Solved: ACS to ISE migration

smolz · ‎02-01-2016

Trying to get a BOM put together to upgrade an ACS install to ISE. I think I have it narrowed down to:

ISE-VM-M-K9=

L-ISE- BSE-250-M=

Looking through the ordering guide I am a little confused by this statement:

Please note that existing ACS customer should also order the ISE Device Administration Migration License if they wish to support both endpoint access as well as device administration on the same ISE deployment.

I cannot seem to find this "ISE Device Administration Migration License" anywhere in the guide?

howon · ‎02-01-2016

Smolz, there is no "ISE Device Administration Migration License". One will need to purchase device administration license (L-ISE-TACACS=) in order to enable TACACS+ features. Can you provide the link to the document that references such license so I can get it corrected? Thank you.

Hosuk

View solution in original post

howon · ‎02-01-2016

Smolz, there is no "ISE Device Administration Migration License". One will need to purchase device administration license (L-ISE-TACACS=) in order to enable TACACS+ features. Can you provide the link to the document that references such license so I can get it corrected? Thank you.

Hosuk

smolz · ‎02-01-2016

http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

It is in Section 5.6 of the ordering guide, which was linked to from several places.

5.6 Cisco ISE Migration Licenses

Existing Cisco Secure Access Control System (ACS) customers or Cisco NAC Guest Server customers wishing to migrate to Cisco ISE can order special Cisco ISE Base Migration Licenses. These are designated by an “-M=” in the Cisco ISE Base SKUs listed in the table below. Please note that existing ACS customer should also order the ISE Device Administration Migration License if they wish to support both endpoint access as well as device administration on the same ISE deployment.

howon · ‎02-01-2016

Thank you, will get it corrected.

TM13 · ‎05-25-2016

This link is not working, can you send it to me if you have that?

Alex.Samson · ‎03-02-2017

Hi Hosuk,

What if the client has an existing ACS 3415 and 3515 with valid Support service? do they only require TACACS+ license and 100 base license?

based on the statement below, what does "ISE support" mean?

link: http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

ACS customers with supported hardware (SNS-34xx or SNS-35xx) who wish to migrate to ISE need to order ISE support for the number of appliances and other licenses as required, based on number of endpoints and desired features

Thanks and Regards,

Alex

irgunaseelan · ‎09-01-2016

How is the TACACS licensed ? Is that per ISE node, or per deployment cluster as one Primary and Secondary PAN?

David Hild · ‎09-02-2016

Hello Infant Gunaseelan.

The latest version of the ISE Ordering Guide has this info in Table 5 page 6:

Device Administration | Enables Device Administration/TACACS+ support for networking devices | Perpetual | Add-on to Base licenses. Deployment wide license.

Further, Table 8 page 8:

Device Administration (TACACS+) | Controls device administrators seeking to perform configuration changes or maintenance on networking devices such as switches, wireless controllers, routers, etc., in order to perform the maintenance. | Service is enabled with a valid Device Administration license and is functional across entire ISE deployment.

I hope this is helpful.