Latency that impacts authentication and posture includes:
RTT (Round Trip Time) between NAD and ISE
RTT between ISE and AD/DCs
Jitter (variance in latency)
Packet loss (causes retransmits)
Queueing delay (buffering, microbursts)
DNS query time (can be milliseconds or seconds)
TCP handshake delay (LDAP/LDAPS, HTTPS posture)
Path asymmetry (forward vs return paths)
A stable 80 ms RTT can be healthier than a “50 ms average” that spikes to 250 ms every few seconds.
RADIUS is UDP-based; reliability is implemented at the client. If the NAD timer is short and the RTT increases, the NAD may retry before ISE can respond, multiplying load.
EAP methods can involve several exchanges. In high RTT scenarios, the “sum of RTTs” becomes the real cost.
Even if NAD ↔ ISE is low latency, ISE may still need:
AD/LDAP group resolution
Kerberos validation
DNS lookups
Certificate checks
Posture state evaluation
The total time is approximately:
NAD ↔ ISE cycles
RADIUS/EAP round-trip exchanges between NAD and ISE
ISE ↔ AD cycles
LDAP and Kerberos interactions with Active Directory
DNS / NTP / PKI delays
Name resolution, time synchronization, and certificate validation
Policy evaluation time
Authorization and posture policy processing within ISE
“ISE is slow” → Often means “our backend and network path are slow”
“Just increase the timeout” → Often increases session duration and the attack window
“Latency only affects user experience” → It also affects security assurance (fail-open conditions, cached posture states)
Measure latency and dependency health at each segment:
NAD ↔ ISE
ISE ↔ Identity stores (AD / DC / LDAP / Kerberos)
DNS resolution (local vs remote, correctness)
NTP health (clock skew, reachability)
PKI revocation endpoints (CRL / OCSP locality)
Posture module ↔ ISE posture services
If you only measure (1), you miss most root causes.
Last updated
