10-15-2020 08:27 AM
Hi,
I have ACS5.8 in my network with 500 devices license installed to it. As ACS is out of support now and we would like to move to ISE in next few months. I am wondering about How Essentials License work in Cisco ISE. Do we need to buy essentials license for 500 as we have in ACS now? I read in some Cisco Article saying Essentials license works based on Sessions. Can you some one explain me how it is different with ACS Device license?
Thanks in Advance!!
Solved! Go to Solution.
10-15-2020 04:38 PM
Hi,
ACS was licensing number of network devices, not RADIUS or TACACS+ sessions. This is a huge difference in licensing model between ACS and ISE. ISE license number of simultaneous connections for RADIUS protocol (and respective features used on top of that like profiling or posturing), and also number of servers supporting TACACS+ protocol.
Here is an example: Let's assume that you currently have 4 ACS nodes, with a licese for a 500 devices, which you are using for AAA for network devices (TACACS+ protocol), and also for simple 802.1x on Wired/WiFi, and/or authentication of VPN users, where you have around 800 simultaneous users (e.g. company with 800 employees). ISE setup would be 4 ISE servers (please note that you also have a size of ISE server - check this link ), Essentials license for 1000 users (as there is a license enforcement, I'm adding certain comfort on top of required ones, also to predict growth; this license is required for a 802.1x) and 4x DeviceAdmin license (which would enable TACACS+ functionality on 4 ISE nodes).
With previous releases, there was a dependency that you must have a Base license (consider Essentials license as a successor for Base) installed, regardless of a quantity, in order to be able to install DeviceAdmin license. As new licensing model is quite new, I'm not sure if they transferred same logic to new licensing model.
Also, as far as I know, there was no easy way of estimating how many simultaneous RADIUS sessions you are using on ACS, so I always relied on guesstimate.
Best regards
10-15-2020 08:39 AM
essesntial should do - look Table 6. Cisco ISE Device Administration license ( here is the good guide
more information here :
10-15-2020 04:38 PM
Hi,
ACS was licensing number of network devices, not RADIUS or TACACS+ sessions. This is a huge difference in licensing model between ACS and ISE. ISE license number of simultaneous connections for RADIUS protocol (and respective features used on top of that like profiling or posturing), and also number of servers supporting TACACS+ protocol.
Here is an example: Let's assume that you currently have 4 ACS nodes, with a licese for a 500 devices, which you are using for AAA for network devices (TACACS+ protocol), and also for simple 802.1x on Wired/WiFi, and/or authentication of VPN users, where you have around 800 simultaneous users (e.g. company with 800 employees). ISE setup would be 4 ISE servers (please note that you also have a size of ISE server - check this link ), Essentials license for 1000 users (as there is a license enforcement, I'm adding certain comfort on top of required ones, also to predict growth; this license is required for a 802.1x) and 4x DeviceAdmin license (which would enable TACACS+ functionality on 4 ISE nodes).
With previous releases, there was a dependency that you must have a Base license (consider Essentials license as a successor for Base) installed, regardless of a quantity, in order to be able to install DeviceAdmin license. As new licensing model is quite new, I'm not sure if they transferred same logic to new licensing model.
Also, as far as I know, there was no easy way of estimating how many simultaneous RADIUS sessions you are using on ACS, so I always relied on guesstimate.
Best regards
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide