https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696272#M508052 I have many production deployments, some very large with "Reject repeated failures" disabled. Per the ISE Advanced Tips and Tricks (AT&amp;T, the good one) recommendations I do have PEAP and EAP-TLS session resume and PEAP Fast Reconnect enabled. Also under the allowed protocols I have Stateless Session Resume enabled for EAP-TLS with a session ticket life of 2 hours.<BR /><BR /><BR /><BR />I know AT&amp;T says to keep reject repeated failures enabled, but like I said I leave that up to the customer and disable it for the early rollout until we get authentication issues ironed out.<BR /><BR /><BR /> Tue, 28 Aug 2018 15:00:05 GMT paul 2018-08-28T15:00:05Z https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696190#M507950 <P>I'm wondering what others configure under:</P> <P><STRONG><FONT size="2">Administration &gt; System &gt; Settings &gt; Protocols &gt; RADIUS &gt; Suppression &amp; Reports</FONT></STRONG></P> <P>&nbsp;</P> <P>Screenshot of my settings attached. While I understand that this is probably highly specific to your environment, I'm curious of the following:</P> <UL> <LI>I believe TAC has advised enabling some of these features to prevent overloading ISE. Which are safe to disable in a production deployment?</LI> <LI>Are the settings I have configured typical? I believe they are mostly default.</LI> <LI>If you've configured values other than default, what was your logic? How did you come up with appropriate values?</LI> </UL> Tue, 28 Aug 2018 13:42:26 GMT https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696190#M507950 anthonylofreso 2018-08-28T13:42:26Z https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696212#M508050 <P>When I am first doing the ISE rollout at a customer, I turn off "<SPAN>Reject RADIUS requests from clients with repeated failures".&nbsp; I explain this feature to them and while it is good feature from an ISE performance perspective it can be frustrating when troubleshooting issues and you forget this feature is enabled.&nbsp; I equate it to client exclusion setting on WLC.&nbsp; Nice feature to have, but again if you forget about the setting it can make troubleshooting more difficult.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Once we have authentication working the way we want and work through any issues, I leave it up to the customer if they want to turn it back on.&nbsp; I don't change the other settings.</SPAN></P> Tue, 28 Aug 2018 14:27:52 GMT https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696212#M508050 paul 2018-08-28T14:27:52Z https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696252#M508051 <P>Makes sense. So you have environments in production then with Reject Repeated Failures disabled.</P> <P>&nbsp;</P> <P>We've got things mostly configured the way we want, but are seeing some odd issues with Windows clients. I'm thinking we need to tweak the PEAP settings. "PEAP Session Resume" is currently disabled.</P> <P>&nbsp;</P> <P>I've noticed that "Enable Fast Reconnect" is checked on the windows supplicants... but since PEAP Session Resume is disabled, Fast Reconnect is also disabled in ISE.</P> Tue, 28 Aug 2018 14:47:59 GMT https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696252#M508051 anthonylofreso 2018-08-28T14:47:59Z https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696272#M508052 I have many production deployments, some very large with "Reject repeated failures" disabled. Per the ISE Advanced Tips and Tricks (AT&amp;T, the good one) recommendations I do have PEAP and EAP-TLS session resume and PEAP Fast Reconnect enabled. Also under the allowed protocols I have Stateless Session Resume enabled for EAP-TLS with a session ticket life of 2 hours.<BR /><BR /><BR /><BR />I know AT&amp;T says to keep reject repeated failures enabled, but like I said I leave that up to the customer and disable it for the early rollout until we get authentication issues ironed out.<BR /><BR /><BR /> Tue, 28 Aug 2018 15:00:05 GMT https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696272#M508052 paul 2018-08-28T15:00:05Z https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696305#M508053 <P>Good info. Would you link that ATT Tips/Tricks guide?</P> Tue, 28 Aug 2018 15:34:17 GMT https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696305#M508053 anthonylofreso 2018-08-28T15:34:17Z https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696310#M508054 <P><A href="https://www.ciscolive.com/global/on-demand-library/?search.event=ciscoliveus2018&amp;search=ISE#/session/1511296178359001Alyb" target="_blank">BRKSEC-3557 ISE Advanced Tips and Tricks</A></P> <P>&nbsp;</P> Tue, 28 Aug 2018 15:40:45 GMT https://community.cisco.com/t5/network-access-control/recommended-radius-suppression-settings/m-p/3696310#M508054 paul 2018-08-28T15:40:45Z