last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

CPPM Preferred Servers

This thread has been viewed 15 times
  • 1.  CPPM Preferred Servers

    Posted Aug 05, 2021 03:45 PM

    I have a 4 node CPPM cluster deployed in our international data centers. (EU, Australia, and North America). Latency is OK to sync the DBs across. We are using the CPPM server for authentication to our wireless network as well as wired and logins into our switches (2930s) and controllers. 

    In the controller, I can adjust the order in the AAA profile. Is there a way to set CPPM server preference for those switches? I do have a L2 connection for our DCs in NA, so would it be appropriate to setup a VIP with just the 2 NA servers and let CPPM handle the load balancing? 

    Thank you for the input! 

    Doug Ullman

    Douglas Ullman

  • 2.  RE: CPPM Preferred Servers

    Posted Aug 08, 2021 04:05 PM
    Hi Douglas,

    Configuring a VIP for the two servers on L2 would not load-balance them, rather build redundancy as it would automatically fail over to the standby when the active is no longer reachable. This would be done on ClearPass, nothing would be required to change on the switches/controllers pointing to the VIP. If you're looking for load-balancing or distributing the authentications, you would either have to setup a load-balancing appliance or use the local server on those local pieces of equipment. For our environment, we have a local CPPM server at each large campus which is primary for those switches/controllers, followed by the the data center, and so on. We simply adjust the RADIUS and/or TACACS groups on the network devices with a different order depending on where we want the authentications to primarily go to. In this case, if the primary server becomes unreachable, it's up to the network device to fail to the next - typically these options are configurable.


    Michael Haring

    AirHeads MVP 2017, 2019-2021

  • 3.  RE: CPPM Preferred Servers

    Posted Sep 16, 2021 02:02 PM
    Judt as an aside , if you are running conwsre 5130 switches the load balance radius requests across specified. Servers and do peap based health checking so U know that the server u tsk to. Actually can do user based auths and not just to an account on the radius server

    Sent from my iPhone