ISE Licensing Models Explained

The licensing models available to an ISE deployment vary depending on the firmware release. ISE 2.x and 3.x offer different options.

In this lesson, we’ll cover the different methods of applying licenses to our ISE deployment. Each method has pros and cons, and which one suits you best depends on your environment.

Overview

The licensing methods available depend heavily on the version of ISE you’re using within your deployment.

With Cisco ISE deployments running any 2.x firmware release, the following methods are available:

  • Traditional Licensing
  • Smart Licensing

On the other hand, with ISE deployments running firmware 3.x and above, only the following method is available:

  • Smart Licensing

As we continue through the lesson, let’s break down each of the licensing models available.

Traditional Licensing

Traditional licensing is the classic way of licensing Cisco products. It requires us to generate license files that are then uploaded to our ISE nodes.

The license files can be generated using one of the following methods:

  • PAK (Product Authorisation Key)
  • EA (Enterprise Agreement)

Once licenses have been generated using the appropriate Cisco portal, they are then manually uploaded to ISE.

As you can imagine, there are a number of pros and cons to licensing ISE using this method.

Pros:

  • ISE doesn’t require external access to Cisco licensing portals

Cons:

  • An additional .LIC (License File) needs to be uploaded each time you purchase additional licenses.
  • Licenses are not applied to ISE until the manual application process is completed.
  • Licenses can easily be lost.
  • Licenses are locked to a specific node.

As you can tell, there are a number of downsides to using this licensing method. It may, however, come in handy in certain scenarios.

Smart Licensing

Smart licensing is Cisco’s new cloud-based licensing manager. The Cisco ISE appliance will initiate a ‘call home’ request to the Cisco cloud licensing portal.

The goals of smart licensing are:

  • Remove the manual process of adding licenses to ISE.
  • Automate the licensing process.
  • Single view of all licenses, software and devices.
  • Ensure licenses are more flexible.

Our ISE deployment needs to be able to communicate with Cisco’s licensing servers. This can be achieved using one of the following methods:

  • ISE has direct access to the Cisco licensing portal.
  • ISE accesses the Cisco licensing portal via proxy.
  • ISE is licensed via an on-premise collector (Connected).
  • ISE is licensed via an on-premise collector (Disconnected).

Direct Access

The first method we’ll look at is direct access. Using this method, our Cisco ISE nodes will have direct internet access to the Cisco licensing servers.

In order to utilise this method, ISE will require access to *.cisco.com using HTTPS.

Direct access is the easiest method of enabling smart licensing. The only downside is that each additional Cisco device that is licensed via smart licensing will need access to *.cisco.com.

Access via Proxy

Similar to the direct access method we’ve just looked at is access via proxy. Unlike before, our ISE nodes will send requests to our internal proxy.

The great advantage of this method is that we can limit the exposure of our ISE nodes. Instead of allowing them direct internet access, we can lock them down to an internal proxy. This proxy server will then send the requests to *.cisco.com.

There are two methods of proxying traffic to *.cisco.com:

  • On-Premise Proxy Server.
  • Cisco Smart Call Home Transport Gateway.

Whichever of the two methods you decide upon, all license requests will be routed via a proxy or gateway. This then allows us to limit the number of devices we provide with access to *.cisco.com.
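
The lock-down described above only holds if the proxy rule matches *.cisco.com label by label rather than as a loose string suffix. The following is an added example, not part of the original lesson or of any Cisco tooling: it models a single proxy rule for ISE licensing traffic and audits a handful of requests against it. The node addresses, the "client METHOD target" request format and every hostname in the sample are constructed for illustration.

```python
# Added example: models one proxy rule for ISE smart-licensing egress.
# ISE_NODES and every entry in SAMPLE_REQUESTS are constructed values.
ISE_NODES = {"10.0.10.11", "10.0.10.12"}
ALLOWED_DOMAIN = ("cisco", "com")   # the lesson's *.cisco.com
ALLOWED_PORT = "443"                # HTTPS

def host_matches(host):
    """True only for a real subdomain of cisco.com (label-wise match)."""
    labels = host.lower().rstrip(".").split(".")
    return (len(labels) >= 3 and all(labels)
            and tuple(labels[-2:]) == ALLOWED_DOMAIN)

def evaluate(request):
    """Return 'allow' or 'deny: <reason>' for 'client METHOD target'."""
    parts = request.split()
    if len(parts) != 3:
        return "deny: malformed request"
    client, method, target = parts
    if client not in ISE_NODES:
        return "deny: client is not an ISE node"
    if method != "CONNECT":
        return "deny: not an HTTPS tunnel"
    host, sep, port = target.rpartition(":")
    if not sep or port != ALLOWED_PORT:
        return "deny: port is not 443"
    if not host_matches(host):
        return "deny: host is outside *.cisco.com"
    return "allow"

def audit(requests):
    """Pair each request with the verdict the rule gives it."""
    return [(req, evaluate(req)) for req in requests]

SAMPLE_REQUESTS = [  # constructed proxy requests
    "10.0.10.11 CONNECT example-licensing.cisco.com:443",
    "10.0.10.11 CONNECT updates.notcisco.com:443",
    "10.0.10.11 CONNECT cisco.com.example.net:443",
    "10.0.10.12 GET http://example-licensing.cisco.com/",
    "10.0.10.11 CONNECT example-licensing.cisco.com:8443",
    "10.0.20.5 CONNECT example-licensing.cisco.com:443",
]

if __name__ == "__main__":
    for req, verdict in audit(SAMPLE_REQUESTS):
        print(f"{verdict:36} {req}")
```

Only the first sample request is allowed. The second and third show why a plain "ends with cisco.com" or "contains cisco.com" comparison is not sufficient for this rule.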

ISE Licensed via On-Premise Collector (Connected)

One of the more secure methods of enabling smart licensing is to deploy an on-premise collector. This collector then connects to the Cisco licensing portal.

The on-premise collector itself acts as a local authority that will exchange information with the Cisco licensing portal.

ISE and other on-premise Cisco devices will use the on-premise collector to license themselves.

For the on-premise collector to be classed as ‘connected’, it must have access to Cisco’s licensing portal. This connection is then used to sync the locally stored database.

ISE Licensed via On-Premise Collector (Disconnected)

As before, an on-premise collector is installed that will act as a local licensing server. Unlike before, however, the collector only exchanges information with *.cisco.com through manual exchanges.

As such, this method is classed as disconnected. At least once a month, a manual exchange of information will be required. This is used to keep the on-premise collector synchronized with 

Pros:

  • Overall view of all licenses owned by the enterprise.
  • Additional licenses automatically applied to ISE.
  • License flexibility.

Cons:

  • Can take a little extra effort to set up in comparison to traditional licensing.

As you can tell, there are more benefits to using smart licensing over traditional licensing. With later firmware releases, Cisco are moving away from traditional licensing methods towards smart licensing.