Contributor II
Posts: 49
Registered: ‎02-03-2016

ClearPass Cluster with VIP or not?

[ Edited ]

Hi!

 

I'm just planning the integration of a CP-VA-500 as a Standby-Publisher which should add redundancy to an existing CP-HW-500 (v6.6.5) in a small environment (both are L2 connected).

Auto-promote from a Standby Subscriber to an Active Publisher would be enough 'high-availability' in case the primary Publisher fails.

 

I'm using the CPPM for Radius, Tacacs, ClearPass Guest with self-registration, Onboarding (BYOD) and do have a public wildcard certificate for Guest Authentication in place.

 

After studying the Tech Note: ClearPass Clustering Design Guidelines v1.2 (which is an excellent source) there are still some questions left.

 

Questions:

- Can I migrate the IP of the publisher to be the VIP?

- What is the best practice to do this?

- I'm using both the Data and the Management interface:

  Which Interface/Network will become the VIP?

  NADs are talking to the Management Port at the moment.

  Guest and BYOD authentication traffic goes to the Data Port.

- What is the real benefit of configuring a VIP?

- Will I lose anything when the "auto-promoted" former Subscriber becomes the Active Publisher?

 

Thank you in advance for your hints and ideas.

 

With kind regards

Manfred

 

 

Guru Elite
Posts: 8,743
Registered: ‎09-08-2010

Re: ClearPass Cluster with VIP or not?

[ Edited ]

- Can I migrate the IP of the publisher to be the VIP?

It's best to assign a new IP. NADs should point to individual servers for RADIUS and TACACS, not the VIP so that you can utilize load balancing.

 

- What is the best practice to do this?

- I'm using both the Data and the Management interface:

  Which Interface/Network will become the VIP?

  NADs are talking to the Management Port at the moment.

  Guest and BYOD authentication traffic goes to the Data Port.

Why are you using both ports? What was your design goal?

 

- What is the real benefit of configuring a VIP?

The VIP is really designed to provide an always available URL for captive portal workflows. You don't want to be touching your configuration all the time to change it to clearpass-1.domain.xyz vs clearpass-2.domain.xyz.

 

- Will I lose anything when the "auto-promoted" former Subscriber becomes the Active Publisher?

You've effectively halved your long term capacity with one node.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 49
Registered: ‎02-03-2016

Re: ClearPass Cluster with VIP or not?

Thank you for your fast response.

 

  - I'm using both the Data and the Management interface:

    Which Interface/Network will become the VIP?

    NADs are talking to the Management Port at the moment.

    Guest and BYOD authentication traffic goes to the Data Port.

Why are you using both ports? What was your design goal?

 

To be honest:

You have addressed the weak point perfectly.

I'm now thinking that was poor design and not necessary.

The only reason was that the customer has a Management VLAN for all networking devices. I will change the configuration before adding the Subscriber to only use the Management Port with the IP of the Data Port and disconnect the Data Port.

This would help a lot to make it easier with the VIP.

All Radius Clients already have the correct IP address configured, which will be the Management Port after this change. Nobody uses the IP address of the Management Port at the moment, I think.

 

I will report my experience doing this.

 

Contributor II
Posts: 49
Registered: ‎02-03-2016

Re: ClearPass Cluster with VIP or not?

[ Edited ]

Experience Report Migration Data Port to MGMT Port:

 

Deleting IP on Data Port with the GUI worked without problems.

After a successful restart of the CP services I've changed the MGMT Port address with the GUI to the address which was assigned to the Data Port before.

 

Restart of the CP services was not successful - the new IP address was reachable (ping) but the GUI did not come up (also no response on the CLI SSH connection).

I had to visit the customer and do a power cycle of the CP-HW-500 v1.

 

After that the restart was successful - all services are up and running again.

 

I could also configure a VIP on the MGMT Port - even without the existence of the second Subscriber which will be integrated soon.

Could not test the functionality of the VIP - but it is reachable with ping.

 

 

 

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: ClearPass Cluster with VIP or not?

See this video
http://community.arubanetworks.com/t5/Video/VIDEO-Using-Virtual-IP-interfaces-in-a-ClearPass-Cluster/ta-p/78564

The common name you defined in your certificate needs to have an entry in your DNS server pointing to the VIP.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 49
Registered: ‎02-03-2016

Re: ClearPass Cluster with VIP or not?

[ Edited ]

My findings after successful cluster setup are as follows.

(The ClearPass Cluster WITH a VIP is now up and running)

 

Some important things from my personal experience:

- Don't forget to join the Subscriber also to the AD

- Configure the SNMP Parameters on the Subscriber

- I have installed all Updates and Hotfixes to the same level as the Publisher before activating the Subscriber (Updating to a higher level can be done after setting up the cluster)

- Add the Subscriber IP to all Radius/Tacacs Devices as Secondary Radius/Tacacs Server

- Evaluate the need/benefits of Radius Loadbalancing

- Adding the VIP was no problem even before the Subscriber is member of the cluster.

- Select an easy-to-understand name for the HTTPS certificate of the VIP (such as guestlogin.domain.com and NOT the hostname of the Publisher or Subscriber)

- Set the Clusterwide Parameters to promote the Standby Publisher

see: http://www.arubanetworks.com/techdocs/ClearPass/6.6/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_clusterwideparams.htm

 

 

Very helpful material:

 

Must read (Thank you Danny...)

Tech Note: ClearPass 6.x Clustering Design Guidelines V1.2

 

General (Thank you Herman...):

Aruba ClearPass Workshop Videos

and especially:

Building a ClearPass Cluster
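Two points from this thread (the certificate name must resolve in DNS to the VIP, and the portal name should be a dedicated name covered by the guest certificate rather than a node hostname) can be verified before cutover. The script below is an added example, not part of the thread or of ClearPass; `guestlogin.example.com`, the VIP `192.0.2.10` and the node hostnames are constructed placeholders, and the wildcard matching follows the single-label rule public CAs apply.

```python
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.domain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.domain.com" -> ".domain.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    # One label only: guestlogin.domain.com is covered, a.b.domain.com is not.
    return bool(left) and "." not in left


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if a SAN dNSName (or the CN when there are no SANs) covers hostname.
    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(hostname_matches(n, hostname) for n in names)


def fetch_cert(portal_name: str, vip: str, port: int = 443) -> dict:
    """Connect to the VIP with SNI set to the portal name and return the server
    certificate. CA verification stays on (getpeercert() only returns the parsed
    cert for a verified chain); the hostname check is done by cert_covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((vip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=portal_name) as tls:
            return tls.getpeercert()


def resolve(name: str) -> set:
    """All addresses the portal name resolves to (A and AAAA)."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}


def check_vip_name(portal_name, vip, node_hostnames, cert, resolver=resolve):
    """Return a list of findings; an empty list means the VIP name passes."""
    problems = []
    if portal_name.lower() in {h.lower() for h in node_hostnames}:
        problems.append(f"{portal_name} is a cluster node hostname, not a VIP-only name")
    addrs = resolver(portal_name)
    if vip not in addrs:
        problems.append(f"DNS for {portal_name} gives {sorted(addrs)}, not the VIP {vip}")
    if not cert_covers(cert, portal_name):
        problems.append(f"certificate does not cover {portal_name}")
    return problems
```

Run it as `check_vip_name("guestlogin.example.com", "192.0.2.10", {"cp1.example.com", "cp2.example.com"}, fetch_cert("guestlogin.example.com", "192.0.2.10"))` once the VIP answers on 443; the `resolver` argument exists so the checks can be exercised offline.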
