Cisco ISE 2.x Licensing Explained

The firmware in use within your ISE deployment will vastly change the licenses required.

In this lesson we’re going to cover the different licenses available for Cisco ISE 2.x. To help you understand which licenses you’ll require for your deployment, this lesson details each available license and its use cases.

Overview

Unlike other Cisco products, the licensing for ISE 2.x is fairly straightforward.

The features enabled within ISE will affect the licenses required as part of the deployment.

The licenses we’ll be discussing in this lesson are:

  • Base
  • Plus
  • Apex
  • Device Administration
  • Evaluation
  • R-ISE-VMS-K9=
  • R-ISE-VMM-K9=
  • R-ISE-VML-K9=

Base License

The Base license is a perpetual license. As such, once you’ve purchased the license, you own it for the lifespan of the product.

In essence, Base licenses are the foundation of ISE. Without any Base licenses, none of the features will work.

A Base license is required for the following features:

  • RADIUS.
  • 802.1x.
  • TrustSec / Security Group Tagging (SGT).
  • MACSec.
  • Guest services.
  • ISE API (Application Programming Interface).

A Base license is required for each concurrent user connected via ISE with an active session.

Even if you plan on using the features included with the Plus and Apex licenses, a Base license is always required for each active session.

Plus License

The next building block of ISE licensing is the Plus license. This builds on top of the Base license and is required for the following features:

  • BYOD (Bring Your Own Device)
  • Profiling / Feed Services
  • pxGrid
  • EPS (Endpoint Protection Service)
  • MSE Integration (Location Services)

Unlike the Base license, the Plus license is only available as a subscription-based model. The Plus license is available in the following terms:

  • 1 Year
  • 2 Year
  • 3 Year

Unfortunately, in order to use the Plus license, an equal or greater number of Base licenses must be applied to the system.

For example, if you require 1,000 Plus licenses, you will also require at least 1,000 Base licenses to be applied to the system.

It’s important to note that the Plus license does not include a Base license. These will need to be purchased separately.

Apex License

The final license that builds upon the Base and Plus licenses is the Apex license. As with the Plus license, the Apex license is a subscription-based model and is required for the following features:

  • MDM (Mobile Device Management) integration.
  • Posture compliance.
  • Threat-Centric Network Access Control (TC NAC)

Again, the Apex license is a subscription-based model. It’s available in three terms:

  • 1 Year.
  • 2 Year.
  • 3 Year.

Again, as before, it’s important to note that the Apex license does not include a Base license. These licenses will need to be purchased separately.

Device Admin License

The Device Admin license is unique as it’s required to activate the Device Admin feature. Makes sense, right? In short, when applied, it allows us to use our ISE node as a TACACS+ server.

A Device Admin license will need to be applied to each Policy Service Node (PSN) that will be authenticating TACACS+ requests.

For example, if you have two nodes authenticating TACACS+ requests within your network, you’ll require two Device Admin licenses.

The Device Admin license is a perpetual license. As such, once you’ve purchased the license, you own it for the lifespan of the product.

Evaluation License

Cisco provides an evaluation license for ISE. This can be used for the following purposes:

  • ISE PoC (Proof of Concept).
  • Lab purposes.
  • Testing ISE features.

The evaluation license lasts for 90 days and can be used for up to 100 endpoints.

All features within Cisco ISE can be used, as the evaluation license includes the following:

  • Base.
  • Plus.
  • Apex.
  • Device Admin.

The evaluation license is available when deploying a virtual ISE instance using either an ISO or OVA image. The license is activated once the ‘setup’ command has been run via the CLI setup.

Virtual Machine Licensing

Instead of running ISE as a physical appliance, we can deploy it as a virtual machine. If we deploy ISE using this method, we can deploy the virtual machine in one of the following sizes:

  • Small.
  • Medium.
  • Large.

Each virtual machine that we deploy within our network will require an individual license. These licenses are perpetual licenses.

Depending on the virtual machine size we decide to deploy, a different license will be required. The licenses available are as follows:

  • R-ISE-VMS-K9= – (Small virtual machine).
  • R-ISE-VMM-K9= – (Medium virtual machine).
  • R-ISE-VML-K9= – (Large virtual machine).