Security

Reply
MVP
Posts: 485
Registered: ‎04-03-2007

Multi-server ClearPass Deployment

I am building our new clearpass server cluster(s) and have just discovered that access tracker is independent with each subscriber. In other words, it is not all aggregated to the publisher. Since load balancing across the subscribers is recommended by Aruba, what is the recommended method for tracking a user's authentications throughout the day? It is not easily determined which subscriber the user's authentication will take place (since a centralized load balancer is used). Is this where the Insight product is used? I've touched on it a bit, but I'm not finding a place to show all the authentications.

 

Anyone else with a multi-server clearpass deployment with whom I could consult?

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: Multi-server ClearPass Deployment

[ Edited ]

We have requested the option to search all cluster members in access tracker. Currently we have to flip between them when searching.

 

You could use the Insight search feature as well which tends to allow a lot more search options.

 

The nice thing with insight is there are preconfigured templates for failed auths by authentication type.

 

cp-insight-templates.png

 

 

 

 

 

cp insight.png


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 485
Registered: ‎04-03-2007

Re: Multi-server ClearPass Deployment

Using insight though, how can I tell on which subscriber an auth failure occurred? This would allow me to then dig into that subscriber, into the failed auth, and read the detailed logs on why they failed (which is NOT available in insight). Any ideas?

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: Multi-server ClearPass Deployment

Good point. Feature request!


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 485
Registered: ‎04-03-2007

Re: Multi-server ClearPass Deployment

Dang...I was really hoping this was already there. (Aruba, insert comments here.) Sadly, I'm finding that once again, we have an application that lacks good network-wide visibility.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
MVP
Posts: 485
Registered: ‎04-03-2007

Re: Multi-server ClearPass Deployment

Tim, can you explain to me how you functionally use Insight? I'm realizing, too, that the search results don't even include timestamps! How on earth does one troubleshoot user authentications in a multi-server environment???

 

(Again, Aruba feel free to chime in with some advice here.)

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: Multi-server ClearPass Deployment

We're really only using Insight for trending/counts and time period reports, not really for troubleshooting.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 1
Registered: ‎07-26-2013

Re: Multi-server ClearPass Deployment

Sadly this was available in earlier code and from what i understand is coming back (no ETA).

 


Charlie

Search Airheads
Showing results for 
Search instead for 
Did you mean: