Wireless Access

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

core-remote failover

I'm trying to figure out a failover solution for a rather complicated guest setup and wondered if anyone had any ideas for redundancy in my setup. Picture attached shows a simplified setup where we need to build in redundancy at both ends for guest traffic to/from a ClearPass at the core DMZ. The issue I have is that I cannot build the VPN tunnel between the two VRRP addresses.

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: core-remote failover

MattF,

If it is a guest network, what is the importance of tunneling guest traffic back to the DMZ? Why is it not just split out locally?

If it is an option, give the ClearPass server a public address and have everyone hit the guest page in that manner, rather than trying to tunnel guest traffic to a DMZ. Have the guest traffic then exit locally to the remote site.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: core-remote failover

We need to tunnel the guest traffic back to the core because that is where the ClearPass is, and it cannot be Internet facing for security reasons.

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: core-remote failover

MattF, Clearpass is a security box. You can say what IP addresses can and cannot be serviced by the guest page, period, so from a security perspective, you can use https and protect any authentication traffic that you want.

Is there already a site to site VPN for wired traffic between the remote site and the core? If so, maybe the guest traffic can ride that tunnel and get split out in the DMZ. If there is no site to site VPN for wired traffic, you should just use a public IP address for CPPM and protect it, just like everyone else does. It's only for authenticating guest traffic, right? You pretty much do not care about any of the other traffic, so why force all the traffic to go back to the core over a tunnel for guest traffic, when you can just use https? Why build all of that infrastructure and then put redundancy on top of it, just for guest traffic? If that option has not been given, I would certainly present it.

Colin Joseph
Aruba Customer Engineering

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: core-remote failover

The customer will not allow connections from the Internet, so this cannot be done. There is a site to site VPN which carries the Aruba VPN between the controllers; however, the guest traffic must be kept off the corporate network, which is why it needs to go through the VPN built between the controllers. The VPN between the controllers was pretty much the only option. If there hadn't been the site-to-site VPN between the controllers, then there would have been no guest.

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: core-remote failover

MattF,

Technically, a site to site VPN is a connection from the internet. The only difference is that it is spelled VPN and not https.

You can possibly make a redundant tunnel, but between monitoring the status of the tunnel, configuring routing, and probably going through the exact same thing to add an additional site, I would ask the customer why they would not consider https to ClearPass locked down to only specific sites. You have (1) clients coming from a network with a stateful firewall, and (2) ClearPass, which can be locked down by IP address and gives ultimate flexibility to extend this anywhere. It is hard to defend or advise someone building a redundant VPN solution.


Colin Joseph
Aruba Customer Engineering
