05-21-2015 08:58 AM
Hi Aruba expert,
We have a scenario where the CPPM is deployed in the remote site and all authentication source such as AD/LDAP Server is in the Data Center site.
what if CPPM was unable to connect to LDAP or AD Server due to WAN LINK failure will clearpass be able to trigger fail open that will instruct the switch to trigger critical vlan incase of LDAP/AD Server unreachable from the CPPM?
Solved! Go to Solution.
05-21-2015 09:05 AM
Whether there is a "fail open" situation is more dependent on the NAS device that authenticates to CPPM. CPPM itself does not have a "fail open" option for authentication.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
05-21-2015 09:21 AM
Also, keep in mind that most of our products support auth survivability in the latest versions. Check the release notes and user guides.
More importantly, I would question why you are placing a ClearPass server at a site and not an additional AD server? The fact that you need ClearPass there tells me that you either expect this link to go down or the link has high latency. If it is the latter, you will need an AD server there as well as ClearPass, otherwise RADIUS authentications will time out while we wait for a response from AD. This is not a fault of our products but is based on how Apple and Microsoft implement the 802.1x supplicant. There is a time limit upon which no response will cause a new 802.1x auth attempt.
A safe number is 100ms or less latency.
05-21-2015 11:30 AM
Thanks in advance. I understand the fail-open is dependent to NAS device and for what I understand in Authentication Survivability, if CPPM is not available which means NAS unable to reach clearpass the user can still authenticate to the NAS device via eap-peap which is good for wireless deployment with CPPM.
My question if CPPM was located in remote sites and authentication source is coming from the WAN link and doesn’t have a backup Active directory server in the remote site. Worst case scenario there is a WAN link failure. This means the NAS device still able to communicate to the CPPM but CPPM has lost its connection to the AD Server. can clearpass some how tell to the switch to trigger the fail-open/critical vlan even there is a reachability between CPPM and the NAS device?
05-21-2015 01:42 PM - edited 05-21-2015 06:11 PM
However, you could OnBoard the devices and disable Authorization in the EAP-TLS method. This would allow those devices to continue authenticating without AD.
Or offer a PSK SSID with MAC auth for times when the WAN link goes down. We could use a custom SQL query to determine if the device successfully authenticated to the 802.1x SSID in the past X hours.
Just a thought.