Occasional Contributor I

ClearPass Deployment Queries

Hello Friends,

I am relatively new to ClearPass. I have a few basic queries if you guys can answer:

1. What happens to the clients/PCs when the complete cluster goes down? Will there be a network outage because of this, or will the clients bypass the NAC and work normally?

2. Where should the application licences be installed? As I read a few threads, it says it should be installed on the publisher. Or should it be installed on the publisher and subscriber separately? If it is installed on the publisher, what happens to the licences when the publisher is down? Does the licence get passed to the subscriber when it gets promoted as publisher?

3. Do we need to create a separate service for MAC Auth and 802.1X auth? Or can we use the 802.1X service together with MAB all in one service? I would appreciate any reference on this case.

I would appreciate any support,

Thanks

Contributor II

Re: ClearPass Deployment Queries


 

1. What happens to the clients/PCs when the complete cluster goes down? Will there be a network outage because of this, or will the clients bypass the NAC and work normally?

This is dependent on how you have your NADs (network access devices: your switches, controllers, etc.) set up. Most can be set up to either fall back to a local database or to a "server-fail" VLAN, which you can use.

2. Where should the application licences be installed? As I read a few threads, it says it should be installed on the publisher. Or should it be installed on the publisher and subscriber separately? If it is installed on the publisher, what happens to the licences when the publisher is down? Does the licence get passed to the subscriber when it gets promoted as publisher?

On the publisher. As long as you have everything set up correctly, you shouldn't run into any issues. The licenses get essentially pooled. You may run into some issues if you ever move to new VMs, but from publisher to subscriber you should be fine. TAC is able to migrate licenses as needed if you do ever run into an issue.

3. Do we need to create a separate service for MAC Auth and 802.1X auth? Or can we use the 802.1X service together with MAB all in one service? I would appreciate any reference on this case.

I would recommend creating 2 separate services; it's going to make your workflow much simpler and easier to manage. Since most NADs send different RADIUS attributes depending on whether you're doing dot1x vs. MAC auth, as well as each using different authentication sources, I couldn't imagine the headache of trying to manage it all in one service. That being said, I've never tried it in one service, so it might very well be possible.

As I'm sure others will mention, ClearPass is a behemoth and very easy to mess up; I would recommend reaching out to your Aruba team for assistance. They can help guide you on best practice and share relevant documentation.

Chris Wickline | Network Engineer | York College of Pennsylvania
Occasional Contributor I

Re: ClearPass Deployment Queries


Dear Chris,

 

Thank you so much. I have concerns regarding point number 1. Can you please elaborate on this? Any sample configuration from a NAD would help clarify my doubts.

Contributor II

Re: ClearPass Deployment Queries

So, it depends on which NAD vendor you are using. We are Aruba for wireless, with mainly Juniper on the switching side (however, we started the migration to Aruba switches!).

The Juniper config looks like this:

set protocols dot1x authenticator interface ge-0/0/0 server-fail vlan-name <name of vlan>

Our requirement was that if ClearPass were to fail completely, we want users to get dropped into a restricted VLAN. (The thought here is we don't want to completely deny access, but don't want to give them full network access either.) Each vendor will implement this a little differently, but all have some sort of feature similar to this.

Chris Wickline | Network Engineer | York College of Pennsylvania
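As an added illustration (not from Chris's post or from any Aruba or Juniper documentation), here is the server-fail one-liner in the context of the surrounding Junos configuration it depends on. The VLAN name, RADIUS server addresses, access profile name, interface and shared secret are placeholders, and the `#` lines are explanatory annotations. The server-fail choice is the actual security decision behind question 1: `permit` fails open (clients bypass the NAC), `deny` fails closed (an outage), and a restricted VLAN sits in between.

```junos
# Added example, not the original poster's config. All names and addresses are placeholders.
# Restricted VLAN that clients land in while ClearPass is unreachable.
set vlans restricted vlan-id 999
set vlans restricted description "Limited access while RADIUS is down"

# ClearPass cluster nodes as RADIUS servers. timeout and retry determine how long
# the switch waits for an answer before moving to the next server; when no server
# answers, the server-fail action below applies.
set access radius-server 192.0.2.10 secret "<shared-secret-placeholder>"
set access radius-server 192.0.2.10 timeout 5
set access radius-server 192.0.2.10 retry 3
set access radius-server 192.0.2.11 secret "<shared-secret-placeholder>"
set access radius-server 192.0.2.11 timeout 5
set access radius-server 192.0.2.11 retry 3

# Access profile listing both cluster nodes; the switch tries them in the order listed.
set access profile clearpass authentication-order radius
set access profile clearpass radius authentication-server 192.0.2.10
set access profile clearpass radius authentication-server 192.0.2.11

# 802.1X plus MAC RADIUS (MAB) on one access port; both share the same server-fail behaviour.
set protocols dot1x authenticator authentication-profile-name clearpass
set protocols dot1x authenticator interface ge-0/0/0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/0 mac-radius
set protocols dot1x authenticator interface ge-0/0/0 server-timeout 10

# The fail action. Exactly one of these applies per interface:
#   server-fail deny           fail closed: no access while ClearPass is down (an outage)
#   server-fail permit         fail open: clients bypass the NAC entirely
#   server-fail use-cache      reuse the last successful result for already-known clients
#   server-fail vlan-name ...  restricted VLAN, the middle ground chosen in the post above
set protocols dot1x authenticator interface ge-0/0/0 server-fail vlan-name restricted
```

After committing, `show dot1x interface ge-0/0/0 detail` reports the configured server-fail setting and whether the port is currently operating in that state, which is the quickest way to confirm the fallback actually took effect during a ClearPass outage.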