cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

87
Views
10
Helpful
1
Replies
Cisco Employee

License consumption for Radius device admin

Hello Folks, 

 

I know how device admin license work for TACACS. May I know how base license been consumed for device administration using radius, is it per network device count or per radius session?

 

Thanks. 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Engager

Re: License consumption for Radius device admin

So my experience with this in the field is that RADIUS device admin uses zero licenses. I have done a couple of 20k NAD device admin deployments and a handful of small ones, they were all a mix of RADIUS and TACACS. Not a single one of these deployments used any of the base licenses.

Maybe this is because ISE tracks active radius sessions from radius accounting start messages, and radius device admin authentication's don't typically send accounting. I took a look, and with 20k NADs, only a handful of avocent console servers send radius accounting. I still plan licensing around the approximate number of NADs that would have active sessions, and not unique admin sessions on each device.

I would say though, something official should be added to the ISE licensing guide because it comes up from time to time and it's always fuzzy.
1 REPLY 1
Highlighted
VIP Engager

Re: License consumption for Radius device admin

So my experience with this in the field is that RADIUS device admin uses zero licenses. I have done a couple of 20k NAD device admin deployments and a handful of small ones, they were all a mix of RADIUS and TACACS. Not a single one of these deployments used any of the base licenses.

Maybe this is because ISE tracks active radius sessions from radius accounting start messages, and radius device admin authentication's don't typically send accounting. I took a look, and with 20k NADs, only a handful of avocent console servers send radius accounting. I still plan licensing around the approximate number of NADs that would have active sessions, and not unique admin sessions on each device.

I would say though, something official should be added to the ISE licensing guide because it comes up from time to time and it's always fuzzy.