Cisco ISE VM license question

mpbaker82
Level 1

I found the license guide but I’m still unclear on the VM license. 

 

Right now I have the following:

base license

admin key which enables TACACS

and a VM (med) key for each of my nodes. All nodes are going to be deployed on a VM server. 1 PAN, 1 SAN, 5 PSN nodes.

 

Do I need the base license? The guide makes me think I don’t need it. 

 

Thanks 

 

Accepted Solutions

VM licenses (small, medium, and large) are, as already mentioned, one per node you deploy. 7 nodes in your case = 7 VM licenses.

The base licenses are per active endpoint. This is a bit of a misnomer because an endpoint is actually a MAC address in ISE. If a single PC connects via wired and wireless, this can use two base licenses for a single "endpoint". Plus and Apex licenses for the deployment are also required if you use any profile or advanced endpoint authentication features.

There is a third license category, Device Admin node licenses. You also need one of these per VM you enable the device admin feature on; this is TACACS authentication for switches, routers, WLC, etc. If you wanted to authenticate your administrators' logins to network devices, and you only turn device admin on on two PSNs, then you only need two node licenses.


hslai
Cisco Employee

For RADIUS auth, we need base licenses for concurrent endpoint sessions. For T+ auth, we need to import a base license with a minimum of 100 endpoint sessions before the T+ (device admin) license(s).

So if I understand correctly, the VM license is just to install on a VM server. I would need one VM license per ISE node.

I was thinking the VM license served as the base license. Thank you for clearing that up.

Mike.Cifelli
VIP Alumni
Base licenses allow you to use 802.1X, AAA features, TrustSec, and MACsec. If you are planning to use additional features that you would get from obtaining an Apex license, etc., you still must have base licenses. So yes, you will need them.