Cisco Identity Services Engine (ISE) licensing

Cisco Identity Services Engine (ISE) licensing is based on a tiered model that includes different types of licenses depending on the features and capabilities required.

Here's an overview of Cisco ISE licensing:?

1. License Types

Cisco ISE has transitioned from the traditional perpetual licensing model to a subscription-based model.

A. Traditional Licensing Model (Legacy)

This model included three main license types:

1. Base License – Basic AAA (Authentication, Authorization, Accounting) and device profiling.
2. Plus License – Advanced device profiling, Threat-Centric NAC (TC-NAC), and TrustSec SGT (Security Group Tags).
3. Apex License – Posture assessment, BYOD, and Threat-Centric Visibility.
4. Device Administration License – Required for TACACS+ administration.

B. Cisco ISE Smart Licensing (Current)

Cisco introduced a subscription-based licensing model that simplifies consumption and scalability. The three primary tiers include:

1. Essential – Provides basic authentication, policy enforcement, guest access, and device visibility.
2. Advantage – Includes all Essential features plus posture, threat intelligence integration, and endpoint compliance.
3. Premier – Includes all Advantage features plus full automation, deeper analytics, and endpoint behavior insights.

Cisco ISE licenses are tied to the number of endpoints/users and are managed through Cisco Smart Licensing.

2. License Duration

• Perpetual (Legacy model only) – Base License was perpetual.
• Subscription-based (1, 3, 5, or 7 years) – Used in Smart Licensing for flexibility and scalability.

?

3. Key Considerations

• Smart Licensing is mandatory for ISE 3.0 and later.
• All licenses are consumed per active session/user (e.g., if 500 users connect, ISE consumes 500 licenses).
• The ISE PAN (Policy Administration Node) must connect to Cisco Smart Licensing service for activation and compliance.
• Legacy perpetual licenses can still be used for older ISE versions, but upgrades require Smart Licensing conversion.

?

4. License Registration & Management

• Licenses are managed via Cisco Smart Account (https://software.cisco.com).
• The ISE appliance needs periodic communication with Cisco’s licensing cloud.
• If disconnected, there is a grace period before enforcement.

?

How Cisco ISE Consumes Licenses

Cisco ISE (Identity Services Engine) consumes licenses based on the number of active unique endpoints or users that are being authenticated or authorized at any given time.

Here’s how it works:

1. Per-Session Licensing Each endpoint (e.g., laptop, phone, IoT device) that actively connects to the network consumes a license. The license type consumed depends on the features being used (Essential, Advantage, Premier). If a device disconnects, the license is released after a timeout period.
2. License Consumption Per Endpoint Type A single user logging in from multiple devices (e.g., laptop and phone) consumes multiple licenses. If an endpoint moves between locations (e.g., from Wi-Fi to wired), it still consumes one license as long as it is the same device.
3. TACACS+ Device Administration If TACACS+ is used for network device administration, a Device Administration License is consumed per active network administrator session.

?

What is a Concurrent License?

A concurrent license in Cisco ISE refers to the number of simultaneously active endpoints or users that are consuming licenses at a given time.

For example:

• If you have 1,000 ISE licenses, only 1,000 endpoints can be authenticated at the same time.
• If a new device connects after reaching the limit, it may be denied access or go into a grace period (depending on policy settings).

Unlike named-user licensing (where each user always consumes a license), concurrent licensing only counts active connections, meaning that as users or devices disconnect, their licenses are freed up.

Cisco ISE License PIDs

You can find the Cisco ISE license PIDs in the following figure:

?