01-24-2012 01:48 AM - edited 03-10-2019 06:45 PM
Hi,
I'm currently looking for a document that specifies how many MAC addresses can be stored and authenticated via an ACS (1120). I prefer to use the internal identity store over AD or LDAP for MAB authentication in an 802.1X project.
I would like to know what the impact on the ACS is (CPU/MEM).
What is the impact on the user authentication (delay, timeout, etc.)?
Please specify any other restriction or side effect.
Thanks for your input
Regards
01-24-2012 11:53 AM
Hello Torsten,
I have confirmed on our database and also on this Community, and the answer is the same.
Refer to:
https://supportforums.cisco.com/thread/2101657
Adding additional information:
Internal Users: 300000
Internal Hosts: 50000
Best Regards.
01-26-2012 04:47 PM
Hello Amin,
If you have one Standalone server you cannot disable the ACS Log Collector features on it. Usually the best approach is to get another ACS 5.x registered as a Secondary Instance of the Primary ACS.
The Primary ACS will handle the Authentication Load and we can change the Log Collector to run on the Secondary ACS server instead.
With the above deployment the Primary ACS will only perform authentication tasks while the secondary will be used for authentication if the primary goes down. The Secondary will always run as the Log Collector reducing the load on the Primary ACS.
Hope this helps
Best Regards.
01-24-2012 08:20 AM
Hello Amin,
You might want to check the following:
A single ACS 5.3 server that does not act as the log collector can process more than 100 authentications per second. You should make sure that a single ACS server processing AAA requests is able to manage the load during peak hours. Peak hours typically occur when users arrive at work, or when network equipment reboots. This creates a large number of authentication requests.
For example, 50,000 employees of a company log on to a network evenly, over a fifteen minute period. This translates to approximately 56 authentications per second as the peak authentication rate. In this case, a single ACS server which does not act as the log collector, can support this peak authentication rate.
Table 1-5 shows the number of authentications a single ACS server can support for different time periods, assuming a minimal rate of 100 authentications per second.
| Time period | Authentications |
|---|---|
| 1 second | 100 |
| 60 seconds | 6000 |
| 5 minutes | 30000 |
| 15 minutes | 90000 |
| 1 hour | 360000 |
There are many factors that affect ACS authentication performance, such as configuration size, policy complexity, communication with external servers and authentication protocol complexity.
Table 1-6 lists the ACS performance for different authentication environments. This performance data represents the lower range of authentication rates observed while testing ACS with complex configurations. The performance is higher for simpler configurations.
| Authentication Type | Internal identity store | AD identity store | LDAP identity store |
|---|---|---|---|
| PAP | 500 | 100 | 800 |
| CHAP | 500 | 500 | N/A |
| TACACS+ | 400 | 160 | 1200 |
| MSCHAP | 500 | 300 | N/A |
| PEAP-MSCHAP | 200 | 100 | N/A |
| PEAP-GTC | 200 | 100 | 300 |
| EAP-TLS | 200 | 180 | 270 |
| LEAP | 330 | 280 | N/A |
| FAST-MSCHAP | 120 | 120 | N/A |
| FAST-GTC | 130 | 110 | 190 |
| MAC-Auth Bypass | 750 | N/A | 2000 |
Note: The above numbers assume fast reconnect and session resume are in use for the applicable EAP methods.
There is an approximate 50% drop in authentication performance if the ACS server is also being used as the log collector for the Monitoring and Report Viewer.
There is an approximate 10% to 15% increase in performance on the CSACS 1121 appliance compared with the numbers shown in Table 1-6.
Performance on a virtual machine is slower than on an actual 1120 appliance because of the virtual machine overhead. Performance of a virtual machine increases when you increase the CPU resources.
For virtual machine environments, the minimum requirements are similar to the 1121 appliance. For more information on virtual machine environments, refer to the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3.
I hope the above clarifies it.
If you find the information provided helpful please rate.
Best Regards.
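The sizing rule in the post above (peak rate = endpoints spread over the login window, compared against the Table 1-6 figure for the chosen authentication type and identity store, halved when the same server is the log collector) and the 50,000 Internal Hosts figure quoted elsewhere in this thread can be turned into a small capacity check. The following is an added example written for this thread, not Cisco's code or a tool from the ACS product; the table values and percentages are the ones quoted in the post, while the deployment model, the 1.5x safety margin and the function names are assumptions made here.

```python
"""Capacity check for a single ACS 5.3 authentication server.

Added example for this thread, not Cisco code. Figures come from the post above
(Table 1-6, the 50% log-collector drop, the 10-15% 1121 gain) and from the
50,000 Internal Hosts figure quoted in the thread; everything else is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Table 1-6 as quoted: lower-range authentications per second, by auth type
# and identity store. None marks the N/A cells.
TABLE_1_6: Dict[str, Dict[str, Optional[int]]] = {
    "PAP":             {"Internal": 500, "AD": 100,  "LDAP": 800},
    "CHAP":            {"Internal": 500, "AD": 500,  "LDAP": None},
    "TACACS+":         {"Internal": 400, "AD": 160,  "LDAP": 1200},
    "MSCHAP":          {"Internal": 500, "AD": 300,  "LDAP": None},
    "PEAP-MSCHAP":     {"Internal": 200, "AD": 100,  "LDAP": None},
    "PEAP-GTC":        {"Internal": 200, "AD": 100,  "LDAP": 300},
    "EAP-TLS":         {"Internal": 200, "AD": 180,  "LDAP": 270},
    "LEAP":            {"Internal": 330, "AD": 280,  "LDAP": None},
    "FAST-MSCHAP":     {"Internal": 120, "AD": 120,  "LDAP": None},
    "FAST-GTC":        {"Internal": 130, "AD": 110,  "LDAP": 190},
    "MAC-Auth Bypass": {"Internal": 750, "AD": None, "LDAP": 2000},
}

LOG_COLLECTOR_FACTOR = 0.5   # "approximate 50% drop" when the server is also the log collector
CSACS_1121_FACTOR = 1.10     # lower end of the quoted "10% to 15% increase" on the 1121
INTERNAL_HOSTS_TESTED = 50000  # Internal Hosts count the thread quotes as tested
SAFETY_MARGIN = 1.5          # assumption: want capacity >= 1.5 x peak rate


def peak_rate(endpoints: int, window_seconds: int) -> float:
    """Peak authentications/second if all endpoints log on evenly over the window.

    The post's worked case: 50,000 employees over 15 minutes -> ~56/s.
    """
    if endpoints < 0 or window_seconds <= 0:
        raise ValueError("endpoints must be >= 0 and window_seconds > 0")
    return endpoints / window_seconds


def server_capacity(auth_type: str, store: str, is_log_collector: bool,
                    appliance: str = "1120") -> float:
    """Authentications/second one server can take for this auth type and store."""
    rate = TABLE_1_6[auth_type][store]
    if rate is None:
        raise ValueError(f"{auth_type} against {store} is N/A in Table 1-6")
    cap = float(rate)
    if is_log_collector:
        cap *= LOG_COLLECTOR_FACTOR
    if appliance == "1121":
        cap *= CSACS_1121_FACTOR
    return cap


@dataclass
class Assessment:
    peak: float
    capacity: float
    headroom: float          # capacity / peak
    ok: bool
    notes: List[str] = field(default_factory=list)


def assess(endpoints: int, window_seconds: int, auth_type: str, store: str,
           is_log_collector: bool, appliance: str = "1120",
           margin: float = SAFETY_MARGIN) -> Assessment:
    """Combine peak rate, per-server capacity and the Internal Hosts figure."""
    peak = peak_rate(endpoints, window_seconds)
    cap = server_capacity(auth_type, store, is_log_collector, appliance)
    notes: List[str] = []
    within_host_limit = True
    # MAB against the internal store keeps every MAC as an Internal Host entry.
    if auth_type == "MAC-Auth Bypass" and store == "Internal" \
            and endpoints > INTERNAL_HOSTS_TESTED:
        within_host_limit = False
        notes.append(f"{endpoints} MAB endpoints exceeds the {INTERNAL_HOSTS_TESTED} "
                     "Internal Hosts figure ACS 5.x was tested with")
    if is_log_collector:
        # Recommendation from the thread: move the log collector to a secondary instance.
        notes.append("server is also the log collector (50% drop); register a "
                     "secondary ACS instance and run the log collector there")
    headroom = cap / peak if peak > 0 else float("inf")
    ok = headroom >= margin and within_host_limit
    return Assessment(peak, cap, headroom, ok, notes)


if __name__ == "__main__":
    # The post's scenario, PEAP-MSCHAP against AD, first as a pure
    # authentication server and then with the log collector on the same box.
    for collector in (False, True):
        a = assess(50000, 15 * 60, "PEAP-MSCHAP", "AD", collector)
        print(f"log_collector={collector}: peak={a.peak:.1f}/s capacity={a.capacity:.0f}/s "
              f"headroom={a.headroom:.2f} ok={a.ok} notes={a.notes}")
```

Running it reproduces the 56 authentications/second from the post and shows the same deployment dropping below the margin once the server doubles as log collector, which is the situation the later replies resolve by moving the log collector to a secondary instance. The margin and the treatment of the 1121 figure as a flat 10% are choices made for this example, not values from the ACS documentation.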
01-24-2012 11:41 AM
Hi Carlos,
I am just replying to your response on Amin's questions because I am wondering in fact whether there is a reasonable number of MAC addresses being stored for MAB within the internal identity store. So it is less about having 60 authentication requests handled per second by the ACS, but more about storing e.g. several thousand MAC addresses instead. Are there any known limitations so far? I thought I would have come across something around 8.000 addresses, but can't find it anymore.
Thanks,
Torsten.
01-24-2012 11:52 AM
Hello Torsten,
ACS 5.x was tested by ACS Developers with 50,000 Internal Hosts configured. There does not seem to be a limit on the amount of Internal Hosts configured but instead the amount of Authentication Requests it can handle per second.
Please mark the post as answered if the provided information has clarified your concerns.
Best Regards.
01-24-2012 12:07 PM
Hello Carlos,
That's great to know, as I don't need to be afraid of any pitfalls - at least not in this regard. ;-)
Thanks a lot,
T.
01-25-2012 05:43 AM
Dear Carlos,
Thanks for your reply, the following Cisco PDF file confirms the 50.000 MAC address limit on the ACS.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf
As I can see from your answer, the accounting could consume up to 50% of the ACS performance; as you know, monitoring is critical for 802.1x deployment in order to check which host has passed the authentication during the open phase.
My question is:
If I disable the accounting in the production ACS in order to increase the ACS performance, what is the proposed solution for the accounting?
Regards