Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2410
Views
0
Helpful
4
Replies

Max number of Authorization policies in ISE

nloverin
Cisco Employee
Cisco Employee

‎09-13-2017 06:43 AM

Can anyone share ways to expand beyond the limitation of 700-800 authorization policies in ISE?  I have a customer (new network design) with 400+ sites and 2+ authorization rules per site.  Their desire goes well beyond what the ISE documentation says is possible.  They are well under the max number of devices that ISE can handle (500K).  While 700-800 rules sounds like a big number, they don't seem to fit in this use-case.  Any thoughts are welcome.

0 Helpful
4 Replies 4

hslai
Cisco Employee
Cisco Employee

‎09-13-2017 11:02 AM

Such numbers are tested by our product teams but not hard limits. Some of these might address in the upcoming releases but we do not discuss roadmaps in a public forum. Please talk to Craig and our PM team further.

0 Helpful

kthiruve
Cisco Employee
Cisco Employee

‎09-14-2017 10:59 PM

HI Neil,

Are you planning to use one authorization rule per site?. Best to use policy set to filter the incoming request from different sites and construct your authorization rules based on that. I wonder why you need so many authorization rules.

ISE supports upto 100 policy sets. Once you have an entrance criteria in the policy sets, you can group a few sites and create authorization policies for those sites and combine user roles. The performance of the page refresh will be slow when you exceed those limits, save will be slower etc. Validated limit published is 700 authz rules.

Thanks

krishnan

0 Helpful

Orlando_Queiroz
Level 1
Level 1
In response to kthiruve

‎09-17-2019 08:53 AM

Hi Guys,

 

Does anybody know about a limit to create Authorization Policy on Policy Sets using Radius???


I have two IISE Servers 2.6 version update 1, and I have done migration from ACS 5.6 and most of the polices are not there, so to fix that, but I have 110 Authorization polices on ACS and when I was migrating the line 58, I got a failure to save and I removed some rules and it worked.

But when I created only one more rule, I got a message it's created, but it's not.

And I cannot create new rules on my ISE Server.

 

Policy - Policy Sets - VPN Authentication - Authorization Policy.

 

Thanks in advance,

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to Orlando_Queiroz

‎09-17-2019 09:30 PM

for recent ISE releases, the BU has documented the tested numbers on the performance and scale guide linked below.
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

It is suggested that you deploy no more than 1000 authentication, and 3200 authorization policies. From a management perspective I suggest far fewer than this.
0 Helpful
Customers Also Viewed These Support Documents