
ISE-AD Integration timeout value

sikeda
Cisco Employee

Hi experts,

My customer is now planning to replace a 3rd-party RADIUS server with Cisco ISE. But they are very worried about the AD timeout issue, because they are running a huge Windows domain network and have experienced name-resolution timeouts with the current RADIUS server (they tuned the timer).

Could you provide detailed information about:

  1. The default ISE timeout value for Windows domain authentication.
  2. Can we tune a timer for the AD connection with "Advanced Tuning" under External Identity Sources? (It seems restricted to TAC use.)
  3. How does the DNS A-record cache work in ISE with AD integration?

Any comment would be highly appreciated.


RichardAtkin
Level 3

Interesting question.

Maybe I'm being dumb, but what does the size of AD have to do with slow DNS responses? It feels like they want to manipulate ISE when really they should be fixing their DNS, but I suppose they have their reasons. Or do you mean that user lookups are also slow?

How many DCs do they have and how often do they change address / hostname? If DNS is slow you could always define the DC hostname / IP address associations manually and cut external DNS out of the loop.

ip host [ipv4-address | ipv6-address] [host-alias | FQDN-string]

Feels a bit of a naff way to do it though. Hopefully somebody has a better idea...

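The check Richard's answer implies, written up as an added example (it is not from the thread and not Cisco's code): time the name resolution of each domain controller the customer relies on, and for the ones that resolve slowly or not at all, render the static "ip host" lines for the ISE CLI. The DC names and addresses are constructed placeholders; the resolver and clock are injectable so the script runs offline, with socket.getaddrinfo as the default when you point it at real DC names. As Richard's question about how often the DCs change address implies, a pinned entry goes stale when a DC moves, so the rendered lines are a remediation to review, not to apply blindly.

```python
"""Time each domain controller's name resolution and, for the slow or failed
ones, render the static ISE CLI 'ip host' entries that take external DNS out
of the AD lookup path.

Added example for this thread, not Cisco's code. All DC names and addresses
below are constructed placeholders.
"""
import socket
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# A resolver takes an FQDN and returns one IPv4 address string, or raises OSError.
Resolver = Callable[[str], str]


def system_resolver(fqdn: str) -> str:
    """Resolve through the host's configured DNS (socket.getaddrinfo)."""
    info = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return info[0][4][0]


@dataclass
class LookupResult:
    fqdn: str
    address: Optional[str]  # None when resolution failed
    millis: float           # wall-clock time the lookup took
    slow: bool              # failed, or took longer than the threshold


def check_dc_resolution(dcs: Iterable[str], threshold_ms: float,
                        resolver: Resolver = system_resolver,
                        clock: Callable[[], float] = time.perf_counter) -> List[LookupResult]:
    """Resolve every DC and flag those slower than threshold_ms.

    A lookup that fails is flagged as slow as well: from the RADIUS server's
    point of view an unresolvable DC and a DC that answers too late look alike.
    """
    results = []
    for fqdn in dcs:
        start = clock()
        try:
            address = resolver(fqdn)
        except OSError:  # socket.gaierror is a subclass of OSError
            address = None
        elapsed_ms = (clock() - start) * 1000.0
        results.append(LookupResult(fqdn, address, elapsed_ms,
                                    address is None or elapsed_ms > threshold_ms))
    return results


def render_ip_host_commands(results: Iterable[LookupResult]) -> List[str]:
    """ISE CLI 'ip host <address> <fqdn>' lines for the slow DCs.

    A DC that never resolved has no address to pin, so it gets a comment
    line instead; the address has to be confirmed out of band first.
    """
    lines = []
    for r in results:
        if not r.slow:
            continue
        if r.address is None:
            lines.append(f"! {r.fqdn}: unresolved, confirm the address out of band before pinning")
        else:
            lines.append(f"ip host {r.address} {r.fqdn}")
    return lines


if __name__ == "__main__":
    # Constructed in-memory resolver and scripted clock so the demo runs offline.
    fake_zone = {"dc1.corp.example": "10.0.0.11", "dc2.corp.example": "10.0.0.12"}

    def demo_resolver(fqdn: str) -> str:
        if fqdn in fake_zone:
            return fake_zone[fqdn]
        raise OSError(f"constructed NXDOMAIN for {fqdn}")

    # Two clock readings per lookup: dc1 takes 1 ms, dc2 takes 500 ms, dc3 fails.
    ticks = iter([0.0, 0.001, 1.0, 1.5, 2.0, 2.001])
    results = check_dc_resolution(["dc1.corp.example", "dc2.corp.example", "dc3.corp.example"],
                                  threshold_ms=100.0, resolver=demo_resolver,
                                  clock=lambda: next(ticks))
    for r in results:
        print(f"{r.fqdn:20s} {r.address or '-':12s} {r.millis:8.1f} ms {'SLOW' if r.slow else 'ok'}")
    print("\n".join(render_ip_host_commands(results)))
```

To test real DCs, drop the resolver and clock arguments and pass the DC FQDNs the AD join actually uses; the defaults then perform live lookups with the system's DNS settings, which is the latency ISE itself would see from that network position.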


Hi Richard,
Thank you for your suggestion! My customer agreed to try the "ip host" command to avoid the AD timeout in their test environment. Your help is much appreciated!