Traffic Forwarding Strategies for Cisco ISE

This document defines how authentication traffic should be forwarded in hybrid WAN and SD-WAN environments.


1. Authentication Traffic Characteristics

  • Control-plane traffic

  • Highly latency and jitter sensitive

  • Stateful (EAP, posture)

RADIUS ≠ data traffic


2. Good Pattern – Local Authentication


2.1 Characteristics

  • Deterministic path

  • Low RTT

  • No WAN hairpinning

3. Bad Pattern – Hub-and-Spoke Authentication


3.1 Observed Issues

  • Increased jitter

  • EAP instability

  • Posture oscillation

4. SD-WAN Policy Design (Conceptual)

4.1 Match

  • UDP 1812 / 1813 (RADIUS)

  • TCP 443 (Posture)

  • TCP 49 (TACACS, if used)

4.2 Actions

  • Strict SLA

  • Prefer local transport

  • No cloud security insertion

  • Avoid FEC for authentication traffic

5. Multi-Region Example (BR ↔ US)

Flow                     Valid
NAD-BR → PSN-BR          Yes
PSN-BR → DC-BR           Yes
NAD-BR → PSN-US          No
Auth via global hub      No
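As an added example (not part of the original document), a small Python audit that applies the section 4.1 match list and the section 5 locality rule to flow records. The ROLE-REGION hop labels, the PSN-only scoping of TCP 443 and the sample flows are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Optional

# Ports from section 4.1. TCP 443 is treated as posture only when the destination
# hop is a PSN (an assumption here; otherwise every HTTPS flow would match).
AUTH_PORTS = {
    ("udp", 1812): "RADIUS authentication",
    ("udp", 1813): "RADIUS accounting",
    ("tcp", 443): "posture",
    ("tcp", 49): "TACACS+",
}

@dataclass(frozen=True)
class Flow:
    """Hops are ROLE-REGION labels such as 'NAD-BR' or 'HUB-US'; first hop is the source."""
    path: tuple
    proto: str
    dport: int

def region(hop: str) -> str:
    return hop.rsplit("-", 1)[1]

def classify(flow: Flow) -> Optional[str]:
    """Return the authentication traffic class, or None when the flow is out of scope."""
    name = AUTH_PORTS.get((flow.proto.lower(), flow.dport))
    if name == "posture" and not flow.path[-1].startswith("PSN-"):
        return None
    return name

def evaluate(flow: Flow) -> tuple:
    """Section 5 rule: every hop of an authentication flow stays in the source's region."""
    name = classify(flow)
    if name is None:
        return True, "not authentication traffic; outside this policy"
    home = region(flow.path[0])
    foreign = [hop for hop in flow.path[1:] if region(hop) != home]
    if foreign:
        return False, f"{name} leaves region {home} via {', '.join(foreign)}; authenticate locally"
    return True, f"{name} stays inside region {home}"

def audit(flows) -> list:
    return [(f, reason) for f in flows for ok, reason in [evaluate(f)] if not ok]

# Constructed flows mirroring the section 5 table; not measured data.
SAMPLE_FLOWS = [
    Flow(("NAD-BR", "PSN-BR"), "udp", 1812),           # local RADIUS: valid
    Flow(("NAD-BR", "PSN-US"), "udp", 1812),           # cross-region PSN: invalid
    Flow(("NAD-BR", "HUB-US", "PSN-BR"), "tcp", 443),  # posture hairpinned via a global hub: invalid
    Flow(("NAD-BR", "WEB-US"), "tcp", 443),            # ordinary HTTPS: out of scope
]
```

Running `audit(SAMPLE_FLOWS)` returns only the two flows that leave region BR, each with the reason the policy rejects it.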

6. Real-World Scenario

6.1 Topology

  • NAD: São Paulo

  • PSN: AWS us-east-1

  • DC: On-prem São Paulo

6.2 Measured RTT

  • NAD ↔ PSN: 160 ms

  • PSN ↔ DC: 180 ms

6.3 Symptoms

  • EAP-TLS failures under load

  • RADIUS retransmits

  • Posture stuck in Unknown

Key Takeaway

Authentication traffic must be explicitly engineered. Leaving it to generic routing decisions leads to unpredictable behavior.
