Contributor II

Testing clearpass failover



Just wanted to ask what the correct way would be to test a clearpass failover. Basically, we have two servers, which are confgured as publisher and subscriber. I know I can shutdown the server from the GUI, which would obviously cause the failover, but just wanted to make sure that is the only thing I have to do. Is there anything else I need to do?


Also, can you advise what the correct procedure is to add the server back?



Contributor II

Re: Testing clearpass failover

That will do it. Or switch off the interfaces at the switch.


One thing to remember, with dot1X authentication, if one server in a group stops responding to RADIUS, Aruba controllers will not attempt to connect to that server for a specified time (I think its an hour) so bringing it back up won't mean service will automatically fall back to that server.

Contributor II

Re: Testing clearpass failover

Thanks for the reply. 


So after we either shut it down or switch off the port. When bringing it back into normal state would it automatically join back as the publisher after 1 hr or do I have to do anything to make it publisher again?


Also, how do we make it come inline straight away and start servicing radius requests?

Contributor II

Re: Testing clearpass failover

It will come back as publisher straight away. In fact, unless you actively login to the subscriber and promote it, the subscriber will remain a subscriber and the publisher will remain as a publisher.


However, the Aruba controller will stop sending RADIUS requests to the failed server and start sending them to the second server in the server group list and won't try again for the timeout period.


Note that this won't happen if you are using Virtual IPs as you would only have one server listed in the server group.

Re: Testing clearpass failover

If you have a VIP configured between the two ClearPass servers you could have the VIP as your RADIUS IP address on your NAD device and once the Publisher goes away the subscriber should take over automatically.


This information is valid only if you have your ClearPass servers in the same Layer 2 segment , this works similar to VRRP

Thank you

Victor Fabian
Lead Mobility Architect @WEI
Contributor II

Re: Testing clearpass failover

Thank you for the input. Sorry a bit new to this so just trying to understand it fully.


I checked the config on the controller and they point to a single VIP address and have checked on clearpass and their is a VIP configured between the two nodes. 


So is the following process correct:


1. Shutdown the publisher from GUI 

2. Check the accounting logs and see if radius requests are still going through. (Being logged in VIA the VIP)

3. Leave it running for a while and see if everything is working normally

4. Restore the server from the server configuration

5. watch it come back up as the publisher 

6. check accounting logs to see if everything is working normally. 


Please let me know if that is the correct process or if I have missed anything. 


Contributor II

Re: Testing clearpass failover

Yes, that will work. And unless you have done anything crazy like factory resetting the server, you wont need to restore any config. The logs generated by the subscriber in the time while it was down will be synced to the publisher so essentially, you will be back where you were as if nothing had happened :-)

Contributor II

Re: Testing clearpass failover

Thanks. It is clear now. :-)

Search Airheads
Showing results for 
Search instead for 
Did you mean: