Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Allowing CPPM web server to be accessed externally

  • 1.  Allowing CPPM web server to be accessed externally

    Posted Feb 19, 2020 07:06 PM

    I am looking for some guidance on how to approach this. Currently I run a cluster of two clearpass 25K boxes in a cluster to serve dot1x wireless RADIUS requests as well as WEBAUTH request for our captive portal.


    These boxes are part of our internal IP space so there is no access from outside. In order to activate your guest account, you must be inside our network (we do a self sponsored type of guest network).


    I would like to allow users to potentially reach our clearpass page from outside for a few different reasons, one of which would be to be able to activate an account or register a MAC address from outside.


    Our boxes are connected with the management port. I am not really familiar with the data port. Even if the data port could be used to service those web requests, from a security standpoint it seems unwise to have a leg into both DMZ and inside, essentially bypassing the firewall with a device.


    So I was thinking about perhaps using a VM on the DMZ to serve the captive portal and then load balancing and sanitizing the URIs through an F5.


    1) Can I mix a small VM platform with my clustered 25K boxes?

    2) Would I add that box to the cluster? Ideally I would like it to use the access licenses that we have for our 25K boxes.

    3) How would I set it up so only that DMZ box processes the WEBAUTH requests and captive portal? Serving just the captive portal seems relatively simple by only pointing to the hostname for that box.


    Is my thinking perhaps a little backwards? What would be the proper way to set up something like this? I'm focused on security first and foremost because exposing a device like clearpass to the world, even through a firewall, makes me very nervous.


    Thoughts? Advice?


    Thanks!



  • 2.  RE: Allowing CPPM web server to be accessed externally
    Best Answer

    EMPLOYEE
    Posted Feb 20, 2020 08:29 AM

    VM can be mixed with hardware appliances in a cluster, and I think deploying a separate instance in the DMZ (with URL filter in front of it) is an excellent idea.


    You can purchase just the VM license without any access license if you add it to the cluster.


    If you don't want to cluster across the DMZ to internal, you could build a separate publisher, but that may need access licenses.


    As for how to make sure the VM in the DMZ only processes WEBAUTH requirements, best is to firewall it off so other requests can't reach the box; or just don't use the other functionality.

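The answer above recommends a URL filter in front of the DMZ instance so that only the guest-portal pages are reachable from outside. The filter is only as good as its path canonicalization: an allowlist that compares the raw request target will pass `/guest/%2e%2e/admin` while the web server behind it serves `/admin`. The following is an added illustration of that canonicalize-then-allowlist check in Python; it is not ClearPass or F5 code, and the hostname, the allowed prefixes and the method set are constructed placeholders, not paths taken from the product. The same logic would be expressed as a policy or iRule on the load balancer.

```python
"""Canonicalizing path allowlist for a reverse proxy in front of a DMZ portal.

Added example, not part of the original thread or of any vendor product.
ALLOWED_PREFIXES and EXPECTED_HOST are constructed placeholders.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed placeholders: the only URL prefixes the captive portal needs.
ALLOWED_PREFIXES = ("/guest/", "/static/")
# Constructed placeholder: the name the DMZ instance is published under.
EXPECTED_HOST = "guest.example.com"
# Methods a guest registration / activation page legitimately needs.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Upper bound on nested percent-encoding layers before we give up.
MAX_DECODE_ROUNDS = 3


def canonical_path(request_target: str):
    """Return the canonical absolute path of a request target, or None if it
    cannot be canonicalized safely (unstable encoding, control characters,
    relative path)."""
    path = urlsplit(request_target).path  # drop query string and fragment

    # Percent-decode until the result is stable so that double encoding
    # (%252e -> %2e -> .) is seen in its final form.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after MAX_DECODE_ROUNDS: reject

    # Reject NUL, other control characters and backslashes outright.
    if any(ord(c) < 0x20 or c == "\\" for c in path):
        return None
    if not path.startswith("/"):
        return None

    # Collapse "." and ".." segments and repeated slashes.
    return posixpath.normpath(path)


def is_allowed(method: str, host_header: str, request_target: str) -> bool:
    """Decide whether a request may be forwarded to the DMZ portal host."""
    if method.upper() not in ALLOWED_METHODS:
        return False
    # Host header may carry a port; compare the name only.
    if host_header.split(":")[0].lower() != EXPECTED_HOST:
        return False
    path = canonical_path(request_target)
    if path is None:
        return False
    # normpath strips a trailing slash ("/guest/" -> "/guest"); appending one
    # before the prefix test keeps the bare directory allowed while still
    # rejecting look-alikes such as "/guestx/".
    return any((path + "/").startswith(prefix) for prefix in ALLOWED_PREFIXES)


if __name__ == "__main__":
    # Constructed sample requests, as a proxy might see them.
    samples = [
        ("GET", "guest.example.com", "/guest/register.php?mac=aa-bb"),
        ("GET", "guest.example.com", "/guest/../tips/"),
        ("GET", "guest.example.com", "/guest/%252e%252e/admin"),
        ("GET", "other.example.com", "/guest/"),
    ]
    for method, host, target in samples:
        verdict = "forward" if is_allowed(method, host, target) else "deny"
        print(f"{verdict:8} {method} {host} {target}")
```

Pair the allowlist with the host-based firewall the answer recommends; the proxy decides which paths reach the box, the firewall decides which networks may talk to it at all.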


  • 3.  RE: Allowing CPPM web server to be accessed externally

    Posted Feb 20, 2020 08:41 AM

    Thanks for the response Herman, I appreciate it. Your Clearpass videos have always been very helpful to me.


    Would you be able to tell me or point me to a resource where I can find out what traffic needs to be allowed for a cluster to form successfully if we decide to just spin up an additional subscriber on the DMZ?


    In terms of isolating it completely and spinning up a standalone publisher on the DMZ, I think we should be okay with access licenses, as when we converted our 6.6 licenses to 6.8 it included 2 packs of 1000 access which we had with our original Amigopod setup. From a security perspective making it a standalone publisher makes sense. However, from an administrative standpoint it complicates things.


    Thanks again.



  • 4.  RE: Allowing CPPM web server to be accessed externally

    EMPLOYEE
    Posted Feb 20, 2020 10:11 AM

    The ClearPass Hardening Guide, which can be found on the Documentation page, provides you with the information on what communication is required. Check pages 9 and 10.



  • 5.  RE: Allowing CPPM web server to be accessed externally

    Posted Feb 20, 2020 10:13 AM

    Excellent. Thank you so much Herman.