Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ClearPass overwhelming AD LDAP

  • 1.  ClearPass overwhelming AD LDAP

    Posted Dec 07, 2016 04:27 AM

    Hello,

    Recently we had some issues with ClearPass overwhelming our domain controllers. Essentially, the number of requests causes the CPU load to go to 100%.

     

    We are using DNS round robin with four DCs but of course ClearPass does a DNS lookup and only goes to the one that it picks at that particular moment.

     

    I have also tried to use our internal F5 load balancer but the LDAP profile on the F5 uses source address persistence so this is no good either.

     

    • ClearPass version 6.5.7
    • Use cached Roles and Posture attributes from previous sessions is active
    • BaseDN is set as high as possible

    Are there any best practices when it comes to Role Mapping Policies?

     

    For example, is it better to use EQUALS instead of ENDS_WITH in the Operator field of the Rule Editor?

     

    Are there any other suggestions to reduce the load on the LDAP server?

     

    Thanks for your help!

     

    best regards,

    Harald



  • 2.  RE: ClearPass overwhelming AD LDAP

    EMPLOYEE
    Posted Dec 07, 2016 10:30 AM

    The operator in the role map should not make a difference as that data is evaluated by ClearPass.

     

    Are you noticing performance issues during authentication or authorization? 

     



  • 3.  RE: ClearPass overwhelming AD LDAP

    Posted Dec 07, 2016 10:55 AM

    To be honest, I do not know.

     

    I have attached a summary of the ClearPass dashboard. I don't know if the number of authentication requests is particularly high. ClearPass doesn't seem to be the problem, though.

     

    I have received some more information from my server admin. Attached is a screenshot of the processes eating up the CPU.

     

    I think it's the sheer volume of requests that is bogging down the server.

     

    What is strange is that most of the queries seem to originate at the top of the hierarchy - which is dc=fhm,dc=de - even though dc=belgium,dc=fhm,dc=de is configured in ClearPass as the BaseDN.

     

    I have attached a screenshot of the LDAP config as well.



  • 4.  RE: ClearPass overwhelming AD LDAP

    EMPLOYEE
    Posted Dec 10, 2016 10:35 AM
    It's best to open a TAC case to assist with troubleshooting.