Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
424
Views
5
Helpful
1
Replies

ISE licenses

Go to solution
raid_t
Level 1
Level 1

‎09-26-2019 01:43 PM - edited ‎09-26-2019 01:43 PM

Hello

 

Have a few question on a HA ISE setup.

 

Q1:For 2xPANs (active/passive), 2xMnTs and 8 PSNs. If only 2 Tacacs+ are need on this setup, does that mean only 2 Admin Licenses are needed (even though there are 8 PSNs in total)?

Q2: Is only 1 Base (Top level SKU) license required with X amount of sessions (even though there are 2 PANs active/standby)?

 

Q3: Should all the Admin Licenses (1, 2 or more...) along with the single Base be installed on the PAN node (primary only)?

 

Thanks in advance!

ton

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎09-26-2019 02:33 PM

1. Yes, you only need as many device admin node licenses as nodes you enable the device admin persona on, in your case two node licenses.

2. All licenses are shared in a deployment between the admin nodes. You only need as many licenses to cover active endpoints. If you were to use smart licensing then you can even share those licenses between multiple deployments. You just need to have enough licenses to cover the total active endpoints. Keep in mind that this can mean two licenses per endpoints though. You will always use a base license per mac address that actively authenticates, but you may also use a plus or apex license depending on the features.

3. Licenses are installed on the primary admin node, but you add the secondary admin node serial number when fulfilling the PAK. It could be beneficial looking at smart licensing again, it's the direction that all Cisco products are heading.


And you may have already determined this, but just being thorough, you also need a VM license (small/medium/large) per VM you deploy unless you are using physical SNS appliances.

View solution in original post

1 Reply 1

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎09-26-2019 02:33 PM

1. Yes, you only need as many device admin node licenses as nodes you enable the device admin persona on, in your case two node licenses.

2. All licenses are shared in a deployment between the admin nodes. You only need as many licenses to cover active endpoints. If you were to use smart licensing then you can even share those licenses between multiple deployments. You just need to have enough licenses to cover the total active endpoints. Keep in mind that this can mean two licenses per endpoints though. You will always use a base license per mac address that actively authenticates, but you may also use a plus or apex license depending on the features.

3. Licenses are installed on the primary admin node, but you add the secondary admin node serial number when fulfilling the PAK. It could be beneficial looking at smart licensing again, it's the direction that all Cisco products are heading.


And you may have already determined this, but just being thorough, you also need a VM license (small/medium/large) per VM you deploy unless you are using physical SNS appliances.
Customers Also Viewed These Support Documents