I've deployed Clearpass quite a bit and I always understood that the mgmt port was for admin access (and authentication), and data port only allowed authentication. This made it easy to DMZ the data port for guest captive portal etc. With 6.7 I noticed that the admin UI is available via the data port. I'm not sure if this is a bug but I can't find any documentation around this behavior change.
Anyone have any ideas?
I don't believe so, I pulled this from the Clearpass 6.6 quick start guide and it shows the same thing in the 6.7 guide (page 6). It's referencing a Hardware appliance but I saw this behavior in 6.6 virtual appliances. I have specifically deployed data ports for DMZ guest networks for authentication only. Obviously, I can use the Application ACL, it just caught me off guard.
As Tim said, this has been like this as long as I've known ClearPass. While the naming of the ports, and the way you interpreted it, may not fully cover your intended use, the documentation doesn't say that the admin UI is unreachable via the data port. And indeed, service ACLs were introduced to stop admin access in dual port cases.
For the sake of simplicity and security, I always try to just use the management port (don't configure data port). Then at least you know what you get and can do proper designs around it. There are very few cases where the data port is actually needed, and in those cases, it can be better to still just use the management port. Unless you fully understand the implications of dual port configuration, I would try to avoid the use of it.
To learn more about the routing and working of dual port ClearPass, please check the CPPM Service Routing TechNote.
Thanks, it seems as though the documentation around this is written very poorly. I found that the documentation says the CLI is only accessible via mgmt, but nothing references the GUI. It's also omitted in the screenshot I provided above, which is from the quick start guide explaining the purpose of the two interfaces.
Really appreciate the help and quick response to this!