Security
  • 1.  Configuring ClearPass as rfc-3576-server or COA server in Aruba Controllers

    Posted Feb 03, 2021 11:40 AM
    Edited by Ahmad Enaya Feb 03, 2021 11:44 AM
    I have two ClearPass servers configured with two virtual IPs for redundancy. When creating server groups in Aruba Mobility Master I use the virtual IPs, not the physical IPs. Now I want to enable CoA between ClearPass and the Aruba controllers:

    1- Should I use the virtual or the physical IPs of ClearPass when creating the rfc-3576-server in Aruba Mobility Master?

    2- Is it required to add all ClearPass servers as rfc-3576-servers in the Aruba controllers? If ClearPass uses the VRRP IP address for CoA, is it enough to add one rfc-3576-server using the virtual IP shared between the two ClearPass servers?

    3- If the ClearPass server has both mgmt and data ports, which port does it use to send CoA messages to the Aruba controllers?


    Thank you,

    ------------------------------
    Ahmad Enaya
    ------------------------------


  • 2.  RE: Configuring ClearPass as rfc-3576-server or COA server in Aruba Controllers

    Posted Feb 03, 2021 12:18 PM
    All CPPM nodes need to be defined in the controller for Dynamic Authorization. Do not use virtual IPs.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Configuring ClearPass as rfc-3576-server or COA server in Aruba Controllers

    Posted Feb 04, 2021 04:19 AM
    On #3, standard ClearPass routing rules apply:

    If the destination is in the mgmt subnet, the packet is sent out of the mgmt port.
    For every other destination the data port is used.

    Static routes can be added to manipulate this.

    ------------------------------
    Mathew George
    ------------------------------



  • 4.  RE: Configuring ClearPass as rfc-3576-server or COA server in Aruba Controllers

    Posted Feb 04, 2021 05:46 AM
    ... and on #3: unless you absolutely need it and understand how ClearPass works with both the management and data port enabled, only use the management port. The data port should not be used unless you know exactly why you need it and there is no other way to achieve what is required.

    Read the Service Routing TechNote from https://arubanetworks.com/clearpassdocs/ a few times before enabling the data interface.


    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Configuring ClearPass as rfc-3576-server or COA server in Aruba Controllers

    Posted Feb 04, 2021 05:59 AM
    I typically enable all IPs for CoA in the controller, so the ClearPass VIP(s) and the node addresses. I thought that ClearPass always uses the VIP (if it has one active) to send out CoA, but it appears to use the IP that it was called on for the authentication. If authentication is done to the VIP, the VIP will be used as source IP to send out the CoA; if the node IP is used, that IP is used. This makes sense, as for deployments with Instant you set the CoA as an attribute on the RADIUS server, so it is hard to configure a RADIUS server just for CoA. On controllers, for historical reasons, the RADIUS server and CoA server configuration are separate, but you should configure CoA servers for each of the configured RADIUS authentication servers.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
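The advice in replies #2 and #5 boils down to one invariant: every address a controller sends RADIUS authentication to (each ClearPass node IP, plus the VIP if it is used for authentication) must also exist as an rfc-3576-server, otherwise CoA from that source is rejected. The script below is an added example, not code from this thread or from Aruba, that audits a controller configuration for that invariant. The config excerpt is constructed in the style of an ArubaOS "show running-config" (names, addresses and quoting are assumptions; real output may differ slightly, which is why the regexes tolerate quoted and unquoted names).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed ArubaOS-style config excerpt (assumed layout, not taken from the thread).
# Three RADIUS auth servers (two nodes and the VIP), but only two rfc-3576-server entries:
# node2 (10.1.1.12) is missing, so CoA sent by that node would be dropped by the controller.
SAMPLE_CONFIG = """
aaa authentication-server radius "cppm-node1"
   host 10.1.1.11
   key ********
!
aaa authentication-server radius "cppm-node2"
   host 10.1.1.12
   key ********
!
aaa authentication-server radius "cppm-vip"
   host 10.1.1.10
   key ********
!
aaa rfc-3576-server "10.1.1.11"
   key ********
!
aaa rfc-3576-server "10.1.1.10"
   key ********
!
aaa server-group "cppm-group"
   auth-server cppm-node1
   auth-server cppm-node2
!
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
AUTH_RE = re.compile(r'^aaa authentication-server radius "?([^"\s]+)"?\s*$')
HOST_RE = re.compile(r"^\s+host\s+" + IPV4 + r"\s*$")
COA_RE = re.compile(r'^aaa rfc-3576-server "?' + IPV4 + r'"?\s*$')
GROUP_RE = re.compile(r'^aaa server-group "?([^"\s]+)"?\s*$')
MEMBER_RE = re.compile(r'^\s+auth-server\s+"?([^"\s]+)"?\s*$')


def parse_config(text: str) -> Tuple[Dict[str, str], Set[str], Dict[str, List[str]]]:
    """Extract auth servers (name -> host IP), rfc-3576-server IPs and server groups."""
    auth_servers: Dict[str, str] = {}
    coa_servers: Set[str] = set()
    groups: Dict[str, List[str]] = {}
    current_auth = current_group = None  # which stanza the indented lines belong to
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "!":  # "!" closes a stanza in ArubaOS output
            current_auth = current_group = None
            continue
        m = AUTH_RE.match(line)
        if m:
            current_auth, current_group = m.group(1), None
            continue
        m = COA_RE.match(line)
        if m:
            coa_servers.add(m.group(1))
            current_auth = current_group = None
            continue
        m = GROUP_RE.match(line)
        if m:
            current_group, current_auth = m.group(1), None
            groups[current_group] = []
            continue
        m = HOST_RE.match(line)
        if m and current_auth:
            auth_servers[current_auth] = m.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m and current_group:
            groups[current_group].append(m.group(1))
    return auth_servers, coa_servers, groups


def missing_coa_servers(text: str) -> Set[str]:
    """IPs used for RADIUS authentication that have no matching rfc-3576-server."""
    auth_servers, coa_servers, _ = parse_config(text)
    return {ip for ip in auth_servers.values() if ip not in coa_servers}


def groups_with_incomplete_coa(text: str) -> Dict[str, List[str]]:
    """Per server group, the member servers whose host IP lacks an rfc-3576-server entry."""
    auth_servers, coa_servers, groups = parse_config(text)
    result: Dict[str, List[str]] = {}
    for name, members in groups.items():
        bad = [m for m in members if auth_servers.get(m) not in coa_servers]
        if bad:
            result[name] = bad
    return result


if __name__ == "__main__":
    print("Auth server IPs without a CoA server:", sorted(missing_coa_servers(SAMPLE_CONFIG)))
    print("Server groups with incomplete CoA coverage:", groups_with_incomplete_coa(SAMPLE_CONFIG))
```

Feeding the script the real running configuration of each controller (or Mobility Master) gives a quick list of ClearPass addresses that will authenticate clients but whose disconnect or re-authorization messages the controller would ignore; the fix is to add an rfc-3576-server entry with the matching shared secret for each reported IP.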