Security

Reply
Super Contributor II
Posts: 355
Registered: ‎02-22-2011

LDAP query timeout

Hi All,

 

I've recently found any issue where my AD server (windows 2003) doesn't return a response to an ldap user search in some situations for 4-5 minutes. This is usually when the server is in the process of being restarted or shutdown for maintenance. 

 

In this case a RADIUS timeout occured to our downstream devices and as such failed. 

 

The issue here is that we had a backup AD server configured however it is never invoked for a large number of sessions and ClearPass seems to hang open until the server comes back onlien. 

 

Eventually after these queries are run, subsequent authentication attempts seem to detect the server is down and then it fails over to the backup server.

 

I'm wondering whether there should be some kind of LDAP query / search tmeout parameter that expires an LDAP query after a certain amount of time and causes the session to failover to backup server (before RADIUS timeout period).

 

Anybody else see a problem here or had similar issues?

 

Scott

 

Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: LDAP query timeout

You will probably want to contact TAC to design this right.  The type of redundancy you choose at this point will depend how your infrastructure is designed and your priorities.  If you contact TAC with all your information they will advise you best.  There is no one way to design this for everyone.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor II
Posts: 355
Registered: ‎02-22-2011

Re: LDAP query timeout

Hi Colin,

 

I spoke with TAC but they weren't really able to do much as we only had access tracker logs to go on (debug didn't take place as this was unplanned outage).

 

My concern more generally is that ClearPass can effectively wait an unlimited amount of time for AD to return search results and this causes downstream timeouts to RADIUS clients. 

 

In my case a query took 3-4 minutes to return a result (presumably due to server being patched / restarted).

 

During this time ClearPass did not failover to secondary AD server. 

 

The advice from TAC was that CPPM can ping the LDAP server then it is considered to be up. This doesn't seem to protect from higher level failures.

 

Scott

Search Airheads
Showing results for 
Search instead for 
Did you mean: