CPPM Virtual IP for Captive Portal and RADIUS?

Hi All,

 

Scenario: CPPM Cluster with 2 or more instances. Multi controller deployment. Redundancy is required.

 

What's the verdict on using the CPPM Virtual IP (VIP) address for captive portal and RADIUS requests?

 

My understanding is just to use the virtual IP(s) for captive portals and populate RADIUS clients with each CPPM instance. To balance RADIUS requests between the CPPM instances I would configure RADIUS clients like so:

 

RADIUS Client 1

RADIUS Server group

Priority 1: CPPM1

Priority 2: CPPM2

 

RADIUS Client 2

RADIUS Server group

Priority 1: CPPM2

Priority 2: CPPM1

 

Is that the recommended way to configure this?

 

Why not configure 2 x VIPs?

 

VIP1: 

Primary node: CPPM1

Secondary node: CPPM2

VIP2: 

Primary node: CPPM2

Secondary node: CPPM1

 

 

Then configure the RADIUS clients:

 

RADIUS Client 1

RADIUS Server group

Priority 1: VIP1

 

RADIUS Client 2

RADIUS Server group

Priority 1: VIP2

 

What are the advantages/disadvantages? Thoughts?

 

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

Guru Elite

Re: CPPM Virtual IP for Captive Portal and RADIUS?

I'm not sure there's any benefit of using VIPs for RADIUS. It just adds complexity. 

The only time I use the VIP for RADIUS is if the NAD doesn't support more than 1 server. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: CPPM Virtual IP for Captive Portal and RADIUS?

Ok, so just rely on the RADIUS client to identify if the RADIUS server is "working" and fail through to the next if the first fails.

 

Would the time for the VIP to fail over be longer than the time it takes for a RADIUS client to identify a server is down?

 

It looks like VIP failover would be quicker (with the Aruba defaults).

Cheers
James

Guru Elite

Re: CPPM Virtual IP for Captive Portal and RADIUS?

It should happen pretty quickly as there will be a significant number of timeouts if the server is down. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: CPPM Virtual IP for Captive Portal and RADIUS?

Thanks Tim.

Cheers
James

Occasional Contributor I

Re: CPPM Virtual IP for Captive Portal and RADIUS?

From my experience you don't want to use the VIP for RADIUS (except when you can only configure 1 RADIUS server). The reason is that if the RADIUS process fails or is not running, the VIP doesn't fail over.
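
The two designs discussed in this thread, modelled as an added example (not part of any post above and not Aruba code). It assumes, as the last reply describes, that a VIP moves only when the node holding it goes down; `Node`, `vip_owner`, `authenticate` and `run` are hypothetical names.

```python
# Added illustration, not Aruba code. Assumption taken from the last reply:
# a VIP follows node health only, not the state of the RADIUS service.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Node:
    name: str
    node_up: bool = True     # host reachable on the network
    radius_up: bool = True   # RADIUS service answering requests

    def answers_radius(self) -> bool:
        return self.node_up and self.radius_up


def vip_owner(primary: Node, secondary: Node) -> Node:
    """The VIP stays on the primary while that node is up."""
    return primary if primary.node_up else secondary


def authenticate(group: List[Callable[[], Node]]) -> Optional[str]:
    """NAD behaviour: try servers in priority order, move on after a timeout."""
    for resolve in group:
        node = resolve()
        if node.answers_radius():
            return node.name
    return None  # every configured server timed out


def run(failure: str) -> Dict[str, Dict[str, Optional[str]]]:
    cppm1, cppm2 = Node("CPPM1"), Node("CPPM2")
    if failure == "node_down":
        cppm1.node_up = False
    elif failure == "radius_process_down":
        cppm1.radius_up = False
    designs = {
        "per_node": {"client1": [lambda: cppm1, lambda: cppm2],
                     "client2": [lambda: cppm2, lambda: cppm1]},
        "two_vips": {"client1": [lambda: vip_owner(cppm1, cppm2)],
                     "client2": [lambda: vip_owner(cppm2, cppm1)]},
    }
    return {d: {c: authenticate(g) for c, g in clients.items()}
            for d, clients in designs.items()}


if __name__ == "__main__":
    for failure in ("none", "node_down", "radius_process_down"):
        print(failure, run(failure))
```

Under this model both designs survive a node outage, but only the per-node server list keeps client 1 authenticating when the RADIUS service stops on a node that is otherwise up.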
