aaa time-out value for ISE as RADIUS on ASA

SULTAN9703
Level 1

I’m working to get my ISE situated as RADIUS for RA VPN authentication, authorization and posture. We’re also using MFA for authentication purposes with ISE.

I’m currently planning to do a 60 sec time-out on the aaa-server on the ASA. Do you think it’s a good value to proceed with? Does anybody have a similar setup? What is the time-out value you are using and how is it working out for you? Thanks

Accepted Solutions

paul
Level 10

60 seconds is a common value used here. Just make sure you think through the math when you set up the MFA connector in ISE. If you set up the timeout to MFA in ISE to 15 seconds with 2 retries, that means ISE is going to take 45 seconds to realize the first MFA server is down before switching over to the second. So the 60 second window on the ASA would facilitate that.

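The timeout math from the answer above, as an added example that is not part of the original post: a small Python model that walks ISE's MFA failover order and checks whether an answer arrives inside the ASA aaa-server timeout window. The function names, the 5-second response time and the rule that an answer slower than the per-attempt timeout counts as a timeout are assumptions made for illustration.

```python
# Added example: nested RADIUS/MFA timeout budget (all names are hypothetical).

def ise_mfa_reply_time(servers, attempt_timeout, retries):
    """Seconds until ISE has an MFA answer, or None if every server is exhausted.

    servers: response latency in seconds for each MFA server, in failover
             order; None marks a server that is down. Constructed model:
             an answer slower than attempt_timeout counts as a timeout.
    """
    attempts = 1 + retries            # initial try plus the retries
    elapsed = 0.0
    for latency in servers:
        if latency is not None and latency <= attempt_timeout:
            return elapsed + latency  # this server answered in time
        elapsed += attempts * attempt_timeout  # burned before failing over
    return None


def check_asa_window(asa_timeout, servers, attempt_timeout, retries):
    """Return (reply_time, margin, ok) for one ASA aaa-server timeout window."""
    reply = ise_mfa_reply_time(servers, attempt_timeout, retries)
    if reply is None:
        return None, None, False
    margin = asa_timeout - reply
    return reply, margin, margin > 0


if __name__ == "__main__":
    # Constructed scenario from the answer: 15 s timeout, 2 retries,
    # first MFA server down, second answers after 5 s.
    for asa_timeout in (30, 45, 60):
        reply, margin, ok = check_asa_window(asa_timeout, [None, 5.0], 15, 2)
        print(f"ASA timeout {asa_timeout}s: ISE replies at {reply}s, "
              f"margin {margin}s, {'OK' if ok else 'ASA gives up first'}")
```

With the first server down, the 60-second window leaves 15 seconds for the second MFA server to answer, which is exactly one attempt at the 15-second setting.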

2 Replies

balaji.bandi
Hall of Fame

In some environments it is big if the user is only using it for device management access; some use cases are different.

Here is a good document I always refer to. Lower is better, is my suggestion.

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

BB
