Increased Authentication Latency

07-20-2017 03:04 PM
Running ISE 2.2 patch 1 on a VM, 2 nodes (1 primary monitor and PSN and 1 secondary) and a few weeks back the dashboard showing authentication latency started to rise from an average of around 30-50 milliseconds to around 200-300. No network changes have been performed.
Does this dashboard, since it's showing an average, also take into account the timeouts for failed authentications and those higher timeout values are increasing the average?
When I perform an auth test it shows the AD response time in the single digits in milliseconds but shows the "Group Fetching" time in the hundreds. Could this be a factor?
While this is not currently affecting users, I'm worried that once the client load increases it might start causing auth failures.
07-20-2017 09:21 PM
You are correct that the latency is an average over all requests.
In general, try tuning the authorization policy rules in such a way as to avoid unnecessary queries to external ID stores. For additional info, see the session reference, slide 88, from BRKSEC-3699 - Designing ISE for Scale & High Availability (2017 Las Vegas).
You might also want to check the general health of the AD infrastructure.
