Getting Started Guide Dell Networking W-ClearPass Policy Manager
Copyright Information © 2014 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
Powering Up and Configuring Policy Manager Hardware
  Overview
  Server Port Overview
  Server Port Configuration
  Powering Off the System
  Resetting the Passwords to Factory Default
  Generating a Support Key for Technical Support
  A Subset of Useful CLI Commands
Accessing Policy Manager
  Accessing Help
Checking Basic Services
Use Cases
  802.
Chapter 1
Powering Up and Configuring Policy Manager Hardware

Overview

This Getting Started Guide for the Dell Networking W-ClearPass Policy Manager System (Policy Manager) describes the steps for installing the appliance using the Command Line Interface (CLI) and using the User Interface (UI) to ensure that the required services are running.

Server Port Overview

The W-ClearPass Policy Manager server requires initial port configuration. The backplane of the Policy Manager contains three ports.
Table 2: Required Information (Continued)

Requirement (record the Value for Your Installation next to each):
- Management Port Subnet Mask
- Management Port Gateway
- Data Port IP Address (optional)
  NOTE: The Data Port IP Address must not be in the same subnet as the Management Port IP Address.
- Data Port Gateway (optional)
- Data Port Subnet Mask (optional)
- Primary DNS
- Secondary DNS
- NTP Server (optional)

Perform the following steps to set up the Policy Manager appliance:
1.
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 198.168.5.3
Enter Secondary DNS: 192.168.5.1

4. Change your password
Use any string with a minimum of six characters:
New Password:************
Confirm Password: ************
From now on, you must use this password for cluster administration and management of the appliance.

5. Change the system date/time
Do you want to configure system date time information [y|n]: y
Please select the date time configuration options.
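A pre-flight check for the values collected in Table 2, added here as an example and not taken from the Dell guide: it enforces the NOTE that the Data Port must not share the Management Port subnet, and goes slightly further by flagging nested subnets and off-subnet gateways. The function name, dictionary keys and sample addresses are assumptions; only the Data Port Gateway value appears in the guide.

```python
import ipaddress

def check_port_plan(plan):
    """Return a list of problems in a planned Management/Data port setup."""
    problems = []

    def iface(prefix):
        # Build an interface from "<ip>/<mask>"; dotted-decimal masks are accepted.
        try:
            return ipaddress.ip_interface(
                f"{plan[prefix + '_ip']}/{plan[prefix + '_mask']}")
        except (KeyError, ValueError) as exc:
            problems.append(f"{prefix} port address/mask invalid: {exc}")
            return None

    def gateway_ok(prefix, port):
        gw = plan.get(prefix + "_gateway")
        if not gw or port is None:
            return
        try:
            if ipaddress.ip_address(gw) not in port.network:
                problems.append(f"{prefix} gateway {gw} is outside {port.network}")
        except ValueError as exc:
            problems.append(f"{prefix} gateway invalid: {exc}")

    mgmt = iface("mgmt")
    gateway_ok("mgmt", mgmt)
    if plan.get("data_ip"):  # the Data Port is optional
        data = iface("data")
        gateway_ok("data", data)
        # Guide's NOTE: the Data Port must not be in the Management Port subnet.
        # overlaps() also catches one subnet nested inside the other.
        if mgmt and data and data.network.overlaps(mgmt.network):
            problems.append(
                f"data subnet {data.network} overlaps management subnet {mgmt.network}")
    return problems

# Constructed sample plans (assumed values, apart from the Data Port Gateway).
GOOD_PLAN = {
    "mgmt_ip": "192.168.5.10", "mgmt_mask": "255.255.255.0",
    "mgmt_gateway": "192.168.5.1",
    "data_ip": "192.168.7.55", "data_mask": "255.255.255.0",
    "data_gateway": "192.168.7.1",
}
BAD_PLAN = dict(GOOD_PLAN, data_ip="192.168.5.55")  # lands in the management subnet

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_port_plan(plan) or "OK")
```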
Resetting the Passwords to Factory Default

To reset Administrator passwords in Policy Manager to factory defaults, you can log in to the CLI as the apprecovery user. The password to log in as the apprecovery user is dynamically generated.

Perform the following steps to generate the recovery password:
1. Connect to the Policy Manager appliance using the front serial port (using any terminal program). See "Resetting the Passwords to Factory Default" on page 8 for details.
2.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit.

5. To generate the support key, select option 2. Select 3 if you want to generate a password recovery key as well.
6. After the password recovery key is generated, email the key to Dell technical support. A unique password can now be generated by Dell technical support to log into the support shell.
Flag/Parameter Description Required. Host to be joined to the domain. [domain NETBIOS name] Optional.
Chapter 2
Accessing Policy Manager

Use Firefox 3.0 (or higher) or Internet Explorer 7.0.5 (or higher) to perform the following steps:
1. Open the administrative interface. Navigate to https://<hostname>/tips, where <hostname> is the hostname you configured during the initial configuration.
2. Enter License Key.
3. Click the Activate Now link.
4. Activate the product. If the appliance is connected to the Internet, click on the Activate Now button.
6. Change the password. Navigate to Administration > Admin Users, then use the Edit Admin User popup to change the administration password.

Accessing Help

The Policy Manager User Guide (in PDF format) is built into the help system here: https://<hostname>/tipshelp/html/en/ (where <hostname> is the hostname you configured during the initial configuration).

All Policy Manager user interface screens have context-sensitive help.
Chapter 3
Checking Basic Services

To check the status of a service, navigate to Administration > Server Manager > Server Configuration, then click on a row to select a server:
- The System tab displays server identity and connection parameters.
- The Service Control tab displays all services and their current status. If a service is stopped, you can use its Start/Stop button (toggle) to restart it.
Appendix A
Use Cases

This appendix contains several specific W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case.
- "802.1X Wireless Use Case"
- "Web Based Authentication Use Case"
- "MAC Authentication Use Case"
- "TACACS+ Use Case"
- "Single Port Use Case"

802.
column) at each step. Below the table, we call attention to any fields or functions that may not have an immediately obvious meaning.

Policy Manager ships with fourteen preconfigured Services. In this Use Case, you select a Service that supports 802.1X wireless requests.

Table 3: 802.1X - Create Service Navigation and Settings

Navigation: Create a new Service:
Settings:
- Services >
- Add Service (link) >

Navigation: Name the Service and select a preconfigured Service Type:
Settings:
- Service (tab) >
- Type (selector): 802.
Table 4: Configure Authentication Navigation and Settings

Navigation: Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager):
Settings:
- Authentication (tab) >
- Methods (Select a method from the drop-down list)
- Add >
- Sources (Select drop-down list):
  [Local User Repository] [Local SQL DB]
  [Guest User Repository] [Local SQL DB]
  [Guest Device Repository] [Local SQL DB]
  [Endpoints Repository] [Local SQL DB]
  [Onboard Devices Repository] [Local SQ
Table 5: 802.1X - Configure Authorization Navigation and Settings

Navigation / Settings:
- Configure Service level authorization source. In this use case there is nothing to configure. Click the Next button.
- Upon completion, click Next (to Role Mapping).

4. Apply a Role Mapping Policy. Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles acceptable) to the request for use by the Enforcement Policy.
Table 6: Role Mapping Navigation and Settings (Continued)

Navigation: Create rules to map client identity to a Role:
Settings:
- Mapping Rules (tab) >
- Rules Evaluation Algorithm (radio button): Select all matches >
- Add Rule (button opens popup) >
- Add Rule (button) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions to Actions (drop-down list) >
- Upon completion of each rule, click the Save button (in the Rules Editor) >
- When you are finished working in the Mapping Rules tab, click
Table 7: Posture Navigation and Settings

Navigation: Add a new Posture Server:
Setting:
- Posture (tab) >
- Add new Posture Server (button) >

Navigation: Configure Posture settings:
Setting:
- Posture Server (tab) >
- Name (freeform): PS_NPS
- Server Type (radio button): Microsoft NPS
- Default Posture Token (selector): UNKNOWN
- Next (to Primary Server)

Navigation: Configure connection settings:
Setting:
- Primary/Backup Server (tabs): Enter connection information for the RADIUS posture server.
Table 8: Enforcement Policy Navigation and Settings

Navigation: Configure the Enforcement Policy:
Setting:
- Enforcement (tab) >
- Enforcement Policy (selector): Role_Based_Allow_Access_Policy

For instructions about how to build such an Enforcement Policy, refer to "Configuring Enforcement Policies" in the W-ClearPass Policy Manager User Guide.

7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Figure 3: Flow-of-Control of Web-Based Authentication for Guests

Configuring the Service

Perform the following steps to configure Policy Manager for WebAuth-based Guest access.
1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service. Refer to your Network Access Device documentation to configure the switch such that it redirects HTTP requests to the Dell Guest Portal, which captures username and password and optionally launches an agent that returns posture data.
Table 9: Service Navigation and Settings (Continued)

Navigation: Name the Service and select a pre-configured Service Type:
Settings:
- Service (tab) >
- Type (selector): Dell Web-Based Authentication >
- Name/Description (freeform) >
- Upon completion, click Next.

3. Set up the Authentication.
a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
b. Source: Administrators typically configure Guest Users in the local Policy Manager database.
4. Configure a Posture Policy.
Table 10: Local Policy Manager Database Navigation and Settings

Navigation: Select the local Policy Manager database:
Settings:
- Authentication (tab) >
- Sources (Select drop-down list): [Local User Repository] >
- Add >
- Strip Username Rules (check box) >
- Enter an example of preceding or following separators (if any), with the phrase “user” representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
Table 11: Posture Policy Navigation and Settings (Continued)

Navigation: Name the Posture Policy and specify a general class of operating system:
Setting:
- Policy (tab) >
- Policy Name (freeform): IPP_UNIVERSAL >
- Host Operating System (radio buttons): Windows >
- When finished working in the Policy tab, click Next to open the Posture Plugins tab

Navigation: Select a Validator:
Setting:
- Posture Plugins (tab) >
- Enable Windows Health System Validator >
- Configure (button) >
Table 11: Posture Policy Navigation and Settings (Continued)

Navigation: Configure the Validator:
Setting:
- Windows System Health Validator (popup) >
- Enable all Windows operating systems (check box) >
- Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) >
- Save (button) >
- When finished working in the Posture Plugin tab, click Next (to move to the Rules tab)
Table 11: Posture Policy Navigation and Settings (Continued)

Navigation: Set rules to correlate validation results with posture tokens:
Setting:
- Rules (tab) >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) >
- In the Rules Editor, upon completion of each rule, click the Save button >
- When finished working in the Rules tab, click the Next button.
The SNMP_POLICY selected in this step provides full guest access to a Role of [Guest] with a Posture of Healthy, and limited guest access.

Table 12: Enforcement Policy Navigation and Settings

Navigation: Add a new Enforcement Policy:
Setting:
- Enforcement (tab) >
- Enforcement Policy (selector): SNMP_POLICY
- Upon completion, click Save.

6. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Figure 4: Flow-of-Control of MAC Authentication for Network Devices

Configuring the Service

Follow these steps to configure Policy Manager for MAC-based Network Device access.
1. Create a MAC Authentication Service.
Table 13: MAC Authentication Service Navigation and Settings (Continued)

Navigation: Name the Service and select a pre-configured Service Type:
Settings:
- Service (tab) >
- Type (selector): MAC Authentication >
- Name/Description (freeform) >
- Upon completion, click Next to configure Authentication

2. Set up Authentication. You can select any type of authentication/authorization source for a MAC Authentication service.
Table 15: Audit Server Navigation and Settings

Navigation: Configure the Audit Server:
Settings:
- Audit (tab) >
- Audit End Hosts (enable) >
- Audit Server (selector): NMAP
- Trigger Conditions (radio button): For MAC authentication requests
- Reauthenticate client (check box): Enable

Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request, which follo
Figure 5: Administrator connections to Network Access Devices via TACACS+

Configuring the Service

Perform the following steps to configure Policy Manager for TACACS+-based access:
1. Create a TACACS+ Service.
b. Source: For purposes of this use case, Network Access Devices authentication data will be stored in the Active Directory.

Table 18: Active Directory Navigation and Settings

Navigation: Select an Active Directory server (that you have already configured in Policy Manager):
Settings:
- Authentication (tab) >
- Add >
- Sources (Select drop-down list): AD (Active Directory) >
- Add >
- Upon completion, click Next (to Enforcement Policy)

3. Select an Enforcement Policy.
Figure 6: Flow of the Multiple Protocol Per Port Case