I am looking for some guidance on how to approach this. Currently I run a cluster of two ClearPass 25K boxes in a cluster to serve dot1x wireless RADIUS requests as well as WEBAUTH requests for our captive portal.
These boxes are part of our internal IP space so there is no access from outside. In order to activate your guest account, you must be inside our network (we do a self sponsored type of guest network).
I would like to allow users to potentially reach our ClearPass page from outside for a few different reasons, one of which would be to be able to activate an account or register a MAC address from outside.
Our boxes are connected with the management port. I am not really familiar with the data port. Even if the data port could be used to service those web requests, from a security standpoint it seems unwise to have a leg into both the DMZ and the inside, essentially bypassing the firewall with a device.
So I was thinking about perhaps using a VM on the DMZ to serve the captive portal and then load balancing and sanitizing the URIs through an F5.
1) Can I mix a small VM platform with my clustered 25K boxes?
2) Would I add that box to the cluster? Ideally I would like it to use the access licenses that we have for our 25K boxes.
3) How would I set it up so only that DMZ processes the WEBAUTH requests and captive portal? Serving just the captive portal seems relatively simple by only pointing to the hostname for that box.
Is my thinking perhaps a little backwards? What would be the proper way to set up something like this? I'm focused on security first and foremost because exposing a device like ClearPass to the world, even through a firewall, makes me very nervous.
Thoughts? Advice?
Thanks!