Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2367
Views
5
Helpful
2
Replies

Confusion about administration license for ISE 2.4

Go to solution
SMD28316
Level 1
Level 1

‎04-09-2021 04:14 AM

I have a question regarding the following:

If you are currently using a Device Administration license and plan to upgrade to Release 2.4 or above, TACACS+ features will be supported for 50 Device Administration nodes in Release 2.4 and above.

If you are currently using a Device Administration license and plan to upgrade to Release 2.4 or above, TACACS+ features will be supported for 50 Device Administration nodes in Release 2.4 and above.

 

From the documentation: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/Upgrade_Journey/journey_html/Cisco_ISE_2_4_Upgrade_Journey.html

 

For every PSN node I'll need a single administration license, but if I already have one that means it can cover up to 50 devices so I don't need to buy new licenses or what? What are the mentioned devices exactly? are they PSN devices or what?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marcelo Morais
VIP
VIP

‎04-09-2021 05:34 AM

Hi @SMD28316 

 please take a look at: ISE Administration Guide, 2.4., search for Cisco ISE Licensing Model and ISE Upgrade Journey, 2.4, select Choose your upgrade path and search for Licensing Changes.

"...There are two types of Device Administration Licenses: Cluster and Node. A Cluster License allows you to use Device Administration on all PSN Nodes in a Cisco ISE cluster. A Node License allows you to use Device Administration on a single PSN Node.

Cluster licenses were introduced with the release of Device Administration in Cisco ISE 2.0, and is enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, Node Licenses are completely enforced on a per-node basis.

Cluster licenses have been discontinued, and now only Node Licenses are available for sale.

However, if you are upgrading to this release with a valid Cluster License, you can continue to use your existing license upon upgrade..."

 

"... From Cisco ISE, Release 2.4, the number of Device Administration licenses must be equal to the number of Device Administration Nodes (PSNs configured for the Device Administration service) in a deployment.

If you are currently using a Device Administration license and plan to upgrade to Release 2.4 or above, TACACS+ features will be supported for 50 Device Administration Nodes in Release 2.4 and above..."

 

Please double check if you already have a Cluster Licensing.

 

Hope this helps !!!

 

 

View solution in original post

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-09-2021 07:20 AM - edited ‎04-09-2021 07:29 AM

Early adopters of ISE were able to order a single tacacs device admin sku L-ISE-TACACS= that covered the entire deployment. When ise 2.4 released they stopped selling this deployment wide sku. 

 

For those who own the original sku, L-ISE-TACACS=, it can still be installed on an ise 2.4+ deployment, and it provides 50 node licenses when you do this. If you migrate the legacy sku to a smart licensing account, it also breaks in to 50 node licenses. 50 is the magic number because that was the max number of supported ise nodes in a single cluster.

 

Today we order the new single node sku L-ISE-TACACS-ND=. Each one you order will allow you to enable tacacs device admin on a single psn/node.

 

So if you're lucky enough to have ordered tacacs back before 2.4 was released, then you essentially got an early adopter incentive.

 

 

You need one L-ISE-TACACS-ND= tacacs device admin node license for each ise node/appliance/vm you enable device admin feature on. It doesn't matter if you're lucky and had the legacy license that provided 50 of these, or if you order each node license separately from the new sku. 

View solution in original post

2 Replies 2

Go to solution
Marcelo Morais
VIP
VIP

‎04-09-2021 05:34 AM

Hi @SMD28316 

 please take a look at: ISE Administration Guide, 2.4., search for Cisco ISE Licensing Model and ISE Upgrade Journey, 2.4, select Choose your upgrade path and search for Licensing Changes.

"...There are two types of Device Administration Licenses: Cluster and Node. A Cluster License allows you to use Device Administration on all PSN Nodes in a Cisco ISE cluster. A Node License allows you to use Device Administration on a single PSN Node.

Cluster licenses were introduced with the release of Device Administration in Cisco ISE 2.0, and is enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, Node Licenses are completely enforced on a per-node basis.

Cluster licenses have been discontinued, and now only Node Licenses are available for sale.

However, if you are upgrading to this release with a valid Cluster License, you can continue to use your existing license upon upgrade..."

 

"... From Cisco ISE, Release 2.4, the number of Device Administration licenses must be equal to the number of Device Administration Nodes (PSNs configured for the Device Administration service) in a deployment.

If you are currently using a Device Administration license and plan to upgrade to Release 2.4 or above, TACACS+ features will be supported for 50 Device Administration Nodes in Release 2.4 and above..."

 

Please double check if you already have a Cluster Licensing.

 

Hope this helps !!!

 

 

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-09-2021 07:20 AM - edited ‎04-09-2021 07:29 AM

Early adopters of ISE were able to order a single tacacs device admin sku L-ISE-TACACS= that covered the entire deployment. When ise 2.4 released they stopped selling this deployment wide sku. 

 

For those who own the original sku, L-ISE-TACACS=, it can still be installed on an ise 2.4+ deployment, and it provides 50 node licenses when you do this. If you migrate the legacy sku to a smart licensing account, it also breaks in to 50 node licenses. 50 is the magic number because that was the max number of supported ise nodes in a single cluster.

 

Today we order the new single node sku L-ISE-TACACS-ND=. Each one you order will allow you to enable tacacs device admin on a single psn/node.

 

So if you're lucky enough to have ordered tacacs back before 2.4 was released, then you essentially got an early adopter incentive.

 

 

You need one L-ISE-TACACS-ND= tacacs device admin node license for each ise node/appliance/vm you enable device admin feature on. It doesn't matter if you're lucky and had the legacy license that provided 50 of these, or if you order each node license separately from the new sku. 

Customers Also Viewed These Support Documents