05-03-2018 11:02 AM - edited 02-21-2020 10:55 AM
What is the difference between L-ISE-TACACS= and L-ISE-TACACS-ND= part numbers? The price difference is $4K list vs $6K list respectively. Also the latest ordering guide references. L-ISE-TACACS= as a legacy part #? No results via Google, no EOS, and not addressed in the ordering guide. Thanks.
Solved! Go to Solution.
05-03-2018 02:11 PM
With ISE 2.4, Cisco changed the way the device administration is licensed:
Version 2.0 -> 2.3: Only one L-ISE-TACACS= is needed per deployment.
Version >= 2.4: One L-ISE-TACACS-ND= per Node that runs the device admin service is needed.
05-03-2018 02:11 PM
With ISE 2.4, Cisco changed the way the device administration is licensed:
Version 2.0 -> 2.3: Only one L-ISE-TACACS= is needed per deployment.
Version >= 2.4: One L-ISE-TACACS-ND= per Node that runs the device admin service is needed.
07-06-2018 06:44 AM - edited 07-06-2018 06:47 AM
Hi Karsten
Regarding that, how can this be explained:
We had an ISE with Version 3.0.4.070, L-ISE-TACACS-ND and L-ISE-BSE-100 installed.
Now we got a second one into Deployment, without L-ISE-TACACS-ND installed.
The Primary ISE now shows two Device Admin licenses:
On monday we will do a test, "undeploy" the second one and have a look, what will happen to the license quantity. I think, it will reduce to one again on the Primary. And the secondary will have None.
But what will this mean to us? Do we need the second license or not?
08-21-2018 06:11 AM
After doing the above described test, I'm more confused than before.
To keep the overview for the following explanations, I will roll up the whole procedure from the start:
ISE ONE, first installed, primary, no licenses.
ISE TWO, second installed, registered to ISE ONE, secondary, no licenses.
After installing licenses (L-ISE-TACACS-ND and L-ISE-BSE-100) on ISE ONE I can see 100 Base and 2 (!) Device Admin.
Promoting ISE TWO to primary: 100 Base and 2 Device Admin licenses.
Deregistering ISE ONE: 100 Base and 2 Device Admin licenses on ISE TWO. No more licenses on ISE ONE.
Reregister ISE ONE to ISE TWO: 100 Base and 2 Device Admin licenses.
Promoting ISE ONE to primary: 100 Base and 2 Device Admin licenses.
Deregistering ISE TWO: 100 Base and 2 Device Admin licenses on ISE ONE. No more licenses on ISE TWO.
Uninstall Device Admin Licenses from ISE ONE: No licenses on ISE ONE. No licenses on ISE TWO.
Install 1 (!) Device Admin License on ISE ONE: 100 Base and 2 (!!) Device Admin licenses on ISE ONE. No licenses on ISE TWO.
Register ISE TWO to ISE ONE: 100 Base and (still) 2 Device Admin licenses.
Conclusion:
Licenses are always kept on primary, not on the ISE they are/were installed.
Questions:
Why do I have 2 Device Admin Licenses, when only one is installed?
09-01-2018 10:50 AM
3.0.4.070 is the ADE-OS Build Version number but the ISE version is 2.4.0.357.
The licensing info is in details @ the Cisco ISE ordering guide.
The quantity of 2 means the license file giving you 2 license counts of device admin licenses. If you open the file in a text editor, you should see the first line like below:
VENDOR_STRING=<COTERM>FALSE</COTERM><MIGRATION>FALSE</MIGRATION><FEED_SVC>FALSE</FEED_SVC><W_ONLY>FALSE</W_ONLY><W_UPG>FALSE</W_UPG><ALL_UPG>TRUE</ALL_UPG><Count>2</Count><PrimaryUDI>ISE-VM-K9:V01:SOMESERIAL</PrimaryUDI><secondaryUDI>::</secondaryUDI> \
This number should not depend on the number of ISE nodes with device admin enabled. If it is doing that, then it seems a bug and please open a TAC case to check it out.
Please note that your entitlement is based on what you have purchased.
02-08-2024 03:53 PM
in 3.0 version, Do I need 2 admin licenses?
I have 1 deployment with:
1 primary administration node
1 secondary administration node
02-09-2024 12:24 AM
If you want to run TACACS on both, then yes. And for redundancy you probably want to.
02-09-2024 03:41 AM - edited 02-09-2024 03:42 AM
TACACS services would run on the PSN personas not on the admin nodes, you would need a TACACS license for each PSN if you want to run TACACS on all of them.
02-09-2024 03:56 AM
I was 99,9% sure that he implied that these nodes also run PSN ... Well, if not, this answer is maximum accurate.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide