Dell Networking W-ClearPass Policy Manager 6.
Copyright Information © 2013 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
- About Dell Networking W-ClearPass Policy Manager (13)
  - Common Tasks in Policy Manager (13)
    - Importing (13)
    - Exporting (14)
- Powering Up and Configuring Policy Manager Hardware (17)
  - Server Port Overview (17)
  - Server Port Configuration (18)
  - Powering Off the System (19)
  - Resetting Passwords to Factory Default (20)
  - Generating Support Key for Technical Support (20)
- Policy Manager Dashboard (23)
- Monitoring (27)
  - Access Tracker (27)
    - Viewing Session Details (29)
  - Accounting (29)
  - OnGuard Activity (39)
  - Analysis and Tr
- Collectors
  - DHCP (66)
    - Sending DHCP Traffic to CPPM (66)
  - ClearPass Onboard (66)
  - HTTP User-Agent (66)
    - Configuration (66)
  - MAC OUI (66)
  - ActiveSync Plugin (67)
  - CPPM OnGuard (67)
  - SNMP (67)
  - 802.
- EAP-FAST (126)
- MAC-AUTH (131)
- CHAP and EAP-MD5 (132)
- Authorize (133)
- Adding and Modifying Authentication Sources (134)
  - Generic LDAP or Active Directory (135)
  - Generic SQL DB (Open Data Base Connectivity (ODBC) compliant SQL Databases) (146)
  - HTTP (149)
  - Kerberos (152)
  - Okta (154)
  - Static Host List (156)
  - Token Server (158)
- Identity: Users, Endpoints, Roles and Role Mapping (161)
  - Architecture and Flow (161)
  - Configuring a Role Mapping Policy
  - Adding and Modifying Role Mapping Policies
- Windows Security Health Validator - NAP Agent (203)
- Windows Security Health Validator - OnGuard Agent (204)
- Windows System Health Validator - NAP Agent (205)
- Windows System Health Validator - OnGuard Agent (205)
- Adding and Modifying Posture Servers (206)
  - Microsoft NPS (209)
- Audit Servers (209)
  - Architecture and Flow (209)
  - Configuring Audit Servers (210)
  - Built-In Audit Servers (211)
  - Adding Auditing to a Policy Manager Service (211)
  - Modifying Built-In Audit Servers (212)
  - Custom Audit Servers (213)
  - NESSUS Audit Server
- Administration (249)
  - Admin Users (250)
    - Add User (250)
    - Import Users (251)
    - Export Users (252)
    - Export (252)
  - Admin Privileges (252)
    - Custom Admin Privileges (252)
    - Create a Custom Admin Privilege (252)
    - Admin Privilege XML Structure (253)
    - Admin Privileges and IDs (253)
    - Sample Admin Privilege XML (255)
  - Server Configuration (256)
    - Set Date/Time (257)
    - Change Cluster Password (259)
    - Manage Policy Manager Zones (260)
    - NetEvents Targets (261)
    - Virtual IP Settings (261)
    - Make Subscriber (262)
    - Upload Nessus Plugins (263)
    - Clust
- Application Licensing (289)
  - Adding a License (290)
  - Activating an Application License (291)
  - Updating a License (291)
- SNMP Trap Receivers (292)
  - Add SNMP Trap Server (293)
  - Import SNMP Trap Server (294)
  - Export all SNMP Trap Servers (294)
  - Export a Single SNMP Trap Server (294)
- Syslog Targets
  - Add Syslog Target (295)
  - Import Syslog Target (296)
  - Export Syslog Target (296)
  - Export (297)
- Syslog Export Filters (297)
  - Add Syslog Filter (298)
  - Import Syslog Filter (299)
  - Export Syslog Filter (300)
  - Export (300)
- Messaging Setu
- Fingerprints (316)
- Attributes (317)
  - Add Attribute (318)
  - Import Attributes (319)
  - Export Attributes (320)
  - Export (320)
- Application Dictionaries (320)
  - View an application dictionary (320)
  - Delete an application dictionary (321)
- OnGuard Settings (321)
  - OnGuard Portal (323)
- Update Portal (325)
  - Install Update dialog box (327)
- Updating the Policy Manager Software (328)
  - Upgrade the Image on a Single Policy Manager Appliance (329)
  - Upgrade the Image on All Appliances (329)
- Command Line Configuration (331)
  - Available Comma
  - Service commands (341)
  - Show Commands (341): all-timezones (342), date (342), dns (342), domain (343), hostname (343), ip (343), license (343), timezone (344), version (344)
  - System commands (344): boot-image (344), gen-support-key (345), install-license (345), restart (345), shutdown (346), update (346), upgrade (346)
  - Miscellaneous Commands (347): ad auth (347), ad netjoin (348), ad netleave (348), ad testjoin (348), alias (348), backup (349), dump certchain (349), dump logs (350), dump servercert (350), exit (351), help (351)
- Namespaces (355)
- Variables (361)
- Operators (362)
- Error Codes, SNMP Traps, and System Events (365)
  - Error Codes (365)
  - SNMP Trap Details (368)
    - Example 1 (369)
    - Example 2 (369)
    - CPPM Processes and OIDs (369)
    - CPU Load Average Traps (369)
    - Disk space threshold traps (370)
    - Network interface status traps (370)
  - Important System Events (370)
    - Admin UI Events (370): Critical Events (370), Info Events (370)
    - Admin Server Events (371): Info Events (371)
    - Async Service Events (371): Info Events (371)
    - ClearPass/Domain Controller Events (371): Info Events (372)
    - Policy Server Events (373): Info Events (373)
    - RADIUS/TACACS+ Server Events (373): Critical Events (373), Info Events (373)
    - SNMP Events (373): Critical Events (373), Info Events (373)
    - Support Shell Events (373): Info Events (373)
    - System Auxiliary Service Events (373): Info Events (373)
    - System Monitor Events (374): Critical Events (374), Info Events (374)
  - Service Names (374)
- Software Copyright and License Statements (375)
  - PostgreSQL Copyright (375)
  - GNU LGPL (375)
  - GNU GPL (381)
  - Lighthttpd License (384)
  - Apache
Chapter 1: About Dell Networking W-ClearPass Policy Manager

The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control across any wired, wireless, and VPN infrastructure. Software modules for the Dell Networking W-ClearPass Policy Manager platform, such as Guest, Onboard, Profile, OnGuard, QuickConnect, and Insight, simplify and automate device configuration, provisioning, profiling, health checks, and guest access.
The file must be an XML file in the correct format. If you have exported files from different places in Policy Manager, make sure you select the correct one. The API Guide contains more information about the format and contents of these XML files.
3. If the file is password protected, enter the password (secret).
4. Click Import.

Exporting

On most pages with lists in Dell Networking W-ClearPass Policy Manager, you can export the information about one or more items.
Depending on which browser you use, the file is either saved automatically to your hard drive or you are asked to save it, and you may be asked where to save it.
Chapter 2: Powering Up and Configuring Policy Manager Hardware

The Policy Manager server requires initial port configuration. Its backplane contains three ports.

Server Port Overview

Figure 1: Policy Manager Backplane

The ports in the figure above are described in the following table:

Table 1: Device Ports (Key, Port: Description)
- A, Serial: Configures the ClearPass Policy Manager appliance initially, via a hardwired terminal.
Server Port Configuration

Before starting the installation, gather the following information that you will need, write it in the table below, and keep it for your records:

Table 2: Required Information (Requirement / Value for Your Installation)
- Hostname (Policy Manager server)
- Management Port IP Address
- Management Port Subnet Mask
- Management Port Gateway
- Data Port IP Address (optional). The Data Port IP Address must not be in the same subnet as the Management Port IP Address.
- Data Port Gateway (optional)
- Data Port
3. Configure the Appliance. Replace the bolded placeholder entries in the following illustration with your local information:

   Enter hostname: verne.xyzcompany.com
   Enter Management Port IP Address: 192.168.5.10
   Enter Management Port Subnet Mask: 255.255.255.0
   Enter Management Port Gateway: 192.168.5.1
   Enter Data Port IP Address: 192.168.7.55
   Enter Data Port Subnet Mask: 255.255.255.0
   Enter Data Port Gateway: 192.168.7.1
   Enter Primary DNS: 198.168.5.3
   Enter Secondary DNS: 192.168.5.1

4.
- Connect to the CLI from the serial console via the front serial port and enter the following:

   login: poweroff
   password: poweroff

  This procedure gracefully shuts down the appliance.

Resetting Passwords to Factory Default

Administrator passwords in Policy Manager can be reset to factory defaults by logging in to the CLI as the apprecovery user. The password for the apprecovery user is dynamically generated. Perform the following steps to generate the recovery password:
1.
4. When the system restarts, it waits at the following prompt for 10 seconds:

   Generate support keys? [y/n]:

   Enter 'y' at the prompt. The system prompts with the following choices:

   Please select a support key generation option.
   1) Generate password recovery key
   2) Generate a support key
   3) Generate password recovery and support keys
   Enter the option or press any key to quit:

5. To generate the support key, select option 2 (or option 3 if you also want to generate a password recovery key).
6.
Chapter 3: Policy Manager Dashboard

The Policy Manager Dashboard menu displays system health and other request-related statistics. Policy Manager comes preconfigured with different dashboard elements. The screen to the right of the dashboard menu is partitioned into five fixed slots; you can drag and drop any of the dashboard elements into these slots. The dashboard elements are listed below:
- This shows a graph of all requests processed by Policy Manager over the past week.
- This chart shows a graph of all profiled devices categorized into the built-in categories: Smartdevices, Access Points, Computer, VOIP phone, Datacenter Appliance, Printer, Physical Security, Game Console, Routers, Unknown, and Conflict. Unknown devices are devices that the profiler was not able to profile. Conflict indicates a conflict in the categorization of the device.
- Quick Links shows links to common configuration tasks:
  - Start Configuring Policies links to the Start Here page under the Configuration menu. Start configuring Policy Manager Services from here.
  - Manage Services links to the Services page under the Configuration menu, which shows a list of configured services.
  - Access Tracker links to the Access Tracker screen under the Reporting & Monitoring menu.
  - Analysis & Trending links to the Analysis & Trending screen under the Reporting & Monitoring menu.
Chapter 4: Monitoring

The Policy Manager Monitoring menu provides the following interfaces:
- Live Monitoring
  - "Access Tracker" on page 27
  - "Accounting" on page 29
  - "OnGuard Activity" on page 39
  - "Analysis and Trending" on page 41
  - "Endpoint Profiler" on page 41
  - "System Monitor" on page 42
- "Audit Viewer" on page 44
- "Event Viewer" on page 47
- "Data Filters" on page 48

Access Tracker

The Access Tracker provides a real-time display of system activity, with optional auto-refr
Table (Container: Description)
- Select Server: Server in the Policy Manager cluster.
- Auto Refresh: Click to toggle On/Off.
- Select Filter: Select a filter to constrain the data display.
- Modify: Modify the currently displayed data filter.
- Add: Go to the Data Filters page to create a new data filter.
- Select Date Range: Select the number of days prior to the configured date for which Access Tracker data is to be displayed. The valid range is 1 day to a week.
- Show Latest: Sets the date chosen in the previous step to Today.
Viewing Session Details

To view details for a session, click the row containing the entry. Policy Manager divides the view into multiple tabs; depending on the type of authentication (RADIUS, WebAuth, TACACS, Application), different tabs are displayed.
- Summary: This tab shows a summary view of the transaction, including the policies applied.
RADIUS/TACACS+ accounting records), at: Monitoring > Live Monitoring > Accounting.

Figure 3: Accounting (Edit Mode)

Table 7: Accounting (Container: Description)
- Select Server: Select the server for which to display dashboard data.
- Select Filter: Select a filter to constrain the data display.
- Modify: Modify the currently displayed data filter.
- Add: Go to the Data Filters page to create a new data filter.
Figure 4: RADIUS Accounting Record Details (Summary tab)

Figure 5: RADIUS Accounting Record Details (Auth Sessions tab)

Figure 6: RADIUS Accounting Record Details (Utilization tab)
Figure 7: RADIUS Accounting Record Details (Details tab)

Table 8: RADIUS Accounting Record Details (Tab; Container: Description)
Summary tab:
- Session ID: Policy Manager session identifier (you can correlate this record with a record in Access Tracker).
- Account Session ID: A unique ID for this accounting record.
- Start and End Timestamp: Start and end time of the session.
- Status: Current connection status of the session.
- Username: Username associated with this record.
- Termination Cause: The reason for termin
Table 8 (continued), Auth Sessions and Utilization tabs:
- NAS IP Address: IP address of the network device.
- NAS Port Type: The access method, for example Ethernet or 802.11 Wireless.
- Calling Station ID: In most use cases supported by Policy Manager, this is the MAC address of the client.
- Called Station ID: MAC address of the network device.
- Framed IP Address: IP address of the client (if available).
- Account Auth: Type of authentication; in this case, RADIUS.
Figure 8: TACACS+ Accounting Record Details (Request tab)

Figure 9: TACACS+ Accounting Record Details (Auth Sessions tab)
Figure 10: TACACS+ Accounting Record Details (Details tab)

Table 9: TACACS+ Accounting Record Details (Tab; Container: Description)
Request tab:
- Session ID: Unique ID associated with a request.
- User Session ID: A session ID that correlates authentication, authorization, and accounting records.
- Start and End Timestamp: Start and end time of the session.
- Username: Username associated with this record.
- Client IP: The IP address and tty of the device interface.
- Remote IP: IP address from which the Admin is logged i
Table 9 (continued):
- Authentication Type: Identifies the authentication type used for the access.
- Authentication Service: Identifies the authentication service used for the access.
Table (continued), Container: Description
- SNMP traps (link up and/or MAC notification) have to be enabled on the switch port.
- In order to specify the IP address of the endpoint to bounce, the DHCP snooper service on Policy Manager must receive DHCP packets from the endpoint. Refer to your network device documentation to find out how to configure the IP helper address.
- Broadcast Message: Send a message to all active endpoints.
- Send Message: Send a message to the selected endpoints.
Analysis and Trending

Monitoring > Live Monitoring > Analysis & Trending

The Analysis and Trending page displays the quantity of requests (monthly, bi-weekly, weekly, daily, 12-hourly, 6-hourly, 3-hourly, or hourly) for the subset of components included in the selected filters. The data can be aggregated by minute, hour, day, or week. The summary table at the bottom shows the per-filter count for the aggregated data. Each bar in the bar graph (one bar per filter) is clickable.
Figure 13: Endpoint Profiler

You can view endpoint details for a specific device by clicking the device in the table below the graphs. Click the Cancel button to return to the Endpoint Profiler page.

Figure 14: Endpoint Profiler Details

System Monitor

The System Monitor is available by navigating to Monitoring > Live Monitoring > System Monitor.
- Select Server: Select a node from the cluster for which data is to be displayed.
Figure 15: System Monitor Graphs

- Process Monitor: For the selected server and process, provides critical usage statistics, including CPU, Virtual Memory, and Main Memory. Use Select Process to select the process for which you want to see the usage statistics.
Figure 16: Process Monitor Graphs

Audit Viewer

The Audit Viewer display provides a dynamic report of Actions, filterable by Action, Name and Category (of policy component), and User, at: Monitoring > Audit Viewer.
Figure 17: Audit Viewer

Table 11: Audit Viewer (Container: Description)
- Select Filter: Select the filter by which to constrain the display of audit data.
- Show records: Show 10, 20, 50, or 100 rows. Once selected, this setting is saved and available in subsequent logins.

Click any row to display the corresponding Audit Row Details:
- For Add Actions, a single popup displays, containing the new data.
Figure 19: Audit Row Details (Old Data tab)

Figure 20: Audit Row Details (New Data tab)
Figure 21: Audit Row Details (Inline Difference tab)

- For Remove Actions, a popup displays the removed data.

Event Viewer

The Event Viewer display provides a dynamic report of system-level (not request-related) Events, filterable by Source, Level, Category, and Action, at: Monitoring > Event Viewer.

Figure 22: Event Viewer

Table 12: Event Viewer (Container: Description)
- Select Server: Select the server for which to display accounting data.
Click any row to display the corresponding System Event Details.

Figure 23: System Event Details

Data Filters

The Data Filters provide a way to filter data (limit the number of rows shown by defining custom criteria or rules) in the "Access Tracker" on page 27, "Syslog Export Filters" on page 297, "Analysis and Trending" on page 41, and "Accounting" on page 29 components of Policy Manager. It is available at: Monitoring > Data Filters.
- RADIUS Requests: All RADIUS requests.
- Successful Requests: All authentication requests that were successful.
- TACACS Requests: All TACACS requests.
- Unhealthy Requests: All requests that were not deemed healthy per policy.
- WebAuth Requests: All Web Authentication requests (requests originated from the Dell Guest Portal).

Table 13: Data Filters (Container: Description)
- Add Filter: Click to open the Add Filter wizard.
- Import Filters: Click to open the Import Filters popup.
Table (continued), Container: Description
- Configuration Type: Choose one of the following configuration types:
  - Specify Custom SQL: Selecting this option allows you to specify a custom SQL entry for the filter. If this is specified, the Rules tab disappears and a SQL template displays in the Custom SQL field. NOTE: Selecting this option is not recommended. Users who need to utilize it should contact Support.
- Custom SQL
Figure 27: Add Filter (Rules tab) - Rules Editor

Table 16: Add Filter (Rules tab) - Rules Editor (Container: Description)
- Matches: ANY matches one of the configured conditions; ALL matches all of the configured conditions.
- Type: This indicates the namespace for the attribute.
Chapter 5: Policy Manager Policy Model

From the point of view of network devices or other entities that need authentication and authorization services, Policy Manager appears as a RADIUS, TACACS+, or HTTP/S-based authentication server; however, its rich and extensible policy model allows it to broker security functions across a range of existing network infrastructure, identity stores, health/posture services, and client technologies within the enterprise.
Figure 28: Generic Policy Manager Service Flow of Control

Table 17: Policy Manager Service Components (Component; Service:component ratio; Description)
- A, Authentication Method (zero or more per service): EAP or non-EAP method for client authentication. Policy Manager supports four broad classes of authentication methods:
  - EAP, tunneled: PEAP, EAP-FAST, or EAP-TTLS.
  - EAP, non-tunneled: EAP-TLS or EAP-MD5.
  - Non-EAP, non-tunneled: CHAP, MS-CHAP, PAP, or [MAC AUTH].
Table 17 (continued):
  - any LDAP-compliant directory
  - RSA or other RADIUS-based token servers
  - SQL database, including the local user store
  - Static Host Lists, in the case of MAC-based Authentication of managed devices
- C, Authorization Source (one or more per Authentication Source and zero or more per service): An Authorization Source collects attributes for use in Role Mapping Rules. You specify the attributes you want to collect when you configure the authentication source.
- View and manipulate the list of current services. In the menu panel, click Services to view a list of services that you can filter by phrase or sort by order.

Figure 29: List of services with sorting tool

- Drill down to view details for an individual service. In the Services page, click the name of a Service to display its details.
  In the Services page, click Add a Service, then follow the configuration wizard from component to component by clicking Next as you complete each tab.
- Remove a service. In the Services page, select the check box for a service, then click the Delete button. You can also disable or enable a service from the service detail page by clicking Disable/Enable (lower right of the page).
Table (continued): Policy Component; Configuration Instructions; Illustrative Use Cases
- ... authentication sources would also be fine.
- Role Mapping: "802.1x Wireless Use Case" on page 71 has an explicit Role Mapping Policy that tests request attributes against a set of rules to assign a role.
- Role Mapping: Given the service name (and associated role mapping policy), the authentication source, and the user name, the role mapping simulation maps the user into a role or set of roles. You can also use the role mapping simulation to test whether the specified authentication source is reachable.
- Posture Validation: A posture validation simulation allows you to specify a set of posture attributes in the posture namespace and test the posture status of the request.
Add Simulation Test

Navigate to Configuration > Policy Simulation and click the Add Simulation link. Depending on the simulation type selected, the contents of the Simulation tab change.

Table 20: Add Policy Simulation (Simulation Tab) (Container: Description)
- Name/Description: Specify name and description (freeform).
- Type: Service Categorization.
  - Input (Simulation tab): Select Date and Time.
Table 20 (continued):
- Type: Audit.
  - Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces relevant to posture evaluation (posture dictionaries) are loaded in the attributes editor.
  - Returns (Results tab): System Posture Status and Status Messages.
Table 20 (continued):
  ... source. For an example of enabling attributes as a role, refer to "Generic LDAP or Active Directory" on page 135.
- Type: Chained Simulations.
  - Input (Simulation tab): Select Service, Authentication Source, User Name, and Date/Time.
  - Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces that are relevant in the Role Mapping Policy context are loaded in the attributes editor.
Figure 33: Add Simulation (Attributes Tab)

In the Results tab, Policy Manager displays the outcome of applying the test request parameters against the specified policy component(s). What is shown in the Results tab again depends on the type of simulation.

Figure 34: Add Simulation (Results Tab)

Importing and Exporting Simulations

Import Simulations

Navigate to Configuration > Policy Simulation and select the Import Simulations link.
Figure 35: Import Simulations

Table 21: Import Simulations (Container: Description)
- Select file: Browse to select the simulations import file.
- Import/Cancel: Import to commit or Cancel to dismiss the popup.

Export Simulations

Navigate to Configuration > Policy Simulation and select the Export Simulations link. This task exports all simulations. Your browser displays its normal Save As dialog, in which you enter the name of the XML file to contain the export.
Chapter 6: ClearPass Policy Manager Profile

Profile is a ClearPass Policy Manager module that automatically classifies endpoints using attributes obtained from software components called Collectors. It can be used to implement "Bring Your Own Device" (BYOD) flows, where access has to be controlled based on the type of the device and the identity of the user.
- CPPM OnGuard
- SNMP
- Subnet Scanner

DHCP

DHCP attributes such as option 55 (parameter request list), option 60 (vendor class), and the options list from DISCOVER and REQUEST packets can uniquely fingerprint most devices that use DHCP to acquire an IP address on the network. Switches and controllers can be configured to forward DHCP packets such as DISCOVER, REQUEST, and INFORM to CPPM. CPPM decodes these packets to arrive at the device category, family, and name.
Motorola® Android, etc. MAC OUI is also useful for profiling devices such as printers, which may be configured with static IP addresses.

ActiveSync Plugin

The ActiveSync plugin is software that is installed on Microsoft Exchange servers. When a device communicates with the Exchange server using the ActiveSync protocol, it provides attributes such as device-type and user-agent. These attributes are collected by the plugin software and sent to the CPPM profiler. The profiler uses dictionaries to derive profiles from these attributes.
Figure 36: SNMP Read/Write Settings Tabs

In large or geographically spread cluster deployments you do not want all CPPM nodes to probe all SNMP-configured devices. The default behaviour is for a CPPM node in the cluster to read network device information only for devices configured to send traps to that CPPM node.

Subnet Scan

A network subnet scan is used to discover IP addresses of devices in the network.
- HTTP User-Agent
- SNMP
- DHCP
- MAC OUI

Stage 2

CPPM comes with a built-in set of rules that evaluate to a device profile. The rules engine uses all input attributes and device profiles from Stage 1. The rule evaluation may or may not result in a profile; Stage 2 is intended to refine the results of profiling.

Example

With DHCP options, Stage 1 can identify that a device is Android.
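The two-stage flow described in the DHCP section and here can be made concrete with a small profiler. The following is an added example written for this page, not ClearPass code: it parses a raw DHCP DISCOVER/REQUEST/INFORM payload, fingerprints it in Stage 1 on option 55 (parameter request list) and option 60 (vendor class), and refines the result in Stage 2 with the client's MAC OUI. The fingerprint table, OUI table, refinement rules, and the packets built by `build_discover` are all constructed for illustration and are not CPPM's real dictionaries. The parser rejects malformed or truncated packets rather than guessing, because a collector that accepts untrusted network input should fail closed.

```python
"""Added example (not ClearPass code): two-stage endpoint profiling from DHCP + MAC OUI.
Stage 1 fingerprints DHCP option 55/60; Stage 2 refines with the MAC OUI.
All dictionaries below are constructed for illustration."""

DHCP_MAGIC = b"\x63\x82\x53\x63"        # BOOTP vendor magic cookie that starts the options
USEFUL_MSG_TYPES = {1, 3, 8}             # option 53: DISCOVER, REQUEST, INFORM

# Stage-1 dictionary (constructed): (option-55 tuple, option-60 prefix or None) -> profile
DHCP_FINGERPRINTS = {
    ((1, 3, 6, 15, 26, 28, 51, 58, 59, 43), "dhcpcd"): ("SmartDevice", "Android", "Generic Android"),
    ((1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43), "MSFT 5.0"): ("Computer", "Windows", "Windows 7"),
    ((1, 3, 6, 15, 119, 252), None): ("SmartDevice", "Apple iOS", "iPhone/iPad"),
}

# Stage-2 inputs (constructed): OUI -> vendor, and (family, vendor) -> refined device name
OUI_VENDORS = {"00:23:76": "HTC", "00:1a:11": "Google"}
STAGE2_RULES = {("Android", "HTC"): "HTC Android", ("Android", "Google"): "Google Android"}

UNKNOWN = ("Unknown", "Unknown", "Unknown")


def parse_dhcp(packet: bytes):
    """Return (client MAC, {option code: value}) from a BOOTP/DHCP UDP payload.
    Raises ValueError on anything malformed so a bad packet cannot produce a profile."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    if packet[2] != 6:                              # hlen: only Ethernet addresses handled here
        raise ValueError("unsupported hardware address length %d" % packet[2])
    mac = ":".join("%02x" % b for b in packet[28:34])   # chaddr field
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                               # pad octet
            i += 1
            continue
        if code == 255:                             # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return mac, options


def stage1_dhcp(options):
    """Exact match on option 55, prefix match on option 60; None when nothing matches."""
    msg_type = options.get(53)
    if not msg_type or msg_type[0] not in USEFUL_MSG_TYPES:
        return None
    prl = tuple(options.get(55, b""))
    vendor = options.get(60, b"").decode("ascii", "replace")
    for (fp_prl, fp_vendor), profile in DHCP_FINGERPRINTS.items():
        if prl == fp_prl and (fp_vendor is None or vendor.startswith(fp_vendor)):
            return profile
    return None


def stage2_refine(profile, mac):
    """Refine a Stage-1 profile with the MAC OUI; unchanged when no rule applies."""
    if profile is None:
        return None
    vendor = OUI_VENDORS.get(mac[:8])
    name = STAGE2_RULES.get((profile[1], vendor))
    return (profile[0], profile[1], name) if name else profile


def profile_packet(packet: bytes):
    """Full pipeline: parse, Stage 1, Stage 2; Unknown when nothing matched."""
    mac, options = parse_dhcp(packet)
    return stage2_refine(stage1_dhcp(options), mac) or UNKNOWN


def build_discover(mac: bytes, prl, vendor_class=None, msg_type=1) -> bytes:
    """Constructed test packet (BOOTP header + options), not a capture."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6        # op=BOOTREQUEST, htype=Ethernet, hlen=6
    header[28:34] = mac
    opts = bytes([53, 1, msg_type, 55, len(prl)]) + bytes(prl)
    if vendor_class:
        vc = vendor_class.encode()
        opts += bytes([60, len(vc)]) + vc
    return bytes(header) + DHCP_MAGIC + opts + b"\xff"


if __name__ == "__main__":
    android = build_discover(bytes.fromhex("002376aabbcc"),
                             (1, 3, 6, 15, 26, 28, 51, 58, 59, 43), "dhcpcd-5.5.6")
    print(profile_packet(android))   # ('SmartDevice', 'Android', 'HTC Android')
```

Stage 1 alone yields "Generic Android" for the constructed packet; Stage 2 narrows it to "HTC Android" only because the OUI rule agrees with the Stage-1 family, which is the refine-but-never-contradict behaviour the chapter describes. OFFER/ACK packets and anything the parser cannot fully decode come out as Unknown.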
Live Monitoring > Endpoint Profiler page shows detailed device distribution information along with a list of endpoints. From this page, you can also search for endpoint profiles based on category, family, name, etc. Refer to Endpoint Profiler for more information.
Chapter 7: 802.1x Wireless Use Case

The basic Policy Manager Use Case configures a Policy Manager Service to identify and evaluate an 802.1X request from a user logging in to a Wireless Access Device. The following image illustrates the flow of control for this Service.

Figure 39: Flow of Control, Basic 802.1X Configuration Use Case

Configuring the Service

Follow the steps below to configure this basic 802.1X service:
1.
Policy Manager ships with fourteen preconfigured Services. In this Use Case, you select a Service that supports 802.1X wireless requests.

Table 22: 802.1X - Create Service Navigation and Settings
- Create a new Service: Services > Add Service (link) >
- Name the Service and select a preconfigured Service Type: Service (tab) > Type (selector): 802.
Table (continued), Navigation and Settings:
- [Guest Device Repository] [Local SQL DB], [Endpoints Repository] [Local SQL DB], [Onboard Devices Repository] [Local SQL DB] > [Admin User Repository] [Local SQL DB] > AmigoPod AD [Active Directory] > Add > Upon completion, Next (to configure Authorization)
  The following field deserves special mention:
  - Strip Username Rules: Optionally, check here to pre-process the user name (to remove prefixes and suffixes) before sending it to the authentication source.
Table 25: Role Mapping Navigation and Settings
- Create the new Role Mapping Policy: Roles (tab) > Add New Role Mapping Policy (link) >
- Add new Roles (names only): Policy (tab) > Policy Name (freeform): ROLE_ENGINEER > Save (button) > Repeat for ROLE_FINANCE > When you are finished working in the Policy tab, click the Next button (in the Rules Editor)
- Create rules to map client identity to a Role: Mapping Rules (tab) > Rules Evaluation Algorithm (radio button): Select a
(external), or an Audit Server (internal or external). Each of the first three use cases demonstrates one of these options; here, the Posture Server. Policy Manager can be configured for a third-party posture server to evaluate client health based on vendor-specific credentials, typically credentials that cannot be evaluated internally by Policy Manager (that is, not in the form of internal posture policies). Currently, Policy Manager supports the following posture server interface: Microsoft NPS (RADIUS).
Table 27: Enforcement Policy Navigation and Settings
- Configure the Enforcement Policy: Enforcement (tab) > Enforcement Policy (selector): Role_Based_Allow_Access_Policy
- For instructions about how to build such an Enforcement Policy, refer to .
7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Chapter 8: Web-Based Authentication Use Case

This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service.

Figure 40: Flow-of-Control of Web-Based Authentication for Guests

Configuring the Service

Perform the following steps to configure Policy Manager for WebAuth-based Guest access.
1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service.
2. Create a WebAuth-based Service.

Table 28: Service Navigation and Settings
- Create a new Service: Services > Add Service >
- Name the Service and select a preconfigured Service Type: Service (tab) > Type (selector): Dell Web-Based Authentication > Name/Description (freeform) > Upon completion, click Next.

3. Set up the Authentication.
   a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
   b.
Table 30: Posture Policy Navigation and Settings
- Create a Posture Policy: Posture (tab) > Enable Validation Check (check box) > Add new Internal Policy (link) >
- Name the Posture Policy and specify a general class of operating system: Policy (tab) > Policy Name (freeform): IPP_UNIVERSAL > Host Operating System (radio buttons): Windows > When finished working in the Policy tab, click Next to open the Posture Plugins tab
- Select a Validator: Posture Plugins (tab) > Enable
Table 30 (continued):
- ... 2003 (check boxes) > Save (button) > When finished working in the Posture Plugins tab, click Next to move to the Rules tab
- Set rules to correlate validation results with posture tokens: Rules (tab) > Add Rule (button opens popup) > Rules Editor (popup) > Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) > In the Rules Editor, upon completion of each rule, click the Save button > When finished working in the Rules tab,
Table 31: Enforcement Policy Navigation and Settings
- Add a new Enforcement Policy: Enforcement (tab) > Enforcement Policy (selector): SNMP_POLICY > Upon completion, click Save.

6. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Chapter 9: MAC Authentication Use Case

This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request.
1. Create a MAC Authentication Service.

Table 32: MAC Authentication Service Navigation and Settings
- Create a new Service: Services > Add Service (link) >
- Name the Service and select a preconfigured Service Type: Service (tab) > Type (selector): MAC Authentication > Name/Description (freeform) > Upon completion, click Next to configure Authentication

2.
Table 34: Audit Server Navigation and Settings Navigation Settings Configure the Audit Server: Audit (tab) > l Audit End Hosts (enable) > l Audit Server (selector): NMAP l Trigger Conditions (radio button): For MAC authentication requests l Reauthenticate client (check box): Enable l Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request, which follo
Chapter 10 TACACS+ Use Case
This Service supports Administrator connections to Network Access Devices via TACACS+. The following image illustrates the overall flow of control for this Policy Manager Service.
Figure 42: Administrator connections to Network Access Devices via TACACS+
Configuring the Service
Perform the following steps to configure Policy Manager for TACACS+-based access:
1. Create a TACACS+ Service.
Table 36: TACACS+ Navigation and Settings
Navigation / Settings
Create a new Service: Services >
- Add Service (link) >
- Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): [Policy Manager Admin Network Login Service] >
- Name/Description (freeform) >
- Upon completion, click Next (to Authentication)
2. Set up the Authentication
a. Method: The Policy Manager TACACS+ service authenticates TACACS+ requests internally.
b.
Click Save. The Service now appears at the bottom of the Services list.
Chapter 11 Single Port Use Case
This Service supports all three types of connections on a single port. The following figure illustrates the overall flow of control for this hybrid service, in which complementary switch and Policy Manager configurations allow all three types of connections on a single port:
Figure 43: Flow of the Multiple Protocol Per Port Case
Chapter 12 Services
The Policy Manager policy model groups policy components that serve a particular type of request into Services, which sit at the top of the policy hierarchy. Dell offers the following default services:
- 802.1X Wireless
- 802.1X Wired
- MAC Authentication
- Web-based Authentication
- Web-based Health Check Only
- Web-based Open Network Access
- 802.1X Wireless - Identity Only
- 802.
- The matching Service coordinates execution of its policy components.
- Those policy components process the request to return Enforcement Profiles to the network access device and, optionally, posture results to the client.
Figure 45: Service Wizard with Clickable Flow
The rest of the service configuration flow is as described in Policy Manager Service Types.
Policy Manager Service Types
The following service types come preconfigured on Policy Manager:
Table 39: Policy Manager Service Types
Service Type / Description
802.1X Wireless: Template for wireless hosts connecting through a Dell W-Series 802.11 wireless access device or controller, with authentication via IEEE 802.1X. Service rules are customized for a typical Dell W-Series Mobility Controller deployment. Refer to the "802.1X Wireless" on page 96 service type for a description of the different tabs.
To associate a role mapping policy with this service, click on the Roles tab. For information on configuring role mapping policies, refer to "Configuring a Role Mapping Policy" on page 162. By default, this type of service does not have Posture checking enabled. To enable posture checking for this service, select the Posture Compliance check box on the Service tab.
Do SNMP bounce: This option bounces the switch port or forces an 802.1X reauthentication (both done via SNMP). NOTE: Bouncing the port triggers a new 802.1X/MAC authentication request by the client. If the audit server already has the posture token and attributes associated with this client in its cache, it returns the token and the attributes to Policy Manager.
You can enable posture checking for this kind of service if you are deploying Policy Manager in a Microsoft NAP or Cisco NAC framework environment, or if you are deploying a Dell hosted captive portal that does posture checks through a dissolvable agent. You can also choose to Enable auto-remediation of non-compliant end-hosts and enter the Remediation URL of a server resource that can perform remediation action (when a client is quarantined).
802.1X Wired: For clients connecting through an Ethernet LAN, with authentication via IEEE 802.1X. Except for the service rules shown above, configuration for the rest of the tabs is similar to the 802.1X Wireless Service. NOTE: If you want to administer the same set of policies for wired and wireless access, you can combine the service rules to define one single service.
NOTE: You cannot configure Posture for this type of service. Audit can optionally be enabled for this type of service by checking the Audit End-hosts check box on the Service tab. You can perform the audit For known end-hosts only, For unknown end hosts only, or For all end hosts. Known end hosts are defined as those clients that are found in the authentication source(s) associated with this service.
Note that when you configure posture policies, only those that are configured for the OnGuard Agent are shown in the list of posture policies. Refer to the "802.1X Wireless" on page 96 service type for a description of the other tabs. This type of service is the same as the Web-based Authentication service, except that no authentication is performed; only health checking is done.
RADIUS Enforcement [Generic]: NOTE: No default rule is associated with this service type. Rules can be added to handle any type of standard or vendor-specific RADIUS attributes (any attribute that is loaded through the prepackaged vendor-specific or standard RADIUS dictionaries, or through other dictionaries imported into Policy Manager). You can click on the Authorization, Posture Compliance, Audit End-hosts and Profile Endpoints options to enable additional tabs. Refer to the "802.
TACACS+ Enforcement: Template for any kind of TACACS+ request. NOTE: No default rule is associated with this service type. Rules can be added to filter the request based on the Date and Connection namespaces. See "Rules Editing and Namespaces" on page 355 for more information. TACACS+ users can be authenticated against any of the supported authentication source types: Local DB, SQL DB, Active Directory, LDAP Directory or Token Servers with a RADIUS interface.
By default, this service uses the Authentication Method [PAP]. You can click on the Authorization and Audit End-hosts options to enable additional tabs. Refer to the "802.1X Wireless" on page 96 service type for a description of these tabs.
Services
You can use these service types as configured, or you can edit their settings.
Figure 46: Service Listing Page
The Services page includes the following fields.
Label / Description
Export: Export the selected services
Delete: Delete the selected services
For additional information, refer to the following sections:
- "Adding Services" on page 106
- "Modifying Services" on page 108
- "Reordering Services" on page 110
Adding Services
From the Services page (Configuration > Services) or from the Start Here page (Configuration > Start Here), you can create a new service using the Add Service option.
Policy Manager distinguishes vendor-specific RADIUS namespaces with the notation RADIUS:vendor (sometimes with an additional suffix for a particular device). To add a dictionary for a vendor-specific RADIUS namespace, navigate to Administration > Dictionaries > Radius > Import Dictionary (link). The notation RADIUS:IETF refers to the RADIUS attributes defined in RFC 2865 and associated RFCs. As the name suggests, the RADIUS namespace is only available when the request type is RADIUS.
A way for Policy Manager to re-apply policies on the network device after the audit. This can be accomplished in one of the following ways:
- No Action: The audit will not apply policies on the network device after this audit.
- Do SNMP bounce: This option bounces the switch port or forces an 802.1X reauthentication (both done via SNMP). NOTE: Bouncing the port triggers a new 802.1X/MAC authentication request by the client.
Figure 49: Services Configuration
The following fields are available on the Service tab.
Table 42: Service Page (General Parameters)
Label / Description
Name: Enter or modify the label for a service.
Description: Enter or modify the service description (optional).
Type: This is a non-editable label that shows the type of service as it was originally configured.
Status: This non-editable label indicates whether the service is enabled or disabled.
controller ID.
- Date: Time-of-Day, Day-of-Week, or Date-of-Year
- Endpoint: Filter based on endpoint information, such as enabled/disabled, device, OS, location, and more.
Figure 51: Reordering Services
Table 44: Reordering Services
Label / Description
Move Up/Move Down: Select a service from the list and move it up or down
Save: Save the reorder operation
Cancel: Cancel the reorder operation
Chapter 13 Authentication and Authorization As the first step in Service-based processing, Policy Manager uses an Authentication Method to authenticate the user or device against an Authentication Source. Once the user or device is authenticated, Policy Manager fetches attributes for role mapping policies from the Authorization Sources associated with this Authentication Source.
Figure 52: Authentication and Authorization Flow of Control
Configuring Authentication Components
The following summarizes the methods for configuring authentication:
- For an existing Service, you can add or modify the authentication method or source by opening the Service (Configuration > Services, then select), then opening the Authentication tab.
- For a new Service, the Policy Manager wizard automatically opens the Authentication tab for configuration.
Figure 53: Authentication Components
From the Authentication tab of a service, you can configure three features of authentication:
Table 45: Authentication Features at the Service Level
Configurable Component / Configuration Steps
Sequence of Authentication Methods
Sequence of Authentication Sources
Table 46: Policy Manager Supported Authentication Methods
EAP, Tunneled:
- EAP Protected EAP (EAP-PEAP)
- EAP Flexible Authentication Secure Tunnel (EAP-FAST)
- EAP Transport Layer Security (EAP-TLS)
- EAP Tunneled TLS (EAP-TTLS)
EAP, Non-Tunneled:
- EAP Message Digest 5 (EAP-MD5)
- EAP Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
- EAP Generic Token Card (EAP-GTC)
Non-EAP:
- Challenge Handshake Authentication Protocol (CHAP)
- Password Authentication Protocol (PAP)
- Mic
Figure 54: Add Authentication Method dialog box
Depending on the Type selected, different tabs and fields appear. Refer to the following:
- "PAP" on page 117
- "MSCHAP" on page 118
- "EAP-MSCHAP v2" on page 119
- "EAP-GTC" on page 120
- "EAP-TLS" on page 121
- "EAP-TTLS" on page 123
- "EAP-PEAP" on page 124
- "EAP-FAST" on page 126
- "MAC-AUTH" on page 131
- "CHAP and EAP-MD5" on page 132
- Authorize
PAP
The PAP method contains one tab.
Figure 55: PAP General Tab
Table 47: PAP General Tab
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always PAP.
Encryption Scheme: Select the PAP authentication encryption scheme. Supported schemes are: Clear, Crypt, MD5, SHA1 or Aruba-SSO.
MSCHAP
The MSCHAP method contains one tab.
General Tab
The General tab labels the method and defines session details.
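The table above lists the PAP encryption schemes but not what they mean operationally. As a worked example (added here; it is not Policy Manager code and does not describe its internals), the script below verifies a PAP password against a stored credential under each scheme. It assumes that the scheme names how the password is stored in the authentication source, that MD5 and SHA1 values are lowercase hex digests, that Crypt values are traditional crypt(3) strings, and it does not model Aruba-SSO. The user records are constructed for the example.

```python
"""Verify a PAP (cleartext) password against a stored credential under one
of the Policy Manager PAP encryption schemes: Clear, Crypt, MD5, SHA1.

Added illustration, not Policy Manager code. Assumptions (not in the
guide): MD5/SHA1 values are stored as lowercase hex digests and Crypt
values are traditional crypt(3) strings; Aruba-SSO is not modelled.
"""
import hashlib
import hmac
import warnings

try:  # crypt(3) binding; deprecated in Python 3.11 and removed in 3.13
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt  # type: ignore
except ImportError:
    crypt = None

SCHEMES = ("Clear", "Crypt", "MD5", "SHA1")


def encode_for_scheme(scheme: str, password: str, salt: str = "") -> str:
    """Return the stored form of `password` under `scheme`.

    Used both to build the sample records and, inside verify_pap, to
    re-derive the value the client presented so it can be compared.
    """
    if scheme == "Clear":
        return password
    if scheme == "MD5":
        return hashlib.md5(password.encode("utf-8")).hexdigest()
    if scheme == "SHA1":
        return hashlib.sha1(password.encode("utf-8")).hexdigest()
    if scheme == "Crypt":
        if crypt is None:
            raise RuntimeError("crypt(3) binding not available on this interpreter")
        return crypt.crypt(password, salt)
    raise ValueError(f"unknown PAP encryption scheme: {scheme}")


def verify_pap(scheme: str, stored: str, presented: str) -> bool:
    """Compare the client's cleartext PAP password with the stored value.

    For Crypt the stored string carries its own salt in its leading
    characters, so it is passed back in as the salt argument. The comparison
    uses hmac.compare_digest so a wrong password is rejected in constant time
    rather than leaking the length of the matching prefix.
    """
    if scheme not in SCHEMES:
        raise ValueError(f"unknown PAP encryption scheme: {scheme}")
    salt = stored if scheme == "Crypt" else ""
    candidate = encode_for_scheme(scheme, presented, salt)
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


# Constructed sample user records, one per scheme that hashlib covers.
SAMPLE_USERS = {
    "alice": ("Clear", "Correct-Horse-7"),
    "bob": ("MD5", encode_for_scheme("MD5", "Battery-Staple-9")),
    "carol": ("SHA1", encode_for_scheme("SHA1", "Winter2013!")),
}


def authenticate(user_id: str, presented: str) -> bool:
    """PAP-style lookup: fetch the stored credential, apply its scheme."""
    record = SAMPLE_USERS.get(user_id)
    if record is None:
        return False
    scheme, stored = record
    return verify_pap(scheme, stored, presented)


if __name__ == "__main__":
    for user, pw in (("alice", "Correct-Horse-7"), ("bob", "Battery-Staple-9"),
                     ("carol", "wrong"), ("dave", "anything")):
        print(f"{user:6s} -> {'accept' if authenticate(user, pw) else 'reject'}")
```

The point the table leaves implicit: only PAP works against a one-way-hashed store, because the server receives the cleartext and can re-hash it. MSCHAP, EAP-MSCHAPv2 and CHAP prove possession of the password without sending it, so they need the cleartext (or, for MSCHAP, the NT hash) on the server side. The flip side is that the PAP cleartext reaches Policy Manager, so run PAP only inside a TLS tunnel (EAP-TTLS) or over RADIUS with a strong shared secret.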
Figure 56: MSCHAP General Tab
Table 48: MSCHAP General Tab
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always MSCHAP.
EAP-MSCHAP v2
The EAP-MSCHAPv2 method contains one tab.
General Tab
The General tab labels the method and defines session details.
Figure 57: EAP-MSCHAPv2 General Tab
Table 49: EAP-MSCHAPv2 General Tab
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always EAP-MSCHAPv2.
EAP-GTC
The EAP-GTC method contains one tab.
General Tab
The General tab labels the method and defines session details.
Figure 58: EAP-GTC General Tab
Table 50: EAP-GTC General Tab
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always EAP-GTC.
Challenge: Specify an optional password.
EAP-TLS
The EAP-TLS method contains one tab.
General Tab
The General tab labels the method and defines session details.
Figure 59: EAP-TLS General Tab
Table 51: EAP-TLS General Tab
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always EAP-TLS.
Session Resumption: Caches EAP-TLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-TLS sessions.
Authorization Required: Specify whether to perform an authorization check.
Override OCSP URL from the Client: Select this option if you want to use a different URL for OCSP than the one carried in the client certificate. After this is enabled, you can enter a new URL in the OCSP URL field.
OCSP URL: If Override OCSP URL from the Client is enabled, enter the replacement URL here.
EAP-TTLS
The EAP-TTLS method contains two tabs.
General Tab
The General tab labels the method and defines session details.
Inner Methods Tab The Inner Methods tab controls the inner methods for the EAP-TTLS method: Figure 61: EAP_TTLS Inner Methods Tab Select any method available in the current context from the drop-down list. Functions available in this tab include: l To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds.
Figure 62: EAP-PEAP General Tab
Table 53: EAP-PEAP General Tab
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always EAP-PEAP.
Session Resumption: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-PEAP sessions.
(continued) Support enabled client. When enabled, Policy Manager prompts the client for Microsoft Statement of Health (SoH) credentials.
Enforce Cryptobinding: Enabling the cryptobinding setting ensures an extra level of protection for PEAPv0 exchanges. It ensures that the PEAP client and PEAP server (Policy Manager) participated in both the outer and inner handshakes. This is currently valid only for the client PEAP implementations in Windows 7, Windows Vista and Windows XP SP3.
Figure 64: EAP-FAST General Tab
Table 54: EAP-FAST General Tab
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always EAP-FAST.
Session Resumption: Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-FAST sessions.
- To compare specific attributes, choose Compare Common Name (CN), Compare Subject Alternate Name (SAN), or Compare CN or SAN.
- To perform a binary comparison of the stored (in the end-host record in Active Directory or another LDAP-compliant directory) and presented certificates, choose Compare Binary.
Figure 66: EAP-FAST PACs Tab
- To provision a Tunnel PAC on the end-host after initial successful machine authentication, specify the Tunnel PAC Expire Time (the time until the PAC expires and must be replaced by automatic or manual provisioning) in hours, days, weeks, months, or years. During authentication, Policy Manager can use the Tunnel PAC shared secret to create the outer EAP-FAST tunnel.
Figure 67: EAP-FAST PAC Provisioning tab
Table 55: EAP-FAST PAC Provisioning Tab
Parameter / Description / Considerations
Allow Anonymous Mode: When in anonymous mode, phase 0 of EAP-FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication (not as secure as the authenticated mode).
(continued) authentication; the end-host subsequently reauthenticates using the newly provisioned PAC. When enabled, Policy Manager accepts the end-host authentication in the provisioning mode itself; the end-host does not have to re-authenticate.
(continued) not in a configured authentication source. This setting is enabled, for example, when you want Policy Manager to trigger an audit for an unknown client. By turning on this check box and enabling audit (see "Configuring Audit Servers" on page 210), you can trigger an audit of an unknown client.
CHAP and EAP-MD5
In addition to the methods listed above, Policy Manager also comes packaged with CHAP and EAP-MD5 methods. These are named [CHAP] and [EAP-MD5], respectively.
Figure 70: EAP-MD5 General Tab
Table 57: CHAP and EAP-MD5 General Tab Parameters
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always CHAP or EAP-MD5.
Authorize
This is an authorization-only method that you can add with a custom name.
Figure 71: Authorize General Tab
Table 58: Authorize General Tab Parameters
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, always Authorize.
From the Services page (Configuration > Services), you can configure an authentication source for a new service (as part of the flow of the Add Service wizard), or modify an existing authentication source directly (Configuration > Authentication > Sources, then click on its name in the listing page).
Figure 72: Authentication Sources Listing Page
When you click Add New Authentication Source from any of these locations, Policy Manager displays the Add page.
- General Tab
- Primary Tab
- Attributes Tab
General Tab
The General tab labels the authentication source and defines session details.
Figure 74: Generic LDAP or Active Directory (General Tab)
Table 59: Generic LDAP or Active Directory (General Tab)
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, Generic LDAP or Active Directory.
Server Timeout: The number of seconds that Policy Manager waits before considering this server unreachable. If multiple backup servers are available, this value is the number of seconds Policy Manager waits before attempting to fail over from the primary to the backup servers, in the order in which they are configured.
Cache Timeout: Policy Manager caches attributes fetched for an authenticating entity.
(continued) This is the preferred way to connect to an LDAP directory securely. Select LDAP over SSL or AD over SSL to choose the legacy way of securely connecting to an LDAP directory. Port 636 must be used for this type of connection.
Bind DN/Password: Distinguished Name (DN) of the administrator account. Policy Manager uses this account to access all other records in the directory. NOTE: For Active Directory, the bind DN can also be in the administrator@domain format (e.g.
(continued) receive the password in cleartext.
Password Attribute (Available only for Generic LDAP directory): Enter the name of the attribute in the user record from which the user password can be retrieved. This is not available for Active Directory.
Password Header: Oracle's LDAP implementation prepends a header to a hashed password string. When using Oracle LDAP, enter the header in this field so the hashed password can be correctly identified and read.
Table 61: AD/LDAP Attributes Tab (Filter Listing Screen)
Tab / Parameter/Description
Filter Name / Attribute Name / Alias Name / Enable as Role. Listing column descriptions:
- Filter Name: Name of the filter.
- Attribute Name: Name of the LDAP/AD attributes defined for this filter.
- Alias Name: For each attribute name selected for the filter, you can specify an alias name.
- Enabled As: Specify whether the value is to be used directly as a role or as an attribute in an Enforcement Policy.
Directory / Default Filters (continued)
Onboard memberOf variable. The attribute fetched with this filter query is cn, which is the name of the Onboard group.
Generic LDAP Directory
Authentication: This is the filter used for authentication.
(&(objectClass=*)(uid=%{Authentication:Username}))
When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
Table 63: AD/LDAP Configure Filter Popup (Browse Tab) Navigation Description Find Node / Go Go directly to a given node by entering its Distinguished Name (DN) and clicking on the Go button. AD/LDAP Configure Filter, Filter Tab The Filter tab provides an LDAP browser interface to define the filter search query. Through this interface you can define the attributes used in the filter query.
Parameter Description By clicking on an attribute on the right hand side of the LDAP browser. The attribute name and value are automatically populated in the table. The attribute value field can be a value that has been automatically populated by selecting an attribute from the browser, or it can be manually populated. To aid in populating the value with dynamic session attribute values, a drop down with the commonly used namespace and attribute names is presented (See image below).
Figure 80: AD/LDAP Configure Filter Attributes Tab Table 66: AD/LDAP Configure Filter Popup (Attributes Tab) Parameter Description Enter values for parameters Policy Manager parses the filter query (created in the Filter tab and shown at the top of the Attributes tab) and prompts to enter the values for all dynamic session parameters in the query. For example, if you have %{Authentication:Username} in the filter query, you are prompted to enter the value for it.
Figure 81: Configure Filter Popup (Configuration Tab) Modify Default Filters When you add a new authentication source of type Active Directory or LDAP, a few default filters and attributes are pre-populated. You can modify these pre-defined filters by selecting a filter on the Authentication > Sources > Attributes tab. This opens the Configure Filter page for the specified filter. NOTE: At least one filter must be specified for the LDAP and Active Directory authentication source.
NOTE: The ability to modify the Data type exists for Generic SQL DB, Generic LDAP, Active Directory, and HTTP authentication source types. When you are finished editing a filter, click Save.
Generic SQL DB (Open Data Base Connectivity (ODBC) compliant SQL Databases)
Policy Manager can perform MSCHAPv2 and PAP/GTC authentication against any ODBC-compliant database (for example, Microsoft SQL Server, Oracle, MySQL, or PostgreSQL).
Table 67: Generic SQL DB (General Tab)
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, Generic SQL DB.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, Policy Manager also fetches role mapping attributes from the same source (if this setting is enabled).
Table 68: Generic SQL DB (Primary Tab)
Parameter / Description
Server Name: Enter the hostname or IP address of the database server.
Port: (Optional) Specify a port value if you want to override the default port.
Database Name: Enter the name of the database to retrieve records from.
Login Username/Password: Enter the name of the user used to log into the database. This account should have read access to all the attributes that need to be retrieved by the specified filters.
Figure 86: Generic SQL DB Filter Configure Popup
Table 70: Generic SQL DB Configure Filter Popup
Parameter / Description
Filter Name: Name of the filter
Filter Query: A SQL query to fetch the attributes from the user or device record in the DB
Name / Alias Name / Data Type / Enabled As:
- Name: This is the name of the attribute
- Alias Name: A friendly name for the attribute. By default, this is the same as the attribute name.
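Both the Generic LDAP default filter shown earlier, (&(objectClass=*)(uid=%{Authentication:Username})), and the SQL Filter Query above splice a value the supplicant controls into a query. Whether a username such as *)(uid=* or x' OR '1'='1 can widen the match depends entirely on how the substitution is done. The example below (added here; it is not Policy Manager code and says nothing about how Policy Manager substitutes internally) renders the same %{Namespace:Attribute} tokens two safe ways: RFC 4515 escaping for an LDAP filter, and driver-side parameter binding for SQL. The token syntax is the guide's; the session values, the sqlite3 user table and the hostile usernames are constructed for the example.

```python
"""Render Policy Manager style filter queries that reference session
attributes such as %{Authentication:Username}, so that an attacker-
controlled username cannot change the query's meaning.

Added illustration, not Policy Manager code. The %{Namespace:Attribute}
token syntax is taken from the guide; the escaping/binding approach below
is this example's own and does not describe Policy Manager's internals.
"""
import re
import sqlite3

TOKEN = re.compile(r"%\{([A-Za-z]+):([A-Za-z0-9_-]+)\}")

# Constructed session: what a request carried.
SESSION = {"Authentication": {"Username": "jdoe", "Full-Username": "jdoe@example.com"},
           "Connection": {"Client-Mac-Address": "00-11-22-33-44-55"}}


def ldap_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3 (backslash-hex form),
    so '*', '(', ')', '\\' and NUL lose their filter meaning."""
    out = []
    for ch in value:
        if ch in '*()\\' or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_ldap_filter(template: str, session: dict) -> str:
    """Replace each %{Ns:Attr} token with the escaped session value."""
    def sub(m):
        ns, attr = m.group(1), m.group(2)
        try:
            value = session[ns][attr]
        except KeyError:
            raise KeyError(f"session attribute {ns}:{attr} not present")
        return ldap_escape(str(value))
    return TOKEN.sub(sub, template)


def render_sql_query(template: str, session: dict):
    """Turn %{Ns:Attr} tokens into '?' placeholders plus a parameter list,
    so the value is bound by the driver instead of spliced into the SQL text."""
    params = []
    def sub(m):
        ns, attr = m.group(1), m.group(2)
        params.append(str(session[ns][attr]))
        return "?"
    return TOKEN.sub(sub, template), params


def run_sql_filter(conn, template: str, session: dict):
    """Execute a rendered Filter Query against the (sample) ODBC-style source."""
    sql, params = render_sql_query(template, session)
    return conn.execute(sql, params).fetchall()


def sample_db():
    """Constructed user table standing in for an ODBC-compliant database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(user_id TEXT, password TEXT, dept TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?)",
                     [("jdoe", "s3cret", "Finance", 1), ("admin", "hunter2", "IT", 1)])
    return conn


LDAP_AUTH_FILTER = "(&(objectClass=*)(uid=%{Authentication:Username}))"
SQL_AUTH_QUERY = ("SELECT user_id, dept FROM users "
                  "WHERE user_id = %{Authentication:Username} AND enabled = 1")

if __name__ == "__main__":
    print(render_ldap_filter(LDAP_AUTH_FILTER, SESSION))
    hostile_ldap = {"Authentication": {"Username": "*)(uid=*"}}
    print(render_ldap_filter(LDAP_AUTH_FILTER, hostile_ldap))   # wildcard neutralised
    conn = sample_db()
    print(run_sql_filter(conn, SQL_AUTH_QUERY, SESSION))         # [('jdoe', 'Finance')]
    hostile_sql = {"Authentication": {"Username": "x' OR '1'='1"}}
    print(run_sql_filter(conn, SQL_AUTH_QUERY, hostile_sql))     # [] rather than every row
```

When you write your own Filter Query, the check that matters is the one this example performs in its last two lines: feed a username containing the query language's metacharacters through the real authentication path and confirm the source returns no record rather than someone else's.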
Figure 87: HTTP (General Tab)
Table 71: HTTP (General Tab)
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, HTTP.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Figure 88: HTTP (Primary Tab)
Table 72: HTTP (Primary Tab)
Parameter / Description
Server Name: Enter the hostname or IP address of the server.
Login Username/Password: Enter the name of the user used to log into the server. This account should have read access to all the attributes that need to be retrieved by the specified filters. Enter the password for the user account entered in the field above.
Configure Filter Popup
The Configure Filter popup defines a filter query and the related attributes to be fetched from the source.
Figure 90: HTTP Filter Configure Popup
Table 74: HTTP Configure Filter Popup
Parameter / Description
Filter Name: Name of the filter
Filter Query: The query used to fetch the attributes from the user or device record
Name / Alias Name / Data Type / Enabled As:
- Name: This is the name of the attribute
- Alias Name: A friendly name for the attribute.
Figure 91: Kerberos General Tab
Table 75: Kerberos (General Tab)
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, Kerberos.
Use for Authorization: Disabled in this context.
Authorization Sources: You must specify one or more authorization sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list, and click Add to add it to the list of authorization sources.
Figure 92: Kerberos (Primary Tab)
Table 76: Kerberos (Primary Tab)
Parameter / Description
Hostname/Port: Host name or IP address of the Kerberos server (KDC), and the port on which it listens for Kerberos connections. The default port is 88.
Realm: The domain of authentication. In the case of Active Directory, this is the AD domain.
Service Principal Name: The identity of the service principal as configured in the Kerberos server.
Service Principal Password: Password for the service principal.
General Tab
Figure 93: Okta General Tab
Table 77: Okta (General Tab)
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, Okta.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Primary Tab
Figure 94: Okta Primary Tab
Table 78: Okta (Primary Tab)
Parameter / Description
URL: Enter the address of the Okta server.
Authorization Token: Enter the authorization token as provided by Okta support.
Attributes Tab
Figure 95: Okta Attributes Tab
Table 79: Okta (Attributes Tab)
Tab / Parameter/Description
Filter Name / Attribute Name / Alias Name / Enable as Role. Listing column descriptions:
- Filter Name: Name of the filter. (Only Group can be configured for Okta.
Device Repository], represent the three databases used to store local users, guest users and registered devices, respectively. While regular users typically reside in an authentication source such as Active Directory (or in other LDAP-compliant stores), temporary users, including guest users, can be configured in the Policy Manager local repositories.
Figure 97: Static Host List (Static Host Lists Tab)
Table 81: Static Host List (Static Host Lists Tab)
Parameter / Description
Host List: Select a Static Host List from the drop-down and click Add to add it to the list. Click Remove to remove the selected static host list. Click View Details to view the contents of the selected static host list. Click Modify to modify the selected static host list.
Figure 98: Token Server (General Tab)
Table 82: Token Server (General Tab)
Parameter / Description
Name/Description: Freeform label and description.
Type: In this context, Token Server.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Primary Tab
The Primary tab defines the settings for the primary server.
Figure 99: Token Server (Primary Tab)
Table 83: Token Server (Primary Tab)
Parameter / Description
Server Name/Port: Host name or IP address of the token server, and the UDP port on which the token server listens for RADIUS connections. The default port is 1812.
Secret: RADIUS shared secret to connect to the token server.
Attributes Tab
The Attributes tab defines the RADIUS attributes to be fetched from the token server.
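The Token Server source makes Policy Manager a RADIUS client of the token server, and the Secret is what stands between the one-time password and anyone on the path to UDP/1812. The example below (added here; it is not Policy Manager code) builds the Access-Request such a client sends and then parses it the way the token server would, including the RFC 2865 section 5.2 User-Password hiding that keys MD5 with the shared secret and the Request Authenticator. Packet layout and attribute types are from RFC 2865; the secret, username, OTP and NAS address are constructed for the example.

```python
"""Build and unwrap the RADIUS Access-Request a client such as Policy
Manager sends to a Token Server on UDP/1812, showing how the shared secret
hides the one-time password on the wire (RFC 2865 section 5.2).

Added illustration, not Policy Manager code. Packet layout, attribute
types (1 = User-Name, 2 = User-Password, 4 = NAS-IP-Address) and the
hiding algorithm are from RFC 2865; all values are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """User-Password hiding: NUL-pad to a 16-octet boundary, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. Passwords are limited to 128 octets."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = (password + b"\x00" * ((-len(password)) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type | Length (including the 2-octet header) | Value."""
    return struct.pack("!BB", t, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: str,
                         otp: str, nas_ip: str, authenticator=None) -> bytes:
    """Code(1) | Identifier | Length | Request Authenticator | attributes."""
    ra = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(secret, ra, otp.encode()))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_access_request(secret: bytes, pkt: bytes) -> dict:
    """What the token server sees: parse attributes and recover the OTP.
    With the wrong secret the recovered password is garbage, not an error."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra, pos, out = pkt[4:20], 20, {"identifier": ident}
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        v = pkt[pos + 2:pos + l]
        if t == ATTR_USER_NAME:
            out["User-Name"] = v.decode()
        elif t == ATTR_USER_PASSWORD:
            out["User-Password"] = reveal_password(secret, ra, v).decode("utf-8", "replace")
        elif t == ATTR_NAS_IP:
            out["NAS-IP-Address"] = ".".join(str(b) for b in v)
        pos += l
    return out


if __name__ == "__main__":
    secret = b"shared-secret-example"  # constructed; use a long random secret in practice
    pkt = build_access_request(secret, 7, "jdoe", "482913", "10.0.0.5")
    print(pkt.hex())
    print(parse_access_request(secret, pkt))
    print(parse_access_request(b"wrong-secret", pkt)["User-Password"])
```

Two things the parse makes visible: the hiding is keyed only by the secret and a 16-byte authenticator, so a short or guessable Secret lets a capture of one request be brute-forced offline; and the token server has no way to tell a wrong secret from a wrong OTP, so a misconfigured secret shows up as every user failing rather than as a clear error.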
Chapter 14 Identity: Users, Endpoints, Roles and Role Mapping A Role Mapping Policy reduces client (user or device) identity or attributes associated with the request to Role(s) for Enforcement Policy evaluation. The roles ultimately determine differentiated access. Architecture and Flow Roles range in complexity from a simple user group (e.g., Finance, Engineering, or Human Resources) to a combination of a user group with some dynamic constraints (e.g.
a role(s) to the client. This role becomes the identity component of Enforcement Policy decisions. NOTE: A service can be configured without a Role Mapping Policy, but only one Role Mapping Policy can be configured for each service.
Figure 102: Role Mapping Policies When you click Add Role Mapping from any of these locations, Policy Manager displays the Add Role Mapping popup, which contains the following three tabs: l Policy l Mapping Rules l Summary Policy Tab The Policy tab labels the method and defines the Default Role (the role to which Policy Manager defaults if the mapping policy does not produce a match for a given request).
Mapping Rules Tab
The Mapping Rules tab selects the evaluation algorithm, adds/edits/removes rules, and reorders rules. On the Mapping Rules tab, click the Add Rule button to create a new rule, or select an existing rule (by clicking on the row) and then click the Edit Rule button or Remove Rule button.
Figure 104: Role Mapping (Mapping Rules Tab)
When you select Add Rule or Edit Rule, Policy Manager displays the Rules Editor popup.
Label / Description
Namespace (continued):
- Date
- Device
- Endpoint
- GuestUser
- Host
- LocalUser
- Onboard
- TACACS
- RADIUS - All enabled RADIUS vendor dictionaries
Name (of attribute): Drop-down list of attributes present in the selected namespace.
Operator: Drop-down list of context-appropriate (with respect to the attribute data type) operators. Operators have their obvious meaning; for stated definitions of operator meaning, refer to "Operators" on page 362.
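To make the mechanics of a Role Mapping Policy concrete, the script below (added here; it is not Policy Manager code) evaluates rules of the shape the Rules Editor builds: a namespace, an attribute name, an operator and a value, combined per rule, producing Role(s) or falling back to the policy's Default Role. The rule schema, the two evaluation modes (stop at the first matching rule, or collect roles from every matching rule), the operator set, the Authorization:AD namespace name and the KnownClient value for Authentication:MacAuth are this example's assumptions; the guide names the namespaces and the Default Role but defers operator definitions to its "Operators" section. The policy and requests are constructed.

```python
"""Evaluate a Role Mapping Policy: rules made of (namespace, attribute,
operator, value) conditions reduce a request to Role(s); when nothing
matches, the policy's Default Role applies.

Added illustration, not Policy Manager code. The rule schema, the two
evaluation modes, the operator set, the "Authorization:AD" namespace and
the "KnownClient" MacAuth value are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import time

OPERATORS = {
    "EQUALS": lambda a, v: a == v,
    "NOT_EQUALS": lambda a, v: a != v,
    "CONTAINS": lambda a, v: v in str(a),
    "BELONGS_TO": lambda a, v: a in v,          # v is a collection of allowed values
    "BETWEEN": lambda a, v: v[0] <= a <= v[1],  # v is an inclusive (low, high) pair
}


@dataclass
class Condition:
    namespace: str
    attribute: str
    operator: str
    value: object = None


@dataclass
class Rule:
    conditions: list   # every condition must hold (AND)
    roles: list        # roles assigned when the rule matches


@dataclass
class RoleMappingPolicy:
    default_role: str
    rules: list
    first_match: bool = True  # False: collect roles from every matching rule


def condition_holds(cond: Condition, request: dict) -> bool:
    """A missing attribute never satisfies a condition (except EXISTS, which
    tests exactly that), so a request cannot gain a role by omitting data.
    A type mismatch or unknown operator is likewise a non-match, not a grant."""
    actual = request.get(cond.namespace, {}).get(cond.attribute)
    if cond.operator == "EXISTS":
        return actual is not None
    if actual is None:
        return False
    try:
        return bool(OPERATORS[cond.operator](actual, cond.value))
    except (TypeError, KeyError):
        return False


def evaluate(policy: RoleMappingPolicy, request: dict) -> list:
    """Return the role(s) for this request, falling back to the Default Role."""
    roles = []
    for rule in policy.rules:
        if all(condition_holds(c, request) for c in rule.conditions):
            roles.extend(r for r in rule.roles if r not in roles)
            if policy.first_match:
                break
    return roles or [policy.default_role]


# Constructed policy: AD group membership, time of day and endpoint status.
POLICY = RoleMappingPolicy(
    default_role="[Guest]",
    first_match=False,
    rules=[
        Rule([Condition("Authorization:AD", "memberOf", "CONTAINS", "CN=Finance")],
             ["Finance"]),
        Rule([Condition("Authorization:AD", "memberOf", "CONTAINS", "CN=Finance"),
              Condition("Date", "Time-of-Day", "BETWEEN", (time(8, 0), time(18, 0)))],
             ["Finance-Business-Hours"]),
        Rule([Condition("Endpoint", "Status", "EQUALS", "Known"),
              Condition("Authentication", "MacAuth", "EQUALS", "KnownClient")],
             ["Known-Device"]),
    ],
)


def sample_request(hour: int = 9, finance: bool = True) -> dict:
    """Constructed request attributes, keyed by namespace then attribute."""
    group = "CN=Finance,OU=Groups,DC=example,DC=com" if finance else "CN=Staff,DC=example,DC=com"
    return {"Authorization:AD": {"memberOf": group},
            "Date": {"Time-of-Day": time(hour, 30)},
            "Endpoint": {"Status": "Known"},
            "Authentication": {"MacAuth": "KnownClient"}}


if __name__ == "__main__":
    print(evaluate(POLICY, sample_request(9)))    # all three rules match
    print(evaluate(POLICY, sample_request(22)))   # business-hours rule drops out
    print(evaluate(POLICY, {}))                   # nothing matches: Default Role
```

Rule order matters only in first-match mode, which is why the tab lets you reorder rules; in collect-all mode a broad rule placed anywhere still contributes its role, so keep the Default Role minimal and treat every CONTAINS on a DN as a substring test (CN=Finance also matches CN=Finance-Contractors).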
You can configure a role from within a Role Mapping Policy (Add New Role), or independently from the menu (Configuration > Identity > Roles > Add Roles). In either case, roles exist independently of an individual Service and can be accessed globally through the Role Mapping Policy of any Service. When you click Add Roles from any of these locations, Policy Manager displays the Add New Role popup.
Figure 108: Local Users Listing
To add a local user, click Add User to display the Add Local User popup.
Figure 109: Add Local User
Table 87: Add Local User
Parameter / Description
User ID/Name/Password/Verify Password: Freeform labels and password.
Enable User: Uncheck to disable this user account.
Role: Select a static role for this local user.
Attributes: Add custom attributes for this local user. Click on the "Click to add..." row to add custom attributes.
Parameter Description By default, four custom attributes appear in the Attribute dropdown: Phone, Email, Sponsor, Designation. You can enter any name in the attribute field. All attributes are of String datatype. The value field can also be populated with any string. Each time you enter a new custom attribute, it is available for selection in Attribute dropdown for all local users. NOTE: All attributes entered for a local user are available in the role mapping rules editor under the LocalUser namespace.
l To add a guest user or device, click Add User. This opens the Add New Guest User popup. Figure 111: Add New Guest User Figure 112: Add New Guest Device Table 89: Add New Guest User/Device Parameter Description Guest Type Add a guest user or a guest device User ID/ Name /Password/ Freeform labels and password. Dell Networking W-ClearPass Policy Manager 6.
Parameter Description Verify Password (Guest User only) Click Auto Generate to auto-generate a password for the guest user. MAC Address (Guest Device only) MAC address of the guest device. Enable Guest Check to enable guest user. Expiry Time Use the date widget to select the date and time on which this Guest User’s access expires. Attributes Add custom attributes for this guest user. Click on the “Click to add...” row to add custom attributes.
Click on a device name within a row to drill down and view detailed information about the device, including the device password, start and expiry times, owner, serial number, UUID, product name, and product version. You can also use the Enable Device check box to enable or disable the device.
Figure 116: Endpoint Authentication Details

To manually add an endpoint, click Add Endpoint to display the Add Endpoint popup.

Figure 117: Add Endpoint

Table 90: Add Endpoint
Parameter | Description
MAC Address | MAC address of the endpoint.
Status | Mark as Known, Unknown or Disabled client. The Known and Unknown status can be used in role mapping rules via the Authentication:MacAuth attribute. The Disabled status can be used to block access to a specific endpoint.

Notice that the Policy Cache Values section lists the role(s) assigned to the user and the posture status. Policy Manager can use these cached values in authentication requests from this endpoint. Clear Cache clears the computed policy results (roles and posture).

Figure 118: Endpoint Popup

To delete an endpoint, in the Endpoints listing page, select it (via check box) and click the Delete button. To export an endpoint, in the Endpoints listing page, select it (via check box) and click the Export button.

Figure 120: Add Static Host List

Table 91: Add Static Host List
Parameter | Description
Name / Description | Freeform labels and descriptions.
Host Format | Select a format for expression of the address: subnet, IP address or regular expression.
Host Type | Select a host type: IP Address or MAC Address (radio buttons).
List | Use the Add Host and Remove Host widgets to maintain membership in the current Static Host List.
Chapter 15
Posture

Policy Manager provides several posture methods for health evaluation of clients requesting access. These methods all return Posture Tokens (e.g., Healthy, Quarantine) that Policy Manager uses as input into Enforcement Policy. One or more of these posture methods may be associated with a Service.

Posture Architecture and Flow

Policy Manager supports three different types of posture checking:
- Posture Policy.

Figure 121: Posture Evaluation Process

Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
- Operating system version/type
- Registry keys/services present (or absent)
- Antivirus/antispyware/firewall configuration
- Patch level of different software components
- Peer to Peer application checks
- Services to be running or not running
- Processes to be running or not running

Each configured health check ret

- Infected. Client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.
- Unknown. The posture token of the client is unknown.

Upon completion of all configured posture checks, Policy Manager evaluates all application tokens and calculates a system token, equivalent to the most restrictive rating for all returned application tokens. The system token provides the health posture component for input to the Enforcement Policy.

Configurable Component | How to Configure
Remediation URL | This URL defines where to send additional remediation information to endpoints.
Sequence of Posture Servers | Select a Posture Server, then select Move Up, Move Down, Remove, or View Details.
- To add a previously configured Posture Server, select from the Select dropdown list, then click Add.
- To configure a new Posture Server, click Add New Posture Server (link) and refer to "Adding and Modifying Posture Servers" on page 205.
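The system-token calculation described above, worked through in code as an added example that is not part of the guide and not ClearPass Policy Manager code: each configured check (service, process, registry key, hotfix, antivirus) returns an application token, and the most restrictive application token becomes the system token. The health report fields, check names, registry path and hotfix identifier are constructed; the restrictiveness ordering of the four tokens named in the guide is this example's assumption, with Unknown placed last so that a check that could not be evaluated never improves the result.

```python
"""Toy posture evaluation: per-check application tokens folded into a system token.

Added example, not ClearPass Policy Manager code. Report fields, check names,
the registry path and the hotfix identifier are constructed; the token
ordering is this example's assumption (only tokens named in the guide).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Least to most restrictive (assumption). "Unknown" is last so that an
# unassessable check can never make the endpoint look healthier.
TOKEN_ORDER = ("Healthy", "Quarantine", "Infected", "Unknown")
RANK = {token: i for i, token in enumerate(TOKEN_ORDER)}


@dataclass
class HealthReport:
    """Constructed stand-in for what a posture agent collects from an endpoint."""
    os_version: str
    services_running: Set[str]
    processes_running: Set[str]
    registry_values: Dict[str, str]      # "Hive\\Key\\Value" -> data
    hotfixes_installed: Set[str]
    antivirus_on: bool


@dataclass
class HealthCheck:
    name: str
    evaluate: Callable[[HealthReport], str]   # returns an application token


# Check constructors mirroring the guide's categories. Each returns a token.
def service_running(service: str) -> Callable[[HealthReport], str]:
    return lambda r: "Healthy" if service in r.services_running else "Quarantine"

def process_absent(process: str) -> Callable[[HealthReport], str]:
    # A forbidden process that is running is rated Infected in this example.
    wanted = process.lower()
    return lambda r: "Infected" if wanted in {p.lower() for p in r.processes_running} else "Healthy"

def registry_value_equals(path: str, expected: str) -> Callable[[HealthReport], str]:
    def check(r: HealthReport) -> str:
        actual = r.registry_values.get(path)
        if actual is None:
            return "Unknown"      # key absent: the setting cannot be assessed
        return "Healthy" if actual == expected else "Quarantine"
    return check

def hotfix_installed(hotfix_id: str) -> Callable[[HealthReport], str]:
    return lambda r: "Healthy" if hotfix_id in r.hotfixes_installed else "Quarantine"

def antivirus_on() -> Callable[[HealthReport], str]:
    return lambda r: "Healthy" if r.antivirus_on else "Quarantine"


def evaluate_posture(checks: List[HealthCheck],
                     report: HealthReport) -> Tuple[str, Dict[str, str], List[str]]:
    """Run every check, then fold the application tokens into the system token.

    Returns (system_token, application_tokens, names of the checks that produced
    the system token). The system token is the most restrictive application token.
    """
    app_tokens = {c.name: c.evaluate(report) for c in checks}
    for name, token in app_tokens.items():
        if token not in RANK:
            raise ValueError(f"{name}: unrecognised posture token {token!r}")
    if not app_tokens:
        return "Unknown", app_tokens, []      # nothing was checked: fail closed
    system = max(app_tokens.values(), key=RANK.__getitem__)
    culprits = sorted(n for n, t in app_tokens.items() if t == system)
    return system, app_tokens, culprits


# Constructed posture policy. MpsSvc is the Windows Firewall service name;
# the process name, registry path and "KB-EXAMPLE-0001" are placeholders.
SCREEN_LOCK_KEY = r"HKLM\SOFTWARE\ExampleCorp\Policy\ScreenLock"
EXAMPLE_POLICY = [
    HealthCheck("Firewall service running", service_running("MpsSvc")),
    HealthCheck("Peer-to-peer client absent", process_absent("p2p-client.exe")),
    HealthCheck("Screen lock enforced", registry_value_equals(SCREEN_LOCK_KEY, "1")),
    HealthCheck("Hotfix KB-EXAMPLE-0001 installed", hotfix_installed("KB-EXAMPLE-0001")),
    HealthCheck("Antivirus on", antivirus_on()),
]

# Constructed endpoint: firewall and AV fine, screen lock set, hotfix missing.
EXAMPLE_REPORT = HealthReport(
    os_version="Windows 7 SP1",
    services_running={"MpsSvc", "WinDefend"},
    processes_running={"explorer.exe", "outlook.exe"},
    registry_values={SCREEN_LOCK_KEY: "1"},
    hotfixes_installed=set(),
    antivirus_on=True,
)

if __name__ == "__main__":
    token, per_check, why = evaluate_posture(EXAMPLE_POLICY, EXAMPLE_REPORT)
    print(token, why)   # Quarantine ['Hotfix KB-EXAMPLE-0001 installed']
```

Returning the names of the checks that produced the system token is what makes the result actionable: the Remediation URL above can point the user at the specific failing item rather than at a generic page.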
- ClearPass Mac OS X Universal System Health Validator. Configurable product-, version- and update-specific checks for Antivirus/Antispyware applications and Firewall configuration.

Note that the ClearPass OnGuard Agent (both persistent and dissolvable forms) can be used in the following scenarios:
- An environment that does not support 802.1X based authentication (legacy Windows Operating Systems, or legacy devices in the network)
- An OS that supports 802.

Parameter | Description
(continued) | Vista, Windows XP SP3, Windows Server 2008, Windows Server 2008 R2, and Linux OSes supported by ClearPass Linux NAP Agent.
OnGuard Agent | Use this to configure posture policies for guest or web portal based use cases (via a dissolvable Java-applet based agent), or for use cases where the ClearPass (persistent) OnGuard Agent is installed on the endpoint.

Figure 127: Add Posture Policy (Posture Plugins Tab) - Linux OnGuard Agent

Figure 128: Add Posture Policy (Posture Plugins Tab) - Mac OS X OnGuard Agent

Refer to the following sections for plugin-specific configuration instructions:
- "ClearPass Windows Universal System Health Validator - NAP Agent" on page 182
- "Windows System Health Validator - NAP Agent" on page 205
- "Windows Security Health Validator - NAP Agent" on page 203
- "ClearPass Windows Universal System Health Validator - OnGuard

- Unknown. The posture token of the client is unknown.

4. Click Save when you are finished.

Figure 129: Add Posture Policy (Rules Tab)

ClearPass Windows Universal System Health Validator - NAP Agent

The ClearPass Windows Universal System Health Validator popup appears in response to actions in the Posture Plugins tab of the Posture configuration.

Figure 130: ClearPass Windows Universal System Health Validator - NAP Agent

Select a version of Windows and click the check box to enable checks for that version. Enabling checks for a specific version displays the following set of configuration pages. These pages are explained in the sections that follow.
Parameter | Description
Insert | To add a service to the list of available services, enter its name in the text box adjacent to this button, then click Insert.
Delete | To remove a service from the list of available services, select it and click Delete.

Processes

The Processes page provides a set of widgets for specifying processes that must be explicitly present or absent on the system.

Processes to be Present

Figure 133: Process to be Present Page (Detail)

Table 96: Process to be Present Page (Detail)
Parameter | Description
Process | Enter the Process name and the Display name.
Location | Choose from one of the pre-defined paths, or choose None:
- SystemDrive - For example, C:
- SystemRoot - For example, C:\Windows
- ProgramFiles - For example, "C:\Program Files"
- HOMEDRIVE - For example, C:
- HOMEPATH - For example, \Users\JohnDoe
- None - By selecting None, you can enter a custom path

Processes to be Absent

Figure 134: Process to be Absent Page (Detail)

Table 97: Process to be Absent Page (Detail)
Parameter | Description
Check Type | Select the type of process check to perform. The agent can look for:
- Process Name - The agent looks for all processes that match the given name. For example, if notepad.exe is specified, the agent kills all processes whose name matches, regardless of the location from which these processes were started.
Figure 135: Process Page (Overview - Post Add)

Registry Keys

The Registry Keys page provides a set of widgets for specifying registry keys that must be explicitly present or absent.

Registry Keys to be Absent

Figure 137: Registry Keys Page (Detail)

Table 99: Registry Keys Page (Detail)
Parameter | Description
Hive / Key / Value (name, type, data) | Identifying information for a specific setting for a specific registry key.

When you save your Registry details, the key information appears in the Registry page list.

Figure 140: Antivirus Page (Detail 1)

Click Add to specify product and version check information.

Figure 141: Antivirus Page (Detail 2)

After you save your Antivirus configuration, it appears in the Antivirus page list.

Interface | Parameter | Description
Antivirus Page (Detail 1) | Add | To configure Antivirus application attributes for testing against health data, click Add.
Antivirus Page (Detail 1) | Trashcan icon | To remove configured Antivirus application attributes from the list, click the trashcan icon in that row.
Antivirus Page (Detail 2) | Product / Version / Last Check | Configure the specific settings for which to test against health data. Not all of these checks are available for every product.
Figure 145: AntiSpyware Page (Detail 2)

Figure 146: AntiSpyware Page (Overview After)

When you save your AntiSpyware configuration, it appears in the AntiSpyware page list. The configuration elements are the same for antivirus and antispyware products; refer to the previous Antivirus configuration instructions.

Firewall

In the Firewall page, you can specify that a Firewall application must be on, and drill down to specify information about the Firewall application.

Figure 149: Firewall Page (Detail 2)

When you save your Firewall configuration, it appears in the Firewall page list.

Figure 151: Peer to Peer Page

Table 102: Peer to Peer Page
Parameter | Description
Auto Remediation | Enable to allow auto remediation for service checks (automatically stop peer to peer applications based on the entries in the Applications to stop configuration).
User Notification | Enable to allow user notifications for peer to peer application/network check policy violations.

Click Add to specify product and version check information.

Figure 154: Patch Management Page (Detail 2)

When you save your Patch Management configuration, it appears in the Patch Management page list.
Windows Hotfixes

The Windows Hotfixes page provides a set of widgets for checking whether specific Windows hotfixes are installed on the endpoint.

Figure 156: Windows Hotfixes Page

Table 104: Windows Hotfixes
Parameter | Description
Auto Remediation | Enable to allow auto remediation for hotfix checks (automatically trigger updates of the specified hotfixes).
User Notification | Enable to allow user notifications for hotfix check policy violations.

Table 105: USB Devices
Parameter | Description
Auto Remediation | Enable to allow auto remediation for USB mass storage devices attached to the endpoint (automatically stop or eject the drive).
User Notification | Enable to allow user notifications for USB devices policy violations.
Remediation Action for USB Mass Storage Devices |
- No Action - Take no action; do not eject or disable the attached devices.
- Remove USB Mass Storage Devices - Eject the attached devices.

Figure 159: Network Connections

Select the Check for Network Connection Types check box, and then click Configure to specify the types of connection that you want to include.

Parameter | Description
Storage Devices (continued from previous page) | devices.
Disable Network Connections | Disable network connections for the configured network type.

Click Save when you are finished. This returns you to the Network Connections Configuration page. The remaining fields on this page are described below.
Figure 161: ClearPass Linux Universal System Health Validator - NAP Agent

Select a Linux version and click the Enable checks check box for that version. The Services view appears automatically and provides a set of widgets for specifying services that must be explicitly running or stopped for the different Linux versions.

Figure 162: General Configuration Section

Select Firewall Check to display a view where you can specify Firewall parameters, specifically with respect to which ports may be open or blocked.

Figure 163: Firewall view

Select Antivirus Check, then click Add in the view that appears to specify Antivirus details.

Figure 164: Antivirus Check view

When you save your Antivirus configuration, it appears in the Antivirus page list.

Figure 165: Antivirus Check

Table 110: Antivirus Check
Interface | Parameter | Description
Antivirus Main view | Add | To configure Antivirus application attributes for testing against health data, click Add.
Antivirus Main view | Trashcan icon | To remove configured Antivirus application attributes from the list, click the trashcan icon in that row.
Antivirus Main view | Product / Version / Last Check | Configure the specific settings for which to test against health data.
Figure 166: ClearPass Mac OS X Universal System Health Validator - OnGuard Agent

Select a check box to enable checks for Mac OS X. Enabling these check boxes displays a corresponding set of configuration pages:
- In the Antivirus page, you can specify that an Antivirus application must be on, and drill down to specify information about the Antivirus application. Click on An Antivirus Application is On to configure the Antivirus application information.

Figure 169: Antivirus Page (Detail 2)

When you save your Antivirus configuration, it appears in the Antivirus page list. See "ClearPass Windows Universal System Health Validator - NAP Agent" on page 182 for antivirus page and field descriptions.
- In the Antispyware page, an administrator can specify that an Antispyware application must be on, and drill down to specify information about the Antispyware application.

Figure 170: Windows Security Health Validator

Windows Security Health Validator - OnGuard Agent

This validator checks for the presence of specific types of security applications. An administrator can use the check boxes to restrict access based on the absence of the selected security application types.

Figure 171: Windows Security Health Validator

Windows System Health Validator - NAP Agent

This validator checks for current Windows Service Packs. An administrator can use the check boxes to enable support of specific operating systems and to restrict access based on service pack level.

Figure 172: Windows System Health Validator (Overview)

Windows System Health Validator - OnGuard Agent

This validator checks for current Windows Service Packs.
Server evaluates the posture data and returns Application Posture Tokens. From the Services page (Configuration > Service), you can configure a posture server for a new service (as part of the flow of the Add Service wizard), or modify an existing posture server directly (Configuration > Posture > Posture Servers, then click on its name in the Posture Servers listing).
Figure 176: Microsoft NPS Settings (Primary and Backup Server tabs)

Table 112: Microsoft NPS Settings (Primary and Backup Server tabs)
Parameter | Description
RADIUS Server Name / Port | Hostname or IP address and RADIUS server UDP port.
Shared Secret | Enter the shared secret for RADIUS message exchange; the same secret has to be entered on the RADIUS server (Microsoft NPS) side.
Timeout | How many seconds to wait before deeming the connection dead; if a backup is configured, Policy Manager will attempt to con
Chapter 16
Audit Servers

Audit Servers evaluate posture and/or role for unmanaged or unmanageable clients; that is, clients that lack an adequate posture agent or 802.1X supplicant (for example, printers, PDAs, or guest users may not be able to send posture credentials or identify themselves). A Policy Manager Service can trigger an audit by sending a client ID to a pre-configured Audit Server, which returns attributes for role mapping and posture evaluation.

Figure 177: Flow of Control of Policy Manager Auditing

Refer to "Configuring Audit Servers" on page 210 for additional information.

Configuring Audit Servers

The Policy Manager server contains built-in Nessus (version 2.X) and NMAP servers. For enterprises with existing audit server infrastructure, or otherwise preferring external audit servers, Policy Manager supports these servers externally.

Built-In Audit Servers

When configuring an audit as part of a Policy Manager Service, you can select the default Nessus ([Nessus Server]) or NMAP ([Nmap Audit]) configuration.

Adding Auditing to a Policy Manager Service

1. Navigate to the Audit tab.
- To configure an audit server for a new service (as part of the flow of the Add Service wizard), navigate to Configuration > Services. Select the Add Services link. In the Add Services form, select the Audit tab.
Parameter | Description
(continued) | Reauthenticate client
Audit Trigger Conditions |
- Always: Always perform an audit.
- When posture is not available: Perform audit only when posture credentials are not available in the request.
- For MAC Authentication Request: If you select this option, then Policy Manager presents three additional settings:
  - For known end-hosts only. For example, when you want to reject unknown end-hosts, but audit known clients for.

Figure 180: Upload Nessus Plugins Popup

- In the Rules tab, you can create post-audit rules for determining Role based on identity attributes discovered by the audit. Refer to Post-Audit Rules.

Custom Audit Servers

For enterprises with existing audit server infrastructure, or otherwise preferring custom audit servers, Policy Manager supports NESSUS (2.x and 3.x), and NMAP scans using the NMAP plugin on these external Nessus Servers. To configure a custom Audit Server:

1. Open the Audit page.
Figure 181: NESSUS Audit Server (Audit Tab)

Table 114: NESSUS Audit Server (Audit tab)
Parameter | Description
Name / Description | Freeform label and description.
Type | For purposes of a NESSUS-type Audit Server, always NESSUS.
In Progress Posture Status | Posture status during audit. Select a status from the drop-down list.
Default Posture Status | Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.

Figure 182: NESSUS Audit Server (Primary & Backup Tabs)

Table 115: NESSUS Audit Server - Primary and Backup Server tabs
Parameter | Description
Server Name and Port / Username / Password | Standard NESSUS server configuration fields.

NOTE: For the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.

Figure 183: Audit Tab (NMAP)

Table 116: Audit Tab (NMAP)
Parameter | Description
Name / Description | Freeform label and description.
Type | For purposes of an NMAP-type Audit Server, always NMAP.
In Progress Posture Status | Posture status during audit. Select a status from the drop-down list.
Default Posture Status | Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.

The NMAP Options tab specifies scan configuration.

Figure 184: Options Tab (NMAP)

Table 117: Options Tab (NMAP)
Parameter | Description
TCP Scan | To specify a TCP scan, select from the TCP Scan drop-down list. Refer to NMAP documentation for more information on these options. NMAP option --scanflags.
UDP Scan | To enable, check the UDP Scan check box. NMAP option -sU.
Service Scan | To enable, check the Service Scan check box. NMAP option -sV.
Detect Host Operating System | To enable, check the Detect Host Operating System check box. NMAP option -A.
Figure 185: Nessus Scan Profile Configuration Page

You can refresh the plugins list (after uploading plugins into Policy Manager, or after refreshing the plugins on your external Nessus server) by clicking Refresh Plugins List.

Figure 186: Nessus Scan Profile Configuration (Profile Tab)

- The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click on its row.

Figure 187: Nessus Scan Profile Configuration (Profile Tab) - Plugin Synopsis

NOTE: Of special interest is the section of the synopsis entitled Risks.

To delete any listed plugin, click on its corresponding trashcan icon. To change the vulnerability level of any listed plugin, click on the link to change the level to one of HOLE, WARN, INFO, NOTE. This tells Policy Manager the vulnerability level that results in QUARANTINE status being assigned.
For each selected plugin, the Preferences tab contains a list of fields that require entries. In many cases, these fields will be pre-populated. In other cases, you must provide information required for the operation of the plugin. By way of example of how plugins use this information, consider a plugin that must access a particular service, in order to determine some aspect of the client’s status; in such cases, login information might be among the preference fields.
Table 118: All Audit Server Configurations (Rules Tab)
Parameter | Description
Rules Evaluation Algorithm | Select first matched rule and return the role, or Select all matched rules and return a set of roles.
Add Rule | Add a rule. Brings up the rules editor. See below.
Move Up/Down | Reorder the rules.
Edit Rule | Brings up the selected rule in edit mode.
Remove Rule | Remove the selected rule.
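The two evaluation algorithms in Table 118 (first matched rule, or all matched rules as a set of roles), together with the Default Role fall-back that the Role Mapping Policy tab in the Identity chapter describes, as an added example that is not part of the guide and not ClearPass Policy Manager code. Attribute names follow the guide's Namespace:Attribute form; Authentication:MacAuth and the LocalUser custom attribute Designation appear in the guide, while the operator subset, the role names, the rule set and the request values are constructed for illustration.

```python
"""Rule evaluation for a Role Mapping Policy and for an Audit Server's Rules tab.

Added example, not ClearPass Policy Manager code. Implements the two
evaluation algorithms the guide names, with fall-back to the Default Role.
The operator subset, roles, rules and request values are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# Operator subset (assumption); the product offers operators per data type.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "EQUALS": lambda actual, expected: actual == expected,
    "NOT_EQUALS": lambda actual, expected: actual != expected,
    "CONTAINS": lambda actual, expected: expected in actual,
    "BELONGS_TO": lambda actual, expected: actual in [v.strip() for v in expected.split(",")],
}


@dataclass(frozen=True)
class Condition:
    attribute: str      # "Namespace:Name", e.g. "Authentication:MacAuth"
    operator: str
    value: str

    def matches(self, request: Dict[str, str]) -> bool:
        actual = request.get(self.attribute)
        if actual is None:          # attribute absent from the request: no match
            return False
        return OPERATORS[self.operator](actual, self.value)


@dataclass(frozen=True)
class Rule:
    conditions: Sequence[Condition]     # every condition must hold
    role: str

    def matches(self, request: Dict[str, str]) -> bool:
        return all(c.matches(request) for c in self.conditions)


def evaluate_rules(rules: Sequence[Rule], request: Dict[str, str],
                   algorithm: str, default_role: str) -> List[str]:
    """Return the role(s) a rule set assigns to one request.

    algorithm "first": the first matching rule's role (rule order matters).
    algorithm "all":   every matching rule's role, in rule order, deduplicated.
    No match at all yields [default_role].
    """
    if algorithm not in ("first", "all"):
        raise ValueError(f"unknown evaluation algorithm: {algorithm!r}")
    matched = [rule.role for rule in rules if rule.matches(request)]
    if not matched:
        return [default_role]
    return matched[:1] if algorithm == "first" else list(dict.fromkeys(matched))


# Constructed rule set. Role names and the Designation values are placeholders.
EXAMPLE_RULES = [
    Rule([Condition("Authentication:MacAuth", "EQUALS", "Known")], "Known Device"),
    Rule([Condition("LocalUser:Designation", "BELONGS_TO", "Contractor, Vendor")], "Contractor"),
    Rule([Condition("Authentication:MacAuth", "EQUALS", "Known"),
          Condition("LocalUser:Designation", "EQUALS", "Contractor")], "Contractor Device"),
]
DEFAULT_ROLE = "Unmapped"   # placeholder for the policy's Default Role

# Constructed requests.
REQUEST_CONTRACTOR = {"Authentication:MacAuth": "Known", "LocalUser:Designation": "Contractor"}
REQUEST_UNKNOWN = {"Authentication:MacAuth": "Unknown"}

if __name__ == "__main__":
    print(evaluate_rules(EXAMPLE_RULES, REQUEST_CONTRACTOR, "first", DEFAULT_ROLE))
    print(evaluate_rules(EXAMPLE_RULES, REQUEST_CONTRACTOR, "all", DEFAULT_ROLE))
    print(evaluate_rules(EXAMPLE_RULES, REQUEST_UNKNOWN, "all", DEFAULT_ROLE))
```

The same request yields one role under "first" and three under "all", which is why the Move Up/Down ordering in the table matters only for the first-match algorithm, and why an Enforcement Policy that consumes a set of roles has to be written to tolerate several of them at once.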
Chapter 17
Enforcement

Policy Manager controls network access by sending a set of access-control attributes to the request-originating Network Access Device (NAD). Policy Manager determines these attributes by evaluating an Enforcement Policy associated with the service. The evaluation of an Enforcement Policy results in one or more Enforcement Profiles; each Enforcement Profile wraps the access control attributes sent to the Network Access Device.

Figure 193: Flow of Control of Policy Manager Enforcement

Configuring Enforcement Profiles

You configure Policy Manager Enforcement Profiles globally, but they must be referenced in an enforcement policy that is associated with a Service to be evaluated. From the Enforcement Policies page (Configuration > Enforcement > Policies), you can configure an Enforcement Profile for a new enforcement policy (as part of the flow of the Add Enforcement Policy wizard), or modify an existing Enforcement Profile directly

Figure 194: Enforcement Profiles Page

Policy Manager comes pre-packaged with the following system-defined enforcement profiles:
- [Allow Access Profile]. System-defined RADIUS profile to allow network access; Policy Manager sends a RADIUS Access-Accept message with no attributes.
- [Deny Access Profile]. System-defined RADIUS profile to deny network access; Policy Manager sends a RADIUS Access-Reject message with no attributes.
- [Drop Access Profile].

Figure 195: Add Enforcement Profile Page

Policy Manager comes pre-packaged with several enforcement profile templates:
- VLAN Enforcement - All RADIUS attributes for VLAN enforcement are pre-filled in this template.
- Dell RADIUS Enforcement - RADIUS template that can be filled with attributes from the Dell RADIUS dictionaries loaded into Policy Manager.
- Generic Application Enforcement - Application specific enforcement profile with customization attribute-value pairs for authorization of generic applications.
- CLI Based Enforcement - Enforcement profile that encapsulates CLI commands to be issued to the network device. The "Target Device" attribute specifies the device on which the "Command" attribute is executed.
- Agent Enforcement - Enforcement profile that encapsulates attributes sent to the Dell W-OnGuard agent.

A - VLAN Enforcement; B - Filter ID Based Enforcement; C - Cisco Downloadable ACL Enforcement; D - Cisco Web Authentication Enforcement; E - Generic RADIUS Enforcement; F -

Figure 196: RADIUS Enforcement Profile (Attributes Tab)

Figure 197: RADIUS Enforcement Profile (Attributes Tab) - Generic RADIUS Enforcement Profile

Table 121: RADIUS Enforcement Profile (Attributes tab)
Enforcement Profile Template | Description
A - VLAN Enforcement | Enforcement profile template to set IETF RADIUS standard VLAN attributes.
B - Filter ID Based Enforcement | Enforcement profile template to set IETF RADIUS standard filter ID attribute.
C - Cisco Downloadable ACL Enforcement | Enforcement profile template for Cisco IOS downloadable ACLs.
D - Cisco Web Authentication Enforcement | Enforcement profile template to set Cisco Web Authentication ACLs.
SNMP Enforcement Profiles

The SNMP tab contains a VLAN identifier and timeout.

Figure 198: SNMP Enforcement Profile (SNMP Tab)

The SNMP Enforcement Profile SNMP tab loads the SNMP dictionary attributes supported by Policy Manager.

Table 122: SNMP Enforcement Profile (SNMP tab)
Interface | Description
VLAN Id | VLAN ID to be sent to the device.
Session Timeout | Session timeout in seconds.

Figure 199: TACACS+ Enforcement Profiles (Services Tab)

Table 123: TACACS+ Enforcement Profile (Services tab)
Container | Description
Privilege Level | Enter a value from 0 to 15. NOTE: Refer to your network device documentation for definitions of the different privilege levels.
Selected Services | To add supported services, click Add. To remove a service, select it and click Remove.

Figure 200: TACACS+ Enforcement Profiles (Commands tab)

Table 124: Commands tab (TACACS+ Enforcement Profiles)
Container | Description
Service Type | Select the Shell or PIX shell radio button. Subsequent selections in this tab configure commands and arguments allowed/disallowed for this selection.
Unmatched Commands | Enable to permit commands that are not explicitly entered in the Commands field.
Commands | Contains a list of the commands recognized for the specified Service Type. To add a command, click Add.

Figure 201: Application Enforcement Profiles (Attributes Tab)

Table 125: Application Enforcement Profiles (Attributes tab)
Container | Description
PrivilegeLevel | Enter a predefined value: Admin, Sponsor, Helpdesk; or enter an application-specific custom value. NOTE: Sponsor is only valid for the Guest application.
SponsorProfileName | Valid only for the Guest application. This is the (case-sensitive) name of the sponsor profile defined in the Guest application.

Agent.

Figure 203: Agent Enforcement Profile (Attributes Tab)

Table 127: Agent Enforcement Profiles (Attributes tab)
Container | Description
Bounce Client | If checked, the endpoint is bounced by the OnGuard agent (this feature is only available with the persistent agent).
Message | A custom message to send to the endpoint.
Session Timeout (in seconds) | Timeout after which the OnGuard agent forces a reauthentication on the endpoint.

Table 128: Post Authentication Enforcement Profiles
Enforcement Profile Template | Description
A - ClearPass Entity Update Enforcement | Enforcement profile template used to update tags in endpoints and guest users. Type is any endpoint, guest user, or a session update. Name is the name of an attribute associated with an endpoint, guest user, or a session update. If the type is session update, the tags are updated for either an endpoint or a guest user. Value is the value of the attribute.

Figure 206: Add Enforcement Policy (Enforcement tab)

Table 129: Add Enforcement Policy (Enforcement tab)
Parameter | Description
Name / Description | Freeform label and description.
Type | Select RADIUS, TACACS+, WebAuth (SNMP/CLI) or Application. Based on this selection, the Default Profile list shows the right type of enforcement profiles in the dropdown list (see below).

Figure 208: Add Enforcement Policy (Rules Editor)

Table 130: Add Enforcement Policy (Rules tab)
Field | Description
Add/Edit Rule | Bring up the rules editor to add/edit a rule.
Move Up/Down | Reorder the rules in the enforcement policy.
Remove Rule | Remove a rule.

Table 131: Add Enforcement Policy (Rules Editor)
Field | Description
Conditions / Enforcement Profiles | Select conditions for this rule. For each condition, select a matching action (Enforcement Profile).
Chapter 18
Network Access Devices

A Policy Manager Device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol.

Figure 210: Device tab

Table 132: Device tab
Container | Description
Name / Description | Specify identity of the device.
IP Address or Subnet | Specify the IP address or the subnet (e.g., 192.168.5.0/24) of the device.
RADIUS/TACACS+ Shared Secret | Enter and confirm a Shared Secret for each of the two supported request protocols.
Vendor | Optionally, specify the dictionary to be loaded for this device.

Figure 211: SNMP Read/Write Settings tabs

Figure 212: SNMP Read/Write Settings tabs - SNMP v3 Details

Table 133: SNMP Read/Write Settings tabs
Container | Description
Allow SNMP Read/Write | Toggle to enable/disable SNMP Read/Write.
Default VLAN (SNMP Write only) | VLAN port setting after SNMP-enforced session expires.
SNMP Read/Write Setting | SNMP settings for the device.
(continued) Table Info | a way to discover endpoints in the network. Static IP endpoints discovered this way are further probed via SNMP to profile the device.

Table 134: CLI Settings tab
Container | Description
Allow CLI Access | Toggle to enable/disable CLI access.
Access Type | Select SSH or Telnet. Policy Manager uses this access method to log into the device CLI.
Port | SSH or Telnet TCP port number.
Username / Password | Credentials to log into the CLI.
Username Prompt Regex | Regular expression for the username prompt. Policy Manager looks for this pattern to recognize the telnet username prompt.
Policy Manager lists all configured device groups in the Device Groups page: Configuration > Network > Device Groups.

Figure 214: Device Groups Page

To add a Device Group, click Add Device Group. Complete the fields in the Add New Device Group popup:

Figure 215: Add New Device Group Popup

Table 135: Add New Device Group popup
Container | Description
Name / Description / Format | Specify identity of the device.
Subnet | Enter a subnet consisting of network address and the network suffix (CIDR notation); for example, 192.168.5.0/24
Regular Expression | Specify a regular expression that represents all IPv4 addresses matching that expression; for example, ^192(.[0-9]*){3}$
List: Available/Selected Devices | Use the widgets to move device identifiers between Available and Selected. Click Filter to filter the list based on the text in the associated text box.
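The three entry formats in Table 135 (and the same subnet / IP address / regular expression choice offered by the Static Host List Host Format field and the Device tab's IP Address or Subnet field), worked through as an added example that is not part of the guide and not ClearPass Policy Manager code. It matches an address against a constructed device group and shows a check a practitioner should run on the table's sample pattern ^192(.[0-9]*){3}$: the unescaped dot matches any character, so the pattern also accepts strings that are not IPv4 addresses. The tightened pattern, the sample entries and the addresses are this example's own.

```python
"""Match a NAD address against Device Group / Static Host List entries.

Added example, not ClearPass Policy Manager code. Shows the three entry
formats the guide lists (CIDR subnet, single IP address, regular expression)
and why the guide's sample pattern should be tightened. Entries and addresses
below are constructed.
"""
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

Entry = Tuple[str, str]   # (kind, value); kind is "subnet", "ip" or "regex"

GUIDE_REGEX = r"^192(.[0-9]*){3}$"          # as quoted in Table 135
TIGHT_REGEX = r"^192(\.[0-9]{1,3}){3}$"     # this example's hardened form


def parse_address(address: str) -> Optional[ipaddress.IPv4Address]:
    """Return the parsed IPv4 address, or None if the string is not one."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return None
    return addr if isinstance(addr, ipaddress.IPv4Address) else None


def in_subnet(address: str, cidr: str) -> bool:
    """True when `address` is an IPv4 address inside the CIDR block."""
    addr = parse_address(address)
    return addr is not None and addr in ipaddress.ip_network(cidr, strict=False)


def regex_matches(pattern: str, address: str) -> bool:
    # fullmatch: a pattern without anchors still cannot match a substring
    return re.fullmatch(pattern, address) is not None


def matching_entries(address: str, entries: Sequence[Entry]) -> List[Entry]:
    """Return every entry that covers `address`, in configured order."""
    hits: List[Entry] = []
    addr = parse_address(address)
    for kind, value in entries:
        if kind == "subnet":
            ok = in_subnet(address, value)
        elif kind == "ip":
            ok = addr is not None and addr == ipaddress.ip_address(value)
        elif kind == "regex":
            ok = regex_matches(value, address)
        else:
            raise ValueError(f"unknown entry kind {kind!r}")
        if ok:
            hits.append((kind, value))
    return hits


# Constructed device group mixing all three formats.
EXAMPLE_GROUP: List[Entry] = [
    ("subnet", "192.168.5.0/24"),
    ("ip", "10.1.1.1"),
    ("regex", GUIDE_REGEX),
]

if __name__ == "__main__":
    for probe in ("192.168.5.77", "10.1.1.1", "192x168x5x1"):
        print(probe, matching_entries(probe, EXAMPLE_GROUP))
```

Because a regular expression entry is applied to the request's source address as a string, the matcher checks it even when the string does not parse as an address. The hardened pattern requires literal dots and one to three digits per octet; it still does not enforce the 0-255 octet range, so where the intended set is a contiguous range, a Subnet entry is the more precise choice.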
Figure 216: Proxy Targets Page

Add a Proxy Target

To add a Proxy Target, click Add Proxy Target, and complete the fields in the Add Proxy Target popup. You can also add a new proxy target from the Services page (Configuration > Service), as part of the flow of the Add Service wizard for a RADIUS Proxy Service Type.

Figure 217: Add Proxy Target Popup

Table 136: Add Proxy Target popup
Container | Description
Name / Description | Freeform label and description.

Additional Available Tasks

- To import a Proxy Target, click Import Proxy Targets. In the Import from File popup, browse to select a file, then click Import.
- To export all Proxy Targets from the configuration, click Export Proxy Targets. In the Export to File popup, specify a file path, and then click Export.
- To export a single Proxy Target from the configuration, select it (check box on left), then click Export. In the Save As popup, specify a file path, and then click Export.
Chapter 19 Administration All administrative activities including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance are done from the Administration menus. The Policy Manager Administration menu provides the following interfaces for configuration: Dell Networking W-ClearPass Policy Manager 6.
Admin Users
The Policy Manager Admin Users menu (Administration > Users and Privileges > Admin Users) provides the following interfaces for configuration:
- "Add User" on page 250
- "Import Users" on page 251
- "Export Users" on page 252
- "Export" on page 252

Figure 218: Admin Users

Table 137: Admin Users
  Add User: Opens the Add User popup form.
  Import Users: Opens the Import Users popup form.
  Export Users: Exports all users to an XML file.
Figure 219: Add Admin User

Table 138: Add Admin User
  User ID / Name / Password / Verify Password: Specify the identity and password for a new admin user.
  Privilege Level: Select a privilege level: Help Desk, Super Administrator, Network Administrator, Receptionist, or any other custom privilege level.
  Add/Cancel: Add or dismiss changes.

Import Users
Select the Import Users link in the upper right portion of the page.
Table 139: Import (Admin) Users
  Select file: Browse to select the name of the admin user import file.
  Enter secret key for file (if any): Enter the secret key used (while exporting) to protect the file.
  Import/Cancel: Commit or dismiss the import.

Export Users
Select the Export Users link from the upper right portion of the page. The Export (Admin) Users link exports all (admin) users. Click Export.
To create a custom admin privilege
1. Using a plain text or XML editor (not a word processor such as Microsoft Word), create an XML file that defines a privilege and its definition. (See the following sections for information on the XML structure and privilege definitions.)
2. Go to Administration > Users and Privileges > Admin Privileges.
3. Import the admin privilege file you created in step 1. See Importing for details. The admin privilege is added to the list.
  - Audit Viewer: taskId="mon.av"
  - Event Viewer: taskId="mon.ev"
  - Data Filters: taskId="mon.df"
- Configuration: taskId="con"
  - Start Here (Services Wizard): taskId="con.sh"
  - Services: taskId="con.se"
  - Service Templates: taskId="con.st"
  - Authentication: taskId="con.au"
    - Methods: taskId="con.au.am"
    - Sources: taskId="con.au.as"
  - Identity: taskId="con.id"
    - Single Sign-On: taskId="con.id.sso"
    - Local Users: taskId="con.id.lu"
    - Guest Users: taskId="con.id.
- External Servers: taskId="adm.xs"
  - SNMP Trap Receivers: taskId="adm.xs.st"
  - Syslog Targets: taskId="adm.xs.es"
  - Syslog Export Filters: taskId="adm.xs.sx"
  - Messaging Setup: taskId="adm.xs.me"
- Certificates: taskId="adm.cm"
  - Server Certificate: taskId="adm.cm.mc"
  - Trust List: taskId="adm.cm.ctl"
  - Revocation List: taskId="adm.cm.crl"
- Dictionaries: taskId="adm.di"
  - RADIUS: taskId="adm.di.rd"
  - Posture: taskId="adm.di.pd"
  - TACACS+ Services: taskId="adm.di.
//Refers to Local Users Section

- "Shutdown/Reboot" on page 271
- "Drop Subscriber" on page 272

Figure 222: Server Configuration

Clicking on the server row provides the following interfaces for configuration:
- "System Tab" on page 272
- "Services Control Tab" on page 275
- "Service Parameters Tab" on page 275
- "System Monitoring Tab" on page 283
- "Network Tab" on page 284

Set Date/Time
Navigate to Administration > Server Manager > Server Configuration, and click on the Set Date and Time link.
Figure 223: Change Date and Time - Date & Time tab

Table 140: Change Date and Time - Date & Time tab
  Date in yyyy-mm-dd format / Time in hh:mm:ss format: To specify the date and time, use the indicated syntax. This is available only when Synchronize time with NTP server is unchecked.
  Synchronize Time With NTP Server: To synchronize with a Network Time Protocol server, enable this check box and specify the NTP servers. Only two servers may be specified.
Figure 224: Time zone on publisher

Change Cluster Password
Navigate to Administration > Server Manager > Server Configuration, and click on the Change Cluster Password link. Use this function to change the cluster-wide password.

NOTE: Changing this password also changes the password for the CLI user 'appadmin'.

Figure 225: Change Cluster Password
Table 141: Change Cluster Password
  New Password / Verify Password: Enter and confirm the new password.
  Save/Cancel: Commit or dismiss changes.

Manage Policy Manager Zones
CPPM shares a distributed cache of runtime state across all nodes in a cluster.
Table 142: Policy Manager Zones
  Name: Enter the name of the configured Policy Manager Zone.
  Delete: Select the delete (trashcan) icon to delete a zone.

NetEvents Targets
NetEvents is a collection of details from ClearPass Policy Manager, such as users, endpoints, guests, authentications, accounting details, and so on. This information is periodically posted to a server that is configured as the NetEvents target.
node becomes available again, the Virtual IP address is released to the primary.

Figure 228: Virtual IP Settings

Table 144: Virtual IP Settings Parameters
  Virtual IP: Enter the IP address you want to define as the virtual IP address.
  Node: Select the servers to use as the primary and secondary nodes.
  Interface: Select the interface on each server where the virtual IP address should be bound.
  Subnet: This value is entered automatically; you do not need to change it.
Figure 229: Add Subscriber Node

Table 145: Add Subscriber Node
  Publisher IP / Publisher Password: Specify the publisher address and password. Note that the password specified here is the password for the CLI user appadmin.
  Restore the local log database after this operation: Enable to restore the log database following the addition of a subscriber node.
Table 146: Upload Nessus Plugins
  Select File: Click Browse and select the plugins file with the extension tar.gz.
  Enter secret for the file (if any): Always leave this blank.
  Import/Cancel: Load the plugins, or dismiss. If there are a large number of plugins, the load time can be in the order of minutes.

Cluster-Wide Parameters
Navigate to the Administration > Server Manager > Server Configuration page, and click on the Cluster-Wide Parameters link.
Figure 233: Cluster-Wide Parameters dialog box, Notification tab
Figure 234: Cluster-Wide Parameters dialog box, Standby Publisher tab
Figure 235: Cluster-Wide Parameters dialog box, Virtual IP Configuration tab
Table 147: Cluster-Wide Parameters
General
  Policy result cache cleanup timeout: The number of minutes to store the role mapping and posture results derived by the policy engine during policy evaluation. This result can then be used in subsequent evaluation of policies associated with a service, if "Use cached Roles and Posture attributes from previous sessions" is turned on for the service. A value of 0 disables caching.
  stored on disk.
  Known or disabled endpoints cleanup interval: This controls how often (in days) endpoints with a status of Known or Disabled are cleaned up from the endpoints table.
  Unknown endpoints cleanup interval: This controls how often (in days) endpoints with a status of Unknown are cleaned up from the endpoints table.
  Failover Wait Time: Enter the number of minutes for the Secondary node to wait after Primary node failure before it acquires the Virtual IP Address. The default is 10 minutes, so the Secondary node doesn't take over unnecessarily in conditions where the Primary node's unavailability is brief, such as a restart.
Virtual IP Configuration
  Failover Wait Time: Enter the number of seconds for the Secondary node to wait after Primary node failure before it acquires the Virtual IP Address.
5. Enter the time period of the information you want to collect. Either:
  - Enter a number of days. The end of the time period is the moment you start the collection, and the beginning is that moment minus 24 hours multiplied by the number of days you enter.
  - Click the Specify date range check box, then enter a Start date and End date in yyyy.mm.dd format.
6. Click Start. You'll see the progress of the information collection. When finished:
7.
Figure 238: Post-Backup Popup

Table 148: Back Up
  Generate filename / Filename: Enable to have Policy Manager generate a filename; otherwise, specify Filename. Backup files are in the gzipped tar format (tar.gz extension). The backup file is automatically placed in the Shared Local Folder under folder type Backup Files (see "Local Shared Folders" on page 289).
  Do not backup log database: Select this if you do not want to back up the log database.
Figure 239: Restore

Table 149: Restore
  Restore file location: Select either Upload file to server or File is on server.
  Upload file path: Browse to select the name of the backup file (shown only when the Upload file to server radio button is selected).
  Shared backup files present on the server: Select a file from the files in the local shared folders (see "Local Shared Folders" on page 289). This is shown only when the File is on server radio button is selected.
Drop Subscriber
Navigate to the Administration > Server Manager > Server Configuration page, and click on the Drop Subscriber button to drop a subscriber from the cluster. Note that this button is not seen in a single node deployment.

System Tab
Navigate to the Administration > Server Manager > Server Configuration page, and click on a server name in the table. The Server Configuration form opens by default on the System tab.
  Port: Subnet Mask
  Management Port: Default Gateway: Default gateway for the management interface.
  Data/External Port: IP Address: Data interface IP address. All authentication and authorization requests arrive on the data interface.
Figure 241: Join Active Directory Domain

Table 151: Join AD Domain
  Domain Controller: Fully qualified name of the Active Directory domain controller.
  Short Name NETBIOS name (optional): The short name or NETBIOS name of the domain. Enter this value only if it is different from your regular Active Directory domain name (usually a shorter name). Contact your AD administrator about the NETBIOS name.
Services Control Tab
From the Services Control tab, you can view the status of a service and control (stop or start) Policy Manager services.

Figure 242: Services Control Tab

Service Parameters Tab
Navigate to the Service Parameters tab to change system parameters of the services.
  primary server again.
  External Posture Server Thread Pool Size: This specifies the number of threads to use for posture servers.
  External Posture Server Primary Retry Interval: Once a primary posture server is down, Policy Manager connects to one of the backup servers. This parameter specifies how long Policy Manager waits before it tries to connect to the primary server again.

  Maximum Response Delay: Time delay before retrying a proxy request, if the target server has not responded.
  Maximum Reactivation Time: Time to elapse before retrying a dead proxy server.
  Maximum Retry Counts: Maximum number of times to retry a proxy request if the target server doesn't respond.
Security
  Reject Packet Delay: Delay time before sending an actual RADIUS Access-Reject after the server decides to reject the request.
  Maximum Attributes: Maximum number of RADIUS attr

  EAP-TLS Fragment Size: Maximum size of an EAP-TLS fragment.
  Use Inner Identity in Access-Accept Reply: Specify TRUE or FALSE.
  TLS Session Cache Limit: Number of TLS sessions to cache before purging the cache (used in TLS based 802.
Table 154: Service Parameters tab - TACACS server
  TACACS+ Profiles Cache Timeout: This specifies the time (in seconds) for which TACACS+ profile result entries are cached by Policy Manager.

Use the ClearPass system service parameters to configure PHP, and to configure a proxy server if all your HTTP traffic flows through one.
HTTP Proxy
  Proxy Server: Hostname or IP address of the proxy server.
  Port: Port at which the proxy server listens for HTTP traffic.
  Username: Username to authenticate with the proxy server.
  Password: Password to authenticate with the proxy server.

The ClearPass Network Services parameters aggregate service parameters from the following services:
- DhcpSnooper Service
- Snmp Service
- WebAuth Service
- Posture Service

Figure 247: ClearPass Network Services Parameters

Table 15
  DHCP Request Probation Time: Number of seconds to wait before considering the MAC to IP binding received in a DHCPREQUEST message as final.
PostureService
  Audit Thread Pool Size: This specifies the number of threads to use for connections to audit servers.
  Audit Result Cache Timeout: This specifies the time (in seconds) for which audit result entries are cached by Policy Manager.
  Audit Host Ping Timeout: This specifies the number of seconds for which Policy Manager pings an end-host before giving up and deeming the host to be unreachable.
  15 Min CPU load average Threshold

System Monitoring Tab
Navigate to the System Monitor tab to configure the SNMP parameters. This ensures that external Management Information Base (MIB) browsers can browse the system level MIB objects exposed by the Policy Manager appliance.
  SNMP Configuration: SNMP v3: Authentication Protocol / Authentication Key: Authentication protocol (MD5 or SHA) and key.
  SNMP Configuration: SNMP v3: Privacy Protocol / Privacy Key: Privacy protocol (DES or AES) and key.

Network Tab
Navigate to the Network tab to create GRE tunnels and VLANs related to guest users, and to control what applications have access to the node.
Table 159: Creating GRE Tunnel
  Display Name: Optional name for the tunnel interface. This name is used to identify the tunnel in the list of network interfaces.
  Local Inner IP: Local IP address of the tunnel network interface.
  Remote Outer IP: IP address of the remote tunnel endpoint.
  Remote Inner IP: Remote IP address of the tunnel network interface. Enter a value here to automatically create a route to this address through the tunnel.
  Create/Cancel: Commit or dismiss changes.
  IP Address: IP address of the VLAN.
  Netmask: Netmask for the VLAN.
  Create/Cancel: Commit or dismiss changes.

Your network infrastructure must support tagged 802.1Q packets on the physical interface selected. VLAN ID 1 is often reserved for use by certain network management components; avoid using this ID unless you know it will not conflict with a VLAN already defined in your network.
  Network: Enter one or more hostnames, IP addresses, or IP subnets, separated by commas. The devices defined by what you enter here will be either specifically allowed or specifically denied access to the application you select.
  WARN, ERROR, FATAL. Set this option first, and then override any modules as necessary.
  Module Name & Log Level: If the Module Log Level Settings option is enabled, select log levels for each of the available modules (listed in decreasing level of verbosity): DEBUG, INFO, WARN, ERROR, FATAL.
  Restore Defaults/Save: Click Save to save changes or Restore Defaults to restore default settings.
  Service Name / Enable Syslog / Syslog Filter Level: For each service, you can select the Enable Syslog check box and then override the Syslog Filter level. The current Syslog Filter level is based on the default log level specified on the Service Log Configuration tab.
  Restore Defaults/Save: Click Save to save changes or Restore Defaults to restore default settings.
NOTE: On a VM instance of CPPM, the permanent license must be entered.

These licenses are listed in the tables on the License Summary tab. There is one entry per server node in the cluster. All application licenses are also listed on the Applications tab. In this release, you can add and activate OnGuard, Guest, Onboard, and Enterprise application licenses. The Summary section shows the number of purchased licenses for Policy Manager, OnGuard, Guest, and Onboard.
Figure 259: Add License dialog box

Table 164: Add a License
  Product: Select a product from the drop-down menu.
  License Key: Enter the license key for the new license.
  Terms and Conditions: Read the Terms and Conditions before adding a license. You must select the I agree to the above terms and conditions check box to enable the Add button.

Activating an Application License
Adding an application license adds an Application tab on the Licensing page.
To update a license
1. Go to Administration > Server Manager > Licensing.
2. Click the Applications tab.
3. Click an application anywhere except in the Activation Status column. The Update License dialog box appears.
4. Enter the New License Key.
5. Read the Terms and Conditions, then select the I agree to the above terms and conditions check box.
6. Click Update.

SNMP Trap Receivers
Policy Manager sends SNMP traps that expose the following server information:
- System uptime.
Figure 260: SNMP Trap Receivers Listing Page

Table 165: SNMP Trap Receivers
  Add Trap Server: Opens the Add Trap Server popup.
  Import Trap Server: Opens the Import Trap Server popup.
  Export Trap Server: Opens the Export Trap Server popup.
  Export: Opens the Export popup.
  Delete: To delete an SNMP Trap Configuration, select it (using the check box at the left), and then click Delete.
  installed.
  Description: Freeform description.
  SNMP Version: V1 or V2C.
  Community String / Verify Community String: Community string for sending the traps.
  Server Port: Port number for sending the traps; by default, port 162. NOTE: Configure the trap server firewall for traffic on this port.
  Save/Cancel: Click Save to commit the configuration or Cancel to dismiss.
Select the SNMP Trap server that you want to export (using the check box at the left) and click the Export button in the lower-right corner of the page. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the export.

Syslog Targets
Policy Manager can export session data (seen in the Access Tracker), audit records (seen in the Audit Viewer) and event records (seen in the Event Viewer).
Figure 264: Add Syslog Target

Table 169: Add Syslog Target
  Host Address: Syslog server hostname or IP address.
  Description: Freeform description.
  Server Port: Port number for sending the syslog messages; by default, port 514.
  Save/Cancel: Click Save to commit the configuration or Cancel to dismiss.

Import Syslog Target
Navigate to Administration > External Servers > Syslog Targets and select Import Syslog Target.
The Export Syslog Target link exports all configured syslog targets. Click Export Syslog Target. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the Syslog Target configuration.

Export
Navigate to Administration > External Servers and select the Syslog Targets button. To export a syslog target, select it (check box at left) and click Export.
  Export: Opens the Export popup.
  Delete: To delete a Syslog Filter, select it (check box at left) and click Delete.

Add Syslog Filter
To add a Syslog Filter, navigate to Administration > External Servers > Syslog Filters > Add Syslog Filter. Refer to the following image.

Figure 267: Add Syslog Filters (General tab)

Table 172: Syslog Export Filters Configuration
  Name/Description: Freeform label.
NOTE: We recommend that users who choose the Custom SQL method contact Support. Support can assist you with entering the correct information in this template.

Figure 268: Add Syslog Filters (Filter and Columns tab)

Table 173: Add Syslog Filters (Filter and Columns tab)
  Data Filter: Specify the data filter. The data filter limits the type of records sent to the syslog target.
  Modify / Add new Data filter: Modify the selected data filter, or add a new one.
Figure 269: Import Syslog Filter

Table 174: Import from File
  Select File: Browse to the Syslog Filter configuration file to be imported.
  Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
  Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.

Export Syslog Filter
Navigate to Administration > External Servers > Syslog Filters and select the Export Syslog Filter link.
Figure 270: Messaging Setup (SMTP Servers)

Table 175: Messaging Setup (SMTP Servers tab)
  Select Server: Specify the server for which to configure messaging. All nodes in the cluster appear in the drop-down list.
  Use the same settings for sending both emails and SMSes: Check this box to configure the same settings for both your SMTP and SMS email servers. This box is checked by default.
  Server name: Fully qualified domain name or IP address of the server.
Figure 271: Messaging Setup (Mobile Service Providers tab)

Table 176: Messaging Setup (Mobile Service Providers tab)
  Add: Add a mobile service provider.
  Provider Name: Name of the provider.
  Mail Address: Domain name of the provider.

Endpoint Context Servers
Policy Manager provides the ability to collect endpoint profile information from different types of Dell W-Series IAPs and RAPs via Aruba Activate.
You can:
- Add an endpoint context server
- Modify an endpoint context server
- Importing
- Exporting
- Delete an endpoint context server

Add an endpoint context server
To add an endpoint context server:
1. Go to Administration > External Servers > Endpoint Context Servers.
2. Click Add Context Server.
3. Select a Server Type. The server type determines what other configuration options you enter.
4. Enter the rest of the server configuration information.
  Server Name: Enter a valid server name. This can be either a human-readable name, such as yourserver.yourcompany.com, or an IP address.
  Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
  Username/password: Enter the username and password (twice) for the server.
Figure 273: Server Certificates

Table 178: Server Certificate
  Create Self-Signed Certificate: Opens the Create Self-Signed Certificate popup.
  Create Certificate Signing Request: Opens the Create Certificate Signing Request popup.
  Select Server: Select a server in the cluster for server certificate operations.
  Export: Opens the Export popup.
  Import: Opens the Import popup.
Figure 274: Create Self-Signed Certificate

After you click Submit, you will be prompted to install the self-signed certificate.

Figure 275: Generated Self Signed Certificate

Table 179: Create Self-Signed Certificate
  Common Name (CN): Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required.
  Organization (O): Name of the organization. This field is optional.
  Organizational Unit (OU): Name of a department, division, section, or other meaningful name. This field is optional.
  State (ST): State, country, and/or another meaningful location. These fields are optional.
Figure 276: Create Certificate Signing Request

A generated certificate signing request displays after you click Submit. Copy it and paste it into the Web form as part of the enrollment process.

Figure 277: Generated Certificate Signing Request

Table 180: Create Certificate Signing Request
  Common Name (CN): Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required.
  Organization (O): Name of the organization. This field is optional.
  Organizational Unit (OU): Name of a department, division, section, or other meaningful name. This field is optional.
  State (ST) / Country (C) / Location (L): State, country, and/or another meaningful location. These fields are optional.
  Subject Alternate Name (SAN): Alternative names for the specified Common Name.
Table 181: Import Server Certificate
  Certificate File: Browse to the certificate file to be imported.
  Private Key File: Browse to the private key file to be imported.
  Private Key Password: Specify the private key password.
  Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.

Certificate Trust List
To display the list of trusted Certificate Authorities (CAs), navigate to Administration > Certificates > Certificate Trust List.
Figure 280: Add Certificate

Table 183: Add Certificate
  Certificate File: Browse to select the certificate file.
  Add Certificate/Cancel: Click Add Certificate to commit, or Cancel to dismiss the popup.

Revocation Lists
To display available Revocation Lists, navigate to Administration > Certificates > Revocation Lists. To add a revocation list, click Add Revocation List. To delete a revocation list, select the check box to the left of the list and then click Delete.
Figure 282: Add Certificate Revocation List

Table 185: Add Revocation List
  File: Selecting File enables the Distribution File option.
  Distribution File: Specify the distribution file (e.g., C:/distribution/crl.verisign.com/Class3InternationalServer.crl) from which to fetch the certificate revocation list.
  URL: Selecting URL enables the Distribution URL option.
  Distribution URL: Specify the distribution URL (e.g., http://crl.verisign.com/Class3InternationalServer.crl) from which to fetch the certificate revocation list.
Click on a row to view the dictionary attributes, to enable or disable the dictionary, and to export the dictionary. For example, click on vendor IETF to see all IETF attributes and their data types.

Figure 284: RADIUS IETF Dictionary Attributes

Table 186: RADIUS Dictionary Attributes
  Export: Click to save the dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.
  Enable/Disable: Enable or disable this dictionary.
Table 187: Import RADIUS Dictionary
  Select File: Browse to select the file that you want to import.
  Enter secret for the file (if any): If the file that you want to import is password protected, enter the secret here.

Posture Dictionaries
To add a new vendor posture dictionary, click on Import Dictionary. To edit an existing dictionary, export it, edit the exported XML file, and then import the dictionary.
Table 189: Posture Dictionary Attributes
  Export: Click to save the posture dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.

TACACS+ Services
To view the contents of the TACACS+ service dictionary, sorted by Name or Display Name, navigate to Administration > Dictionaries > TACACS+ Services. To add a new TACACS+ service dictionary, click on the Import Dictionary link.
Figure 288: Shell Service Dictionary Attributes

Fingerprints
The Device Fingerprints table shows a listing of all the device fingerprints recognized by the Profile module. These fingerprints are updated from the Dell W-ClearPass Update Portal (see "Update Portal" on page 325 for more information).

Figure 289: Device Fingerprints

You can click on a line in the Device Fingerprints list to drill down and view additional details about the category.
Figure 290: Device Fingerprints

Attributes
The Administration > Dictionaries > Attributes page allows you to specify unique sets of criteria for LocalUsers, GuestUsers, Endpoints, and Devices. This information can then be used with role-based device policies for enabling appropriate network access.
Figure 291: Attributes page

Table 191: Attribute settings
  Filter: Use the drop-down menu to create a search based on the available Name, Entity, Data Type, Is Mandatory, or Allow Multiple settings.
  Name: The name of the attribute.
  Entity: Shows whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
  Data Type: Shows whether the data type is string, integer, boolean, list, text, date, MAC address, or IPv4 address.
Figure 292: Add Attributes

Enter information in the fields described in the following table. Click Add when you are done. To modify attributes in an existing service dictionary, select the attribute, make any necessary changes, and then click Save.

Table 192: Add Attribute settings
  Entity: Specify whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
  Name: Enter a unique ID for this attribute.
Table 193: Import from File settings
  Select File / Enter secret for the file: Browse to the dictionary file to be imported. Enter the secret key (if any) that was used to export the dictionary.
  Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.

Export Attributes
Select Export Attributes on the upper right portion of the page to export all attributes. The Export Attributes button saves the file Attributes.zip. The zip file has the server certificate (.
2. Click the name of an application. The Application Attributes dialog box appears.

Delete an application dictionary
In general, you should have no need to delete an application dictionary. They have no effect on Policy Manager performance.

To delete an application dictionary
1. Go to Administration > Dictionaries > Applications.
2. Click the check box next to an application name.
3. Click Delete.

OnGuard Settings
Navigate to the Administration > Agents and Software Updates > OnGuard Settings page.
Figure 294: OnGuard Settings

Table 194: OnGuard Settings
  Global Agent Settings: Configure global parameters for OnGuard agents. Parameters include the following:
    - CacheCredentialsForDays: Select the number of days the user credentials should be cached on OnGuard agents.
    - WiredAllowedSubnets: Add a comma-separated list of IP or subnet addresses.
  text the "Check health - no authentication" mode.
  Client certificate check: Enable to also perform client certificate based authentication. OnGuard extracts the client certificate from the logged-in user's certificate store and presents it in the TLS exchange with Policy Manager.
  Agent action when an update is available: This setting determines what the agent does when an update is available. Options are Ignore, Download Installer, Notify User.
Figure 296: OnGuard Portal parameters

Global Portal Settings
  Name: Name is 'default'.
  Portal URL: This is the URL that presents the OnGuard portal page. (Note that this is automatically generated by Policy Manager.)
  Select Mode: Attribute names and value configuration for the portal. UsernameFormat: Format of the username sent in authentication requests.
  Customize Portal: Use the default template to edit the different fields as described above. To import a custom HTML file to be used as the OnGuard portal, select Upload custom template. Note that the following macros must be present in the custom HTML template:
    - _eTIPS_GUEST_PORTAL_HEADER_
    - _eTIPS_GUEST_PORTAL_BODY_
    - _eTIPS_GUEST_PORTAL_FORM_
  Title: Click on the current title text to change the way the title appears.
- Software upgrades for the ClearPass family of products
- Patch binaries, including Onboard, Guest Plugins and Skins

Updates are stored on ClearPass's webservice server. When a valid Subscription ID is saved, the Dell Networking W-ClearPass Policy Manager server periodically communicates with the webservice about available updates. It downloads any available updates to the Dell Networking W-ClearPass Policy Manager server.
NOTE: This button is enabled only on the publisher node.

Firmware & Patch Updates
- Import Updates: If the server is not able to reach the webservice server, click Import Updates to import the latest Firmware and Update patch binaries (obtained via support or other means) into this server.
Figure 299: Install Update

Table 196: Install Update dialog box buttons and descriptions
- Close: Click on this button to close the dialog box.
- Clear & Close: Click on this button to delete the log messages and close the popup. This also removes the corresponding row from the Firmware & Patch Updates table.
- Reboot: This button appears only for updates that require a reboot to complete the installation. Click on this button to initiate a reboot of the server.
... node unless it is made a Subscriber node. A Policy Manager cluster can contain only one Publisher node. Cluster commands can be used to change the state of the node; hence the Publisher can be made a Subscriber.

Upgrade the Image on a Single Policy Manager Appliance
Perform these steps to upgrade the image on a single Policy Manager appliance:
1. From the ClearPass Policy Manager UI, navigate to Administration > Agents and Software Updates > Software Updates.
Appendix A Command Line Configuration

The Policy Manager command line provides commands of the following types:
- "Cluster Commands" on page 333
- "Configure Commands" on page 336
- "Network Commands" on page 338
- "Service commands" on page 340
- "Show Commands" on page 341
- "System commands" on page 344
- "Miscellaneous Commands" on page 347

Available Commands

Table 197: Command Categories
- ad auth: See "Miscellaneous Commands" on page 347
- ad netleave: See "Miscellaneous Commands" on
- cluster set-cluster-passwd
- cluster set-local-passwd
- configure date
- configure dns
- configure hostname
- configure ip
- configure timezone
- dump certchain: See "Miscellaneous Commands" on page 347
- dump logs: See "Miscellaneous Commands" on page 347
- dump servercert: See "Miscellaneous Commands" on page 347
- exit: See "Miscellaneous Commands" on page 347
- help: See "Miscellaneous Commands" on page 347
- krb auth: See "Miscellaneous Commands" on page 347
- krb list: See "Miscellaneous Commands" on page 347
- ldapsearch: See
- service deactivate
- service list
- service restart
- service start
- service status
- service stop
- show date
- show dns
- show domain
- show all-timezones
- show hostname
- show ip
- show license
- show timezone
- show version
- system boot-image
- system gen-support-key
- system update
- system restart
- system shutdown
- system install-license
- system upgrade

Cluster Commands

The Policy Manager command line interface includes the following cluster commands:
- "drop-subscriber" on page 334
- "list" on page 334
- "make-publisher" o
- "set-local-passwd" on page 336

drop-subscriber
Removes the specified subscriber node from the cluster.
Syntax: cluster drop-subscriber [-f] [-i ] -s
Where:
Table 198: Drop-Subscriber Commands
- -f: Force drop, even for down nodes.
- -i: Management IP address of the node. If not specified and the current node is a subscriber, Policy Manager drops the current node.
- -s: Do not reset the database on the dropped node.
Continue? [y|Y]: y

make-subscriber
Makes this node a subscriber to the specified publisher node.
Syntax: make-subscriber -i [-l]
Where:
Table 199: Make-Subscriber Commands
- -i: Required. Publisher IP address.
- -l: Optional. Restore the local log database after this operation.
Example:
[appadmin]# cluster make-subscriber -i 192.168.1.1 -p !alore -l

reset-database
Resets the local database and erases its configuration.
set-local-passwd
Changes the local password. Executed locally; prompts for the new local password.
Example 2: Synchronize with a specified NTP server:
[appadmin]# -s

dns
Configures DNS servers. At least one DNS server must be specified; a maximum of three DNS servers can be specified.
Syntax: configure dns [secondary] [tertiary]
Example 1:
[appadmin]# configure dns 192.168.1.1
Example 2:
[appadmin]# configure dns 192.168.1.1 192.168.1.2
Example 3:
[appadmin]# configure dns 192.168.1.1 192.168.1.2 192.168.1.3

hostname
Configures the hostname.
timezone
Configures the time zone interactively.
Syntax: configure timezone
Example:
[appadmin]# configure timezone
configure timezone
*********************************************************
* WARNING: When the command is completed Policy Manager services *
* are restarted to reflect the changes.
Table 203: Network IP Delete Commands
- -i: Id of the rule to delete.

list
Lists all routing rules.
Syntax: network ip list

reset
Resets the routing table to the factory default setting. All custom routes are removed.
Syntax: network ip reset

Example 1:
[appadmin]# network ip add data -s 192.168.5.0/24
Example 2:
[appadmin]# network ip add data -s 192.168.5.12
Example 3:
[appadmin]# network ip list

nslookup
Returns the IP address of a host using DNS.
Table 205: Ping Commands
- -i: Optional. Originating IP address for ping.
- -t: Optional. Ping indefinitely.
- Host to be pinged.
Example:
[appadmin]# network ping -i 192.168.5.10 -t sun.us.arubanetworks.com

reset
Resets a network data port.
Syntax: network reset
Where:
Table 206: Reset Commands
- Required. Name of the network port to reset.
- start
- stop
- status
- restart
- activate
- deactivate
- list

The commands in this section have identical syntax; therefore, this section presents them as variations on .
Activates the specified Policy Manager service.
Syntax: service
Where:
Table 208: Action Commands
- action: Choose an action: activate, deactivate, list, restart, start, status, or stop.
- "date" on page 342
- "dns" on page 342
- "domain" on page 343
- "hostname" on page 343
- "ip" on page 343
- "license" on page 343
- "timezone" on page 344
- "version" on page 344

all-timezones
Interactively displays all available timezones.
Syntax: show all-timezones
Example:
[appadmin]# show all-timezones
Africa/Abidjan
Africa/Accra
.....
WET
Zulu

date
Displays System Date, Time, and Time Zone information.
domain
Displays Domain Name, IP Address, and Name Server information.
Syntax: show domain
Example:
[appadmin]# show domain

hostname
Displays the hostname.
Syntax: show hostname
Example:
[appadmin]# show hostname
show hostname
wolf

ip
Displays IP and DNS information for the host.
Syntax: show ip
Example:
[appadmin]# show ip
show ip
===========================================
Device Type : Management Port
------------------------------------------
IP Address : 192.168.5.227
Subnet Mask : 255.255.255.
Example:
[appadmin]# show license
show license

timezone
Displays the current system timezone.
Syntax: show timezone
Example:
[appadmin]# show timezone
show timezone

version
Displays the Policy Manager software version and hardware model.
Syntax: show version
Example:
[appadmin]# show version
=======================================
Policy Manager software version : 2.0(1).
Table 209: Boot-Image Commands
- -l: Optional. List boot images installed on the system.
- -a: Optional. Set the active boot image version, in A.B.C.D syntax.
Example:
[appadmin]# system boot-image

gen-support-key
Generates the support key for the system.
* WARNING: This command will shutdown all applications *
* and reboot the system *
********************************************************
Are you sure you want to continue? [y|Y]: y

shutdown
Shuts down the system.
Syntax: system shutdown
Example:
[appadmin]# system shutdown
********************************************************
* WARNING: This command will shutdown all applications *
* and power off the system *
********************************************************
Are you sure you want to continue? [y
Table 212: Upgrade Commands
- Required. Enter the file path, using either syntax shown in the two examples below.
Example 1:
[appadmin]# system upgrade admin@sun.us.arubanetworks.com:/tmp/PolicyManager-x86-64-upgrade-71.tgz
Example 2:
[appadmin]# system upgrade http://sun.us.arubanetworks.com/downloads/PolicyManager-x86-64upgrade-71.
Table 213: Ad Auth Commands
- Required. Username of the authenticating user.
Example:
[appadmin]# ad auth --username=mike

ad netjoin
Joins the host to the domain.
Syntax: ad netjoin [domain NETBIOS name]
Where:
Table 214: Ad Netjoin Commands
- Required. Host to be joined to the domain.
- [domain NETBIOS name]: Optional.
Example:
[appadmin]# ad netjoin atlas.us.arubanetworks.
Syntax: alias =
Where:
Table 215: Alias Commands
- =: Sets as the alias for .
- =: Removes the association.
Example 1:
[appadmin]# alias sh=show
Example 2:
[appadmin]# alias sh=

backup
Creates a backup of Policy Manager configuration data. If no arguments are entered, the system auto-generates a filename and backs up the configuration to this file.
Table 217: Dump Certchain Commands
- Specifies the hostname and SSL port number.
Example 1:
[appadmin]# dump certchain ldap.acme.com:636
dump certchain

dump logs
Dumps Policy Manager application log files.
Syntax: dump logs -f [-s yyyy-mm-dd] [-e yyyy-mm-dd] [-n ] [-t ] [-h]
Where:
Table 218: Dump Logs Commands
- -f: Specifies the target for the concatenated logs.
Example 1:
[appadmin]# dump servercert ldap.acme.com:636

exit
Exits the shell.
krb list
Lists the cached Kerberos tickets.
Syntax: krb list
Example:
[appadmin]# krb list

ldapsearch
The Linux ldapsearch command to find objects in an LDAP directory. (Note that only the Policy Manager-specific command line arguments are listed below. For other command line arguments, refer to the ldapsearch man pages on the Internet.)
- -p: Optional. Force restore from a backup file that does not have password fields present.
- -s: Optional. Restore cluster server/node entries from the backup. (Node entries are disabled on restore.)
Example:
[appadmin]# restore user@hostname:/tmp/tips-backup.tgz -l -i -c -s

quit
Exits the shell.
Syntax: quit
Example:
[appadmin]# quit
Appendix B Rules Editing and Namespaces

In the Policy Manager administration User Interface (UI) you use the same editing interface to create different types of objects:
- Service rules
- Role mapping policies
- Internal user policies
- Enforcement policies
- Enforcement profiles
- Post-audit rules
- Proxy attribute pruning rules
- Filters for Access Tracker and activity reports
- Attributes editing for policy simulation

When editing all these elements, you are presented with a tabular in
- RADIUS Namespace: Dictionaries in the RADIUS namespace come pre-packaged with the product. The administration interface also provides a way to add new dictionaries into the system (see "RADIUS Dictionaries" on page 312 for more information). The RADIUS namespace has the notation RADIUS:Vendor, where Vendor is the name of the company that defined the attributes in the dictionary.
... an LDAP-compliant directory, you need to define filters for that authentication source (see "Adding and Modifying Authentication Sources" on page 134 for more information).
- SQL Instance Namespace: For each instance of an SQL authentication source, there is an SQL instance namespace that appears in the rules editing interface. The SQL instance namespace consists of the attribute names that you defined when you created the instance of this authentication source.
- Client-Mac-Address: MAC address of the client
- Client-Mac-Address-Colon, Client-Mac-Address-Dot, Client-Mac-Address-Hyphen, Client-Mac-Address-Nodelim: Client MAC address in different formats
- Client-IP-Address: IP address of the client (if known)

The Connection namespace appears in the following editing contexts:
  - Service rules
  - Role mapping policies

- Authentication Namespace: The authentication namespace can be used in role mapping policies to define roles based on what kind
Attribute Name / Values
- Posture:
  - Capable - The client is capable of providing posture credentials
  - Collected - Posture credentials were collected from the client
  - Not-Capable - The client is not capable of providing posture credentials
  - Unknown - It is not known whether the client is capable of providing credentials
- Status:
  - None - No authentication took place
  - User - The user was authenticated
  - Machine - The machine was authenticated
  - Failed - Authentication failed
  - AuthSource-U
- MacAuth:
The Certificate namespace appears in the following editing contexts:
  - Role mapping policies

- Tips Namespace: The Tips namespace has two pre-defined attributes: Role and Posture. Values are assigned to these attributes at run-time after Policy Manager evaluates role mapping and posture related policies. The value for the Role attribute is a set of roles assigned by either the role mapping policy or the post-audit policy.
Table 226: Audit Namespace Attributes
- Audit-Status: AUDIT_SUCCESS, AUDIT_INPROGRESS or AUDIT_ERROR
- Device-Type: Type of device returned by an NMAP port scan
- Output-Msgs: The output message returned by the Nessus plugin after a vulnerability scan
- Network-Apps: String representation of the open network ports (http, telnet, etc.
- %{RADIUS:IETF:MACAddress-NoDelim}: MAC address of the client in aabbccddeeff format

Note that you can also use any other dictionary-based attributes (or the namespace attributes defined in this chapter) as variables in role mapping rules, enforcement rules, enforcement profiles and LDAP or SQL filters. For example, you can use %{RADIUS:IETF:Calling-Station-ID} or %{RADIUS:Airespace:Airespace-Wlan-Id} in rules or filters.
- CONTAINS: For string data type, true if the run-time value of the attribute is a substring of the configured value. E.g., RADIUS:IETF:NAS-Identifier CONTAINS "VPN"
- BEGINS_WITH: For string data type, true if the run-time value of the attribute begins with the configured value. E.g., RADIUS:IETF:NAS-Identifier BEGINS_WITH "SJ-"
- ENDS_WITH: For string data type, true if the run-time value of the attribute ends with the configured value. E.g.
... configured value and less than or equal to the second configured value. E.g., Date:Date-of-Year IN_RANGE 2007-06-06,2007-06-12
- MATCHES_ANY: For list data types, true if any of the run-time values in the list matches one of the configured values. E.g., Tips:Role MATCHES_ANY HR,ENG,FINANCE
- MATCHES_ALL: For list data types, true if all of the run-time values in the list are found in the configured values. E.g., Tips:Role MATCHES_ALL HR,ENG,FINANCE.
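The following is an added example, not code from ClearPass or this guide: a small evaluator that ties together the Connection-namespace MAC formats, the %{Namespace:Attribute} variable substitution used in rules and LDAP/SQL filters, and the operators defined in the table above. The request attributes, the rule that derives Connection MAC variants from RADIUS:IETF:Calling-Station-ID, and the function names are this example's own assumptions.

```python
import re
from datetime import date

# Constructed run-time attribute values for one hypothetical request
# (keys use the Namespace:Attribute notation described in this appendix).
REQUEST = {
    "RADIUS:IETF:NAS-Identifier": "SJ-VPN-01",
    "RADIUS:IETF:Calling-Station-ID": "00-1A-2B-3C-4D-5E",
    "Tips:Role": ["HR", "ENG"],
    "Authentication:Status": "User",
    "Date:Date-of-Year": "2007-06-10",
}

VAR_RE = re.compile(r"%\{([^}]+)\}")


def mac_formats(mac):
    """Derive the Connection-namespace MAC variants from any common notation.
    Returns the Colon, Dot, Hyphen and Nodelim forms (Nodelim is aabbccddeeff)."""
    hexd = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexd) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    pairs = [hexd[i:i + 2] for i in range(0, 12, 2)]
    return {
        "Client-Mac-Address-Colon": ":".join(pairs),
        "Client-Mac-Address-Hyphen": "-".join(pairs),
        "Client-Mac-Address-Dot": ".".join(hexd[i:i + 4] for i in range(0, 12, 4)),
        "Client-Mac-Address-Nodelim": hexd,
    }


def build_connection_attrs(attrs):
    """Add Connection:Client-Mac-Address-* variants derived (in this example's
    own convention) from RADIUS:IETF:Calling-Station-ID."""
    out = dict(attrs)
    for name, value in mac_formats(attrs["RADIUS:IETF:Calling-Station-ID"]).items():
        out["Connection:" + name] = value
    return out


def substitute(template, attrs):
    """Expand %{Namespace:Attribute} variables, as used in enforcement profiles
    and LDAP/SQL filters. Unknown variables expand to an empty string; list
    values are joined with commas."""
    def expand(match):
        value = attrs.get(match.group(1), "")
        return ",".join(value) if isinstance(value, list) else str(value)
    return VAR_RE.sub(expand, template)


def evaluate(attr_ref, operator, configured, attrs):
    """Evaluate one rule condition 'attr_ref operator configured'.

    Semantics follow the operator table above. CONTAINS is implemented exactly
    as that table defines it: true when the run-time value is a substring of
    the configured value. A missing run-time attribute never matches."""
    configured = substitute(configured, attrs)
    runtime = attrs.get(attr_ref)
    if runtime is None:
        return False
    if operator == "CONTAINS":
        return str(runtime) in configured
    if operator == "BEGINS_WITH":
        return str(runtime).startswith(configured)
    if operator == "ENDS_WITH":
        return str(runtime).endswith(configured)
    if operator == "IN_RANGE":
        # Inclusive date range "low,high" in yyyy-mm-dd form
        low, high = (date.fromisoformat(v.strip()) for v in configured.split(","))
        return low <= date.fromisoformat(str(runtime)) <= high
    if operator in ("MATCHES_ANY", "MATCHES_ALL"):
        wanted = {v.strip() for v in configured.split(",")}
        have = set(runtime) if isinstance(runtime, list) else {str(runtime)}
        return bool(have & wanted) if operator == "MATCHES_ANY" else have <= wanted
    raise ValueError("unsupported operator: " + operator)
```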
Appendix C Error Codes, SNMP Traps, and System Events

This appendix contains listings of Dell Networking W-ClearPass Policy Manager error codes, SNMP traps, and system events.
- Error Codes
- SNMP Trap Details
- Important System Events

Error Codes
The following table shows the CPPM error codes.
Code / Description / Type
- 210: Unknown CA in client certificate (Authentication failure)
- 211: Client certificate not valid (Authentication failure)
- 212: Client certificate has expired (Authentication failure)
- 213: Certificate comparison failed (Authentication failure)
- 214: No certificate in authentication source (Authentication failure)
- 215: TLS session error (Authentication failure)
- 216: User authentication failed (Authentication failure)
- 217: Search failed due to insufficient permissions (Authenticati
- 6001: Unsupported Tacacs parameter in request (TACACS Protocol)
- 6002: Invalid sequence number (TACACS Protocol)
- 6003: Sequence number overflow (TACACS Protocol)
- 6101: Not enough inputs to perform authentication (TACACS Authentication)
- 6102: Authentication privilege level mismatch (TACACS Authentication)
- 6103: No enforcement profiles matched to perform authentication (TACACS Authentication)
- 6201: Authorization failed as session is not authenticated (TACACS Authorization)
- 6202: Author
- 9014: Cached session data error (RADIUS Protocol)
- 9015: Client does not support configured EAP methods (RADIUS Protocol)
- 9016: Client did not send Cryptobinding TLV (RADIUS Protocol)
- 9017: Failed to contact OCSP Server (RADIUS Protocol)

SNMP Trap Details
CPPM leverages native SNMP support from the 'net-snmp' package to send trap notifications for the following events:
1. snmp daemon trap events
   Trap OIDs:
   .1.3.6.1.6.3.1.1.5.1
   .1.3.6.1.6.3.1.1.5.2
2.
.1.3.6.1.4.1.2021.2.1.101.X ==> Error message on the process status. The value contains the error message when the process is stopped and is empty when the process is running.
.1.3.6.1.4.1.2021.2.1.2.X ==> Name of the process for which the status is reported, as indicated by the trap OIDs above.
In all the above trap OIDs, the value of X varies from 1 through N depending on the number of process statuses being checked.
.1.3.6.1.4.1.2021.10.1.2.3 ==> Name of CPU load-15 average
Disk space threshold traps:
.1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag indicating the disk or partition is under the minimum required space configured for it. A value of 1 indicates the system has reached the threshold and 0 indicates otherwise.
.1.3.6.1.4.1.2021.9.1.2.1 ==> Name of the partition which has met the above condition
Network interface status traps:
.1.3.6.1.6.3.1.1.5.
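As an added example (not ClearPass's own code), the decoder below takes the varbinds of a process-status or disk-threshold trap, groups them by the trailing index X using the OID meanings listed above, and turns them into alerts a trap receiver can act on. The varbind representation, the process names in the sample trap and the function names are this example's own assumptions.

```python
# Added example: decode net-snmp (UCD-SNMP) varbinds carried by CPPM traps
# into alerts, following the OID descriptions given in this appendix.
# Varbinds are (oid, value) pairs as a receiver sees them after parsing.

PROC_ERR_MSG = ".1.3.6.1.4.1.2021.2.1.101."   # error message; empty while running
PROC_NAME = ".1.3.6.1.4.1.2021.2.1.2."        # process name, same index X
DISK_ERR_FLAG = ".1.3.6.1.4.1.2021.9.1.100."  # 1 = under configured minimum space
DISK_PATH = ".1.3.6.1.4.1.2021.9.1.2."        # partition name, same index

# Columns of each table, keyed by OID prefix: (table name, field name)
COLUMNS = {
    PROC_ERR_MSG: ("process", "message"),
    PROC_NAME: ("process", "name"),
    DISK_ERR_FLAG: ("disk", "flag"),
    DISK_PATH: ("disk", "path"),
}


def group_rows(varbinds):
    """Group varbinds into table rows by the trailing index X, so that a
    process name and its error message (or a partition and its flag) line up."""
    rows = {"process": {}, "disk": {}}
    for oid, value in varbinds:
        for prefix, (table, field) in COLUMNS.items():
            index = oid[len(prefix):]
            if oid.startswith(prefix) and index.isdigit():
                rows[table].setdefault(int(index), {})[field] = value
    return rows


def decode_trap(varbinds):
    """Return a list of (kind, subject, detail) alerts; a trap whose processes
    are all running and whose partitions are within threshold yields []."""
    rows = group_rows(varbinds)
    alerts = []
    for index, row in sorted(rows["process"].items()):
        # Per the OID description: a non-empty message means the process is stopped.
        if row.get("message"):
            alerts.append(("process", row.get("name", "index %d" % index), row["message"]))
    for index, row in sorted(rows["disk"].items()):
        if str(row.get("flag", "0")).strip() == "1":
            alerts.append(("disk", row.get("path", "index %d" % index),
                           "under minimum required space"))
    return alerts


# Constructed sample trap: two monitored processes (names are made up for the
# example) and one partition that has crossed its threshold.
SAMPLE_TRAP = [
    (".1.3.6.1.4.1.2021.2.1.2.1", "example-radius"),
    (".1.3.6.1.4.1.2021.2.1.101.1", ""),
    (".1.3.6.1.4.1.2021.2.1.2.2", "example-policy-server"),
    (".1.3.6.1.4.1.2021.2.1.101.2", "No example-policy-server process running"),
    (".1.3.6.1.4.1.2021.9.1.2.1", "/var"),
    (".1.3.6.1.4.1.2021.9.1.100.1", "1"),
    (".1.3.6.1.4.1.2021.10.1.2.3", "Load-15"),  # load-average name; not an alert here
]

if __name__ == "__main__":
    for kind, subject, detail in decode_trap(SAMPLE_TRAP):
        print("%-8s %-22s %s" % (kind, subject, detail))
```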
Admin Server Events
Info Events
“Admin server”, “INFO”, “Performed action start on Admin server”

Async Service Events
Info Events
“Async DB write service”, “INFO”, “Performed action start on Async DB write service”
“Multi-master cache”, “INFO”, “Performed action start on Multi-master cache”
“Async netd service”, “INFO”, “Performed action start on Async netd service”

ClearPass/Domain Controller Events
Critical Events
“netleave”, “ERROR”, “Failed to remove from the domain ”
“netjoin”
ClearPass Update Events
Critical Events
“Install Update”, “ERROR”, “Installing Update”, “File: ”, “Failed with exit status - ”
“ClearPass Firmware Update Checker”, “ERROR”, “Firmware Update Checker”, “No subscription ID was supplied.
Policy Server Events
Info Events
“Policy Server”, “INFO”, “Performed action start on Policy server”
“Policy Server”, “INFO”, “Performed action stop on Policy server”

RADIUS/TACACS+ Server Events
Critical Events
“TacacsServer”, “ERROR”, “Request”, “Nad Ip= not configured”
“RADIUS”, “WARN”, “Authentication”, “Ignoring request from unknown client :”
“RADIUS”, “ERROR”, “Authentication”, “Received packet from with invalid Message-Authenticator! (Shared secret is incorrect.
System Monitor Events
Critical Events
“Sysmon”, “ERROR”, “System”, “System is running with low memory. Available memory = %”
“Sysmon”, “ERROR”, “System”, “System is running with low disk space. Available disk space = %”
“System TimeCheck”, “WARN”, “Restart Services”, “Restarting CPPM services as the system detected time drift.
Appendix D Software Copyright and License Statements This appendix lists the copyright notices for the binary distribution from Aruba Networks. A copy of the source code is available for portions of the software whose copyright statement requires Aruba Networks to publish any modified source code. To cover the costs of duplication and shipping, there is a nominal cost to obtain the source code material. To obtain a copy of the source code, contact info@arubanetworks.com.
This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price.
Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you".
same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License.
11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS GNU GPL Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program).
code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.
distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License.
CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability.
* endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6.
* * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code.
* * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved.