Deploying Policy Manager Clusters
A cluster is a logical connection of any combination of Policy Manager hardware or virtual appliances. This section of the deployment guide provides guidance on how to design and deploy Policy Manager clusters, how to complete major tasks such as adding a Subscriber server and deploying a standby Publisher, and how to rejoin a down server to the cluster. Finally, the set of cluster-specific CLI commands is included.
Policy Manager Cluster Overview
Policy Manager can be deployed either as a dedicated hardware appliance or a virtual machine running on top of VMware vSphere Hypervisor or Microsoft Hyper-V.
When demand exceeds the capacity of a single instance, or you have a requirement for a High Availability deployment, you have the option of logically joining multiple instances to process the workload from the network. You can logically join physical and virtual instances, and you can join Policy Manager instances that are dissimilar in size. However, careful planning is required, especially if you plan to use the failover capabilities of the clustering feature. The cluster feature allows for shared configuration and databases. However, it does not provide a virtual IP address for the cluster, so failover/redundancy for the Guest captive portal relies on DNS lookup or load balancing, and RADIUS clients must define a primary and a backup RADIUS server.
Authentication Requests in a Cluster
The typical use case for Policy Manager is to process authentication requests using the policy framework. The policy framework is a selection of services that work to process authentication requests, but the policy framework also determines authentication, authorization, posture, enforcement, role, etc. of the endpoint/end-user.
In the context of cluster operations, authentication typically involves a read-only operation from the configuration database. A cluster server receives an authentication request, determines the appropriate policies to apply, and responds appropriately. This does not require a configuration change, and can therefore be scaled across the entire cluster.
Note: Authentication is performed from the server itself to the configured identity store, whether locally (as synchronized by the Publisher; for example, a Guest account) or externally, such as with Microsoft Active Directory.
Logs relevant to each authentication request are recorded separately on each server, using that server’s log database. Centralized reporting is handled by generating a Netevent from the server, which is sent to all Insight servers and recorded in the Insight database (for related information, see Deploying Policy Manager Insight in a Cluster).
Policy Manager Databases
Each Policy Manager server makes use of the following databases:
Configuration database. Contains most of the editable entries that can be seen in the Policy Manager user interface. This includes, but is not limited to:
Administrative user accounts
Local user accounts
Service definitions
Role definitions
Enforcement policies and profiles
Network access devices
Guest accounts
Onboard certificates
Most of the configuration shown within Guest and Onboard
Log database. Contains activity logs generated by typical usage of the system. This includes information shown in Access Tracker and the Event Viewer.
Insight database. Records historical information generated by the Netevents framework. This database is used to generate reports (for related information, see Deploying Policy Manager Insight in a Cluster).
Publisher/Subscriber Model
Policy Manager uses a Publisher/Subscriber model to provide multiple-box clustering. Another term for this model is hub and spoke, where the hub corresponds to the Publisher, and the spokes correspond to the Subscribers.
Figure 1 Publisher and Subscribers in Hub and Spoke Configuration
The Publisher functions as the master controller in a cluster. The Publisher is your central point of configuration, monitoring, and reporting. It is also the central point of database replication. All the databases are managed through the Publisher.
There is at most one active Publisher in this model, and a potentially unlimited number of Subscribers.
The Publisher server has full read/write access to the configuration database. All configuration changes must be made on the Publisher. The Publisher server sends configuration changes to each Subscriber server.
Subscriber servers are worker servers. All the AAA load, all RADIUS requests, and all policy decisions are handled on the Subscriber servers.
All Subscriber servers maintain a local copy of the configuration database, and each Subscriber has read-only access to its local copy of the configuration database.
Network Address Translation (NAT) is not supported between the Publisher and Subscriber servers.
What Information Is Replicated?
A background replication process handles the task of updating the configuration database based on the configuration changes received from the Publisher.
Multiple entities exist within a Policy Manager server cluster that must be shared to ensure successful operation of the cluster. Only the configuration database is replicated.
Note: The Log and Insight databases are not replicated across the cluster.
However, certain elements are server-specific and these must be configured separately for each server, which you can achieve directly on the Publisher or individually on the Subscriber server.
Elements Replicated
Cluster replication is delta-based; that is, only changed information is replicated.
The cluster elements that are replicated across all the servers in the cluster are as follows:
All policy configuration elements
All audit data
All identity store data
Guest accounts, endpoints, and profile data
Runtime information
Authorization status, posture status, and roles
Connectivity information and NAS details
Database replication on port 5432 over SSL
Runtime replication on port 443 over SSL
Elements Not Replicated
The following elements are not replicated:
Access Tracker logs and Session logs
Authentication records
Accounting records
System events (Event Viewer data)
System monitoring data
Network Ports That Must Be Enabled
Table 1 lists the network ports that must be opened between the Publisher and the Subscriber servers.
Table 1: Network Ports to Be Enabled
Port | Protocol | Description
---|---|---
80 | | Internal proxy
123 | NTP | Time synchronization
443 | HTTPS | Internal proxy and server-to-server service
5432 | PostgreSQL | Database replication
Because any Subscriber server can be promoted to be the Publisher server, all port/protocol combinations listed in Table 1 should be:
Bidirectional
Open between any two servers in the cluster
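The "bidirectional, between any two servers" requirement is easy to get wrong: a firewall policy written for the current hub-and-spoke topology (Publisher to each Subscriber only) passes today but breaks replication the moment a Subscriber is promoted. The following is an added example, not code from the HPE Aruba deployment guide, that audits a firewall policy against the Table 1 port list. The cluster addresses, the (source, destination, port) policy representation and the function names are assumptions made for this illustration.

```python
"""Audit a firewall policy for the ports a Policy Manager cluster needs.

Added example, not part of the HPE Aruba deployment guide. The cluster
members, the policy representation and the function names are assumptions
made for this illustration; the port list comes from Table 1 of the guide.
"""
from itertools import permutations

# Port/protocol combinations from Table 1 (port, label).
CLUSTER_PORTS = (
    (80, "internal proxy"),
    (123, "NTP time synchronization"),
    (443, "HTTPS internal proxy and server-to-server service"),
    (5432, "PostgreSQL database replication"),
)


def required_flows(servers):
    """Every ordered (source, destination, port) triple the cluster needs.

    Because any Subscriber can be promoted to Publisher, flows are needed
    between every pair of servers, in both directions, not just between
    the current Publisher and each Subscriber.
    """
    return {
        (src, dst, port)
        for src, dst in permutations(servers, 2)
        for port, _ in CLUSTER_PORTS
    }


def missing_flows(servers, allowed):
    """Return the required flows that are absent from an allowed-flow set."""
    return sorted(required_flows(servers) - set(allowed))


def hub_and_spoke_policy(publisher, subscribers):
    """A common but insufficient policy: rules only between the Publisher
    and each Subscriber (both directions), nothing Subscriber-to-Subscriber.
    Constructed here to show why it fails the audit."""
    allowed = set()
    for sub in subscribers:
        for port, _ in CLUSTER_PORTS:
            allowed.add((publisher, sub, port))
            allowed.add((sub, publisher, port))
    return allowed


def full_mesh_policy(servers):
    """Policy that satisfies the guide: bidirectional, between any two servers."""
    return required_flows(servers)


# Constructed sample cluster (placeholder addresses, not real hosts).
PUBLISHER = "10.0.0.1"
SUBSCRIBERS = ["10.0.0.2", "10.0.0.3"]
SERVERS = [PUBLISHER] + SUBSCRIBERS

if __name__ == "__main__":
    gaps = missing_flows(SERVERS, hub_and_spoke_policy(PUBLISHER, SUBSCRIBERS))
    # Every gap is a Subscriber-to-Subscriber flow that promotion would need.
    print(f"hub-and-spoke policy is missing {len(gaps)} flows, e.g. {gaps[:2]}")
    print("full-mesh policy gaps:", missing_flows(SERVERS, full_mesh_policy(SERVERS)))
```

With three servers the audit reports eight missing flows for the hub-and-spoke policy (two Subscribers, two directions, four ports) and none for the full mesh. Feeding the audit with the tuples exported from the real firewall policy, rather than the constructed sets above, turns it into a pre-promotion check.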
Cluster Scaling Limitations
Due to the design requirements of the cluster Publisher/Subscriber model, various Policy Manager components scale differently (see Table 2).
Table 2: Policy Manager Cluster Scaling Limitations
Component | Scaling Limitation
---|---
Authentication capacity | Scales linearly according to the number of Subscriber servers. Add more servers as necessary to provide additional capacity to service authentication requests.
Configuration changes (Guest/Onboard) | These configuration changes do not scale with additional servers because they are centralized. The Publisher must be scaled to support write traffic from the maximum number of Subscribers that would be active concurrently.
Configuration changes (Policy Manager) | Because the total size of the configuration set is bounded, these configuration changes are assumed to be infrequent and therefore not a significant limit to scaling.
Insight reports | Because this function is centralized, reporting does not scale with additional servers. Use a separate Insight server sufficient to handle the incoming Netevents traffic from all servers in the cluster. In a very large-scale deployment, the Publisher server should not be used as the Insight reporting server.
Logging capacity | Scales linearly according to the number of Subscriber servers, as each server handles its own logging operations.
Replication load on Publisher | Scales linearly according to the number of Subscriber servers. The replication is efficient because only changed information is sent.