2023 Views, 0 Helpful, 3 Replies

ISE2.4 - patch10 - How is Authentication Latency Calculated?

baker82
Level 1

I have what I hope is a fairly quick question.

I want to know how the authentication latency times are calculated in ISE 2.4 with an external identity source of an RSA server.

I assume that the timer starts from the point a request is made, and ends when the endpoint or NAD receives the permit or deny.

So is it fair to say that adding an external identity source of a token-based RSA server would only increase the authentication latency which is reported on the ISE home screen?


3 Replies

Short answer: yes, because ISE won't reply back to the NAD until a response is received from the RSA server or the request times out.

paul
Level 10

Yeah, any time you have an MFA/2FA solution in play you can expect to get high authentication latency alarms. Unfortunately there is no way I know of to filter out NAD devices from high authentication latency consideration. Basically, the customers start ignoring the alarm, and then when there is a real high authentication latency issue they miss it. They could do more advanced filtering on the Syslog server side if they are sending the alerts to a Syslog server for further processing.

That's what I was thinking.

In order to keep authentication latency times lower, I have created a custom sdopts.rec file and uploaded it to the RSA options file for each individual RSA node.

Here I can provide a weighted calculation to a list of RSA servers so it chooses the local site RSA server first, then uses the other listed servers in the event the local site RSA is busy or, worse, down...

To make this happen you can use the following SDOPTS.REC file:

file name = sdopts.rec
save as: txt file with ANSI formatting

USESERVER=<RSA SERVER IP>, <Weighted Value>  # 10 being the highest
USESERVER=10.x.x.x, 10
USESERVER=10.x.x.x, 9
USESERVER=10.x.x.x, 8

This configuration has proved to be helpful since now the individual ISE PSN nodes don't try to reach out to OCONUS RSA servers, which often return high authentication latency alarms. I was also able to customize the High Authentication Latency alarm to point out excessive latency triggers.
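As an added illustration of the weighted USESERVER list described in the reply above (example code written for this page, not Cisco ISE or RSA Authentication Agent code): the Python below parses a constructed sdopts.rec, rejects malformed entries before the file is pushed to a PSN, orders the servers by weight, and walks down the list when the preferred local server is busy or down. The selection rule is a simplified model of what the thread describes, not the agent's real algorithm; treating `#` as a comment marker and weight 0 as "never use this server" are assumptions, as are the sample IP addresses.

```python
"""Model of an sdopts.rec USESERVER priority list.

Added example, not Cisco ISE or RSA code. The selection rule (highest weight
first, fall through to the next server when one is unavailable) mirrors the
forum reply; the real agent's behaviour may differ. ASSUMPTIONS: '#' starts a
comment, and weight 0 excludes a server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample file: local-site server weighted 10, remote sites lower.
SAMPLE_SDOPTS = """\
# local site first, then the two remote sites
USESERVER=10.0.1.5, 10
USESERVER=10.0.2.5, 9
USESERVER=10.0.3.5, 8
USESERVER=192.0.2.9, 0
"""

USESERVER_RE = re.compile(
    r"^\s*USESERVER\s*=\s*(\d{1,3}(?:\.\d{1,3}){3})\s*,\s*(\d+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ServerEntry:
    ip: str
    weight: int


def parse_sdopts(text: str) -> List[ServerEntry]:
    """Return USESERVER entries sorted highest weight first.

    Raises ValueError on a malformed line or a weight outside 0..10, so a typo
    fails loudly instead of silently steering authentications to the wrong site.
    """
    entries: List[ServerEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ASSUMPTION: '#' begins a comment
        if not line:
            continue
        match = USESERVER_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not a valid USESERVER entry: {raw!r}")
        ip, weight = match.group(1), int(match.group(2))
        if not 0 <= weight <= 10:
            raise ValueError(f"line {lineno}: weight {weight} is outside 0..10")
        entries.append(ServerEntry(ip, weight))
    # Stable sort keeps file order among equal weights.
    return sorted(entries, key=lambda e: e.weight, reverse=True)


def choose_server(entries: List[ServerEntry], unavailable: Set[str]) -> Optional[str]:
    """Pick the highest-weighted usable server, skipping busy/down ones.

    Weight 0 entries are never chosen (ASSUMPTION). Returns None when every
    usable server is unavailable, which is the case a PSN would report as a
    timeout rather than a permit or deny.
    """
    for entry in entries:
        if entry.weight == 0 or entry.ip in unavailable:
            continue
        return entry.ip
    return None


if __name__ == "__main__":
    ordered = parse_sdopts(SAMPLE_SDOPTS)
    for entry in ordered:
        print(f"{entry.ip:<12} weight {entry.weight}")
    print("normal:", choose_server(ordered, set()))
    print("local down:", choose_server(ordered, {"10.0.1.5"}))
```

Running the file prints the servers in priority order and shows the fallback choice when the local server is marked down; the ValueError path is the pre-upload check worth keeping, since a mistyped weight in a file that is replicated to every PSN would otherwise change which RSA server the whole deployment prefers.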