Contributor II
Posts: 58
Registered: ‎08-19-2013

Aruba ClearPass servers load balancing with F5 Big IP

Hey Guys,

We have 3 ClearPass servers in our network. We would like to load balance the RADIUS requests among these 3 ClearPass servers using F5 load balancers.

We've already added the F5 LB as a Network Access Device in ClearPass with a shared secret and configured F5 with ClearPass for authentication, authorisation & accounting with the shared secret.

But F5 needs a ClearPass user account with password to be entered when configuring AAA in it. How can this be accomplished? Do we need to create a local user or use an existing AD domain user in ClearPass?

Could you please help?

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Aruba ClearPass servers load balancing with F5 Big IP

Why would F5 need an account? In my experience, load balancers will accept a RADIUS reject as an indication the server is healthy for load balancing. If an account is needed, I would recommend a local user account and a separate service just for this. That way it can be tracked in its own service and if you need to take a node out for maintenance, etc., just disable the service and the server will be marked down or unhealthy and taken out of the load balancing scheme.

You may also use iRules or a website HTTP check as well to use as a measurement for health as ClearPass is also a web server. Lastly, you can add health checks against SQL too.

If you do a boolean check as mentioned above, it may prove more robust than just AAA as a failure of one service (like SQL) could affect ClearPass even though the RADIUS service still checks out ok.

Hope this all makes sense.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Aruba ClearPass servers load balancing with F5 Big IP

Hey great! Thanks for your reply. That sounds good.

Could you please guide me on the steps to create a service for this local user authentication?

If I'm creating a local user in ClearPass with username and password and going to give these credentials in F5 (when adding health monitors), what kind of service needs to be created on the ClearPass side? 802.1X wired or MAC auth bypass or any other? Because we've configured a wired service with authentication source as local user repository. But we're getting an error in ClearPass: 'service classification failed, failed to classify the service '

Please help! Thanks in advance.
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Aruba ClearPass servers load balancing with F5 Big IP

Can you post the access tracker details for this failure?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Aruba ClearPass servers load balancing with F5 Big IP

Hi,

Please see the attached doc for the access tracker error found on ClearPass during the F5 integration. Would this help?

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Aruba ClearPass servers load balancing with F5 Big IP

Try a generic RADIUS service and add a service categorization of NAD-IP-Address EQUALS 10.197.128.11.

That should work but remember the service ordering is important as well.

Let us know if you need some help here.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Aruba ClearPass servers load balancing with F5 Big IP

Bro,

I think this is gonna work! Now this RADIUS generic service is triggered, but I'm getting a "RADIUS Cannot select appropriate authentication method" error instead. What auth method and sources need to be selected in this service? Can you help?

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Aruba ClearPass servers load balancing with F5 Big IP

Try adding in all of the authentication methods to the service, test with an access request, then look at the entry in access tracker on the input tab and it will tell you the method it used.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Aruba ClearPass servers load balancing with F5 Big IP

This should also be configurable on F5. My guess is PAP or MSCHAP.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Aruba ClearPass servers load balancing with F5 Big IP

Hi,

Yes, you're perfect. The authentication method used is PAP. Now ClearPass can authenticate F5 successfully. I can see it in the access tracker of ClearPass.

I've configured F5 like this: created a virtual server IP, added all 3 ClearPass servers to it, and mentioned the ports (1812 & 1813) to be load balanced.

I've configured a switch with RADIUS details by giving the F5 load balancer virtual server IP so that it'll contact ClearPass for RADIUS authentication through F5. But unfortunately, the RADIUS requests are not getting load balanced successfully.

I'm getting 'radius server dead, can't able to reach radius server' in the switch when it tries to get authenticated via F5.

Is there anything we're missing here? Is there any good document available on F5 integration with ClearPass servers?
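
Added example, not part of any post in this thread and not F5 or ClearPass code: a Python version of the health probe discussed above, a PAP Access-Request where any authentic reply (Accept or Reject) marks a node up and silence or a reply that fails the shared-secret check marks it down. The account name `f5-monitor`, the shared secret and the simulated replies are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def hide_pap_password(password, secret, req_auth):
    """RFC 2865 section 5.2: XOR the zero-padded password with an MD5 keystream."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev  # each ciphertext block keys the next one
    return out

def build_access_request(ident, user, password, secret, req_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = req_auth or os.urandom(16)
    attrs = b""
    for a_type, value in ((USER_NAME, user),
                          (USER_PASSWORD, hide_pap_password(password, secret, req_auth))):
        attrs += struct.pack("!BB", a_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def probe_verdict(reply, ident, req_auth, secret):
    """'up' for an authentic Accept or Reject; 'down' for silence or a bad reply."""
    if reply is None or len(reply) < 20:
        return "down"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return "down"
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return "down"
    reply = reply[:length]  # bytes past Length are padding
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return "up" if hmac.compare_digest(expected, reply[4:20]) else "down"

def fake_reply(code, ident, req_auth, secret):
    """Constructed stand-in for a ClearPass node's reply (no attributes)."""
    head = struct.pack("!BBH", code, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value, not from the thread
    pkt, ra = build_access_request(7, b"f5-monitor", b"wrong-on-purpose", secret)
    print(len(pkt), probe_verdict(fake_reply(ACCESS_REJECT, 7, ra, secret), 7, ra, secret))
    print(probe_verdict(fake_reply(ACCESS_REJECT, 7, ra, b"other"), 7, ra, secret))
    print(probe_verdict(None, 7, ra, secret))
```

PAP only masks the password with MD5 and the shared secret, which is one more reason to give the probe the dedicated local account and separate service recommended earlier in the thread rather than an AD domain user.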
