Yes, the active controller sends authentication data to CPPM. But in cluster operation both controllers are active. Due to load balancing, there are user sessions on each cluster member, so each cluster member also sends authentication data for its own users to CPPM.
Original Message:
Sent: Aug 25, 2024 12:53 PM
From: Ronin101
Subject: VRRP IP in cluster configuration
Dear Waldemar,
You mentioned "Both controllers set the cluster VRRP IP in the radius attribute." and this "Each member sets its master IP from the VRRP instance in the radius attribute. In the normal case, CoAs arrive at member one and member two."
Why would each member send anything to CPPM, unless it's the active controller for that particular user, right?
Original Message:
Sent: Aug 25, 2024 09:23 AM
From: lord
Subject: VRRP IP in cluster configuration
In the normal case, i.e. without a controller failure, CoA should arrive at the controller where the user session is currently running, and not just at one of the controllers. Let's look at the following examples.
ClearPass knows nothing about the controller failure and uses the attributes that it received during the authentication request.
Two-member cluster, only one cluster VRRP instance. Member 1 is master, member 2 is backup. Both controllers set the cluster VRRP IP in the radius attribute. CoAs always arrive at member 1 because it is the master in this VRRP instance. That is wrong.
Two-member cluster, two cluster VRRP instances. Member one is master in instance one and backup in instance two. Member two is master in instance two and backup in instance one. Each member sets its master IP from the VRRP instance in the radius attribute. In the normal case, CoAs arrive at member one and member two. If, for example, member one goes down, all APs and all user sessions are transferred to member two. It also becomes master in instance one. ClearPass sends CoAs to IPs from VRRP instance one and VRRP instance two; member two is master in both VRRP instances and responds to the CoAs. That's right.
I hope it helps you :)
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
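A small model of the two cases described above, added here as an illustration and not code from the thread or from Aruba/ClearPass. Member names, user names and the 192.0.2.x VIPs are constructed placeholders; CoA delivery is reduced to "the current VRRP master of the stored NAS-IP receives the packet".

```python
from dataclasses import dataclass, field

@dataclass
class Cluster:
    members: list
    instances: list   # each: dict(vip=..., master=..., backup=...)
    sessions: dict = field(default_factory=dict)  # user -> member hosting the session
    nas_ip: dict = field(default_factory=dict)    # user -> NAS-IP-Address ClearPass stored

    def authenticate(self, user, member):
        # A member advertises the VIP it masters; with one instance both share that VIP
        own = [i["vip"] for i in self.instances if i["master"] == member]
        self.sessions[user] = member
        self.nas_ip[user] = (own or [self.instances[0]["vip"]])[0]

    def member_down(self, down):
        # The survivor takes over the sessions and masters every instance it backed up
        survivor = next(m for m in self.members if m != down)
        self.sessions = {u: survivor if m == down else m for u, m in self.sessions.items()}
        for i in self.instances:
            if i["master"] == down:
                i["master"], i["backup"] = i["backup"], i["master"]

    def coa(self, user):
        # ClearPass sends CoA to the stored NAS-IP; that VIP's current master receives it.
        # Returns (receiving member, whether it actually holds the user's session)
        receiver = next(i["master"] for i in self.instances if i["vip"] == self.nas_ip[user])
        return receiver, receiver == self.sessions[user]

def demo_cluster(*instances):
    # Constructed scenario: alice is load-balanced to m1, bob to m2
    c = Cluster(["m1", "m2"], list(instances))
    c.authenticate("alice", "m1")
    c.authenticate("bob", "m2")
    return c

def one_instance():
    # Both members advertise 192.0.2.100, so bob's CoA lands on master m1, not m2
    c = demo_cluster(dict(vip="192.0.2.100", master="m1", backup="m2"))
    return c.coa("alice"), c.coa("bob")

def two_instances():
    c = demo_cluster(dict(vip="192.0.2.101", master="m1", backup="m2"),
                     dict(vip="192.0.2.102", master="m2", backup="m1"))
    before = (c.coa("alice"), c.coa("bob"))
    c.member_down("m1")  # m2 now hosts both sessions and masters both VIPs
    return before, (c.coa("alice"), c.coa("bob"))
```

`one_instance()` shows the CoA for bob reaching the wrong member even with no failure; `two_instances()` shows every CoA reaching the session owner both before and after member one fails.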
Original Message:
Sent: Aug 25, 2024 07:19 AM
From: Ronin101
Subject: VRRP IP in cluster configuration
Dear Waldemar,
That's exactly what is confusing me. Why 2 VRRP instances for 2 cluster members? Why not one? If the controller is sending the VIP in the NAS attribute and that controller goes down, the other controller will become primary and respond to CoA coming from ClearPass, isn't it? Then why 2 VRRP instances?
Original Message:
Sent: Aug 25, 2024 06:41 AM
From: lord
Subject: VRRP IP in cluster configuration
This ensures that the IP address to be used for CoA stays available even if the controller fails.
Due to HA and load balancing, you cannot know on which cluster member the user session is running. If this cluster member fails, another one will take over this user session seamlessly. However, the ClearPass server does not know this. If you want to send CoA from ClearPass, it will be sent to the controller IP, the controller is currently offline and CoA would not work.
This situation can be solved by the cluster VRRP IP. For example, with a two-member cluster, 2 cluster VRRP instances are set up. Each cluster member is master in one VRRP instance and backup in the other instance. With 802.1X authentication, the controller automatically puts the cluster VRRP IP into the radius attribute Radius:IETF:NAS-IP-Address.
ClearPass uses this IP for CoA. If this controller fails, the second cluster member would take over its cluster VRRP IP by becoming the master in the instance.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Aug 24, 2024 12:19 PM
From: Ronin101
Subject: VRRP IP in cluster configuration
Dear Experts,
When we configure a cluster we give a different VRRP IP to each cluster member. This is required for CoA to work as per my understanding, but I couldn't understand why. Why should each member have its own VRRP IP?