02-15-2017 09:39 AM
Seeing something odd on our ClearPass system. Currently we are doing Wired Auth with only MAC Authentication via ClearPass. We have 8 subscribers, 25k hardware, behind a load balancer. Right now we just started rollout, and about 500 endpoints are authenticating from 10 switches, distributed among these 8 devices. There is a separate dedicated publisher which is not getting RADIUS traffic sent to it.
We noticed that the Cisco switches are constantly marking the RADIUS servers as dead.
Switch > Load Balancer (NAT mode) > ClearPass subscriber
The switch is configured with a 3 second timeout for RADIUS.
The issue is that there seems to be a long delay on the ClearPass server from when it receives the RADIUS Request packet to when it sends back a RADIUS Accept or Reject.
When I look on the subscriber at the average End to End response time, I see that it is about 20-40 ms.
However, when we do a PCAP of the same traffic, I can see that the RADIUS request and RADIUS response packets are anywhere from 2-3 seconds apart for many of the authentications.
To me this seems like an issue; I was under the impression that ClearPass should be responding as soon as possible?
I opened a case with TAC and they "Informed that 3 seconds delay is acceptable for NAS device", however they said that this is not documented anywhere.
Should we raise our timeout value for RADIUS on the switch to something like 5-10 seconds? Is it reasonable that when the server says an end-to-end response time is 20-40 ms, the packet arrival/response times are up to 3 seconds apart?
ACDX, ACCP, CISSP, CWNA
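The post compares the server's reported End to End response time with the request-to-response gap visible in a PCAP. The script below is an added example (not from the original post, not ClearPass or Cisco tooling) that does that second measurement from the wire: it parses the RADIUS header (Code, Identifier, Length per RFC 2865), pairs each Access-Request with its Accept or Reject by the (NAS, server, Identifier) tuple, and flags every pair whose gap exceeds the NAS timeout, plus requests that never got an answer. The packet records and the 3-second timeout are constructed sample data; to run it on a real capture, feed it the timestamp, endpoints and UDP payload of each RADIUS packet from your pcap reader.

```python
"""Measure Access-Request -> Access-Accept/Reject latency from captured RADIUS
packets and flag pairs that exceed the NAS timeout.

Added example, not from the original post. Runs on constructed packet records
(timestamp, source, destination, raw UDP payload) rather than a live PCAP.
"""
import struct
from dataclasses import dataclass

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
# Access-Challenge (11) is ignored: the post describes MAC auth only.
RESPONSE_CODES = {ACCESS_ACCEPT, ACCESS_REJECT}


@dataclass
class Packet:
    ts: float       # capture timestamp, seconds
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    payload: bytes  # UDP payload: RADIUS header + attributes


def parse_radius_header(payload: bytes):
    """Return (code, identifier, length) or None if the header is malformed."""
    if len(payload) < 20:                      # 4-byte header + 16-byte Authenticator
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):   # Length must cover at least the header
        return None
    return code, ident, length


def build_radius(code: int, ident: int, authenticator: bytes = b"\x00" * 16) -> bytes:
    """Constructed minimal RADIUS packet (no attributes) for the sample capture."""
    return struct.pack("!BBH", code, ident, 20) + authenticator


def measure_latency(packets, timeout_s: float):
    """Pair requests with responses and compute per-request latency.

    Returns one dict per Access-Request: latency in seconds (None if no
    response was captured) and timed_out (missing or slower than timeout_s).
    """
    pending = {}   # (nas, server, identifier) -> timestamp of first request
    results = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        hdr = parse_radius_header(p.payload)
        if hdr is None:
            continue
        code, ident, _ = hdr
        if code == ACCESS_REQUEST:
            # A retransmitted request reuses the Identifier; keep the earliest
            # timestamp so latency is measured from the NAS's first attempt.
            pending.setdefault((p.src, p.dst, ident), p.ts)
        elif code in RESPONSE_CODES:
            key = (p.dst, p.src, ident)        # response flows server -> NAS
            t0 = pending.pop(key, None)
            if t0 is None:
                continue                       # response to a request we did not see
            lat = p.ts - t0
            results.append({"nas": p.dst, "server": p.src, "ident": ident,
                            "latency": lat, "timed_out": lat > timeout_s})
    # Requests still pending at the end of the capture were never answered.
    for (nas, server, ident) in pending:
        results.append({"nas": nas, "server": server, "ident": ident,
                        "latency": None, "timed_out": True})
    return results


def summarize(results):
    """Counts a practitioner would compare against the NAS timeout setting."""
    lats = [r["latency"] for r in results if r["latency"] is not None]
    return {
        "requests": len(results),
        "answered": len(lats),
        "max_latency": max(lats) if lats else None,
        "over_timeout": sum(1 for r in results if r["timed_out"]),
    }


# Constructed sample capture: one switch (NAS), one subscriber, 3 s NAS timeout.
NAS, SRV = "10.0.0.1:1645", "10.0.1.5:1812"
SAMPLE = [
    Packet(0.000, NAS, SRV, build_radius(ACCESS_REQUEST, 1)),
    Packet(0.030, SRV, NAS, build_radius(ACCESS_ACCEPT, 1)),   # 30 ms: healthy
    Packet(1.000, NAS, SRV, build_radius(ACCESS_REQUEST, 2)),
    Packet(3.400, SRV, NAS, build_radius(ACCESS_REJECT, 2)),   # 2.4 s: inside the timeout
    Packet(2.000, NAS, SRV, build_radius(ACCESS_REQUEST, 3)),
    Packet(5.500, SRV, NAS, build_radius(ACCESS_ACCEPT, 3)),   # 3.5 s: NAS already gave up
    Packet(6.000, NAS, SRV, build_radius(ACCESS_REQUEST, 4)),  # never answered
]

if __name__ == "__main__":
    res = measure_latency(SAMPLE, timeout_s=3.0)
    for r in res:
        print(r)
    print(summarize(res))
```

With the load balancer in NAT mode the switch-side and subscriber-side captures show different endpoint pairs, so run the measurement on both: the switch-side gap includes load balancer transit and is the number the NAS timeout is actually judged against, while the subscriber-side gap is what to hold against the server's own End to End figure.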