Hello Csoto
There are a few posts on this under Instant and ClearPass boards.
Firstly. Is the ClearPass owned by customer? As in in - it's not used by anyone else like a multi-customer hosted solution.
If it's customer only then as long as the customer has http/https connection to the CP server he will be able to do administration.
If it's multi-customer then no - you cant differentiate enough access to adjust just their own portals.
Second.
The client is redirected to the clearpass webserver (port 80 or 443) so the client needs a route to the server. Likewise the CP server needs a route back to the client network. At the same time - the IAP needs radius connectivity to the CP server.