ISE EAP-TLS performance question

alehsieh
Cisco Employee

Hi experts,

My customer plans to purchase a new ISE cluster to replace the old ones. Primary authentication is EAP-TLS+DACL. A couple of questions from the customer:

1. The scale guide section "ISE 2.4 RADIUS Performance" mentions that concurrent EAP-TLS RADIUS auth is 320 for the 3595. Does this number factor in DACL processing?

2. How can we find out the peak concurrent authentication in the existing ISE so that they can purchase hardware with enough capacity?

Thanks for the help.

Regards,

Alex

howon
Cisco Employee

It doesn't factor in dACL processing. But dACL processing isn't as taxing as a full EAP transaction. It would be close to what PAP would be using the internal DB, as long as the dACL size is within reason. If using auth/sec, I suggest adding 10-15% overhead to the EAP-TLS performance number to account for dACL. Since dACL processing doesn't add to the session maintenance on the ISE node, the number of concurrent endpoints will not change.

Hi Hosuk,

Thanks for your explanation, it's really helpful. By the way, the customer is still not sure whether to order 3595 or 36xx hardware. Do you know where I can find peak authentication requests per second statistics on ISE 1.x? This way they can purchase appropriate hardware. Thanks.

Regards,

Alex

ISE 1.x can't run on SNS-3500 or SNS-3600. I would suggest recommending that the customer go to 2.4 or 2.6.

Sorry, I should make it clear that 1.x is for their existing cluster. For the new cluster they will go with 2.4 or 2.6. The existing ISE 1.x cluster has more than 10 PSNs; however, for the new cluster the customer plans only two PSNs and they are not sure if the 3595 has enough capacity, thus the question. Thanks.

Regards,

Alex

Please reach out to me directly at howon@cisco.com.