What does it give you, what should you pay attention to and is it possible to do … nothing?
Those who are familiar with Cisco ISE and have been using it for quite a few years have become accustomed to the licensing system known from ISE 1.x and 2.x. The well-known Base, Plus and Apex licenses end with the release of ISE 3.x. In their place come the so-called Tier Based licenses, i.e. Essentials, Advantage and Premier. What does this change, what should you pay attention to, and can you simply do nothing? This article covers all of that, but in order.
First, a very important message for owners of ISE version 2.7.
For those who are just starting their adventure with NAC systems in their company (or home?), a new installation is the choice of solution. If it’s Cisco Identity Services Engine (Cisco ISE), this article may be useful.
It is worth knowing that ISE can be run for free in the evaluation version, which supports all ISE functionalities for 90 days (i.e. those unlocked by the highest license). This is a great opportunity to test ISE thoroughly. Just remember that after 90 days, ISE becomes unmanageable and waits for valid licenses!
As I mentioned, Base, Plus and Apex already have successors today, and they are Essentials, Advantage and Premier. The nomenclature is otherwise familiar, because reaching for Cisco products from the Switching, Routing and Wireless shelves, we find the whole DNA licensing philosophy, Essentials and Advantage. The difference between the new and old ISE licenses is primarily a change in the approach to their validity.
So far, Base licenses have been permanent licenses, i.e. once purchased, they did not expire. It was different with Plus and Apex. Since ISE 3.0, all licenses are time-limited (Tier-based licenses)! What functionalities can be found in the individual license levels? This is very well described in the Licensing Guide, among others, so I won’t repeat it (if in doubt, you know where to find me).
Another difference is the approach to functionality and to “assembling” licenses for our needs. The new licenses can more or less be treated analogously to the old ones in terms of the functionalities they provide, i.e.:
In ISE 3.0, higher licenses include lower licenses (the so-called Nested doll model). This means that you only need to purchase an Advantage license to have the functionality of Essentials + Advantage. In the old model, licenses were additive: you added different license levels, and there were also requirements to have a minimum number of Base licenses in order to have X higher licenses, and so on.
In simple terms, the old model looked like this: to be able to install 200 Plus licenses, you had to have at least the same number of (or more) Base licenses. Today, if we know we want 200 Advantage licenses, we can simply buy 200 Advantage licenses.
In the picture it looks something like this:
The prices of Cisco ISE licenses depend on the size of the package, i.e. the number of licenses we buy. In short, per license, a package of 10,000 licenses will be cheaper than a package of 2,000.
We count licenses per device. Keep in mind that one user logged in and authenticated to the network with 802.1X wired and, at the same time, 802.1X wireless will consume 2 licenses! Licensing is based on the number of simultaneously connected devices / endpoints / MAC addresses on the network.
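To make the counting rule concrete, here is an added example (not code from the article or from Cisco) that sweeps over a constructed set of RADIUS-style sessions and reports the peak number of simultaneously connected endpoints, keyed by MAC address as ISE licensing does, next to the peak number of users. The user, MAC and time values are constructed for illustration.

```python
from datetime import datetime
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    mac: str
    medium: str       # "wired" or "wireless" (802.1X)
    start: datetime
    end: datetime


def _t(hhmm: str) -> datetime:
    """Helper: build a timestamp on an arbitrary day from 'HH:MM'."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample sessions (not real ISE data).
# alice is on wired + wireless at once; her laptop also re-authenticates
# on the same MAC while the first session is still open.
SESSIONS = [
    Session("alice", "00:11:22:33:44:01", "wired",    _t("08:00"), _t("12:00")),
    Session("alice", "00:11:22:33:44:02", "wireless", _t("09:00"), _t("17:00")),
    Session("bob",   "00:11:22:33:44:03", "wired",    _t("10:00"), _t("11:00")),
    Session("alice", "00:11:22:33:44:01", "wired",    _t("10:30"), _t("11:30")),
    Session("carol", "00:11:22:33:44:04", "wireless", _t("13:00"), _t("14:00")),
]


def _peak_by(sessions, key):
    """Sweep-line: count distinct key() values with at least one open session."""
    events = []
    for s in sessions:
        events.append((s.start, +1, key(s)))
        events.append((s.end, -1, key(s)))
    events.sort(key=lambda e: (e[0], e[1]))   # at equal times, ends before starts
    open_count = {}                            # key -> number of open sessions
    peak, peak_at = 0, None
    for when, delta, k in events:
        open_count[k] = open_count.get(k, 0) + delta
        if open_count[k] <= 0:
            del open_count[k]
        if len(open_count) > peak:
            peak, peak_at = len(open_count), when
    return peak, peak_at


def peak_concurrent_endpoints(sessions):
    """Licensed quantity: distinct MACs connected at the same moment."""
    return _peak_by(sessions, lambda s: s.mac)


def peak_concurrent_users(sessions):
    """For comparison only: distinct users connected at the same moment."""
    return _peak_by(sessions, lambda s: s.user)
```

With the sample above the peak is 3 endpoints at 10:00 (alice's two devices plus bob) but only 2 users, which is exactly the wired + wireless double count the article warns about; the overlapping re-authentication on the same MAC is counted once.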
Attention! Since ISE 3.1, Cisco validates licenses for the so-called VM nodes. If our deployment (ISE installation) consists of, for example, 5 nodes, you need to buy 5 node licenses, of the type matching the size of virtual machine required. If we do not, ISE will ask for such a license (per node) and send the appropriate warnings.
The price of the license in this case depends on the size of the VM appliance, and this in turn depends on the VM image selected for the required scale. Here we have the following options:
Which one to choose when? This is what the sizing guideline says, or again – let me know, we can analyze it together for your environment.
For those who like or simply use TACACS+, i.e. managing the authentication and authorization of network administrators on devices, the TACACS+ service can be run on ISE. This service is activated by the Device Administration license, which is installed on PSNs: one license for each (!) PSN we want to run it on. I described the roles of ISE nodes in this post about ISE deployment models.
Pretty simple.
It’s not that easy here.
It’s best to plan an upgrade to 3.x. At the moment, the version recommended by Cisco is 3.1 (marked as the safe harbour). How to migrate?
Migration takes place on several levels:
Remember that on September 22, 2023, Cisco ISE 2.7 reaches End of Software Maintenance, which means that the manufacturer will no longer develop the software or fix defects in it. It is easy to conclude that, over time, using ISE version 2.x will become increasingly dangerous and risky from the point of view of business continuity.
In short, it’s time for a change. Along with ISE 3.x, the licensing model changes, which can significantly affect budget planning in this segment of systems. The new licenses cover not only functionality but also the number of virtual machines (ISE VM Appliance licenses). It is worth planning the tasks related to the upgrade and migration of the NAC solution in your organization now.
Do you want to choose the right NAC system or plan a migration? Avoid common mistakes. Talk to our experts during a free consultation and learn more about which configuration will be the best for you.
Thanks for compiling and breaking it down.
Good to see it was helpful