Wireless Access

In A setup MM and cluster two Controllers.

For COA to work we need to configure VRRP IP for each controllers.

For Management of two controllers one IP (Example 192.168.1.1 and 192.168.1.2) each and one VIP (192.168.1.3) for AP's to Discover and download the configuration.

Management Vlan 10 - 192.168.1.1

                                      192.168.1.2

                      VIP   - 192.168.1.3

For COA to work we need one IP User vlan Each 

Vlan 20 - 192.168.2.1

               192.168.2.2

In the above scenario are we allowed  to use Management IP 192.168.1.1  by configuring at Specific controller in Hierarchy as NAS -IP to ensure COA works . This will reduce customer to allocate less number of IP.

This is one of the query from Secure Site Customer as they need to clear for more number of IP's moving to AOS 8.

Please advice.

Your answer is here:  https://community.arubanetworks.com/t5/Wireless-Access/Clustering-MD-in-8-x-The-need-for-VRRP-IP/m-p/303835/highlight/true#M72733

So if i understand correctly  i need VIP for each MD for COA to work. :-(

You honestly don't need VRRPs for COA to work. 

The VRRP ip address created in the Cluster Profile, that automatically creates VRRP IDS from 220 and up are only really used if there is a cluster failover/election, so that the ip address of the NAS stays the same as that in the user's in the access tracker.  If there are no cluster failovers between when the user first authenticates and when you expect to do a COA, the cluster VRRP configuration is excess, really.  COA will still work without configuring VRRPs in the cluster profile.

Thanks a lot for more detailed information

An important question: do the devices use their own "physical" IP address for RADIUS communication, or the VRRP addresses created under the Cluster Profile?

Example:

• MD1:
  • Physical IP address: 10.0.0.11
  • VRRP IP in cluster profile: 10.0.0.21
• MD2:
  • Physical IP address: 10.0.0.12
  • VRRP IP in cluster profile: 10.0.0.22
• RADIUS server:
  • IP address: 172.18.0.99

In this case, for example, if the UAC of user1 is MD1, to which IP address is the communication goes from the RADIUS in case of CoA, 10.0.0.11 or 10.0.0.21 is the destination IP address? Because of firewall rules this is an important question, I would need to know if the NAS IPs (10.0.0.21 and 10.0.0.22) are actually used for communication or not?

Does it depend on whether I enter the device's own VRRP address in the "NAS IP" under the RADIUS server profile in the MD configuration? (10.0.0.21 for MD1) If nothing is specified in the RADIUS server profile under "NAS IP", will it send packets with the default mgmt address? (10.0.0.11 for MD1)

Yes.

IP address used depends on cluster state and config:

• not clustered
  • no cluster, no NAS IP configured, interface closest to RADIUS server is used
  • no cluster, NAS IP configured, NAS IP always used
• clustered
  • no cluster VRRP, no NAS IP configured, interface closest to RADIUS server is used
  • no cluster VRRP, NAS IP configured, NAS IP always used
  • cluster VRRP configured and cluster operational, NAS IP ignored, cluster VRRP IP always used