Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

failover with Layer3 on CPPM for Guest

  • 1.  failover with Layer3 on CPPM for Guest

    Posted Oct 15, 2014 01:49 PM

    We have two ClearPass servers clustered. Their management IP addresses are in different subnets.

    The question is failover with Layer 3, as we will not have a VIP. If the publisher fails, how do requests go to the subscriber?

    For RADIUS requests, I believe I can have primary/secondary entries. But for guest/captive portal, how does the request get to the secondary server upon failure of the publisher?



  • 2.  RE: failover with Layer3 on CPPM for Guest

    EMPLOYEE
    Posted Oct 15, 2014 02:57 PM
    You must have a VIP in place or load balancer.


  • 3.  RE: failover with Layer3 on CPPM for Guest

    Posted Oct 15, 2014 09:58 PM

    Hi prasad405,

    You can also get a little creative if you have MPLS-enabled gear. You could run VRRP for the ClearPass gateway over a VPLS instance. This could achieve shared L3 over MPLS, but it's far less common.

    Troy's right, the most popular way to pull this off without the use of the ClearPass Virtual IP is with a dedicated load balancer. That way you can point the URL redirect to the load balancer IP address and let it spray IPs based on its criteria. I've seen people use F5s and very elaborate iRules alongside health checks to guarantee the servers are still responding to pings and HTTP/HTTPS requests.

    Hope this helps!

    -Mike
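
The HTTPS health check with failover described in the post above, as an added example that is not part of the original thread and is not Aruba or F5 code. The hostnames, the `/guest/` probe path and the rise/fall thresholds are assumptions; the probe verifies the server certificate, and a node changes state only after several consecutive results so a single lost probe does not move the portal redirect.

```python
"""Added example: rise/fall health monitor for two captive-portal nodes."""
import http.client
import ssl
import urllib.request
from dataclasses import dataclass

# Assumptions, not from the thread: hostnames, probe path, thresholds.
NODES = ["cppm-publisher.example.net", "cppm-subscriber.example.net"]
PROBE_PATH = "/guest/"
FALL, RISE = 3, 2   # consecutive failures to mark down / successes to mark up


def https_probe(host, timeout=3.0):
    """True only if the node passes TLS verification and answers HTTP 200."""
    ctx = ssl.create_default_context()   # verifies certificate chain and hostname
    url = f"https://{host}{PROBE_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status == 200
    except (OSError, http.client.HTTPException):
        return False   # timeout, refused, TLS failure, HTTP 4xx/5xx, bad reply


@dataclass
class NodeState:
    up: bool = True
    streak: int = 0   # consecutive probe results that disagree with `up`


class Monitor:
    def __init__(self, nodes=NODES, probe=https_probe):
        self.nodes, self.probe = list(nodes), probe
        self.state = {n: NodeState() for n in self.nodes}

    def poll(self):
        """Probe each node once, apply rise/fall damping, return the target."""
        for node in self.nodes:
            st, ok = self.state[node], self.probe(node)
            if ok == st.up:
                st.streak = 0          # result agrees with current state
                continue
            st.streak += 1
            if st.streak >= (RISE if ok else FALL):
                st.up, st.streak = ok, 0
        return self.target()

    def target(self):
        """First healthy node in priority order, or None if all are down."""
        return next((n for n in self.nodes if self.state[n].up), None)
```

Calling `Monitor().poll()` on a timer returns the node the redirect URL should resolve to; a `None` result means neither node passed and is worth alerting on.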



  • 4.  RE: failover with Layer3 on CPPM for Guest

    Posted Oct 16, 2014 12:53 AM
    Hi All,
    Thank you very much... It was really helpful...


  • 5.  RE: failover with Layer3 on CPPM for Guest

    Posted Oct 17, 2014 12:25 PM

    Guys,

    Just FYI... at the following link are a bunch of my CPPM TechNotes; there is one there related to CPPM + F5. Might be useful if you pursue an SLB-type CPPM deployment.

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961