MVP
Posts: 1,110
Registered: ‎10-11-2011

Load balance clearpass servers

This is out of curiosity more than anything, but is there any reason why you wouldn't want to load balance ClearPass servers using something like a Cisco ACE or F5? With the new VIP functionality, it may be a moot point assuming you have L2 connectivity between CP servers, but I'm still curious. Any thoughts?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Regular Contributor I
Posts: 163
Registered: ‎04-11-2011

Re: Load balance clearpass servers

We do just that with a Brocade hardware load balancer. We have 1 ClearPass hardware appliance and two VMs. We round robin the common RADIUS ports between the three CPPM servers.
Guru Elite
Posts: 20,560
Registered: ‎03-29-2007

Re: Load balance clearpass servers

Msales,

Thanks for that insight.

What do you do to determine if a CPPM server is "alive" on the Brocade?

Colin Joseph
Aruba Customer Engineering

Regular Contributor I
Posts: 163
Registered: ‎04-11-2011

Re: Load balance clearpass servers

Brocade supports layer 7 health checks. It will send a RADIUS request to CPPM and if it gets a reply it's marked alive.
Regular Contributor I
Posts: 163
Registered: ‎04-11-2011

Re: Load balance clearpass servers

You also need to make sure that the RADIUS request is set to "sticky" or the EAP handshake will be spread across the servers and the request will fail.
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Load balance clearpass servers

Msales,

Thanks for the info.

How does this affect accounting? Are you sending accounting to the VIP?
Regular Contributor I
Posts: 163
Registered: ‎04-11-2011

Re: Load balance clearpass servers

We don't utilize accounting in our environment, but I don't think it would be much different than the RADIUS request. You could send it to the VIP but just configure it to be sticky so that it goes to the same ClearPass server for the entire session.
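
The stickiness requirement discussed in this thread, as an added example that is not code from any poster or from the ClearPass or Brocade products: a small model of a multi-round EAP exchange over RADIUS, where each Access-Challenge carries a State attribute that only the issuing server recognises. The `Backend` class, the four-round exchange, and persistence keyed on Calling-Station-Id are assumptions made for illustration.

```python
import hashlib, itertools, os, struct
CALLING_STATION_ID, STATE = 31, 24  # RADIUS attribute types (RFC 2865)

def build_request(ident, mac, state=None):  # constructed minimal Access-Request
    attrs = bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac
    if state:
        attrs += bytes([STATE, 2 + len(state)]) + state
    # code 1 = Access-Request; zeroed 16-byte authenticator (sample packet only)
    return struct.pack("!BBH16s", 1, ident, 20 + len(attrs), bytes(16)) + attrs

def parse_attrs(pkt):  # walk the TLV attributes after the 20-byte header
    end, i, out = min(struct.unpack("!H", pkt[2:4])[0], len(pkt)), 20, {}
    while i < end:
        if i + 2 > end or pkt[i + 1] < 2 or i + pkt[i + 1] > end:
            raise ValueError("malformed attribute")
        out[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return out

class Backend:  # hypothetical server model: EAP state lives only in this node
    def __init__(self):
        self.sessions = {}
    def handle(self, pkt, rounds=4):
        state = parse_attrs(pkt).get(STATE)
        if state is not None and state not in self.sessions:
            return "drop", None  # State issued by another node: cannot continue
        done = self.sessions.pop(state, 0) + 1
        if done == rounds:
            return "accept", None
        new_state = os.urandom(8)
        self.sessions[new_state] = done
        return "challenge", new_state

def round_robin():
    counter = itertools.count()
    return lambda pkt, backends: backends[next(counter) % len(backends)]

def sticky(pkt, backends):
    # Persistence keyed on Calling-Station-Id (this key choice is an assumption).
    digest = hashlib.sha256(parse_attrs(pkt)[CALLING_STATION_ID]).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]

def authenticate(mac, pick, backends, state=None):
    for ident in range(256):
        pkt = build_request(ident, mac, state)
        result, state = pick(pkt, backends).handle(pkt)
        if result != "challenge":
            return result
    return "timeout"
```

With three backends, `authenticate(mac, round_robin(), backends)` ends in `"drop"` on the second packet, while `authenticate(mac, sticky, backends)` completes with `"accept"`.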
