ISE 2.4 device administration (TACACS+) high availability licensing

jbenitol (Cisco Employee)

Hi team,

I need to quote an HA deployment for ISE Device Administration in 2.4 and, after reading through Krishnan's post https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365, could you please confirm this is the only option?

Deploy 2 ISE nodes with the following:

    Node 1: Primary PAN (active) + Primary MnT (active) + PSN (active)
    Node 2: Secondary PAN (standby) + Secondary MnT (active) + PSN (active)

So we always need to quote 2 x Device Admin licenses minimum for an HA deployment, and there is no way to have only one active PSN and therefore 1 x Device Admin license for the deployment.

Thanks!



Surendra (Cisco Employee)

The number of Device Admin licenses should equal the number of nodes that have the PSN persona on AND are intended to honour TACACS+ requests at any given point in time.

Thanks Surendra,

Indeed, so the question now is: can I have active/standby PSNs?

So only 1 PSN will attend TACACS+ requests at a time and only 1 Device Admin license would be "consumed"?

I understand I could NOT, but would appreciate your confirmation.

Thanks again and Regards.

In ISE 2.4 the TACACS license consumption is dynamic.  This means that if you have 1 TACACS license installed on the PAN node, and you have not enabled TACACS Service (Device Admin), then 0 TACACS licenses will be consumed.  If you enable it on one node only, then only 1 license will be consumed. And so on.

In pre-2.4 days, you bought 1 TACACS SKU, and that entitled you to 50 PSN licenses.  But 2.4 licenses are now per PSN.

BUT - if you only want to buy ONE 2.4 TACACS license and only process TACACS on ONE PSN, then you strictly only need to purchase and install one license.  If you enable Device Admin Service on two nodes (with only 1 license) then you will get a license warning.

I think most people purchase the old 2.3 SKU and then get 50 PSN entitlements.  These licenses still work in ISE 2.4.  Not sure what the cost difference is, especially if you only need 1 PSN active.  It might be cheaper to purchase a single SKU of the new ISE 2.4 TACACS license.

gggrgggrgrrrr Cisco licensing ... enough to drive you mad :-)

I have the existing 2.3 TACACS administration license and I am upgrading to 2.4. Thank you for confirming the 50 licenses carry over.

@Alex Pfeil - the interesting unanswered question is, what happens from ISE 2.6 onwards?  Will those "old SKUs" be honoured in future releases?  Who knows.  We need to wait and see.

 

On a related note, if you are using VM Licenses, then as of ISE 2.4 the VM Licenses are not (yet) enforced.  That means, if you violate the VM License you will never get a degraded service.  If however you violate the other licenses long enough, ISE will punish you and force you into a License Captive Portal until you have called your friendly Salesman :-)

 

I believe that having the correct license is the right thing to do.  We all knew they were going to be enforced once smart licensing is standardized.  I do have the correct license for my VMs.  It would also make sense that the TACACS administration license would be accepted. Why would I have to pay for a TACACS license twice?

@Alex Pfeil the old device admin license was for the whole deployment. You only needed 1 license. This is gone February 18th.

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Look at table 8: the new licenses available now are per node. So if you have 1 box for TACACS and another for HA, then you would need 2 licenses minimum for a deployment.

@Jason Kunst, in a Standalone deployment with HA, only the Primary Node is consuming the Device Admin license, so why would you need it even on the secondary that isn't consuming it? In case of failure of the Primary Node, only the secondary Node will consume the Device Admin license that is seen in the Smart Account.

Am I wrong?

 

Thanks

Marco

 

It all depends on how you’re configuring your nodes.

In a standalone you have primary PAN, MNT and always-on PSN1 (AAA, RADIUS, TACACS).
The other box has a secondary PAN, MNT and always-on PSN2.

If you're going to rely on NADs pointing to PSN1 only, then there will be no HA. You will need to point the NADs at both PSNs for HA.

Unlike Base, Plus and Apex licensing, which is applied across the deployment, TACACS is licensed per PSN. To be compliant you will need to license both PSNs.

Ordering guide
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf
Learning items, Cisco live BRKSEC-3432 is a good one
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-118574828


The question was asked several times, "do I need 2 TACACS licenses for HA?", and a simple yes or no answer was never given.

There is an answer and it's simple, but it depends. It all comes down to how you will configure your deployment, meaning, how many PSNs are you going to use in TACACS+ administration operations?

For example:

 

Standalone/centralized deployment:

 

VM/Physical device A: PAN (P), MNT (P) PSN (AAA, RADIUS, TACACS+);
VM/Physical device B: PAN (S), MNT (S) PSN (AAA, RADIUS, TACACS+).

 

In this case you need one for each VM/Physical server, because you're gonna have two PSNs working with TACACS+ requests.

 

Now... If VM/Physical device B is gonna be used just for AAA/RADIUS requests, then you just need one device admin license, which essentially is gonna be enabled under VM/Physical device A, on the admin > system > deployment menu:

[image: ise_device_admin.png]
Conclusion: one device admin license per PSN actively working with TACACS+ requests.

ISE Ordering Guide: https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf
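The rule the thread converges on (one Device Admin license per node whose PSN persona actually honours TACACS+, and HA only when NADs can reach two such PSNs) is easy to get wrong when quoting. The following is an added illustration written for this thread, not Cisco code or any ISE API; the node/NAD model and the audit function are hypothetical and the sample deployment is constructed.

```python
"""Model ISE 2.4 per-PSN Device Admin (TACACS+) licensing for an HA pair.

Hypothetical model written for this thread; not Cisco's code or API.
Rule from the thread: one Device Admin license is consumed by each node
whose PSN persona has the Device Admin (TACACS+) service enabled.
"""
from dataclasses import dataclass


@dataclass
class IseNode:
    name: str
    personas: set               # e.g. {"PAN", "MnT", "PSN"}
    device_admin: bool = False  # Device Admin service enabled on the PSN persona

    def consumes_tacacs_license(self) -> bool:
        # Only a PSN with the TACACS+ service enabled consumes a license.
        return "PSN" in self.personas and self.device_admin


def audit(nodes, installed_licenses, nad_tacacs_servers):
    """Return consumed count, compliance and whether TACACS+ HA really exists.

    nad_tacacs_servers: node names a NAD lists as its TACACS+ servers
    (constructed input). HA here means the NAD can reach at least two PSNs
    that honour TACACS+; a PSN with the service disabled does not count.
    """
    serving = {n.name for n in nodes if n.consumes_tacacs_license()}
    reachable = serving & set(nad_tacacs_servers)
    return {
        "consumed": len(serving),
        "compliant": len(serving) <= installed_licenses,
        "tacacs_ha": len(reachable) >= 2,
    }


# Constructed HA pair from the thread: both boxes run PAN + MnT + PSN.
NODE_A = IseNode("ise-a", {"PAN", "MnT", "PSN"}, device_admin=True)
NODE_B = IseNode("ise-b", {"PAN", "MnT", "PSN"}, device_admin=False)


def one_license_scenario():
    # Device Admin only on node A, NADs list both: compliant, but no TACACS+ HA.
    return audit([NODE_A, NODE_B], 1, ["ise-a", "ise-b"])


def ha_scenario():
    # Enabling the service on B too gives HA, but now a second license is needed.
    node_b = IseNode("ise-b", {"PAN", "MnT", "PSN"}, device_admin=True)
    return audit([NODE_A, node_b], 1, ["ise-a", "ise-b"])
```

The two scenarios show the trade-off the thread describes: a single license is compliant only while one PSN serves TACACS+, and enabling the second PSN for HA triggers the license warning until a second license is installed.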