Occasional Contributor II

Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

Hello,

I've deployed ClearPass quite a bit and I always understood that the mgmt port was for admin access (and authentication), and the data port only allowed authentication. This made it easy to DMZ the data port for guest captive portal etc. With 6.7 I noticed that the admin UI is available via the data port. I'm not sure if this is a bug, but I can't find any documentation around this behavior change.

Anyone have any ideas? 

Accepted Solutions
Moderator

Re: Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

It always has. You should be using the application ACLs to restrict access to services.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |


All Replies
Occasional Contributor II

Re: Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

I don't believe so. I pulled this from the ClearPass 6.6 quick start guide, and it shows the same thing in the 6.7 guide (page 6). It's referencing a hardware appliance, but I saw this behavior in 6.6 virtual appliances. I have specifically deployed data ports for DMZ guest networks for authentication only. Obviously, I can use the Application ACL; it just caught me off guard.

MVP Guru

Re: Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

As Tim said, this has been like this for as long as I have known ClearPass. While the naming of the ports, and the way you interpreted it, may not fully cover your intended use, the documentation doesn't say that the admin UI is unreachable via the data port. And indeed, service ACLs were introduced to stop admin access in dual-port cases.

For the sake of simplicity and security, I always try to just use the management port (don't configure the data port). Then at least you know what you get and can do proper designs around it. There are very few cases where the data port is actually needed, and in those cases it can be better to still just use the management port. Unless you fully understand the implications of a dual-port configuration, I would try to avoid the use of it.

To learn more about the routing and working of dual port ClearPass, please check the CPPM Service Routing TechNote.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
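Both answers above come down to the same control: the data port exposes every service, so restricting the admin UI is the job of an application-level ACL, not of the interface choice. The script below is an added example, not ClearPass code or Aruba's rule syntax. It models an ordered, first-match application access list (the `application;action;cidr` line format, the first-match evaluation and the default-allow behaviour for unmatched traffic are all assumptions of this model, not verified ClearPass semantics) and then audits which of a set of subnets can still reach the admin UI. The subnets (10.10.0.0/24 as the management LAN, 192.168.50.0/24 as the DMZ behind the data port) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Modelled application access-control rule (assumed shape, not ClearPass's own).
@dataclass(frozen=True)
class Rule:
    application: str                 # e.g. "Admin UI", "Guest"
    action: str                      # "allow" or "deny"
    source: ipaddress.IPv4Network    # client network the rule applies to


def parse_rules(text: str) -> List[Rule]:
    """Parse constructed rule lines of the form '<application>;<allow|deny>;<cidr>'.
    Blank lines and '#' comments are ignored; rule order is preserved."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        app, action, cidr = (part.strip() for part in line.split(";"))
        action = action.lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r} in rule: {line}")
        rules.append(Rule(app, action, ipaddress.ip_network(cidr, strict=False)))
    return rules


def evaluate(rules: List[Rule], application: str, client_ip: str,
             default: str = "allow") -> str:
    """First matching rule for the application wins.
    Assumption: traffic that matches no rule falls through to `default`
    (modelled as allow, which is the risky direction for an unrestricted port)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.application == application and ip in rule.source:
            return rule.action
    return default


def reachable_from(rules: List[Rule], application: str,
                   probe_networks: List[str]) -> List[str]:
    """Defender-side audit: return every probe network whose first host can
    reach `application` under the rule set. Anything the admin UI should not
    be exposed to (DMZ, guest, internet) showing up here is a finding."""
    exposed = []
    for net in probe_networks:
        network = ipaddress.ip_network(net, strict=False)
        first_host = next(network.hosts())
        if evaluate(rules, application, str(first_host)) == "allow":
            exposed.append(net)
    return exposed


# Constructed rule sets. The first one is the "data port in the DMZ, no ACL" state
# from the original question; the second adds the restriction Tim recommends.
RULES_UNRESTRICTED = """
# No Admin UI rules at all: every interface, including the data port, serves it.
Guest;    allow; 192.168.50.0/24
"""

RULES_HARDENED = """
# Admin UI only from the management subnet; a catch-all deny closes everything else.
Admin UI; allow; 10.10.0.0/24
Admin UI; deny;  0.0.0.0/0
# Guest portal stays reachable from the DMZ where the data port sits.
Guest;    allow; 192.168.50.0/24
"""

PROBES = ["10.10.0.0/24", "192.168.50.0/24", "203.0.113.0/24"]


def audit_admin_ui() -> Tuple[List[str], List[str]]:
    """Return (exposed networks before hardening, exposed networks after)."""
    before = reachable_from(parse_rules(RULES_UNRESTRICTED), "Admin UI", PROBES)
    after = reachable_from(parse_rules(RULES_HARDENED), "Admin UI", PROBES)
    return before, after


if __name__ == "__main__":
    before, after = audit_admin_ui()
    print("Admin UI reachable from (no ACL):   ", before)
    print("Admin UI reachable from (hardened): ", after)
```

Run it and the unrestricted set reports the admin UI reachable from all three probe networks, while the hardened set reports only the management subnet, with the guest portal still answering from the DMZ. The same audit shape applies to any other service you expose on a dual-port box: list the networks the port can be reached from, and confirm each sensitive application is denied from all but the intended one.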
Occasional Contributor II

Re: Data Port on Virtual Appliance CPPM 6.7 now allows admin UI??

Thanks, it seems as though the documentation around this is written very poorly. I found that the documentation says the CLI is only accessible via mgmt but nothing referencing the GUI. It's also omitted in the screenshot I provided above, which is from the quick start guide explaining the purpose of the two interfaces.

Really appreciate the help and quick response to this! 
