Hi Dario
One VIP will give you redundancy, and you can configure your LAN and WLAN with only one Radius server, but you will not be able to share the load between different ClearPass servers. Only the server owning the VIP will get the traffic.
If you, in a two-node cluster, have one additional VIP owned by the other server, you can share the load between the servers and keep the redundancy given by the VIP.
You may also be able to enable load balancing in a controller.
My second reason to have a VIP on each server is just for emergency situations. If you need to drop a Subscriber from the cluster, Radius traffic will continue to reach the faulty server during the recovery work. During this time this faulty server may reject all requests, as it may have lost all configuration.
With the VIP configured as the Radius server address instead of the interface address, it's easy to disable the VIP address on the faulty server, or move it to another server in the cluster. This is also useful if you have a larger cluster with just one local node on some locations. By disabling the VIP, the switch or AP will fail over to the secondary Radius server on another site.
So I normally configure primary and secondary Radius servers on the network infrastructure and VIP addresses for all ClearPass servers.
I hope my explanation answers your question. Let me know if I should elaborate on anything.
------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSP, ACEP
Aranya AB
------------------------------
Original Message:
Sent: Sep 06, 2022 11:26 AM
From: Dario Nardello
Subject: Clearpass VIP Radius Server
Hi Jonas. Sincerely, I don't understand what you want to tell me with "one VIP IP address for each server". Can you kindly explain it to me? In this case, do I have to configure multiple Radius and TACACS servers in my switches? My question about the VIP was to understand if it is possible to configure one single IP on the switches for multiple Radius servers for redundancy and load sharing.
Dario
Original Message:
Sent: Sep 06, 2022 02:49 AM
From: Jonas Hammarback
Subject: Clearpass VIP Radius Server
Hi Dario
It depends...
If you are running your ClearPass servers in traditional hardware or virtual appliances you can have VIP addresses. If you have your appliances in a cloud environment such as Azure and AWS the VIP feature isn't supported.
Assuming you have hardware or virtual on-prem installation I normally create one VIP IP address for each server in the cluster and point the client traffic to these VIP addresses instead of the server interface addresses.
Besides the redundancy you get with a VIP, the configuration of one VIP per server gives me an easy way of controlling whether a server should be able to get the traffic or not.
In case of issues in one ClearPass server, it's very convenient to be able to disable this server during troubleshooting.
Also hardware replacement in the future will be easier with a VIP configured.
One thing to keep in mind, if you have VIP addresses for the servers and are using CX switches with Downloadable User Roles, is that the CX switches require the Radius server FQDN to be in the SAN or Subject field of the certificate.
If you have two FQDNs, radius1.localdomain.com and radius2.localdomain.com, both of these names must be in the certificates on both servers. I think wildcard certificates should be supported in this scenario, but validate before you put it into production.
------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSA, ACEP
Aranya AB
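The certificate requirement described above, as an added check that is not part of the thread or of any ClearPass or Aruba tooling: the script builds a constructed self-signed test certificate carrying both VIP FQDNs in the SAN, then reports whether each Radius server name the switches are pointed at appears as an exact SAN or Subject CN entry (it assumes OpenSSL 1.1.1 or later on the PATH; replace the test certificate with the real ClearPass server certificates).

```shell
#!/bin/sh
# Added example: verify that every RADIUS server FQDN used on the switches is
# present in a ClearPass server certificate (SAN DNS entry or Subject CN), as
# CX switches with Downloadable User Roles require.
# Assumption: OpenSSL 1.1.1+ is installed. The certificate generated below is a
# constructed test certificate, not a real ClearPass certificate.

WORK=$(mktemp -d)

# Constructed test certificate: CN radius1, SAN lists both VIP names.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=radius1.localdomain.com" \
    -addext "subjectAltName=DNS:radius1.localdomain.com,DNS:radius2.localdomain.com" \
    >/dev/null 2>&1
}

# Print the SAN DNS names and the Subject CN of a PEM certificate, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p'
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when every required FQDN is an exact entry in the certificate,
# 1 otherwise. Wildcard entries are listed but not counted as a match, since
# the thread advises validating wildcard support before production use.
check_cert() {
  cert=$1; shift
  names=$(cert_names "$cert")
  rc=0
  for fqdn in "$@"; do
    if printf '%s\n' "$names" | grep -qx "$fqdn"; then
      echo "OK      $fqdn"
    else
      echo "MISSING $fqdn"; rc=1
    fi
  done
  printf '%s\n' "$names" | grep '^\*' | sed 's/^/WILDCARD (validate): /'
  return $rc
}

make_test_cert
check_cert "$WORK/cert.pem" radius1.localdomain.com radius2.localdomain.com
```

Run it once per ClearPass server certificate, passing every Radius FQDN configured on the switches and controllers; any MISSING line means that switch-side name will not be accepted from that server.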
Original Message:
Sent: Sep 06, 2022 02:34 AM
From: Dario Nardello
Subject: Clearpass VIP Radius Server
Hello all,
Until now, in the switches and wireless controllers I have always configured the two physical IP addresses of the two ClearPass servers for profiling, Radius and TACACS authentication. The question is: is it possible to use the VIP IP address? And if I have more than 2 ClearPass servers in the cluster, what is the best practice?
Dario