Controllerless Networks

Hello All,

I have a Customer that has over 32 IAPs on there WLAN Network.

In these 32 IAPs, there exists 4 as Virtual Controllers (Customer's Network is split across 4VLANs). 

On ClearPass, I attempted to add the IP Address of the Virtual Controllers as the NAD Devices but we keep getting an error from both ClearPass and the IAPs indicating that they are not communicating with each other.

ClearPass for some reason keeps authenticating to each individual IAP. So when I add one of the IAPs it's attempting to authenticate, as a NAD, it works just fine.

Does this mean I need to add all 32 IAPs as NAD Devices? I would doubt that.

Any ideas?

In Instant hard set the VC IP address then enable "Dynamic Radius Proxy".  All authentication requests will now be sourced from the VC's IPA and you only need to add the one VC IPA.

Thanks Marcus.

Will give that a shot and let you know.

I believe you also have to set the NAS-ID to your VC IP address inthe RADIUS server config:

I configured the NAS IP Address as the IP Address for the VC. But not so sure what the NAS ID should be.

And should the NAS ID be unique for each VC and can it be any number?

---

@msabin wrote:

I believe you also have to set the NAS-ID to your VC IP address inthe RADIUS server config:

 

---

I'm sorry, I mis-spoke.  I typed before I pasted the screenshot.

I use the NAS IP Address, and not the identifier, so I don't know what the rule-of-thumb is for the ID.

Set the NAS IP, and the dynamic-radius and you should see that any AP in the cluster will claim to be the VC when it sends to the RADIUS server.

Yep! That worked. 

I already had the Virtual Controller's IP Address configured. I just didn't have the Dynamic Radius Proxy enabled.

When I had this enabled, it worked like a charm.