Increased Authentication Latency

Jumpermb76 · ‎07-20-2017

Running ISE 2.2 patch 1 on a VM, 2 nodes (1 primary monitor and PSN and 1 secondary) and a few weeks back the dashboard showing authentication latency started to rise from an average of around 30-50 milliseconds to around 200-300. No network changes have been performed.

Does this dashboard, since it's showing an average, also take into account the timeouts for failed authentications and those higher timeout values are increasing the average?

When I perform an auth test it shows the AD response time in the single digits in milliseconds but shows the "Group Fetching" time in the hundreds, could this be a factor?

While this is not currently affecting users I'm worried that once the client load increases that it might start causing auth failures.

hslai · ‎07-20-2017

You are correct that the latency is average over all requests.

In general, try tuning the authorization policy rules in such a way to avoid un-necessary queries to external ID stores. Additional info, see the session reference slide 88 from BRKSEC-3699 - Designing ISE for Scale & High Availability (2017 Las Vegas)

You might also want to check the general health of the AD infrastructure.

Increased Authentication Latency

Possible latency for Telia customers connecting through Stockholm

High Authentication Latency for Radius

ISE Authentication Latency

High Authentication Latency alarm in ISE

ISE authentication latency.