08-22-2016 06:18 AM - edited 03-11-2019 12:01 AM
Hello Guys,
As you know, AnyConnect is now used instead of the NAC Agent. Do we need to purchase a license for that?
Regards
08-22-2016 08:13 PM
Yes. If you are deploying AnyConnect as an access agent (NAM) or ISE Posture module you require either AnyConnect Plus or Apex licenses. (Apex includes all AnyConnect features.)
ISE does not enforce the license use but it is required to be compliant with AnyConnect licensing terms.
08-23-2016 12:45 AM
Hi Marvin,
Thanks for your reply.
In my setup, I will order ISE-PLS and ISE-APX. Do I still need AnyConnect Plus/Apex?
And as far as I know, AnyConnect can't be installed on ISE; it should be installed on ASA. Where will the AnyConnect license be installed? And how many users am I going to require? For example, I have 500 users for ISE-PLS & ISE-APX.
Regards.
08-23-2016 05:38 AM
Whether you need AnyConnect licenses with ISE depends on how you are using ISE.
If you want to use AnyConnect NAM as the 802.1x supplicant, that requires AnyConnect Plus. In that case, AnyConnect can be deployed from ISE as part of client provisioning. It can also be pre-deployed outside of ISE either manually or via your enterprise software deployment tools (like Windows GPO or Microsoft SCCM).
If you also or instead want to use AnyConnect for Posture Assessment then you require AnyConnect Apex licenses. (The Apex license also includes the right to use the NAM feature.) Here, we can also deploy AnyConnect from ISE during the Posture Assessment process.
In both use cases where we deploy from ISE, the AnyConnect software (pkg file you may be familiar with from ASA use) can be uploaded onto the ISE server along with the associated profile.xml file that governs its behavior.
There is no license file or technical check that you have the license for AnyConnect. It is the administrator's responsibility to be compliant.
08-09-2020 06:05 PM
Quick question, Marvin: before licensing activation of the ASA, does it come with an APEX license by default?
08-10-2020 09:46 AM
Cisco ASA hardware appliances come with two AnyConnect "Premium" licenses by default. That's roughly equivalent to the current Apex tier (but without AnyConnect for Mobile or Advanced Endpoint Assessment).