
ISE 2.0 licensing

Hello all,

Currently I am running a standalone deployment of an ISE 2.0.1.
I want to deploy an ISE 2.0 in a distributed environment, and have some questions regarding licensing:

- I want to deploy every node as VM, do I need a VM license for each node?
- When setting up my nodes, do I have to enter everywhere toe Edit: I don't know what I wrote there, was in a hurry.
- I will need TACACS+, what is the product identifier for the "device administration licence"?
- When I want to deploy one primary and one secondary admin node, do I need two base licences?

Thanks in advance!


Joseph Johnson
Level 1

1. Yes, you will need a VM license for each node in the deployment.

2. Not sure what your question is but there isn't anything you need to enter to set up the node as far as the server licensing goes.

3. The product identifier is whatever is shown under Administration > Licensing or the show udi CLI command.

4. No. Base licenses are for clients. You order the number based on the expected concurrent client count and install them on the Primary admin node. They will automatically roll over to the secondary. When you submit the PAK, you will need the UDI info from both the primary and secondary admin nodes.

Hello Joseph, hello Marvin,

thanks for your replies.

To number 4: with "base licenses" I didn't mean the client base licenses, but the smallest license required to run an ISE, as shown in the first table in "http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0110.html"

Or do I get this wrong, and both license types I mentioned are the same and I get the base functionality with the client base license?

Another question:
So when I say that I will set up 10 nodes (1 primary admin, 1 secondary admin, 2 monitor nodes and 6 policy service nodes), will I only need:
- 10 VM licences? ("ISE-10VM-K9", a package bundle with 10 VM licences)
- Licenses depending on the number of my clients (For example: "L-ISE-BSE-2500", for 2500 endpoints)
- the Device Administration license "L-ISE-TACACS.=." 

Thanks again for your help, as a student trying to get into the Cisco AAA environment, this forum here is very helpful!

You get the basic functionality (AAA/802.1x auth, guest management, etc.) for the clients with the Base license. That will cover you for wired and wireless users. The VM license is only for allowing you to install ISE on a VM host. The VM license does not include any other licensing (e.g. Base).

For the second part: Yes. 10 VM licenses, the number of Base licenses equal to or greater than the number of concurrent users you believe you will have, and the Device Administration license for TACACS+ is all you need for the starting point. You do not need the Device Administration license if you will not be using ISE as a TACACS+ server. You can always add the other licenses (Plus and Apex) later for additional functionality.

Hello Marvin,

in case when there are two SN-3515 appliances, do we need one or two Device Administration licenses "L-ISE-TACACS", to be able to provide high availability?

Thank you in advance,

Nikola

Hi Nikola,
I assume it depends on whether your two appliances are in the same ISE cluster or are both running as separate instances, not knowing each other.
In case they are in the same cluster, you will only need one license, as licences are distributed on the whole deployment, otherwise you will need two.

But I think [@mrhoads-cco]  can give you a more reliable answer.

Greetings,
Max

nikolami11  ,

[@usi.usinger] is correct. The Device Administration license needs only be purchased once for a given deployment. It (and all ISE licenses) is good for the entire deployment, including all nodes.

For HA, you need to enable the role in both of your nodes once you've installed the license.

Remember that TACACS (or RADIUS) HA also depends on the capabilities of the network device (switch, router, WLC etc.). Most Cisco devices use the first server in a AAA method list unless and until it is unavailable. Then it fails over to the second (third etc.). So you usually don't get load balancing unless you have your AAA server behind a load balancer or application delivery controller (like Citrix Netscaler or F5 Big-IP LTM).

Hi Marvin,

Can you please explain what if we have 4 ISE servers on two different locations, on each location 2 servers for high availability? How many Device Admin licenses and Base licenses do we need in that case? For example 500 Base users in total.

Thank you so much in advance!

Best regards,

Bojana

bojanapavlica  ,

As long as it's all one ISE deployment, the licenses are per deployment - no matter whether it is one node or 100. You do have to buy the appliances or VMs separately (for support) but the ISE licenses are shared across the deployment.

If by base users you are talking endpoints (not network devices for which ISE is the TACACS+ server) then you would need 500 Base licenses.

The Device Admin license is only purchased as quantity one for the entire deployment no matter how many devices you are managing.

Thank you Martin so much for your quick reply and explanation.

Have a nice day!

Regards,

Bojana

You're welcome.

Please rate helpful replies.

Is this still true in 2.4?  Can't find the reference. 

Marvin Rhoads
Hall of Fame

Technically the VMs aren't licenses that you redeem and install but you need to buy the ISE VM product for each VM you install.

Nothing will prevent a user technically from downloading once and installing many times but they would be violating the terms of use / End User Licensing Agreement (EULA) that they agree to when they downloaded the OVA.

The device admin license product identifier (SKU or Stock Keeping Unit) is L-ISE-TACACS.=. 

Hello Marvin,

thanks for your reply.
My answer is beyond Joseph's reply.