Super Contributor II

Re: ClearPass subscriber out of sync

Thanks for the explanation @cappalli!

Sorry for my ignorance but I was just wondering about the age out time. Would this be beneficial if on your controllers/switches you had a secondary auth server configured? Or does this help with preventing the controllers/switches needlessly sending requests?

Re: ClearPass subscriber out of sync

Very good point, Tim.
Guru Elite

Re: ClearPass subscriber out of sync

It all depends on how you have things set up.

My previous environment did not use a VIP on ClearPass, so each server was set up individually as an authentication server in the controllers and switches. We did use RADIUS load-balancing in AOS 6.4, so by stopping the services, it would put that authentication server out-of-service.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass subscriber out of sync

Hi geeks,

 

I had a situation: one of my subscribers went out of sync for more than 24 hours, and the publisher declared it out of sync. Therefore, I dropped the subscriber from the cluster via the subscriber node.

After I rejoined the cluster, all its authenticated machine cache had been erased. Therefore, it was not accepting any user auth due to the absence of machine auth. Then I needed to reboot the machines to get the machine auth done.

Did I do something wrong in rejoining the cluster? Is this expected behaviour, or is there a better way to do things?

Super Contributor II

Re: ClearPass subscriber out of sync

I can't speak to whether or not the machine cache being cleared is normal or not.

You can avoid this issue though by writing an attribute into the endpoint database when a machine successfully authenticates. Then use a role mapping to give the machine a role based on that attribute.

This is especially helpful with laptops that disappear on a business trip and then the user comes back, but has put their laptop to sleep and not signed out.

Occasional Contributor I

Re: ClearPass subscriber out of sync

Hi,

As of today, is it still the only solution to drop a subscriber if it's out of sync?

That would mean if you're using VIPs on that node, you need to delete them and set up everything again after re-adding the node?

That would cause downtime in my case...

Many thanks in advance.

Aruba Employee

Re: ClearPass subscriber out of sync

Hi,

It is not always necessary to drop the subscriber and rejoin the cluster if it is out of sync. You need to check the logs to see why it went out of sync.

We could try restarting the DB replication service and check the status.

Regards,

Pavan

Guru Elite

Re: ClearPass subscriber out of sync

You can remove a node from the virtual IP without deleting it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480