topic Re: ISE Passive ID load in Network Access Control

ISE Passive ID load

gacs — Thu, 11 Jul 2019 14:21:22 GMT

Hi Team,

Our customer would like to see the Passive ID service generated load on ISE-PIC for apps. 10,000 users on:

- Active Directory

- ISE

- Network Traffic

Do we have any tangible information regarding this question?

Thank You!

Best regards, Gyorgy

Re: ISE Passive ID load

Timothy Abbott — Thu, 11 Jul 2019 14:35:32 GMT

Hi,
Can you please clarify the question? ISE-PIC can support up to 300K user to IP mappings with the proper licensing. The same is true with ISE and base licensing.

Regards,
-Tim

Re: ISE Passive ID load

gacs — Fri, 12 Jul 2019 13:25:34 GMT

Hi Tim,

Thank you! This part is clear.

Our customer would like to see if they deploy the Passive ID service, what it means in additional load point of view on:

- Active Directory (CPU usage, for example)

- ISE

- Network traffic (additional kbps caused by this Passive ID)

Regarding ISE: Since ISE was tested for the specified concurrent endpoints including this service as well, the load is negligible.

Thank you!

Best regards, Gyorgy

Re: ISE Passive ID load

Surendra — Fri, 12 Jul 2019 13:28:51 GMT

All of those parameters are completely dependent on the customer’s environment. Number of endpoints, number of domain controllers, user events logged, number of applications that request for TGTs etc. No deployment is identical when it comes to passive-ID. Only way to know is by implementing and testing it.

Re: ISE Passive ID load

gbercsenyi — Mon, 15 Jul 2019 19:34:51 GMT

Hello,

Unfortunately it is not a technical answer what we could accept from Cisco. We would like to understand what could cause an extra load to the domain controllers. What and it works under the hood. And also we would like to understand how this equation works. If the load comes what we should suggest to the customer?

For example:

- add new domain controllers to their system?

- migrate the domain controller to a specific level or patch it?

- any good suggestion?

Testing and just failing and leaving is not an option. Sorry.

Our second issue is after we joined the ISE to the AD and then selected the domain controller, what is the minimum privilege what required for the domain user to access WMI? Domain admin of course working fine how ever customers does not provide this kind of privilege in their production environment. We have not found any detail about the WMI admin user privileges in AD? Please share these information with us.

Thank you,

Gabor

Re: ISE Passive ID load

hslai — Tue, 16 Jul 2019 03:09:22 GMT

On your second inquiry, please see Required Permissions when AD User not in Domain Admin Group

Regarding loads on the domain controllers, here is from our engineering team:

CPU load on Domain controller is proportional to filters that are used on domain controller by subscribed clients. ISE is currently uses very lightweight and optimized filters, so the average additional load that is usually seen on customer's domain controllers is 5-10%.

Do note the known issues -- CSCvh86466 and, if using PIC agent, CSCvm83091

In case of significant high load on domain controllers after the integration, please do work Microsoft and Cisco TAC. WMIseries might be of interest. Potentially, forward the security events to a member server and monitor on the member server instead.