12-18-2018 03:27 PM
We have a TACACS environment on ISE where authentication is done via SecurID and authorization via LDAP.
ACS allows both SecurID and LDAP to be referenced in the Identity Source Sequence. Hence the LDAP groups for users are fetched during the authentication phase and are referred to in authorization rules for all subsequent command authorization. The idea is that ACS reaches out to LDAP only once, during the authentication phase.
I believe this behaviour has changed in ISE, and ISE reaches out to LDAP for each command being fired, every time an authorization rule is hit.
Is there any way to prevent ISE from querying LDAP every time a command is fired, with some caching mechanism? We are concerned about the amount of extra load LDAP would have once we move to ISE.
12-18-2018 05:36 PM
ISE 2.3 has a cache for internal users. If you need similar for AD/LDAP, please discuss your requirements with our PM team.