On-Prem vs Cloud Latency Considerations

This document analyzes real latency impacts when deploying Cisco ISE in on-prem, cloud, or hybrid environments. Focus is on authentication critical paths, not generic network latency.

1. Authentication Critical Path

NAD → PSN → AD/DC → PKI

Latency on this path directly affects:

Authentication success rate
EAP stability
Posture behavior
RADIUS retransmissions

2. Latency Sensitivity by Flow

Flow

Sensitivity

Notes

NAD ↔ PSN

Very High

Inline EAP/RADIUS

PSN ↔ DC

High

LDAP, Kerberos

PSN ↔ PAN

Low

Control plane

PSN ↔ MnT

Medium

Logging

PSN ↔ Posture

High

Stateful

3. Recommended Design – Local PSN

3.1 Typical RTT

NAD ↔ PSN: 2–5 ms
PSN ↔ DC: 3–10 ms

3.2 Result

Authentication < 300 ms
Stable posture
No RADIUS retries

4. Anti-Pattern

Cloud PSN for On-Prem NADs

4.1 Observed RTT (Real-World)

NAD ↔ PSN: 120–180 ms
PSN ↔ DC: 140–200 ms

4.2 Symptoms

EAP timeouts
RADIUS retries
Posture stuck in Unknown
Random failures under load

5. Protocol-Specific Impact

Protocol

Latency Effect

RADIUS

Retransmits, queue buildup

EAP-TLS

TLS handshake timeout

PEAP

Inner authentication delay

Kerberos

Ticket acquisition failures

LDAP

Group lookup delay

Posture

State machine stalls

6. Design Rules

PSNs must be < 20–30 ms RTT from NADs
Avoid intercontinental authentication paths
Cloud ISE works only with:
- Cloud-hosted NADs, or
- Local PSNs per region

Key Takeaway

Authentication traffic is latency-sensitive control-plane traffic. Treating it as generic application traffic leads to instability.

PreviousCisco ISE Node Placement Strategy NextTraffic Forwarding Strategies for Cisco ISE

Last updated 2 hours ago

hashtag1. Authentication Critical Path

hashtag2. Latency Sensitivity by Flow

hashtag3. Recommended Design – Local PSN

hashtag3.1 Typical RTT

hashtag3.2 Result

hashtag4. Anti-Pattern

hashtag4.1 Observed RTT (Real-World)

hashtag4.2 Symptoms

hashtag5. Protocol-Specific Impact

hashtag6. Design Rules

hashtagKey Takeaway