
ISE v2.1 patch 3 issues

Ever since we updated to patch 3, we have seen a lot of dead radius server messages, especially when users are accessing the network via wireless controllers.

We have a guest portal tied to AD, and the wireless access is practically unusable, due to timeouts in accessing the PSNs. We've created a pair of dedicated PSNs for wireless, and they are the least busy PSNs on the network.


Config T (Level 1)

I updated 2.1 to patch 3 a couple days after it came out, not experiencing the issues you're reporting. Strange that it would affect mostly wireless. Have you checked resource utilization on those PSNs dedicated to the WLC?

Sorry for the Correct Answer tag. I hit the wrong button, and couldn't figure out how to undo.

We've gone as far as to bring up two PSNs specifically for wireless traffic, and the Wireless PSNs are much less busy than the wired PSNs, so it's not a loading issue, per se.

We thought we had it down to EAP-TLS vs EAP Chaining supplicants, but that isn't exactly right. Windows users without NAM behave differently than Macs, and they are both using EAP-TLS.

It appears as though the Macs are throwing out a large number of CoAs, as we are seeing a lot of traffic that is being reported as dropped due to previous packets. What dead/timeout values are you using for your PSNs in the WLC config?

My WLC timeout is two seconds.

I don't see anything in the release notes that might explain the symptoms you're experiencing. If radius messages are getting to ISE from your WLC but not making it back, perhaps it's a load balancer related issue.

If it was working fine before patch 3, I'd look for changes introduced with patch 3 that might explain it.

I would recommend checking the MTU along the path from the WLC to the PSNs (I had a similar issue in the past), although it was affecting both wired and wireless users.

This is true for EAP-FAST and EAP-TLS, as both use a TLS tunnel and request the whole CA chain (if you are using Root/SubRoot CAs) during tunnel establishment, which makes the RADIUS payload pretty large (this is true when the certificates are signed with SHA256 or larger).

I would also try and tweak the WLC RADIUS timeout and dot1x timeout and retries and see if there are any improvements.

These are the recommended WLC timers (from Cisco Live BRKSEC-3697):

  • Idle timeout: Leave global at 300 seconds; Open networks 300 seconds; Dot1x networks 3600s can be used
  • Client Exclusions: Enable them and set for 180 seconds
  • Session Timeout: Set it per security policy, preferably 7200+ seconds
  • Aggressive Failover: Disabling reduces load on ISE but can increase failover times
  • Configure Fast Secure Roaming to reduce RADIUS load during roam
  • Advanced EAP Timers:
    • config advanced eap identity-request-timeout 3
    • config advanced eap identity-request-retries 10
    • config advanced eap request-timeout 3
    • config advanced eap request-retries 10
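As an added illustration of the MTU point raised above (this is not code from the thread, from ISE or from the WLC), the script below estimates how a server certificate chain becomes RADIUS Access-Challenge packets during EAP-TLS/EAP-FAST tunnel establishment, how many EAP round trips the flight needs (each one subject to the EAP request-timeout and request-retries timers listed above), and whether the largest packet exceeds the path MTU. The certificate sizes, EAP fragment size, State attribute length and handshake overhead are constructed assumptions.

```python
import math

# Constructed constants; fragment size and State length are assumptions, not ISE/WLC values.
IP_UDP_OVERHEAD = 28           # IPv4 header (20) + UDP header (8)
RADIUS_HEADER = 20             # code, identifier, length, authenticator
EAP_MESSAGE_MAX_VALUE = 253    # a RADIUS attribute is at most 255 bytes including its 2-byte header
MESSAGE_AUTHENTICATOR = 18     # 2-byte header + 16-byte HMAC-MD5
STATE_ATTR = 2 + 32            # assumed State attribute length; servers vary
EAP_TLS_HEADER = 6             # EAP code/id/length (4) + type (1) + EAP-TLS flags (1)
TLS_LENGTH_FIELD = 4           # present on the first fragment when the L bit is set
TLS_HANDSHAKE_OVERHEAD = 200   # assumed ServerHello/ServerKeyExchange/ServerHelloDone bytes


def radius_packet_size(eap_len: int) -> int:
    """Bytes on the wire (IP + UDP + RADIUS) for one Access-Challenge carrying eap_len EAP bytes."""
    n_attrs = math.ceil(eap_len / EAP_MESSAGE_MAX_VALUE)   # EAP payload is split across EAP-Message attributes
    return (IP_UDP_OVERHEAD + RADIUS_HEADER + eap_len + 2 * n_attrs
            + MESSAGE_AUTHENTICATOR + STATE_ATTR)


def eap_tls_round_trips(tls_flight_bytes: int, eap_fragment_size: int) -> int:
    """EAP request/response exchanges needed to deliver one TLS flight at this fragment size."""
    return math.ceil(tls_flight_bytes / eap_fragment_size)


def analyse_chain(cert_sizes: list, eap_fragment_size: int, path_mtu: int) -> dict:
    """Size the server's certificate flight and report the largest RADIUS packet it produces."""
    tls_flight = sum(cert_sizes) + TLS_HANDSHAKE_OVERHEAD
    first_fragment = min(eap_fragment_size, tls_flight) + EAP_TLS_HEADER + TLS_LENGTH_FIELD
    largest = radius_packet_size(first_fragment)
    return {
        "tls_flight_bytes": tls_flight,
        "round_trips": eap_tls_round_trips(tls_flight, eap_fragment_size),
        "largest_packet": largest,
        "exceeds_mtu": largest > path_mtu,   # True means IP fragmentation (or drops) on the WLC-PSN path
    }


if __name__ == "__main__":
    # Constructed DER sizes for a leaf, an issuing sub-CA and a root (RSA-2048, SHA-256 signatures).
    chain = [1700, 1500, 1400]
    for frag in (1398, 1002):
        r = analyse_chain(chain, frag, path_mtu=1500)
        print(f"fragment={frag}: {r['round_trips']} round trips, "
              f"largest RADIUS packet {r['largest_packet']} bytes, "
              f"exceeds 1500-byte MTU: {r['exceeds_mtu']}")
```

Lowering the EAP fragment size keeps each RADIUS packet under the MTU at the cost of more round trips, which is why the EAP timeout and retry values above matter on a lossy path.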