Cisco Support Community

limitations of Cisco ACS server

I want to ask about the limitations of Cisco ACS server 3.3.

I use the ACS server for RADIUS authentication, and it has a limit of 80 authentications per second. But at peak time I need 150-200 authentications per second. Is this a software limitation, or does it depend on hardware performance?

Can I also solve this problem with a High Availability configuration?

1 REPLY

Re: limitations of Cisco ACS server

Hi

ACS performance is a very complex issue and depends largely on

1) auth protocol (anything EAP is SLOW)

2) backend (anything external is SLOW)

3) server CPU

We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.

AD authentication/group mapping can take several seconds to complete.

ACS's big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of TCP/IP connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 TCP/IP connections to CSAuth. Messages to CSAuth are blocking, so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.

EAP-TLS and now EAP-FAST are really, really slow because they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1X supplicant.

Putting ACS onto a quad CPU server won't reduce back-end external DB latency or increase concurrency.

The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(

IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.

Darran
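The reply above describes the cap as a queuing problem: 50 CSRadius threads share 20 blocking connections to CSAuth, so throughput is bounded by connections divided by backend latency, and extra CPU does not move that bound while extra servers do. The following discrete-event model reproduces that reasoning in runnable form. It is an added example, not code from Cisco ACS or from anyone in this thread; the 50-thread and 20-connection figures are the ones quoted in the reply, and every latency, request count and the ideal round-robin load balancer are constructed assumptions, not measurements.

```python
"""Discrete-event model of the ACS throughput cap described in the reply above.

Added example: this is not Cisco ACS code. It models the reply literally: a
CSRadius authentication thread picks up a request, does some local work, then
makes a *blocking* call to CSAuth over one of a fixed pool of TCP connections,
holding both the thread and the connection until CSAuth answers. Thread count
(50) and connection count (20) are the figures quoted in the reply; all
latencies and request counts below are constructed assumptions.
"""
import heapq
from collections import deque


def simulate(n_requests, backend_time, threads=50, connections=20,
             local_time=0.0, arrival_interval=0.0):
    """Return (auths_per_second, makespan_seconds) for one ACS server.

    backend_time     seconds CSAuth needs per request (internal DB, AD, EAP rounds)
    local_time       seconds of thread work before the CSAuth call (assumed)
    arrival_interval spacing of arrivals; 0.0 means a burst of n_requests at t=0
    """
    if backend_time <= 0:
        raise ValueError("backend_time must be positive")
    events = []          # heap of (time, seq, kind, request_id)
    seq = 0

    def push(t, kind, rid):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, rid))
        seq += 1

    for rid in range(n_requests):
        push(rid * arrival_interval, "arrive", rid)

    free_threads, free_conns = threads, connections
    wait_thread = deque()   # requests not yet picked up by a CSRadius thread
    wait_conn = deque()     # threads done with local work, waiting for a CSAuth connection
    finished_at = {}

    while events:
        t, _, kind, rid = heapq.heappop(events)
        if kind == "arrive":
            wait_thread.append(rid)
        elif kind == "local_done":
            wait_conn.append(rid)
        elif kind == "backend_done":
            # blocking call returned: the connection AND the thread are released
            free_conns += 1
            free_threads += 1
            finished_at[rid] = t
        # hand out freed resources; connections first, since they unblock threads
        while wait_conn and free_conns:
            free_conns -= 1
            push(t + backend_time, "backend_done", wait_conn.popleft())
        while wait_thread and free_threads:
            free_threads -= 1
            push(t + local_time, "local_done", wait_thread.popleft())

    makespan = max(finished_at.values())
    return n_requests / makespan, makespan


def analytic_cap(threads=50, connections=20, local_time=0.0, backend_time=1.0):
    """Closed-form bound: a thread is busy local+backend seconds per auth and a
    connection backend seconds per auth, so throughput <= the tighter of the two."""
    return min(threads / (local_time + backend_time), connections / backend_time)


def cluster(n_servers, n_requests, **kw):
    """Throughput of n_servers identical ACS boxes behind an ideal round-robin
    load balancer (assumed: perfectly even split, no LB overhead)."""
    per_server = [n_requests // n_servers + (1 if i < n_requests % n_servers else 0)
                  for i in range(n_servers)]
    makespan = max(simulate(n, **kw)[1] for n in per_server if n)
    return n_requests / makespan


if __name__ == "__main__":
    print("1 s AD auth, 50 threads / 20 conns :", simulate(200, 1.0)[0])
    print("same, 'quad CPU' 200 threads       :", simulate(200, 1.0, threads=200)[0])
    print("3 s AD + group mapping             :", simulate(60, 3.0)[0])
    print("1 s AD auth, 2 servers + LB        :", cluster(2, 200, backend_time=1.0))
    print("thread-bound case (local 1 s)      :", simulate(100, 0.1, local_time=1.0)[0])
```

Running it shows the reply's arithmetic directly: with a one-second backend the box delivers 20 auths/sec whether it has 50 or 200 threads, a three-second AD lookup drops it to about 6.7, and only a second server behind a balancer doubles the figure. The thread-bound case (long local work, fast backend) is the one situation where more threads would matter, which the reply says is not where ACS is bottlenecked.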
