cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1723
Views
0
Helpful
3
Replies

ISE2.4 - patch10 - How is Authentication Latency Calculated?

baker82
Level 1
Level 1

I have what I hope is a fairly quick question,

 

I want to know how the authentication latency times are calculated in ISE 2.4 with an external identity source of an RSA server. 

 

I assume that the timer starts from the point a request is made, and ends when endpoint or nad receives the permit or deny.

 

So is it fair to say that adding an external identity source of an token based RSA server would only increase authentication latency which is reported on the ISE home screen.

 

 

 

 

1 Accepted Solution

Accepted Solutions

That's what i was thinking. 

In order to keep authentication latency times lower, I have created a custom sdopts.rec file and uploaded it to the RSA options file for each individual RSA node.

Here i can provide a weighted calculation to a list of RSA servers so it chooses the local site RSA server first then use the other listed servers in the event the local site RSA is busy or worst, down...

 

To make this happen you can use the following SDOPTS.REC file

 

file name = sdopts.rec
save as: txt file with ANSI formatting

 

USESERVER=<RSA SERVER IP>, <Weighted Value>  # 10 being the highest

USESERVER=10.x.x.x, 10

USESERVER=10.x.x.x, 9

USESERVER=10.x.x.x, 8

 

This configuration has proved to be helpful since now the individual ISE PSN nodes don't try to reach out to OCONUS RSA servers which often return high authentication latency alarms. I was also able to customize the High Authentication latency alarm to point out excessive latency triggers.

 

 

 

View solution in original post

3 Replies 3

Short answer yes because ISE won't replay back to the NAD until a response
is received from RSA server or the request times out.

paul
Level 10
Level 10

Yeah any time you have a MFA/2FA solution in play you can expect to get high authentication latency alarms.  Unfortunately there is no way I know of to filter out NAD devices from high authentication latency consideration.  Basically, the customers start ignoring the alarm then when there is a real high authentication latency issue they miss it.  They could do more advanced filtering on the Syslog server side if they are sending the alerts to a Syslog server for further processing.

That's what i was thinking. 

In order to keep authentication latency times lower, I have created a custom sdopts.rec file and uploaded it to the RSA options file for each individual RSA node.

Here i can provide a weighted calculation to a list of RSA servers so it chooses the local site RSA server first then use the other listed servers in the event the local site RSA is busy or worst, down...

 

To make this happen you can use the following SDOPTS.REC file

 

file name = sdopts.rec
save as: txt file with ANSI formatting

 

USESERVER=<RSA SERVER IP>, <Weighted Value>  # 10 being the highest

USESERVER=10.x.x.x, 10

USESERVER=10.x.x.x, 9

USESERVER=10.x.x.x, 8

 

This configuration has proved to be helpful since now the individual ISE PSN nodes don't try to reach out to OCONUS RSA servers which often return high authentication latency alarms. I was also able to customize the High Authentication latency alarm to point out excessive latency triggers.

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: