
ISE Authentication Latency

vishrana
Cisco Employee

Hi all,

Need information on how to measure the RADIUS authentication latency in ISE? What is the threshold value?

1 Accepted Solution


Damien Miller
VIP Alumni

The RADIUS timeout in ISE is 120 seconds. The RADIUS timeout that you have to be concerned about is on the network device, where defaults are usually around 5 seconds, but I have seen it set as low as 1 second (with issues). The RADIUS authentication timeout has to incorporate the latency in the round trip between the NAD and ISE, the latency between ISE and the external ID store (if used), the time it takes for the external ID store to respond, the time it takes ISE to evaluate authentication and authorization rules, and any other checks such as quarantine status.

Because of the 120 second timeout in ISE, it is unlikely that ISE will be timing out a session before the NADs do.

In ISE you can see a logged response time in the authentication details results; this can be used to determine how loaded a node is.
In the RADIUS protocol settings you can set ISE to flag any authentication step that takes more than 500 ms (up to 10 sec and default is 1 sec). It will log these slow steps in the authentication detail reports.
There is also an Authentication Summary report you can run which will provide response time averages and peaks.
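
An added example, not part of the original answer and not Cisco code: a minimal RADIUS probe that times one Access-Request/response exchange from the client side, so the measured value covers every component the answer lists, as a NAD would experience it. The host, port, test account and shared secret are placeholders you supply, and it assumes the machine running it is defined on the server as a RADIUS client with that secret; it sends no retransmissions.

```python
# Added example: host, port, account and shared secret are caller-supplied placeholders.
import hashlib, hmac, os, socket, struct, time

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (pads to a multiple of 16)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret):
    req_auth = os.urandom(16)
    attrs = (attr(80, b"\x00" * 16) + attr(1, user)
             + attr(2, hide_password(password, secret, req_auth)))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    # Message-Authenticator (RFC 3579): HMAC-MD5 over the packet with the field zeroed.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:22] + mac + pkt[38:], req_auth

def response_ok(resp, ident, req_auth, secret):
    """Check the Response Authenticator (RFC 2865 section 3)."""
    if len(resp) < 20 or resp[1] != ident:
        return False
    body = resp[:struct.unpack("!H", resp[2:4])[0]]
    digest = hashlib.md5(body[:4] + req_auth + body[20:] + secret).digest()
    return len(body) >= 20 and hmac.compare_digest(digest, body[4:20])

def probe(host, port, user, password, secret, nad_timeout=5.0):
    """Return (code, seconds); code 2=Accept, 3=Reject, 11=Challenge, None=timed out."""
    ident = os.urandom(1)[0]
    pkt, req_auth = build_access_request(ident, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        start = time.monotonic()
        sock.sendto(pkt, (host, port))
        while (left := nad_timeout - (time.monotonic() - start)) > 0:
            sock.settimeout(left)
            try:
                resp, _ = sock.recvfrom(4096)
            except socket.timeout:
                break
            if response_ok(resp, ident, req_auth, secret):  # ignore forged/stale replies
                return resp[0], time.monotonic() - start
    return None, nad_timeout
```

Even an Access-Reject yields a valid latency sample; a `None` code means the exchange would have hit the timeout value passed as `nad_timeout`.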

jianzh3
Cisco Employee

Hi Damien, as you said, the RADIUS timeout in ISE is 120 seconds.

Is there any way to change this timeout value?

Or is the value (120s) hardcoded?