Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Cluster-Wide Parameters
This section describes the following features:
In ClearPass 6.11.0 and later, the maximum single cluster size is 32 servers. This includes the publisher, standby publisher, subscribers, dedicated insight server, and standby insight servers.
General Parameters
You can configure the parameters that apply to all the nodes in a Policy Manager cluster by configuring the Cluster-Wide Parameters. To configure the Cluster-Wide parameters:
1. Navigate to the > > page.
2. Select the link. The page opens to the page:
Figure 1 Cluster-Wide Parameters > General Page
3. Configure the Cluster-Wide Parameters > General parameters as described in the following table, then click .
Parameter |
Action/Description |
Policy result cache timeout |
Specify the duration allowed in minutes to store the role mapping and posture results derived by the policy engine during a policy evaluation. A value of disables caching. This result can then be used in subsequent evaluation of policies associated with a service, if the option is turned on for the service. The value of the field must be greater than the highest value set in the fields. |
Free disk space threshold value (Aggressive cleanup starts at 10% below this value) |
Specify the percentage below which disk usage warnings are issued in the > page. For example, a default value of 30% indicates a warning is issued when the available disk space is 30% or lower. However, an aggressive cleanup is triggered when the available disk space drops below 20% (the 30% default value minus an additional 10%). The additional 10% is the hard-coded threshold delta applied as part of an aggressive cleanup operation. |
Free memory threshold value |
Specify the percentage below which RAM usage warnings are issued in the Policy Manager Event Viewer. For example, a value of 30% indicates that a warning is issued only when the available RAM is 30% or lower. |
Endpoint Context Servers polling interval |
Enter the interval in minutes between polling of endpoint context servers, between 1 and 10,500 minutes. (10,500 minutes is 175 hours, or a bit more than a week). The default interval is . |
Endpoint Context Servers polling start time |
Specify the Endpoint Context Servers polling start time in HH:mm:ss format. |
Syslog Export Interval |
This parameter provides the ability to configure a Syslog messaging batch interval. The default value is 120 seconds. The supported interval value is between 30 seconds to 120 seconds. The interval specified for this parameter is applied to all appliances in a cluster and to all the Syslog Export Filters that are in the enabled state. For related information, see Syslog Export Filters. |
Automatically check for available Software Updates |
Specify whether to enable automatic checking for available software updates. The default is . For related information, see Software Updates. |
Automatically download Posture Signature and Windows Hotfixes Updates |
Specify whether to automatically download and install Posture Signature and Windows Hotfixes Updates. The default is . For related information, see Software Updates. |
Automatically download minor updates for Extensions |
Set this parameter to TRUE to download micro-services that can run on top of the ClearPass platform and provide access to some features not yet part of the current ClearPass version. The default is . |
Automatically download Endpoint Profile Fingerprints |
Specify whether to automatically download Endpoint Profile Fingerprints. The default is . For related information, see Software Updates. |
Force Enable User |
Set this parameter to TRUE to require user consent before login. Once set to True, a banner displays requiring the user to select I agree to the terms and conditions and then click Proceed before continuing to the login. |
Login Banner Text |
Customize the banner text that appears on the Policy Manager login screen and CLI access window. By default, if the login banner text and forced user acknowledgment are configured for Policy Manager, they are also displayed in ClearPass Guest operator logins and guest registrations. If you do not want these displayed in Guest logins and registrations, go to Guest > Administration > Operator Logins > Login Configuration. Under Banner Options, deselect the Login Banner check box. |
Cluster Communication Mode |
Policy Manager allows the Cluster Communication Mode to be set to IPv4 or IPv6. If this parameter is set to IPv6, all database and API calls use IPv6 addresses for cluster communication. If it is set to IPv4, database and API calls use IPv4 instead. The default value depends on the IP address configured on the appliance during installation or upgrade: if the appliance has only an IPv6 address, the default cluster communication mode is IPv6; if the appliance has both IPv4 and IPv6 addresses configured, or only an IPv4 address, the default is IPv4.
Whenever the cluster communication mode is changed, the following validations are performed: Configuration checks to verify an IP address in the correct format is configured for the interface. Certificate checks to verify the database certificates have the correct IP address in the SAN field. Certificate checks to verify the HTTPS certificates have the correct IP address in the SAN field. For more information on setting the Cluster Communication Mode and the conditions for using IPv4 and IPv6 formatted IP addresses, go to Setting the Cluster Communication Mode.
You can only use the command to reset an IPv4 or IPv6 management port address if the cluster communication mode is set to the other IP address format. For example, you cannot reset a management port IPv4 address unless the cluster communication mode is set to IPv6.
In a cluster with both IPv4 and IPv6 addresses (dual stack) configured on the management interface of every appliance, the ClearPass Zone Cache service always uses the IPv4 management address to keep the cache of each appliance synchronized across the cluster. The ClearPass Zone Cache service does not use the IPv6 management address for synchronization even when the cluster communication mode parameter is set to IPv6 in a dual-stack scenario.
In a cluster using self-signed certificates, if the management IP address is changed the database certificate does not need to be regenerated manually: generation of the database certificate and the restart of backend services are automatic. There may be a delay of up to 10 minutes while backend services are restarted and configuration updates and replication setup are re-established. This applies only to clusters with self-signed certificates, not to clusters with CA-signed certificates. |
Allow Concurrent Admin Login |
When this parameter is enabled (the default setting), an Admin user can log in to the same Policy Manager server concurrently from either the same device or a different device. When it is disabled, and an Admin user logs into a Policy Manager server from one device and later logs into the same Policy Manager server from either the same device or a different device, the Admin user is logged out of all previous sessions on that Policy Manager server. When this occurs, the following message is displayed: You have been logged out of previous active session(s) |
Admin Session Idle Timeout |
Specify the maximum idle time permitted for admin users, beyond which the session times out. The default value is . The allowed range is to minutes (24 hours). |
CLI Session Idle Timeout |
Specify the maximum idle time permitted for CLI users, beyond which the session times out. The default value is . The allowed range is to minutes (24 hours). When this parameter is changed, the change takes effect when the client opens a new CLI session. Any active CLI sessions continue to use the old timeout setting; the sessions have to be disconnected and reconnected for the updated timeout value to take effect. Before performing operations from the appadmin CLI that take more than 15 minutes, such as make subscriber, drop subscriber, backup, restore, update, or upgrade, first change the value of the CLI Session Idle Timeout parameter to the amount of time required for the operation. |
Console Session Idle Timeout |
Specify the duration in minutes. The default value is . For an admin user connected to the console of the Policy Manager server, you must set the idle timeout for the console as well as for the CLI session. The value must be a valid integer (for example, a setting of 10.5 would not be valid). The range of valid values is from 5 to 1,440 minutes (24 hours). The Audit Viewer captures the details about changes to this parameter. |
Disable TLSv1.0 support |
On new Policy Manager installations, TLS 1.0 is disabled by default, so the default setting is All. To modify TLS v1.0 support, select one of the following options: None, Admin, Network, or All.
Users cannot change into Common Criteria (CC) mode while the Disable TLSv1.0 parameter is set to None; this parameter must be set to All for CC mode. TLS 1.0 is deprecated (RFC 8996), so leave this parameter at its default unless a specific legacy client still requires the older protocol.
Beginning with the ClearPass 6.11 release, the ClearPass OpenSSL cryptography library does not support TLS 1.0 when FIPS mode is enabled. As part of this change, the Disable TLSv1.0 support parameter is not configurable and is hidden within the Cluster-Wide Parameters when FIPS mode is enabled. |
Disable TLSv1.3 support |
To modify TLS v1.3 support, select one of the following options:
None: Enables TLSv1.3 communication for all servers. On new ClearPass installations, this is the default setting. When TLSv1.3 is enabled it is used as the preferred connection for systems that support it, and can be used for post-handshake authentications. If a system does not support TLSv1.3, TLSv1.2 or v1.1 is automatically used instead.
Admin: Disables TLSv1.3 for all servers. On upgraded ClearPass servers, this is the default setting. This setting must be used where client certificate-based authentications with SSO, OnGuard, or downloadable user roles are configured, as those do not work with TLSv1.3. Having Admin (TLSv1.3 disabled) as the default setting for upgraded servers ensures that if any of those configurations are present, the TLS setting does not interfere with them. |
Disable TLSv1.1 support |
On new Policy Manager installations, TLS 1.1 is disabled by default, so the default setting is All. To modify TLS v1.1 support, select one of the following options: None, Admin, Network, or All.
Clusters in Common Criteria (CC) mode can have a value of None, so TLSv1.1 is enabled on all devices. None is also the default setting for clusters upgrading to Policy Manager 6.10; like TLS 1.0, TLS 1.1 is deprecated (RFC 8996), so review this value after an upgrade.
Beginning with the ClearPass 6.11 release, the ClearPass OpenSSL cryptography library does not support TLS 1.1 when FIPS mode is enabled. As part of this change, the Disable TLSv1.1 support option is hidden within the Cluster-Wide Parameters when FIPS mode is enabled. |
Content Security Policy (CSP) |
When enabled, Content Security Policy (CSP) has a significant impact on the way browsers render pages (for example, inline JavaScript is disabled by default and must be explicitly allowed in the Content Security Policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. |
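As an added example, not code from this page or from the ClearPass product: the Python checker below parses a CSP header and reports whether an inline script would run under it, including the case where a nonce or hash source makes browsers ignore 'unsafe-inline', and computes the sha256 hash-source needed to allow one specific inline script. All header strings and script bodies are constructed samples.

```python
"""Check whether a Content-Security-Policy lets inline scripts run.

Added example (not ClearPass code). With CSP enforced, an inline <script> is
blocked unless the policy allows it with 'unsafe-inline', a matching nonce,
or a matching hash. All header strings used here are constructed samples.
"""
from __future__ import annotations

import base64
import hashlib
import re

# CSP Level 2/3 nonce-source and hash-source keywords, quoted as they appear in headers.
_NONCE_OR_HASH = re.compile(
    r"^'(?:nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, names
    case-insensitive. If a directive appears twice, browsers keep the first
    and ignore the rest, so this parser does the same.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs inline scripts; default-src is the fallback.

    None means nothing in the policy restricts scripts at all.
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def script_hash_source(script_body: str) -> str:
    """Hash-source that allows exactly this inline script text.

    The hash covers the bytes between <script> and </script>, byte for byte,
    so any whitespace change to the script invalidates it.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_scripts_allowed(header: str) -> bool:
    """True if an arbitrary inline <script> (no nonce, no hash) would execute.

    'unsafe-inline' re-enables inline script, but a CSP2+ browser ignores it
    as soon as a nonce- or hash-source is present in the same directive.
    """
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True
    has_nonce_or_hash = any(_NONCE_OR_HASH.match(s) for s in sources)
    has_unsafe_inline = any(s.lower() == "'unsafe-inline'" for s in sources)
    return has_unsafe_inline and not has_nonce_or_hash


def inline_script_executes(header: str, script_body: str) -> bool:
    """Would this specific inline script run under the policy?"""
    sources = effective_script_sources(parse_csp(header))
    if sources is None or inline_scripts_allowed(header):
        return True
    return script_hash_source(script_body) in sources


if __name__ == "__main__":
    # Constructed sample policies, from permissive to strict.
    samples = {
        "no script restriction": "img-src 'self'",
        "inline re-enabled": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "strict": "default-src 'self'",
        "nonce overrides unsafe-inline": "script-src 'nonce-r4nd0m' 'unsafe-inline'",
    }
    for label, hdr in samples.items():
        print(f"{label:32} inline allowed: {inline_scripts_allowed(hdr)}")
    body = "document.title = 'ready';"
    strict_with_hash = "script-src 'self' " + script_hash_source(body)
    print("hashed script runs:", inline_script_executes(strict_with_hash, body))
    print("other inline runs: ", inline_script_executes(strict_with_hash, "alert(1)"))
```

The practical point for an administrator turning CSP on: any page customisation that embeds script inline will stop working unless its exact text is hashed into the policy or a nonce is issued per response; adding 'unsafe-inline' instead gives back most of the XSS exposure CSP was enabled to remove.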
Allowed SSH Modes |
When you specify a particular cipher mode, all Policy Manager servers in the cluster accept only SSH connections that use that cipher mode. Select one of the following to specify the SSH cipher mode: AES-CBC, AES-CTR, AES-GCM, or All. Of these, AES-GCM and AES-CTR are the preferred choices; AES-CBC is a legacy mode and should be selected only when an older SSH client cannot negotiate anything else.
Unlike legacy releases, ClearPass now allows AES-CBC, AES-CTR, AES-GCM, or All to be selected as the SSH cipher mode in FIPS mode. With previous ClearPass releases, the Allowed SSH Modes parameter was disabled when FIPS mode was enabled. |
Performance Monitor Rendering Port |
Specify the port for performance monitor rendering. The default value is . |
ICMPv6 Filters |
When the ICMPv6 Filters parameter is disabled (the default), Policy Manager responds to all ICMPv6 (Internet Control Message Protocol for IPv6) traffic. When the parameter is enabled, the following restrictions apply: Policy Manager does not respond to ICMPv6 traffic sent to an anycast or multicast address, and Policy Manager does not transmit ICMPv6 type-3 (Destination Unreachable) messages. Note that RFC 4443 assigns type 1 to Destination Unreachable and type 3 to Time Exceeded, so confirm on your build which message type is actually suppressed before relying on this behaviour. |
ClearPass Zone Cache Durability |
For the ClearPass Zone Cache to survive abrupt shutdowns, set this to or . The default value is . Enabling this feature might result in some performance degradation. |
Post-Authentication v2 |
When Post-Authentication v2 is enabled, it improves performance and scaling for post-authentication events when interoperating with third-party systems. This setting is enabled by default in IPv4-only, IPv6-only, or dual-stack (IPv4 and IPv6) mode. Post-Authentication v2 can still be disabled in IPv4-only mode. However, in an IPv6-only or dual-stack environment, disabling Post-Authentication v2 is not permitted.
The following additional restrictions apply: When you either enable or disable Post-Authentication v2, you must also manually restart the Async Network service. For more information on starting or stopping services, refer to Services Control Page. Post-Authentication v2 does not support Policy Manager Proxy. When defining a context server action, the following HTTP methods are supported: PATCH, DELETE, POST, GET, and PUT. |
Post-Authentication unsubscribes from the endpoint updates on Acct Stop |
When using post authentication for the NMAP trigger, enabling this option ensures endpoints are unsubscribed on an accounting stop. This ensures a payload is not sent to the NMAP service when the device reauthenticates and a different enforcement profile is applied. This option must be disabled for firewall integration in general, and must be disabled for dual stack or pure IPv6 if multiple IP addresses are expected. |
Post-Authentication v2 HTTP enforcement |
Administrators have the option to enable or disable Post-Authentication v2 HTTP enforcement when the Post-Authentication v2 parameter is enabled. Selecting Post-Authentication v2 HTTP enforcement lets administrators disable the Post-Authentication HTTP enforcement profile while the Session Notification Enforcement profile remains enabled. This can improve the scalability and performance of Post-Authentication v2 HTTP enforcement in some deployments. If Post-Authentication v2 is changed from Enable to Disable, Post-Authentication v2 HTTP enforcement automatically changes to Disable as well.
Certificate Based Authentication is supported for VMware AirWatch with Post-Authentication v2 HTTP Enforcement. To use this feature with AirWatch, both the Post-Authentication v2 and Post-Authentication v2 HTTP enforcement settings must be enabled from the Cluster-Wide Parameters > General tab. In addition, go to Administration > External Servers > Endpoint Context Servers > Server > Add, and select VMware AirWatch as the server type and Certificate as the authentication method. Lastly, go to Administration > Dictionaries > Context Server Actions > Add, and select VMware AirWatch as the server type and Certificate as the authentication method. |
EAP TLS Session Cache Policy |
ClearPass supports TLS session cache persistence for EAP-based authentications. Use the EAP TLS Session Cache Policy parameter to specify whether the session cache should persist in internal memory only, or in both memory and disk. The duration of the session persistence can also be configured. Select Internal+Disk for the user session to be read from disk, so re-authentication is not required before the configured session timeout. The default setting is Internal, which retains the previous behavior of periodically clearing the session cache when roaming.
To specify how long the session cache should be stored on disk, go to the Cleanup Intervals tab and enter the number of hours in the Parameter Value field for the TTL Stale TLS session in Disk parameter. The default value is 24 hours. |
Setting the Cluster Communication Mode
Cluster configuration operations (the CLI commands available under the cluster command section) support IPv4 or IPv6 communication depending on the cluster-wide parameter called the Cluster Communication Mode.
If set to IPv6, cluster replication, database connections, and internal API calls specific to the cluster operations listed above use an IPv6 address; otherwise they use IPv4.
The default Cluster Communication Mode depends on the IP address configured on the node at the time of an upgrade or install. If the node has only an IPv6 address, the default Cluster Communication Mode will be IPv6.
If both IPv4 and IPv6 addresses are configured, or if only an IPv4 address is configured, the default Cluster Communication Mode will be IPv4.
Keep in mind, the following modules are not supported for cluster communication using IPv6:
Zone cache (Battery/Redis)
Insight database communication
Admin UI features (Access Tracker, API calls, etc.)
License usage computation on Publisher
Async-netd Monitor (tracks the synchronization status of other modules)
Set the Cluster Communication Mode from either the ClearPass UI or the command line interface (CLI). To set the Cluster Communication Mode from the UI, go to Setting Cluster Wide Parameters.
To review the cluster specific commands supported by ClearPass, go to ClearPass Cluster Commands. For information on using the ClearPass command line to set the Cluster Communication mode, go to Cluster Communication Mode.
The Cluster Communication Mode performs three pre-checks to ensure cluster operations do not fail if the mode is changed. These pre-checks include:
1. Configuration checks - Ensure the IP address of a given format is configured on the interface.
2. Certificate checks for database - The database certs must have the correct IP address configured in the SAN field. Make sure the SAN field is updated to use the correct IP address format in the pattern DNS:<ip address>. Multiple IP addresses must be separated by a comma (,) delimiter. For example, DNS:<ipv6 address>, DNS:<ipv4 address>.
3. Certificate checks for HTTPS certs - The HTTPS certs must have the correct IP address configured in the SAN field. Make sure the SAN field is updated to use the correct IP address format in the pattern IP Address:<ip address>. Multiple IP addresses must be separated by a comma (,) delimiter. For example, DNS:<ipv6 address>, DNS:<ipv4 address>.
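The SAN pre-checks above are the ones most often tripped over after a mode change, because an IPv6 literal can be written several ways and a cert that "looks right" may still not list the address the node actually uses. The following is an added example, not ClearPass code: it takes the subjectAltName text in the comma-delimited form shown above (the same form `openssl x509 -noout -ext subjectAltName` prints), normalises every IP literal with Python's standard `ipaddress` module, and reports which of a node's configured addresses for the requested family are missing. The SAN string and node addresses are constructed sample values, and the function names are this example's own.

```python
import ipaddress

# Constructed sample SAN text in the form printed by
# `openssl x509 -noout -ext subjectAltName`; not taken from a real ClearPass node.
SAMPLE_SAN = ("DNS:cppm-node1.example.test, IP Address:192.0.2.10, "
              "IP Address:2001:DB8:0:0:0:0:0:10, DNS:2001:db8::10")


def parse_san(san_text):
    """Split a comma-delimited SAN string into (type, value) pairs.

    Splitting on the first ':' keeps IPv6 literals intact, since the type
    ('DNS', 'IP Address') never contains a colon.
    """
    entries = []
    for raw in san_text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        kind, _, value = raw.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def san_ip_literals(san_text):
    """Return the IP addresses present in the SAN as normalised ipaddress objects.

    Both 'IP Address:' and 'DNS:' entries are considered because the page shows
    both patterns; normalising means 2001:DB8:0:0:0:0:0:10 and 2001:db8::10
    compare equal.
    """
    found = set()
    for _kind, value in parse_san(san_text):
        try:
            found.add(ipaddress.ip_address(value))
        except ValueError:
            continue  # a hostname rather than an IP literal
    return found


def precheck_cluster_mode(san_text, node_addresses, mode):
    """Mirror the certificate pre-check for a requested Cluster Communication Mode.

    mode is 'IPv4' or 'IPv6'. Every configured node address of that family
    must appear in the SAN. Returns (ok, missing_addresses).
    """
    if mode not in ("IPv4", "IPv6"):
        raise ValueError("mode must be 'IPv4' or 'IPv6'")
    wanted_version = 4 if mode == "IPv4" else 6
    present = san_ip_literals(san_text)
    missing = []
    for addr in node_addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == wanted_version and ip not in present:
            missing.append(str(ip))
    return (not missing), missing


if __name__ == "__main__":
    # Constructed node addresses (documentation ranges), not real cluster values.
    node_ips = ["192.0.2.10", "2001:db8::10"]
    for mode in ("IPv4", "IPv6"):
        print(mode, precheck_cluster_mode(SAMPLE_SAN, node_ips, mode))
```

Run it against the SAN text of each node's database and HTTPS certificate before switching the mode; any address reported as missing is exactly the case the pre-check will reject, and the cert should be reissued with that address in its SAN first.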
Cleanup Intervals Parameters
The following figure displays the Cluster-Wide Parameters > Cleanup Intervals dialog:
Figure 2 Cluster-Wide Parameters > Cleanup Intervals Dialog
Specify the Cluster-Wide Parameters > Cleanup Intervals parameters as described in the following table:
Parameter |
Action/Description |
Cleanup interval for Session log details in the database |
Specify the duration in number of days to keep the following data in the Policy Manager database: Session logs (found on the > > page), Event logs (found on the > page), and the Machine authentication cache. The default value is . |
Cleanup interval for information stored on the disk |
Specify the duration in number of days to keep log files that are written to the disk. The default value is . |
Cleanup interval for CSRs and private keys. |
By default, ClearPass automatically performs a cleanup for Certificate Signing Requests (CSRs) older than 15 days. Use this parameter to extend the cleanup interval for old CSRs and associated private keys from 15 days to up to 90 days. Network administrators should extend the cleanup interval for CSRs and private keys in cases where the CA takes more than 15 days to create a certificate, as the CSR generated on the system would become invalid with the default 15 day setting, and would be removed automatically from the system. |
Old Audit Records cleanup interval |
Specify the cleanup interval in number of days that Policy Manager uses to determine when to start deleting old audit records from the page. The default value is . |
Known endpoints cleanup interval |
Specify the duration in number of days that Policy Manager uses to determine when to start deleting known or disabled entries from the Endpoint repository. Known entries are deleted based on when the endpoint was last seen. For example, if this value is , then known Endpoints that have not been seen within the last 7 days are deleted. The default value is . This indicates that no cleanup interval is specified. |
Unknown endpoints cleanup interval |
Specify the duration in number of days that Policy Manager uses to determine when to start deleting unknown entries from the Endpoint repository. Unknown entries are deleted based on when the endpoint was last seen. For example, if this value is , then unknown Endpoints that have not been seen within the last 7 days are deleted. The default value is . This indicates that no cleanup interval is specified. |
Expired guest accounts cleanup interval |
The cleanup interval for expired guest accounts indicates the number of days after expiry that the cleanup occurs. A value of specifies no expired guest accounts cleanup interval. The default value is . |
Profiled Unknown endpoints cleanup interval |
Specify the cleanup interval in number of days that Policy Manager uses to determine when to start deleting profiled unknown entries from the Endpoint repository. Profiled unknown entries are deleted based on either the time the unknown Endpoint was last seen or the time it was last profiled, whichever is most recent. The default value is , indicating that no cleanup interval is specified. |
Profiled Known endpoints cleanup option |
Specify whether to enable the option to clean up profiled known endpoints. The default value is . Profiled known entries are deleted based on either the time the known Endpoint was last seen or the time it was last profiled, whichever is most recent. |
Static IP endpoints cleanup option |
Specify whether to enable the option to clean up static IP endpoints. The default option is . |
Notifications Parameters
The following figure displays the Cluster-Wide Parameters > Notifications dialog:
Figure 3 Cluster-Wide Parameters > Notifications Dialog
Specify the Cluster-Wide Parameters > Notifications parameters as described in the following table:
Parameter |
Action/Description |
System Alert Level |
Specify the alert notifications that are generated for system events logged at this level or higher. : Alerts that provide Information, Warnings, and Error messages are generated. : Alerts that provide Warnings and Error messages are generated. : Alerts that provide Error messages only are generated. The default value is . |
Alert Notification Timeout |
Specify the timeout in hours that determines how often alert messages are generated and distributed. If you select , alert generation is disabled. The default value is . |
Alert Notification - eMail Address |
Enter a comma-separated list of email addresses to which alert messages are sent. |
Alert Notification - SMS Address |
Enter a comma-separated list of phone numbers to which alert messages are sent. |
Standby Publisher Parameters
The standby publisher is the publisher in the cluster that is configured to come up in the event that the publisher is not reachable. The following figure displays the Cluster-Wide Parameters > Standby Publisher dialog:
|
During a failover, the standby publisher does not have to wait for all the servers in the cluster to fully resynchronize, and instead is available with complete publisher functionality within moments of the triggering failover event. |
Figure 4 Cluster-Wide Parameters > Standby Publisher Dialog
Specify the following Cluster-Wide Parameters > Standby Publisher parameters:
Parameter |
Action/Description |
Enable Publisher Failover |
To authorize a node in a cluster on the system to act as a publisher if the primary publisher fails, select . The default value is . To avoid false failover triggers, the value should be set to before starting a cluster update. |
Designated Standby Publisher |
Select the server in the cluster to act as the standby publisher. The default value is . If the standby publisher is on a different subnet than the publisher, then ensure that a reliable connection between the two subnets is available to avoid unwanted network segmentation and potential data loss from a false failover. |
Failover Wait Time |
Specify the time (in minutes) that the standby publisher must wait before it assumes the role of publisher after the primary publisher becomes unreachable. The default failover wait time is . This parameter prevents the standby publisher from taking over when the publisher is temporarily unavailable during a restart. Failover wait times vary based on the size of the data needing to synchronize, as well as the number of subscribers that need to be checked. |
|
If a cluster is configured with a standby publisher, add the HTTPS server certificate of the standby publisher to the Trust list and ensure that all the servers in the cluster have this certificate in the Trust list. Similarly, before you promote a subscriber to publisher, add the HTTPS server certificate of the subscriber to the Trust list and ensure that all the servers in the cluster have this certificate in the Trust list. This step is not required if the HTTPS server certificates for all the nodes in the cluster are signed by a certificate authority (CA). |
|
When a database backup is made with a subscriber configured as the standby publisher, and the backup is restored without using the -s flag, then after the backup is restored the cluster list command could fail with an error message displaying Caught unexpected error while retrieving the Cluster Node List. If this occurs, navigate to the Standby Publisher tab and remove the server from the Designated Standby Publisher field. You can designate it as the standby again once the restoration is complete. If the subscriber is configured as the standby in the backup file, pass the -s flag during the restoration to restore the cluster configuration. |
Common Criteria Mode Parameter
The Common Criteria Mode tab in the Cluster-Wide Parameters page allows you to enable or disable Common Criteria Mode and choose the mode in which devices within the cluster communicate. Common Criteria is an international standard for security certification. Use Common Criteria Mode for deployments that require strict compliance to Common Criteria requirements. Common Criteria Mode has the following restrictions and requirements:
When a user enables Common Criteria mode they must enter the existing cluster password, which is validated against the existing Common Criteria password rules. If the existing cluster password meets the requirements, no action is needed for the password and Common Criteria mode can be enabled. If the existing password does not meet the requirements, the user is prompted to change the password. If the new cluster password provided is not strong enough, the requirements are displayed so it can be corrected. The Change Cluster Password screen also includes this validation step when the cluster is in Common Criteria mode. The minimum cluster password strength requirements for Common Criteria mode include:
|
If a Password did not meet the minimum requirements error displays, change the password to include a stronger combination of letters, numbers and special characters. |
At least one uppercase letter
At least one lowercase letter
At least one number
At least one special character { } & ! @ # $ % ^ ? _ = . , + < > - *
A minimum length of 15 characters
The password cannot include a dictionary word
The password cannot contain more than four consecutive repeating characters
The password cannot contain more than four consecutive repeating characters from the same character class
Common Criteria Mode cannot be enabled if there are fewer than three NTP servers configured (for information on configuring multiple NTP servers, see the option in Table 1, Changing Date and Time Parameters).
Common Criteria Mode requires that all the Policy Manager servers in the cluster have FIPS mode enabled (see FIPS Page).
Server certificates must be updated before you enable Common Criteria Mode (see Certificate Store).
Only Certificate Authority (CA)-issued certificates can be used for Policy Manager server certificates.
No self-signed certificates are allowed as trusted certificates.
All X.509 v3 trusted Certificate Authority (CA) certificates must satisfy the basic constraints.
All HTTPS communication to external services using X.509 v3 certificates must pass the basic constraint checks.
Cipher suites that use RSA, DSA, or DH keys shorter than 2048 bits or ECC keys shorter than 224 bits are not supported in Common Criteria Mode.
If a cluster is using CA-signed certificates, the replication service remains in a stopped state until after a cluster communication mode change is completed. This is expected behavior, introduced as a safety measure to keep the cluster secure while the operation completes. Reboot the individual cluster nodes after changing the cluster communication mode using CA-signed certificates.
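The cluster password rules listed above for Common Criteria mode are easy to get wrong by hand, particularly the two "no more than four consecutive" rules. The following is an added example, not ClearPass's own validator: it encodes each listed rule as a check and returns every rule a candidate password violates, so an operator can test a proposed cluster password before enabling the mode rather than discovering the failure in the Change Cluster Password screen. The page does not say which dictionary ClearPass consults, so the short word list here is a constructed stand-in; "more than four consecutive" is read as a run of five or more, and the function names are this example's own.

```python
"""Checker for the Common Criteria mode cluster-password rules listed above."""

SPECIAL_CHARS = set("{}&!@#$%^?_=.,+<>-*")   # the special characters the page lists
MIN_LENGTH = 15
MAX_RUN = 4                                  # "more than four consecutive" is rejected

# Constructed stand-in word list: the page does not say which dictionary
# ClearPass consults, so this is an assumption for the demonstration.
DICTIONARY_WORDS = ("password", "clearpass", "aruba", "welcome", "admin")


def char_class(ch):
    """Map a character to the class the same-class run rule counts."""
    if ch.isupper():
        return "uppercase"
    if ch.islower():
        return "lowercase"
    if ch.isdigit():
        return "digit"
    if ch in SPECIAL_CHARS:
        return "special"
    return "other"


def longest_run(items):
    """Length of the longest run of consecutive equal items."""
    best = run = 0
    prev = None
    for item in items:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best


def check_password(pw):
    """Return the list of rules the password violates (an empty list means it passes)."""
    failures = []
    classes = [char_class(c) for c in pw]
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for needed in ("uppercase", "lowercase", "digit", "special"):
        if needed not in classes:
            failures.append(f"no {needed} character")
    lowered = pw.lower()
    for word in DICTIONARY_WORDS:
        if word in lowered:
            failures.append(f"contains dictionary word '{word}'")
    if longest_run(pw) > MAX_RUN:
        failures.append(f"more than {MAX_RUN} consecutive repeating characters")
    if longest_run(classes) > MAX_RUN:
        failures.append(f"more than {MAX_RUN} consecutive characters from the same class")
    return failures


if __name__ == "__main__":
    # Constructed candidates: one that passes, one with a dictionary word,
    # one with a five-character repeat.
    for candidate in ("Abcd1!Efgh2@Ijk3#", "Password123456!!", "Aaaaaa1!Bcdef2@Gh"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the same-class rule is the one that rejects most "strong-looking" passwords: a long word with a digit and symbol appended fails it even at 20 characters, which is why mixing classes throughout the password matters more than its length here.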
Figure 5 Cluster-Wide Parameters Page > Common Criteria Mode Parameter
Specify the Common Criteria Mode parameter as described in the following table:
Parameter |
Action/Description |
Cluster Communication Mode |
Click the drop-down list and select either or as the mode of communication for all cluster operations. If the value of this parameter is set to IPv6, all database and API calls will use IPv6 addresses for cluster communication. If the value is set to IPv4, it will use IPv4 for database and API calls instead. The default value of the cluster communication mode depends on the IP address configured on the appliance during installation or upgrade. If the appliance has only an IPv6 address, the default cluster communication mode will be IPv6. If the appliance has both IPv4 and IPv6 addresses configured, or if only an IPv4 address is configured, then the default cluster communication mode will be IPv4. Whenever the cluster communication mode is changed, it performs the following validations: configuration checks to verify an IP address in the correct format is configured for the interface; certificate checks to verify the database certificates have the correct IP address in the SAN field; and certificate checks to verify the HTTPS certificates have the correct IP address in the SAN field. Before changing the cluster communication mode, carefully review the displayed warning message stating that resetting the cluster communication mode can cause the cluster to go out of sync by resetting the IP address format of the cluster communication interface. Resetting the certificates on each cluster node along with rebooting ensures the cluster is in sync. |
Common Criteria Mode |
The Common Criteria Mode parameter is for specific deployments that require strict compliance to Common Criteria requirements; setting this value to TRUE enables strict validation of certificates and changes to modules in order to comply with Common Criteria requirements. To enable or disable Common Criteria Mode, select or . The default is . When you set , the following message appears: When Policy Manager is in Common Criteria (CC) mode, TLS 1.2 is enforced with RadSec, and TLS 1.0 and TLS 1.1 are no longer supported. When Common Criteria Mode is enabled, the text is shown in the release version footer of the WebUI. |
Database Parameters
The following figure displays the Cluster-Wide Parameters > Database dialog:
Figure 6 Cluster-Wide Parameters > Database Dialog
Configure the Cluster-Wide Parameters > Database parameters as described in the following table:
Parameter |
Action/Description |
Auto backup configuration options |
Select any of the following auto-backup configuration options: Off: Select this to not perform periodic backups. Select Off before upgrading Policy Manager to avoid interference between the Auto backup and migration process. Config: Performs a periodic backup of the configuration database that includes licensing information that would be required to restore a server to its original state. This is the default auto backup configuration option. In a cluster deployment, the backup file on the publisher also contains license information for all subscribers. Config|SessionInfo: Performs a backup of the configuration database, certificates and licenses, and also the session log database. : Extensions are included in the backup, in addition to configuration data. : Extensions are included in the backup, in addition to configuration data, session log, and Insight data. Keep in mind, if extensions are excluded from a backup file, and that backup file is restored on a system that already has extensions, that system's existing extensions remain and are not overwritten. It is recommended you set this option to Off or Config before starting an upgrade. This ensures the Auto Backup process does not interfere with migration post upgrade. If required, you can change this setting back to Config|SessionInfo 24 hours after upgrade completion. Evaluation and Subscription licenses which have expired will not be included in the backup. |
Database user "appexternal" password |
Enter the password for the username for this connection to the database. |
Store Password Hash for MSCHAP authentication |
To store passwords for admin and local users in Hash and NTLM hash formats (which enables RADIUS MSCHAP authentications against admin or local repositories), set this to . If you set this to , RADIUS MSCHAP authentications are not possible because the NTLM hash passwords are removed for all the users. When you set this value to , you must reset all the passwords to reenable RADIUS MSCHAP authentication against the user repositories. |
Store Local User Passwords using reversible encryption |
To enable cleartext password comparison against local users, set this to . If you set this to , cleartext password comparison against local users is not possible because the reversible passwords for local users are removed. After setting this value to , you must reset all the local user passwords to reenable cleartext password comparison against local users. |
|
The time it takes for subscribers to synchronize with the publisher in the event of downtime will depend on the duration of the subscriber's downtime and on when the replication recovery is next run on the subscriber after it is back online. It might take as much as 24 hours for the subscriber to synchronize with the publisher. |
Profiler Parameters
The following figure displays the Cluster-Wide Parameters > Profiler dialog:
Figure 7 Cluster-Wide Parameters > Profiler Dialog
|
Starting with Policy Manager 6.10.2, the Policy Manager server no longer needs to have Device Insight integration disabled in order to run other types of scans that use ClearPass Profiler, so users can seamlessly run any type of Profiler scan even while Device Insight's device discovery is active. In Policy Manager 6.10.0 and 6.10.1, when is enabled, the > tab is hidden because Device Insight functionality replaces the Policy Manager functions available through the tab (for more information, see Device Insight Integration Page). |
Configure the Cluster-Wide Parameters > Profiler parameters as described in the following table:
TACACS+ Parameters
The following figure displays the Cluster-Wide Parameters > TACACS+ dialog:
Figure 8 Cluster-Wide Parameters > TACACS+ Dialog
Configure the Cluster-Wide Parameters > TACACS+ parameters as described in the following table, then click .