https://community.cisco.com/t5/network-access-control/ise-ad-integration-timeout-value/m-p/3694196#M495027 <P>Hi experts,</P> <P>&nbsp;</P> <P>My customer is now planning to replace a 3<SUP>rd</SUP> party RADIUS server to Cisco ISE. But they are much worried about AD timeout issue because they are running huge Windows domain network so that they have experienced Name resolution timeout with current radius server. (they tuned the timer)</P> <P>&nbsp;</P> <P>Could you provide detailed information about</P> <OL> <LI>Default ISE Timeout value for Windows Domain Authentication</LI> <LI>Can we tune a timer wit AD connection with “Advanced Tuning” under External Identity Sources? (it seems restricted for TAC use).</LI> <LI>How does DNS A-record cache work in ISE with AD integration?</LI> </OL> <P>Any comment would be highly appreciated.</P> Fri, 24 Aug 2018 04:01:34 GMT sikeda 2018-08-24T04:01:34Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-timeout-value/m-p/3694196#M495027 <P>Hi experts,</P> <P>&nbsp;</P> <P>My customer is now planning to replace a 3<SUP>rd</SUP> party RADIUS server to Cisco ISE. But they are much worried about AD timeout issue because they are running huge Windows domain network so that they have experienced Name resolution timeout with current radius server. (they tuned the timer)</P> <P>&nbsp;</P> <P>Could you provide detailed information about</P> <OL> <LI>Default ISE Timeout value for Windows Domain Authentication</LI> <LI>Can we tune a timer wit AD connection with “Advanced Tuning” under External Identity Sources? (it seems restricted for TAC use).</LI> <LI>How does DNS A-record cache work in ISE with AD integration?</LI> </OL> <P>Any comment would be highly appreciated.</P> Fri, 24 Aug 2018 04:01:34 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-timeout-value/m-p/3694196#M495027 sikeda 2018-08-24T04:01:34Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-timeout-value/m-p/3694402#M495028 <P>Interesting question.</P> <P>&nbsp;</P> <P>Maybe I'm being dumb, but what does the size of AD have to do with slow DNS responses?&nbsp; It feels like they want to manipulate ISE when really they should be fixing their DNS, but I suppose they have their reasons.&nbsp; Or do you mean that user lookups are also slow?</P> <P>&nbsp;</P> <P>How many DCs do they have and how often do they change address / hostname?&nbsp; If DNS is slow you could always define the DC hostname / IP address associations manually and cut extrnal DNS out of the loop.</P> <P>&nbsp;</P> <PRE><SPAN class="ph synph"><SPAN class="keyword kwd">ip host </SPAN>[<VAR>ipv4-address</VAR> | <VAR>ipv6-address</VAR>] [<VAR>host-alias</VAR> | <VAR>FQDN-string</VAR>] </SPAN></PRE> <P>&nbsp;</P> <P><SPAN class="ph synph">Feels a bit of a naff way to do it though.&nbsp; Hopefully somebody has a better idea...</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 24 Aug 2018 11:04:35 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-timeout-value/m-p/3694402#M495028 RichardAtkin 2018-08-24T11:04:35Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-timeout-value/m-p/3695922#M495029 Hi Richard,<BR />Thank you for your suggestion! My customer agreed to try the "ip host" command to avoid the AD timeout in their test environment. Much appreciate for your help! Tue, 28 Aug 2018 04:44:26 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-timeout-value/m-p/3695922#M495029 sikeda 2018-08-28T04:44:26Z