Security

Hello, 

I have a 4 node CPPM cluster deployed in our international data centers. (EU, Australia, and North America). Latency is OK to sync the DBs across. We are using the CPPM server for authentication to our wireless network as well as wired and logins into our switches (2930s) and controllers. 

In the controller, I can adjust the order in the AAA profile. Is there a way to set CPPM server preference for those switches? I do have a L2 connection for our DCs in NA, so would it be appropriate to setup a VIP with just the 2 NA servers and let CPPM handle the load balancing? 

Thank you for the input! 

Doug Ullman

------------------------------
Douglas Ullman
------------------------------

Hi Douglas,

Configuring a VIP for the two servers on L2 would not load-balance them, rather build redundancy as it would automatically fail over to the standby when the active is no longer reachable. This would be done on ClearPass, nothing would be required to change on the switches/controllers pointing to the VIP. If you're looking for load-balancing or distributing the authentications, you would either have to setup a load-balancing appliance or use the local server on those local pieces of equipment. For our environment, we have a local CPPM server at each large campus which is primary for those switches/controllers, followed by the the data center, and so on. We simply adjust the RADIUS and/or TACACS groups on the network devices with a different order depending on where we want the authentications to primarily go to. In this case, if the primary server becomes unreachable, it's up to the network device to fail to the next - typically these options are configurable.

Thanks.

------------------------------
Michael Haring

AirHeads MVP 2017, 2019-2021
------------------------------

Judt as an aside , if you are running conwsre 5130 switches the load balance radius requests across specified. Servers and do peap based health checking so U know that the server u tsk to. Actually can do user based auths and not just to an account on the radius server



Sent from my iPhone


Original Message:
Sent: 8/8/2021 4:05:00 PM
From: mharing
Subject: RE: CPPM Preferred Servers

Hi Douglas,

Configuring a VIP for the two servers on L2 would not load-balance them, rather build redundancy as it would automatically fail over to the standby when the active is no longer reachable. This would be done on ClearPass, nothing would be required to change on the switches/controllers pointing to the VIP. If you're looking for load-balancing or distributing the authentications, you would either have to setup a load-balancing appliance or use the local server on those local pieces of equipment. For our environment, we have a local CPPM server at each large campus which is primary for those switches/controllers, followed by the the data center, and so on. We simply adjust the RADIUS and/or TACACS groups on the network devices with a different order depending on where we want the authentications to primarily go to. In this case, if the primary server becomes unreachable, it's up to the network device to fail to the next - typically these options are configurable.

Thanks.

------------------------------
Michael Haring

AirHeads MVP 2017, 2019-2021
------------------------------