Solved: ISE TACACS licensing question

Madura Malwatte · ‎12-01-2019

For TACACS license, in the license ordering guide it says that "One ISE Device Administration license is required per Policy Service Node that operates on Device Administration transactions". If I have 2 PSN's that means I will need to purchase 2 x L-ISE-TACACS-ND licenses? I want redundancy if one PSN goes down I can still authenticate tacacs to the secondary PSN.

Damien Miller · ‎12-01-2019

Yes, I certainly agree. If any deployment has the old deployment TACACS license, it will continue to provide support for 50 nodes. When you convert it to smart licensing it will be broken in to 50 TACACS nodes. We can think of that as a bonus for ISE TACACS early adopters.

View solution in original post

Damien Miller · ‎12-01-2019

As you are already alluding to, you need one L-ISE-TACACS-ND per node you enable the device admin persona on. So if you want HA like you say then two nodes minimum. Two of the license SKU you listed is correct.

If you had 10 PSN's, 2 MNT, and 2 PAN, but only wanted to run TACACS auth (device admin persona) against 5 PSN's, you would only require 5 TACACS node licenses.

Madura Malwatte · ‎12-01-2019

Hi Damien, thanks for the quick response and confirming. Okay, so this is a big change from the older tacacs licenses where it could license upto 50 PSN's.

Damien Miller · ‎12-01-2019

Yes, I certainly agree. If any deployment has the old deployment TACACS license, it will continue to provide support for 50 nodes. When you convert it to smart licensing it will be broken in to 50 TACACS nodes. We can think of that as a bonus for ISE TACACS early adopters.