Solved: aaa time-out value for ISE as RADIUS on ASA

SULTAN9703 · ‎05-06-2020

I’m working to get my ISE situated as radius for RA VPN Authentication, authorization and posture. We’re also using MFA for authentication purposes with ISE.

I’m currently planning on to do 60 sec time-out on aaa-server on ASA. Do you think it’s a good value to proceed with? Does anybody have similar setup? What’s is the time-out value you are using and how is working out on you? Thanks

paul · ‎05-08-2020

60 seconds is a common value used here. Just make sure you think through the math when you setup the MFA connector in ISE. If you setup the timeout to MFA in ISE to 15 seconds with 2 retries that means ISE is going to take 45 seconds to realize the first MFA server is down before switching over to the second. So the 60 second window on the ASA would facilitate that.

View solution in original post

balaji.bandi · ‎05-07-2020

Some environment it is big if the user only using for device management access, some use case or different.

here is good document i refer always, Loweer is better my suggest.

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul · ‎05-08-2020

60 seconds is a common value used here. Just make sure you think through the math when you setup the MFA connector in ISE. If you setup the timeout to MFA in ISE to 15 seconds with 2 retries that means ISE is going to take 45 seconds to realize the first MFA server is down before switching over to the second. So the 60 second window on the ASA would facilitate that.