Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VRRP IP in cluster configuration

  • 1.  VRRP IP in cluster configuration

    Posted Aug 24, 2024 12:19 PM

    Dear Experts, 

    When we configure a cluster, we give a different VRRP IP to each cluster member. As per my understanding this is required for CoA to work, but I couldn't understand why. Why should each member have its own VRRP IP?



  • 2.  RE: VRRP IP in cluster configuration

    Posted Aug 25, 2024 06:41 AM

    This ensures that the IP address to be used for CoA stays available even if the controller fails.

    Due to HA and load balancing, you cannot know on which cluster member the user session is running. If this cluster member fails, another one will take over this user session seamlessly. However, the ClearPass server does not know this. If you want to send CoA from ClearPass, it will be sent to the controller IP; if that controller is currently offline, the CoA would not work.

    This situation can be solved by the cluster VRRP IP. For example, with a two-member cluster, two cluster VRRP instances are set up. Each cluster member is master in one VRRP instance and backup in the other instance. With 802.1X authentication, the controller automatically puts the cluster VRRP IP into the RADIUS attribute Radius:IETF:NAS-IP-Address.

    ClearPass uses this IP for CoA. If this controller fails, the second cluster member would take over its cluster VRRP IP by becoming the master in the instance.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: VRRP IP in cluster configuration

    Posted Aug 25, 2024 07:19 AM

    Dear Waldemar,

    That's exactly what is confusing me. Why two VRRP instances for two cluster members? Why not one? If the controller is sending the VIP in the NAS attribute and that controller goes down, the other controller will become primary and respond to the CoA coming from ClearPass, isn't it? Then why two VRRP instances?




  • 4.  RE: VRRP IP in cluster configuration

    Posted Aug 25, 2024 07:24 AM

    Please correct me if I am wrong; I think I get it but need your confirmation.

    In a cluster configuration any of the controllers can be primary for any AP, right? (please confirm)

    So if we keep one VRRP instance, it may make controller 1 primary, but let's say for client 2, which is connected to AP2, controller 2 is primary and is sending the request to CPPM.

    Am i right?




  • 5.  RE: VRRP IP in cluster configuration

    Posted Aug 25, 2024 09:42 AM

    "In a cluster configuration any of the controllers can be primary for any AP, right? (please confirm)"

    Yes, it is correct.

    In the cluster setup, each AP always sets up two management tunnels, one primary and one secondary. In the show ap database output, the columns are called "Switch IP" and "Standby IP".

    "So if we keep one VRRP instance, it may make controller 1 primary, but let's say for client 2, which is connected to AP2, controller 2 is primary and is sending the request to CPPM."

    This is not quite correct.

    Cluster VRRP has no real relationship with the distribution of roles in the cluster. If you do not configure cluster VRRP, all AP and user sessions are still distributed across the two controllers. This happens through load balancing.

    The cluster VRRP IP is only required for the special use case where you firstly want to send CoA from ClearPass and secondly want to handle the outage of a controller. This use case is required if, for example, a guest user account has expired and ClearPass sends a CoA, or if you want to manually disconnect the user so that he has to re-authenticate.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    ------------------------------



  • 6.  RE: VRRP IP in cluster configuration

    Posted Aug 25, 2024 09:23 AM

    In the normal case, i.e. without a controller failure, CoA should arrive at the controller where the user session is currently running, and not just at one of the controllers. Let's look at the following examples.

    ClearPass knows nothing about the controller failure and uses the attributes that it received during the authentication request.

    Two-member cluster, only one cluster VRRP instance. Member 1 is master, member 2 is backup. Both controllers set the cluster VRRP IP in the RADIUS attribute. CoAs always arrive at member 1 because it is the master in this VRRP instance. That is wrong.

    Two-member cluster, two cluster VRRP instances. Member one is master in instance one and backup in instance two. Member two is master in instance two and backup in instance one. Each member sets its master IP from its VRRP instance in the RADIUS attribute. In the normal case, CoAs arrive at member one and member two. If, for example, member one goes down, all APs and all user sessions are transferred to member two. It also becomes master in instance one. ClearPass sends CoAs to the IPs from VRRP instance one and VRRP instance two; member two is master in both VRRP instances and responds to the CoAs. That's right.

    I hope it helps you :)



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    ------------------------------
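The three cases from the post above (no cluster VRRP, one instance, two instances) as a small Python model. This is an added illustration, not ArubaOS or ClearPass code and not something from the original thread: it only encodes the rules Waldemar describes (a member writes the VIP of the instance it is master in into NAS-IP-Address, a CoA is answered by whichever member is currently master of the destination VIP, and on a failure the survivor takes over the sessions and the failed member's VRRP instance). Member names, the 10.0.0.x addresses and the two users are constructed; the rule that a backup member in a single-instance setup advertises that one VIP, and that a member with no cluster VRRP advertises its own IP, is an assumption made for the model.

```python
"""Model of RADIUS CoA delivery to a two-member controller cluster with
0, 1 or 2 cluster-VRRP instances. Constructed example, not ArubaOS code."""
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    ip: str            # physical controller IP (assumed address)
    alive: bool = True


@dataclass
class VrrpInstance:
    vip: str           # cluster VRRP IP of this instance (assumed address)
    priority: list     # member names, highest VRRP priority first


@dataclass
class Cluster:
    members: dict
    instances: list
    sessions: dict = field(default_factory=dict)   # user -> member hosting it

    def master_of(self, inst):
        """Current VRRP master: highest-priority member that is still up."""
        for name in inst.priority:
            if self.members[name].alive:
                return name
        return None

    def nas_ip_address(self, name):
        """Value the member writes into Radius:IETF:NAS-IP-Address.
        Assumed rule: VIP of the instance it is configured master in; with a
        single instance both members advertise that VIP; with no cluster VRRP
        the member's own IP."""
        if not self.instances:
            return self.members[name].ip
        for inst in self.instances:
            if inst.priority[0] == name:
                return inst.vip
        return self.instances[0].vip

    def authenticate(self, user, name):
        """Load balancing placed `user` on member `name`; return the
        NAS-IP-Address ClearPass records for later CoA."""
        self.sessions[user] = name
        return self.nas_ip_address(name)

    def fail(self, name):
        """Member goes down: sessions move to a survivor, masters re-elect."""
        self.members[name].alive = False
        survivor = next(m.name for m in self.members.values() if m.alive)
        for user, host in list(self.sessions.items()):
            if host == name:
                self.sessions[user] = survivor

    def coa_receiver(self, dst_ip):
        """Member that answers a CoA sent to dst_ip, or None if nobody does."""
        for inst in self.instances:
            if inst.vip == dst_ip:
                return self.master_of(inst)
        for m in self.members.values():
            if m.ip == dst_ip:
                return m.name if m.alive else None
        return None


def coa_hits_session(cluster, records, user):
    """True if the NAS-IP ClearPass recorded lands on the member that
    actually hosts the user's session (the only place the CoA is useful)."""
    receiver = cluster.coa_receiver(records[user])
    return receiver is not None and receiver == cluster.sessions[user]


def run_scenario(num_instances):
    """Two members, one user on each, then mc1 fails.
    Returns ({user: coa_ok} before the failure, {user: coa_ok} after it)."""
    members = {"mc1": Member("mc1", "10.0.0.11"), "mc2": Member("mc2", "10.0.0.12")}
    instances = [VrrpInstance("10.0.0.21", ["mc1", "mc2"]),
                 VrrpInstance("10.0.0.22", ["mc2", "mc1"])][:num_instances]
    c = Cluster(members, instances)
    records = {"alice": c.authenticate("alice", "mc1"),
               "bob": c.authenticate("bob", "mc2")}
    before = {u: coa_hits_session(c, records, u) for u in records}
    c.fail("mc1")
    after = {u: coa_hits_session(c, records, u) for u in records}
    return before, after


if __name__ == "__main__":
    for n in (0, 1, 2):
        print(f"{n} cluster-VRRP instance(s), before/after mc1 failure:", run_scenario(n))
```

With no cluster VRRP the CoA for alice is lost after mc1 fails (her recorded NAS-IP is a dead controller). With one instance, bob's CoA is misdirected even before any failure, because mc2 advertises a VIP that mc1 owns. Only with one instance per member does every CoA reach the session owner both before and after the failure, which is the point of the two-instance design.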



  • 7.  RE: VRRP IP in cluster configuration

    Posted Aug 25, 2024 12:53 PM

    Dear Waldemar, 

    You mentioned "Both controllers set the cluster VRRP IP in the RADIUS attribute." and "Each member sets its master IP from its VRRP instance in the RADIUS attribute. In the normal case, CoAs arrive at member one and member two."

    Why would each member send anything to CPPM, unless it's the active controller for that particular user, right?




  • 8.  RE: VRRP IP in cluster configuration

    Posted Aug 26, 2024 02:07 AM

    Yes, the active controller sends authentication data to CPPM. But in cluster operation both controllers are active. Due to load balancing, there are user sessions on each cluster member, so each cluster member also sends authentication data for its own users to CPPM.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    ------------------------------