Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Virtual IP for Captive Portal and RADIUS?

  • 1.  CPPM Virtual IP for Captive Portal and RADIUS?

    Posted May 21, 2016 12:22 PM

    Hi All,

    Scenario: CPPM Cluster with 2 or more instances. Multi-controller deployment. Redundancy is required.

    What's the verdict on using the CPPM Virtual IP (VIP) address for captive portal and RADIUS requests?

    My understanding is just to use the virtual IP(s) for captive portals and populate RADIUS clients with each CPPM instance. To balance RADIUS requests between the CPPM instances I would configure RADIUS clients like so:

    RADIUS Client 1
    RADIUS Server group
    Priority 1: CPPM1
    Priority 2: CPPM2

    RADIUS Client 2
    RADIUS Server group
    Priority 1: CPPM2
    Priority 2: CPPM1

    Is that the recommended way to configure this?

    Why not configure 2 x VIPs?

    VIP1:
    Primary node: CPPM1
    Secondary node: CPPM2

    VIP2:
    Primary node: CPPM2
    Secondary node: CPPM1

    Then configure the RADIUS clients:

    RADIUS Client 1
    RADIUS Server group
    Priority 1: VIP1

    RADIUS Client 2
    RADIUS Server group
    Priority 1: VIP2

    What are the advantages/disadvantages? Thoughts?



  • 2.  RE: CPPM Virtual IP for Captive Portal and RADIUS?

    EMPLOYEE
    Posted May 21, 2016 12:40 PM
    I'm not sure there's any benefit of using VIPs for RADIUS. It just adds complexity. 

    The only time I use the VIP for RADIUS is if the NAD doesn't support more than 1 server. 


  • 3.  RE: CPPM Virtual IP for Captive Portal and RADIUS?

    Posted May 21, 2016 12:51 PM

    Ok, so just rely on the RADIUS client to identify if the RADIUS server is "working" and fail through to the next if the first fails.

    Would the time for the VIP to fail over be longer than the time it takes for a RADIUS client to identify a server is down?

    It looks like VIP failover would be quicker (with the Aruba defaults).



  • 4.  RE: CPPM Virtual IP for Captive Portal and RADIUS?

    EMPLOYEE
    Posted May 21, 2016 12:55 PM
    It should happen pretty quickly as there will be a significant number of timeouts if the server is down. 


  • 5.  RE: CPPM Virtual IP for Captive Portal and RADIUS?

    Posted May 21, 2016 12:59 PM

    Thanks Tim.



  • 6.  RE: CPPM Virtual IP for Captive Portal and RADIUS?

    Posted Jun 04, 2016 11:22 AM

    From my experience you don't want to use the VIP for RADIUS (except when you can only configure 1 RADIUS server). The reason is that if the RADIUS process fails or is not running, the VIP doesn't fail over.



  • 7.  RE: CPPM Virtual IP for Captive Portal and RADIUS?

    Posted Jan 12, 2022 01:33 AM
    An old thread, I know...

    But Herman now suggests doing exactly what you have proposed - creating 2 x VIPs within ClearPass, and specify both with the NADs.

    https://www.youtube.com/watch?v=yUTZcDwaEvM

    He explains why in the video, but it's still not 100% clear to me.

    Anyone?

    ------------------------------
    Regards,

    Brett V
    ------------------------------



  • 8.  RE: CPPM Virtual IP for Captive Portal and RADIUS?

    EMPLOYEE
    Posted Jan 12, 2022 04:34 AM
    I responded on the Youtube video as well:

    Q: "Re: the 2 x VIPs. What is the benefit of specifying ClearPass VIPs on a NAD (Mobility Controller for example) opposed to the unique pub/sub IPs themselves. Is it a case of the ClearPass UCARP failover being more efficient than the built-in Mobility Controller dead server detection mechanics?"

    My answer: "That is in summary what it is. If the switch/MC does not need to detect a dead server there is no delay, and it is done for all your switches and MC at once. Also, for a reboot/upgrade, the VIP will be brought down pro-actively, resulting in seamless failover. But as mentioned in the video (I think that I mentioned), the difference is probably small in practice and also subject to personal preference rather than a generally agreed on 'must do'. Using external load balancers probably is even better."

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
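To make the two failure modes raised in posts 6 and 8 concrete, here is a toy Python model added for this page (it is not ClearPass or Aruba code; the RETRIES threshold, class names and scenarios are constructed assumptions): a VIP that only follows host reachability, compared with a NAD server list that relies on timeout-based dead-server detection.

```python
from dataclasses import dataclass, field

# Assumed NAD dead-server threshold: consecutive timeouts before an entry is marked dead.
RETRIES = 3

@dataclass
class Node:
    """One ClearPass node (constructed). The VIP tracks host_up; a NAD only sees answers()."""
    name: str
    host_up: bool = True     # node reachable on the network
    radius_up: bool = True   # RADIUS service actually answering

    def answers(self) -> bool:
        return self.host_up and self.radius_up

@dataclass
class Vip:
    """Virtual IP that moves only when the primary host goes down (post 6's point)."""
    primary: Node
    secondary: Node

    def active(self) -> Node:
        return self.primary if self.primary.host_up else self.secondary

@dataclass
class Nad:
    """A switch/controller with a priority-ordered server list and dead-server detection."""
    servers: list                      # entries are Node or Vip, in priority order
    dead: set = field(default_factory=set)

    def send(self):
        """Return (name of the server that answered or None, timeouts the request absorbed)."""
        timeouts = 0
        for entry in self.servers:
            if id(entry) in self.dead:
                continue                # already marked dead: skipped with no delay
            target = entry.active() if isinstance(entry, Vip) else entry
            if target.answers():
                return target.name, timeouts
            timeouts += RETRIES         # wait out the retries, then mark the entry dead
            self.dead.add(id(entry))
        return None, timeouts

def scenario(radius_crash: bool, host_down: bool) -> dict:
    """Apply the same failure to CPPM1 under both designs and report each outcome."""
    cppm1 = Node("CPPM1", host_up=not host_down, radius_up=not radius_crash)
    cppm2 = Node("CPPM2")
    direct = Nad([cppm1, cppm2])            # NAD lists both nodes directly (posts 2 and 6)
    via_vip = Nad([Vip(cppm1, cppm2)])      # NAD lists only the VIP
    return {"direct": direct.send(), "vip": via_vip.send()}
```

scenario(True, False) is the crashed-RADIUS-process case where the VIP never moves, while scenario(False, True) is the host-down case where the VIP moves with no timeouts at all.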



  • 9.  RE: CPPM Virtual IP for Captive Portal and RADIUS?

    Posted Feb 22, 2022 01:29 AM
    Thanks Herman,

    I posted the question here before I asked the question on YouTube. Your response cleared it up for me completely.

    ------------------------------
    Regards,

    Brett V
    ------------------------------