I'm trying to figure out a failover solution for a rather complicated guest setup and wondered if anyone had any ideas for redundancy in my setup. The picture attached shows a simplified setup where we need to build in redundancy at both ends for guest traffic to/from a ClearPass at the core DMZ. The issue I have is that I cannot build the VPN tunnel between the two VRRP addresses.
If it is a guest network, what is the importance of tunneling guest traffic back to the DMZ? Why is it not just split out locally?
If it is an option, give the ClearPass server a public address and have everyone hit the guest page in that manner, rather than trying to tunnel guest traffic to a DMZ. Have the guest traffic then exit locally to the remote site.
We need to tunnel the guest traffic back to the core because that is where the ClearPass is, and it cannot be Internet-facing for security reasons.
MattF, ClearPass is a security box. You can say what IP addresses can and cannot be serviced by the guest page, period, so from a security perspective you can use HTTPS and protect any authentication traffic that you want.
Is there already a site-to-site VPN for wired traffic between the remote site and the core? If so, maybe the guest traffic can ride that tunnel and get split out in the DMZ. If there is no site-to-site VPN for wired traffic, you should just use a public IP address for CPPM and protect it, just like everyone else does. It's only for authenticating guest traffic, right? You pretty much do not care about any of the other traffic, so why force all the traffic to go back to the core over a tunnel for guest traffic, when you can just use HTTPS? Why build all of that infrastructure and then put redundancy on top of it, just for guest traffic? If that option has not been given, I would certainly present it.
The customer will not allow connections from the Internet, so this cannot be done. There is a site-to-site, which carries the Aruba VPN between the controllers; however, the guest traffic must be kept off the corporate network, which is why it needs to go through the VPN built between the controllers. The VPN between the controllers was pretty much the only option. If there hadn't been the site-to-site between the controllers, then there would have been no guest.
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.