Administrator Guide

138 | Deploying W-ClearPass Clusters Dell Networking W-ClearPass Deployment Guide
Using Subscriber Nodes as Workers
Subscriber nodes should be used as workers that process the following:
• Authentication requests (for example, RADIUS, TACACS+, Web-Auth)
• Online Certificate Status Protocol (OCSP) requests
• Static content delivery (for example, images, CSS, JavaScript)
Avoid sending "worker traffic" to the Publisher. The Publisher is already busy servicing API requests from the
Subscribers, handling the resulting database writes, and generating the replication changes that are sent back to
the Subscribers.
If Onboard is used, ensure that the EAP-TLS authentication method in Policy Manager is configured to perform
localhost OCSP checks, so that each Subscriber answers its own certificate status checks instead of forwarding
them to the Publisher.
Providing Sufficient Bandwidth Between Publisher and Subscribers
In a large-scale deployment, reduced bandwidth or high latency on the Publisher-Subscriber link (RTT greater
than 200ms) delivers a lower-quality user experience for all users of that Subscriber, because Guest/Onboard
dynamic content is proxied from the Publisher, even though static content is delivered locally almost
instantaneously.
For reliable operation of each Subscriber, ensure that there is sufficient bandwidth available for
communications with the Publisher. For basic authentication operations, there is no specific requirement for
high bandwidth. However, an EAP authentication requires a number of round-trips to complete, so latency on
the path (rather than bandwidth) can cause a noticeable delay for the end user.
Traffic Flows Between Publisher and Subscriber
The traffic flows between the Publisher and Subscriber nodes include:
• Basic monitoring of the cluster
Monitoring operations generate a small amount of traffic.
• Time synchronization for clustering
Generates standard Network Time Protocol (NTP) traffic.
• Policy Manager configuration changes
Not a significant consumer of bandwidth.
• Multi-Master Cache
The amount of traffic depends on the authentication load and other details of the deployment. Cached
information is metadata and is not large. This data is replicated only within the Policy Manager zone.
• Guest/Onboard dynamic content proxy requests
Each request is essentially a web page and averages approximately 100KB.
• Guest/Onboard configuration changes
Only the changes to the database configuration are sent, and this information is typically small in size
(approximately 10KB).
RTT Considerations When Building Geographically Distributed Clusters
It's important to take the delay between a W-ClearPass Policy Manager server and a NAD/NAS (a controller or
switch) into consideration when building geographically distributed clusters.
In a large geographically dispersed cluster, the worst-case round-trip time (RTT) between a NAD/NAS and every
node in the cluster that might handle its authentication requests is a key design constraint: the NAD may be
served by any of those nodes, so the slowest path determines the worst-case authentication delay.
• Dell recommends that the round-trip time between the NAD/NAS and a W-ClearPass server should not
exceed 600ms.
• The acceptable one-way delay between cluster nodes is less than 50ms (RTT less than 100ms).
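The following script is an added example, not part of the Dell guide and not a W-ClearPass tool. It turns the
bandwidth and RTT figures above into a pre-deployment check: it parses ordinary Linux ping output taken from
the Publisher towards a Subscriber and from a NAD's site towards every cluster node that might authenticate it,
grades each link against the thresholds stated in this section (Publisher-Subscriber RTT under 100ms acceptable,
over 200ms degraded; NAD-to-node RTT at most 600ms), estimates the network-only latency of one EAP-TLS
authentication, and sizes the Guest/Onboard proxy bandwidth from the ~100KB page figure. The ping outputs and
host names are constructed sample data, and the EAP-TLS round-trip count of 12 is an assumption for
illustration, not a figure from the guide.

```python
"""Check cluster link latency and bandwidth against the deployment guide's figures.

Added example, not from the Dell W-ClearPass guide. Thresholds are taken from the text:
  Publisher <-> Subscriber : RTT < 100 ms acceptable, > 200 ms degrades Guest/Onboard UX
  NAD/NAS   <-> any node   : worst-case RTT must not exceed 600 ms
  Guest/Onboard dynamic page ~100 KB, configuration change ~10 KB
"""
import re

PUB_SUB_OK_RTT_MS = 100.0
PUB_SUB_DEGRADED_RTT_MS = 200.0
NAD_NODE_MAX_RTT_MS = 600.0
GUEST_PAGE_BYTES = 100 * 1024
GUEST_CONFIG_CHANGE_BYTES = 10 * 1024
# Assumption (not from the guide): a full EAP-TLS exchange needs roughly this many
# NAD <-> RADIUS round-trips; real counts depend on certificate chain size and fragmentation.
EAP_TLS_ROUND_TRIPS = 12

_SUMMARY = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")
_REPLY = re.compile(r"time=([\d.]+) ms")


def parse_ping_rtt(output):
    """Return (avg_ms, max_ms) from Linux ping output.

    Uses the statistics summary when present; otherwise falls back to the per-reply
    'time=' samples (e.g. when ping was interrupted before printing statistics).
    """
    m = _SUMMARY.search(output)
    if m:
        return float(m.group(2)), float(m.group(3))
    samples = [float(x) for x in _REPLY.findall(output)]
    if not samples:
        raise ValueError("no RTT samples found in ping output")
    return sum(samples) / len(samples), max(samples)


def classify_pub_sub_link(rtt_ms):
    """Grade a Publisher-Subscriber link against the guide's RTT figures."""
    if rtt_ms < PUB_SUB_OK_RTT_MS:
        return "ok"
    if rtt_ms <= PUB_SUB_DEGRADED_RTT_MS:
        return "marginal"
    return "degraded"


def classify_nad_link(rtt_ms):
    """Grade a NAD/NAS-to-node link against the 600 ms recommendation."""
    return "ok" if rtt_ms <= NAD_NODE_MAX_RTT_MS else "too-slow"


def eap_latency_ms(rtt_ms, round_trips=EAP_TLS_ROUND_TRIPS):
    """Network-only contribution of the NAD <-> node RTT to one EAP authentication."""
    return rtt_ms * round_trips


def guest_proxy_bandwidth_kbps(pages_per_second):
    """Publisher-Subscriber bandwidth consumed by Guest/Onboard dynamic page proxying."""
    return pages_per_second * GUEST_PAGE_BYTES * 8 / 1000


def assess(pub_sub_output, nad_outputs):
    """Build a verdict per link. Worst-case (max) RTT drives every verdict, matching the
    guide's 'worst case round-trip time' wording for geographically dispersed clusters."""
    _, pub_sub_max = parse_ping_rtt(pub_sub_output)
    report = {"publisher_subscriber": classify_pub_sub_link(pub_sub_max), "nad": {}}
    for node, out in nad_outputs.items():
        _, worst = parse_ping_rtt(out)
        report["nad"][node] = {
            "rtt_ms": worst,
            "verdict": classify_nad_link(worst),
            "eap_tls_network_ms": eap_latency_ms(worst),
        }
    return report


# Constructed sample ping output (not captured from a real deployment).
PUB_SUB_PING = """PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=60 time=78.4 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=60 time=81.0 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=60 time=95.6 ms

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 78.400/85.000/95.600/7.600 ms
"""

# Pings from a NAD's site to each node that might serve it; hostnames are hypothetical.
NAD_PINGS = {
    "cppm-sub-london": """64 bytes from 10.1.0.5: icmp_seq=1 ttl=58 time=210.0 ms
64 bytes from 10.1.0.5: icmp_seq=2 ttl=58 time=230.0 ms
64 bytes from 10.1.0.5: icmp_seq=3 ttl=58 time=250.0 ms
""",
    "cppm-sub-sydney": """--- 10.2.0.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 590.100/612.300/640.200/18.900 ms
""",
}

if __name__ == "__main__":
    for link, verdict in assess(PUB_SUB_PING, NAD_PINGS).items():
        print(link, verdict)
    print("guest proxy at 10 pages/s:", guest_proxy_bandwidth_kbps(10), "kbps")
```

Run it against real ping captures from each NAD site and from the Publisher; any node graded "too-slow"
should not be a candidate RADIUS server for that NAD, and a "degraded" Publisher-Subscriber verdict means
Guest/Onboard users of that Subscriber will feel the proxy latency regardless of available bandwidth.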