01-28-2015 09:35 PM - edited 03-10-2019 10:23 PM
Hi, all.
I haven't been able to find anything out about the term "Step Latency" which is seen in the authentication info for a user in ISE. I have been having an issue where wireless clients are being delayed by a failry reliable time (7500ms) on each dot1x authentication, judging by this value.
The issue is of course not knowing what this particular value is or what it relates to. If anyone can define the term or link to a document, I'd be very grateful!
Thanks
01-31-2015 10:57 AM
As far is i know, the "step" definition, is just an indicator of how long a specific step of the authentication or authorization process took. So you can see if ex. your Active directory lookup took a long time, or maybe something else is taking a long time. is the one with 7500 the only step in your detailed log that says latency=something?
02-01-2015 03:01 PM
Thanks, Jan!
I had suspected as much but (like the steps themselves) it is not explicitly clear. This is typical of what we're seeing:
11006 | Returned RADIUS Access-Challenge( Step latency=7530 ms) |
The fact that it's always so close to 7500ms makes it seem unlikely to be a load-type issue, no?
If you or any others here have any insight, I'd appreciate the input. I've managed to find the attached spreadsheet of error/debug/etc. codes for ISE but it doesn't really clarify the process enough for me to isolate the issue.
02-01-2015 08:54 PM
How are you authenticating the wireless clients with this issue (AD, Certs, other) ? What authorization conditions are you trying to match them to (Ad groups or other) ?
02-17-2015 08:32 PM
Sorry for the late reply!
Authenticating with user credentials (AD) to ISE; AD group membership is the main authorization parameter in use.
It seems like the latency mentioned is more specific to iOS clients and the new 5760 controllers seem to be behaving pretty differently to the 5500s in use prior. We've found some interesing behaviour in ISE with anomolous client detection and a few other aspects but we've as yet not been able isolate the cause with this specific issue.
Thanks again for your initial answer, Jan.
02-18-2015 02:23 AM
FYI
You have a Cisco ISE bandwidth and latency calculator available for ATP partners , You can download it from ATP Resource Center
http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: