topic limitations of Cisco ACS server in Network Access Control https://community.cisco.com/t5/network-access-control/limitations-of-cisco-acs-server/m-p/599481#M426647 <P>I want to ask about limitations of Cisco ACS server 3.3 . </P><P>I use ACS server for Radius authentication, and has a limit 80 authentications per second. But at peak time i need 150-200 authentications per second. Is this a software limitaion or changed due to hardware performance?</P><P></P><P>Can i also solve this problem with a High Availability configuration.</P> Sun, 10 Mar 2019 21:42:44 GMT kayihanaltinoz 2019-03-10T21:42:44Z limitations of Cisco ACS server https://community.cisco.com/t5/network-access-control/limitations-of-cisco-acs-server/m-p/599481#M426647 <P>I want to ask about limitations of Cisco ACS server 3.3 . </P><P>I use ACS server for Radius authentication, and has a limit 80 authentications per second. But at peak time i need 150-200 authentications per second. Is this a software limitaion or changed due to hardware performance?</P><P></P><P>Can i also solve this problem with a High Availability configuration.</P> Sun, 10 Mar 2019 21:42:44 GMT https://community.cisco.com/t5/network-access-control/limitations-of-cisco-acs-server/m-p/599481#M426647 kayihanaltinoz 2019-03-10T21:42:44Z Re: limitations of Cisco ACS server https://community.cisco.com/t5/network-access-control/limitations-of-cisco-acs-server/m-p/599482#M426648 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>ACS performance is a very complex issue and depends largely on</P><P></P><P>1) auth protocol (anything eap is SLOW)</P><P>2) backend (anything external is SLOW)</P><P>3) server CPU</P><P></P><P>We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.</P><P></P><P>AD authentication/group mapping can take several seconds to complete.</P><P></P><P>ACSs big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSauth. Messages to CSauth are blocking - so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.</P><P></P><P>EAP-TLS and now EAP-FAST are really really slow becase they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.</P><P></P><P>Putting ACS onto a quad CPU server wont reduce back-end external db latency or increase concurrency.</P><P></P><P>The only way to increase performance is to add more servers... and then you'll also have to get into load balancing <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P></P><P>IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database. </P><P></P><P>Darran</P><P></P></BODY></HTML> Tue, 15 Aug 2006 08:59:26 GMT https://community.cisco.com/t5/network-access-control/limitations-of-cisco-acs-server/m-p/599482#M426648 darpotter 2006-08-15T08:59:26Z