In the release of Cisco ISE 3.0, Cisco streamlined the licensing schema for Cisco Identity Service Engine (ISE) as per Cisco DNA Center to reduce the complexity of licensing tiers in ordering. This blog will guide you through the Cisco ISE “classic” licenses (Base, Plus, and Apex) and the Cisco ISE “Nested-Doll model” license scheme with Cisco ISE Essentials, Advantage, and Premier. The blog will also explain the requirement to upgrade from Cisco ISE “classic” licenses to the new ISE license scheme. The blog will determine licenses required as per use case basis.
Before upgrading to ISE 3.0, you require a smart account created and all the licenses should be mapped with a smart account. Cisco starting with the ISE 3.0 release, smart licensing will be required. In smart licensing PAK’s will not be required and uses the Cisco Smart Software Manager (CSSM) to obtain the necessary authorization.
Cisco ISE 2.7 Licenses (License Valid For Releases Prior To ISE 3.0)
Cisco ISE 2.7 has offered two methods to manage your licenses.
Smart Licensing
In smart licensing, you can monitor Cisco ISE software licenses and endpoint license consumption easily and efficiently with a single token registration. Cisco Smart Software Manager (CSSM) maintains the centralized database to manage the cisco products and licenses, where you can track the consumption of the licenses. If consumption exceeds then an alarm is activated, and the administrator is notified through alarms and notifications.
Traditional Licensing
You purchase licenses for the number of concurrent users on the system with Traditional Licensing. A Cisco ISE user consumes a license during an active session (always a Base; and a Plus and an Apex license, if you use the functionality covered by these licenses). Once the session ends, the license is released for reuse by other users.
Cisco ISE 2.7 License Packages
Base Licenses
A base license is a permanent license. The base license covers the below functionality.
– Basic network access: AAA, IEEE-802.1X
– Guest services
– Link encryption (MACSec)
– TrustSec
– ISE Application Programming Interfaces
Plus Licenses
It’s a subscription-based license (1, 3, or 5 years). Does not include Base services; a Base license is required to install the Plus license. Plus license covers the below functionality.
– Bring Your Own Device (BYOD)—When consuming either a built-in or an external certificate authority
– MSE integration for location services
– Profiling and Feed Services
– Adaptive Network Control (ANC)
– Cisco PxGrid
Apex Licenses
It is a subscription-based license (1, 3, or 5 years). Does not include Base services; a Base license is required to install the Apex license. Apex license covers the below functionality.
– Third-Party Mobile Device Management (MDM) integration
– Posture Compliance
– TC NAC
Note: When you use Cisco AnyConnect as a unified posture agent across wired, wireless, and VPN deployments, you need Cisco AnyConnect Apex user licenses in addition to Cisco ISE Apex licenses.
Device Admin Licenses
It is a permanent license. A Base or Mobility license is required to install the Device Administration license. Only one license is required per deployment (regardless of multiple nodes). It provides the TACACS+ functionality. Policy Service nodes that have the TACACS+ persona enabled on them consume Device Administration licenses.
Mobility Licenses
It is a subscription-based license (1, 3, or 5 years). Cannot coexist on a Cisco Administration node with Base, Plus, and/or Apex licenses. Combination of Base, Plus, and Apex for wireless and VPN endpoints.
Mobility Upgrade Licenses
It is a subscription-based license (1, 3, or 5 years). You can only install a Mobility Upgrade license on top of an existing Mobility license. Provides wired support to Mobility license.
Licenses for VM nodes
Cisco ISE is also deployed as a virtual appliance. For Release 2.7, it is recommended that you install appropriate VM licenses for the VM nodes in your deployment. The VM licenses are installed based on the number of VM nodes. VM licenses are offered under three categories—Small, Medium, and Large.
| VM Category | RAM Range | Number of CPUs |
| Small | 16GB | 12 CPUs |
| Medium | 64GB | 16 CPUs |
| Large | 256GB | 18 CPUs |
Evaluation Licenses
It is temporary for 90 days. All Cisco ISE appliances are supplied with evaluation licenses. It provides full ISE functionality for 100 days.
Cisco ISE 3.0 Licenses
Cisco ISE 3.0 does not support classic licenses, such as Base, Plus, and Apex licenses, that were used in prior Cisco ISE Releases 3.0. Cisco ISE 3.0 supports only smart licensing, in which licenses are managed by Cisco Smart Software Manager (CSSM).
Cisco Smart Software Manager (CSSM)
CSSM manages, registers, and activates all the licenses very easily and efficiently with single token registration. It eliminates the difficult management of Product Activation Keys (PAKs) and licenses files through License Pooling.
Cisco ISE 3.0 License Packages
Tier Licenses
In the new release of ISE 3.0, tier licenses replace the 3 classic licenses (Base license, Plus License, Apex licenses) with the Nested-Doll licenses (Essential licenses, Advantage licenses, and Premier licenses). These are subscription-based licenses (1, 3, or 5 years).
Essentials Licenses
– AAA, including 802.1X, MAC authentication bypass (MAB) and easily connect, and web auth.
– Link encryption (MACSec)
– Authentications that are based on Single Sign-On (SSO), Security Assertion Markup Language (SAML), and Open Database Connectivity (ODBC) standards.
– Guest access and sponsor services.
– Representational State Transfer (REST) APIs for monitoring purposes, and External RESTful Services APIs for CRUD operations.
– PassiveID services.
– Secure wired and wireless access.
Note: Any ISE Base licenses upgraded to ISE essential licenses will expire on 31 October 2023
Advantage Licenses
– All the features are enabled by the Cisco ISE Essentials license.
– Bring Your Own Device (BYOD) device registration and provisioning, with a built-in certification authority. Device registration occurs through the configured My Devices portals.
– Security Group Tagging, TrustSec, and Cisco Application Centric Infrastructure (ACI) integration.
– Profiling services, including basic asset visibility and enforcement features.
– Endpoint analytics, including advanced asset visibility and enforcement features.
– Feed Services.
– Visibility and enforcement of location-based services.
– Context sharing (such as PxGrid), and security ecosystem integrations.
Premier Licenses
– All the features are enabled by the Cisco ISE Essentials and Advantage licenses.
– Endpoint protection services.
– Rapid Threat Containment, using Adaptive Network Control and context sharing services.
– Posture visibility and enforcement.
– Compliance visibility and enforcement through Enterprise Mobility Management and Mobile Device Management.
– Threat-Centric Network Access Control visibility and enforcement.
Note: To use AnyConnect as the agent for endpoint posture the AnyConnect Apex licenses and ISE Posture module are needed.
Device Administration Licenses
Device Administration Licenses are the same as Cisco ISE 2.7. Policy Service nodes that have the TACACS+ persona enabled on them consume Device Administration licenses.
Virtual Appliance Licenses
Virtual appliance licenses are also the same as Cisco ISE 2.7, available in three forms, VM Small, VM Medium, and VM Large.
Evaluation Licenses
The Evaluation license is enabled by default when you first install Cisco ISE Release 3.0. Evaluation licenses are 90-day licenses that give you access to all the Cisco ISE features. During the evaluation period, license consumption is not reported to the CSSM.
We hope after reading this blog, you got a better understanding of the old “classic” licensing model and the new “nested-doll” licensing model. This blog covers the functionality of both models. In our next blog, we will continue with the migration of licensing from the old model to the new model.
We at Zindagi Technologies have a team of capable engineers that will help you in the deployment of CISCO ISE. For more details, we are available for you, give us a call on +919773973971 or reach us at Zindagi Technologies.
Author
Chakransh Awasthi
Senior Consultant – Network Security
