Legacy ISE Device Admin License with ISE 2.4

jorreyno
Cisco Employee

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

 

Table 18 of the ISE Licensing Guide suggests that we can still purchase 1 Legacy Device Admin license.  I understand that if I applied the legacy license to a 2.2 deployment, upgraded to 2.4, then it would migrate to 50 node licenses.

 

However, if I purchase 1 legacy license, and apply it to a net-new ISE 2.4 deployment, what occurs? Would it error out and apply nothing? Would 50 node licenses appear?

 

The reason for the question is I am trying to deploy ISE 2.4 in a new environment and they need 2 node licenses, and I would prefer to not install 2.2, apply the license, and then immediately upgrade to 2.4...  

Accepted Solutions

Arne Bier
VIP

You can still purchase the old Device Admin SKU (goes end of sale Feb 2019) and apply it to a fresh ISE 2.4 install (and it's valid for 50 PSNs).  The new SKU costs roughly double as much and only supports 1 PSN.  Get it while you can!!!

 

3 Replies


I really want to believe this, but then why would the per-node SKU even be an option? It's more than 2x the price and 1/50 the value...

This answer suggests that the new SKU would never be sold under any circumstance until the old SKU is retired.

 

Hi @jorreyno

 

This is such a common question.  I replied to a similar thread the other day - have a look here.

 

The answer lies with the ISE Product Management.  My theory is that when TACACS was introduced as a feature in ISE 2.0, they needed to make ISE look appealing enough to sway customers from their beloved ACS.  And ACS needed to be end of life'd.  So the BU made the TACACS pricing attractive.

 

Now reality has set in :-(  - your assumption about the availability of the new SKU is wrong - you CAN purchase it.  Cisco doesn't make up SKUs that are not available for sale.  The question is whether or not you WANT to buy it now.  My guess is NO!

 

It's a lot of money to pay for the TACACS feature - I agree.

The alternative is to use RADIUS instead.  Let's face it - not everyone needs per-command authorization. If all you need is to grant a user lvl15 or lvl1 etc. - then RADIUS does the job too.