top of page

Cisco Identity Services Engine 2.4 (Apex Licenses) Why? When? How?


Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources.To maximize economy for customers, licensing in Cisco ISE is supplied in different packages as Base, Plus, Apex, and Mobility Upgrade.

In today's article I will explain what Apex License is and why /when you need it :

  • Posture assessment/compliance

  • Threat Centric Network Access Control (TC-NAC)

  • 3rd party mobile device management (MDM) integration

What functionality is included in the Device Administration license?

The Device Administration license has one function: Enable the TACACS+ server functions. That’s it. Pretty straight forward! If you want to use ISE as a TACACS+ server, this is the license you need to get.

What is actually included in each Apex license?

In fact, Posture assessment is an extra layer of security . You can utilize a persistent agent like AnyConnect (with the ISE posture module) or a dissolvable agent to perform some checks against a Windows or Mac client to verify they meet certain requirements. The following points can be checked via Posture Assessment:

  • USB drive plugged in (Windows only (up to today's date))

  • Windows registry entries

  • Windows service status

  • Specific antivirus program is installed, running, and updated

Cisco ISE does not have posture clients available for mobile devices running Android and iOS. That’s where MDM integration comes into play. ISE can force mobile devices to register with your company’s MDM. If it’s already registered, ISE can check with the MDM to verify it meets all of the requirements set in your MDM. MDM integration is not only for Android and iOS devices but also fot any device managed by an MDM like Mac OS X and JAMF can be checked by ISE for MDM compliance. ISE integrates with several 3rd party MDM servers like :

  • Absolute

  • AirWatch

  • Citrix XenMobile

  • Globo

  • Good Technology

  • IBM MaaS360

  • JAMF Software

  • Meraki SM/EMM

  • MobileIron

  • SAP Afaria

  • SOTI

  • Symantec

  • Tangoe

  • Microsoft Intune - for mobile devices

  • Microsoft SCCM - for desktop devices

TC-NAC is yet another layer of security for your network devices. It allows ISE to react to threat and vulnerability notifications from several vulnerability scanners. ISE can take action, like quarantining, via ANC to minimize the risk from that device being on the network when a threat notification is received. This feature is huge if you have a lot of IoT devices because those devices rarely value security. Cisco ISE 2.4 supports the following TC-NAC adapters:

  • SourceFire FireAMP

  • Cognitive Threat Analytics (CTA) adapter

  • Qualys

  • Note: Only the Qualys Enterprise Edition is currently supported for TC-NAC flows.

  • Rapid7

  • Nexpose

  • Tenable Security Center

Note: TC-NAC should only be enabled on a dedicated PSN and only the TC-NAC persona should be enabled. Attention: Only one node can have TC-NAC enabled.

How are Apex licenses consumed?

Apex licenses are consumed along with Base licenses any time an authorization rule is based on the following conditions:

  • Posture assessment is utilized against an endpoint

  • An authorization rule triggers a TC-NAC event (scanning, quarantining, etc.)

  • An endpoint is verified against an MDM for compliance

How many Apex licenses do I need?

You will need enough Apex licenses to cover any of the above consumption scenarios. The number of Apex licenses must be less than or equal to the number of Base licenses. Let’s assume you have 10k endpoints (workstations, printers, APs, etc.) but only want to run posture assessment against 2k workstations. You would only need 2k Apex licenses.

One thing to remember is that the ISE Apex license does not cover licensing for using AnyConnect as the posture enforcement agent for Windows and Mac endpoints. You will also need AnyConnect Apex licenses for every endpoint.

How are Device Administration licenses consumed and how many do I need?

You only need one (1)! There is no consumption outside of enabling the TACACS+ server functions. Once you add the Device Administration license, you can enable device administration on all of your PSNs if you wanted to. But don’t do that. Plan your deployment properly so you’re not overwhelming your PSN between RADIUS authentications and TACACS+ authentications.


All product names, logos, and brands are property of their respective owners in the Austria or other countries.

All company, product and service names used on this website are for identification purposes only. Pheniix is notaffiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, Openstack, Vagrant, Ansible, Docker, GIT, , Blockchain or other companies.

Use of these names, logos, and brands does not imply endorsement.

The opinions expressed on pheniix are personal perspectives and not those of Cisco , Dimension Data or any other company. Pheniix runs as an independent blog.

#Cisco #ISE #CiscoIdentityServicesEngine #CiscoSecurity #Cybersecurity #CloudSecurity #MikeGhahremani #BaseLicense #Licensing

bottom of page