cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ISE 2.4 Licensing - Quick Access

16925
Views
32
Helpful
24
Comments

I've had a lot of people ask for this, so I'll post it here.

 

Reference theISE Ordering Guide for more details

 

Base

L-ISE-BSE-PLIC=**

Plus

L-ISE-PLS-LIC=**

Apex

L-ISE-APX-LIC=**

Device Admin

L-ISE-TACACS-ND=**

VM Licenses*
  • AAA
  • RADIUS/802.1x
  • Cisco TrustSec
  • Multiple APIs (ERS)
  • Guest Services
  • Device Profiling and Feed Service
  • BYOD with certificate authority
  • Cisco pxGrid identity and context sharing
  • Adaptive Network Control (ANC)
  • MSE Integration
  • Endpoint Posture compliance and remediation
  • MDM/EMM Integration
  • Threat Centric NAC (TC-NAC)

 

+AnyConnect Apex License

  • ISE Posture Module
  • TACACS+
  • Available in ISE 2.x
  • Prior to 2.4, a single license is needed for the entire deployment
  • Starting in 2.4, a separate license is required for every Device Admin Node*
  • Per deployment license is honored in 2.4 with fresh install or upgrade
  • Starting in 2.4, VMs will no longer be right-to-use
  • Key-based license dependent upon Virtual Resources asigned to the virtual appliance
  • Small, Medium, and Large VM sizes, each with a different SKU
  • Small: R-ISE-VMS-K9=
  • Medium: R-ISE-VMM-K9=
  • Large: R-ISE-VML-K9=
Perpetual (Permanent) License Subscription (1, 3, or 5 years) Subscription (1, 3, or 5 years)

Perpetual (Permanent) License

NOT Based upon Network Device count

Perpetual (Permanent) License

 

* = New License in 2.4

** = New SKU in 2.4

Comments
Rising star
Hi @jmarquez01 , DA licenses are strictly for T+. RADIUS device administration sessions take up a Base license. I should point out that T+ device administration sessions don't take up a Base license. Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf "TACACS+ sessions do not consume a base license, but RADIUS sessions consume a base license"
Beginner

ok

Beginner
Hi Nadav, thank you, now is clear for me.

 Hi Jason,

 

We have lot of deployments where ISE works Primary Admin and Secondary Admin HA way in ISE 2.1 version.

It' has enabled TACACS+ as well.

 

1)So what will happen if we upgrade this HA cluster to 2.4.

 

2) if the we promote secondary ISE to primary node, will tacacs function not work in the new primary node?

 

Regards

Hasitha

 

regards

Hasitha

Hall of Fame Master

@hasitha siriwardhana If you upgrade your pre-2.4 deployment which had the old style Device Administration license, it will remain in effect.

 

In other words, you will be licensed and able to run the Device Admin role on any or all nodes in your ISE deployment without having to purchase any additional licenses.

Beginner

Hello,

my understanding from postings above:

An ISE upgrade from <=2.3  to 2.4 automatically converts an installed legacy L-ISE-TACACS=

to a 50 Nodes L-ISE-TACACS-ND=

 

Now, we have some clients who ordered ISE and L-ISE-TACACS= several months ago

They have revceived their PAKs now, but not yet fulfilled or installed anything.

Can we still fulfill the PAK, generate a (legacy) license file

and import this (legacy) dev admin license file to a new (or re-imaged) ISE 2.4 PAN ?

in other words:

Will freshly installed ISE 2.4 accept the legacy license file and we end up with a 50 Node DevAdmin ?

 

If not: how do we fix this ?

 

BR

Frank

Rising star

To enjoy being "grandfathered in", you'll need to upgrade from an ISE version older than 2.4.

 

You can't install a single DA license on ISE 2.4 and have it become 50 DA licenses, regardless of when it was bought.

Cisco Employee

Nadav,

Do you have a screen capture of an ISE 2.4 fresh install with the L-ISE-TACACS= license key installed? We have heard people tell us something similar to what you suggest but have never gotten a screen capture from anyone showing us the problem.

Thanks in Advance, Kevin

Beginner

Hi,

found solution in this thread:

> Cisco ISE 2.4 with L-ISE-TACACS= SKU

> yes you can apply it directly to a 2.4 deployment. 
> did it just the other day.

BR

Frank