https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853616#M473223 <P>Sorry I should make it clear 1.x is for their existing cluster. For new cluster they will go with 2.4 or 2.6. Existing ISE 1.x cluster has more than 10 PSN, however for new cluster customer plan only two PSN and they are not sure if 3595 has enough capacity thus the question. thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>regards</P> <P>Alex</P> Fri, 10 May 2019 01:19:41 GMT alehsieh 2019-05-10T01:19:41Z https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853131#M473219 <P>hi experts:</P> <P>&nbsp;&nbsp; My customer plan to purchase new ISE cluster to replace the old ones. Primary authentication is</P> <P>EAP-TLS+DACL. Couple of questions from customer:</P> <P>1. From the scale guide section ISE 2.4 RADIUS Performance, it mentioned concurrent EAP-TLS radius auth is 320 for 3595. Does this number factor into DACL processing?</P> <P>2. How can we find out peak concurrent authentication in existing ISE so that can purchase hardware with enough capacity.</P> <P>&nbsp;</P> <P>thanks for help</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>regards</P> <P>Alex</P> Thu, 09 May 2019 12:17:30 GMT https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853131#M473219 alehsieh 2019-05-09T12:17:30Z https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853524#M473220 <P>It doesn't factor in dACL processing. But, dACL process isn't taxing as full EAP transaction. It would be close to what PAP would be using internal DB as long as the dACL size is within reason. If using auth/sec, I suggest adding 10-15% overhead to EAP-TLS performance number to account for dACL. Since dACL process doesn't add to the session maintenance on the ISE node, # of concurrent endpoints will not change.</P> Thu, 09 May 2019 21:16:02 GMT https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853524#M473220 howon 2019-05-09T21:16:02Z https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853613#M473221 <P>hi Hosuk:</P> <P>&nbsp;&nbsp; Thanks for your explanation it's really helpful. By the way customer is still not sure to order 3595 or 36xx hardware. Do you know where I can find peak authentication request per second statistics on ISE 1.x? This way they can purchase appropriate hardware. thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>regards</P> <P>Alex</P> Fri, 10 May 2019 01:10:33 GMT https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853613#M473221 alehsieh 2019-05-10T01:10:33Z https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853614#M473222 <P>ISE 1.x can't run on SNS-3500 or SNS-3600. I would suggest recommending customer to go to 2.4 or 2.6.</P> Fri, 10 May 2019 01:12:50 GMT https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853614#M473222 howon 2019-05-10T01:12:50Z https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853616#M473223 <P>Sorry I should make it clear 1.x is for their existing cluster. For new cluster they will go with 2.4 or 2.6. Existing ISE 1.x cluster has more than 10 PSN, however for new cluster customer plan only two PSN and they are not sure if 3595 has enough capacity thus the question. thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>regards</P> <P>Alex</P> Fri, 10 May 2019 01:19:41 GMT https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853616#M473223 alehsieh 2019-05-10T01:19:41Z https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853620#M473224 <P>Please reach out to me directly howon@cisco.com.</P> Fri, 10 May 2019 01:27:31 GMT https://community.cisco.com/t5/network-access-control/ise-eap-tls-performance-question/m-p/3853620#M473224 howon 2019-05-10T01:27:31Z