Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Cluster

  • 1.  ClearPass Cluster

    Posted Jun 11, 2015 04:47 AM

    Hi,
    My customer has a ClearPass server. This server has become very important for him, so he has decided to buy another server to have high availability.

    It is not very clear how I can make a cluster.

    I think I should proceed in this way:

    On the secondary node:

    - Join the ClearPass to the domain
    - Make the ClearPass the subscriber node

    On the primary node:
    - Configure VIP (Virtual IP) for VRRP

    On the controller:
    - Create an authentication server with the VIP IP.

    Correct?



  • 2.  RE: ClearPass Cluster

    EMPLOYEE
    Posted Jun 11, 2015 04:55 AM

    Everything is correct except:

     

    - You need to issue a radius server certificate to the subscriber and add the root CA of the radius server certificate to its trusted certificate store.

    - You don't have to create the VIP IP.  You could have the ip address of the publisher as the primary radius server on the controller and the subscriber as the secondary radius server on the controller.  If the publisher stopped answering, the controller would choose the subscriber.  The VIP is typically created when you want to provide redundancy for guest traffic or onboard, since you can only redirect users to a single URL.  On controllers you can specify a primary and backup radius server, so you don't need to configure a VIP.

     

     

     



  • 3.  RE: ClearPass Cluster
    Best Answer

    Posted Jun 11, 2015 05:27 AM

    Hi,

    It is all clear except,

    "You need to issue a radius server certificate to the subscriber and add the root CA of the radius server certificate to its trusted certificate store."

    Why do I have to do it?
    For the publisher I haven't done it.
    By root CA do you mean the publisher or the customer's CA?

     

    Best regards



  • 4.  RE: ClearPass Cluster

    EMPLOYEE
    Posted Jun 11, 2015 05:38 AM

    Every radius server needs a server certificate.  Your publisher comes with a self-signed radius certificate, just for evaluation purposes.  Everyone replaces that certificate with a real radius server certificate.  It is the same situation with the subscriber.

     

    When you try to replace the self-signed certificate with a real radius server certificate, it will not let you proceed unless you upload the CA certificate from the CA that issued the radius server certificate.  This is for both publisher and subscriber.
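
Added example, not part of the thread and not ClearPass tooling: a check an administrator could run on a workstation before uploading a RADIUS server certificate, confirming it is not self-signed and that it chains to the CA certificate that will go into the trust store. The function names, exit codes, host name and the throwaway PKI are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: pre-upload check for a RADIUS server certificate.
# Exit codes (chosen for this example): 0 ok, 1 self-signed,
# 2 does not verify against the given CA, 3 unreadable certificate.

check_radius_cert() {   # usage: check_radius_cert <server.pem> <issuing-ca.pem>
    cert=$1; ca=$2
    # Identical subject and issuer names mean the certificate is self-issued,
    # as the evaluation certificate described in the thread would be.
    subj=$(openssl x509 -in "$cert" -noout -subject_hash) || return 3
    issr=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 3
    if [ "$subj" = "$issr" ]; then
        echo "FAIL: $cert is self-signed" >&2; return 1
    fi
    # The chain must build to the supplied CA only (no system trust store)
    # and the certificate must be usable as a TLS server certificate.
    if ! openssl verify -no-CApath -CAfile "$ca" -purpose sslserver \
            "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; return 2
    fi
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed sample input: a throwaway CA and one server certificate.
make_demo_pki() {       # usage: make_demo_pki <dir> <ca-common-name>
    d=$1
    mkdir -p "$d" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    printf 'extendedKeyUsage=serverAuth\n' > "$d/ext.cnf" &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/ext.cnf" \
        -out "$d/srv.pem" 2>/dev/null
}

# Demo run on the constructed PKI.
demo=$(mktemp -d) && make_demo_pki "$demo" "Constructed Demo Root CA" &&
check_radius_cert "$demo/srv.pem" "$demo/ca.pem"
rm -rf "$demo"
```

With real files, pass the issued server certificate and the issuing CA certificate as the two arguments; the same check applies to the publisher's and the subscriber's certificate.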

     




  • 7.  RE: ClearPass Cluster

    Posted Jun 12, 2015 04:06 AM

    Hi,

    I have a question about your suggestions.

    I have configured both Guest and Internal authentication on ClearPass.

    For the guest I have to insert the virtual IP for the captive portal and that is OK, but for the RADIUS authentication server group is it better to add 2 different servers with real IPs or one with the virtual IP?

    And if I decide to use 2 servers, is the Fail Through automatic, or do I have to set something?

    Thanks in advance

    Best regards

     

    Andrea Acampa



  • 8.  RE: ClearPass Cluster

    EMPLOYEE
    Posted Jun 12, 2015 08:59 AM
    I always use the two servers individually for RADIUS; this way the controller can load balance the requests.


    Thanks,
    Tim