Solved: ISE EAP-TLS performance question

alehsieh · ‎05-09-2019

hi experts:

My customer plan to purchase new ISE cluster to replace the old ones. Primary authentication is

EAP-TLS+DACL. Couple of questions from customer:

1. From the scale guide section ISE 2.4 RADIUS Performance, it mentioned concurrent EAP-TLS radius auth is 320 for 3595. Does this number factor into DACL processing?

2. How can we find out peak concurrent authentication in existing ISE so that can purchase hardware with enough capacity.

thanks for help

regards

Alex

howon · ‎05-09-2019

Please reach out to me directly howon@cisco.com.

View solution in original post

howon · ‎05-09-2019

It doesn't factor in dACL processing. But, dACL process isn't taxing as full EAP transaction. It would be close to what PAP would be using internal DB as long as the dACL size is within reason. If using auth/sec, I suggest adding 10-15% overhead to EAP-TLS performance number to account for dACL. Since dACL process doesn't add to the session maintenance on the ISE node, # of concurrent endpoints will not change.

alehsieh · ‎05-09-2019

hi Hosuk:

Thanks for your explanation it's really helpful. By the way customer is still not sure to order 3595 or 36xx hardware. Do you know where I can find peak authentication request per second statistics on ISE 1.x? This way they can purchase appropriate hardware. thanks

regards

Alex

howon · ‎05-09-2019

ISE 1.x can't run on SNS-3500 or SNS-3600. I would suggest recommending customer to go to 2.4 or 2.6.

alehsieh · ‎05-09-2019

Sorry I should make it clear 1.x is for their existing cluster. For new cluster they will go with 2.4 or 2.6. Existing ISE 1.x cluster has more than 10 PSN, however for new cluster customer plan only two PSN and they are not sure if 3595 has enough capacity thus the question. thanks

regards

Alex

howon · ‎05-09-2019

Please reach out to me directly howon@cisco.com.