Added Authentication Latency, Authentication Timeout Value on AAA Clients – Cisco 3.3 User Manual


15-9

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 15 Unknown User Policy

Authentication and Unknown Users

Added Authentication Latency

Adding external user databases against which to authenticate unknown users can
significantly increase the time needed for each individual authentication. At best,
the time needed for each authentication is the time taken by the external user
database to authenticate, plus some time for Cisco Secure ACS processing. In
some circumstances (for example, when using a Windows user database), the
extra latency introduced by an external user database can be as much as tens of
seconds. If you have configured the Unknown User Policy to include multiple
databases in unknown user authentication, the latency your AAA client timeout
values must account for is the sum of the time taken for each external user
database to respond to an authentication request of an unknown user, plus the time
taken for Cisco Secure ACS processing.

You can reduce the effect of this added latency by setting the order of databases.
If you are using an authentication protocol that is particularly time sensitive, such
as PEAP, we recommend configuring unknown user authentication to attempt
authentication first with the database most likely to contain unknown users using
the time-sensitive protocol. For more information, see Database Search Order, page 15-14.

Authentication Timeout Value on AAA clients

Be sure to increase the AAA client timeout to accommodate the longer
authentication time required for Cisco Secure ACS to pass the authentication
request to the external user databases used by unknown user authentication. If the
AAA client timeout value is not set high enough to account for the delay required
by unknown user authentication, the AAA client times out the request and every
unknown user authentication fails.

In Cisco IOS, the default AAA client timeout value is five seconds. If you have
Cisco Secure ACS configured to search through several databases or if your
databases are slow to respond to authentication requests, consider increasing the
timeout values on AAA clients. For more information about authentication
timeout values in IOS, refer to your Cisco IOS documentation.
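The two points above (the AAA client timeout must cover the sum of every external database's response time plus ACS processing, and database order decides how long the typical unknown user waits) can be checked with a small model. This is an added example, not Cisco's code: the database names, latencies, hit rates and the ACS processing overhead are constructed values.

```python
"""Model of an ordered unknown-user search across external databases.

Constructed example (not Cisco Secure ACS code): each database has a response
latency and the share of unknown users it holds; search stops at the first hit.
"""
from dataclasses import dataclass
from itertools import permutations

ACS_PROCESSING_S = 0.5        # assumed Cisco Secure ACS processing overhead
IOS_DEFAULT_TIMEOUT_S = 5.0   # Cisco IOS default AAA client timeout


@dataclass(frozen=True)
class ExternalDb:
    name: str
    latency_s: float   # time for this database to answer one request
    p_found: float     # fraction of unknown users this database holds


# Constructed sample: a slow Windows database that holds most unknown users,
# a fast LDAP directory, and a rarely-hit ODBC database.
DATABASES = (
    ExternalDb("Windows", 8.0, 0.60),
    ExternalDb("LDAP", 1.0, 0.30),
    ExternalDb("ODBC", 2.0, 0.05),
)


def worst_case_latency(order):
    """User in none of the databases: every database in the order is queried."""
    return ACS_PROCESSING_S + sum(db.latency_s for db in order)


def expected_latency(order):
    """Average wait: a database is only queried if no earlier one knew the user."""
    total, p_reach = ACS_PROCESSING_S, 1.0
    for db in order:
        total += db.latency_s * p_reach
        p_reach -= db.p_found
    return total


def best_order(dbs):
    """Search order with the lowest expected latency (exhaustive; few databases)."""
    return min(permutations(dbs), key=expected_latency)


def timeout_ok(order, client_timeout_s):
    """The AAA client must outlast the worst case, or every unknown user fails."""
    return worst_case_latency(order) <= client_timeout_s


if __name__ == "__main__":
    order = best_order(DATABASES)
    print("best order:", [db.name for db in order])
    print("expected %.1fs, worst case %.1fs" % (expected_latency(order), worst_case_latency(order)))
    print("IOS default timeout sufficient:", timeout_ok(order, IOS_DEFAULT_TIMEOUT_S))
```

Reordering lowers the typical wait but not the worst case, so the client timeout still has to cover the full sum.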
