In terms of security, it depends as far as I'm concerned. Primarily, it depends on the customer type. If it's military or some such, might be wise to put the Clearpass behind a firewall. It really comes down to governance and applicable industry regs for the customer. Having said that, if you're using an Aruba controller, the initial login role and architecture constitutes this (a firewall). Just make sure your rules are nice and tight!
There is an option in Clearpass (well, in recent versions certainly), to prevent admin from certain source subnets (maybe your DMZ). Screenshot attached.
Having said all that, I actually don't like having multiple interfaces as it increases complexity. This is nothing to do with security, but I find it simpler all around (mostly for the customer) if Clearpass has just one logical interface. I guess the validity of this for you depends on the architecture as a whole?