Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1011
Views
10
Helpful
8
Replies

ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

SHABEEB KUNHIPOCKER
Level 3
Level 3

‎09-26-2019 04:09 AM - edited ‎02-21-2020 09:45 PM

Hi,

 

We are planning to configure anyconnect VPN posture for our remote clients through ASA and Cisco ISE (version 2.6). I would like to clarify whether we need any specific license on the ASA to have the posture functionality. On ISE we have the below licenses

 

L-ISE-APX-S-10K

L-AC-APX-LIC=

L-ISE-PLS-S-5K=

L-ISE-BSE-100K=

 

Kindly advise if we are missing anything.

Labels:
0 Helpful
8 Replies 8

Marius Gunnerud
VIP
VIP

‎09-29-2019 09:34 AM

The AnyConnect Apex license includes all AnyConnect features so you are all set on that part.

For the ISE, the ISE doesn't enforce the license usage, but if you want to take full advantage of ISE with regard to endpoint details, you will require an ISE plus license, which you also have.

You are all set.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-29-2019 10:07 PM

ISE Compliance (Posture) requires ISE Apex licenses.

Reference page 16 of the ISE Ordering Guide for confirmation:

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

0 Helpful

SHABEEB KUNHIPOCKER
Level 3
Level 3
In response to Marvin Rhoads

‎09-30-2019 12:58 AM

Hi Marvin,

 

So from the ASA side we do not need any license?.

 

Thanks

0 Helpful

Marius Gunnerud
VIP
VIP
In response to SHABEEB KUNHIPOCKER

‎09-30-2019 01:16 AM

As I mentioned above you have the licenses required to take full advantage of AnyConnect and ISE.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to SHABEEB KUNHIPOCKER

‎09-30-2019 05:04 AM

It's as @Marius Gunnerud correctly noted.

The L-AC-APX-LIC= license gives you a PAK that you redeem for an activation key to install that particular license on the ASA.

It works in conjunction with the ISE licenses (primarily Base and Apex ISE licenses, Plus licenses if you are using features like profiling or Device Registration) to give the full set of features.

0 Helpful

SHABEEB KUNHIPOCKER
Level 3
Level 3
In response to Marvin Rhoads

‎10-01-2019 01:05 AM

Hi,

 

I tried to generate an activation key from the PAK. But I got the message that the license is already converted to smart entitlement. My ASA is 5585 and I need to check if it can be changed to smart licensing mode. But my question is that if I connect my ASA to smart licensing cloud, all my existing licenses in ASA should be transferred to the smart licensing cloud right?.

 

Thanks

0 Helpful

Marius Gunnerud
VIP
VIP
In response to SHABEEB KUNHIPOCKER

‎10-01-2019 05:37 AM

I am uncertain about this with ASA, though with switches migrating to smart licensing you keep your existing licenses just on the smart licensing portal, so I would assume the same for ASA.

You could contact licensing@cisco.com to verify this.

--
Please remember to select a correct answer and rate helpful posts

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to SHABEEB KUNHIPOCKER

‎10-01-2019 11:19 PM

ASA 5585-X only uses classic PAK-based licenses with activation keys. It cannot use Smart licensing.

If your Anyconnect licenses have been converted, then you need to open a request with licensing (as @Marius Gunnerud suggested) and request they also be provisioned as PAKs for this purpose.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents