In our environment, authentication requests will first hit the LB and then be distributed to subscribers.
One of my main concerns is: will there be discrepancies in Insight reports during downtime, since failover will be manual? How can we handle this?
Original Message:
Sent: Jun 11, 2025 07:52 AM
From: Lord
Subject: Failover for an Active-Active Cluster
Your design depends on the rest of the network and server design. If the publisher and subscriber are disconnected, then your ClearPass cluster is broken. But the primary goal is not to maintain cluster integrity in the event of a failure, but to ensure that authentication works. You cannot make any configuration changes at this moment, but each ClearPass server will still process the authentication requests.
As @zemerick1 meant, as long as the NADs reach the ClearPass server, clients will continue to be authenticated. The question is whether your NADs are redundantly connected and have a network connection to the DC and DR. It is also important whether all authentication and authorization sources are also present in the DC and DR. If so, then I would place one ClearPass server in the DC and one in the DR. In this case, you cannot use the VIPs and must configure both servers in each NAD.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or marking it as the solution
Original Message:
Sent: Jun 10, 2025 08:59 AM
From: zemerick1
Subject: Failover for an Active-Active Cluster
The publisher and standby recommendation in the same subnet is in relation to utilizing VRRP. Then it is a requirement.
I don't fully understand the ask here, but as long as the NADs have access to either zone (DR/DC), clients will continue to authenticate.
------------------------------
ACEX #137
Original Message:
Sent: Jun 09, 2025 02:53 PM
From: nw16
Subject: Failover for an Active-Active Cluster
Hello Experts,
Please help guide me on the scenario below (manual failover):
1. Publisher placed in DC and Standby Publisher placed in DR: in the event that the link between DC & DR fails
> Both setups will work independently
> In this case, the reports generated will not be synced
2. Publisher and Standby Publisher placed in DR: in the event that the link between DC & DR fails
> If the link is restored within the given timeframe, the DR subscribers will auto-join the DC PUB
> If the link is restored after the given timeframe, we have to manually add these nodes to the cluster
> Reports will not be available during downtime
And my dilemma is which method could be a possible option to consider, since it's recommended to have the PUB & STANDBY PUB in the same subnet.
Will this have any impact from a security standpoint?