Security

Reply
Occasional Contributor II

Onguard behaviour within zone

Hi all,

 

I recently configure clearpass zone to limit the clearpass nodes whose serving posturing services to nearest users

 

this is my current configuration

pub A : IP A, B (data)

pub B : IP C, D (data)

sub A : IP E (mgmt)

Sub B : IP F (mgmt)

 

i have mapped the customer subnet into the zone Test (consist of IP E only) as well as assigned sub A into zone Test,

 

this configuration is not working sincec i seen on the device, the auth server / node details is still consist of ip A,B,C,D,E, and F, and some agent still contact Publisher IP as well

 

any idea?

 

regards

 

 

Aruba Employee

Re: Onguard behaviour within zone

Hi,

 

The Policy manager zones configuration for agents is to update the agent about it's zone/domain based on the client subnet.

The agent will pick up the servers form it's domain as primary servers and initiate communication for health check. You will see all the cluster nodes in the agent as auth servers, but it will start the health check with it's respective domain nodes and then failover to the next auth servers if the domain servers are not rechable. You can infact configure the order through which the agent should failover. 

 

The "Onguard in a cluster" technote available in the below liunk will help you with more details..

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13373

 

Note: The newly installed agents will not know about the zone configuration. It has to contact one of the nodes (probably publisher) in the cluster to download the agent settings and then follow the configured zones.


Thank you,
Saravanan Rajagopal

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: