The following document applies only to version 6.8.
Notes on setting up a cluster
Starting with ClearPass 6.8, creating and deleting a cluster includes verification of the Publisher's and Subscriber's HTTPS certificates. When a Subscriber is added to a Publisher, the Subscriber verifies whether the Publisher's HTTPS certificate is trusted; when a Subscriber is deleted on the Publisher, the Publisher verifies whether the Subscriber's HTTPS certificate is trusted. When certificate verification fails, the message WARNING – 10.X.50.41: echo GET failed. is shown and the cluster cannot be created or deleted.
There are two ways to handle this:
1. In the ClearPass CLI, use the command that converts the ClearPass node into a Subscriber and set the parameter that skips verification of the Publisher's certificate. This adds the Subscriber to the Publisher successfully, but when the Subscriber is later deleted from the Publisher by command there is no parameter to skip verification of the Subscriber's certificate, so deleting the Subscriber fails. This method is not recommended.
[appadmin@Lab5-CPPM-1]# cluster make-subscriber -V -i 10.X.50.41
********************************************************
* *
* WARNING: Executing this command will make the current*
* machine a subscriber to the publisher host specified.*
* Current configuration and application licenses *
* installed (if any) on this node will be lost when the*
* operation is complete. *
* *
* Configuration changes will be blocked on the *
* publisher during initial cluster sync as part of *
* this operation. *
* *
* Do not close the shell or interrupt this command *
* execution. *
* *
********************************************************
Continue? [y|n]: y
Enter Publisher Password: aruba123
Setting up local machine as a subscriber to 10.1.50.41
INFO - Check publisher connection passed
INFO - Local checks before adding subscriber passed
INFO - 10.1.50.41: - Subscriber node added successfully for host=Lab5-CPPM-1
[appadmin@Lab5-CPPM-1]# cluster make-subscriber --h
ERROR: Invalid command-line argument
Usage:
make-subscriber -i <IP Address> [-l] [-b] [-V]
-i <IP Address> -- Publisher IP Address
-l -- Restore the local log database after this operation
-b -- Skip generating a backup before this operation
-V -- Do not verify publisher certificate
2. Create a certificate signing request (CSR) on both the Publisher and the Subscriber, have a CA (here ClearPass Onboard is used) issue the HTTPS certificates, import the issued HTTPS certificate on the Publisher and on the Subscriber respectively, and import the other node's certificate chain into each node's certificate trust list. This method is recommended.
For the detailed procedure for issuing an HTTPS certificate to the Publisher node with ClearPass Onboard, refer to the following document:
For the official ClearPass 6.8 Clustering documentation, refer to:
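The following script is an added example, not part of the original document and not ClearPass or Aruba code. It models method 2 with a local OpenSSL CA standing in for ClearPass Onboard: a CSR per node, a CA-issued HTTPS certificate, the peer's CA chain in the local trust list, and finally the trust check that decides whether a join or a removal is allowed to proceed. The node names cppm-pub and stray-node, the subscriber and stray-node IP addresses, the CA names and the working directory are assumptions made for this example; 10.1.50.41 is the publisher address from the CLI session above and Lab5-CPPM-1 is the subscriber hostname from the same session.

```shell
#!/bin/sh
# Added example (not ClearPass/Aruba code): models the HTTPS certificate
# trust check ClearPass 6.8 applies when joining or removing a cluster node.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Minimal OpenSSL request config so the example does not depend on the
# system openssl.cnf; v3_ca is only used for the self-signed CA.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Build a private CA (stands in for the ClearPass Onboard CA).
make_ca() {
    ca="$1"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -days 365 -subj "/CN=$ca" \
        -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
}

# Step 1, run on each node: private key plus CSR for the node's HTTPS
# certificate. The SAN the CA will stamp on the certificate is kept beside it.
make_csr() {
    node="$1"; ip="$2"
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$node" \
        -keyout "$WORK/$node.key" -out "$WORK/$node.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$node" "$ip" > "$WORK/$node.ext"
}

# Step 2, run by the CA: sign the CSR, producing the node's HTTPS certificate.
sign_csr() {
    node="$1"; ca="$2"
    openssl x509 -req -days 365 -in "$WORK/$node.csr" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$node.ext" -out "$WORK/$node.crt" >/dev/null 2>&1
}

# Step 3: the certificate trust list of a node. $1 is the list file,
# the remaining arguments are CA certificate files (the peer's chain).
add_to_trust_list() {
    trustlist="$1"; shift
    cat "$@" >> "$trustlist"
}

# The check the peer performs before the cluster operation proceeds: does the
# other node's HTTPS certificate chain to a CA in the local trust list?
# Returns 0 (trusted) or 1 (not trusted: the "echo GET failed" outcome).
peer_trusted() {
    trustlist="$1"; peer="$2"
    if openssl verify -CAfile "$trustlist" "$WORK/$peer.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Issuer of a node certificate: the first thing to compare against the trust
# list when a join or removal is refused.
cert_issuer() {
    openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

# Walk-through: both nodes get Onboard-issued certificates and trust the
# Onboard CA chain; a node certified by an unrelated CA is rejected.
demo() {
    make_ca onboard-ca
    make_ca unrelated-ca
    make_csr cppm-pub 10.1.50.41        # publisher (address from the CLI session)
    make_csr Lab5-CPPM-1 10.1.50.42     # subscriber (IP constructed for the example)
    sign_csr cppm-pub onboard-ca
    sign_csr Lab5-CPPM-1 onboard-ca
    : > "$WORK/pub-trust.pem"; : > "$WORK/sub-trust.pem"
    add_to_trust_list "$WORK/pub-trust.pem" "$WORK/onboard-ca.pem"
    add_to_trust_list "$WORK/sub-trust.pem" "$WORK/onboard-ca.pem"

    # Join: the subscriber checks the publisher. Remove: the publisher checks the subscriber.
    peer_trusted "$WORK/sub-trust.pem" cppm-pub && echo "join: publisher certificate trusted"
    peer_trusted "$WORK/pub-trust.pem" Lab5-CPPM-1 && echo "remove: subscriber certificate trusted"

    # A certificate issued by a CA absent from the trust list fails the check.
    make_csr stray-node 10.1.50.43      # constructed for the example
    sign_csr stray-node unrelated-ca
    peer_trusted "$WORK/pub-trust.pem" stray-node || echo "stray-node: not trusted, operation refused"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh cluster-trust.sh demo`. The point of the walk-through is the last check: a certificate that is perfectly valid but issued by a CA that the peer has not imported into its trust list is exactly what produces the "echo GET failed" warning, which is why method 2 imports the other node's chain on both sides rather than only installing the server certificates.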