I disagree with using the management and data interfaces for security reasons. For security reasons, you should probably not connect the same device to, different security zones, especially not untrusted/guest and trusted/internal, as a compromise of the guest interface may provide uncontrolled access to the internal network. If you really need multiple interfaces, put both interfaces in a DMZ behind a/the firewall to control what comes in, and can go out. At least make a proper security and risk assessment. This does not just apply to ClearPass, but to any device that has multiple interfaces (in different security zones).
In general, my (personal) advice would be: don't use data/mgmt on ClearPass, stick with management only. If that is considered not secure enough, that is an indication you should consider a separate appliance in the other security zone instead of using both network interfaces. One recent good reason for using mgmt+data was for an MSP model, and the separate interfaces were used to connect to two different routing domains, and in both domains, the first device that the appliances hit was a firewall to secure the traffic and keep the domains separated. Always check the 'Service Routing Technote' to better understand running ClearPass with multiple interfaces.
Agree with the other suggestions and using the hardening guide.
Running RADIUS or other ClearPass protocols across firewalls should not be an issue, however, make sure all possible traffic is allowed, also in backup scenarios like when your primary authentication source is down and ClearPass falls back to another. When I'm involved in troubleshooting connectivity, my first question is if there is a firewall somewhere in the datapath.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 17, 2021 03:13 PM
From: Scott Doorey
Subject: NAC Positioning in a Network
you should secure cppm from the users as much as possible. for example;
-Use MGMT interface for internal server connectivity and management
-Use DATA interface and place this in DMZ behind a firewall which only permits the necessary client traffic flows (e.g. HTTPS for Web Login)
-Apply ACL to management interfaces to prevent end users accessing the policy manager login page
-Use HTTPs for all login pages to protect the credential exchange
Check out the ClearPass hardening and deployment guides here: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=27076
------------------------------
Scott Doorey
Original Message:
Sent: Oct 16, 2021 04:27 AM
From: Daniel wolf
Subject: NAC Positioning in a Network
Hi,
I´d like to as a Design-related question regarding the general positioning of a NAC appliance in a network!
In my case, I`ve a CPPM which should be used in the first instance only to authenticate guests via SMS! I now try to understand whether it`s necessary/useful to secure the CPPM from the rest of the network through a firewall, in which case all authentication requests must go through the firewall as well!
How do you basically handle that kind of design or does anybody know if there`re official design guides public?
thanks for any kind of help in advance!