Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4338
Views
0
Helpful
5
Replies

Step Latency?

James Horne
Level 1
Level 1

‎01-28-2015 09:35 PM - edited ‎03-10-2019 10:23 PM

Hi, all.

I haven't been able to find anything out about the term "Step Latency" which is seen in the authentication info for a user in ISE. I have been having an issue where wireless clients are being delayed by a failry reliable time (7500ms) on each dot1x authentication, judging by this value.

The issue is of course not knowing what this particular value is or what it relates to. If anyone can define the term or link to a document, I'd be very grateful!

 

Thanks

1 person had this problem
Labels:
0 Helpful
5 Replies 5

jan.nielsen
Level 7
Level 7

‎01-31-2015 10:57 AM

As far is i know, the "step" definition, is just an indicator of how long a specific step of the authentication or authorization process took. So you can see if ex. your Active directory lookup took a long time, or maybe something else is taking a long time. is the one with 7500 the only step in your detailed log that says latency=something?

0 Helpful

James Horne
Level 1
Level 1
In response to jan.nielsen

‎02-01-2015 03:01 PM

Thanks, Jan!

I had suspected as much but (like the steps themselves) it is not explicitly clear. This is typical of what we're seeing:

 11006Returned RADIUS Access-Challenge( Step latency=7530 ms)

 

The fact that it's always so close to 7500ms makes it seem unlikely to be a load-type issue, no?

 

If you or any others here have any insight, I'd appreciate the input. I've managed to find the attached spreadsheet of error/debug/etc. codes for ISE but it doesn't really clarify the process enough for me to isolate the issue.

Preview file
99 KB
0 Helpful

jan.nielsen
Level 7
Level 7

‎02-01-2015 08:54 PM

How are you authenticating the wireless clients with this issue (AD, Certs, other) ? What authorization conditions are you trying to match them to (Ad groups or other) ?

0 Helpful

James Horne
Level 1
Level 1
In response to jan.nielsen

‎02-17-2015 08:32 PM

Sorry for the late reply!

 

Authenticating with user credentials (AD) to ISE; AD group membership is the main authorization parameter in use.

It seems like the latency mentioned is more specific to iOS clients and the new 5760 controllers seem to be behaving pretty differently to the 5500s in use prior. We've found some interesing behaviour in ISE with anomolous client detection and a few other aspects but we've as yet not been able isolate the cause with this specific issue.

 

Thanks again for your initial answer, Jan.

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎02-18-2015 02:23 AM

FYI

You have a Cisco ISE bandwidth and latency calculator available for ATP partners , You can download it from ATP Resource Center

http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents