Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Cluster and Certificates

  • 1.  CPPM Cluster and Certificates

    Posted Feb 07, 2014 05:36 PM

    In a CPPM cluster configuration, we have two nodes, one publisher and one subscriber, and a VIP is configured.

     

    Do I need to install two separate server certificates for each of the nodes? I have seen that the certificate which was installed in the first node before making it a cluster has replicated to the subscriber. But does this work in the event of a subscriber failure, as the FQDN of the subscriber is different: cppm1.abc.com and cppm2.abc.com?

     

    What are the considerations in a cluster environment with a VIP configured regarding certificates, CoA, Onboard etc.?

     

    I have seen a document for OnGuard in the cluster environment; do you have any other docs/pointers?



  • 2.  RE: CPPM Cluster and Certificates

    EMPLOYEE


  • 3.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Feb 07, 2014 05:42 PM

    Typically you would want to use a SAN cert for clusters. 

     

    CN=VIP

     

    SAN=VIP,CPPM1,CPPM2

     

    Your local SE should be able to give you a document on certs.



  • 4.  RE: CPPM Cluster and Certificates

    Posted Nov 17, 2014 08:58 AM

    Hi all,

     

    We are planning to do clustering in an L3 environment.

    Can I use the same server certificate for both ClearPasses, so that if the subscriber fails the publisher can authenticate onboarded devices, instead of going for a SAN?

    If the publisher goes down, the subscriber can be promoted to active publisher and it can authenticate traffic which comes to the publisher.

     

    I have a doubt when I went through the tech note. They are suggesting not to go with a Virtual IP in an L3 environment. How to do clustering over L3???

     

    And if we onboard at the subscriber location, do devices get registered in the publisher and then replicated to the subscriber, or get registered in the subscriber and replicated to the publisher? I am a bit confused.



  • 5.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Nov 17, 2014 09:00 AM
    Yes, you can use the same cert but it should be a SAN. I do this in most deployments.


  • 6.  RE: CPPM Cluster and Certificates

    Posted Nov 17, 2014 09:10 AM

    I already have 200 devices onboarded in the main location and we have deployed a new setup in the remote location.

    I have configured only the CN. To configure it again I have to create a signing request with a SAN.

    I have to re-onboard all the devices, right, for failover to work???

     

     



  • 7.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Nov 17, 2014 09:31 AM

    No. The RADIUS server certificate does not impact your Onboarding.

     

    Yes, everything is replicated to the subscriber but only the publisher has write access to the database.



  • 8.  RE: CPPM Cluster and Certificates

    Posted Nov 17, 2014 10:04 AM

    But you said it should be a SAN. Generally CPPM looks for the CN, right, if a SAN is not given.

     

    No... but on the publisher which has 200 devices, can't I go with just the CN and import the publisher certificate into the subscriber?

     

    My CPPM hostname is different and the CN is different, and TAC has said that it won't work with the CN having a different name which is not the hostname, as it won't resolve in DNS.

    How is the CN related to DNS?? I'm fully confused.



  • 9.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Nov 17, 2014 10:10 AM

    What is the host name and what is the CN?



  • 10.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Nov 17, 2014 10:23 AM
    Yes, the CN needs to be the FQDN in a non-SAN certificate.


  • 11.  RE: CPPM Cluster and Certificates

    Posted Nov 17, 2014 10:13 AM

    I gave the hostname xxx-CPPM-02

     

    The CN has CPPM-6.0.1

     

    Generally the CN is the FQDN.



  • 12.  RE: CPPM Cluster and Certificates

    Posted Nov 17, 2014 10:40 AM

    Is it that important for the CN to be the FQDN? I didn't give any FQDN... I'm redirecting based on IP for onboarding from the controller. I don't see any issues, as I'm doing HTTP (ok, not secure) for onboarding and the Onboard CA to issue certs.

     

    Maybe if I redirect to HTTPS for guest portals, it throws an error as an untrusted connection.

     

    Apart from that... if at all I use a virtual IP, then also if I use the same server certificate I think there will be no issue. The issue arises only if I onboard over HTTPS and use guest portals from ClearPass to authenticate guest users.

     

    If I am wrong, please correct me.



  • 13.  RE: CPPM Cluster and Certificates

    Posted Nov 17, 2014 11:55 AM

    Please make your CN = FQDN.... because when your users enter a URL in their browser this is what is checked against the server certificate presented from CPPM... they need to match, else you will get a browser error. Above everything else it's also BEST practice.

     

    Some of your other questions.... clustering is TOTALLY independent from VIP... you can cluster CPPM nodes from anywhere as long as you have connectivity and the required firewall ports are open.

     

    VIP is an L2 function ONLY; this is not a CPPM restriction, it is a generic networking restriction for HSRP/VRRP/NSRP etc., as L2 multicast is used for the heartbeat.

     

    PUB and Standby-PUB is a different thing again, as I think you are maybe confusing this in your understanding..... this used to be ONLY an L2 feature but we relaxed this in CPPM 6.3 and standby is supported over L2 or L3 adjacency.

     



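    The two certificate shapes this thread contrasts, a CN-only certificate issued to one node versus the SAN certificate recommended earlier (CN=VIP, SAN=VIP,CPPM1,CPPM2), can be checked against the hostname match a browser performs on a captive portal or Onboard URL. The script below is an added example, not code from any poster or from HPE Aruba: it generates throwaway self-signed certificates with openssl (1.1.1 or newer, for the `-addext` option) and uses `openssl x509 -checkhost` to show which cluster names each certificate is valid for. The names vip.abc.com, cppm1.abc.com and cppm2.abc.com are the placeholder names used in the thread, not a real deployment.

```shell
#!/bin/sh
# Added example (not from the thread or from HPE Aruba): build the two
# certificate shapes discussed above and check which cluster hostnames each
# one satisfies. vip/cppm1/cppm2.abc.com are the thread's placeholder names.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# CN-only certificate, like the one installed on the first node before
# clustering: CN=cppm1.abc.com and no subjectAltName. Prints the cert path.
make_cn_only_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/cn.key" -out "$WORK/cn.crt" \
    -subj "/CN=cppm1.abc.com" >/dev/null 2>&1
  echo "$WORK/cn.crt"
}

# SAN certificate as recommended in the thread: CN=VIP, SAN=VIP,CPPM1,CPPM2.
# Prints the cert path.
make_san_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/san.key" -out "$WORK/san.crt" \
    -subj "/CN=vip.abc.com" \
    -addext "subjectAltName=DNS:vip.abc.com,DNS:cppm1.abc.com,DNS:cppm2.abc.com" \
    >/dev/null 2>&1
  echo "$WORK/san.crt"
}

# Returns 0 when the certificate is valid for the hostname, 1 otherwise.
# OpenSSL's X509_check_host uses the SAN DNS entries when present and falls
# back to the subject CN only when the certificate has no SAN, which is the
# same rule a browser applies to the hostname in the URL the user typed.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q "does match"
}

# Demonstration: list which names each certificate serves.
CN_CRT="$(make_cn_only_cert)"
SAN_CRT="$(make_san_cert)"
for host in vip.abc.com cppm1.abc.com cppm2.abc.com; do
  for crt in "$CN_CRT" "$SAN_CRT"; do
    if cert_matches_host "$crt" "$host"; then result=ok; else result=MISMATCH; fi
    printf '%-8s %-14s %s\n' "$(basename "$crt")" "$host" "$result"
  done
done
```

    Run it as a plain shell script. The CN-only certificate matches only cppm1.abc.com, while the SAN certificate matches all three names, which is why a browser redirected to the VIP, or to the surviving node after a failover, gets no certificate warning with the SAN certificate. This hostname check is the HTTPS path (captive portal, Onboard); it is a different validation path from the EAP server certificate, where, as the thread notes, the FQDN is irrelevant because the supplicant validates the certificate's trust chain rather than matching it against a URL.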
  • 14.  RE: CPPM Cluster and Certificates

    Posted Nov 18, 2014 01:02 AM

    @dannyjump: thank you.

    I went through the tech note on certificates.

     

    In the Publisher/Subscriber model... I understood that the subscriber can only authenticate the users hitting the service which we configured and pushed from the publisher.

     

    If I am trying to onboard a new iOS: as the subscriber has read-only access to the databases, am I onboarding it in the publisher's Onboard repository and replicating to all subscribers????

     

    In the case of Publisher A with controller A and subscriber B with controller B: where should I redirect for onboarding from controller B, to the subscriber or the publisher? I will redirect RADIUS requests to the subscriber. But in case the subscriber goes down... should I manually change the redirection to the publisher to authenticate?

     



  • 15.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Nov 18, 2014 01:57 AM

    You can point to either one, but all users are created in the publisher. It all comes down to latency and whether it makes sense to send all users to the pub or the sub, or to split the users.



  • 16.  RE: CPPM Cluster and Certificates

    Posted Nov 18, 2014 02:23 AM

    Just to add to Troy's post.... if you Onboard on a SUBSCRIBER, we (CPPM) handle behind the scenes the creation of the account on the PUBLISHER and the replication from the PUBLISHER out to the SUBSCRIBER in your cluster..... this piece is all transparent to you and/or the user onboarding.



  • 17.  RE: CPPM Cluster and Certificates

    Posted Nov 18, 2014 02:27 AM

    Onboarding should be directed to the subscriber, but the subscriber has only read-only access to the databases, right??? Then how can it register the device??

    Anyhow, authentication is directed to the subscriber as primary and the publisher as secondary in the AAA of the controller.

     



  • 18.  RE: CPPM Cluster and Certificates

    Posted Nov 18, 2014 03:53 AM

    I repeat my previous post......

     

    If you Onboard on a SUBSCRIBER, we (CPPM) handle behind the scenes the creation of the account on the PUBLISHER and the replication from the PUBLISHER out to the SUBSCRIBER in your cluster..... this piece is all transparent to you and/or the user onboarding.



  • 19.  RE: CPPM Cluster and Certificates

    Posted Nov 18, 2014 04:32 AM

    @dannyjump: thank you Danny... I got it...

     

    If I redirect from the controller to the subscriber to onboard and the subscriber is down, should I have to change the login page URL manually in the controller captive portal to onboard? And even for the guest captive portal???



  • 20.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Nov 18, 2014 09:54 AM
    Yes, you will have to manually change the URL redirect in the controller, or you can create a VIP if you have L3 between the pub and sub and have the sub as the primary, and it will auto fall to the pub if the sub fails.


  • 21.  RE: CPPM Cluster and Certificates

    Posted Nov 18, 2014 01:09 PM

    Note:--

     

    You cannot create a VIP over an L3 network between two CPPM nodes unless you employ some sort of L2 tunneling protocol such as GRE/VPLS.... this does and can work but it's NOT the optimum solution.



  • 22.  RE: CPPM Cluster and Certificates

    Posted Nov 19, 2014 12:15 AM

    @dannyjump wrote:

    Note:--

     

    You cannot create a VIP over an L3 network between two CPPM nodes unless you employ some sort of L2 tunneling protocol such as GRE/VPLS.... this does and can work but it's NOT the optimum solution.


     

    How about OCSP checks in the authentication method EAP-TLS?

    Will the subscriber allow configuring the authentication method EAP-TLS to include http://Subscriber/guest/mdps_ocsp.php/1 to do OCSP checks for client authentication?



  • 23.  RE: CPPM Cluster and Certificates

    Posted Nov 19, 2014 02:20 AM

    Please read the CPPM Clustering Technote... I cover OCSP in this doc.



  • 24.  RE: CPPM Cluster and Certificates

    Posted Jun 07, 2016 12:26 AM

    @dannyjump wrote:

    Note:--

     

    You cannot create a VIP over an L3 network between two CPPM nodes unless you employ some sort of L2 tunneling protocol such as GRE/VPLS.... this does and can work but it's NOT the optimum solution.


    It'd be nice if this was documented somewhere....apart from communities.. but in a KB or official docs..



  • 25.  RE: CPPM Cluster and Certificates

    Posted Feb 20, 2017 12:11 PM

    Hi - I'm bringing up my first cluster, and the question I have is how to handle iOS devices that have the cert pushed to them via JAMF. They currently have a JAMF config that pushed a self-signed cert from the existing ClearPass. But now that I am bringing a 2nd ClearPass online, how can they use the existing cert in the event that the primary ClearPass goes offline?

    I don't know if JAMF can push (2) certs for the same SSID to iPads. I doubt it?

    Thx



  • 26.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Feb 20, 2017 12:21 PM
    Use the same EAP server cert on all servers in the cluster.



  • 28.  RE: CPPM Cluster and Certificates

    Posted Feb 20, 2017 12:28 PM

    So I should export from the publisher and import on the subscriber?

    But will that work, since the existing one on the publisher is self-signed and will have a different FQDN than the subscriber?

    BTW, I inherited this, so it was not my decision to use self signed :-)



  • 29.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Feb 20, 2017 12:33 PM
    The FQDN is irrelevant for the EAP server certificate.



    You may want to reach out to your Aruba ClearPass partner to discuss options
    for the EAP server certificate going forward as it varies by environment.


  • 30.  RE: CPPM Cluster and Certificates

    Posted Feb 20, 2017 12:57 PM

    OK, I'll give it a go. And in this case I am the partner, so I appreciate the help !





  • 32.  RE: CPPM Cluster and Certificates

    EMPLOYEE
    Posted Nov 17, 2014 10:16 AM

    @srikanthsoogoor wrote:

    But you said it should be a SAN. Generally CPPM looks for the CN, right, if a SAN is not given.

     

    No... but on the publisher which has 200 devices, can't I go with just the CN and import the publisher certificate into the subscriber?

     

    My CPPM hostname is different and the CN is different, and TAC has said that it won't work with the CN having a different name which is not the hostname, as it won't resolve in DNS.

    How is the CN related to DNS?? I'm fully confused.


    srikanthsoogoor,

     

    Please feel free to download the ClearPass Certificates Technote written by our own Danny Jump here: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13734