LDAP Directory Organization

The following suggestions can be extended to complex configurations, allowing the AAA Server to maximize the authentication performance of the system.

You must organize the LDAP directory in such a way that the:

  • Number of queries in the configuration is limited, and
  • Average number of queries executed by the system is minimized.

To ensure optimal AAA Server performance, it is recommended that you limit the number of separate branches searched by the LDAP queries. A high-level query using sub-tree scope allows faster interaction between the AAA Server and the LDAP directory than several queries against individual branches.


The following examples provide options for organizing your queries and groups in the AAA Server.

Example 1 - Queries with attribute checking

SCENARIO

Only managers are allowed to log on to the network using a specific access portal. Attempts by other users to log on using this portal are rejected.

CONFIGURATION with QueryAll

The authentication servers must check for the 'function' LDAP attribute with a value of 'manager' to authenticate the user.

1 AAA Server group is created: GroupManager.

  • Based on QueryAll, it returns the users from all locations matching the 'function' attribute 'manager'.

AUTHENTICATION

  • If the function attribute is 'manager', then the authentication request is accepted (assuming all other logon information is correct).
  • If the function attribute is 'user', then the authentication request is rejected.

RESULT:

The AAA Server runs the same query only once for both types of user (manager and user), filtering on the attribute value.

As there are fewer queries to execute, there is:

  • Less load on the AAA Server authentication server(s).
  • Shorter response time to authentication requests.


Example 2 - Queries ordered at the gate level

SCENARIO

Typically, users from a specific geographical location log on locally. However, sometimes they travel and log on from another location. Each location has a dedicated authentication server.

CONFIGURATION

2 AAA Server groups are created: GroupEMEA and GroupUS.

  • QueryEMEA returns the users with the location attribute 'EMEA'.
  • QueryUS returns the users with the location attribute 'US'.
  • The authentication server for EMEA must find the EMEA users first because the majority of authentication attempts are from EMEA users. Therefore, query order at the gate is:
    1 - QueryEMEA
    2 - QueryUS
  • The authentication server for US must find the US users first because the majority of authentication attempts are from US users. Therefore, query order at the gate is:
    1 - QueryUS
    2 - QueryEMEA

Queries Ordered at Gate Level

AUTHENTICATION

  • GroupEMEA uses QueryEMEA when an EMEA user attempts to authenticate using the EMEA gate.
  • GroupUS uses QueryUS when a US user attempts to authenticate using the US gate.
  • GroupEMEA uses QueryEMEA first, then triggers QueryUS when an EMEA user attempts to authenticate using the US gate.
  • GroupUS uses QueryUS first, then triggers QueryEMEA when a US user attempts to authenticate using the EMEA gate.

RESULT:

  • In the majority of authentication attempts, only the first query is executed.
    The majority of the users at the EMEA gate are EMEA users who belong to GroupEMEA (returned by QueryEMEA). Therefore, this query executes first.
  • For the users from the US who are authenticating with the EMEA gate (or vice versa), both queries are executed. However, such instances are minimized through efficient configuration.
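The following added example models both layouts above (Example 1, attribute checking inside a single sub-tree query; Example 2, gate-ordered queries that stop at the first hit) against a small in-memory directory. It is illustrative code written for this page, not the AAA Server's own implementation or API: the directory entries, DNs, base DN and query filters are constructed, and the filter evaluator only understands the equality-and subset of LDAP filter syntax that the two examples need. It also counts the number of queries each authentication attempt issues, which is the quantity the recommendations above aim to minimize.

```python
"""Constructed model of the two LDAP query layouts (illustrative only)."""
import re

# Constructed sample directory: hypothetical DNs and attribute values.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,ou=EMEA,dc=example,dc=com",
     "uid": "alice", "function": "manager", "location": "EMEA"},
    {"dn": "uid=bob,ou=people,ou=EMEA,dc=example,dc=com",
     "uid": "bob", "function": "user", "location": "EMEA"},
    {"dn": "uid=carol,ou=people,ou=US,dc=example,dc=com",
     "uid": "carol", "function": "manager", "location": "US"},
    {"dn": "uid=dave,ou=people,ou=US,dc=example,dc=com",
     "uid": "dave", "function": "user", "location": "US"},
]

# High-level base DN: one sub-tree search covers every location branch.
BASE_DN = "dc=example,dc=com"

_TERM = re.compile(r"\((\w+)=([^()]*)\)")


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied value cannot change the filter
    structure (the characters \\ * ( ) and NUL become \\5c \\2a \\28 \\29 \\00)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def parse_filter(ldap_filter):
    """Parse an equality-only filter, either a single term such as (uid=alice)
    or an AND of terms such as (&(uid=alice)(function=manager)), into a dict.
    Anything else (OR, NOT, wildcards) is rejected by this toy evaluator."""
    terms = _TERM.findall(ldap_filter)
    remainder = _TERM.sub("", ldap_filter)
    if not terms or remainder not in ("", "(&)"):
        raise ValueError("unsupported filter: %s" % ldap_filter)
    return dict(terms)


class LdapDirectory:
    """In-memory stand-in for an LDAP server; sub-tree scope only."""

    def __init__(self, entries):
        self.entries = entries
        self.searches = 0  # total queries executed, a proxy for server load

    def search(self, base_dn, ldap_filter):
        self.searches += 1
        wanted = parse_filter(ldap_filter)
        hits = []
        for entry in self.entries:
            in_subtree = entry["dn"].lower().endswith("," + base_dn.lower())
            # Literal comparison: sample values contain no escaped characters.
            if in_subtree and all(entry.get(k) == v for k, v in wanted.items()):
                hits.append(entry)
        return hits


def authenticate_manager(directory, uid):
    """Example 1: a single sub-tree query carries the 'function' check in its
    filter, so the attribute is evaluated by the directory in the same query."""
    filt = "(&(uid=%s)(function=manager))" % escape_filter_value(uid)
    return len(directory.search(BASE_DN, filt)) == 1


# Example 2: per-gate query order; the local location's query runs first.
GATE_QUERY_ORDER = {
    "EMEA": [("GroupEMEA", "(&(uid={uid})(location=EMEA))"),
             ("GroupUS", "(&(uid={uid})(location=US))")],
    "US": [("GroupUS", "(&(uid={uid})(location=US))"),
           ("GroupEMEA", "(&(uid={uid})(location=EMEA))")],
}


def authenticate_at_gate(directory, gate, uid):
    """Run the gate's queries in configured order and stop at the first match.
    Returns (matching group or None, number of queries this attempt executed)."""
    before = directory.searches
    safe_uid = escape_filter_value(uid)
    for group, template in GATE_QUERY_ORDER[gate]:
        if directory.search(BASE_DN, template.format(uid=safe_uid)):
            return group, directory.searches - before
    return None, directory.searches - before


if __name__ == "__main__":
    d = LdapDirectory(DIRECTORY)
    print("alice manager portal:", authenticate_manager(d, "alice"))
    print("alice at EMEA gate:", authenticate_at_gate(d, "EMEA", "alice"))
    print("alice at US gate:", authenticate_at_gate(d, "US", "alice"))
```

Running the script shows that a manager logging on at the local gate costs one query, while a travelling user costs two, exactly the trade-off described in the RESULT sections above. The `escape_filter_value` step is the one detail a production configuration should not omit: the user name goes into the filter string, and RFC 4515 escaping keeps it from being interpreted as filter syntax.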