Max number of conditions in an authorization Compound condition

radotodo
Cisco Employee

Hello Team,

I am working with a customer who wants to use 167 conditions with OR in one compound condition.

Is there any maximum number of conditions which can be used?

Also, I am not sure if this will cause a performance issue.

Is there any recommended maximum number of conditions which could be used?

I notice that when we save the page it takes a long time; however, should the authentication also take an unexpectedly long time?

Deployment information:

3 nodes - ISE 2.0.0.306 (VM)

CPU Core Count : 4 @ 2.6 GHz

It would be wonderful if somebody has any kind of experience with this to share.

Thanks.

Accepted Solution

We test with 8 conditions per AuthC or AuthZ rule. Certainly a massive increase in conditions can be impactful to performance, but we have not tested with this number to provide any indicator of impact.

As suggested above, 169 is very likely not reasonable and candidly not very manageable. It also makes it very difficult to troubleshoot. If this is for one exceptional use case, then likely they can assign these exceptions to their own ID group or store attribute and address with singular or few conditions.

Also note that conditions are matched left to right, so best to place the simple and local conditions first.

Craig


3 Replies

paul
Level 10

I can't speak to the performance, but I am curious what the 169 OR conditions are. Maybe there is a different way to do what the customer is trying to accomplish.

I agree, this seems like a lot of conditions to go through. Why is this needed?

If you still need to do this, generally for best design you should place an authorization rule like this lower in your list. If you require every endpoint to go through all of these checks then it's going to consume a lot of time and lower your time to correct authorization.

Design your authz rules to put rules that are going to be used by lots of endpoints higher in the order.

Remember we use a top down approach.

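To make the ordering advice in the replies concrete (rules are checked top-down and the first match wins; conditions inside a compound OR are matched left to right and stop at the first hit; a large exception list is better expressed as one ID-group condition), here is an added Python model. It is not Cisco ISE code and does not model the real ISE evaluation engine; it only assumes the two behaviours the thread states and counts how many conditions get evaluated per authorization. The MAC addresses, identity-group names, rule names and profiles are constructed sample data.

```python
"""Added illustration, not ISE code: counts condition evaluations under a
top-down, first-match policy whose compound conditions are OR'ed and
short-circuit left to right (the only behaviours assumed here)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]  # constructed: attributes seen for one authenticating endpoint


@dataclass
class Condition:
    name: str
    match: Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # one compound condition, OR'ed left to right
    profile: str


def compound_or(conds: List[Condition], session: Session) -> Tuple[bool, int]:
    """Evaluate an OR compound condition left to right.
    Returns (matched, number of conditions actually evaluated)."""
    for n, cond in enumerate(conds, 1):
        if cond.match(session):
            return True, n  # short-circuit: conditions to the right are never evaluated
    return False, len(conds)


def authorize(rules: List[Rule], session: Session) -> Tuple[str, int]:
    """Top-down, first match wins. Returns (profile, total conditions evaluated)."""
    evaluated = 0
    for rule in rules:
        matched, n = compound_or(rule.conditions, session)
        evaluated += n
        if matched:
            return rule.profile, evaluated
    return "DenyAccess", evaluated  # assumed default when nothing matches


# Constructed sample data: 167 exception MAC addresses and two endpoints.
EXCEPTION_MACS = [f"00:11:22:33:44:{i:02x}" for i in range(167)]
EMPLOYEE = {"mac": "aa:bb:cc:dd:ee:ff", "group": "Employees"}
LAST_EXCEPTION = {"mac": EXCEPTION_MACS[-1], "group": "MAB-Exceptions"}  # worst case: last in the OR list


def mac_condition(mac: str) -> Condition:
    return Condition(f"MAC={mac}", lambda s, m=mac: s.get("mac") == m)


# Hypothetical rules: a common rule keyed on an identity group, the 167-way OR
# the customer proposed, and the same exceptions expressed as one ID-group check.
EMPLOYEE_RULE = Rule(
    "Employees",
    [Condition("IdentityGroup=Employees", lambda s: s.get("group") == "Employees")],
    "Employee_Access",
)
FLAT_EXCEPTION_RULE = Rule(
    "Exceptions-167-OR", [mac_condition(m) for m in EXCEPTION_MACS], "Exception_Access"
)
GROUP_EXCEPTION_RULE = Rule(
    "Exceptions-IDgroup",
    [Condition("IdentityGroup=MAB-Exceptions", lambda s: s.get("group") == "MAB-Exceptions")],
    "Exception_Access",
)


def run_scenarios() -> Dict[str, int]:
    """Condition evaluations per authorization for each layout of the policy."""
    return {
        "employee, 167-OR rule on top": authorize([FLAT_EXCEPTION_RULE, EMPLOYEE_RULE], EMPLOYEE)[1],
        "employee, 167-OR rule at bottom": authorize([EMPLOYEE_RULE, FLAT_EXCEPTION_RULE], EMPLOYEE)[1],
        "exception endpoint, 167-OR rule": authorize([EMPLOYEE_RULE, FLAT_EXCEPTION_RULE], LAST_EXCEPTION)[1],
        "exception endpoint, ID-group rule": authorize([EMPLOYEE_RULE, GROUP_EXCEPTION_RULE], LAST_EXCEPTION)[1],
    }


if __name__ == "__main__":
    for scenario, n in run_scenarios().items():
        print(f"{scenario}: {n} condition evaluations")
```

Running it shows the two effects the replies describe: with the 167-way OR rule on top, every ordinary employee authorization pays for all 167 failed matches before reaching its own rule; moved to the bottom it costs one evaluation; and the exception endpoints themselves drop from up to 167 evaluations to a single identity-group check once the list is replaced by group membership.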
