
Re: CPPM Cluster and Certificates

Yes, you will have to manually change the URL redirect in the controller, or you can create a VIP if you have L3 between the pub and sub and have the sub as the primary, and it will auto fall to the pub if the sub fails.
Thank You,
Troy

Moderator

Re: CPPM Cluster and Certificates

Note:--

You cannot create a VIP over an L3 network between two CPPM nodes unless you employ some sort of L2 tunneling protocol such as GRE/VPLS.... this does and can work but it's NOT the optimum solution.


Best Regards
-d

ClearPass Product Manager

Contributor II

Re: CPPM Cluster and Certificates


@dannyjump wrote:

Note:--

You cannot create a VIP over an L3 network between two CPPM nodes unless you employ some sort of L2 tunneling protocol such as GRE/VPLS.... this does and can work but it's NOT the optimum solution.

How about OCSP checks in authentication method EAP-TLS?

Will the subscriber allow configuring the EAP-TLS authentication method to include http://Subscriber/guest/mdps_ocsp.php/1 to do OCSP checks for client authentication?

Moderator

Re: CPPM Cluster and Certificates

Please read the CPPM Clustering Technote... I cover OCSP in this doc.


Best Regards
-d

ClearPass Product Manager

Frequent Contributor I

Re: CPPM Cluster and Certificates


@dannyjump wrote:

Note:--

You cannot create a VIP over an L3 network between two CPPM nodes unless you employ some sort of L2 tunneling protocol such as GRE/VPLS.... this does and can work but it's NOT the optimum solution.


It'd be nice if this was documented somewhere....apart from communities.. but in a KB or official docs..

Occasional Contributor II

Re: CPPM Cluster and Certificates

Hi - I'm bringing up my first cluster, and the question I have is how to handle iOS devices that have the cert pushed to them via JAMF. They currently have a JAMF config that pushed a self-signed cert from the existing ClearPass. But now that I am bringing a 2nd ClearPass online, how can they use the existing cert in the event that the primary ClearPass goes offline?

I don't know if JAMF can push (2) certs for the same SSID to iPads. I doubt it?

Thx

Moderator

Re: CPPM Cluster and Certificates

Use the same EAP server cert on all servers in the cluster.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: CPPM Cluster and Certificates

So I should export from the publisher and import on the subscriber?

But will that work since the existing one on the publisher is self-signed and will have a different FQDN than the subscriber?

BTW, I inherited this, so it was not my decision to use self-signed :-)

Moderator

Re: CPPM Cluster and Certificates

The FQDN is irrelevant for the EAP server certificate.



You may want to reach out to your Aruba ClearPass partner to discuss options
for the EAP server certificate going forward as it varies by environment.



| Aruba Alumni | @timcappalli | timcappalli.me |
