ISE Latency to Active Directory

jmcgourt@cisco.com
Cisco Employee

Is there a max design latency between ISE and AD for authentications? I know between ISE nodes it's 300ms but would like to confirm if there is a recommended latency limit between ISE and AD.


Damien Miller
VIP Alumni
There isn't a published max latency between ISE and the external directory/AD per se, but it's a function of the lower the better. Ideally you would have an AD server in the same location as the ISE node with AD sites and services defined.

The key is that the entire NAD to ISE to AD to NAD again needs to stay under the configured radius timeout value on the NAD. The general recommendation that tends to work well in most environments is keeping the whole round trip under 5 seconds. In some larger environments this has been configured at 10 seconds.

Keeping an eye on AD latency can be done via the ISE dashboard alarms/syslog/email alerting. You typically don't have to worry about it by default unless you are seeing the alarms, or your NADs have something like a 1 second timeout configured. I bring up the 1 second radius timeout because I have run across a lot of WLCs configured for this and it causes problems all the time.
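A small budget calculator for the round trip described in the reply above (NAD to ISE to AD and back), added here as an illustration and not part of the original post or any Cisco tool. The number of ISE-to-AD exchanges per authentication and the processing times are constructed assumptions; measure your own values before relying on the numbers.

```python
# Model the NAD -> ISE -> AD -> NAD authentication round trip against the
# RADIUS timeout configured on the NAD. All timings are in milliseconds.
# Hop counts and processing times below are constructed assumptions.

def auth_round_trip_ms(nad_ise_rtt_ms, ise_ad_rtt_ms,
                       ad_exchanges=3, ad_processing_ms=20, ise_processing_ms=50):
    """Estimated wall-clock time for one authentication.

    ad_exchanges: assumed number of ISE<->AD request/response pairs per auth
    (lookup, authenticate, group fetch); each pays the ISE-AD RTT plus AD work.
    """
    directory_time = ad_exchanges * (ise_ad_rtt_ms + ad_processing_ms)
    return nad_ise_rtt_ms + ise_processing_ms + directory_time


def fits_timeout(total_ms, radius_timeout_ms, headroom=0.8):
    """True if the round trip stays inside the NAD timeout with headroom.

    headroom=0.8 leaves 20% slack so jitter does not push a normal auth into
    a retransmit (an assumption, not a published figure).
    """
    return total_ms <= radius_timeout_ms * headroom


def max_ise_ad_rtt_ms(radius_timeout_ms, nad_ise_rtt_ms,
                      ad_exchanges=3, ad_processing_ms=20,
                      ise_processing_ms=50, headroom=0.8):
    """Largest ISE->AD RTT that still fits the NAD timeout (solves the
    round-trip formula for ise_ad_rtt_ms)."""
    budget = (radius_timeout_ms * headroom - nad_ise_rtt_ms
              - ise_processing_ms - ad_exchanges * ad_processing_ms)
    return max(0.0, budget / ad_exchanges)


if __name__ == "__main__":
    # Constructed scenario: WLC with a 1 s timeout vs. the 5 s recommendation.
    for timeout in (1000, 5000):
        for ise_ad in (20, 100, 300):
            total = auth_round_trip_ms(nad_ise_rtt_ms=40, ise_ad_rtt_ms=ise_ad)
            print(f"timeout={timeout}ms ISE-AD={ise_ad}ms total={total}ms "
                  f"ok={fits_timeout(total, timeout)}")
        print(f"  max ISE-AD RTT for {timeout}ms timeout: "
              f"{max_ise_ad_rtt_ms(timeout, 40):.0f}ms")
```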