Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass OnGuard agent communication through Cisco wired dot1x

  • 1.  ClearPass OnGuard agent communication through Cisco wired dot1x

    Posted Oct 23, 2017 03:50 PM

    Hello,

    We have 3 ClearPass servers, and we are deploying wired dot1x with a Cisco switch.

    All workstations are out of the domain, and there are 2k end devices.

    We can't install OnGuard through GPO because they are out of the domain.

    We are redirecting them to the weblogin page to download OnGuard, and once it runs it bounces the network and rechecks whether it's healthy or not.

    We are redirecting clients to cppm1, and the end user downloads the OnGuard agent from cppm1.

    We have added all CPPM IPs in the cluster, so it has to check the available server to establish a connection for OnGuard.

    We created the access-list below on Cisco:

    deny tcp any host "cppm1 ip"
    deny tcp any host "cppm2 ip"
    deny tcp any host "cppm3 ip"
    permit tcp any any

    But on some devices it's stuck on collecting health information, and we can see the hit in Access Tracker that it's healthy, but we can bounce the network because OnGuard is stuck.

    We have enabled bounce as true on the agent profile.

    I need ClearPass to communicate through port 6658.

    How do I create an access list on Cisco for it?

    Deny or permit?

    Do I need to create an access list to permit 80, 443, 6658 going to ClearPass, or deny it?



  • 2.  RE: ClearPass OnGuard agent communication through Cisco wired dot1x

    EMPLOYEE
    Posted Oct 23, 2017 03:52 PM
    http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161

    It doesn't cover OnGuard specifically, but the captive portal logic for guest access can be used.


  • 3.  RE: ClearPass OnGuard agent communication through Cisco wired dot1x

    Posted Oct 23, 2017 05:51 PM

    I have checked the document.

    I just want you to confirm: if I permit www, 443 and 6658 ports to my CPPM address, is that going to help the OnGuard agent establish a connection with the CPPM server?



  • 4.  RE: ClearPass OnGuard agent communication through Cisco wired dot1x

    EMPLOYEE
    Posted Oct 23, 2017 05:54 PM
    Only 6658 is required for agent communication.