09-15-2020 01:58 PM
For an ACS to ISE migration, an organisation is using ACS 5.8 and doing MAC address authentication for access points which use Radius for authentication.
The question is, with ISE, do MAC address authentications count towards the 100 Base count allowable in the 100 Base license? Or does the organisation have to work out how many concurrent authentications are used on ACS for Radius, and then buy the corresponding amount of Base? They already have the TACACS Device Admin license for their ISE deployment, ready for the ACS migration. We would like to know how many Base licenses they need to buy for the access point authentication requests.
Solved! Go to Solution.
09-15-2020 03:03 PM
Yes, you need 1 base license for every active radius endpoint authentication. So if you expect a peak of 500 endpoints to be connected to the network at a given time, and also authenticated by ISE, then you need at least 500 base licenses.
If you want to use profiling during authentication/authorization, then you also require a plus license on top of the base license. These are only required if you use attributes ISE has learnt from the profiling probes. Installing 100 on a deployment is always a good idea, even if you don't use them since if enabled all the visibility components. If not used in policy, you will have zero usage but 100 is the minimum to enable some of the GUI.
One caveat worth mentioning here is that if radius accounting it not set up correct, each authentication will use a base license, but ISE will maintain that session as active for 5 days until it times out. ISE relies on the radius accounting stop message to release an active session. This can lead to an environment using more base licenses than expected due to misconfiguration.
09-15-2020 03:03 PM
Yes, you need 1 base license for every active radius endpoint authentication. So if you expect a peak of 500 endpoints to be connected to the network at a given time, and also authenticated by ISE, then you need at least 500 base licenses.
If you want to use profiling during authentication/authorization, then you also require a plus license on top of the base license. These are only required if you use attributes ISE has learnt from the profiling probes. Installing 100 on a deployment is always a good idea, even if you don't use them since if enabled all the visibility components. If not used in policy, you will have zero usage but 100 is the minimum to enable some of the GUI.
One caveat worth mentioning here is that if radius accounting it not set up correct, each authentication will use a base license, but ISE will maintain that session as active for 5 days until it times out. ISE relies on the radius accounting stop message to release an active session. This can lead to an environment using more base licenses than expected due to misconfiguration.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide