MVP
Posts: 1,413
Registered: ‎11-30-2011

load balancing ClearPass Policy Manager and OnGuard

I'm looking at load balancing ClearPass with a hardware load balancer and looking at what to consider. If anyone has set this up, do share your experience.

What is the wise setup on the ClearPass side: multiple standalone ones or a publisher with subscribers?

In the publisher / subscriber model, will this mean I have to access multiple ClearPasses to look at the access tracker, or is this combined on the publisher (can't find this anywhere; a technote on all effects for ClearPass clustering would be nice)? What about RADIUS accounting, is it shared?

Is "persistence" needed / useful? So should RADIUS traffic from a source always go to the same ClearPass (as long as it is available, of course)?

For the server certificate, a SAN certificate with the clustername and the device name would be best, right? And as a second, only the clustername?

What about OnGuard, is it wise to load balance it (so HTTPS, I assume) also? Is the OnGuard info shared between the ClearPasses, or should I have the RADIUS and OnGuard traffic end up on the same server?

And while on the topic, what about Guest, is that also simply load balanceable?

I have checked these also:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Aruba-clearpass-servers-load-balacing-with-F5-Big-IP/td-p/93026/

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Load-balance-clearpass-servers/m-p/80122/

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Best-practice-Load-balancing-radius-over-four-ClearPass-servers/m-p/49228

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: load balancing ClearPass Policy Manager and OnGuard

I have attached a document that might help.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor I
Posts: 166
Registered: ‎04-11-2011

Re: load balancing ClearPass Policy Manager and OnGuard

I currently have 3 ClearPass servers behind a hardware load balancer (1 publisher, 2 subscribers).

You can view the access tracker on just the publisher, but you have to choose which server you want to view it for by selecting it in the drop-down list.

I have found that persistence is based on your wireless clients. If you have highly mobile clients you will want to set persistence, because when a client roams they may land on a different server and have to go through a full re-auth every time they roam. I currently have my persistence set to 12 hours.

I do not currently use OnGuard, so I can't answer any questions related to that and HWLB.

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: load balancing ClearPass Policy Manager and OnGuard

Thanks for the replies, both. Which brand LB, msales?

Regular Contributor I
Posts: 166
Registered: ‎04-11-2011

Re: load balancing ClearPass Policy Manager and OnGuard

Brocade
Occasional Contributor I
Posts: 5
Registered: ‎03-08-2013

Re: load balancing ClearPass Policy Manager and OnGuard

Hi msales,

I am using a hardware load balancer for three CPPMs. What needs to be configured on CPPM to make the hardware load balancer (Citrix load balancer) work?

Moderator
Posts: 488
Registered: ‎11-09-2012

Re: load balancing ClearPass Policy Manager and OnGuard

We've not looked at integration with NetScaler specifically. However, I suggest you take a look at my TechNote that covers integration with F5 BigIP, as a lot of the fundamentals I cover here would apply to ANY SLB. You can find my F5 SLB TechNote on the support site here: CPPM and F5 Load-Balancing TechNote v1.0.pdf

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Regular Contributor I
Posts: 166
Registered: ‎04-11-2011

Re: load balancing ClearPass Policy Manager and OnGuard

If you're looking to load balance RADIUS requests, the controller can now handle that in 6.4 with no hardware load balancer needed.




