external RADIUS server on ISE, dead time

nmourtzi
Cisco Employee

Hello,

I have read the document below on how an external RADIUS server can be configured as an authentication server on Identity Services Engine (ISE), where ISE acts as a proxy and as an authorization server as well.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on…

The default dead time for external RADIUS Servers in ISE is 5 minutes. This value is hardcoded and cannot be modified as of this version.

Can I suppose that if I set the server timeout and connection attempts, I can definitively modify the dead time of the external RADIUS server?

1 Accepted Solution

hslai
Cisco Employee

Not exactly. The options for the server timeout and the number of connection attempts apply to every request and influence when ISE will mark a server as dead. Once marked dead, ISE will skip the dead server for 5 minutes and not send any requests to it.

Is the RADIUS server marked dead for the whole deployment, or is this on a per-node basis?

Some further questions:

What happens if all servers in the sequence are dead? Will ISE try to contact a server anyway, as the newer switches do, or will there be no authentication attempts at all during those five minutes?

Also, does ISE switch to the second server in the sequence after the first timeout, as seen on some switches, or does it only attempt the next server after all retries have failed?