Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Adding zones to Clearpass

  • 1.  Adding zones to Clearpass

    Posted Dec 08, 2022 05:27 PM
    We have a globally distributed deployment of Clearpass and want to enable additional Zones to regionalise authentication state, etc., and avoid having this replicated to all servers in the cluster unnecessarily.

    Is there any impact in configuring these zones and assigning cluster members to them that we need to consider? What is the immediate impact to cluster members that were previously in the default zone but who will now be in a US, EU or Asia zone? Does the cluster continue to operate normally during the change? Should this be done outside of production hours, etc.?

    Thanks


  • 2.  RE: Adding zones to Clearpass

    EMPLOYEE
    Posted Dec 12, 2022 07:21 AM
    Check here for guidance on the use of zones in ClearPass.

    You should put ClearPass nodes in the same zone if the same device is likely to authenticate on different servers in that zone.

    I'm quite sure that there is no interruption if you change ClearPass servers to a different zone. The 'hot data' may be out of sync shortly after that, but recover quickly. If you heavily depend on Cached Roles (like OnGuard), you may consider making the change in a maintenance window. And probably it's a good practice to run all changes in a maintenance window anyway so your users know that things may have changed and they report possible issues.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------