Reset Search



NAC Troubleshooting Tips: Licensing overview and common issues (ExtremeControl)

« Go Back


TitleNAC Troubleshooting Tips: Licensing overview and common issues (ExtremeControl)
  • To discuss various information gathering and resolution tips to licensing issues on NAC (Control) appliance.
  • License issues with NAC
  • License issue with Access Control
  • Netsight NAC Manager Version 5.x and up
  • Netsight NAC appliance Version 5.x and up
  • Extreme Managment Center 

End system licensing is a global system that accounts for unique end systems that have authenticated in a 24 hour period. The total end system count is applied across all NAC appliances. The end systems can exist on one, or multiple NAC appliances as long as the maximum licensed count is not exceeded. 

In NAC Manager click the menu option "Tools" > Update Enterprise Licensing
This will have a counter for Total End-System License Limit

Click on Control->Dashboard->Select System->Look at Overview.

User-added image

Assessment licensing counts all end systems that exist and have a current assessment health status from an assessment (agentless or agent-based). This number is then compared to the assessment licensing count installed. If the specific NAC deployment is keeping end systems for a longer duration per configuration then these older assessments will count toward the licensing count as Assessment licensing is not based  on a 24 hour counter, but instead any end system with an assessment result, not matter how old. 

Licenses will need to be purchased through sales to increase the amount of end systems.

There are two separate capacity counters for end systems. NAC capacity, found if you click on the NAC appliance and click the "Configuration" tab shows a per appliance capacity. This count can vary based on the appliance, and licensing initially installed if a virtual appliance. This NAC capacity counter is not affiliated with the global end system capacity. If you click the link for capacity this value can be changed, and is used as a tool to determine the hardware required for the expected end system count, and features deployed. Changing this value will cause an enforce flag, but does not change licensing related end system counts. This counter can also help to identify the end systems currently being handled by the selected NAC appliance.

Global End System Capacity, found under tools > Update Enterprise Licensing, is the total global end system capacity that is licensed on the system.

NMS-ADV - This license unlocks all NetSight features (Except Purview and Assessment), includes licensing for virtual NAC appliances, and includes 500 end systems that are added to the global end system capacity. In a system that has an NMS-ADV license you can install and license for use as many NAC appliances as the system will handle. Each NAC appliance that is added into NetSight NAC Manager after the NMS-ADV license is applied can be licensed using the NMS-ADV by clicking the "update license" button and agreeing to use the NMS-ADV license in the pop-up that appears.

NMS-XXX - This license allows for use of NAC/Access Control virtual appliances since the introduction of version 6.3.x.x. In a system that has an NMS license you can install and license for use as many NAC appliances as the system will handle. IA-ES-XX licenses must be added.

NMS-Base-XXX licenses do not allow for NAC/Access Control appliances to be used regardless if the customer has purchases IA-ES-XX licenses. They must have NMS-XXX or NMS-ADV to make use of the functionality.

NAC-ASSESS or NAC-ASSESSMENT licenses are legacy licenses that can only be added to the NetSight solution through the Tools --> Server Information --> License tab --> "Add License" button. You cannot add more the 1 of these licensing types to the system at any time. Each NAC-ASSESS or NAC-ASSESSMENT license that you add after the initial license will overwrite the previous license. If you have additional NAC-ASSESS or NAC-ASSESSMENT licenses you will need to contact your inside services representative in order to trade in the NAC-ASSESS or NAC-ASSESSMENT licenses for IA-PA-3K licensing keys.

The following licenses are added via NAC Manager->Tools->Update Enterprise license. See below Pic
User-added image
Or they are added using the following in Extreme Management Center
Administration->Diagnostics->Server->Server Licenses->Add
User-added image
IA-ES-XK - This license increases the global end system licensing count on the entire system based on the part name. The license exists in the following formats:
IA-ES-1K: Increases end systems by 1,000
IA-ES-3K: Increases end systems by 3,000
IA-ES-6K: Increases end systems by 6,000
IA-ES-12K: Increase end systems by 12,000

IA-PA-XK - This license increases  the amount of end systems allowed to perform assessment in a system and unlocks the assessment feature. This license is also global and is not restricted to a specific NAC appliance. This license exists in the following formats:
IA-PA-3K: Increases assessment count by 3000
IA-PA-12K: Increases assessment count by 12,000

NAC-V-20/NAC-VX -Post Software 7.08.xx, the NAC-V-XX will be overwritten via any IA-ES-XX license. So these licenses will need to be traded in via sales channel for IA-ES-XX licenses if they both exists as the IA-ES-XX will take precedence. See the following KCS for reference.
Access Control / EAC / NAC does not allow you to update the NAC with a NAC-V-XX license if a IA-ES-XX license is already applied
Below is for older software references only.
These license license virtual NAC appliances to be allowed to be managed by the NetSight Server. In a licensing system that does not have an NMS-ADV license applied each NAC appliance must have a NAC-V-20, or NAC-VX license applied in order to license the appliance for use. These licenses also increase the end system capacity.
NAC-V-20: Licenses 1 NAC appliance and adds 3,000 users to global end system count
NAC-VX-5: Licenses 1 NAC appliance and adds 500 users to global end system count.

These licenses are entered here:
User-added image
NAC-A-20, and SNS-TAG type appliances do not need to be licensed as licensing is included with these physical appliances. They do not need to be licensed for use, and will add 3,000 end systems to the global capacity per physical appliance.
IA-A-X type appliances include a license for use, but do not increase the global end system capacity. These appliances should be paired with IA-ES-XK type keys to increase the global end system capacity.

If authentications exceed the global end system capacity there is a 4 stage violation procedure that is put into action. 

Stage 1:  The NetSight Administrator group users receive a pop-up error message when they login that the system has exceeded licensing and additional licensing should be purchased.
Stage 2: All NetSight users receive a pop-up error message when they login that the system has exceeded licensing and additional licensing should be purchased.
Stage 3: All end systems authenticating that exceeded the maximum threshold. (Ex. If maximum of 3000 end systems this stage only affects the 3001st end system and higher) will no long have any end system events tied to the end system. The end system will authenticate normally, but no events for the end system will display. Stages 1 and 2 will still be in effect.
Stage 4: All end systems authenticating that exceeded the maximum threshold. (Ex. If maximum of 3000 end systems this stage only affects the 3001st end system and higher) will fall into the "Catch All" rule in the NAC Manager rules engine, and will not be authorized normally. Stages 1, 2, and 3 will still be in effect.

There is a minimum of 120 days of violation before stage 4 will be triggered. 
Here is a message that will appear in the
/var/log/tag.log on the Access Control appliance.


[NacRuleEngine] System is oversubscribed, using catch-all profile…

7-10 days are required in order to clear the violation stage and reset back to normal operation, after additional licensing is purchased the error messages will still appear until the violation stages are reset.


1. SSH to the NAC appliance
2. Run the following command:


Look under "Appliance License and Capacity Diagnostics"

Virtual NAC appliance licensing files are located in the /etc/tag-license file. 

Licensing for NetSight is found in the following directory:
<Install Directory>/NetSight/Appdata/License 

Each NAC-A-20 can be traded in for an IA-ES-3K when they decommission the NAC-A-20.  Then they pay maintenance on the IA-ES-3K licenses. Please contact your Sales representative for this to occur, or GTAC can create a Sales Lead for them to contact you.

If the following error is presented there is no end system licensing applied to the system. Generally if this error states "which exceeds the limit of -1" of "0" this is caused by an expired evaluation. This is the license violation error message that will appear to NetSight users if the system has entered violation, but will have a valid license limit instead of "-1" or "0"
User-added image
If the NAC has an expired evaluation key applied to it it must be removed manually with the following procedure:
1. SSH to NAC
2. manually remove tag-license file from the /etc directory.
rm /etc/tag-license
3. Restart the NAC services
nacctl restart
4. The NAC should temporarily show as down, and once it comes back up should have an orange arrow and will need to be licensed according.

If the previous procedure doesn't resolve the issue. You may need to manually install the IA-ES key.
Details on this procedure: 
NAC - Orange Arrow in NAC manager (Unlicensed) not licensed


In NetSight version 5.x and higher the IA-ES, and IA-PA licenses are only accepted through the menu option Tools > Update Enterprise License. If these licenses are attempted in the Tools > Server Information > Licensing tab they will not apply to the system correctly.

License keys starting in "INCREMENT" are not in the correct format for versions 5 and higher and will need to be upgraded through the Extranet.

Link found here:
How to upgrade a NetSight Extreme Management Control license for use with version 7

If licenses are not accepted please check to make sure there is no trailing space, or any extra spaces in the activation key, the activation key starts with 0001: and ends with =, and that the system time on the NetSight Server is correct.

Additional notes
For information on the NMS-K12 Bundle: What is included with a NetSight K12 license, NMS-K12



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255