Super Contributor I
Posts: 267
Registered: ‎04-04-2014

Clearpass and RADIUS Status-Server pings?

 

We just fired up CPPM as a guest-network solution, and from what I'm seeing, it appears that, when used as a home server, CPPM does not respond to Status-Server keepalive packets. Is this something we've missed in the configuration, a known bug, or should I be heading over to the "ideas" to add a feature request?

 

The result of this is that during small network and/or VM resource blips, if the server is out long enough to be declared "zombie" and then no actual requests come in, it gets declared "dead" and will not resurrect unless it responds to Status-Server requests. We could of course switch to using the old hackery of forging fake requests from the proxy, but I'd expect CPPM to be a bit more modern than that.

 

Guru Elite
Posts: 7,839
Registered: ‎09-08-2010

Re: Clearpass and RADIUS Status-Server pings?

What do you mean by "home" server?

 

Aruba controllers and switches use a dummy authentication request to mark RADIUS servers in and out of service.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 267
Registered: ‎04-04-2014

Re: Clearpass and RADIUS Status-Server pings?

 

We have a proxy in between CPPM and the controllers for accounting packets to do some extra business logic in unlang.

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Clearpass and RADIUS Status-Server pings?

This indeed is supported...I found it here...

 

Administration --> Server Manager --> Server Configuration --> Then select the tab "Service Parameters". Then RADIUS server.

 

See screenshot

 

Screen Shot 2015-10-23 at 4.40.25 PM.png

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Super Contributor I
Posts: 267
Registered: ‎04-04-2014

Re: Clearpass and RADIUS Status-Server pings?

"Zombie" servers are down but will be tried as a last resort in a load-balance pool,
or just tried if they are alone, and if they answer they will come back "alive".
After a while if they do not answer they become "dead". Pings are only sent to
"Dead" servers and they won't be tried until they answer a ping. The pings can be
Status-Server, or fake Access-Requests or Accounting-Requests. The former (see RFC 5997)
is preferred in modern setups.

 

Any server that did not see a reply can send the pings. They are not proxied -- they are a single-hop keepalive. In this case the proxy is sending the pings to CPPM. The controllers are configured to send accounting packets to the proxy (auth packets just go directly to CPPM.)
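
An added illustration, not part of the original posts or of any product's code: the single-hop Status-Server ping described above, built per RFC 5997 with its mandatory Message-Authenticator, plus the check a proxy can make on the reply before treating the home server as alive again. The shared secret and the `make_reply` helper are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12          # RFC 5997 packet code
ACCESS_ACCEPT = 2           # expected reply on the authentication port
ACCOUNTING_RESPONSE = 5     # expected reply on the accounting port
MESSAGE_AUTHENTICATOR = 80  # attribute type, 16-byte HMAC-MD5 value


def build_status_server(secret: bytes, identifier: int, authenticator: bytes = None) -> bytes:
    """Return a Status-Server packet carrying a valid Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    length = 20 + 18  # header + one Message-Authenticator attribute
    header = struct.pack("!BBH", STATUS_SERVER, identifier, length) + authenticator
    # The HMAC is computed over the whole packet with the attribute value zeroed.
    zeroed = header + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + bytes([MESSAGE_AUTHENTICATOR, 18]) + mac


def reply_is_valid(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Check that a reply answers this request and was signed with the shared secret."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if code not in (ACCESS_ACCEPT, ACCOUNTING_RESPONSE):
        return False
    if identifier != request[1] or length != len(reply):
        return False  # strict: wrong ID or trailing bytes are rejected
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def make_reply(request: bytes, secret: bytes, code: int) -> bytes:
    """Constructed server side, used only to exercise the check offline."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample value
    ping = build_status_server(secret, identifier=7)
    print(reply_is_valid(ping, make_reply(ping, secret, ACCOUNTING_RESPONSE), secret))
    print(reply_is_valid(ping, make_reply(ping, b"wrong", ACCOUNTING_RESPONSE), secret))
```
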

 

Super Contributor I
Posts: 267
Registered: ‎04-04-2014

Re: Clearpass and RADIUS Status-Server pings?

Excellent, thanks Seth!  I just could not find that, and not for lack of mousing around.

 

 
