Device Administration in ISE using Radius - Does it consume base license

Meng Li
Level 1

Hey guys,

Does anyone know how the license will count for device administration via Radius in ISE?

Due to some restrictions I cannot utilize TACACS+ for the device admin, so the ISE has to function as a Radius server. The license guide says 'TACACS+ sessions do not consume a base license, but RADIUS sessions consume a base license.' so I would assume when a successful login occurs it consumes a base license in ISE. But during my lab testing it did not seem to be the case. I generated two telnet sessions on a switch using two different credentials, and in my ISE (v2.0) the base license count stayed '0'. The next day when I turned the ISE on, the base license showed '1' but after 30 minutes (the ISE license count updates every 1/2 hour) it went back to '0' even if the switch was running two concurrent logins.

I was a bit confused as I am not sure how the license will exactly count for the device admin radius sessions? Does it count for every successful radius session, or does it only count as per device (meaning regardless of how many active Radius logins on a device, the consumed license will count as one). Or does it not consume the base license at all?

Many thanks,


James Davies
Level 1

I had to get a device admin license, it allows for unlimited devices. I am using TACACS though, I can't get RADIUS to work! Be good to know how you set it up to use RADIUS?

Hi James there should be a couple of posts out there showing how to do device admin via radius, sorry I don't have the URL at hand. Where did you get stuck? What device did you try to authenticate?

I got TACACS working fine, but there is nothing out there to get them both working at the same time, it will be F5s mainly, these are currently working fine on ACS..

Honestly I'm not sure. Our F5 is integrated with AD and I am not considering managing the F5 using radius in ISE.

Marvin Rhoads
Hall of Fame

I may be mistaken, but under the covers I believe it is the RADIUS Start accounting message that triggers ISE to allocate a base license for the session (and Stop accounting or timeout to de-allocate it).

I used ISE a couple of years back as the RADIUS server for a client's device administration before the Device Admin license was available. It worked fine but I didn't have occasion to dig into the details of if or how it allocated licenses. 

Thanks Marvin, my test config did not include aaa accounting and that probably does the trick. I will give it a go.

Thanks!

Tried to have the accounting enabled on the device but the license count didn't seem to increase until I logged into another AAA enabled device. So it looks like the license counts per device, not per radius session. I cannot really validate this as I don't know where to look for the consumption details and the license info is updated every 30 mins, by that time the session might be terminated and the license info might not be that accurate?

I will cross post into the partner community and see if anyone from the ISE team chimes in with a definitive answer. 

Thanks!

The Cisco folks say it is the RADIUS Start-Stop accounting messages.

The following thread was cited:

https://supportforums.cisco.com/discussion/12951576/ise-license-consumption-and-releasing-licenses-radius

You might have to tcpdump the communications between the switch and ISE PSN to validate the messages going back and forth. You can do that using the ISE Troubleshooting Tools.
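
As an added example (not part of the original thread and not Cisco tooling), the following Python code decodes RADIUS Accounting-Request payloads taken from such a capture and replays the Start/Stop messages to show which sessions are still open per NAS. Attribute numbers follow RFC 2866; the `build` helper and the sample packets are constructed for illustration, and the output shows only what the switch sent, not how ISE counts licenses.

```python
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code, RFC 2866
USER_NAME, NAS_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 40, 44
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_accounting(payload):
    """Decode one UDP payload; return a dict for an Accounting-Request, else None."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(payload):
        return None
    rec, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # malformed TLV, ignore the packet
        value = payload[pos + 2:pos + alen]
        if atype == ACCT_STATUS_TYPE and alen == 6:
            rec["status"] = STATUS.get(struct.unpack("!I", value)[0], "Other")
        elif atype == ACCT_SESSION_ID:
            rec["session"] = value.decode("utf-8", "replace")
        elif atype == USER_NAME:
            rec["user"] = value.decode("utf-8", "replace")
        elif atype == NAS_IP and alen == 6:
            rec["nas"] = ".".join(map(str, value))
        pos += alen
    return rec

def open_sessions(payloads):
    """Replay payloads in capture order; return {(nas, session_id): user} still open."""
    active = {}
    for rec in filter(None, map(parse_accounting, payloads)):
        key = (rec.get("nas"), rec.get("session"))
        if rec.get("status") == "Start":
            active[key] = rec.get("user")
        elif rec.get("status") == "Stop":
            active.pop(key, None)
    return active

def build(status, session, user, nas="10.0.0.1"):
    # Hypothetical helper: constructed Accounting-Request with a zeroed authenticator.
    attrs = [(USER_NAME, user.encode()), (NAS_IP, bytes(map(int, nas.split(".")))),
             (ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, session.encode())]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample: two telnet logins on one switch, then the first logs out.
SAMPLE = [build(1, "0000000A", "admin1"), build(1, "0000000B", "admin2"), build(2, "0000000A", "admin1")]
```

If the capture contains no Accounting-Request packets at all, `open_sessions` returns an empty dict, which matches a device configured for authentication only.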

Hi all,

I have a question, please.

Can I do accounting for device administration without a TACACS device admin license?

I mean command accounting, not endpoint accounting. My scope is to use ISE only for device administration.
