Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Main and DR deployment

  • 1.  ClearPass Main and DR deployment

    Posted Sep 29, 2020 08:52 AM

    Greetings...

    I have 3 ClearPass appliances. I need to create a cluster of 2 in the main site, and the 3rd will be in the DR site.
    What could be the deployment model? As the Main appliances have 1 Virtual IP, how will the DR site join the cluster, and will it have the same Virtual IP or not? The VIP is a Layer 2 scenario.
    I would be glad if someone suggests the deployment scenario.



  • 2.  RE: ClearPass Main and DR deployment

    MVP
    Posted Oct 06, 2020 04:38 PM

    Why wouldn't you have all 3 servers be a part of the cluster so they can share config and endpoint data? 


    If you have L2 between DC and DR, you can set up a VIP and allow DC to be the primary server. You can also set DR as the standby publisher in case DC goes down completely. This way you have the ability to make config changes if needed while DC is down; for example, if you do guest registrations, only the publisher can generate the accounts.


    If you don't have L2, you won't be able to define a VIP between the DC and DR locations, however, you can still add all 3 servers as RADIUS/TACACS servers to your network devices for redundancy as well. 


    We have 1 CPPM at DC and 1 CPPM at DR, both on L2 network with VIP. They are all within the same cluster.



  • 3.  RE: ClearPass Main and DR deployment

    Posted Oct 06, 2020 07:22 PM

    If standby publisher at the DR site is really required, I would make sure L2 is stretched from the DC to the DR as mharing suggested. Then I would make a VIP with the DC publisher as primary and DR standby publisher as secondary.

    You could have a cluster with no VIP at all, and there is no need for every server to have its own VIP.

    Virtual IP is especially useful to achieve redundancy with captive portal, and this is why you want your publisher and standby pub mostly pointing to it. You simply need to create the Cportal DNS entry to resolve to that VIP.

    If you are configuring Aruba WLCs or wired NAC, most of the time I find it's favorable to put servers directly instead of the VIP. That way you can use the load balancing feature. It also gives you more flexibility to geographically load balance authentications and accounting with the use of different server groups (this is possible too with multiple VIPs, but less clean imo). Also, if a server is dead or unresponsive, it will fail over to the next one in the list (no need for a VIP to achieve that).

    Please see the quick diagram I attached with random IPs.

    Cheers,



  • 4.  RE: ClearPass Main and DR deployment

    Posted Oct 20, 2020 06:31 PM

    Thanks for the clarification. I'm using CPPM mainly for the TACACS+ service for devices in 2 geographical locations (Main & DR).
    I have 3 appliances, and I understand that these can form a cluster and have the same configuration database. What is confusing for me is that Main and DR both have Active Directory servers. How can I prioritize the authentication source? Will the DR CPPM use its Active Directory server in DR, or will it point towards Main?

    What's the best practice in the scenario of Main and DR appliances?
    I attached a sample diagram to give more idea regarding the design.

    Need Suggestions.
    Thanks Again



  • 5.  RE: ClearPass Main and DR deployment

    EMPLOYEE
    Posted Oct 07, 2020 12:38 AM

    Dear Nawab,


    What services will be used with ClearPass? This will help choose the best redundancy strategy.

    Are you using ClearPass Guest?

    Onboarding?

    Radius MAC auth? 802.1x?

    TACACS?


    Having layer 2 stretched between DC and DR is not a must unless you need to run a VIP. You can use a standby publisher over a layer 3 link.


    It is also important to understand what happens when a publisher fails (which services are lost):

    https://www.arubanetworks.com/techdocs/ClearPass/6.9/Aruba_DeployGd_HTML/Content/Cluster%20Deployment/Standby_publisher.htm#Strategies




  • 6.  RE: ClearPass Main and DR deployment

    Posted Oct 20, 2020 07:06 PM

    Ayman.
    We are using only TACACS+ service for device administration inside the DC (Main & DR).

    I can create L3 between the DCs and designate the DR CPPM as standby publisher. The point here is I'm still confused about which CPPM appliance the devices in DR will authenticate with, and what the authentication source will be, as I have Active Directory servers in both DCs.

    Is it possible that we can point DR requests to the DR standby publisher with local AD (DR), and the Main DC appliances' TACACS+ requests to the Main subscriber with local AD (Main)?