Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Forced to use dataport, some advice please?

  • 1.  Forced to use dataport, some advice please?

    Posted Aug 30, 2018 11:46 AM

    Hi,

    For the project I'm working on, the decision was made to make eduroam available. Unfortunately the ClearPass cluster was already configured on private IP addresses and we went live a few weeks ago, so I added public IP addresses on the dataport to communicate with the federal servers.

    I'm aware how the routing works, and for now everything works fine.

    My question: would it be better to change all RADIUS requests etc. to the dataport too, or would it be fine to keep all that traffic on the mgmt port?

    ClearPass version 6.7.5

    thanks

    Erik



  • 2.  RE: Forced to use dataport, some advice please?

    EMPLOYEE
    Posted Aug 30, 2018 11:49 AM
    Why not use NAT? You should avoid connecting ClearPass servers directly to the internet wherever possible.


  • 3.  RE: Forced to use dataport, some advice please?

    Posted Aug 30, 2018 02:06 PM

    Hi Tim,

    They use both private and public IP ranges internally. ClearPass is not directly connected to the internet; only RADIUS is allowed through the firewall to the federal servers, using the public IP addresses to communicate.

    I was thinking about NAT, but the current network admin isn't trustworthy and his contract is terminated by tomorrow. My NAT knowledge on Cisco ASA is limited, and the system administrators couldn't help me either. Information on a contact for the federal RADIUS servers took the staff several weeks to figure out.

    School opens Monday after summer break, so I was out of time to rebuild the cluster (which went live 3 weeks ago for the school staff), so I have chosen the dataport route. Eduroam is operational and I don't think I can get the changes done at Federal overnight.

    As said, RADIUS and portals are working fine. I just need some advice on best practice, since I need to add yet another SNMP community to all the switches so I can change the RADIUS settings in one go.

    thanks

    Erik