End-to-End Flow: Authentication + Authorization + Posture

1. The core idea

Authentication and posture do not “happen inside ISE”. They are distributed transactions across:

Endpoint ↔ NAD
NAD ↔ ISE (RADIUS/EAP)
ISE ↔ identity sources (AD/LDAP/Kerberos)
Endpoint posture module ↔ ISE posture services (often HTTPS-based)
Certificate validation components (CRL/OCSP) when certificates are used
DNS and NTP that keep the above functioning

Every additional hop adds RTT, jitter sensitivity, and failure probability.

2. Actors and responsibilities

Endpoint (Supplicant)

Initiates 802.1X/EAP conversation (wired or wireless), or VPN auth.
May run posture module (Cisco Secure Client / AnyConnect ISE posture module).
Uses certificates (EAP-TLS) or username/password (PEAP/EAP-MSCHAPv2, etc).

NAD (Network Access Device)

Examples: switch, WLC, VPN headend, firewall, controller.

Acts as the first policy enforcement point (PEP).
Relays EAP inside RADIUS (EAPoL ↔ RADIUS EAP messages).
Handles UDP retransmissions and timeouts at the RADIUS layer.
Applies VLAN/SGT/dACL/ACL decisions from ISE.

Cisco ISE

Policy engine (PDP) for authentication and authorization.
Session state controller.
Integrates with external identity stores (AD, LDAP).
Hosts posture services and posture policy evaluation.
Returns Access-Accept/Reject/Challenge plus authorization attributes.

Identity stores (AD / LDAP / Kerberos)

Validate machine/user identity and group membership.
Require DNS correctness, time synchronization, and correct site selection.

3. A practical sequence (high-level)

(1) Endpoint connects
(2) NAD starts 802.1X (EAPoL) or VPN identity exchange
(3) NAD encapsulates EAP into RADIUS and sends to ISE
(4) ISE evaluates policy
(5) ISE queries identity stores (LDAP/Kerberos/AD)
(6) ISE responds with Access-Accept/Reject/Challenge
(7) NAD enforces access policy
(8) Posture (if enabled): endpoint receives requirement policy, evaluates locally,
    sends posture results back to ISE, then authorization may change

4. Why latency hits posture harder than authentication

Authentication is often a bounded handshake (though it can be multi–round-trip under EAP).

Posture, however, is stateful and can involve:

Requirement retrieval
Local checks (processes, registry, AV status, file versions)
Optional remediation
Periodic reassessment
CoA events / session updates

Each of these steps adds time and introduces additional dependencies, which magnify the impact of latency.

5. The “single cause” myth

When people say “ISE is slow”, they often ignore the broader dependency chain, including:

NAD ↔ ISE RTT
ISE ↔ AD RTT
DNS resolution time for service discovery and SRV records
Kerberos time skew sensitivity (NTP)
PKI revocation checking delays (CRL / OCSP)
Posture module communications and reassessment intervals

ISE is frequently where the symptoms surface, not where the root cause actually lives.

PreviousProtocols and Dependencies (What Must Work)Next02-protocols-and-latency

Last updated 1 hour ago

hashtag1. The core idea

hashtag2. Actors and responsibilities

hashtagEndpoint (Supplicant)

hashtagNAD (Network Access Device)

hashtagCisco ISE

hashtagIdentity stores (AD / LDAP / Kerberos)

hashtag3. A practical sequence (high-level)

hashtag4. Why latency hits posture harder than authentication

hashtag5. The “single cause” myth