Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Interfaces (Data & Management) for Azure Deployment

  • 1.  Clearpass Interfaces (Data & Management) for Azure Deployment

    Posted Jul 31, 2024 03:08 PM

    The Aruba ClearPass hardening documentation indicates the following:

    "ClearPass utilizes separate management and data interfaces, and provides the ability to restrict access to the management interface to just authorized end stations."

    Is this the case for a specific implementation in Azure? Are there any restrictions in ClearPass or Azure for deployment utilizing multiple interfaces?

    Is there a requirement to deploy Azure Clearpass with a single interface - mixing the data and management traffic planes?



  • 2.  RE: Clearpass Interfaces (Data & Management) for Azure Deployment

    EMPLOYEE
    Posted Jul 31, 2024 03:45 PM

    The data port isn't supported in cloud deployments, only the management port is available.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass Interfaces (Data & Management) for Azure Deployment

    Posted 18 days ago

    Sorry to hijack this thread, but I'm wondering if you might be able to explain why the CPPM 6.11.x Azure deployment guide specifically instructs the addition of a 2nd network interface (data port) if it is not supported?

    I'm referring to this guide here:

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Default.htm#Cloud-Azure/CD-AZ-cppm-in-azure.htm?TocPath=Cloud%2520Deployments%253A%2520Microsoft%2520Azure%2520Cloud%2520Service%257C_____2

    Under the Networking header, it states:

    "Once the VA is created, you must log in to the Azure portal and create a second interface for the VA."

    This links to a lower section on the page giving instructions for doing so in the Azure portal:

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Default.htm#Cloud-Azure/CD-AZ-cppm-in-azure.htm#Adding

    I'm asking mainly because I added a 2nd interface to our Azure VAs because of this guide, so I'm hoping there are no adverse effects.




  • 4.  RE: Clearpass Interfaces (Data & Management) for Azure Deployment

    EMPLOYEE
    Posted 18 days ago

    ClearPass expects the second interface to be present even when the underlying environment doesn't necessarily support the functionality.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Clearpass Interfaces (Data & Management) for Azure Deployment

    Posted 18 days ago

    Ah, that makes sense, thanks! 




  • 6.  RE: Clearpass Interfaces (Data & Management) for Azure Deployment

    Posted Aug 01, 2024 09:39 AM

    You can still set the ACLs to allow only specific client subnets (or exclude specific subnets) for access to the Policy Manager Web interface. That is done under Server Manager - Server Configuration - <your server> - Network - Application Access Control.

    Unsure how/why the data-management port ended up in that guide, as on premises you can connect through either interface to the CPPM Management, so I would not recommend using data-management ports for security reasons, just for some corner-case routing challenges. But, as mentioned, in Azure you don't even have the option to use data interfaces, so it's even simpler.
    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------