TACACS+ Licenses

dausedm
Level 1

Hello,

I am going to replace my ACS 5.8 infrastructure with Cisco ISE (2.x) TACACS+ to maintain the current TACACS+/RADIUS service.
I have about 9000 network devices (70% TACACS+ and 30% RADIUS) and I use only one large license for Cisco ACS 5.8.
For Cisco ISE 2.x, what licenses and how many licenses will I need with 3 PSNs, 1 primary PAN/Admin node and 1 secondary PAN/Admin node (Medium-Sized Network Deployment)?
Cisco ISE Device Admin Node License (L-ISE-TACACS-ND=) = how many?
Cisco ISE Base License (L-ISE-BSE-PLIC) = how many?
Other licenses?
Thanks for your help.

Accepted Solutions

Mike.Cifelli
VIP Alumni
You are going to need to determine roughly how many end users are on the network. Base licensing will get you basic network access, which includes 802.1X, TrustSec, etc. If you have requirements to utilize pxGrid, BYOD, profiling, etc., you will need to get ISE Plus licenses. Apex licenses will give you the ability to implement and use posture compliance. For a deeper understanding see:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0110.html

HTH!


Damien Miller
VIP Alumni
You will need one L-ISE-TACACS-ND= per ISE node you want to enable TACACS+ authentication on, typically only the PSNs unless you want to direct TACACS+ requests at your PANs.

L-ISE-BSE-PLIC is the top-level product ID for base licenses. So you will have that on a BOM, but it will have something like L-ISE-BSE-P4 nested under it if you order between 1000 and 2499 base licenses. This is done so that you can buy licenses in the exact quantity at a discount relative to the lesser tiers. The per-license price gets cheaper the more endpoint licenses you order.

You will also need VM ISE node licenses if you plan to run ISE as virtual appliances. If you order SNS hardware appliances to run ISE, then you do not need these. They are offered in small, medium, and large:
- Small: 3515 and 3615 templates use one R-ISE-VMS-K9= per node
- Medium: 3595 and 3655 templates use one R-ISE-VMM-K9= per node
- Large: 3595 (large) and 3695 templates use one R-ISE-VML-K9= per node

TACACS+ is no longer licensed on how many endpoints or devices are authenticating against the deployment; you only have to buy node licenses to enable it on a per-PSN basis. You need a minimum of 100 base licenses to install the TACACS+ licenses.

RADIUS authentication is counted per active session, so you will have to estimate how many concurrent RADIUS connections you will have. This is typically low in a device-admin-only deployment compared to the number of NADs, but much higher in a user/endpoint authentication deployment. This is the hardest part, since you need to estimate how many active sessions/device logins will be happening via RADIUS. You should be able to run some reports on ACS to help estimate this. Are you using this deployment for device authentication such as wireless/wired/guest, or just for logins to manage network devices (like TACACS+ but via RADIUS)? Example: one WLC can use 1000 base licenses if you are authenticating 1000 different MAC addresses via dot1x/guest. The same WLC using RADIUS/ISE only for device administration/management logins will use 1 license.

There is an ISE ordering guide, but it can be quite daunting if you don't deal with ISE every day.
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Hello Damien,

Thank you for your help.

I will order the SNS hardware appliances to run ISE:
- 3 SNS 3615 as PSNs
- 2 SNS 3695 as PAN/Admin

If I understood correctly,
- for TACACS+ authentication I have to buy 3 L-ISE-TACACS-ND= and 100 L-ISE-BSE-PLIC
- for RADIUS authentication, I've got about 2700 network devices, so which licenses do I have to order?

In any case, I am very surprised by this complexity of the licenses, which makes me spend at least 3 times more (3 x 10 000$ + ...) than the existing setup (only one large license = 10 000 $).

I would recommend working through your partner and Cisco sales on ordering and pricing. This is a technical community.

I agree with Jason, the dollar discussions are suited for your Cisco reps. They should also be able to help scope the order and build the BOM.

You mention you have 2700 NADs, but you don't indicate how you will leverage ISE with them. If you are just performing management/admin logins via RADIUS, then you probably don't need more than 2700 base licenses. You only need as many as cover the admin sessions.

If those 2700 NADs are doing client/user/endpoint auth such as dot1x or MAB, then you need to license based on the number of active endpoint MAC addresses. The example here is: a switch doing AAA client auth could have 20 endpoints authenticating, each using a license, or you could have a WLC with 500 clients authenticating. If you get into client authentication you have to start looking at Plus and Apex licensing if you leverage advanced features beyond basic authentication.
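Damien's accepted answer and his reply above both come down to the same measurement: base licenses are consumed by concurrent active RADIUS sessions, and a device-admin login over RADIUS counts very differently from a switch or WLC authenticating many endpoint MAC addresses. The script below is an added example, not code from this thread, from Cisco, or from ACS/ISE: it sweeps through a small set of RADIUS accounting Start/Stop events (constructed sample data in a CSV layout of my own choosing, not the ACS or ISE report format) and reports the peak number of concurrent sessions overall, split into endpoint sessions and device-admin sessions, plus the number of distinct endpoint MACs seen. The mapping of RADIUS Service-Type values to "endpoint" (Framed-User) versus "device admin" (Login-User, NAS-Prompt-User) is an assumption that you would check against your own NAD configuration; the column names are likewise invented for the example. It also handles two things real accounting data throws at you: a duplicate Stop for an already-closed session, and a session that never receives a Stop.

```python
"""Estimate peak concurrent RADIUS sessions from accounting Start/Stop events.

Added example (not from the Cisco Community thread). The CSV layout and the
Service-Type classification below are assumptions for illustration only.
"""
import csv
import io
from datetime import datetime

# Constructed sample accounting records. Session s6 never receives a Stop,
# and s1 receives a duplicate (retransmitted) Stop one second after the first.
SAMPLE_ACCOUNTING = """timestamp,status,session_id,calling_station_id,service_type
2019-05-01T08:00:00,Start,s1,00-11-22-33-44-01,Framed-User
2019-05-01T08:00:05,Start,s2,00-11-22-33-44-02,Framed-User
2019-05-01T08:00:30,Start,s6,00-11-22-33-44-04,Framed-User
2019-05-01T08:01:00,Start,s3,jdoe,Login-User
2019-05-01T08:02:00,Stop,s1,00-11-22-33-44-01,Framed-User
2019-05-01T08:02:00,Start,s4,00-11-22-33-44-01,Framed-User
2019-05-01T08:02:01,Stop,s1,00-11-22-33-44-01,Framed-User
2019-05-01T08:04:00,Start,s5,00-11-22-33-44-03,Framed-User
2019-05-01T08:04:30,Stop,s3,jdoe,Login-User
2019-05-01T08:05:00,Stop,s2,00-11-22-33-44-02,Framed-User
2019-05-01T08:06:00,Stop,s4,00-11-22-33-44-01,Framed-User
2019-05-01T08:07:00,Stop,s5,00-11-22-33-44-03,Framed-User
"""

# Assumed classification: dot1x/MAB endpoint sessions carry Framed-User;
# management logins proxied over RADIUS carry Login-User or NAS-Prompt-User.
ENDPOINT_SERVICE_TYPES = {"Framed-User"}
ADMIN_SERVICE_TYPES = {"Login-User", "NAS-Prompt-User"}


def parse_records(text):
    """Parse the CSV text into dicts, sorted by time with Stops before Starts
    at the same instant (a reconnect at the same second must not double-count)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    rows.sort(key=lambda r: (r["timestamp"], 0 if r["status"] == "Stop" else 1))
    return rows


def peak_concurrent_sessions(records, service_types=None):
    """Sweep the events in order, tracking the set of open session IDs.

    Returns (peak, still_open): the highest number of simultaneously open
    sessions and the IDs that never received a Stop. A Stop for an unknown or
    already-closed session is ignored rather than driving the count negative.
    """
    active = set()
    peak = 0
    for row in records:
        if service_types is not None and row["service_type"] not in service_types:
            continue
        sid = row["session_id"]
        if row["status"] == "Start":
            active.add(sid)
            peak = max(peak, len(active))
        elif row["status"] == "Stop":
            active.discard(sid)
        # Interim-Update or other statuses do not change the open/closed state.
    return peak, active


def license_estimate(records):
    """Summarise what base licensing would count: peak concurrent sessions,
    split by session kind, and the number of distinct endpoint MAC addresses."""
    overall_peak, orphans = peak_concurrent_sessions(records)
    endpoint_peak, _ = peak_concurrent_sessions(records, ENDPOINT_SERVICE_TYPES)
    admin_peak, _ = peak_concurrent_sessions(records, ADMIN_SERVICE_TYPES)
    endpoint_macs = {
        r["calling_station_id"] for r in records
        if r["service_type"] in ENDPOINT_SERVICE_TYPES
    }
    return {
        "peak_concurrent_sessions": overall_peak,
        "peak_endpoint_sessions": endpoint_peak,
        "peak_admin_sessions": admin_peak,
        "distinct_endpoint_macs": len(endpoint_macs),
        "sessions_without_stop": sorted(orphans),
    }


if __name__ == "__main__":
    for key, value in license_estimate(parse_records(SAMPLE_ACCOUNTING)).items():
        print(f"{key}: {value}")
```

On the constructed data the overall peak is 5 sessions, of which 4 are endpoint sessions and only 1 is the device-admin login; that is the split Damien is asking about. Sessions that never get a Stop (here s6) stay counted as open, which is the conservative choice when sizing, but a long list of them usually means the NAD is not sending accounting Stops and the estimate is inflated.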

Hi Damien,

You have mentioned that the medium VM license should support both the 3595 and 3655. But the official licensing guide (refer to the URL below) still says a medium VM license can have up to 64 GB RAM, while the 3655 VM recommendation is 96 GB. Could you please confirm whether this has changed from 2.6 and share any reference document available?

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf