Contributor I
Posts: 25
Registered: ‎01-23-2015

clearpass virtual ip for captive portal load balancing ?

Does ClearPass (virtual IP) do captive and auth portal load balancing? Or is the virtual IP only for auth HA/redundancy? I've seen a video with common use cases that mentioned that the VIP enables removal of the L7 SLB.

Guru Elite
Posts: 8,180
Registered: ‎09-08-2010

Re: clearpass virtual ip for captive portal load balancing ?

The VIP is primarily used to make the captive portal URL highly available. If you need to load balance RADIUS requests, you'll need to use the network device's load balancing capability or an external load balancer.


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 16
Registered: ‎01-31-2017

Re: clearpass virtual ip for captive portal load balancing ?

Hi - I have a question around this.

 

I just created a cluster, and the captive portal is defined on the publisher. If the publisher becomes unavailable (for whatever reason), how does the subscriber take over ?

 

publisher is 172.27.94.132/23

subscriber is 172.27.92.132/23

DNS for clearpass is 172.27.94.132

 

thx!

Guru Elite
Posts: 8,180
Registered: ‎09-08-2010

Re: clearpass virtual ip for captive portal load balancing ?

Take a look at the cluster TechNote.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 16
Registered: ‎01-31-2017

Re: clearpass virtual ip for captive portal load balancing ?

OK, thx. Now, two possibly dumb questions if the publisher dies:

 

1. Will the subscriber process captive portal requests after it is promoted to publisher? According to the doc that will take around 8 minutes (which is fine): "The backup publisher node cannot take over immediately (in the sense of it creating Guest accounts etc,) as the failure may be transient and the minimum time it takes for a standby-Publisher to become active is about 8 minutes"

2. if there is a DNS entry for the publisher, how does the captive portal traffic get redirected to the subscriber?

 

3. Is there a way to test this without downing the publisher?

Moderator
Posts: 472
Registered: ‎11-09-2012

Re: clearpass virtual ip for captive portal load balancing ?

Yeah, that's a great document, can't recommend it too much.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Moderator
Posts: 472
Registered: ‎11-09-2012

Re: clearpass virtual ip for captive portal load balancing ?

1.  will the subscriber process Captive portal requests after it is promoted to publisher? 

[djj] - Yes.

According to the doc that will take around 8 minutes (which is fine): "The backup publisher node cannot take over immediately (in the sense of it creating Guest accounts etc,) as the failure may be transient and the minimum time it takes for a standby-Publisher to become active is about 8 minutes"

[djj] - Note it can take longer, it depends on the size of the cluster and DB's.

 

 

 

2. if there is a DNS entry for the publisher, how does the captive portal traffic get redirected to the subscriber?

[djj] - As you have L3 between your CPPM nodes, the issue is you're unable to have a VIP across them unless you deploy an L2 GRE/VPLS network to permit the L2 VIP process to function... i.e. VIP addresses must exist in, say, an L2 network and can't cross an L3 boundary.

Else, you need some other process to front the Portal, such as a VIP on an ADC.... or you're into tweaking DNS records when you fail over.

 

 

3. Is there a way to test this without downing the publisher?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
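
The L2 constraint described in the reply above, as an added example that is not part of the original post or of ClearPass itself: a pre-check that cluster nodes sit in one subnet before a VIP is planned. The node addresses are the ones quoted in the thread; the VIP address, the second node set and the function name are constructed for illustration, and sharing a subnet is treated as a necessary condition only, not proof of L2 adjacency.

```python
import ipaddress

# Node addresses as posted in the thread.
THREAD_NODES = {"publisher": "172.27.94.132/23", "subscriber": "172.27.92.132/23"}
# Constructed comparison: both nodes placed in the same /23.
SAME_SUBNET_NODES = {"publisher": "172.27.94.132/23", "subscriber": "172.27.95.132/23"}


def vip_problems(node_ifaces, vip):
    """Return reasons a VIP cannot be shared by these nodes (empty list = none found)."""
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in node_ifaces.items()}
    vip_addr = ipaddress.ip_address(vip)
    problems = []

    # A VIP moves between nodes inside one L2 segment, so every node must
    # be configured in the same subnet.
    networks = {iface.network for iface in ifaces.values()}
    if len(networks) > 1:
        detail = ", ".join(f"{n} in {i.network}" for n, i in sorted(ifaces.items()))
        problems.append(f"nodes are in different subnets ({detail}); "
                        "a VIP cannot cross the L3 boundary")

    for name, iface in sorted(ifaces.items()):
        net = iface.network
        if vip_addr not in net:
            problems.append(f"VIP {vip_addr} is outside {name}'s subnet {net}")
        elif vip_addr in (net.network_address, net.broadcast_address):
            problems.append(f"VIP {vip_addr} is the network or broadcast address of {net}")
        elif vip_addr == iface.ip:
            problems.append(f"VIP {vip_addr} collides with {name}'s own address")
    return problems


if __name__ == "__main__":
    for label, nodes in (("thread", THREAD_NODES), ("same subnet", SAME_SUBNET_NODES)):
        found = vip_problems(nodes, "172.27.94.200")  # constructed VIP
        print(label, "->", found or "no subnet-level problems")
```
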

Occasional Contributor II
Posts: 16
Registered: ‎01-31-2017

Re: clearpass virtual ip for captive portal load balancing ?

Thanks Danny - can you please clarify what ADC is?

 

Else, you need some other process to front the Portal, such as a VIP on an ADC

Moderator
Posts: 472
Registered: ‎11-09-2012

Re: clearpass virtual ip for captive portal load balancing ?

 

ADC-Application Delivery Controller, or if you like to use old-money..... an SLB..!!


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
