Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dot1x authentication pointing to Publisher or Subscriber?

  • 1.  Dot1x authentication pointing to Publisher or Subscriber?

    Posted Feb 05, 2020 12:39 AM

    Hi, we have deployed a ClearPass cluster with one Publisher and one Subscriber for dot1x authentication for both the wired and wireless networks. We have enabled Insight on the Subscriber and also OnGuard for endpoint health checks.

    My question is which server authentication and OnGuard requests should point to, i.e. Publisher or Subscriber. Shall we point all Dot1x authentication requests and OnGuard requests to the Publisher, as Insight is enabled on the Subscriber? We have the C2000V platform with a 5000 OnGuard license. Please suggest.

    Thanks,

    Yugandhar.



  • 2.  RE: Dot1x authentication pointing to Publisher or Subscriber?

    EMPLOYEE
    Posted Feb 05, 2020 01:35 AM

    Both C2000V servers together handle 10000 concurrent sessions; you need to balance load based on the number of authentication session requests.

    If requests are fewer than 5K, you can point requests to the publisher and set the subscriber as standby publisher.

    All servers' Insight data will be synced with the server with Insight enabled.



  • 3.  RE: Dot1x authentication pointing to Publisher or Subscriber?

    Posted Feb 10, 2020 02:17 AM

    Hi,

    It is usually recommended to forward requests to subscriber nodes as much as possible. Handling requests is the purpose of a subscriber; it's a worker node.

    In a two-node cluster, your publisher is already going to be busy processing some other stuff. You should use it as the secondary RADIUS server on your NADs.