Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass HA questions

  • 1.  Clearpass HA questions

    Posted Mar 23, 2023 10:43 AM

    Hello! I have a few questions regarding this.

    The configuration seems easy.

    But I want to know a few details.

    Right now we have one ClearPass that is in production and the other one which is there just waiting to be the subscriber.

    1-Do I need to join the subscriber to the domain first before making it the subscriber?

    2-I installed the RADIUS EAP certificate before making that ClearPass a subscriber. I saw that you did it after; is there no issue if I leave it like that?

    3-I need to create the virtual IP and change all the switches' RADIUS server IPs to the virtual IP address. The same will be for the wireless controller; I need to change the IP it has to the virtual IP address.

    4-I need to change the captiveporta.domain.com entry on the DNS server for the guest users to use the virtual IP. For this guest module to totally work I will need to have at least one publisher up.

    If you can think of any other recommendations, please advise me. Thanks.



  • 2.  RE: Clearpass HA questions
    Best Answer

    MVP EXPERT
    Posted Mar 23, 2023 12:10 PM

    1) Each CPPM will need to be joined to the domain regardless as to whether it is a Publisher or Subscriber. You can do this before promoting/demoting a Publisher/Subscriber.

    2) No, the certificates are independent to each CPPM and will survive the Publisher/Subscriber transition.

    3) You can send RADIUS requests to any interface on CPPM and it will respond. Your design will determine if the switch/controller sends it to MGMT/DATA/VIP.

    4) This is correct, the HTTPS certificate should also match this domain too.

    I suggest you take a look at the cluster guidelines.




  • 3.  RE: Clearpass HA questions

    Posted Mar 23, 2023 12:36 PM

    Okay 

    Do you suggest that I add this new ClearPass before doing the HA? It's just that I didn't get that part. Sorry, my English is not that good.

    Just want to know if I add this before creating the cluster or after creating the cluster.

    Right now just the ClearPass in production is joined to the AD.




  • 4.  RE: Clearpass HA questions

    MVP EXPERT
    Posted Mar 23, 2023 12:47 PM
    Yes, you will need to add the Subscriber before setting up HA. It can be joined to the domain either before or after this process.





  • 5.  RE: Clearpass HA questions

    Posted Mar 25, 2023 10:52 AM

    Thank you Craig!