Security

Reply
Occasional Contributor II

CPPM Distributed Deployment

Hi guys,

I have CPPM in my DC and I decided to configure it as the active/standby publishers. I also have CPPM to my remote locations running as subscribers.

 

This DC and remote locations has their own AD although this AD is integrated to each other.

 

My question is, is it possible that my subscribers will talk to the local AD while the AD in DC will be integrated to the DC CPPM as a fallback mechanism?

 

Thanks

Re: CPPM Distributed Deployment

For the domain join, you can set the password servers to be used for each appliance in the service manager:

2017-11-02 10_24_16-ClearPass Policy Manager - Aruba Networks.pngThe default is that ClearPass will pick the fastest responding server, but if you want to better control it and for example prevent ClearPass in the datacenter to query a domain controller in a branch, this is how you do it.

 

For the Authentication Source, it might be that you need to create an Authentication source per ClearPass subscriber and create different services with those sources (same content like role-mapping and enforcement policies).

 

For these type of designs, please involve a qualified ClearPass partner or professional services as this should be considered an advanced configuration.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: CPPM Distributed Deployment

hi herman,

but how will clearpass determine if this auth client is coming from SITE A or SITE B?

thanks

Re: CPPM Distributed Deployment

You can check on the NAD (switch/AP) source IP, or use device groups for this and match the service against one of those.

 

If your NAD sends its name in the NAS identifier, and that has a geographical code in the code, like: NL-AMS-SW31, or JP-TKY-MC03, you can even check if that name begins with NL-AMS, or JP. 

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: