Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - Highly available guest URL in L3 cluster

  • 1.  ClearPass - Highly available guest URL in L3 cluster

    Posted Nov 28, 2018 02:54 PM

    Hi guys,

     

    I have two nodes of ClearPass. The nodes have IPs in different ranges; they are not L2 connected. I am going to configure the ClearPass captive portal, and I will set up an external captive portal profile in my cluster of IAPs. It is something like the following:

    [Image: ext_captive portal profile.JPG]

    For a highly available guest captive portal, I have seen other posts that talk about using the VIP feature for L2 clusters, but load balancers are needed for this to work in an L3 cluster. Can I put a hostname and associate that hostname with my two ClearPass IPs in a DNS server?

     

    Regards,

    Julián 



  • 2.  RE: ClearPass - Highly available guest URL in L3 cluster

    EMPLOYEE
    Posted Nov 28, 2018 02:56 PM
    If you're doing just self-registration flows, yes, you can do that.


  • 3.  RE: ClearPass - Highly available guest URL in L3 cluster

    Posted Nov 28, 2018 04:00 PM
    Hi Tim,

    What about doing social login authentication, or manually creating the username and password (in the ClearPass DB) for each guest that comes?

    Regards,
    Julián


  • 4.  RE: ClearPass - Highly available guest URL in L3 cluster

    EMPLOYEE
    Posted Nov 28, 2018 04:11 PM
    For anything that requires an end user UI login to ClearPass itself, this will not work. They will have to access the publisher.


  • 5.  RE: ClearPass - Highly available guest URL in L3 cluster

    Posted Nov 28, 2018 04:36 PM

    As always, Tim is correct on the publisher part for a customer login. And you provide the answer yourself. You should use a load balancer if you would like to create (fully automatic) redundancy between both ClearPass nodes. I have done it this way multiple times.

     

    There are tons of load balancers if you would like to test the usage of a load balancer. You could maybe check the free version of the Kemp LoadMaster (https://freeloadbalancer.com). Easy to install and deploy or add some more advanced Web Application Firewalling features via appliances like FortiWeb.

     



  • 6.  RE: ClearPass - Highly available guest URL in L3 cluster

    Posted Nov 28, 2018 05:32 PM
    Hi,

    OK, what I don't understand is why I can avoid the load balancer with self-registration, but not with the other options. I mean to have a DNS entry which points firstly to the publisher, and secondly to the subscriber (in case the publisher fails).

    Regards,
    Julián


  • 7.  RE: ClearPass - Highly available guest URL in L3 cluster

    EMPLOYEE
    Posted Nov 28, 2018 05:35 PM
    DNS is not natively aware of whether a node is the publisher or not. If you enter two IP addresses for the same A record, most name servers will round robin the response between the two.

    This is why you’d need a load balancer that can do health checks.


  • 8.  RE: ClearPass - Highly available guest URL in L3 cluster

    Posted Nov 28, 2018 06:13 PM

    Hi,

     

    Of course, many thanks, very clear!

     

    Regards,

    Julián
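
The difference described in reply 7, as an added example that is not part of the original thread: a simplified Python model comparing plain round-robin DNS with a load balancer that health-checks each node per flow. The `Node` class, the flow names, the "client uses only the address it is handed" behaviour and the IP addresses (RFC 5737 documentation ranges) are assumptions made for illustration, not ClearPass code or configuration.

```python
from dataclasses import dataclass
from itertools import cycle

FLOWS = ("self_registration", "ui_login")


@dataclass
class Node:
    ip: str            # constructed sample address
    publisher: bool
    up: bool = True

    def serves(self, flow: str) -> bool:
        # Model taken from the thread: self-registration works on either node,
        # a UI login to ClearPass itself has to land on the publisher.
        if not self.up:
            return False
        return flow == "self_registration" or self.publisher


def round_robin_dns(nodes):
    """Rotate the A records with no knowledge of node health or cluster role."""
    return cycle(nodes)


def health_checked_lb(nodes, flow):
    """Rotate only across nodes whose (assumed) health check for this flow passes."""
    healthy = [n for n in nodes if n.serves(flow)]
    return cycle(healthy) if healthy else iter(())


def success_rate(picker, flow, requests=100):
    """Fraction of requests that reach a node able to serve the flow."""
    ok = 0
    for _ in range(requests):
        node = next(picker, None)  # None: the balancer has no healthy backend
        if node is not None and node.serves(flow):
            ok += 1
    return ok / requests


def compare(nodes):
    """Success rate per flow for both front-end strategies."""
    return {
        "dns": {f: success_rate(round_robin_dns(nodes), f) for f in FLOWS},
        "lb": {f: success_rate(health_checked_lb(nodes, f), f) for f in FLOWS},
    }


if __name__ == "__main__":
    cluster = [Node("192.0.2.10", publisher=True), Node("198.51.100.10", publisher=False)]
    print(compare(cluster))
```

With both nodes up, the model shows round-robin DNS serving every self-registration request but only half of the UI logins, while the health-checked front end sends all UI logins to the publisher.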