
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM Cluster Setup

  • 1.  CPPM Cluster Setup

    Posted Mar 18, 2013 11:53 AM



    I've been looking for information about CPPM clustering. The documentation available on the CPPM doesn't cover the setup, only some command-line tools and whatnot. I also checked on and didn't find anything that specifically talks about clustering in CPPM.


    Is there a document that goes into detail about CPPM clustering? I did find an old document pertaining to clustering in Amigopod; are the concepts the same?


    Thank you

  • 2.  RE: CPPM Cluster Setup

    Posted Mar 18, 2013 01:12 PM

    Adding a subscriber to a publisher (terminology for the cluster) is quite simple. On the Administration --> Server Manager --> Server Configuration page click the Make Subscriber link. You then just enter the Publisher IP and password (this password is the CLI password, the one for appadmin).


    The clustering for CPPM 6.x will allow for shared configuration and databases. It does not provide a "virtual IP" for the cluster, so failover/redundancy for captive portal for Guest will need to rely on DNS or a load balancer, and your RADIUS clients will need to define a primary and backup RADIUS server for redundancy.


    I believe future releases are set to include some of the above features.

  • 3.  RE: CPPM Cluster Setup

    Posted Mar 18, 2013 01:53 PM

    Hey clembo,


    Thanks for the reply.


    We are running CPPM 6.0.2.x


    Since there is no virtual IP, is there still the restriction of the CPPMs being in the same subnet? I had read that with Amigopod the two systems needed to be in the same subnet.


    What configurations are actually synchronized between the two devices? Endpoints? Onboarded devices and certs (certs would probably be a problem)? Services? Etc...

    I figure that for sure Guest accounts would be synced.


    When a Subscriber is set up, is the current DB on the CPPM wiped out and replaced by that of the Publisher?


    I believe I follow the comment about using DNS to provide redundancy.


    Thank you again for your response!

  • 4.  RE: CPPM Cluster Setup

    Posted Mar 18, 2013 02:39 PM

    Hi Bourne,


    "Since there is no virtual IP is there still the restriction of the CPPM's being in the same subnet? I had read that with Amigopod that the two systems needed to be in the same subnet."


    I believe this is no longer the case. With CPPM you would need to configure a DNS entry or load balancer to point to the active CPPM, and monitor the primary. In the event the primary dies you would then point to the backup CPPM. This way, as long as the network permissions and routes are there, you should be able to place the devices anywhere. I believe the two CPPMs just need to be able to talk to each other on SSH to sync (there may be other ports, but I'm not sure).


    As I understood, all of the configurations are synced, including users, devices, certs, and profiles.


    I would imagine it would wipe the config and match itself to the primary, but I am not sure. This is how Amigopod acted IIRC.




  • 5.  RE: CPPM Cluster Setup

    Posted Mar 18, 2013 03:19 PM

    Hey ELiasz,


    Thank you for your response.


    Interesting that the sync is done over SSH!


    In this cluster can you only have one CPPM handling the client requests at a time? The sync is just one way, I guess, from Publisher to Subscriber, but not Subscriber to Publisher?


    Thanks for confirming the wipe of the config. It makes sense that that is what would happen, but I wasn't 100% sure.




  • 6.  RE: CPPM Cluster Setup

    Posted Mar 18, 2013 03:31 PM

    You can have the publisher and any number of subscribers handling client requests at a time; however, configuration changes can only be made on the publisher node.


    The following is a list of ports needed between the publisher and subscriber (and no, they do not have to be on the same VLAN).


    • UDP Port 123 NTP (Subscriber to publisher)
    • TCP Port 443 HTTPS (Bi-directional)
    • TCP Port 5432 PostgreSQL for DB replication (Subscriber to publisher)

  • 7.  RE: CPPM Cluster Setup

    Posted Mar 19, 2013 08:53 AM

    Hey clembo,


    Thank you for your response and sorry I didn't get back sooner.


    That is good to hear that the Publisher and any number of the Subscribers can handle client requests.

    Configuration changes on the Publisher only makes sense.


    We will make note of the ports that need to be available between the two Policy Managers.


    Still not sure if we will implement the clustering but it is good to know a little more about it!


    Thank you again for the help!

  • 8.  RE: CPPM Cluster Setup

    Posted Aug 30, 2013 01:38 PM



    Sorry to rehash yet another old post. I figured it would be better than creating a new post.


    I was reading @tarnold's post here: Certificate Issues/Questions

    And due to my severe lack of understanding of certificates and lack of experience with CPPM in a cluster environment, I wanted to see if I have once again misunderstood what is possible.


    In our environment we have two CPPMs. They are in two different physical locations and in different VLANs. However, there is a connection between the two locations, so the CPPMs will be able to talk to one another. They are currently not clustered.


    What we had planned to do was to modify the DNS at each location to cause the clients to hit the CPPM local to the location they were at.

    Location A
    Server Hostname: DNS entry for CPPM:; x.x.y.x <----- used by all users and devices to communicate with the CPPM
    Location B
    Server Hostname: DNS entry for CPPM:; x.x.y.x <----- used by all users and devices to communicate with the CPPM


    We do not intend to use the server hostnames to access the CPPMs. Instead we will use a common DNS name (


    We had run into the error mentioned in @tarnold's post in a previous test environment. Through our tests we discovered that the CPPM takes the URL used to access the CPPM and the CN value defined within the cert. If these two items match then you will not receive the error.


    So it was our assumption that we could just use DNS as mentioned above. The same commercial certificate would be loaded on both CPPM servers and all would be well. But after reading the post now I am not so sure.

    Within our commercial certificate we made no reference to the IPs of the CPPMs themselves nor the hostnames of the individual servers. But in the examples provided each CPPM is individually defined.


    We currently have our commercial cert installed on one of our CPPMs and it is fully functional. We are able to Onboard Apple devices without issue and do not receive the error mentioned in @tarnold's post. My fear though is that when we do eventually cluster the two CPPMs together and replace the cert currently installed on the CPPM at location B, we may run into issues.


    Will a properly defined DNS entry be enough to get everything working?

    Since everything is working already, I don't see why it wouldn't because the only thing that is changing is the IP of the CPPM in the DNS entry. But I also don't have any real experience with a CPPM cluster!


    Thank you,



  • 9.  RE: CPPM Cluster Setup

    Posted Aug 31, 2013 12:08 AM



    There was an issue with CPPM where it was very strict on what was on the cert and the server name. This was fixed in 6.1.2 patch 3 and 6.2. You should be fine with the way you posted.


    Previously CPPM would just read the CN value of the cert even if there was a SAN entry. I put the IP address in my example also because there are a few people out there who were using IPs internally and DNS externally, but it's not a requirement to put them in the SAN entry.

  • 10.  RE: CPPM Cluster Setup

    Posted Sep 04, 2013 08:18 AM

    Hey @tarnold,


    Thank you for clarifying; it is very much appreciated.


    I do remember the issue you are referring to, as you helped to diagnose the issue in another thread.


    You mention that now the CPPM can read the SAN entries.

    In the situation where you have a wildcard cert, if you could add SAN entries to this cert then technically you could still use a wildcard cert with the CPPM? Not sure if wildcard certs will allow for SAN entries though.


    Thank you again!
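    A worked illustration of the CN-only versus SAN-aware matching discussed in the last two replies (the strict pre-fix behaviour, the fixed behaviour, and a wildcard cert carrying SAN entries), added here as an example and not taken from the thread or from ClearPass; the hostnames, certificate contents and function names are constructed placeholders.

```python
# Added example, not from the thread or from ClearPass: hostname-to-certificate
# matching in the two styles the thread describes. Older CPPM compared the host
# in the access URL only against the certificate CN; 6.1.2 patch 3 / 6.2 also
# honour subjectAltName. Certs are constructed in the dict shape that Python's
# ssl.getpeercert() returns; every name below is a placeholder.
import ipaddress

def _dns_match(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # "*.example.com" covers "cppm.example.com", not "a.b.example.com" or "example.com"
    return pattern.split(".")[1:] == hostname.split(".")[1:]

def _cn_values(cert) -> list:
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def cn_only_match(cert, host: str) -> bool:
    """Old behaviour: only the CN is consulted; SAN entries are ignored."""
    return any(_dns_match(cn, host) for cn in _cn_values(cert))

def san_aware_match(cert, host: str) -> bool:
    """Fixed behaviour: SANs are authoritative; CN is used only if no DNS SAN exists."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for (k, v) in sans if k == "DNS"]
    ip_names = [v for (k, v) in sans if k == "IP Address"]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:  # URL used an IP: only an IP SAN can match it
        return any(ipaddress.ip_address(ip) == addr for ip in ip_names)
    if dns_names:
        return any(_dns_match(d, host) for d in dns_names)
    return cn_only_match(cert, host)

# Constructed: one commercial cert shared by both nodes, common DNS name in the
# CN, each node's own hostname (and one IP) in the SAN.
CLUSTER_CERT = {
    "subject": ((("commonName", "cppm.example.com"),),),
    "subjectAltName": (("DNS", "cppm.example.com"), ("DNS", "cppm-a.example.com"),
                       ("DNS", "cppm-b.example.com"), ("IP Address", "192.0.2.10")),
}
# Constructed: wildcard cert that also carries SAN entries, as asked above.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
```

    Reaching a node by its own hostname fails the CN-only check but passes the SAN-aware one, which is exactly the error the thread describes being fixed.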



  • 11.  RE: CPPM Cluster Setup

    Posted Jun 06, 2016 11:20 PM

    But for a 'virtual IP' doesn't it need to be in the same broadcast domain?