Cisco Community
English
Register
Announcing the Project Gallery! Click here to read community member deployment stories and share your projects!
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

383
Views
10
Helpful
5
Replies
Highlighted
Maurice Ball
Beginner
Beginner
‎05-24-2020 12:15 PM
‎05-24-2020 12:15 PM

Cisco ISE Device Admin Licensing

Do I need a Cisco ISE device admin license for every PSN I enable the service on?

 For example: If I enabled the device admin service on 5 of my policy nodes. Does this mean I would need 5 device admin licenses installed on the primary admin node?

0 Helpful
Reply
2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
‎05-24-2020 12:44 PM
‎05-24-2020 12:44 PM

Re: Cisco ISE Device Admin Licensing

Yes, as of ISE v2.4+ you need one L-ISE-TACACS-ND= license per PSN you enable the device admin role on. So enabling device admin on five PSNs would require ordering 5x L-ISE-TACACS-ND=. You then have the option of either putting them in to a smart account ISE can be pointed at, or fulfilling them as a traditional license file and installing it on the admin node.

View solution in original post

Reply
Highlighted
Maurice Ball
Beginner
Beginner
‎05-24-2020 12:51 PM
‎05-24-2020 12:51 PM

Re: Cisco ISE Device Admin Licensing

Ok, great. I just wanted to make sure I understood it correctly. Thanks so much for the clarification.

View solution in original post

0 Helpful
Reply
5 REPLIES 5
Highlighted
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
‎05-24-2020 12:44 PM
‎05-24-2020 12:44 PM

Re: Cisco ISE Device Admin Licensing

Yes, as of ISE v2.4+ you need one L-ISE-TACACS-ND= license per PSN you enable the device admin role on. So enabling device admin on five PSNs would require ordering 5x L-ISE-TACACS-ND=. You then have the option of either putting them in to a smart account ISE can be pointed at, or fulfilling them as a traditional license file and installing it on the admin node.

View solution in original post

Reply
Highlighted
Maurice Ball
Beginner
Beginner
‎05-24-2020 12:51 PM
‎05-24-2020 12:51 PM

Re: Cisco ISE Device Admin Licensing

Ok, great. I just wanted to make sure I understood it correctly. Thanks so much for the clarification.

View solution in original post

0 Helpful
Reply
Highlighted
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
‎05-25-2020 12:56 AM
‎05-25-2020 12:56 AM

Re: Cisco ISE Device Admin Licensing

Hi,

Your device admin license are counted by the number of devices not by the
number of PSN nodes. You PSN nodes consume VM license only. But feature
license can be shared between them.


**** please remember to rate useful posts
0 Helpful
Reply
Highlighted
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
‎05-25-2020 01:05 AM
‎05-25-2020 01:05 AM

Re: Cisco ISE Device Admin Licensing

Not with ISE.

That was the case with ACS, 500 vs large deployments. ISE 2.4+ licenses both virtual ISE nodes, and tacacs/device admin nodes by the number deployed. 

Reply
Highlighted
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
‎05-25-2020 02:36 AM
‎05-25-2020 02:36 AM

Re: Cisco ISE Device Admin Licensing

Thanks for correcting me Damien.
0 Helpful
Reply
Latest Contents
Problems Authenticating and Authorizing Users on new wlan us...
Created by stevemegyery on 08-11-2020 11:26 AM
1
0
1
0
I am involved in rolling out about 40 wifi networks using cisco 3602/2802 aps and cisco 5508 ISE. Our network offers a 2 step authentication with user and machine certificates as well as users needing to be in correct AD groups. The problem we have i... view more
NGFW VPN PAGE
Created by Fnu Kanwaljeet Singh on 08-11-2020 07:44 AM
0
0
0
0
Site-to-Site VPN: ASA Site-to-Site VPN using IKEV1 Configuration Example Configure a Site-to-Site IPSec IKEv1 Tunnel Between an ASA and a Cisco IOS Router Site-to-Site IKEv2 Tunnel between ASA and Router Configuration Examples Site-to-Site VPN Tunnel wit... view more
Cisco ISE MS Intune remote WIPE/LOCK ISE Feature
Created by Rkle on 08-11-2020 04:28 AM
0
0
0
0
Dear Community,  So, according to the Cisco ISE Release 2.7 Administrator Guide, it should be possible to use a remote lock/wipe on MDM-devices that connect through ISE on the network( see the screenshot in the attachment).The problem is that th... view more
Applying Cisco Anyconnect licenses
Created by ross_rulz on 08-11-2020 01:00 AM
0
0
0
0
Hi, We currently have 2 Cisco 5525X ASA's in active/standby state. We have 750 concurrent Anyconnect licenses with the below licenses:AC-PLSM-5YR-500-S & AC-PLSM-5YR-250-S. (These are expiring soon) I have asked to get these renewed by our l... view more
Cisco Anyconnect using a different IP
Created by latenaite2011 on 08-10-2020 07:47 PM
0
0
0
0
Hi Everyone, Does anyone know if it is possible create a NAT for Cisco Anyconnect to a different IP so that the user doesn't have to use the External IP? We want to use a different dns name and assign to a different set group of users. Thank you... view more
Content for Community-Ad

Cisco Community May 2020 Spotlight Award Winners

Follow our Social Media Channels