06-18-2021 12:35 AM
Good Day,
We have an environment that has multiple users who attach to the network with Cisco AnyConnect VPN and ASA firewalls. We are using a Cisco ACS server at the moment, but are looking to migrate to the ISE product in the coming weeks.
The AnyConnect clients are licensed on the firewall to connect.
The users are authenticated with ACS and AD.
I am trying to find out if I need the Apex license on the ISE server to allow these same users to log in to the network via VPN or if I can get by with only the Base and Plus license.
The ISE server is running version 2.7 and has Base and Plus permanent licenses.
The old ACS server has a "large deployment" permanent license.
Thanks in advance.
Regards
Amanda
06-18-2021 01:39 AM - edited 06-18-2021 01:40 AM
For your use case, you only need the AnyConnect license as defined by your VPN gateway. You probably have PLUS enabled on the ASA and the ISE does not need anything more. You can directly authenticate and authorize your users on the ISE.
If you want to add a compliance check of the VPN-devices at a later point, you need the APEX (or PREMIER after upgrading to ISE 3) licenses on the ISE *and* APEX licenses for AnyConnect.