Trusted Contributor I

ArubaOS 8 MD cluster and CoA

Working on an 8.2 environment with an MM cluster and an MD cluster, both of two nodes. Set up VRRP between the MDs for the APs to connect to initially, and set up the MD cluster with two VRRP IPs, which, from what I picked up from the documentation and here, is needed for CoA.

So one MD has three active IPs and one MD has two active IPs.

MD #1
10.3.22.31 - node IP
10.3.22.41 - cluster VRRP IP
10.3.22.30 - MD VRRP IP (for APs)

MD #2
10.3.22.32 - node IP
10.3.22.42 - cluster VRRP IP

show vrrp looks good, IPs are active where I expect them.

Cluster looks good, L2 connected.

When a client connects it ends up on one of the MDs, and if I turn off that MD it eventually shows up on the other MD.

So, on to CoA: first of all, am I correct that these extra IPs are needed so that CoA keeps working when a client moves to another MD? Which in principle only happens after a device failure, right?

I configured the RADIUS Server profile with the NAS IP set to 10.3.22.41 on MD #1 and 10.3.22.42 on MD #2.

With this setup I can bounce a client from ClearPass (6.6) on either MD.

Now when I turn off one MD the client moves, but I'm unable to perform the CoA. ClearPass doesn't let me (the CoA option is greyed out; it was fine before turning off the MD, and I repeated this test several times). It has in some way detected that the MD is different or such.

Anyone experienced the same? (In itself the last part might be more a question for the Security forum, but it seems the ArubaOS 8 MD cluster function is the basis of this issue.)

Re: ArubaOS 8 MD cluster and CoA

Did you include the Cluster VRRP IPs in your RADIUS server as RADIUS Clients?



Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Trusted Contributor I

Re: ArubaOS 8 MD cluster and CoA

Yep, all relevant MD IPs are there:

  10.3.22.31-32
  10.3.22.41-42

At the moment I think .31 and .32 can be removed, but well.

It also works fine before the failure of one of the MDs.

Btw, am I correct in the assumption about the "need" for this setup, only that specific case of client move of MD and wanting to do CoA?

Aruba Employee

Re: ArubaOS 8 MD cluster and CoA


@boneyard wrote:

btw, am I correct in the assumption about the "need" for this setup, only that specific case of client move of MD and wanting to do CoA?


Correct. The RADIUS server should see the VRRP address in auths, so that it can respond with CoA and be properly handled if/when the MD is not available.

On the ClearPass side, when a user authenticates, does CPPM see it coming from the .31/.32 primary addresses, or does it see the VRRP IPs (.41/.42)?


Charlie Clemmer
Aruba Customer Engineering
Trusted Contributor I

Re: ArubaOS 8 MD cluster and CoA

ClearPass sees the VRRP IPs (.41/.42).

So that part is working fine; it is just the case for which I would implement this, the move to another MD, which suddenly makes things stop.

Trusted Contributor I

Re: ArubaOS 8 MD cluster and CoA

Anyone recognize this? Perhaps a bug or such; need to see if it also happens with ClearPass 6.7 perhaps, and ArubaOS 8.3 is out, perhaps ...
