Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
  • 1.  Virtual IP

    Posted Jan 12, 2017 02:52 AM

    Hi!


    I'm wondering if it is possible to change the ClearPass VRRP ID. It seems that the default is VRRP ID 1. This causes an issue at a customer site, since they have a different product using VRRP ID 1. Nothing serious, but it creates a lot of log entries on the other product regarding auth fail (they try to speak to each other using different passwords).


    I can find nothing about changing this looking through different documentations. 



  • 3.  RE: Virtual IP
    Best Answer

    EMPLOYEE
    Posted Jan 12, 2017 06:59 AM
    ClearPass does not use VRRP. Please open a TAC case to try and isolate the problem.


  • 4.  RE: Virtual IP

    Posted Jan 12, 2017 07:02 AM

    Well, that's strange, every time I turn off virtual IP the logging stops on the device. Must be something that interferes; they are on the same VLAN.


    I will check with TAC.


    Thanks



  • 5.  RE: Virtual IP

    Posted Jan 15, 2017 02:15 PM

    Just to confirm, we use UCARP on CPPM for our VIP functionality.



  • 6.  RE: Virtual IP

    Posted Jan 17, 2017 04:05 AM

    Thanks!


    It seems that you shouldn't use the same ID in CARP as in VRRP if they exist on the same subnet. I would suggest adding an option to change the VHID from the default in the ClearPass GUI to avoid issues for customers using both VRRP and CARP on the same subnet.


    From: https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting


    Conflicting VHIDs

    The VHID determines the virtual MAC address used by that CARP IP. The input validation in pfSense will not permit using conflicting VHIDs on a single pair of systems, however if there are multiple systems on the same broadcast domain running CARP, it's possible to create a conflict. VRRP also uses the same virtual MAC address scheme, so a VRRP IP using the same VRID as a CARP IP VHID will also generate the same MAC address conflict.

    When using CARP on the WAN interface, this also means VRRP or CARP used by the ISP can also conflict. Be sure to use VHIDs that are not in use by the ISP on that broadcast domain.
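Added example (my own, not ClearPass or pfSense code) of the check a network admin could run to confirm the collision the quoted pfSense note describes: both VRRP (RFC 5798) and CARP derive the IPv4 virtual MAC from the group id as 00:00:5e:00:01:<id>, so a VRRP VRID and a CARP VHID with the same number on one broadcast domain claim the same MAC. The input records are constructed and only loosely modelled on tcpdump output; the field names vrid/vhid are the assumptions the parser relies on.

```python
import re
from collections import defaultdict

# IPv4 virtual MAC prefix shared by VRRP (RFC 5798) and CARP; last octet is the group id.
VIRTUAL_MAC_PREFIX = "00:00:5e:00:01"


def virtual_mac(group_id: int) -> str:
    """Return the virtual MAC a VRRP VRID or CARP VHID `group_id` announces."""
    if not 1 <= group_id <= 255:
        raise ValueError("VRRP VRID / CARP VHID must be in 1..255")
    return f"{VIRTUAL_MAC_PREFIX}:{group_id:02x}"


# Constructed sample of advertisements seen on one VLAN (not real captured traffic).
# Two VRRP routers and two CARP hosts share id 1; a third VRRP group uses id 7.
SAMPLE_ADVERTS = [
    "10.10.0.2 > 224.0.0.18: VRRPv2 Advertisement vrid 1 prio 100",
    "10.10.0.3 > 224.0.0.18: VRRPv2 Advertisement vrid 1 prio 90",
    "10.10.0.20 > 224.0.0.18: CARPv2-advertise vhid=1 advbase=1 advskew=0",
    "10.10.0.21 > 224.0.0.18: CARPv2-advertise vhid=1 advbase=1 advskew=100",
    "10.10.0.40 > 224.0.0.18: VRRPv2 Advertisement vrid 7 prio 100",
]

# Assumed record shape: "<src> > <dst>: <VRRP|CARP>... vrid N" or "... vhid=N".
ADVERT_RE = re.compile(
    r"^(?P<src>[\d.]+) > \S+: (?P<proto>VRRP|CARP)\S* .*?(?:vrid |vhid=)(?P<id>\d+)"
)


def parse_advert(line: str):
    """Return (source_ip, protocol, group_id) or None for lines that do not match."""
    m = ADVERT_RE.search(line)
    if m is None:
        return None
    return m["src"], m["proto"], int(m["id"])


def find_collisions(lines):
    """Map each virtual MAC to the senders per protocol; keep MACs used by both protocols."""
    by_mac = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_advert(line)
        if parsed is None:
            continue
        src, proto, gid = parsed
        by_mac[virtual_mac(gid)][proto].add(src)
    return {mac: {p: sorted(s) for p, s in protos.items()}
            for mac, protos in by_mac.items() if len(protos) > 1}


if __name__ == "__main__":
    for mac, protos in find_collisions(SAMPLE_ADVERTS).items():
        print(f"{mac} claimed by {', '.join(f'{p} {s}' for p, s in protos.items())}")
```

Any MAC reported here is one that two independent failover groups will both announce, which is what produces the auth-fail logging the thread observed; renumbering one side's group id clears it.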