LDAP Directory Organization
The following suggestions can be extended to complex configurations, allowing the AAA Server to maximize the authentication performance of the system.
You must organize the LDAP directory in such a way that the:
- Number of queries in the configuration is limited, and
- Average number of queries executed by the system is minimized.
To ensure optimal AAA Server performance, limit the number of branches that the LDAP queries have to walk. High-level queries against a single sub-tree allow faster interaction between the AAA Server and the LDAP directory than several queries against separate branches.
The following examples provide options for organizing your queries and groups in the AAA Server.
| Example 1 - Queries with attribute checking | |
|---|---|
| SCENARIO | Only managers are allowed to log on to the network using a specific access portal. Log-on attempts through this portal by any other user are rejected. |
| CONFIGURATION with QueryALL | The authentication servers must check for the 'function' LDAP attribute with a value of 'manager' to authenticate the user. 1 AAA Server group is created - GroupManager. |
| AUTHENTICATION | |
| RESULT | AAA Server runs the same query once only for both groups, filtering based on the attribute values. As there are fewer queries to execute, there is: |
| Example 2 - Queries ordered at the gate level | |
|---|---|
| SCENARIO | Typically, users from a specific geographical location log on locally. However, sometimes they travel and log on from another location. Each location has a dedicated authentication server. |
| CONFIGURATION | 2 AAA Server groups are created: GroupEMEA and GroupUS. (figure: Queries Ordered at Gate Level) |
| AUTHENTICATION | |
| RESULT | |
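To make the effect of both layouts measurable, here is an added example (not the AAA Server's own code) that models a two-branch directory with constructed entries: it builds the attribute-checking filter from Example 1 with RFC 4515 escaping, and counts how many sub-tree searches a log-on needs when the branch of the gate's own location is queried first (Example 2) versus a fixed order. All DNs, users and gate names are assumptions.

```python
# Constructed directory (DN -> attributes), one branch per location. Not real data.
DIRECTORY = {
    "uid=alice,ou=EMEA,dc=example,dc=com": {"uid": "alice", "function": "manager"},
    "uid=bob,ou=EMEA,dc=example,dc=com":   {"uid": "bob",   "function": "engineer"},
    "uid=carol,ou=US,dc=example,dc=com":   {"uid": "carol", "function": "manager"},
}
BRANCH = {"EMEA": "ou=EMEA,dc=example,dc=com", "US": "ou=US,dc=example,dc=com"}


def escape_filter_value(value):
    """RFC 4515 escaping: user input must not be able to alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(uid, required=None):
    """Filter for one user, AND-ed with the attribute checks of Example 1 if given."""
    parts = ["(uid=%s)" % escape_filter_value(uid)]
    for attr, val in (required or {}).items():
        parts.append("(%s=%s)" % (attr, escape_filter_value(val)))
    return parts[0] if len(parts) == 1 else "(&%s)" % "".join(parts)


def search(base, uid, required=None):
    """Simulated sub-tree search: DNs under `base` matching uid and required attrs."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + base) and attrs.get("uid") == uid and all(
            attrs.get(a) == v for a, v in (required or {}).items()
        ):
            hits.append(dn)
    return hits


def queries_to_authenticate(uid, order, required=None):
    """Query the branches in `order`; return how many searches ran before a hit."""
    for n, loc in enumerate(order, 1):
        if search(BRANCH[loc], uid, required):
            return n
    return len(order)  # every branch queried, user not found


def order_for_gate(gate):
    """Example 2: the gate's own location is queried first, the others afterwards."""
    return [gate] + [loc for loc in BRANCH if loc != gate]


def average_queries(logins, order_fn):
    """Mean searches per log-on for a list of (uid, gate) attempts."""
    return sum(queries_to_authenticate(u, order_fn(g)) for u, g in logins) / len(logins)


# Constructed log-on sample: three local log-ons and one travelling user (alice in US).
LOGINS = [("alice", "EMEA"), ("bob", "EMEA"), ("carol", "US"), ("alice", "US")]
```

Comparing `average_queries(LOGINS, order_for_gate)` with a fixed order such as `lambda g: ["US", "EMEA"]` shows the lower average query count that the page attributes to ordering queries at the gate level.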