Deploying the Standby Publisher

This section contains the following information:

Setting Up the Standby Publisher
About the Fail-Over Process
Mitigation Strategies
Virtual IP Address Considerations
Functions Lost When the Publisher Is Down

Setting Up the Standby Publisher

ClearPass Policy Manager allows you to designate one of the subscriber nodes in a cluster to be the Standby Publisher, thereby providing for that subscriber node to be automatically promoted to active Publisher status in the event that the Publisher goes out of service. This ensures that any service degradation is limited to an absolute minimum.

During the period when a cluster does not have an active Publisher, some functions across the cluster are not available, such as being able to create guest accounts (for details, see Functions Lost When the Publisher Is Down).

 

Before you can designate a ClearPass Policy Manager node as a Standby Publisher, the designated node must be in a cluster.

The Standby Publisher can function as a fully operational subscriber node. However, in a large cluster deployment, the Publisher and Standby Publisher might need to be dedicated nodes, in which case the Standby Publisher will not be available to handle authentication requests.

If the Standby Publisher is on a different subnet than the Publisher, ensure that a reliable connection between the two subnets is established. This avoids network segmentation and potential data loss from a false failover.

To designate and configure the Standby Publisher:

1. From the node to be designated the Standby Publisher, navigate to Administration > Server Manager > Server Configuration > Cluster-Wide Parameters > Standby Publisher.

Figure 1  Standby Publisher Dialog

2. Configure the Standby Publisher parameters as described in Table 1, then click Save.

Table 1: Configuring Standby Publisher Parameters

Parameter

Action/Description

Enable Publisher Failover

To authorize a node in a cluster on the system to act as a Publisher if the primary Publisher fails, select TRUE.

The default value is FALSE.

Designated Standby Publisher

From the drop-down, select the ClearPass server in the cluster that will serve as the Standby Publisher.

Failover Wait Time

Specify the time (in minutes) for which the secondary node waits after the primary node fails before it acquires a virtual IP address.

The default failover wait time is 10 minutes, 5 minutes being the minimum value you can select before the Standby Publisher begins to promote itself to an active state. This prevents the secondary node from taking over when the primary node is temporarily unavailable during restart.

About the Fail-Over Process

The Standby Publisher health-checks the primary Publisher every 60 seconds by making an SQL call to the active Publisher. If this SQL call fails, after ten additional attempts (one per minute), the Standby Publisher begins the process of promoting itself to be the active Publisher node.

The process used to verify the reachability of the remote ClearPass Policy Manager nodes uses an outbound HTTPS call. As noted in Network Ports That Must Be Enabled, port 443/TCP must be open between all the nodes in the cluster. Utilizing this HTTPS health check provides for a more robust and predictable failover process.

When a Publisher failure is detected, the designated Subscriber node is promoted to active Publisher status. The other Subscriber nodes automatically update and replicate their configuration with the new Publisher, which resolves the issue.

Mitigation Strategies

The recommended mitigation strategies for deploying a Standby Publisher are as follows:

Use a virtual IP address for the Publisher.

Doing so reduces the potential for a prolonged service outage while the active Publisher is out of service or promoting the Standby Publisher (for related information, see Virtual IP Address Considerations.

 

It is good practice that when you configure a Standby Publisher and deploy a virtual IP address, the Standby Publisher should be paired with the active Publisher in the VIP group.

Ensure that the cluster nodes are being monitored.

Determine if a Publisher node is no longer reachable or not providing service (for example, by SNMP host checking).

Set up the network access devices (NADs) to point to a primary node, backup node, and a tertiary node.

Doing so provides for continuity of the RADIUS authentication and accounting traffic until the Standby Publisher transitions to the active state.

Virtual IP Address Considerations

Using a virtual IP address allows for the deployment of a highly available pair of servers. This reduces the amount of down-time in the event of a server failure. If one of the servers in a high-availability pair fails, the other server can take over the virtual IP address and continue providing service to clients. This is particularly useful if the network access server (NAS) devices are processing basic RADIUS authentications to a CPPM node.

The Standby Publisher node cannot take over immediately as the failure may be transient and the minimum time for a Standby Publisher to become active is about eight minutes. This duration is due to five attempts (one per minute) to connect to the active Publisher’s database, then about four minutes for the node to promote itself to an active state.

Thus, there will always be a delay before the virtual IP address on the transitioning active Publisher the NAS clients are communicating with is back in service and able to process RADIUS authentication requests.

During this eight-minute window, requests from Subscribers to write to the Publisher's database will fail as there will be no Publisher available that can write to the database.

Functions Lost When the Publisher Is Down

When the active Publisher goes out of service, the following ClearPass Policy Manager functions are temporarily lost:

AirGroup and MACTrac enrollment
Certificate creation and revocation
Certificate revocation list updates
ClearPass Exchange outbound enforcement
General ClearPass Policy Manager and ClearPass Guest configuration changes
ClearPass Guest account creation
Mobile device management endpoint polling and ingestion
Onboarding functionality