Radius Health Check - Cisco ISE

nrafia · ‎06-17-2013

I have one Cisco ISE setup with AD authentication. I want to configure radius helth check how it can be confiured on switches.

Best Regards,

Venkatesh Attuluri · ‎06-18-2013

When the ISE Health System rule is evaluated, system health parameters are examined as a result of values exceeding the rule for a specified time interval (up to the previous 60 minutes).

When the ISE AAA Health rule is evaluated, ISE health parameters that exceeded the rule for the specified time interval (up to the previous 60 minutes) are examined. Cisco ISE monitors the following parameters:

• RADIUS throughput

• RADIUS latency

If any of the parameters exceed the rule, an alarm is triggered. By default, the rule applies to all monitored Cisco ISE instances. However, you can choose to limit the check to just a single Cisco ISE instance

nrafia · ‎06-18-2013

Thanks for your input. Please can you provide any configuration example and reference docs. I want to use an AD user.

Jatin Katyal · ‎06-18-2013

For example if we have too many authentications per second, more than what the PSN Specifications are designed for. In such cases we've to distribute the radius load to other PSN’s. You can also run Catalog report to draw a graph of Radius latency per PSN instance under Operations>Catalog>Server Health Summary> Last 7 days> PSN Hostname.

This will only give you a trend of radius latency but not the reasons why. You need to go through logs of the concerned PSN to find out whats going on the PSN. Certainly Radius latency greater than 3 Seconds is concerning. In such scenarios we have to download the support bundle and analyse the logs.

Cisco ISE Dashboard Monitoring

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wp1226014

Jatin Katyal
- Do rate helpful posts -

~Jatin

nrafia · ‎06-19-2013

I will appreciate if some one can provide switch side configuration example for Radius Health check.