Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Question about ClearPass 6.X. Services tech note

  • 1.  Question about ClearPass 6.X. Services tech note

    Posted Aug 22, 2015 04:39 PM

    Hi,

    I deployed a ClearPass cluster of two nodes where the data interface sits in a public network reachable from the controller, by placing one physical port into that public network.

    The problem is that everything is going through the Data port, which has no reachability internally, and I wasn't able to get anything internal to work until I removed the data interface (temporarily).

     

    Any ideas on how to get my mgmt interface to be the default interface for traffic and not the data interface?



  • 2.  RE: Question about ClearPass 6.X. Services tech note

    EMPLOYEE
    Posted Aug 22, 2015 04:41 PM
    Use just the management interface.


    Thanks,
    Tim


  • 3.  RE: Question about ClearPass 6.X. Services tech note

    Posted Aug 22, 2015 04:43 PM

    Thanks,

    The customer requirement is to have the guest traffic isolated into its own VLAN, but now ClearPass is using that data port for everything and nothing internal is working.



  • 4.  RE: Question about ClearPass 6.X. Services tech note

    EMPLOYEE
    Posted Aug 22, 2015 04:45 PM
    Guest traffic will still be isolated, but you just allow captive portal to the management interface.


    Thanks,
    Tim


  • 5.  RE: Question about ClearPass 6.X. Services tech note

    Posted Aug 22, 2015 04:50 PM

    Still won't work.

    The guest network isn't going through any firewall.

    The controller, ClearPass and switch all have a physical connection to the service provider router and to the Internet. I made up a VLAN on the switch, VLAN 61 is made on the controller, and there is a DHCP server on the controller for guest.



  • 6.  RE: Question about ClearPass 6.X. Services tech note

    EMPLOYEE
    Posted Aug 22, 2015 04:53 PM
    Captive portal will be served up on the data interface. RADIUS will go through the management interface. Not sure I understand the issue.


    Thanks,
    Tim


  • 7.  RE: Question about ClearPass 6.X. Services tech note

    Posted Aug 22, 2015 04:56 PM

    Sorry if I'm confusing you but here is an example of an issue:

    Trying to join ClearPass to the domain, or trying to add AD as an auth source, is being done through the guest/DATA port and is going nowhere. The point is that ClearPass is trying to resolve the AD name on the DATA port and is failing because the DNS is internal and there isn't any DNS on the DATA port that can translate the AD hostname to an IP address.



  • 8.  RE: Question about ClearPass 6.X. Services tech note

    EMPLOYEE
    Posted Aug 22, 2015 04:59 PM
    Give the management interface a DNS address and remove dns from the data interface.


    Thanks,
    Tim


  • 9.  RE: Question about ClearPass 6.X. Services tech note

    Posted Aug 22, 2015 05:03 PM

    The DNS is MGMT-internal only. Even pinging the DNS IP from the CPPM CLI did not work until I removed the DATA port IP.
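The behaviour the thread describes is ordinary longest-prefix-match routing on a multi-homed host: once the DATA port carries the only default route, every destination that is not on a directly connected subnet (the internal DNS and AD servers included) leaves via DATA, regardless of which interface an admin intended to be "primary". The following added example, which is not part of the thread and not ClearPass code, simulates that route selection. The addresses (MGMT 10.10.0.0/24 with gateway 10.10.0.1, DATA 203.0.113.0/24 with gateway 203.0.113.1, an internal DNS at 10.20.0.53 on a second internal subnet) are constructed for illustration; the second table shows how a static route for the internal address space via the MGMT gateway changes the outcome. How or whether such a route is configured on a given ClearPass release is not shown in the thread and is not claimed here.

```python
import ipaddress

# Constructed sample addressing (assumption, not taken from the thread):
#   MGMT interface 10.10.0.5/24, internal gateway 10.10.0.1
#   DATA interface 203.0.113.5/24, provider gateway 203.0.113.1
#   Internal DNS/AD server 10.20.0.53 (a different internal subnet)
#   Guest client 203.0.113.200 on the public guest network


def parse_routes(entries):
    """entries: iterable of (prefix, gateway-or-None, interface)."""
    return [(ipaddress.ip_network(p), gw, iface) for p, gw, iface in entries]


def select_route(routes, dst):
    """Longest-prefix match: the most specific matching prefix wins.
    Returns (network, gateway, interface) or None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def egress_interface(routes, dst):
    """Which interface a packet to dst leaves on (None = unroutable)."""
    route = select_route(routes, dst)
    return route[2] if route else None


def report(routes, destinations):
    """Map each destination to its egress interface, for a quick sanity check."""
    return {dst: egress_interface(routes, dst) for dst in destinations}


# Table 1: as deployed in the thread. The only default route points out DATA,
# so anything not on a connected subnet is sent to the provider gateway.
AS_DEPLOYED = parse_routes([
    ("0.0.0.0/0",      "203.0.113.1", "data"),   # default via public DATA port
    ("203.0.113.0/24", None,          "data"),   # connected: guest/public
    ("10.10.0.0/24",   None,          "mgmt"),   # connected: MGMT subnet
])

# Table 2: same, plus a static route for the internal address space
# (constructed 10.0.0.0/8) via the MGMT gateway. Guest traffic is unaffected
# because 203.0.113.0/24 is still more specific than the default route.
WITH_STATIC_ROUTE = parse_routes([
    ("0.0.0.0/0",      "203.0.113.1", "data"),
    ("203.0.113.0/24", None,          "data"),
    ("10.10.0.0/24",   None,          "mgmt"),
    ("10.0.0.0/8",     "10.10.0.1",   "mgmt"),   # internal networks via MGMT
])

DESTINATIONS = ["10.20.0.53", "10.10.0.1", "203.0.113.200", "198.51.100.9"]

if __name__ == "__main__":
    print("as deployed:      ", report(AS_DEPLOYED, DESTINATIONS))
    print("with static route:", report(WITH_STATIC_ROUTE, DESTINATIONS))
```

Running the block shows the internal DNS server 10.20.0.53 reached via `data` in the first table (so the lookup dies on the public network, as the original poster saw) and via `mgmt` once the internal prefix has a more specific route; the directly connected MGMT gateway and the guest client resolve the same way in both tables.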