Tens of thousands of organizations depend on Cisco’s Identity Services Engine (ISE) to enforce a range of network access policies based on user, device, location, role, application and other attributes. Recent changes to Cisco’s licensing scheme may create some confusion for organizations preparing to upgrade to the latest versions of the ISE software.
Cisco announced the new licensing structure when ISE 3.0 was launched in September 2020. Legacy licenses issued for 2.x versions are no longer supported for ISE 3.0 and 3.1. Organizations will be required to convert their legacy Base, Plus and Apex licenses to the new ISE Essentials, Advantage and Premier licenses.
The change is designed to simplify licensing tiers across the Cisco portfolio. It mimics the licensing scheme for Cisco DNA Center, the network management command center that integrates with ISE to enable all authentication and access management functions through a central dashboard.
The legacy license structure was based on the so-called “Lego” model. The Base, Plus and Apex licenses all had different features that did not overlap. To gain all features, you had to have all three licenses. The new scheme uses a “nested doll” model in which the higher tiers include the features of the lower tiers. In this way, you only need one Premier license to gain all features.
Smart Licensing Requirements
The change also eliminated the option of purchasing perpetual licenses that allow you to use the software indefinitely. The Essentials, Advantage and Premier licenses are all subscription licenses, offered for one-, three- and five-year terms. Following the completion of the term, the subscription is automatically renewed for an additional year unless the renewal is canceled.
Additionally, you must use Cisco’s new Smart Licensing model to activate and manage licenses across the organization. With this model, your company can create a Smart Account that contains a pool of software licenses to be used throughout the enterprise.
You can procure, register, activate and manage all licenses through the Cisco Smart Software Manager (CSSM) portal. Endpoint devices self-register and report license consumption through the portal, eliminating the need to acquire and enter product activation keys to register and use software.
Upcoming Product Sunset Dates
With several earlier versions of ISE nearing end of life or end of support, organizations should begin preparing for upgrades and the licensing changes they will involve. Here are some of the milestone ISE retirement dates:
- Cisco stopped selling ISE Base, Plus and Apex licenses on March 9, 2022.
- ISE versions 2.4 and earlier will no longer be supported after Dec. 26, 2022.
- ISE 2.6 reaches end of software maintenance on Jan. 31, 2023. After this date, Cisco will no longer develop, repair, maintain or test the product. It will no longer be supported after Jan. 31, 2024.
- ISE 2.7 reaches end of software maintenance on Sept. 22, 2023, and end of support on Sept 22, 2024.
If you are planning an upgrade to ISE 3.0, you must be running version 2.4 or later. Otherwise, you’ll need to do a two-step upgrade — installing release 2.4, 2.6 or 2.7 before upgrading to 3.0. For an upgrade to ISE 3.1, you must be running version 2.6 or later to avoid a two-step upgrade.
The upgrade process can be tricky and time-consuming. Cerium can help you develop an upgrade path to maximize efficiency and ensure you don’t experience any licensing difficulties. We can also help you conduct a system health check to identify and resolve any issues that might create problems during the upgrade. Contact us to learn more.
Upgrading Cisco ISE?
Upgrading Cisco’s Identity Services Engine is a multistep process that can be tricky and time-consuming. New licensing requirements add to the challenge. Cerium can provide guidance to ease the process. Call us to learn more.