https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5113855#M589576 <P>Version 2.x ?&nbsp; I guess that is anything from 2.0 to 2.7. Quite a difference. In any case, time to upgrade to 3.2 or later <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>In most customer scenarios, where the ISE node is in the same data centre as the AD controllers, you'll get responses as low as 10ms in most cases. It depends on how quickly the AD controller can process your request.</P> <P>In ISE 3.x I also enable DNS caching to alleviate the constant DNS lookups that ISE is performing (because older ISE versions do not cache DNS results). That also helps a bit.</P> Thu, 23 May 2024 02:45:28 GMT Arne Bier 2024-05-23T02:45:28Z https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5112326#M589537 <P>Hi,</P><P>When using EAP-PEAP-GTC, the Active Directory (AD) response time is around 8 ms. Currently, NL_AUTH_SIGNATURE is being used. However, when using EAP-PEAP-MSCHAPv2, the Domain Controller (DC) response time increases to around 2-3 seconds, Is it ideal for Microsoft Active Directory and it causes wireless authentication to fail<BR />Also How can I change to a more secure signature algorithm, such as NL_AUTH_SHA2_SIGNATURE?</P><P>Thanks</P> Tue, 21 May 2024 18:22:59 GMT https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5112326#M589537 bluesea2010 2024-05-21T18:22:59Z https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5112577#M589543 <P>What version and patch of ISE are you using?&nbsp; I don't think we have any control over those algorithms within ISE - the best we can do is to run the latest versions of ISE.&nbsp; There have been some discussions around Windows Server registry hacks set/prefer certain algorithms.</P> Tue, 21 May 2024 23:44:34 GMT https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5112577#M589543 Arne Bier 2024-05-21T23:44:34Z https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5112940#M589555 <P>Hi</P><P><SPAN>Thanks for the reply .I am using &nbsp;2.x</SPAN></P><P><SPAN>what could be the ideal Active Directory &nbsp;challenge response time in&nbsp;</SPAN></P><P>&nbsp;</P> Wed, 22 May 2024 08:23:54 GMT https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5112940#M589555 bluesea2010 2024-05-22T08:23:54Z https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5113855#M589576 <P>Version 2.x ?&nbsp; I guess that is anything from 2.0 to 2.7. Quite a difference. In any case, time to upgrade to 3.2 or later <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>In most customer scenarios, where the ISE node is in the same data centre as the AD controllers, you'll get responses as low as 10ms in most cases. It depends on how quickly the AD controller can process your request.</P> <P>In ISE 3.x I also enable DNS caching to alleviate the constant DNS lookups that ISE is performing (because older ISE versions do not cache DNS results). That also helps a bit.</P> Thu, 23 May 2024 02:45:28 GMT https://community.cisco.com/t5/network-access-control/wireless-controller-ise-microsoft-domain-controller/m-p/5113855#M589576 Arne Bier 2024-05-23T02:45:28Z