Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ClearPass resiliency with external Captive Portal

  • 1.  ClearPass resiliency with external Captive Portal

    Posted Nov 23, 2020 01:19 PM
    Are there any supported options for resiliency / High Availability with ClearPass Guest?
    I have a Publisher/Subscriber setup with the two servers in different Datacenters with different subnets.
    ClearPass 6.8.5.230350
    MM /MDs : 8.5.0.10
    Campus AP setup

    I am looking to set up an external captive portal on my ClearPass Publisher for my environment. What will happen if the Publisher fails or is brought down for maintenance? How can I have my Subscriber hold a backup portal?


    ------------------------------
    PetRock
    ------------------------------


  • 2.  RE: ClearPass resiliency with external Captive Portal

    Posted Nov 24, 2020 07:49 AM
    Ideally you should consider ClearPass nodes in the same subnet for guest access. You can run VRRP between the nodes and create a DNS entry for the VIP.

    In your case with L3 separation between the nodes, this is what I can think of:
    - Create a separate DNS entry for each ClearPass IP
    - Create a new certificate with SAN having both IPs/Domains or a separate certificate for each ClearPass node
    - Use any of the "DNS failover" solutions to start resolving to the second ClearPass IP in case the primary node goes down. There are other providers, but I know AWS Route 53 can do that:
    https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-configuring.html

    ------------------------------
    Jibran Aziz
    ------------------------------



  • 3.  RE: ClearPass resiliency with external Captive Portal
    Best Answer

    EMPLOYEE
    Posted Nov 24, 2020 11:26 AM
    When your publisher fails, you should still be able to use your subscriber as all configuration including captive-portal is synchronized in the cluster. You can use any node in your cluster to point your clients to.

    Then in addition to what has been suggested already, a network load balancer if you have that in your network could be used to provide redundancy between the two IP addresses. Put the same certificate (name as in CN/SAN) on both appliances and in DNS point to the IP of your network load-balancer.
    One poor man's redundancy option is to use round-robin DNS, by publishing both IPs (A-records) for the same name. The client will randomly use one of the IPs, and if it fails, in most cases it will try the other IP after a few seconds. In case of a failure, you will get in the situation that half of the requests will (statistically) try the wrong server and only after a timeout get to the portal.

    As database updates are performed through the publisher, you will not be able to register new guest accounts when the publisher is down, but existing accounts and MAC caching will just work as expected.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------
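The advice above (two nodes in different subnets, the portal name resolving to both IPs, and the same certificate name in CN/SAN on both appliances) can be verified from a client's point of view. The script below is an added example, not code from the thread or from ClearPass: it resolves every A record behind the portal FQDN and TLS-connects to each address while validating the certificate against that name, so a node that is down or presents a mismatched certificate shows up before a failover event does. The FQDN and addresses used are constructed placeholders.

```python
"""Probe every address published for a captive-portal FQDN and report which
nodes answer with a certificate that is valid for that name (added example)."""
import socket
import ssl
import sys
from typing import Callable, Dict, List

def resolve_all(fqdn: str) -> List[str]:
    """Return every IPv4 address published for fqdn (round-robin or failover records)."""
    infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe_node(ip: str, fqdn: str, timeout: float = 3.0) -> str:
    """TLS-connect to one node by IP, but validate the certificate against the
    portal FQDN (SNI and hostname check), exactly as a browser would.
    Returns 'ok', 'cert-mismatch' or 'unreachable'."""
    ctx = ssl.create_default_context()  # check_hostname=True, verify CN/SAN
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "cert-mismatch"
    except (OSError, ssl.SSLError):
        return "unreachable"

def portal_status(fqdn: str,
                  resolver: Callable[[str], List[str]] = resolve_all,
                  probe: Callable[..., str] = probe_node) -> Dict[str, str]:
    """Probe every published address. resolver and probe are injectable so the
    logic can be exercised offline against constructed data."""
    return {ip: probe(ip, fqdn) for ip in resolver(fqdn)}

def usable_nodes(status: Dict[str, str]) -> List[str]:
    """Addresses a client can safely land on: reachable AND certificate valid
    for the portal name. A node answering with the wrong certificate is worse
    than a dead one: the browser shows a warning instead of failing over."""
    return [ip for ip, state in status.items() if state == "ok"]

if __name__ == "__main__":
    # Constructed placeholder; replace with the real portal FQDN.
    name = sys.argv[1] if len(sys.argv) > 1 else "guest-portal.example.com"
    for ip, state in portal_status(name).items():
        print(f"{name} -> {ip}: {state}")
```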