Recommended latency between user and ISE nodes

ommaayah
Cisco Employee

Dear Team,

Is there any documentation regarding recommended latency between users and ISE nodes?

I have a customer with users across 100+ sites, and latency between sites and ISE in HQ is around 200ms.

Regards,

Omar

Accepted Solutions

Damien Miller
VIP Alumni

There are two pieces here, but what you are asking is not exactly an ISE thing but a general RADIUS concept. ISE has a very high timeout interval, 120 seconds.

Latency between ISE nodes and the PAN, less than 200 ms or 300 ms depending on the version you are running.

And then the second, which is the latency of RADIUS authentication (user/endpoint/NAD). What you have to pay attention to here is the latency between the NAD (Switch/WLC), ISE, and the ID store. Usually referred to as the RADIUS timeout interval, it's usually set at something like 5 seconds by default. I have seen issues where an aggressive 1000ms RADIUS timeout is set on a WLC and it causes problems when ISE or AD cannot process the request quickly enough.

The RADIUS timeout interval is usually configurable on all devices, but there is always a default. The time has to include everything in the authentication path: RTT of ISE and NAD, time it takes ISE to authenticate the device, time it takes AD to respond.

If you can stay under 5 seconds then you are unlikely to have issues with default timers. I would check the WLCs though.


Hi,
Starting in ISE 2.1 up to 300ms between any 2 ISE nodes. Check out Cisco Live presentation BRKSEC-3432, it has a section on latency.

HTH


Thanks for the response. I have read in the guides that ISE 2.1 onwards supports latency between ISE nodes up to 300 ms, but my question was related to NAD to ISE, which you answered clearly.
Thanks a lot.