Contributor I

CPPM Cluster and Certificates

In a CPPM cluster configuration, we have two nodes, one publisher and one subscriber, and a VIP is configured.

Do I need to install two separate server certificates, one for each of the nodes? I have seen that the certificate which was installed on the first node before making it a cluster has replicated to the subscriber. But does this work in the event of a subscriber failure, as the FQDN of the subscriber is different: cppm1.abc.com and cppm2.abc.com?

What are the considerations in a cluster environment with a VIP configured regarding certificates, CoA, Onboard, etc.?

I have seen a document for OnGuard in the cluster environment; do you have any other docs/pointers?

Guru Elite

Re: CPPM Cluster and Certificates

Re: CPPM Cluster and Certificates

Typically you would want to use a SAN cert for clusters. 

 

CN=VIP

 

SAN=VIP,CPPM1,CPPM2

 

Your local SE should be able to give you a document on certs.

Thank You,
Troy

Contributor II

Re: CPPM Cluster and Certificates

Hi all,

We are planning to do clustering in an L3 environment.

Can I use the same server certificate for both ClearPasses, so that if the subscriber fails the publisher can authenticate onboarded devices, instead of going for SAN?

If the publisher goes down, the subscriber can be promoted to active publisher and it can authenticate traffic which comes to the publisher.

I have a doubt from when I went through the tech note. They are suggesting not to go with Virtual IP in an L3 environment. How to do clustering over L3?

And if we onboard at the subscriber location, do devices get registered in the publisher and then replicated to the subscriber, or get registered in the subscriber and replicated to the publisher? I am a bit confused.

Moderator

Re: CPPM Cluster and Certificates

Yes you can use the same cert but it should be a SAN. I do this in most deployments.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor II

Re: CPPM Cluster and Certificates

I already have 200 devices onboarded in the main location and we have deployed a new setup in a remote location.

I have configured only CN. To configure again I have to create a signing request with SAN.

I have to re-onboard all the devices, right, for failover to work?

 

 

Moderator

Re: CPPM Cluster and Certificates

No. The RADIUS server certificate does not impact your Onboarding.

 

Yes, everything is replicated to the subscriber but only the publisher has write access to the database.



Contributor II

Re: CPPM Cluster and Certificates

But you said it should be SAN. Generally CPPM looks for the CN, right, if SAN is not given.

No... but on the publisher which has 200 devices, can't I go with just CN and importing the publisher certificate in the subscriber?

My CPPM host name is different and CN is different, and TAC has said that it won't work with a CN having a different name which is not the hostname, as it won't resolve DNS.

How is CN related to DNS? I'm fully confused.

Moderator

Re: CPPM Cluster and Certificates

What is the host name and what is the CN?



Guru Elite

Re: CPPM Cluster and Certificates


@srikanthsoogoor wrote:

But you said it should be SAN. Generally CPPM looks for the CN, right, if SAN is not given.

No... but on the publisher which has 200 devices, can't I go with just CN and importing the publisher certificate in the subscriber?

My CPPM host name is different and CN is different, and TAC has said that it won't work with a CN having a different name which is not the hostname, as it won't resolve DNS.

How is CN related to DNS? I'm fully confused.


srikanthsoogoor,

 

Please feel free to download the ClearPass Certificates Technote written by our own Danny Jump here: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13734


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
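An added example, not part of any post in this thread and not ClearPass code: it models the standard TLS server-name check (RFC 6125 style) to show why the CN=VIP, SAN=VIP,CPPM1,CPPM2 layout suggested earlier covers every node, and how the CN relates to the DNS name a client connects to. The names cppm1.abc.com and cppm2.abc.com come from the thread; cppm.abc.com as the VIP name is an assumption.

```python
# Added example: RFC 6125-style server name check against a certificate's
# subject CN and subjectAltName (SAN) DNS entries.
# cppm1/cppm2.abc.com come from the thread; cppm.abc.com (VIP name) is assumed.

def _label_match(pattern: str, host: str) -> bool:
    """Compare one DNS name; a wildcard may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def name_matches(requested: str, cn: str, san_dns: list[str]) -> bool:
    """True if the name the client asked for is covered by the certificate.

    If any SAN dNSName is present, the CN is ignored; the CN is only a
    legacy fallback for certificates that carry no SAN at all.
    """
    candidates = san_dns if san_dns else [cn]
    return any(_label_match(c, requested) for c in candidates)


def coverage(cn: str, san_dns: list[str], names: list[str]) -> dict[str, bool]:
    """Report, per name clients may use, whether this certificate covers it."""
    return {n: name_matches(n, cn, san_dns) for n in names}


# Constructed list of names clients could reach the cluster by.
CLUSTER_NAMES = ["cppm.abc.com", "cppm1.abc.com", "cppm2.abc.com"]

# CN-only certificate issued to the first node, then copied to the subscriber.
CN_ONLY = coverage("cppm1.abc.com", [], CLUSTER_NAMES)

# SAN certificate laid out as in the reply: CN=VIP, SAN=VIP,CPPM1,CPPM2.
SAN_CERT = coverage("cppm.abc.com",
                    ["cppm.abc.com", "cppm1.abc.com", "cppm2.abc.com"],
                    CLUSTER_NAMES)

# CN names the VIP but the SAN list omits it: the CN is not consulted.
SAN_MISSING_VIP = coverage("cppm.abc.com",
                           ["cppm1.abc.com", "cppm2.abc.com"], CLUSTER_NAMES)

if __name__ == "__main__":
    for label, result in [("CN only", CN_ONLY), ("SAN cert", SAN_CERT),
                          ("SAN without VIP", SAN_MISSING_VIP)]:
        print(f"{label:16} {result}")
```

The third case is why the VIP name is repeated in the SAN list even though it is already the CN.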