US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10

EMEA Region

ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43


Grandmetric LTD
Office 584b
182-184 High Street North
E6 2JA
+44 20 3321 5276

  • en
  • pl
  • New licensing of Cisco ISE.

    What does it give you, what should you pay attention to and is it possible to do … nothing?

    New Cisco ISE licensing

    Date: 11.04.2023

    Category: Cisco ISE, Security

    Those who are familiar with Cisco ISE and have been using it for quite a few years have become accustomed to the licensing system known from ISE 1.x and 2.x. The well-known Base, Plus and Apex licenses end with the release of ISE 3.x. In their place, licenses of the so-called Tier Based, i.e. Essentials, Advantage and Premier. What does it change, what should you pay attention to and can you do nothing? About this in the article, but in order.

    First, a very important message for owners of ISE version 2.7.

    New NAC, new deployment

    For those who are just starting their adventure with NAC systems in their company (or home?), a new installation is the choice of solution. If it’s Cisco Identity Services Engine (Cisco ISE), this article may be useful.

    It is worth knowing that ISE can be run for free in the evaluation version, which supports all possible ISE functionalities for 90 days (i.e. those unlocked by the highest license). A great thing and an opportunity to test ISE length and breadth. Just remember that after 90 days, ISE becomes unmanageable and waits for legal licenses!

    ISE Licenses Old vs New

    As I mentioned, Base, Plus, Appex already have successors today and they are Essentials, Advantage and Premier. The nomenclature is otherwise known, because reaching for Cisco products from the Switching, Routing and Wireless shelves, we find the whole DNA licensing philosophy, Essentials and Advatage. The difference between the new and old ISE licenses is primarily a change in the approach to its validity.

    Dlaczego Grandmetric

    So far, Base licenses have been permanent licenses, i.e. once purchased, they did not expire. It was different with Plus and Apex. Since ISE 3.0 all licenses are timed! (Tier-based licenses). What functionalities can be found in individual license levels? This is very well described in the Licensing Guide, among others, so I won’t repeat it (if in doubt, you know where to find me).

    Dlaczego Grandmetric

    Another difference is the approach to functionality and “assembling” licenses for our needs. Although more or less new licenses can be treated analogously in terms of the functionalities they provide, i.e.:

    • Base – Essentials  
    • Plus – Advantage 
    • Apex – Premier 

    In ISE 3.0, higher licenses include lower licenses (the so-called Nested doll model). This means that you only need to purchase an Advantage license to have the functionality of the Essentials + Advantage license. In the old model, licenses were additive, you added different license levels, there were also requirements to have a minimum number of Base licenses to have X higher licenses, and so on.

    In simple terms, the old model looked like this: To be able to install 200 Plus licenses, you had to have min. the same (or more) Base licenses. Today, if we know we want 200 advantage licenses, we can simply buy 200 advantage licenses.

    In the picture it looks something like this:

    The prices of Cisco ISE licenses depend on the size of the package, i.e. the number of licenses we buy. In short, 10,000 licenses will be cheaper than 2,000 licenses per license.

    How do we count ISE licenses?

    We count licenses per device. You should keep in mind that one user logged in and authenticated to the network with the mechanism of 802.1x wired + at the same time 802.1x wireless will consume 2 licenses! Licensing is based on the number of simultaneously connected devices / enpoints / MAC addresses to the network.

    ISE Virtual Appliance

    Attention! Since ISE 3.1, Cisco validates licenses for so-called Node VM. If our deployment (ISE installation) consists of, for example, 5 nodes, you need to buy 5 licenses depending on how large the virtual machine is needed. If we do not, ISE will ask for such a license (per node) and send appropriate warnings.

    The price of the license in this case depends on the size of the VM appliance, and this in turn depends on the VM image solution selected for the scale. Here we have the following options:

    • VM Small
    • VM Medium
    • VM Large

    Which one to choose when? This is what the sizing guideline says, or again – let me know, we can analyze it together for your environment.

    Device Administration

    For those who like or simply use TACACS+, i.e. managing the authentication and authorization of network administrators to devices, we can run the TACACS+ service on ISE. Such a service is activated by the Device Administration license, which is installed on PSNs. One license for 1 PSN (!) we want to run this on. I described the roles of ISE nodes in this post about ISE deployment models.

    We buy ISE from scratch – how to configure?

    Pretty simple.

    1. Decide what you want to achieve with the NAC project.
    2. Determine and plan how big the deployment will be and what kind of license will be needed.
    3. Estimate the number of endpoints.
    4. Price a specific number of Essentials, Advantage, or Premier licenses
    5. Valuate the number of VM Appliance licenses specified in point 2.

    I already have ISE 1.X or 2.X – what next?

    It’s not that easy here.

    It’s best to plan an upgrade to 3.X. At the moment, the version recommended by Cisco is 3.1 (marked as the safe harbour). How to migrate?

    Migration takes place on several levels:

    • License migration: Base, Plus, Apex to Essentials, Advantage and Premier respectively
    • Migration of virtual machines (if applicable to your infrastructure)
    • Migrating physical machines in case ISE 3.1 does not support the physical machines you use with ISE 2.x. The list of supported appliances is given in the release notes for each version
    • Technical migration (upgrade). In the latter, the most important thing is to choose the correct migration path, i.e. a direct upgrade to 3.1.0 is possible from Cisco ISE 2.6, Cisco ISE 2.7, Cisco ISE 3.0.

    Read till the end!

    Remember that on September 22, 2023, there will be an End of Software maintenance for Cisco ISE 2.7, which means that the manufacturer will no longer develop or fix defects in the software. It is easy to conclude that over time, using ISE version 2.x will become increasingly dangerous and risky from the point of view of business continuity.

    In short, it’s time for a change. Along with ISE 3.X, the licensing model changes, which can significantly affect budget planning in this segment of systems. The new licenses concern the functionality, but also the number of virtual machines, ISE VM Appliance. It is worth planning tasks related to the upgrade and migration of the NAC solution in your organization now.

    Do you want to choose the right NAC system or plan a migration? Avoid common mistakes. Talk to our experts during a free consultation and learn more about which configuration will be the best for you.



    Marcin Bialy

    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    Zac R
    21 September 2023 at 13:00

    Thanks for compiling and breaking it down.

    Marcin Bialy
    12 December 2023 at 13:14

    Good to see it was helpful


    Leave a Reply

    Your email address will not be published. Required fields are marked *