topic Re: How many devices (MAB) can be authenticated via the interna in Network Access Control

How many devices (MAB) can be authenticated via the internal identity stores ACS 5.3? ACS 1120 (802.1x))

amin.amor — Mon, 11 Mar 2019 01:45:33 GMT

Hi,

I´m currently looking for a document that specify how many MAC addresses can be stored and authenticated via an ACS (1120)? I prefer to use the internal identity store over AD or LDAP for MAB authentication for 802.1X project.

I would like to know what is the impact on the ACS? CPU/MEM?

What is the impact on the user authentication? delay, timeout, etc.

Please specify any other restriction or side effect.

Thanks for your input

Regards

Re: How many devices (MAB) can be authenticated via the interna

camejia — Tue, 24 Jan 2012 16:20:57 GMT

Hello Amin,

You might want to check the following:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/migration/guide/Migration_Deploy.html#wp1054828

Performance

A single ACS 5.3 server that does not act as the log collector can process more than 100 authentications per second. You should make sure that a single ACS server processing AAA requests is able to manage the load during peak hours. Peak hours typically occur when users arrive to work, or when network equipment reboots. This creates a large amount of authentications requests.

For example, 50,000 employees of a company log on to a network evenly, over a fifteen minute period. This translates to approximately 56 authentications per second as the peak authentication rate. In this case, a single ACS server which does not act as the log collector, can support this peak authentication rate.

Table 1-5 shows the number of authentications a single ACS server can support for different time periods, assuming a minimal rate of 100 authentications per second.

Table 1-5 Authentications Over Different Time Periods
1 second	100 authentications
60 seconds	6000 authentications
5 minutes	30000 authentications
15 minutes	90000 authentications
1 hour	360000 authentications

There are many factors that affect ACS authentication performance, such as configuration size, policy complexity, communication with external servers and authentication protocol complexity.

Table 1-6 lists the ACS performance for different authentication environments. This performance data represents the lower range of authentication rates observed while testing ACS with complex configurations. The performance is higher for simpler configurations.

Table 1-6 The Lower Range of ACS 5.3 Authentication Performance, in Authentications per Second
Authentication Types	Identity Stores
	Internal	AD	LDAP
PAP	500	100	800
CHAP	500	500	N/A
TACACS+	400	160	1200
MSCHAP	500	300	N/A
PEAP-MSCHAP	200	100	N/A
PEAP-GTC	200	100	300
EAP-TLS	200	180	270
LEAP	330	280	N/A
FAST-MSCHAP	120	120	N/A
FAST-GTC	130	110	190
MAC-Auth Bypass	750	N/A	2000

Note The above numbers assume fast reconnect and session resume is in use for the applicable EAP methods.

There is an approximate 50% drop in authentication performance if the ACS server is also being used as the log collector for the Monitoring and Report Viewer.

There is an approximate 10% to 15% increase in performance, on the CSACS 1121 appliance than the numbers shown in Table 1-6.

Performance on a virtual machine is slower than on an actual 1120 appliance because of the virtual machine overhead. Performance of a virtual machine increases when you increase the CPU resources.

For virtual machine environments, the minimum requirements are similar to the 1121 appliance. For more information on virtual machine environments, refer to the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

I hope the above clarifies it.

If you find the information provided helpful please rate.

Best Regards.

Re: How many devices (MAB) can be authenticated via the interna

toschu — Tue, 24 Jan 2012 19:41:32 GMT

Hi Carlos,

I am just replying to your response on Amins questions because I am wondering in fact whether there is a reasonable number of MAC addresses being stored for MAB within the internal identity store. So it is less about having 60 authentication requests handled per second by the ACS, but more about storing e.g. several thousand MAC addresses instead. Are there any known limitations so far? I thought I would have come across something around 8.000 addresses, but can't find it anymore.

Thanks,

Torsten.

Re: How many devices (MAB) can be authenticated via the interna

camejia — Tue, 24 Jan 2012 19:52:01 GMT

Hello Torsten,

ACS 5.x was tested by ACS Developers with 50,000 Internal Hosts configured. There does not seem to be a limit on the amount of Internal Hosts configured but instead the amount of Authentication Requests it can handle per second.

Please mark the post as answered if the provided information has clarified your concerns.

Best Regards.

Re: How many devices (MAB) can be authenticated via the interna

camejia — Tue, 24 Jan 2012 19:53:55 GMT

Hello Torsten,

I have confirmed on our database and also on this Community and the answer is the same

Refer to:

https://supportforums.cisco.com/thread/2101657

Adding additional information:

Internal Users : 300000
Internal Hosts : 50000

Best Regards.

Re: How many devices (MAB) can be authenticated via the interna

toschu — Tue, 24 Jan 2012 20:07:36 GMT

Hello Carlos,

that's great to know as I don't need to be afraid of any pitfalls - at least not in this regard. 😉

Thanks a lot,

How many devices (MAB) can be authenticated via the internal id

amin.amor — Wed, 25 Jan 2012 13:43:49 GMT

Dear Carlos,

Thanks for your reply, the following Cisco PDF file confirm the 50.000 MAC address limit on the ACS.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf

As I can see from your answer, the accounting could consume upto 50% of the ACS performance, as you know monitoring is critical for 802.1x deployment in order to check which host has passed the authentication during the open phase.

My question is:

If I disable the accounting in the production ACS, in order to increase the ACS performance. What is the proposed solution for the accounting?

Regards

How many devices (MAB) can be authenticated via the internal id

camejia — Fri, 27 Jan 2012 00:47:34 GMT

Hello Amin,

If you have one Standalone server you cannot disable the ACS Log Collector features on it. Usually the best approach is to get another ACS 5.x registered as a Secondary Instance of the Primary ACS.

The Primary ACS will handle the Authentication Load and we can change the Log Collector to run on the Secondary ACS server instead.

With the above deployment the Primary ACS will only perform authentication tasks while the secondary will be used for authentication if the primary goes down. The Secondary will always run as the Log Collector reducing the load on the Primary ACS.

Hope this helps

Best Regards.