07-11-2019 07:21 AM
Hi Team,
Our customer would like to see the load generated by the Passive ID service on ISE-PIC for approx. 10,000 users on:
- Active Directory
- ISE
- Network Traffic
Do we have any tangible information regarding this question?
Thank You!
Best regards, Gyorgy
07-15-2019 08:09 PM
On your second inquiry, please see "Required Permissions when AD User not in Domain Admin Group".
Regarding loads on the domain controllers, here is from our engineering team:
CPU load on a domain controller is proportional to the filters that are used on the domain controller by subscribed clients. ISE currently uses very lightweight and optimized filters, so the average additional load that is usually seen on customers' domain controllers is 5-10%.
Do note the known issues: CSCvh86466 and, if using the PIC agent, CSCvm83091.
In case of significantly high load on the domain controllers after the integration, please do work with Microsoft and Cisco TAC. The WMI series might be of interest. Potentially, forward the security events to a member server and monitor on the member server instead.
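As an added example (not part of the thread and not Cisco's own tooling), a PowerShell function to run elevated on the domain controller that samples the CPU consumed by the WMI provider host, so the 5-10% figure above can be measured before and after enabling Passive ID rather than assumed; the ISE node address is a placeholder you supply.

```powershell
# Added example: measure WmiPrvSE CPU on a DC to check the extra load from
# WMI event subscriptions. Assumes standard Windows Server perf counters.
function Measure-WmiCpuLoad {
    param(
        [int]$Samples = 30,           # number of samples to collect
        [int]$IntervalSeconds = 2,    # seconds between samples
        [string]$IseNode = ''         # optional: IP of the ISE/PIC node (placeholder)
    )
    $cores = [int]$env:NUMBER_OF_PROCESSORS
    $paths = @(
        '\Processor(_Total)\% Processor Time',
        '\Process(WmiPrvSE*)\% Processor Time'
    )
    $sets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds `
        -MaxSamples $Samples -ErrorAction SilentlyContinue
    $totalCpu = @(); $wmiCpu = @()
    foreach ($set in $sets) {
        $t = ($set.CounterSamples | Where-Object Path -like '*Processor(_Total)*').CookedValue
        # Per-process "% Processor Time" is relative to one core, so the sum over
        # all WmiPrvSE instances is divided by the core count for a machine-wide %.
        $w = ($set.CounterSamples | Where-Object Path -like '*WmiPrvSE*' |
              Measure-Object -Property CookedValue -Sum).Sum
        $totalCpu += [double]$t
        $wmiCpu   += ([double]$w) / $cores
    }
    $result = [ordered]@{
        Samples        = $totalCpu.Count
        AvgTotalCpuPct = [math]::Round(($totalCpu | Measure-Object -Average).Average, 1)
        AvgWmiCpuPct   = [math]::Round(($wmiCpu   | Measure-Object -Average).Average, 1)
        MaxWmiCpuPct   = [math]::Round(($wmiCpu   | Measure-Object -Maximum).Maximum, 1)
    }
    if ($IseNode) {
        # Established TCP sessions from the ISE node (DCOM endpoint mapper plus ephemeral ports)
        $result.IseConnections = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object RemoteAddress -eq $IseNode).Count
    }
    [pscustomobject]$result
}

# Take a baseline before enabling Passive ID, repeat afterwards, compare AvgWmiCpuPct.
Measure-WmiCpuLoad -Samples 30 -IntervalSeconds 2 -IseNode '<ISE-PIC-IP>'
```

Run the same sampling on each DC the ISE node subscribes to, since the load is per domain controller, not per domain.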
07-11-2019 07:35 AM
07-12-2019 06:25 AM
Hi Tim,
Thank you! This part is clear.
Our customer would like to see, if they deploy the Passive ID service, what it means from an additional-load point of view on:
- Active Directory (CPU usage, for example)
- ISE
- Network traffic (additional kbps caused by this Passive ID)
Regarding ISE: since ISE was tested for the specified number of concurrent endpoints with this service included, the load is negligible.
Thank you!
Best regards, Gyorgy
07-12-2019 06:28 AM
07-15-2019 12:34 PM
Hello,
Unfortunately, it is not a technical answer that we could accept from Cisco. We would like to understand what could cause extra load on the domain controllers, and how it works under the hood. We would also like to understand how this equation works. If the load comes, what should we suggest to the customer?
For example:
- add new domain controllers to their system?
- migrate the domain controller to a specific level or patch it?
- any good suggestion?
Testing and just failing and leaving is not an option. Sorry.
Our second issue is, after we joined the ISE to the AD and then selected the domain controller, what is the minimum privilege required for the domain user to access WMI? Domain admin of course works fine; however, customers do not provide this kind of privilege in their production environment. We have not found any detail about the WMI admin user privileges in AD. Please share this information with us.
Thank you,
Gabor