Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Pros & Cons between hardware and Clearpass load balancing

  • 1.  Pros & Cons between hardware and Clearpass load balancing

    Posted Jan 28, 2016 04:52 AM

    Hi friends,

     

    In a cluster topology with 2 Clearpass (version 6.5) doing guest authentication and landing pages, what is better to assure performance and availability? To balance load with an inline hardware load balancer, like F5? Or is it enough to activate the RADIUS load balancing feature in Clearpass? Which one offers the best performance and availability?

     

    I read some documents related to this subject but I still have doubts.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Load-Balancing-across-Clearpass-Servers/td-p/193277

     

    http://www.arubanetworks.com/pdf/partners/CPPM_Load-Balancing_TechNote.pdf

     

    Please, if you don't understand the setting or need more information, tell me.

     

    Thanks in advance.

     



  • 2.  RE: Pros & Cons between hardware and Clearpass load balancing

    EMPLOYEE
    Posted Jan 28, 2016 04:56 AM

    Clearpass does not do any load balancing. It is either done with the NAS device or with a third-party load balancer.



  • 3.  RE: Pros & Cons between hardware and Clearpass load balancing

    Posted Jan 28, 2016 05:01 AM

    I do not understand your answer. In one of the links I posted in my message I have found this...

     

    You have three options:


    1) If you're using AOS 6.4, check the RADIUS load balancing box in the server-group config.

    2) If you're not using AOS 6.4, create two server groups, one with server A in slot 1 and Server B in slot 2, and then in the second server group flip them. Then assign these to different AP groups.

    3) Use a hardware load balancer.



  • 4.  RE: Pros & Cons between hardware and Clearpass load balancing

    EMPLOYEE
    Posted Jan 28, 2016 05:07 AM

    Per your question, you asked: "Or is it enough activating RADIUS load balancing feature in Clearpass? Which one offer the best performance and availability?"

     

    I was stating that ClearPass does not do RADIUS load balancing. The three options you posted are your options today.

     

    If you want complete load balancing, then you would need a third-party load balancer.

     



  • 5.  RE: Pros & Cons between hardware and Clearpass load balancing

    Posted Jan 31, 2016 10:17 AM

    lazaro@unitronics.es wrote:

    I do not understand your answer. In one of the links I posted in my message I have found this...

     

    1) If you're using AOS 6.4, check the RADIUS load balancing box in the server-group config.

    2) If you're not using AOS 6.4, create two server groups, one with server A in slot 1 and Server B in slot 2, and then in the second server group flip them. Then assign these to different AP groups.



    To add to Troy's reply, options 1 and 2 talk about ArubaOS, the software on the controller, not the software ClearPass uses.



  • 6.  RE: Pros & Cons between hardware and Clearpass load balancing

    Posted Feb 03, 2016 07:47 AM

    Thanks for all your replies. So in a setup with a clearpass cluster with two devices, one publisher and one subscriber, if I've understood well, I'd do this to balance load between them:

    - RADIUS: configure NAS to share the requests between them or put a load balancer between NAS and clearpass to balance requests.

    - Captive portals: configure DNS to balance DNS requests between both clearpass or put a load balancer in front of clearpass to balance requests.

     

    Are my assumptions right?

     

    My doubt is what happens inside my clearpass cluster (1 publisher + 1 subscriber) when accessing captive portals through the virtual IP cluster address.

    1. Are all the requests answered by the master?

    2. If all the requests are answered by only one clearpass, what should I do to avoid exceeding clearpass' resources capacity? 

    3. Are all the requests balanced internally?

    4. Do both clearpass reply to captive portal requests at the same time?

     

    Sorry for all these questions but I want to be sure of how clearpass works.

     

    Thanks in advance.



  • 7.  RE: Pros & Cons between hardware and Clearpass load balancing
    Best Answer

    EMPLOYEE
    Posted Feb 03, 2016 03:07 PM

    When using the virtual IP, only the CPPM that is currently master and owns the VIP will respond.

     

    I'd recommend using NAD load balancing for RADIUS and VIP for guest portal URL.