
Onguard behaviour within zone

  • 1.  Onguard behaviour within zone

    Posted Apr 10, 2018 11:03 AM

    Hi all,

    I recently configured ClearPass zones to limit the ClearPass nodes that serve posture services to the nearest users.

    This is my current configuration:

    pub A : IP A, B (data)

    pub B : IP C, D (data)

    sub A : IP E (mgmt)

    Sub B : IP F (mgmt)

    I have mapped the customer subnet into the zone Test (consisting of IP E only) and assigned sub A to zone Test.

    This configuration is not working, since I see on the device that the auth server / node details still consist of IPs A, B, C, D, E, and F, and some agents still contact the Publisher IP as well.

    Any idea?

    Regards



  • 2.  RE: Onguard behaviour within zone

    Posted Apr 12, 2018 11:45 AM

    Hi,

    The Policy Manager zones configuration for agents is there to update the agent about its zone/domain based on the client subnet.

    The agent will pick up the servers from its domain as primary servers and initiate communication for the health check. You will see all the cluster nodes in the agent as auth servers, but it will start the health check with its respective domain nodes and then fail over to the next auth servers if the domain servers are not reachable. You can in fact configure the order in which the agent should fail over.

    The "Onguard in a cluster" technote available at the link below will help you with more details.

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13373

    Note: Newly installed agents will not know about the zone configuration. They have to contact one of the nodes (probably the publisher) in the cluster to download the agent settings and then follow the configured zones.
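The following is an added model of the server-ordering behaviour the reply describes, written for this thread; it is not ClearPass code and does not reproduce the real agent-settings download or health-check protocol. The cluster, zone assignments, and client subnet are constructed to match the lettering in the question (publishers with data IPs, subscribers with management IPs, only sub A in zone Test), with RFC 5737 documentation addresses standing in for IP A to F. The subnet 10.20.0.0/16 as the "customer subnet", the node names, and the `failover_order` parameter are assumptions for illustration.

```python
import ipaddress

# Constructed example cluster (not real data). Zone "default" is used here for
# nodes the question did not place in zone Test.
CLUSTER_NODES = [
    {"name": "pub A", "ip": "192.0.2.11",   "role": "publisher",  "zone": "default"},  # IP A (data)
    {"name": "pub B", "ip": "192.0.2.12",   "role": "publisher",  "zone": "default"},  # IP C (data)
    {"name": "sub A", "ip": "198.51.100.5", "role": "subscriber", "zone": "Test"},     # IP E (mgmt)
    {"name": "sub B", "ip": "198.51.100.6", "role": "subscriber", "zone": "default"},  # IP F (mgmt)
]

# Client subnet -> zone mapping, i.e. the "Policy Manager zones" configuration
# the reply refers to. The subnet itself is an assumed example value.
SUBNET_ZONES = {
    "10.20.0.0/16": "Test",
}


def zone_for_client(client_ip, subnet_zones=SUBNET_ZONES):
    """Longest-prefix match of the client's address against the subnet-to-zone map.

    Returns None when no configured subnet matches, in which case the agent has
    no zone preference and treats every node as a plain failover candidate.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for subnet, zone in subnet_zones.items():
        net = ipaddress.ip_network(subnet)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def health_check_order(client_ip, nodes=CLUSTER_NODES, subnet_zones=SUBNET_ZONES,
                       settings_downloaded=True, failover_order=None):
    """Order in which the modelled agent tries cluster nodes for its health check.

    - Before the agent settings have been downloaded the agent knows nothing
      about zones, so all nodes are tried in configured order (the reply's note
      about newly installed agents).
    - Afterwards, nodes in the client's zone come first; the remaining nodes form
      the failover set, optionally ranked by failover_order (a list of node
      names; unnamed nodes keep their configured order at the end).

    Every cluster node is always present in the returned list, which is why the
    agent UI still lists IPs A to F even when zones are configured.
    """
    if not settings_downloaded:
        return [n["ip"] for n in nodes]

    zone = zone_for_client(client_ip, subnet_zones)
    primary = [n for n in nodes if zone is not None and n["zone"] == zone]
    rest = [n for n in nodes if n not in primary]
    if failover_order:
        rank = {name: i for i, name in enumerate(failover_order)}
        rest.sort(key=lambda n: rank.get(n["name"], len(rank)))
    return [n["ip"] for n in primary + rest]


if __name__ == "__main__":
    # Client in the mapped customer subnet: sub A first, other nodes as failover.
    print("zoned client     :", health_check_order("10.20.3.4"))
    # Same client before settings download: no zone knowledge yet.
    print("fresh install    :", health_check_order("10.20.3.4", settings_downloaded=False))
    # Client outside any mapped subnet: no primary set, plain configured order.
    print("unmapped client  :", health_check_order("172.16.0.9"))
    # Explicit failover ranking for the non-zone nodes.
    print("custom failover  :", health_check_order("10.20.3.4", failover_order=["sub B", "pub B"]))
```

The point the model makes is the one in the reply: a zone does not remove nodes from the agent's server list, it only moves the zone's nodes to the front of the health-check order, and an agent that has not yet downloaded its settings has no such ordering at all.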