Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Cluster and Configuration Radius Server Host

  • 1.  CPPM Cluster and Configuration Radius Server Host

    Posted Mar 02, 2020 02:35 AM

    Hey Guys,
    One of our customers has a ClearPass virtual appliance cluster with one publisher and one subscriber at the same site.

    Currently we have not configured VRRP over the servers, so both CPPMs can answer RADIUS requests.

    Now the customer asked what would happen if we build a VRRP over both ClearPass servers and configure the virtual IP and the two management IP addresses of the ClearPass servers at the switches as RADIUS server hosts.

    Will the servers respond to RADIUS requests on both the virtual IP address and the management IP address, or will only one ClearPass server respond with the virtual IP address?



  • 2.  RE: CPPM Cluster and Configuration Radius Server Host

    MVP EXPERT
    Posted Mar 02, 2020 04:17 AM

    What are your customer's reasons for wanting to use all 3x IPs (VIP & real IPs) in their environment? You'd usually only specify the VIP IP as the RADIUS server within the host.




  • 3.  RE: CPPM Cluster and Configuration Radius Server Host

    Posted Mar 02, 2020 04:32 AM

    The customer thinks that he has triple redundancy if he enters all 3 IPs.

    He wants to enter the radius servers as follows:
    1. Native IP CCPM01
    2. Native IP CCPM02
    3. Virtual IP cluster

    So that first the native IP addresses should be requested before the virtual cluster IP is requested.


    We have pointed out to the customer that it makes no sense to implement the configuration in this way, but he still wanted to know if it was possible.



  • 4.  RE: CPPM Cluster and Configuration Radius Server Host
    Best Answer

    EMPLOYEE
    Posted Mar 02, 2020 04:22 AM

    To answer the question: ClearPass will listen for RADIUS both on the native IP and on its VIPs. Note that CoA will go out on the VIP.


    One other thing to consider is to create two VIPs (for a 2-node) where one is active on the first box, the other on the second, so you have mutual failover by putting both VIPs in your access switches/controllers/APs.



  • 5.  RE: CPPM Cluster and Configuration Radius Server Host

    Posted Mar 02, 2020 04:34 AM

    Hi Herman,

    Thank you very much for your answer. This answers exactly my question.