Cisco ISE 2.X Licensing
Cisco ISE licensing is another complex topic to understand, especially if you are new or migrating from the old licensing model (i.e., 2.x) to the new current version 3.1 (Cisco Recommended as of 04/2022).
Let me give you some background before we drill down further. there is quite a different type of Cisco ISE licensing model, with various Tiers (levels)
- Smart Licensing
- Traditional Licensing
Smart Licensing:
Cisco offers Smart Licensing, which enables you to monitor ISE software licenses and endpoint license consumption easily and efficiently with a single token registration rather than individually importing separate licenses. Details of all Cisco products and licenses that you have purchased are maintained in a centralized database called the Cisco Smart Software Manager (CSSM), where you can easily track which endpoint licenses are available to you and consumption statistics.
Traditional Licensing:
For some companies, there is a strict policy that Cisco ISE nodes cannot reach out to the internet directly. In this case, traditional licensing will help the ISE admin manage licenses manually. Once you buy a license from the Cisco Partner, they will generate a.lic file and send it to you, which you can import into the Cisco ISE portal.
The below pictures is valid for Cisco ISE 2.X version only (picture courtesy of Lab Minutes and Cisco)
Cisco ISE 3.X Licensing
- Starting with the Cisco ISE 3.x release, you are required to have Smart Licensing, which further requires you to have a Smart Account created and configured before you upgrade or migrate the ISE licenses. Ignore if you have that account already set up.
- Cisco ISE 3.x Licensing has different licensing levels compared to the earlier 2.x version, with some features moved between different levels. Which will be explained later in the blog.
- Version 2.x: License Tier: Base, Plus, Apex, Device Admin
- Version 3.x: Essentials, Advantage, Premier, Device Admin, and IPSec
- Before VMM, licenses were valid in Cisco ISE 3.0 and earlier releases. Starting with version 3.1, you will need to have a VM Common license. Please refer to the table below for further reference.
- Cisco ISE endpoint session-based licenses can be ordered in any quantity, starting with 100 sessions
- Subscription licenses can be ordered with 1, 3, (default), or 5-year terms.
- Generally, evaluation licenses are valid for 90 days. To extend your evaluation licenses for more than 90 days or more than 100 endpoints, please open a case at www.cisco.com/go/scm with your UDIs, your license request, and justification.
- Quick Comparison between old and new license tiers
- The below chart gives you a quick overview of all the features in each tier in the new ISE version 3.x.
- Device Administration licenses are consumed per Policy Service Node (PSN). You must have a Device Administration license for each of the policy service nodes that you enable TACACS+ service on.
- Device Administration using TACACS+ does not consume endpoints, and there is no limit on network devices for Device Administration. The user does not require an Essentials license.
- For more details, click the below links.
- Cisco ISE Licensing Ordering Guide
- Cisco ISE Licensing Migration Guide
- Cisco ISE License FAQ
- Cisco ISE Data Sheet
Adnan's Personal Blog 
Leave a comment