
Manage mac addresses in ODBC, LDAP or internal store?

Andreas Falk
Level 1

Hi,

Today we are using LDAP to manage our MAC addresses for MAB auth.
When 2.1 was introduced with customAttributes we started to look at moving all MAC addresses back into the ISE internal store.


But after some testing it seems that we have encountered an issue with having all MAC addresses in the internal store.
[ers api filter on custom attributes?]

So now we are looking at the possibility to switch store to ODBC. It is pretty easy to continue our webui work against an ordinary db.


Do you guys know if there is any performance drop when using ODBC (in our case probably PostgreSQL) or LDAP against ISE internal store?
We have est. 10k endpoints in the mac db today.

--
Regards Falk

Accepted Solutions

Craig Hyps
Level 10

MAB testing against Internal vs LDAP was fairly on par, with Internal performing better. No details on ODBC as an external ID store for MAC auth, as it is a less common scenario, although valid.


3 Replies

Today we use an OpenLDAP cluster with one provider and three consumers, and haproxy/keepalived as LB fronting our ISE RADIUS servers.
It works and handles the load with no problem, but the complexity is daunting.


But after a hit and miss with the internal datastore and ERS API, I'll try to read up on ODBC, PostgreSQL and ISE.

A PostgreSQL cluster is easier to manage, back up and integrate with than OpenLDAP, imho.

I'll do some testing and see if I can get some performance numbers with both of them. But it's hard to do a correct test when you've got to have a huge environment just to get ISE working with the right amount of devices.

--
Regards Falk

We also added enhancements to LDAP scale and HA in recent releases via:

* Per PSN LDAP configs with Primary/Secondary settings per node

* Option to force nodes to retrigger DNS lookup to allow new LDAP server assignment every interval.

/C