Cisco Identity Services Engine - Manage Licenses

Cisco ISE Licenses

Cisco ISE services provide visibility and control over the increasing number of endpoints in your network. Cisco ISE features are mapped to specific licenses and you can enable the licenses that provide the Cisco ISE capabilities you need to meet your organizational needs.

Cisco ISE is bundled with a licensing mechanism with the following salient features:

Built-in License: Cisco ISE comes with a built-in evaluation license that is valid for 90 days. You do not have to install a Cisco ISE license immediately after you install Cisco ISE. You can use the Evaluation license that provides all the Cisco ISE functionalities.

Note

Cisco AI Analytics is not supported with the built-in evaluation license. Please check the Cisco AI Analytics section for more details.
Central Management of Licenses: The Cisco ISE Primary Administration node (PAN) centrally manages Cisco ISE licenses. In a distributed deployment that has primary and secondary PANs, the primary PAN automatically shares the licensing information with the secondary PAN.
Concurrent Active Endpoint Count: Cisco ISE licenses include a count value for each tier license. Each tier license supports a specific number of active endpoints at any time. The count value refers to the number of active endpoints across the entire deployment that are using specific Cisco ISE services at any time. Because Cisco ISE licensing relies on RADIUS accounting, you must have RADIUS services enabled on the network devices.

Concurrent active endpoints refer to the total number of supported users and devices. Here, an endpoint could mean users, PCs, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.

Cisco ISE Release 3.0 and later releases do not support legacy licenses, such as Base, Plus, and Apex licenses, that were used in Cisco ISE Release 2.x. Cisco ISE Release 3.x licenses are managed entirely through a centralized database that is called the Cisco Smart Software Manager (CSSM). You can register, activate, and manage all your licenses easily and efficiently with single-token registration.

To maximize economy for customers, licensing in Cisco ISE is supplied in the following packages:

Tier Licenses

From Cisco ISE Release 3.0, a new set of licenses that are called Tier Licenses replace the Base, Apex, and Plus licenses used in releases earlier than Release 3.0. Tier Licenses include three licenses—Essentials, Advantage, and Premier.

If you currently have Base, Apex, or Plus licenses, use the CSSM to convert them into the new license types.
Device Administration Licenses

Policy Service nodes (PSN) that have the TACACS+ persona enabled on them use Device Administration licenses.
Virtual Appliance Licenses

Cisco ISE Release 3.1 and later releases support the ISE VM License. This license replaces the VM Small, VM Medium, and VM Large licenses that were supported in releases earlier than 3.1. The ISE VM License covers the Cisco ISE VM nodes in both on-prem and cloud deployments.

If a virtual appliance is used, but your Cisco ISE does not have an active VM license, you receive warnings and notifications of noncompliant license consumption until you procure and install a VM license. However, Cisco ISE services are not interrupted.
Evaluation Licenses

The Evaluation license is enabled by default when you first install Cisco ISE Release 3.0 and later releases and support up to 100 endpoints. Evaluation licenses are 90-day licenses that give you access to all the Cisco ISE features. During the evaluation period, license consumption is not reported to the CSSM.

If you are upgrading to Cisco ISE Release 3.0 and later releases with Base, Apex, and Plus licenses smart licenses, your smart licenses are upgraded to the new license types in Cisco ISE. However, you must register the new license types in CSSM to activate the licenses in the Cisco ISE release that you upgrade to.

If you own traditional Cisco ISE licenses, you must convert them to smart licenses to enable license consumption in Cisco ISE Release 3.0 and later releases. To convert Cisco ISE 2.x licenses to the new license types, open a case online through the Support Case Manager at http://cs.co/scmswl, or use the contact information that is provided at http://cs.co/TAC-worldwide.

Notifications about noncompliant license consumption are also displayed in Cisco ISE. If your license consumption is out of compliance for 30 days in a 60-day period, you will lose all administrative control of Cisco ISE until you purchase and activate the required licenses.

When upgrading from one licensing package to another, Cisco ISE continues to offer all the features that were available in the earlier package before the upgrade. However, you do have to reconfigure any settings that you had already configured. For example, if you currently use an Essentials license and later add an Advantage license, the features that are already configured using the Essentials license will not change.

You should update your license agreements if:

The evaluation period has ended, and you have not yet registered your license.
Your license has expired.
The endpoint consumption exceeds your licensing agreement.

Cisco ISE Community Resource

Cisco Identity Services Engine Ordering Guide

For information on how to obtain evaluation licenses, see How to Get ISE Evaluation Licenses.

Tier Licenses

The following table specifies what the new Tier Licenses enable.

Cisco ISE Tier Licenses
License Name	What Does this License Enable?
Essentials	RADIUS authentication, authorization, and accounting, including 802.1X, MAC authentication bypass and easy connect, and web authentication. MACsec. Authentications that are based on Single Sign-On (SSO), Security Assertion Markup Language (SAML), and Open DataBase Connectivity (ODBC) standards. Guest access and sponsor services. Representational State Transfer (REST) APIs for monitoring purposes, and External RESTful Services APIs for CRUD operations. Passive ID services. Secure wired and wireless access.
Advantage	All the features that are enabled by the Cisco ISE Essentials license. Bring Your Own Device (BYOD) device registration and provisioning, with a built-in certification authority. Device registration occurs through the configured My Devices portals. Security Group Tagging, TrustSec, and Cisco Application-Centric Infrastructure (ACI) integration. Profiling services, including basic asset visibility and enforcement features. Feed services. Context sharing (such as pxGrid), and security ecosystem integrations. Rapid Threat Containment, using Adaptive Network Control and context-sharing services. Cisco AI Endpoint Analytics visibility and enforcement.
Premier	All the features that are enabled by the Cisco ISE Essentials and Advantage licenses. Posture visibility and enforcement. Compliance visibility and enforcement through Enterprise Mobility Management and Mobile Device Management. Threat-Centric Network Access Control visibility and enforcement.

Note

You may witness higher Cisco ISE license consumption count if the privacy settings in endpoints permit MAC randomization or rotating and changing MAC. When an endpoint authenticates with a new random MAC address, a new Cisco ISE session is created.

Device Administration Licenses

A Device Administration license allows you to use TACACS services on a Policy Service node. In a high availability (HA) standalone deployment, a Device Administration license permits you to use TACACS services on a single Policy Service node in the HA pair.

Evaluation Licenses

Evaluation licenses are activated by default when you install or upgrade to Cisco ISE Release 3.0 and later releases and support up to 100 endpoints. The Evaluation license is active for 90 days, and you have access to all the Cisco ISE features during this time. Cisco ISE is considered to be in Evaluation mode when the Evaluation license is in use.

The Cisco ISE GUI displays messages with the number of days that are left in the Evaluation mode. The messages are of the following types:

Informational: 90 to 60 days before Evaluation mode ends

Warning: 60 to 30 days before Evaluation mode ends

Critical: 30 days to the end of the Evaluation mode

Note

You must purchase and register Cisco ISE licenses by the end of the Evaluation mode to continue using the Cisco ISE features that you need.

Cisco ISE Smart Licensing

When a smart license token is active and registered in the Cisco ISE administration portal, the CSSM monitors the consumption of licenses by each endpoint session per product license. Smart Licensing notifies the administrator about license consumption by endpoint sessions with a simple table layout in Cisco ISE. Smart Licensing reports the peak usage of each enabled license to the centralized database daily. When licenses are available and not consumed, the administrator is notified of available licenses and can continue to monitor usage. When consumption exceeds the number of licenses available, an alarm is activated and the administrator is notified through alarms and notifications.

With Smart Licensing, you can also manage the different license entitlements included through your Cisco Smart Account, such as Essentials, Advantage, Premier, or Device Admin. From Cisco ISE, you can monitor basic consumption statistics per license entitlement. From your CSSM account, you can view additional information, statistics, and notifications, as well as make changes to your account and entitlements.

Cisco ISE takes internal samples of license consumption every 30 minutes. License compliancy and consumption is updated accordingly. To view this information in the Licenses table in Cisco ISE, from the main menu, choose Administration > System > Licensing, and click Refresh.

From the time you register your Cisco ISE Primary Administration node (PAN) with the CSSM, Cisco ISE reports peak counts of license consumption to the CSSM server every six hours. The peak count reports help ensure that license consumption in Cisco ISE is in compliance with the licenses purchased and registered. Cisco ISE communicates with the CSSM server by storing a local copy of the CSSM certificate. The CSSM certificate is automatically reauthorized during the daily synchronization, and when you refresh the Licenses table. Typically, CSSM certificates are valid for six months.

If there is a change in the compliance status when Cisco ISE synchronizes with the CSSM server, the Last Authorization column of the Licenses table is updated accordingly. In addition, when entitlements are no longer compliant, the number of days for which they are out of compliancy appears in the Days Out of Compliancy column. Noncompliancy is also indicated in the notifications displayed at the top of the Licensing area, and on the Cisco ISE toolbar next to the License Warning link. In addition to notifications, you can view alarms.

Note

Device Admin licenses are authorized when Cisco ISE communicates with the CSSM server, but they are not session-based, and therefore, no consumption count is associated with them in the Licenses table.

The compliance column of the Licenses table displays one of the following values:

In Compliance: The use of this license is in compliance.
Released Entitlement: The licenses have been purchased and released for use, but none have been consumed so far in this Cisco ISE deployment. In such a scenario, the Consumption Count for the license is 0.
Evaluation: Evaluation licenses are available for use.

Register and Activate Smart Licenses

Before you begin

If you have traditional Cisco ISE licenses, you must convert them to smart licenses.
If you are upgrading to Cisco ISE Release 3.0 and later releases with existing smart licenses, convert the licenses to the new smart license types in CSSM.
Register your new smart license types in CSSM to receive a registration token.

If you are upgrading to Cisco ISE Release 3.4 with existing smart licenses and use Transport Gateway as the licensing connection method, you must edit the setting before you upgrade to the release. You must choose a different connection method as Cisco ISE Release 3.4 does not support Transport Gateway. If you upgrade to Cisco ISE Release 3.4 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.

Procedure

Step 1	In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Licensing.
Step 2	In the Licensing window that is displayed, click Registration Details.
Step 3	In the Registration Details area that is displayed, enter the registration token that you received from CSSM, in the Registration Token field.
Step 4	Choose a connection method from the Connection Method drop-down list: Choose from: Direct HTTPS if you have configured a direct connection to the internet. HTTPS Proxy if you do not have a direct connection to the internet and need to use a proxy server. (If you change your proxy server configuration after you register Cisco ISE Smart Licenses, you must update your Smart Licenses configuration in the Licensing window. Cisco ISE establishes a connection with the CSSM using the updated proxy server, avoiding disruption of Cisco ISE services.) SSM On-Prem Server to connect to the configured SSM on-prem server. This option is available in Cisco ISE Release 3.0 Patch 2 and later. See Smart Licensing for Air-Gapped Networks.
Step 5	In the Tier and Virtual Appliance areas, check the check boxes for all the licenses you need to enable. The chosen licenses are activated and their consumption is tracked by CSSM.
Step 6	Click Register.

Manage Smart Licensing in Cisco ISE

After you activate and register your Smart Licensing token, you can manage license entitlements from Cisco ISE by:

Enabling, disabling, and refreshing license entitlement certificates.
Updating Smart Licensing registration.
Identifying compliant and noncompliant licensing issues.

If you have carried out the legacy or new Cisco ISE split upgrade process, the secondary PAN is promoted to the primary PAN in the process. In the Cisco ISE administration portal, choose Administration > Licensing. In the Cisco Smart Licensing area, click Update.

A licensing alarm is displayed in your Cisco ISE until you update your licenses.

Before you begin

Ensure that you have activated and registered your Smart Licensing token.

Procedure

Step 1	(Optional) When you first install Cisco ISE Release 3.0 and later releases, all the license entitlements are enabled automatically as part of the Evaluation mode. After you register your license token, if your CSSM account does not include certain entitlements and you did not disable them during registration, noncompliant notifications are displayed in Cisco ISE. Add those entitlements to your CSSM account (contact your CSSM account representative for assistance), and then, in the Licenses table, click Refresh to remove noncompliant notifications and continue to use the related features. After you refresh the authorization, log out and then log back in to Cisco ISE for the relevant noncompliancy messages to be removed.
Step 2	(Optional) If the daily automatic authorization does not succeed for any reason, noncompliancy messages may appear. Click Refresh to reauthorize your entitlements. After you refresh the authorization, log out and then log back in to Cisco ISE for the relevant noncompliancy messages to be removed.
Step 3	(Optional) When you first install Cisco ISE Release 3.0 and later releases, all license entitlements are enabled automatically as part of the evaluation period. After you register your token, if your CSSM account does not include certain entitlements and you did not disable them during registration, you can still disable those entitlements from Smart Licensing in ISE in order to avoid unnecessary noncompliant notifications. From the Licenses table, check the check boxes for the license entitlements that are not included in your token, and click Disable from the toolbar. After you have disabled license entitlements, log out and then log back in to Cisco ISE for the relevant features to be removed from the menus and for the noncompliancy messages to be removed.
Step 4	(Optional) After you add entitlements to your account, enable those entitlements. From the Licenses table, check the check boxes for the required disabled licenses, and click Enable from the toolbar.
Step 5	(Optional) The registration certificate is automatically refreshed every six months. To manually refresh your Smart Licensing certificate registration, click Renew Registration at the top of the Licensing window.
Step 6	(Optional) To remove your Cisco ISE registration (indicated by UDIs) from your Smart Account, but continue to use Smart Licensing till the end of the evaluation period, click Deregister at the top of the Cisco Smart Licensing area. You can do this, for example, if you need to change the UDIs you have indicated as part of the registration process. If you still have time remaining in your evaluation period, Cisco ISE remains in Smart Licensing. If your evaluation period is at an end, a notification appears when the browser is refreshed. After you deregister your smart license, you can follow the registration process again in order to register with the same or different UDIs.
Step 7	(Optional) To remove your Cisco ISE registration (indicated by UDIs) from your Smart Account entirely, and to revert to traditional licensing, click Disable at the top of the Cisco Smart Licensing area. You can do this, for example, if you need to change the UDIs you have indicated as part of the registration process. After you disable the smart license, follow the registration process again in order to activate and register with the same or different UDIs.

Troubleshooting: Unregistered License Usage

Issue

Endpoint license consumption relies on the attributes that are used in the authorization policy with which an endpoint is matched.

Consider a scenario where you only have a Cisco ISE Essentials license registered in your system, because you deleted the 90-day Evaluation license. You will be able to see and configure the corresponding Cisco ISE Essentials menu items and features.

If you configure an authorization policy to use a feature, for example, if you use the Session:PostureStatus attribute that requires an Premier license, and an endpoint matches this authorization policy, then:

The endpoint consumes a Cisco ISE Premier license despite the fact that a Cisco Premier license has not been registered in the system.
You see notifications of noncompliant license consumption whenever you log in.
Cisco ISE displays notifications and alarms with the message Exceeded license usage than allowed. This is because there are no Cisco ISE Premier licenses that are registered in CSSM for your Cisco ISE, but an endpoint is consuming one.

Note

The licensing alarm is displayed for about 60 days from the first occurrence of noncompliant license use even if you fix the licensing issue by registering the necessary licenses.

If the use of all three Tier licenses is out of compliance for 30 days in a 60-day period, administrative control of Cisco ISE is lost until you register the correct licenses. You will be able to access only the Licensing window in the Cisco ISE administration portal until the correct licenses are registered. However, Cisco ISE continues to handle authentications.

Possible Causes

Because of the configuration of an authorization policy, the Licensing table reports that Cisco ISE has used a license that you have not purchased and registered. Before you purchase an Advantage or Premier license, the Cisco ISE administration portal does not display the features covered by these licenses. However, after you purchase these licenses, the GUI continues to display the features that the licenses enable even after the license has expired or endpoint consumption of the license has exceeded a set limit. Thus, you can configure the features even if you do not currently have a valid license for them.

Solution

In the Cisco ISE administration portal, click the Menu icon () and choose Policy > Policy Sets, identify the authorization rule that is using the feature for which you do not have a registered license, and reconfigure that rule.

Smart Licensing for Air-Gapped Networks

An air-gapped network does not allow any communication between a secured network and an external network. Cisco ISE Smart Licensing requires Cisco ISE to communicate with the CSSM. If your network is air-gapped, Cisco ISE is unable to report license usage to CSSM, and this lack of reporting results in the loss of administrative access to Cisco ISE and restrictions in Cisco ISE features.

To avoid licensing issues in air-gapped networks and enable full Cisco ISE functionality, you can:

Configure a Smart Software Manager (SSM) On-Premises server.

You must configure an SSM On-Prem and ensure that Cisco ISE can reach this server. This server takes over the role of CSSM in your air-gapped network, releasing license entitlements, as needed, and tracking usage metrics. The SSM On-Prem server also sends notifications, alarms, and warning messages that are related to licensing consumption and validity.
For more information on how to configure the SSM On-Prem server connection, see Configure Smart Software Manager On-Prem for Smart Licensing.
Enable Specific License Reservation, which is a smart licensing method that helps you manage Smart Licensing when your organization's security requirements do not allow a persistent connection between Cisco ISE and the SSM. Specific License Reservation allows you to reserve specific license entitlements on a Cisco ISE PAN.

For more information, see Specific License Reservation.

Configure Smart Software Manager On-Prem for Smart Licensing

Before you begin

Configure an SSM On-Prem server and ensure that Cisco ISE can reach this server. For more information, see Smart Software Manager On-Prem Resources.

You must update to SSM On-Prem Release 8-202108 or later to register your license successfully for Cisco ISE 3.0 and later.

If you buy more licenses or modify your license purchases, you must connect the SSM On-Prem server to CSSM for the changes to be available in your local server.

Note

ISE-PIC 2.7 and earlier do not support Smart Licensing.

Procedure

Step 1	In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Licensing.
Step 2	Click Registration Details.
Step 3	In the Registration Details area that is displayed, in the Registration Token field, enter the registration token that you received from CSSM.
Step 4	From the Connection Method drop-down list, choose SSM On-Prem server . The Certificate window in the SSM On-Prem portal displays either the IP address or the hostname (or FQDN) of the connected SSM On-Prem server.
Step 5	In the SSM On-Prem server Host field, enter the configured IP address or the hostname (or FQDN).
Step 6	In the Tier and Virtual Appliance areas, check the check boxes for all the licenses you want to enable. The chosen licenses are activated and their consumption is tracked by CSSM.
Step 7	Click Register. Note Ensure that port 443 and the port used for ICMP communication are open while registering Cisco ISE with the SSM On-Prem server. Cisco ISE must be able to communicate directly with the SSM On-Prem server through port 443, without the interception of MITM (Man In The Middle) devices. Apart from upgrade and patch installation processes, no modifications to the Smart Licensing trust store are supported.

Specific License Reservation

Specific license reservation is a smart licensing method that helps you manage Smart Licensing when your organization's security requirements do not allow a persistent connection between Cisco ISE and the Cisco Smart Software Manager (CSSM). Specific license reservation allows you to reserve specific license entitlements on a Cisco ISE PAN.

While Cisco ISE smart licensing works as a nested-doll model where a higher tier license includes all the lower tier features, specific license reservation does not support such a model. In specific license reservation, you must reserve and activate the required license count for each Cisco ISE license type. For example, if you want to use Cisco ISE features enabled by Advantage and Premier licenses, you must reserve both Advantage and Premier licenses. You receive error or nonauthorized behavior notifications if your Cisco ISE contains only Premier licenses.

You can create a Specific License Reservation by defining the type and number of licenses you must reserve, and then activate the reservation on a Cisco ISE node. The Cisco ISE node on which you register and enable the reservation then tracks license use and enforces license consumption compliance.

A Specific License Reservation can be enabled only on the Cisco ISE node for which it is generated. In a distributed deployment, we recommend that you enable Specific License Reservations on your primary and secondary PANs.

If there are no Cisco ISE licenses registered on your secondary PAN, in the case of primary PAN failure, Cisco ISE access and services are impacted. You will not be able to view or modify any Cisco ISE policies or elements. We strongly recommend registering Cisco ISE licenses on both primary and secondary PANs for uninterrupted Cisco ISE access.

If Cisco ISE licenses are registered on the secondary PAN as well, in the event of a primary PAN failover, Cisco ISE will continue to be accessible through the newly promoted secondary PAN. You can then work on rejoining the primary PAN to its original state.

For tier licenses (Essentials, Advantage, Premier), we recommend that you register 100% of the required licenses on the primary PAN and an additional license count on the secondary PAN. The following table explains two approaches to ensuring uninterrupted access to Cisco ISE if you require 100 tier licenses:

Recommended License Distribution for Tier Licenses
Minimum required license distribution that ensures Cisco ISE runs uninterrupted.		What to expect in the event of a primary PAN failover	Maximum license distribution that ensures Cisco ISE runs uninterrupted, without noncompliance alarms.		What to expect in the event of a primary PAN failover
Primary PAN	Secondary PAN		Primary PAN	Secondary PAN
100	1	Since the newly promoted primary PAN doesn’t have sufficient licenses, your Cisco ISE goes out of compliance. Cisco ISE enters a 30-day grace period. Before the grace period expires, rejoin the original primary PAN with the higher license count. Alternatively, to continue working with the newly promoted primary PAN, release the licenses reserved on original PAN and reserve the required licenses on the newly promoted PAN.	100	100	No impact on Cisco ISE services or operations. No remediation actions are required. You must only rejoin the original PAN to Cisco ISE.

In the case of Device Admin and Virtual Appliance licenses, if you require 10 licenses of either type in your Cisco ISE, register ten on the primary PAN and at least one on the secondary PAN. The following table explains two approaches to ensuring uninterrupted access to Cisco ISE, if you need 10 virtual licenses or 10 device admin licenses:

Recommended License Distribution for Virtual Licenses and Device Admin Licenses
Minimum required license distribution that ensures Cisco ISE runs uninterrupted.		What to expect in the event of a primary PAN failover	Maximum license distribution that ensures Cisco ISE runs uninterrupted, without noncompliance alarms.		What to expect in the event of a primary PAN failover
Primary PAN	Secondary PAN		Primary PAN	Secondary PAN
10	1	Since the newly promoted primary PAN doesn’t have sufficient licenses, your Cisco ISE goes out of compliance. Cisco ISE enters a 30-day grace period. Before the grace period expires, rejoin the original primary PAN with the higher license count. Alternatively, to continue working with the newly promoted primary PAN, release the licenses reserved on original PAN and reserve the required licenses on the newly promoted PAN.	10	10	No impact on Cisco ISE services or operations. No remediation actions are required. You must only rejoin the original PAN to Cisco ISE.

You will not be able to use any license entitlements that are not part of your Specific License Reservation. Out-of-compliance alerts are displayed in the Cisco ISE administration portal if license usage is not in compliance with the license reservation.

Enable Specific License Reservation

Procedure

Step 1	In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Licensing.
Step 2	In the License Type area, click the Specific License Reservation radio button.
Step 3	In the SLR Configuration area, click Generate Code in the Standalone/Primary PAN area. A code is displayed in the Reservation Code field next to it. Note After you generate the reservation code, click Cancel Request to return the reservation code to the CSSM server. This code is then rendered invalid. You must generate a new reservation code the next time you want to install and enable Specific License Reservation on your primary PAN.
Step 4	Copy the reservation code to submit it in the CSSM portal (Step 8).
Step 5	Log in to the software.cisco.com portal, and from the main menu, choose License > Smart Software Licensing.
Step 6	Choose Inventory > Licenses to view your purchased smart licenses, license entitlements in use, and available entitlements.
Step 7	Click License Reservation. A Smart License Reservation workflow dialog box is displayed.
Step 8	In the Step 1: Enter Request Code tab, in the field that is displayed, enter the reservation code you received from Cisco ISE (Step 3).
Step 9	Click Next.
Step 10	In the Step 2: Select Licenses tab, click the Reserve a specific license radio button. Then, in the Reserve column of the table displayed, for each license type, enter the number of license entitlements you want to reserve on the primary PAN.
Step 11	Click Next.
Step 12	In the Step 3: Review and Confirm tab, review the details of your specific license reservation, and click Generate Authorization Code.
Step 13	The Step 4: Authorization Code tab contains a field that displays the authorization code in XML format. This XML content includes information on the license reservation and the Cisco ISE node for which the SLR is generated. Do not make any modifications to this content because tampered code is rejected by Cisco ISE. Click Download As File to download the .txt file with the XML content to your local system.
Step 14	In the Licensing window of the Cisco ISE administration portal, in the Primary PAN area, click Upload SLR License Key and choose the XML file that you downloaded from the CSSM portal. It takes a few minutes for the key to upload to your node and for the activation of the Specific License Reservation.
Step 15	To configure Specific License Reservation on your secondary PAN, carry out the following steps in the Secondary PAN (optional) area: Click Generate Code. A code is displayed in the Reservation Code field next to it. Note After you generate a reservation code, click Cancel Request to return the reservation code to the CSSM server. This code is then rendered invalid. You must generate a new reservation code the next time you want to install and enable Specific License Reservation on your secondary PAN. Repeat Step 5 to Step 13 to configure the Specific License Reservation for your secondary PAN. In the Secondary PAN area, click Upload SLR License Key and choose the XML file that you downloaded from the CSSM portal. It takes a few minutes for the key to get uploaded to your node and for the activation of the Specific License Reservation.

Update Specific License Reservation

You can modify the Specific License Reservation for a node, as required. You might have to update your Specific License Reservation in the following scenarios:

Evolving business needs that require you to modify your license reservation.
A primary PAN failover after which the primary PAN cannot be recovered. When the primary PAN fails, the license entitlements reserved on it are no longer available in Cisco ISE. To avoid losing administrative access to Cisco ISE because of noncompliant license usage, you must return the Specific License Reservation that was enabled on the node, and update the Specific License Reservation on your new primary PAN (the promoted secondary PAN) accordingly.

Procedure

Step 1	In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Licensing.
Step 2	From the UDI Details area, copy the serial number of the node for which you want to update the Specific License Reservation.
Step 3	Log in to the software.cisco.com portal, and from the main menu, choose License > Smart Software Licensing.
Step 4	Choose Product Inventory.
Step 5	Enter the serial number that you copied from Cisco ISE in the search bar displayed above the inventory list, to view the corresponding entry.
Step 6	From the Actions drop-down list, choose Update Reserved Licenses.
Step 7	Click the Reserve a Specific License radio button to view the list of licenses. Edit the number of license reservations in the corresponding field in the Reserve column.
Step 8	Click Next.
Step 9	In the Step 3: Review and Confirm tab, review the details of your specific license reservation and click Generate Authorization Code.
Step 10	The Step 4: Authorization Code tab contains a field that displays the authorization code in XML format. Do not make any modifications to this content because Cisco ISE rejects tampered code.
Step 11	Click Download As File. A .txt file with the XML content downloads gets downloaded to your local system.
Step 12	In the Licensing window of the Cisco ISE administration portal, in the required PAN area, click Update SLR Code and choose the XML file that you downloaded from the CSSM portal. It takes a few minutes for the key to get uploaded to your node and for the Specific License Reservation to be activated.
Step 13	After you submit the updated Specific License Reservation code, a confirmation code is displayed in the Update Reservation dialog box. Copy this confirmation code to submit it in the CSSM portal.
Step 14	Repeat Step 3 and Step 4, and in the dialog box that is displayed, click Enter Confirmation Code and enter the confirmation code generated by Cisco ISE.

Return Specific License Reservation

If Specific License Reservation is enabled on multiple nodes, you must carry out the return reservation process for each node to completely remove Specific License Reservation.

If Specific License Reservation is active on your secondary PAN, and you return the Specific License Reservation that is active on your primary PAN, the reservation on your secondary PAN is also automatically returned.

In a high-availability PAN configuration, when you return the Specific License Reservation on the primary PAN, the secondary PAN's Specific License Reservation is also returned.

Each node has a unique return code generated, and you must submit each of the return codes in the CSSM to remove Specific License Reservations from the nodes.

Procedure

Step 1	In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Licensing.
Step 2	Click Return Reservation for the node whose Specific License Reservation you want to return. A return code is displayed in the Return Reservation dialog box.
Step 3	Copy this code and submit it in your CSSM to complete the reservation return process.
Step 4	Log in to the software.cisco.com portal, and from the main menu, choose License > Smart Software Licensing.
Step 5	In the Smart Software Licensing window, click Product Inventory.
Step 6	Enter the serial number that you copied from Cisco ISE in the search bar displayed above the inventory list to view the corresponding entry.
Step 7	From the Actions drop-down list, choose Remove.
Step 8	In the Remove Product Instance dialog box that is displayed, enter the Return Reservation code that you received from Cisco ISE.
Step 9	Click Remove Product Instance. The license entitlements in the license reservation are now released and available in the CSSM.

Manage Licenses

Manage Licenses

Cisco ISE Licenses

Tier Licenses

Device Administration Licenses

Evaluation Licenses

Cisco ISE Smart Licensing

Register and Activate Smart Licenses

Before you begin

Procedure

Choose from:

Manage Smart Licensing in Cisco ISE

Before you begin

Procedure

Troubleshooting: Unregistered License Usage

Issue

Possible Causes

Solution

Smart Licensing for Air-Gapped Networks

Configure Smart Software Manager On-Prem for Smart Licensing

Before you begin

Procedure

Specific License Reservation

Enable Specific License Reservation

Procedure

Update Specific License Reservation

Procedure

Return Specific License Reservation

Procedure

Bias-Free Language

Need help?