Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

LDAP query timeout

This thread has been viewed 4 times

  • 1.  LDAP query timeout

    Posted Dec 07, 2014 06:16 PM

    Hi All,

     

    I've recently found any issue where my AD server (windows 2003) doesn't return a response to an ldap user search in some situations for 4-5 minutes. This is usually when the server is in the process of being restarted or shutdown for maintenance. 

     

    In this case a RADIUS timeout occured to our downstream devices and as such failed. 

     

    The issue here is that we had a backup AD server configured however it is never invoked for a large number of sessions and ClearPass seems to hang open until the server comes back onlien. 

     

    Eventually after these queries are run, subsequent authentication attempts seem to detect the server is down and then it fails over to the backup server.

     

    I'm wondering whether there should be some kind of LDAP query / search tmeout parameter that expires an LDAP query after a certain amount of time and causes the session to failover to backup server (before RADIUS timeout period).

     

    Anybody else see a problem here or had similar issues?

     

    Scott

     



  • 2.  RE: LDAP query timeout

    EMPLOYEE
    Posted Dec 08, 2014 05:09 AM

    You will probably want to contact TAC to design this right.  The type of redundancy you choose at this point will depend how your infrastructure is designed and your priorities.  If you contact TAC with all your information they will advise you best.  There is no one way to design this for everyone.

     



  • 3.  RE: LDAP query timeout

    Posted Dec 09, 2014 10:06 PM

    Hi Colin,

     

    I spoke with TAC but they weren't really able to do much as we only had access tracker logs to go on (debug didn't take place as this was unplanned outage).

     

    My concern more generally is that ClearPass can effectively wait an unlimited amount of time for AD to return search results and this causes downstream timeouts to RADIUS clients. 

     

    In my case a query took 3-4 minutes to return a result (presumably due to server being patched / restarted).

     

    During this time ClearPass did not failover to secondary AD server. 

     

    The advice from TAC was that CPPM can ping the LDAP server then it is considered to be up. This doesn't seem to protect from higher level failures.

     

    Scott