I am quite new to ClearPass. We are about to deploy 4 CPPM servers in a single cluster. Regarding the guest captive portal, is that load balanced across all the servers or does it just run on one of them?
Do I need to place a load balancer in front of the servers to provide high availability of the captive portal?
We will be using the latest 6.7 version.
By using a VIP with your cluster you can make the Captive Portal Page Highly Available. For load balancing you can use the load balancing feature in ArubaOS under Configuration > Authentication > Servers > Server Group > Load Balancing check box. Or if you have a load balancer such as an F5 or NetScaler you can run them through that.
Will all four CPPM appliances be reachable by guests so that they can serve as captive portal?
A load balancer could be used, or techniques such as DNS round robin load balancing and/or Virtual IPs on the CPPM appliances to help distribute the load and provide high availability. Ultimately, you have options available based on your end requirements.
I was planning to have the portal on all 4 of them just for availability and nothing else. Load won't be very high but availability is important for us.
We do have Netscalers so may look to use those.
Now I just need to figure out how to get the guest traffic from a branch office to the portal :-(
That's always the fun part. :) (Getting traffic from the remote branches back to the internal CPPM appliances)
Some customers will expose one or more CPPM appliances to the Internet, so that guests at the remote branch can reach the portal over the public Internet. Some will tunnel from the branch guest networks back to where CPPM is located. Others still may NAT or otherwise allow guest traffic access to the inside IP addresses of CPPM.
Hi, thanks for your help. I had read about going over the internet and also some people using VRF tunnels. I don't want guest traffic on the internal network so these seem the best options. At the moment and based on your feedback I am thinking: data interface of CPPM in DMZ and presenting captive portal over the internet fronted by a NetScaler. Seems easier than VRF. Would you recommend this as an option?
That is one method I've seen used well. The plus side is that connectivity to the captive portal is dependent on the guest Internet connection being available, assuming guest and corporate traffic is segmented at the branch.
Great, yes, corp traffic is all sent back to a central location; guest traffic in branch offices has a local internet breakout. So sounds like it could be a good option. Thanks