Re: Device end to end processing time

End-to-end request processing time is graphed in ClearPass under system monitor > ClearPass tab, then under the pulldown menu. You'd have to look at service categorization, authentication, role mapping, etc., and then subtract that from end-to-end time to interpret the CPPM->AD amount of time. You can also look at the logs for an individual client in access tracker and look at first and last log timestamps to get that individual's experience.


Aruba will tell you Clarity Live can tell you this, but I have found that is significantly skewed by "passer by" clients.


We're looking at seriously moving towards EAP-TLS, which will remove the whole AD portion from the equation.


As for the caching question, OKC will work for clients that support it and not require a reauthentication when they roam. If they disconnect, they'll have to auth when they return unless a PMKID exists for that BSSID and client that hasn't timed out.

Or, if you're referring to the ClearPass authentication source "caching", that's just for LDAP(S) attributes. NTLM AD authentication would still occur.

Ryan Holland, ACDX #1 ACMX #1
The Ohio State University