Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Cluster with VIP or not?

  • 1.  ClearPass Cluster with VIP or not?

    Posted Jun 13, 2017 12:20 PM

    Hi!


    I'm just planning the integration of a CP-VA-500 as a Standby-Publisher which should add redundancy to an existing CP-HW-500 (v6.6.5) in a small environment (both are L2 connected).

    Auto-promote from a Standby Subscriber to an Active Publisher would be enough 'high-availability' in case the primary Publisher fails.


    I'm using the CPPM for Radius, Tacacs, ClearPass Guest with self-registration, Onboarding (BYOD) and do have a public wildcard certificate for Guest Authentication in place.


    After studying the Tech Note: ClearPass Clustering Design Guidelines v1.2 (which is an excellent source) there are still some questions left.


    Questions:

    - Can I migrate the IP of the publisher to be the VIP?

    - What is the best practice to do this?

    - I'm using both the Data and the Management interface:

      Which Interface/Network will become the VIP?

      NADs are talking to the Management Port at the moment.

      Guest and BYOD authentication traffic goes to the Data Port.

    - What is the real benefit of configuring a VIP?

    - Will I lose anything when the "auto-promoted" former Subscriber becomes the Active Publisher?


    Thank you in advance for your hints and ideas.


    With kind regards

    Manfred




  • 2.  RE: ClearPass Cluster with VIP or not?
    Best Answer

    EMPLOYEE
    Posted Jun 13, 2017 12:39 PM

    - Can I migrate the IP of the publisher to be the VIP?

    It's best to assign a new IP. NADs should point to individual servers for RADIUS and TACACS, not the VIP so that you can utilize load balancing.


    - What is the best practice to do this?

    - I'm using both the Data and the Management interface:

      Which Interface/Network will become the VIP?

      NADs are talking to the Management Port at the moment.

      Guest and BYOD authentication traffic goes to the Data Port.

    Why are you using both ports? What was your design goal?


    - What is the real benefit of configuring a VIP?

    The VIP is really designed to provide an always available URL for captive portal workflows. You don't want to be touching your configuration all the time to change it to clearpass-1.domain.xyz vs clearpass-2.domain.xyz. 


    - Will I lose anything when the "auto-promoted" former Subscriber becomes the Active Publisher?

    You've effectively halved your long term capacity with one node.



  • 3.  RE: ClearPass Cluster with VIP or not?

    Posted Jun 14, 2017 05:54 AM

    Thank you for your fast response.


      - I'm using both the Data and the Management interface:

        Which Interface/Network will become the VIP?

        NADs are talking to the Management Port at the moment.

        Guest and BYOD authentication traffic goes to the Data Port.

    Why are you using both ports? What was your design goal?


    To be honest:

    You have addressed the weak point perfectly.

    I'm now thinking that was poor design and not necessary.

    The only reason was that the customer has a Management VLAN for all networking devices. I will change the configuration before adding the Subscriber to only use the Management Port with the IP of the Data Port and disconnect the Data Port.

    This would help a lot to make it easier with the VIP.

    All Radius clients already have the correct IP address configured, which will be the Management Port after this change. Nobody uses the IP address of the Management Port at the moment, I think.


    I will report my experience doing this.




  • 4.  RE: ClearPass Cluster with VIP or not?

    Posted Jun 14, 2017 12:15 PM

    Experience report: migration from the Data Port to the MGMT Port


    Deleting IP on Data Port with the GUI worked without problems.

    After a successful restart of the CP services I changed the MGMT Port address with the GUI to the address which was assigned to the Data Port before.


    The restart of the CP services was not successful - the new IP address was reachable (ping) but the GUI did not come up (also no response on the CLI SSH connection).

    I had to visit the customer and do a power cycle of the CP-HW-500 v1.


    After that the restart was successful - all services are up and running again.


    I could also configure a VIP on the MGMT Port - even without the existence of the second Subscriber, which will be integrated soon.

    Could not test the functionality of the VIP - but it is reachable with ping.




  • 5.  RE: ClearPass Cluster with VIP or not?

    Posted Jun 21, 2017 04:45 AM

    My findings after the successful cluster setup are as follows.

    (The ClearPass Cluster WITH a VIP is now up and running)


    Some important things from my personal experience:

    - Don't forget to join the Subscriber also to the AD

    - Configure the SNMP Parameters on the Subscriber

    - I installed all Updates and Hotfixes to the same level as the Publisher before activating the Subscriber (updating to a higher level can be done after setting up the cluster)

    - Add the Subscriber IP to all Radius/Tacacs devices as Secondary Radius/Tacacs Server

    - Evaluate the need/benefits of Radius load balancing

    - Adding the VIP was no problem even before the Subscriber is member of the cluster.

    - Select an easy-to-understand name for the https certificate of the VIP (such as guestlogin.domain.com and NOT the hostname of the Publisher or Subscriber)

    - Set the Cluster-Wide Parameters to promote the Standby Publisher

    see: http://www.arubanetworks.com/techdocs/ClearPass/6.6/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_clusterwideparams.htm


    Very helpful material:


    Must read (Thank you Danny...)

    Tech Note: ClearPass 6.x Clustering Design Guidelines V1.2


    General (Thank you Herman...):

    Aruba ClearPass Workshop Videos

    and especially:

    Building a ClearPass Cluster



  • 6.  RE: ClearPass Cluster with VIP or not?

    Posted Nov 04, 2017 05:37 PM

    Could you show me your network design using both ports?
    Why did you decide to use both?


    Regards

    Carlos Villanueva



  • 7.  RE: ClearPass Cluster with VIP or not?

    Posted Nov 06, 2017 02:51 AM

    Hi Carlos!

    I did NOT use both ports at the end - I've changed this before the VIP implementation. Now I'm using only the Management Port.

    Using both ports was neither necessary nor a design goal.


    With kind regards

    Manfred



  • 8.  RE: ClearPass Cluster with VIP or not?

    Posted Nov 06, 2017 05:42 PM

    Hello Manfred
    Thanks for answering
    I was referring to this: you mentioned that at the beginning you used both because they had a management VLAN for all their devices. I happen to be in an implementation proposal, and they are asking me to present a justification for why to use only the management port and not the data port. To be honest, I do not have it very clear. The implementation will be with 2 CPPM hardware appliances and a VIP.
    Regards


    Carlos Villanueva



  • 9.  RE: ClearPass Cluster with VIP or not?

    Posted Jun 16, 2017 07:37 AM
    See this video
    http://community.arubanetworks.com/t5/Video/VIDEO-Using-Virtual-IP-interfaces-in-a-ClearPass-Cluster/ta-p/78564

    The common name you defined in your certificate needs to have an entry in your DNS server pointing to the VIP.

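A small design check, added here as an example and not taken from the thread or from HPE Aruba, that encodes the rules the replies give: the captive-portal name must be covered by the VIP certificate (a wildcard such as Manfred's counts), must resolve in DNS to the VIP, and must not be a node hostname; and NADs send RADIUS/TACACS to the individual node IPs (primary and secondary), never to the VIP. All hostnames, addresses and NAD entries are constructed placeholders.

```python
# Added example (not from the thread or from HPE Aruba): a design lint for a
# two-node ClearPass cluster with a VIP, encoding the rules given above: the
# portal name must be covered by the VIP certificate, resolve to the VIP and
# not be a node hostname; NADs send RADIUS/TACACS to the node IPs (primary and
# secondary), never to the VIP. All names and addresses are constructed.

def cert_covers(name, cert_names):
    """Exact CN/SAN match or single-label wildcard (*.example.test)."""
    name = name.lower().rstrip(".")
    for cn in (c.lower() for c in cert_names):
        if cn == name:
            return True
        if cn.startswith("*.") and name.count(".") == cn.count(".") \
                and name.endswith(cn[1:]):
            return True
    return False

def check_portal(portal_name, cert_names, dns_a, vip, node_hostnames):
    """List of problems with the captive-portal name used for the VIP."""
    problems = []
    if portal_name.lower() in {h.lower() for h in node_hostnames}:
        problems.append("portal name is a node hostname; use a service name")
    if not cert_covers(portal_name, cert_names):
        problems.append(f"not covered by certificate names {cert_names}")
    if vip not in dns_a.get(portal_name, []):
        problems.append(f"DNS A record does not point at VIP {vip}")
    return problems

def check_nads(nads, node_ips, vip):
    """Problems per NAD with its RADIUS/TACACS server list."""
    problems = {}
    for nad, servers in nads.items():
        found = []
        if vip in servers:
            found.append(f"server list contains the VIP {vip}")
        missing = [ip for ip in node_ips if ip not in servers]
        if missing:
            found.append(f"missing node server(s) {missing}")
        if found:
            problems[nad] = found
    return problems

# Constructed sample design (RFC 5737 addresses, .test names).
VIP = "192.0.2.10"
NODE_IPS = ["192.0.2.11", "192.0.2.12"]
NODE_HOSTS = ["cppm-1.example.test", "cppm-2.example.test"]
CERT_NAMES = ["*.example.test"]
DNS_A = {"guestlogin.example.test": [VIP], "cppm-1.example.test": ["192.0.2.11"]}
NADS = {"core-sw": ["192.0.2.11", "192.0.2.12"],  # correct
        "edge-sw": [VIP],                         # wrong: VIP, no node IPs
        "wlc": ["192.0.2.11"]}                    # missing secondary
```

Run `check_portal` against the planned portal name and `check_nads` against an export of the NAD server lists; an empty result means the design matches the advice in this thread.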