Regular Contributor I
Posts: 279
Registered: ‎02-11-2013

Network devices

Hi,

 

I need some explanations about the network devices in CPPM.

 

What do I really need to add there for RADIUS to work?

 

I have added the IP of the VC (IAP 105) and the public IP of my network (for tests in lab). It works fine, no problem.

And if I remove the VC device, it still works.

 

So I don’t really understand how CPPM manages the devices.

 

Thanks

 

Dimitri

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: Network devices

What do you mean that you added your public network to the network devices?

 

"A Policy Manager Device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol."

This is where you add the IP address of your device (in your case the IP address of the VC if you enabled the dynamic RADIUS proxy feature), the shared secret and other parameters. If you do not add the devices that send the access requests, then the request will fail.

Regular Contributor I
Posts: 279
Registered: ‎02-11-2013

Re: Network devices

To be a bit more clear:

 

ClearPass Policy Manager server is inside my network and I use Guest Self-Registration. The IAP is outside my network and with an IP configured for the VC.

 

If I add the VC's IP in Network Devices, the login process fails. But if I add the public IP of the network where my IAP is, it works fine. So I don't understand this.

 

Dynamic RADIUS proxy feature: can you explain to me why to use it?

 

Thanks

 

Dimitri

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: Network devices

Well, probably there is NAT used at the perimeter of the network where the IAP resides, right? If so, then it's normal to use the public IP of the IAP since the internal address of the IAP will never be seen at the ClearPass.

 

If you attach a sketch of the network topology with the IPs, it may help.

 

Dynamic RADIUS proxy: "When enabled, the Virtual Controller network uses the IP Address of the Virtual Controller for communication with external RADIUS servers. You must set the Virtual Controller IP address as a NAS client in the RADIUS server if Dynamic RADIUS Proxy is enabled."

 

Regular Contributor I
Posts: 279
Registered: ‎02-11-2013

Re: Network devices

"Well, probably there is NAT used at the perimeter of the network where the IAP resides, right? If so, then it's normal to use the public IP of the IAP since the internal address of the IAP will never be seen at the ClearPass."

 

Yes, I think that's the point. So I must add the public address of my IAP and not its internal IP address.

 

I will attach a sketch of my network topology tomorrow.

 

Thanks

 

Dimitri
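
The behaviour this thread arrives at, as an added example that is not part of any post and is not ClearPass code: a generic RADIUS server picks the client entry and shared secret by the source address of the packet it receives, so behind a source NAT only the public address matches, while the NAS-IP-Address attribute inside the packet still carries the internal one. The addresses, secret, user name and function names are constructed assumptions, and requiring a Message-Authenticator is a choice of this model.

```python
import hashlib, hmac, ipaddress, os, struct

# Constructed lab values (documentation ranges), not taken from the thread.
VC_INTERNAL_IP = "192.168.10.5"  # Virtual Controller address behind the NAT
NAT_PUBLIC_IP = "203.0.113.10"   # address the perimeter NAT translates it to
SECRET = b"lab-shared-secret"

def build_access_request(secret, username, nas_ip):
    """Minimal Access-Request: User-Name, NAS-IP-Address, Message-Authenticator."""
    user = username.encode()
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([4, 6]) + ipaddress.IPv4Address(nas_ip).packed
    ma_value = 20 + len(attrs) + 2           # offset of the 16-byte HMAC value
    attrs += bytes([80, 18]) + bytes(16)     # HMAC is computed over zeroes here
    header = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + os.urandom(16)
    pkt = bytearray(header + attrs)
    pkt[ma_value:ma_value + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def source_nat(src_ip):
    """Perimeter NAT rewrites the IP header only, never the RADIUS attributes."""
    return NAT_PUBLIC_IP if src_ip == VC_INTERNAL_IP else src_ip

def server_receive(devices, src_ip, pkt):
    """devices: {configured device IP: shared secret}, keyed by packet source."""
    secret = devices.get(src_ip)
    if secret is None:
        return "dropped: unknown client " + src_ip
    i = 20
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2:
        if pkt[i] == 80:                      # Message-Authenticator
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            good = hmac.new(secret, zeroed, hashlib.md5).digest()
            if hmac.compare_digest(good, pkt[i + 2:i + 18]):
                return "accepted"
            return "dropped: bad Message-Authenticator"
        i += pkt[i + 1]
    return "dropped: no Message-Authenticator"

def run_case(devices):
    """Send one request from the VC through the NAT to a server with `devices`."""
    pkt = build_access_request(SECRET, "guest1", VC_INTERNAL_IP)
    return server_receive(devices, source_nat(VC_INTERNAL_IP), pkt)

if __name__ == "__main__":
    print(run_case({VC_INTERNAL_IP: SECRET}))        # only the internal IP listed
    print(run_case({NAT_PUBLIC_IP: SECRET}))         # public IP listed
    print(run_case({NAT_PUBLIC_IP: b"wrong-secret"}))
```

In this model, listing both addresses behaves the same as listing only the public one, which matches the observation that removing the VC entry changed nothing.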
