Security

Hi,
We have a guest wifi network using clearpass using a 2 node  clearpas cluster.  Each cluster node is in a different  data center and hence in a different ip address space. The FQDN configured on our mobility controllers resolves to the IP address of the master publisher.

In terms of providing resilience ( case of master publsiher becoming unavailable),  I'm guessing  front ending the  cppm cluster with a hardware load balancer and pointing the captive portal FQDN to its VIP is my only option?

Rgds
Alex

you can also achieve good resilience without the HW load-balancer.

This is done by configuring a VIP on ClearPass and your Captive Portal URL and its DNS would resolve to that VIP. and your NADs would be pointing to it as well.
You can do the same thing for RADIUS authentication as well.


------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Jan 13, 2023 04:50 AM
From: alexs-nd
Subject: Captive portal page resilience

Hi,
We have a guest wifi network using clearpass using a 2 node  clearpas cluster.  Each cluster node is in a different  data center and hence in a different ip address space. The FQDN configured on our mobility controllers resolves to the IP address of the master publisher.

In terms of providing resilience ( case of master publsiher becoming unavailable),  I'm guessing  front ending the  cppm cluster with a hardware load balancer and pointing the captive portal FQDN to its VIP is my only option?

Rgds
Alex

Yes but only if you have 2 cppm appliances on the same L2 network. We have a 2 node cluster with each node in a different data centre and therefor on different l3 networks
A
Sent from my iPhone


Original Message:
Sent: 1/13/2023 4:42:00 PM
From: ariyap
Subject: RE: Captive portal page resilience

you can also achieve good resilience without the HW load-balancer.

This is done by configuring a VIP on ClearPass and your Captive Portal URL and its DNS would resolve to that VIP. and your NADs would be pointing to it as well.
You can do the same thing for RADIUS authentication as well.


------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Jan 13, 2023 04:50 AM
From: alexs-nd
Subject: Captive portal page resilience

Hi,
We have a guest wifi network using clearpass using a 2 node  clearpas cluster.  Each cluster node is in a different  data center and hence in a different ip address space. The FQDN configured on our mobility controllers resolves to the IP address of the master publisher.

In terms of providing resilience ( case of master publsiher becoming unavailable),  I'm guessing  front ending the  cppm cluster with a hardware load balancer and pointing the captive portal FQDN to its VIP is my only option?

Rgds
Alex

good point, then it looks like the best option would be a load balancer.

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Jan 13, 2023 11:47 PM
From: alexs-nd
Subject: Captive portal page resilience

Yes but only if you have 2 cppm appliances on the same L2 network. We have a 2 node cluster with each node in a different data centre and therefor on different l3 networks
A
Sent from my iPhone


Original Message:
Sent: 1/13/2023 4:42:00 PM
From: ariyap
Subject: RE: Captive portal page resilience

you can also achieve good resilience without the HW load-balancer.

This is done by configuring a VIP on ClearPass and your Captive Portal URL and its DNS would resolve to that VIP. and your NADs would be pointing to it as well.
You can do the same thing for RADIUS authentication as well.


------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

Original Message:
Sent: Jan 13, 2023 04:50 AM
From: alexs-nd
Subject: Captive portal page resilience

Hi,
We have a guest wifi network using clearpass using a 2 node  clearpas cluster.  Each cluster node is in a different  data center and hence in a different ip address space. The FQDN configured on our mobility controllers resolves to the IP address of the master publisher.

In terms of providing resilience ( case of master publsiher becoming unavailable),  I'm guessing  front ending the  cppm cluster with a hardware load balancer and pointing the captive portal FQDN to its VIP is my only option?

Rgds
Alex