Security

Does  clearpass (virtual ip) do captive and auth  portal load balanicng ? Or virtual IP is  only for auth HA/redundancy ? I've seen video with common use cases mentioned that VIP enables removal of L7 SLB. 

The VIP is primarily used to make the captive portal URL highly available. If you need to load balance RADIUS requests, you'll need to use the network device's load balancing capability or an external load balance e. 


Thanks, 
Tim

Hi - I have a question around this.

 

I just created a cluster, and the captive portal is defined on the publisher. If the publisher becomes unavailable (for whatever reason), how does the subscriber take over ?

 

publisher is 172.27.94.132/23

subscriber is 172.27.92.132/23

DNS for clearpass is 172.27.94.132

 

thx!

Take a look at the cluster TechNote.

OK, thx. Now, two possibly dumb questions if the publisher dies:

 

1.  will the subscriber process Captive portal requests after it is promoted to publisher?  According to the doc that will take around 8 minutes (which is fine)  "The backup publisher node cannot take over immediately (in the sense of it creating Guest accounts etc,) as the failure may be transient and the minimum time it takes for a standby-­‐Publisher to become active is about 8 minutes"

2. if there is a DNS entry for the publisher, how does the captive portal traffic get redirected to the subscriber?

 

3. Is there a way to test this without downing the publisher?

1.  will the subscriber process Captive portal requests after it is promoted to publisher? 

[djj] - Yes.

According to the doc that will take around 8 minutes (which is fine)  "The backup publisher node cannot take over immediately (in the sense of it creating Guest accounts etc,) as the failure may be transient and the minimum time it takes for a standby-­‐Publisher to become active is about 8 minutes"

[djj] - Note it can take longer, it depends on the size of the cluster and DB's.

 

"The backup publisher node cannot take over immediately (in the sense of it creating Guest accounts etc,) as the failure may be transient and the minimum time it takes for a standby-­‐Publisher to become active is about 8 minutes"

 

 

2. if there is a DNS entry for the publisher, how does the captive portal traffic get redirected to the subscriber?

[djj] - As you have L3 between your CPPM-nodes, the issue is your unable to have a VIP across them unless you deploy a L2 GRE/VPLS network to permit the L2 VIP process to function... i.e. VIP addresses must exist in say L2 network and can't cross a L3 boundary. 

Else, you need some other process to front the Portal, such as a VIP on an ADC.... or you're into tweaking DNS records when you fail over.

 

 

3. Is there a way to test this without downing the publisher?

Thanks Danny - can you please calrify what ADC is?

 

Else, you need some other process to front the Portal, such as a VIP on an ADC

 

ADC-Application Delivery Controller, or if you like to use old-money..... an SLB..!!

Yeah, that's a great document, can't recommend it to much.

Hi,

 

I know this is an old post, but am trying to find the cluster tehcnote as I am looking at the exact scenario mentioned 

 

Cheers

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33298

 

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=33093

We've also started to migrate a lot of the TechNotes to a new home.... either go arubanetworks.com/clearpassdocs or under the new asp.arubanetworks.com support site.

 

https://support.hpe.com/hpesc/public/docDisplay?docId=a00100359en_us

 

Take a look at the cluster TechNote.