Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3142
Views
0
Helpful
2
Replies

How Essentials License work in Cisco ISE

Go to solution
aaggarwal23
Level 1
Level 1

‎10-15-2020 08:27 AM

Hi,

 

I have ACS5.8 in my network with 500 devices license installed to it. As ACS is out of support now and we would like to move to ISE in next few months. I am wondering about How Essentials License work in Cisco ISE. Do we need to buy essentials license for 500 as we have in ACS now? I read in some Cisco Article saying Essentials license works based on Sessions. Can you some one explain me how it is different with ACS Device license?

 

Thanks in Advance!!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎10-15-2020 04:38 PM

Hi,

 

ACS was licensing number of network devices, not RADIUS or TACACS+ sessions. This is a huge difference in licensing model between ACS and ISE. ISE license number of simultaneous connections for RADIUS protocol (and respective features used on top of that like profiling or posturing), and also number of servers supporting TACACS+ protocol.

Here is an example: Let's assume that you currently have 4 ACS nodes, with a licese for a 500 devices, which you are using for AAA for network devices (TACACS+ protocol), and also for simple 802.1x on Wired/WiFi, and/or authentication of VPN users, where you have around 800 simultaneous users (e.g. company with 800 employees). ISE setup would be 4 ISE servers (please note that you also have a size of ISE server - check this link ), Essentials license for 1000 users (as there is a license enforcement, I'm adding certain comfort on top of required ones, also to predict growth; this license is required for a 802.1x) and 4x DeviceAdmin license (which would enable TACACS+ functionality on 4 ISE nodes).

With previous releases, there was a dependency that you must have a Base license (consider Essentials license as a successor for Base) installed, regardless of a quantity, in order to be able to install DeviceAdmin license. As new licensing model is quite new, I'm not sure if they transferred same logic to new licensing model.

Also, as far as I know, there was no easy way of estimating how many simultaneous RADIUS sessions you are using on ACS, so I always relied on guesstimate.

 

Best regards

View solution in original post

0 Helpful
2 Replies 2

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-15-2020 08:39 AM

essesntial should do - look Table 6.        Cisco ISE Device Administration license ( here is the good guide

 

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#CiscoISEDeviceAdminSKU

 

more information  here :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_man_license.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎10-15-2020 04:38 PM

Hi,

 

ACS was licensing number of network devices, not RADIUS or TACACS+ sessions. This is a huge difference in licensing model between ACS and ISE. ISE license number of simultaneous connections for RADIUS protocol (and respective features used on top of that like profiling or posturing), and also number of servers supporting TACACS+ protocol.

Here is an example: Let's assume that you currently have 4 ACS nodes, with a licese for a 500 devices, which you are using for AAA for network devices (TACACS+ protocol), and also for simple 802.1x on Wired/WiFi, and/or authentication of VPN users, where you have around 800 simultaneous users (e.g. company with 800 employees). ISE setup would be 4 ISE servers (please note that you also have a size of ISE server - check this link ), Essentials license for 1000 users (as there is a license enforcement, I'm adding certain comfort on top of required ones, also to predict growth; this license is required for a 802.1x) and 4x DeviceAdmin license (which would enable TACACS+ functionality on 4 ISE nodes).

With previous releases, there was a dependency that you must have a Base license (consider Essentials license as a successor for Base) installed, regardless of a quantity, in order to be able to install DeviceAdmin license. As new licensing model is quite new, I'm not sure if they transferred same logic to new licensing model.

Also, as far as I know, there was no easy way of estimating how many simultaneous RADIUS sessions you are using on ACS, so I always relied on guesstimate.

 

Best regards

0 Helpful
Customers Also Viewed These Support Documents