ISE authentication latency in system summary tile.

Ciscorocks
Level 1

What is considered a healthy ISE authentication latency? And what is considered to be too high? I have not found anything published on this but am curious about others' thoughts. Thanks in advance.

Accepted Solution

thomas
Cisco Employee

It depends. (of course!)

Latency takes many forms but mainly we are talking about it to/from Identity Stores or RADIUS proxies. Typically >300ms is bad and depending on the request load, requests can start to get backed up.

ISE should be co-located near your [AD/LDAP/ODBC/etc] identity stores to eliminate as much latency as possible and to still work in the case of WAN outage. But sometimes you cannot help it: Azure AD, eduroam, etc.

It is typically a symptom of a problem with your identity stores (sizing, loading, VM resourcing, down) or the link to them.

Why is it bad? ISE has to hold the session while waiting... and waiting... and waiting for a response. Depending on the number of incoming requests and how bad the latency is, this can exhaust your ISE PSN's request buffer, causing other requests to go unanswered if you do not have a load balancer.

I have seen it discussed by Clark Gambrel (below) in his Deploying ISE in a Dynamic Environment (Best Practices) - BRKSEC-2059, which is listed under https://cs.co/ise-training and still available in the Cisco Live On-Demand Library.

image.png


UdupiKrishna
Cisco Employee

There are several discussions surrounding this question; here are some that I personally liked:

https://community.cisco.com/t5/network-access-control/ise-authentication-latency-metric/m-p/4188747

https://community.cisco.com/t5/network-access-control/increased-authentication-latency/m-p/3533691

As explained in those discussions too, latency can be due to multiple factors: RADIUS connectivity/timeouts, client-side issues, latency between ISE and external identity stores, etc.

Hi @Ciscorocks ,

Beyond what @UdupiKrishna said ... please take a look at ISE > Operations > Reports > Reports > Diagnostics > Key Performance Metrics, a high-level overview of key metrics for each PSN.

Note: pay special attention to the Avg Latency per Request column (average latency per RADIUS Request for selected PSN Server), a good way to check the "before and after" of a latency issue.

Hope this helps !!!

Hi Marcelo,

Thanks for the info. In the deployment I am seeing 0.01 for the Avg Latency per Request for the PSN in question. I would assume this is very low latency? I am not seeing any info as to what is considered high and low values for this column.

Thanks!

Hi @Ciscorocks ,

Yes, you are correct.

Note 1: remember that it's an average for the last hour; in other words, you can have "spikes".

Note 2: it's important to check this info during the Last 30 Days, just to have an idea of the average in a long period (use the Export to - Repository CSV for a better view).

Hope this helps !!!
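Added example, not part of any post in this thread and not Cisco tooling: a script that reads an exported Key Performance Metrics CSV and shows how a per-PSN average can look healthy while a single hour exceeds the roughly 300 ms ceiling mentioned in the accepted answer. Only the "Avg Latency per Request" column name comes from the thread; the other column names, the millisecond unit, the sample rows, and the reuse of 300 ms as the threshold for this column are assumptions.

```python
import csv
import io
import statistics

# Constructed sample, NOT real ISE output. Only the "Avg Latency per Request"
# column name comes from the thread; "Logged Time", "Server" and the
# millisecond unit are assumptions about the exported report.
SAMPLE_CSV = """Logged Time,Server,Avg Latency per Request
2024-05-01 08:00,psn01,12.4
2024-05-01 09:00,psn01,15.1
2024-05-01 10:00,psn01,412.0
2024-05-01 11:00,psn01,14.0
2024-05-01 08:00,psn02,9.8
2024-05-01 09:00,psn02,11.2
2024-05-01 10:00,psn02,10.5
2024-05-01 11:00,psn02,
"""

def latency_report(csv_text, threshold_ms=300.0,
                   latency_col="Avg Latency per Request"):
    """Per-PSN mean, median, worst hour, and the hours above threshold_ms."""
    per_psn = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(latency_col) or "").strip()
        if not raw:
            continue  # hour with no value: skip it rather than count it as 0
        sample = (row["Logged Time"], float(raw))
        per_psn.setdefault(row["Server"], []).append(sample)
    report = {}
    for psn, samples in per_psn.items():
        values = [v for _, v in samples]
        report[psn] = {
            "mean": round(statistics.mean(values), 1),
            "median": statistics.median(values),
            "max": max(values),
            # Hours a long-period average would hide.
            "spikes": [(t, v) for t, v in samples if v > threshold_ms],
        }
    return report

if __name__ == "__main__":
    for psn, result in latency_report(SAMPLE_CSV).items():
        print(psn, result)
```

On the constructed data, psn01 averages well under the threshold even though one hour is above it, which is why the per-hour rows matter more than the summary figure.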

Hi Thomas,

Thanks for the information provided. One thing that I am seeing: when I test a user's AD credentials in the external identity sources section of the ISE GUI, I am seeing these values. Obviously the authentication time and attributes fetching time aren't that high, but the groups fetching time is a little higher. Does this value seem higher than what it should be?

Authentication time: 5 ms.
Groups fetching time: 188 ms.
Attributes fetching time: 3 ms.

Thanks!