Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: ClearPass subscriber out of sync

Thanks for the explanation @cappalli!


Sorry for my ignorance but I was just wondering about the age out time. Would this be beneficial if on your controllers/switches you had a secondary auth server configured? Or does this help with preventing the controllers/switches needlessly sending requests?

Posts: 1,110
Registered: ‎10-11-2011

Re: ClearPass subscriber out of sync

Very good point, Tim.
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 8,178
Registered: ‎09-08-2010

Re: ClearPass subscriber out of sync

It all depends on how you have things set up.

My previous environment did not use a VIP on ClearPass, so each server was set up individually as an authentication server in the controllers and switches. We did use RADIUS load-balancing in AOS 6.4, so by stopping the services, it would put that authentication server out-of-service.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 1
Registered: Monday

Re: ClearPass subscriber out of sync

Hi geeks,


I had a situation: one of my subscribers went out of sync for more than 24 hours, and the publisher has declared it out of sync. Therefore, I dropped the subscriber from the cluster via the subscriber node.


After I rejoined the cluster, all its authenticated machine cache had been erased. Therefore it was not accepting any user auth due to the absence of machine auth. Then I needed to reboot the machines to get the machine auth done.


Did I do something wrong in rejoining the cluster? Is this expected behaviour, or is there a better way to do things?

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: ClearPass subscriber out of sync

I can't speak to whether or not the machine cache being cleared is normal or not.


You can avoid this issue though by writing an attribute into the endpoint database when a machine successfully authenticates. Then use a role mapping to give the machine a role based on that attribute.


This is especially helpful with laptops that disappear on a business trip and then the user comes back, but has put their laptop to sleep and not signed out.
