Hi,
[edit based on actual experience. 03/27/2019]
The controller's real IP will always be used as the source address in the IP header of the RADIUS request. So only that IP needs to be added to the RADIUS clients.
Additionally, add the Controller Cluster VIP to the RADIUS clients in CPPM.
If you use device groups to select services or to define downloadable user rules, CPPM will try to match the NAS IP to the device group. If you only add the controller's real IP to that group, CPPM will not match that device group.
So just adding the real IP to the RADIUS clients is good for special cases where you do not use a match on the NAS IP. Therefore it is recommended to add both:
- the real IP, because CPPM matches against this IP to allow the client
- the NAS IP, which is the controller VIP in our case, to be able to match this in policy objects
This is also described in the thread mentioned/linked by jgoff somewhere here in this thread.
[end of edit]
If you have a single controller or a cluster without configured controller-CoA-VIPs, then the real IP will be copied to the RADIUS NAS-IP field.
If you configure controller-CoA-VIPs for your cluster, then these IPs will be copied to the RADIUS NAS-IP field. But the real IP is still used as the source for RADIUS communication.
Aruba ClearPass will send CoA requests to the NAS-IP (not to the real IP).
Thus, if a controller in a cluster with configured CoA-IPs dies, the CoA packets will be sent to the controller that now owns the CoA-VIP of the broken controller.
Not sure if you can do CoA with NPS and what IP it will use to send the CoA packets to. But usually you leave NAS-IP in the controller config at default and let the controller decide which IP to put into NAS-IP.
NAS-ID only needs to be altered, if you use that in your policy definitions/decisions.
So I leave this on default settings in most installations.
Regards, Jö
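The two-stage lookup the post describes (client authorisation on the IP-header source, device-group matching on the NAS-IP-Address attribute), as an added Python example that is not from the post or from Aruba/ClearPass; the controller real IP 10.0.0.11 and cluster VIP 10.0.0.100 are constructed sample values, and the packet is a minimal RFC 2865 Access-Request built inline rather than a capture.

```python
import struct
import ipaddress

def build_access_request(nas_ip, nas_id, ident=1):
    """Constructed RADIUS Access-Request (code 1) carrying NAS-IP-Address (4)
    and NAS-Identifier (32). The authenticator is a zero placeholder."""
    attrs = struct.pack("!BB4s", 4, 6, ipaddress.ip_address(nas_ip).packed)
    nid = nas_id.encode()
    attrs += struct.pack("!BB", 32, 2 + len(nid)) + nid
    header = struct.pack("!BBH16s", 1, ident, 20 + len(attrs), b"\x00" * 16)
    return header + attrs

def parse_attributes(packet):
    """Return {attr_type: raw_value} from the TLV list after the 20-byte header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def evaluate(src_ip, packet, radius_clients, device_group):
    """Stage 1: is the IP-header source a known RADIUS client?
    Stage 2: does the NAS-IP-Address attribute match the device group?"""
    if src_ip not in radius_clients:
        return "rejected: unknown client"
    nas_ip = str(ipaddress.IPv4Address(parse_attributes(packet)[4]))
    if nas_ip in device_group:
        return "accepted: device group matched"
    return "accepted: no device group match"

# Sample values (constructed): cluster VIP ends up in NAS-IP, real IP is the source.
REAL_IP, VIP = "10.0.0.11", "10.0.0.100"
PACKET = build_access_request(VIP, "controller-1")

if __name__ == "__main__":
    print(evaluate(REAL_IP, PACKET, {REAL_IP}, {REAL_IP}))        # only real IP known
    print(evaluate(REAL_IP, PACKET, {REAL_IP, VIP}, {REAL_IP, VIP}))  # both added
```

With only the real IP configured the request is accepted but falls through policy objects keyed on the NAS IP; adding both entries makes the device-group match succeed.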