
IBNS 2.0 does concurrent 802.1x MAB authentications tax the ISE nodes

I will start by saying I have successfully implemented the IBNS 2.0 configuration and can make 802.1x and MAB authenticate instantly with one of them always failing of course and it's great!

I am going to ask a loaded question that I'm sure begins with "it depends", but does anyone know how much concurrent authentications really tax the ISE servers?

We have some goals in mind while we roll out ISE.

1. We would REALLY like to have the same configuration across all access layer switches; no one wants to keep track of one-off stacks that do concurrent authentications while the majority do not.

2. We want everything to stay dynamic, as we feel this is one of the reasons to use ISE: to have consistent policy no matter where a device plugs in. That said, I would not want to hard-code only a few ports to do concurrent authentication, as that is not dynamic.

Cisco documentation gives you guidelines on building ISE nodes (we're doing VMs) based on concurrent sessions. In other words, it depends on the number of devices with an active session in ISE. So if I built out my nodes to handle, say, 40,000 active endpoints/sessions, does that number go down if I turn on concurrent authentications across the board vs. just doing 802.1x then MAB?

In case it helps, we are using Cisco 3850 switches, all on 3.6.3 code or later, and the ISE nodes are 2.0 patch 2.

Thank you!

1 REPLY

Re: IBNS 2.0 does concurrent 802.1x MAB authentications tax the ISE nodes

C'mon Cisco guys... for 2 years no response on this quite emergent Q?
br