
NAC Positioning in a Network

  • 1.  NAC Positioning in a Network

    Posted Oct 16, 2021 04:27 AM

    I'd like to ask a design-related question regarding the general positioning of a NAC appliance in a network!
    In my case, I've a CPPM which should be used in the first instance only to authenticate guests via SMS! I now try to understand whether it's necessary/useful to secure the CPPM from the rest of the network through a firewall, in which case all authentication requests must go through the firewall as well!
    How do you basically handle that kind of design, or does anybody know if there are official design guides public?

    thanks for any kind of help in advance!

  • 2.  RE: NAC Positioning in a Network

    Posted Oct 17, 2021 03:14 PM
    You should secure CPPM from the users as much as possible. For example:

    - Use the MGMT interface for internal server connectivity and management
    - Use the DATA interface and place this in a DMZ behind a firewall which only permits the necessary client traffic flows (e.g. HTTPS for Web Login)
    - Apply an ACL to the management interfaces to prevent end users accessing the Policy Manager login page
    - Use HTTPS for all login pages to protect the credential exchange

    Check out the ClearPass hardening and deployment guides here:

  • 3.  RE: NAC Positioning in a Network

    Posted Oct 18, 2021 07:52 AM
    I disagree with using the management and data interfaces for security reasons. For security reasons, you should probably not connect the same device to different security zones, especially not untrusted/guest and trusted/internal, as a compromise of the guest interface may provide uncontrolled access to the internal network. If you really need multiple interfaces, put both interfaces in a DMZ behind a/the firewall to control what comes in and what can go out. At least make a proper security and risk assessment. This does not just apply to ClearPass, but to any device that has multiple interfaces (in different security zones).

    In general, my (personal) advice would be: don't use data/mgmt on ClearPass, stick with management only. If that is considered not secure enough, that is an indication you should consider a separate appliance in the other security zone instead of using both network interfaces. One recent good reason for using mgmt+data was for an MSP model, and the separate interfaces were used to connect to two different routing domains, and in both domains, the first device that the appliances hit was a firewall to secure the traffic and keep the domains separated. Always check the 'Service Routing Technote' to better understand running ClearPass with multiple interfaces.

    Agree with the other suggestions and using the hardening guide.

    Running RADIUS or other ClearPass protocols across firewalls should not be an issue, however, make sure all possible traffic is allowed, also in backup scenarios like when your primary authentication source is down and ClearPass falls back to another. When I'm involved in troubleshooting connectivity, my first question is if there is a firewall somewhere in the datapath.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
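The two replies above come down to the same operational question: does the firewall in front of the ClearPass appliance permit exactly the flows the deployment needs (RADIUS from the NAS devices, HTTPS from the guest VLAN to the web login, LDAPS from ClearPass to its authentication sources, admin access only from a management host) and nothing else, including the fallback authentication source that only matters when the primary is down? The following Python script is an added example, not code from the thread, from Aruba or from ClearPass: it models a first-match, default-deny ruleset and audits it against a list of expected flows. All addresses, zones, the jump host and the choice of ports (UDP 1812/1813 for RADIUS, TCP 443 for the web login and admin UI, TCP 636 for LDAPS) are constructed assumptions for the illustration; substitute your own ruleset and flow list.

```python
"""Audit a firewall ruleset against the flows a ClearPass deployment needs.

Constructed example. The rules, addresses, zones and ports below are
assumptions made up for illustration, not values from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp" or "udp"
    port: int     # destination port


@dataclass(frozen=True)
class Flow:
    name: str
    src_ip: str
    dst_ip: str
    proto: str
    port: int
    expect: str   # what the design requires: "allow" or "deny"


# Assumed addressing (constructed):
#   CPPM data interface in the DMZ ........ 10.10.50.10
#   CPPM mgmt interface in the server zone  10.10.1.10
#   NAS devices (controllers/switches) .... 10.10.20.0/24
#   Guest client VLAN ..................... 192.168.100.0/24
#   Primary AD/LDAPS server ............... 10.10.1.20
#   Fallback AD/LDAPS server .............. 10.10.2.20
#   Admin jump host ....................... 10.10.1.100
RULES = [
    Rule("allow", "10.10.20.0/24", "10.10.50.10/32", "udp", 1812),   # RADIUS auth
    Rule("allow", "10.10.20.0/24", "10.10.50.10/32", "udp", 1813),   # RADIUS acct
    Rule("allow", "192.168.100.0/24", "10.10.50.10/32", "tcp", 443),  # guest web login
    Rule("allow", "10.10.1.10/32", "10.10.1.20/32", "tcp", 636),     # LDAPS to primary AD
    Rule("allow", "10.10.1.100/32", "10.10.1.10/32", "tcp", 443),    # admin UI from jump host
    # Deliberately missing: LDAPS from CPPM to the fallback AD server.
]

# The flows the design requires, including the backup-path flow and two
# flows that must stay blocked (guest users reaching the admin UI or SSH).
FLOWS = [
    Flow("radius_auth", "10.10.20.5", "10.10.50.10", "udp", 1812, "allow"),
    Flow("radius_acct", "10.10.20.5", "10.10.50.10", "udp", 1813, "allow"),
    Flow("guest_web_login", "192.168.100.42", "10.10.50.10", "tcp", 443, "allow"),
    Flow("ldaps_primary", "10.10.1.10", "10.10.1.20", "tcp", 636, "allow"),
    Flow("ldaps_fallback", "10.10.1.10", "10.10.2.20", "tcp", 636, "allow"),
    Flow("guest_to_admin_ui", "192.168.100.42", "10.10.1.10", "tcp", 443, "deny"),
    Flow("guest_to_data_ssh", "192.168.100.42", "10.10.50.10", "tcp", 22, "deny"),
]


def evaluate(rules, flow):
    """First-match evaluation with an implicit default deny."""
    src, dst = ip_address(flow.src_ip), ip_address(flow.dst_ip)
    for rule in rules:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and rule.proto == flow.proto and rule.port == flow.port):
            return rule.action
    return "deny"


def audit(rules, flows):
    """Return (flow name, expected, actual) for every flow the ruleset gets wrong."""
    mismatches = []
    for flow in flows:
        actual = evaluate(rules, flow)
        if actual != flow.expect:
            mismatches.append((flow.name, flow.expect, actual))
    return mismatches


if __name__ == "__main__":
    for name, expected, actual in audit(RULES, FLOWS):
        print(f"{name}: expected {expected}, ruleset gives {actual}")
```

Run as-is, the audit reports only `ldaps_fallback`: the primary authentication path works, so the gap stays invisible until the primary server is unavailable, which is exactly the backup scenario the third reply warns about. The two deny flows pass because the model is default deny; if your firewall has a broad "any to DMZ" rule, add it to RULES and the guest-to-admin-UI flow will surface as a mismatch.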