Check here for guidance on the use of zones in ClearPass.
You should put ClearPass nodes in the same zone if the same device is likely to authenticate on different servers in that zone.
I'm quite sure that there is no interruption if you change ClearPass servers to a different zone. The 'hot data' may be out of sync shortly after that, but recover quickly. If you heavily depend on Cached Roles (like OnGuard), you may consider making the change in a maintenance window. And probably it's a good practice to run all changes in an maintenance window anyway so your users know that things may have changed and they report possible issues.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 08, 2022 05:24 PM
From: Darren Carr
Subject: Adding zones to Clearpass
We have a globally distributed deployment of Clearpass and want to enable additional Zones to regionalise authentication state, etc and avoid having this replicated to all servers in the cluster unnecessarily.
Is there any impact in configuring these zones and assigning cluster members to them that we need to consider? What is the immediate impact to cluster members that were previously in the default zone but whom will now be in a US, EU or Asia zone? Does the cluster continue to operate normally during the change? Should this be done outside of production hours, etc.
Thanks