Contributor I
Posts: 90
Registered: ‎08-03-2009

CPPM Cluster and Certificates

In a CPPM cluster configuration, we have two nodes, one publisher and one subscriber, and a VIP is configured.

Do I need to install two separate server certificates for each of the nodes? I have seen that the certificate which was installed on the first node before making it a cluster has replicated to the subscriber. But does this work in the event of a subscriber failure, as the FQDN of the subscriber is different: cppm1.abc.com and cppm2.abc.com?

What are the considerations in a cluster environment with a VIP configured regarding certificates, CoA, Onboard, etc.?

I have seen a document for OnGuard in the cluster environment; do you have any other docs/pointers?

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: CPPM Cluster and Certificates

Please see the article here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Certificate-Issues-Questions/td-p/94444

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: CPPM Cluster and Certificates

Typically you would want to use a SAN cert for clusters.

CN=VIP

SAN=VIP,CPPM1,CPPM2

Your local SE should be able to give you a document on certs.

Thank You,
Troy

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: CPPM Cluster and Certificates

[ Edited ]

Hi all,

We are planning to do clustering in an L3 environment.

Can I use the same server certificate for both ClearPasses, so that if the subscriber fails the publisher can authenticate onboarded devices, instead of going for SAN?

If the publisher goes down, the subscriber can be promoted to active publisher and it can authenticate traffic which comes to the publisher.

I have a doubt after I went through the tech note. They are suggesting not to go with a Virtual IP in an L3 environment. How to do clustering over L3?

And if we onboard at the subscriber location, do devices get registered in the publisher and then replicated to the subscriber, or get registered in the subscriber and replicated to the publisher? I am a bit confused.

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: CPPM Cluster and Certificates

Yes you can use the same cert but it should be a SAN. I do this in most deployments.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
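
The name-coverage question in the posts above (a CN-only certificate versus CN=VIP with SAN=VIP,CPPM1,CPPM2), as an added example that is not part of the thread and is not ClearPass code. It applies the standard TLS hostname-matching rule (RFC 6125); the VIP name `cppm-vip.abc.com` and the function names are assumptions.

```python
# Added example (not ClearPass code): which cluster names does a server
# certificate cover under the standard TLS hostname-matching rule (RFC 6125)?

# Node FQDNs are from the thread; the VIP name is an assumed placeholder.
VIP = "cppm-vip.abc.com"
REQUIRED = [VIP, "cppm1.abc.com", "cppm2.abc.com"]


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate dNSName with the name the client connected to."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return False


def missing_names(cn, san_dns, required=REQUIRED, cn_fallback=True):
    """Return the required names the certificate does NOT cover.

    If the certificate carries any SAN dNSName, the CN is ignored.
    cn_fallback=True models legacy clients that use the CN when no SAN
    exists; cn_fallback=False models clients that never consult the CN.
    """
    if san_dns:
        candidates = list(san_dns)
    elif cn_fallback:
        candidates = [cn]
    else:
        candidates = []
    return [n for n in required
            if not any(name_matches(c, n) for c in candidates)]


if __name__ == "__main__":
    cases = {
        "CN only (publisher FQDN)": ("cppm1.abc.com", []),
        "CN=VIP, SAN=VIP,CPPM1,CPPM2": (VIP, REQUIRED),
        "CN=VIP, SAN lists nodes only": (VIP, REQUIRED[1:]),
    }
    for label, (cn, san) in cases.items():
        print(f"{label}: missing {missing_names(cn, san) or 'nothing'}")
```

The third case shows why the VIP is listed in the SAN as well as the CN: once a SAN is present, a name that appears only in the CN is not matched.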
Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: CPPM Cluster and Certificates

[ Edited ]

I already have 200 devices onboarded in the main location and we have deployed a new setup in a remote location.

I have configured only CN. To configure it again I have to create a signing request with SAN.

I have to re-onboard all the devices, right, for failover to work?

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: CPPM Cluster and Certificates

[ Edited ]

No. The RADIUS server certificate does not impact your Onboarding.

Yes, everything is replicated to the subscriber but only the publisher has write access to the database.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: CPPM Cluster and Certificates

But you said it should be SAN. Generally CPPM looks for the CN, right, if SAN is not given.

No... but on the publisher which has 200 devices, can't I go with just CN and importing the publisher certificate in the subscriber?

My CPPM host name is different and the CN is different, and TAC has said that it won't work with the CN having a different name which is not the hostname, as it won't resolve DNS.

How is CN related to DNS? I'm fully confused.

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: CPPM Cluster and Certificates

What is the host name and what is the CN?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: CPPM Cluster and Certificates


srikanthsoogoor wrote:

But you said it should be SAN. Generally CPPM looks for the CN, right, if SAN is not given.

No... but on the publisher which has 200 devices, can't I go with just CN and importing the publisher certificate in the subscriber?

My CPPM host name is different and the CN is different, and TAC has said that it won't work with the CN having a different name which is not the hostname, as it won't resolve DNS.

How is CN related to DNS? I'm fully confused.


srikanthsoogoor,

Please feel free to download the ClearPass Certificates Technote written by our own Danny Jump here: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13734

Colin Joseph
Aruba Customer Engineering
