Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
815
Views
0
Helpful
7
Replies

ISE Licensing Issue

Go to solution
Mustafa Habibi
Level 1
Level 1

‎03-11-2017 10:40 PM - edited ‎03-11-2019 12:32 AM

Dears in support

I have plan to deploy cisco ISE, I am a little confused about licensing. I have plan to manage almost 500 end host. which license should I select? for deployment we prefer to use appliance. what is requirement of it? only purchasing SNS 3515 plus affiliated license. or anything else.

Regards

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Mustafa Habibi

‎03-12-2017 09:40 PM

If you are only doing device administration you technically do not consume any Base licenses. However you need to purchase the minimum quantity (100) for your appliance as it's required by Cisco. You then add the Device Admin license. That entitles you to manage any number of devices no matter how many admins,  concurrent or not. 

Reference: 

http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-12-2017 07:13 AM

The appliance itself does not require any license. However the support contract you buy for it will give you entitlement to request TAC support and downlaod software updates for your deployment.

Your ISE deployment has several licensing options:

1. You start with perpetual Base licenses (required - one license per concurrent active endpoint).

2. You then optionally add Plus (adds Device Registration and Profiling among other things) as Apex (adds Posture and MDM integration) term licenses. The available terms are 1, 3 and 5 years.

3. You also have the option of adding a Device Admin perpetual license to allow ISE to act as a TACACS+ server to provide AAA services administering your network devices.

Note if you are doing Posture Assessment you are also required to have AnyConnect Apex licenses for the endpoints.

0 Helpful

Go to solution
Mustafa Habibi
Level 1
Level 1
In response to Marvin Rhoads

‎03-12-2017 09:20 PM

Dear Marvin

Many thanks for your comments, we are 5 admin person responsible for managing max 500 router, switch and firewall which all of them are in production environment (online). our main object is only deployment of AAA in ISE. the point which I got from your comment is first purchasing Device Admin perpetual license to allow ISE to act as a TACACS+ server to provide AAA services to our network. am I right? second I am a little confused about Licenses are counted against concurrent active sessions or are counted against concurrent active devices. we (5 admin) may have max 10 active concurrent session. do we need to purchase 500 base license for covering our 500 concurrent active devices or only need 10 base license for covering our max 10 active concurrent session?

waiting for your valuable comments.

Regards

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Mustafa Habibi

‎03-12-2017 09:40 PM

If you are only doing device administration you technically do not consume any Base licenses. However you need to purchase the minimum quantity (100) for your appliance as it's required by Cisco. You then add the Device Admin license. That entitles you to manage any number of devices no matter how many admins,  concurrent or not. 

Reference: 

http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

0 Helpful

Go to solution
Mustafa Habibi
Level 1
Level 1
In response to Marvin Rhoads

‎03-14-2017 12:06 AM

Dear Marvin

Many thanks for your informative reply, as I mentioned now we are accessing almost 500 devices using their local database through SSH and authentication is IP based using ACL. there is no authorization and accounting procedure. we want to deploy AAA through ISE with SNS appliance special because we need to change the password in short period of time(sensitive and time consuming process). could you please help us about hardware and software requirement for deployment?

your always assistant is highly appreciated.

Regards

  

0 Helpful

Go to solution
Mustafa Habibi
Level 1
Level 1
In response to Mustafa Habibi

‎03-14-2017 02:02 AM

Dear Marvin

The points which I got from you comments are for deployment of AAA using ISE with cisco appliance we need first:- cisco SNS 3515 appliance Second:- cisco ISE base license for 100 endpoint third:- device admin license.

Waiting for your comments.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Mustafa Habibi

‎03-14-2017 06:10 AM

Yes, that's correct.

The appliance should also be purchased with a support contract (Smartnet). You have chosen the hardware appliance - one can also do the same thing with a VM of equivalent CPU, memory and disk.

I would also recommend to you the resources listed at the following page:

https://communities.cisco.com/docs/DOC-64012#jive_content_id_Device_Administration_TACACS

There are many useful links and guides listed there that will help you get started.

0 Helpful

Go to solution
Mustafa Habibi
Level 1
Level 1
In response to Marvin Rhoads

‎03-14-2017 09:34 PM

Dear Marvin

Many thanks for sharing your valuable information.

Regards

0 Helpful
Customers Also Viewed These Support Documents