
How many LDAP can join to cisco ise

jewfcb001
Level 4

Hi All,


I would like to find information about the maximum number of LDAP servers that can be joined to ISE. I can only find the Active Directory maximum (50 join points for ISE), but I cannot see this information for LDAP. Please suggest.

6 Replies

Greg Gibbs
Cisco Employee

Only two LDAP servers (Primary/Secondary) can be configured for one LDAP connection. I'm not aware of any documented/validated maximum LDAP connection limits for ISE. The AD limit is due to the AD agent running on ISE. LDAP does not use an agent, so theoretically it could support an unlimited number.

The more LDAP connections used, however, would likely increase the complexity of the policy model exponentially. The more LDAP connections you add to an Identity Source Sequence, the more performance and delay issues you would likely see as ISE would potentially have to search through each one in sequence to find the resource trying to authenticate.

@Greg Gibbs 

Thank you for the information. From your information, by "2 LDAP servers" do you mean 1 group or 1 LDAP connection, or not? That is, if I would like to create many LDAP groups, can I do that?


In ISE, an LDAP Identity Source can consist of up to two LDAP servers (Primary/Secondary). ISE will allow you to configure multiple LDAP Identity Sources for either separate LDAP clusters or the same clusters (IP addresses) using different connectivity methods (LDAP/LDAPS) and/or Search Bases.

Example of two Sources with two LDAP servers each (Primary/Secondary) that use the same IP addresses (1.1.1.1, 1.1.1.2) and different search bases (OU=Finance,DC=domain,DC=local; OU=Legal,DC=domain,DC=local):

[Screenshot: Screen Shot 2022-02-25 at 1.56.37 pm.png]
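The behaviour described in this thread (an LDAP Identity Source holds at most a primary and a secondary server, several sources can point at the same hosts with different search bases, and an Identity Source Sequence queries sources one after another until one returns a match) can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Cisco code and does not talk to ISE or a real LDAP server. The directory contents, hostnames, source names and the `reachable` flag are constructed for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for the directory: search base -> user names found under it.
# In a real deployment ISE would issue an LDAP search scoped to this base.
DIRECTORY = {
    "OU=Finance,DC=domain,DC=local": {"alice", "bob"},
    "OU=Legal,DC=domain,DC=local": {"carol"},
}


@dataclass
class LdapServer:
    host: str
    reachable: bool = True  # constructed flag used to simulate an outage


@dataclass
class LdapIdentitySource:
    """Models one ISE LDAP Identity Source: a name, a search base and
    one or two servers (primary, optional secondary)."""
    name: str
    search_base: str
    servers: list  # [primary] or [primary, secondary]

    def __post_init__(self):
        # ISE accepts only a primary and a secondary server per LDAP source.
        if not 1 <= len(self.servers) <= 2:
            raise ValueError(f"{self.name}: an LDAP identity source takes 1 or 2 servers")

    def lookup(self, username, trace):
        """Ask the primary; fail over to the secondary only if the primary is down.
        Records every server contacted in `trace`. Returns True on a match."""
        for server in self.servers:
            trace.append((self.name, server.host))
            if not server.reachable:
                continue  # failover: try the next (secondary) server
            return username in DIRECTORY.get(self.search_base, set())
        return False  # no reachable server: treat as "not found" here


def resolve(sequence, username):
    """Walk an Identity Source Sequence in order and stop at the first source
    that matches. Returns (matching source name or None, list of servers queried).
    The length of the trace is the cost the thread warns about: a user held in
    the last source costs one query per preceding source."""
    trace = []
    for source in sequence:
        if source.lookup(username, trace):
            return source.name, trace
    return None, trace


# Two sources sharing the same hosts (1.1.1.1 / 1.1.1.2) but scoped to different OUs,
# as in the screenshot above. Names are more descriptive than "LDAP1"/"LDAP2".
LDAP_FINANCE = LdapIdentitySource(
    "LDAP_Finance", "OU=Finance,DC=domain,DC=local",
    [LdapServer("1.1.1.1"), LdapServer("1.1.1.2")])
LDAP_LEGAL = LdapIdentitySource(
    "LDAP_Legal", "OU=Legal,DC=domain,DC=local",
    [LdapServer("1.1.1.1"), LdapServer("1.1.1.2")])
SEQUENCE = [LDAP_FINANCE, LDAP_LEGAL]


def demo():
    """Resolve a Finance user, a Legal user and an unknown user through the sequence."""
    return {user: resolve(SEQUENCE, user) for user in ("alice", "carol", "mallory")}


if __name__ == "__main__":
    for user, (source, trace) in demo().items():
        print(f"{user}: source={source} queries={len(trace)} trace={trace}")
```

Running it shows `alice` resolved by the first source after one query, `carol` only after the Finance source has been searched and missed (two queries), and `mallory` rejected after every source in the sequence has been tried; adding more sources to the sequence lengthens the worst-case path for every unknown or late-listed user, which is the performance point Greg makes above.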

@Greg Gibbs 

Thank you for the information. From your figure, for example LDAP1 = (1.1.1.1, 1.1.1.2) and LDAP2 = (2.2.2.1, 2.2.2.2), with the LDAP information separate. Can I do that based on your figure?

I'm not sure I understand your question. If you're asking if you can create two separate LDAP Identity Sources with the following configuration, then the answer is yes. (I would use a more identifiable name for the Sources in production)

You would also need to determine how you are going to use the separate sources in an Identity Source Sequence and/or AuthC and AuthZ Policies.

  • LDAP1 - (Primary server = 1.1.1.1, Secondary server = 1.1.1.2)
  • LDAP2 - (Primary server = 2.2.2.1, Secondary server = 2.2.2.2)

@Greg Gibbs 


Yes, I would like to create two separate LDAPs.


Thank you so much for the information.
