Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass on layer 3 design

  • 1.  Clearpass on layer 3 design

    Posted Apr 27, 2020 02:20 PM

    Hello everyone

    I got this scenario:

    1 ClearPass in the office

    1 future ClearPass in a data center

    Current situation:

    ClearPass authenticating 802.1X EAP-TLS wireless

    ClearPass authenticating 802.1X EAP-TLS wired

    ClearPass authenticating TACACS+

    ClearPass for Guest

    Administration with a single IP

    If the ClearPass nodes were in the same site, where I could use a VIP with a publisher/subscriber setup, there would be no issue.

    But those sites are separated at layer 3, so I guess I cannot use a VIP.

    I see the following:

    ClearPass authenticating 802.1X EAP-TLS wireless
    Here I can declare 2 RADIUS servers on the NADs (no issue, I guess).

    ClearPass authenticating 802.1X EAP-TLS wired
    Here I can declare 2 RADIUS servers on the NADs (no issue, I guess).

    ClearPass authenticating TACACS+
    Here I can declare 2 RADIUS servers on the NADs (no issue, I guess).

    ClearPass for Guest
    I see an issue here because the controller is just pointing to one URL (we need the VIP here, I believe).
    What can I do? I need both ClearPass nodes to be on the same subnet to create it.

    Administration with a single IP
    The client wanted one IP to do their administration (I guess that is not possible). We would need to use 2 administration IPs (if the publisher fails for too long and its subscriber is converted to the publisher).

    What would be the best way to attack this scenario? Any advice from what you have done?



  • 2.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 02:57 PM
    Two options:
    1- would be to define the subscriber as standby publisher and, in the event the primary goes down, manually update the DNS entry to the standby publisher
    2- if guest and being able to manage the ClearPass cluster from a single IP is really critical for the customer, then purchase a new ClearPass VM license and deploy another subscriber / standby publisher and configure the VIP (Access / Onboard / OnGuard licenses will be shared across all the nodes)



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 03:08 PM

    I would use a proxy/load-balancer that redirects traffic to both ClearPass nodes. Just be aware that if the Publisher fails you won't be able to create new guests until you promote the second node to Publisher...

    I usually use F5 for my customers but I'm sure there is some open solution.

    Then your guest captive portal will point to this reverse proxy/load-balancer IP and in the backend it will redirect traffic to your ClearPass nodes.



  • 4.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 03:12 PM

    Thank you for your time, but for now I'm referring to not using a third-party appliance; what can we do?

    If we need to, and thanks for telling me about the proxy/load balancer, I will tell the client that he needs that.

    But I was trying to see if it was possible to do it with what he has.

    Cheers

    Carlos



  • 5.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 03:21 PM

    Hmmm, I'm not sure if it will work but maybe you can use DNS round robin.

    guest-portal.company.tld -> 10.10.10.10 (clearpass 1)

    guest-portal.company.tld -> 172.16.10.10 (clearpass 2)

    But here I'm not sure if the client will try the second IP if the first one is not answering. Take a look here: https://www.stsoftware.com.au/site/ST/blog/article/how-to-configure-load-balancer/
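The open question in the reply above is whether a client keeps going to the second A record when the first site no longer answers. The script below is an added example (not code from the thread or from HPE Aruba) that models exactly that fallback from the defender's side: it resolves every address for a name, probes each one with a bounded TCP connect, and returns the first node that accepts. The hostname `guest-portal.company.tld` and the addresses `10.10.10.10` / `172.16.10.10` are taken from the reply; the function names, the loopback self-check, and the 443 port are assumptions for the example. Whether a real browser behaves this way depends on the client, which is why a check like this is worth running before relying on round robin for the captive portal.

```python
"""Client-side fallback across DNS round-robin answers.

Added example, not code from the forum thread or from HPE Aruba. It models
the situation in the reply above: guest-portal.company.tld resolves to two
ClearPass nodes in two L3-separated sites, and the question is whether a
client keeps going to the second address when the first site is gone.
A client that walks every answer with a short connect timeout does; one
that stops at the first answer does not. The address list is constructed.
"""
import socket
from typing import Callable, Iterable, List, Optional, Tuple

Address = Tuple[str, int]

# Constructed round-robin answer set, mirroring the two nodes in the thread.
ROUND_ROBIN: List[Address] = [("10.10.10.10", 443), ("172.16.10.10", 443)]


def resolve_all(hostname: str, port: int) -> List[Address]:
    """Return every IPv4 address the resolver hands back for hostname.

    A round-robin name returns all A records in each answer (rotated), so a
    client that only looks at the first one loses the benefit."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    addresses: List[Address] = []
    for *_rest, sockaddr in infos:
        entry = (sockaddr[0], port)
        if entry not in addresses:
            addresses.append(entry)
    return addresses


def tcp_reachable(addr: Address, timeout: float = 2.0) -> bool:
    """Probe one node with a bounded TCP connect.

    A refused port fails fast; a site that has vanished usually hangs until
    the timeout, so the timeout must be short for this to be a usable
    fallback."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(candidates: Iterable[Address],
                    probe: Callable[[Address], bool] = tcp_reachable) -> Optional[Address]:
    """Try each candidate in order and return the first that accepts a connection.

    This is the behaviour the thread hopes clients have: losing node 1 (or its
    whole site) still lands the user on node 2. Returns None if all are down."""
    for addr in candidates:
        if probe(addr):
            return addr
    return None


def local_failover_demo() -> bool:
    """Offline check of the fallback on loopback: a dead port is listed first,
    a live listener second. Returns True when the live one gets selected."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    live_port = live.getsockname()[1]

    spare = socket.socket()          # grab a free port, then release it so
    spare.bind(("127.0.0.1", 0))     # connections to it are refused
    dead_port = spare.getsockname()[1]
    spare.close()

    try:
        chosen = first_reachable([("127.0.0.1", dead_port), ("127.0.0.1", live_port)],
                                 lambda a: tcp_reachable(a, timeout=1.0))
        return chosen == ("127.0.0.1", live_port)
    finally:
        live.close()


if __name__ == "__main__":
    # Against the thread's real name this would be:
    #   first_reachable(resolve_all("guest-portal.company.tld", 443))
    print("loopback fallback works:", local_failover_demo())
```

The loopback check stands in for the "site disappeared" case with a refused port, which fails immediately; a black-holed site fails only after the timeout, so the per-node timeout is the knob that decides how long a guest waits before landing on the surviving node.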



  • 6.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 03:09 PM

    First

    Thank you very much for taking the time to answer my question, Victor.

    Now

    From what I see, in option 1 you are just talking about the guest module part, and how to work around it, right?

    For all the other options, RADIUS and TACACS, do you think they are fine as I put them?

    For your second one: in this case are you just taking into account something happening to the ClearPass itself?? I was referring to something happening to the whole site itself, like if that site disappears and you lose connectivity to it.

    Cheers

    Carlos



  • 7.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 03:56 PM
    For the authentication options, you should be good as long as you define the second node as a backup.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 8.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 04:02 PM

    Thanks for your answer Victor.

    For the administration, there is no way of having this if the site goes down? I mean even with the 2 VMs you said.

    The only way I think is via layer 2, right? Like a VRRP, as that's how the VIP works in ClearPass. Right Victor?



  • 9.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 04:06 PM
    Correct



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 10.  RE: Clearpass on layer 3 design

    Posted Apr 27, 2020 09:27 PM

    So to add a few titbits: if you want to have VRRP between the CPPM nodes {we actually use UCARP} then L2 is needed. Depending on the routers it can be possible to build an L2 extension using GRE, but it needs careful filtering/config; it is possible, though.

    Yes, you can use 3rd-party hardware if you run CPPM on top of ESXi/Hyper-V or KVM on CentOS, but you MUST maintain the resource requirements as documented by us for the relevant size of the VM you will deploy. Note there is no 'ISO' type option to directly install on 3rd-party h/w.