If you are exposing ClearPass to the internet via public IP address, make sure you setup Applipcation Restrictions to prevent any IP address from accessing administrative pages - Please reference the ClearPass Hardening Guide.
In terms of NAT, I've done it the other way and it required me add the NAT'd IP and the real IP as network devices, but you may not need to do this the way you are explaining.