Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Design (Management and Data Port)

  • 1.  Clearpass Design (Management and Data Port)

    Posted Jan 11, 2023 09:34 AM
    Reading guides and following discussions, I understand that best practice is to use the Management Port only. If the Data Port is introduced, then the Management Port should be used to access ClearPass, and all authentication and guest traffic should go via the Data Port.

    My current deployment is as follows: I use the Management Port to access the appliance and use it for 802.1X and MAC Auth. The clients reside in a different VLAN, so I added a static route to send the replies back the way they came.

    The Data Port is configured in the Guest VLAN and directly attached to the firewall. This is to have the guest traffic run over its own interface, physically separated from internal traffic.

    Is this setup also recommended or feasible?


  • 2.  RE: Clearpass Design (Management and Data Port)

    Posted Jan 11, 2023 09:57 AM
    Yup, this should work fine. However, I do prefer to have dedicated ClearPass subscribers in the guest DMZ. For a lot of customers it also breaks security policy to have both internal network and guest/DMZ networks terminated in the same appliance/VM unless it is a firewall, so be sure to check with your security team.

    Also be sure to configure application ACLs to block HTTPS admin access from the guest network NIC.


  • 3.  RE: Clearpass Design (Management and Data Port)

    Posted Jan 11, 2023 10:12 AM
    Thank you. To prevent guests from accessing ClearPass resources, I configured an Application Access Control on ClearPass, denying access from the Guest VLAN to the Policy Manager.
    We are also considering adding a dedicated appliance into the DMZ and using that for guest only.