Introduction
The licensing for Cisco’s AAA system Identity Services Engine, or ISE, used to be pretty straight forward but in the past years, it has been getting more and more complicated (and more expensive) to get the licenses needed for your deployments.
One of the major changes to ISE licensing is that starting with version 2.4, virtual ISE deployments require a so-called ISE VM Node License for every ISE-server in your deployment. Previous versions of ISE only used licensing to increase features or concurrent maximum users.
Sooner or later, deployments running pre-2.4 versions of ISE will have to upgrade to not fall behind in features, for security reasons or because older versions are simply going End-of-Support. Upgrading to ISE 2.4 from the previous ISE version works the same way it always has (and we’re not gonna cover that here), but when your deployment is up and running you will receive a warning that your deployment is lacking in ISE VM licenses… which is a warning you haven’t seen before.
ISE VM Node licenses come in different forms depending on the virtual hardware specifications (number of CPUs and the amount of RAM) used for your ISE nodes. However, pre-2.4 ISE customers will always be given the Medium size license because this license supports what used to be the most powerful physical ISE servers in previous version. In 2.4 and going forward there is also a Large ISE VM license available. To make thing easy for Cisco, they simply hand out the Medium license to every pre-2.4 customer. The licenses work “up to” the specifications detailed below which are coming from Cisco’s website.
How to get your hands on the ISE VM Licenses
The first thing you need to find is the original Cisco Sales Order number (also known as “SO #”) that was assigned to the purchase of your ISE virtual machines, which uses the product number “ISE-VM-K9”. If you have purchased this product in steps (for example if you started with 2 ISE nodes, then went to 4, then to 6, and so on) you will need to find all Sales Order that was used to purchase the nodes.
Send an email to licensing@cisco.com (up until June 2019 the email address ise-vm-license@cisco.com was used) with a description of your situation and include which Sales Order numbers were used to purchase your ISE-VM-K9. You should also include the name of your Cisco Account (CCOID) when making contact with Cisco.
Give it a day or two and when Cisco gets back to you they will send you one PAK-code for each Sales Order number you are requesting to get VM licenses for.
Tie the ISE VM Licenses to your ISE Policy Administration Nodes (PANs).
Just like with all ISE licenses you need to use the PAK-codes to tie them to the serial numbers of the Primary and Secondary Policy Administration Nodes (PAN), you know, the ones you use to actually manage all of the other ISE nodes. The easiest way to get the serial numbers is to SSH to each node and run the command show udi
ise01/admin# show udiSPID: ISE-VM-K9VPID: V01Serial: JFFG11XXXXXAnd the same procedure on your secondary PAN…
ise02/admin# show udiSPID: ISE-VM-K9VPID: V01Serial: JFFG11YYYYYNow head over to cisco.com/go/license, log in with your Cisco account and navigate to Get licenses > From PAK, put in your PAK-code, and fill in the ISE information which you got from the commands above. Do this once for every PAK code. As you enter the PAK codes and your ISE information you will be able to download the license file directly and usually a copy of the license files is sent to your Cisco email address.
Installing the ISE VM Licenses
When you have got your hands on the actual license files (which has the extension .lic) all you need is to install them in ISE just like you normally do with Base, Plus, and Apex licenses. Head over to Administration > Licensing and upload the license files one by one… and you’re done! No more warnings.
Notes
The ISE VM License warning does not impact the actual operation of the ISE services, but the warnings are very annoying and you never know what Cisco might change in future versions of ISE so really do make sure you make use of this process to get licenses you are entitled to.