Latency Concerns between ISE and AD Servers

CRAIG BOURQUIN
Level 1

I currently have an ISE instance in the US that is used for Wired and Wireless 802.1x, TACACS+, and Guest Wireless. I have a large contingent of users in India. The round-trip latency between the US and India is about 300ms. Based on the information I have seen I would not be able to implement a distributed environment and would be looking at placing a standalone ISE environment in India. My new concern is that I don't have any AD resources in India. Meaning the ISE instance will need to come all the way back to the US for all AD requests. Should I be concerned about this and will I have issues with ISE timing out to AD?

Thanks,

Craig

Accepted Solution

Damien Miller
VIP Alumni
I would agree that putting PSNs in India could introduce issues with high RTT to the PAN nodes.

You can certainly point your network devices to ISE PSNs elsewhere. The 300 ms latency is specifically ISE nodes to PAN. There are much looser latency requirements for NAD to ISE. Typical RADIUS timeouts are around 5 seconds, but ISE itself can handle 120 seconds before timing out an authentication.

Same goes though if you have a standalone deployment in India. You just have to account for the complete RADIUS/TACACS+ authentication to fall below the RADIUS timeout configured on your NADs. The shortest RADIUS timeout I have seen in production was 1 second; it did cause periodic issues when load was high, and configuring back to a reasonable timeout solved the issue.

So in your case, I would look at having the PSNs in the US, pointing India NADs there, and making sure you aren't using RADIUS/TACACS+ timeout timers on the NAD.
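The two placements in this thread can be sanity-checked with a small timeout-budget model. This is an added example, not Cisco or ISE code; the number of sequential AD exchanges per authentication, the PSN processing delay and the 2 ms same-region RTT are assumptions, while the 300 ms RTT and the 120 s ISE limit come from the thread.

```python
# Added example: timeout-budget model for the two ISE placements discussed above.
# Not ISE code; ad_round_trips, psn_processing_ms and the 2 ms local RTT are assumed.
from dataclasses import dataclass

ISE_AUTH_TIMEOUT_MS = 120_000   # ISE gives up on an authentication after 120 s (from the answer)


@dataclass(frozen=True)
class Placement:
    name: str
    nad_to_psn_rtt_ms: float        # the RADIUS/TACACS+ request and reply cross this link once
    psn_to_ad_rtt_ms: float         # every sequential AD exchange crosses this link
    ad_round_trips: int = 4         # assumed sequential AD exchanges per authentication
    psn_processing_ms: float = 50   # assumed local work on the PSN


def auth_latency_ms(p: Placement) -> float:
    """Estimated time from the NAD sending the request to receiving the final reply."""
    return p.nad_to_psn_rtt_ms + p.ad_round_trips * p.psn_to_ad_rtt_ms + p.psn_processing_ms


def check(p: Placement, nad_timeout_s: float, nad_retries: int = 3) -> dict:
    """Compare the estimate with the NAD's RADIUS timer and with ISE's own limit."""
    latency = auth_latency_ms(p)
    nad_budget_ms = nad_timeout_s * 1000
    # Every time the NAD timer fires before the reply lands, the NAD retransmits and
    # the PSN works on a duplicate request. This is the load amplification the answer
    # saw with a 1 s timer on a busy deployment.
    duplicates = 0 if latency <= nad_budget_ms else min(nad_retries, int(latency // nad_budget_ms))
    return {
        "placement": p.name,
        "latency_ms": latency,
        "fits_nad_timer": latency <= nad_budget_ms,
        "fits_ise_timer": latency <= ISE_AUTH_TIMEOUT_MS,
        "duplicate_requests": duplicates,
    }


# The two options from the thread: 300 ms is the US<->India RTT from the question,
# 2 ms is an assumed same-region hop.
US_PSN_INDIA_NAD = Placement("PSNs in US, NADs in India, AD in US", 300, 2)
INDIA_PSN_US_AD = Placement("Standalone PSN in India, AD in US", 2, 300)


def compare(nad_timeout_s: float) -> list:
    """Run both placements against one NAD RADIUS timeout value (seconds)."""
    return [check(p, nad_timeout_s) for p in (US_PSN_INDIA_NAD, INDIA_PSN_US_AD)]


if __name__ == "__main__":
    for timeout in (1, 5):
        for row in compare(timeout):
            print(f"NAD timeout {timeout}s: {row}")
```

With the assumed numbers the AD-in-another-region placement multiplies the 300 ms RTT by every AD exchange, which is why it breaks a 1 s NAD timer while the NAD-in-another-region placement pays the RTT only once.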
