Security

Frequent Contributor II
Posts: 119
Registered: ‎10-31-2012

Clearpass round robin to AD servers

Is there a way to have ClearPass make LDAP queries to a group of Active Directory servers instead of a single server INSIDE of ClearPass? I could buy a load balancer or have different AP groups be routed to different LDAP sources, but is there a better way to not have a large load kill a single LDAP server?

Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Clearpass round robin to AD servers

Instead of an IP address or an FQDN, you could just put the domain in the Hostname parameter.

Authentication is handled by Samba/winbind and DNS. So if you have AD Sites and Services configured, DNS will return the AD servers that are in charge of those subnets. Otherwise it will send to any of the AD servers that DNS returns.

ClearPass does not do an LDAP lookup every time. It caches the LDAP result for each user for 5 minutes by default. This setting is controlled by the Cluster Wide Setting "Policy result cache timeout".

[screenshot: source.PNG]

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
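
The DNS side of the answer above, as an added example (not code from the thread, from Aruba, or from Samba): when the Hostname field holds only the domain name, the DC locator that winbind relies on resolves SRV records, trying the site-specific name that AD Sites and Services publishes before the domain-wide one, and then picks among the answers by priority and weight as RFC 2782 describes. The domain, site name, DC hostnames and SRV records below are constructed and embedded instead of queried, so the block runs offline.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV answers in the shape an AD-integrated DNS zone publishes.
# The _sites name comes from AD Sites and Services; the bare dc._msdcs name
# lists every DC in the domain. Hosts, site and domain are placeholders.
ZONE: Dict[str, List[SRV]] = {
    "_ldap._tcp.Campus-A._sites.dc._msdcs.example.test": [
        SRV(0, 100, 389, "dc1.example.test"),
        SRV(0, 100, 389, "dc2.example.test"),
    ],
    "_ldap._tcp.dc._msdcs.example.test": [
        SRV(0, 100, 389, "dc1.example.test"),
        SRV(0, 100, 389, "dc2.example.test"),
        SRV(0, 100, 389, "dc3.example.test"),
        # Higher priority value: used only when no priority-0 DC is offered.
        SRV(10, 0, 389, "dc-dr.example.test"),
    ],
}


def lookup_srv(name: str) -> List[SRV]:
    """Stand-in for a DNS SRV query against the constructed zone."""
    return list(ZONE.get(name, []))


def candidate_dcs(domain: str, site: Optional[str]) -> List[SRV]:
    """Site-scoped records first; fall through to the domain-wide set when
    the client's site is unknown or the site record is empty."""
    if site:
        recs = lookup_srv(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
        if recs:
            return recs
    return lookup_srv(f"_ldap._tcp.dc._msdcs.{domain}")


def pick_dc(records: List[SRV], rng: random.Random) -> str:
    """RFC 2782 selection: the lowest priority value wins; within that tier a
    weighted random draw, so equal weights spread fresh lookups evenly."""
    lowest = min(r.priority for r in records)
    tier = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier).target
    point = rng.randint(0, total)
    running = 0
    for r in tier:
        running += r.weight
        if running >= point:
            return r.target
    return tier[-1].target


def sample_dcs(domain: str, site: Optional[str], trials: int = 1000,
               seed: int = 0) -> Dict[str, int]:
    """How many of `trials` independent lookups land on each DC."""
    rng = random.Random(seed)
    records = candidate_dcs(domain, site)
    counts: Dict[str, int] = {}
    for _ in range(trials):
        dc = pick_dc(records, rng)
        counts[dc] = counts.get(dc, 0) + 1
    return counts


if __name__ == "__main__":
    print("site Campus-A:", sample_dcs("example.test", "Campus-A"))
    print("no site:      ", sample_dcs("example.test", None))
```

Two things to read off the output: a client placed in site Campus-A never sees dc3, and the priority-10 disaster-recovery DC is never chosen while a priority-0 DC is offered. The spread is only as good as the lookups are fresh; a client that holds on to the DC it found (which is what later posts in this thread report for winbind) gets one balanced pick at join or failover time, not one per authentication.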
Frequent Contributor II
Posts: 119
Registered: ‎10-31-2012

Re: Clearpass round robin to AD servers

I did put in just the domain only, but it appeared to only hit the first server on the list.  How long does it take to switch between the servers?

Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Clearpass round robin to AD servers

How can you tell which server it is using?

What "list"?  Do you have multiple servers in the Authentication Source?  You only need one.

Colin Joseph
Aruba Customer Engineering

Frequent Contributor II
Posts: 119
Registered: ‎10-31-2012

Re: Clearpass round robin to AD servers

We only have the one listed, but from the AD logs it appeared to only hit one. Should a single client hit a different server every time he auths, or should they hit a different server each time?

Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Clearpass round robin to AD servers

It probably uses the same server for the same user. Please see the thread here:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Many-authentication-sources/td-p/80128

Colin Joseph
Aruba Customer Engineering

MVP
Posts: 485
Registered: ‎04-03-2007

Re: Clearpass round robin to AD servers

We just worked with a ClearPass engineer on a P1 case, and it was determined that when you join to the domain, it will send ALL MSCHAP authentications to the DC you used when joining to the domain. It does NOT round robin. Only when that DC becomes unresponsive will ClearPass query DNS, find another DC, and then stay sticky with that one until IT becomes unresponsive.

Clearly, this is an inconvenience. The passwd CLI option is to make the fail-through deterministic rather than relying on the "randomness" of querying the domain for DCs.

I'm doing a change tonight to unjoin/join to DCs in an effort to balance load from all subscribers to all DCs.

FYI, as it took quite a bit of effort to lead us to this conclusion.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
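
The behaviour Ryan reports, as an added model (not the thread's, Aruba's or Samba's code): a node keeps sending MSCHAP requests to the DC it joined through until that DC stops answering, then queries DNS for another live DC and sticks to that one, without moving back when the original recovers. The node names, DC names and health states are constructed. The model shows why three subscribers that all joined while the same DC answered pile their whole load on it, and why joining each subscriber through a different DC is the lever that spreads it.

```python
import random
from typing import Dict, List


class StickyDCClient:
    """One ClearPass node's view of the domain: it uses the DC it joined
    through until that DC stops responding (a model of the behaviour the
    thread describes, not winbind's implementation)."""

    def __init__(self, node: str, joined_dc: str, dns_answer: List[str],
                 seed: int = 0):
        self.node = node
        self.current = joined_dc
        self.dns_answer = list(dns_answer)   # what a domain-wide SRV query returns
        self.rng = random.Random(seed)
        self.failovers: List[str] = []       # DCs switched to, in order

    def authenticate(self, alive: Dict[str, bool]) -> str:
        """Return the DC this MSCHAP request is sent to."""
        if alive.get(self.current, False):
            return self.current                # sticky while it responds
        live = [dc for dc in self.dns_answer if alive.get(dc, False)]
        if not live:
            raise RuntimeError(f"{self.node}: no responsive DC")
        self.current = self.rng.choice(live)   # re-query DNS, pick a live DC
        self.failovers.append(self.current)
        return self.current


def load_per_dc(nodes: List[StickyDCClient], requests_each: int,
                alive: Dict[str, bool]) -> Dict[str, int]:
    """Requests each DC receives when every node sends `requests_each`."""
    counts: Dict[str, int] = {}
    for node in nodes:
        for _ in range(requests_each):
            dc = node.authenticate(alive)
            counts[dc] = counts.get(dc, 0) + 1
    return counts


DCS = ["dc1", "dc2", "dc3"]            # constructed DC names
ALL_UP = {dc: True for dc in DCS}


def cluster_joined_via(joined: List[str]) -> List[StickyDCClient]:
    """Subscribers cppm1..cppmN, each joined through the DC at its index."""
    return [StickyDCClient(f"cppm{i + 1}", dc, DCS, seed=i)
            for i, dc in enumerate(joined)]


def same_dc_join() -> Dict[str, int]:
    """Every node joined while dc1 answered: all load lands on dc1."""
    return load_per_dc(cluster_joined_via(["dc1", "dc1", "dc1"]), 100, dict(ALL_UP))


def spread_join() -> Dict[str, int]:
    """Nodes deliberately joined through different DCs (the unjoin/join fix)."""
    return load_per_dc(cluster_joined_via(["dc1", "dc2", "dc3"]), 100, dict(ALL_UP))


def outage_sequence() -> List[str]:
    """dc1 fails mid-stream and later recovers; the node does not move back."""
    node = StickyDCClient("cppm1", "dc1", DCS, seed=0)
    alive = dict(ALL_UP)
    seq = [node.authenticate(alive) for _ in range(2)]
    alive["dc1"] = False
    seq += [node.authenticate(alive) for _ in range(2)]
    alive["dc1"] = True
    seq += [node.authenticate(alive) for _ in range(2)]
    return seq


if __name__ == "__main__":
    print("all joined via dc1:", same_dc_join())
    print("joined via dc1/2/3:", spread_join())
    print("dc1 outage:        ", outage_sequence())
```

The outage run also shows the operational corollary: after a DC outage the cluster's distribution is whatever the random failover picks left behind, so a balanced layout has to be re-checked (and re-joined if needed) after every DC incident, not just set up once.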
Frequent Contributor II
Posts: 119
Registered: ‎10-31-2012

Re: Clearpass round robin to AD servers

Thanks Ryan, yeah that is a bummer. I will either create a few different auth groups based on location, or MAC address (1-5, 6-a, b-f) and have each go to a different server. It would be nice if they did a more distributed load. I just placed all my campus on ClearPass and I see only 1 AD server getting hammered.
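The MAC-address split proposed in the post above, as an added example (not ClearPass code and not the poster's configuration): the hex-digit ranges 1-5, 6-a and b-f each map to a separate authentication source. Which digit of the address is keyed on is not stated in the post; this block uses the last one (an assumption, explained in the comment), assigns digit 0 to the first group (also an assumption, since the post's ranges leave it out), and uses placeholder source names. The fleet of addresses it measures is constructed. In ClearPass the equivalent would be service rules matching on Calling-Station-Id, which this block does not build.

```python
import re
from typing import Dict, List, Tuple

# Nibble ranges from the post, each mapped to a separate authentication
# source. Source names are placeholders; putting digit 0 into the first
# group is an assumption (the post lists 1-5, 6-a, b-f).
RANGES: List[Tuple[int, int, str]] = [
    (0x0, 0x5, "AD-East"),
    (0x6, 0xA, "AD-Central"),
    (0xB, 0xF, "AD-West"),
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E or 001a.2b3c.4d5e;
    return the 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def shard_digit(mac: str) -> int:
    """The nibble the split is keyed on. The LAST hex digit is used here
    (assumption): the first six digits are the vendor OUI, so keying on
    them would send a whole batch of identical laptops to one source."""
    return int(normalize_mac(mac)[-1], 16)


def auth_source_for(mac: str) -> str:
    """Map a client MAC to its authentication source."""
    d = shard_digit(mac)
    for low, high, source in RANGES:
        if low <= d <= high:
            return source
    raise AssertionError("RANGES must cover 0x0-0xF")


def distribution(macs: List[str]) -> Dict[str, int]:
    """How many of the given clients each source would receive."""
    counts = {src: 0 for _, _, src in RANGES}
    for m in macs:
        counts[auth_source_for(m)] += 1
    return counts


def constructed_fleet(n: int = 1600) -> List[str]:
    """n constructed devices sharing one vendor OUI, sequential serial part,
    the worst case for any split keyed on the leading digits."""
    return [f"00:1a:2b:{(i >> 16) & 0xFF:02x}:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"
            for i in range(n)]


if __name__ == "__main__":
    print(distribution(constructed_fleet()))
```

The measurement shows the catch in the proposed ranges: 6 of the 16 digit values go to the first group and 5 each to the other two, so the first source carries about 37.5% of clients rather than a third. A split that needs equal shares has to divide the 16 values differently or key on something with more bits (two digits, or a hash of the address), and it still has to be re-done by hand when a server is added or removed, which is the point the next reply makes about proxy targets.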

Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Clearpass round robin to AD servers


mattjhughes wrote:

Thanks Ryan, yeah that is a bummer. I will either create a few different auth groups based on location, or MAC address (1-5, 6-a, b-f) and have each go to a different server. It would be nice if they did a more distributed load. I just placed all my campus on ClearPass and I see only 1 AD server getting hammered.

Mattjhughes,

If you wanted to do that, you would instead set up a number of specific RADIUS servers in your environment and set them up as Proxy Targets:

[screenshot: targets.png]

You would then create a RADIUS Proxy Service and set your scheme to load balance:

[screenshot: proxy.png]

You would have to set up a RADIUS server service (IAS, NPS) on whatever of your internal servers you want authentication proxied to.

You can use role mapping based on incoming attributes or attributes received from your RADIUS server and in turn send back an enforcement policy.

So tl;dr, point to the ClearPass server with the RADIUS Proxy service configured and it will load balance it to your RADIUS servers.

Colin Joseph
Aruba Customer Engineering

Frequent Contributor II
Posts: 119
Registered: ‎10-31-2012

Re: Clearpass round robin to AD servers

I see what you are saying with the proxy server, but to me the idea of having to create other RADIUS servers seems crazy since that is what we bought ClearPass for. Additional configuration for passing LDAP attributes, added points of failure. I just would think this would be an obvious feature, to be able to have a list of servers and have it rotate. As a stop gap we have a load balancer in the middle and are testing with that, but kind of disappointing.
