ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

9165
Views
45
Helpful
11
Replies
Highlighted
Beginner

Cisco ISE SKU# for TACACS "Device Administration"

Hello,

Trying to locate the SKU to enable cisco Tacacs+ (Device Administration) license. Should be ~$4500 - but not finding it. Anyone had any luck?

Thank you!

j

Everyone's tags (1)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Beginner

Found it. L-ISE-TACACS=

Found it. L-ISE-TACACS=

View solution in original post

Highlighted
Hall of Fame Guru

@Glenn Costantino  

[@glenn.costantino]  

No - the Device Administration feature is licensed for the deployment regardless of the number of devices using the feature.

View solution in original post

11 REPLIES 11
Highlighted
Beginner

Found it. L-ISE-TACACS=

Found it. L-ISE-TACACS=

View solution in original post

Highlighted

The ordering guide states you

The ordering guide states you need a minimum 100 ISE base licenses to use the TACACS feature - Device Administration but there is no Large deployment license like in the past - is it safe to say you need a base license for every switch that you are trying to manage administrative access to? for example 425 network switches would require the L-ISE-BSE-500 license?

Highlighted
Hall of Fame Guru

@Glenn Costantino  

[@glenn.costantino]  

No - the Device Administration feature is licensed for the deployment regardless of the number of devices using the feature.

View solution in original post

Highlighted
Beginner

@marvin rhoads

@marvin rhoads

Do you mean if I have 3 network administrators, I require 3 Device Administration license only?

How does Device Administration license work? Does it release license when administrator finish the authentication?

Thank you.

Highlighted
Hall of Fame Guru

Paniphon,

Paniphon, . Only a single Device Administration license is required for the entire ISE deployment - no matter how many administrators or devices you have. Thus there is no concept of releasing the licenselike we have with endpoint licenses. If you have a very large number of devices and something like a program that authenticates you may want to consider dedicating a node for Device Admin.
Highlighted
Beginner

Thank you @Marvin Rhoads  

Thank you [@mrhoads-cco]  

Highlighted
Beginner

Re: @Glenn Costantino

Means If I have 10 devices authenticated via TACACS, it will counted as 10 base license required?

Assumed I have L-ISE-TACACS= install already.

 

In another scenario, if I have 10devices authenticated via Radius, it wouldn't be any base license required. Right?

Highlighted
Hall of Fame Guru

License Consumption

TACACS+ user authentications for device administration do not consume base licenses. As long as you have the TACACS license installed you can authenticate users for device adminstration as the deployment type will scale to.

 

If you are using RADIUS for device administration then the user sessions are RADIUS sessions and consume base licenses just as if they were a wired, wireless or VPN endpoint using RADIUS authentication for network access..

Highlighted
Beginner

Re: @Glenn Costantino

Glenn,

 

we have ACS and ISE 1.4 in our deployment and we are going through ISE 2.3 deployment,

Since we already purchased permanent base and license for 5K endpoints and is currently applied to ISE 1.4 deployment

we are not buying new base and plus license for new ISE 2.3 deployment

our plan is to migrate the licenses from ISE 1.4 to ISE 2.3 and all the network devices on our network at the same time to new ISE 2.3 deployment.

But while we are testing and validating 802.1x part of the new ISE 2.3 deployment we want to continue migrating device from ACS to ISE 2.3 for device administration.

 

 

I know that you need to have base license to apply device admin license and you can't even apply permanent device admin license with base evaluation license.

So we convinced our cisco rep to give us temporary base and plus license for 100 endpoints for 90 days, so we can apply our permanent device admin license and work with device migration for device administration.

Now our base and plus license is going to expire in 25 days.

what will happen to my device admin license if my base license expires?

will tacacs continue to work and will I be able to add new network devices for TACACS?

 

 

 

Highlighted
Cisco Employee

To add to what Marvin already

To add to what Marvin already said: Compared to ACS where the license was based on the number of NADs, in ISE the Base/Plus/Apex licenses are based on the number of endpoints (PCs, Mobile Devices, etc)

Thank you for rating helpful posts!

Highlighted

Thank you

Thank you