Regular Contributor I
Posts: 171
Registered: 04-13-2009

ClearPass End to End processing time vs Network response time

Hi Everyone,

Seeing something odd on our ClearPass system. Currently we are doing Wired Auth with only MAC Authentication via ClearPass. We have 8 subscribers, 25k hardware, behind a load balancer. Right now we just started roll out, and about 500 endpoints are authenticating from 10 switches, distributed among these 8 devices. There is a separate dedicated publisher which is not getting RADIUS traffic sent to it.

We noticed that the Cisco switches are constantly marking the Radius servers as dead.

Our flow:

Switch > Load Balancer (NAT mode) > ClearPass subscriber

The switch is configured with a 3 second timeout for RADIUS.

The issue is that there seems to be a long delay on the ClearPass server from when it receives the Radius Request packet, to when it sends back a RADIUS accept or reject.

When I look on the subscriber, and look at the average End to End response time I see that it is about 20-40 ms.

However when we do a PCAP of the same traffic, I can see that the RADIUS request, and RADIUS response packets are anywhere from 2-3 seconds apart for many of the authentications.

To me this seems like an issue, I was under the impression that ClearPass should be responding as soon as possible?

I opened a case with TAC and they "Informed that 3 seconds delay is acceptable for NAS device", however they said that this is not documented anywhere.

Should we raise our timeout value for Radius on the switch to something like 5-10 seconds? Is it reasonable that when the server says an end-to-end response time is 20-40 ms, that the packet arrival/response time are up to 3 seconds apart?

Thanks,

ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
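One way to measure the discrepancy described in the post from the capture itself rather than from the ClearPass dashboard, as an added example that is not part of the original post and not Aruba's or Cisco's code: a script that pairs each Access-Request with its Access-Accept or Access-Reject by (NAS address, server address, RADIUS Identifier), computes the wire-level request-to-response latency, and counts exchanges that exceed the switch's 3 second timeout. The input format is what `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e radius.code -e radius.id` emits; the sample records below are constructed, the addresses are placeholders, and treating a repeated Identifier with no answer yet as a retransmission (keeping the first send time) is an assumption of this example.

```python
"""Pair RADIUS requests with responses from a packet capture and compare
wire-level latency against the NAS (switch) timeout.

Expected input: tab-separated lines as produced by
  tshark -r capture.pcap -Y radius -T fields \
      -e frame.time_epoch -e ip.src -e ip.dst -e radius.code -e radius.id
The SAMPLE below is constructed for illustration, not a real capture.
"""
from dataclasses import dataclass
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
NAS_TIMEOUT_S = 3.0  # the switch's RADIUS timeout quoted in the post

# Constructed records: NAS 10.0.0.1 (placeholder) talking to server/VIP
# 10.0.0.254 (placeholder). Identifier 13 is never answered; identifier 14
# is retransmitted once before its answer arrives.
SAMPLE = "\n".join([
    "100.000\t10.0.0.1\t10.0.0.254\t1\t10",
    "100.030\t10.0.0.254\t10.0.0.1\t2\t10",   # 30 ms
    "100.100\t10.0.0.1\t10.0.0.254\t1\t11",
    "100.135\t10.0.0.254\t10.0.0.1\t2\t11",   # 35 ms
    "100.200\t10.0.0.1\t10.0.0.254\t1\t12",
    "100.300\t10.0.0.1\t10.0.0.254\t1\t13",   # never answered
    "100.400\t10.0.0.1\t10.0.0.254\t1\t14",
    "103.400\t10.0.0.1\t10.0.0.254\t1\t14",   # retransmission, same Identifier
    "103.450\t10.0.0.254\t10.0.0.1\t3\t12",   # reject, 3.25 s after the request
    "103.460\t10.0.0.254\t10.0.0.1\t2\t14",   # accept, 3.06 s after first send
])


@dataclass
class Exchange:
    nas: str
    server: str
    radius_id: int
    sent: float
    answered: Optional[float] = None
    code: Optional[int] = None

    @property
    def latency(self) -> Optional[float]:
        return None if self.answered is None else self.answered - self.sent

    def exceeds(self, timeout_s: float) -> bool:
        # An unanswered request also counts: the NAS gives up on it, and enough
        # of those is what makes the switch mark the server dead.
        return self.latency is None or self.latency > timeout_s


def parse_records(text: str):
    """Yield (timestamp, src, dst, code, identifier) from tshark field output."""
    for line in text.strip().splitlines():
        ts, src, dst, code, rid = line.split("\t")
        yield float(ts), src, dst, int(code), int(rid)


def pair_exchanges(records) -> list:
    """Match requests to responses by (NAS, server, Identifier); unanswered
    requests are returned with answered=None."""
    pending: dict = {}
    done: list = []
    for ts, src, dst, code, rid in sorted(records):
        if code == ACCESS_REQUEST:
            key = (src, dst, rid)
            # Assumption: same key seen again before any answer = retransmission;
            # keep the original send time so latency reflects what the NAS waited.
            if key not in pending:
                pending[key] = Exchange(nas=src, server=dst, radius_id=rid, sent=ts)
        elif code in (ACCESS_ACCEPT, ACCESS_REJECT):
            ex = pending.pop((dst, src, rid), None)
            if ex is None:
                continue  # response with no request in this capture window
            ex.answered, ex.code = ts, code
            done.append(ex)
    done.extend(pending.values())
    return done


def summarize(exchanges, timeout_s: float = NAS_TIMEOUT_S) -> dict:
    latencies = [e.latency for e in exchanges if e.latency is not None]
    return {
        "requests": len(exchanges),
        "answered": len(latencies),
        "over_timeout": sum(1 for e in exchanges if e.exceeds(timeout_s)),
        "mean_latency": sum(latencies) / len(latencies) if latencies else None,
        "max_latency": max(latencies, default=None),
    }


def analyze(text: str, timeout_s: float = NAS_TIMEOUT_S) -> dict:
    return summarize(pair_exchanges(parse_records(text)), timeout_s)


if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(f"{k}: {v}")
```

The average alone is the misleading figure in this situation: in the constructed sample the mean latency is well under the timeout while three of five exchanges are still lost from the switch's point of view, so the count of exchanges over the timeout (including unanswered ones) is the number to compare with the switch's dead-server events. The server's end-to-end metric can only measure time between ClearPass receiving a packet and sending its answer; a capture taken on the switch side also includes the load balancer's NAT hop in both directions and any queueing before the packet is read, which is where the two numbers can legitimately diverge. Run `analyze` on a real capture with the switch's configured timeout, and again with the proposed 5-10 seconds, to see how many exchanges the longer timeout would actually rescue.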