06-04-2014 06:33 AM
Thanks for the explanation @cappalli!
Sorry for my ignorance but I was just wondering about the age out time. Would this be beneficial if on your controllers/switches you had a secondary auth server configured? Or does this help with preventing the controllers/switches needlessly sending requests?
06-04-2014 07:17 AM
06-04-2014 07:25 AM
My previous environment did not use a VIP on ClearPass, so each server was set up individually as an authentication server in the controllers and switches. We did use RADIUS load-balancing in AOS 6.4, so by stopping the services, it would put that authentication server out-of-service.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
I had a situation: one of my subscribers went out of sync for more than 24 hours, and the publisher declared it out of sync. Therefore, I dropped the subscriber from the cluster via the subscriber node.
After I rejoined the cluster, all of its authenticated machine cache had been erased. Therefore it was not accepting any user auth due to the absence of machine auth. Then I needed to reboot the machines to get the machine auth done.
Did I do something wrong in rejoining the cluster? Is this expected behaviour, or is there a better way to do things?
I can't speak to whether or not the machine cache being cleared is normal or not.
You can avoid this issue though by writing an attribute into the endpoint database when a machine successfully authenticates. Then use a role mapping to give the machine a role based on that attribute.
This is especially helpful with laptops that disappear on a business trip and then the user comes back, but has put their laptop to sleep and not signed out.