AAA, NAC, Guest Access & BYOD

Load balancing TACACS authentication when CPPM used as TACACS auth server

Aruba Employee
Problem:

Multiple attempts needed to login to NAD devices via TACACS when CPPM used as TACACS auth server. TACACS requests are load balanced by an external load balancer like F5.

 



Diagnostics:

On taking a pcap, we noticed the TACACS authentication request being forwarded to one Clearpass node and TACACS authorization node being sent to another Clearpass node in the cluster. 

NOTE: To view the TACACS decrypted reply, we need to apply the TACACS shared secret key in the wireshark.

In the below pcap sequence, the NAD IP is 10.226.72.222 and the Clearpass node IP is 10.208.50.37, the authentication request is forwarded to node: 10.208.50.37 as shown in the above and below pcap sequence

Clearpass requests for the password

NAD device sends the password

 

Clearpass authenticates the NAD device.

 

After the authentication succeeds, the authorization request is sent. In the below example, the NAD device is a Cisco WLC

Authorization request sent to a different Clearpass node:10.208.50.38

 

As node:10.208.50.38 did not authenticate the NAD device, the authorization request was not succeeded on this node and returned with unknown status

 

On further analyzing, we found that the TACACS authorization request was sent to different node due to a F5 load balancer in place between the NAD devices and Clearpass cluster and the F5 load balancers were load balancing the TACACS requests from NAD devices.

In Clearpass, as the TACACS authentication is not cached across nodes in cluster, we need to ensure that the TACACS auth request and TACACS authorization request goes to the same Clearpass node.

 



Solution

As F5 was load balancing the requests, we can ensure the TACACS auth and TACACS authorization request hits the same node by enabling session persistence on F5 load balancer.

 

Enabling session persistence on F5 load balancer ensures that the TACACS auth and TACACS authorization for a particular NAD session hits the same Clearpass node and the TACACS authorization would succeeed as shown in below pcap

 

Version history
Revision #:
2 of 2
Last update:
‎11-15-2016 10:11 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: