Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: ClearPass subscriber out of sync

Thanks for the explanation @cappalli!


Sorry for my ignorance but I was just wondering about the age out time. Would this be beneficial if on your controllers/switches you had a secondary auth server configured? Or does this help with preventing the controllers/switches needlessly sending requests?

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: ClearPass subscriber out of sync

Very good point, Tim.
=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: ClearPass subscriber out of sync

It all depends on how you have things set up.

My previous environment did not use a VIP on ClearPass, so each server was set up individually as an authentication server in the controllers and switches. We did use RADIUS load-balancing in AOS 6.4, so by stopping the services, it would put that authentication server out-of-service.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 2
Registered: ‎03-20-2017

Re: ClearPass subscriber out of sync

Hi geeks,


I had a situation where one of my subscribers went out of sync for more than 24 hours, and the publisher declared it out of sync. Therefore, I dropped the subscriber from the cluster via the subscriber node.


After I rejoined the cluster, all its authenticated machine cache had been erased. Therefore it was not accepting any user auth due to the absence of machine auth, and I needed to reboot the machines to get the machine auth done.


Did I do something wrong in rejoining the cluster? Is this expected behaviour, or is there a better way to do things?

Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: ClearPass subscriber out of sync

I can't speak to whether or not the machine cache being cleared is normal or not.


You can avoid this issue though by writing an attribute into the endpoint database when a machine successfully authenticates. Then use a role mapping to give the machine a role based on that attribute.


This is especially helpful with laptops that disappear on a business trip and then the user comes back, but has put their laptop to sleep and not signed out.
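To make the workaround above concrete, here is an added model (not ClearPass code, and not the poster's) of why an endpoint attribute survives where the machine-auth cache does not: the cache is volatile per node and is lost on a cluster rejoin, while the endpoint database is replicated from the publisher. The attribute name `Machine Authenticated` and the `max_age` check are assumptions for the illustration.

```python
"""Model of ClearPass machine-auth state: volatile cache vs. persisted endpoint attribute."""
from dataclasses import dataclass, field

ONE_DAY = 24 * 3600


@dataclass
class Subscriber:
    # Volatile machine-auth cache: MAC -> expiry timestamp. Lost when the node is
    # dropped from and rejoined to the cluster (the behaviour described in the thread).
    machine_auth_cache: dict = field(default_factory=dict)
    # Endpoint database: MAC -> attributes. Replicated cluster-wide, so it survives a rejoin.
    endpoint_db: dict = field(default_factory=dict)

    def machine_auth_success(self, mac: str, now: int, ttl: int = ONE_DAY) -> None:
        """On a successful machine (computer) authentication, update both the cache and
        the endpoint record. Writing the attribute is the workaround from the post."""
        self.machine_auth_cache[mac] = now + ttl
        self.endpoint_db.setdefault(mac, {})["Machine Authenticated"] = now  # assumed attribute name

    def rejoin_cluster(self) -> None:
        """Dropping and re-adding the subscriber clears the cache but keeps the endpoint DB."""
        self.machine_auth_cache.clear()

    def role_for_user_auth(self, mac: str, now: int, use_endpoint_attr: bool,
                           max_age: int = 30 * ONE_DAY) -> str:
        """Role mapping for a subsequent user authentication from the same endpoint.
        With use_endpoint_attr=False only the cache counts (the failing case);
        with True the endpoint attribute is also accepted, bounded by max_age so a
        laptop that never re-authenticates its machine account is not trusted forever."""
        if self.machine_auth_cache.get(mac, 0) > now:
            return "Machine-Auth-User"
        if use_endpoint_attr:
            stamp = self.endpoint_db.get(mac, {}).get("Machine Authenticated")
            if stamp is not None and now - stamp <= max_age:
                return "Machine-Auth-User"
        return "User-Only"


def demo() -> tuple:
    """Constructed scenario: machine auth, cluster rejoin, then user auth with each policy."""
    sub = Subscriber()
    sub.machine_auth_success("aa:bb:cc:dd:ee:ff", now=1_000)
    before = sub.role_for_user_auth("aa:bb:cc:dd:ee:ff", now=2_000, use_endpoint_attr=False)
    sub.rejoin_cluster()
    cache_only = sub.role_for_user_auth("aa:bb:cc:dd:ee:ff", now=3_000, use_endpoint_attr=False)
    with_attr = sub.role_for_user_auth("aa:bb:cc:dd:ee:ff", now=3_000, use_endpoint_attr=True)
    return before, cache_only, with_attr
```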
