Regular Contributor I
Posts: 187
Registered: ‎03-27-2013

ClearPass Cluster

Hi,
my customer has a ClearPass server. It has become very important for him, so he has decided to buy another server to have high availability.

It is not very clear how I can make a cluster.

I am thinking of proceeding this way:

On the secondary node:

- Join the ClearPass to the domain
- Make the ClearPass the subscriber node

On the primary node:
- Configure a VIP (Virtual IP) for VRRP

On the controller:
- Create an authentication server with the VIP IP.

Correct?

Andrea
Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: ClearPass Cluster

Everything is correct except:

- You need to issue a RADIUS server certificate to the subscriber and add the root CA of the RADIUS server certificate to its trusted certificate store.

- You don't have to create the VIP IP.  You could have the IP address of the publisher as the primary RADIUS server on the controller and the subscriber as the secondary RADIUS server on the controller.  If the publisher stopped answering, the controller would choose the subscriber.  The VIP is typically created when you want to provide redundancy for guest traffic or Onboard, since you can only redirect users to a single URL.  On controllers you can specify a primary and backup RADIUS server, so you don't need to configure a VIP.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 187
Registered: ‎03-27-2013

Re: ClearPass Cluster

Hi,

it is all clear except:

"You need to issue a radius server certificate to the subscriber and add the root CA of the radius server certificate to its trusted certificate store."

Why do I have to do it?
For the publisher I have not done it.
By root CA, do you mean the publisher or the customer's CA?

Best regards

Andrea
Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: ClearPass Cluster

Every RADIUS server needs a server certificate.  Your publisher comes with a self-signed RADIUS certificate, just for evaluation purposes.  Everyone replaces that certificate with a real RADIUS server certificate.  It is the same situation with the subscriber.

When you try to replace the self-signed certificate with a real RADIUS server certificate, it will not let you proceed unless you upload the CA certificate from the CA that issued the RADIUS server certificate.  This is for both publisher and subscriber.


Colin Joseph
Aruba Customer Engineering
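
A pre-flight check for the certificate step described above, as an added example that is not part of the original posts: before importing a RADIUS server certificate on the publisher or the subscriber, confirm it is not self-signed, has not expired, and verifies against the CA certificate you will upload. File and function names are hypothetical, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Function and file names are hypothetical.

# check_radius_cert SERVER_CERT_PEM CA_CERT_PEM
# Returns: 0 ok, 1 self-signed, 2 does not verify against the CA file,
#          3 expired, 4 unreadable certificate.
check_radius_cert() {
    cert=$1
    cafile=$2

    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "$cert: not a readable PEM certificate" >&2
        return 4
    fi

    # A self-signed certificate verifies against itself, so reject it
    # explicitly: subject and issuer names hash to the same value.
    subj=$(openssl x509 -in "$cert" -noout -subject_hash)
    issr=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$subj" = "$issr" ]; then
        echo "$cert: self-signed (evaluation-style) certificate" >&2
        return 1
    fi

    # -checkend 0 fails when notAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$cert: certificate has expired" >&2
        return 3
    fi

    # Verify the chain using only the supplied CA file, not the system CA path.
    if ! openssl verify -no-CApath -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not verify against $cafile" >&2
        return 2
    fi
    return 0
}

# check_cluster_certs CA_CERT_PEM CERT_PEM...
# Checks every node certificate (publisher, subscriber) against the same CA
# and returns the number of certificates that failed.
check_cluster_certs() {
    cluster_ca=$1
    shift
    failed=0
    for node_cert in "$@"; do
        check_radius_cert "$node_cert" "$cluster_ca" || failed=$((failed + 1))
    done
    return "$failed"
}
```
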

Regular Contributor I
Posts: 187
Registered: ‎03-27-2013

Re: ClearPass Cluster

Hi,

I have a question about your suggestions.

I have configured both Guest and Internal authentication on ClearPass.

For the guest I have to insert the virtual IP for the captive portal and that is OK, but for the RADIUS authentication server group, is it better to add 2 different servers with real IPs or one with the virtual IP?

And if I decide to use 2 servers, is the Fail Through automatic, or do I have to set something?

Thanks in advance

Best regards

Andrea Acampa

Andrea
Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: ClearPass Cluster

I always use the two servers individually for RADIUS; this way the controller can load balance the requests.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480