Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Load balance clearpass servers

  • 1.  Load balance clearpass servers

    Posted Jun 07, 2013 10:41 AM

    This is out of curiosity more than anything, but is there any reason why you wouldn't want to load balance ClearPass servers using something like a Cisco ACE or F5? With the new VIP functionality, it may be a moot point assuming you have L2 connectivity between CP servers, but I'm still curious. Any thoughts?



  • 2.  RE: Load balance clearpass servers

    Posted Jun 07, 2013 07:18 PM
    We do just that with a Brocade hardware load balancer. We have 1 ClearPass hardware appliance and two VMs. We round robin the common RADIUS ports between the three CPPM servers.


  • 3.  RE: Load balance clearpass servers

    EMPLOYEE
    Posted Jun 07, 2013 07:22 PM

    Msales,

    Thanks for that insight.

    What do you do to determine if a CPPM server is "alive" on the Brocade?



  • 4.  RE: Load balance clearpass servers

    Posted Jun 07, 2013 07:28 PM
    Brocade supports layer 7 health checks. It will send a RADIUS request to CPPM, and if it gets a reply it's marked alive.


  • 5.  RE: Load balance clearpass servers

    Posted Jun 07, 2013 07:35 PM
    You also need to make sure that the RADIUS request is set to "sticky" or the EAP handshake will be spread across the servers and the request will fail.


  • 6.  RE: Load balance clearpass servers

    Posted Jun 07, 2013 09:25 PM
    Msales,

    Thanks for the info.

    How does this affect accounting? Are you sending accounting to the VIP?


  • 7.  RE: Load balance clearpass servers

    Posted Jun 11, 2013 02:32 PM

    We don't utilize accounting in our environment, but I don't think it would be much different than the RADIUS request. You could send it to the VIP but just configure it to be sticky so that it goes to the same ClearPass server for the entire session.
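
Added example, not posted by anyone in this thread: a small Python model of the "sticky" behaviour discussed in posts 5 and 7, compared with per-packet round robin. The persistence key (Calling-Station-Id, falling back to the NAS source IP), the backend names and the sample packets are assumptions made for illustration.

```python
import struct

CALLING_STATION_ID = 31   # RADIUS attribute type, RFC 2865
EAP_MESSAGE = 79          # RADIUS attribute type, RFC 3579
BACKENDS = ["cppm-1", "cppm-2", "cppm-3"]   # hypothetical server names

def build(code, ident, attrs):
    """Construct a sample RADIUS packet (authenticator zeroed; test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def radius_attrs(packet):
    """Return {type: first value} for the TLVs after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return attrs

class StickyBalancer:
    """Round robin for a new client, then the same server for that client."""
    def __init__(self, backends):
        self.backends, self.table, self.count = list(backends), {}, 0

    def route(self, packet, src_ip):
        # Assumed persistence key: Calling-Station-Id, else the NAS source IP.
        key = radius_attrs(packet).get(CALLING_STATION_ID, src_ip.encode()).lower()
        if key not in self.table:   # no entry expiry here; a real table ages out
            self.table[key] = self.backends[self.count % len(self.backends)]
            self.count += 1
        return self.table[key]

def demo():
    mac = b"AA-BB-CC-00-00-01"
    # Constructed traffic: four Access-Requests of one EAP exchange, then accounting.
    eap = [build(1, i, [(CALLING_STATION_ID, mac), (EAP_MESSAGE, b"\x02")]) for i in range(4)]
    acct = build(4, 9, [(CALLING_STATION_ID, mac)])
    lb = StickyBalancer(BACKENDS)
    sticky = [lb.route(p, "10.0.0.5") for p in eap + [acct]]
    per_packet = [BACKENDS[i % 3] for i in range(len(eap) + 1)]  # plain round robin
    return sticky, per_packet
```

`demo()` returns the server chosen for each packet under both policies: the sticky list names one server for the whole EAP exchange and the accounting record, while the per-packet list cycles through all three.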