I responded on the YouTube video as well:
Q: "Re: the 2 x VIPs. What is the benefit of specifying ClearPass VIPs on a NAD (Mobility Controller for example) opposed to the unique pub/sub IPs themselves. Is it a case of the ClearPass UCARP failover being more efficient than the built-in Mobility Controller dead server detection mechanics?"
My answer: "That is in summary what it is. If the switch/MC does not need to detect a dead server there is no delay, and it is done for all your switches and MC at once. Also, for a reboot/upgrade, the VIP will be brought down proactively, resulting in seamless failover. But as mentioned in the video (I think that I mentioned), the difference is probably small in practice and also subject to personal preference rather than a generally agreed on 'must do'. Using external load balancers probably is even better."
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 12, 2022 01:33 AM
From: Brett Verney
Subject: CPPM Virtual IP for Captive Portal and RADIUS?
An old thread I know...
But Herman now suggests doing exactly what you have proposed - creating 2 x VIPs within ClearPass, and specifying both with the NADs.
https://www.youtube.com/watch?v=yUTZcDwaEvM
He explains why in the video, but it's still not 100% clear to me.
Anyone?
------------------------------
Regards,
Brett V
Original Message:
Sent: May 21, 2016 12:22 PM
From: James Whitehead
Subject: CPPM Virtual IP for Captive Portal and RADIUS?
Hi All,
Scenario: CPPM Cluster with 2 or more instances. Multi controller deployment. Redundancy is required.
What's the verdict on using the CPPM Virtual IP (VIP) address for captive portal and RADIUS requests?
My understanding is just to use the virtual IP(s) for captive portals and populate RADIUS clients with each CPPM instance. To balance RADIUS requests between the CPPM instances I would configure RADIUS clients like so:
RADIUS Client 1
  RADIUS Server group
    Priority 1: CPPM1
    Priority 2: CPPM2
RADIUS Client 2
  RADIUS Server group
    Priority 1: CPPM2
    Priority 2: CPPM1
Is that the recommended way to configure this?
Why not configure 2 x VIPs.
VIP1:
  Primary node: CPPM1
  Secondary node: CPPM2
VIP2:
  Primary node: CPPM2
  Secondary node: CPPM1
Then configure the RADIUS clients:
RADIUS Client 1
  RADIUS Server group
    Priority 1: VIP1
RADIUS Client 2
  RADIUS Server group
    Priority 1: VIP2
What are the advantages/disadvantages? Thoughts?