Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

load balancing ClearPass Policy Manager and OnGuard

  • 1.  load balancing ClearPass Policy Manager and OnGuard

    Posted Mar 09, 2014 11:53 AM

    I'm looking at load balancing ClearPass with a hardware load balancer and looking at what to consider. If anyone has set this up, do share your experience.

    What is the wise setup on the ClearPass side, multiple standalone ones or a publisher with subscribers?

    In the publisher / subscriber model, will this mean I have to access multiple ClearPasses to look at the access tracker, or is this combined on the publisher (can't find this anywhere, a technote on all effects for ClearPass clustering would be nice)? What about RADIUS accounting, is it shared?

    Is "persistence" needed / useful? So should RADIUS traffic from a source always go to the same ClearPass (as long as it is available, of course)?

    For the server certificate, a SAN certificate with the clustername and the device name would be best, right? And as a second, only the clustername?

    What about OnGuard, is it wise to load balance it (so HTTPS, I assume) also? Is the OnGuard info shared between the ClearPasses, or should I have the RADIUS and OnGuard traffic end up on the same server?

    And while on the topic, what about Guest, is that also simply load balancable?

     

    I have checked these also:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Aruba-clearpass-servers-load-balacing-with-F5-Big-IP/td-p/93026/

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Load-balance-clearpass-servers/m-p/80122/

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Best-practice-Load-balancing-radius-over-four-ClearPass-servers/m-p/49228



  • 2.  RE: load balancing ClearPass Policy Manager and OnGuard

    Posted Mar 09, 2014 02:21 PM

     

     

    I have attached a document that might help.

    Attachment(s): OnGuard in a Cluster.pdf (4.70 MB)


  • 3.  RE: load balancing ClearPass Policy Manager and OnGuard

    Posted Mar 13, 2014 03:09 PM

    I currently have 3 ClearPass servers behind a hardware load balancer (1 publisher, 2 subscribers).

    You can view the access tracker on just the publisher, but you have to choose which server you want to view it for by selecting it in the drop-down list.

    I have found that persistence is based on your wireless clients.  If you have highly mobile clients you will want to set persistence, because when a client roams they may land on a different server and have to go through a full re-auth every time they roam.  I currently have my persistence set to 12 hours.

    I do not currently use OnGuard, so I can't answer any questions related to that and hwlb.



  • 4.  RE: load balancing ClearPass Policy Manager and OnGuard

    Posted Mar 16, 2014 11:18 AM

    Thanks for the replies, both. Which brand LB, msales?



  • 5.  RE: load balancing ClearPass Policy Manager and OnGuard

    Posted Jul 09, 2015 12:58 PM

    Hi msales,

    I am using a hardware load balancer for three CPPMs. What needs to be configured on CPPM to make the hardware load balancer (Citrix load balancer) work?



  • 6.  RE: load balancing ClearPass Policy Manager and OnGuard
    Best Answer

    Posted Jul 09, 2015 05:41 PM

    We've not looked at integration with NetScaler specifically. However, I suggest you take a look at my TechNote that covers integration with F5 BigIP, as a lot of the fundamentals I cover here would apply to ANY SLB. You can find my F5 SLB TechNote on the support site here: CPPM and F5 Load-Balancing TechNote v1.0.pdf

     



  • 7.  RE: load balancing ClearPass Policy Manager and OnGuard

    Posted Jul 09, 2015 05:53 PM
    If you're looking to load balance RADIUS requests, the controller can now handle that in 6.4 with no hardware load balancer needed.







  • 8.  RE: load balancing ClearPass Policy Manager and OnGuard

    Posted Mar 05, 2018 10:22 PM

    Hi, do you have the criteria on how the controller is making decisions on where to send the requests if I was load balancing?  Is there a percentage of latency or reliability?  We have 2 CPPMs configured to load balance but in different locations, but the ratio of requests is 10:2.

     

    Thank you. 



  • 9.  RE: load balancing ClearPass Policy Manager and OnGuard

    Posted Mar 17, 2014 07:26 PM
    Brocade