  • 1.  CPPM Authentication Source Cache Timeout Best Practices

    Posted Jun 17, 2025 08:53 AM

    Good Afternoon,

    I am creating this discussion to obtain a couple of hints related to "Authentication Source Cache Timeout" field in Aruba Clearpass.

    In our organization we are trying to implement some automatic remediations with the aim to block users and devices that have been reported by our SIEM.

    In particular, in order to isolate users whose account may have been "hacked", we started by disabling them on the Active Directory.

    However the problem is that, in our current environment (Cluster of 2 Aruba Clearpass 6.11.9.259693 on C2010 platform), the value of the cache timeout is set to 36000 seconds, so a user, if already authenticated via 802.1x (wired or wireless), will still continue to authenticate to its service.

    My questions are:

    • If we reduce the value to 300 (or even 180) seconds, what's the impact of this modification on the server load/performances?

    • Would moving the authentication from the on-prem AD to the Entra environment be more useful in the proposed scenario?

    Thank you



  • 2.  RE: CPPM Authentication Source Cache Timeout Best Practices

    Posted Jun 17, 2025 09:06 AM

    The cache timeout is for authorization purposes. For 802.1X, AD users authenticate with a client certificate (preferred) and the AD is only used for authorization. This is not If you reduce the timeout to 300 seconds, then if there is a (re)authentication for the same user, ClearPass will look up the authorization information again in the Active Directory Server. It depends on re-authentication timers, how often devices authenticate, and the sizing/performance of your AD servers whether there is a noticeable increase in load or latency. If your AD servers and ClearPass servers have plenty of capacity, you probably can reduce the cache timer. In most environments, the AD is not so dynamic and having a 10 hour timeout is fine. If you regularly disable accounts and want ClearPass to respond faster to those changes, yes, it may be the right option.

    Moving from on-premises AD to Entra ID does not really make a difference in this perspective. It's LDAP(S) to AD or a Graph API call to Entra ID; the caching works the same, and there too it's a balance between performance and fast response in how you configure the cache timeout.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
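    The interaction between the cache timeout and the re-authentication timer that the reply describes can be made concrete with a small simulation. This is an added example, not ClearPass code, and it rests on a constructed, simplified model: an authorization lookup result is cached for `cache_timeout` seconds from the moment it was fetched, a re-authentication inside that window reuses the cached result without refreshing it, and the first lookup after the account is disabled is rejected. The function names and all timer values are assumptions chosen to match the numbers in the thread.

```python
"""Simplified model of an authorization-source cache (constructed example,
not ClearPass internals): how long does a disabled account keep authorizing?"""


def seconds_until_blocked(cache_timeout, reauth_interval, disabled_at, first_auth=0):
    """Return the delay in seconds between the account being disabled and the
    first re-authentication that is rejected.

    Assumed model: the authorization lookup done at `first_auth` is cached for
    `cache_timeout` seconds; re-authentications every `reauth_interval` seconds
    reuse the cached answer until it expires, then perform a fresh lookup.
    """
    cached_at = first_auth  # lookup performed at the first authentication
    t = first_auth
    while True:
        t += reauth_interval  # next 802.1X re-authentication
        if t - cached_at >= cache_timeout:
            cached_at = t  # cache expired: fresh lookup against the directory
            if t >= disabled_at:
                return t - disabled_at  # fresh lookup sees the disabled account


def worst_case_exposure(cache_timeout, reauth_interval):
    """Upper bound on the stale window: a full cache lifetime plus, at worst,
    one re-authentication interval before the next lookup happens."""
    return cache_timeout + reauth_interval


def lookups_per_session(cache_timeout, reauth_interval, session_seconds):
    """Directory lookups generated by one always-connected device during
    `session_seconds`, which is the load side of the trade-off the reply
    mentions: shorter cache means more lookups per re-authentication."""
    lookups = 1  # the initial authentication always performs a lookup
    cached_at = 0
    t = 0
    while t + reauth_interval <= session_seconds:
        t += reauth_interval
        if t - cached_at >= cache_timeout:
            lookups += 1
            cached_at = t
    return lookups


if __name__ == "__main__":
    # Values from the thread: 36000 s cache vs. a 300 s cache, with an assumed
    # hourly re-authentication and an account disabled 30 minutes into the shift.
    for cache in (36000, 300):
        delay = seconds_until_blocked(cache, 3600, disabled_at=1800)
        print(f"cache={cache:>6}s  blocked {delay}s after disable, "
              f"{lookups_per_session(cache, 3600, 8 * 3600)} lookups per 8h session")
```

    With the 10 hour cache the disabled user stays authorized for the remainder of the cache lifetime, while with a 300 second cache the block lands at the very next re-authentication; the lookup count shows the cost that shorter timeout adds per device, which is what the sizing question in the reply is about.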



  • 3.  RE: CPPM Authentication Source Cache Timeout Best Practices

    Posted Jun 18, 2025 03:51 AM

    Hello Herman,

    How do I create roles and enforcement for only one device with a certificate that is manually installed on the device?

    Thanks




  • 4.  RE: CPPM Authentication Source Cache Timeout Best Practices

    Posted Jun 18, 2025 03:53 AM

    Hard to tell without knowing more about your setup. But in general, find a way to recognize the manually installed certificate, create a role mapping for that, and apply an enforcement profile based on that.



    ------------------------------
    Herman Robers
    ------------------------



  • 5.  RE: CPPM Authentication Source Cache Timeout Best Practices

    Posted Jun 18, 2025 08:54 AM
    Hi Herman,
    We have successfully implemented authentication without Active Directory. However, our client has a request and question regarding local onboard certificates in ClearPass. They would like to know if the certificate can be restricted to a single user device, meaning that once it is installed on one device, it cannot be used on any other device. Is this possible? We kindly request your technical assistance on this matter.

    Here is an example that we have already implemented, but we are still unsuccessful. Is there any mistake in the configuration?
    Role & Enforcement



  • 6.  RE: CPPM Authentication Source Cache Timeout Best Practices

    Posted Jun 19, 2025 04:02 AM

    It seems that the unique device count checks the number of endpoints with the 'Username' attribute set to the Username in use:

    SELECT COUNT(te.id) + 1 AS num_endpoints FROM tips_endpoints as te WHERE LOWER( te.attributes->>'Username') = LOWER( '%{Authentication:Username}') and te.mac_address != '%{Connection:Client-Mac-Address-NoDelim}'

    In order for this to work, you should store the username in the endpoint, with an Endpoint Update post-auth enforcement profile. You could do something similar with the certificate, where I would use the certificate serial number (if you don't have other CAs using the same serial numbers), store that in the endpoint as an attribute, then create a query similar to the Unique Endpoints one, but checking the certificate serial against the ones stored in the endpoints. However, if your client does use MAC randomization, this strategy breaks.

    If you want to implement this, it may be best to work with your HPE Aruba Networking partner or with TAC.



    ------------------------------
    Herman Robers
    ------------------------
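    To make the reply's reasoning runnable offline, here is an added example (not ClearPass code, and not the poster's configuration) that emulates the unique-device query and the suggested certificate-serial variant with sqlite3. It assumes a `tips_endpoints` table with `id`, `mac_address` and a JSON `attributes` column, matching the query quoted above; ClearPass runs PostgreSQL, where `attributes->>'Username'` extracts the attribute, while sqlite uses `json_extract()` for the same purpose, so that is the one substitution made. The attribute name `CertSerial`, the MAC addresses and usernames are constructed sample data.

```python
"""Emulating the ClearPass 'unique device count' check and a certificate-serial
variant with sqlite3 (constructed example; schema and data are assumptions)."""
import json
import sqlite3

# Same shape as the query in the post; json_extract() stands in for
# PostgreSQL's attributes->>'Username'. Parameters: username, client MAC.
UNIQUE_DEVICE_SQL = """
SELECT COUNT(te.id) + 1 AS num_endpoints
FROM tips_endpoints AS te
WHERE LOWER(json_extract(te.attributes, '$.Username')) = LOWER(?)
  AND te.mac_address != ?
"""

# The variant suggested in the reply: count endpoints that already carry the
# presented certificate serial instead of the username. Parameters: serial, MAC.
CERT_SERIAL_SQL = """
SELECT COUNT(te.id) + 1 AS num_endpoints
FROM tips_endpoints AS te
WHERE UPPER(json_extract(te.attributes, '$.CertSerial')) = UPPER(?)
  AND te.mac_address != ?
"""


def build_db():
    """In-memory endpoint repository with constructed rows. MAC addresses are
    stored without delimiters, like %{Connection:Client-Mac-Address-NoDelim}."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tips_endpoints ("
        "id INTEGER PRIMARY KEY, mac_address TEXT, attributes TEXT)"
    )
    rows = [
        # alice's laptop, enrolled with serial 1A2B
        ("aabbccddeeff", {"Username": "alice", "CertSerial": "1A2B"}),
        # a second MAC presenting the same certificate: either a copied cert or
        # the same laptop after MAC randomization (the case the reply warns about)
        ("001122334455", {"Username": "Alice", "CertSerial": "1A2B"}),
        ("665544332211", {"Username": "bob", "CertSerial": "9F9F"}),
    ]
    con.executemany(
        "INSERT INTO tips_endpoints (mac_address, attributes) VALUES (?, ?)",
        [(mac, json.dumps(attrs)) for mac, attrs in rows],
    )
    return con


def device_count_for_user(con, username, client_mac):
    """Other endpoints stored with this username, plus the connecting one."""
    return con.execute(UNIQUE_DEVICE_SQL, (username, client_mac)).fetchone()[0]


def device_count_for_cert(con, serial, client_mac):
    """Other endpoints stored with this certificate serial, plus the connecting one."""
    return con.execute(CERT_SERIAL_SQL, (serial, client_mac)).fetchone()[0]


def cert_allowed(con, serial, client_mac, max_devices=1):
    """Role-mapping style decision: allow only if the certificate is not seen on
    more than `max_devices` endpoints in total."""
    return device_count_for_cert(con, serial, client_mac) <= max_devices


if __name__ == "__main__":
    db = build_db()
    print("alice from aabbccddeeff:", device_count_for_user(db, "ALICE", "aabbccddeeff"))
    print("bob from 665544332211:", device_count_for_user(db, "bob", "665544332211"))
    print("serial 1A2B allowed from aabbccddeeff:", cert_allowed(db, "1a2b", "aabbccddeeff"))
    print("serial 9F9F allowed from its own MAC:", cert_allowed(db, "9F9F", "665544332211"))
    print("serial 9F9F allowed from a new MAC:", cert_allowed(db, "9F9F", "ffffffffffff"))
```

    The last two calls show both sides of the reply's caveat: the count only works because the endpoint repository remembers the MAC the certificate was first used from, so a device whose MAC changes (randomization) is indistinguishable from a second device and gets denied, while the copied-certificate case is caught by exactly the same comparison. The post-auth Endpoint Update profile that writes the serial into the endpoint is the prerequisite the reply mentions; without it the count is always 1.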