<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE SNS3515 Assistance in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023025#M587588</link>
    <description>&lt;P&gt;Well, the task of exporting all the NADs from the VM ISE to the SNS ISE is easy. But. Check first that you have the necessary Network Device Group structure in place, or else the NAD import will fail. You can export the Network Device Group from VM ISE and import into SNS ISE as a first step, then import the NADs.&lt;/P&gt;
&lt;P&gt;The Policy Sets you'll have to hand-craft into the SNS ISE - no import function there.&lt;/P&gt;
&lt;P&gt;As for the performance ... how does the saying go?&amp;nbsp; It depends - LOL.&lt;/P&gt;
&lt;P&gt;How busy are the VMs? Can you go into your hypervisor and check the CPU stats over a week/month?&amp;nbsp; That might give some indication - but also remember that there will be a baseline CPU load from ISE itself - but have a look anyway.&lt;/P&gt;
&lt;P&gt;I had a look and even in ISE 3.2 the Reports &amp;gt; Diagnostics counters all relate to RADIUS performance, and not TACACS+. So perhaps your best bet is to see how active your TACACS really is with a TACACS report and then just thumb suck it.&lt;/P&gt;
&lt;P&gt;Reports &amp;gt; Device Administration &amp;gt; Summary&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The number of NAD devices is not the problem - it's how many of those devices choose to talk to ISE at the same time. Being TACACS, the only real culprit of hammering ISE is usually NMS platforms (DNAC, Solarwinds, etc.) - they are constantly logging into devices and hence, make work for ISE.&lt;/P&gt;
&lt;P&gt;If you have such NMS logins, you can try reducing the MNT load by implementing Collection Filters&lt;/P&gt;
&lt;P&gt;Admin &amp;gt; System &amp;gt; Logging &amp;gt; Collection Filters&lt;/P&gt;
&lt;P&gt;By filtering these hundreds or thousands of constant Successful logins of your NMS username(s), you won't see them in LiveLogs any longer, and your MNT will thank you for it. Make the Collection filter only match if the auth was successful - you will want to see the failed auths just in case something went wrong one day.&lt;/P&gt;
&lt;P&gt;Final tip is about your Policy Set. Use the hit counters (not sure if your ISE has those) to order the most often hit policies in descending order. That means ISE spends less CPU time hunting down the Policy Set looking for the match.&lt;/P&gt;
&lt;P&gt;BUT&lt;/P&gt;
&lt;P&gt;Very important - don't be tempted to willy-nilly move Policies around - pay attention to the Conditions and logic and ensure that what you're doing is correct - sometimes certain Policies MUST be placed in a certain order for Boolean/Logical reasons. But having an efficient Policy Set is a very good idea to reduce CPU load on busy systems.&lt;/P&gt;
&lt;P&gt;And then finally, plan on building an ISE 3.2 system!&amp;nbsp; There, I said it - because others will chime in and tell you the same thing. But there's nothing wrong in trying to consolidate and optimise regardless.&lt;/P&gt;</description>
    <pubDate>Thu, 22 Feb 2024 20:41:36 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2024-02-22T20:41:36Z</dc:date>
    <item>
      <title>ISE SNS3515 Assistance</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5022999#M587586</link>
      <description>&lt;P&gt;Dear Community,&lt;/P&gt;&lt;P&gt;I was hoping someone could provide some guidance for me. Here is my issue:&lt;/P&gt;&lt;P&gt;I currently have 2x SNS3515 hardware appliances in a "small" deployment configuration. Both devices are acting with all 3 personas. This deployment is for TACACS only and has 865 devices registered to it.&lt;/P&gt;&lt;P&gt;I also have a separate TACACS deployment that is made up of VMs that is in another region and has a similar # of devices. This deployment however, is in very bad shape and could have issues at any time.&lt;/P&gt;&lt;P&gt;I wanted to see if I could import the 800+ devices and the dozen or so policies from the "bad deployment" into my SNS3515 deployment but I am not sure the 3515's can handle it. Can someone lend me some guidance on how I might go about ascertaining the SNS3515 deployment can support adding hundreds more devices and a dozen or so extra policies?&lt;/P&gt;&lt;P&gt;I understand the SNS3515s are EOL, this is just a stopgap measure until we can upgrade the SNS3515s to the newest models. Any help is appreciated! Thank you!&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2024 20:17:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5022999#M587586</guid>
      <dc:creator>craddockchristopher</dc:creator>
      <dc:date>2024-02-22T20:17:01Z</dc:date>
    </item>
    <item>
      <title>Re: ISE SNS3515 Assistance</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023011#M587587</link>
      <description>&lt;P&gt;That should be able to handle it if that is only for device admin - bear in mind that model is end of life.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-742122.html" target="_blank"&gt;https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-742122.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2024 20:32:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023011#M587587</guid>
      <dc:creator>balaji.bandi</dc:creator>
      <dc:date>2024-02-22T20:32:19Z</dc:date>
    </item>
    <item>
      <title>Re: ISE SNS3515 Assistance</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023025#M587588</link>
      <description>&lt;P&gt;Well, the task of exporting all the NADs from the VM ISE to the SNS ISE is easy. But. Check first that you have the necessary Network Device Group structure in place, or else the NAD import will fail. You can export the Network Device Group from VM ISE and import into SNS ISE as a first step, then import the NADs.&lt;/P&gt;
&lt;P&gt;The Policy Sets you'll have to hand-craft into the SNS ISE - no import function there.&lt;/P&gt;
&lt;P&gt;As for the performance ... how does the saying go?&amp;nbsp; It depends - LOL.&lt;/P&gt;
&lt;P&gt;How busy are the VMs? Can you go into your hypervisor and check the CPU stats over a week/month?&amp;nbsp; That might give some indication - but also remember that there will be a baseline CPU load from ISE itself - but have a look anyway.&lt;/P&gt;
&lt;P&gt;I had a look and even in ISE 3.2 the Reports &amp;gt; Diagnostics counters all relate to RADIUS performance, and not TACACS+. So perhaps your best bet is to see how active your TACACS really is with a TACACS report and then just thumb suck it.&lt;/P&gt;
&lt;P&gt;Reports &amp;gt; Device Administration &amp;gt; Summary&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The number of NAD devices is not the problem - it's how many of those devices choose to talk to ISE at the same time. Being TACACS, the only real culprit of hammering ISE is usually NMS platforms (DNAC, Solarwinds, etc.) - they are constantly logging into devices and hence, make work for ISE.&lt;/P&gt;
&lt;P&gt;If you have such NMS logins, you can try reducing the MNT load by implementing Collection Filters&lt;/P&gt;
&lt;P&gt;Admin &amp;gt; System &amp;gt; Logging &amp;gt; Collection Filters&lt;/P&gt;
&lt;P&gt;By filtering these hundreds or thousands of constant Successful logins of your NMS username(s), you won't see them in LiveLogs any longer, and your MNT will thank you for it. Make the Collection filter only match if the auth was successful - you will want to see the failed auths just in case something went wrong one day.&lt;/P&gt;
&lt;P&gt;Final tip is about your Policy Set. Use the hit counters (not sure if your ISE has those) to order the most often hit policies in descending order. That means ISE spends less CPU time hunting down the Policy Set looking for the match.&lt;/P&gt;
&lt;P&gt;BUT&lt;/P&gt;
&lt;P&gt;Very important - don't be tempted to willy-nilly move Policies around - pay attention to the Conditions and logic and ensure that what you're doing is correct - sometimes certain Policies MUST be placed in a certain order for Boolean/Logical reasons. But having an efficient Policy Set is a very good idea to reduce CPU load on busy systems.&lt;/P&gt;
&lt;P&gt;And then finally, plan on building an ISE 3.2 system!&amp;nbsp; There, I said it - because others will chime in and tell you the same thing. But there's nothing wrong in trying to consolidate and optimise regardless.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2024 20:41:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023025#M587588</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-02-22T20:41:36Z</dc:date>
    </item>
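The ordering caveat in the post above (sorting rules by hit count is only safe when it cannot change which rule a request hits first) can be checked mechanically before touching a production Policy Set. The following is an added example, not code from the thread or from Cisco ISE: it models a top-down, first-match rule list with constructed rules, made-up hit counts and a constructed set of representative requests, shows that a naive sort by hit count silently changes the outcome for one request (a narrow deny gets shadowed by the broad rule it was meant to override), and then sorts by hit count while keeping the relative order of every pair of rules that match a common request. The attribute names, rule names, numbers and predicate style are all assumptions made for the illustration; real ISE conditions are richer, and the overlap check is only as complete as the request set you feed it.

```python
"""First-match policy ordering: re-order by hit count without changing outcomes.

Added example (not from the thread or from Cisco ISE). Rules, hit counts,
attribute names and the request set are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]  # stands in for an ISE policy condition
    hits: int                             # observed hit count (made-up numbers)


# Constructed rule set in its current (intended) order. The first rule is a
# narrow deny that must shadow the broad NMS rule directly below it.
RULES: List[Rule] = [
    Rule("Deny-NMS-On-Core", lambda r: r["user"] == "nms-poller" and r["device_type"] == "Core", 50),
    Rule("NMS-Read-Only", lambda r: r["user"] == "nms-poller", 9000),
    Rule("NetOps-Admin", lambda r: r["group"] == "netops", 300),
    Rule("Helpdesk-Show-Only", lambda r: r["group"] == "helpdesk", 40),
]

# Constructed set of representative requests. Overlap detection below is only
# as complete as this set, so cover every user/device combination you care about.
REQUESTS: List[Request] = [
    {"user": u, "group": g, "device_type": d}
    for u, g in [("nms-poller", "svc"), ("alice", "netops"), ("bob", "helpdesk")]
    for d in ["Core", "Access"]
]


def first_match(rules: List[Rule], req: Request) -> Optional[str]:
    """Top-down, first-match evaluation; None means the set's default rule applies."""
    for rule in rules:
        if rule.condition(req):
            return rule.name
    return None


def naive_reorder(rules: List[Rule]) -> List[Rule]:
    """Sort by hit count only; this is what 'just move the busy rules up' does."""
    return sorted(rules, key=lambda r: r.hits, reverse=True)


def conflicts(original: List[Rule], candidate: List[Rule],
              requests: List[Request]) -> List[Tuple[Request, Optional[str], Optional[str]]]:
    """Requests that would hit a different rule under the candidate ordering."""
    out = []
    for req in requests:
        before, after = first_match(original, req), first_match(candidate, req)
        if before != after:
            out.append((req, before, after))
    return out


def safe_reorder(rules: List[Rule], requests: List[Request]) -> List[Rule]:
    """Sort by hit count, but never move a rule ahead of an earlier rule that
    matches at least one of the same requests: those pairs are order-sensitive."""
    n = len(rules)
    must_precede = {j: set() for j in range(n)}  # j -> indices that must stay above j
    for i in range(n):
        for j in range(i + 1, n):
            if any(rules[i].condition(r) and rules[j].condition(r) for r in requests):
                must_precede[j].add(i)
    placed: set = set()
    order: List[Rule] = []
    while len(order) < n:
        ready = [k for k in range(n) if k not in placed and must_precede[k] <= placed]
        best = max(ready, key=lambda k: (rules[k].hits, -k))  # busiest first, original order on ties
        placed.add(best)
        order.append(rules[best])
    return order


if __name__ == "__main__":
    for req, before, after in conflicts(RULES, naive_reorder(RULES), REQUESTS):
        print(f"UNSAFE: {req} matched {before}, would match {after}")
    print("safe order:", [r.name for r in safe_reorder(RULES, REQUESTS)])
```

With the constructed data, the naive sort moves NMS-Read-Only above Deny-NMS-On-Core and the poller's Core logins stop being denied; the constrained sort still promotes the busy NetOps-Admin rule to the top but keeps the deny above the rule it shadows. The same idea applies per policy set and within each set's authorization rules: only rules with no overlapping matches are free to move.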
    <item>
      <title>Re: ISE SNS3515 Assistance</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023037#M587589</link>
      <description>&lt;P&gt;Arne,&lt;/P&gt;&lt;P&gt;Thank you so much for the detailed response. I did want to key in on one aspect:&lt;/P&gt;&lt;P&gt;"&lt;SPAN&gt;&lt;EM&gt;I had a look and even in ISE 3.2 the Reports &amp;gt; Diagnostics counters all relate to RADIUS performance, and not TACACS+. So perhaps your best bet is to see how active your TACACS really is with a TACACS report and then just thumb suck it&lt;/EM&gt;."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;This was exactly what I was attempting to do as well, was figure out how many TACACS requests these deployments are seeing in a given time period as well as how many concurrent TACACS auths the deployments were seeing. I didn't see any good way of ascertaining this info. I was going to use the reports as you suggested. It sounds like there isn't any good way in ISE to see this info for TACACS, correct?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thank you.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2024 20:49:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023037#M587589</guid>
      <dc:creator>craddockchristopher</dc:creator>
      <dc:date>2024-02-22T20:49:17Z</dc:date>
    </item>
    <item>
      <title>Re: ISE SNS3515 Assistance</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023044#M587590</link>
      <description>&lt;P&gt;Yes, sadly the TACACS Key Performance Metrics are non-existent in ISE. If you're desperate then you could run a tcpdump on both nodes and use a filter such as 'tcp port 49' for as long as ISE will let you (older versions it was 5 min max). And then run that through Wireshark (filter on 'tacplus'). But your easiest approach is to look at LiveLogs and extrapolate from there.&lt;/P&gt;
&lt;P&gt;If it's any consolation, I have customers with close on 10,000 network devices - I think the system limits as far as the raw number of devices are not even close to exhaustion.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2024 21:00:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023044#M587590</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-02-22T21:00:40Z</dc:date>
    </item>
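The capture route in the reply above works without Wireshark, because the 12-byte TACACS+ header is never obfuscated (only the packet body is hidden with the shared key), so the session counters, top-talking NADs and peak concurrency the thread is after can be pulled straight from a 'tcp port 49' capture. The following is an added example, not code from the thread or from Cisco: it decodes the header layout from RFC 8907 (version, type, seq_no, flags, session_id, length), then runs over a constructed list of client-to-server packets standing in for a tcpdump capture on a PSN. The IP addresses, session IDs, timings and the NMS polling pattern are invented for the illustration. As a bonus check it flags any session whose header carries the unencrypted flag, which means that NAD is sending its body in the clear.

```python
"""TACACS+ session counting from captured packet headers.

Added example (not from the thread or from Cisco ISE). Parses the 12-byte
TACACS+ header from RFC 8907 section 4.1; the header is never obfuscated,
so this works on a raw 'tcp port 49' capture without knowing the key.
Only client-to-server packets are modelled (odd seq_no; seq_no 1 opens a session).
"""
import struct
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TYPE_NAMES = {1: "authen", 2: "author", 3: "acct"}
FLAG_UNENCRYPTED = 0x01      # body sent in the clear (deprecated by RFC 8907)
FLAG_SINGLE_CONNECT = 0x04   # client wants to multiplex sessions on one TCP connection


class Hdr(NamedTuple):
    major: int
    minor: int
    ptype: int
    seq_no: int
    flags: int
    session_id: int
    body_len: int


def parse_header(raw: bytes) -> Hdr:
    """Decode one TACACS+ header; raise ValueError for anything that is not one."""
    if len(raw) < HDR.size:
        raise ValueError("short TACACS+ header")
    ver, ptype, seq, flags, sid, length = HDR.unpack_from(raw)
    major, minor = ver >> 4, ver & 0x0F
    if major != 0xC:
        raise ValueError(f"not TACACS+: major version {major:#x}")
    if ptype not in TYPE_NAMES:
        raise ValueError(f"unknown TACACS+ packet type {ptype}")
    return Hdr(major, minor, ptype, seq, flags, sid, length)


def build(ptype: int, seq: int, sid: int, flags: int = 0, body_len: int = 32) -> bytes:
    """Constructed header (no body) so the example runs without a real capture."""
    return HDR.pack(0xC0, ptype, seq, flags, sid, body_len)


Packet = Tuple[float, str, bytes]  # (seconds since capture start, client IP, raw header)


def nms_cycle(t0: float, client: str, sid: int) -> List[Packet]:
    """One scripted NMS login: authen START, authen CONTINUE (password), one author request."""
    return [
        (t0, client, build(1, 1, sid)),
        (t0 + 0.02, client, build(1, 3, sid)),
        (t0 + 0.03, client, build(2, 1, sid + 1)),
    ]


# Constructed capture standing in for 'tcpdump tcp port 49' on a PSN, client-to-server only.
CAPTURE: List[Packet] = (
    nms_cycle(0.00, "10.1.1.10", 0x1001) + nms_cycle(1.00, "10.1.1.10", 0x1003)
    + nms_cycle(2.00, "10.1.1.10", 0x1005)
    + nms_cycle(0.50, "10.1.1.11", 0x2001) + nms_cycle(1.50, "10.1.1.11", 0x2003)
    + [  # one human login: slow password entry, then a command authorization and an accounting start
        (1.20, "10.2.0.5", build(1, 1, 0x3001)),
        (1.80, "10.2.0.5", build(1, 3, 0x3001)),
        (1.90, "10.2.0.5", build(2, 1, 0x3002)),
        (1.95, "10.2.0.5", build(3, 1, 0x3003)),
    ]
    # a NAD with no shared key configured: its body goes over the wire in the clear
    + [(2.10, "10.3.0.9", build(1, 1, 0x4001, flags=FLAG_UNENCRYPTED))]
)


def summarize(capture: List[Packet]) -> Dict[str, object]:
    starts: Counter = Counter()       # new sessions per packet type
    per_client: Counter = Counter()   # new sessions per client IP: the top entries are your pollers
    span: Dict[int, List[float]] = {}  # session_id -> [first seen, last seen]
    cleartext: List[int] = []
    for t, client, raw in sorted(capture, key=lambda p: p[0]):
        h = parse_header(raw)
        if h.seq_no == 1:
            starts[TYPE_NAMES[h.ptype]] += 1
            per_client[client] += 1
        if h.flags & FLAG_UNENCRYPTED and h.session_id not in cleartext:
            cleartext.append(h.session_id)
        if h.session_id in span:
            span[h.session_id][1] = t
        else:
            span[h.session_id] = [t, t]
    # Peak concurrency: sweep over open/close events; opens sort before closes on
    # equal timestamps so a single-packet session still counts as open at its instant.
    events = [(s, 1) for s, _ in span.values()] + [(e, -1) for _, e in span.values()]
    events.sort(key=lambda ev: (ev[0], -ev[1]))
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return {
        "sessions_by_type": dict(starts),
        "sessions_by_client": per_client.most_common(),
        "peak_concurrent": peak,
        "cleartext_sessions": cleartext,
    }


if __name__ == "__main__":
    print(summarize(CAPTURE))
```

On the constructed capture the two pollers account for ten of the fourteen sessions in two seconds, yet no more than two sessions are ever open at once: the volume figure is what loads MNT (hence the Collection Filter advice), the concurrency figure is what loads the PSN. To feed real data in, replace CAPTURE with the (timestamp, source IP, first 12 payload bytes) of each client-to-server segment from the pcap; per-user attribution still needs the body, and therefore the key, which is why LiveLogs remain the easier source for that.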
    <item>
      <title>Re: ISE SNS3515 Assistance</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023058#M587593</link>
      <description>&lt;P&gt;Arne,&lt;/P&gt;&lt;P&gt;Thanks again! Are you saying you have clients with SNS3515 that have 10k devices registered?&amp;nbsp;&lt;/P&gt;&lt;P&gt;I logged into the CIMC of my SNS3515 and found that the CPU and overall utilization is about 5% so it's not even breaking a sweat currently. Unfortunately I am not able to see any reports or live logs on my "bad deployment" because it's still running 2.7 and requires Adobe Flash player....yikes!&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2024 21:20:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023058#M587593</guid>
      <dc:creator>craddockchristopher</dc:creator>
      <dc:date>2024-02-22T21:20:20Z</dc:date>
    </item>
    <item>
      <title>Re: ISE SNS3515 Assistance</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023085#M587594</link>
      <description>&lt;P&gt;ha ha - I don't have any customers with SNS-3515 ... but the customer in question uses a Small VM spec (32 GB RAM, 16 vCPU) on those TACACS PSNs.&lt;/P&gt;
&lt;P&gt;The CIMC CPU utilisation is also a good indicator of load. And those old SNS-3515 (single disk) have pretty slow IO - if you're moving to VMs you might find that IO is improved if the underlying VM data storage is RAID or SSD based.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2024 21:48:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-sns3515-assistance/m-p/5023085#M587594</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-02-22T21:48:45Z</dc:date>
    </item>
  </channel>
</rss>

