Creating the Azure Custom Storage Account and Virtual Appliance

Before you create your ClearPass virtual appliance (VA), you must create a custom storage account within the Azure portal. The ClearPass VA will not function correctly using a default storage account.

1. Log in to the Azure portal. If you do not have an account, you will be prompted to create one before you can log in.
2. From the Azure portal home page, select More Services.
3. In the All Services search field, enter Storage Accounts. The list of services will filter as you begin to type.
4. Select Storage Accounts.
5. Select Create storage account. The Create Storage Account window appears. Configure the storage account settings as defined in the table below, and then click Review + Create.

Table 1: Storage Account Settings

* Subscription: Select the Azure subscription you will use to manage this storage account.
  ClearPass is available in the Microsoft Azure marketplace as a virtual appliance with the Bring Your Own License (BYOL) licensing model only. ClearPass is not supported on the Microsoft Azure Cloud Solution Provider (CSP) program or any other mode.
* Resource group: Select an existing resource group to assign the storage account to that group, or click Create New to create a new resource group.
* Storage account name: Give a unique name to the storage account.
* Location: Set the location for the storage account.
* Performance: Select Standard.
* Account Kind: Retain the default StorageV2 (general-purpose V2) setting.
* Replication: Retain the default Read-access geo-redundant storage setting.
* Blob access tier: Retain the default Hot setting.

Create the ClearPass Virtual Appliance

The following procedure describes the steps to launch the ClearPass VA in Azure.

1. Log in to the Azure marketplace (https://azuremarketplace.microsoft.com/en-us) and search for Aruba ClearPass Policy Manager (CPPM) to locate the ClearPass Policy Manager virtual appliance offer.
2. Select the image.
3. Click Create. The Create a virtual machine page appears in the Azure portal with the Basics tab selected.

NOTE: When creating your virtual appliance, use the Create option only. Do not use the Start with a pre-set configuration option for creating a VA, as ClearPass does not support pre-set configurations.

Basics

On the Basics tab, configure the virtual appliance settings as described in Table 2.

Table 2: Configuring Basic Virtual Appliance Settings

Project details
* Subscription: Select the Azure portal subscription that will manage this VA.
* Resource group: Select the resource group used for your storage account for your VA.

Instance Details
* Virtual Machine name: Enter a unique name for this VA.
* Region: Choose the region in which you want to deploy the ClearPass VA.
* Availability options: Select an availability option, if desired. No infrastructure redundancy is required for the ClearPass VA.
* Image: Select the version of the ClearPass Policy Manager (CPPM) image you wish to install on the VA.
* Azure Spot Instance: Select the No option. The ClearPass VA should not operate as an Azure spot instance.
* Size: Click this drop-down menu and select one of the following recommended sizes. Each recommended size corresponds to a ClearPass hardware appliance model.
  The Standard_D2s_v3 option (2 vCPUs, 8 GiB memory) corresponds to a ClearPass C1000 appliance.
  The Standard_D4s_v3 option (4 vCPUs, 16 GiB memory) corresponds to a ClearPass C2000 or C2010 appliance.
  The Standard_D16s_v3 option (16 vCPUs, 64 GiB memory) corresponds to a ClearPass C3000 or C3010 appliance.

Administrator Account
* Authentication Type: Select the SSH public key option. Later in the VA creation process you will be prompted to generate and download an SSH key pair.
  NOTE: The Azure VA creation process requires that you create and download SSH keys, but these keys will not be used, and cannot be used to log in to ClearPass.
* Username: Enter a user name for the VA administrator.
* SSH public key source: Select Generate new key pair.
* Key pair name: Enter a name for the key pair to be used by this VA.

Inbound Port Rules
* Public Inbound Ports: Select Allow Selected Ports.
* Select inbound ports: Enable the following ports:
  * HTTPS (443)
  * SSH (22)

When you are done configuring the Basics settings, click Next: Disks.

Disks

On the Disks tab, configure the virtual appliance disk settings as described in Table 3.

Table 3: Configuring Disk Settings

Disk Options
* OS disk type: Select an OS disk type. The Standard SSD option is supported.
* Encryption type: Select the default option, Encryption at-rest with a platform-managed key.

Data Disks
* Create and Attach a New Disk: This setting is optional, as you do not need to create and attach a new disk at this time. You may choose to attach a disk when you are ready to move your VA from a test environment into production.

When you are done configuring disk settings, click Next: Networking.

Networking

On the Networking tab, configure the virtual appliance network interface as described in Table 4. Note that these settings allow you to define only one interface. Once the VA is created, you must log in to the Azure portal and create a second interface for the VA.

Table 4: Configuring the Networking Interface

* Virtual Network: Select an existing virtual network for the VA, or click Create New to create a new virtual network.
* Subnet: Select an existing subnet, or click Manage Subnet Configuration to define a new subnet.
* Public IP: Select one of the following options:
  * Select an existing public IP for the VA from the drop-down menu.
  * Select None from the drop-down menu if the VA should not use a public IP.
  * Click Create New to create a new public IP.
  NOTE: If you choose a public IP option, you can create rules to restrict access only to VPN-connected devices in a later step.
* NIC network security group: Select Basic.
* Public inbound Ports: Select Allow selected ports.
* Select inbound ports: Select HTTPS (443) and SSH (22).
* Accelerated networking: Select Off. The ClearPass VA does not support accelerated networking.
* Load Balancing: Select No. Azure load balancers are not able to load balance RADIUS requests, which would prevent ClearPass from working as expected.

When you are done configuring network interface settings, click Next: Management.

Management

On the Management tab, configure the virtual appliance management settings as described in Table 5.

Table 5: Configuring Virtual Appliance Management Settings

Monitoring
* Boot diagnostics: Select On.
* Diagnostics storage account: Select the custom storage account you created in Creating the Azure Custom Storage Account and Virtual Appliance.
  NOTE: The ClearPass VA does not support the default managed storage account, so you must create a custom storage account.

Identity
* System assigned managed identity: Select Off.
* Azure Active Directory: The default Off setting cannot be changed, as the ClearPass VA does not support Azure Active Directory.

Auto Shutdown
* Enable auto-shutdown: Select Off.
  WARNING: A ClearPass VA will not operate correctly with this setting enabled. Enabling this setting will cause regular ClearPass outages.

When you are done configuring management settings, click Next: Advanced.

Advanced

On the Advanced tab, configure the advanced virtual appliance settings as described in Table 6.

Table 6: Configuring Advanced Virtual Appliance Settings

Extensions
* Extensions: Do not select any extensions. The available extensions in this menu are Azure extensions, not ClearPass extensions. The ClearPass VA does not support any Azure extensions.

Custom Data
* Custom data: This field is optional. Custom data is supported if required by your deployment, but it is not required by the ClearPass VA.

Host
* Host group: Do not select a host group.
* Proximity placement group: Do not select a proximity placement group.
* VM generation: Select Gen 1. This is the only option supported by the ClearPass VA.

When you are done configuring advanced VA settings, click Next: Tags.

Tags

Tags are not required by the ClearPass VA. However, you can use the Tags tab to configure tags for your individual deployment, if desired.

Click Next: Review + Create to complete your VA configuration.

Review + Create

This tab displays the settings you configured in the previous tabs, the product details and pricing for the selected VA size, and Azure terms and conditions. You may be prompted to enter a contact name, email address and phone number for your VA.

1. When you have verified your settings, click Create. The Generate new key pair window appears.
2. Click Download private key and create resource.

NOTE: The Azure VA configuration process requires that you generate these keys, but these keys will not be used by your ClearPass VA, and cannot be used to log in to ClearPass.

3. After you generate the SSH key pair, the Deployment is in progress dialog appears and indicates the status of each VA resource. When each resource has been successfully created, the message Deployment Created appears.
4. Click Go to resource to open your VA in the Azure portal.
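The portal walkthrough above (Tables 1 to 6) expressed as Azure CLI commands, added here as an example; it is not part of this guide and is not Aruba tooling. Every resource name, the administrator user name, the admin CIDR, and the image URN and plan values (PUBLISHER/OFFER/SKU/VERSION) are placeholders you must replace with your own values and with the marketplace offer's real identifiers. Commands are printed rather than executed unless DRY_RUN=0 is set and the az CLI is installed.

```shell
#!/bin/sh
# Azure CLI version of the portal walkthrough (Tables 1 to 6).
# All names, the admin CIDR and the image/plan values are constructed
# placeholders (assumptions, not values from the guide); replace them.
RG="cppm-rg"
LOCATION="eastus"
STORAGE="cppmcustomstor01"          # must be globally unique and lowercase
VM="cppm-va-01"
NSG="cppm-mgmt-nsg"
ADMIN_CIDR="10.20.0.0/16"           # assumed VPN client range allowed to reach 443/22
IMAGE_URN="PUBLISHER:OFFER:SKU:VERSION"   # placeholder: take the real URN from the marketplace offer
PLAN_PUBLISHER="PUBLISHER"; PLAN_PRODUCT="OFFER"; PLAN_NAME="SKU"   # BYOL plan, placeholders

# Print every az command; execute it only when DRY_RUN=0 and az is installed.
run() {
  if [ "${DRY_RUN:-1}" = 0 ] && command -v az >/dev/null 2>&1; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Table 2: map the ClearPass hardware model to the recommended VM size.
size_for_model() {
  case "$1" in
    C1000)        echo Standard_D2s_v3 ;;
    C2000|C2010)  echo Standard_D4s_v3 ;;
    C3000|C3010)  echo Standard_D16s_v3 ;;
    *) echo "unknown ClearPass model: $1" >&2; return 1 ;;
  esac
}

# Table 1: custom storage account (Standard performance, StorageV2, RA-GRS, Hot).
create_storage_account() {
  run az storage account create --name "$STORAGE" --resource-group "$RG" \
    --location "$LOCATION" --sku Standard_RAGRS --kind StorageV2 --access-tier Hot
}

# Table 4 note: an NSG that admits HTTPS (443) and SSH (22) only from the VPN range.
create_mgmt_nsg() {
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-mgmt-from-vpn --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$ADMIN_CIDR" --destination-port-ranges 443 22
}

# Tables 2 to 6: SSH-key auth (Azure requires the key pair, but it cannot be used
# to log in to ClearPass), no spot pricing, Standard SSD, accelerated networking
# off, boot diagnostics on the custom account, no public IP. VM generation (Gen 1)
# is a property of the image and Azure extensions are simply not added.
create_vm() {
  size=$(size_for_model "$1") || return 1
  run az vm create --resource-group "$RG" --name "$VM" --location "$LOCATION" \
    --image "$IMAGE_URN" --plan-publisher "$PLAN_PUBLISHER" \
    --plan-product "$PLAN_PRODUCT" --plan-name "$PLAN_NAME" \
    --size "$size" --admin-username cppmadmin \
    --authentication-type ssh --generate-ssh-keys --priority Regular \
    --storage-sku StandardSSD_LRS --accelerated-networking false \
    --nsg "$NSG" --public-ip-address "" \
    --boot-diagnostics-storage "$STORAGE"
}

create_storage_account
create_mgmt_nsg
create_vm C1000
```

Run it once with the default dry run to review the exact commands, then with DRY_RUN=0. Keeping the management rule's source limited to the VPN range is the CLI equivalent of the Table 4 note; the second interface and the RADIUS, TACACS+ and other service ports are added afterwards, as the guide describes.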

Adding an Additional Interface to the ClearPass Virtual Appliance

1. Once your ClearPass VA is created, navigate to the Azure portal (https://portal.azure.com) and select your ClearPass VA if it is not already selected.
2. Click the Overview menu link, and select the Stop icon to stop the VA.
3. Click the Networking menu link and select Attach network interface. The Create network interface menu opens.
4. Define your network interface using the settings described in Table 7.

Table 7: Adding an Additional Interface to Your Virtual Appliance

Project details
* Subscription: Select the Azure portal subscription that will manage this VA interface.
* Resource group: Select the resource group for the VA interface.

Instance Details
* Name: Enter a unique name for this VA interface.
* Region: Choose the region in which you want to deploy the ClearPass VA.
* Virtual Network: Select the virtual network for the interface.
* Subnet: Select the subnet for your VA interface.
* Private IP address assignment: Select Dynamic.
* Network security group: Select the security group for your VA interface.

Next, you must add an inbound port rule for TCP and UDP ports to the new interface. For a list of ports commonly used by many ClearPass deployments, see Table 8. For additional information on ports for ClearPass, refer to the Firewall Ports Recommended and Required to be Open topic in the ClearPass Policy Manager 6.11 User Guide.

1. From the Azure portal, select the ClearPass VA.
2. Select the new VA interface.
3. Click the Networking menu link.
4. Select Add Inbound Port Rule.
5. In the Protocol field, select TCP, then add ports as a comma-separated list in the Destination port ranges field.
6. Select the UDP option in the Protocol field then add UDP ports as a comma-separated list in the Destination port ranges field.
7. Select the Overview menu link and click the Start icon to restart the VA.

Table 8: Ports Required for ClearPass

ClearPass Policy Manager Cluster (Subscriber-Publisher)
* TCP Port 80: HTTP (between cluster members)
* UDP Port 123: NTP (subscriber to publisher)
* TCP Port 443: HTTPS (bi-directional)
* TCP Port 4231: NetWatch (post-authentication module and the cluster member with Insight enabled)
* TCP Port 5432: PostgreSQL for DB replication (subscriber to publisher)

ClearPass Policy Manager used with ClearPass Guest
* TCP Port 80: HTTP (Endpoint --> Policy Manager)
* TCP Port 443: HTTPS (Endpoint --> Policy Manager)
* TCP/UDP Port 49: TACACS+ (NAD <--> Policy Manager)
* UDP Port 3799: RFC 3576/5176 (CoA) (NAD <--> Policy Manager)
* TCP Port 25 or 465: SMTP mail
* TCP Ports 22 and 443: SSH and HTTPS and multicast between two servers in a high availability configuration

ClearPass Policy Manager to Active Directory
* TCP/UDP Port 53: DNS from a client to domain controller and between domain controllers
* UDP Port 88: Kerberos authentication
* TCP/UDP Port 135: Operations between domain controllers and between a client and a domain controller
* UDP Port 389: LDAP to handle normal queries from client computers to the domain controllers
* TCP/UDP Port 464: Kerberos password changes
* TCP Ports 3268 and 3269: Global catalog from a client to a domain controller

ClearPass Policy Manager to OnGuard Client
* TCP Port 6658: OnGuard client to communicate with Policy Manager

Other Ports
* UDP Ports 1812, 1645: RADIUS authentication
* UDP Ports 1813, 1646: RADIUS accounting
* TCP/UDP Port 53: DNS
* TCP/UDP Port 389: LDAP
* TCP/UDP Port 636: LDAP protocol over TLS/SSL
* TCP/UDP Port 3269: Microsoft Global Catalog with LDAP/SSL
* TCP Port 2083: RadSec
* UDP Port 5432: ClearPass clustering
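The two procedures above (adding the second interface, then adding the TCP and UDP inbound port rules from Table 8) as Azure CLI commands, added here as an example; it is not part of this guide and is not Aruba tooling. The port inventory is a transcription of Table 8; resource names and the source CIDR are constructed placeholders, and the image of the VA is assumed to exist already. Commands are printed rather than executed unless DRY_RUN=0 is set and the az CLI is installed.

```shell
#!/bin/sh
# Second interface plus the inbound rules from Table 8, as Azure CLI commands.
# Names and SOURCE_CIDR are constructed placeholders (assumptions, not from the guide).
RG="cppm-rg"; VM="cppm-va-01"; LOCATION="eastus"
VNET="cppm-vnet"; SUBNET="cppm-data-subnet"
NIC="cppm-va-01-nic2"; NSG="cppm-data-nsg"
SOURCE_CIDR="10.0.0.0/8"   # assumed range of NADs, clients and servers; narrow it to your networks

# Transcription of Table 8 as "protocol port purpose" lines.
PORT_TABLE='
tcp 80 HTTP between cluster members
udp 123 NTP subscriber to publisher
tcp 443 HTTPS bi-directional
tcp 4231 NetWatch
tcp 5432 PostgreSQL DB replication
tcp 80 HTTP endpoint to Policy Manager
tcp 443 HTTPS endpoint to Policy Manager
tcp 49 TACACS+
udp 49 TACACS+
udp 3799 RFC 3576/5176 CoA
tcp 25 SMTP
tcp 465 SMTP
tcp 22 SSH between HA servers
tcp 53 DNS to domain controllers
udp 53 DNS to domain controllers
udp 88 Kerberos authentication
tcp 135 DC operations
udp 135 DC operations
udp 389 LDAP to domain controllers
tcp 464 Kerberos password changes
udp 464 Kerberos password changes
tcp 3268 Global catalog
tcp 3269 Global catalog
tcp 6658 OnGuard client
udp 1812 RADIUS authentication
udp 1645 RADIUS authentication
udp 1813 RADIUS accounting
udp 1646 RADIUS accounting
tcp 389 LDAP
udp 389 LDAP
tcp 636 LDAPS
udp 636 LDAPS
tcp 3269 Global catalog over LDAPS
udp 3269 Global catalog over LDAPS
tcp 2083 RadSec
udp 5432 ClearPass clustering
'

# Print every az command; execute it only when DRY_RUN=0 and az is installed.
run() {
  if [ "${DRY_RUN:-1}" = 0 ] && command -v az >/dev/null 2>&1; then "$@"; else printf '%s\n' "$*"; fi
}

# Deduplicated, numerically sorted, comma-separated port list for one protocol:
# the form the portal's "Destination port ranges" field expects (steps 5 and 6).
ports_for() {
  printf '%s\n' "$PORT_TABLE" | awk -v proto="$1" '$1 == proto { print $2 }' | sort -un | paste -s -d , -
}

# One NSG rule per protocol. The CLI takes the ranges space-separated, so the
# comma list is expanded (the command substitution is deliberately unquoted).
add_rule() {   # $1 = tcp|udp, $2 = rule priority
  case "$1" in tcp) proto=Tcp ;; udp) proto=Udp ;; *) return 1 ;; esac
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "allow-clearpass-$1" --priority "$2" --direction Inbound --access Allow \
    --protocol "$proto" --source-address-prefixes "$SOURCE_CIDR" \
    --destination-port-ranges $(ports_for "$1" | tr ',' ' ')
}

# Steps 1 to 7: stop the VA, build the NSG and the NIC, attach it, start the VA again.
add_data_interface() {
  run az vm deallocate --resource-group "$RG" --name "$VM"
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
  add_rule tcp 100
  add_rule udp 110
  run az network nic create --resource-group "$RG" --name "$NIC" --location "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" --network-security-group "$NSG"   # private IP stays Dynamic (Table 7)
  run az vm nic add --resource-group "$RG" --vm-name "$VM" --nics "$NIC"
  run az vm start --resource-group "$RG" --name "$VM"
}

add_data_interface
```

In a production deployment, split the single source range into one rule per peer type (RADIUS and CoA from the NADs, OnGuard from the client subnets, HTTPS from users) and drop the Table 8 entries your deployment does not use, so that the NSG admits only the traffic ClearPass actually receives on that interface.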