Difference between how ACS and ISE queries AD/LDAP groups for TACACS+

umahar — Tue, 18 Dec 2018 23:27:46 GMT

We have a TACACS environment on ISE where authentication is done via SecurID and authorization via LDAP.

ACS allows for both SecureID and Ldap to be referred to in the Identity Source Sequence. Hence the LDAP group for users are fetched during authentication phase and are referred in authorization rules for all subsequent command authorization. The idea is that ACS only reaches out to LDAP only once during authentication phase.

I believe this behaviour has changed in ISE and ISE reaches out to LDAP for each command being fired every time an authorization rule is hit.

Is there any way to prevent for ISE to not query the LDAP everytime a command is fired with some caching mechanism fired ? We are concerned about the amount of extra load LDAP would have once we move into ISE.

Re: Difference between how ACS and ISE queries AD/LDAP groups for TACACS+

hslai — Wed, 19 Dec 2018 01:36:46 GMT

ISE 2.3 has a cache for internal users. If you need similar for AD/LDAP, please discuss your requirements with our PM team.

topic Re: Difference between how ACS and ISE queries AD/LDAP groups for TACACS+ in Network Access Control

Difference between how ACS and ISE queries AD/LDAP groups for TACACS+

Re: Difference between how ACS and ISE queries AD/LDAP groups for TACACS+