ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

Hi,

We are planning to configure AnyConnect VPN posture for our remote clients through ASA and Cisco ISE (version 2.6). I would like to clarify whether we need any specific license on the ASA to have the posture functionality. On ISE we have the below licenses:


L-ISE-APX-S-10K

L-AC-APX-LIC=

L-ISE-PLS-S-5K=

L-ISE-BSE-100K=

Kindly advise if we are missing anything.

VIP Advocate

Re: ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

The AnyConnect Apex license includes all AnyConnect features so you are all set on that part.

For the ISE, the ISE doesn't enforce the license usage, but if you want to take full advantage of ISE with regard to endpoint details, you will require an ISE plus license, which you also have.

You are all set.

--
Please remember to rate and select a correct answer
Hall of Fame Master

Re: ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

ISE Compliance (Posture) requires ISE Apex licenses.

Reference page 16 of the ISE Ordering Guide for confirmation:

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Re: ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

Hi Marvin,

So from the ASA side we do not need any license?

Thanks

VIP Advocate

Re: ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

As I mentioned above you have the licenses required to take full advantage of AnyConnect and ISE.

--
Please remember to rate and select a correct answer
Hall of Fame Master

Re: ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

It's as @Marius Gunnerud correctly noted.

The L-AC-APX-LIC= license gives you a PAK that you redeem for an activation key to install that particular license on the ASA.

It works in conjunction with the ISE licenses (primarily Base and Apex ISE licenses, Plus licenses if you are using features like profiling or Device Registration) to give the full set of features.

Re: ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

Hi,

I tried to generate an activation key from the PAK, but I got the message that the license is already converted to smart entitlement. My ASA is a 5585 and I need to check if it can be changed to smart licensing mode. But my question is: if I connect my ASA to the smart licensing cloud, all my existing licenses in the ASA should be transferred to the smart licensing cloud, right?

Thanks

VIP Advocate

Re: ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

I am uncertain about this with ASA, though with switches migrating to smart licensing you keep your existing licenses just on the smart licensing portal, so I would assume the same for ASA.

You could contact licensing@cisco.com to verify this.

--
Please remember to rate and select a correct answer
Hall of Fame Master

Re: ASA Anyconnect VPN posture with Cisco ISE | Licensing Query

ASA 5585-X only uses classic PAK-based licenses with activation keys. It cannot use Smart licensing.

If your AnyConnect licenses have been converted, then you need to open a request with licensing (as @Marius Gunnerud suggested) and request they also be provisioned as PAKs for this purpose.