Wireless Controller - ISE - Microsoft Domain Controller

bluesea2010
Level 5

Hi,

When using EAP-PEAP-GTC, the Active Directory (AD) response time is around 8 ms. Currently, NL_AUTH_SIGNATURE is being used. However, when using EAP-PEAP-MSCHAPv2, the Domain Controller (DC) response time increases to around 2-3 seconds. Is it ideal for Microsoft Active Directory? It causes wireless authentication to fail.
Also, how can I change to a more secure signature algorithm, such as NL_AUTH_SHA2_SIGNATURE?

Thanks

3 Replies

Arne Bier
VIP

What version and patch of ISE are you using? I don't think we have any control over those algorithms within ISE - the best we can do is to run the latest versions of ISE. There have been some discussions around Windows Server registry hacks to set/prefer certain algorithms.

Hi

Thanks for the reply. I am using 2.x

What could be the ideal Active Directory challenge response time in

Arne Bier
VIP

Version 2.x? I guess that is anything from 2.0 to 2.7. Quite a difference. In any case, time to upgrade to 3.2 or later.

In most customer scenarios, where the ISE node is in the same data centre as the AD controllers, you'll get responses as low as 10ms in most cases. It depends on how quickly the AD controller can process your request.

In ISE 3.x I also enable DNS caching to alleviate the constant DNS lookups that ISE is performing (because older ISE versions do not cache DNS results). That also helps a bit.