Occasional Contributor II

ClearPass on Multiple VLANs

Getting ready to deploy CPPM Guest and I'm moving it to the guest VLAN. I would like to leave the current MGMT address on there, which is untagged VLAN 1. I see that I can add VLANs on the Server Configuration > Network page, but I'm having trouble figuring out exactly how to make this work with the VM appliance.

I configured a Port Group for 802.1Q VLAN trunking in ESX and connected my management interfaces there. CPPM now responds on the tagged VLANs I added, but no longer responds on the untagged VLAN associated with the management interface.

Suggestions? Am I going about this the wrong way somehow?

Guru Elite

Re: ClearPass on Multiple VLANs

CPPM would only need to be reachable from the guest VLAN. It does not have to be ON the guest LAN.
Guru Elite

Re: ClearPass on Multiple VLANs

…and should not be on the guest LAN.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass on Multiple VLANs

Thanks for the reply Tim - maybe I'm asking the wrong question. Currently the guest network has no route to the production networks. So it seems my choices would be to alter this segmentation, or add a VLAN interface for CPPM on the guest network.

What is the best practice in this scenario?

Thanks,

Re: ClearPass on Multiple VLANs

Why don't you source-NAT the guest traffic (HTTP/HTTPS) to the captive portal behind the AP or controller, if the business allows it? I would imagine your AP/controller already has a route to the CPPM regardless.

[Image: src-nat.png - IAP source-NAT rule for the captive portal]

Above is an example on an IAP. The domain in question was the public DNS name of the CPPM, which resolved to the internal interface IP. The AP management VLAN (which the HTTP/HTTPS traffic was src-NATed behind) was able to reach CPPM.
Occasional Contributor II

Re: ClearPass on Multiple VLANs

I'm using Cisco WLCs, which do not support NAT.

I ended up setting up routing and ACLs to allow the guest clients to reach ClearPass. It seems like this is a considerably safer way to set this up, because I can put firewall policies between them, which wouldn't be possible if I'd put ClearPass on the guest VLAN.

In CPPM itself, I've added a deny rule to Policy Manager for the guest subnet. Any other hardening that's recommended?
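The design the thread settles on (route the guest VLAN to ClearPass, but put a firewall/ACL in the path and open only what the captive portal needs) is easy to get subtly wrong, so here is an added example that models it as a first-match ACL and checks the decisions. This is illustrative code written for this page, not ClearPass or WLC configuration from the thread; every address, subnet, VLAN and port number in it is a constructed assumption (the RADIUS ports 1812/1813 and the Cisco CoA port 1700 are the usual defaults, but treat them as assumptions for your environment).

```python
"""Toy first-match ACL evaluator for the guest-VLAN -> ClearPass design.

Two policies are compared:
  FLAT_ACL      - what you effectively get if CPPM sits on the guest VLAN:
                  guest clients are L2-adjacent and nothing filters them.
  SEGMENTED_ACL - CPPM stays on the server VLAN, guests are routed to it,
                  and the ACL permits only the captive-portal ports, while
                  the WLC (the NAD) keeps RADIUS and CoA.
All addresses and ports below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumptions, not values from the thread)
GUEST_NET = ip_network("10.200.0.0/22")   # guest VLAN
CORP_NET = ip_network("10.10.0.0/16")     # production networks
CPPM = ip_network("10.10.5.20/32")        # ClearPass server
WLC = ip_network("10.10.1.5/32")          # Cisco WLC management address
ANY = None                                # wildcard for any field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: Optional[object]            # ip_network or ANY
    dst: Optional[object]            # ip_network or ANY
    proto: Optional[str]             # "tcp", "udp" or ANY
    dports: Optional[frozenset]      # destination ports or ANY

    def matches(self, flow: Flow) -> bool:
        if self.src is not ANY and ip_address(flow.src) not in self.src:
            return False
        if self.dst is not ANY and ip_address(flow.dst) not in self.dst:
            return False
        if self.proto is not ANY and flow.proto != self.proto:
            return False
        if self.dports is not ANY and flow.dport not in self.dports:
            return False
        return True


def evaluate(acl: list, flow: Flow) -> str:
    """First matching rule wins; an ACL with no match denies implicitly."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


# CPPM on the guest VLAN: guests reach every port on the server.
FLAT_ACL = [Rule("permit", GUEST_NET, CPPM, ANY, ANY)]

# CPPM on the server VLAN, guests routed through a filtered hop.
SEGMENTED_ACL = [
    # captive portal / guest web login only
    Rule("permit", GUEST_NET, CPPM, "tcp", frozenset({80, 443})),
    # nothing else from guests into production, including the rest of CPPM
    Rule("deny", GUEST_NET, CORP_NET, ANY, ANY),
    # guests may still go to the internet
    Rule("permit", GUEST_NET, ANY, ANY, ANY),
    # the WLC, not the guest, talks RADIUS to ClearPass
    Rule("permit", WLC, CPPM, "udp", frozenset({1812, 1813})),
    # ClearPass sends CoA / disconnect back to the WLC
    Rule("permit", CPPM, WLC, "udp", frozenset({1700})),
]


def audit(acl: list) -> dict:
    """Decisions for a set of constructed flows, keyed by a short label."""
    flows = {
        "guest->cppm:443": Flow("10.200.1.23", "10.10.5.20", "tcp", 443),
        "guest->cppm:22": Flow("10.200.1.23", "10.10.5.20", "tcp", 22),
        "guest->cppm:1812": Flow("10.200.1.23", "10.10.5.20", "udp", 1812),
        "guest->otherserver:443": Flow("10.200.1.23", "10.10.5.21", "tcp", 443),
        "guest->internet:443": Flow("10.200.1.23", "203.0.113.10", "tcp", 443),
        "wlc->cppm:1812": Flow("10.10.1.5", "10.10.5.20", "udp", 1812),
        "cppm->wlc:1700": Flow("10.10.5.20", "10.10.1.5", "udp", 1700),
    }
    return {label: evaluate(acl, flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for name, acl in (("flat", FLAT_ACL), ("segmented", SEGMENTED_ACL)):
        print(name)
        for label, decision in audit(acl).items():
            print(f"  {label:<24} {decision}")
```

The audit shows the point made in the post above: with the flat policy a guest client reaches SSH and RADIUS on the server, while the segmented policy leaves only the portal ports open and keeps RADIUS between the WLC and ClearPass. One limit of the port-level ACL is worth noting: the guest captive portal and the administrative web UI are both served over TCP 443 on the same address, so the network ACL cannot separate them; that is the gap the in-CPPM deny for the guest subnet closes, and it is why both layers belong in the design.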
