The ordering guide states you need a minimum 100 ISE base licenses to use the TACACS feature - Device Administration but there is no Large deployment license like in the past - is it safe to say you need a base license for every switch that you are trying to manage administrative access to? for example 425 network switches would require the L-ISE-BSE-500 license?

@marvin rhoads

Do you mean if I have 3 network administrators, I require 3 Device Administration license only?

How does Device Administration license work? Does it release license when administrator finish the authentication?

Thank you.

Thank you [@mrhoads-cco]  

Means If I have 10 devices authenticated via TACACS, it will counted as 10 base license required?

Assumed I have L-ISE-TACACS= install already.

In another scenario, if I have 10devices authenticated via Radius, it wouldn't be any base license required. Right?

TACACS+ user authentications for device administration do not consume base licenses. As long as you have the TACACS license installed you can authenticate users for device adminstration as the deployment type will scale to.

If you are using RADIUS for device administration then the user sessions are RADIUS sessions and consume base licenses just as if they were a wired, wireless or VPN endpoint using RADIUS authentication for network access..

Glenn,

we have ACS and ISE 1.4 in our deployment and we are going through ISE 2.3 deployment,

Since we already purchased permanent base and license for 5K endpoints and is currently applied to ISE 1.4 deployment

we are not buying new base and plus license for new ISE 2.3 deployment

our plan is to migrate the licenses from ISE 1.4 to ISE 2.3 and all the network devices on our network at the same time to new ISE 2.3 deployment.

But while we are testing and validating 802.1x part of the new ISE 2.3 deployment we want to continue migrating device from ACS to ISE 2.3 for device administration.

I know that you need to have base license to apply device admin license and you can't even apply permanent device admin license with base evaluation license.

So we convinced our cisco rep to give us temporary base and plus license for 100 endpoints for 90 days, so we can apply our permanent device admin license and work with device migration for device administration.

Now our base and plus license is going to expire in 25 days.

what will happen to my device admin license if my base license expires?

will tacacs continue to work and will I be able to add new network devices for TACACS?

To add to what Marvin already said: Compared to ACS where the license was based on the number of NADs, in ISE the Base/Plus/Apex licenses are based on the number of endpoints (PCs, Mobile Devices, etc)

Thank you for rating helpful posts!

Thank you