Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
56626
Views
67
Helpful
24
Comments

ISE Licensing - Quick Access

Charlie Moreton
Cisco Employee
Cisco Employee

‎06-07-2018 01:18 PM - edited ‎03-22-2022 07:03 AM

I've had a lot of people ask for this, so I'll post it here.

I've created a Cisco ISE 2.x to 3.x License Migration Calculator, but I could not find a way to host it on Cisco sites and show the calculations as they happened.  For that reason, I put it on my external site, isedemolab.com.

 

This is for ISE versions prior to 3.0:

***NOTE the Base/Plus/Apex licenses AND the Virtual Machine VMS/VMM/VML Licenses have all reached End of Sale ***

End-of-Sale and End-of-Life Announcement for the Cisco Identity Services Engine Base, Plus and Apex License PIDs

End-of-Sale and End-of-Life Announcement for the Cisco Identity Services Engine Virtual Machine S/M/L

ISE_Licensing_2.7.png

 

While this graphic covers 3.0 through ISE 3.0 patch 3:

Licensing 3.0.png

 

NOW we need a new graphic for 3.1 (ISE 3.0 Patch 4 and newer will also be covered here):

Licensing 3.1.png

 

With the recent End of Life Announcement for the DNA Premier Licenses, I've removed the information from the ISE 3.0 and 3.1 Licensing slides.  The announcement can be seen here:  

End-of-Sale and End-of-Life Announcement for the Cisco DNA Premier License PIDs for Switching

End-of-Sale and End-of-Life Announcement for the Cisco DNA Premier License PIDs for Wireless

 

I've also made a video detailing the changes that can be found here:

ISE 3.0 Licensing Changes

 

Cisco ISE Licensing Changes from v2.x to v3.1

Cisco ISE Licensing Changes from v3.0 to v3.1

 

The resources used to create the video and slides are:

Cisco ISE Ordering Guide

http://cs.co/ise-ordering-guide

Cisco ISE License Migration Guide

http://cs.co/ise-migration-guide

Cisco ISE Licensing FAQ

http://cs.co/ise-license-faq

 

Cisco ISE 3.0 Admin Guide

http://cs.co/ise-30-admin

Cisco ISE 3.0 Release Notes

http://cs.co/ise-30-rn

 

Cisco ISE 3.1 Admin Guide

http://cs.co/ise-31-admin

Cisco ISE 3.1 Release Notes

http://cs.co/ise-31-rn

 

Comments
melgrove
Level 1
Level 1
‎06-25-2018 06:40 AM

Hi Charles, can you please confirm what happens to the legacy TACACS+ license on upgrade to ISE 2.4? The Ordering Guide Q&As state:

Q. We purchased Device Admin previously. Do I need to buy more licenses if I upgrade to 2.4? A. If you purchased Device Admin as a deployment-wide license, you can continue to utilize all nodes in the deployment for TACACS+ transactions even after upgrade to 2.4. This means the license entitles your deployment to the maximum number of nodes supported by ISE for the deployment.

But after recently upgrading a customer to 2.4, we have ended up with a single 50 device node license. What needs to be done to allow this to be extended to the other PSNs in the deployment?

Jason Kunst
Cisco Employee
Cisco Employee
‎06-25-2018 06:45 AM

50 nodes (psns) is the max deployment size . That’s correct and fine.

melgrove
Level 1
Level 1
‎06-25-2018 06:49 AM

Thanks Jason, it makes sense now. We have confused the maximum nodes with the amount of network devices supported and assumed that Cisco were being extremely restrictive....

gvanbon
Cisco Employee
Cisco Employee
‎07-09-2018 02:00 AM

Customer bought L-ISE-TACACS license for a fresh 2.4 deployment. How do we fix  that ?

Cheers

hslai
Cisco Employee
Cisco Employee
‎07-09-2018 08:39 AM

L-ISE-TACACS should still work on ISE 2.4. If not, then please check with ISE PM team.

Arie --
Level 1
Level 1
‎07-31-2018 04:03 AM

 Hi,

Just to make sure for TACACS+ license. When upgrading from ISE 2.3 to 2.4, are the 50 device administration nodes referred to PSN node or Network Access Devices (NAD)?

Marvin Rhoads
Hall of Fame
Hall of Fame
‎07-31-2018 07:53 AM

@Arie -- 

 

The 50 device administration nodes are ISE servers running the Device Administration persona. They can be co-existing with PSN (or other) persona nodes or dedicated for Device Administration.

Runner888
Level 4
Level 4
‎07-31-2018 08:20 AM

Hi All--As an extension to melgrove's comments, my client is currently running on ISE v2.3.098 (TACACS only) on a pair of VMs. My question, if the client wants to upgrade to ISE 2.4.xxx, will he:

1) Need to upgrade the license?

2) If yes to #1,  is this done automatically during the upgrade process or will he need to reach out to his AM/SE to coordinate the license migration/conversion effort?

 

Just trying to understand if ISE upgrade from pre 2.3 version to 2.4 will require involvement with Cisco AM/SE or Cisco licensing team. Thanks in advance.

 

Keith

AndreasKvist
Level 1
Level 1
‎11-15-2018 01:49 AM

Hi, I'm new to the ISE licensing model and have recieved a question regarding admin licensing. I understand that Device Admin Node is the key to decide how many Device admin licenses a customer needs for the implementation. 

 

However, I have not found a clear definition of what that is. 

 

Am I correct if a Device Admin Node is equal to a Admin persona of an ISE device?

 

BR

 

Andreas Kvist

Marvin Rhoads
Hall of Fame
Hall of Fame
‎11-15-2018 03:14 AM

@AndreasKvist when you add a node to an ISE deployment you choose which persona(s) it runs. Device Administration is a service that is optionally enabled on a node running Policy Service (PSN).

 

When enabled, that node is the one where you will direct your network devices (switches, routes, WLCs, firewalls etc.) for TACACS+ services.

 

It is a completely separate function from Admin persona role (Primary PAN or Secondary PAN).

Jason Kunst
Cisco Employee
Cisco Employee
‎11-15-2018 05:05 AM
Marvin is correct. And in ise 2.4 you all need a device admin license per psn running these services

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf
AndreasKvist
Level 1
Level 1
‎11-15-2018 05:22 AM

This is great. I´ve read throug the Ordering guide many times. I found this in the guide

 

"One ISE Device Administration license is required per Policy Service Node that operates on Device Administration transactions"

 

So, the situation is like this. Customer has two nodes, ie two hw appliances, with Device admin enabled on both nodes. The ISE units are configured as Primary and Secondary PAN, HA pair. 

 

Q1. They need 2 Device admin licenses?

 

Q2. Are the Base, Plus and Apex licenses available for both ISE appliances in case that the Primary unit fails?

 

BR

 

Andreas

Jason Kunst
Cisco Employee
Cisco Employee
‎11-15-2018 05:31 AM
All licenses are installed on the primary admin and these licenses when created should have the secondary admin udi information as well so that when failover occurs the deployment still has valid licensing

Base plus apex are licensed for the whole deployment

Device admin is licensed per psn but still installed on primary admin for the deployment


https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.pdf
AndreasKvist
Level 1
Level 1
‎11-15-2018 05:41 AM

Thank you Jason, really helpfull

jmarquez01
Level 1
Level 1
‎11-20-2018 06:28 PM
Hi Charlie: For radius device administration do I need license? or is just for tacacs? Thank You!
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents