Security

Hi,

I have just deployed ClearPass in AWS.  I have to instances in a cluster publisher and subscriber which is working as expected.

My question is what is the next part of the setup for redundancy? As you cannot use a VIP in AWS.

Do you just set your radius requests to go to the subscriber ? In the event the subscriber fails what do we do for redundancy as I know it isn't advisable to send radius requests to the publisher.  I just don't see any documentation for the recommended practices in AWS as i don't believe it is fully supported yet.

Thanks

Scott

If request is going to publisher IP then add subcriber IP standby in controller and also add subcriber  under Administration » Server Manager » Server Configuration >>Cluster Wide Paramters > Standby Publisher, in event of publisher goes down subcriber will takeover .

Sorry I don't understand your first sentenence.  What do you mean if request is going to publisher IP? Shouldn't all radius request go to the subscriber?

I mean radius requests, we can add both publisher and subscriber IP in NAD device in radius section, if primary goes down request will go to standby server.

It is not necessary that all radius request goes to subscriber it all depend on how we want to configure.

Scott,

In a two-node cluster, the PUB is not performing much cluster-related wok so you can send 50/50 of your traffic to each node. If you have AOS you can utilize built in load-balancing to load balance the authN requests from the NAD's. Other vendors do sometime support primitive load-balancing else you need to configure 50% of your NAD's to point to the SUB with a fail-through to the PUB and the remaining 50% the other way round.

At this time it was recently discovered that the PUB fail-over for an AWS deployment is not working, we've triaged the issue and have discovered the fault, planning on getting a fix released soon.