Security

HI,

What are the pros and cons of using ClearPass (Wireless, Wired NAC, TACACS+) Virtual IP or Physical IP address?

How to decide which one is better for belwo scenario?

Thanks.

Situation

- 2 data centres

- 2 x CPPM at each data centre

- 10 x branch WLAN controllers

- 200 x switches which need TACACS+

I can't comment on the cons with both the physical or virtual IP (VIP) address, cause the usage of these IP addresses on the network devices comes down to your requirement and the network design.

The virtual IP address has the advantage of being configured as a single radius/tacacs/captive-portal server with auto-failover when the primary server is down and fall-back once the primary server is up. 

I recommend using virtual IP address, especially if you are implementing Layer 3 authentication (guest registration/login). The VIP can direct the users to the secondary server without any manual configuration change.

---

@david.cw.liu1 wrote:

HI,

 

What are the pros and cons of using ClearPass (Wireless, Wired NAC, TACACS+) Virtual IP or Physical IP address?

How to decide which one is better for belwo scenario?

Thanks.

 

Situation

- 2 data centres

- 2 x CPPM at each data centre

- 10 x branch WLAN controllers

- 200 x switches which need TACACS+

---

I would say that the VIP address is designed for guest page redirect on CPPM, where you can only redirect users to  a single URL but you require some sort of redundancy.  With TACACS and radius, you can always add a second ip address in the NAS device for redundancy, but with guest scenarios, that is not possible.  The VIP is for that scenario for people who cannot or do not want to put their guest traffic in front of a load balancer for redundancy.

thanks Joseph.

So VIP is especially useful for Guest Portal resilience.

But will VIP impose extra down time or manual work for upgrading the CPPM VIP group? (suppose 2 x CPPM form a VIP for guest portal purpose)

Thanks.

David