Erik,
I don't see the relation between using a Virtual AP and Guest... for RADIUS/TACACS, maybe even more, availability and redundancy are important.
There are multiple scenarios for redundancy, and each has pros and cons. You can add multiple RADIUS servers in the NAD, and let the NAD fail over, or you can use network load balancers to have even smoother failovers, or if your ClearPass servers are in the same subnet you can use Virtual IPs.
When configuring Virtual IP on ClearPass, it depends a bit on the number of nodes (and if they are in the same subnet), and if you just need redundancy or also load distribution across multiple nodes. If I don't have network load balancers, I tend to configure the NADs to always use a VIP, so I can reboot one of the nodes and keep an operational service.
Please discuss with your Aruba partner or Aruba support which design works best in your specific situation.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 14, 2021 05:27 AM
From: Erik Boss
Subject: ClearPass publisher / standby publisher or VIP with least failover time
Hi folks,
I'm very interested in these threads about ClearPass, but I'm currently running out of ideas because of a customer's question.
Several months ago we sold a ClearPass publisher / subscriber (standby publisher) setup on VMware. So far so good.
Now, with the setup almost ready, the customer wanted to be sure failover is working. He assumes the old active / standby way like on firewalls, so I tried to explain that as well as I could.
Searching on the internet and this forum does not give me the correct answer.
As I mentioned I configured the publisher / standby publisher cluster. But when the publisher fails, it will take several minutes to be back online.
This customer has 22 sites with LAN and WIFI authenticated with 802.1x on ClearPass, also the NAD logins are on ClearPass.
I decided not to add VIP, because we're not going to use the Guest functionality.
My question: does adding the VIP IP decrease the time of a "failover"? I have to add this IP on all NADs but that doesn't matter.
Or what is the best explanation to the customer having the best setup?
I hope you'll understand my question.
Best regards,
Erik
------------------------------
Erik Boss
------------------------------