vivarock12
Beginner

CISCO ISE TACACS License

Hello,

I just have one question: my customer has 300 devices authenticating on an ACS with TACACS, so what should I buy to meet this requirement?

From what I understand, I only need the following:

R-ISE-VMS-K9= (Cisco ISE Virtual Machine Small)
L-ISE-BSE-PLIC (Cisco ISE Base License)
L-ISE-BSE-P1 (Cisco ISE Base License - Sessions 100 to 249)
L-ISE-TACACS-ND= (Cisco ISE Device Admin Node License)

and the license that is giving me this option is this one: L-ISE-TACACS-ND=.

But I'm not sure if the 100 base is limiting the Radius or the Tacacs devices, so can someone help me with this doubt?

Thanks for the help.

5 REPLIES
Mike.Cifelli
VIP Advocate

First off, if your customer has 300 endpoints you are going to want to go with this: L-ISE-BSE-P2 (Cisco ISE Base License - Sessions 250 to 499). This meets the requirement and gives room for growth. Base licenses are consumed on a per-user basis and enable the following features:
- Basic network access: AAA, IEEE-802.1X
- Guest services
- Link encryption (MACSec)
- TrustSec
- ISE Application Programming Interfaces

AFAIK, at least 100 ISE Base session licenses are needed in your deployment prior to adding an ISE Device Administration license (L-ISE-TACACS-ND=). The device admin license enables the Tacacs+ feature. You only need one of these. The base licenses will count against the functions listed above. If you are using Tacacs+ for device administration only, the base licenses will not be consumed. HTH!

All the devices are networking devices like SW, RT, etc., and all these devices use TACACS, so will the L-ISE-BSE-P1 (Cisco ISE Base License - Sessions 100) be consumed by every networking device? Or only when they try to authenticate to each one?

Greg Gibbs
Cisco Employee

See the ISE Ordering Guide for more detailed information.

An ISE installation must have a minimum of 100 Base licenses (as I believe this is the smallest block that can be ordered), but those licenses are only consumed by RADIUS sessions. If all of the Network Devices you need to manage use TACACS+, you do not need more than the minimum 100 Base licenses.

More recent versions of ISE require 1 Device Admin license for each PSN that will service TACACS+ requests. If you will have 2x ISE nodes servicing T+ requests (for HA), you will need a total of 2 Device Admin Node licenses.

So this means that I can connect the 300 devices or more?

If all of those devices use TACACS+ for Device Admin, then you can provide AAA services from ISE using the licenses I discussed above. There is no limit (from a licensing perspective) to the number of network devices that can be supported for TACACS+ with 1 Device Admin Node license (per PSN).

If you have devices that use RADIUS for device administration (instead of TACACS+), the number of Base licenses you have will limit the number of those devices (again, from a licensing perspective) that will be supported by the ISE cluster.
