Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass on Multiple VLANs

  • 1.  ClearPass on Multiple VLANs

    Posted Apr 23, 2018 03:47 PM

    Getting ready to deploy CPPM Guest and I'm moving it to the guest vlan.  I would like to leave the current MGMT address on there, which is untagged vlan 1.  I see that I can add vlans on the Server Configuration > Network page, but I'm having trouble figuring out exactly how to make this work with the VM appliance.

     

    I configured a Port Group for 802.1q VLAN trunking in ESX, connected my management interfaces there.  CPPM now responds on the tagged vlans I added, but no longer responds on the untagged vlan associated with the management.


    Suggestions?  Am I going about this the wrong way somehow?



  • 2.  RE: ClearPass on Multiple VLANs

    EMPLOYEE
    Posted Apr 23, 2018 03:49 PM

    CPPM would only need to be reachable from the guest vlan.  It does not have to be ON the guest lan.



  • 3.  RE: ClearPass on Multiple VLANs

    EMPLOYEE
    Posted Apr 23, 2018 03:54 PM
    …and should not be on the guest LAN.


  • 4.  RE: ClearPass on Multiple VLANs

    Posted Apr 24, 2018 08:04 AM

    Thanks for the reply, Tim - maybe I'm asking the wrong question.  Currently the guest network has no route to the production networks.  So it seems my choices would be to alter this segmentation, or add a vlan interface for CPPM on the guest network.

     

    What is the best practice in this scenario?  

     

    Thanks,

     

     



  • 5.  RE: ClearPass on Multiple VLANs

    MVP EXPERT
    Posted Apr 24, 2018 09:13 AM

    Why don't you source NAT the Guest traffic (http/https) to the Captive Portal behind the AP or controller, if the business allows it? I would imagine your AP/controller already has a route to the CPPM regardless.

     

    [Image: src-nat.png]

    Above is an example on an IAP. The domain in question was the Public DNS of the CPPM which resolved to the internal interface IP. The AP management VLAN (which the HTTP/HTTPS traffic was src-nat behind) was able to reach CPPM.



  • 6.  RE: ClearPass on Multiple VLANs

    Posted Apr 24, 2018 02:21 PM

    I'm using Cisco WLCs which do not support NAT.

     

    I ended up setting up routing and ACLs to allow the guest clients to reach ClearPass.  It seems like this is a considerably safer way to set this up because I can put firewall policies between them, which wouldn't be possible if I'd put ClearPass on the guest VLAN.

     

    In CPPM itself, I've added a deny rule to Policy Manager for the guest subnet. Any other hardening that's recommended?
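    The routing-plus-ACL design described in this reply, as an added example that is not from the original thread: a small Python model of a guest-VLAN inbound ACL that lets guests reach only the ClearPass captive portal (and the internet) while RADIUS, SSH and every other production host stay unreachable from the guest subnet. The subnets, addresses and port choices are assumptions made for the example.

```python
# Model of the "reachable from, but not on" guest design from this thread.
# Constructed example: subnets, addresses and the ACL are assumptions, not
# configuration from the post.  First-match semantics with an implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
GUEST = ipaddress.ip_network("10.200.0.0/16")    # constructed guest VLAN
PRODUCTION = ipaddress.ip_network("10.0.0.0/8")  # constructed production space
CPPM = ipaddress.ip_network("10.10.10.20/32")    # constructed CPPM address on a server VLAN


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

# ACL applied inbound on the guest VLAN interface: guests get the captive
# portal on CPPM and the internet; RADIUS, SSH, the admin UI and every
# other production host are denied before the catch-all permit.
GUEST_IN_ACL: List[Rule] = [
    Rule("permit", GUEST, CPPM, "tcp", 443),  # ClearPass Guest captive portal
    Rule("permit", GUEST, CPPM, "tcp", 80),   # HTTP redirect to the portal
    Rule("deny", GUEST, PRODUCTION),          # no other production access
    Rule("permit", GUEST, ANY),               # internet
]

def evaluate(acl: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, or 'deny' if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in r.src and d in r.dst
                and r.proto in (None, proto) and r.dport in (None, dport)):
            return r.action
    return "deny"  # implicit deny at the end of the ACL

def check_guest_design(acl: List[Rule] = GUEST_IN_ACL) -> dict:
    """Evaluate the flows that matter for this design; constructed addresses."""
    guest = "10.200.7.42"
    flows = {
        "guest->cppm portal https": (guest, "10.10.10.20", "tcp", 443),
        "guest->cppm radius": (guest, "10.10.10.20", "udp", 1812),
        "guest->other internal host": (guest, "10.10.30.9", "tcp", 443),
        "guest->internet dns": (guest, "1.1.1.1", "udp", 53),
    }
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}
```

RADIUS from the WLC to CPPM travels on the controller's management VLAN, not through this ACL, which is why guests never need that port open.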


