Security

Reply
Frequent Contributor II

CPPM Authentication Source Cache Timeout

Hi:

I've had several problems lately that were solved by clearing the cache for the AD authentication source.

Currently the Cache Timeout (Configuration -- Authentication -- Sources -- Our AD - General Tab) is set to 36000 seconds, or 10 hours.

 

I would like to make this much shorter - something like 15 minutes.

 

Are there any side effects I should be aware of, before I do this?

 

Thanks,

Tony

Guru Elite

Re: CPPM Authentication Source Cache Timeout

Side effects are more authorization requests to AD. I have a large university set to 1 hour with no issues.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: CPPM Authentication Source Cache Timeout

I will begin the shortening process! :-)

Thank you.

Frequent Contributor I

Re: CPPM Authentication Source Cache Timeout

Hi Tony1234,

 

How do you do for to clear the cache of AD auth in CPPM ?

 

regards

 

Yann

Frequent Contributor I

Re: CPPM Authentication Source Cache Timeout

Sorry, i hadn't opened my eyes, is it on the auth Source.Capture23.JPG

Occasional Contributor II

Re: CPPM Authentication Source Cache Timeout

Does anyone see a problem with setting the Cache Timeout to 0 - 300s?

 

What we are trying to achieve is only allowing users connect to wifi if they badge in using their campus ID card. We want to utilize CPPM and its functionality to search AD/LDAP attributes. So we would want to achieve the following:

  • When student arrives on campus, they will badge in with their ID.
  • The ID software will then update an attribute in ActiveDirectory/LDAP, "pager" and will change it to say 1, so that we know that this user has tapped into the system and is on campus.
  • CPPM Rules: 
    • If user is a "student" AND "pager = 1" then user can connect. (User is a student and has badged in)
    • If user is a "student" AND "pager is not 1" then user can't connect. (User is a student but has not badged in, no wifi)
  • I've tested a trial run in our Test environment, with CPPM, I have two authentication sources from Active Directory.
    • Authentication Source: AD Server 1, with cache timeout set to it's default 36000s. This will be for main authentication
    • Authentication Source: AD Server 2, which is looking for a change in the "pager" attribute., with cache timeout set to 0-300s

I know I can do all of this using one authentication source with a very low Cache Timout, but I'm just not sure if the load will be too great? We would hypothetically have 1500 users authenticating at peak hours or beginning of the day.

 

Any recommended settings would be appreciated? My main worry is if CPPM could handle that load?

 

Thanks

Re: CPPM Authentication Source Cache Timeout

i would start a new thread, as this is different question.

 

[EDIT] you did exactly that already :) ignore my post.

 

personally i don't really see the difference between the clearpass having to do the lookup internally or against an external source. to an external source will take more time but i don't see the load go up that much because of that.

Occasional Contributor II

Re: CPPM Authentication Source Cache Timeout

Hello,

 

The 36000 is the time maximum range? or whats is the range maximum the time? because the default is 10 hours or 36000 , We can put the 24 hours? or 12 hours? 

 

Thanks.

 

Regards

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: