Re: ISE - Network Admin Radius

Jason Maynard · ‎02-19-2019

Hi Folks,

Looking for confirmation on the following

- 1500 Network Devices that are managed by a team of 10.

- Use Radius to authenticate the user managing the network device. No TACACS today.

What is the minimum license required?

Also, would this change if they were also using TACACS outside of the Device Admin per node.

Thanks,

Jason

pan · ‎02-19-2019

TACACS uses Device admin

RADIUS uses base,plus.. license.

Check following doc[Ordering guide]:

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Jason Maynard · ‎02-19-2019

So in summary:

If using Radius for management of 1500 devices one would require
- 1500 base license
- 1500 plus license

If using TACACS for management of 1500 devices one would require
- 100 base license
- Device administration license per node

If using Radius and/or TACACS for management of 1500 devices one would require
- 1500 base license
- 1500 plus license
- Device administration license per node

ognyan.totev · ‎02-19-2019

Hi, prior to Ise 2.4 you need 1 licence for device administration (TACACS) . For radius device administration you will need the minimum 100 base license. I don’t think there will be 1500 concurrent sessions at same time. As you told there are 10 guys only and i dont think they will use 2 or 3 sessions per user. Radius is count per session. 1 session 1 licence . After sessions end it will release the licence.

Jason Maynard · ‎02-19-2019

Just looking for a firm answer and it is ISE 2.4

So to confirm

If using Radius for management of 1500 devices one would require
- 100 base license

If using TACACS and/or Radius for management of 1500 devices one would require
- 100 base license
- Device administration license per node

Thanks

Jason

ognyan.totev · ‎02-19-2019

Yes , i never use radius for device administration.

Thats why I suggest to use tacacs . And for Ise 2.4 it is per node.