Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass VIP Radius Server

  • 1.  Clearpass VIP Radius Server

    Posted Sep 06, 2022 02:34 AM
    Hello all,
    Up to now, in the switches and wireless controllers I have always configured the two physical IP addresses of the two ClearPass servers for profiling, RADIUS and TACACS authentication. The question is: is it possible to use the VIP IP address? And if I have more than 2 ClearPass servers in a cluster, what is the best practice?
    Dario


  • 2.  RE: Clearpass VIP Radius Server

    Posted Sep 06, 2022 02:50 AM

    Hi Dario

    It depends...
    If you are running your ClearPass servers in traditional hardware or virtual appliances you can have VIP addresses. If you have your appliances in a cloud environment such as Azure and AWS the VIP feature isn't supported.

    Assuming you have hardware or virtual on-prem installation I normally create one VIP IP address for each server in the cluster and point the client traffic to these VIP addresses instead of the server interface addresses.
    Besides the redundancy you get with a VIP, configuring one VIP per server gives me an easy way of controlling whether a server should get the traffic or not.

    In case of issues in one ClearPass server it's very convenient to be able to disable this server during troubleshooting.
    Also hardware replacement in the future will be easier with a VIP configured.

    One thing to keep in mind if you have VIP addresses for the servers and are using CX switches with Downloadable User Roles is that the CX switches require the RADIUS server FQDN to be in the SAN or Subject field of the certificate.
    If you have two FQDNs, radius1.localdomain.com and radius2.localdomain.com, both of these names must be in the certificates on both servers. I think wildcard certificates should be supported in this scenario, but validate before you put it into production.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSA, ACEP
    Aranya AB
    ------------------------------



  • 3.  RE: Clearpass VIP Radius Server

    EMPLOYEE
    Posted Sep 06, 2022 03:02 AM
    Here is the screenshot where you can do the VIP configuration:



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 4.  RE: Clearpass VIP Radius Server

    EMPLOYEE
    Posted Sep 06, 2022 04:42 AM
    On that last point: For RADIUS/EAP use one single server certificate which is shared across all of your servers to avoid issues. Wildcard certificates are deprecated for RADIUS/EAP.
    For the HTTPS certificate in case of DUR, make sure that the certificate has SANs for each of the FQDNs that you want to address the server on, like cppm1, cppm2, cppm-vip1, cppm-vip2, guest, or use a wildcard. Wildcards for the HTTPS certificate are great because you can handle the DUR scenario, but also guest scenarios and you are more flexible and can use even the same HTTPS certificate on all of your nodes. Certificates will need to be planned carefully in a ClearPass deployment.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Clearpass VIP Radius Server

    MVP EXPERT
    Posted Sep 07, 2023 04:29 AM

    I have 1 RADIUS cert that I use across all nodes in a cluster, e.g. radius.sharaz.info. Also, I have 1 HTTPS cert with a CN of cppm.sharaz.info and then SANs for all the individual nodes in the cluster. Again, this cert is used across all cluster nodes.

    Haven't implemented DURs on CX switches yet, so just checking: do I have to add radius.sharaz.info to the SANs of my HTTPS cert?

    A




  • 6.  RE: Clearpass VIP Radius Server

    EMPLOYEE
    Posted Sep 08, 2023 05:54 PM

    The DUR actually uses the API login as a client, so it's hitting the HTTPS certificate, not the RADIUS certificate.  As such you shouldn't need to make any changes to your cert SANs as you defined them.

    When you get to the switch configuration you will need to load the CA that signed the HTTPS certificate onto the switch so that it can perform validation.



    ------------------------------
    Travis Thompson
    Consulting System Engineer, Great Plains
    CISSP, ACEX, ACCX, ACMX, ACDX, SPSX, CCIE (Emeritus)
    HPE Aruba Networking
    ------------------------------
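Jonas's warning in post #2 and the points in posts #4 and #6 come down to one check: every FQDN a client might use to reach the ClearPass HTTPS service (node names, VIP names, guest portal) must be covered by a dNSName SAN, matched the way a TLS client matches it. The script below is an added example, not code from this thread or from HPE Aruba. The example.com names are constructed placeholders standing in for the cppm1/cppm2/cppm-vip1/cppm-vip2/guest hosts mentioned above, and the matcher follows the RFC 6125 wildcard rules, so it also shows the two cases a wildcard does not cover (the bare domain and a deeper subdomain). The optional PEM helper assumes the `cryptography` package is installed.

```python
"""Check that an HTTPS certificate's SAN list covers every name a ClearPass
cluster is reached on. Added example; names are constructed placeholders."""
from __future__ import annotations

from typing import Iterable


def _labels(name: str) -> list[str]:
    # Case-insensitive, trailing dot ignored, split into DNS labels.
    return name.strip().lower().rstrip(".").split(".")


def san_matches(hostname: str, san: str) -> bool:
    """dNSName match as a TLS client does it (RFC 6125): case-insensitive exact
    match, or a wildcard that is the entire leftmost label and stands for exactly
    one label. Partial wildcards (cppm*.example.com), a bare domain, and deeper
    subdomains all fail closed."""
    h, s = _labels(hostname), _labels(san)
    if "*" in hostname or len(h) != len(s):
        return False
    if s[0] == "*":
        # Require a registrable domain behind the wildcard (*.com is not a SAN).
        return len(s) >= 3 and h[1:] == s[1:]
    return h == s


def uncovered_names(required: Iterable[str], sans: Iterable[str]) -> list[str]:
    """Return the required names that no SAN entry covers, in input order."""
    san_list = list(sans)
    return [n for n in required if not any(san_matches(n, s) for s in san_list)]


def dns_sans_from_pem(pem: bytes) -> list[str]:
    """Extract dNSName SANs from a PEM certificate (needs the 'cryptography' package)."""
    from cryptography import x509  # imported lazily so the rest runs without it

    cert = x509.load_pem_x509_certificate(pem)
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


# Every name a client may use for the HTTPS service: node names, the VIP names
# pointed at by switches doing DUR, and the guest portal. Constructed example.
REQUIRED = [
    "cppm1.example.com",
    "cppm2.example.com",
    "cppm-vip1.example.com",
    "cppm-vip2.example.com",
    "guest.example.com",
]
NODE_ONLY_SANS = ["cppm1.example.com", "cppm2.example.com"]  # weak plan: VIPs missing
EXPLICIT_SANS = ["cppm.example.com"] + REQUIRED               # one cert, all names listed
WILDCARD_SANS = ["*.example.com"]                             # wildcard plan from post #4


if __name__ == "__main__":
    for label, sans in [("node-only", NODE_ONLY_SANS),
                        ("explicit", EXPLICIT_SANS),
                        ("wildcard", WILDCARD_SANS)]:
        missing = uncovered_names(REQUIRED, sans)
        print(f"{label:9s} cert: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

Run it against the real certificate with `uncovered_names(REQUIRED, dns_sans_from_pem(open("cppm.pem", "rb").read()))` before the switch is pointed at a VIP name; a DUR failure caused by a name that is not in the SAN list only shows up on the switch as a TLS validation error, which is slower to diagnose than this check.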



  • 7.  RE: Clearpass VIP Radius Server

    Posted Sep 06, 2022 11:26 AM
    Hi Jonas, sincerely I don't understand what you mean by "one VIP IP address for each server". Can you kindly explain it to me? In this case do I have to configure multiple RADIUS and TACACS servers in my switches? My question about the VIP was to understand whether it is possible to configure one single IP on the switches for multiple RADIUS servers, for redundancy and load sharing.

    Dario



  • 8.  RE: Clearpass VIP Radius Server

    Posted Sep 06, 2022 12:38 PM
    Hi Dario

    One VIP will give you redundancy and you can configure your LAN and WLAN with only one Radius server, but you will not be able to share the load between different ClearPass servers. Only the server owning the VIP will get the traffic.
    If you, in a two node cluster, have one additional VIP owned by the other server you can share the load between the servers and keep the redundancy given by the VIP.
    You may also be able to enable load balancing in a controller.

    My second reason to have a VIP on each server is just for emergency situations. If you need to drop a Subscriber from the cluster Radius traffic will continue to reach the faulty server during the recovery work. During this time this faulty server may reject all requests as it may have lost all configuration.
    With the VIP configured as the RADIUS server address instead of the interface address it's easy to disable the VIP address on the faulty server, or move it to another server in the cluster. This is also useful if you have a larger cluster with just one local node in some locations. By disabling the VIP the switch or AP will fail over to the secondary RADIUS server on another site.

    So I normally configure primary and secondary Radius servers on the network infrastructure and VIP addresses for all ClearPass servers.

    I hope my explanation answers your question. Let me know if I should elaborate on anything.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP
    Aranya AB
    ------------------------------
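The design above (a VIP per node, primary and secondary RADIUS servers on every switch, disable or move a VIP to force failover) is only trustworthy if you can confirm which address is actually answering RADIUS before and after the change. The standard check is a RADIUS Status-Server probe (RFC 5997), which is also what a load balancer such as the F5 mentioned later in this thread uses as a health monitor. The code below is an added example, not from this thread or from HPE Aruba: it builds the Status-Server request with the Message-Authenticator from RFC 2869, verifies the Response Authenticator and Message-Authenticator on the reply, and includes the server-side reply construction so both sides of the exchange can be checked offline. The VIP addresses and shared secret are placeholders; as with any RADIUS server, the probing host must be defined as a network device with that secret or the request is silently dropped, and a server that does not implement Status-Server simply times out.

```python
"""RADIUS Status-Server probe (RFC 5997) to see whether a ClearPass VIP answers.
Added example; hosts and secret are constructed placeholders."""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER, ACCESS_ACCEPT, ACCESS_REJECT = 12, 2, 3
MSG_AUTH = 80                       # Message-Authenticator attribute (RFC 2869)
HDR = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator


def _append_message_authenticator(code: int, ident: int, auth: bytes,
                                  attrs: bytes, secret: bytes) -> bytes:
    """Return attrs + Message-Authenticator, computed as HMAC-MD5 over the whole
    packet with the given Authenticator in the header and the MA value zeroed."""
    length = HDR.size + len(attrs) + 18
    zeroed = HDR.pack(code, ident, length, auth) + attrs + bytes([MSG_AUTH, 18]) + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return attrs + bytes([MSG_AUTH, 18]) + mac


def build_status_server(secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Client side: Status-Server must carry a Message-Authenticator (RFC 5997 s.3)."""
    attrs = _append_message_authenticator(STATUS_SERVER, ident, request_auth, b"", secret)
    return HDR.pack(STATUS_SERVER, ident, HDR.size + len(attrs), request_auth) + attrs


def build_reply(secret: bytes, ident: int, request_auth: bytes,
                code: int = ACCESS_ACCEPT, attrs: bytes = b"") -> bytes:
    """Server side, used here to test the client offline. The reply's
    Message-Authenticator is computed with the Request Authenticator in the header;
    the Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = _append_message_authenticator(code, ident, request_auth, attrs, secret)
    length = HDR.size + len(attrs)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length)
                            + request_auth + attrs + secret).digest()
    return HDR.pack(code, ident, length, resp_auth) + attrs


def verify_reply(secret: bytes, ident: int, request_auth: bytes, reply: bytes) -> bool:
    """True only for an authentic Access-Accept to our own request: identifier
    matches, Response Authenticator matches, and a valid Message-Authenticator
    is present. Anything else (spoofed, replayed, wrong secret, Reject) is False."""
    if len(reply) < HDR.size:
        return False
    code, rid, length, resp_auth = HDR.unpack_from(reply)
    if rid != ident or length != len(reply) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    attrs = reply[HDR.size:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    pos, seen_ma = 0, False
    while pos + 2 <= len(attrs):                      # walk the TLV attribute list
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False                              # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            zeroed = (HDR.pack(code, ident, length, request_auth)
                      + attrs[:pos + 2] + bytes(16) + attrs[pos + 18:])
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, attrs[pos + 2:pos + 18]):
                return False
            seen_ma = True
        pos += alen
    return seen_ma and code == ACCESS_ACCEPT


def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0) -> bool:
    """Send one Status-Server over UDP; True only on an authentic Access-Accept."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_status_server(secret, ident, request_auth), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_reply(secret, ident, request_auth, reply)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"             # placeholder
    for vip in ("192.0.2.11", "192.0.2.12"):          # placeholder VIP addresses
        print(vip, "answers" if probe(vip, SECRET) else "no valid reply")
```

Run the probe against each VIP, disable the VIP on the node under maintenance, and run it again: the VIP that went quiet is the one your switches will now fail over from, and if it still answers, the change did not take effect where you think it did. The reply verification matters in a probe as much as in a NAS: a forged Access-Accept from anything that can inject UDP towards the prober would otherwise report a dead VIP as healthy.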



  • 9.  RE: Clearpass VIP Radius Server

    Posted Sep 14, 2022 02:21 AM
    You may consider having F5 or any load-balancer hardware acting as the VIP of clearpass. In there you can set in percentage how many traffic to direct to CPPM01, CPPM02, and CPPM03 (if you have 3 CPPMs).


  • 10.  RE: Clearpass VIP Radius Server

    Posted Sep 14, 2022 02:55 AM
    Thank You matchabear

    ------------------------------
    Dario Nardello
    ACMP ACSP ACCP ACEP
    ------------------------------