10-26-2018 09:34 AM - edited 10-26-2018 01:01 PM
Hi,
We have ACS 5.8 running on an SNS 3415. We do not have any redundant ACS server in our network. This ACS is integrated with Active Directory users. I have some queries regarding failure and license restore.
In case this ACS server goes down and we receive a new appliance from Cisco:
1- Can we restore the license on the new ACS server from the old ACS? (In case the old ACS is not reachable, how will we license the new ACS appliance, or do we have to purchase a new license?)
2- Can we use the Microsoft RADIUS server (NPS) for authentication of the AD users (the WLC will integrate with NPS instead of ACS, in case ACS is not available/fails) as a second option?
3- Can we use the ISE virtual appliance as a second option for redundancy (in case ACS goes down, we will point the WLC at the ISE IP for authentication)?
We do not want to purchase a second ACS for redundancy, but we need a second option for redundancy in case ACS goes down.
Thanks in Advance
10-26-2018 02:25 PM
Hi, I'll try my best to answer these questions. Anyone who knows better, feel free to correct any misinformation.
1 - The Base License (up to 500 NADs) can be applied freely to each server in the ACS deployment, as long as each license in the cluster is distinct. So you can apply it to a new SNS or virtual machine, as long as no other ACS in the cluster is using that license.
2 - Depends on what your needs are. Some devices (such as newer Cisco phones) don't play well with NPS when it comes to 802.1X, and they don't support the deprecated EAP-MD5. Perhaps you have certain policies that exist in ACS but can't be enforced by NPS. If you're looking for just PAP/MSCHAP authentication, NPS may be enough. Just make sure to update the RADIUS clients and policies within NPS, since it won't be synced with ACS.
3 - Well... if anything I'd do it the other way around. ISE is a much stronger platform which can integrate very well with other modern platforms. It's also a lot more scalable. You may also want it around for strong security features such as posturing, profiling, pxGrid and more.
If you're going to be purchasing ISE licenses, I'd prop it up to take on the role of primary AAA/RADIUS server and use ACS only when necessary.
P.S. Since you're discussing a form of HA which is not Hot Standby, you could also install ACS at your DR site with the existing license but not join it to your primary ACS. This would give you a form of cold HA. Keep its policies and NADs up to date now and again, and if your main ACS is not available the supplicants and NADs can use it as a backup. Keep in mind that since these are separate clusters, they won't be synchronized.
10-26-2018 10:47 PM
Hi Nadav,
Thanks for your detailed explanation. After reading your post, some more questions came to mind.
1- Can we export this base license from the current ACS server? (In case this ACS fails, we can use the same license on the newly received ACS from Cisco, as the current ACS has back-to-back support from Cisco. My question is: will Cisco send a new license/PAK with the new ACS server, or do we have to use the old license? We don't have the old PAK.)
2- We are only using 40 switches for TACACS authentication (does this base license include TACACS authentication as well?)
3- We are doing authentication for 2500 users (does this base license support this number of users?)
4- For simple authentication, would NPS be fine for 2500 users? (We'll integrate NPS as a RADIUS server on the WLC and then call this RADIUS server under the WLAN.) So in case ACS fails, we'll just point to NPS as the RADIUS server under the WLAN?
Thanks for the support
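The reply above warns that NPS will not be synced with ACS and the follow-up plans to list NPS behind ACS on the WLC. Whichever server the WLC fails over to, the thing worth checking before an outage is that the backup actually answers a PAP Access-Request with the shared secret you think it has. The script below is an added example, not something posted in this thread or shipped with ACS, NPS or the WLC: it builds an RFC 2865 Access-Request, hides the User-Password the way a NAS does, sends it to each server in WLC order and accepts a reply only if its Response Authenticator validates under the shared secret, so a forged Access-Accept from something else on the path is not mistaken for a live server. The addresses, shared secret, probe account and NAS-Identifier are placeholders; UDP/1812 is assumed for both servers.

```python
import hashlib
import hmac
import secrets
import socket
import struct
from typing import Optional, Sequence, Tuple

# RADIUS codes and attribute types from RFC 2865 (only the ones used here).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by the
    Request Authenticator. This is obfuscation keyed by the shared secret, not encryption:
    anyone holding the secret recovers the password, so the secret must be strong."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining runs on the hidden block, not the plaintext
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does); trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None,
                         nas_id: bytes = b"wlc-probe") -> Tuple[bytes, bytes]:
    """Build a PAP Access-Request; returns (packet, request_authenticator). The caller keeps
    the authenticator because the reply can only be validated against it."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side of RFC 2865 section 3, included so the check below can be exercised offline:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(resp: bytes, ident: int, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Return the response code only if the packet is well-formed, matches our Identifier and
    carries a valid Response Authenticator; otherwise None. Without this check anything that
    can reach the probe's UDP port could answer with a fake Access-Accept."""
    if len(resp) < 20:
        return None
    code, resp_ident, length = struct.unpack("!BBH", resp[:4])
    if resp_ident != ident or length != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return None
    return code


def probe(host: str, secret: bytes, username: bytes, password: bytes,
          port: int = 1812, timeout: float = 2.0) -> Optional[int]:
    """Send one Access-Request and return the verified code (2 accept, 3 reject), or None on
    timeout or an unverifiable reply. A reject still proves the server is up and the secret matches."""
    ident = secrets.randbelow(256)
    pkt, request_auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(pkt, (host, port))
            data, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            return None
    return verify_response(data, ident, request_auth, secret)


def first_responding(servers: Sequence[str], secret: bytes, username: bytes,
                     password: bytes) -> Optional[Tuple[str, int]]:
    """Walk the list in WLC order (ACS first, NPS second) and report the first server that answers."""
    for host in servers:
        code = probe(host, secret, username, password)
        if code is not None:
            return host, code
    return None


if __name__ == "__main__":
    # Placeholder addresses, secret and account (assumed, not from the thread). Use a dedicated
    # monitoring account so no real user's password ends up in a script.
    print(first_responding(["10.0.0.10", "10.0.0.20"], b"change-me", b"radius-probe", b"probe-password"))
```

Run it from a host that is registered as a RADIUS client on both servers (the WLC's address is what ACS and NPS know; a separate probe host needs its own client entry and secret on each). An Access-Reject from the backup is a pass for this purpose; a timeout from the backup means the WLC will fail over to a server that cannot answer.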
10-27-2018 08:22 AM
Please read End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System and consider migrating to Cisco ISE. For more info, see How to Migrate ACS 5.x to ISE 2.x
The following should address most of your questions: