Any information available on how to optimize the search base for LDAP?

Amen
Level 1

Is there any information available on how to optimize the search base for LDAP in ISE?

Arne Bier
VIP

Can you give a bit more detail about what you mean? What does a "non-optimised" LDAP search base for ISE look like?

Amen
Level 1

I have a latency problem with TACACS+:

13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request ( [Step latency=5061ms] Step latency=5061ms)
13046 TACACS+ ASCII change password request
13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request ( [Step latency=4752ms] Step latency=4752ms)
13046 TACACS+ ASCII change password request

This problem has existed since we started using ISE in our environment. Not sure if it's a design or performance problem or an issue with TACACS+.


Arne Bier
VIP

Do you have a latency measurement between that NAD device (VPN concentrator?) and the ISE node? Log into the ISE CLI and do a ping to the NAD device to see what latency you get there. Sure, ICMP is not UDP, and might get different QoS treatment (if QoS is used), but the latency should be relatively close.

Another thing to check is whether you have given that ISE PSN enough resources - 16 vCPU and 32 GB RAM. You don't have to reserve it necessarily, if you can prove without a doubt, that the VM is not getting starved of resources. Check your hypervisor performance reporting to confirm.

You can also ping the LDAP server from the ISE VM to see what the latency is.

Finally, as far as LDAP configuration is concerned, if you want to share some screenshots, we can try to assist you. But I have never seen any LDAP related tuning. It either works or it doesn't.

I'll try to answer the questions. I don't know whether we have a latency management because I don't know the VPN concentrator.

I can ping from the ISE to the jumphost and to the gateway. Here is the output:


As for the hardware of the ISE VMs, isevm01stu has 24 vCPU and 96 GB RAM and isevm01ess has 16 vCPU and 96 GB RAM.


Ping to domain controller:

isevm01stu/admin# ping vtsdc10.versatel.local
PING vtsdc10.versatel.local (10.232.68.19) 56(84) bytes of data.
64 bytes from 10.232.68.19: icmp_seq=1 ttl=126 time=1.05 ms
64 bytes from 10.232.68.19: icmp_seq=2 ttl=126 time=1.02 ms
64 bytes from 10.232.68.19: icmp_seq=3 ttl=126 time=0.971 ms
64 bytes from 10.232.68.19: icmp_seq=4 ttl=126 time=0.900 ms

hslai
Cisco Employee

@Amen : If you have a big user base, I would suggest separating the users who would use T+ into their own Organization Unit (OU) and put the distinguished name of the OU as the subject search base (e.g. OU=tplusUsers,CN=Users,DC=mydemo,DC=org).

We have a big user base in our company; we have the following subject search base in our LDAP: DC=versatel,DC=local

and the group search base is OU=Teams,OU=CiscoISE,OU=TK,OU=Gruppen,DC=versatel,DC=local

You mean we should use the group search base as the subject search base, starting with OU=CiscoISE? What is the difference between the search base and the group base? Can we use the MAC Address or the strip start option to minimize the latency?

I have a second question: if I search in the TACACS live log, I see in Network Device Name not the device name resolved from the NE IP address via DNS, but the network device names used to group the IP networks for the different profiles (NGN, VPN, Internet). Is there a possibility to see the DNS names for the network device IP addresses? Can we configure this?

thomas
Cisco Employee

Put new questions in a new thread.

I am just wondering if this can be handled by TAC better.

hslai
Cisco Employee

The subject search base means the LDAP subtree for users or computers, and the group search base is for groups. They tell the LDAP servers to narrow the scope of the searches. It's more efficient when there are fewer items to search into.

The MAC address format option is for the cases to search for MAC addresses (as subject).

The strip options are to manipulate the input strings of the subjects in case the inputs have extra prefixes or suffixes compared to what is stored in LDAP.

As to DNS resolution for network devices, no, ISE does not perform such lookups.
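As an added illustration of the search-base and strip-option points above (example code written for this thread, not ISE code or anything posted by the participants): a toy model of an LDAP subject lookup that shows how a narrower search base shrinks the set of entries the server has to consider, and how stripping a domain prefix or suffix normalises the incoming TACACS+ username. The directory entries and the OU=TacacsUsers container are constructed; DC=versatel,DC=local and the group OU come from the thread.

```python
# Constructed sample directory: DN -> sAMAccountName (not real versatel.local data).
DIRECTORY = {
    "CN=alice,OU=TacacsUsers,DC=versatel,DC=local": "alice",
    "CN=bob,OU=TacacsUsers,DC=versatel,DC=local": "bob",
    "CN=carol,CN=Users,DC=versatel,DC=local": "carol",
    "CN=dave,OU=Sales,DC=versatel,DC=local": "dave",
    "CN=NetAdmins,OU=Teams,OU=CiscoISE,OU=TK,OU=Gruppen,DC=versatel,DC=local": "NetAdmins",
}


def parse_dn(dn):
    """Split 'OU=Teams,DC=versatel,DC=local' into normalised (attr, value) RDNs.
    Toy parser: escaped commas inside values are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(entry_dn, base_dn, scope="sub"):
    """True if entry_dn lies under base_dn for LDAP scope 'base', 'one' or 'sub'."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def strip_subject(subject, strip_prefix_sep="", strip_suffix_sep=""):
    """Mimic the ISE 'strip start/end of subject name' options:
    'VERSATEL\\alice' -> 'alice' (prefix '\\'), 'alice@versatel.local' -> 'alice' (suffix '@')."""
    if strip_prefix_sep and strip_prefix_sep in subject:
        subject = subject.split(strip_prefix_sep, 1)[1]
    if strip_suffix_sep and strip_suffix_sep in subject:
        subject = subject.rsplit(strip_suffix_sep, 1)[0]
    return subject


def find_subject(directory, subject, base_dn, scope="sub"):
    """Return (matching DN or None, number of entries inside the search base).
    The second value is the work the server does: a narrower base means fewer entries."""
    candidates = [dn for dn in directory if in_scope(dn, base_dn, scope)]
    for dn in candidates:
        if directory[dn].lower() == subject.lower():
            return dn, len(candidates)
    return None, len(candidates)


if __name__ == "__main__":
    user = strip_subject("VERSATEL\\alice", strip_prefix_sep="\\")
    print("broad base :", find_subject(DIRECTORY, user, "DC=versatel,DC=local"))
    print("narrow base:", find_subject(DIRECTORY, user, "OU=TacacsUsers,DC=versatel,DC=local"))
```

With the broad base every entry in the domain is in scope; with the narrow OU only the two TACACS+ users are, which is the effect hslai describes.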
