Security

  • 1.  Clearpass 2 node cluster

    Posted Apr 13, 2022 02:58 PM
    Hi guys,
    I am setting up a 2 node CPPM Cluster and I have a couple of questions about the best practices to set up the environment.
    Reading the user guides and watching the workshop videos I set up the 2 nodes as publisher/subscriber with 2 VIPs (VRRP instances), one active on the PUB and the other one active on the SUB. Then I pointed the NADs to both VIPs so that I can have max high availability.
    Now my questions are about 2 things:

    1. standby publisher: is the process of promoting it to Publisher hitless or does it need the SUB to reboot to become PUB? I mean, if I have 2 nodes, the PUB fails, the SUB becomes PUB without any service interruption?
    Do I really need the standby Publisher?

    2. Profiling with DHCP relay: if I have more than one CPPM node, do I have to set all the nodes as IP helper address on my relay agent? Or just one? And if just one, should it be the PUBLISHER?
    Is there any best practice for DHCP Profiling with multiple CPPM nodes?
    Many thanks in advance
    Alessandro

    ------------------------------
    alessandro fedeli
    ------------------------------


  • 2.  RE: Clearpass 2 node cluster

    Posted Apr 14, 2022 03:57 AM
    1) There is no interruption

    The Standby Publisher health-checks the primary Publisher server every 60 seconds by making an SQL call to the active Publisher. If this SQL call fails, after ten additional attempts (one per minute), the Standby Publisher begins the process of promoting itself to be the active Publisher server.

    The process used to verify the reachability of the remote Policy Manager servers uses an outbound HTTPS call. As noted in Network Ports That Must Be Enabled, port 443/TCP must be open between all the servers in the cluster. Utilizing this HTTPS health check provides for a more robust and predictable failover process.

    When a Publisher failure is detected, the designated Subscriber server is promoted to active Publisher status. The other Subscriber servers automatically update and replicate their configuration with the new Publisher, which resolves the issue.

    2) If you are using a VIP, add the VIP as the IP Helper.



    ------------------------------
    Craig Syme
    ------------------------------
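The health-check and promotion sequence described in the reply above, modelled as an added example (this is not ClearPass code and is not from the original post); it assumes checks are exactly 60 s apart and that a successful check resets the failure count, neither of which the post states:

```python
"""Model of the Standby Publisher failover decision: one SQL health check per
minute, and promotion after the first failure plus ten further failed attempts.

Assumptions not taken from the post: a successful check resets the failure
count, and checks are exactly CHECK_INTERVAL_S apart.
"""
from dataclasses import dataclass

CHECK_INTERVAL_S = 60   # health-check cadence stated in the reply
EXTRA_ATTEMPTS = 10     # additional failed attempts before self-promotion


@dataclass
class StandbyPublisher:
    consecutive_failures: int = 0
    promoted: bool = False
    elapsed_s: int = 0

    def record_check(self, ok: bool) -> bool:
        """Feed one health-check result; return True once promotion begins."""
        if self.promoted:
            return True
        self.elapsed_s += CHECK_INTERVAL_S
        if ok:
            self.consecutive_failures = 0   # assumption: a success resets the count
            return False
        self.consecutive_failures += 1
        # first failure + EXTRA_ATTEMPTS further failures -> start promotion
        if self.consecutive_failures > EXTRA_ATTEMPTS:
            self.promoted = True
        return self.promoted


def seconds_until_promotion(results):
    """Run a constructed sequence of check results (True = SQL call succeeded).

    Returns the elapsed seconds at which promotion starts, or None if the
    sequence ends before the threshold is reached.
    """
    node = StandbyPublisher()
    for ok in results:
        if node.record_check(ok):
            return node.elapsed_s
    return None


if __name__ == "__main__":
    # Constructed scenario: publisher goes dark and stays dark.
    print(seconds_until_promotion([False] * 11))   # -> 660 (about 11 minutes)
```

The flapping case (a single successful check in the middle of an outage) shows why the detection window can be longer than 11 minutes under the reset assumption.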