
Cisco ISE Licensing Upgrade from pre 2.4 release to 2.4 and above

Inderpal Oberoi
Cisco Employee

Hello Team,

 

The customer has upgraded ISE from release 2.0 to release 2.6. ISE licensing has changed for 2.4 and above. Please look at the difference between ISE pre 2.4 and release 2.4 and above in the screenshot below:

 

Reference link: Section License Behavior

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

 

Based on the information mentioned above, I see there is no restriction on the Device Admin license in the pre 2.4 release, so they can have an unlimited number of ISE TACACS+ nodes within the deployment. Moreover, I also see that in the pre 2.4 release the VM is licensed with no enforcement.

 

Now they have upgraded to Cisco ISE release 2.6 and are looking forward to moving from the traditional licensing model to the smart licensing model. They have a few queries to be addressed:

 

  1. Does the EA agreement cover this license upgrade as well? They are running more than one device admin node in the Cisco ISE 2.6 deployment in a virtual environment.

Currently, this is what they have purchased in the EA agreement:

Apex License : 2000 Qty

Plus License : 5000 Qty

Device Admin : 1 Qty

Enhanced Support for ISE 

 

Please share your thoughts on it.

 

Regards

Inderpal Singh

1 Accepted Solution

Accepted Solutions

A few things changed since 2.0. Pre 2.4 didn't require installing VM licenses; they were right to use only. It was expected you buy them and self-police according to our morals of if we are using it, we should license it.

For releases 2.4 - 2.7, you are now expected to either install the VM licenses directly to the deployment via a fulfilled license file, or have enough entitlement in the smart account the deployment is registered to. Right now there is no enforcement action for being short VM licenses other than a warning message that you are out of compliance on licensing. I wouldn't expect it to stay this way; I suspect we will see VM license enforcement in the future with a grace period.

TAC/licensing team will grant a direct 1:1 of the old RTU VM licenses ordered to new medium size VM licenses. This is based on how many were bought.

If you bought a TACACS license for the deployment pre 2.4, this was a single license that allowed up to 50 nodes (max nodes in ISE) to have the device admin role enabled. From 2.4 - 2.7, the TACACS licensing model went to a per node basis and enabling the device admin role on a VM/appliance requires a 1 for 1 number of TACACS node licenses. If you were to have bought the old TACACS deployment license, you are given an early adopter bonus: this license gets transferred/translated to 50 TACACS node licenses. You cannot buy this single deployment license any more; it has been replaced by the TACACS node licenses.

Working with TAC, it's possible to migrate all of the licensing to a new deployment assuming it was bought in the first place. I echo Paul's suggestion on moving any purchased licenses to a smart account. It's easier to work with during upgrades and migrations in the future.


3 Replies

paul
Level 10

Was the ISE environment running TACACS in 2.0?  Is this on VMs or physicals?

 

You should get all your licenses in 2.0 put into the Smart account before you add anything from EA.  You don't want to start using EA licenses when the customer already paid for licenses in their 2.0 deployment.  After you get all the correct licenses in the smart account from the 2.0 deployment then add EA licenses as needed.

Thanks Paul.

 

Please see the answer to your query below:

 

Was the ISE environment running TACACS in 2.0?  Is this on VMs or physicals?

 

Yes, they were running it. It is a VM deployment. After the upgrade, the box is running in Smart Licensing evaluation mode. The license page is displaying the following information at present for the consumption field.

Base: 336 consumed

Apex: 1 consumed

TACACS: 2 consumed

 

There was no enforcement in the pre 2.4 release for Device Admin and VM licenses, as shown in the guide below:

3.3 License behavior

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

 

I am trying to understand the last field in the table in section 3.3 License Table, Legacy Device Admin License.

 

For the pre 2.4 release it says "Is identified and consumed as uncounted (unlimited number of ISE TACACS+ nodes within the deployment)".

 

For 2.4 and above, it says "Is identified and enables consumption of up to 50 ISE TACACS+ nodes". Does it mean to say "The number of nodes supporting TACACS+ is identified in the legacy deployment and, based on it, the same number of TACACS+ licenses are issued by the licensing team, and the max number that can be issued is up to 50"?

Please correct me if I am wrong.

 

Moreover, I don't see any enforcement on VMs in the pre 2.4 release, which is not the case with 2.4 and above ISE releases.

 

It seems to me that in the pre 2.4 release, VM ISE nodes are built on an honor-based commitment. And the customer needs to follow the process to migrate VM licenses as mentioned in the link above in Section 3.4.1 ISE Virtual Machine (VM) Nodes.

 

Please share your thoughts on it.

 

Thanks

 

Regards

Inderpal Singh

 

 

 

 

 
