license will be consumed.

  2. Just FYI: This is not true:
    You cannot have more Plus licenses than Base licenses, though. Plus licenses must be equal to or less than the number of Base licenses.

    The guides are very vague:
    Cisco ISE allows you to use more Plus and/or Apex licenses on the system than Base licenses

    But I have a deployment with 55,000 Base and 100,000 Plus (2.4p6) due to some ELA fun stuff, works fine.

    1. Unless something changed in 2.4, ISE wouldn’t allow you to install more Plus licenses than the Base licenses in the previous versions. For example: If you tried to install 10,000 Plus licenses but you only had 5,000 Base licenses installed, an error would pop up in the GUI. I hadn’t tried it in 2.4 (or 2.6). Odd that you would have more Plus or Apex since you have to use a Base license in order to authenticate an endpoint and anything authenticated using a Plus license would also consume a Base license. What is your use case for having more Plus than Base? Unless it’s just a cosmetic thing because, like I said, every auth will utilize a Base license since there is no “Plus license only” authentication case.

      And it would keep working. I didn’t mean that authentications would stop if you had more Plus than Base licenses. ISE will not block authentications if you are out of compliance (ie more authentications than Base licenses). But you will receive warnings about being out of compliance with your licensing.
