cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

182
Views
0
Helpful
3
Replies
Highlighted
Cisco Employee

Device Administration Using RADIUS

 Hi Team,

 

One of my customer has WLC and AP which doesn't support TACACS so they want to to the device administration using RADIUS. We have completed the POC for the customer but need to understand the License consumption. Do we need to include device admin license along with the 100 base license or only base license is enough.

 

Regards,

Hiten R

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Participant

If you're only using RADIUS for device admin instead of TACACS+, then BASE is fine.

View solution in original post

3 REPLIES 3
Highlighted
Participant

If you're only using RADIUS for device admin instead of TACACS+, then BASE is fine.

View solution in original post

Highlighted

How about the license consumption ? Is it based on device or based on session ?

Highlighted

Every successful Radius Authentication&Authorization for an Endpoint will consume 1 base license.  If the same Endpoint has 1000 repeat authentications then it's still only 1 base license consumed.  The NAS should ideally send Radius Accounting to ISE, because ISE uses that to track the session for that endpoint - and when WLC sends accounting Stop for that endpoint, then ISE should free up the license for that endpoint.

If you don't send Radius accounting then ISE has some internal logic when it decides to free up the license. I forget what the time interval is - it's like 1 hour or something.  it's very crude.