Difference between how ACS and ISE queries AD/LDAP groups for TACACS+

umahar (Cisco Employee)

We have a TACACS+ environment on ISE where authentication is done via SecurID and authorization via LDAP.

ACS allows both SecurID and LDAP to be referenced in the Identity Source Sequence. Hence the LDAP groups for users are fetched during the authentication phase and are referred to in authorization rules for all subsequent command authorization. The idea is that ACS reaches out to LDAP only once, during the authentication phase.

I believe this behaviour has changed in ISE, and ISE reaches out to LDAP for each command being fired, every time an authorization rule is hit.

Is there any way to prevent ISE from querying LDAP every time a command is fired, with some caching mechanism? We are concerned about the amount of extra load LDAP would have once we move to ISE.
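To make the difference between the two behaviours described in the question concrete, here is an added model (not code from the original post, and not ACS or ISE code) of a TACACS+ command-authorization path that queries LDAP per command versus one that fetches group membership once at authentication and reuses it for a TTL. The directory contents, user names, commands, the 300-second TTL and the policy (config commands require the `netops-admins` group, `show` commands require any group) are all assumptions chosen for illustration. It also shows the caveat a practitioner should weigh before asking for a cache: a cached membership keeps authorizing commands after the group has been removed in the directory, until the entry expires.

```python
"""Per-command LDAP lookup vs. a TTL-bounded group cache for TACACS+ command authorization.

Added illustration with constructed data; not ACS/ISE code.
"""

# Constructed sample directory (not a real LDAP server): user -> group names.
SAMPLE_DIRECTORY = {
    "alice": {"netops-admins"},
    "bob": {"netops-readonly"},
}
SAMPLE_COMMANDS = ["show running-config", "configure terminal", "show ip route"]


class LdapDirectory:
    """Stand-in for the LDAP server; counts every group lookup so load can be compared."""

    def __init__(self, data):
        self.data = {user: set(groups) for user, groups in data.items()}
        self.queries = 0

    def groups_for(self, user):
        self.queries += 1
        return set(self.data.get(user, set()))  # copy, so callers cannot alias live data


class FakeClock:
    """Deterministic clock so TTL expiry can be driven explicitly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def policy_allows(groups, command):
    """Assumed authorization rules: 'show' needs any group, anything else needs netops-admins."""
    if command.startswith("show "):
        return bool(groups)
    return "netops-admins" in groups


class PerCommandAuthorizer:
    """ISE-style behaviour as described in the question: one LDAP lookup per command."""

    def __init__(self, ldap):
        self.ldap = ldap

    def authenticate(self, user):
        return True  # authentication is handled by a separate source (e.g. an OTP server)

    def authorize(self, user, command):
        return policy_allows(self.ldap.groups_for(user), command)


class CachedAuthorizer:
    """ACS-style behaviour as described: groups fetched at authentication, reused until the TTL expires."""

    def __init__(self, ldap, ttl_seconds, clock):
        self.ldap = ldap
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache = {}  # user -> (groups, fetched_at)

    def _groups(self, user):
        entry = self.cache.get(user)
        now = self.clock()
        if entry is None or now - entry[1] >= self.ttl:
            entry = (self.ldap.groups_for(user), now)
            self.cache[user] = entry
        return entry[0]

    def authenticate(self, user):
        self._groups(user)  # warm the cache during the authentication phase
        return True

    def authorize(self, user, command):
        return policy_allows(self._groups(user), command)


def count_ldap_queries(cached, commands=SAMPLE_COMMANDS, ttl=300):
    """Run one login plus a command sequence; return (LDAP query count, per-command decisions)."""
    ldap = LdapDirectory(SAMPLE_DIRECTORY)
    clock = FakeClock()
    authz = CachedAuthorizer(ldap, ttl, clock) if cached else PerCommandAuthorizer(ldap)
    authz.authenticate("alice")
    decisions = [authz.authorize("alice", cmd) for cmd in commands]
    return ldap.queries, decisions


def revocation_lag(ttl=300):
    """Remove alice's admin group after login; return ((per-command, cached) before TTL, cached after TTL)."""
    ldap = LdapDirectory(SAMPLE_DIRECTORY)
    clock = FakeClock()
    direct, cached = PerCommandAuthorizer(ldap), CachedAuthorizer(ldap, ttl, clock)
    direct.authenticate("alice")
    cached.authenticate("alice")
    ldap.data["alice"].discard("netops-admins")  # revocation happens in the directory
    before = (direct.authorize("alice", "configure terminal"), cached.authorize("alice", "configure terminal"))
    clock.advance(ttl)  # entry expires, next lookup goes back to LDAP
    return before, cached.authorize("alice", "configure terminal")


if __name__ == "__main__":
    print("per-command:", count_ldap_queries(cached=False))
    print("cached:     ", count_ldap_queries(cached=True))
    print("revocation: ", revocation_lag())
```

With three commands in a session the per-command authorizer makes three LDAP queries and the cached one makes one, which is the load difference the question is about. The second function shows the trade-off: after the admin group is removed, the per-command path denies `configure terminal` immediately while the cached path keeps permitting it until the TTL elapses, so any cache of this kind needs a TTL short enough to bound that revocation window.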

Accepted Solution

hslai (Cisco Employee)

ISE 2.3 has a cache for internal users. If you need similar for AD/LDAP, please discuss your requirements with our PM team.
