This entry in our Cisco ISE blog series picks up where our last left off. In our last post we went over the ISE deployment models and some of the decision making needed to select the correct model for your use case. Now that you hopefully have a good understanding of the different ISE deployment models, we will explore the licensing requirements for an ISE deployment.
Licensing…bleh…why do I care?
Why a blog about licensing, you say? Licensing is boring, you say? These are good questions and I couldn’t agree more with them. However, the unfortunate truth is that in a software-driven world, licensing is one of the most significant costs facing IT buyers, and it can be one of the most complex to navigate, with software manufacturers’ bottom lines necessitating the monetization of every last bit of their software’s provided (or perceived – same thing!) value. This makes it critical to understand how the licensing system works when buying any IT software, Cisco ISE included.
Cisco ISE License Types
ISE licenses can generally be broken down into two high-level buckets: ISE node licenses and ISE endpoint licenses. ISE node licenses are easy and straightforward to understand, while the endpoint licenses require a more verbose explanation. I should add that the terms “node licenses” and “endpoint licenses” are my creation and you will not see Cisco refer to them this way. I use these terms because the license types I categorize as “node” licenses have their quantity determined by the number of ISE servers/nodes, while the license types I categorize as “endpoint” licenses have their quantity determined by the number of endpoints (concurrently) connecting to your ISE controlled access networks.
The table below summarizes the license types available in these two high-level buckets.
As mentioned previously, the node licenses are quite simple to understand and do not require much more than a brief mention. These licenses are both perpetual (they never expire) and are entirely based on node counts (as opposed to the endpoint licenses, which have nothing to do with node counts).
The appliance license only applies if you are deploying Cisco ISE on virtual machines. If you have purchased the Cisco Secure Network Server hardware ISE appliance, you can omit this license type as it is not needed. This license comes in three sizes: small (12CPU + 16GB RAM), medium (16CPU + 64GB RAM), or large (16CPU + 256GB RAM). Note that you can purchase a large virtual appliance license and in practice only configure a small virtual machine; however, the reverse is not true.
Device Administration License
Device Administration equals TACACS+. TACACS+ equals Device Administration. Same-same. For those Policy Service Nodes that you intend to point to as TACACS+ authentication servers, you will need to purchase a Device Administration license. Note that a minimum of 100 ISE “base” endpoint licenses are required to use Device Administration, even though base licenses are not allocated during a TACACS+ session. It’s just one of those nonsensical rules you have to follow blindly. 😊
Endpoint licenses come in three different flavors: Base, Plus, and Apex, each of which is described in further detail in the sub-sections to follow.
An ISE deployment without base licenses is like a car without wheels; you ain’t goin’ nowhere! These are mandatory. Base licenses are the fundamental ISE license type in that the purpose of Cisco ISE is to authenticate and/or authorize “things” (endpoints) connecting to the network and that is exactly what a base license entitles you to do! Any “thing” and every “thing” successfully authenticated to your ISE controlled networks will allocate a license from your base pool. Again, these are concurrently connected “things” and these licenses are perpetual (they don’t expire). Below is a list of all the most notable functionality you are entitled to while using base licenses.
- Wired, Wireless, and VPN Access Control
- Basic RADIUS Authentication/Authorization (802.1X and MAC Authentication Bypass)
- Web Authentication (e.g. for guests)
- Guest Portal and Sponsor Services
- Security/Scalable Group Tagging (micro-segmentation classification technology)
- PassiveID (for Cisco switches only – identity group-based access without 802.1X)
ISE Plus licenses can be looked at as building on top of the functionality provided by base licenses in that plus licenses do NOT include the functionality provided by base licenses. Plus licensing uses a subscription model because it provides a feature-set (device profiling, BYOD, etc.) tied to an ever-changing landscape (i.e. new endpoints and OS versions are released all the time!). To combat the ever-changing landscape, Cisco maintains a profiler feed service that your ISE deployment will use to stay up-to-date. Below is a list of the most notable functionality you are entitled to when using Plus licenses.
- Device Profiling (automatic identification of device type/OS type of the endpoint)
- Access to the Profiler Feed Service from Cisco
- Device Registration and On-Boarding (BYOD)
- pxGrid Context Sharing (an API for sharing security context information with 3rd parties)
- Location-based Access Control integration with Cisco CMX or MSE
- Rapid Threat Containment (Standardized, multi-vendor threat prevention via pxGrid)
- PassiveID (for non-Cisco switches – identity group-based access without 802.1X)
ISE Apex licenses can be looked at as building on top of the functionality provided by base licenses in the same way that plus licenses do. Apex licenses do NOT include any functionality provided by base or plus license types. Like Plus licensing, Apex licensing uses a subscription model because it provides a feature-set (device posturing) tied to an ever-changing landscape (i.e. new endpoints, OS, and application versions are released all the time!). To combat the ever-changing landscape, Cisco maintains a posture feed service that your ISE deployment will use to stay up-to-date. Below is a list of the most notable functionality you are entitled to when using Apex licenses.
- Device Posturing (endpoint compliance and remediation for MacOS X and Windows)
- Mobile Device Management (MDM) Integration (compliance checks on mobile devices)
- Rapid Threat Containment (Standardized, multi-vendor threat prevention via pxGrid)
Endpoint License Allocation
Now for a word on license allocation! Endpoint licenses are allocated during an endpoint’s network session and released at the end of that session. The network session is dictated by RADIUS accounting start and stop messages received from the network access devices (switches, wireless controllers, VPN head-ends, etc.). A single endpoint may allocate more than one license type per network session, meaning a single endpoint, during a single network session, could end up allocating a Base, Plus, AND Apex license! We’ve established that base licenses are allocated for each and every network session, but what about plus and apex licenses? Plus and apex license allocation is determined by the ISE authorization policy matched by an endpoint. If that authorization policy used matching attributes derived from device profiling (e.g. device type is MacBook Pro), then a plus license will be allocated in addition to a base. If that authorization policy used matching attributes derived from device posturing (e.g. anti-malware is up-to-date), then an apex license will be allocated in addition to the base. If that authorization policy used matching attributes derived from both device profile and posture, then both a plus and apex will be allocated in addition to the base!! See the diagram below for an illustration of how/when these licenses get allocated and released.
Endpoint License Management
Licenses can be uploaded directly to Cisco ISE or associated to the Cisco Smart Licensing account that your Cisco ISE deployment is a part of. Either way, you can get visibility into your Cisco ISE license usage by logging into your Primary Administration Node and navigating to Administration > System > Licensing.
Current Usage Chart Example
Usage over Time Example (hovering over bars in browser will give counts!)
Endpoint License Calculation Example
Let us suppose we have an environment with 10,000 total endpoints that may be concurrently connected to the network at any given time. Out of these 10,000 endpoints 10% (1,000) will be contractors connecting over a VPN. We want to check their anti-malware to ensure it is corporate approved, active, and up-to-date. Of the remaining 9,000 endpoints, 3,000 are miscellaneous device types that do not support 802.1X (printers, IP Phones, cameras, etc.). We will use MAC authentication bypass to get these on the network, but we want to protect ourselves from MAC spoofing, so we will use device profile checks. The remaining 6,000 endpoints are corporate sponsored laptops that belong to corporate users. For these we will stick to 802.1X using machine/user certificates with no further checking. We want to prepare for these users to simultaneously be connected to wired and wireless to ensure they are able to seamlessly move from their desk dock to a conference room with minimal interruption.
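The allocation rules from the Endpoint License Allocation section and the scenario above can be replayed in a short model. This is an added example, not Cisco's or the author's code; the event tuples, function names and session IDs are hypothetical, and it assumes each of the 6,000 laptops holds a wired and a wireless session at the same time.

```python
from collections import Counter

# Attribute sources in a matched authorization policy and the license each consumes.
LICENSE_FOR_SOURCE = {"profiling": "plus", "posture": "apex"}

def licenses_for_policy(attribute_sources):
    """Every session takes a base license; profiling adds plus, posture adds apex."""
    needed = {"base"}
    for source in attribute_sources:
        if source in LICENSE_FOR_SOURCE:
            needed.add(LICENSE_FOR_SOURCE[source])
    return needed

def peak_usage(accounting_events):
    """Replay RADIUS accounting events; return peak concurrent count per license.

    Each event is (kind, session_id, attribute_sources), kind is "start" or "stop".
    """
    active = {}            # session_id -> set of licenses held by that session
    in_use = Counter()
    peak = Counter()
    for kind, session_id, sources in accounting_events:
        if kind == "start" and session_id not in active:
            active[session_id] = licenses_for_policy(sources)
            in_use.update(active[session_id])
        elif kind == "stop" and session_id in active:
            in_use.subtract(active.pop(session_id))   # licenses released at stop
        for lic, count in in_use.items():
            peak[lic] = max(peak[lic], count)
    return dict(peak)

def scenario_events():
    """Constructed worst case: every endpoint in the scenario connected at once."""
    events = []
    for i in range(1000):    # contractors on VPN, posture-checked
        events.append(("start", f"vpn-{i}", {"posture"}))
    for i in range(3000):    # MAB devices, profile-checked against MAC spoofing
        events.append(("start", f"mab-{i}", {"profiling"}))
    for i in range(6000):    # laptops: assumed wired + wireless sessions together
        events.append(("start", f"wired-{i}", set()))
        events.append(("start", f"wifi-{i}", set()))
    events += [("stop", sid, set()) for _, sid, _ in list(events)]
    return events

if __name__ == "__main__":
    print(peak_usage(scenario_events()))
```

The peak counts, not the totals over time, are what the license pools need to cover, because licenses are returned when the accounting stop arrives.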
Alright, so in the last couple of posts we’ve selected our ISE deployment model and now we’ve licensed it. I think it is time we take a look at what is involved in the initial provisioning of our ISE deployment. Does it just happen? Do I have to click anything? Is there a “next” button? Stay tuned…and thanks for reading!
Written By: Dominic Zeni, LookingPoint Consulting Services SME - CCIE #26686