Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

Jump to Best Answer
  • 1.  Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

    Posted Aug 15, 2018 07:25 PM

    Hello,

    I've deployed Clearpass quite a bit and I always understood that the mgmt port was for admin access (and authentication), and data port only allowed authentication. This made it easy to DMZ the data port for guest captive portal etc. With 6.7 I noticed that the admin UI is available via the data port. I'm not sure if this is a bug but I can't find any documentation around this behavior change. 

     

    Anyone have any ideas? 

     



  • 2.  RE: Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??
    Best Answer

    Posted Aug 15, 2018 07:27 PM
    It always has. You should be using the application ACLs to restrict access to services.


  • 3.  RE: Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

    Posted Aug 15, 2018 07:44 PM

    I don't believe so, I pulled this from the Clearpass 6.6 quick start guide and it shows the same thing in the 6.7 guide (page 6).  It's referencing a Hardware appliance but I saw this behavior in 6.6 virtual appliances. I have specifically deployed data ports for DMZ guest networks for authentication only. Obviously, I can use the Application ACL, it just caught me off guard. 

    Attachment(s)



  • 4.  RE: Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

    Posted Aug 16, 2018 03:56 AM

    As Tim said, this has been like this as long as I know ClearPass. While the naming of the ports, and the way you interpreted it, may not fully cover your intended use, the documentation doesn't tell that the admin UI is unreachable via the data port. And indeed, service ACLs were introduced to stop admin access in dual port cases.

     

    For the sake of simplicity and security, I always try to just use the management port (don't configure data port). Then at least you know what you get and can do proper designs around it. There are very few cases where the data port is actually needed, and in those cases, it can be better to still just use the management port. Unless you fully understand the implications of dual port configuration, I would try to avoid the use of it.

     

    To learn more about the routing and working of dual port ClearPass, please check the CPPM Service Routing TechNote.



  • 5.  RE: Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

    Posted Aug 16, 2018 04:06 PM

    Thanks, it seems as though the documentation around this is written very poorly. I found that in the documentation it says the CLI is only accessible via mgmt but nothing referencing the GUI. Its also omitted in the screenshot I provided above which is from the quick start guide explaining the purpose of the two interfaces. 

     

    Really appreciate the help and quick response to this!