Frequent Contributor I

Forced to use dataport, some advice please?

Hi,

For the project I'm working on, the decision was made to make eduroam available. Unfortunately, the ClearPass cluster was already configured on private IP addresses and we went live a few weeks ago, so I added public IP addresses on the data port to communicate with the federal servers.

I'm aware how the routing works, and for now everything works fine.

My question: would it be better to change all RADIUS requests etc. to the data port too, or would it be fine to keep all that traffic on the mgmt port?

ClearPass version 6.7.5

thanks

Erik

ACDX#968, ACMP, ACCP, ACSP
Guru Elite

Re: Forced to use dataport, some advice please?

Why not use NAT? You should avoid connecting ClearPass servers directly to the internet wherever possible.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: Forced to use dataport, some advice please?

Hi Tim,

They use both private and public IP ranges internally. ClearPass is not directly connected to the internet; only RADIUS is allowed through the firewall to the federal servers, using the public IP addresses to communicate.

I was thinking about NAT, but the current network admin isn't trustworthy and his contract is terminated by tomorrow. My NAT knowledge on Cisco ASA is limited, and the system administrators couldn't help me either. Information on a contact for the federal RADIUS servers took the staff several weeks to figure out.

School opens Monday after the summer break, so I was out of time to rebuild the cluster (which went live 3 weeks ago for the school staff) and I have chosen the data port route. eduroam is operational and I don't think I can get the changes done at Federal overnight.

As said, RADIUS and portals are working fine. I just need some advice on best practice, since I need to add yet another SNMP community to all the switches so I can change the RADIUS settings in one go.

thanks

Erik

ACDX#968, ACMP, ACCP, ACSP
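To illustrate Tim's suggestion (NAT rather than public addresses on the data port) against Erik's mention of a Cisco ASA, here is an added example that is not part of the thread and not ClearPass or Aruba configuration: a static one-to-one translation of one ClearPass node's private management IP to a public address on a Cisco ASA (8.3 and later object NAT syntax), with the outside-facing ACL limited to RADIUS authentication and accounting from the federation server, which matches the "only RADIUS through the firewall" rule Erik describes. Every address and object name is a constructed placeholder from the RFC 5737 documentation ranges; the real values, one object and ACL pair per federation server, and one NAT statement per ClearPass node would have to be filled in.

```cisco
! Added example (not from the thread): static NAT for a ClearPass node on a Cisco ASA.
! All addresses below are constructed placeholders (RFC 5737 documentation ranges).

! Real (private) management IP of the ClearPass node - assumed value
object network CLEARPASS-NODE1-MGMT
 host 192.168.10.10
 description ClearPass node 1 management interface (placeholder)

! Federation RADIUS server that is allowed to talk to ClearPass - assumed value
object network EDUROAM-FLR-1
 host 198.51.100.20
 description Federation RADIUS server 1 (placeholder)

! One-to-one static NAT: outside peers see 203.0.113.10, the node keeps its private IP.
! Static NAT is bidirectional, so ClearPass can also initiate RADIUS towards the FLR
! without any public address being configured on the node itself.
object network CLEARPASS-NODE1-MGMT
 nat (inside,outside) static 203.0.113.10

! Inbound policy: only RADIUS auth (UDP 1812) and accounting (UDP 1813) from the FLR.
! On ASA 8.3+ the ACL matches the real (untranslated) address, hence the mgmt object.
access-list OUTSIDE-IN extended permit udp object EDUROAM-FLR-1 object CLEARPASS-NODE1-MGMT eq 1812
access-list OUTSIDE-IN extended permit udp object EDUROAM-FLR-1 object CLEARPASS-NODE1-MGMT eq 1813
! Everything else from the internet to the node is dropped and logged.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

With this in place, the federation side registers 203.0.113.10 as the institution's RADIUS peer, while ClearPass keeps its existing private addressing and the RADIUS service stays on the management port. On the ASA, `show nat detail` confirms the translation and `packet-tracer input outside udp 198.51.100.20 1812 203.0.113.10 1812` walks an inbound Access-Request through NAT and the ACL, which is a quick way to verify that only the federation server and only those two UDP ports are reachable.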