cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

368
Views
10
Helpful
1
Replies
smano
Cisco Employee

License consumption for Radius device admin

Hello Folks, 

 

I know how device admin license work for TACACS. May I know how base license been consumed for device administration using radius, is it per network device count or per radius session?

 

Thanks. 

1 ACCEPTED SOLUTION

Accepted Solutions
Damien Miller
VIP Advisor

So my experience with this in the field is that RADIUS device admin uses zero licenses. I have done a couple of 20k NAD device admin deployments and a handful of small ones, they were all a mix of RADIUS and TACACS. Not a single one of these deployments used any of the base licenses.

Maybe this is because ISE tracks active radius sessions from radius accounting start messages, and radius device admin authentication's don't typically send accounting. I took a look, and with 20k NADs, only a handful of avocent console servers send radius accounting. I still plan licensing around the approximate number of NADs that would have active sessions, and not unique admin sessions on each device.

I would say though, something official should be added to the ISE licensing guide because it comes up from time to time and it's always fuzzy.

View solution in original post

1 REPLY 1
Damien Miller
VIP Advisor

So my experience with this in the field is that RADIUS device admin uses zero licenses. I have done a couple of 20k NAD device admin deployments and a handful of small ones, they were all a mix of RADIUS and TACACS. Not a single one of these deployments used any of the base licenses.

Maybe this is because ISE tracks active radius sessions from radius accounting start messages, and radius device admin authentication's don't typically send accounting. I took a look, and with 20k NADs, only a handful of avocent console servers send radius accounting. I still plan licensing around the approximate number of NADs that would have active sessions, and not unique admin sessions on each device.

I would say though, something official should be added to the ISE licensing guide because it comes up from time to time and it's always fuzzy.

View solution in original post

Content for Community-Ad