
Aruba ClearPass Workshop (2021) - Getting Started #4 - Building a ClearPass Cluster

Now we have our ClearPass ready, with a proper HTTPS certificate installed, it's time to build a cluster.
For this, I have a second VM prepared, and we will add that as a 'Subscriber' to our existing publisher. Once that is done, we need to fix the HTTPS certificate on our new appliance, and create some Virtual IPs to make our ClearPass cluster highly available.
Workshop video overview, schedule, and discussion can be found on the Airheads Community: community.arub...
⏰Timestamps:
00:00 Intro
00:28 Overview of publisher-subscriber
01:17 Logging in to the new subscriber
02:19 Make subscriber
04:14 Install HTTPS certificate on subscriber
05:10 Restrict network access
05:25 Create Virtual IPs
06:41 Connect to the Virtual IP
07:02 Virtual IP or Load balancers?
07:46 Summary

Comments: 16

  • @user-ek3mr8el7y, 1 year ago

    Many thanks. Keep going! SALMA from Morocco

  • @binodranabhat341, 2 years ago

    Nice video, thank you, Herman!

  • @samsam325, 3 years ago

    Thanks 👍

  • @BrettVerney, 2 years ago

    Herman, amazing video as always... Re: the 2 x VIPs. What is the benefit of specifying ClearPass VIPs on a NAD (Mobility Controller, for example) as opposed to the unique pub/sub IPs themselves? Is it a case of the ClearPass UCARP failover being more efficient than the built-in Mobility Controller dead server detection mechanics?

  • @hermanrobers, 2 years ago

    That is in summary what it is. If the switch/MC does not need to detect a dead server there is no delay, and it is done for all your switches and MCs at once. Also, for a reboot/upgrade, the VIP will be brought down proactively, resulting in seamless failover. But as mentioned in the video (I think that I mentioned), the difference is probably small in practice and also subject to personal preference rather than a generally agreed-on 'must do'. Using external load balancers probably is even better.

  • @itguy25, 1 year ago

    Herman, longtime follower of your video series here. Thank you so much for all your assists with ClearPass over the years. I do have a question, however, on joining an AWS instance to an on-premises cluster. Would the procedure be the same?

  • @hermanrobers, 1 year ago

    Yes, ClearPass running in Azure or AWS is the same software, so you can join an AWS ClearPass to an on-premises publisher (or to an Azure / other AWS-hosted one); and vice versa as well. Just make sure you have assigned the required resources (Mem/CPU/Disk) and that the round-trip time between each of the subscribers and the publisher meets the requirements (think it's 200 ms RTT). The AWS and Azure systems can't do virtual IP, which has to do with how network/subnetting/IP assignments are done in such an environment; so for high availability as part of AWS/Azure you would probably add a network load balancer.

  • @itguy25, 1 year ago

    @hermanrobers Thank you so much

  • @Dan-je1xv, 2 years ago

    Why the need for two virtual IPs? I’ve typically seen a single real IP per device with a floating virtual IP address that gets assigned to the active device.

  • @hermanrobers, 2 years ago

    There is no real need. If you want to load-balance between the two devices, it may be good to have two virtual IPs which can mutually fail over. For just redundancy, a single VIP is fine. And you can also still use the RADIUS server backup in your switches, APs, etc., but that in general is slower than a virtual IP on the ClearPass. I found that this works for me; in other situations different approaches may work. Also, if you are at the point where the choice between one or multiple VIPs really makes an impact, you probably should have a look at an external network load balancer, as that is even faster and much more flexible in how you route/distribute your traffic.

  • @XThe-Dead-ManX, 3 years ago

    Could you please explain how to get the P12 cert from Let's Encrypt?

  • @hermanrobers, 3 years ago

    Abdul-Kareem, I left that out intentionally, as I don't want to explain how to use ClearPass with Let's Encrypt, as the short-lived certificates are not suited to most deployments. But to answer your question, I have a Linux server that requests (and periodically renews) a wildcard certificate through DNS validation. As part of the script, I have openssl create that .p12 from the PEM files that come out of the Let's Encrypt certbot (command is: openssl pkcs12 -export -inkey privkey.pem -in cert.pem -out wildcard.p12 -certfile chain.pem -password "pass:MyCertPa$$w0rd"). I could have used the PEM files as well.
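    As an added example (not from the video or the comment above), a POSIX shell script that produces the same kind of .p12 bundle from certbot's privkey.pem, cert.pem and chain.pem, reading the export password from a file instead of the command line and checking that the private key actually matches the certificate before bundling. The file names and the password-file argument are assumptions.

```shell
#!/bin/sh
# Added example, not ClearPass or certbot code: bundle certbot PEM output into a
# PKCS#12 file for import into ClearPass. Inputs (assumed names) are the certbot
# files privkey.pem, cert.pem, chain.pem; the export password is read from a file
# so it does not appear in the process list or shell history.
set -eu

# key_matches_cert KEY CERT -> 0 when the public key in CERT is the one in KEY.
# Guards against bundling a renewed certificate with a stale private key.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# build_p12 KEY CERT CHAIN OUT PASSFILE -> writes OUT and verifies it opens again.
build_p12() {
  key=$1; cert=$2; chain=$3; out=$4; passfile=$5
  key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
  # Same export as the comment above, with the password supplied via file: instead of pass:.
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
    -out "$out" -passout "file:$passfile"
  # Round trip: the bundle must parse with the same password before it is shipped.
  openssl pkcs12 -in "$out" -noout -passin "file:$passfile"
}
```

The final parse step fails (and the function returns non-zero) if the bundle or password is unusable, so a renewal script can stop before uploading a broken file.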

  • @user-qq2fs6hc9x, 1 year ago

    Hi Herman, can we use only a publisher without subs?

  • @hermanrobers, 1 year ago

    Yes, sure. Subscribers are optional.

  • @marioalbertocardenas1956, 3 years ago

    Does the subscriber need to have the same firmware as the publisher, or at the moment of joining the cluster does it update to the publisher version?

  • @hermanrobers, 3 years ago

    Yes, first upgrade your new subscriber to the same version as the publisher, then join as a subscriber to your publisher.