MVP Expert

ClearPass - Highly available guest URL in L3 cluster

Hi guys,

 

I have two ClearPass nodes; the nodes have IPs in different ranges and are not L2 connected. I am going to configure a ClearPass captive portal, and I will set up an external captive portal profile in my cluster of IAPs. It is something like the following:

[Image: ext_captive portal profile.JPG]

For a highly available guest captive portal, I have seen other posts that talk about using the VIP feature for L2 clusters, but load balancers are needed for this to work in an L3 cluster. Can I put a hostname and associate that hostname with my two ClearPass IPs in a DNS server?

 

Regards,

Julián 

Moderator

Re: ClearPass - Highly available guest URL in L3 cluster

If you're doing just self-registration flows, yes, you can do that.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

MVP Expert

Re: ClearPass - Highly available guest URL in L3 cluster

Hi Tim,

What about doing social login authentication or manually creating the username and password (in the ClearPass DB) for each guest that comes?

Regards,
Julián
Moderator

Re: ClearPass - Highly available guest URL in L3 cluster

For anything that requires an end user UI login to ClearPass itself, this will not work. They will have to access the publisher.



| Aruba Alumni | @timcappalli | timcappalli.me |

Guest Blogger

Re: ClearPass - Highly available guest URL in L3 cluster

As always, Tim is correct on the publisher part for a customer login. And you provide the answer yourself. You should use a load balancer if you would like to create (fully automatic) redundancy between both ClearPass nodes. I have done it this way multiple times.

 

There are tons of load balancers if you would like to test the usage of a load balancer. You could maybe check the free version of the Kemp LoadMaster (https://freeloadbalancer.com). It is easy to install and deploy, or you can add some more advanced Web Application Firewalling features via appliances like FortiWeb.

 

@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl
MVP Expert

Re: ClearPass - Highly available guest URL in L3 cluster

Hi,

OK, what I don't understand is why I can avoid the load balancer with self-registration, but not with the other options. I mean to have a DNS entry which points firstly to the publisher, and secondly to the subscriber (in case the publisher fails).

Regards,
Julián
Moderator

Re: ClearPass - Highly available guest URL in L3 cluster

DNS is not natively aware of whether a node is the publisher or not. If you enter two IP addresses for the same A record, most name servers will round robin the response between the two.

This is why you’d need a load balancer that can do health checks.



| Aruba Alumni | @timcappalli | timcappalli.me |
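
The difference described in the reply above, as an added example that is not part of the original thread: a small Python model comparing round-robin A records with a health-checked selection. The node list, its `role`/`up` fields, the documentation-range IPs and the selection policy are constructed assumptions, not ClearPass, DNS server or load balancer code.

```python
from itertools import cycle

# Constructed sample cluster (assumption): two nodes in different L3 ranges.
NODES = [
    {"ip": "192.0.2.10", "role": "publisher", "up": True},
    {"ip": "198.51.100.10", "role": "subscriber", "up": True},
]

def round_robin_dns(nodes, queries):
    """Hand out the A records in turn; node role and health are never consulted."""
    rotation = cycle(nodes)
    return [next(rotation)["ip"] for _ in range(queries)]

def health_checked_pick(nodes, needs_publisher):
    """Hypothetical balancer policy: only nodes that pass the check are eligible.
    needs_publisher=True models flows with an end-user UI login to ClearPass."""
    eligible = [n for n in nodes if n["up"]]
    if needs_publisher:
        eligible = [n for n in eligible if n["role"] == "publisher"]
    return eligible[0]["ip"] if eligible else None

def misdirected(nodes, answers, needs_publisher):
    """Count answers that point at a node unable to serve the flow."""
    by_ip = {n["ip"]: n for n in nodes}
    bad = 0
    for ip in answers:
        node = by_ip[ip]
        if not node["up"] or (needs_publisher and node["role"] != "publisher"):
            bad += 1
    return bad

if __name__ == "__main__":
    answers = round_robin_dns(NODES, 10)
    print("self-registration, both up:", misdirected(NODES, answers, False), "of 10 misdirected")
    print("UI login, both up:         ", misdirected(NODES, answers, True), "of 10 misdirected")

    # Publisher outage: DNS keeps returning its address, the balancer skips it.
    outage = [dict(n) for n in NODES]
    outage[0]["up"] = False
    answers = round_robin_dns(outage, 10)
    print("self-registration, outage: ", misdirected(outage, answers, False), "of 10 misdirected")
    print("balancer target, outage:   ", health_checked_pick(outage, False))
```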

MVP Expert

Re: ClearPass - Highly available guest URL in L3 cluster

Hi,

 

Of course, many thanks, very clear!

 

Regards,

Julián
