ClearPass cluster VIP and routing rules

  • 1.  ClearPass cluster VIP and routing rules

    Posted Feb 02, 2024 10:03 AM

    Good Afternoon,

    We have a cluster of two ClearPass servers set up with a VIP using the management interface. We also have our VPN gateways on the same VLAN or /24 network.

    We have a problem when VPN users try to authenticate a Guest access request. The ClearPass servers have a default route defined, which is our core router. The problem is that when a VPN user tries to access a CP server, the return traffic is sent to the router, not the VPN gateway device.

    We partially solved this by adding network rules to each node such as

    network ip add mgmt -i 500 -d 10.255.0.0/21 -g 192.168.1.55

    This works when the VPN user connects to the IP address of the cluster member, not the VIP; if the VIP is used, the traffic goes to the router and is lost.

    Is there any way of applying the routing rules to the VIP?

    Can anyone tell me if adding a rule

    network ip add mgmt -i 502 -s 192.168.1.50 -d 10.255.0.0/21 -g 192.168.1.55

    is likely to work, or whether it will break the cluster or the command will just fail? I am having trouble getting an outage window to test.

    192.168.1.1 - Core Router

    192.168.1.50 - Cluster VIP

    192.168.1.51 - Cluster Publisher

    192.168.1.52 - Cluster Subscriber

    Network Commands (link preview: ClearPass Policy Manager CLI reference on Arubanetworks, covering the network ip / ip6, ping6, reset and traceroute commands used to add, delete, or list custom routes in the data or management interface routing table)
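    Added example, not code from the thread or from ClearPass: a small model of the routing table described above, so the expected return path for the publisher and the VIP can be checked before an outage window. It assumes rules are tried in ascending index order, that an unqualified rule matches any source address, and that the default route applies when nothing matches; whether ClearPass really applies interface routes to VIP-sourced traffic is the open question of this thread, so treat the model as a planning aid rather than a statement of product behaviour.

```python
# Added example (assumed semantics, not ClearPass code): predict which gateway
# a reply leaves through under a given set of custom routes.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

CORE_ROUTER = "192.168.1.1"   # default gateway of the ClearPass nodes
VPN_GATEWAY = "192.168.1.55"  # where VPN users enter the /24
CLUSTER_VIP = "192.168.1.50"
PUBLISHER = "192.168.1.51"
VPN_POOL = "10.255.0.0/21"    # destination used in the thread's rules


@dataclass
class Rule:
    """One 'network ip add' entry: -i index, -d destination, -g gateway, optional -s source."""
    index: int
    dst: str
    gateway: str
    src: Optional[str] = None  # None models a rule without -s (any source)


def next_hop(rules: List[Rule], src: str, dst: str, default_gw: str = CORE_ROUTER) -> str:
    """Return the gateway a packet src -> dst is forwarded to (ASSUMPTION: lowest index wins)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.src is not None and rule.src != src:
            continue  # source-qualified rule does not apply to this sender
        if ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst):
            return rule.gateway
    return default_gw


def return_path_symmetric(rules: List[Rule], server_ip: str, client_ip: str,
                          ingress_gw: str = VPN_GATEWAY) -> bool:
    """True when the reply goes back through the gateway the request arrived from.

    False is the failure the poster describes: the reply is handed to the core
    router instead, and a stateful VPN gateway never sees it.
    """
    return next_hop(rules, server_ip, client_ip) == ingress_gw


if __name__ == "__main__":
    client = "10.255.3.7"  # constructed VPN client address inside VPN_POOL
    rule_502 = Rule(502, VPN_POOL, VPN_GATEWAY, src=CLUSTER_VIP)
    print("VIP reply, no custom route:", next_hop([], CLUSTER_VIP, client))
    print("VIP reply, with rule 502  :", next_hop([rule_502], CLUSTER_VIP, client))
    print("publisher reply, rule 502 :", next_hop([rule_502], PUBLISHER, client))
```

In this idealised model the unqualified rule 500 would already cover VIP-sourced replies, which is not what the poster observed; the value of the script is in making that gap between expected and actual routing explicit for each address before touching the cluster.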



  • 2.  RE: ClearPass cluster VIP and routing rules

    EMPLOYEE
    Posted Feb 14, 2024 04:30 AM

    Did you get anywhere with this? I try to avoid using the data interface whenever possible, but think that if traffic destined for a virtual IP on the management port is returned to the data port, that would be considered a bug. Did you open a support case for this?

    As nobody responded yet, and you mention that it's production and you can't take risks of outages, it may be wise to build/test this in lab before deploying in production. That may be something that your Aruba partner or Aruba support can assist with.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------