Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS 8 MD cluster and CoA

  • 1.  ArubaOS 8 MD cluster and CoA

    Posted May 02, 2018 11:32 AM

    Working on an 8.2 environment with an MM cluster and an MD cluster, both of two nodes. I set up VRRP between the MDs for the APs to connect to initially, and set up the MD cluster with two VRRP IPs, which, from what I picked up from the documentation and here, is needed for CoA.

    So one MD has three active IPs and one MD has two active IPs.

    MD #1
    10.3.22.31 - node IP
    10.3.22.41 - cluster VRRP IP
    10.3.22.30 - MD VRRP IP (for APs)

    MD #2
    10.3.22.32 - node IP
    10.3.22.42 - cluster VRRP IP

    show vrrp looks good, IPs are active where I expect them.

    Cluster looks good, L2 connected.

    When a client connects it ends up on one of the MDs, and if I turn off that MD it eventually shows up on the other MD.

    So, on to CoA: first of all, am I correct that these extra IPs are needed so that when a client moves to another MD, CoA remains working? That in principle only happens after a device failure, right?

    I configured the RADIUS server profile with the NAS IP set to 10.3.22.41 on MD #1 and 10.3.22.42 on MD #2.

    With this setup I can bounce a client from ClearPass (6.6) on either MD.

    Now when I turn off one MD the client moves, but I'm unable to perform the CoA. ClearPass doesn't let me (the CoA option is greyed out; it was fine before turning off the MD, and I repeated this test several times); it has in some way detected that the MD is different or such.

    Has anyone experienced the same? (In itself the last part might be more a question for the Security forum, but it seems the ArubaOS 8 MD cluster function is the basis of this issue.)



  • 2.  RE: ArubaOS 8 MD cluster and CoA

    Posted May 02, 2018 01:45 PM
    Did you include the Cluster VRRP IPs in your RADIUS server as RADIUS Clients?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: ArubaOS 8 MD cluster and CoA

    Posted May 03, 2018 12:54 PM

    Yep, all relevant MD IPs are there:

      10.3.22.31-32

      10.3.22.41-42

    At the moment I think .31 and .32 can be removed, but well.

    It also works fine before the failure of one of the MDs.

    BTW, am I correct in the assumption about the "need" for this setup, only that specific case of a client moving to another MD and wanting to do CoA?



  • 4.  RE: ArubaOS 8 MD cluster and CoA

    EMPLOYEE
    Posted May 03, 2018 05:01 PM

    @boneyard wrote:

    btw am I correct in the assumption about the "need" for this setup, only that specific case of client move of MD and wanting to do CoA?


    Correct. The RADIUS server should see the VRRP address in auths, so that it can respond with CoA and be properly handled if/when the MD is not available.

    On the ClearPass side, when a user authenticates, does CPPM see it coming from the .31/.32 primary addresses, or does it see the VRRP IPs (.41/.42)?
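
Added example, not part of the thread or of any participant's post: one way to check the question above offline, by reading the NAS-IP-Address attribute (RFC 2865, type 4) out of a captured Access-Request and classifying it against the node and cluster VRRP addresses listed in the first post. It inspects the attribute only, not the packet's source address; the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

NODE_IPS = {"10.3.22.31", "10.3.22.32"}          # node IPs from the thread
CLUSTER_VRRP_IPS = {"10.3.22.41", "10.3.22.42"}  # cluster VRRP IPs from the thread
NAS_IP_ADDRESS = 4  # RFC 2865 attribute type


def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} for a RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def classify_nas_ip(packet: bytes) -> tuple:
    """Return (nas_ip, kind): which class of MD address the server is shown."""
    values = parse_attributes(packet).get(NAS_IP_ADDRESS, [])
    if not values or len(values[0]) != 4:
        return (None, "missing")
    nas_ip = str(ipaddress.IPv4Address(values[0]))
    if nas_ip in CLUSTER_VRRP_IPS:
        return (nas_ip, "cluster-vrrp")
    if nas_ip in NODE_IPS:
        return (nas_ip, "node")
    return (nas_ip, "unknown")


def build_request(nas_ip: str, user: bytes = b"testuser") -> bytes:
    """Constructed sample Access-Request (code 1): User-Name + NAS-IP-Address."""
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    for ip in ("10.3.22.41", "10.3.22.31"):
        print(classify_nas_ip(build_request(ip)))
```
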



  • 5.  RE: ArubaOS 8 MD cluster and CoA

    Posted May 06, 2018 09:31 AM

    ClearPass sees the VRRP IPs (.41/.42)

    So that part is working fine; it is just the case for which I would implement this, the move to another MD, which suddenly makes things stop.



  • 6.  RE: ArubaOS 8 MD cluster and CoA

    Posted May 10, 2018 04:23 AM

    Anyone recognize this? Perhaps a bug or such; need to see if it also happens with ClearPass 6.7 perhaps, and ArubaOS 8.3 is out, perhaps ...