Cisco ISE : Base, Plus and Apex Licenses

Today I am going to cover the licensing model of Cisco ISE. Cisco ISE or so called Cisco Identity Services Engine is a NAC solution and is widely used in the networks where you can use for authentication, authorisation  and accounting (AAA). 

We wrote some of the article earlier on Cisco ISE, please check the below links to the article which talks about the Cisco ISE and the competition with the other vendors. 

Now if you understand what is NAC solution and how Cisco ISE or other NAC solution like Aruba ClearPass and ForeScout Counter ACT works you understand the authentication, authorisation  and accounting (AAA) statergy. 

Now Let's talk about the licensing model of Cisco ISE where we use Cisco ISE Base licenses, Cisco ISE Plus Licenses and Cisco ISE Apex Licenses. 

The Cisco ISE Device Administration, Cisco ISE Base, Cisco ISE Plus and Cisco ISE Apex licenses are all available as traditional PAK based licenses as well as Smart Licenses. Cisco ISE supports both physical and virtual appliances. Cisco ISE physical appliances are based on the Cisco Secure Network Server, a Cisco UCS C220 rack server configured specifically to support Cisco ISEBelow are the various form factors for Cisco ISE
  • SW-3515-ISE-K9 for the Cisco Secure Network Server 3515 - Physical 
  • SW-3595-ISE-K9 for the Cisco Secure Network Server 3595 - Physical 
  • R-ISE-VM-K9 - Virtual
Fig 1.1- Cisco ISE Licenses

Feature supported in Cisco ISE Base License
  • Basic RADIUS authentication, authorisation, and accounting, including 802.1x, MAC Authentication Bypass 
  • Web authentication (local, central, device registration) 
  • MACsec (all) 
  • SSO, SAML, ODBC – based authentication 
  • Guest portal and sponsor services 
  • Representational state transfer (monitoring) APIs 
  • External RESTful services (CRUD)-capable APIs 
  • Security group tagging (Cisco TrustSec SGT) 
  • PassiveID (Cisco Subscribers) 

Feature supported in Cisco ISE Plus License
  • Passive ID (Non-Cisco Subscribers) 
  • Profiling 
  • Profiler feed service 
  • Device registration (My Devices portal) and provisioning for Bring Your Own Device (BYOD) with built-in Certificate Authority (CA) 
  • Context sharing pxGrid 
  • Endpoint Protection Services (EPS) 
  • TrustSec – ACI Integration 
  • Location based integration using CMX/MSE 
  • Rapid Threat Containment (RTC) (using ANC and pxGrid) 
Feature supported in Cisco ISE Apex License
  • Posture (endpoint compliance and remediation)