Cisco ISE 3.x Licensing Explained

From Cisco ISE 3.0 onwards, the licenses have been revamped. The updated licenses are designed to fall more in line with Cisco’s DNA Center.

In this lesson, we’re going to cover the updated licenses available for Cisco ISE 3.x. To help you understand which licenses you require for your deployment, this lesson will detail each available license and the use cases for each.

Overview

From Cisco ISE 3.0 onwards, Cisco has brought the licenses in line with the DNA Center platform. The aim of this is to reduce the complexity between platforms.


The following list details the licenses available on ISE 3.0:

  • Essentials.
  • Advantage.
  • Premier.
  • Device Admin.
  • Evaluation.
  • R-ISE-VMS-K9=.
  • R-ISE-VMM-K9=.
  • R-ISE-VML-K9=.

As you can see, not much has changed. The major difference is that Base, Plus and Apex have been replaced. These are now known as Essentials, Advantage and Premier.

Essentials License

The Essentials license is the replacement for the old Base license on ISE 2.x. Unlike before, the Essentials license is only available as a subscription. These are offered under the following terms:

  • 1 Year.
  • 3 Year.
  • 5 Year.

With the change to Essentials licensing, some of the features available in the old Base mode have changed. The list below details the features available with the Essentials license:

  • AAA.
  • RADIUS/802.1x.
  • EasyConnect.
  • Guest services.
  • ISE API (Application Programming Interface).

There is one big difference from the old Base licensing model. With Essentials licensing, TrustSec is no longer included. Instead, this has been moved up to the Advantage tier.

An Essentials license is required for each concurrent user connected via ISE with an active session.

A big difference with the new licensing is that an Essentials license is no longer a prerequisite for higher-tier licensing.

Advantage License

The next building block of ISE licensing is the Advantage license. This builds on top of the Essentials license and is required for the following features:

  • BYOD (Bring Your Own Device).
  • Profiling / Feed Services.
  • pxGrid.
  • MSE integration (Location Services).
  • Group based policy (TrustSec).

There is one big difference from the old Plus licensing model. With Advantage licensing, Adaptive Network Control is no longer included. Instead, this has been moved up to the Premier tier. In addition to this, the Advantage license is now required in order to use TrustSec, which has been renamed group-based policy.

Like the Essentials license, the Advantage license is only available as a subscription-based model. The Advantage license is available in the following terms:

  • 1 Year.
  • 2 Year.
  • 3 Year.

The great benefit of licensing with 3.x is the “nested doll” model. With this model, the Advantage license encompasses all features included with the Essentials license.

This is a massive difference from the previous licensing model, which required an equivalent number of the lower-tier licenses to be applied to the system.

Premier License

The final license that builds upon the Essentials and Advantage licenses is the Premier license. As with the Advantage license, the Premier license is a subscription-based model that is required for the following features:

  • MDM (Mobile Device Management) integration.
  • Posture compliance and remediation.
  • Threat-Centric Network Access Control (TC-NAC).
  • AnyConnect Apex.
  • RTC (Rapid Threat Containment).

There is one big difference from the old Apex licensing model. With Premier licensing, has now been included. This is the new name for adaptive network control.

Again, the Premier license is a subscription-based model. It’s available in three terms:

  • 1 Year.
  • 3 Year.
  • 5 Year.

As before, the Premier license uses the “nested doll” model. With this model, the Premier license encompasses all features included with both the Essentials and Advantage licenses.

This is a massive difference from the previous licensing model, which required an equivalent number of the lower-tier licenses to be applied to the system.

Device Admin License

The Device Admin license is unique as it’s required to activate the Device Admin feature. Makes sense, right? In short, when applied, it allows us to use our ISE node as a TACACS+ server.

A Device Admin license will need to be applied to each Policy Service Node (PSN) that will be authenticating TACACS+ requests.

For example, if you have two nodes authenticating TACACS+ requests within your network, you’ll require two Device Admin licenses.

The Device Admin license is a perpetual license. As such, once you’ve purchased the license, you own it for the lifespan of the product.

There are no differences with the Device Admin license when compared to the 2.x model.

Evaluation License

Cisco provides an evaluation license for ISE. This can be used for the following purposes:

  • ISE PoC (Proof of Concept).
  • Lab purposes.
  • Testing ISE features.

The evaluation license lasts for 90 days and can be used for up to 100 endpoints.

All features within Cisco ISE can be used, as the evaluation license includes the following:

  • Base.
  • Plus.
  • Apex.
  • Device Admin.

The evaluation license is available when deploying a virtual ISE instance using either an ISO or OVA image. The license is activated once the ‘setup’ command has been run via the CLI setup.

There are no differences with the evaluation license when compared to the 2.x model.

Virtual Machine Licensing

Instead of running ISE as a physical appliance, we can deploy it as a virtual machine. If we deploy ISE using this method, we can deploy the virtual machine in one of the following sizes:

  • Small.
  • Medium.
  • Large.

Each virtual machine that we deploy within our network will require an individual license. These licenses are perpetual licenses.

Depending on the virtual machine size we decide to deploy, a different license will be required. The licenses available are as follows:

  • R-ISE-VMS-K9= – (Small virtual machine).
  • R-ISE-VMM-K9= – (Medium virtual machine).
  • R-ISE-VML-K9= – (Large virtual machine).

There are no differences with the virtual machine licenses when compared to the 2.x model.