Running or planning on deploying a large ClearPass cluster? See what others are doing in larger environments to improve their deployments. This session is designed to help customers that run the largest and most demanding networks learn how to deal with multiple locations, 100k+ endpoints, and strict SLAs. Come to this session to discuss architecture for distributed deployments and how to better design your install for high-performance, high-availability needs. This is the one session where we’ll include the most experienced ClearPass team members for what will be a highly interactive session.
9. 9#ATM16@ArubaNetworks |
ClearPass Cluster
Databases

Config database
• Purpose: Configuration, Provisioning, Endpoints, Profiles, Guests, Onboard certificates
• Replication: Replicated from publisher to all subscribers
• Size: 50 MB to 500 MB
• Guidance: Review Endpoint and Guest cleanup settings

Insight database
• Purpose: Cluster-wide reporting, Bandwidth checks
• Replication: Duplicated at each Insight node
• Size: 1 GB to 200+ GB
• Guidance: Review database retention settings

Session log DB
• Purpose: Access Tracker, Event Viewer
• Replication: Not replicated
• Size: 1 GB to 100 GB
• Guidance: Review cleanup settings

Multi-master cache
• Purpose: Machine authentication, Session information (CoA), Role and posture cache
• Replication: Full mesh replication within a Zone
• Size: 1 MB to 100 MB
• Guidance: Configure Zones per location
10.
ClearPass Cluster
Intra-cluster communication
• UDP port 123 (NTP)
• TCP port 5432 (PostgreSQL)
• TCP port 443 (HTTPS)
[Diagram: Publisher and Standby, each connected to the Subscribers over NTP, PostgreSQL and HTTPS]
Caveats:
• Releases before the latest ClearPass 6.5 release may need additional ports open
• Port 80 is used to render System Monitor data from a remote node. Can be modified using the cluster-wide parameter “Performance Monitor Rendering Port”.
• Subscriber to subscriber communication is not required, as long as the subscriber will not be promoted to publisher
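The port list and the subscriber-to-subscriber caveat above translate directly into a firewall allow-list between cluster nodes. The following is an added example, not ClearPass code: it derives the required flows for a constructed node plan and diffs them against what a firewall currently permits (direction is assumed to be needed both ways, and hostnames are made up).

```python
from itertools import product

# Added example, not ClearPass code: derive the firewall allow-list between
# cluster nodes from the ports on the slide (UDP/123 NTP, TCP/5432 PostgreSQL,
# TCP/443 HTTPS).  Each flow is assumed to be needed in both directions.
CLUSTER_PORTS = (("udp", 123), ("tcp", 5432), ("tcp", 443))

def required_flows(nodes, promotable=()):
    """Return the set of (src, dst, proto, port) flows the cluster needs.

    nodes maps hostname -> 'publisher' | 'standby' | 'subscriber'.
    promotable lists subscribers that may later be promoted to publisher;
    only those need subscriber-to-subscriber connectivity (slide caveat)."""
    core = [n for n, r in nodes.items() if r in ("publisher", "standby")]
    if len(core) < 2:
        raise ValueError("plan needs a publisher and a standby publisher")
    core += [n for n in promotable if nodes.get(n) == "subscriber"]
    leaves = [n for n, r in nodes.items()
              if r == "subscriber" and n not in core]
    flows = set()
    for a, b in product(core, core):          # publisher/standby full mesh
        if a != b:
            flows.update((a, b, proto, port) for proto, port in CLUSTER_PORTS)
    for s, p in product(leaves, core):        # leaf subscribers <-> core only
        for proto, port in CLUSTER_PORTS:
            flows.add((s, p, proto, port))
            flows.add((p, s, proto, port))
    return flows

def blocked_flows(nodes, allowed, promotable=()):
    """Flows the cluster needs that an allow-list (same tuple form) lacks."""
    return sorted(required_flows(nodes, promotable) - set(allowed))

if __name__ == "__main__":
    # Constructed sample plan: central publisher/standby plus two subscribers.
    plan = {"cppm-pub": "publisher", "cppm-stby": "standby",
            "cppm-site1": "subscriber", "cppm-site2": "subscriber"}
    fw = {("cppm-site1", "cppm-pub", "tcp", 5432)}   # what the firewall allows today
    for flow in blocked_flows(plan, fw):
        print("missing rule: %s -> %s %s/%d" % flow)
```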
11.
ClearPass Cluster
Active Directory (AD) integration
• Join nodes to AD for MSCHAPv2
• Can join multiple independent AD domains
• Deploy nodes close to AD domain controllers
• Can override AD Password Servers
12.
ClearPass Cluster
Publisher failure
[Diagram: Publisher, Standby, Subscriber, Subscriber]
• Subscribers handle authentication requests
• Standby node detects failure and promotes to publisher
• Following operations are affected:
  • Policy Manager and Guest configuration / provisioning
  • Guest, Onboard and Endpoint updates
13.
ClearPass Cluster
Upgrade
• Publisher upgrades first
• Subscribers join back post upgrade
• Use the Cluster Upgrade Tool (CUT) *additional details later
• Plan for sufficient downtime
15.
ClearPass Zones
[Diagram: Publisher with two zones, Zone A and Zone B, each holding Subscribers; one Subscriber per zone is marked P (Profile master node in zone). Profile Inputs (DHCP, HTTP UA etc.) arriving at any Subscriber are proxied to the profile master node of that zone, which sends the DB update to the Publisher.]
24.
Monitoring
iDRAC7
ClearPass customers running on the CP 25K server can take advantage of the Integrated Remote Access Controller (iDRAC7) remote management features. The iDRAC7 allows administrators to monitor, manage, update, troubleshoot, and remediate CP 25K servers from any location.
25.
Monitoring
ClearPass Syslog
ClearPass user interfaces enable ClearPass administrators to view Authentication, Authorization, Accounting, and System events. ClearPass has the capability to store these messages, encapsulate them and retransmit them as RFC 5424 compliant Syslog messages to any Syslog Receiver. ClearPass can also format Syslog messages in Log Event Extended Format (LEEF) and Common Event Format (CEF).
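A receiver that ingests these messages has to peel off the RFC 5424 header before it can read the CEF or LEEF body. The parser below is an added example, not ClearPass code: the sample lines are constructed, and the vendor, product and extension field names in them are illustrative rather than ClearPass's actual schema.

```python
import re

# Added example, not ClearPass code: split an RFC 5424 syslog line into its
# header fields and decode a CEF or LEEF payload of the kind ClearPass can emit.
_HDR = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) "
                  r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
                  r"(?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$", re.S)

def parse_rfc5424(line):
    m = _HDR.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:40])
    hdr = m.groupdict()
    hdr["facility"], hdr["severity"] = divmod(int(hdr.pop("pri")), 8)
    return hdr

def parse_cef(msg):
    # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...
    fields = re.split(r"(?<!\\)\|", msg[len("CEF:"):], maxsplit=7)   # "\|" is a literal pipe
    if len(fields) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    keys = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
    event = {k: v.replace("\\|", "|") for k, v in zip(keys, fields)}
    # an extension value runs until the next " key=" token, so embedded spaces survive
    event["ext"] = {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", fields[7])}
    return event

def parse_leef(msg):
    # LEEF:Version|Vendor|Product|Version|EventID|key=value<TAB>key=value ...
    # (LEEF 1.0 layout; a LEEF 2.0 line may carry an extra delimiter field, not handled here)
    fields = msg[len("LEEF:"):].split("|")
    if len(fields) < 6:
        raise ValueError("LEEF header must have five pipe-separated fields")
    event = dict(zip(("leef_version", "vendor", "product", "version", "event_id"), fields))
    event["ext"] = dict(kv.split("=", 1) for kv in "|".join(fields[5:]).split("\t") if "=" in kv)
    return event

def parse_line(line):
    hdr = parse_rfc5424(line)
    msg = hdr["msg"]
    decoder = parse_cef if msg.startswith("CEF:") else parse_leef if msg.startswith("LEEF:") else None
    return {"header": hdr, "event": decoder(msg) if decoder else {"raw": msg}}

# Constructed sample lines; field names are illustrative, not ClearPass's own schema.
CEF_SAMPLE = ("<14>1 2016-03-10T12:00:00Z cppm-pub01 ClearPass - - - "
              "CEF:0|Aruba Networks|ClearPass|6.5|1|Session Log|1|"
              "src=10.0.0.5 suser=alice outcome=ACCEPT")
LEEF_SAMPLE = ("<14>1 2016-03-10T12:00:01Z cppm-sub02 ClearPass - - - "
               "LEEF:1.0|Aruba Networks|ClearPass|6.5|Session Log|src=10.0.0.5\tsuser=bob")
```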
26.
Monitoring
ClearPass SNMP
ClearPass has a Private Enterprise SNMP MIB exposing 70+ OIDs covering:
• System information
• Authentication counters
• Authorization counters
• Network traffic counters
• Traps for various system and application events
27.
Monitoring
ClearPass Insight
ClearPass Insight is an advanced application that delivers enhanced analytics, in-depth reporting, and alerting. Insight provides the ability to track detailed authentication records and audit trails, and to develop systematic reports on network-access trends.
• Consolidated Reporting
• In-depth Analytics
• Ready-to-use Templates
• Alerts
33.
Operations
Cluster Upgrade Tool (CUT)
The Cluster Upgrade Tool is a simple user interface that automates the upgrade procedure for a ClearPass cluster.
What does it do?
• Helps administrators upgrade multi node clusters (large or small)
• Task automation, reduces operational overhead and time
• Provides pre/post upgrade checks to flag/fix potential issues and ensure cluster health
Technical Details
• Available as a patch for Publishers running 6.2.6, 6.3.x, 6.4.x
• Software images distributed from publisher to subscribers
• Database lock time reduced to minutes versus hours
• Upgrade multiple subscribers simultaneously
• Does not upgrade patches (roadmap feature)
34.
Operations
Cluster Upgrade Tool (CUT)
Customized upgrade models: choose all or a subset of subscribers. If all are chosen they will be started after the Publisher completes, staggering start times every 5 minutes.
View of the entire process as well as access to individual drilldown logging for the Publisher and each Subscriber.
35.
Operations
ClearPass Exchange
Leverage ClearPass Exchange to integrate with existing Enterprise management systems.
• MDM / EMM solutions
• Messaging and / or escalation platforms
• Helpdesk and trouble ticketing solutions
• Log management/retention systems (syslog)
• Network security / compliance engines (bi-directional)
36.
Operations
Backups
ClearPass Policy Manager provides the ability to push scheduled data backups securely to an external server. You can push the data using the SFTP and SCP protocols.
37.
Operations
Log collection
When you need to review performance or troubleshoot issues in detail, Policy Manager can compile and save transactional and diagnostic data into several log files. These files are saved in Local Shared Folders and can be downloaded to your computer.
38.
Operations
Log Configuration
From the Log Configuration menu, you can view and change the verbosity of the data collected into the Log Files.
Available levels include:
• DEBUG
• INFO
• WARN
• ERROR
• FATAL
39.
Operations
Remote Assistance
Remote Assistance enables the ClearPass administrator to allow an Aruba Networks support engineer to remotely log in to the ClearPass server using Secure Shell (SSH) and also view the UI, either to debug any issues the customer is facing or to perform proactive monitoring of the server.
41.
Enterprise ClearPass Deployment
Design Phase
• Identify individual use cases
• Determine necessary ClearPass Policy Manager (CPPM) Modules
• Discover/Determine Customer Environments
  • Regional Data Centers
  • Estimated number of Endpoints per region
• Define Initial CPPM Cluster Architecture
• Define Licensing requirements
[Phase flow: Use Case Analysis (Design) → Planning and Pilot → Design Modifications → Production Roll out]
42.
Enterprise ClearPass Deployment
Planning/Pilot Phase
• Develop draft roll out plan for Enterprise
• Develop communications plan for notifying End Users
• Identify pilot locations to meet criteria set in Use Cases
• Leverage environment as close to production for pilot testing
• Capture pilot results
43.
Enterprise ClearPass Deployment
Design Modification Phase
• Analyze pilot results to determine effectiveness of CPPM Modules based on Use Case requirements
• Adjust Architecture Design as necessary
  • Additional or missed backend business processes identified
  • Discovery of new or unexpected environment elements
    • Endpoint devices
    • Infrastructure obstacles
44.
Enterprise ClearPass Deployment
Production Roll out Phase
• Adjust deployment plan for production roll out
• Begin communication plan to end users with expected changes
• Execute deployment according to schedule
45.
Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is.
Share your results with friends and receive a free superpower t-shirt.
www.arubatitans.com
46. Thank you
Venkatraju T V – venkatraju@hpe.com
Steve Eubanks – steve.eubanks@hpe.com
Drew Wyskida – drew.wyskida@hpe.com
Cluster for scale and redundancy
One Publisher, multiple subscribers
Writes allowed only on the publisher
Publisher is typically the single point for all management operations
Always set up a Standby that will take over the publisher role on publisher failure
Insight – cluster-wide reporting, analytics and alerts
- Most deployments should enable Insight on two nodes in the cluster for fault-tolerance
- Insight data is duplicated (not replicated). All ClearPass nodes in the cluster stream events to all nodes in the cluster
- Insight is not “Zone” aware
- Typical deployment: enable Insight on Publisher and Subscriber
- Limit use of Insight database as an authorization source where possible
- The node designated as “Insight master” generates reports and alerts
Each ClearPass node must be joined to the Active Directory domain for EAP-PEAP MSCHAPv2 authentications
Nodes can be joined to multiple independent AD forests or domains
Deploy ClearPass nodes close to AD domain controllers and join to local AD
Configure AD Password Servers for each node to use a local/nearby AD domain controller
Publisher upgrades first
Subscribers join back post upgrade
Plan adequate downtime depending on DB size, number of nodes and nature of deployment
Use the Cluster Upgrade Tool (CUT) to automate upgrade workflow
Zone:
Groups of nodes can be assigned to a “Zone”. Zones are typically geographic boundaries.
Cache replication is limited to nodes within a zone
Other features like Profile and OnGuard are also affected by Zone definition
Profile: classifies endpoints using attributes obtained from software components called “Collectors”
Profile nodes form temporary clusters per zone:
A master node is elected per zone
Any node in the cluster can handle incoming profile data (e.g. any node can be set up to receive DHCP traffic)
All nodes in the zone proxy profiling requests to current active master
Master correlates profile information, runs profile rules and updates Publisher DB
Updated profile information from publisher DB replicates to all nodes in the cluster (config DB replication)
* Simplest and most convenient deployment
* All nodes in the cluster are in the same location / data center
* Nodes are connected by low latency, high bandwidth network links
Typical deployment: Large university
Multiple locations, possibly connected by high latency network links
Publisher and Standby in a central location
One or more nodes at each location based on capacity and redundancy requirements
Each location is configured as a Zone
Recommendation: Deploy ClearPass nodes close to authentication source.
Recommendation: Whitelist ClearPass traffic in WAN accelerators / firewalls between nodes
Multiple independent clusters
Con: Multiple independent points for configuration and reporting
One cluster could use another cluster as an Authentication source
Use cases:
Functional clusters: Ex. Separate AAA and Guest cluster; HCG cluster and AAA cluster
Regional clusters: Cluster per region / location
Large clusters: Recommend limiting cluster size to 30 nodes
Recommend latency of <200ms between nodes in a cluster
ClearPass Access Tracker, Audit Viewer and Event Viewer user interfaces enable ClearPass administrators to view Authentication, Authorization, Accounting, and System events. ClearPass has the capability to store these messages, encapsulate them and retransmit them as RFC 5424 compliant Syslog messages to any Syslog Receiver. ClearPass can also format Syslog messages in Log Event Extended Format (LEEF) and Common Event Format (CEF).
Policy Manager sends SNMP traps that expose the following server information:
System up-time: reports how long the system has been running.
Network interface statistics [up/down]: reports whether a network interface is up or down.
Process monitoring information: checks that the processes which should be running are running, and sends a trap when the process count changes with respect to the configured maximum and minimum values.
Disk usage: checks the disk space used on a partition; the agent verifies that the available disk space stays above the set limit.
CPU load information: checks for unreasonable load-average values. For example, if the 1-minute CPU load average exceeds the configured value [in percentage], the system sends a trap to the configured destination.
Memory usage: reports the memory usage of the system.
ClearPass Insight is an advanced application that delivers enhanced analytics, in-depth reporting, and alerting. Insight provides the ability to track detailed authentication records and audit trails, and to develop systematic reports on network-access trends.
Additional features associated with Insight are described below.
Consolidated Reporting. Insight is capable of aggregating data from multiple Policy Manager appliances, or external stores, containing archived network access logs. It presents a powerful combination of near real-time analytics, as well as the ability to look into the past to satisfy historical analysis and compliance needs.
In-depth Analytics. Insight uses a powerful analytics engine that mines network access logs in order to generate trending reports on various parameters. Network managers can use these trends to get an overview of authentication and access activity, elaborate client access distribution and load averages, and analyze authentication traffic flow through various network devices.
Ready-to-use Templates. Insight includes several ready-to-use templates that help reduce the time associated with creating custom reports. The templates guide users through the process of capturing data for a number of use cases with minimal configuration.
Alerts. Insight can generate near real-time alerts on anomalous network activity. Network managers can configure alerts based on a number of various parameters. Alerts can be delivered via SMS or e-mail notification to multiple recipients to prompt action.
Contest Overview
- Aruba is running a marketing campaign where we ask “What is your IT superpower?”
- Go to arubatitans.com to take a quick quiz to discover your superpower.
- Share your results with friends and encourage others to play the game
- Once you share, go to the Social and Community Hub, Gracia Commons, 3rd floor, to pick up your free superpower shirt.
FAQ
1. What do I have to do to get a shirt?
Share your IT superpower results with friends and encourage them to play the game. Then come to the Social & Community Hub, 3rd Floor Gracia Commons to pick up your shirt. We just need your name and badge for verification.
2. Where do I get my shirt?
Come to the #ATM16 Social & Community hub located at Gracia Commons on the 3rd Floor
3. Do I have to be at the event to get the shirt?
Yes. You have to be at #ATM16 to get a shirt.
4. Can I get my colleague a shirt? He/she is in a session right now.
Unfortunately not. We encourage your colleague to participate so that they can win a shirt for themselves.
5. Can I bring a shirt home for my colleague?
Unfortunately not. You have to be at #ATM16 to get a shirt.
6. You don’t have a shirt in my size, can you ship the right size to me later?
Unfortunately not. Please select the best size from our inventory on site.