Security

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

Your cluster is L3 connected, it is suboptimal. Seamless rooming works in the L2 connected cluster. I can only recommend that you ensure that the cluster is L2 connected.

You cannot configure the connected mode, the cluster members determine it dynamically. Mobility controllers send broadcasts via each VLAN, if broadcasts do not arrive in a VLAN, L3 mode is used. This happens, for example, if there are VLANs in the controller that have not been tagged on the upstream switch. Check whether new VLANs have been created or VLAN tagging has been changed on the switch. You can also set VLAN to an exlude list, in which case no probes are sent via this VLAN. This is done at the controller level, you must not exlude the controller VLAN!

Display vlan-probes, use "show lc-cluster vlan-probe status" on the MCR CLI, here reference output

show lc-cluster vlan-probe status

Cluster VLAN Probe Status
-------------------------
Type IPv4 Address    REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer   192.168.84.12      124        0      116        0      116      121         0   L2 Conn     0/   0

As soon as the cluster is L2 connected again, cluster VRRPs will also be activated.
Each controller becomes the MASTER in one instance and the BACKUP in three others.

Good luck.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 16, 2024 05:24 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 01:32 AM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------

Thanks Waldemar, vlan probe has helped me find the problem:

I recently cleaned up some VLANs we no longer need (2504 and 2508) and deleted them from the Managed Network Folder level.
Gone from the list below:

And I thought in doing that those VLANs would be gone from the controllers, which was true from the controller VLAN interface level. 
But those VLANs still show up on the Services > Cluster Profile config

The second I excluded those two VLANs (2504, 2508) from the Cluster Profile,  the clusters come back to L2 connected.

Sorting the exclusion list also helped me sort the cluster status of another cluster that inherits all the VLANs from above, but doesn't use any of them. it only uses its own 3 specific VLANs, but as the exclusion list showed all VLANs i was in the same situation there.

And just to confirm in CP, the MC is no longer referenced in the access requests, it's back to showing the individual controller's VRRP-IP

Thanks for the nudge.

Best regards.
Nathan.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 06:49 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Your cluster is L3 connected, it is suboptimal. Seamless rooming works in the L2 connected cluster. I can only recommend that you ensure that the cluster is L2 connected.

You cannot configure the connected mode, the cluster members determine it dynamically. Mobility controllers send broadcasts via each VLAN, if broadcasts do not arrive in a VLAN, L3 mode is used. This happens, for example, if there are VLANs in the controller that have not been tagged on the upstream switch. Check whether new VLANs have been created or VLAN tagging has been changed on the switch. You can also set VLAN to an exlude list, in which case no probes are sent via this VLAN. This is done at the controller level, you must not exlude the controller VLAN!

Display vlan-probes, use "show lc-cluster vlan-probe status" on the MCR CLI, here reference output

show lc-cluster vlan-probe status

Cluster VLAN Probe Status
-------------------------
Type IPv4 Address    REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer   192.168.84.12      124        0      116        0      116      121         0   L2 Conn     0/   0

As soon as the cluster is L2 connected again, cluster VRRPs will also be activated.
Each controller becomes the MASTER in one instance and the BACKUP in three others.

Good luck.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 16, 2024 05:24 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 01:32 AM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------

Would seem I picked a lucky access request earlier, as I've just noticed that other requests are still coming in on the MC VIP.
Turns out cluster 1 is reporting the VRRP IP for each director.
Cluster 2 - only 1 director is reporting with its VRRP IP, the other 2 aren't.
Cluster 3 - all 4 VRRP-IP are absent from the CP filter, so requests only coming in from MM VIP as NAS IP.

Have to drill into a request to look for the Src-IP in order to know which director the traffic came from, as the Dest-IP is the mgmt interface of the Conductor, and NAD-IP is the Conductor VIP.

Looking back into the cluster cfg to see what I've missed!

Thanks Waldemar, vlan probe has helped me find the problem:

I recently cleaned up some VLANs we no longer need (2504 and 2508) and deleted them from the Managed Network Folder level.
Gone from the list below:

And I thought in doing that those VLANs would be gone from the controllers, which was true from the controller VLAN interface level. 
But those VLANs still show up on the Services > Cluster Profile config

The second I excluded those two VLANs (2504, 2508) from the Cluster Profile,  the clusters come back to L2 connected.

Sorting the exclusion list also helped me sort the cluster status of another cluster that inherits all the VLANs from above, but doesn't use any of them. it only uses its own 3 specific VLANs, but as the exclusion list showed all VLANs i was in the same situation there.

And just to confirm in CP, the MC is no longer referenced in the access requests, it's back to showing the individual controller's VRRP-IP

Thanks for the nudge.

Best regards.
Nathan.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 06:49 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Your cluster is L3 connected, it is suboptimal. Seamless rooming works in the L2 connected cluster. I can only recommend that you ensure that the cluster is L2 connected.

You cannot configure the connected mode, the cluster members determine it dynamically. Mobility controllers send broadcasts via each VLAN, if broadcasts do not arrive in a VLAN, L3 mode is used. This happens, for example, if there are VLANs in the controller that have not been tagged on the upstream switch. Check whether new VLANs have been created or VLAN tagging has been changed on the switch. You can also set VLAN to an exlude list, in which case no probes are sent via this VLAN. This is done at the controller level, you must not exlude the controller VLAN!

Display vlan-probes, use "show lc-cluster vlan-probe status" on the MCR CLI, here reference output

show lc-cluster vlan-probe status

Cluster VLAN Probe Status
-------------------------
Type IPv4 Address    REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer   192.168.84.12      124        0      116        0      116      121         0   L2 Conn     0/   0

As soon as the cluster is L2 connected again, cluster VRRPs will also be activated.
Each controller becomes the MASTER in one instance and the BACKUP in three others.

Good luck.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 16, 2024 05:24 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 01:32 AM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------

I apologise to the community!
The shame.

Would seem I picked a lucky access request earlier, as I've just noticed that other requests are still coming in on the MC VIP.
Turns out cluster 1 is reporting the VRRP IP for each director.
Cluster 2 - only 1 director is reporting with its VRRP IP, the other 2 aren't.
Cluster 3 - all 4 VRRP-IP are absent from the CP filter, so requests only coming in from MM VIP as NAS IP.

Have to drill into a request to look for the Src-IP in order to know which director the traffic came from, as the Dest-IP is the mgmt interface of the Conductor, and NAD-IP is the Conductor VIP.

Looking back into the cluster cfg to see what I've missed!

Thanks Waldemar, vlan probe has helped me find the problem:

I recently cleaned up some VLANs we no longer need (2504 and 2508) and deleted them from the Managed Network Folder level.
Gone from the list below:

And I thought in doing that those VLANs would be gone from the controllers, which was true from the controller VLAN interface level. 
But those VLANs still show up on the Services > Cluster Profile config

The second I excluded those two VLANs (2504, 2508) from the Cluster Profile,  the clusters come back to L2 connected.

Sorting the exclusion list also helped me sort the cluster status of another cluster that inherits all the VLANs from above, but doesn't use any of them. it only uses its own 3 specific VLANs, but as the exclusion list showed all VLANs i was in the same situation there.

And just to confirm in CP, the MC is no longer referenced in the access requests, it's back to showing the individual controller's VRRP-IP

Thanks for the nudge.

Best regards.
Nathan.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 06:49 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Your cluster is L3 connected, it is suboptimal. Seamless rooming works in the L2 connected cluster. I can only recommend that you ensure that the cluster is L2 connected.

You cannot configure the connected mode, the cluster members determine it dynamically. Mobility controllers send broadcasts via each VLAN, if broadcasts do not arrive in a VLAN, L3 mode is used. This happens, for example, if there are VLANs in the controller that have not been tagged on the upstream switch. Check whether new VLANs have been created or VLAN tagging has been changed on the switch. You can also set VLAN to an exlude list, in which case no probes are sent via this VLAN. This is done at the controller level, you must not exlude the controller VLAN!

Display vlan-probes, use "show lc-cluster vlan-probe status" on the MCR CLI, here reference output

show lc-cluster vlan-probe status

Cluster VLAN Probe Status
-------------------------
Type IPv4 Address    REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer   192.168.84.12      124        0      116        0      116      121         0   L2 Conn     0/   0

As soon as the cluster is L2 connected again, cluster VRRPs will also be activated.
Each controller becomes the MASTER in one instance and the BACKUP in three others.

Good luck.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 16, 2024 05:24 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 01:32 AM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------

But now it works the way you want it to?
Cluster members are L2 connected, cluster VRRP IP are used for authentication?

I apologise to the community!
The shame.

Would seem I picked a lucky access request earlier, as I've just noticed that other requests are still coming in on the MC VIP.
Turns out cluster 1 is reporting the VRRP IP for each director.
Cluster 2 - only 1 director is reporting with its VRRP IP, the other 2 aren't.
Cluster 3 - all 4 VRRP-IP are absent from the CP filter, so requests only coming in from MM VIP as NAS IP.

Have to drill into a request to look for the Src-IP in order to know which director the traffic came from, as the Dest-IP is the mgmt interface of the Conductor, and NAD-IP is the Conductor VIP.

Looking back into the cluster cfg to see what I've missed!

Thanks Waldemar, vlan probe has helped me find the problem:

I recently cleaned up some VLANs we no longer need (2504 and 2508) and deleted them from the Managed Network Folder level.
Gone from the list below:

And I thought in doing that those VLANs would be gone from the controllers, which was true from the controller VLAN interface level. 
But those VLANs still show up on the Services > Cluster Profile config

The second I excluded those two VLANs (2504, 2508) from the Cluster Profile,  the clusters come back to L2 connected.

Sorting the exclusion list also helped me sort the cluster status of another cluster that inherits all the VLANs from above, but doesn't use any of them. it only uses its own 3 specific VLANs, but as the exclusion list showed all VLANs i was in the same situation there.

And just to confirm in CP, the MC is no longer referenced in the access requests, it's back to showing the individual controller's VRRP-IP

Thanks for the nudge.

Best regards.
Nathan.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 06:49 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Your cluster is L3 connected, it is suboptimal. Seamless rooming works in the L2 connected cluster. I can only recommend that you ensure that the cluster is L2 connected.

You cannot configure the connected mode, the cluster members determine it dynamically. Mobility controllers send broadcasts via each VLAN, if broadcasts do not arrive in a VLAN, L3 mode is used. This happens, for example, if there are VLANs in the controller that have not been tagged on the upstream switch. Check whether new VLANs have been created or VLAN tagging has been changed on the switch. You can also set VLAN to an exlude list, in which case no probes are sent via this VLAN. This is done at the controller level, you must not exlude the controller VLAN!

Display vlan-probes, use "show lc-cluster vlan-probe status" on the MCR CLI, here reference output

show lc-cluster vlan-probe status

Cluster VLAN Probe Status
-------------------------
Type IPv4 Address    REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer   192.168.84.12      124        0      116        0      116      121         0   L2 Conn     0/   0

As soon as the cluster is L2 connected again, cluster VRRPs will also be activated.
Each controller becomes the MASTER in one instance and the BACKUP in three others.

Good luck.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 16, 2024 05:24 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 01:32 AM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------

I apologise to the community!
The shame.

Would seem I picked a lucky access request earlier, as I've just noticed that other requests are still coming in on the MC VIP.
Turns out cluster 1 is reporting the VRRP IP for each director.
Cluster 2 - only 1 director is reporting with its VRRP IP, the other 2 aren't.
Cluster 3 - all 4 VRRP-IP are absent from the CP filter, so requests only coming in from MM VIP as NAS IP.

Have to drill into a request to look for the Src-IP in order to know which director the traffic came from, as the Dest-IP is the mgmt interface of the Conductor, and NAD-IP is the Conductor VIP.

Looking back into the cluster cfg to see what I've missed!

Thanks Waldemar, vlan probe has helped me find the problem:

I recently cleaned up some VLANs we no longer need (2504 and 2508) and deleted them from the Managed Network Folder level.
Gone from the list below:

And I thought in doing that those VLANs would be gone from the controllers, which was true from the controller VLAN interface level. 
But those VLANs still show up on the Services > Cluster Profile config

The second I excluded those two VLANs (2504, 2508) from the Cluster Profile,  the clusters come back to L2 connected.

Sorting the exclusion list also helped me sort the cluster status of another cluster that inherits all the VLANs from above, but doesn't use any of them. it only uses its own 3 specific VLANs, but as the exclusion list showed all VLANs i was in the same situation there.

And just to confirm in CP, the MC is no longer referenced in the access requests, it's back to showing the individual controller's VRRP-IP

Thanks for the nudge.

Best regards.
Nathan.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 06:49 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Your cluster is L3 connected, it is suboptimal. Seamless rooming works in the L2 connected cluster. I can only recommend that you ensure that the cluster is L2 connected.

You cannot configure the connected mode, the cluster members determine it dynamically. Mobility controllers send broadcasts via each VLAN, if broadcasts do not arrive in a VLAN, L3 mode is used. This happens, for example, if there are VLANs in the controller that have not been tagged on the upstream switch. Check whether new VLANs have been created or VLAN tagging has been changed on the switch. You can also set VLAN to an exlude list, in which case no probes are sent via this VLAN. This is done at the controller level, you must not exlude the controller VLAN!

Display vlan-probes, use "show lc-cluster vlan-probe status" on the MCR CLI, here reference output

show lc-cluster vlan-probe status

Cluster VLAN Probe Status
-------------------------
Type IPv4 Address    REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer   192.168.84.12      124        0      116        0      116      121         0   L2 Conn     0/   0

As soon as the cluster is L2 connected again, cluster VRRPs will also be activated.
Each controller becomes the MASTER in one instance and the BACKUP in three others.

Good luck.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 16, 2024 05:24 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 01:32 AM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------

Do remember to go ahead and set the NAS IP on the individual controllers so that the MCR address doesn't get used.

I apologise to the community!
The shame.

Would seem I picked a lucky access request earlier, as I've just noticed that other requests are still coming in on the MC VIP.
Turns out cluster 1 is reporting the VRRP IP for each director.
Cluster 2 - only 1 director is reporting with its VRRP IP, the other 2 aren't.
Cluster 3 - all 4 VRRP-IP are absent from the CP filter, so requests only coming in from MM VIP as NAS IP.

Have to drill into a request to look for the Src-IP in order to know which director the traffic came from, as the Dest-IP is the mgmt interface of the Conductor, and NAD-IP is the Conductor VIP.

Looking back into the cluster cfg to see what I've missed!

Thanks Waldemar, vlan probe has helped me find the problem:

I recently cleaned up some VLANs we no longer need (2504 and 2508) and deleted them from the Managed Network Folder level.
Gone from the list below:

And I thought in doing that those VLANs would be gone from the controllers, which was true from the controller VLAN interface level. 
But those VLANs still show up on the Services > Cluster Profile config

The second I excluded those two VLANs (2504, 2508) from the Cluster Profile,  the clusters come back to L2 connected.

Sorting the exclusion list also helped me sort the cluster status of another cluster that inherits all the VLANs from above, but doesn't use any of them. it only uses its own 3 specific VLANs, but as the exclusion list showed all VLANs i was in the same situation there.

And just to confirm in CP, the MC is no longer referenced in the access requests, it's back to showing the individual controller's VRRP-IP

Thanks for the nudge.

Best regards.
Nathan.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 06:49 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Your cluster is L3 connected, it is suboptimal. Seamless rooming works in the L2 connected cluster. I can only recommend that you ensure that the cluster is L2 connected.

You cannot configure the connected mode, the cluster members determine it dynamically. Mobility controllers send broadcasts via each VLAN, if broadcasts do not arrive in a VLAN, L3 mode is used. This happens, for example, if there are VLANs in the controller that have not been tagged on the upstream switch. Check whether new VLANs have been created or VLAN tagging has been changed on the switch. You can also set VLAN to an exlude list, in which case no probes are sent via this VLAN. This is done at the controller level, you must not exlude the controller VLAN!

Display vlan-probes, use "show lc-cluster vlan-probe status" on the MCR CLI, here reference output

show lc-cluster vlan-probe status

Cluster VLAN Probe Status
-------------------------
Type IPv4 Address    REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer   192.168.84.12      124        0      116        0      116      121         0   L2 Conn     0/   0

As soon as the cluster is L2 connected again, cluster VRRPs will also be activated.
Each controller becomes the MASTER in one instance and the BACKUP in three others.

Good luck.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 16, 2024 05:24 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 01:32 AM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------

Thanks for shove in the right direction Carson, I just did that this morning after reading your post, using the VRRP-IP noted by Waldemar above.

e.g.

Find it odd that the cluster uses the VRRP-IP for the L2 connectivity, but the VLAN probe that tells you about L2 or L3 only uses the mgmt IP in the readout confirming connection type status. It's not gonna keep me awake at night.

Do remember to go ahead and set the NAS IP on the individual controllers so that the MCR address doesn't get used.

I apologise to the community!
The shame.

Would seem I picked a lucky access request earlier, as I've just noticed that other requests are still coming in on the MC VIP.
Turns out cluster 1 is reporting the VRRP IP for each director.
Cluster 2 - only 1 director is reporting with its VRRP IP, the other 2 aren't.
Cluster 3 - all 4 VRRP-IP are absent from the CP filter, so requests only coming in from MM VIP as NAS IP.

Have to drill into a request to look for the Src-IP in order to know which director the traffic came from, as the Dest-IP is the mgmt interface of the Conductor, and NAD-IP is the Conductor VIP.

Looking back into the cluster cfg to see what I've missed!

Thanks Waldemar, vlan probe has helped me find the problem:

I recently cleaned up some VLANs we no longer need (2504 and 2508) and deleted them from the Managed Network Folder level.
Gone from the list below:

And I thought in doing that those VLANs would be gone from the controllers, which was true from the controller VLAN interface level. 
But those VLANs still show up on the Services > Cluster Profile config

The second I excluded those two VLANs (2504, 2508) from the Cluster Profile,  the clusters come back to L2 connected.

Sorting the exclusion list also helped me sort the cluster status of another cluster that inherits all the VLANs from above, but doesn't use any of them. it only uses its own 3 specific VLANs, but as the exclusion list showed all VLANs i was in the same situation there.

And just to confirm in CP, the MC is no longer referenced in the access requests, it's back to showing the individual controller's VRRP-IP

Thanks for the nudge.

Best regards.
Nathan.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 06:49 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Your cluster is L3 connected, it is suboptimal. Seamless rooming works in the L2 connected cluster. I can only recommend that you ensure that the cluster is L2 connected.

You cannot configure the connected mode, the cluster members determine it dynamically. Mobility controllers send broadcasts via each VLAN, if broadcasts do not arrive in a VLAN, L3 mode is used. This happens, for example, if there are VLANs in the controller that have not been tagged on the upstream switch. Check whether new VLANs have been created or VLAN tagging has been changed on the switch. You can also set VLAN to an exlude list, in which case no probes are sent via this VLAN. This is done at the controller level, you must not exlude the controller VLAN!

Display vlan-probes, use "show lc-cluster vlan-probe status" on the MCR CLI, here reference output

show lc-cluster vlan-probe status

Cluster VLAN Probe Status
-------------------------
Type IPv4 Address    REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer   192.168.84.12      124        0      116        0      116      121         0   L2 Conn     0/   0

As soon as the cluster is L2 connected again, cluster VRRPs will also be activated.
Each controller becomes the MASTER in one instance and the BACKUP in three others.

Good luck.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 16, 2024 05:24 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Morning! 
I was about to reply blind, without checking group-membership because I 'knew' my clusters were all L2 connected.

My clusters are no longer L2 connected, they're L3.


About the VRRP IPs, they're manually created so that CoA works for Guest auth role. For this particular cluster the cluster VIP is 10.25.112.123
(I note there's an odd Group number in this list, has never appeared to be something that affects service though.)

The clusters appear to be up and OK as far as I can tell

The 10th May was the morning of the scheduled upgrade to version 8.10.0.11 - this particular cluster upgrade launched at 04:00 hrs.

Previously 'show vrrp' would show me a list of the virtual routers in a cluster, now it shows only 1

This all looks OK to me, config looks like I expect to find it. I'll keep reading in the mean time.
Thanks. 
N.

------------------------------
Nathan

Original Message:
Sent: May 16, 2024 01:32 AM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Controller IP is only used when running standalone or when manually configured as the NAS IP.  Managed devices will utilize the MCR address unless the device is active in a cluster that has a cluster VIP configured and operational.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 16, 2024 01:12 AM
From: lord
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Also check whether your cluster is L2 or L3 connected. Cluster VRRP IP is only used for L2 connected cluster-members. The controller IP is used for L3 connected cluster-members. 

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: May 15, 2024 12:22 PM
From: chulcher
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Default behavior when the NAS IP address hasn't been configured or otherwise overridden on the MD is to use the MCR IP address.  Been that way forever.  Is your 10.25.112.121 address a manually created VRRP IP or one of the cluster VIPs?  If that is a cluster VIP, looks like your cluster is either broken or down to a single node.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: May 15, 2024 11:00 AM
From: n.millward
Subject: Clearpass reports access device IP (Port) and access device name as Mobility Conductor after moving to 8.10.0.11 (I think)

Looking into a problem reported by a user and as an aside I notice that CP (6.11.2) is reporting the incoming access device as the VIP of our mobility conductor instead of the IP of a director as the case used to be.
e.g. now

But it used to be (this clip is from May 8th - we migrated to 8.10.0.11 on May 9th)

I'm struggling to spot where this info is pulled from.
In CP all the mgmt, cluster VIP, and VRRP IP are listed in the controllers container.
The conductor IPs and VIP are known to CP, but not added to the Controllers device group - I don't think this makes any difference to anything as we don't have a policy that check an incoming device group. Does CP even need to know about the Conductors, should I be able to remove them? I guess not at the moment because it appears as though requests are coming from the Conductor VIP.

In the MM, for each director there is no config for NAS IP, and never has been.

In the CLI there is no config parameter for ip radius nas-ip (not sure where this pops up in the GUI.

Both PSK and Guest registration (the two services we use CP for) appear to be happy, but it doesn't feel right. I'm pretty sure I should know from the access Request Details dialogue box which director the incoming device is using, or at the very least which cluster VIP is being used.

Any thoughts?

Thanks  

------------------------------
Nathan
------------------------------