Getting Started Guide Dell Networking W-ClearPass Policy Manager
Copyright Information © 2014 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
Powering Up and Configuring Policy Manager Hardware 5
  Overview 5
  Server Port Overview 5
  Server Port Configuration 5
  Powering Off the System 7
  Resetting the Passwords to Factory Default 8
  Generating a Support Key for Technical Support 8
  A Subset of Useful CLI Commands 9
Accessing Policy Manager 11
  Accessing Help 12
Checking Basic Services 13
Use Cases 15
  802.1X Wireless Use Case 15
| Contents Dell Networking W-ClearPass Policy Manager | Getting Started Guide
Chapter 1 Powering Up and Configuring Policy Manager Hardware

Overview
This Getting Started Guide for the Dell Networking W-ClearPass Policy Manager System (Policy Manager) describes the steps for installing the appliance using the Command Line Interface (CLI) and for using the User Interface (UI) to verify that the required services are running.

Server Port Overview
The W-ClearPass Policy Manager server requires initial port configuration. The backplane of the Policy Manager contains three ports.
Table 2: Required Information
Requirement | Value for Your Installation
Hostname (Policy Manager server) |
Management Port IP Address |
Management Port Subnet Mask |
Management Port Gateway |
Data Port IP Address (optional) | NOTE: The Data Port IP Address must not be in the same subnet as the Management Port IP Address.
Data Port Gateway (optional) |
Data Port Subnet Mask (optional) |
Primary DNS |
Secondary DNS |
NTP Server (optional) |
Perform the following steps to set up the Policy Manager appliance:
1.
Enter Management Port Subnet Mask: 255.255.255.0
Enter Management Port Gateway: 192.168.5.1
Enter Data Port IP Address: 192.168.7.55
Enter Data Port Subnet Mask: 255.255.255.0
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 198.168.5.3
Enter Secondary DNS: 192.168.5.1
4. Change your password. Use any string with a minimum of six characters:
New Password: ************
Confirm Password: ************
From now on, you must use this new password for cluster administration and management of the appliance.
5.
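As an added example (not part of the guide), the following Python pre-flight check validates a port plan like the one entered above against the Table 2 note that the Data Port and Management Port must not share a subnet, and also confirms that each gateway lies inside its own port's subnet. The transcript does not show the Management Port IP, so 192.168.5.55 is an assumed value; check_port_plan, port_network and the dictionary layout are hypothetical names chosen for this illustration.

```python
import ipaddress

# Constructed sample modelled on the CLI transcript above. The transcript does
# not show the Management Port IP, so 192.168.5.55 is an assumed value.
SAMPLE_PORTS = {
    "management": {"ip": "192.168.5.55", "mask": "255.255.255.0", "gateway": "192.168.5.1"},
    "data":       {"ip": "192.168.7.55", "mask": "255.255.255.0", "gateway": "192.168.7.1"},
}


def port_network(port):
    """Return the IPv4 network that a port's address/mask pair belongs to."""
    return ipaddress.IPv4Interface(f"{port['ip']}/{port['mask']}").network


def check_port_plan(ports):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    networks = {}
    for name, port in ports.items():
        try:
            network = port_network(port)
            gateway = ipaddress.IPv4Address(port["gateway"])
        except ValueError as exc:
            problems.append(f"{name}: invalid address, mask or gateway ({exc})")
            continue
        # A gateway outside the port's own subnet is unreachable from that port.
        if gateway not in network:
            problems.append(f"{name}: gateway {gateway} is outside {network}")
        networks[name] = network
    # Table 2 note: the Data Port must not be in the same subnet as the Management Port.
    # The Data Port is optional, so the check only runs when both ports are present.
    if "management" in networks and "data" in networks:
        if networks["data"].overlaps(networks["management"]):
            problems.append(
                f"data port network {networks['data']} is in the same subnet as the "
                f"management port network {networks['management']}"
            )
    return problems


if __name__ == "__main__":
    for line in check_port_plan(SAMPLE_PORTS) or ["port plan is consistent"]:
        print(line)
```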
Resetting the Passwords to Factory Default
To reset the administrator password in Policy Manager to factory defaults, log in to the CLI as the apprecovery user. The password for the apprecovery user is dynamically generated. Perform the following steps to generate the recovery password:
1. Connect to the Policy Manager appliance using the front serial port (using any terminal program). See "Server Port Configuration" on page 5 for details.
2. Reboot the system using the restart command.
3.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit.
5. To generate the support key, select option 2. To generate both a support key and a password recovery key, select option 3.
6. After the password recovery key is generated, email the key to Dell technical support. Dell technical support can then generate a unique password for logging into the support shell.
Flag/Parameter | Description
 | Required. Host to be joined to the domain.
[domain NETBIOS name] | Optional.
Chapter 2 Accessing Policy Manager
Use Firefox 3.0 (or higher) or Internet Explorer 7.0.5 (or higher) to perform the following steps:
1. Open the administrative interface. Navigate to https://<hostname>/tips, where <hostname> is the hostname you configured during the initial configuration.
2. Enter the License Key.
3. Click the Activate Now link.
4. Activate the product. If the appliance is connected to the Internet, click the Activate Now button.
6. Change the password. Navigate to Administration > Admin Users, then use the Edit Admin User popup to change the administration password.

Accessing Help
The Policy Manager User Guide (in PDF format) is built into the help system at https://<hostname>/tipshelp/html/en/ (where <hostname> is the hostname you configured during the initial configuration). All Policy Manager user interface screens have context-sensitive help.
Chapter 3 Checking Basic Services
To check the status of services, navigate to Administration > Server Manager > Server Configuration, then click on a row to select a server:
• The System tab displays server identity and connection parameters.
• The Service Control tab displays all services and their current status. If a service is stopped, you can use its Start/Stop button (toggle) to restart it.
Appendix A Use Cases
This appendix contains several specific W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case.
• "802.1X Wireless Use Case" on page 15
• "Web Based Authentication Use Case" on page 22
• "MAC Authentication Use Case" on page 29
• "TACACS+ Use Case" on page 32
• "Single Port Use Case" on page 34

802.1X Wireless Use Case
column) at each step. Below the table, we call attention to any fields or functions that may not have an immediately obvious meaning. Policy Manager ships with fourteen preconfigured Services. In this Use Case, you select a Service that supports 802.1X wireless requests.
Table 3: 802.1X - Create Service Navigation and Settings
Navigation | Settings
Create a new Service: Services > • Add Service (link) | Name the Service and select a preconfigured Service Type: • Service (tab) > • Type (selector): 802.1X Wireless
Table 4: Configure Authentication Navigation and Settings
Navigation | Settings
Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager): • Authentication (tab) > • Methods (select a method from the drop-down list) • Add > • Sources (select from the drop-down list): | [Local User Repository] [Local SQL DB]; [Guest User Repository] [Local SQL DB]; [Guest Device Repository] [Local SQL DB]; [Endpoints Repository] [Local SQL DB]; [Onboard Devices Repository] [Local SQL DB]
Table 5: 802.1X - Configure Authorization Navigation and Settings
Navigation | Settings
Configure the Service level authorization source. In this use case there is nothing to configure. Click the Next button. | Upon completion, click Next (to Role Mapping).
4. Apply a Role Mapping Policy. Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles are acceptable) to the request for use by the Enforcement Policy.
Table 6: Role Mapping Navigation and Settings
Navigation | Settings
Create the new Role Mapping Policy: Roles (tab) > • Add New Role Mapping Policy (link) | Add new Roles (names only): Policy (tab) > • Policy Name (freeform): ROLE_ENGINEER > • Save (button) > • Repeat for ROLE_FINANCE > • When you are finished working in the Policy tab, click the Next button (in the Rules Editor)
Create rules to map client identity to a Role: • Mapping Rules (tab) > • Rules Evaluation Algorithm (radio button): Select a
Table 6: Role Mapping Navigation and Settings (Continued)
Navigation | Settings
Add the new Role Mapping Policy to the Service: • Back in Roles (tab) > • Role Mapping Policy (selector): RMP_DEPARTMENT > • Upon completion, click Next (to Posture)
5. Configure a Posture Server. For posture evaluation, you can configure a Posture Policy (internal to Policy Manager), a Posture Server (external), or an Audit Server (internal or external).
Table 7: Posture Navigation and Settings
Navigation | Setting
Add a new Posture Server: Posture (tab) > • Add new Posture Server (button) > | Configure Posture settings: Posture Server (tab) > • Name (freeform): PS_NPS • Server Type (radio button): Microsoft NPS • Default Posture Token (selector): UNKNOWN • Next (to Primary Server) • Configure connection settings: Primary/Backup Server (tabs): Enter connection information for the RADIUS posture server.
Table 8: Enforcement Policy Navigation and Settings
Navigation | Setting
Configure the Enforcement Policy: • Enforcement (tab) > | • Enforcement Policy (selector): Role_Based_Allow_Access_Policy
For instructions about how to build such an Enforcement Policy, refer to "Configuring Enforcement Policies" in the W-ClearPass Policy Manager User Guide.
7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Figure 3: Flow-of-Control of Web-Based Authentication for Guests

Configuring the Service
Perform the following steps to configure Policy Manager for WebAuth-based Guest access.
1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service. Refer to your Network Access Device documentation to configure the switch so that it redirects HTTP requests to the Dell Guest Portal, which captures the username and password and optionally launches an agent that returns posture data.
Table 9: Service Navigation and Settings
Navigation | Settings
Create a new Service: • Services > • Add Service > | Name the Service and select a pre-configured Service Type: • Service (tab) > • Type (selector): Dell Web-Based Authentication > • Name/Description (freeform) > • Upon completion, click Next.
3. Set up the Authentication.
a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
b.
Table 10: Local Policy Manager Database Navigation and Settings
Navigation | Settings
Select the local Policy Manager database: • Authentication (tab) > • Sources (select from the drop-down list): [Local User Repository] > • Add > | • Strip Username Rules (check box) > • Enter an example of preceding or following separators (if any), with the phrase "user" representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
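As an added example (not from the guide and not ClearPass's own code), this Python sketch shows the behaviour the Strip Username Rules field describes: an example such as user@ or DOMAIN\user names the separators, and the name returned for lookup is what lies between them, with any domain or path beyond the separators discarded. The function names, the reading of the single character adjacent to "user" as the separator, and the sample identities are assumptions made for this illustration; ClearPass's own rule syntax may differ.

```python
def compile_strip_rule(example):
    """Derive (prefix_separator, suffix_separator) from an example like 'user@' or 'DOMAIN\\user'.

    The word 'user' stands for the username to be returned. The character immediately
    before it (if any) and the character immediately after it (if any) are the separators.
    """
    idx = example.find("user")
    if idx < 0:
        raise ValueError("strip rule example must contain the word 'user'")
    prefix, suffix = example[:idx], example[idx + len("user"):]
    return (prefix[-1] if prefix else None, suffix[0] if suffix else None)


def strip_username(identity, rule):
    """Return the bare username for the given identity under a compiled rule.

    Everything up to the last prefix separator is dropped (so nested paths such as
    'a\\b\\alice' still yield 'alice'), then everything from the first suffix separator
    onward is dropped. An identity that is nothing but separators is rejected rather
    than turned into an empty lookup key.
    """
    prefix_sep, suffix_sep = rule
    username = identity
    if prefix_sep and prefix_sep in username:
        username = username.rsplit(prefix_sep, 1)[1]
    if suffix_sep and suffix_sep in username:
        username = username.split(suffix_sep, 1)[0]
    if not username:
        raise ValueError(f"stripping {identity!r} left no username")
    return username


# Constructed sample identities (not from the guide) paired with a strip-rule example.
SAMPLES = [
    ("alice@example.com", "user@"),
    ("CORP\\alice", "\\user"),
    ("CORP\\alice@example.com", "\\user@"),
    ("alice", "user@"),
]

if __name__ == "__main__":
    for identity, example in SAMPLES:
        print(f"{identity!r} with rule {example!r} -> {strip_username(identity, compile_strip_rule(example))!r}")
```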
Table 11: Posture Policy Navigation and Settings
Navigation | Setting
Create a Posture Policy: • Posture (tab) > • Enable Validation Check (check box) > • Add new Internal Policy (link) > | Name the Posture Policy and specify a general class of operating system: • Policy (tab) > • Policy Name (freeform): IPP_UNIVERSAL > • Host Operating System (radio buttons): Windows > • When finished working in the Policy tab, click Next to open the Posture Plugins tab
Select a Validator: Posture Plugins (tab) > • Enable
Table 11: Posture Policy Navigation and Settings (Continued)
Navigation | Setting
Configure the Validator: • Windows System Health Validator (popup) > • Enable all Windows operating systems (check box) > • Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) > • Save (button) > • When finished working in the Posture Plugins tab, click Next to move to the Rules tab
Table 11: Posture Policy Navigation and Settings (Continued)
Navigation | Setting
Set rules to correlate validation results with posture tokens: • Rules (tab) > • Add Rule (button opens popup) > • Rules Editor (popup) > • Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) > • In the Rules Editor, upon completion of each rule, click the Save button > • When finished working in the Rules tab, click the Next button.
The SNMP_POLICY selected in this step provides full guest access to a Role of [Guest] with a Posture of Healthy, and limited guest access.
Table 12: Enforcement Policy Navigation and Settings
Navigation | Setting
Add a new Enforcement Policy: • Enforcement (tab) > | • Enforcement Policy (selector): SNMP_POLICY • Upon completion, click Save.
6. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Figure 4: Flow-of-Control of MAC Authentication for Network Devices

Configuring the Service
Follow these steps to configure Policy Manager for MAC-based Network Device access.
1. Create a MAC Authentication Service.
Table 13: MAC Authentication Service Navigation and Settings
Navigation | Settings
Create a new Service: • Services > • Add Service (link) > | Name the Service and select a pre-configured Service Type: • Service (tab) > • Type (selector): MAC Authentication > • Name/Description (freeform) > • Upon completion, click Next to configure Authentication
2. Set up Authentication. You can select any type of authentication/authorization source for a MAC Authentication service.
This step is optional if no Role Mapping Policy is provided, or if you want to establish health or roles using an audit. An audit server determines health by performing a detailed system and vulnerability analysis (NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy Manager to determine client identity.
Figure 5: Administrator connections to Network Access Devices via TACACS+

Configuring the Service
Perform the following steps to configure Policy Manager for TACACS+-based access:
1. Create a TACACS+ Service.
b. Source: For purposes of this use case, Network Access Device authentication data will be stored in Active Directory.
Table 18: Active Directory Navigation and Settings
Navigation | Settings
Select an Active Directory server (that you have already configured in Policy Manager): • Authentication (tab) > • Add > • Sources (select from the drop-down list): AD (Active Directory) > • Add > | • Upon completion, click Next (to Enforcement Policy)
3. Select an Enforcement Policy.
Figure 6: Flow of the Multiple Protocol Per Port Case