I have a small development cluster, right now 1 publisher and 1 subscriber, both C1000's, and I am trying to drop the data port of the subscriber into an isolated network segment that doesn't have access to any directory or authentication sources. This cluster is relatively new and is running 6.11.2. With that background I have a couple of questions:

1) When you create a cluster like this, do the services and sources you create on the Publisher automatically get pushed out to the Subscriber along with Certs, Roles, Endpoints, etc.? I have a situation where a simple RADIUS test client (NTRadPing) can successfully authenticate against the Publisher but not the Subscriber, the system with an active data interface. The test client says that it doesn't even get a response from the Mgmt interface of the Subscriber.

2) When you use the data port of a subscriber, does the functionality of that system's Mgmt port change? Meaning, can the Mgmt interface and the data interface both answer RADIUS requests on a subscriber where both interfaces are active?

Thanks for any help on this -
Mike
Have you read through this? Should have your answers: https://www.arubanetworks.com/techdocs/ClearPass/6.9/PolicyManager/Content/CPPM_UserGuide/Admin/datamanagementport.htm
Dustin:

Thanks - that page is helpful. The point on that page that gives me concern is: "If the destination network is not in either management or data subnets, ClearPass uses the data interface by default." In my case the data port is in an isolated network with very limited services. I need to get that system to only use the data port for RADIUS services. I need it to use the Management port to do all other things such as NTP, DNS, authentication/authorization services (AD, ASC LDAP, etc.). Is it possible to alter the default on that system so that it only uses the data port to directly handle RADIUS requests?

Thanks!
Mike
1) When you create a cluster like this, do the services and sources you create on the Publisher automatically get pushed out to the Subscriber along with Certs, Roles, Endpoints, etc.? I have a situation where a simple RADIUS test client (NTRadPing) can successfully authenticate against the Publisher but not the Subscriber, the system with an active data interface. The test client says that it doesn't even get a response from the Mgmt interface of the Subscriber.

The publisher will push the policy configurations down to the subscriber. You need to install the certificate on the subscriber, either from the Publisher when added, or standalone. If you're using Active Directory for an auth source, you need to join both nodes to the domain separately.
Dustin:

Thanks again! I am still left with the issue that I can't successfully send a RADIUS request to the Mgmt port of the Subscriber, a box with the data port active, but can to the Publisher, a system without an active data port. The connection attempt doesn't even show up in the Access Tracker. Please note the Mgmt ports of both systems are on the same subnet.

Thanks again -
Mike
Have you tried configuring static routes for those to use mgmt?
Try this:

network ip add mgmt -d <DestinationIP Address/Subnet Mask> -g <Gateway IP address>
If the RADIUS request is sent to the MGMT interface it will go back out that interface. Nothing in Event Viewer for that Subscriber? Does it work when you disable the Data interface?

Post some screenshots :)
Dustin, bd_87:

Thanks - Since my initial post I have done some experiments, and if I delete the configuration for the data interface on the Subscriber I can successfully test the Mgmt interface on both the Publisher and Subscriber. It just works. However, once I configure the data interface on the Subscriber I can't successfully run that test anymore on the Subscriber. So, I'm inclined to give Dustin's idea of hardcoding a path a try. My only question is: does that setting persist after a reboot?

Thanks again to both of you -
Mike
Dustin:

You were right! It looks like once you activate the data interface you have to create routing rules to make magic happen.

Following Dustin's suggestion, I added a route to the Subscriber's mgmt interface and it works -

Thanks!
Mike
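The behaviour the thread converges on (replies work with no data port, stop working once the data port is active, and work again after a static route via mgmt) follows from the documented default quoted earlier: a destination in neither directly connected subnet is sent out the data interface. The following Python model is an added illustration written for this page, not ClearPass code or anything posted in the thread. It encodes that selection rule plus longest-prefix static routes, and replays the three states with constructed addresses (10.10.1.0/24 for mgmt, 192.168.50.0/24 for data, a test client at 10.20.5.25, all made up). The rendering of `<DestinationIP Address/Subnet Mask>` as a dotted netmask in the generated CLI line is an assumption to check against the ClearPass CLI reference.

```python
"""Model of ClearPass egress-interface selection with mgmt and data ports.

Constructed illustration, not ClearPass code. It encodes the rule quoted in
the thread ("if the destination network is not in either management or data
subnets, ClearPass uses the data interface by default") plus the static
routes that 'network ip add mgmt -d ... -g ...' adds.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class StaticRoute:
    destination: IPv4Network
    gateway: IPv4Address
    interface: str  # "mgmt" or "data"


@dataclass
class ClearPassNode:
    mgmt_subnet: IPv4Network
    data_subnet: Optional[IPv4Network] = None  # None: data port not configured
    static_routes: List[StaticRoute] = field(default_factory=list)

    def egress_interface(self, dst: str) -> str:
        """Return the interface a packet (e.g. a RADIUS reply) to `dst` leaves on."""
        ip = ip_address(dst)
        # Directly connected subnets are matched first.
        if ip in self.mgmt_subnet:
            return "mgmt"
        if self.data_subnet is not None and ip in self.data_subnet:
            return "data"
        # Then static routes, most specific prefix first.
        matches = [r for r in self.static_routes if ip in r.destination]
        if matches:
            return max(matches, key=lambda r: r.destination.prefixlen).interface
        # Default: the data port once it is active, otherwise mgmt.
        return "data" if self.data_subnet is not None else "mgmt"

    def add_mgmt_route(self, destination: str, gateway: str) -> str:
        """Add a static route via mgmt and return the CLI line in the thread's syntax.

        Assumption: the '<DestinationIP Address/Subnet Mask>' placeholder is
        rendered as a dotted netmask; verify against the CLI reference.
        """
        net = ip_network(destination, strict=False)
        self.static_routes.append(StaticRoute(net, ip_address(gateway), "mgmt"))
        return f"network ip add mgmt -d {net.network_address}/{net.netmask} -g {gateway}"


def radius_reply_reaches_client(node: ClearPassNode, client: str,
                                data_network_isolated: bool = True) -> bool:
    """A reply only reaches the client if its egress interface can route there.

    In the thread the data segment is isolated, so a reply sent out 'data'
    towards an off-subnet client is lost and the test client sees no answer.
    """
    if node.egress_interface(client) == "mgmt":
        return True
    return not data_network_isolated


def walkthrough() -> dict:
    """Replay the three states from the thread with constructed addresses."""
    client = "10.20.5.25"  # constructed: NTRadPing host outside both subnets
    node = ClearPassNode(mgmt_subnet=ip_network("10.10.1.0/24"))
    before = radius_reply_reaches_client(node, client)      # data port absent
    node.data_subnet = ip_network("192.168.50.0/24")         # data port enabled
    during = radius_reply_reaches_client(node, client)      # reply leaves via data
    cmd = node.add_mgmt_route("10.20.5.0/24", "10.10.1.1")  # constructed gateway
    after = radius_reply_reaches_client(node, client)       # reply leaves via mgmt
    return {"no_data_port": before, "data_port_enabled": during,
            "with_static_route": after, "command": cmd, "node": node}


if __name__ == "__main__":
    for key, value in walkthrough().items():
        if key != "node":
            print(f"{key}: {value}")
```

The model also shows why the route must cover the RADIUS client's subnet rather than the Subscriber's own mgmt subnet: traffic to addresses already inside `mgmt_subnet` is matched as directly connected and never hits the default, so only off-subnet clients are affected by the data-port default.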
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.