Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4120
Views
2
Helpful
6
Replies

Cisco ISE Device Administration License

Go to solution
JH8286
Level 1
Level 1

‎05-18-2023 02:29 AM

Hello all,

I have a 2 node (PPAN/SPAN) ISE deployment, used for TACACS+ 

I am moving to SMART licensing, at the moment I use the smallest perpetual Base license size available (100) and 1 device admin license on each node, the Base which is installed on the PAN works nicely in a failover, or promotion of SPAN to PPAN, however moving to SMART I will need to implement SLR (air gapped) and I have to reserve licenses per node. 

If I converted from Base > Essential I would get 100 Essential licenses, Cisco ISE in this deployment is used only for TACACS+ so I do not need 100 (In theory none, as I only want and use Device Admin), but I cannot find anywhere the minimum number of Essential licenses required to run Device Administration on 3.x/SMART, and how I need to allocate them using SLR in my context.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ahollifield
VIP
VIP

‎05-18-2023 06:26 AM

Zero.  3.X does not require Essentials licenses to use Device Admin (TACACS+).  Just make sure that your Device Administration is 100% TACACS+ and you don't have any devices that only support RADIUS for Device Admin.

View solution in original post

6 Replies 6

Go to solution
ahollifield
VIP
VIP

‎05-18-2023 06:26 AM

Zero.  3.X does not require Essentials licenses to use Device Admin (TACACS+).  Just make sure that your Device Administration is 100% TACACS+ and you don't have any devices that only support RADIUS for Device Admin.

Go to solution
JH8286
Level 1
Level 1
In response to ahollifield

‎05-18-2023 06:33 AM

That would be good - It's definitely 100% TAC+ - I think the confusion is with 2.x we were sold the smallest base (100 endpoint) as it was a pre-req for using Device Admin. Sorry to be a pain but can you link any Cisco material that I can reference with this explained?

0 Helpful

Go to solution
JH8286
Level 1
Level 1
In response to ahollifield

‎05-18-2023 06:38 AM

Nevermind - I have found it - thanks for your help! :

In 2.x : 

Device Administration

Perpetual

TACACS+

A Base or Mobility license is required to install the Device Administration license.

The number of Device Administration licenses must be equal to the number of Policy Service Nodes with TACACS+ persona enabled on them.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/Workflow/html/b_license_2_6.html

In 3.X:

1.9.3 How to License Device Administration

●    License that enables Device Administration: Device Admin License

●    License consumption: Device Administration licenses are consumed per Policy Service Node (PSN). You must have a Device Administration license for each of the policy service nodes that you enable TACACS+ service on. Device Administration using TACACS+ does not consume endpoints, and there is no limit on network devices for Device Administration. The user does not require an Essentials license.
Cisco ISE Licensing Guide - Cisco

Go to solution
MR203
Level 1
Level 1
In response to ahollifield

‎07-11-2024 10:20 AM

do I need device admin license if deploying ISE in AWS?

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to MR203

‎07-11-2024 10:33 AM

Only if using TACACS+
0 Helpful
Customers Also Viewed These Support Documents