09-26-2019 04:09 AM - edited 02-21-2020 09:45 PM
Hi,
We are planning to configure anyconnect VPN posture for our remote clients through ASA and Cisco ISE (version 2.6). I would like to clarify whether we need any specific license on the ASA to have the posture functionality. On ISE we have the below licenses
L-ISE-APX-S-10K
L-AC-APX-LIC=
L-ISE-PLS-S-5K=
L-ISE-BSE-100K=
Kindly advise if we are missing anything.
09-29-2019 09:34 AM
The AnyConnect Apex license includes all AnyConnect features so you are all set on that part.
For the ISE, the ISE doesn't enforce the license usage, but if you want to take full advantage of ISE with regard to endpoint details, you will require an ISE plus license, which you also have.
You are all set.
09-29-2019 10:07 PM
ISE Compliance (Posture) requires ISE Apex licenses.
Reference page 16 of the ISE Ordering Guide for confirmation:
09-30-2019 12:58 AM
Hi Marvin,
So from the ASA side we do not need any license?.
Thanks
09-30-2019 01:16 AM
As I mentioned above you have the licenses required to take full advantage of AnyConnect and ISE.
09-30-2019 05:04 AM
It's as @Marius Gunnerud correctly noted.
The L-AC-APX-LIC= license gives you a PAK that you redeem for an activation key to install that particular license on the ASA.
It works in conjunction with the ISE licenses (primarily Base and Apex ISE licenses, Plus licenses if you are using features like profiling or Device Registration) to give the full set of features.
10-01-2019 01:05 AM
Hi,
I tried to generate an activation key from the PAK. But I got the message that the license is already converted to smart entitlement. My ASA is 5585 and I need to check if it can be changed to smart licensing mode. But my question is that if I connect my ASA to smart licensing cloud, all my existing licenses in ASA should be transferred to the smart licensing cloud right?.
Thanks
10-01-2019 05:37 AM
I am uncertain about this with ASA, though with switches migrating to smart licensing you keep your existing licenses just on the smart licensing portal, so I would assume the same for ASA.
You could contact licensing@cisco.com to verify this.
10-01-2019 11:19 PM
ASA 5585-X only uses classic PAK-based licenses with activation keys. It cannot use Smart licensing.
If your Anyconnect licenses have been converted, then you need to open a request with licensing (as @Marius Gunnerud suggested) and request they also be provisioned as PAKs for this purpose.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide