283 Views, 5 Helpful, 6 Replies

In a 2-node deployment, will both nodes serve as Device Admin or only 1?

MSJ1
Level 1

Refer to the quote below from the provided link. In a 2-node deployment, will both nodes serve as Device Admin or only 1?

"Licensing

A Device Administration license allows you to use TACACS+ services on a Policy Service node. In a high availability (HA) standalone deployment, a Device Administration license permits you to use TACACS+ services on a single Policy Service node in the HA pair.

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/225097-configure-tacacs-over-tls-1-3-on-an.html#toc-hId--1812571374 "

6 Replies

@MSJ1 you need to purchase one license for each PSN on which you wish to enable TACACS services (Device Administration).

@MSJ1 ,

please take a look at: ISE - What we need to know about TACACS+.

Quoting the document: Configure TACACS+ over TLS 1.3 on an IOS XE Device with ISE.

" ... A Device Administration license allows you to use TACACS+ services on a Policy Service Node. In a High Availability (HA) Standalone Deployment, a Device Administration license permits you to use TACACS+ services on a single Policy Service Node in the HA pair ... "

First of all ... "by the book":

  • a Deployment that has a single ISE Node is called a Standalone Deployment.
  • Standalone Deployment is not recommended for Production because redundancy is not provided.
  • a High Availability (HA) Deployment implies a pair of ISE Nodes working together to prevent a single point of failure.
  • please take a look at Performance and Scalability Guide for Cisco Identity Services Engine, search for Cisco ISE Deployments.

IMHO ... I don't like the term High Availability (HA) Standalone Deployment, for me the correct term would be: Two (2x) Standalone Deployments (because they are not working as "a pair"), in other words, I would write it like this:

" ... A Device Administration license allows you to use TACACS+ services on a PSN. In a Two Standalone Deployment (to simulate a HA environment), a Device Administration license permits you to use TACACS+ services on a single PSN of one of the Standalone Deployments ... "

 

Hope this helps!

Mafra
Level 1

Hi @MSJ1!

As far as I understand, TACACS is handled by the PSN persona, so in an HA deployment each PSN that has "device admin" enabled under Administration > Deployment will process TACACS packets and consume a license. So keep in mind that every node with "device admin" will need a license.

So in a two-node deployment, you’d need 2 licenses—one for each PSN if you want both to handle TACACS packets. Or you can use only one license with just one PSN having device admin enabled (and in that case, all the TACACS settings on the switches, WLCs, routers, etc. would have to point only to that node).

 

 

[Image: Mafra_4-1763639964741.png]

Primary node:

[Image: Mafra_5-1763640227652.png]

Secondary node:

[Image: Mafra_6-1763640263364.png]
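As an added example (not part of Mafra's post and not Cisco's own documentation), this is the IOS XE AAA configuration that implements the two cases described above: a TACACS+ server group listing both PSNs when both hold a Device Administration license, with a comment on what to remove when only one node is licensed. The server names, the 192.0.2.x addresses and the shared secret are placeholders chosen for the example.

```ios
! Added example (not from this thread or from Cisco documentation): IOS XE AAA
! configuration for a two-node ISE deployment in which BOTH PSNs have the
! Device Administration license and both should answer TACACS+ requests.
! Server names, addresses and the shared secret are placeholders.
aaa new-model
!
tacacs server ISE-PSN-1
 address ipv4 192.0.2.11
 key REPLACE-WITH-SHARED-SECRET
!
tacacs server ISE-PSN-2
 address ipv4 192.0.2.12
 key REPLACE-WITH-SHARED-SECRET
!
! Server group: the device tries the servers in the order listed, so
! ISE-PSN-1 is preferred and ISE-PSN-2 is used only if ISE-PSN-1 does not
! respond. With only ONE Device Administration license, list only the
! licensed PSN here (drop the "server name ISE-PSN-2" line): a node
! without the license will not process TACACS+ requests.
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Login, command authorization and accounting all go to the group,
! with local fallback if no PSN in the group answers.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
```

To spread load the way MSJ1 describes later in the thread (Device 1 preferring Node 1, Device 2 preferring Node 2), reverse the two `server name` lines on the second device; both nodes still need their own license. `show tacacs` shows per-server request and failure counters, which is the quickest way to confirm that requests are actually reaching the node you expect.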

 

 

@Mafra ,

 your understanding is correct, but the point here is the term High Availability (HA) Standalone Deployment, found not only in:

Configure TACACS+ over TLS 1.3 on an IOS XE Device with ISE (updated on Sep 30, 2025)

but also in

Cisco ISE - Manage Licenses (updated on May 29, 2025)

[Image: Device Admin License - Manage Licenses.png]

 however, it's not mentioned in either

Cisco ISE Licensing Guide 

or

Performance and Scalability Guide for Cisco Identity Services Engine.

 

@MSJ1 , @Mafra and @Rob Ingram ,

I'm gathering more information on this to suggest to Cisco clearer and more concise documentation on the subject.

 

Hope this helps!

 

@Marcelo Morais I think I understood your explanation for the term High Availability (HA) Standalone Deployment. As you said, I would rather say that in a 2-node Distributed Deployment, if both nodes have the Device License, both nodes can serve Device Administration requests in parallel. For example, if Device 1 points to ISE Node 1 it will serve TACACS, and at the same time, if Device 2 points to ISE Node 2, it will serve TACACS.

@MSJ1 ,

 yes, you fully understood ...

Distributed Deployment with 2x Nodes is called a Small Deployment. In a Small Deployment, one Node acts as Primary and the other as Secondary for redundancy (HA). Each Node has all Personas (PAN, MnT and PSN), and you must activate the Device Administration License on each Node (one License for each PSN) to handle TACACS+ Requests in parallel.

 

Note: a Standalone Deployment has only 1x Node and is not recommended for Production.

 

Hope this helps!