Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1666
Views
10
Helpful
1
Replies

License consumption for Radius device admin

Go to solution
smano
Cisco Employee
Cisco Employee

‎08-15-2019 02:18 PM

Hello Folks, 

 

I know how device admin license work for TACACS. May I know how base license been consumed for device administration using radius, is it per network device count or per radius session?

 

Thanks. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-15-2019 03:32 PM

So my experience with this in the field is that RADIUS device admin uses zero licenses. I have done a couple of 20k NAD device admin deployments and a handful of small ones, they were all a mix of RADIUS and TACACS. Not a single one of these deployments used any of the base licenses.

Maybe this is because ISE tracks active radius sessions from radius accounting start messages, and radius device admin authentication's don't typically send accounting. I took a look, and with 20k NADs, only a handful of avocent console servers send radius accounting. I still plan licensing around the approximate number of NADs that would have active sessions, and not unique admin sessions on each device.

I would say though, something official should be added to the ISE licensing guide because it comes up from time to time and it's always fuzzy.

View solution in original post

1 Reply 1

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-15-2019 03:32 PM

So my experience with this in the field is that RADIUS device admin uses zero licenses. I have done a couple of 20k NAD device admin deployments and a handful of small ones, they were all a mix of RADIUS and TACACS. Not a single one of these deployments used any of the base licenses.

Maybe this is because ISE tracks active radius sessions from radius accounting start messages, and radius device admin authentication's don't typically send accounting. I took a look, and with 20k NADs, only a handful of avocent console servers send radius accounting. I still plan licensing around the approximate number of NADs that would have active sessions, and not unique admin sessions on each device.

I would say though, something official should be added to the ISE licensing guide because it comes up from time to time and it's always fuzzy.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents