NAC END SYSTEM LICENSING SYSTEM OVERVIEW:
End system licensing is a global system that accounts for unique end systems that have authenticated in a 24 hour period. The total end system count is applied across all NAC appliances. The end systems can exist on one, or multiple NAC appliances as long as the maximum licensed count is not exceeded.
HOW TO DETERMINE CURRENT MAXIMUM END SYSTEMS ARE LICENSED:
In NAC Manager click the menu option "Tools" > Update Enterprise Licensing
This will have a counter for Total End-System License Limit
DETERMINING CURRENT END SYSTEM LICENSING USAGE:
In OneView click on the "Identity and Access" tab > System
This will give you a "Seen Last 24 Hours" counter that will tell you how close to to the licensing limit.
HOW ASSESSMENT LICENSING IS COUNTED:
Assessment licensing counts all end systems that exist and have a current assessment health status from an assessment (agentless or agent-based). This number is then compared to the assessment licensing count installed. If the specific NAC deployment is keeping end systems for a longer duration per configuration then these older assessments will count toward the licensing count as Assessment licensing is not based on a 24 hour counter, but instead any end system with an assessment result, not matter how old.
HOW TO INCREASE END SYSTEM LICENSE COUNT:
Licenses will need to be purchased through sales to increase the amount of end systems.
NAC CAPACITY VS GLOBAL END SYSTEM CAPACITY:
There are two separate capacity counters for end systems. NAC capacity, found if you click on the NAC appliance and click the "Configuration" tab shows a per appliance capacity. This count can vary based on the appliance, and licensing initially installed if a virtual appliance. This NAC capacity counter is not affiliated with the global end system capacity. If you click the link for capacity this value can be changed, and is used as a tool to determine the hardware required for the expected end system count, and features deployed. Changing this value will cause an enforce flag, but does not change licensing related end system counts. This counter can also help to identify the end systems currently being handled by the selected NAC appliance.
Global End System Capacity, found under tools > Update Enterprise Licensing, is the total global end system capacity that is licensed on the system.
NAC LICENSING TYPES:
NMS-ADV - This license unlocks all NetSight features (Except Purview and Assessment), includes licensing for virtual NAC appliances, and includes 500 end systems that are added to the global end system capacity. In a system that has an NMS-ADV license you can install and license for use as many NAC appliances as the system will handle. Each NAC appliance that is added into NetSight NAC Manager after the NMS-ADV license is applied can be licensed using the NMS-ADV by clicking the "update license" button and agreeing to use the NMS-ADV license in the pop-up that appears.
NMS-XXX - This license allows for use of NAC/Access Control virtual appliances since the introduction of version 6.3.x.x. In a system that has an NMS license you can install and license for use as many NAC appliances as the system will handle. IA-ES-XX licenses must be added.
NMS-Base-XXX licenses do not allow for NAC/Access Control appliances to be used regardless if the customer has purchases IA-ES-XX licenses. They must have NMS-XXX or NMS-ADV to make use of the functionality.
NAC-ASSESS or NAC-ASSESSMENT licenses are legacy licenses that can only be added to the NetSight solution through the Tools --> Server Information --> License tab --> "Add License" button. You cannot add more the 1 of these licensing types to the system at any time. Each NAC-ASSESS or NAC-ASSESSMENT license that you add after the initial license will overwrite the previous license. If you have additional NAC-ASSESS or NAC-ASSESSMENT licenses you will need to contact your inside services representative in order to trade in the NAC-ASSESS or NAC-ASSESSMENT licenses for IA-PA-3K licensing keys.
The following licenses are added via NAC Manager->Tools->Update Enterprise license. See below Pic
IA-ES-XK - This license increases the global end system licensing count on the entire system based on the part name. The license exists in the following formats:
IA-ES-1K: Increases end systems by 1,000
IA-ES-3K: Increases end systems by 3,000
IA-ES-6K: Increases end systems by 6,000
IA-ES-12K: Increase end systems by 12,000
IA-PA-XK - This license increases the amount of end systems allowed to perform assessment in a system and unlocks the assessment feature. This license is also global and is not restricted to a specific NAC appliance. This license exists in the following formats:
IA-PA-3K: Increases assessment count by 3000
IA-PA-12K: Increases assessment count by 12,000
NAC-V-20/NAC-VX -Post Software 7.08.xx, the NAC-V-XX will be overwritten via any IA-ES-XX license. So these licenses will need to be traded in via sales channel for IA-ES-XX licenses if they both exists as the IA-ES-XX will take precedence. See the following KCS for reference.
Access Control / EAC / NAC does not allow you to update the NAC with a NAC-V-XX license if a IA-ES-XX license is already applied
Below is for older software references only.
These license license virtual NAC appliances to be allowed to be managed by the NetSight Server. In a licensing system that does not have an NMS-ADV license applied each NAC appliance must have a NAC-V-20, or NAC-VX license applied in order to license the appliance for use. These licenses also increase the end system capacity.
NAC-V-20: Licenses 1 NAC appliance and adds 3,000 users to global end system count
NAC-VX-5: Licenses 1 NAC appliance and adds 500 users to global end system count.
These licenses are entered here:
PHYSICAL APPLIANCE LICENSING:
NAC-A-20, and SNS-TAG type appliances do not need to be licensed as licensing is included with these physical appliances. They do not need to be licensed for use, and will add 3,000 end systems to the global capacity per physical appliance.
IA-A-X type appliances include a license for use, but do not increase the global end system capacity. These appliances should be paired with IA-ES-XK type keys to increase the global end system capacity.
GLOBAL END SYSTEM LICENSING VIOLATION ACTIONS:
If authentications exceed the global end system capacity there is a 4 stage violation procedure that is put into action.
Stage 1: The NetSight Administrator group users receive a pop-up error message when they login that the system has exceeded licensing and additional licensing should be purchased.
Stage 2: All NetSight users receive a pop-up error message when they login that the system has exceeded licensing and additional licensing should be purchased.
Stage 3: All end systems authenticating that exceeded the maximum threshold. (Ex. If maximum of 3000 end systems this stage only affects the 3001st end system and higher) will no long have any end system events tied to the end system. The end system will authenticate normally, but no events for the end system will display. Stages 1 and 2 will still be in effect.
Stage 4: All end systems authenticating that exceeded the maximum threshold. (Ex. If maximum of 3000 end systems this stage only affects the 3001st end system and higher) will fall into the "Catch All" rule in the NAC Manager rules engine, and will not be authorized normally. Stages 1, 2, and 3 will still be in effect.
There is a minimum of 120 days of violation before stage 4 will be triggered.
Here is a message that will appear in the /var/log/tag.log on the Access Control appliance.
[NacRuleEngine] System is oversubscribed, using catch-all profile…
7-10 days are required in order to clear the violation stage and reset back to normal operation, after additional licensing is purchased the error messages will still appear until the violation stages are reset.
LICENSE KEY FILE INFORMATION:
1. SSH to the NAC appliance
2. Run the following command:
Look under "Appliance License and Capacity Diagnostics"
LICENSE FILE LOCATION:
Virtual NAC appliance licensing files are located in the /etc/tag-license file.
Licensing for NetSight is found in the following directory:
TRADE IN OR TRANSFER OF NAC-A-20 to NAC-V-20 LICENSE:
Each NAC-A-20 can be traded in for an IA-ES-3K when they decommission the NAC-A-20. Then they pay maintenance on the IA-ES-3K licenses. Please contact your Sales representative for this to occur, or GTAC can create a Sales Lead for them to contact you.
END SYSTEMS LICENSE ERRORS:
If the following error is presented there is no end system licensing applied to the system. Generally if this error states "which exceeds the limit of -1" of "0" this is caused by an expired evaluation. This is the license violation error message that will appear to NetSight users if the system has entered violation, but will have a valid license limit instead of "-1" or "0"
If the NAC has an expired evaluation key applied to it it must be removed manually with the following procedure:
1. SSH to NAC
2. manually remove tag-license file from the /etc directory.
3. Restart the NAC services
4. The NAC should temporarily show as down, and once it comes back up should have an orange arrow and will need to be licensed according.
If the previous procedure doesn't resolve the issue. You may need to manually install the IA-ES key.
Details on this procedure:
NAC - Orange Arrow in NAC manager (Unlicensed) not licensed
ERRORS WHEN ENTERING LICENSE KEYS:
In NetSight version 5.x and higher the IA-ES, and IA-PA licenses are only accepted through the menu option Tools > Update Enterprise License. If these licenses are attempted in the Tools > Server Information > Licensing tab they will not apply to the system correctly.
License keys starting in "INCREMENT" are not in the correct format for versions 5 and higher and will need to be upgraded through the Extranet.
Link found here:
How to upgrade a NetSight Extreme Management Control license for use with version 7
If licenses are not accepted please check to make sure there is no trailing space, or any extra spaces in the activation key, the activation key starts with 0001: and ends with =, and that the system time on the NetSight Server is correct.