Hey Daniel,
Appreciate it. I explained some of the race conditions that can be experienced in a high-capacity environment when using CWA in another post (https://wiflymax.wordpress.com/2023/07/14/cisco-aireos-clearpass-captive-portal-w-mac-caching-without-change-of-authorization-coa/)
It boils down to DB replication across the nodes when using the endpoint database. You can tune things with a login delay, as described in Cisco's documentation, to give the DB replication service a chance to replicate the data successfully, but you're really just moving chairs on the Titanic in my view. If you send the MAC auth to the publisher, that gives you the best chance, as you don't have a subscriber -> publisher -> subscribers replication flow, but you still have publisher -> subscribers that needs to make it before the portal auth is triggered within the login delay period. I will say that if anyone is going to use CWA for some reason, send all MAC auths to the publisher and all portal auths to the subscribers.
Things worked better on a C3010 with the faster SAS drives, but ultimately the solution was doomed to fail for us given the number of auths we were dealing with. The C2010s failed almost immediately; they didn't have a chance.
The real kicker is that it works perfectly in test. It's not until you start stressing the system that you see the holes in the solution. You will see intermittent issues, not complete failures. The really bad part is that when the DB gets backed up, it turns into a feedback loop where clients start sending more auths because they're failing, and you end up in a cascading failure whereby you end up needing to reboot the publisher and sometimes the subscribers.
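The replication race and the retry feedback loop described in the reply above, as a toy timing model added here for illustration. It is not code from the original post, from the linked blog, or from ClearPass itself: the per-hop replication latencies, the node names, the per-round capacity, the initial burst and the "failed clients re-auth next round" behaviour are all assumed parameters, chosen only to make the two effects visible. The first part shows why routing MAC auths to the publisher cuts the worst-case replication path from two hops to one (and why a login delay tuned for one hop still loses when the load balancer picks two subscribers); the second shows how a burst that would drain on its own turns into an ever-growing backlog once failing clients start retrying.

```python
"""Toy model of the CWA race condition and retry feedback loop discussed above.

Constructed illustration, not ClearPass code: replication hop latencies, node
capacity, the initial backlog and the retry behaviour are all assumed values.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Cluster:
    """Assumed per-hop replication latency of the endpoint DB, in ms."""
    sub_to_pub_ms: int   # subscriber -> publisher
    pub_to_sub_ms: int   # publisher -> subscribers


def replication_lag_ms(cluster: Cluster, mac_auth_node: str, portal_auth_node: str) -> int:
    """Time until the endpoint record written by the MAC auth on mac_auth_node
    is visible on portal_auth_node. The publisher is the node named "publisher";
    every other name is a subscriber."""
    if mac_auth_node == portal_auth_node:
        return 0                                   # same node, no replication needed
    if mac_auth_node == "publisher":
        return cluster.pub_to_sub_ms               # one hop: publisher -> subscriber
    if portal_auth_node == "publisher":
        return cluster.sub_to_pub_ms               # one hop: subscriber -> publisher
    return cluster.sub_to_pub_ms + cluster.pub_to_sub_ms   # two hops via the publisher


def portal_auth_succeeds(cluster: Cluster, mac_auth_node: str,
                         portal_auth_node: str, login_delay_ms: int) -> bool:
    """The portal auth finds the endpoint only if replication beat the login delay."""
    return replication_lag_ms(cluster, mac_auth_node, portal_auth_node) <= login_delay_ms


def worst_case_lag_ms(cluster: Cluster, mac_auth_nodes, portal_auth_nodes) -> int:
    """Largest lag over every (MAC auth node, portal auth node) pair a load balancer
    could produce; this is the login delay the routing policy would really need."""
    return max(replication_lag_ms(cluster, m, p)
               for m, p in product(mac_auth_nodes, portal_auth_nodes))


def backlog_over_time(base_rate: int, capacity: int, initial_backlog: int,
                      rounds: int, clients_retry: bool) -> list:
    """Unprocessed auths left at the end of each round.

    Each round the cluster absorbs at most `capacity` auths. With clients_retry,
    every client whose auth was still stuck at the end of the previous round sends
    a fresh auth on top of the one already queued, which is the feedback loop the
    post describes. Without retries the same burst drains on its own."""
    backlog = initial_backlog
    history = []
    for _ in range(rounds):
        retries = backlog if clients_retry else 0
        arrivals = base_rate + retries
        queued = backlog + arrivals
        processed = min(capacity, queued)
        backlog = queued - processed
        history.append(backlog)
    return history


if __name__ == "__main__":
    cluster = Cluster(sub_to_pub_ms=40, pub_to_sub_ms=40)   # assumed values
    nodes = ["publisher", "sub-1", "sub-2"]
    print("MAC auth anywhere, portal anywhere:",
          worst_case_lag_ms(cluster, nodes, nodes), "ms worst case")
    print("MAC auth to publisher, portal to subscribers:",
          worst_case_lag_ms(cluster, ["publisher"], nodes[1:]), "ms worst case")
    print("login delay 50 ms, MAC auth on sub-1, portal on sub-2:",
          portal_auth_succeeds(cluster, "sub-1", "sub-2", 50))
    print("burst of 30 at 90% load, clients wait :",
          backlog_over_time(90, 100, 30, 6, clients_retry=False))
    print("burst of 30 at 90% load, clients retry:",
          backlog_over_time(90, 100, 30, 6, clients_retry=True))
```

With the assumed 40 ms hops, a login delay of 50 ms is enough when every MAC auth lands on the publisher but fails whenever the two auths land on different subscribers, which is the intermittent behaviour the reply describes. In the backlog model the same 30-auth burst at 90% of capacity drains in three rounds when clients wait, but grows without bound once stuck clients re-send, which is the point at which a reboot becomes the only way out.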
Original Message:
Sent: Nov 19, 2024 02:52 AM
From: Daniel Ruiz
Subject: Clearpass Guest and Cisco wireless controller
Great information, because I didn't imagine that CWA was a disaster, as you say, and that the best option was LWA. Good to know for future reviews. Good blog; I've read it, and it explains the configuration process well. Thanks.
------------------------------
Daniel Ruiz
-----------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support.
Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
Original Message:
Sent: Nov 18, 2024 12:33 PM
From: MT9
Subject: Clearpass Guest and Cisco wireless controller
No problem, good luck. Be aware that you can do either a passthrough or an on-MAC-filter-deny type portal. Both are valid LWA methods. Also, any foreign controller must have a self-signed cert for 192.0.2.1 or whatever your virtual IP is. I would recommend 192.0.2.1 as a matter of principle; just keep it simple.
Original Message:
Sent: Nov 18, 2024 12:26 PM
From: anish2018
Subject: Clearpass Guest and Cisco wireless controller
You are right, the CWA method is a disaster. Let me try your method and I will keep you posted. Thank you so much for sharing this.
Original Message:
Sent: Nov 18, 2024 11:53 AM
From: MT9
Subject: Clearpass Guest and Cisco wireless controller
I described this process in depth with LWA on my blog here: https://wiflymax.wordpress.com/2023/07/25/cisco-wlc-guest-wifi-with-mac-caching-and-anchor-wlc-clearpass-controller-initiated/
I do not recommend what Cisco documents, meaning CWA. At scale (for us it's 30k+ users per day), CWA was a disaster. LWA, however, works great.
Original Message:
Sent: Nov 18, 2024 08:02 AM
From: anish2018
Subject: Clearpass Guest and Cisco wireless controller
Hello folks,
Can anyone share the document for ClearPass Guest self-registration and Cisco WLC integration?
There are some articles in the Cisco community, but it's not working as expected.