05-09-2019 05:17 AM
Hi experts:
My customer plans to purchase a new ISE cluster to replace the old ones. Primary authentication is EAP-TLS+DACL. A couple of questions from the customer:
1. In the scale guide section "ISE 2.4 RADIUS Performance", it mentions that concurrent EAP-TLS RADIUS auth is 320 for the 3595. Does this number factor into DACL processing?
2. How can we find out the peak concurrent authentication in the existing ISE so that we can purchase hardware with enough capacity?
Thanks for the help.
regards
Alex
05-09-2019 02:16 PM
It doesn't factor in dACL processing. But dACL processing isn't as taxing as a full EAP transaction. It would be close to what PAP would be using the internal DB, as long as the dACL size is within reason. If using auth/sec, I suggest adding 10-15% overhead to the EAP-TLS performance number to account for dACL. Since the dACL process doesn't add to the session maintenance on the ISE node, the number of concurrent endpoints will not change.
05-09-2019 06:10 PM
Hi Hosuk:
Thanks for your explanation, it's really helpful. By the way, the customer is still not sure whether to order 3595 or 36xx hardware. Do you know where I can find peak authentication requests per second statistics on ISE 1.x? This way they can purchase appropriate hardware. Thanks
regards
Alex
05-09-2019 06:12 PM
ISE 1.x can't run on SNS-3500 or SNS-3600. I would suggest recommending that the customer go to 2.4 or 2.6.
05-09-2019 06:19 PM
Sorry, I should make it clear that 1.x is for their existing cluster. For the new cluster they will go with 2.4 or 2.6. The existing ISE 1.x cluster has more than 10 PSNs; however, for the new cluster the customer plans only two PSNs, and they are not sure if the 3595 has enough capacity, thus the question. Thanks
regards
Alex
05-09-2019 06:27 PM
Please reach out to me directly howon@cisco.com.