How many devices (MAB) can be authenticated via the internal identity store in ACS 5.3? (ACS 1120, 802.1X)

Answered Question
Jan 24th, 2012
Hi,

I'm currently looking for a document that specifies how many MAC addresses can be stored and authenticated via an ACS (1120). I prefer to use the internal identity store over AD or LDAP for MAB authentication in an 802.1X project.

I would like to know what the impact on the ACS is: CPU/MEM?

What is the impact on user authentication: delay, timeout, etc.?

Please specify any other restriction or side effect.

Thanks for your input

Regards


camejia Tue, 01/24/2012 - 08:20

Hello Amin,

You might want to check the following:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/migration/guide/Migration_Deploy.html#wp1054828

Performance

A single ACS 5.3 server that does not act as the log collector can process more than 100 authentications per second. You should make sure that a single ACS server processing AAA requests is able to manage the load during peak hours. Peak hours typically occur when users arrive to work, or when network equipment reboots. This creates a large number of authentication requests.

For example, 50,000 employees of a company log on to a network evenly, over a fifteen minute period. This translates to approximately 56 authentications per second as the peak authentication rate. In this case, a single ACS server which does not act as the log collector can support this peak authentication rate.

Table 1-5 shows the number of authentications a single ACS server can support for different time periods, assuming a minimal rate of 100 authentications per second.

Table 1-5     Authentications Over Different Time Periods

    Time period    Authentications
    1 second       100
    60 seconds     6000
    5 minutes      30000
    15 minutes     90000
    1 hour         360000

There are many factors that affect ACS authentication performance, such as configuration size, policy complexity, communication with external servers and authentication protocol complexity.

Table 1-6 lists the ACS performance for different authentication environments. This performance data represents the lower range of authentication rates observed while testing ACS with complex configurations. The performance is higher for simpler configurations.

Table 1-6     The Lower Range of ACS 5.3 Authentication Performance, in Authentications per Second

    Authentication type    Identity store
                           Internal    AD      LDAP
    PAP                    500         100     800
    CHAP                   500         500     N/A
    TACACS+                400         160     1200
    MSCHAP                 500         300     N/A
    PEAP-MSCHAP            200         100     N/A
    PEAP-GTC               200         100     300
    EAP-TLS                200         180     270
    LEAP                   330         280     N/A
    FAST-MSCHAP            120         120     N/A
    FAST-GTC               130         110     190
    MAC-Auth Bypass        750         N/A     2000

Note: The above numbers assume fast reconnect and session resume are in use for the applicable EAP methods.

There is an approximate 50% drop in authentication performance if the ACS server is also being used as the log collector for the Monitoring and Report Viewer.

There is an approximate 10% to 15% increase in performance on the CSACS 1121 appliance over the numbers shown in Table 1-6.

Performance on a virtual machine is slower than on an actual 1120 appliance because of the virtual machine overhead. Performance of a virtual machine increases when you increase the CPU resources.

For virtual machine environments, the minimum requirements are similar to the 1121 appliance. For more information on virtual machine environments, refer to the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.

I hope the above clarifies it.

If you find the information provided helpful please rate.

Best Regards.
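A worked sizing check, added here as an example and not code from the thread or from Cisco: it turns the figures quoted in the post above (the Table 1-6 lower-range rates, the roughly 50% drop when the node is also the log collector, the 10-15% gain on a CSACS-1121, and the unquantified VM penalty) into a single-node check for a mixed workload. Combining protocols by summing per-protocol utilisation (required rate divided by available rate) is my own planning convention, not a Cisco formula, and the 50,000-user plus 5,000-MAB scenario at the bottom is constructed.

```python
"""Single-node ACS 5.3 capacity check built from the lower-range rates quoted above.

Added example, not Cisco code. The per-protocol utilisation sum is an assumed
planning convention; the rates and adjustment factors are the ones the post quotes."""

# (internal, AD, LDAP) lower-range authentications per second, Table 1-6; None = N/A
LOWER_RANGE_AUTH_PER_SEC = {
    "PAP":         (500, 100, 800),
    "CHAP":        (500, 500, None),
    "TACACS+":     (400, 160, 1200),
    "MSCHAP":      (500, 300, None),
    "PEAP-MSCHAP": (200, 100, None),
    "PEAP-GTC":    (200, 100, 300),
    "EAP-TLS":     (200, 180, 270),
    "LEAP":        (330, 280, None),
    "FAST-MSCHAP": (120, 120, None),
    "FAST-GTC":    (130, 110, 190),
    "MAB":         (750, None, 2000),
}
STORE_COLUMN = {"internal": 0, "AD": 1, "LDAP": 2}
LOG_COLLECTOR_FACTOR = 0.5   # "approximate 50% drop" when the node is also the log collector
CSACS_1121_FACTOR = 1.10     # low end of the quoted 10-15% gain on a 1121 over a 1120


def peak_rate(sessions, window_seconds):
    """Authentications per second if `sessions` arrive evenly over the window."""
    return sessions / window_seconds


def supported(protocol, store):
    """False for the combinations Table 1-6 marks N/A (e.g. MAB against AD)."""
    return LOWER_RANGE_AUTH_PER_SEC[protocol][STORE_COLUMN[store]] is not None


def available_rate(protocol, store, log_collector_on_node=False, appliance="1120"):
    """Lower-range rate for one protocol/store pair on one node, after the quoted adjustments."""
    base = LOWER_RANGE_AUTH_PER_SEC[protocol][STORE_COLUMN[store]]
    if base is None:
        raise ValueError(f"{protocol} against {store} is N/A in Table 1-6")
    rate = float(base)
    if appliance == "1121":
        rate *= CSACS_1121_FACTOR
    if log_collector_on_node:
        rate *= LOG_COLLECTOR_FACTOR
    return round(rate, 2)


def plan(workload, window_seconds, log_collector_on_node=False, appliance="1120"):
    """workload: list of (protocol, store, sessions) that all hit this node inside the window.

    Returns the per-row need/have figures, the summed utilisation and whether it fits (<= 1.0).
    """
    rows, utilization = [], 0.0
    for protocol, store, sessions in workload:
        need = peak_rate(sessions, window_seconds)
        have = available_rate(protocol, store, log_collector_on_node, appliance)
        rows.append({"protocol": protocol, "store": store, "need": round(need, 2), "have": have})
        utilization += need / have
    warnings = []
    if appliance == "vm":
        warnings.append("VM: expect less than the 1120 figures; the guide gives no factor, size with a margin")
    if log_collector_on_node:
        warnings.append("log collector on this node: move it to a secondary instance to regain ~50%")
    return {"rows": rows, "utilization": round(utilization, 3),
            "fits": utilization <= 1.0, "warnings": warnings}


if __name__ == "__main__":
    # Constructed scenario: the guide's 50,000 users over 15 minutes, PEAP-MSCHAP against AD,
    # plus 5,000 printers and phones via MAB against the internal host store, on one 1120.
    workload = [("PEAP-MSCHAP", "AD", 50000), ("MAB", "internal", 5000)]
    for collector in (False, True):
        result = plan(workload, 15 * 60, log_collector_on_node=collector)
        print(f"log collector on node={collector}: "
              f"utilization={result['utilization']} fits={result['fits']}")
        for row in result["rows"]:
            print(f"  {row['protocol']:<12} {row['store']:<9} need {row['need']:>7} /s  have {row['have']:>7} /s")
```

With the log collector on a separate node the scenario uses about 56% of one 1120 (the PEAP-MSCHAP/AD row dominates; the 5,000 MAB hosts add under 1%), while keeping the collector on the same node pushes it past 100%, which is the situation the later posts in this thread address.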

toschu Tue, 01/24/2012 - 11:41

Hi Carlos,


I am just replying to your response on Amin's questions because I am wondering, in fact, whether there is a reasonable number of MAC addresses that can be stored for MAB within the internal identity store. So it is less about having 60 authentication requests per second handled by the ACS, but more about storing e.g. several thousand MAC addresses instead. Are there any known limitations so far? I thought I had come across something around 8,000 addresses, but can't find it anymore.


Thanks,

Torsten.

camejia Tue, 01/24/2012 - 11:52

Hello Torsten,


ACS 5.x was tested by ACS Developers with 50,000 Internal Hosts configured. There does not seem to be a limit on the number of Internal Hosts configured; the limit is instead the number of Authentication Requests it can handle per second.


Please mark the post as answered if the provided information has clarified your concerns.


Best Regards.

Correct Answer
camejia Tue, 01/24/2012 - 11:53

Hello Torsten,

I have confirmed on our database and also on this Community, and the answer is the same.

Refer to:

https://supportforums.cisco.com/thread/2101657

Adding additional information:

Internal Users : 300000
Internal Hosts : 50000

Best Regards.
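A worked example, added here and not part of the thread or of Cisco's software, for the "several thousand MAC addresses" case Torsten raises: before loading hosts into the Internal Hosts store, normalise the formats that switches (Cisco dotted), Linux asset lists (colons) and Windows exports (hyphens) produce, reject entries that can never be a supplicant's source address (the group/broadcast bit set in the first octet, or not 48 bits), drop exact duplicates that would fail an import, and check the resulting count against the 50,000 Internal Hosts figure quoted above. The sample export is constructed; the hyphenated output form is my assumption about what the ACS host import expects, so verify it against your ACS version's import template.

```python
"""Normalise and sanity-check a MAB host list against the tested Internal Hosts figure.

Added example, not Cisco code. The output format for import is an assumption."""
import re

TESTED_INTERNAL_HOSTS = 50000          # figure quoted in the thread for ACS 5.x
_SEPARATORS = re.compile(r"[:\-. ]")    # colon, hyphen, Cisco dot and stray spaces
_HEX12 = re.compile(r"[0-9a-f]{12}")

# Constructed sample, as it might be pasted together from several sources.
SAMPLE_EXPORT = [
    "0011.2233.4455",       # Cisco dotted style, as in 'show mac address-table'
    "00:11:22:33:44:55",    # same host again, colon style from a Linux asset list
    "00-AA-BB-CC-DD-EE",    # Windows style, upper case
    "0011.2233.445",        # truncated, 44 bits
    "ffff.ffff.ffff",       # broadcast
    "01:00:5e:00:00:fb",    # multicast (mDNS); never a supplicant source MAC
]


def canonical_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a 48-bit address."""
    digits = _SEPARATORS.sub("", raw.strip()).lower()
    return digits if _HEX12.fullmatch(digits) else None


def is_group_mac(mac):
    """True when the I/G bit (least significant bit of the first octet) is set."""
    return int(canonical_mac(mac)[0:2], 16) & 1 == 1


def format_mac(mac, style="hyphen"):
    """Render a canonical MAC as 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455."""
    if style == "cisco":
        return ".".join(mac[i:i + 4] for i in range(0, 12, 4))
    sep = ":" if style == "colon" else "-"
    return sep.join(mac[i:i + 2] for i in range(0, 12, 2))


def build_mab_store(raw_entries, limit=TESTED_INTERNAL_HOSTS):
    """Validate, canonicalise and de-duplicate; report what was dropped and whether the
    unique count exceeds the tested Internal Hosts figure."""
    seen, duplicates, rejected = {}, [], []
    for line_no, raw in enumerate(raw_entries, 1):
        mac = canonical_mac(raw)
        if mac is None:
            rejected.append((line_no, raw, "not a 48-bit MAC"))
            continue
        if is_group_mac(mac):
            rejected.append((line_no, raw, "group/broadcast bit set"))
            continue
        if mac in seen:
            duplicates.append(mac)          # second and later copies are dropped
            continue
        seen[mac] = line_no
    hosts = sorted(seen)
    return {"hosts": hosts, "duplicates": duplicates, "rejected": rejected,
            "over_limit": len(hosts) > limit, "excess": max(0, len(hosts) - limit)}


if __name__ == "__main__":
    result = build_mab_store(SAMPLE_EXPORT)
    print(f"{len(result['hosts'])} unique hosts, {len(result['duplicates'])} duplicates, "
          f"{len(result['rejected'])} rejected, over tested limit: {result['over_limit']}")
    for line_no, raw, reason in result["rejected"]:
        print(f"  line {line_no}: {raw!r}: {reason}")
    for mac in result["hosts"]:
        print(f"  {format_mac(mac)}")   # assumed import form, one host per line
```

On the constructed sample this keeps two hosts (the dotted and colon entries collapse to one), rejects the truncated, broadcast and multicast lines, and reports no excess; feeding it a real export of several thousand lines is the check that "at least not in this regard" relies on.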

toschu Tue, 01/24/2012 - 12:07

Hello Carlos,


That's great to know, as I don't need to be afraid of any pitfalls - at least not in this regard. ;-)


Thanks a lot,

T.

amin.amor Wed, 01/25/2012 - 05:43

Dear Carlos,


Thanks for your reply. The following Cisco PDF file confirms the 50,000 MAC address limit on the ACS.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf


As I can see from your answer, the accounting could consume up to 50% of the ACS performance. As you know, monitoring is critical for an 802.1X deployment in order to check which hosts have passed authentication during the open phase.

My question is:

If I disable accounting on the production ACS in order to increase ACS performance, what is the proposed solution for the accounting?


Regards

Correct Answer
camejia Thu, 01/26/2012 - 16:47

Hello Amin,

If you have one Standalone server you cannot disable the ACS Log Collector features on it. Usually the best approach is to get another ACS 5.x registered as a Secondary Instance of the Primary ACS.

The Primary ACS will handle the Authentication Load and we can change the Log Collector to run on the Secondary ACS server instead.

With the above deployment the Primary ACS will only perform authentication tasks, while the Secondary will be used for authentication if the Primary goes down. The Secondary will always run as the Log Collector, reducing the load on the Primary ACS.

Hope this helps

Best Regards.
