Jonathan Casillas
Cisco Employee

Intro

This document presents the ISE data limiting best practices that can dramatically improve the system performance on ISE.

Symptoms

Your deployment may be impacted if the Alarms tab on ISE frequently shows "High load average", "High CPU usage" or "High memory usage" alarms.

Solution

  1. Suppression should be enabled under Administration -> System -> Settings -> Protocols -> RADIUS.
  2. Enable "EndPoint Attribute Filter" under Work Centers -> Profiler -> Profiler Settings. The Endpoint Attribute Filter restricts profile data collection and replication to the attributes needed to support device classification and maintenance of the endpoint in the database. The filter is sometimes referred to as the "Whitelist" filter. Please see: https://community.cisco.com/t5/network-access-control/endpoint-attribute-filter/td-p/3513108
  3. DHCP probe. If you have the DHCP probe enabled via ip-helper for profiling, it is recommended to point each NAD at only 1 or 2 PSNs: the PSNs that you have listed in the RADIUS server group on that NAD. If you have multiple PSNs for one particular location, you can create node groups.
  4. Data limiting best practices for wired and wireless networks:

Wireless (WLC).

* RADIUS server timeout: Increase from default of 2 to 5 sec.

* RADIUS Aggressive-Failover: Disable aggressive failover.

* RADIUS Interim Accounting: v7.6: Disable; v8.0+: Enable with interval of 0. (Update auto-sent on DHCP lease or Device Sensor)

* Idle Timer: Increase to 1 hour (3600 sec) for secure SSIDs

* Session Timeout: Increase to 2+ hours (7200+sec)

* Client Exclusion: Enable and set exclusion timeout to 180+ sec

* Roaming: Enable CCKM/SKC/802.11r (when feasible)


Wired.

* RADIUS Interim Accounting: Use the newinfo parameter with a long interval (for example, 24-48 hrs), if available. Otherwise, set 15 mins.

* 802.1X Timeouts

- held-period: Increase to 300+ sec

- quiet-period: Increase to 300+ sec

- ratelimit-period: Increase to 300+ sec

* Inactivity Timer: Disable or increase to 1+ hours (3600+ sec)

* Session Timeout: Disable or increase to 2+ hours (7200+ sec)

* Reauth Timer: Disable or increase to 2+ hours (7200+ sec)


  5. Test probes

* Wired NAD: RADIUS test probe interval set with idle-time parameter in radius-server config; Default is 60 min.

* Wireless NAD: If configured, WLC only sends "active" probe when server marked as dead. *No action required*

* Load Balancers: Set health probe intervals and retry values short enough to ensure prompt failover to another server in cluster occurs prior to NAD RADIUS timeout (typically 20-60 sec.) but long enough to avoid excessive test probes.
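To check a wired NAD against the timer recommendations above (802.1X held/quiet/ratelimit periods, inactivity and reauth timers, the accounting newinfo interval, and the test-probe idle-time), here is an added audit script that is not part of the original document. It parses a constructed, IOS-style running-config excerpt (the command syntax is an assumption and may need adapting to your platform and software version) and reports every timer that is below the checklist's recommended minimum; timers that are absent are treated as disabled, which the checklist also accepts for the inactivity, session and reauth timers.

```python
import re

# Minimum values the checklist recommends for wired NAD timers (seconds).
# Absent timers are not flagged: "disable or increase" is satisfied either way.
WIRED_MINIMUMS = {
    "held-period": 300,
    "quiet-period": 300,
    "ratelimit-period": 300,
    "inactivity": 3600,
    "reauthenticate": 7200,
}

# Accounting update interval in minutes: the checklist says use a long newinfo
# interval (24-48 h) where available, otherwise 15 min, so 15 is the floor.
NEWINFO_MINIMUM_MINUTES = 15

# Regexes keyed by checklist parameter name. The command syntax is an
# assumption of IOS-style configuration; adapt the patterns to your platform.
PATTERNS = {
    "held-period": re.compile(r"^\s*dot1x timeout held-period (\d+)", re.M),
    "quiet-period": re.compile(r"^\s*dot1x timeout quiet-period (\d+)", re.M),
    "ratelimit-period": re.compile(r"^\s*dot1x timeout ratelimit-period (\d+)", re.M),
    "inactivity": re.compile(r"^\s*authentication timer inactivity (\d+)", re.M),
    "reauthenticate": re.compile(r"^\s*authentication timer reauthenticate (\d+)", re.M),
    "newinfo-periodic": re.compile(r"^\s*aaa accounting update newinfo periodic (\d+)", re.M),
    # Test-probe interval (minutes); reported for information, not scored.
    "test-probe-idle-time": re.compile(r"^\s*automate-tester username \S+ idle-time (\d+)", re.M),
}

# Constructed sample running-config excerpt (not from any real device).
SAMPLE_CONFIG = """
aaa accounting update newinfo periodic 15
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 automate-tester username probe-user idle-time 60
interface GigabitEthernet1/0/1
 dot1x timeout quiet-period 60
 dot1x timeout held-period 60
 dot1x timeout ratelimit-period 300
 authentication timer inactivity 600
 authentication timer reauthenticate 1800
"""


def parse_timers(config_text):
    """Return {parameter: [values...]} for every checklist parameter present.

    A list is kept per parameter because interface-level timers may appear
    once per interface in a full running-config.
    """
    found = {}
    for name, pattern in PATTERNS.items():
        values = [int(v) for v in pattern.findall(config_text)]
        if values:
            found[name] = values
    return found


def audit(config_text):
    """Compare parsed timers to the checklist.

    Returns a list of (parameter, configured_value, recommended_minimum)
    for every configured value that falls below the recommendation.
    """
    found = parse_timers(config_text)
    findings = []
    for name, minimum in WIRED_MINIMUMS.items():
        for value in found.get(name, []):
            if value < minimum:
                findings.append((name, value, minimum))
    for value in found.get("newinfo-periodic", []):
        if value < NEWINFO_MINIMUM_MINUTES:
            findings.append(("newinfo-periodic", value, NEWINFO_MINIMUM_MINUTES))
    return findings


if __name__ == "__main__":
    timers = parse_timers(SAMPLE_CONFIG)
    for probe in timers.get("test-probe-idle-time", []):
        print(f"info: RADIUS test probe idle-time is {probe} min (default is 60)")
    for name, value, minimum in audit(SAMPLE_CONFIG):
        print(f"below recommendation: {name} = {value}, checklist minimum {minimum}")
```

Run it against a saved `show running-config` instead of `SAMPLE_CONFIG` to get a per-device list of timers that still generate avoidable RADIUS and accounting load on the PSNs.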
