Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Distributed Deployment

  • 1.  CPPM Distributed Deployment

    Posted Nov 01, 2017 01:00 PM

    Hi guys,

    I have a CPPM in my DC, and I decided to configure it as the active/standby publisher. I also have CPPMs at my remote locations running as subscribers.


    The DC and the remote locations each have their own AD, although these ADs are integrated with each other.


    My question is: is it possible for my subscribers to talk to the local AD, while the AD in the DC is integrated with the DC CPPM as a fallback mechanism?


    Thanks



  • 2.  RE: CPPM Distributed Deployment

    EMPLOYEE
    Posted Nov 02, 2017 05:33 AM

    For the domain join, you can set the password servers to be used for each appliance in the service manager:

    [screenshot: ClearPass Policy Manager, password server settings]

    The default is that ClearPass will pick the fastest responding server, but if you want to control it better, for example to prevent the ClearPass in the datacenter from querying a domain controller in a branch, this is how you do it.


    For the Authentication Source, it might be that you need to create an Authentication Source per ClearPass subscriber and create different services with those sources (with the same content, such as role-mapping and enforcement policies).


    For these types of designs, please involve a qualified ClearPass partner or professional services, as this should be considered an advanced configuration.



  • 3.  RE: CPPM Distributed Deployment

    Posted Nov 02, 2017 05:51 AM

    Hi Herman,

    But how will ClearPass determine if this auth client is coming from site A or site B?

    Thanks



  • 4.  RE: CPPM Distributed Deployment

    EMPLOYEE
    Posted Nov 06, 2017 09:10 AM

    You can check on the NAD (switch/AP) source IP, or use device groups for this and match the service against one of those.


    If your NAD sends its name in the NAS-Identifier, and that name contains a geographical code, like NL-AMS-SW31 or JP-TKY-MC03, you can even check whether that name begins with NL-AMS, or JP.
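The following is an added example, not code from the thread or from ClearPass itself: a small Python model of the site-selection logic described in the replies above, i.e. deciding which site (and therefore which per-site authentication source) a RADIUS request belongs to, first from the NAD's source IP and then from an anchored prefix of the NAS-Identifier. The site table, subnets, NAS-Identifier prefixes, authentication-source names and the sample requests are all constructed for this example; treating the DC AD as the fallback source models the original poster's proposed design, not a documented ClearPass behaviour.

```python
"""Model of per-site service classification for a distributed ClearPass
deployment. Illustrative only: the site table below is an assumption,
not configuration taken from the thread or from a real deployment."""
import ipaddress
from typing import Dict, List, Optional

# Hypothetical site table: management subnets the site's NADs send RADIUS
# from, the NAS-Identifier prefixes its NADs are named with, and the local
# AD authentication source to prefer for that site.
SITES: Dict[str, dict] = {
    "AMS": {"subnets": ["10.10.0.0/16"], "prefixes": ["NL-AMS"], "auth_source": "AD-AMS-local"},
    "TKY": {"subnets": ["10.20.0.0/16"], "prefixes": ["JP-TKY", "JP"], "auth_source": "AD-TKY-local"},
}
# Assumed name of the datacenter AD source used as the fallback for every site.
FALLBACK_SOURCE = "AD-DC"


def site_from_source_ip(source_ip: str) -> Optional[str]:
    """Match the RADIUS packet's source address against each site's subnets."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    for site, cfg in SITES.items():
        if any(addr in ipaddress.ip_network(net) for net in cfg["subnets"]):
            return site
    return None


def site_from_nas_identifier(nas_id: Optional[str]) -> Optional[str]:
    """Match an anchored prefix of NAS-Identifier (e.g. 'NL-AMS-SW31').

    NAS-Identifier is free text configured on the switch or AP, so the match
    is anchored at the start and requires a '-' after the prefix: 'JP' then
    matches 'JP-TKY-MC03' but not a misnamed 'JPX-OSA-SW01'.
    """
    if not nas_id:
        return None
    nas_id = nas_id.strip().upper()
    # Try the longest prefixes first so 'JP-TKY' wins over the broader 'JP'.
    candidates = sorted(
        ((prefix, site) for site, cfg in SITES.items() for prefix in cfg["prefixes"]),
        key=lambda ps: -len(ps[0]),
    )
    for prefix, site in candidates:
        if nas_id.startswith(prefix + "-"):
            return site
    return None


def classify_request(request: Dict[str, str]) -> Dict[str, object]:
    """Pick the site and the ordered authentication sources for one request.

    The source IP is checked first (it is what the NAD entry is looked up by),
    then the NAS-Identifier. An unmatched request gets only the DC fallback.
    """
    site = site_from_source_ip(request.get("source_ip", ""))
    matched_on: Optional[str] = "source_ip" if site else None
    if site is None:
        site = site_from_nas_identifier(request.get("nas_identifier"))
        matched_on = "nas_identifier" if site else None
    sources: List[str] = []
    if site is not None:
        sources.append(SITES[site]["auth_source"])
    if FALLBACK_SOURCE not in sources:
        sources.append(FALLBACK_SOURCE)
    return {"site": site, "matched_on": matched_on, "auth_sources": sources}


# Constructed sample requests: a branch NAD matched by subnet, a NAD on an
# unknown address matched by name, and a misnamed NAD that matches nothing.
SAMPLE_REQUESTS = [
    {"source_ip": "10.20.5.7", "nas_identifier": "JP-TKY-MC03"},
    {"source_ip": "192.0.2.9", "nas_identifier": "NL-AMS-SW31"},
    {"source_ip": "192.0.2.9", "nas_identifier": "JPX-OSA-SW01"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", classify_request(req))
```

The anchored prefix check is the part worth carrying over to a real service rule: a plain "contains JP" match on NAS-Identifier would also catch devices whose names merely happen to include those letters, and since NAS-Identifier is whatever the NAD operator typed, a misnamed or wrongly templated device would silently land in another site's service and authentication source.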