05-17-2023 03:03 AM
Customer has one ISE and five AD domains which have zero trust between them. I'm able to join the ISE to all five ADs and have created the identity source sequence from top AD1 to bottom AD5.
Is there any difference in the time taken to authenticate between a user from AD1 and a user from AD5? Is it in milliseconds? Customer wants to know how long it takes and to document it.
05-17-2023 04:28 AM
Hi @williamtan ,
1st, please take a look at Administration > Identity Management > Identity Source Sequences > select your Sequence Name and make sure that under Advanced Search List Settings, "Treat as if the user was not found and proceed to the next store in the sequence" is selected.
2nd, at Administration > System > Settings > Protocols > RADIUS, check the value of "Highlight steps longer than (milliseconds)".
3rd, at Operations > Reports > Reports > Endpoint and Users > RADIUS Authentications > click the Details icon > in the new window you are able to check the Steps of the RADIUS Authentication; check step 24325 Resolving Identity. If this step takes longer than the value of "Highlight steps longer than (milliseconds)", then you have your answer as an exact number.
Hope this helps !!!
05-17-2023 09:12 PM
Thank you Marcelo Morais for your fast reply.
1. Yes, I have selected this already.
2. This one is default 1000 milliseconds.
3. I didn't see a clock there so it should be less than 1000ms.
05-18-2023 04:58 AM
05-19-2023 06:10 AM
Hi Marcelo Morais ,
I tried changing the value of "Highlight steps longer than" to 500 ms and it still does not show the time. But the customer wants to know the exact time. Is it possible?
05-19-2023 11:14 AM
Hi @williamtan ,
at Operations > Troubleshooting > Diagnostic Tools > General Tools > TCP Dump:
Download and open the TCPDump.pcap file in Wireshark and filter by tcp.port == 389 (for example); you are able to check the time between the packets exchanged.
Hope this helps !!!
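One way to pull those per-server LDAP gaps out of the exported capture without clicking through Wireshark packet by packet, as an added example that is not part of the original post or of ISE: a small Python reader for the TCPDump.pcap file. It assumes a classic little-endian, microsecond pcap (what tcpdump writes), plain LDAP on tcp/389, and the ISE and domain controller addresses and timings below are constructed sample data, not a real capture.

```python
import struct
from collections import defaultdict

LDAP_PORT = 389   # plain LDAP, the same tcp.port == 389 filter used in Wireshark

def iter_tcp(pcap):
    """Yield (ts, src_ip, dst_ip, sport, dport, payload_len) per IPv4/TCP frame of a classic LE microsecond pcap."""
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        f = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                           # not IPv4/TCP over Ethernet
        ihl = (f[14] & 0x0F) * 4
        total = struct.unpack("!H", f[16:18])[0]
        tcp = f[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = len(tcp) - (tcp[12] >> 4) * 4
        yield sec + usec / 1e6, ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34])), sport, dport, payload

def ldap_latency_ms(pcap):
    """Per AD server: (min, max, avg) ms from an ISE->AD LDAP data segment to the next AD->ISE data segment."""
    pending, gaps = {}, defaultdict(list)
    for ts, src, dst, sport, dport, plen in iter_tcp(pcap):
        if plen == 0:
            continue                           # SYN, FIN and pure ACKs carry no LDAP
        if dport == LDAP_PORT:
            pending[(src, sport, dst)] = ts    # request out, wait for the reply
        elif sport == LDAP_PORT and (dst, dport, src) in pending:
            gaps[src].append(round((ts - pending.pop((dst, dport, src))) * 1000, 3))
    return {ad: (min(v), max(v), round(sum(v) / len(v), 3)) for ad, v in gaps.items()}

def _frame(ts, src, dst, sport, dport, plen):
    """Build one constructed Ethernet/IPv4/TCP pcap record (sample data, not a real capture)."""
    ips = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + b"\x30" * plen
    ipv4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + ips + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ipv4
    return struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(eth), len(eth)) + eth

# Constructed sample: ISE 10.0.0.5 binds to two domain controllers (hypothetical addresses).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(_frame(*r) for r in [
    (1.000000, "10.0.0.5", "10.0.1.10", 50001, 389, 40),   # bind request to DC1
    (1.002500, "10.0.1.10", "10.0.0.5", 389, 50001, 14),   # DC1 answers after 2.5 ms
    (1.010000, "10.0.0.5", "10.0.2.10", 50002, 389, 40),   # bind request to DC2
    (1.010500, "10.0.0.5", "10.0.2.10", 50002, 389, 0),    # bare ACK, must be ignored
    (1.095000, "10.0.2.10", "10.0.0.5", 389, 50002, 14),   # DC2 is slow: 85 ms
])

if __name__ == "__main__":
    print(ldap_latency_ms(SAMPLE_PCAP))   # {'10.0.1.10': (2.5, 2.5, 2.5), '10.0.2.10': (85.0, 85.0, 85.0)}
```

Pairing a request with the next data segment from the server is a simplification of matching on the LDAP message ID, so pipelined requests on one connection would be mismatched. For LDAPS change LDAP_PORT to 636, and convert a pcapng export to classic pcap first.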
05-21-2023 06:06 PM
@williamtan For Active Directory, it's preferred to use scopes so ISE will query all AD join points at the same time.
It's hard to judge the authentication time because it depends on both ISE and AD servers. AD servers could be busy and slower in responses.
05-22-2023 10:07 PM
Hi @hslai,
Do I still need to select "Treat as if the user was not found and proceed to the next store in the sequence" after using the initial scope?
05-23-2023 10:26 AM
We may use the Active Directory scope directly as the identity authentication source. That setting is for an ISE identity source sequence, so it would not be in effect unless we are using one when we combine the Active Directory scope with other sources.
05-24-2023 07:43 AM - edited 05-24-2023 07:45 AM
Hi @hslai , let me investigate the "scope" configuration you are mentioning.