Security

Dear Airheads experts,

I have some questions regarding ClearPass vip address.

Can I use on the NAD side (for example aruba controller) only the ClearPass VIP address as a RADIUS server if I have two ClearPass in a cluster?

eg.: server group - ClearPass VIP address

If I do it this way which ClearPass will serve the RADIUS requests If both ClearPass is up? The publisher? or is it load balanced?

And what about if the publisher goes down?

I have to move the ClearPass from one platform to another (ESX-Hyperv) and than I have to add a second node to it. I think If we don't have a big downtime we can do it the following way:

1. Clean install on the hyper-v

2. add a different ip to the clearpass than the active esx node

2. restore the configuration without the ip ( uncheck "Restore cluster server/node entries from backup")

3. add a subscriber node with different ip

4. add vip address (previous clearpass ip on esx)

My second idea is to move the clearpass what is on the esx with its ip and just add a subscriber node to it. Then add the subscriber ip on the NAD devices to the server group as a failover RADIUS or check LB if it is necessary.

Could you help me what is the best practise in this case?

Thank you in advance for your help!

Zs

Can I suggest that you read my ClearPass Clustering TechNote. Then come back with any outstanding Q's you have.

In respect of moving from ESXi -> Hyper-V, yes you can cluster CPPM across dissimilar platforms. Yes, you can move a node, cluster them and add a VIP across them and have the NAD's talk to the VIP for availability/failover.

Hi Danny,

Thank you for your prompt reply I went trought it and i get my answers.

Zs