ISE 3.5 Licensing Consumption Alignment Overview

Cisco Identity Services Engine (ISE) 3.5 implements crucial updates to its licensing consumption logic, aligning actual feature utilization with documented intent and existing licensing guides. This initiative clarifies consumption metrics, rather than altering the core licensing model or tier capabilities (Advantage, Premier, Apex). The primary objective is to rectify prior discrepancies where certain Advantage-tier features did not consume licenses as originally intended. In ISE 3.5 version we intend to address this by ensuring that features like pxGrid, pxGrid Direct, Profiling, and TrustSec now accurately reflect their license consumption more accurately.

Key Alignments in ISE 3.5:

• Profiling: An Advantage license is now consumed upon endpoint classification by the Profiler, irrespective of its use in an authorization policy. Existing exclusions for guest endpoints and static group assignments remain.
• pxGrid: License consumption now occurs per active session when session data is shared with pxGrid clients via the session topic (e.g., WebSocket updates, bulk retrieval via REST API).
• pxGrid Direct: A license is consumed when pxGrid Direct attributes are referenced in an authorization rule and present in the JSON payload, even if the policy does not result in a match.
• TrustSec: License consumption is tracked and reported based on the actual assignment of a Security Group Tag (SGT) to an endpoint/session, independent of its usage within authorization policies.

Rationale for Alignment:

These updates are designed to provide clearer visibility into true license consumption, ensure fairness by aligning usage with documented feature utilization, eliminate inconsistent consumption logic across features, and facilitate more accurate license planning and budgeting.

Enhanced Reporting and Visibility:

ISE 3.5 introduces new reporting capabilities to support these alignments:

• Licensing Audit Report: Displays historical daily peak license usage over the last 30 days.
• Current Active Sessions Report: Offers real-time details on current license consumption, including feature-level breakdowns and MAC addresses. This report can be exported as CSV and scheduled for automated delivery.

Enforcement Posture:

For ISE 3.5 (Base version), these changes are for visibility only, with no immediate enforcement of license limits. Instances of usage exceeding purchased licenses will trigger non-intrusive "Consumption Alerts" (replacing "Out of Compliance" messages). It is critical to note that future ISE 3.5 patches (e.g., 3.5 p3/p4) and subsequent releases will enforce licensing based on these updated consumption metrics.

Recommended Internal Actions:

Organizations should leverage the new ISE 3.5 reports to assess current consumption for pxGrid, pxGrid Direct, Profiling, and TrustSec. Monitoring "Consumption Alerts" and comparing usage against purchased entitlements is crucial for identifying potential gaps and planning any necessary license adjustments prior to future enforcement. Refer to the official Cisco ISE Licensing Guide for comprehensive details.

Key ISE Upgrade Resources:

• Refer to the ISE 3.x Licensing Migration Guide for key next steps from migrating your license, software upgrade and potential hardware updates
• View the Cisco ISE End-User Resource guide
• Review the latest release notes for ISE 3.x
• Watch the ISE Upgrade recording
• Check out the Network Access Control Guided Resource