Security

Greetings - we ideally need to split our ClearPass servers between two Data Centres, for resilience/DR.   Layer-2 comms between the two is not readily available.   Can I still create a Cluster from the ClearPass servers, if they're in different subnets?  All the examples I've seen have them in the same subnet...  Is there a minimum bandwidth (max latency?) required between publisher and subscriber(s)?

If they can be split across subnets, I presume remote controllers would need to target the two Clearpass servers separately (no VIP).  Are there any limits on ArubaOS version needed to achieve this?

To use the HA URL for guest without any third party load balancers, they need to be L2 adjacent for the VIP to work.

Check out these TechNotes:

http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15546

http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=15127

Thanks Tim - it appears that the 'same-subnet' requirement is limited to Guest authentications, using a web-page (and VIP) then?   If we're doing RADIUS authentications only we could use different subnets for the servers and use AOS 6.4 authentication server load-balancing (?) from the controllers across the two different server IPs?

I just want to add to Tim's coments.

Depending on the sclae of the deployment you MAY want to consider a SLB, there is also another TechNote of mine descibing in a lot of detail a CPPM + F5 deployment/configuration.

In addition, if you want to use the feature to dedicate a SUB to be a standby-PUB this now works over a Layer-3 hop (it used to be enforced as a L2 solution only).... Another Technote of a worthy read is my Clusterering TechNote.