
Restricting Guest users Access to Management WEBUI

  • 1.  Restricting Guest users Access to Management WEBUI

    Posted May 31, 2018 02:15 PM

    We would like to restrict guest users' access to the WEBUI. I see the ability to do this via the Network tab of each appliance via server config. However, the settings are confusing. Could someone elaborate? I need an example in order to understand. Thanks

     

    Snap1.png



  • 2.  RE: Restricting Guest users Access to Management WEBUI

    EMPLOYEE
    Posted May 31, 2018 02:31 PM
    Policy Manager is the admin UI. You can allow or deny subnets.


  • 3.  RE: Restricting Guest users Access to Management WEBUI

    Posted May 31, 2018 02:37 PM

    Thank you. Where I get confused is:

     

    I want to deny our guest IP range. So say x.x.x.x/20

     

    I select Policy Manager in the Resource field

    then I select Deny in the Access field

    then place x.x.x.x/20 in the Network field.

     

    Am I stating that I want Policy Manager access denied to x.x.x.x/20?

    or

    Policy Manager access is denied, then denied all access except x.x.x.x/20?

    Sorry if it doesn't make sense.



  • 4.  RE: Restricting Guest users Access to Management WEBUI

    EMPLOYEE
    Posted Jun 01, 2018 03:29 AM

    As the screenshot indicates, you have two options:

     

    1) Allow, then put in the subnets/IPs from which you want to allow access to the admin UI. Put your admin IP addresses in here. Access from all other IP addresses will be denied in that case, including your guest range.

    2) Deny, then put in the subnets/IPs for which you want to explicitly deny access. Everything else will be allowed.

     

    Whenever possible, I would use the Allow option and only allow access from authorized IP ranges. The guest range will be automatically denied, as will other ranges that you might not be aware of that have IP access.

     

    Please also check the other services, like Insight, and lock those down as well during the hardening process.

     

    When asking questions like these, it may be useful to get and read the ClearPass hardening guide from the ClearPass Technote section on the support website.
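
The Allow/Deny semantics described in reply 4, modelled as an added example that is not part of the thread and is not ClearPass code. The subnets, source labels and function names are constructed for illustration; it compares which sources reach the admin UI under a Deny entry for the guest range versus an Allow entry for the admin subnet.

```python
import ipaddress

# Constructed sample addressing (not from the thread).
GUEST_NET = "10.20.0.0/20"      # guest range to keep away from the admin UI
ADMIN_NET = "10.1.50.0/24"      # management workstations
PROBES = {
    "admin workstation": "10.1.50.10",
    "guest client": "10.20.7.33",
    "forgotten lab subnet": "172.16.8.5",   # a range nobody remembered to list
}

def is_permitted(access, networks, client_ip):
    """Model of one restriction entry as described in reply 4.

    access="Allow": only the listed networks may connect, all else is denied.
    access="Deny":  the listed networks are blocked, all else is allowed.
    """
    if access not in ("Allow", "Deny"):
        raise ValueError(f"unknown access mode: {access!r}")
    ip = ipaddress.ip_address(client_ip)
    # strict=True rejects entries with host bits set, e.g. 10.20.7.0/20.
    listed = any(ip in ipaddress.ip_network(n, strict=True) for n in networks)
    return listed if access == "Allow" else not listed

def reachable_sources(access, networks, probes=PROBES):
    """Return the sorted labels of probe sources that would get through."""
    return sorted(
        label for label, ip in probes.items()
        if is_permitted(access, networks, ip)
    )

if __name__ == "__main__":
    for access, nets in (("Deny", [GUEST_NET]), ("Allow", [ADMIN_NET])):
        print(f"{access} {nets}: reachable from {reachable_sources(access, nets)}")
```

With the Deny entry the guest client is blocked but the unlisted lab subnet still gets through; with the Allow entry only the admin workstation does.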