Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2524
Views
5
Helpful
5
Replies

CISCO ISE TACACS Lisence

vivarock12
Level 1
Level 1

‎04-21-2020 03:47 PM

Hello,

i just have one question my custumer haves 300 devices authenticating on a ACS with TACACS so what should i buy to meet this requirement?

from what i understand i only need the following:

 

R-ISE-VMS-K9=

Cisco ISE Virtual Machine Small

L-ISE-BSE-PLIC

Cisco ISE Base License

L-ISE-BSE-P1

Cisco ISE Base License - Sessions 100 to 249

L-ISE-TACACS-ND=

Cisco ISE Device Admin Node License

 

and the licence that is giving me this option is this one L-ISE-TACACS-ND=.

but im not sure if the 100 base is limiting the Radius or the Tacacs devices, so can someone help me with this doubt?

 

thanks for the help.

 

0 Helpful
5 Replies 5

Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-21-2020 04:34 PM

First of, if your customer has 300 endpoints you are going to want to go with this: L-ISE-BSE-P2 (Cisco ISE Base License- Sessions 250 to 499). This meets the requirement and gives room for growth. Base licenses are consumed on a per user basis and enables the following features:
Basic network access: AAA, IEEE-802.1X
Guest services
Link encryption (MACSec)
TrustSec
ISE Application Programming Interfaces
AFAIK, at least 100 ISE Base session licenses are needed in your deployment prior to adding an ISE Device Administration license (L-ISE-TACACS-ND=). The device admin license enables Tacacs+ feature. You only need one of these. The base licenses will count against the functions listed above. If you are using Tacacs+ for device administration only the base licenses will not be consumed. HTH!
0 Helpful

vivarock12
Level 1
Level 1
In response to Mike.Cifelli

‎04-21-2020 06:36 PM

all the devices ar networking devices like SW, RT, etc. and all this devices use tacacs so wil the

L-ISE-BSE-P1

Cisco ISE Base License - Sessions 100

 

be consumed by every networking device?

or only when the try to authenticate to each one?

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee

‎04-21-2020 04:56 PM

See the ISE Ordering Guide for more detailed information.

An ISE installation must have a minimum of 100 Base licenses (as I believe this is the smallest block that can be ordered), but those licenses are only consumed by RADIUS sessions. If all of the Network Devices you need to manage use TACACS+, you do not need more than the minimum 100 Base licenses.

More recent versions of ISE require 1 Device Admin license for each PSN that will service TACACS+ requests. If you will have 2x ISE nodes servicing T+ requests (for HA), you will need a total of 2 Device Admin Node licenses.

0 Helpful

vivarock12
Level 1
Level 1
In response to Greg Gibbs

‎04-21-2020 06:37 PM

so this means that i can connected the 300 devices or more?

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to vivarock12

‎04-21-2020 07:27 PM

If all of those devices use TACACS+ for Device Admin, then you can provide AAA services from ISE using the licenses I discussed above. There is no limit (from a licensing perspective) to the number of network devices that can be supported for TACACS+ with 1 Device Admin Node license (per PSN).

If you have devices that use RADIUS for device administration (instead of TACACS+), the number of Base licenses you have will limit the number of those devices (again, from a licensing perspective) that will be supported by the ISE cluster.

Customers Also Viewed These Support Documents