I want to ask about limitations of Cisco ACS server 3.3 .
I use ACS server for Radius authentication, and has a limit 80 authentications per second. But at peak time i need 150-200 authentications per second. Is this a software limitaion or changed due to hardware performance?
Can i also solve this problem with a High Availability configuration.
ACS performance is a very complex issue and depends largely on
1) auth protocol (anything eap is SLOW)
2) backend (anything external is SLOW)
3) server CPU
We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.
AD authentication/group mapping can take several seconds to complete.
ACSs big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSauth. Messages to CSauth are blocking - so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.
EAP-TLS and now EAP-FAST are really really slow becase they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
Putting ACS onto a quad CPU server wont reduce back-end external db latency or increase concurrency.
The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :