cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3624
Views
25
Helpful
4
Replies
Highlighted
Beginner

what is the difference between L-ISE-TACACS= and L-ISE-TACACS-ND=

What is the difference between L-ISE-TACACS= and L-ISE-TACACS-ND= part numbers?  The price difference is $4K list vs $6K list respectively.  Also the latest ordering guide references.  L-ISE-TACACS= as a legacy part #?  No results via Google, no EOS,  and not addressed in the ordering guide. Thanks. 

Everyone's tags (2)
4 REPLIES 4
VIP Mentor

Re: what is the difference between L-ISE-TACACS= and L-ISE-TACACS-ND=

With ISE 2.4, Cisco changed the way the device administration is licensed:

 

Version 2.0 -> 2.3: Only one L-ISE-TACACS= is needed per deployment.

Version >= 2.4: One L-ISE-TACACS-ND= per Node that runs the device admin service is needed.

Beginner

Re: what is the difference between L-ISE-TACACS= and L-ISE-TACACS-ND=

Hi Karsten

Regarding that, how can this be explained:

We had an ISE with Version 3.0.4.070, L-ISE-TACACS-ND and L-ISE-BSE-100 installed.

Now we got a second one into Deployment, without L-ISE-TACACS-ND installed.

The Primary ISE now shows two Device Admin licenses:

Unbenannt.JPG

On monday we will do a test, "undeploy" the second one and have a look, what will happen to the license quantity. I think, it will reduce to one again on the Primary. And the secondary will have None.

But what will this mean to us? Do we need the second license or not?

Beginner

Re: what is the difference between L-ISE-TACACS= and L-ISE-TACACS-ND=

After doing the above described test, I'm more confused than before.

To keep the overview for the following explanations, I will roll up the whole procedure from the start:
ISE ONE, first installed, primary, no licenses.

ISE TWO, second installed, registered to ISE ONE, secondary, no licenses.

 

After installing licenses (L-ISE-TACACS-ND and L-ISE-BSE-100) on ISE ONE I can see 100 Base and 2 (!) Device Admin.

Promoting ISE TWO to primary: 100 Base and 2 Device Admin licenses.

Deregistering ISE ONE: 100 Base and 2 Device Admin licenses on ISE TWO. No more licenses on ISE ONE.

Reregister ISE ONE to ISE TWO:  100 Base and 2 Device Admin licenses.

Promoting ISE ONE to primary: 100 Base and 2 Device Admin licenses.

Deregistering ISE TWO:  100 Base and 2 Device Admin licenses on ISE ONE. No more licenses on ISE TWO.

Uninstall Device Admin Licenses from ISE ONE: No licenses on ISE ONE. No licenses on ISE TWO.

Install 1 (!) Device Admin License on ISE ONE: 100 Base and 2 (!!) Device Admin licenses on ISE ONE. No licenses on ISE TWO.

Register ISE TWO to ISE ONE: 100 Base and (still) 2 Device Admin licenses.

 

Conclusion:

Licenses are always kept on primary, not on the ISE they are/were installed.

Questions:

Why do I have 2 Device Admin Licenses, when only one is installed?

Cisco Employee

Re: what is the difference between L-ISE-TACACS= and L-ISE-TACACS-ND=

3.0.4.070 is the ADE-OS Build Version number but the ISE version is 2.4.0.357.

The licensing info is in details @ the Cisco ISE ordering guide.

The quantity of 2 means the license file giving you 2 license counts of device admin licenses. If you open the file in a text editor, you should see the first line like below:

VENDOR_STRING=<COTERM>FALSE</COTERM><MIGRATION>FALSE</MIGRATION><FEED_SVC>FALSE</FEED_SVC><W_ONLY>FALSE</W_ONLY><W_UPG>FALSE</W_UPG><ALL_UPG>TRUE</ALL_UPG><Count>2</Count><PrimaryUDI>ISE-VM-K9:V01:SOMESERIAL</PrimaryUDI><secondaryUDI>::</secondaryUDI> \

This number should not depend on the number of ISE nodes with device admin enabled. If it is doing that, then it seems a bug and please open a TAC case to check it out.

Please note that your entitlement is based on what you have purchased.