https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3809741#M484826 Hi,<BR />Starting in ISE 2.1 up to 300ms between any 2 ISE nodes. Check out Cisco Live presentation BRKSEC-3432, it has a section on latency. <BR /><BR />HTH Tue, 26 Feb 2019 09:45:32 GMT Rob Ingram 2019-02-26T09:45:32Z https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3809655#M484825 <P>Dear Team,</P> <P>&nbsp;</P> <P>Is there any documentation regarding recommended latency between users and ISE nodes ?</P> <P>I have customer with users across 100+ sites, and latency between sites and ISE in HQ is around 200ms.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Omar</P> Sat, 09 Mar 2019 03:14:25 GMT https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3809655#M484825 ommaayah 2019-03-09T03:14:25Z https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3809741#M484826 Hi,<BR />Starting in ISE 2.1 up to 300ms between any 2 ISE nodes. Check out Cisco Live presentation BRKSEC-3432, it has a section on latency. <BR /><BR />HTH Tue, 26 Feb 2019 09:45:32 GMT https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3809741#M484826 Rob Ingram 2019-02-26T09:45:32Z https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3810240#M484827 <P>There are two pieces here, but what you are asking is not exactly an ISE thing but a general radius concept. ISE has a very high timeout interval, 120 seconds.&nbsp;</P> <P>&nbsp;</P> <P>Latency between ISE nodes and the PAN, less than 200 ms or 300 ms depending on the version you are running.&nbsp;</P> <P>&nbsp;</P> <P>And then the second which is the latency of radius authentication (user/endpoint/NAD).&nbsp; What you have to pay attention to here is the latency between the NAD (Switch/WLC), ISE, and the ID store. Usually referred to as the radius timeout interval, it's usually set at something like 5 seconds by default.&nbsp; I have seen issues where an aggressive 1000ms radius timeout is set on a WLC and it causes problems when ISE or AD cannot process the request quick enough.</P> <P>&nbsp;</P> <P>The radius timeout interval is usually configurable on all devices, but there is always a default.&nbsp; The time has to include everything in the authentication path, RTT of ISE and NAD, time it takes ISE to authenticate the device, time it takes AD to respond.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>If you can stay under 5 seconds then you are unlikely to have issues with default timers.&nbsp; I would check the WLC's though.&nbsp;</P> Tue, 26 Feb 2019 18:48:45 GMT https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3810240#M484827 Damien Miller 2019-02-26T18:48:45Z https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3812400#M484828 Thanks for the response, i have read in the guides that ISE 2.1 onwards support latency between ISE nodes up to 300 ms, but my question was related to NAD to ISE which you answered clearly.<BR />Thanks a lot. Fri, 01 Mar 2019 10:15:41 GMT https://community.cisco.com/t5/network-access-control/recommended-latency-between-user-and-ise-nodes/m-p/3812400#M484828 ommaayah 2019-03-01T10:15:41Z