1252 Views, 1 Helpful, 9 Replies

User authentication time

williamtan (Level 1)

The customer has one ISE and five AD domains with zero trust between them. I'm able to join the ISE to all five ADs and have created the identity source sequence from AD1 at the top to AD5 at the bottom.

Is there any difference in the time taken to authenticate a user from AD1 versus AD5? Is it in milliseconds? The customer wants to know how long it takes and document it.


Accepted Solution

hslai (Cisco Employee)

@williamtan For Active Directory, it's preferred to use scopes so that ISE queries all AD join points at the same time.

It's hard to judge the authentication time because it depends on both the ISE and the AD servers. AD servers could be busy and slower to respond.


9 Replies

Hi @williamtan ,

1st, please take a look at Administration > Identity Management > Identity Source Sequences > select your Sequence Name and make sure that, under Advanced Search List Settings, "Treat as if the user was not found and proceed to the next store in the sequence" is selected.

2nd, at Administration > System > Settings > Protocols > RADIUS, check the value of "Highlight steps longer than (milliseconds)".

3rd, at Operations > Reports > Reports > Endpoint and Users > RADIUS Authentications, click the Details icon. In the new window you are able to check the Steps of the RADIUS Authentication; check the step 24325 Resolving Identity. If this step takes longer than the value of "Highlight steps longer than (milliseconds)", then you have your answer as an exact number.

Hope this helps !!!

Thank you Marcelo Morais for your fast reply.

1. Yes, I have selected this already.

2. This one is the default, 1000 milliseconds.

3. I didn't see a clock there, so it should be less than 1000 ms.

Hi @williamtan ,

That's correct ... in your case, less than 1000 ms.

Hope this helps !!!

Hi Marcelo Morais ,

I tried changing the value of "Highlight steps longer than" to 500 ms and it still does not show the time. But the customer wants to know the exact time. Is it possible?

Hi @williamtan ,

at Operations > Troubleshooting > Diagnostic Tools > General Tools > TCP Dump:

  • select the PSN
  • Promiscuous Mode = Off

Download and open the TCPDump.pcap file in Wireshark and filter by tcp.port == 389 (for example); you are then able to check the time between the packets exchanged.

Hope this helps !!!
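The capture-based measurement described in the reply above can be done in batch rather than by reading inter-packet deltas by hand in Wireshark. The script below is an added example, not code from the thread or from Cisco: it takes the frame list exported from the PSN capture with `tshark -r TCPDump.pcap -Y ldap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ldap.messageID` (those field names are real tshark fields; the PSN address 10.0.0.5 and the AD server addresses are assumptions), pairs each LDAP request with the first response carrying the same messageID, and reports round-trip latency per AD server, which is what distinguishes a slow join point from a slow ISE. The sample lines are constructed, not a real capture.

```python
"""Per-AD-server LDAP round-trip latency from an ISE PSN TCP Dump export.

Added example (not from the thread). Input is the tab-separated output of:
  tshark -r TCPDump.pcap -Y ldap -T fields \
         -e frame.time_epoch -e ip.src -e ip.dst -e ldap.messageID
Direction tells requests from responses: frames sent by the PSN are
requests, frames sent to it are responses.
"""
from collections import defaultdict
from statistics import mean

PSN_IP = "10.0.0.5"  # assumed PSN address; set to the PSN that was captured

# Constructed sample lines in tshark -T fields format (not a real capture).
# One frame may carry several LDAP PDUs, so messageID can be "14,14".
SAMPLE = """\
1700000000.000000\t10.0.0.5\t10.1.0.10\t12
1700000000.004500\t10.1.0.10\t10.0.0.5\t12
1700000000.010000\t10.0.0.5\t10.5.0.10\t13
1700000000.010500\t10.0.0.5\t10.1.0.10\t14
1700000000.013000\t10.1.0.10\t10.0.0.5\t14,14
1700000000.095000\t10.5.0.10\t10.0.0.5\t13
1700000000.100000\t10.0.0.5\t10.5.0.10\t15
"""


def parse_lines(text):
    """Yield (timestamp, src, dst, message_id) for every LDAP PDU in the export."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4 or not fields[3]:
            continue  # blank line, or a frame with no dissected LDAP messageID
        ts = float(fields[0])
        src, dst = fields[1], fields[2]
        for mid in fields[3].split(","):
            yield ts, src, dst, int(mid)


def ldap_latencies(text, psn_ip=PSN_IP):
    """Return {ad_server_ip: [latency_ms, ...]}.

    A request is keyed by (server, messageID) and matched with the first
    response for that key (searchResEntry or searchResDone, whichever comes
    first). Later PDUs with the same ID and unanswered requests are ignored.
    """
    pending = {}                       # (server, messageID) -> request timestamp
    latencies = defaultdict(list)
    for ts, src, dst, mid in parse_lines(text):
        if src == psn_ip:
            pending.setdefault((dst, mid), ts)   # keep the earliest request time
        elif dst == psn_ip:
            key = (src, mid)
            if key in pending:
                latencies[src].append((ts - pending.pop(key)) * 1000.0)
    return dict(latencies)


def summarize(latencies):
    """Return {server: (count, min_ms, avg_ms, max_ms)}, rounded to 0.1 ms."""
    return {s: (len(v), round(min(v), 1), round(mean(v), 1), round(max(v), 1))
            for s, v in latencies.items()}


if __name__ == "__main__":
    for server, (n, lo, avg, hi) in sorted(summarize(ldap_latencies(SAMPLE)).items()):
        print(f"{server}: {n} exchanges, min {lo} ms, avg {avg} ms, max {hi} ms")
```

Run it against a real export with the PSN address set correctly; a join point whose max or average stands out is the one to investigate before blaming ISE. Caveat: if the PSN's LDAP sessions are sealed (SASL confidentiality), Wireshark cannot dissect the messageID and the `ldap` filter yields nothing, so the pairing falls back to TCP-level timing on port 389, which is what the reply above describes.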


Hi @hslai

Do I still need to select "Treat as if the user was not found and proceed to the next store in the sequence" after using the initial scope?

We may use the Active Directory scope directly as the identity authentication source. That setting is for an ISE identity source sequence, so it would not be in effect unless we are using one, i.e. when we combine the Active Directory scope with other sources.

Hi @hslai , let me investigate the "scope" configuration you are mentioning.