Solved: ACS to ISE Migration - Radius Requests Base Licensing Question

jmcgourt@cisco.com · ‎09-15-2020

For an ACS to ISE migration, an organisation is using ACS 5.8 and doing MAC address authentication for access points which use Radius for authentication.

The question is, with ISE, do MAC address authentications count towards the 100 Base count allowable in the 100 Base license? Or does the organisation have to work out how many concurrent authentications are used on ACS for Radius, and then buy the corresponding amount of Base? They already have the TACACS Device Admin license for their ISE deployment, ready for the ACS migration. We would like to know how many Base licenses they need to buy for the access point authentication requests.

Damien Miller · ‎09-15-2020

Yes, you need 1 base license for every active radius endpoint authentication. So if you expect a peak of 500 endpoints to be connected to the network at a given time, and also authenticated by ISE, then you need at least 500 base licenses.

If you want to use profiling during authentication/authorization, then you also require a plus license on top of the base license. These are only required if you use attributes ISE has learnt from the profiling probes. Installing 100 on a deployment is always a good idea, even if you don't use them since if enabled all the visibility components. If not used in policy, you will have zero usage but 100 is the minimum to enable some of the GUI.

One caveat worth mentioning here is that if radius accounting it not set up correct, each authentication will use a base license, but ISE will maintain that session as active for 5 days until it times out. ISE relies on the radius accounting stop message to release an active session. This can lead to an environment using more base licenses than expected due to misconfiguration.

View solution in original post

Damien Miller · ‎09-15-2020

Yes, you need 1 base license for every active radius endpoint authentication. So if you expect a peak of 500 endpoints to be connected to the network at a given time, and also authenticated by ISE, then you need at least 500 base licenses.

If you want to use profiling during authentication/authorization, then you also require a plus license on top of the base license. These are only required if you use attributes ISE has learnt from the profiling probes. Installing 100 on a deployment is always a good idea, even if you don't use them since if enabled all the visibility components. If not used in policy, you will have zero usage but 100 is the minimum to enable some of the GUI.

One caveat worth mentioning here is that if radius accounting it not set up correct, each authentication will use a base license, but ISE will maintain that session as active for 5 days until it times out. ISE relies on the radius accounting stop message to release an active session. This can lead to an environment using more base licenses than expected due to misconfiguration.