Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass GUEST with high latency cluster

  • 1.  ClearPass GUEST with high latency cluster

    Posted Nov 10, 2015 05:04 PM

    Hi,

     

    I have been working to get our new CPPM server up and running. This new server is located in a remote office which has a latency of around 300ms+. It has been joined to our existing cluster.

     

    I am curious about the topology of how ClearPass Guest works in this scenario.

    We have a captive portal that is being hosted from the CPPM.

    The guest network in our remote office is set up to connect back to the publisher ClearPass and not the local subscriber. The registration of the guest accounts all occurs against the publisher. The authentication, though, occurs against the local subscriber. This is where I am running into issues. It seems that the subscriber node is not able to sync the data in time and I am left with a message stating that the user does not exist in the Guest Repository.

     

    I am just curious about what the proper setup is for this scenario? I feel like I am missing the boat when it comes to how the ClearPass Guest should be structured. As well, in general, the latency has presented challenges I didn't expect.

     

    I was thinking that for the Captive Portal configuration instead of pointing it at the CPPM in the local site I would point it to the publisher. Is this the correct way to handle this? Or am I completely out to lunch?



  • 2.  RE: ClearPass GUEST with high latency cluster

    Posted Nov 10, 2015 10:08 PM

    Take a look at the ClearPass Deployment Guide. It has specific recommendations. Check the section on Cluster Design Considerations.

     

    http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Default.htm#5%20Cluster%20Deployment/Design_guidelines.htm

     

     



  • 3.  RE: ClearPass GUEST with high latency cluster

    Posted Nov 12, 2015 10:51 AM

    Thank you for your reply.

     

    I read over the document.

    Everything for the most part makes sense.

    We are definitely experiencing issues with the latency.

    The way our Guest is set up is correct, but because of the replication delays we run into issues.

     

    The geographical zoning configuration sounds like something we may need to implement. However, I do have some concerns about the runtime data that isn't synchronized. The document explicitly mentions that the endpoints db information isn't. We do have users that travel between the locations on a regular basis and it would be handy to have this data present in our remote locations.

     

    I believe that the major issue is related to the link we have to our remote location. It is very small, well under what is recommended in this document.

     

    I will continue to investigate, thank you for this document!

     

    Cheers

     



  • 4.  RE: ClearPass GUEST with high latency cluster

    Posted Nov 12, 2015 10:47 PM

    I was able to overcome the guest latency issue by having the guest authentication sent back to the publisher.

    Seems to work as a temporary fix until we address the real issue behind the latency.

     

    So much more to learn!



  • 5.  RE: ClearPass GUEST with high latency cluster

    Posted Nov 13, 2015 10:19 AM

    I was wondering if someone might be able to help with how the Endpoints db works when in a cluster.

     

    If an enforcement policy is writing attributes into the Endpoints db for a particular endpoint, where is that actually happening? Is that happening in the subscriber or in the publisher? If the RADIUS request is being handled by a subscriber, does that mean the write is happening in the subscriber?

     

    I am a little confused on that point.



  • 6.  RE: ClearPass GUEST with high latency cluster

    Posted Oct 16, 2017 08:13 PM

    Bump.. running into the same issue and ran across this. I have CPPM nodes at a remote site, but only ~20ms latency, and I'm still seeing this issue with Guest. The Webauth is performed on the publisher, which writes the endpoint details to the DB. The client is re-authenticated, but the details haven't made it back to the remote CPPM node yet, so guest auth fails to see the new endpoint attributes. What are other possible solutions for this? The only thing I can think of currently is to force all my Guest SSID RADIUS back to the publisher node, which is what it looks like the OP did. Any other thoughts? I have my CoA delay up as high as 7 seconds and it still isn't enough time.. What is an expected time for a publisher to sync endpoint details back to a subscriber? 



  • 7.  RE: ClearPass GUEST with high latency cluster

    EMPLOYEE
    Posted Oct 17, 2017 05:11 AM

    This is a very old thread. Next time, please create a new one.

     

    Which network device is in use here?



  • 8.  RE: ClearPass GUEST with high latency cluster

    Posted Oct 17, 2017 09:22 AM
    In my case, Cisco WLC with MAC auth and server-based CoA redirect.


  • 9.  RE: ClearPass GUEST with high latency cluster

    EMPLOYEE
    Posted Oct 17, 2017 09:30 AM
    Why aren't you using client-initiated login?


  • 10.  RE: ClearPass GUEST with high latency cluster

    Posted Oct 17, 2017 09:35 AM
    I need both wired and wireless redirects, tried to keep both with similar setups, and I also need more dynamic URL redirects to different guest pages based on several different use cases.