cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1068
Views
1
Helpful
2
Replies

ISE Scaling for EAP-TLS Authentications

igaffine
Level 1
Level 1

Hi all,

I wonder if anyone can help with a scaling question.

We plan to deploy ISE in large scale mode with dedicated PAN, MnT and PSNs for a 20k endpoint solution. Initially I was planning to propose 6 ISE (3595 or VM equivalent) nodes in total, to provide a resilient solution across two Data Centres in the same campus. This should easily support the client endpoint count and we could also deploy the PSNs behind load-balancers to allow for expansion in the future.

My question is whether there is a way of determining the total number of EAP-TLS endpoints that a PSN could handle, before performance issues are noticed?

I see from the ISE performance and scaling document that 324 EAP-TLS auths/sec can be handled by a 3595 appliance, but does this equate to a particular endpoint device total?

Our solution will have two PSNs, therefore I see the proposed design being able to handle 648 auths/sec and doubling my total endpoint count.

Hope this makes sense.

Kind regards and thanks in advance.

Ian

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

Good question.  I had a look at the ISE Performance & Scale document and those numbers are worst-case since the EAP-TLS Session Resume was not enabled.  I am guessing that they simulated how many NEW sessions could be created per second.   In the real world I would enable Session Resume and expect a small improvement.

The load balancer would need some persistence logic to make the TCP session sticky to a PSN for some time duration - and the load balancing algorithm chosen to evenly distribute new sessions across the pool members.  If you have any recommendations on that I would like to hear what you have proposed.

The Cisco results are dependent on the bit size of the crypto algorithm (RSA 2048 bits was used).  Surprisingly, the 3495 was as fast as the 3595, despite the faster CPU in the 3595.

View solution in original post

2 Replies 2

Arne Bier
VIP
VIP

Good question.  I had a look at the ISE Performance & Scale document and those numbers are worst-case since the EAP-TLS Session Resume was not enabled.  I am guessing that they simulated how many NEW sessions could be created per second.   In the real world I would enable Session Resume and expect a small improvement.

The load balancer would need some persistence logic to make the TCP session sticky to a PSN for some time duration - and the load balancing algorithm chosen to evenly distribute new sessions across the pool members.  If you have any recommendations on that I would like to hear what you have proposed.

The Cisco results are dependent on the bit size of the crypto algorithm (RSA 2048 bits was used).  Surprisingly, the 3495 was as fast as the 3595, despite the faster CPU in the 3595.

Adding to Arne's... we can usually expect ~ 2 X TPS with session resume enabled. Also, if not already done, please review some of ISE training materials, such as

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: