The way I always understood it, is that you have several licenses each of which with its own specifics:
1) the built-in policy manager license.
This is set on ordering and only available in 500, 5000 or 25000 variants. Add new appliances to increase the count.
The count for this license is on a on a 7-day rolling average where the daily result then gets fed into a 30-day average.
The metric used to count is 'authenticating devices per day'. Meaning a device that logs via guest portal and later that day gets mac authenticated only counts as 1 license used ( for that day). The same user that authenticates with 2 devices gets counted twice.
Although I'm unsure what exactly happens when you reach this limit the message is: 'make sure you don't reach it!'. You do get locked out of the management interface.
2) guest/onguard licenses (& enterprise used for this)
available in custom counts
Uses a 7 day rolling avarage to allow peaks above the actual license count.
A device authenticating first on a captive portal and than gets a healthcvheck (onguard) counts towards guest AND onguard licenses on top of the policy manager license (3 licenses used!)
Exceeding the rolling average enough times will get you locked out of the management interface and leaves only an option to add licenses. Guests will no longer be able to self-register either.
3) onboard licenses (& enterprise used for this)
available in custom counts
actual provisioned devices (no rolling avg). Cannot be exceeded. Won't except new onboarding if there are no licenses available anymore.
4) quick connect
per user / honor based (no enforcement)