Aruba ClearPass

Maximising High Availability in Aruba ClearPass with Two VIPs


Introduction

High availability (HA) and seamless failover are critical for modern network authentication. In Aruba ClearPass, a VIP (Virtual IP) ensures IP redundancy in clustered Publisher/Subscriber deployments. The VIP allows multiple ClearPass Policy Manager (CPPM) nodes to act as a single endpoint for client devices, maintaining service continuity even if one node fails. To manage Layer 2 redundancy, ClearPass uses UCARP, a Linux-based implementation of CARP (Common Address Redundancy Protocol) originally developed for BSD systems.

Typically, administrators configure a single VIP when deploying ClearPass clusters. One node becomes the primary server, actively responding to authentication requests, while the other node is the secondary server, ready to take over if the primary fails. A single VIP solution is widely used across IT systems for load balancing and failover.

The Case for Two VIPs

What if I told you that assigning two VIPs in ClearPass could improve performance, redundancy, and maintenance workflows? I discovered this approach while watching Herman Robers’ ClearPass Workshop series on YouTube several years ago. After successfully implementing it in a customer deployment back then, I’ve now adopted it as best practice.

The idea is simple: create a second VIP and reverse the roles of the nodes! For the second VIP, the node acting as the primary for the first VIP becomes the secondary, and vice versa. Here’s a diagram to illustrate the concept:

Aruba ClearPass cluster showing flow using two VIPs for HA.

A ClearPass cluster with two VIPs has the following advantages over a cluster with one VIP:

Active-Active Participation

With two VIPs, each node has a clear active role (primary for one VIP, secondary for the other). This ensures both nodes can be utilised under normal conditions, rather than having one node sit idle waiting for a failure.

Improved Redundancy

Each VIP can fail over independently. If one ClearPass node goes down, the other node takes over both VIPs. This is the biggest benefit for me. The UCARP service quickly promotes the remaining ClearPass node to the primary role for both IPs, with no IP failure detected on the Network Access Devices (NADs). This method is more reliable than most NAD dead server detection methods. It also ensures that all NADs fail over to the second ClearPass server simultaneously, avoiding staggered transitions.

Aruba ClearPass cluster showing flow during a server failure using two VIPs for HA.

Load Balancing

Authentication traffic can be split between the two VIPs, balancing the workload across both nodes. This is particularly valuable in high-traffic environments where a single VIP might overload one node. On NADs that support load balancing, you can configure them to distribute traffic between the two VIPs. Otherwise, achieving load balancing requires pointing NADs to the real IP addresses of the two ClearPass servers, which relies on NAD dead server detection mechanisms. While network load balancers like F5 BIG-IP or Citrix ADC can be used, they are beyond the scope of this post.

Proactive Maintenance

When upgrading or rebooting a ClearPass node, the secondary node proactively assumes the primary role for the rebooting node's VIP, minimising downtime and user impact. This setup even allows you to remove and replace a ClearPass server in the cluster without the network and its clients noticing.

Network Access Device (NAD) Considerations

When configuring NADs to work with ClearPass, it’s essential to consider how they handle RADIUS or TACACS requests and failover. The configuration approach depends on the NAD’s capabilities.

    • Supports Multiple IPs: Point NADs to both ClearPass VIPs for redundancy. If one server fails, the other takes over both IPs.
    • Load Balancing Support: Enable load balancing or round robin features, if available, to distribute authentication requests between the two VIPs. Note that UCARP does not handle load balancing.
    • Single RADIUS/TACACS IP: Use one of the two VIPs. Alternatively, split NAD configurations so half the network uses one VIP as primary and the other half uses the second VIP. This approach balances authentication traffic and works well in environments with grouping options for site, network, or role-specific configurations, such as Aruba Central or Meraki networks.
    • Accounting Traffic: Configure NADs to send RADIUS and TACACS accounting traffic to the same VIPs used for authentication. This ensures consistency and simplifies troubleshooting.
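To make the role reversal and the failover behaviour concrete, here is a small model of the cluster described in "The Case for Two VIPs" together with the NAD split suggested in the list above. This is an added example, not ClearPass or UCARP code: it applies the CARP/UCARP election rule that the article relies on (for each VIP every node advertises with an advskew value, the live node with the lowest advskew holds the VIP, and with preemption a recovered primary reclaims it). The node names, VIP addresses and switch names are constructed for the illustration.

```python
"""Model of VIP ownership in a two-node ClearPass cluster with two VIPs.

Added example; not ClearPass or UCARP code. Election rule: per VIP, each
node has an advskew; the live node with the lowest advskew owns the VIP
(lower wins, as with ucarp's --advskew), and a recovered node preempts.
All names and addresses below are constructed placeholders.
"""
from itertools import cycle


class Cluster:
    def __init__(self, nodes):
        self.nodes = set(nodes)
        self.down = set()
        self.vips = {}  # VIP address -> {node: advskew}

    def add_vip(self, address, advskew):
        """Register a VIP with one advskew per node (every node must be listed)."""
        assert set(advskew) == self.nodes
        self.vips[address] = dict(advskew)

    def owner(self, address):
        """Live node with the lowest advskew for this VIP, or None if all are down."""
        alive = {n: s for n, s in self.vips[address].items() if n not in self.down}
        if not alive:
            return None
        return min(alive, key=lambda n: (alive[n], n))

    def ownership(self):
        return {vip: self.owner(vip) for vip in self.vips}

    def idle_nodes(self):
        """Live nodes that hold no VIP: capacity sitting unused until a failure."""
        return self.nodes - self.down - set(self.ownership().values())

    def fail(self, node):
        self.down.add(node)

    def recover(self, node):
        self.down.discard(node)


def dual_vip_cluster(node_a="cppm-1", node_b="cppm-2",
                     vip1="10.0.0.10", vip2="10.0.0.11"):
    """Two VIPs with reversed roles: node_a is primary for vip1, node_b for vip2."""
    c = Cluster([node_a, node_b])
    c.add_vip(vip1, {node_a: 0, node_b: 100})
    c.add_vip(vip2, {node_a: 100, node_b: 0})
    return c


def single_vip_cluster(node_a="cppm-1", node_b="cppm-2", vip1="10.0.0.10"):
    """Conventional single-VIP cluster for comparison: node_b waits idle."""
    c = Cluster([node_a, node_b])
    c.add_vip(vip1, {node_a: 0, node_b: 100})
    return c


def split_nads(nads, vips):
    """Alternate which VIP each NAD lists first, so authentication load is
    spread across both VIPs while every NAD still lists both addresses."""
    order = {}
    for nad, first in zip(nads, cycle(range(len(vips)))):
        order[nad] = vips[first:] + vips[:first]
    return order


def effective_server(cluster, server_list):
    """First VIP in a NAD's server list that some node currently answers on."""
    for vip in server_list:
        node = cluster.owner(vip)
        if node is not None:
            return vip, node
    return None


if __name__ == "__main__":
    cluster = dual_vip_cluster()
    print("normal:", cluster.ownership(), "idle:", cluster.idle_nodes())
    cluster.fail("cppm-1")              # node failure or maintenance reboot
    print("cppm-1 down:", cluster.ownership())
    cluster.recover("cppm-1")           # preemption returns vip1 to cppm-1
    print("recovered:", cluster.ownership())
    nads = split_nads(["sw-1", "sw-2", "sw-3"], ["10.0.0.10", "10.0.0.11"])
    cluster.fail("cppm-2")
    for nad, servers in nads.items():
        print(nad, servers, "->", effective_server(cluster, servers))
```

The last loop shows the point made under "Improved Redundancy": after a node failure every NAD's first-listed VIP still answers, so the NAD never has to mark a server dead and fall through to its second entry.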

Monitoring and Testing

    • Set up monitoring on NADs to track RADIUS/TACACS server health where available. This allows proactive detection of issues and prevents reliance on IP failover mechanisms alone.
    • Periodically test failover and redundancy configurations by simulating ClearPass node failures. This confirms NAD behaviour and ensures uninterrupted service.
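Where a NAD cannot monitor server health itself, the check can be run from a management host instead. The following added example (not ClearPass code) sends a RADIUS Status-Server request (RFC 5997) to each VIP, carrying the Message-Authenticator the RFC requires, and accepts the server as healthy only if the reply's Response Authenticator verifies under the shared secret, so a mis-keyed or forged answer is not counted as a live server. The VIP addresses, port and shared secret are placeholders; the `make_reply` helper exists only so the verification can be exercised offline.

```python
"""RADIUS Status-Server (RFC 5997) probe for checking that a VIP answers.

Added example, not ClearPass code. Secret, addresses and port are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
ACCOUNTING_RESPONSE = 5
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 3579)


def build_status_server(secret, identifier, authenticator=None):
    """Return a Status-Server packet. Message-Authenticator is HMAC-MD5 over
    the whole packet with that attribute's value zeroed (RFC 3579 section 3.2)."""
    if authenticator is None:
        authenticator = os.urandom(16)
    length = 20 + 18  # header + Message-Authenticator attribute
    header = struct.pack("!BBH", STATUS_SERVER, identifier, length) + authenticator
    attr_head = bytes([MESSAGE_AUTHENTICATOR, 18])
    mac = hmac.new(secret, header + attr_head + b"\x00" * 16, hashlib.md5).digest()
    return header + attr_head + mac


def verify_response(secret, request_authenticator, reply, identifier):
    """Check a reply's Response Authenticator, which RFC 2865 section 3 defines as
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != identifier or length != len(reply):
        return False
    if code not in (ACCESS_ACCEPT, ACCOUNTING_RESPONSE):  # valid Status-Server answers
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def make_reply(secret, request_authenticator, identifier, code=ACCESS_ACCEPT, attributes=b""):
    """Construct a well-formed reply the way a server would (used for offline checks)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(head + request_authenticator + attributes + secret).digest()
    return head + resp_auth + attributes


def probe_vip(vip, secret, port=1812, timeout=2.0):
    """Send one Status-Server to `vip`; True only on an authentic, matching reply."""
    identifier = os.urandom(1)[0]
    authenticator = os.urandom(16)
    packet = build_status_server(secret, identifier, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (vip, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(secret, authenticator, reply, identifier)


if __name__ == "__main__":
    SECRET = b"placeholder-shared-secret"          # placeholder, not a real secret
    for vip in ("10.0.0.10", "10.0.0.11"):         # placeholder VIP addresses
        print(vip, "OK" if probe_vip(vip, SECRET) else "no authentic reply")
```

Run it against both VIPs before and during a simulated node failure: both probes should keep succeeding while the surviving node holds both addresses, which is the behaviour the failover test above is meant to confirm.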

Final Thoughts

Using two VIPs in Aruba ClearPass deployments offers tangible benefits in redundancy, performance, and maintenance flexibility. While it adds some configuration complexity, the advantages far outweigh the effort, especially in medium-to-large environments or high-traffic networks.

If you’re designing or optimising a ClearPass deployment, consider this dual VIP approach to maximise the potential of your HA setup.

For more ClearPass tips, check out my other posts on wifiwizardofoz.com. Let me know your thoughts or share your experiences with dual VIP setups in the comments!
