
Recommended RADIUS suppression settings

anthonylofreso
Level 4

I'm wondering what others configure under:

Administration > System > Settings > Protocols > RADIUS > Suppression & Reports

Screenshot of my settings attached. While I understand that this is probably highly specific to your environment, I'm curious about the following:

  • I believe TAC has advised enabling some of these features to prevent overloading ISE. Which are safe to disable in a production deployment?
  • Are the settings I have configured typical? I believe they are mostly default.
  • If you've configured values other than default, what was your logic? How did you come up with appropriate values?

paul
Level 10

When I am first doing the ISE rollout at a customer, I turn off "Reject RADIUS requests from clients with repeated failures". I explain this feature to them, and while it is a good feature from an ISE performance perspective, it can be frustrating when troubleshooting issues and you forget this feature is enabled. I equate it to the client exclusion setting on a WLC. Nice feature to have, but again, if you forget about the setting it can make troubleshooting more difficult.

Once we have authentication working the way we want and work through any issues, I leave it up to the customer if they want to turn it back on. I don't change the other settings.

Makes sense. So you have environments in production then with Reject Repeated Failures disabled.

We've got things mostly configured the way we want, but are seeing some odd issues with Windows clients. I'm thinking we need to tweak the PEAP settings. "PEAP Session Resume" is currently disabled.

I've noticed that "Enable Fast Reconnect" is checked on the Windows supplicants... but since PEAP Session Resume is disabled, Fast Reconnect is also disabled in ISE.

I have many production deployments, some very large, with "Reject repeated failures" disabled. Per the ISE Advanced Tips and Tricks (AT&T, the good one) recommendations, I do have PEAP and EAP-TLS session resume and PEAP Fast Reconnect enabled. Also, under the allowed protocols I have Stateless Session Resume enabled for EAP-TLS with a session ticket life of 2 hours.



I know AT&T says to keep reject repeated failures enabled, but like I said I leave that up to the customer and disable it for the early rollout until we get authentication issues ironed out.


Good info. Would you link that ATT Tips/Tricks guide?