Cisco public
Figure 1.
Cisco Identity Services Use-cases
Many organizations provide free Internet access to guests visiting their organization for a short period. These
guests include vendors, retail customers, short-term contractors, etc. ISE can create accounts for these visitors
and authenticate them, so that guest access is attributable for audit purposes. There are three ways in which
ISE can provide Guest access: Hotspot (immediate access without credentials), Self-Registration and Sponsored
Guest access. ISE also provides a rich set of APIs to integrate with other systems, such as vendor management
systems, to create, edit and delete Guest accounts. Further, the various portals that the end user sees can be
completely customized (fonts, colors, themes, etc.) to match the look and feel of the customer's brand.
Figure 2.
Cisco ISE Guest Use-Case
ISE creates local accounts for Guests. These accounts can be created by an employee hosting the Guest (the
Sponsor) using a built-in portal or created by the Guest themselves by providing some basic info. The Guest
can receive credentials via email/SMS and use that to authenticate themselves to the network and thereby get
network access. The admin can define what level of access to provide to such users.
Most organizations start by securing their wireless network; it is the most basic need for every organization.
Using ISE, network administrators can secure access to the network by allowing only authorized users and
wireless devices (mobile phones, tablets or laptops, whether BYOD or organization-owned, and other wireless
"things") to connect to the network, and then enforce different security policies for them.
Authentication and Authorization are core functionalities of ISE. Every ISE session begins with authentication,
whether of a user or of a device. Authentication can be active or passive. Active authentication is done using
802.1X (or another method such as MAB or web authentication), where ISE itself authenticates the user or
endpoint against an Identity Source. In passive authentication (used in Easy Connect) ISE learns about the user
after the user authenticates against an Identity Source such as Microsoft Active Directory (AD), and AD notifies
ISE.
Figure 3.
Cisco ISE Secure Wireless Use-case
After successful authentication, ISE uses the user's or endpoint's group information to grant the right level of
access to the wireless connection, whether the connection is a Passive Identity session (Easy Connect), MAB
(MAC Authentication Bypass) or 802.1X. This is achieved by assigning the session a VLAN, a downloadable ACL
(DACL) or named ACL, or an SGT and the corresponding SGACL policy.
Required license: ISE Essentials, or ISE Advantage for SGT/SGACL enforcement.
Understanding the device type is often a critical element in determining the type of network access that
should be granted to the device. For example, a building management system such as an IP camera or an
elevator controller should be given access to a specific part of the network (such as the building management
services network), while a printer should be given access to another part of the network (such as IT services).
Visibility helps the IT administrator determine the types of devices on their network and how to provide them
with the right level of permissions. Basic asset visibility profiles endpoints by matching their network attributes
to known profiles. Advanced asset visibility performs deeper analysis of the conversations that applications on
these devices have with other endpoints and servers on the network, through Deep Packet Inspection (DPI).
While basic asset visibility will give you visibility into most of your network, especially traditional devices
(printers, mobile phones, etc.), advanced asset visibility will give you visibility into more vertical-specific and
IoT-type devices.
Figure 4.
Cisco ISE Basic Visibility Use-case
Basic asset visibility in ISE is accomplished through the Profiler service, which gathers information about a
device by listening to its network communication. The likely device type is determined by weighing the
information from most definitive to least definitive attributes.
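The weighting the paragraph describes can be made concrete. The following is an added example written for this page, not Cisco ISE code: each profile carries attribute conditions with a certainty weight, probe data for an endpoint is collected into a flat dictionary, and the highest-scoring profile that reaches its minimum certainty wins. The profile names, weights, OUI prefixes and the three sample endpoints are constructed for illustration (check any OUI against the IEEE registry before using it in a real policy). The "phone-oui-only" endpoint shows the case a practitioner cares about: a vendor prefix alone is not enough to reach the threshold, so the endpoint stays Unknown until a more definitive probe fires.

```python
"""Weighted endpoint profiling, as the Profiler paragraph describes it.

Added example; this is not Cisco ISE code. Each profile lists attribute
conditions with a certainty weight, probe data (DHCP, HTTP, SNMP, RADIUS)
is collected into a flat dict per endpoint, and the highest-scoring
profile that reaches its minimum certainty wins. Profile names, weights,
OUI prefixes and the sample endpoints are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str   # probe attribute, e.g. "dhcp-class-identifier"
    pattern: str     # regex tested against the attribute value
    certainty: int   # weight added when the pattern matches


@dataclass
class Profile:
    name: str
    min_certainty: int                      # threshold before the profile is assigned
    conditions: List[Condition] = field(default_factory=list)

    def score(self, attrs: Dict[str, str]) -> int:
        """Sum the certainty of every condition whose attribute is present and matches."""
        total = 0
        for c in self.conditions:
            value = attrs.get(c.attribute)
            if value is not None and re.search(c.pattern, value, re.IGNORECASE):
                total += c.certainty
        return total


def oui_of(mac: str) -> str:
    """Normalise a MAC in any common notation and return its 3-byte vendor prefix."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


# Constructed profile library. Weights run from least definitive (an OUI only
# says who made the NIC) to most definitive (SNMP sysDescr, HTTP User-Agent).
PROFILES = [
    Profile("Printer", min_certainty=30, conditions=[
        Condition("oui", r"^00:17:A4$", 10),
        Condition("dhcp-class-identifier", r"JetDirect", 20),
        Condition("snmp-sysdescr", r"JETDIRECT|LaserJet", 30),
    ]),
    Profile("Apple-iPhone", min_certainty=40, conditions=[
        Condition("oui", r"^(3C:22:FB|A4:83:E7)$", 10),
        Condition("dhcp-host-name", r"iPhone", 10),
        Condition("user-agent", r"iPhone", 30),
    ]),
    Profile("IP-Camera", min_certainty=30, conditions=[
        Condition("oui", r"^00:0F:7C$", 10),
        Condition("dhcp-class-identifier", r"IP ?Camera", 20),
        Condition("http-server", r"ipcam|camera", 20),
    ]),
]


def profile_endpoint(attrs: Dict[str, str], profiles: List[Profile] = PROFILES) -> Tuple[str, int]:
    """Return (profile name, certainty), or ('Unknown', 0) when no profile reaches
    its threshold. Ties keep the earlier profile, so order the library deliberately."""
    best_name, best_score = "Unknown", 0
    for p in profiles:
        s = p.score(attrs)
        if s >= p.min_certainty and s > best_score:
            best_name, best_score = p.name, s
    return best_name, best_score


# Constructed probe data for three endpoints.
SAMPLE_ENDPOINTS = {
    "printer": {
        "oui": oui_of("00-17-a4-12-34-56"),
        "dhcp-class-identifier": "Hewlett-Packard JetDirect",
        "snmp-sysdescr": "HP ETHERNET MULTI-ENVIRONMENT,ROM none,JETDIRECT,JD153",
    },
    # A vendor OUI alone: what MAB sees before any other probe has fired.
    "phone-oui-only": {"oui": oui_of("3c:22:fb:aa:bb:cc")},
    "phone": {
        "oui": oui_of("3c:22:fb:aa:bb:cc"),
        "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)",
    },
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_ENDPOINTS.items():
        print(f"{name:15} -> {profile_endpoint(attrs)}")
```

Run it and the printer scores 60 on all three probes, the phone reaches exactly its threshold of 40 once the HTTP User-Agent arrives, and the OUI-only phone stays Unknown. That last case is why a MAB-only authorization should never grant more than the least-privileged profile until the more definitive probes have reported.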
Based on that visibility, the next step along the asset security continuum is to enforce access. Basic Asset
Enforcement lets you use the categorization of endpoints into profiles in your network access policy. This
ensures that, based on the visibility learnt for an endpoint, it is given only the network permissions appropriate
to its profile: printers can be restricted to print servers and the clients that need printing services, and mobile
BYOD devices to Internet access and low-risk internal systems.
Endpoint Analytics is designed to improve endpoint profiling fidelity. It provides fine-grained endpoint
identification and assigns labels to a variety of endpoints. This is done by analyzing endpoint attributes through
Deep Packet Inspection (DPI) and other probes aggregated from different sources such as SD-AVC, Cisco ISE,
and other third-party components.
It uses Artificial Intelligence (AI) and machine learning to group endpoints that share common attributes and
suggests the right endpoint profiling labels to IT admins. Multifactor classification classifies endpoints using
label categories, for flexible profiling. These endpoint labels can then be used in Cisco ISE to create custom
profiles that form the basis for granting the right set of access privileges to endpoints or endpoint groups via an
authorization policy.
Figure 5.
Cisco ISE Advanced Asset Visibility Use-case
Required license:
Attackers who compromise endpoints on a network focus on intentional data corruption (ransomware) and data
exfiltration. The most effective and well-publicized compromises take advantage of known issues that could
have been simply remediated but were overlooked. Compliance Visibility allows organizations to view how user
endpoints comply with corporate policy, through ISE Posture and/or integration with Mobile Device
Management (MDM) and Enterprise Mobility Management (EMM) systems (supported MDM/EMM systems can
be found here). Using either ISE's Posture engine or an MDM, an organization can evaluate how many endpoints
are compliant, and ensure that noncompliant software is not installed and/or running.
Figure 6.
Cisco ISE Compliance Visibility Use-case
Posture leverages installed and temporal agents looking inside the endpoint to provide assurance that operating
system patches, antimalware, firewall, and more are installed, enabled, and up to date before authorizing the
device onto the network.
Having good visibility into which endpoints comply with the corporate software policy is usually not enough;
customers often want to give endpoints differentiated access based on their compliance level. Compliance
Enforcement takes the overall compliance status, derived either through ISE's own Posture engine or through
the MDM/EMM integrations above, and uses it in an access policy. Combined with other attributes, e.g. identity,
this lowers organizational risk and shrinks the overall attack surface created by non-compliant, unhygienic
endpoints trying to connect to the network. Such a policy can give fully compliant endpoints full access to the
resources their user requires, while allowing endpoints found non-compliant access only to remediation
systems, help-desk systems and/or low-risk services.
Using either ISE's Posture engine or an MDM, an organization can evaluate how many endpoints are compliant
and ensure that non-compliant endpoints with outdated and/or unsupported software cannot access critical
resources.
Securing the wired network is essential to prevent unauthorized users from connecting their devices to the
network. Using ISE, network administrators can provide secure network access by authenticating and
authorizing users and devices. Authentication can be active or passive. Active authentication is done using
802.1X, where ISE authenticates the user against an Identity Source. Passive authentication involves ISE
learning the user's identity via Active Directory (AD) domain logins or other indirect means. Once the user or
device authenticates successfully, authorization takes place. Authorization is achieved by assigning the
endpoint's network access session a dynamic VLAN, a downloadable ACL, or another segmentation method.
Figure 7.
Cisco ISE Secure Wired Access Use-case
ISE authenticates users and endpoints via 802.1X, Web Authentication, MAB and other means. ISE can query
external identity sources for identity resolution and apply the appropriate network policy by instructing the
network devices.
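The Secure Wireless, Basic Asset Enforcement, Compliance Enforcement and Secure Wired passages all describe the same mechanism: after authentication, session attributes are matched against an ordered authorization policy and the winning result is pushed to the NAD as RADIUS attributes. The block below is an added example written for this page, not Cisco ISE code. It evaluates a session (authentication method, identity groups, Profiler label, posture and MDM status) against rules in first-match order, which is how ISE authorization policies are evaluated, and renders the matched authorization profile as the RADIUS Access-Accept a switch or WLC would receive: a dynamic VLAN through the Tunnel-* attributes, a dACL reference and an SGT as cisco-av-pair values. Rule names, group names, VLAN IDs, SGT numbers and dACL names are constructed; the av-pair syntax follows what Cisco RADIUS debug output shows and should be checked against your NAD release.

```python
"""Top-down authorization policy rendered as RADIUS results.

Added example; not Cisco ISE code. Session attributes are matched against
rules in first-match order and the matched authorization profile is rendered
as the RADIUS attributes the NAD would receive. Rule names, groups, VLAN IDs,
SGT numbers and dACL names are constructed; av-pair syntax as seen in Cisco
RADIUS debug output, to be verified against the NAD release in use.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    auth_method: str                      # "dot1x", "mab", "passiveid", "webauth"
    identity_groups: frozenset            # groups resolved from the identity source
    endpoint_profile: str = "Unknown"     # Profiler label, "Unknown" if none yet
    posture: str = "unknown"              # "compliant", "noncompliant", "unknown" (no agent)
    mdm_compliant: Optional[bool] = None  # None when no MDM/EMM integration


@dataclass(frozen=True)
class AuthzProfile:
    name: str
    vlan: Optional[str] = None
    dacl: Optional[str] = None            # name of the dACL the NAD downloads
    sgt: Optional[int] = None
    reject: bool = False

    def radius_result(self) -> dict:
        """Render as the Access-Accept (or Access-Reject) the NAD would see."""
        if self.reject:
            return {"code": "Access-Reject"}
        attrs: dict = {}
        avpairs: List[str] = []
        if self.vlan:
            attrs["Tunnel-Type"] = "VLAN"
            attrs["Tunnel-Medium-Type"] = "IEEE-802"
            attrs["Tunnel-Private-Group-ID"] = self.vlan
        if self.dacl:
            # The NAD fetches the ACE lines in a follow-up request that uses this
            # string as the username; the content-hash suffix is omitted here.
            avpairs.append(f"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-{self.dacl}")
        if self.sgt is not None:
            avpairs.append(f"cts:security-group-tag={self.sgt:04x}-00")  # hex tag + generation id
        if avpairs:
            attrs["cisco-av-pair"] = avpairs
        return {"code": "Access-Accept", "attributes": attrs}


FULL_ACCESS   = AuthzProfile("Employee-Full", vlan="10",  dacl="PERMIT_ALL",          sgt=10)
INTERNET_ONLY = AuthzProfile("BYOD-Internet", vlan="40",  dacl="INTERNET_ONLY",       sgt=40)
PRINTER       = AuthzProfile("Printer",       vlan="20",  dacl="PRINT_SERVERS_ONLY",  sgt=20)
REMEDIATION   = AuthzProfile("Remediation",   vlan="900", dacl="POSTURE_REMEDIATION", sgt=999)
DENY          = AuthzProfile("Deny", reject=True)

Rule = Tuple[str, Callable[[Session], bool], AuthzProfile]

# Order matters: the compliance rules sit above the group rules, so a
# non-compliant employee never reaches Employee-Full.
RULES: List[Rule] = [
    ("Posture-Noncompliant", lambda s: s.posture == "noncompliant", REMEDIATION),
    ("MDM-Noncompliant", lambda s: s.mdm_compliant is False, REMEDIATION),
    ("Employees-Compliant", lambda s: s.auth_method == "dot1x"
                                      and "Employees" in s.identity_groups
                                      and s.posture == "compliant", FULL_ACCESS),
    ("Employees-BYOD", lambda s: s.auth_method == "dot1x"
                                 and "Employees" in s.identity_groups
                                 and s.mdm_compliant is True, INTERNET_ONLY),
    ("Printers-MAB", lambda s: s.auth_method == "mab"
                               and s.endpoint_profile == "Printer", PRINTER),
]
DEFAULT_RULE: Rule = ("Default-Deny", lambda s: True, DENY)


def authorize(session: Session, rules: List[Rule] = RULES) -> Tuple[str, AuthzProfile]:
    """First-match evaluation; the default rule catches everything else."""
    for name, condition, result in list(rules) + [DEFAULT_RULE]:
        if condition(session):
            return name, result
    raise AssertionError("the default rule always matches")


# Constructed sessions covering the wired, wireless, profile-based and compliance cases.
SAMPLE_SESSIONS = {
    "employee-compliant": Session("dot1x", frozenset({"Employees"}), "Windows10-Workstation", "compliant"),
    "employee-noncompliant": Session("dot1x", frozenset({"Employees"}), "Windows10-Workstation", "noncompliant"),
    "employee-byod": Session("dot1x", frozenset({"Employees"}), "Apple-iPhone", "unknown", mdm_compliant=True),
    "printer": Session("mab", frozenset(), "Printer"),
    "unprofiled-mab": Session("mab", frozenset()),
}

if __name__ == "__main__":
    for label, s in SAMPLE_SESSIONS.items():
        rule, profile = authorize(s)
        print(f"{label:22} {rule:22} {profile.radius_result()}")
```

Two design points are worth noting. The default rule is a reject, so an unprofiled MAB endpoint gets nothing rather than inheriting a permissive result, and the posture and MDM rules are placed first so that a non-compliant device lands in the remediation VLAN even when every other attribute would have qualified it for full access.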
Many organizations have instituted a policy that allows employees to connect their personal devices, such as
smartphones, to the corporate wireless network and use them for business purposes. This is referred to as a
Bring Your Own Device (BYOD) policy. However, since these devices are owned by the individuals, users are
reluctant to install management software that lets the organization "manage" the endpoint. In such situations,
ISE provides a streamlined method to automate the entire BYOD onboarding process, from device registration
and supplicant provisioning to certificate installation. This can be done on devices across OS platforms such as
iOS, Android, Windows, macOS and ChromeOS. The ISE My Devices Portal, which is completely customizable,
allows end users to onboard and manage their devices.
https://cisco.com/go/csta
Figure 8.
Cisco ISE BYOD Use-case
ISE provides multiple elements that automate BYOD onboarding. This includes a built-in Certificate Authority
(CA) to create and help distribute certificates to different types of devices; the built-in CA provides complete
certificate lifecycle management. ISE also provides a My Devices Portal, an end-user facing portal that allows
end users to register their BYOD endpoints as well as mark one as lost so that it is blacklisted from the
network. BYOD onboarding can be accomplished either through a single SSID or through a dual SSID approach.
In the single SSID approach, the same SSID is used to onboard and connect the end user's device, while in the
dual SSID approach a separate open SSID is used to onboard devices and the device connects to a different,
more secure SSID after onboarding. For customers that want a more complete management policy, BYOD
onboarding can also direct the end user to the MDM onboarding page.
Cisco Rapid Threat Containment (RTC) makes it easy to get fast answers about threats on your network and to
stop them even faster. It uses an open integration of Cisco security products, technologies from Cisco partners,
and the extensive network control of Cisco ISE.
With integrated network access control technology, you can manually or automatically change a user's access
privileges when suspicious activity, a threat or a vulnerability is discovered. Devices suspected of being infected
can be denied access to critical data while their users keep working on less critical applications.
Figure 9.
Cisco ISE RTC Use-case
Cisco ISE integrates with security eco-system partners over pxGrid and/or Application Programming Interfaces
(APIs) to learn threat level of the endpoints to take mitigation actions.
Upon detecting a flagrant threat on an endpoint, a pxGrid eco-system partner can instruct ISE to contain the
infected endpoint either manually or automatically. The containment can involve moving the device to a
sandbox for observation, moving it to a remediation domain for repair, or removing it completely. ISE can also
receive the standardized Common Vulnerability Scoring System (CVSS) classifications and the Structured
Threat Information Expression (STIX) threat classifications, so that graceful manual or automatic changes to a
user’s access privileges based on their security score can be made.
Cisco ISE integrates with more than 75 eco-system partners over pxGrid to implement several use cases. All
the technology partners and the technical details about integrations can be found here:
https://community.cisco.com/t5/security-documents/ise-design-amp-integration-guides/ta-p/3621164
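The containment path above (partner scores the endpoint, then instructs ISE to quarantine it) is what the ISE Adaptive Network Control (ANC) REST API is for. The block below is an added example written for this page, not Cisco or partner code. It takes a CVSS base score for an endpoint, decides whether automatic containment is warranted, and builds the ERS calls that define an ANC policy and apply or clear it on the endpoint's MAC. The calls are returned as dictionaries rather than sent, so the example runs offline; send them with any HTTPS client against an ISE PAN that has ERS enabled, using an account with the ERS Admin role. The resource paths and JSON shapes follow the ISE ERS reference for ancpolicy and ancendpoint as this editor recalls them and should be verified against the ERS SDK page of your release; the host, credentials, policy name, threshold and sample MACs are constructed.

```python
"""Score-driven containment requests for the ISE ANC (Adaptive Network
Control) REST API.

Added example; not Cisco or partner code. Requests are built and returned,
not sent. Resource paths and JSON shapes follow the ISE ERS reference for
ancpolicy and ancendpoint (verify against your release); host, credentials,
policy name, threshold and sample MACs are constructed.
"""
from __future__ import annotations

import base64
import json
import re
from typing import Dict, Iterable, Optional, Tuple

ERS_PORT = 9060
ANC_ACTIONS = {"QUARANTINE", "SHUT_DOWN", "PORT_BOUNCE"}
QUARANTINE_POLICY = "ANC-Quarantine"   # constructed policy name
QUARANTINE_THRESHOLD = 7.0             # CVSS v3 'High' (7.0-8.9) and 'Critical' (9.0-10.0)


def normalize_mac(mac: str) -> str:
    """ISE expects colon-separated, upper-case MACs."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def policy_for_cvss(score: float) -> Optional[str]:
    """Return the ANC policy to apply, or None when the score is below the
    automatic-containment threshold and a human should decide."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return QUARANTINE_POLICY if score >= QUARANTINE_THRESHOLD else None


def _request(method: str, host: str, auth: Tuple[str, str], path: str, body: dict) -> Dict[str, object]:
    user, password = auth
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "method": method,
        "url": f"https://{host}:{ERS_PORT}{path}",
        "headers": {
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        "body": json.dumps(body),
    }


def create_policy_request(host, auth, name: str, actions: Iterable[str]) -> Dict[str, object]:
    """POST /ers/config/ancpolicy: define a policy once, e.g. ANC-Quarantine -> QUARANTINE."""
    actions = list(actions)
    unknown = set(actions) - ANC_ACTIONS
    if unknown or not actions:
        raise ValueError(f"invalid ANC actions: {unknown or 'none given'}")
    return _request("POST", host, auth, "/ers/config/ancpolicy",
                    {"ErsAncPolicy": {"name": name, "actions": actions}})


def apply_policy_request(host, auth, mac: str, policy: str) -> Dict[str, object]:
    """PUT /ers/config/ancendpoint/apply: attach a policy to an endpoint by MAC."""
    data = [{"name": "macAddress", "value": normalize_mac(mac)},
            {"name": "policyName", "value": policy}]
    return _request("PUT", host, auth, "/ers/config/ancendpoint/apply",
                    {"OperationAdditionalData": {"additionalData": data}})


def clear_policy_request(host, auth, mac: str) -> Dict[str, object]:
    """PUT /ers/config/ancendpoint/clear: release the endpoint once remediated."""
    data = [{"name": "macAddress", "value": normalize_mac(mac)}]
    return _request("PUT", host, auth, "/ers/config/ancendpoint/clear",
                    {"OperationAdditionalData": {"additionalData": data}})


def contain_if_needed(host, auth, mac: str, cvss: float) -> Optional[Dict[str, object]]:
    """The automatic path: build the apply call only when the score warrants it."""
    policy = policy_for_cvss(cvss)
    return apply_policy_request(host, auth, mac, policy) if policy else None


if __name__ == "__main__":
    ise, creds = "ise-pan.example.net", ("ersadmin", "example-password")  # constructed
    print(json.dumps(create_policy_request(ise, creds, QUARANTINE_POLICY, ["QUARANTINE"]), indent=2))
    for mac, score in (("00-11-22-33-44-55", 9.8), ("0011.2233.4466", 4.3)):
        req = contain_if_needed(ise, creds, mac, score)
        print(mac, score, "->", req["url"] if req else "below threshold, no action")
```

The threshold is deliberately a single number that a human can reason about, and anything below it returns None so the partner falls back to a manual ticket rather than quietly doing nothing; clear_policy_request exists so the same integration can release the endpoint once it has been remediated, which is the step most automatic containment setups forget.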
Network segmentation is a proven technology to protect critical business assets, but traditional approaches are
complex. Cisco Group Based Policy/TrustSec software-defined segmentation is simpler to enable than VLAN-
based segmentation. Policy is defined through security groups. It is an open technology in IETF, available within
Open Daylight, and supported on third-party and Cisco platforms. ISE is the Segmentation controller, which
simplifies the management of switch, router, wireless, and firewall rules. Group Based Policy / TrustSec
Segmentation provides better security for lower cost compared to traditional segmentation. Forrester
Consulting found in an analysis of customers that operational costs are reduced by 80% and policy changes are
98% faster.
Figure 10.
Cisco ISE Segmentation Use-case
The illustration above shows users and devices assigned to security groups; their group membership is then
known throughout the network, so any enforcement device along the path can evaluate policy based on the
approved group-to-group communication.
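What "evaluate policy based on the approved group-to-group communication" means at an enforcement point can be shown in a few dozen lines. The block below is an added example written for this page, not Cisco code. The egress matrix keys (source SGT, destination SGT) to an SGACL written in the ACE syntax Cisco SGACLs use (permit tcp dst eq 443, deny ip log); a flow is classified by its two tags and that SGACL is evaluated top-down, with cells that have no SGACL falling back to a default policy. The tag numbers and names, the matrix and the sample flows are constructed, and every SGACL here ends in an explicit catch-all so that no platform-specific end-of-list behaviour is relied on.

```python
"""Group-to-group policy evaluation at a TrustSec enforcement point.

Added example; not Cisco code. SGT numbers, names, the matrix and the sample
flows are constructed. Every SGACL ends in an explicit 'permit ip' or
'deny ip' so the evaluation never depends on end-of-list behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp|icmp)"
    r"(?:\s+src\s+eq\s+(\d+))?(?:\s+dst\s+eq\s+(\d+))?(\s+log)?$"
)


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    log: bool = False


@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str                  # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_sgacl(text: str) -> List[Ace]:
    """Parse SGACL lines ('!' comments skipped); the last ACE must be a catch-all."""
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, sp, dp, log = m.groups()
        if proto in ("ip", "icmp") and (sp or dp):
            raise ValueError(f"ports are only valid for tcp/udp: {line!r}")
        aces.append(Ace(action, proto, int(sp) if sp else None, int(dp) if dp else None, bool(log)))
    if not aces or aces[-1].proto != "ip":
        raise ValueError("SGACL must end with an explicit 'permit ip' or 'deny ip'")
    return aces


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.src_port is not None and ace.src_port != flow.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != flow.dst_port:
        return False
    return True


SGT = {"Employees": 10, "Printers": 20, "Servers": 30, "Quarantine": 999}

# Constructed egress matrix; cells not listed use DEFAULT_SGACL.
MATRIX: Dict[Tuple[int, int], List[Ace]] = {
    (SGT["Employees"], SGT["Servers"]): parse_sgacl("""
        permit tcp dst eq 443
        permit tcp dst eq 22
        deny ip log
    """),
    (SGT["Employees"], SGT["Printers"]): parse_sgacl("""
        permit tcp dst eq 9100
        permit tcp dst eq 631
        deny ip
    """),
    (SGT["Employees"], SGT["Employees"]): parse_sgacl("deny ip"),   # no east-west between users
}
DEFAULT_SGACL = parse_sgacl("deny ip")   # allow-list model: unlisted cells deny


def evaluate(flow: Flow, matrix=MATRIX, default=DEFAULT_SGACL) -> Tuple[str, Ace]:
    """Return (action, matching ACE) for the flow, as an egress switch or firewall would."""
    sgacl = matrix.get((flow.src_sgt, flow.dst_sgt), default)
    for ace in sgacl:
        if ace_matches(ace, flow):
            return ace.action, ace
    raise AssertionError("unreachable: every SGACL ends in a catch-all")


if __name__ == "__main__":
    for f in (Flow(10, 30, "tcp", 51000, 443), Flow(10, 30, "tcp", 51000, 3389),
              Flow(20, 10, "tcp", 5000, 9100), Flow(999, 30, "tcp", 5000, 443)):
        action, ace = evaluate(f)
        print(f"{f.src_sgt:>4} -> {f.dst_sgt:<4} {f.proto}/{f.dst_port}: {action}"
              + (" (logged)" if ace.log else ""))
```

Note the asymmetry the matrix encodes: Employees may reach Printers on the print ports, but a Printer initiating a connection to an Employee hits the default cell and is denied, and a Quarantine tag is denied everywhere because no cell is defined for it. Choosing a deny default is what makes the matrix an allow-list; a permit default would turn every forgotten cell into an open path.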
To extend segmentation across the enterprise network, ISE interfaces with the Cisco Application Centric
Infrastructure (ACI) Controller, also called the Application Policy Infrastructure Controller - Data Center
(APIC-DC), to learn EPG names and to share Security Group (SG) names with the corresponding EPG value,
SGT value and Virtual Routing and Forwarding (VRF) name. This allows Cisco ISE to create and populate SG-EPG
translation tables, which the border device obtains in order to translate TrustSec and ACI identifiers as traffic
passes between the domains. The TrustSec-ACI Policy Plane integration guide gives an overview of ACI and the
configuration of the policy plane integration.
TrustSec technology is supported in over 50 Cisco product families and works with open source and third-party
products. ISE acts as the policy controller for routers, switches, wireless, and security products. Details about
product TrustSec capabilities are provided in the Platform Capability Matrix. The Quick Start Config Guide
illustrates a typical TrustSec network deployment with step by step configuration of a sample environment.
More design guides are also provided here.
Note: Licenses that enable Segmentation via SDA: Advantage or Premier on ISE, and Cisco DNA Premier
/ Cisco DNA Advantage. Please find more information in the SDA Ordering Guide
ISE builds contextual data about endpoints: device type, location, time of access, posture, the user(s)
associated with the asset and much more. Endpoints can be tagged with Scalable Group Tags (SGTs) based on
these attributes. This rich contextual insight can be used to enforce effective network access control policies
and can also be shared with eco-system partners to enrich their services. For example, in the Cisco Next
Generation Firewall (NGFW), policies can be written based on identity context such as device type, location and
user groups received from ISE. Conversely, specific context from third-party systems can be fed into ISE to
enrich its sensing and profiling capabilities, and for Threat Containment. The context exchange between the
platforms can be done via Cisco® pxGrid or REST APIs.
Figure 12.
Cisco ISE Security Integration
Cisco ISE integrates with more than 75 eco-system partners over pxGrid. All the technology partners and the
technical details about the integrations can be found here:
https://community.cisco.com/t5/security-documents/ise-design-amp-integration-guides/ta-p/3621164
Network and security administrators typically own the task of administering and monitoring the network and
security devices in an enterprise. When there are only a handful of devices, keeping track of admin users,
privileges and configuration changes is not difficult. However, when the network grows to tens, hundreds or
thousands of devices, managing them without automation and a smooth workflow becomes a nightmare. ISE
automates device administration using the TACACS+ protocol, with clean workflows and monitoring capabilities
in a dedicated area of the UI, and allows different permissions to be granted to different network operators.
Figure 13.
Cisco ISE Device Administration Use-case
When a network administrator tries to connect to a network device, the device sends out a “request for
connection” to ISE, and ISE asks for their credentials. Credentials are verified against an identity source.
Next, the network device asks ISE to authorize the network administrator. Once they get access to the shell
prompt, the network administrator can start executing commands. ISE can be configured to authorize individual
commands as well.
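The last sentence is the part that separates device administration from plain login: each command the administrator types is sent to the AAA server for a permit/deny decision. The block below is an added example written for this page, not Cisco ISE code. A command set is modelled as a list of (grant, command, argument regex) entries plus a flag that permits commands not listed, and the grant precedence used here (Deny Always over Permit over Deny) follows this editor's reading of the Permit/Deny/Deny Always grants in ISE TACACS+ command sets; check it against the ISE admin guide before relying on it. The roles, entries and sample commands are constructed.

```python
"""Per-command authorization with TACACS+ command sets.

Added example; not Cisco ISE code. Grant precedence (DENY_ALWAYS over PERMIT
over DENY) is the author's reading of the ISE command-set grants and should
be checked against the admin guide. Roles, entries and commands are
constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Tuple

PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"


@dataclass(frozen=True)
class Entry:
    grant: str
    command: str            # first token of the command line, case-insensitive
    arguments: str = ".*"   # regex that must match the whole remainder


@dataclass
class CommandSet:
    name: str
    permit_unmatched: bool = False      # "permit any command that is not listed"
    entries: List[Entry] = field(default_factory=list)


def split_command(line: str) -> Tuple[str, str]:
    parts = line.strip().split(None, 1)
    if not parts:
        raise ValueError("empty command line")
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def authorize_command(line: str, sets: List[CommandSet]) -> Tuple[str, str]:
    """Return ('permit'|'deny', reason) for one command line against every
    command set assigned to the administrator."""
    cmd, args = split_command(line)
    matches: List[Tuple[str, str]] = []
    for cs in sets:
        for e in cs.entries:
            if e.command.lower() == cmd and re.fullmatch(e.arguments, args):
                matches.append((e.grant, f"{cs.name}: {e.grant} {e.command} {e.arguments!r}"))
    # Deny Always overrides everything; a Permit in any set overrides a plain Deny.
    for wanted in (DENY_ALWAYS, PERMIT, DENY):
        for grant, reason in matches:
            if grant == wanted:
                return ("permit" if grant == PERMIT else "deny"), reason
    permissive = [cs.name for cs in sets if cs.permit_unmatched]
    if permissive:
        return "permit", f"unlisted command permitted by {permissive[0]}"
    return "deny", "no command set matched and none permits unlisted commands"


# Constructed roles.
HELPDESK = CommandSet("Helpdesk-ReadOnly", entries=[
    Entry(PERMIT, "show"),
    Entry(PERMIT, "ping"),
    Entry(DENY_ALWAYS, "reload"),
])
NETOPS = CommandSet("NetOps", permit_unmatched=True, entries=[
    Entry(DENY_ALWAYS, "reload"),
    Entry(DENY_ALWAYS, "write", r"erase"),
    Entry(DENY, "debug"),                      # a plain deny; another set may override it
])
SECOPS = CommandSet("SecOps-Debug", entries=[
    Entry(PERMIT, "debug", r"aaa\b.*"),        # only AAA debugging
])

ROLES = {
    "helpdesk": [HELPDESK],
    "netops": [NETOPS],
    "netops+secops": [NETOPS, SECOPS],
}

if __name__ == "__main__":
    for role, sets in ROLES.items():
        for cmd in ("show ip interface brief", "configure terminal", "write memory",
                    "write erase", "reload", "debug aaa authentication", "debug ip packet"):
            decision, why = authorize_command(cmd, sets)
            print(f"{role:14} {cmd:26} {decision:6} ({why})")
```

The helpdesk set is a pure allow-list (nothing unlisted is permitted), the NetOps set is the opposite with a few hard denies, and the combined NetOps plus SecOps role shows why grant precedence matters: "debug aaa" is denied by NetOps alone but permitted once SecOps is added, while "write erase" stays denied whatever else is assigned because it is a Deny Always.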
Figure 14.
Cisco ISE Deployment
2.1 Licenses
Subscriptions Overview
Cisco ISE licenses are licensed on a subscription basis. Subscriptions are available for standard term lengths of
1, 3, and 5 years. Following the completion of the term, the subscription will be automatically renewed for an
additional 1-year term unless the renewal is canceled.
Existing subscriptions may be changed during the term of the subscription. Changes may be made to products
and/or quantities ordered. Additional quantities may be added to the subscription at any time during the
subscription term by placing a “change-subscription” order. Quantities added through a Change-Subscription
order will co-terminate with the existing subscription. Quantities may be decreased for a subscription renewal,
but not mid-term for a current subscription. Click here for more information on the change-subscription
transaction.
Cisco ISE licensing provides the ability to manage the application features and access, such as the number of
concurrent endpoints that can use Cisco ISE network resources. Licensing in Cisco ISE is supplied as feature-
based packages with different features supported in each of the Essentials, Advantage, or Premier license. Full
details on features support is listed in Table 1.
The session-based license follows a tiered pricing model where pricing depends on the session count and the
term of the subscription. Sales and partner representatives should determine the correct sizing for each
customer deployment so that the appropriate session count is selected (the minimum is 100 sessions).
Cisco Commerce (CCW) will dynamically determine the correct price associated with the session count that is
entered.
Session bands: pricing is tiered by session count, with the top band at 100,000+ sessions.
Below is a list of the ISE licenses offered. Features under the licenses are mutually exclusive.
Device Administration (DA): enables Device Administration/TACACS+ support for network devices. Perpetual
license; one license per ISE Policy Service Node (PSN) with the TACACS+ persona enabled.
IPsec: enables VPN communication between Cisco ISE PSNs and Cisco Network Access Devices. Perpetual
license; one license per ISE PSN used for IPsec VPN communication to NADs, with up to 150 IPsec tunnels per
ISE PSN.
Feature matrix rows (one mark per license column):
MACsec (all): ✓ ✓ ✓ X
Threat-centric NAC: X X ✓ X
Almost all features, irrespective of ISE license, consume a license session, except for the ones listed below,
none of which consume a session:
PassiveID (Cisco-only subscribers): gathering, collating, and caching authentication data (username, IP
address and MAC) from other servers in the data center and distributing the authentication data to subscribing
systems.
PassiveID (non-Cisco subscribers): gathering, collating, and caching authentication data (username, IP address
and MAC) from other servers in the data center and distributing the authentication data to subscribing systems.
My Devices portal* and NSP: self-service web portal for users to add and manage their devices, with automatic
Network Supplicant Provisioning (NSP).
Context sharing: user and endpoint contextual attribute (who, what, where, when, etc.) data exchange between
Cisco ISE and third-party systems through pxGrid.
Endpoint Protection Services (EPS): APIs for delivering dynamic network controls of active network sessions.
Cisco TrustSec and ACI integration: interconnects the administrative domains of Cisco TrustSec and Application
Centric Infrastructure (ACI) to provide consistent end-to-end policy segmentation.
Note: For all features that do not directly consume sessions, it is required to still match the number of
licenses with the number of devices in the deployment.
Non-ISE authentication (e.g., AD) context shared with third-party platforms: Advantage license, 1:1 with the
number of endpoints.
Note: Each active endpoint's context shared with an external system will consume an Advantage license.
Each active endpoint session shared with an external system needs a 1:1 Advantage license. For example,
when a Windows laptop authenticates via 802.1X, one Essentials license is consumed. If this endpoint's
context is then shared with Cisco Stealthwatch or NGFW, one additional Advantage license is consumed.
ISE licenses are also available as part of Cisco’s many product and solution bundle offerings.
2.2 Appliances
Cisco ISE supports both physical and virtual appliances. You can find more details on Cisco ISE appliances
here.
2.2.1 Hardware
These are physical appliances delivered by Cisco that reside in your deployment.
Please note that ISE appliances always ship with the latest version of software, but the software version can be
changed manually. This would be in the form of a fresh installation. Please refer to the release notes and
administrator guide of the ISE release you plan to install.
Cisco ISE virtual appliances are supported on VMware ESX/ESXi 5.x and 6.x and on KVM on Red Hat Enterprise
Linux (RHEL) 7. Virtual appliances should be run on hardware that equals or exceeds the configurations of the
physical platforms listed in the Cisco ISE datasheet. The Cisco ISE virtual target must meet the memory and
disk space requirements given in the installation guide here: Cisco Identity Service Installation Guide
Smart Net Total Care® or Software Support Service (SWSS) contracts are available for Cisco ISE physical and
virtual appliances, and cover Base and Device Admin deployments as well. SWSS Basic is included for the
duration of all Cisco ISE subscription licenses; however, Smart Net Total Care (SNT) or another level of service
must be purchased to activate that SWSS.
Higher-value service levels, Software Support Enhanced and Premium, are available for the Cisco Base license
and all Cisco ISE subscription licenses. These service levels provide everything included in Software Support
Basic plus a richer feature set, such as software configuration guidance, direct access to experts with faster
response times and technical adoption support. Software Support Enhanced and Premium are available on two
billing platforms: the Subscription Billing Platform (SBP) and Term and Content. For an ISE 3.0 purchase on SBP,
the support options are available in the product ordering configuration. For a purchase on the Term and
Content platform, support is available via a top-level ATO PID in CCW: CISE-SW-SUPP.
Cisco offers Advisory Services to address your business objectives with the technology we offer. For example,
the Cisco Security Segmentation Service provides a strategic infrastructure segmentation approach to ensure
the success of your Segmentation initiative.
3. What’s new
This section helps existing customers of ISE understand the latest SKUs available for ISE, information directing
to end of life announcements of ISE SKUs and the comparison of legacy vs latest SKUs.
3.1 Highlights
We are introducing a new model for ISE licensing, which is a subscription-only model with Smart License
SKUs. In the new model there are three subscription-based license tiers: ISE Essentials, ISE Advantage and
ISE Premier. This is referred to as a nested-doll model, meaning that a higher tier license includes all
lower-tier features. For example, the ISE Premier license includes all ISE Advantage and ISE Essentials
features, and the ISE Advantage license includes all ISE Essentials features. The subscription term for each tier
is 1, 3, or 5 years.
License behaviour in releases before ISE 2.4 versus ISE 2.4 and later:
New VM license: before 2.4, licensed with no enforcement; from 2.4, licensed with PAK and Smart Licensing
enforcement.
Legacy VM license: before 2.4, licensed with no enforcement; from 2.4, licensed with PAK and Smart Licensing
enforcement.
New Device Admin license: before 2.4, identified and consumed as uncounted (an unlimited number of ISE
TACACS+ nodes within the deployment); from 2.4, identified and enables consumption of 1 ISE TACACS+ node.
Legacy Device Admin license: before 2.4, identified and consumed as uncounted (an unlimited number of ISE
TACACS+ nodes within the deployment); from 2.4, identified and enables consumption of up to 50 ISE
TACACS+ nodes.
For Essentials, Advantage, and Premier licenses, there is no change in the license identification or consumption
behavior.
Customers who purchased the Legacy VM licenses will need to obtain a Product Authorization Key (PAK)
for each VM licenses purchased when upgrading to ISE 2.4 and beyond. To obtain a PAK, email ise-vm-
license@cisco.com. Include the Sales Order numbers that reflect the ISE VM purchase, and your Cisco ID in
your email. Cisco will, in return, provide a medium VM PAK which is reflective of the VM specifications prior to
the introduction of small, medium, and large VM licenses with ISE 2.4. A medium VM PAK can be used with
small and medium VM installations.
If you upgrade to ISE 2.4 prior to obtaining a PAK, the deployment displays a warning, at which point you may
start using the new license procured. While on ISE 2.4, this is only a warning message and does not disrupt any
user’s ISE experience.
If you are unable to locate the sales order number pertaining to your past purchase of ISE VM, please reach out
to your Cisco sales representative or partner.
No action is needed. ISE appliances with valid support period can be upgraded to the latest software with
no additional license action for the appliance.
The legacy Device Admin license entitles an entire deployment of ISE to TACACS+ feature usage. This means
that all 50 ISE Policy Service Nodes (PSNs) can be enabled with TACACS+ capabilities.
Upon upgrade to ISE Release 2.4, the same legacy Device Admin license continues to entitle the deployment
with a total count of 50 PSNs that could be enabled with TACACS+ capabilities.
Upon upgrade to the ISE 3.0 release, the Device Admin license must be converted to a Smart License.
These licenses have been migrated to the new ISE Essentials, Advantage, and Premier licenses starting in
the ISE 3.0 release.
For complete behavior of these licenses upon upgrade to ISE Release 3.0, please refer to the section on
Migration below.
If you purchased one of the older licenses in the past (Base, Plus, or Apex) and would like to understand how to
migrate to today’s licenses, please go here.
Customers experiencing an issue with licensing and migration may open a case via Cisco Support Case
Manager (SCM) at https://cs.co/scmswl (choose ‘licensing’ option in SCM) with the Cisco sales order number
reflecting the ISE purchase.
The Cisco ISE Base license is only valid for releases prior to ISE 3.0. The features included were:
Authentication, Authorization, Accounting, Guest, PassiveID, and Security Group Tags. The Base license offered
a feature set similar to what is in Essentials today.
◦ Support contracts on all the Cisco ISE appliances (physical or virtual) in a deployment are a
prerequisite to purchasing and using ISE term-based licenses
◦ Default start of license usage is immediate. At the time of ordering, this start date can be adjusted up
to 60 days out from the current date. This calculation can be performed by CCW for you by counting
backwards from the end date the duration of the license or forward from the start date
◦ The term can be between 12 and 60 months, allowing the licenses to be co-termed
Customers are entitled to utilize the quantity and duration of the license per terms and conditions agreed upon
at the time of purchase.
(a) the deployment uses more than 125% (to account for a temporary burst of usage) sessions compared
to the quantity purchased; or
Compliance enforcement: The impact described below is experienced after a deployment is out of compliance
for 45 out of 60 consecutive days.
Alerts will be provided every day that a license is out of compliance. For term licenses, alerts are provided, 90,
60 and 30 days before expiry and also for the last 30 consecutive days before expiry.
Impact: There will be no impact to end users. Existing configuration continues to operate without disruption.
However, visibility and management of the features associated with an out-of-compliance license will be
affected.
These enforcement actions are subject to change in the future and will be conveyed in relevant release
material.
Orders for a Cisco ISE license subscription involve three SKU types:
● The subscription SKU, which is used to define the subscription term and start date
● The product SKUs, which are used to define the products and quantities that make up the subscription
● The support SKUs, which define the level of support for the subscription
Orders start with the selection of the top-level (umbrella) subscription SKU, followed by configuration of the
subscription by selecting the product and support SKUs that will constitute the subscription.
There is one SKU each for ISE Essentials, ISE Advantage, and ISE Premier. Pricing follows a tiered pricing model
and is calculated dynamically based on the seat count and term of the subscription.
Selecting the Subscription SKU. There is one Cisco ISE subscription SKU (ISE-SEC-SUB). There is no price for
the subscription SKU. Pricing is determined when product SKUs are added and configured. A quantity of 1
should be selected because each end customer may have one, and only one, subscription. Product quantities
will be entered when the product SKUs are added to the subscription.
After selecting the subscription SKU, choose “Select Options” to edit the subscription term and the requested
start date.
Figure 15.
Subscription SKU selection on CCW
The service is provisioned and the subscription starts on the service start date. The provisioning of the service
may take up to 72 hours, assuming the order information is complete and correct.
When the subscription terms have been set, the next step is to add products to the subscription. The term for
the product is defined by the subscription term. Start by selecting the appropriate product in the subscription
configuration summary. The guidance below uses ISE-P-LIC as an example. Having chosen to configure the
subscription for the product, you then enter the quantity based on the number of sessions.
Figure 17.
Selecting Billing SKUs on CCW
Figure 18.
Selecting Billing SKU quantity on CCW to view dynamic pricing
After the products have been added, the next step is to define the support level desired for the subscription.
There are three Cisco ISE support SKUs, corresponding to the three levels of support. To configure support for
the subscription, start by selecting “Cisco ISE Support Options” in the subscription configuration summary:
Basic Support is the standard support model and is selected by default. Enhanced or Premium Support may be
purchased by selecting the appropriate level of support from the support options. Enhanced and Premium
Support prices are calculated dynamically based on a percentage of the product cost and must meet annual
minimum requirements.
One ISE Device Administration license is required per Policy Service Node that operates on Device
Administration transactions.
One Cisco ISE IPsec license is required for every Policy Services Node used for IPsec VPN communication to
the NADs. There is a maximum of 150 IPsec tunnels per Policy Services Node.
SNS-3515-K9: Small Secure Network Server for ISE Applications. Customer must choose either upgrade or new
purchase.
SNS-3595-K9: Large Secure Network Server for ISE Applications. Customer must choose either upgrade or new
purchase.
SNS-3615-K9: Small Secure Network Server for ISE Applications. Customer must choose software option.
SNS-3655-K9: Medium Secure Network Server for ISE Applications. Customer must choose software option.
SNS-3695-K9: Large Secure Network Server for ISE Applications. Customer must choose software option.
Hard disk drives by platform:
3515/3595: UCS-HD600G10K12G, 600-GB 12-Gb SAS 10K RPM SFF hard disk; hot pluggable; drive sled
mounted.
3615/3655/3695: UCS-HD600G10K12N, 600-GB 12-Gb SAS 10K RPM SFF hard disk; hot pluggable; drive sled
mounted.
Virtual machine SKUs:
R-ISE-VMS-K9=: Cisco ISE Virtual Machine Small; minimum 16 GB RAM and 12 CPU cores (SNS-3515
equivalent).
R-ISE-VMM-K9=: Cisco ISE Virtual Machine Medium; minimum 64 GB RAM and 16 CPU cores (SNS-3595
equivalent).
R-ISE-VML-K9=: Cisco ISE Virtual Machine Large; minimum 256 GB RAM and 16 CPU cores, for MnT in clusters
supporting more than 500,000 concurrent sessions.
Manual renewal
Any subscription can be manually renewed if the customer or partner desires, with standard terms of 12, 36, or
60 months. For manual renewals, quotes are created using the same process as the Change-Subscription
process outlined below. This process will create a new quote. After a quote is approved, it can be converted to
an order following the standard process.
Subscription cancellations
Renewals may be cancelled up to 60 days before the start date of the new term. If the subscription is not
cancelled 60 days prior to the start of the new term, the subscription will automatically renew. Mid-term
cancellations of subscriptions for credit are not allowed.
Cisco offers a variety of license management tools at the License Registration Portal. A valid Cisco.com user
name and a password are required to access the portal. Key features of the Cisco License Registration portal
include:
● Simplified asset management: identifies PAKs registered to a customer and the devices with installed
licenses
● Automated software activation: quickly processes PAK registration and license file distribution
● License transfers: rehosts existing licenses to new Cisco ISE Administration nodes
● Replacement of devices: uses the “return materials authorization” to request replacement PAKs and
licenses