Showing results for 
Search instead for 
Did you mean: 

ISE 2.4 Licensing - Quick Access


I've had a lot of people ask for this, so I'll post it here.


Reference theISE Ordering Guide for more details








Device Admin


VM Licenses*
  • AAA
  • RADIUS/802.1x
  • Cisco TrustSec
  • Multiple APIs (ERS)
  • Guest Services
  • Device Profiling and Feed Service
  • BYOD with certificate authority
  • Cisco pxGrid identity and context sharing
  • Adaptive Network Control (ANC)
  • MSE Integration
  • Endpoint Posture compliance and remediation
  • MDM/EMM Integration
  • Threat Centric NAC (TC-NAC)


+AnyConnect Apex License

  • ISE Posture Module
  • Available in ISE 2.x
  • Prior to 2.4, a single license is needed for the entire deployment
  • Starting in 2.4, a separate license is required for every Device Admin Node*
  • Per deployment license is honored in 2.4 with fresh install or upgrade
  • Starting in 2.4, VMs will no longer be right-to-use
  • Key-based license dependent upon Virtual Resources asigned to the virtual appliance
  • Small, Medium, and Large VM sizes, each with a different SKU
  • Small: R-ISE-VMS-K9=
  • Medium: R-ISE-VMM-K9=
  • Large: R-ISE-VML-K9=
Perpetual (Permanent) License Subscription (1, 3, or 5 years) Subscription (1, 3, or 5 years)

Perpetual (Permanent) License

NOT Based upon Network Device count

Perpetual (Permanent) License


* = New License in 2.4

** = New SKU in 2.4


Hi Charles, can you please confirm what happens to the legacy TACACS+ license on upgrade to ISE 2.4? The Ordering Guide Q&As state:

Q. We purchased Device Admin previously. Do I need to buy more licenses if I upgrade to 2.4? A. If you purchased Device Admin as a deployment-wide license, you can continue to utilize all nodes in the deployment for TACACS+ transactions even after upgrade to 2.4. This means the license entitles your deployment to the maximum number of nodes supported by ISE for the deployment.

But after recently upgrading a customer to 2.4, we have ended up with a single 50 device node license. What needs to be done to allow this to be extended to the other PSNs in the deployment?

Cisco Employee

50 nodes (psns) is the max deployment size . That’s correct and fine.


Thanks Jason, it makes sense now. We have confused the maximum nodes with the amount of network devices supported and assumed that Cisco were being extremely restrictive....

Cisco Employee

Customer bought L-ISE-TACACS license for a fresh 2.4 deployment. How do we fix  that ?


Cisco Employee

L-ISE-TACACS should still work on ISE 2.4. If not, then please check with ISE PM team.



Just to make sure for TACACS+ license. When upgrading from ISE 2.3 to 2.4, are the 50 device administration nodes referred to PSN node or Network Access Devices (NAD)?

Hall of Fame Guru

@Arie -- 


The 50 device administration nodes are ISE servers running the Device Administration persona. They can be co-existing with PSN (or other) persona nodes or dedicated for Device Administration.


Hi All--As an extension to melgrove's comments, my client is currently running on ISE v2.3.098 (TACACS only) on a pair of VMs. My question, if the client wants to upgrade to ISE, will he:

1) Need to upgrade the license?

2) If yes to #1,  is this done automatically during the upgrade process or will he need to reach out to his AM/SE to coordinate the license migration/conversion effort?


Just trying to understand if ISE upgrade from pre 2.3 version to 2.4 will require involvement with Cisco AM/SE or Cisco licensing team. Thanks in advance.




Hi, I'm new to the ISE licensing model and have recieved a question regarding admin licensing. I understand that Device Admin Node is the key to decide how many Device admin licenses a customer needs for the implementation. 


However, I have not found a clear definition of what that is. 


Am I correct if a Device Admin Node is equal to a Admin persona of an ISE device?




Andreas Kvist

Hall of Fame Guru

@AndreasKvist when you add a node to an ISE deployment you choose which persona(s) it runs. Device Administration is a service that is optionally enabled on a node running Policy Service (PSN).


When enabled, that node is the one where you will direct your network devices (switches, routes, WLCs, firewalls etc.) for TACACS+ services.


It is a completely separate function from Admin persona role (Primary PAN or Secondary PAN).

Cisco Employee
Marvin is correct. And in ise 2.4 you all need a device admin license per psn running these services

This is great. I´ve read throug the Ordering guide many times. I found this in the guide


"One ISE Device Administration license is required per Policy Service Node that operates on Device Administration transactions"


So, the situation is like this. Customer has two nodes, ie two hw appliances, with Device admin enabled on both nodes. The ISE units are configured as Primary and Secondary PAN, HA pair. 


Q1. They need 2 Device admin licenses?


Q2. Are the Base, Plus and Apex licenses available for both ISE appliances in case that the Primary unit fails?





Cisco Employee
All licenses are installed on the primary admin and these licenses when created should have the secondary admin udi information as well so that when failover occurs the deployment still has valid licensing

Base plus apex are licensed for the whole deployment

Device admin is licensed per psn but still installed on primary admin for the deployment

Thank you Jason, really helpfull

Hi Charlie: For radius device administration do I need license? or is just for tacacs? Thank You!
Content for Community-Ad