Occasional Contributor II

Cache Clearpass with LDAP query

Hello,

 

We have a Controller with ClearPass and we use the 802.1X protocol for authentication with LDAP. Is it possible to keep ClearPass from querying the LDAP server so frequently, and instead have a cache generated for a certain time? Is there such an option?

 

Thanks for your help.

 

Regards.

 

HC 

Guru Elite

Re: Cache Clearpass with LDAP query

It does not look up LDAP for AD group membership for X seconds.

 

It is located in Configuration > Authentication > Sources. Click on your Authentication Source and then General to see the Cache timeout:

 

 

source.png

 

In the lower right hand corner of that same screen is a clear cache button:

 

clearcache.png


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Guru Elite

Re: Cache Clearpass with LDAP query

The reason for that cache is that some LDAP servers cannot keep up with tons of authentications a second, so doing a lookup for a group membership constantly can slow down regular authentications. When it does an authentication, it will cache the group memberships for X seconds, which prevents another group lookup. It will check the authentication for the password every time, however. If you are doing testing and changing AD group memberships, you can click on clear cache to test if the user is getting the correct LDAP group membership.


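A small model of the behaviour described in the reply above, added here as an illustration and not ClearPass code: the password is verified on every authentication, while group membership is served from a per-user cache until the timeout expires or the cache is cleared, so a group removed in the directory keeps being returned in the meantime. The class and method names, the in-memory directory standing in for the LDAP server, and the injected clock are all assumptions.

```python
import hmac
import time


class CachingAuthSource:
    """Toy auth source: password checked every time, groups cached for ttl seconds."""

    def __init__(self, directory, ttl_seconds, clock=time.monotonic):
        self.directory = directory   # constructed stand-in for the LDAP server
        self.ttl = ttl_seconds       # plays the role of the Cache timeout setting
        self.clock = clock           # injectable so the example needs no sleeping
        self.group_lookups = 0       # group queries that actually reach the directory
        self._cache = {}             # user -> (expiry time, frozenset of groups)

    def _groups(self, user):
        now = self.clock()
        hit = self._cache.get(user)
        if hit and now < hit[0]:
            return hit[1]            # served from cache, directory not consulted
        self.group_lookups += 1
        groups = frozenset(self.directory[user]["groups"])
        self._cache[user] = (now + self.ttl, groups)
        return groups

    def authenticate(self, user, password):
        entry = self.directory.get(user)
        # The credential check is never cached.
        if entry is None or not hmac.compare_digest(
                entry["password"].encode(), password.encode()):
            return None
        return self._groups(user)

    def clear_cache(self):
        self._cache.clear()          # models the clear cache button


def demo():
    now = [0.0]
    # Constructed sample data, not taken from the thread.
    directory = {"alice": {"password": "s3cret", "groups": {"staff", "wifi-admins"}}}
    src = CachingAuthSource(directory, ttl_seconds=36000, clock=lambda: now[0])
    results = [src.authenticate("alice", "s3cret")]        # first login fills the cache
    directory["alice"]["groups"].discard("wifi-admins")    # group removed in directory
    now[0] = 3600                                          # one hour later
    results.append(src.authenticate("alice", "s3cret"))    # stale groups still returned
    results.append(src.authenticate("alice", "wrong"))     # bad password rejected anyway
    src.clear_cache()
    results.append(src.authenticate("alice", "s3cret"))    # fresh lookup after clearing
    return results, src.group_lookups
```
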
Occasional Contributor II

Re: Cache Clearpass with LDAP query

Thanks for your help 

 

One question: what is the maximum cache time? Right now I have it set to 10 hours (36000 seconds). What is the maximum time that can be defined?

 

Regards
