When the ISE Health System rule is evaluated, system health parameters are examined as a result of values exceeding the rule for a specified time interval (up to the previous 60 minutes).
When the ISE AAA Health rule is evaluated, ISE health parameters that exceeded the rule for the specified time interval (up to the previous 60 minutes) are examined. Cisco ISE monitors the following parameters:
• RADIUS throughput
• RADIUS latency
If any of the parameters exceed the rule, an alarm is triggered. By default, the rule applies to all monitored Cisco ISE instances. However, you can choose to limit the check to just a single Cisco ISE instance
For example if we have too many authentications per second, more than what the PSN Specifications are designed for. In such cases we've to distribute the radius load to other PSN’s. You can also run Catalog report to draw a graph of Radius latency per PSN instance under Operations>Catalog>Server Health Summary> Last 7 days> PSN Hostname.
This will only give you a trend of radius latency but not the reasons why. You need to go through logs of the concerned PSN to find out whats going on the PSN. Certainly Radius latency greater than 3 Seconds is concerning. In such scenarios we have to download the support bundle and analyse the logs.
Cisco ISE Dashboard Monitoring
- Do rate helpful posts -