What is the difference between L-ISE-TACACS= and L-ISE-TACACS-ND=?

rcampo
Level 1
What is the difference between the L-ISE-TACACS= and L-ISE-TACACS-ND= part numbers? The price difference is $4K list vs $6K list respectively. Also, the latest ordering guide references L-ISE-TACACS= as a legacy part #? No results via Google, no EOS, and not addressed in the ordering guide. Thanks.

Accepted Solutions

With ISE 2.4, Cisco changed the way the device administration is licensed:

 

Version 2.0 -> 2.3: Only one L-ISE-TACACS= is needed per deployment.

Version >= 2.4: One L-ISE-TACACS-ND= per Node that runs the device admin service is needed.

8 Replies

Hi Karsten

Regarding that, how can this be explained:

We had an ISE with Version 3.0.4.070, L-ISE-TACACS-ND and L-ISE-BSE-100 installed.

Now we have added a second one to the deployment, without L-ISE-TACACS-ND installed.

The Primary ISE now shows two Device Admin licenses:

On Monday we will do a test: "undeploy" the second one and have a look at what happens to the license quantity. I think it will reduce to one again on the Primary, and the secondary will have none.

But what will this mean to us? Do we need the second license or not?

After doing the test described above, I'm more confused than before.

To keep an overview for the following explanations, I will go through the whole procedure from the start:
ISE ONE, first installed, primary, no licenses.

ISE TWO, second installed, registered to ISE ONE, secondary, no licenses.

 

After installing licenses (L-ISE-TACACS-ND and L-ISE-BSE-100) on ISE ONE I can see 100 Base and 2 (!) Device Admin.

Promoting ISE TWO to primary: 100 Base and 2 Device Admin licenses.

Deregistering ISE ONE: 100 Base and 2 Device Admin licenses on ISE TWO. No more licenses on ISE ONE.

Reregister ISE ONE to ISE TWO:  100 Base and 2 Device Admin licenses.

Promoting ISE ONE to primary: 100 Base and 2 Device Admin licenses.

Deregistering ISE TWO:  100 Base and 2 Device Admin licenses on ISE ONE. No more licenses on ISE TWO.

Uninstall Device Admin Licenses from ISE ONE: No licenses on ISE ONE. No licenses on ISE TWO.

Install 1 (!) Device Admin License on ISE ONE: 100 Base and 2 (!!) Device Admin licenses on ISE ONE. No licenses on ISE TWO.

Register ISE TWO to ISE ONE: 100 Base and (still) 2 Device Admin licenses.

 

Conclusion:

Licenses are always kept on the primary, not on the ISE they are/were installed on.

Questions:

Why do I have 2 Device Admin Licenses, when only one is installed?

3.0.4.070 is the ADE-OS Build Version number but the ISE version is 2.4.0.357.

The licensing info is detailed in the Cisco ISE ordering guide.

The quantity of 2 means the license file is giving you 2 license counts of device admin licenses. If you open the file in a text editor, you should see a first line like the one below:

VENDOR_STRING=<COTERM>FALSE</COTERM><MIGRATION>FALSE</MIGRATION><FEED_SVC>FALSE</FEED_SVC><W_ONLY>FALSE</W_ONLY><W_UPG>FALSE</W_UPG><ALL_UPG>TRUE</ALL_UPG><Count>2</Count><PrimaryUDI>ISE-VM-K9:V01:SOMESERIAL</PrimaryUDI><secondaryUDI>::</secondaryUDI> \

This number should not depend on the number of ISE nodes with device admin enabled. If it does, then it seems to be a bug; please open a TAC case to check it out.

Please note that your entitlement is based on what you have purchased.

In version 3.0, do I need 2 admin licenses?

I have 1 deployment with:

1 primary administration node

1 secondary administration node

If you want to run TACACS on both, then yes. And for redundancy you probably want to.

TACACS services would run on the PSN personas, not on the admin nodes. You would need a TACACS license for each PSN if you want to run TACACS on all of them.

I was 99.9% sure that he implied that these nodes also run PSN ... Well, if not, this answer is maximally accurate.
