04-20-2017 05:44 PM - edited 03-11-2019 12:38 AM
Hey guys,
Does anyone know how the license will count for device administration via Radius in ISE?
Due to some restrictions I cannot utilize TACACS+ for the device admin, so the ISE has to function as a Radius server. The license guide says 'TACACS+ sessions do not consume a base license, but RADIUS sessions consume a base license.' so I would assume when a successful login occurs it consumes a base license in ISE. But during my lab testing it did not seem to be the case. I generated two telnet sessions on a switch using two different credentials, and in my ISE (v2.0) the base license count stayed '0'. The next day when I turned the ISE on, the base license showed '1' but after 30 minutes (the ISE license count updates every 1/2 hour) it went back to '0' even if the switch was running two concurrent logins.
I was a bit confused as I am not sure how the license will exactly count for the device admin radius sessions? Does it count for every successful radius session, or does it only count as per device (means regardless of how many active Radius logins on a device, the consumed license will count as one). Or does it not consume the base license at all?
Many thanks,
04-21-2017 05:03 AM
I had to get a device admin license, it allows for unlimited devices. I am using tacacs though, I can't get radius to work! Be good to know how you set it up to use radius?
04-21-2017 06:20 AM
Hi James, there should be a couple of posts out there showing how to do device admin via radius, sorry I don't have the URL at hand. Where did you get stuck? What device did you try to authenticate?
04-21-2017 06:29 AM
I got TACACS working fine, but there is nothing out there to get them both working at the same time, it will be F5s mainly, these are currently working fine on ACS..
04-23-2017 07:13 PM
Honestly I'm not sure. Our F5 is integrated with AD and I am not considering managing the F5 using radius in ISE.
04-21-2017 05:21 AM
I may be mistaken, but under the covers I believe it is the RADIUS Start accounting message that triggers ISE to allocate a base license for the session (and Stop accounting or timeout to de-allocate it).
I used ISE a couple of years back as the RADIUS server for a client's device administration before the Device Admin license was available. It worked fine but I didn't have occasion to dig into the details of if or how it allocated licenses.
04-21-2017 06:14 AM
Thanks Marvin, my test config did not include aaa accounting and that probably does the trick. I will give it a go.
Thanks!
04-23-2017 07:10 PM
Tried to have the accounting enabled on the device but the license count didn't seem to increase until I logged into another AAA enabled device. So looks like the license counts per device, not per radius session. I cannot really validate this as I don't know where to look for the consumption details and the license info is updated every 30 mins, by that time the session might be terminated and the license info might not be that accurate?
04-23-2017 07:19 PM
I will cross post into the partner community and see if anyone from the ISE team chimes in with a definitive answer.
04-24-2017 12:33 AM
Thanks!
04-24-2017 08:41 AM
The Cisco folks say it is the RADIUS Start-Stop accounting messages.
The following thread was cited:
https://supportforums.cisco.com/discussion/12951576/ise-license-consumption-and-releasing-licenses-radius
You might have to tcpdump the communications between the switch and ISE PSN to validate the messages going back and forth. You can do that using the ISE Troubleshooting Tools.
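One way to check the Start/Stop exchange from such a capture, as an added example that is not part of the original thread: this Python sketch decodes RADIUS Accounting-Request payloads (RFC 2866) and replays the Start and Stop records to list the sessions still open. The packets are constructed samples, `build_sample` is a hypothetical helper, and pulling the UDP payloads out of the capture file is assumed to be done separately.

```python
import socket
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
USER_NAME, NAS_IP, ACCT_STATUS, ACCT_SESSION_ID = 1, 4, 40, 44  # attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_accounting(packet):
    """Decode one RADIUS payload; return None unless it is an Accounting-Request."""
    length = int.from_bytes(packet[2:4], "big")  # header: code, id, length, authenticator
    if not 20 <= length <= len(packet):
        raise ValueError("truncated packet or bad length field")
    if packet[0] != ACCOUNTING_REQUEST:
        return None
    attrs, pos = {}, 20
    while pos < length:  # attributes are type, length, value triples
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    status, nas = attrs.get(ACCT_STATUS, b""), attrs.get(NAS_IP, b"")
    return {
        "status": STATUS.get(struct.unpack("!I", status)[0]) if len(status) == 4 else None,
        "nas": socket.inet_ntoa(nas) if len(nas) == 4 else None,
        "session_id": attrs.get(ACCT_SESSION_ID, b"").decode(errors="replace"),
        "user": attrs.get(USER_NAME, b"").decode(errors="replace"),
    }

def open_sessions(packets):
    """Replay Start/Stop records in order; return {(nas, session_id): user} still open."""
    active = {}
    for record in filter(None, map(parse_accounting, packets)):
        key = (record["nas"], record["session_id"])
        if record["status"] == "Start":
            active[key] = record["user"]
        elif record["status"] == "Stop":
            active.pop(key, None)
    return active

def build_sample(status, session_id, user, nas="192.0.2.10"):
    """Constructed Accounting-Request; authenticator is zeroed and not verified here."""
    def attr(kind, value):
        return bytes([kind, len(value) + 2]) + value
    body = (attr(USER_NAME, user.encode()) + attr(NAS_IP, socket.inet_aton(nas))
            + attr(ACCT_STATUS, struct.pack("!I", status)) + attr(ACCT_SESSION_ID, session_id.encode()))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed capture: two logins on one switch, then the first one logs out.
SAMPLE = [build_sample(1, "00000001", "alice"), build_sample(1, "00000002", "bob"),
          build_sample(2, "00000001", "alice")]
```

Calling `open_sessions(SAMPLE)` leaves only the second login open; comparing that list against the license count at the next refresh shows whether the count follows sessions or devices.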
08-27-2022 04:41 AM
Hi all,
I have a question, please.
Can I do accounting for device administration without a TACACS device admin license?
08-27-2022 05:02 AM - edited 08-27-2022 05:03 AM
I mean commands accounting, not endpoints accounting. My scope is to use ISE only for device administration.