Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Question about clustering and using the data port of an individual subscriber

  • 1.  Question about clustering and using the data port of an individual subscriber

    Posted May 11, 2023 06:49 PM

    I have a small development cluster, right now 1 publisher and 1 subscriber, both C1000s, and I am trying to drop the data port of the subscriber into an isolated network segment that doesn't have access to any directory or authentication sources.  This cluster is relatively new and is running 6.11.2.  With that background I have a couple of questions:

    1) When you create a cluster like this, do the services and sources you create on the Publisher automatically get pushed out to the Subscriber along with Certs, Roles, Endpoints, etc.?  I have a situation where a simple RADIUS test client (NTRadPing) can successfully authenticate against the Publisher but not the Subscriber, the system with an active data interface.  The test client says that it doesn't even get a response from the Mgmt interface of the Subscriber.

    2) When you use the data port of a subscriber, does the functionality of that system's Mgmt port change?  Meaning, can the Mgmt interface and the data interface both answer RADIUS requests on a subscriber where both interfaces are active?

    Thanks for any help on this -

    Mike 



  • 2.  RE: Question about clustering and using the data port of an individual subscriber

    MVP GURU
    Posted May 11, 2023 07:43 PM

    Have you read through this? Should have your answers: https://www.arubanetworks.com/techdocs/ClearPass/6.9/PolicyManager/Content/CPPM_UserGuide/Admin/datamanagementport.htm



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: Question about clustering and using the data port of an individual subscriber

    Posted May 12, 2023 03:09 PM

    Dustin:

    Thanks - that page is helpful.  The point on that page that gives me concern is: "If the destination network is not in either management or data subnets, ClearPass uses the data interface by default."  In my case the data port is in an isolated network with very limited services.  I need to get that system to only use the data port for RADIUS services.  I need it to use the Management port to do all other things such as NTP, DNS, authentication/authorization services (AD, ASC LDAP, etc.).  Is it possible to alter the default on that system so that it only uses the data port to directly handle RADIUS requests?

    Thanks!

    Mike




  • 4.  RE: Question about clustering and using the data port of an individual subscriber

    MVP GURU
    Posted May 11, 2023 07:46 PM

    1) When you create a cluster like this, do the services and sources you create on the Publisher automatically get pushed out to the Subscriber along with Certs, Roles, Endpoints, etc.?  I have a situation where a simple RADIUS test client (NTRadPing) can successfully authenticate against the Publisher but not the Subscriber, the system with an active data interface.  The test client says that it doesn't even get a response from the Mgmt interface of the Subscriber.

    The publisher will push the policy configurations down to the subscriber. You need to install the certificate on the subscriber, either from the Publisher when added, or standalone. If you're using Active Directory for an auth source, you need to join both nodes to the domain separately.



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 5.  RE: Question about clustering and using the data port of an individual subscriber

    Posted May 12, 2023 03:16 PM

    Dustin:

    Thanks again!

    Thanks!

    I am still left with the issue that I can't successfully send a RADIUS request to the Mgmt port of the Subscriber, a box with the data port active, but can to the Publisher, a system without an active data port.  The connection attempt doesn't even show up in the Access Tracker.  Please note the Mgmt ports of both systems are on the same subnet.

    Thanks again -


    Mike




  • 6.  RE: Question about clustering and using the data port of an individual subscriber

    MVP GURU
    Posted May 15, 2023 09:39 AM

    Have you tried configuring static routes for those to use mgmt?

    Try this:

    network ip add mgmt -d <DestinationIP Address/Subnet Mask> -g <Gateway IP address>



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 7.  RE: Question about clustering and using the data port of an individual subscriber

    Posted May 15, 2023 10:39 AM

    If the RADIUS request is sent to the MGMT interface it will go back out that interface. Nothing in Event Viewer for that Subscriber? Does it work when you disable the Data interface?
    Post some screenshots :)



    ------------------------------
    ACNSP | ACCP | ACMP | ACEP
    ------------------------------



  • 8.  RE: Question about clustering and using the data port of an individual subscriber

    Posted May 15, 2023 06:39 PM

    Dustin, bd_87:

    Thanks - Since my initial post I have done some experiments, and if I delete the configuration for the data interface on the Subscriber I can successfully test the Mgmt interface on both the Publisher and Subscriber.  It just works.  However, once I configure the data interface on the Subscriber I can't successfully run that test anymore on the Subscriber.  So, I'm inclined to give Dustin's idea of hardcoding a path a try.  My only question is: does that setting persist after a reboot?

    Thanks again to both of you -

    Mike




  • 9.  RE: Question about clustering and using the data port of an individual subscriber

    Posted May 15, 2023 07:01 PM

    Dustin:

    You were right!  It looks like once you activate the data interface you have to create routing rules to make magic happen.

    Following Dustin's suggestion, I added a route to the Subscriber's mgmt interface and it works -

    Thanks!

    Mike
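As a worked illustration of the egress rule quoted from the ClearPass docs in reply 3 and the static-route fix from reply 6 (an added example, not from any poster or from HPE Aruba): given a dual-homed node's mgmt and data subnets plus a list of services and the interface each must use, the script works out which destinations would fall back to the data interface by default and emits the `network ip add mgmt -d ... -g ...` commands needed to pin them to mgmt. All addresses are constructed, and it is assumed that `-d` accepts CIDR notation; check the argument format against the CLI reference for the running ClearPass version before applying.

```python
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List, Tuple

# Constructed sample node addressing (not from the thread).
MGMT_CIDR = "10.10.1.5/24"
MGMT_GATEWAY = "10.10.1.1"
DATA_CIDR = "192.168.50.5/24"

# Constructed service map: name -> (destination, interface it must use).
# RADIUS clients live in the isolated segment behind the data port; every
# supporting service (directory, DNS, NTP) must be reached via mgmt.
SERVICES: Dict[str, Tuple[str, str]] = {
    "AD domain controller":    ("10.20.0.10", "mgmt"),
    "LDAP auth source subnet": ("10.20.0.0/24", "mgmt"),
    "DNS":                     ("10.30.0.53", "mgmt"),
    "NTP (on the mgmt LAN)":   ("10.10.1.123", "mgmt"),
    "NAS in isolated segment": ("192.168.50.20", "data"),
}

def default_egress(dest: str, mgmt_cidr: str, data_cidr: str) -> str:
    """Interface the node uses for dest with no static route configured.

    Rule quoted in the thread: a destination inside the mgmt or data subnet
    uses that interface; anything else goes out the data interface.
    """
    net = ip_network(dest, strict=False)
    if net.subnet_of(ip_interface(mgmt_cidr).network):
        return "mgmt"
    if net.subnet_of(ip_interface(data_cidr).network):
        return "data"
    return "data"  # documented default for off-subnet destinations

def plan_mgmt_routes(services: Dict[str, Tuple[str, str]], mgmt_cidr: str,
                     data_cidr: str, mgmt_gateway: str) -> Tuple[List[str], List[str]]:
    """Return (CLI commands pinning mgmt-bound services to mgmt, conflicts a route cannot fix)."""
    if ip_address(mgmt_gateway) not in ip_interface(mgmt_cidr).network:
        raise ValueError("mgmt gateway must sit inside the mgmt subnet")
    commands, conflicts = [], []
    for name, (dest, wanted) in services.items():
        if default_egress(dest, mgmt_cidr, data_cidr) == wanted:
            continue  # default behaviour already matches; no route needed
        if wanted == "mgmt":
            net = ip_network(dest, strict=False)  # hosts become /32
            commands.append(f"network ip add mgmt -d {net.with_prefixlen} -g {mgmt_gateway}")
        else:
            # A destination on the mgmt subnet is directly connected; a static
            # route will not move it to the data interface, so report it.
            conflicts.append(f"{name}: {dest} is on the mgmt subnet but must use data")
    return commands, conflicts

if __name__ == "__main__":
    cmds, issues = plan_mgmt_routes(SERVICES, MGMT_CIDR, DATA_CIDR, MGMT_GATEWAY)
    print("\n".join(cmds + issues))
```

Run it once per subscriber that has the data port enabled; the commands are what the thread's fix boils down to, and the conflict list catches an address plan that no route can satisfy.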