Security

  • 1.  ClearPass Cluster - 2 VIPs.. why ?

    Posted Mar 08, 2023 12:10 AM

    Hi all,

    Was just wondering why the recommended setup for a ClearPass cluster is to have 2 VIPs, when 1 VIP should be enough in the event of an outage to the publisher?

    Regards



  • 2.  RE: ClearPass Cluster - 2 VIPs.. why ?

    Posted Mar 08, 2023 09:31 AM

    With 2 VIPs you can share the load of your environment over the two VIPs, where with 1 VIP all load will get to that single appliance.

    And if you have an internal or backend issue that makes the server holding the VIP no longer respond (but not 'broken enough' to release the VIP), your switches and APs may fall back to the other VIP. If you fall back to the node IP addresses, then a single VIP may also be a perfectly viable solution.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass Cluster - 2 VIPs.. why ?

    Posted Mar 08, 2023 07:14 PM

    Hi Herman,

    Thanks for your reply. Still does not make a great deal of design sense to me, as I was thinking the whole idea of a VIP was to have one virtual IP (with seamless failover across subscriber and publisher nodes).

    As per your first comment: "With 2 VIPs you can share the load of your environment over the two VIPs, where with 1 VIP all load will get to that single appliance."

    --> I thought by design the subscriber doesn't get used, it only replicates the publisher's database. So how exactly is it sharing load in a VIP scenario?

    As per your second point: "And if you have an internal or backend issue that makes the server holding the VIP no longer respond (but not 'broken enough' to release the VIP), your switches and APs may fall back to the other VIP. If you fall back to the node IP addresses, then a single VIP may also be a perfectly viable solution."

    --> How would the fallback work if the VIP has the primary node as subscriber still? Does the subscriber get promoted to a publisher when the publisher (primary) VIP has issues? Why doesn't it do all of the failback in one VIP, kind of like VRRP/HSRP?




  • 4.  RE: ClearPass Cluster - 2 VIPs.. why ?
    Best Answer

    Posted Mar 09, 2023 02:24 AM

    Hi 

    "I thought by design the subscriber doesn't get used only replicates publishers database." 
    This is a bit of a misunderstanding from your side.

    In a cluster the subscribers have the same capability to handle authentications and all other tasks as the Publisher. In a big cluster with multiple nodes you may have one node in each country or on different continents.

    As Herman mentioned, you do not get any load balancing with just one VIP between the nodes, but with one VIP per server you can configure each server to take its share of the authentication traffic load.

    "how would the fallback work if the VIP has primary node as subscriber still?"
    If you configure your network infrastructure to have two RADIUS servers, the device will fail over to the secondary RADIUS server configured, in this case the other VIP.

    Depending on the size of the implementation I sometimes put one VIP as primary on the switches and the other as primary in the WLAN configuration. Another option is to have different primary and secondary RADIUS servers based on different sites.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
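
The load-sharing and failover argument from posts 2 and 4, as an added example that is not part of the original thread: a simplified Python model in which a VIP moves to its secondary node only when the primary node is fully down, while a hung node keeps it. The node names, VIP names and the failover rule are assumptions for illustration, not ClearPass internals.

```python
# Simplified model (assumption, not ClearPass code): a VIP moves to its
# secondary node only when the primary is DOWN; a HUNG node keeps the VIP.
from collections import Counter

HEALTHY, HUNG, DOWN = "healthy", "hung", "down"

def vip_holder(vip, state):
    """Return the node currently answering for this VIP."""
    primary, secondary = vip
    return secondary if state[primary] == DOWN else primary

def authenticate(server_list, vips, state):
    """Try RADIUS servers in configured order, as a switch or AP would.
    Returns the node that answered, or None if every server timed out."""
    for name in server_list:
        node = vip_holder(vips[name], state)
        if state[node] == HEALTHY:
            return node
    return None

def simulate(nas_config, vips, state):
    """Count which node serves each NAS group (None = authentication outage)."""
    return Counter(authenticate(s, vips, state) for s in nas_config.values())

# Constructed sample data: node and VIP names are hypothetical.
ONE_VIP = {"vip1": ("cppm-pub", "cppm-sub")}
TWO_VIPS = {"vip1": ("cppm-pub", "cppm-sub"), "vip2": ("cppm-sub", "cppm-pub")}
# Switches prefer vip1, WLAN prefers vip2, each with the other VIP as secondary.
NAS_ONE = {"switches": ["vip1"], "wlan": ["vip1"]}
NAS_TWO = {"switches": ["vip1", "vip2"], "wlan": ["vip2", "vip1"]}

SCENARIOS = {
    "all healthy": {"cppm-pub": HEALTHY, "cppm-sub": HEALTHY},
    "publisher hung": {"cppm-pub": HUNG, "cppm-sub": HEALTHY},
    "publisher down": {"cppm-pub": DOWN, "cppm-sub": HEALTHY},
}

if __name__ == "__main__":
    for label, state in SCENARIOS.items():
        print(label)
        print("  one VIP :", dict(simulate(NAS_ONE, ONE_VIP, state)))
        print("  two VIPs:", dict(simulate(NAS_TWO, TWO_VIPS, state)))
```

In this model the single-VIP design only fails in the "publisher hung" case, which is the case post 2 describes; with two VIPs the same fault is absorbed by the client's secondary RADIUS server.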



  • 5.  RE: ClearPass Cluster - 2 VIPs.. why ?

    Posted Mar 09, 2023 05:45 PM

    Thanks Jonas.

    So basically the subscriber is still involved in authenticating requests... it is just not the main or primary one?




  • 6.  RE: ClearPass Cluster - 2 VIPs.. why ?

    Posted Mar 14, 2023 04:42 AM

    In a ClearPass cluster with publisher and subscribers, any node in the cluster can take authentication. Configuration and monitoring is done from the publisher, but either publisher or any of the subscribers can perform authentication to get scaling/redundancy/geographic/security-zone-spreading.



    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: ClearPass Cluster - 2 VIPs.. why ?

    Posted Mar 19, 2023 03:19 AM
    Edited by champ85 Mar 19, 2023 03:19 AM

    Thanks Herman.

    Appreciate it.