Security

Hi folks,

I'm very interested in these threads about ClearPass, but I'm currently running out of ideas because of a customers question.

Several monthts ago we sold a ClearPass publisher / subscriber (standby publisher) setup on Vmware. So far so good.
Now after almost ready the customer wanted to be sure failover is working. He assumes the old active / standby way like on firewall's so I tried to explain that as good as I could.
Searching on the internet and this form does not give me the correct answer.

As I mentioned I configured the publisher / standby publisher cluster. But when the publisher fails, it will take several minutes to be back online.
This customer has 22 sites with LAN and WIFI authenticated with 802.1x on ClearPass, also the NAD logins are on ClearPass.
I decided not to add VIP, because we're not going to use the Guest functionalility.
My question: does adding the VIP IP decrease the time of a "failover"? I have to add this IP on all NAD's but that doesn't matter.

Or what is the best explaination to the customer having the best setup?

I hope you'll understand my question.

Best regards,
Erik

------------------------------
Erik Boss
------------------------------

Erik,

I don't see the relation between using a Virtual AP and Guest... for RADIUS/TACACS, maybe even more, availability and redundancy are important.

There are multiple scenarios for redundancy, and each has pros and cons. You can add multiple radius servers in the NAD, and let the NAD failover, or you can use network load balancers to have even more smooth failovers, or if your ClearPass servers are in the same subnet you can use Virtual IPs.

When configuring Virtual IP on ClearPass, it depends a bit on the number of nodes (and if they are in the same subnet), and if you need just need redundancy or also load distribution across multiple nodes. If I don't have network load balancers, I tend to configure the NADs to always use a VIP, so I can reboot one of the nodes and keep an operational service.

Please discuss with your Aruba partner or Aruba support which design works best in your specific situation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Oct 14, 2021 05:27 AM
From: Erik Boss
Subject: ClearPass publisher / standby publisher or VIP with least failover time

Hi folks,

I'm very interested in these threads about ClearPass, but I'm currently running out of ideas because of a customers question.

Several monthts ago we sold a ClearPass publisher / subscriber (standby publisher) setup on Vmware. So far so good.
Now after almost ready the customer wanted to be sure failover is working. He assumes the old active / standby way like on firewall's so I tried to explain that as good as I could.
Searching on the internet and this form does not give me the correct answer.

As I mentioned I configured the publisher / standby publisher cluster. But when the publisher fails, it will take several minutes to be back online.
This customer has 22 sites with LAN and WIFI authenticated with 802.1x on ClearPass, also the NAD logins are on ClearPass.
I decided not to add VIP, because we're not going to use the Guest functionalility.
My question: does adding the VIP IP decrease the time of a "failover"? I have to add this IP on all NAD's but that doesn't matter.

Or what is the best explaination to the customer having the best setup?

I hope you'll understand my question.

Best regards,
Erik

------------------------------
Erik Boss
------------------------------

Hi Herman,

thanks for your very quick response.
Both ClearPass server are in the same subnet and no network load balancers are used.
The customer has two nodes. Load balancing across multiple nodes is not nessacary. 

I'm working for a Aruba partner, but to be sure I'll contact Aruba TAC for the best design in this case.
But I'll suggest to the customer to add a VIP IP-address.

Thanks.

------------------------------
Erik Boss
------------------------------

Original Message:
Sent: Oct 14, 2021 05:44 AM
From: Herman Robers
Subject: ClearPass publisher / standby publisher or VIP with least failover time

Erik,

I don't see the relation between using a Virtual AP and Guest... for RADIUS/TACACS, maybe even more, availability and redundancy are important.

There are multiple scenarios for redundancy, and each has pros and cons. You can add multiple radius servers in the NAD, and let the NAD failover, or you can use network load balancers to have even more smooth failovers, or if your ClearPass servers are in the same subnet you can use Virtual IPs.

When configuring Virtual IP on ClearPass, it depends a bit on the number of nodes (and if they are in the same subnet), and if you need just need redundancy or also load distribution across multiple nodes. If I don't have network load balancers, I tend to configure the NADs to always use a VIP, so I can reboot one of the nodes and keep an operational service.

Please discuss with your Aruba partner or Aruba support which design works best in your specific situation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 14, 2021 05:27 AM
From: Erik Boss
Subject: ClearPass publisher / standby publisher or VIP with least failover time

Hi folks,

I'm very interested in these threads about ClearPass, but I'm currently running out of ideas because of a customers question.

Several monthts ago we sold a ClearPass publisher / subscriber (standby publisher) setup on Vmware. So far so good.
Now after almost ready the customer wanted to be sure failover is working. He assumes the old active / standby way like on firewall's so I tried to explain that as good as I could.
Searching on the internet and this form does not give me the correct answer.

As I mentioned I configured the publisher / standby publisher cluster. But when the publisher fails, it will take several minutes to be back online.
This customer has 22 sites with LAN and WIFI authenticated with 802.1x on ClearPass, also the NAD logins are on ClearPass.
I decided not to add VIP, because we're not going to use the Guest functionalility.
My question: does adding the VIP IP decrease the time of a "failover"? I have to add this IP on all NAD's but that doesn't matter.

Or what is the best explaination to the customer having the best setup?

I hope you'll understand my question.

Best regards,
Erik

------------------------------
Erik Boss
------------------------------

failover time is going to be more a factor of the NAD configuration.  if you have publisher and subscriber setup as RADIUS servers on your client ( AP / switch) devices then the failover detection time comes down to what the timeout and count settings are for the radius server. for example if you have it set to 5 second timeout and 3 retries it will in theory take up to 15 seconds to detect failure of one server and then connect to the secondary radius server. 

publisher failover is a separate process that is really only to do with who has write access to the DB. i usually set publisher failover to be 30 mins unless there is a high usage of the guest feature. When publisher fails you can still auth but can't create new accounts in guest. 

The failover detection is better managed on the authenticating device, for example if you set your radius settings to more aggressive like 3 seconds 2 retries you can get failover time down to 6 seconds

Just a vip related question.

If I use a Clearpass VIP for RADIUS authentication ( with 2 servers behind the vip) and I want t ouse CoA to force a edge client reauth, will it still work ? Sort of thought that CoA’ing back to the switch had to come from the same Clearpass cluster member that serviced the initial inbound RADIUS auth request

A


Original Message:
Sent: 10/17/2021 3:32:00 PM
From: SD12
Subject: RE: ClearPass publisher / standby publisher or VIP with least failover time

failover time is going to be more a factor of the NAD configuration.  if you have publisher and subscriber setup as RADIUS servers on your client ( AP / switch) devices then the failover detection time comes down to what the timeout and count settings are for the radius server. for example if you have it set to 5 second timeout and 3 retries it will in theory take up to 15 seconds to detect failure of one server and then connect to the secondary radius server. 

publisher failover is a separate process that is really only to do with who has write access to the DB. i usually set publisher failover to be 30 mins unless there is a high usage of the guest feature. When publisher fails you can still auth but can't create new accounts in guest. 

The failover detection is better managed on the authenticating device, for example if you set your radius settings to more aggressive like 3 seconds 2 retries you can get failover time down to 6 seconds

------------------------------
Scott Doorey
------------------------------

Original Message:
Sent: Oct 14, 2021 05:27 AM
From: Erik Boss
Subject: ClearPass publisher / standby publisher or VIP with least failover time

Hi folks,

I'm very interested in these threads about ClearPass, but I'm currently running out of ideas because of a customers question.

Several monthts ago we sold a ClearPass publisher / subscriber (standby publisher) setup on Vmware. So far so good.
Now after almost ready the customer wanted to be sure failover is working. He assumes the old active / standby way like on firewall's so I tried to explain that as good as I could.
Searching on the internet and this form does not give me the correct answer.

As I mentioned I configured the publisher / standby publisher cluster. But when the publisher fails, it will take several minutes to be back online.
This customer has 22 sites with LAN and WIFI authenticated with 802.1x on ClearPass, also the NAD logins are on ClearPass.
I decided not to add VIP, because we're not going to use the Guest functionalility.
My question: does adding the VIP IP decrease the time of a "failover"? I have to add this IP on all NAD's but that doesn't matter.

Or what is the best explaination to the customer having the best setup?

I hope you'll understand my question.

Best regards,
Erik

------------------------------
Erik Boss
------------------------------

ClearPass sends out the CoA originating from the VIP. Further, I don't think it is needed to send out the CoA from the same IP as the one originally used to do the authentication. You can (should) configure all possible ClearPass IPs as dynamic-authorization hosts on the switch/ap/controller and it should work in my experience, but it may that different devices respond differently to where the CoA can come from.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Oct 18, 2021 06:45 AM
From: Alex Sharaz
Subject: ClearPass publisher / standby publisher or VIP with least failover time

Just a vip related question.

If I use a Clearpass VIP for RADIUS authentication ( with 2 servers behind the vip) and I want t ouse CoA to force a edge client reauth, will it still work ? Sort of thought that CoA'ing back to the switch had to come from the same Clearpass cluster member that serviced the initial inbound RADIUS auth request

A


Original Message:
Sent: 10/17/2021 3:32:00 PM
From: SD12
Subject: RE: ClearPass publisher / standby publisher or VIP with least failover time

failover time is going to be more a factor of the NAD configuration.  if you have publisher and subscriber setup as RADIUS servers on your client ( AP / switch) devices then the failover detection time comes down to what the timeout and count settings are for the radius server. for example if you have it set to 5 second timeout and 3 retries it will in theory take up to 15 seconds to detect failure of one server and then connect to the secondary radius server. 

publisher failover is a separate process that is really only to do with who has write access to the DB. i usually set publisher failover to be 30 mins unless there is a high usage of the guest feature. When publisher fails you can still auth but can't create new accounts in guest. 

The failover detection is better managed on the authenticating device, for example if you set your radius settings to more aggressive like 3 seconds 2 retries you can get failover time down to 6 seconds

------------------------------
Scott Doorey

Original Message:
Sent: Oct 14, 2021 05:27 AM
From: Erik Boss
Subject: ClearPass publisher / standby publisher or VIP with least failover time

Hi folks,

I'm very interested in these threads about ClearPass, but I'm currently running out of ideas because of a customers question.

Several monthts ago we sold a ClearPass publisher / subscriber (standby publisher) setup on Vmware. So far so good.
Now after almost ready the customer wanted to be sure failover is working. He assumes the old active / standby way like on firewall's so I tried to explain that as good as I could.
Searching on the internet and this form does not give me the correct answer.

As I mentioned I configured the publisher / standby publisher cluster. But when the publisher fails, it will take several minutes to be back online.
This customer has 22 sites with LAN and WIFI authenticated with 802.1x on ClearPass, also the NAD logins are on ClearPass.
I decided not to add VIP, because we're not going to use the Guest functionalility.
My question: does adding the VIP IP decrease the time of a "failover"? I have to add this IP on all NAD's but that doesn't matter.

Or what is the best explaination to the customer having the best setup?

I hope you'll understand my question.

Best regards,
Erik

------------------------------
Erik Boss
------------------------------

o.k that’s good to know

Never used the VIP before , always load balanced inbound radius requests and CoA responses always seemed to be initiated from the Clearpass cluster member that served the auth request, but pleased to be proved wrong

Many thanks
A


Original Message:
Sent: 10/18/2021 7:32:00 AM
From: Herman Robers
Subject: RE: ClearPass publisher / standby publisher or VIP with least failover time

ClearPass sends out the CoA originating from the VIP. Further, I don't think it is needed to send out the CoA from the same IP as the one originally used to do the authentication. You can (should) configure all possible ClearPass IPs as dynamic-authorization hosts on the switch/ap/controller and it should work in my experience, but it may that different devices respond differently to where the CoA can come from.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Oct 18, 2021 06:45 AM
From: Alex Sharaz
Subject: ClearPass publisher / standby publisher or VIP with least failover time

Just a vip related question.

If I use a Clearpass VIP for RADIUS authentication ( with 2 servers behind the vip) and I want t ouse CoA to force a edge client reauth, will it still work ? Sort of thought that CoA'ing back to the switch had to come from the same Clearpass cluster member that serviced the initial inbound RADIUS auth request

A


Original Message:
Sent: 10/17/2021 3:32:00 PM
From: SD12
Subject: RE: ClearPass publisher / standby publisher or VIP with least failover time

failover time is going to be more a factor of the NAD configuration.  if you have publisher and subscriber setup as RADIUS servers on your client ( AP / switch) devices then the failover detection time comes down to what the timeout and count settings are for the radius server. for example if you have it set to 5 second timeout and 3 retries it will in theory take up to 15 seconds to detect failure of one server and then connect to the secondary radius server. 

publisher failover is a separate process that is really only to do with who has write access to the DB. i usually set publisher failover to be 30 mins unless there is a high usage of the guest feature. When publisher fails you can still auth but can't create new accounts in guest. 

The failover detection is better managed on the authenticating device, for example if you set your radius settings to more aggressive like 3 seconds 2 retries you can get failover time down to 6 seconds

------------------------------
Scott Doorey

Original Message:
Sent: Oct 14, 2021 05:27 AM
From: Erik Boss
Subject: ClearPass publisher / standby publisher or VIP with least failover time

Hi folks,

I'm very interested in these threads about ClearPass, but I'm currently running out of ideas because of a customers question.

Several monthts ago we sold a ClearPass publisher / subscriber (standby publisher) setup on Vmware. So far so good.
Now after almost ready the customer wanted to be sure failover is working. He assumes the old active / standby way like on firewall's so I tried to explain that as good as I could.
Searching on the internet and this form does not give me the correct answer.

As I mentioned I configured the publisher / standby publisher cluster. But when the publisher fails, it will take several minutes to be back online.
This customer has 22 sites with LAN and WIFI authenticated with 802.1x on ClearPass, also the NAD logins are on ClearPass.
I decided not to add VIP, because we're not going to use the Guest functionalility.
My question: does adding the VIP IP decrease the time of a "failover"? I have to add this IP on all NAD's but that doesn't matter.

Or what is the best explaination to the customer having the best setup?

I hope you'll understand my question.

Best regards,
Erik

------------------------------
Erik Boss
------------------------------