Administrator Guide

136 | Deploying W-ClearPass Clusters Dell Networking W-ClearPass Deployment Guide
Cluster deployment sizing should not be based on raw performance numbers.
To determine the optimum sizing for a W-ClearPass cluster:
1. Determine how many endpoints need to be authenticated.
   a. The number of authenticating endpoints can be determined by taking the number of users times the number of devices per user.
   b. To this total, add the other endpoints that just perform MAC authentication, such as printers and other non-authenticating endpoints.
2. Take into account the following factors:
   a. Number and type of authentications and authorizations:
      • MAC authentication/authorizations vs. PAP vs. EAP-MSCHAPv2 vs. PEAP-MSCHAPv2 vs. PEAP-GTC vs. EAP-TLS
      • Active Directory vs. local database vs. external SQL datastore
      • No posture assessment vs. in-band posture assessment in the PEAP tunnel vs. HTTPS-based posture assessment done by OnGuard
   b. RADIUS accounting load.
   c. Operational tasks taking place during authentications, such as configuration activities, administrative tasks, replication load, periodic report generation, and so on.
   d. Disk space consumed.
      Note that W-ClearPass Policy Manager writes copious amounts of data for each transaction (this data is displayed in the Access Tracker).
3. Then pick the number of W-ClearPass hardware appliances you would need, with redundancy ranging from (N+1) to full redundancy, depending on the needs of the customer.
EAP-TLS Performance
EAP-TLS raw performance on a W-ClearPass 25K class hardware appliance without any authorization source
configured can be as high as 300 authentications per second, with an average latency of around 300 ms (with
the CPU running at 50%).
EAP-PEAP-MSCHAPv2 Performance
EAP-PEAP-MSCHAPv2 raw performance on a W-ClearPass 25K class hardware, with Active Directory-based
authentication and authorization, can be as high as 400 authentications per second, with an average latency of
around 300 ms (with the CPU running at 50%).
Publisher Node Guidelines
Setting Up a Standby Publisher
W-ClearPass Policy Manager allows you to designate one of the Subscriber nodes in a cluster as the Standby
Publisher, so that this Subscriber node is automatically promoted to active Publisher status
if the Publisher goes out of service. This ensures that any service degradation is limited to an
absolute minimum. For details, see Deploying the Standby Publisher on page 144.
Publisher Node Sizing
The Publisher node must be sized appropriately because it handles database write operations from all
Subscribers simultaneously.
The Publisher must also be capable of handling the total number of endpoints within the cluster and of
processing remote work directed to it when guest-account creation and onboarding are occurring.