User Guide Dell Networking W-ClearPass Policy Manager 6.
Copyright Information Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
About Dell Networking W-ClearPass Policy Manager  12
Common Tasks in Policy Manager  12
Importing  12
Exporting  13
Powering Up and Configuring Policy Manager Hardware  14
Server Port Overview  14
Server Port Configuration  15
Powering Off the System  17
Resetting Passwords to Factory Default  17
Generating Support Key for Technical Support  17
Policy Manager Dashboard  20
Monitoring  24
Access Tracker  24
Viewing Session Details  25
Accounting  26
OnGuard Activity  33
Analysis and Trend
HTTP User-Agent  61
Configuration  61
MAC OUI  61
ActiveSync Plugin  62
CPPM OnGuard  62
SNMP  62
Services  66
Architecture and Flow  66
Start Here Page  67
Policy Manager Service Types  69
Services  80
Adding Services  81
Modifying Services  84
Reordering Services  85
Authentication and Authorization  88
Architecture and Flow  88
Configuring Authentication Components  89
Adding and Modifying Authentication Methods  90
PAP  92
MSCHAP  93
EAP-MSCHAP v2  94
EAP-GTC  94
EAP-TLS  95
EAP-T
Identity: Users, Endpoints, Roles and Role Mapping  136
Architecture and Flow  136
Configuring a Role Mapping Policy  136
Configuring a Role Mapping Policy  137
Adding and Modifying Role Mapping Policies  137
Policy Tab  138
Mapping Rules Tab  138
Adding and Modifying Roles  140
Local Users, Guest Users, Onboard Devices, Endpoints, and Static Host List Configuration  140
Adding and Modifying Local Users  141
Additional Available Tasks  142
Adding and Modifying Guest Users  142
Onboard Devices  144
Adding and
NESSUS Audit Server  183
NMAP Audit Server  185
Nessus Scan Profiles  186
Post-Audit Rules  189
Enforcement
Enforcement Architecture and Flow  192
Configuring Enforcement Profiles  193
RADIUS Enforcement Profiles  196
RADIUS CoA Enforcement Profiles  198
SNMP Enforcement Profiles  198
TACACS+ Enforcement Profiles  199
Application Enforcement Profiles  201
CLI Enforcement Profile  202
Agent Enforcement Profiles  202
Post Authentication Enforcement Profiles  203
Configuring Enforcement Policies
Make Subscriber  228
Upload Nessus Plugins  229
Cluster-Wide Parameters  229
Collect Logs  233
Viewing Log Files  234
Backup  235
Restore  236
Shutdown/Reboot  237
Drop Subscriber  237
System Tab  237
Multiple Active Directory Domains  238
Services Control Tab  240
Service Parameters Tab  240
System Monitoring Tab  248
Network Tab  249
Creating GRE tunnels  249
Creating VLAN  250
Defining Access Restrictions  251
Log Configuration  252
Local Shared Folders  254
Server and Application Lic
Modify an endpoint context server  268
Delete an endpoint context server  268
Endpoint Context Server Configuration Details  269
Server Certificate  269
Create Self-Signed Certificate  270
Create Certificate Signing Request  272
Export Server Certificate  273
Import Server Certificate  273
Certificate Trust List  274
Add Certificate  274
Revocation Lists  275
Add Revocation List  275
RADIUS Dictionaries  276
Import RADIUS Dictionary  277
Posture Dictionaries  278
TACACS+ Services  278
Finger
date  297
dns  298
hostname  298
ip  298
timezone  299
Network Commands  299
ip  299
nslookup  300
ping  300
reset  301
traceroute  301
Service commands  301 302
Show Commands  302
all-timezones  303
date  303
dns  303
domain  303
hostname  304
ip  304
license  304
timezone  305
version  305
System commands  305
boot-image  305
gen-support-key  306
install-license  306
restart  306
shutdown  306
update  307
upgrade  307
Miscellaneous Commands  308
ad auth  308
ad net
krb auth  312
krb list  312
ldapsearch  312
restore  313
quit  313
Rules Editing and Namespaces
Namespaces  314
Variables  320
Operators  320
Error Codes, SNMP Traps, and System Events  324
Error Codes  324
SNMP Trap Details  327
Example 1  327
Example 2  328
CPPM Processes and OIDs  328
CPU Load Average Traps  328
Disk space threshold traps  328
Network interface status traps  328
Important System Events  329
Admin UI Events  329
Critical Events  329
Info Events  329
Admin Server Eve
Critical Events  331
Info Events  331
Policy Server Events  331
Info Events  331
RADIUS/TACACS+ Server Events  331
Critical Events  331
Info Events  332
SNMP Events  332
Critical Events  332
Info Events  332
Support Shell Events  332
Info Events  332
System Auxiliary Service Events  332
Info Events  332
System Monitor Events  332
Critical Events  332
Info Events  332
Service Names  333
Use Cases  334
802.
Chapter 1 About Dell Networking W-ClearPass Policy Manager
The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control across wired, wireless, and VPN networks. Software modules for the Dell Networking W-ClearPass Policy Manager platform, such as Guest, Onboard, Profile, OnGuard, QuickConnect, and Insight, simplify and automate device configuration, provisioning, profiling, health checks, and guest access.
Exporting
On most pages with lists in Dell Networking W-ClearPass Policy Manager, you can export the information about one or more items. That information is exported as an XML file, and this file can be password protected. The tags and attributes in the XML file are explained in the API Guide. You can:
- Export all the items.
- Export one or more items.
To export all the items in a list
1. Click the Export link. The Export to File dialog box appears.
2.
Chapter 2 Powering Up and Configuring Policy Manager Hardware
The Policy Manager server requires initial port configuration. Its backplane contains three ports.
Server Port Overview
Figure 1 Policy Manager Backplane
The ports in the figure above are described in the following table:
Table 1: Device Ports
Key  Port  Description
A  Serial  Configures the ClearPass Policy Manager appliance initially, via hardwired terminal.
Server Port Configuration
Before starting the installation, gather the following information that you will need, write it in the table below, and keep it for your records:
Table 2: Required Information (Requirement / Value for Your Installation)
- Hostname (of the Policy Manager server)
- Management Port IP Address
- Management Port Subnet Mask
- Management Port Gateway
- Data Port IP Address (optional). The Data Port IP Address must not be in the same subnet as the Management Port IP Address.
- Data Port Gateway (optional)
- Data Port S
This starts the Policy Manager Configuration Wizard.
3. Configure the Appliance
Replace the bolded placeholder entries in the following illustration with your local information:
  Enter hostname: verne.xyzcompany.com
  Enter Management Port IP Address: 192.168.5.10
  Enter Management Port Subnet Mask: 255.255.255.0
  Enter Management Port Gateway: 192.168.5.1
  Enter Data Port IP Address: 192.168.7.55
  Enter Data Port Subnet Mask: 255.255.255.0
  Enter Data Port Gateway: 192.168.7.1
  Enter Primary DNS: 198.168.5.
Powering Off the System
Perform the following to power off the system gracefully without logging in:
- Connect to the CLI from the serial console via the front serial port and enter the following:
  login: poweroff
  password: poweroff
This procedure gracefully shuts down the appliance.
Resetting Passwords to Factory Default
Administrator passwords in Policy Manager can be reset to factory defaults by logging into the CLI as the apprecovery user.
2. Connect to the Policy Manager appliance via the front serial port (using any terminal program). See "Server Port Configuration" on page 15 for details.
3. Reboot the system. See the restart command.
4. When the system restarts it waits at the following prompt for 10 seconds:
  Generate support keys? [y/n]:
Enter 'y' at the prompt. The system prompts with the following choices:
  Please select a support key generation option.
Dell Networking W-ClearPass Policy Manager 6.
Chapter 3 Policy Manager Dashboard
The Policy Manager Dashboard menu allows you to display system health and other request-related statistics. Policy Manager comes pre-configured with different dashboard elements. The screen on the right of the dashboard menu is partitioned into five fixed slots. You can drag and drop any of the dashboard elements into the five slots. The dashboard elements are listed below:
This shows a graph of all requests processed by Policy Manager over the past week.
This chart shows the graph of all profiled devices categorized into built-in categories: Smartdevices, Access Points, Computer, VOIP phone, Datacenter Appliance, Printer, Physical Security, Game Console, Routers, Unknown and Conflict. Unknown devices are devices that the profiler was not able to profile. Conflict indicates a conflict in the categorization of the device.
Quick Links shows links to common configuration tasks:
- Start Configuring Policies links to the Start Here Page under the Configuration menu. Start configuring Policy Manager Services from here.
- Manage Services links to the Services page under the Configuration menu. Shows a list of configured services.
- Access Tracker links to the Access Tracker screen under the Reporting & Monitoring menu.
- Analysis & Trending links to the Analysis & Trending screen under the Reporting & Monitoring menu.
Chapter 4 Monitoring
The Policy Manager Monitoring menu provides the following interfaces:
- Live Monitoring
  - "Access Tracker" on page 24
  - "Accounting" on page 26
  - "OnGuard Activity" on page 33
  - "Analysis and Trending" on page 35
  - "Endpoint Profiler" on page 36
  - "System Monitor" on page 37
- "Audit Viewer" on page 39
- "Event Viewer" on page 41
- "Data Filters" on page 42
Access Tracker
The Access Tracker provides a real-time display of system activity, with optional auto-refr
Select Filter: Select filter to constrain data display.
Modify: Modify the currently displayed data filter.
Add: Go to the Data Filters page to create a new data filter.
Select Date Range: Select the number of days prior to the configured date for which Access Tracker data is to be displayed. Valid number of days is 1 day to a week.
Show Latest: Sets the date in the previous step to Today.
different tabs.
- Summary: This tab shows a summary view of the transaction, including policies applied.
- Input: This tab shows protocol-specific attributes that Policy Manager received in the transaction request; this includes authentication and posture details (if available). It also shows Compute Attributes, which are attributes that were derived from the request attributes. All of the attributes can be used in role mapping rules.
Figure 3 Accounting (Edit Mode)
Table 7: Accounting
Select Server: Select server for which to display dashboard data.
Select Filter: Select filter to constrain data display.
Modify: Modify the currently displayed data filter.
Add: Go to the Data Filters page to create a new data filter.
Select Date Range: Select the number of days prior to the configured date for which Accounting data is to be displayed. Valid number of days is 1 day to a week.
Figure 4 RADIUS Accounting Record Details (Summary tab)
Figure 5 RADIUS Accounting Record Details (Auth Sessions tab)
Figure 6 RADIUS Accounting Record Details (Utilization tab)
Figure 7 RADIUS Accounting Record Details (Details tab)
Table 8: RADIUS Accounting Record Details
Summary tab:
- Session ID: Policy Manager session identifier (you can correlate this record with a record in Access Tracker)
- Account Session ID: A unique ID for this accounting record
- Start and End Timestamp: Start and end time of the session
- Status: Current connection status of the session
- Username: Username associated with this record
- Termination Cause: The reason for termination of this session
- Service Type: The value of the standard RADIUS attribute ServiceType
- NAS IP Address: IP address of the network device
- NAS Port Type: The access method, for example Ethernet, 802.11 Wireless, etc.
Utilization tab:
- Account Input Octets / Account Output Octets: Octets sent and received from the device port over the course of the session
- Account Input Packets / Account Output Packets: Packets sent and received from the device port over the course of the session
Details tab: Shows details of RADIUS attributes sent and received from the network device during the initial authentication and subsequent re-authentications (each section in the Details tab corresponds to a "session" in Policy Manager).
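The fields in Table 8 are carried as attributes of a RADIUS Accounting-Request (RFC 2866). The following Python script is an added example written for this section and is not ClearPass code: it builds a constructed Accounting-Stop packet, verifies its Request Authenticator against the shared secret before trusting any counter in it, and decodes the attributes into the fields the table names (session ID, status, username, NAS IP address, NAS port type, octet and packet counters, termination cause). The shared secret, session ID and counters are constructed values, and the enumeration tables cover only the values the sample uses.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4  # RADIUS packet code for Accounting-Request (RFC 2866)

# Attribute numbers from RFC 2865/2866, limited to those behind the record fields
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type",
    40: "Acct-Status-Type", 42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
    44: "Acct-Session-Id", 46: "Acct-Session-Time", 47: "Acct-Input-Packets",
    48: "Acct-Output-Packets", 49: "Acct-Terminate-Cause", 61: "NAS-Port-Type",
}
INTEGER_ATTRS = {6, 40, 42, 43, 46, 47, 48, 49, 61}
# Enumerated values (a subset of the RFC tables, enough for the sample record)
ENUMS = {
    6: {2: "Framed"},
    40: {1: "Start", 2: "Stop", 3: "Interim-Update"},
    49: {1: "User-Request", 4: "Idle-Timeout", 5: "Session-Timeout"},
    61: {15: "Ethernet", 19: "Wireless-802.11"},
}


def build_acct_request(identifier, secret, attrs):
    """Assemble an Accounting-Request from (type, raw_bytes) pairs. The Request
    Authenticator is MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_acct_request(packet, secret):
    """Verify the Request Authenticator, then decode the attributes into a dict.
    Raises ValueError on a malformed packet or a wrong/forged authenticator, so a
    collector never stores counters from a packet it cannot authenticate."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]
    authenticator, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        raise ValueError("Request Authenticator mismatch: wrong shared secret or forged packet")

    record = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("malformed attribute length")
        value = body[i + 2:i + attr_len]
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        if attr_type in INTEGER_ATTRS and len(value) == 4:
            decoded = struct.unpack("!I", value)[0]
            decoded = ENUMS.get(attr_type, {}).get(decoded, decoded)
        elif attr_type == 4 and len(value) == 4:
            decoded = str(ipaddress.IPv4Address(value))
        else:
            decoded = value.decode("utf-8", "replace")
        record.setdefault(name, decoded)  # first occurrence of an attribute wins
        i += attr_len
    return record


def u32(n):
    return struct.pack("!I", n)


# Constructed sample: an Accounting-Stop for user "alice" on a wireless NAS
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_PACKET = build_acct_request(7, SAMPLE_SECRET, [
    (1, b"alice"),
    (4, ipaddress.IPv4Address("10.0.0.5").packed),
    (6, u32(2)),            # Service-Type = Framed
    (40, u32(2)),           # Acct-Status-Type = Stop
    (44, b"6e9f2c01"),      # Acct-Session-Id (constructed)
    (46, u32(3600)),        # Acct-Session-Time in seconds
    (42, u32(123456)), (43, u32(654321)),   # octets in / out
    (47, u32(100)), (48, u32(200)),         # packets in / out
    (49, u32(1)),           # Acct-Terminate-Cause = User-Request
    (61, u32(19)),          # NAS-Port-Type = Wireless-802.11
])


def sample_record():
    return parse_acct_request(SAMPLE_PACKET, SAMPLE_SECRET)


if __name__ == "__main__":
    for field, value in sample_record().items():
        print("%-22s %s" % (field, value))
```

The authenticator check matters for the Utilization counters in particular: a Stop record with a bad authenticator must be dropped rather than used to close a session or bill usage, because anyone able to reach the accounting port can send one.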
Figure 9 TACACS+ Accounting Record Details (Auth Sessions tab)
Figure 10 TACACS+ Accounting Record Details (Details tab)
Table 9: TACACS+ Accounting Record Details
- Request Session ID: Unique ID associated with a request
- User Session ID: A session ID that correlates authentication, authorization and accounting records
Auth Sessions tab:
- Start and End Timestamp: Start and end time of the session
- Username: Username associated with this record
- Client IP: The IP address and tty of the device interface
- Remote IP: IP address from which the Admin is logged in
- Flags: Identifier corresponding to a start, stop or update accounting record
- Privilege Level: Privilege level of the administrator: 1 (lowest) to 15 (highest).
- Authentication Method: Identifies the authentication method used for the access.
Table 10: OnGuard Activity
Auto Refresh: Toggle auto-refresh. If this is turned on, all endpoint activities are refreshed automatically.
Bounce Client (using SNMP): Given the MAC or IP address of the endpoint, perform a bounce operation (via SNMP) on the switch port to which the endpoint is connected. This feature only works with wired Ethernet switches.
Bounce: Initiate a bounce on the managed interface on the endpoint.
- Display Message: An optional message to display on the endpoint (via the OnGuard interface).
- Web link: An optional clickable URL that is displayed along with the Display Message.
- Endpoint Status: No change - No change is made to the status of the endpoint. The existing status of Known, Unknown or Disabled continues to be applied. Access control is granted or denied based on the endpoint's existing status.
Figure 12 Analysis and Trending
To add additional filters, refer to "Data Filters" on page 42.
- Select Server: Select a node from the cluster for which data is to be displayed.
- Update Now: Click on this button to update the display with the latest available data.
- Customize This: Click on this link to customize the display by adding filters (up to a maximum of 4 filters).
- Toggle Chart Type: Click on this link to toggle the chart display between line and bar type.
Figure 13 Endpoint Profiler
You can view endpoint details about a specific device by clicking on a device in the table below the graphs. Select the Cancel button to return to the Endpoint Profiler page.
Figure 14 Endpoint Profiler Details
System Monitor
The System Monitor is available by navigating to Monitoring > Live Monitoring > System Monitor.
- Select Server: Select a node from the cluster for which data is to be displayed.
Figure 15 System Monitor Graphs
- Process Monitor: For the selected server and process, provides critical usage statistics, including CPU, Virtual Memory, and Main Memory. Use Select Process to select the process for which you want to see the usage statistics.
Figure 16 Process Monitor Graphs
Audit Viewer
The Audit Viewer display provides a dynamic report of Actions, filterable by Action, Name and Category (of policy component), and User, at: Monitoring > Audit Viewer.
Figure 17 Audit Viewer
Table 11: Audit Viewer
Select Filter: Select the filter by which to constrain the display of audit data.
Show records: Show 10, 20, 50 or 100 rows. Once selected, this setting is saved and available in subsequent logins.
Click on any row to display the corresponding Audit Row Details:
- For Add Actions, a single popup displays, containing the new data.
Figure 20 Audit Row Details (New Data tab)
Figure 21 Audit Row Details (Inline Difference tab)
For Remove Actions, a popup displays the removed data.
Event Viewer
The Event Viewer display provides a dynamic report of system-level (not request-related) Events, filterable by Source, Level, Category, and Action, at: Monitoring > Event Viewer.
Figure 22 Event Viewer
Table 12: Event Viewer
Select Server: Select the server for which to display accounting data.
Filter: Select the filter by which to constrain the display of accounting data.
Show records: Show 10, 20, 50 or 100 rows. Once selected, this setting is saved and available in subsequent logins.
Click on any row to display the corresponding System Event Details.
- Failed Requests: All authentication requests that were rejected or failed due to some reason; includes RADIUS, TACACS+ and Web Authentication results.
- Guest Access Requests: All requests, RADIUS or Web Authentication, where the user was assigned the built-in role called Guest.
- Healthy Requests: All requests that were deemed healthy per policy.
- RADIUS Requests: All RADIUS requests.
- Successful Requests: All authentication requests that were successful.
Table 14: Add Filter (Filter tab)
Name/Description: Name and description of the filter (freeform).
Configuration Type: Choose one of the following configuration types:
- Specify Custom SQL: Selecting this option allows you to specify a custom SQL entry for the filter. If this is specified, then the Rules tab disappears, and a SQL template displays in the Custom SQL field. NOTE: Selecting this option is not recommended.
Figure 27 Add Filter (Rules tab) - Rules Editor
Table 16: Add Filter (Rules tab) - Rules Editor
Matches: ANY matches one of the configured conditions. ALL indicates to match all of the configured conditions.
Type: This indicates the namespace for the attribute.
Chapter 5 Policy Manager Policy Model From the point of view of network devices or other entities that need authentication and authorization services, Policy Manager appears as a RADIUS, TACACS+ or HTTP/S based Authentication server; however, its rich and extensible policy model allows it to broker security functions across a range of existing network infrastructure, identity stores, health/posture services and client technologies within the Enterprise.
Figure 28 Generic Policy Manager Service Flow of Control
Table 17: Policy Manager Service Components
Component A, Authentication Method (zero or more per service): EAP or non-EAP method for client authentication. Policy Manager supports four broad classes of authentication methods:
- EAP, tunneled: PEAP, EAP-FAST, or EAP-TTLS.
- EAP, non-tunneled: EAP-TLS or EAP-MD5.
- Non-EAP, non-tunneled: CHAP, MS-CHAP, PAP, or [MAC AUTH].
Component B, Authentication Source (zero or more per service): An Authentication Source is the identity repository against which Policy Manager verifies identity. It supports these Authentication Source types:
- Microsoft® Active Directory®
- any LDAP compliant directory
- RSA or other RADIUS-based token servers
- SQL database, including the local user store.
- Static Host Lists, in the case of MAC-based Authentication of managed devices.
Component H, Enforcement Profile (one or more per service): Enforcement Profiles contain attributes that define a client's scope of access for the session. Policy Manager returns these Enforcement Profile attributes to the switch.
Viewing Existing Services
You can view all configured services in a list or drill down into individual services:
- View and manipulate the list of current services.
In the Services page, click a service's check box, then click the Export a Service link and provide the output filepath. Later, you can import this service by clicking Import a Service and providing the filepath.
- Create a new service that you will configure from scratch. In the Services page, click Add a Service, then follow the configuration wizard from component to component by clicking Next as you complete each tab.
- Remove a service.
Policy Component: Authentication Source
Policy Component: Role Mapping
Configuration Instructions / Illustrative Use Cases: "802.1x Wireless Use Case" on page 336 demonstrates the principle of multiple authentication sources in a list. Policy Manager tests the sources in priority order until the client can be authenticated. In this case Active Directory is listed first.
Policy Component: Enforcement Policy and Profiles
Illustrative Use Cases: All Use Cases have an assigned Enforcement Policy and corresponding Enforcement Rules.
Configuration Instructions:
- "Configuring Enforcement Profiles" on page 193
- "Configuring Enforcement Policies" on page 204
Policy Simulation
Once the policies have been set up, the Policy Simulation utility can be used to evaluate these policies before deployment.
Table 19: Policy Simulation
Add Simulation Test: Opens the Add Simulation Test page.
Import Simulations: Opens the Import Simulations popup.
Export Simulations: Opens the Export Simulations popup.
Filter: Select the filter by which to constrain the display of simulation data.
Copy: Make a copy of the selected policy simulation. The copied simulation is renamed with a prefix of Copy_Of_.
Export: Opens the Export popup.
Type: Role Mapping
- Input (Simulation tab): Select Service (Role Mapping Policy is implicitly selected, because there is only one such policy associated with a service), Authentication Source, User Name, and Date/Time.
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces relevant for role mapping policies are loaded in the attributes editor.
Type: Audit
- Input (Simulation tab): Select the Audit Server and host to be Audited (IP address or hostname)
- Returns (Results tab): Summary Posture Status, Audit Attributes and Status
NOTE: Audit simulations can take a while; an AuditInProgress status is shown until the audit completes.
Type: Enforcement Policy
- Input (Simulation tab): Select Service (Enforcement Policy is implicit by its association with the Service), Authentication Source (optional), User Name (optional), Roles, Dynamic Roles (optional), System Posture Status, and Date/Time (optional).
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. Connection and RADIUS namespaces are loaded in the attributes editor.
Type: Chained Simulations
- Input (Simulation tab): Select Service, Authentication Source, User Name, and Date/Time.
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces that are relevant in the Role Mapping Policy context are loaded in the attributes editor.
- Returns (Results tab): Role(s), Post Status, Enforcement Profiles and Status Messages.
Figure 33 Add Simulation (Attributes Tab)
In the Results tab, Policy Manager displays the outcome of applying the test request parameters against the specified policy component(s). What is shown in the Results tab again depends on the type of simulation.
Figure 34 Add Simulation (Results Tab)
Importing and Exporting Simulations
Import Simulations
Navigate to Configuration > Policy Simulation and select the Import Simulations link.
Figure 35 Import Simulations
Table 21: Import Simulations
Select file: Browse to select the name of the simulations import file.
Import/Cancel: Import to commit or Cancel to dismiss the popup.
Export Simulations
Navigate to Configuration > Policy Simulation and select the Export Simulations link. This task exports all simulations. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the export.
Chapter 6 ClearPass Policy Manager Profile Profile is a ClearPass Policy Manager module that automatically classifies endpoints using attributes obtained from software components called Collectors. It can be used to implement “Bring Your Own Device” (BYOD) flows, where access has to be controlled based on the type of the device and the identity of the user.
DHCP DHCP attributes such as option55 (parameter request list), option60 (vendor class) and options list from DISCOVER and REQUEST packets can uniquely fingerprint most devices that use the DHCP mechanism to acquire an IP address on the network. Switches and controllers can be configured to forward DHCP packets such as DISCOVER, REQUEST and INFORM to CPPM. These DHCP packets are decoded by CPPM to arrive at the device category, family, and name.
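As an added illustration of the DHCP collector described above (example code written for this guide's readers, not ClearPass's own code), the following Python script decodes the option area of a forwarded DHCP packet, extracts option 55, option 60 and the option list, and stops cleanly on a truncated or malformed packet instead of crashing the collector. The sample DISCOVER, its MAC address and its vendor class are constructed; the mapping from fingerprint to device category, family and name is left to the profiler's dictionaries and is not reproduced here.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the option area
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PRL, OPT_VENDOR_CLASS, OPT_CLIENT_ID = 53, 55, 60, 61
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 8: "INFORM"}  # the types forwarded to CPPM


def parse_dhcp_options(payload):
    """Decode the TLV option area of a BOOTP/DHCP payload into {code: first_value}.
    Returns what was parsed so far on END, a missing length byte or a truncated
    value, so a malformed client packet cannot take the collector down."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        return {}
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(payload):
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated option
        options.setdefault(code, value)  # first occurrence wins
        i += 2 + length
    return options


def dhcp_fingerprint(payload):
    """Return the attributes a profiler keys on: message type, option 55
    (parameter request list), option 60 (vendor class) and the option list.
    Returns None for packets that are not DISCOVER, REQUEST or INFORM."""
    options = parse_dhcp_options(payload)
    msg_type = MSG_TYPES.get(options[OPT_MSG_TYPE][0]) if options.get(OPT_MSG_TYPE) else None
    if msg_type is None:
        return None
    return {
        "message_type": msg_type,
        "option55": ",".join(str(b) for b in options.get(OPT_PRL, b"")),
        "option60": options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "options": ",".join(str(code) for code in options),
    }


def build_dhcp_discover(mac, prl, vendor_class):
    """Construct a minimal DHCPDISCOVER as sample input for this example."""
    zero_ip = bytes(4)
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x12345678, 0, 0x8000,   # op, htype, hlen, hops, xid, secs, flags
                         zero_ip, zero_ip, zero_ip, zero_ip,  # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\0"), bytes(64), bytes(128))  # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, 1])
               + bytes([OPT_CLIENT_ID, 7, 1]) + mac
               + bytes([OPT_PRL, len(prl)]) + prl
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
               + bytes([OPT_END]))
    return header + DHCP_MAGIC_COOKIE + options


# Constructed sample resembling a Windows client's request (values are illustrative)
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_PRL = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
SAMPLE_DISCOVER = build_dhcp_discover(SAMPLE_MAC, SAMPLE_PRL, b"MSFT 5.0")


if __name__ == "__main__":
    print(dhcp_fingerprint(SAMPLE_DISCOVER))
    print(dhcp_fingerprint(SAMPLE_DISCOVER[:-5]))  # same packet cut short on the wire
```

The option 55 string and option 60 value are what a fingerprint dictionary is keyed on; because both are set by the client, a profile derived from them is a classification hint, not proof of device type, which is why the guide pairs profiling with posture and audit checks.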
ActiveSync Plugin
The ActiveSync plugin is software to be installed on Microsoft Exchange servers. When a device communicates with the Exchange server using the ActiveSync protocol, it provides attributes such as device-type and user-agent. These attributes are collected by the plugin software and sent to the CPPM profiler. The profiler uses dictionaries to derive profiles from these attributes.
CPPM OnGuard
ClearPass OnGuard agents perform advanced endpoint posture assessment.
In large or geographically spread cluster deployments you do not want all CPPM nodes to probe all SNMP-configured devices. The default behaviour is for a CPPM node in the cluster to read network device information only for devices configured to send traps to that CPPM node.
Subnet Scan
A network subnet scan is used to discover IP addresses of devices in the network. The devices discovered this way are further probed using SNMP to fingerprint and assign a Profile to the device.
Network subnets to scan.
Post Profile Actions After profiling an endpoint, profiler can be configured to perform CoA on the Network Device to which an endpoint is connected. Post profile configurations are configured under Service. The administrator can select a set of categories and a CoA profile to be applied when the profile matches one of the selected categories. CoA is triggered using the selected CoA profile.
Chapter 7 Services
The Policy Manager policy model groups policy components that serve a particular type of request into Services, which sit at the top of the policy hierarchy. Dell offers the following default services:
- 802.1X Wireless
- 802.1X Wired
- MAC Authentication
- Web-based Authentication
- Web based Health Check Only
- Web-based Open Network Access
- 802.1X Wireless - Identity Only
- 802.
- Bottom-Up Approach: Create all policy components (Authentication Method, Authentication Source, Role Mapping Policy, Posture Policy, Posture Servers, Audit Servers, Enforcement Profiles, Enforcement Policy) first, as needed, and then create the Service using the Service creation wizard.
- Top-Down Approach: Start with the Service creation wizard, and create the associated policy components as and when you need them, all in the same flow.
Figure 40 Service Wizard with Clickable Flow
The rest of the service configuration flow is as described in Policy Manager Service Types.
Policy Manager Service Types
The following service types come preconfigured on Policy Manager:
Table 22: Policy Manager Service Types
Dell W-Series Wireless 802.1X Wireless: Template for wireless hosts connecting through a Dell W-Series 802.11 wireless access device or controller, with authentication via IEEE 802.1X. Service rules are customized for a typical Dell W-Series Mobility Controller deployment. Refer to the "802.
To create an authorization source for this service click on the Authorization tab. This tab is not visible by default. To enable Authorization for this service, select the Authorization check box on the Service tab. Policy Manager fetches role mapping attributes from the authorization sources associated with the service, regardless of which authentication source was used to authenticate the user.
By default, this type of service does not have Audit checking enabled. To enable posture checking for this service, select the Audit End-hosts check box on the Service tab. Select an Audit Server, either built-in or customized. Refer to "Configuring Audit Servers" on page 180 for audit server configuration steps. You can specify to trigger an audit always, when posture is not available, or for MAC authentication requests.
- The authorization sources associated with the authentication source
- The authorization sources associated with the service.
For more information on configuring authorization sources, refer to "Adding and Modifying Authentication Methods" on page 90. To associate a role mapping policy with this service click on the Roles tab. For information on configuring role mapping policies, refer to "Configuring a Role Mapping Policy" on page 137.
Select an Audit Server, either built-in or customized. Refer to "Configuring Audit Servers" on page 180 for audit server configuration steps. You can specify to trigger an audit always, when posture is not available, or for MAC authentication requests. If "For MAC authentication requests" is specified, then you can perform an audit "For known end-hosts only", "For unknown end hosts only", or "For all end hosts".
Service Type Description For clients connecting through an Ethernet LAN, with authentication via IEEE 802.1X. 802.1X Wired Except for the service rules shown above, configuration for the rest of the tabs is similar to the 802.1X Wireless Service. NOTE: If you want to administer the same set of policies for wired and wireless access, you can combine the service rule to define one single service.
Service Type Description MAC Authentication MAC-based authentication service, for clients without an 802.1X supplicant or a posture agent (printers, other embedded devices, and computers owned by guests or contractors). The network access device sends a MAC authentication request to Policy Manager.
Service Type Web-based Authentication Description Web-based authentication service for guests or agentless hosts, via the Dell built-in Portal. The user is redirected to the Dell captive portal by the network device, or by a DNS server that is set up to redirect traffic on a subnet to a specific URL. The web page collects username and password, and also optionally collects health information (on Windows 7, Windows Vista, Windows XP, Windows Server 2008, Windows Server 2003, popular Linux systems).
Service Type Description This type of service is the same as regular 802.1X Wireless Service, except that posture and audit policies are not configurable when you use this template. 802.1X Wireless Identity Only This type of service is the same as regular 802.1X Wired Service, except that posture and audit policies are not configurable when you use this template. 802.1X Wired Identity Only Template for any kind of RADIUS request.
Service Type Description Template for any kind of RADIUS request that needs to be proxied to another RADIUS server (a Proxy Target). RADIUS Proxy NOTE: No default rule is associated with this service type. Rules can be added to handle any type of standard or vendor-specific RADIUS attributes. Typically, proxying is based on a realm or domain of the user trying to access the network. NOTE: Authentication, Posture, and Audit tabs are not available for this service type.
TACACS+ Enforcement: Template for any kind of TACACS+ request.
NOTE: No default rule is associated with this service type. Rules can be added to filter the request based on the Date and Connection namespaces. See "Rules Editing and Namespaces" on page 314 for more information. TACACS+ users can be authenticated against any of the supported authentication source types: Local DB, SQL DB, Active Directory, LDAP Directory or Token Servers with a RADIUS interface.
Cisco Web Authentication Proxy: Web-based authentication service for guests or agentless hosts. The Cisco switch hosts a captive portal; the portal web page collects username and password. The switch then sends a RADIUS request in the form of a PAP authentication request to Policy Manager. By default, this service uses the Authentication Method [PAP]. You can click on the Authorization and Audit End-hosts options to enable additional tabs. Refer to the "802.
Export Service: Export all currently defined services, including all associated policies.
Filter: Filter the service listing by specifying values for different listing fields (Name, Type, Template, Status).
Status: The status displays in the last column of the table. A green/red icon indicates the enabled/disabled state. Clicking on the icon allows you to toggle the status of a Service between Enabled and Disabled.
Table 24: Service Page (General Parameters)
Type: Select the desired service type from the drop-down menu. When working with service rules, you can select from the following namespace dictionaries:
- Application: The type of application for this service.
- Authentication: The Authentication method to be used for this service.
More Options: Select any of the available check boxes to enable the configuration tabs for those options. The available check boxes vary based on the type of service that is selected and may include one or more of the following:
- Authorization: Select an authorization source from the drop-down menu to add the source, or select the Add new Authentication Source link to create a new source.
Modifying Services
Navigate to the Configuration > Services page to view available services. You can use these service types as configured, or you can edit their settings.
Figure 43 Service Listing Page
To modify an existing service, click on its name in the Configuration > Services page. This opens the Services > Edit - form. Select the Service tab on this form to edit the service information.
Figure 44 Services Configuration
The following fields are available on the Service tab.
More Options: Select the available check box(es) to view additional configuration tab(s). The options that are available depend on the type of service currently being modified. A TACACS+ Service, for example, allows for authorization configuration; a RADIUS Service allows for configuration of posture compliance, end hosts, profile endpoints, and authorization.
On the lower half of the form, select an available rule within the Service Rule table. The following fields are available.
Figure 45 Service Reorder Button
2. Click the Reorder button located on the lower-right portion of the page to open the Reordering Services form.
Figure 46 Reordering Services
Table 27: Reordering Services
Move Up/Move Down: Select a service from the list and move it up or down.
Save: Save the reorder operation.
Cancel: Cancel the reorder operation.
Chapter 8 Authentication and Authorization
As the first step in Service-based processing, Policy Manager uses an Authentication Method to authenticate the user or device against an Authentication Source. Once the user or device is authenticated, Policy Manager fetches attributes for role mapping policies from the Authorization Sources associated with this Authentication Source.
Figure 47 Authentication and Authorization Flow of Control
Configuring Authentication Components
The following summarizes the methods for configuring authentication:
- For an existing Service, you can add or modify the authentication method or source by opening the Service (Configuration > Services, then select), then opening the Authentication tab.
- For a new Service, the Policy Manager wizard automatically opens the Authentication tab for configuration.
Figure 48 Authentication Components
From the Authentication tab of a service, you can configure three features of authentication:
Table 28: Authentication Features at the Service Level
Sequence of Authentication Methods:
1. Select a Method, then select Move Up, Move Down, or Remove.
2. Select View Details to view the details of the selected method.
3. Select Modify to modify the selected authentication method.
Table 29: Policy Manager Supported Authentication Methods
EAP, Tunneled:
- EAP Protected EAP (EAP-PEAP)
- EAP Flexible Authentication Secure Tunnel (EAP-FAST)
- EAP Transport Layer Security (EAP-TLS)
- EAP Tunneled TLS (EAP-TTLS)
EAP, Non-Tunneled:
- EAP Message Digest 5 (EAP-MD5)
- EAP Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
- EAP Generic Token Card (EAP-GTC)
Non-EAP:
- Challenge Handshake Authentication Protocol (CHAP)
- Password Authentication Protocol (PAP)
- Micro
Figure 49 Add Authentication Method dialog box
Depending on the Type selected, different tabs and fields appear. Refer to the following:
- "PAP" on page 92
- "MSCHAP" on page 93
- "EAP-MSCHAP v2" on page 94
- "EAP-GTC" on page 94
- "EAP-TLS" on page 95
- "EAP-TTLS" on page 97
- "EAP-PEAP" on page 98
- "EAP-FAST" on page 100
- "MAC-AUTH" on page 105
- "CHAP and EAP-MD5" on page 105
- Authorize
PAP
The PAP method contains one tab.
Figure 50 PAP General Tab
Table 30: PAP General Tab
Name/Description: Freeform label and description.
Type: In this context, always PAP.
Encryption Scheme: Select the PAP authentication encryption scheme. Supported schemes are: Clear, Crypt, MD5, SHA1 or Aruba-SSO.
MSCHAP
The MSCHAP method contains one tab.
General Tab
The General tab labels the method and defines session details.
Figure 51 MSCHAP General Tab
Table 31: MSCHAP General Tab
Name/Description: Freeform label and description.
Type: In this context, always MSCHAP.
EAP-MSCHAP v2
The EAP-MSCHAPv2 method contains one tab.
General Tab
The General tab labels the method and defines session details.
Figure 52 EAP-MSCHAPv2 General Tab
Table 32: EAP-MSCHAPv2 General Tab
Name/Description: Freeform label and description.
Type: In this context, always EAP-MSCHAPv2.
EAP-GTC
The EAP-GTC method contains one tab.
Figure 53 EAP-GTC General Tab
Table 33: EAP-GTC General Tab
Name/Description: Freeform label and description.
Type: In this context, always EAP-GTC.
Challenge: Specify an optional password.
EAP-TLS
The EAP-TLS method contains one tab.
General Tab
The General tab labels the method and defines session details.
Figure 54 EAP-TLS General Tab
Table 34: EAP-TLS General Tab
Name/Description: Freeform label and description.
Type: In this context, always EAP-TLS.
Session Resumption: Caches EAP-TLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-TLS sessions.
Authorization Required: Specify whether to perform an authorization check.
Override OCSP URL from the Client: Select this option if you want to use a different URL for OCSP. After this is enabled, you can enter a new URL in the OCSP URL field.
OCSP URL: If Override OCSP URL from the Client is enabled, then enter the replacement URL here.
EAP-TTLS
The EAP-TTLS method contains two tabs.
General Tab
The General tab labels the method and defines session details.
Inner Methods Tab
The Inner Methods tab controls the inner methods for the EAP-TTLS method:
Figure 56 EAP-TTLS Inner Methods Tab
Select any method available in the current context from the drop-down list. Functions available in this tab include:
- To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds.
Table 36: EAP-PEAP General Tab
Name/Description: Freeform label and description.
Type: In this context, always EAP-PEAP.
Session Resumption: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-PEAP sessions.
Figure 58 EAP-PEAP Inner Methods Tab
Select any method available in the current context from the drop-down list. Functions available in this tab include:
- To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds.
- To remove an inner method from the displayed list, select the method and click Remove.
Figure 59 EAP-FAST General Tab
Table 37: EAP-FAST General Tab
Name/Description: Freeform label and description.
Type: In this context, always EAP-FAST.
Session Resumption: Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-FAST sessions.
Inner Methods Tab
The Inner Methods tab controls the inner methods for the EAP-FAST method:
Figure 60 Inner Methods Tab
- To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds.
- To remove an inner method from the displayed list, select the method and click Remove.
Figure 61 EAP-FAST PACs Tab
- To provision a Tunnel PAC on the end-host after initial successful machine authentication, specify the Tunnel PAC Expire Time (the time until the PAC expires and must be replaced by automatic or manual provisioning) in hours, days, weeks, months, or years. During authentication, Policy Manager can use the Tunnel PAC shared secret to create the outer EAP-FAST tunnel.
Figure 62 EAP-FAST PAC Provisioning Tab
Table 38: EAP-FAST PAC Provisioning Tab
Allow Anonymous Mode: When in anonymous mode, phase 0 of EAP-FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication (not as secure as the authenticated mode).
Required end-host certificate for provisioning: In authenticated provisioning mode, the end-host authenticates the server by validating the server certificate, resulting in a protected outer tunnel; the end-host is authenticated by the server inside this tunnel. When enabled, the server can require the end-host to send a certificate inside the tunnel for the purpose of authenticating the end-host.
MAC-AUTH
The MAC-AUTH method contains one tab.
Figure 64 CHAP General Tab
Figure 65 EAP-MD5 General Tab
Table 40: CHAP and EAP-MD5 General Tab Parameters
Name/Description: Freeform label and description.
Type: In this context, always CHAP or EAP-MD5.
Authorize
This is an authorization-only method that you can add with a custom name.
Figure 66 Authorize General Tab
Table 41: Authorize General Tab Parameters
Name/Description: Freeform label and description.
Type: In this context, always Authorize.
- "Kerberos" on page 126
- "Okta" on page 128
- "Static Host List" on page 130
- "Token Server" on page 132
From the Services page (Configuration > Service), you can configure an authentication source for a new service (as part of the flow of the Add Service wizard), or modify an existing authentication source directly (Configuration > Authentication > Sources, then click on its name in the listing page).
- Attributes Tab
General Tab
The General tab labels the authentication source and defines session details.
Figure 69 Generic LDAP or Active Directory (General Tab)
Table 42: Generic LDAP or Active Directory (General Tab)
Name/Description: Freeform label and description.
Type: In this context, Generic LDAP or Active Directory.
Cache Timeout: Policy Manager caches attributes fetched for an authenticating entity. This parameter controls the number of seconds for which the attributes are cached.
Backup Servers Priority: To add a backup server, click Add Backup. When the Backup 1 tab appears, you can specify connection details for a backup server (same fields as for the primary server, specified below). To remove a backup server, select the server name and click Remove.
Bind DN/Password: Distinguished Name (DN) of the administrator account. Policy Manager uses this account to access all other records in the directory. NOTE: For Active Directory, the bind DN can also be in the administrator@domain format (e.g., administrator@acme.com). The Password is the password for the administrator DN entered in the Bind DN field.
NetBIOS Domain Name: The AD domain name for this server.
Bind User: Enable to authenticate users by performing a bind operation on the directory using the credentials (user name and password) obtained during authentication. For clients to be authenticated by using the LDAP bind method, Policy Manager must receive the password in cleartext.
Password Attribute (available only for Generic LDAP directory): Enter the name of the attribute in the user record from which the user password can be retrieved. This is not available for Active Directory.
Table 44: AD/LDAP Attributes Tab (Filter Listing Screen)
Filter Name / Attribute Name / Alias Name / Enable as Role. Listing column descriptions:
- Filter Name: Name of the filter.
- Attribute Name: Name of the LDAP/AD attributes defined for this filter.
- Alias Name: For each attribute name selected for the filter, you can specify an alias name.
- Enabled As: Specify whether the value is to be used directly as a role or attribute in an Enforcement Policy.
Table 45: AD/LDAP Default Filters Explained
Directories: Active Directory, Generic LDAP Directory.
Default Filters (Active Directory):
- Authentication: This is the filter used for authentication. The query searches in objectClass of type user. This query finds both user and machine accounts in Active Directory: (&(objectClass=user)(sAMAccountName=%{Authentication:Username})). When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
The Filter Creation popup displays when you click the Add More Filters button on the Authentication Sources > Add page. With this popup, you can define a filter query and the related attributes to be fetched.
AD/LDAP Configure Filter Browse Tab
The Browse tab shows an LDAP Browser from which you can browse the nodes in the LDAP or AD directory, starting at the base DN. This is presented in read-only mode.
Figure 74 AD/LDAP Create Filter Popup (Filter Tab)
Policy Manager comes pre-populated with filters and selected attributes for Active Directory and generic LDAP directory. New filters need to be created only if you need Policy Manager to fetch role mapping attributes from a new type of record. Records of different types can be fetched by specifying multiple filters that use different dynamic session attributes.
Select the attributes for filter: This table has a name and a value column. There are two ways to enter the attribute name:
- By going to a node of interest, inspecting the attributes, and then manually entering the attribute name by clicking on Click to add... in the table row.
- By clicking on an attribute on the right-hand side of the LDAP browser. The attribute name and value are automatically populated in the table.
Step 3: Enter value (optional). After Step 3, you have values for a specific record (Alice's record, in this case). Change the value to a dynamic session attribute that will help Policy Manager associate a session with a specific record in LDAP/AD. For example, if you selected the sAMAccountName attribute in AD, click on the value field and select %{Authentication:Username}.
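As an added example (not ClearPass code), the Python below shows the two transformations the guide describes: turning a filter built from one browsed record (Alice's) into a dynamic filter, as in Step 3, and expanding the Active Directory authentication filter from Table 45 with a session's %{Authentication:Username} value. Each substituted value is escaped per RFC 4515 so that an unusual username cannot change the meaning of the directory query; the session dictionary, function names and the escaping step are assumptions of this example, not Policy Manager's implementation.

```python
import re
from typing import Mapping

# The Active Directory authentication filter as quoted in the guide (Table 45).
AD_AUTH_FILTER = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"

# %{Namespace:Attribute} placeholders, the dynamic session attribute syntax used in filters.
_PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)\}")

# RFC 4515 escaping for assertion values inside an LDAP search filter (assumed here;
# the guide does not describe how Policy Manager encodes substituted values).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def make_dynamic(filter_str: str, attribute: str, placeholder: str) -> str:
    """Replace the literal value of (attribute=...) with a %{...} placeholder.

    This mirrors Step 3: a filter captured from Alice's record becomes one that
    Policy Manager can associate with any session.
    """
    pattern = re.compile(r"\(" + re.escape(attribute) + r"=[^)]*\)", re.IGNORECASE)
    new_filter, count = pattern.subn(f"({attribute}={placeholder})", filter_str)
    if count == 0:
        raise ValueError(f"attribute {attribute} not found in filter")
    return new_filter


def expand_filter(template: str, session: Mapping[str, str]) -> str:
    """Substitute every %{Namespace:Attribute} with the escaped session value."""
    def _sub(match: "re.Match[str]") -> str:
        key = f"{match.group(1)}:{match.group(2)}"
        if key not in session:
            raise KeyError(f"session has no attribute {key}")
        # A function replacement is inserted verbatim, so the \XX escapes survive.
        return escape_filter_value(session[key])
    return _PLACEHOLDER.sub(_sub, template)


if __name__ == "__main__":
    # Constructed inputs: a filter browsed from Alice's record, then two sessions.
    browsed = "(&(objectClass=user)(sAMAccountName=alice))"
    dynamic = make_dynamic(browsed, "sAMAccountName", "%{Authentication:Username}")
    print(dynamic)  # same text as AD_AUTH_FILTER
    print(expand_filter(dynamic, {"Authentication:Username": "alice"}))
    print(expand_filter(dynamic, {"Authentication:Username": "WS01$"}))  # machine account
    # A username containing filter metacharacters stays a single literal value.
    print(expand_filter(dynamic, {"Authentication:Username": "alice)(objectClass=*"}))
```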
Name / Alias Name / Enable as Role:
Name: This is the name of the attribute.
Alias Name: A friendly name for the attribute. By default, this is the same as the attribute name.
Enabled As: Click here to enable this attribute value to be used directly as a role in an Enforcement Policy. This bypasses the step of having to assign a role in Policy Manager through a Role Mapping Policy.
The attributes that are defined for the authentication source show up as attributes in the role mapping policy rules editor under the authorization source namespace. Then, on the Role Mappings Rules Editor page, the Operator values that display are based on the Data Type specified here. If, for example, you modify the Active Directory department to be an Integer rather than a String, then the list of Operator values will populate with values that are specific to Integers.
Table 50: Generic SQL DB (General Tab)
Name/Description: Freeform label and description.
Type: In this context, Generic SQL DB.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source (if this setting is enabled).
Table 51: Generic SQL DB (Primary Tab)
Server Name: Enter the hostname or IP address of the database server.
Port (Optional): Specify a port value if you want to override the default port.
Database Name: Enter the name of the database to retrieve records from.
Login Username/Password: Enter the name of the user used to log into the database. This account should have read access to all the attributes that need to be retrieved by the specified filters.
Figure 81 Generic SQL DB Filter Configure Popup
Table 53: Generic SQL DB Configure Filter Popup
Filter Name: Name of the filter.
Filter Query: A SQL query to fetch the attributes from the user or device record in the DB.
Name / Alias Name / Data Type / Enabled As:
Name: This is the name of the attribute.
Alias Name: A friendly name for the attribute. By default, this is the same as the attribute name.
Figure 82 HTTP (General Tab)
Table 54: HTTP (General Tab)
Name/Description: Freeform label and description.
Type: In this context, HTTP.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Figure 83 HTTP (Primary Tab)
Table 55: HTTP (Primary Tab)
Base URL: Enter the base URL (host name) or IP address of the HTTP server. For example: http:// or :xxxx where xxxx is the port to access the HTTP Server.
Login Username/Password: Enter the name of the user used to log into the database. This account should have read access to all the attributes that need to be retrieved by the specified filters.
Figure 85 HTTP Filter Configure Popup
Table 57: HTTP Configure Filter Popup
Filter Name: Name of the filter.
Filter Query: The HTTP path (without the server name) to fetch the attributes from the HTTP server. For example, if the full pathname to the filter is http server URL = http://:xxxx/abc/def/xyz, you enter /abc/def/xyz.
Name / Alias Name / Data Type / Enabled As:
Name: This is the name of the attribute.
Alias Name: A friendly name for the attribute.
Figure 86 Kerberos General Tab
Table 58: Kerberos (General Tab)
Name/Description: Freeform label and description.
Type: In this context, Kerberos.
Use for Authorization: Disabled in this context.
Authorization Sources: You must specify one or more authorization sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list, and click Add to add it to the list of authorization sources.
Figure 87 Kerberos (Primary Tab)
Table 59: Kerberos (Primary Tab)
Hostname/Port: Host name or IP address of the Kerberos server, and the port at which the token server listens for Kerberos connections. The default port is 88.
Realm: The domain of authentication. In the case of Active Directory, this is the AD domain.
Service Principal Name: The identity of the service principal as configured in the Kerberos server.
Service Principal Password: Password for the service principal.
General Tab
Figure 88 Okta General Tab
Table 60: Okta (General Tab)
Name/Description: Freeform label and description.
Type: In this context, Okta.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Primary Tab
Figure 89 Okta Primary Tab
Table 61: Okta (Primary Tab)
URL: Enter the address of the Okta server.
Authorization Token: Enter the authorization token as provided by Okta support.
Attributes Tab
Figure 90 Okta Attributes Tab
Table 62: Okta (Attributes Tab)
Filter Name / Attribute Name / Alias Name / Enable as Role. Listing column descriptions:
- Filter Name: Name of the filter. (Only Group can be configured for Okta.
account created in the local database, the role is statically assigned to that account, which means a role mapping policy need not be specified for user accounts in the local database. However, if new custom attributes are assigned to a user (local or guest) account in the local database, these can be used in role mapping policies. The local user database is pre-configured with a filter to retrieve the password and the expiry time for the account.
Table 64: Static Hosts List (Static Host Lists Tab)
Host List: Select a Static Host List from the drop-down and click Add to add it to the list. Click on Remove to remove the selected static host list. Click on View Details to view the contents of the selected static host list. Click on Modify to modify the selected static host list. Only Static Host Lists of type MAC Address List or MAC Address Regular Expression can be configured as authentication sources.
Table 65: Token Server General Tab
Name/Description: Freeform label and description.
Type: In this context, Token Server.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source (if this setting is enabled).
Table 66: Token Server (Primary Tab)
Server Name/Port: Host name or IP address of the token server, and the UDP port at which the token server listens for RADIUS connections. The default port is 1812.
Secret: RADIUS shared secret to connect to the token server.
Attributes Tab
The Attributes tab defines the RADIUS attributes to be fetched from the token server. These attributes can be used in role mapping policies.
Chapter 9 Identity: Users, Endpoints, Roles and Role Mapping
A Role Mapping Policy reduces client (user or device) identity or attributes associated with the request to Role(s) for Enforcement Policy evaluation. The roles ultimately determine differentiated access.
Architecture and Flow
Roles range in complexity from a simple user group (e.g., Finance, Engineering, or Human Resources) to a combination of a user group with some dynamic constraints (e.g.
- [Employee] - Default role for an Employee
- [Guest] - Default role for guest access
- [Other] - Default role for other user or device
- [TACACS API Admin] - API administrator role for Policy Manager admin
- [TACACS Help Desk] - Policy Manager Admin Role, limited to views of the Monitoring screens
- [TACACS Network Admin] - Policy Manager Admin Role, limited to Configuration and Monitoring UI screens
- [TACACS Read-only Admin] - Read-only administrator role for Policy Manager Admin
- [TACACS
When you click Add Role Mapping from any of these locations, Policy Manager displays the Add Role Mapping popup, which contains the following three tabs:
- Policy
- Mapping Rules
- Summary
Policy Tab
The Policy tab labels the method and defines the Default Role (the role to which Policy Manager defaults if the mapping policy does not produce a match for a given request).
When you select Add Rule or Edit Rule, Policy Manager displays the Rules Editor popup.
Figure 100 Rules Editor
Table 68: Role Mappings Page (Rules Editor)
Type: The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on context. (Refer to "Namespaces" on page 314.
When you save your Role Mapping configuration, it appears in the Mapping Rules tab list. In this interface, you can select a rule (click and the background changes color), and then use the various widgets to Move Up, Move Down, Edit the rule, or Remove the rule.
Adding and Modifying Roles
Policy Manager lists all available roles in the Roles page. From the menu, select Configuration > Identity > Roles.
To authenticate local users from a particular Service, include [Local User Repository] among the Authentication Sources. The endpoints table lists the endpoints that have authenticated requests to Policy Manager. These entries are automatically populated from the 802.1X, MAC-based authentications, and web authentications processed by Policy Manager. These can be further modified to add tags, known/unknown, or disabled status. A static host list comprises a list of MAC and IP addresses.
Table 70: Add Local User
User ID / Name / Password / Verify Password: Freeform labels and password.
Enable User: Uncheck to disable this user account.
Role: Select a static role for this local user.
Attributes: Add custom attributes for this local user. Click on the "Click to add..." row to add custom attributes. By default, four custom attributes appear in the Attribute drop-down: Phone, Email, Sponsor, Designation. You can enter any name in the attribute field.
Sponsor Name: Sponsor who sponsored the guest.
Guest Type: USER (for guest users) or DEVICE (for devices registered from the Guest product).
Status: Enabled/Disabled status.
Expired: Whether the guest/device account has expired.
Source Application: Where this account was created: from Policy Manager or the Guest guest provisioning product.
In the Guest Users listing:
- To add a guest user or device, click Add User. This opens the Add New Guest User popup.
User ID / Name / Password / Verify Password (Guest User only): Freeform labels and password. Click Auto Generate to auto-generate a password for the guest user.
MAC Address (Guest Device only): MAC address of the guest device.
Enable Guest: Check to enable the guest user.
Expiry Time: Use the date widget to select the date and time on which this Guest User's access expires.
Attributes: Add custom attributes for this guest user. Click on the "Click to add...
Figure 109 View Onboard Devices
Adding and Modifying Endpoints
Policy Manager automatically lists all endpoints (that have authenticated) in the Endpoints page (Configuration > Identity > Endpoints):
Figure 110 Endpoints Listing
- To view the authentication details of an endpoint, select an endpoint by clicking on its check box, and then click the Authentication Records button. This opens the Endpoint Authentication Details popup.
Figure 112 Add Endpoint
Table 73: Add Endpoint
MAC Address: MAC address of the endpoint.
Status: Mark as a Known, Unknown or Disabled client. The Known and Unknown status can be used in role mapping rules via the Authentication:MacAuth attribute. The Disabled status can be used to block access to a specific endpoint. This status is automatically set when an endpoint is blocked from the Endpoint Activity table (in the Live Monitoring section).
To export an endpoint, in the Endpoints listing page, select it (via check box) and click the Export button. To export ALL endpoints, in the Endpoints listing page, click the Export All Endpoints link in the upper right corner of the page. To import endpoints, in the Endpoints listing page, click the Import Endpoints link in the upper right corner of the page.
Table 74: Add Static Host List
Name / Description: Freeform labels and descriptions.
Host Format: Select a format for expression of the address: subnet, IP address or regular expression.
Host Type: Select a host type: IP Address or MAC Address (radio buttons).
List: Use the Add Host and Remove Host widgets to maintain membership in the current Static Host List.
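As an added example (not ClearPass code), the Python below models a Static Host List with the Host Type and Host Format choices of Table 74, decides whether an endpoint address is a member, and applies the Table 64 rule that only MAC Address List and MAC Address Regular Expression lists may serve as authentication sources. MAC addresses are normalised first, so the notations a network device may send (colon, hyphen, dotted or bare hex) all compare equal; matching regular expressions against the lowercase colon-separated form, and the class and function names, are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = _NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def colon_form(mac: str) -> str:
    """aa:bb:cc:dd:ee:ff, the form regular expressions are matched against (assumed)."""
    d = normalize_mac(mac)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


@dataclass
class StaticHostList:
    name: str
    host_type: str    # "MAC Address" or "IP Address" (Host Type in Table 74)
    host_format: str  # "address", "subnet" or "regex" (Host Format in Table 74)
    hosts: List[str] = field(default_factory=list)

    def contains(self, address: str) -> bool:
        if self.host_type == "MAC Address":
            return self._contains_mac(address)
        if self.host_type == "IP Address":
            return self._contains_ip(address)
        raise ValueError(f"unknown host type {self.host_type!r}")

    def _contains_mac(self, mac: str) -> bool:
        try:
            norm = normalize_mac(mac)
        except ValueError:
            return False  # a malformed address never matches a list
        if self.host_format == "regex":
            text = colon_form(norm)
            return any(re.search(p, text, re.IGNORECASE) for p in self.hosts)
        if self.host_format == "address":
            return norm in {normalize_mac(h) for h in self.hosts}
        raise ValueError("MAC lists use the address or regex format only")

    def _contains_ip(self, ip_text: str) -> bool:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return False
        if self.host_format == "regex":
            return any(re.search(p, ip_text) for p in self.hosts)
        if self.host_format == "subnet":
            return any(ip in ipaddress.ip_network(h, strict=False) for h in self.hosts)
        if self.host_format == "address":
            return any(ip == ipaddress.ip_address(h) for h in self.hosts)
        raise ValueError(f"unknown host format {self.host_format!r}")


def usable_as_auth_source(shl: StaticHostList) -> bool:
    """Table 64: only MAC Address List / MAC Address Regular Expression lists qualify."""
    return shl.host_type == "MAC Address" and shl.host_format in ("address", "regex")


def mac_auth_sources_match(sources: List[StaticHostList], mac: str) -> bool:
    """True when any static host list that may act as an authentication source holds the MAC."""
    return any(s.contains(mac) for s in sources if usable_as_auth_source(s))


if __name__ == "__main__":
    # Constructed lists and addresses for demonstration only.
    printers = StaticHostList("printers", "MAC Address", "address",
                              ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"])
    oui = StaticHostList("vendor-oui", "MAC Address", "regex", [r"^00:11:22:"])
    lab = StaticHostList("lab-subnet", "IP Address", "subnet", ["10.1.0.0/16"])
    for mac in ("0011.2233.4455", "00-11-22-AB-CD-EF", "not-a-mac"):
        print(mac, mac_auth_sources_match([lab, printers, oui], mac))
    print("lab usable as auth source:", usable_as_auth_source(lab))  # False
```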
Chapter 10 Posture
Policy Manager provides several posture methods for health evaluation of clients requesting access. These methods all return Posture Tokens (e.g., Healthy, Quarantine) for use by Policy Manager as input into Enforcement Policy. One or more of these posture methods may be associated with a Service.
Posture Architecture and Flow
Policy Manager supports three different types of posture checking:
- Posture Policy.
- Registry keys/services present (or absent)
- Antivirus/antispyware/firewall configuration
- Patch level of different software components
- Peer-to-peer application checks
- Services to be running or not running
- Processes to be running or not running
Each configured health check returns an application token representing health:
- Healthy. Client is compliant: there are no restrictions on network access.
- Checkup. Client is compliant; however, there is an update available.
Table 75: Posture Features at the Service Level
Sequence of Posture Policies: Select a Policy, then select Move Up, Move Down, Remove, or View Details.
- To add a previously configured Policy, select from the Select drop-down list, then click Add.
- To configure a new Policy, click the Add New Policy link and refer to "Adding and Modifying Posture Policies" on page 152.
- Windows Security Health Validator. Configurable checking for Antivirus/Antispyware/Firewall applications, as well as automatic updates and security updates.
If you have ClearPass OnGuard Agent (dissolvable or persistent) running on the client (Windows 8, Windows 7, Windows XP SP3, Windows Vista, Windows Server 2008, Windows Server 2003, SUSE Linux, Redhat Enterprise Linux, Fedora Linux, CentOS Linux, MAC OS X), use:
- ClearPass Windows Universal System Health Validator.
Table 76: Add Posture Policy
Policy Name/Description: Freeform label and description.
Posture Agent:
- NAP Agent - Use this to configure posture policies for host operating systems with an embedded NAP-compliant agent (Microsoft Windows NAP Agent or ClearPass Linux NAP Agent). Currently, the following OSes are supported: Windows 8, Windows 7, Windows Vista, Windows XP SP3, Windows Server 2008, Windows Server 2008 R2, and Linux OSes supported by ClearPass Linux NAP Agent.
Figure 121 Add Posture Policy (Posture Plugins Tab) - Windows OnGuard Agent
Figure 122 Add Posture Policy (Posture Plugins Tab) - Linux OnGuard Agent
Figure 123 Add Posture Policy (Posture Plugins Tab) - Mac OS X OnGuard Agent

Refer to the following sections for plugin-specific configuration instructions:
- "ClearPass Windows Universal System Health Validator - NAP Agent" on page 156
- "Windows System Health Validator - NAP Agent" on page 176
- "Windows Security Health Validator - NAP Agent" on p
- Transition. Client evaluation is in progress; typically associated with auditing a client. The network access granted is interim.
- Quarantine. Client is out of compliance; restrict network access so that the client only has access to the remediation servers.
- Infected. Client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.
- Unknown. The posture token of the client is unknown.

4. Click Save when you are finished.
Select a version of Windows and click the check box to enable checks for that version. Enabling checks for a specific version displays the following set of configuration pages. These pages are explained in the sections that follow.
Processes

The Processes page provides a set of widgets for specifying particular processes that must be explicitly present or absent on the system.

Figure 127 Processes Page (Overview)

Table 78: Process Page (Overview - Pre-Add) (Parameter / Description)
- Auto Remediation: Enable to allow auto remediation for registry checks (automatically add or remove registry keys based on the entries in the Registry keys to be present and Registry keys to be absent configuration).
Table 79: Process to be Present Page (Detail) (Parameter / Description)
- Process Location: Choose from one of the pre-defined paths, or choose None.
  - SystemDrive - For example, C:
  - SystemRoot - For example, C:\Windows
  - ProgramFiles - For example, "C:\Program Files"
  - HOMEDRIVE - For example, C:
  - HOMEPATH - For example, \Users\JohnDoe
  - None - By selecting None, you can enter a custom path name in the Process Name field.
- Enter the Process name: A pathname containing the process executable name.
Processes to be Absent

Figure 129 Process to be Absent Page (Detail)

Table 80: Process to be Absent Page (Detail) (Parameter / Description)
- Check Type: Select the type of process check to perform. The agent can look for:
  - Process Name - The agent looks for all processes that match the given name. For example, if notepad.exe is specified, the agent kills all processes whose name matches, regardless of the location from which these processes were started.
- Enter the Display name
Figure 130 Process Page (Overview - Post Add)

Registry Keys

The Registry Keys page provides a set of widgets for specifying particular registry keys that must be explicitly present or absent.

Figure 131 Registry Keys Page (Overview)

Table 81: Registry Keys Page (Overview - Pre-Add) (Parameter / Description)
- Auto Remediation: Enable to allow auto remediation for registry checks (automatically add or remove registry keys based on the entries in the Registry keys to be present and Registry keys to be absent configuration).
Registry Keys to be Absent

Figure 132 Registry Keys Page (Detail)

Table 82: Registry Keys Page (Detail) (Parameter / Description)
- Hive/Key/Value (name, type, data): Identifying information for a specific setting of a specific registry key. When you save your Registry details, the key information appears in the Registry page list.
Click Add to specify product and version check information.

Figure 136 Antivirus Page (Detail 2)

After you save your Antivirus configuration, it appears in the Antivirus page list.
Antivirus Page (Detail 2) (Parameter / Description)
- Product/Version/Last Check: Configure the specific settings to test against health data. Not all of these checks are available for every product; where a check is not available, it is shown in a disabled state in the UI.
Figure 141 AntiSpyware Page (Overview After)

When you save your AntiSpyware configuration, it appears in the AntiSpyware page list. The configuration elements are the same for antivirus and antispyware products. Refer to the previous AntiVirus configuration instructions.

Firewall

In the Firewall page, you can specify that a Firewall application must be on, and the page allows drill-down to specify information about the Firewall application.
Table 84: Firewall Page (Interface / Parameter / Description)
Firewall Page
- A Firewall Application is On: Check the Firewall Application is On check box to enable testing of health data for the configured firewall application(s).
- Auto Remediation: Check the Auto Remediation check box to enable auto remediation of firewall status.
- User Notification
- Uncheck to allow any product
- Add
- Trashcan icon
Firewall Page (Detail 1) / Firewall Page (Detail 2)
- Product/Version
(Parameter / Description)
- Available Applications: This scrolling list contains the applications or networks that you can select and move to the Applications to stop panel. Click >> or << to add or remove, respectively, the applications or networks from the Applications to stop box.

Patch Management

In the Patch Management page, you can specify that a patch management application must be on, and the page allows drill-down to specify information about the patch management application.
Table 86: Patch Management Page (Interface / Parameter / Description)
Patch Management Page
- A patch management application is on: Check the Patches / Hot fixes Application is On check box to enable testing of health data for the configured Antivirus application(s).
- Auto Remediation
- User Notification
- Uncheck to allow any product
- Add
- Trashcan icon
Patch Management Page (Detail 1) / Patch Management Page (Detail 2)
- Product/Version
(Parameter / Description)
- Available Hotfixes: The first scrolling list lets you select the criticality of the hotfixes. Based on this selection, the second scrolling list contains the hotfixes that you can select and move to the Hotfixes to be present panel (using their associated widgets). Click >> or << to add or remove, respectively, the hotfixes from the Hotfixes to run boxes.

USB Devices

The USB Devices page provides configuration to control USB mass storage devices attached to an endpoint.
Table 89: Virtual Machines (Parameter / Description)
- Auto Remediation: Enable to allow auto remediation for virtual machines connected to the endpoint.
- User Notification: Enable to allow user notifications for virtual machine policy violations.
- Allow access to clients running on Virtual Machine: Enable to allow clients that are running inside a VM to be accessed and validated.
- Allow access to clients hosting Virtual Machine: Enable to allow clients that are hosting a VM to be accessed and validated.
Configure Network Connection Type

Figure 155 Network Connection Type Configuration

Table 90: Network Connection Type Configuration Page (Parameter / Description)
- Allow Network Connections Type:
  - Allow Only One Network Connection
  - Allow One Network Connection with VPN
  - Allow Multiple Network Connections
- User Notification: Enable to allow user notifications for hotfixes check policy violations.
- Network Connection Types: Click >> or << to add or remove the Others, Wired, and Wireless connection types.
ClearPass Windows Universal System Health Validator - OnGuard Agent

The ClearPass Windows Universal System Health Validator - OnGuard Agent popup appears in response to actions in the Posture Plugins page of the Posture configuration (when you select Windows and OnGuard Agent from the posture policy page). The OnGuard Agent version of the ClearPass Windows Universal System Health Validator supports all the features supported by the NAP Agent validator. In addition, it also supports Windows Server 2003.
(Parameter / Description)
- Insert: To add a service to the list of selectable services, enter its name in the text box adjacent to this button, then click Insert.
- Delete: To remove a service from the list of selectable services, select it and click Delete.

The last option, located at the bottom of the list of Linux versions, is the General Configuration section. This section contains two pages: Firewall Check and Antivirus Check.
When you save your Antivirus configuration, it appears in the Antivirus page list.

Figure 160 Antivirus Check

Table 93: Antivirus Check (Interface / Parameter / Description)
Antivirus Main view
- Add: To configure Antivirus application attributes for testing against health data, click Add.
- Trashcan icon: To remove configured Antivirus application attributes from the list, click the trashcan icon in that row.
- Product/Version/Last Check: Configure the specific settings to test against health data.
Select a check box to enable checks for Mac OS X. Enabling these check boxes displays a corresponding set of configuration pages:
- In the Antivirus page, you can specify that an Antivirus application must be on, and the page allows drill-down to specify information about the Antivirus application. Click An Antivirus Application is On to configure the Antivirus application information.

Figure 162 Antivirus Page (Overview - Before)

When enabled, the Antivirus detail page appears.
Windows Security Health Validator - NAP Agent

This validator checks for the presence of specific types of security applications. An administrator can use the check boxes to restrict access based on the absence of the selected security application types.

Figure 165 Windows Security Health Validator

Windows Security Health Validator - OnGuard Agent

This validator checks for the presence of specific types of security applications.
Figure 167 Windows System Health Validator (Overview)

Windows System Health Validator - OnGuard Agent

This validator checks for current Windows Service Packs. The OnGuard Agent also supports legacy Windows operating systems such as Windows Server 2003. An administrator can use the check boxes to enable support of specific operating systems and to restrict access based on service pack level.
Figure 169 Posture Servers Listing Page

When you click Add Posture Server from any of these locations, Policy Manager displays the Posture Servers configuration page.

Figure 170 Add Posture Server Page

Depending on the Protocol and Requested Credentials, different tabs and fields appear. Refer to "Microsoft NPS" on page 178.

Microsoft NPS

Use the Microsoft NPS server when you want Policy Manager to have health credentials (NAP Statement of Health, SoH) evaluated by the Microsoft NPS Server.
Figure 171 Microsoft NPS Settings (Primary and Backup Server tabs)

Table 95: Microsoft NPS Settings (Primary and Backup Server tabs) (Parameter / Description)
- RADIUS Server Name/Port: Hostname or IP address and RADIUS server UDP port.
- Shared Secret: Enter the shared secret for RADIUS message exchange; the same secret has to be entered on the RADIUS server (Microsoft NPS) side.
- Timeout: How many seconds to wait before deeming the connection dead; if a backup is configured, Policy Manager will attempt to
Chapter 11 Audit Servers

Audit Servers evaluate posture and/or role for unmanaged or unmanageable clients; that is, clients that lack an adequate posture agent or 802.1X supplicant (for example, printers, PDAs, or guest users may not be able to send posture credentials or identify themselves). A Policy Manager Service can trigger an audit by sending a client ID to a pre-configured Audit Server, which returns attributes for role mapping and posture evaluation.
This section contains the following topics:
- "Built-In Audit Servers" on page 181
- "Custom Audit Servers" on page 183
- "Nessus Scan Profiles" on page 186

Built-In Audit Servers

When configuring an audit as part of a Policy Manager Service, you can select the default Nessus ([Nessus Server]) or NMAP ([Nmap Audit]) configuration.

Adding Auditing to a Policy Manager Service

1.
Table 96: Audit Tab (Parameter / Description)
- Audit Server/Add new Audit Server: Select a built-in server profile from the list:
  - The [Nessus Server] performs vulnerability scanning. It returns a Healthy/Quarantine result.
  - The [Nmap Audit] performs network port scans. The health evaluation always returns Healthy. The port scan gathers attributes that allow determination of Role(s) through post-audit rules.
2. Modify the profile, plugins, and/or preferences.
- In the Audit tab, you can modify the In Progress Posture Status and Default Posture Status.
- If you selected a NESSUS Server, then the Primary/Backup Server tabs allow you to specify a scan profile. In addition, when you add a new scan profile, you can select plugins and preferences for the profile. Refer to "Nessus Scan Profiles" on page 186 for more information.
Figure 176 NESSUS Audit Server (Audit Tab)

Table 97: NESSUS Audit Server (Audit tab) (Parameter / Description)
- Name/Description: Freeform label and description.
- Type: For a NESSUS-type Audit Server, always NESSUS.
- In Progress Posture Status: Posture status during audit. Select a status from the drop-down list.
- Default Posture Status: Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.
Table 98: NESSUS Audit Server - Primary and Backup Server tabs (Parameter / Description)
- Server Name and Port/Username/Password: Standard NESSUS server configuration fields. NOTE: For the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
- Scan Profile: You can accept the default Scan Profile or select Add/Edit Scan Profile to create other profiles and add them to the Scan Profile list. Refer to "Nessus Scan Profiles" on page 186.
Figure 179 Options Tab (NMAP)

Table 100: Options Tab (NMAP) (Parameter / Description)
- TCP Scan: To specify a TCP scan, select from the TCP Scan drop-down list. Refer to the NMAP documentation for more information on these options. NMAP option --scanflags.
- UDP Scan: To enable, check the UDP Scan check box. NMAP option -sU.
- Service Scan: To enable, check the Service Scan check box. NMAP option -sV.
- Detect Host Operating System: To enable, check the Detect Host Operating System check box. NMAP option -A.
Figure 180 Nessus Scan Profile Configuration Page

You can refresh the plugins list (after uploading plugins into Policy Manager, or after refreshing the plugins on your external Nessus server) by clicking Refresh Plugins List.
Figure 182 Nessus Scan Profile Configuration (Profile Tab) - Plugin Synopsis

Of special interest is the section of the synopsis entitled Risks. To delete any listed plugin, click its corresponding trashcan icon. To change the vulnerability level of any listed plugin, click the link to change the level to one of HOLE, WARN, INFO, or NOTE. This tells Policy Manager which vulnerability level causes QUARANTINE status to be assigned.
Figure 185 Nessus Scan Profile Configuration (Preferences Tab)

Upon saving the profile, plugin, and preference information for your new (or modified) plugin, you can go to the Primary/Backup Servers tabs and select it from the Scan Profile drop-down list.

Post-Audit Rules

The Rules tab specifies rules for post-audit evaluation of the request to assign a role.
Figure 187 All Audit Server Configurations (Rules Editor)

Table 102: All Audit Server Configurations (Rules Editor) (Parameter / Description)
- Conditions: The Conditions list includes five dictionaries: Audit-Status, Device-Type, Output-Msgs, Mac-Vendor, Network-Apps, Open-Ports, and OS-Info. Refer to "Namespaces" on page 314.
- Actions: The Actions list includes the names of the roles configured in Policy Manager.
- Save: To commit a Condition/Action pairing, click Save.
Chapter 12 Enforcement

Policy Manager controls network access by sending a set of access-control attributes to the request-originating Network Access Device (NAD). Policy Manager derives these attributes by evaluating the Enforcement Policy associated with the service. The evaluation of an Enforcement Policy results in one or more Enforcement Profiles; each Enforcement Profile wraps the access-control attributes sent to the Network Access Device.
Figure 188 Flow of Control of Policy Manager Enforcement

Configuring Enforcement Profiles

You configure Policy Manager Enforcement Profiles globally, but they must be referenced in an enforcement policy that is associated with a Service to be evaluated. From the Enforcement Policies page (Configuration > Enforcement > Policies), you can configure an Enforcement Profile for a new enforcement policy (as part of the flow of the Add Enforcement Policy wizard), or modify an existing Enforcement Profile directly
- [Allow Access Profile]. System-defined RADIUS profile to allow network access; Policy Manager sends a RADIUS Access-Accept message with no attributes.
- [Deny Access Profile]. System-defined RADIUS profile to deny network access; Policy Manager sends a RADIUS Access-Reject message with no attributes.
- [Drop Access Profile]. System-defined profile to drop the network access request; Policy Manager silently drops the RADIUS Access-Request message.
- [TACACS Deny Profile].
- Dell RADIUS Enforcement - RADIUS template that can be filled with attributes from the Dell RADIUS dictionaries loaded into Policy Manager.
- Dell Downloadable Role Enforcement - RADIUS template that can be filled with role attributes to create roles that can be assigned to users after successful authentication.
- Filter ID Based Enforcement - All RADIUS attributes for filter-id based enforcement are pre-filled in this template.
(Parameter / Description)
- Device Group List: Associate the profile with pre-configured Device Groups.
  - Add New Device Group to add a new device group.
  - Add to add a device group from this drop-down list.
  - Remove, View Details, Modify to remove, view the details of, or modify the selected enforcement profile, respectively.
  NOTE: This feature does not work with RADIUS CoA type Enforcement Profiles.
Figure 191 RADIUS Enforcement Profile (Attributes Tab)
Figure 192 RADIUS Enforcement Profile (Attributes Tab) - Generic RADIUS Enforcement Profile

Table 104: RADIUS Enforcement Profile (Attributes tab) (Enforcement Profile Template / Description)
- A - VLAN Enforcement: Enforcement profile template to set IETF RADIUS standard VLAN attributes.
- B - Filter ID Based Enforcement: Enforcement profile template to set the IETF RADIUS standard filter ID attribute.
- C - Cisco Downloadable ACL Enforcement: Enforcement profile template for Cisco IOS downloadable ACLs.
- D - Cisco Web Authentication Enforcement: Enforcement profile template to set Cisco Web Authentication ACLs.
- E - (Generic) RADIUS Based Authentication: Type is any RADIUS vendor dictionary that is pre-packaged with Policy Manager, or imported by the Administrator. This field is pre-populated with the dictionary names.
Figure 193 SNMP Enforcement Profile (SNMP Tab)

The SNMP Enforcement Profile SNMP tab loads the SNMP dictionary attributes supported by Policy Manager.

Table 105: SNMP Enforcement Profile (SNMP tab) (Interface / Description)
- VLAN Id: VLAN ID to be sent to the device.
- Session Timeout: Session timeout in seconds.
- Reset Connection (after the settings are applied): Reset Connection is a primitive that does different actions based on the capabilities of the network device. For devices that support the 802.
Figure 194 TACACS+ Enforcement Profiles (Services Tab)

Table 106: TACACS+ Enforcement Profile (Services tab) (Container / Description)
- Privilege Level: Enter a value from 0 to 15. NOTE: Refer to your network device documentation for definitions of the different privilege levels.
- Selected Services: To add supported services, click Add. To remove a service, select it and click Remove.
Figure 195 TACACS+ Enforcement Profiles (Commands tab)

Table 107: Commands tab (TACACS+ Enforcement Profiles) (Container / Description)
- Service Type: Select the Shell or PIX shell radio button. Subsequent selections in this tab configure the commands and arguments allowed/disallowed for this selection.
- Unmatched Commands: Enable to permit commands that are not explicitly entered in the Commands field.
- Commands: Contains a list of the commands recognized for the specified Service Type. To add a command, click Add.
Figure 196 Application Enforcement Profiles (Attributes Tab)

Table 108: Application Enforcement Profiles (Attributes tab) (Container / Description)
- PrivilegeLevel: Enter a predefined value (Admin, Sponsor, Helpdesk) or enter an application-specific custom value. NOTE: Sponsor is only valid for the Guest application.
- SponsorProfileName: Valid only for the Guest application. This is the (case-sensitive) name of the sponsor profile defined in the Guest application.
Figure 198 Agent Enforcement Profile (Attributes Tab)

Table 110: Agent Enforcement Profiles (Attributes tab) (Container / Description)
- Bounce Client: If checked, the endpoint is bounced by the OnGuard agent (this feature is only available with the persistent agent).
- Message: A custom message to send to the endpoint.
- Session Timeout (in seconds): Timeout after which the OnGuard agent forces a re-authentication on the endpoint.
Table 111: Post Authentication Enforcement Profiles (Enforcement Profile Template / Description)
- A - ClearPass Entity Update Enforcement: Enforcement profile template used to update tags in endpoints and guest users. Type is any endpoint, guest user, or a session update. Name is the name of an attribute associated with an endpoint, guest user, or a session update. If the type is session update, the tags are updated for either an endpoint or a guest user. Value is the value of the attribute.
Figure 201 Add Enforcement Policy (Enforcement tab)

Table 112: Add Enforcement Policy (Enforcement tab) (Parameter / Description)
- Name/Description: Freeform label and description.
- Type: Select RADIUS, TACACS+, WebAuth (SNMP/CLI), or Application. Based on this selection, the Default Profile list shows the matching type of enforcement profiles in the drop-down list (see below).
Figure 203 Add Enforcement Policy (Rules Editor)

Table 113: Add Enforcement Policy (Rules tab) (Field / Description)
- Add/Edit Rule: Bring up the rules editor to add/edit a rule.
- Move Up/Down: Reorder the rules in the enforcement policy.
- Remove Rule: Remove a rule.

Table 114: Add Enforcement Policy (Rules Editor) (Field / Description)
- Conditions/Enforcement Profiles: Select conditions for this rule. For each condition, select a matching action (Enforcement Profile).
Chapter 13 Network Access Devices

A Policy Manager Device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol.
Table 115: Device tab (Container / Description)
- Name/Description: Specify the identity of the device.
- IP Address or Subnet: Specify the IP address or the subnet (for example, 192.168.5.0/24) of the device.
- RADIUS/TACACS+ Shared Secret: Enter and confirm a Shared Secret for each of the two supported request protocols.
- Vendor: Optionally, specify the dictionary to be loaded for this device. NOTE: RADIUS:IETF, the dictionary containing the standard set of RADIUS attributes, is always loaded.
Figure 207 SNMP Read/Write Settings tabs - SNMP v3 Details

Table 116: SNMP Read/Write Settings tabs (Container / Description)
- Allow SNMP Read/Write: Toggle to enable/disable SNMP Read/Write.
- Default VLAN (SNMP Write only): VLAN port setting after the SNMP-enforced session expires.
- SNMP Read/Write Setting: SNMP settings for the device.
In large or geographically spread cluster deployments you do not want all CPPM nodes to probe all SNMP-configured devices. The default behavior is for a CPPM node in the cluster to read network device information only for devices configured to send traps to that CPPM node.

Figure 208 CLI Settings tab

Table 117: CLI Settings tab (Container / Description)
- Allow CLI Access: Toggle to enable/disable CLI access.
- Access Type: Select SSH or Telnet.
Additional Available Tasks
- To import a device, click Import Devices. In the Import from File popup, browse to select a file, and then click Import. If you entered a secret key to encrypt the exported file, enter the same secret key to import the device back.
- To export all devices from the configuration, click Export Devices. In the Export to File popup, specify a file path, and then click Export. In the Export to File popup, you can choose to encrypt the exported data with a key.
Figure 210 Add New Device Group Popup

Table 118: Add New Device Group popup (Container / Description)
- Name/Description/Format: Specify the identity of the device group.
- Subnet: Enter a subnet consisting of the network address and the network suffix (CIDR notation); for example, 192.168.5.0/24
- Regular Expression: Specify a regular expression that represents all IPv4 addresses matching that expression; for example, ^192(.
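As an added example (not code from the guide or the product), the following Python checks whether a NAD address falls into a Device Group defined in either of the two formats above, a CIDR subnet or an IPv4 regular expression. The group definitions are constructed, and it is assumed that the product applies the expression with search semantics, so the anchors and escaping the administrator writes decide how much of the address must match.

```python
"""Added example, not ClearPass code: Device Group membership for a NAD IP
address using the two formats the guide describes, a CIDR subnet and an
IPv4 regular expression, plus a review aid for over-broad expressions."""
import ipaddress
import re

# Constructed sample device groups (not taken from the guide).
DEVICE_GROUPS = {
    "Branch-5-Subnet": ("subnet", "192.168.5.0/24"),
    # Dots escaped and both ends anchored: matches only 192.168.5.x and 192.168.6.x.
    "Branch-5-6-Regex": ("regex", r"^192\.168\.(5|6)\.\d{1,3}$"),
    # Loose pattern: an unescaped '.' matches any character and there is no '$'
    # anchor, so 192.168.50.1 is also a member, which is probably not intended.
    "Loose-Regex": ("regex", r"^192.168.5."),
}


def in_subnet(nad_ip: str, subnet: str) -> bool:
    """Subnet format: network address plus CIDR suffix, e.g. 192.168.5.0/24."""
    return ipaddress.ip_address(nad_ip) in ipaddress.ip_network(subnet, strict=False)


def matches_regex(nad_ip: str, pattern: str) -> bool:
    """Regular Expression format. Search semantics are assumed: only the
    anchors written into the pattern constrain where it has to match."""
    return re.search(pattern, nad_ip) is not None


def groups_for(nad_ip: str, groups=DEVICE_GROUPS) -> list:
    """Return the names of every group whose definition covers nad_ip."""
    ipaddress.ip_address(nad_ip)  # raises ValueError on a malformed address
    hits = []
    for name, (fmt, definition) in groups.items():
        if fmt == "subnet" and in_subnet(nad_ip, definition):
            hits.append(name)
        elif fmt == "regex" and matches_regex(nad_ip, definition):
            hits.append(name)
    return hits


def loose_ipv4_regex(pattern: str) -> list:
    """Review aid: the two common mistakes that make a regex-based Device
    Group (and therefore every enforcement profile tied to it) broader than
    intended."""
    problems = []
    if re.search(r"(?<!\\)\.", pattern):
        problems.append("unescaped '.' matches any character")
    if not pattern.endswith("$"):
        problems.append("no '$' anchor; a longer address can still match")
    return problems
```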
For SNMP enforcement on the network device, one or more of the following traps have to be configured on the device: Link Up trap, Link Down trap, MAC Notification trap. In addition, one or more of the following SNMP MIBs must be supported by the device: RFC-1213 MIB, IF-MIB, BRIDGE-MIB, ENTITY-MIB, Q-BRIDGE-MIB, CISCO-VLAN-MEMBERSHIP-MIB, CISCO-STACK-MIB, CISCO-MAC-NOTIFICATION-MIB. These traps and MIBs enable Policy Manager to correlate the MAC address, IP address, switch port, and switch information.
Figure 212 Add Proxy Target Popup

Table 119: Add Proxy Target popup (Container / Description)
- Name/Description: Freeform label and description.
- Hostname/Shared Secret: RADIUS Hostname and Shared Secret. Use the same secret that you entered on the proxy target (refer to your RADIUS server configuration).
- RADIUS Authentication Port: Enter the UDP port to send the RADIUS request to. The default value for this port is 1812.
- RADIUS Accounting Port: Enter the UDP port to send the RADIUS accounting request to.
Chapter 14 Administration

All administrative activities, including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance, are done from the Administration menus.
- "Import Users" on page 218
- "Export Users" on page 218
- "Export" on page 218

Figure 213 Admin Users

Table 120: Admin Users (Container / Description)
- Add User: Opens the Add User popup form.
- Import Users: Opens the Import Users popup form.
- Export Users: Exports all users to an XML file.
- Export: Exports the selected user to an XML file.
- Delete: Deletes the selected User.

Add User

Select the Add User link in the upper right portion of the page.
Table 121: Add Admin User (Container / Description)
- User ID / Name / Password / Verify Password: Specify the identity and password for a new admin user.
- Privilege Level: Select a Privilege Level: Help Desk, Super Administrator, Network Administrator, Receptionist, or any other custom privilege level.
- Add/Cancel: Add or dismiss changes.

Import Users

Select the Import Users link in the upper right portion of the page.
To export a user, select it (check box at left) and click Export. Your browser will display its normal Save As dialog, in which you enter the name of the XML file to contain the export.

Admin Privileges

To view the available Admin Privileges, go to Administration > Users and Privileges > Admin Privileges.

Figure 216 Admin Privileges

See Custom Admin Privileges to create additional admin privileges and Exporting to export the definition of one or more admin privileges.
The actual admin privilege information is defined with the AdminPrivilege and AdminTask tags. You use one AdminPrivilege tag for each admin privilege you want to define. The AdminPrivilege tag contains two attributes: name and description. Inside the AdminPrivilege tag are one or more AdminTask tags, each one defining a place within the Policy Manager application that a user with that privilege can view or change. The AdminTask tag contains one taskid attribute and a single AdminTaskAction tag.
    - Roles: taskId="con.id.rs"
    - Role Mappings: taskId="con.id.rm"
  - Posture: taskId="con.pv"
    - Posture Policies: taskId="con.pv.in"
    - Posture Servers: taskId="con.pv.ex"
    - Audit Servers: taskId="con.pv.au"
  - Enforcements: taskId="con.en"
    - Policies: taskId="con.en.epo"
    - Profiles: taskId="con.en.epr"
  - Network: taskId="con.nw"
    - Devices: taskId="con.nw.nd"
    - Device Groups: taskId="con.nw.ng"
    - Proxy Targets: taskId="con.nw.pr"
  - Policy Simulation: taskId="con.
    - Guest Portal: taskId="adm.po.gp"
    - Software Updates: taskId="adm.po.es"

If you provide permission for an area, the same permission for all of its sub-areas is included by default. For example, if you give RW permission for Enforcements (con.en), you grant that permission for its sub-areas, in this case Policies (con.en.epo) and Profiles (con.en.epr), and you do not have to explicitly define the same permission for those sub-areas.
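As an added example (not code from the guide or the product), the following Python parses a privilege definition shaped like the AdminPrivilege/AdminTask/AdminTaskAction structure described above and resolves the permission a privilege grants on a given taskId, applying the area-to-sub-area inheritance rule. The sample XML is constructed; the name of the attribute that carries the permission on AdminTaskAction (assumed here to be type, with values such as RW and RO) and the rule that the most specific explicit entry wins are assumptions, since the guide states neither.

```python
"""Added example, not ClearPass code: resolve the effective permission a
Policy Manager admin privilege grants on a taskId, honouring the rule that a
grant on an area (con.en) covers its sub-areas (con.en.epo, con.en.epr)."""
import xml.etree.ElementTree as ET

# Constructed sample. Element names follow the guide; the "type" attribute on
# AdminTaskAction and its RW/RO values are assumptions, not documented here.
SAMPLE_XML = """<AdminPrivileges>
  <AdminPrivilege name="PostureOperator" description="constructed example">
    <AdminTask taskid="con.en"><AdminTaskAction type="RW"/></AdminTask>
    <AdminTask taskid="con.pv"><AdminTaskAction type="RO"/></AdminTask>
    <AdminTask taskid="con.pv.au"><AdminTaskAction type="RW"/></AdminTask>
  </AdminPrivilege>
</AdminPrivileges>"""


def parse_privileges(xml_text: str) -> dict:
    """Return {privilege name: {taskid: permission}}. Raises ValueError when an
    AdminTask does not carry exactly one AdminTaskAction, as the guide requires."""
    root = ET.fromstring(xml_text)
    privileges = {}
    for priv in root.iter("AdminPrivilege"):
        grants = {}
        for task in priv.findall("AdminTask"):
            actions = task.findall("AdminTaskAction")
            if len(actions) != 1:
                raise ValueError(
                    f"taskid {task.get('taskid')!r}: expected exactly one AdminTaskAction")
            grants[task.get("taskid")] = actions[0].get("type")
        privileges[priv.get("name")] = grants
    return privileges


def effective_permission(grants: dict, task_id: str):
    """Walk from task_id up through its parent areas (con.pv.in -> con.pv -> con)
    and return the first explicit grant found, or None if no area above
    task_id is granted. Most-specific-wins is an assumption."""
    parts = task_id.split(".")
    while parts:
        key = ".".join(parts)
        if key in grants:
            return grants[key]
        parts.pop()
    return None


def escalations(grants: dict) -> list:
    """Review aid: list sub-areas granted more than the area they sit in, which
    is easy to overlook when reading a long privilege file."""
    rank = {"RO": 1, "RW": 2}
    found = []
    for task_id, perm in grants.items():
        parent = ".".join(task_id.split(".")[:-1])
        inherited = effective_permission(grants, parent) if parent else None
        if inherited and rank.get(perm, 0) > rank.get(inherited, 0):
            found.append(f"{task_id} is {perm} but {parent} is {inherited}")
    return found


def sample_grants() -> dict:
    """Grants of the constructed PostureOperator privilege above."""
    return parse_privileges(SAMPLE_XML)["PostureOperator"]
```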
Set Date/Time

Navigate to Administration > Server Manager > Server Configuration, and click the Set Date and Time link. This opens by default on the Date & Time tab.

Figure 218 Change Date and Time - Date & Time tab

Table 123: Change Date and Time - Date & Time tab (Container / Description)
- Date in yyyy-mm-dd format: To specify the date and time, use the indicated syntax. This is available only when Synchronize time with NTP server is unchecked.
Figure 219 Time zone on publisher

Change Cluster Password

Navigate to Administration > Server Manager > Server Configuration, and click the Change Cluster Password link. Use this function to change the cluster-wide password. Changing this password also changes the password for the CLI user 'appadmin'.

Figure 220 Change Cluster Password
Table 124: Change Cluster Password (Container / Description)
- New Password / Verify Password: Enter and confirm the new password.
- Save/Cancel: Commit or dismiss changes.

Manage Policy Manager Zones

CPPM shares a distributed cache of runtime state across all nodes in a cluster.
NetEvents Targets

Netevents is a collection of details about various ClearPass Policy Manager entities, such as users, endpoints, guests, authentications, accounting details, and so on. This information is periodically posted to a server that is configured as the NetEvents target. If the ClearPass Insight feature is enabled on a ClearPass Policy Manager, it receives netevents from all other server nodes within the same CPPM cluster.
Table 127: Virtual IP Settings Parameters (Parameter / Description)
- Virtual IP: Enter the IP address you want to define as the virtual IP address.
- Node: Select the servers to use as the primary and secondary nodes.
- Interface: Select the interface on each server to which the virtual IP address should be bound.
- Subnet: This value is entered automatically; you do not need to change it.
- Enabled: Select the check box to enable the Virtual IP address.
(Container / Description)
- Do not backup the existing databases before this operation: Enable this check box only if you do not require a backup of the existing database.

Upload Nessus Plugins

Navigate to the Administration > Server Manager > Server Configuration page, and click the Upload Nessus Plugins link.

Figure 225 Upload Nessus Plugins

Table 129: Upload Nessus Plugins (Container / Description)
- Select File: Click Browse and select the plugins file with the extension tar.gz.
Figure 227 Cluster-Wide Parameters dialog box, Cleanup Interval tab
Figure 228 Cluster-Wide Parameters dialog box, Notification tab
Figure 229 Cluster-Wide Parameters dialog box, Standby Publisher tab
Figure 230 Cluster-Wide Parameters dialog box, Virtual IP Configuration tab

Table 130: Cluster-Wide Parameters (Parameter / Description)
General
- Policy result cache cleanup timeout: The number of minutes to store the role mapping and posture results derived by the policy engine during policy evaluation. This result can then be used in subsequent evaluation of policies associated with a service, if "Use cached Roles and Posture attributes from previous sessions" is turned on for the service.
Endpoint Context Servers polling interval - Enter the number of minutes between polling of endpoint context servers. The default is 60.

Cleanup Intervals

Cleanup interval for session log details in the database - Number of days to keep the following data in the Policy Manager DB: session logs (found on Access Tracker), event logs (found on Event Viewer), and the machine authentication cache.
Cleanup interval for information stored on disk - Number of days to keep log files, etc.
Alert Notification eMail Address - Comma-separated list of email addresses to which alert messages are sent.
Alert Notification SMS Address - Comma-separated list of SMS addresses to which alert messages are sent. For example, 4085551212@txt.att.net.

Standby Publisher

Enable Publisher Failover - Select TRUE to authorize a node in a cluster on the system to act as a publisher if the primary publisher fails.
Figure 231 Collect Logs

3. Enter a filename and add the .tar.gz extension to the filename.
4. Select which types of logging information you want to collect:
- System Logs
- Logs from all Policy Manager services
- Capture network packets for the specified duration. Use this with caution, and only when you want to debug a problem. System performance can be severely impacted.
- Diagnostic dumps from Policy Manager services
5. Enter the time period of the information you want to collect.
2. Extract the .tar.gz file. The result is a file with the .tar extension.
3. Open the .tar file and extract the files within it. The result is a folder named the same as the .tar file. Inside that folder, you will find another folder with a randomly generated name that begins with "tmp." Inside that folder, you will find one folder for each of the four types of information you chose to save.
Do not backup password fields in configuration database - Select this if you do not want to back up password fields in the configuration database.
Backup databases for installed applications - Select this option if you want the backup to include databases for installed applications.

Restore

Navigate to the Administration > Server Manager > Server Configuration page, and click on the Restore button. Note that this action can also be performed using the "restore" CLI command.
Restore cluster server/node entries from backup - Enable to include the cluster server/node entries in the restore.
Do not backup the existing databases before this operation - Enable this option if you do not want to back up the existing databases before performing a restore.

Shutdown/Reboot

Navigate to the Administration > Server Manager > Server Configuration page, and click on the Shutdown or Reboot button to shut down or reboot the node from the UI.
Enable Insight - Enable the Insight reporting tool on this node. Note:
- When the admin enables the Insight check box on a node in a cluster, the [Insight Repository] configuration is automatically updated to point to the management IP of that server.
- When the check box is enabled for other servers in the cluster, they are added as backups for the same authentication source.
There is no need to join CPPM to multiple domains belonging to the same AD forest, because a one-way trust relationship exists between these domains. In this case, you join CPPM to the root domain.

Join Domain - Click on this button to join this Policy Manager appliance to an Active Directory domain.
Leave Domain - Click on this button to disassociate this Policy Manager appliance from an Active Directory domain.
User Name - User ID of the domain administrator account
Password - Password of the domain administrator account

Services Control Tab

From the Services Control tab, you can view a service status and control (stop or start) Policy Manager services.

Figure 237 Services Control Tab

Service Parameters Tab

Navigate to the Service Parameters tab to change system parameters of the services.
LDAP Primary Retry Interval - Once a primary LDAP server is down, Policy Manager connects to one of the backup servers. This parameter specifies how long Policy Manager waits before it tries to connect to the primary server again.
External Posture Server Thread Pool Size - Specifies the number of threads to use for posture servers.
External Posture Server Primary Retry Interval - Once a primary posture server is down, Policy Manager connects to one of the backup servers.
Maximum Response Delay - Time delay before retrying a proxy request, if the target server has not responded.
Maximum Reactivation Time - Time to elapse before retrying a dead proxy server.
Maximum Retry Counts - Maximum number of times to retry a proxy request if the target server doesn't respond.

Security

Reject Packet Delay - Delay time before sending an actual RADIUS Access-Reject after the server decides to reject the request.
Maximum Attributes - Maximum number of RADIUS attr
SQL DB Authentication Source Connection Count - Maximum number of SQL DB
EAP-TLS Fragment Size - Maximum size of an EAP-TLS fragment.
Use Inner Identity in Access-Accept Reply - Specify TRUE or FALSE.
TLS Session Cache Limit - Number of TLS sessions to cache before purging the cache (used in TLS-based 802.1X EAP methods).
AD (Active Directory) Errors Window Size - Enter a duration during which Active Directory errors are accumulated for possible action.
PACs are valid across cluster - Whether PACs generated by this server are valid across the cluster or not.

Accounting

Log Accounting Interim-Update Packets - Store the Interim-Update packets in session logs.
Form POST Size - Maximum HTTP POST content size that can be sent to the PHP application.
File Upload Size - Maximum file size that can be uploaded into the PHP application.
Input Time - Time limit after which the server will detect no activity from the user and will take some action.
Socket Timeout - Maximum time for any socket connections.
Enable zlib output compression - Setting to compress the output files.
Table 139: Service Parameters - ClearPass network services

DhcpSnooper

MAC to IP Request Hold time - Number of seconds to wait before responding to a query for the IP address corresponding to a MAC address. Any DHCP message received in this time period will refresh the MAC to IP binding. Typically, the audit service requests a MAC to IP mapping as soon as the RADIUS request is received, but the client may take some more time to receive an IP address through DHCP.
SNMP v3 Trap Authentication Key / SNMP v3 Trap Privacy Key - SNMP v3 authentication key and privacy key for incoming traps.
Device Info Poll Interval - Specifies the time (in minutes) between polling for device information.

PostureService

Audit Thread Pool Size - Specifies the number of threads to use for connections to audit servers.
1 Min CPU load average Threshold / 5 Min CPU load average Threshold / 15 Min CPU load average Threshold - These parameters monitor the CPU load average of the system, specifying thresholds for 1-min, 5-min and 15-min averages, respectively. If any of these loads exceeds the associated maximum value, the system sends traps to the configured trap servers.

System Monitoring Tab

Navigate to the System Monitor tab to configure the SNMP parameters.
SNMP Configuration: SNMP v3: Username - Username to use for SNMP v3 communication.
SNMP Configuration: SNMP v3: Security Level - One of NOAUTH_NOPRIV (no authentication or privacy), AUTH_NOPRIV (authenticate, but no privacy), AUTH_PRIV (authenticate and keep the communication private).
SNMP Configuration: SNMP v3: Authentication Protocol / SNMP Configuration: SNMP v3: Authentication key - Authentication protocol (MD5 or SHA) and key.
SNMP Configuration: SNMP v3: Privacy Protocol
Figure 246 Creating GRE Tunnel

Table 142: Creating GRE Tunnel

Display Name - Optional name for the tunnel interface. This name is used to identify the tunnel in the list of network interfaces.
Local Inner IP - Local IP address of the tunnel network interface.
Remote Outer IP - IP address of the remote tunnel endpoint.
Remote Inner IP - Remote IP address of the tunnel network interface. Enter a value here to automatically create a route to this address through the tunnel.
Table 143: Creating VLAN Parameters

Physical Interface - The physical port on which to create the VLAN interface. This is the interface through which the VLAN traffic will be routed.
VLAN Name - Name for the VLAN interface. This name is used to identify the VLAN in the list of network interfaces.
VLAN ID - 802.1Q VLAN identifier. Enter a value between 1 and 4094. The VLAN ID cannot be changed after the VLAN interface has been created.
IP Address - IP address of the VLAN.
Table 144: Restrict Access Parameters

Resource Name - Select the application you want to allow or deny access to.
Network - Enter one or more hostnames, IP addresses, or IP subnets, separated by commas. The devices defined by what you enter here will be either specifically allowed or specifically denied access to the application you select.
Access - Select:
- Allow to define allowed access
- Deny to define denied access
Default Log Level - This drop down is available if the Module Log Level Settings option is disabled. This sets the default logging level for all modules. Available options include the following:
- DEBUG
- INFO
- WARN
- ERROR
- FATAL
Set this option first, and then override any modules as necessary.
Service Name / Enable Syslog / Syslog Filter Level - For each service, you can select the Enable Syslog check box and then override the Syslog Filter level. The current Syslog Filter level is based on the default log level specified on the Service Log Configuration tab.
Restore Defaults/Save - Click Save to save changes or Restore Defaults to restore default settings.
On a VM instance of CPPM, the permanent license must be entered. These licenses are listed in the tables on the License Summary tab. There is one entry per server node in the cluster. All application licenses are also listed on the Applications tab. You can add and activate OnGuard, Guest, Onboard, Enterprise, and WorkSpace application licenses. The Summary section shows the number of purchased licenses for Policy Manager, OnGuard, Guest, Onboard, and WorkSpace.
4. In the Online Activation section, click Activate Now. If you are not connected to the Internet, follow the instructions in the Offline Activation section. Download an Activation Request Token from the Policy Manager server and email the file to Dell support. You will receive an Activation Key that you can upload.

Add an Application License

You can add a license by clicking the Add License button on the top right portion of this page.
4. Click OK.

Update an Application License

Licenses typically require updating when they expire (for example, in the case of an evaluation license) or when capacity exceeds its licensed amount. You update an application's license by entering a new license key.

To update a license
1. Go to Administration > Server Manager > Licensing.
2. Click the Applications tab.
3. Click an application anywhere except in the Activation Status column. The Update License dialog box appears.
4. Enter the New License Key.
5.
- "Export a Single SNMP Trap Server" on page 259

Figure 255 SNMP Trap Receivers Listing Page

Table 148: SNMP Trap Receivers

Add Trap Server - Opens the Add Trap Server popup.
Import Trap Server - Opens the Import Trap Server popup.
Export Trap Server - Opens the Export Trap Server popup.
Export - Opens the Export popup.
Delete - To delete an SNMP Trap Configuration, select it (using the check box at the left), and then click Delete.
Description - Freeform description.
SNMP Version - V1 or V2C.
Community String / Verify Community String - Community string for sending the traps.
Server Port - Port number for sending the traps; by default, port 162. NOTE: Configure the trap server firewall for traffic on this port.
Save/Cancel - Click Save to commit the configuration or Cancel to dismiss.
Syslog Targets

Policy Manager can export session data (seen in the Access Tracker), audit records (seen in the Audit Viewer) and event records (seen in the Event Viewer). This information can be sent to one or more syslog targets (servers). You configure syslog targets from this page.
Figure 259 Add Syslog Target

Table 152: Add Syslog Target

Host Address - Syslog server hostname or IP address.
Description - Freeform description.
Protocol - Select from:
- UDP: To reduce overhead and latency.
- TCP: To provide error checking and packet delivery validation.
Server Port - Port number for sending the syslog messages; by default, port 514.

Import Syslog Target

Navigate to Administration > External Servers > Syslog Targets and select Import Syslog Target.
Export Syslog Target

Navigate to Administration > External Servers > Syslog Targets and select the Export Syslog Target link. The Export Syslog Target link exports all configured syslog targets. Click Export Syslog Target. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the Syslog Target configuration.

Export

Navigate to Administration > External Servers and select the Syslog Targets button.
Enable/Disable - Click the Enable/Disable toggle button to enable or disable the syslog filter.
Export - Opens the Export popup.
Delete - To delete a Syslog Filter, select it (check box at left) and click Delete.

Add Syslog Filter

To add a Syslog Filter, navigate to Administration > External Servers > Syslog Filters > Add Syslog Filter. Refer to the following image.
If you selected Session Logs as the export template in the General tab, a new tab, Filter and Columns, appears. In this tab you specify the Data Filter (see Adding Data Filters) you want to use. Specifying a data filter filters the rows that are sent to the syslog target. You may also select the columns that are sent to the syslog target. This form provides two methods for configuring data filters. Option 1 allows you to choose from pre-defined field groups and to select columns based on the Type.
Figure 264 Import Syslog Filter

Table 157: Import from File

Select File - Browse to the Syslog Filter configuration file to be imported.
Enter secret for the file (if any) - If the file was exported with a secret key for encryption, enter the same key here.
Import/Cancel - Click Import to commit, or Cancel to dismiss the popup.

Export Syslog Filter

Navigate to Administration > External Servers > Syslog Filters and select the Export Syslog Filter link.
Figure 265 Messaging Setup (SMTP Servers)
Table 158: Messaging Setup (SMTP Servers tab)

Select Server - Specify the server for which to configure messaging. All nodes in the cluster appear in the drop down list.
Use the same settings for sending both emails and SMSes - Check this box to configure the same settings for both your SMTP and SMS email servers. This box is checked by default.
Server name - Fully qualified domain name or IP address of the server.
Endpoint Context Servers

Policy Manager provides the ability to collect endpoint profile information from different types of Dell W-Series IAPs and RAPs via Aruba Activate. Policy Manager supports Aruba Activate, Palo Alto Networks' Firewall and Panorama, and MDM (Mobile Device Management) from AirWatch, JAMF, MaaS360, MobileIron, and SOTI. The mobile device management platforms run on MDM servers.
To delete an endpoint context server
1. Go to Administration > External Servers > Endpoint Context Servers.
2. Click the check box next to the server name.
3. Click Delete.
4. Click Yes.

Endpoint Context Server Configuration Details

The following table explains each field used for configuring endpoint context servers.

Table 160: Endpoint Context Server Configuration Fields

Select Server Type - Select the type of server. Several configuration options are specific to a server type.
- "Import Server Certificate" on page 273

Figure 268 Server Certificates

Table 161: Server Certificate

Create Self-Signed Certificate - Opens the Create Self-Signed Certificate popup.
Create Certificate Signing Request - Opens the Create Certificate Signing Request popup.
Select Server - Select a server in the cluster for server certificate operations.
Export - Opens the Export popup.
Import - Opens the Import popup.
Figure 270 Generated Self Signed Certificate

Table 162: Create Self-Signed Certificate

Common Name (CN) - Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required.
Organization (O) - Name of the organization. This field is optional.
Organizational Unit (OU) - Name of a department, division, section, or other meaningful name. This field is optional.
State (ST) - State, country, and/or another meaningful location.
Valid for - Specify duration in days.
Submit/Cancel - On submit, Policy Manager generates a popup containing the self-signed certificate. Click on the Install button to install the certificate on the selected server. NOTE: All services are restarted; you must log in to the UI again to continue.

Create Certificate Signing Request

Navigate to Administration > Certificates > Server Certificates and click on the Create Certificate Signing Request link.
Table 163: Create Certificate Signing Request

Common Name (CN) - Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required. The default is the fully-qualified domain name (FQDN).
Organization (O) - Name of the organization. This field is optional.
Organizational Unit (OU) - Name of a department, division, section, or other meaningful name. This field is optional.
Figure 273 Import Server Certificate

Table 164: Import Server Certificate

Certificate File - Browse to the certificate file to be imported.
Private Key File - Browse to the private key file to be imported.
Private Key Password - Specify the private key password.
Import/Cancel - Click Import to commit, or Cancel to dismiss the popup.

Certificate Trust List

To display the list of trusted Certificate Authorities (CAs), navigate to Administration > Certificates > Certificate Trust List.
Figure 275 Add Certificate

Table 166: Add Certificate

Certificate File - Browse to select the certificate file.
Add Certificate/Cancel - Click Add Certificate to commit, or Cancel to dismiss the popup.

Revocation Lists

To display available Revocation Lists, navigate to Administration > Certificates > Revocation Lists. To add a revocation list, click Add Revocation List. To delete a revocation list, select the check box to the left of the list and then click Delete.
Table 168: Add Revocation List

File - Selecting File enables the Distribution File option.
Distribution File - Specify the distribution file (e.g., C:/distribution/crl.verisign.com/Class3InternationalServer.crl) from which to fetch the certificate revocation list.
URL - Selecting URL enables the Distribution URL option.
Distribution URL - Specify the distribution URL (e.g., http://crl.verisign.com/Class3InternationalServer.crl) from which to fetch the certificate revocation list.
Table 169: RADIUS Dictionary Attributes

Export - Click to save the dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.
Enable/Disable - Enable or disable this dictionary. Enabling a dictionary makes it appear in the Policy Manager rules editors (Service rules, Role mapping rules, etc.).

Import RADIUS Dictionary

You can also add dictionaries by importing them.
Posture Dictionaries

To add a new vendor posture dictionary, click on Import Dictionary. To edit an existing dictionary, export the dictionary, edit the exported XML file, and then import the dictionary. To view the contents of the Posture dictionary, sorted by Vendor Name, Vendor ID, Application Name, or Application ID, navigate to Administration > Dictionaries > Posture.

Figure: Posture

Table 171: Posture

Import Dictionary - Click to open the Import Dictionary popup.
Figure 282 TACACS+ Services

Table 173: TACACS+ Services Dictionary

Import Dictionary - Click to open the Import Dictionary popup. Import the dictionary (XML file).
Export Dictionary - Export all TACACS+ services into one XML file containing multiple dictionaries. To export a specific service dictionary, select a service and click on Export. To see all the attributes and their data types, click on a service row.
Figure 284 Device Fingerprints

You can click on a line in the Device Fingerprints list to drill down and view additional details about the category.

Figure 285 Device Fingerprints

Attributes

The Administration > Dictionaries > Attributes page allows you to specify unique sets of criteria for LocalUsers, GuestUsers, Endpoints, and Devices. This information can then be used with role-based device policies for enabling appropriate network access.
Figure 286 Attributes page

Table 174: Attribute settings

Filter - Use the drop down menu to create a search based on the available Name, Entity, Data Type, Is Mandatory, or Allow Multiple settings.
Name - The name of the attribute.
Entity - Shows whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
Data Type - Shows whether the data type is string, integer, boolean, list, text, date, MAC address, or IPv4 address.
Enter information in the fields described in the following table. Click Add when you are done. To modify attributes in an existing service dictionary, select the attribute, make any necessary changes, and then click Save.

Table 175: Add Attribute settings

Entity - Specify whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
Name - Enter a unique ID for this attribute.
To export just one attribute, select it (check box at left) and click Export. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the export.

Application Dictionaries

Application dictionaries define the attributes of the Onboard and WorkSpace Policy Manager applications and the type of each attribute.
Use this page to configure the agent deployment packages. Once the configuration is saved, agent deployment packages are created for Windows and Mac OS X operating systems and placed at a fixed URL on the Policy Manager appliance. This URL can then be published to the user community. The agent deployment packages can also be downloaded to another location.

Figure 289 OnGuard Settings

Table 177: OnGuard Settings

Global Agent Settings - Configure global parameters for OnGuard agents.
Mode - Select one of:
- Authenticate - no health checks.
- Check health - no authentication. OnGuard does not collect username/password.
- Authenticate with health checks. OnGuard collects username/password and also performs health checks on the endpoint.
Username/Password text - The label for the username/password field on the OnGuard agent. This setting is not valid for the "Check health - no authentication" mode.
Figure 291 OnGuard Portal parameters

Global Portal Settings

Name - Name is 'default'.
Portal URL - This is the URL that presents the OnGuard portal page. (Note that this is automatically generated by Policy Manager.)
Select Mode - Attribute names and value configuration for the portal. UsernameFormat: Format of the username sent in authentication requests. This can be used in service rules (Authentication:Full-Username attribute) to write different service rules for different portals.
Resource Files - Click on the Upload link to upload a zipped archive of resource files consisting of images, style sheets, scripts, etc. These are hosted on the Policy Manager appliance and can be referenced by prefixing _eTIPS_GUEST_PORTAL_RESOURCE_ to the path component. For example, if there is a file named logo.jpg in the zipped archive, refer to this resource as "_eTIPS_GUEST_PORTAL_RESOURCE_/logo.jpg" on the OnGuard portal page.
Update Portal

Navigate to Administration > Agents and Software Updates > Software Updates. Use the Software Updates page to register for and to receive live updates for:
- Posture updates, including Antivirus, Antispyware, and Windows Updates
- Profile data updates, including Fingerprint
- Software upgrades for the ClearPass family of products
- Patch binaries, including Onboard, Guest Plugins and Skins
Updates are stored on ClearPass's webservice server.
Import Updates - Use Import Updates to import (upload) the Posture and Profile Data into this server, if this server is not able to reach the webservice server. The data can be downloaded from the webservice server by accessing the URL https://clearpass.arubanetworks.com/cppm/appupdate/cppm_apps_updates.zip. When prompted, enter the provided Subscription ID for the username and the password for authentication. NOTE: This button is enabled only on the publisher node.
Figure 294 Install Update

Table 179: Install Update dialog box buttons and descriptions

Close - Click on this button to close the dialog box.
Clear & Close - Click on this button to delete the log messages and close the popup. This will also remove the corresponding row from the Firmware & Patch Updates table.
Reboot - This button appears only for the updates requiring a reboot to complete the installation. Click on this button to initiate a reboot of the server.
MySQL is supported in versions 6.0 and newer. Aruba does not ship MySQL drivers by default. If you require MySQL, contact Aruba support to get the required patch. This patch does not persist across upgrades, so customers using MySQL should contact support before they upgrade.

Upgrade the Image on a Single Policy Manager Appliance

Perform these steps to upgrade the image on a single Policy Manager appliance:
1.
Appendix A Command Line Configuration

The Policy Manager command line provides commands of the following types:
- "Cluster Commands" on page 294
- "Configure Commands" on page 297
- "Network Commands" on page 299
- "Service commands" on page 301
- "Show Commands" on page 302
- "System commands" on page 305
- "Miscellaneous Commands" on page 308

Available Commands

Table 180: Command Categories

ad auth - See "Miscellaneous Commands" on page 308
ad netleave - See "Miscellaneous Commands" on
configure date
configure dns
configure hostname
configure ip
configure timezone
dump certchain - See "Miscellaneous Commands" on page 308
dump logs - See "Miscellaneous Commands" on page 308
dump servercert - See "Miscellaneous Commands" on page 308
exit - See "Miscellaneous Commands" on page 308
help - See "Miscellaneous Commands" on page 308
krb auth - See "Miscellaneous Commands" on page 308
krb list - See "Miscellaneous Commands" on page 308
ldapsearch - See "Miscellaneous Commands" on page 308
network ip
netw
service restart
service start
service status
service stop
show date
show dns
show domain
show all-timezones
show hostname
show ip
show license
show timezone
show version
system boot-image
system gen-support-key
system update
system restart
system shutdown
system install-license
system upgrade

Cluster Commands

The Policy Manager command line interface includes the following cluster commands:
- "drop-subscriber" on page 295
- "list" on page 295
- "make-publisher" on page 295
- "make-subscriber"
drop-subscriber

Removes the specified subscriber node from the cluster.

Syntax
cluster drop-subscriber [-f] [-i <management IP address>] -s

Where:

Table 181: Drop-Subscriber Commands

-f - Force drop, even for down nodes.
-i - Management IP address of the node. If not specified and the current node is a subscriber, Policy Manager drops the current node.
-s - Do not reset the database on the dropped node.
make-subscriber

Makes this node a subscriber to the specified publisher node.

Syntax
cluster make-subscriber -i <publisher IP address> [-l]

Where:

Table 182: Make-Subscriber Commands

-i - Required. Publisher IP address.
-l - Optional. Restore the local log database after this operation.

Example
[appadmin]# cluster make-subscriber -i 192.168.1.1 -p !alore -l

reset-database

Resets the local database and erases its configuration.
set-local-passwd Changes the local password. Executed locally; prompts for the new local password.
Example 2
Synchronize with a specified NTP server:
[appadmin]# -s

dns

Configures DNS servers. At least one DNS server must be specified; a maximum of three DNS servers can be specified.

Syntax
configure dns <primary> [secondary] [tertiary]

Example 1
[appadmin]# configure dns 192.168.1.1

Example 2
[appadmin]# configure dns 192.168.1.1 192.168.1.2

Example 3
[appadmin]# configure dns 192.168.1.1 192.168.1.2 192.168.1.3

hostname

Configures the hostname.
timezone

Configures the time zone interactively.

Syntax
configure timezone

Example
[appadmin]# configure timezone
configure timezone
*********************************************************
* WARNING: When the command is completed Policy Manager services *
* are restarted to reflect the changes.
Table 186: Network IP Delete Commands

-i - Id of the rule to delete.

Syntax
network ip list
List all routing rules.

Syntax
network ip reset
Reset the routing table to the factory default setting. All custom routes are removed.

Example 1
[appadmin]# network ip add data -s 192.168.5.0/24

Example 2
[appadmin]# network ip add data -s 192.168.5.12

Example 3
[appadmin]# network ip list

nslookup

Returns the IP address of a host using DNS.
Table 188: Ping Commands

-i - Optional. Originating IP address for ping.
-t - Optional. Ping indefinitely.
<host> - Host to be pinged.

Example
[appadmin]# network ping -i 192.168.5.10 -t sun.us.arubanetworks.com

reset

Resets a network data port.

Syntax
network reset <port>

Where:

Table 189: Reset Commands

<port> - Required. Name of the network port to reset.
- start
- stop
- status
- restart
- activate
- deactivate
- list

The commands in this section have identical syntax; therefore, this section presents them as variations on <action>. For example, activate activates the specified Policy Manager service.

Syntax
service <action>

Where:

Table 191: Action Commands

action - Choose an action: activate, deactivate, list, restart, start, status, or stop.
- "dns" on page 303
- "domain" on page 303
- "hostname" on page 304
- "ip" on page 304
- "license" on page 304
- "timezone" on page 305
- "version" on page 305

all-timezones

Interactively displays all available timezones.

Syntax
show all-timezones

Example
[appadmin]# show all-timezones
Africa/Abidjan
Africa/Accra
.....
WET
Zulu

date

Displays system date, time, and time zone information.

Syntax
show date

Example
[appadmin]# show date
Wed Oct 31 14:33:39 UTC 2012

dns

Displays DNS servers.
Syntax
show domain

Example
[appadmin]# show domain

hostname

Displays the hostname.

Syntax
show hostname

Example
[appadmin]# show hostname
show hostname
wolf

ip

Displays IP and DNS information for the host.

Syntax
show ip

Example
[appadmin]# show ip
show ip
===========================================
Device Type : Management Port
------------------------------------------
IP Address : 192.168.5.227
Subnet Mask : 255.255.255.0
Gateway : 192.168.5.
timezone

Displays the current system timezone.

Syntax
show timezone

Example
[appadmin]# show timezone
show timezone

version

Displays the Policy Manager software version and hardware model.

Syntax
show version

Example
[appadmin]# show version
=======================================
Policy Manager software version : 2.0(1).
Example
  [appadmin]# system boot-image

gen-support-key
Generates the support key for the system. Treat the generated key as sensitive and pass it only to your technical support contact.

Syntax
  system gen-support-key

Example
  [appadmin]# system gen-support-key
  Support key='01U2FsdGVkX1+/WS9jZKQajERyzXhM8mF6zAKrzxrHvaM='

install-license
Replaces the current license key with a new one.

Syntax
  system install-license (followed by the license key)

Table 193: Install-License Commands

  Argument  Mandatory. The newly issued license key.
Example
  [appadmin]# system shutdown
  ********************************************************
  * WARNING: This command will shutdown all applications *
  * and power off the system                             *
  ********************************************************
  Are you sure you want to continue? [y|Y]: y

update
Manages updates.
Miscellaneous Commands

The Policy Manager command line interface includes the following miscellaneous commands:
- "ad auth" on page 308
- "ad netjoin" on page 308
- "ad netleave" on page 309
- "ad testjoin" on page 309
- "alias" on page 309
- "backup" on page 310
- "dump certchain" on page 310
- "dump logs" on page 310
- "dump servercert" on page 311
- "exit" on page 311
- "help" on page 311
- "krb auth" on page 312
- "krb list" on page 312
- "ldapsearch" on page 312
- "quit" on
Table 197: Ad Netjoin Commands

  Argument               Required. Host to be joined to the domain.
  [domain NETBIOS name]  Optional.

Example
  [appadmin]# ad netjoin atlas.us.arubanetworks.com

ad netleave
Removes the host from the domain.

Syntax
  ad netleave

Example
  [appadmin]# ad netleave

ad testjoin
Tests whether the netjoin command succeeded, that is, whether Policy Manager is a member of the AD domain.
backup
Creates a backup of Policy Manager configuration data. If no arguments are entered, the system auto-generates a filename and backs up the configuration to that file.

Syntax
  backup [-f ] [-L] [-P]

Table 199: Backup Commands

  -f  Optional. Backup target. If not specified, Policy Manager auto-generates a filename.
  -L  Optional. Do not back up the log database configuration
  -P  Optional.
Table 201: Dump Logs Commands

  -f             Specifies the target for the concatenated logs.
  -s yyyy-mm-dd  Optional. Date range start (default is today).
  -e yyyy-mm-dd  Optional. Date range end (default is today).
  -n             Optional. Duration in days (from today).
  -t             Optional. Type of log to collect.
  -h             Print help, including the available log types.

Example 1
  [appadmin]# dump logs -f tips-system-logs.
Example
  [appadmin]# help
  alias      Create aliases
  backup     Backup Policy Manager data
  cluster    Policy Manager cluster related commands
  configure  Configure the system parameters
  dump       Dump Policy Manager information
  exit       Exit the shell
  help       Display the list of supported commands
  netjoin    Join host to the domain
  netleave   Remove host from the domain
  network    Network troubleshooting commands
  quit       Exit the shell
  restore    Restore Policy Manager database
  service    Control Policy Manager services
  show       Show configur
  system
Table 204: LDAP Search Commands

  Argument  Specifies the username and the fully qualified domain name of the host.
  -B        Finds the bind DN of the LDAP directory.

Example
  [appadmin]# ldapsearch -B admin@corp-ad.acme.
Appendix B Rules Editing and Namespaces

In the Policy Manager administration User Interface (UI) you use the same editing interface to create different types of objects:
- Service rules
- Role mapping policies
- Internal user policies
- Enforcement policies
- Enforcement profiles
- Post-audit rules
- Proxy attribute pruning rules
- Filters for Access Tracker and activity reports
- Attributes editing for policy simulation

When editing all these elements, you are presented with a tabular in
associated RFCs. Policy Manager comes pre-packaged with a number of vendor dictionaries. Some examples of dictionaries in the RADIUS namespace are: RADIUS:IETF, RADIUS:Cisco, RADIUS:Juniper.
- RSAToken Instance Namespace - For each instance of an RSA Token Server authentication source, there is an RSA Token Server instance namespace that appears in the rules editing interface. The RSA Token Server instance namespace consists of the attribute names that you defined when you created an instance of this authentication source. The attribute names are pre-populated for administrative convenience.
  - Service rules
  - Role mapping policies
- Authentication Namespace - The authentication namespace can be used in role mapping policies to define roles based on which authentication method was used or on the status of the authentication.
Attribute Name  Values
MacAuth         NotApplicable - Not a MAC Auth request
                Known Client - Client MAC address was found in an authentication source
                Unknown Client - Client MAC address was not found in an authentication source
Username        The username as received from the client (after the strip user name rules are applied)
FullUsername    The username as received from the client (before the strip user name rules are applied)
Source          The name of the authentication source used to authenticate the user
Authen
Tips namespace appears in the following editing contexts:
  - Enforcement policies
- Host Namespace - The Host namespace has a number of pre-defined attributes: Name, OSType, FQDN, UserAgent, CheckType, UniqueID, AgentType and InstalledSHAs. Host:Name, Host:OSType, Host:FQDN, Host:AgentType and Host:InstalledSHAs are populated only when the request originates from a Microsoft NAP-compatible agent. UserAgent and CheckType are present when Policy Manager acts as a Web authentication portal.
Attribute Name  Values
OS-Info         OS information string returned by NMAP
Open-Ports      The port numbers of open applications on the host

- Tacacs Namespace - The Tacacs namespace has the attributes available in a TACACS+ request: AvendaAVPair, UserName and AuthSource.
- Application Namespace - The Application namespace has a Name attribute. This attribute is an enumerated type that currently contains the string values Guest and Insight.
Table 211: Attribute Operators

Attribute Type  Operators
String          EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, BEGINS_WITH, NOT_BEGINS_WITH, ENDS_WITH, NOT_ENDS_WITH, BELONGS_TO, NOT_BELONGS_TO, EQUALS_IGNORE_CASE, NOT_EQUALS_IGNORE_CASE, MATCHES_REGEX, NOT_MATCHES_REGEX, EXISTS, NOT_EXISTS
Integer         EQUALS, NOT_EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS, EXISTS, NOT_EXISTS, BELONGS_TO, NOT_BELONGS_TO
Time or Date    EQUALS, NOT_EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUAL
Operator    Description
BELONGS_TO  For the string data type, true if the run-time value of the attribute matches one of a set of configured string values. E.g., RADIUS:IETF:Service-Type BELONGS_TO Login-User,Framed-User,Authenticate-Only
            For the integer data type, true if the run-time value of the attribute matches one of a set of configured integer values. E.g., RADIUS:IETF:NAS-Port BELONGS_TO 1,2,3
            For the day data type, true if the run-time value of the attribute matches one of a set of configured days of the week. E.g.
Operator       Description
MATCHES_ALL    For list data types, true if every configured value is found among the run-time values of the attribute; additional run-time values are tolerated. E.g., Tips:Role MATCHES_ALL HR,ENG,FINANCE. In this example, if the run-time values of Tips:Role are HR,ENG,FINANCE,MGR,ACCT the condition evaluates to true.
MATCHES_EXACT  For list data types, true if the run-time values of the attribute are exactly the configured values, no more and no fewer. E.g., Tips:Role MATCHES_EXACT HR,ENG,FINANCE. With the run-time values HR,ENG,FINANCE,MGR,ACCT this condition evaluates to false, because MGR and ACCT are not among the configured values.
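The following is an added example, not code from the manual or from Policy Manager itself, that implements the operator semantics described in Table 211 and the BELONGS_TO, MATCHES_ALL and MATCHES_EXACT descriptions above, then applies a few role-mapping rules with the "Select all matches" evaluation algorithm. Two behaviours are assumptions rather than statements from the manual and are marked as such in the code: an absent attribute satisfies only NOT_EXISTS, and MATCHES_REGEX is an unanchored search. The sample request and rule names are constructed for the example.

```python
import re


def _items(value):
    """Split a configured value or run-time list into stripped items."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return [str(x).strip() for x in value]
    return [x.strip() for x in str(value).split(",") if x.strip()]


def _num(value):
    return int(str(value).strip())


def evaluate(attr_value, operator, configured=None):
    """True if the run-time attribute value satisfies `operator configured`.

    attr_value is the run-time value (None when the attribute is absent from
    the request); configured is the value typed into the rule, a comma list
    for BELONGS_TO and the MATCHES_* operators.
    """
    op = operator.upper()
    if op == "EXISTS":
        return attr_value is not None
    if op == "NOT_EXISTS":
        return attr_value is None
    if attr_value is None:
        # Assumption: an absent attribute satisfies no other comparison,
        # negated or not; only NOT_EXISTS matches it.
        return False
    if op.startswith("NOT_"):
        return not evaluate(attr_value, op[4:], configured)

    # List operators: MATCHES_ALL is a subset test (extra run-time values are
    # tolerated); MATCHES_EXACT demands the same set of values.
    if op == "MATCHES_ALL":
        return set(_items(configured)) <= set(_items(attr_value))
    if op == "MATCHES_EXACT":
        return set(_items(configured)) == set(_items(attr_value))

    # BELONGS_TO: membership in the configured set, numeric for integers.
    if op == "BELONGS_TO":
        if isinstance(attr_value, int):
            return attr_value in {_num(x) for x in _items(configured)}
        return str(attr_value) in set(_items(configured))

    # Integer comparisons.
    if op in ("GREATER_THAN", "GREATER_THAN_OR_EQUALS", "LESS_THAN", "LESS_THAN_OR_EQUALS"):
        a, b = _num(attr_value), _num(configured)
        return {"GREATER_THAN": a > b, "GREATER_THAN_OR_EQUALS": a >= b,
                "LESS_THAN": a < b, "LESS_THAN_OR_EQUALS": a <= b}[op]
    if op == "EQUALS" and isinstance(attr_value, int):
        return attr_value == _num(configured)

    # String comparisons.
    s, c = str(attr_value), "" if configured is None else str(configured)
    if op == "EQUALS":
        return s == c
    if op == "EQUALS_IGNORE_CASE":
        return s.lower() == c.lower()
    if op == "CONTAINS":
        return c in s
    if op == "BEGINS_WITH":
        return s.startswith(c)
    if op == "ENDS_WITH":
        return s.endswith(c)
    if op == "MATCHES_REGEX":
        # Assumption: an unanchored search, so a pattern meant to match the
        # whole value must carry its own ^ and $ anchors.
        return re.search(c, s) is not None
    raise ValueError("unsupported operator: " + operator)


def map_roles(request, rules, select_all_matches=True):
    """Apply role-mapping rules to a request.

    request maps 'Namespace:Attribute' names to run-time values; each rule is
    (conditions, role) where every (attribute, operator, configured) condition
    must hold (assumption: conditions within one rule are ANDed).  With
    select_all_matches every matching rule contributes its role ("Select all
    matches"); otherwise the first matching rule wins.
    """
    roles = []
    for conditions, role in rules:
        if all(evaluate(request.get(attr), op, cfg) for attr, op, cfg in conditions):
            roles.append(role)
            if not select_all_matches:
                break
    return roles


# Constructed sample request and rules (not from the manual).
SAMPLE_REQUEST = {
    "RADIUS:IETF:Service-Type": "Framed-User",
    "RADIUS:IETF:NAS-Port": 2,
    "Authentication:MacAuth": "NotApplicable",
    "Authentication:Username": "jdoe",
    "Tips:Role": ["HR", "ENG", "FINANCE", "MGR", "ACCT"],
}
SAMPLE_RULES = [
    ([("RADIUS:IETF:Service-Type", "BELONGS_TO", "Login-User,Framed-User,Authenticate-Only"),
      ("RADIUS:IETF:NAS-Port", "BELONGS_TO", "1,2,3")], "Wired-Ports-1-3"),
    ([("Authentication:MacAuth", "EQUALS", "Known Client")], "Registered-Device"),
    ([("Tips:Role", "MATCHES_ALL", "HR,ENG,FINANCE")], "Multi-Dept"),
    ([("Tips:Role", "MATCHES_EXACT", "HR,ENG,FINANCE")], "Exactly-Three-Depts"),
    ([("Authentication:Username", "MATCHES_REGEX", "^j")], "J-Users"),
]

if __name__ == "__main__":
    print(map_roles(SAMPLE_REQUEST, SAMPLE_RULES))
```

The MATCHES_REGEX branch is where rules most often go wrong in practice: a pattern such as `admin` also matches `notadmin`, so anchor patterns that are meant to identify a whole username or group value.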
Appendix C Error Codes, SNMP Traps, and System Events

This appendix contains listings of Dell Networking W-ClearPass Policy Manager error codes, SNMP traps, and system events.
- Error Codes
- SNMP Trap Details
- Important System Events

Error Codes

The following table shows the CPPM error codes.
Code  Description                                    Type
213   Certificate comparison failed                  Authentication failure
214   No certificate in authentication source        Authentication failure
215   TLS session error                              Authentication failure
216   User authentication failed                     Authentication failure
217   Search failed due to insufficient permissions  Authentication failure
218   Authentication source timed out                Authentication failure
219   Bad search filter                              Authentication failure
220   Search failed                                  Authentication failure
221   Authenticati
Code  Description                                                        Type
6102  Authentication privilege level mismatch                            TACACS Authentication
6103  No enforcement profiles matched to perform authentication          TACACS Authentication
6201  Authorization failed as session is not authenticated               TACACS Authorization
6202  Authorization privilege level mismatch                             TACACS Authorization
6203  Command not allowed                                                TACACS Authorization
6204  No enforcement profiles matched to perform command authorization   TACACS Authorization
6301  New password entered does not
SNMP Trap Details

CPPM leverages native SNMP support from the 'net-SNMP' package to send trap notifications for the following events:

1. SNMP daemon trap events
   Trap OIDs: .1.3.6.1.6.3.1.1.5.1 [coldStart]
              .1.3.6.1.6.3.1.1.5.2 [warmStart]
2. CPPM process stop and start events
   Trap OIDs: .1.3.6.1.2.1.88.2.0.2 [mteTriggerRising]
              .1.3.6.1.2.1.88.2.0.3 [mteTriggerFalling]
3. Network interface up and down events
   Trap OIDs: .1.3.6.1.6.3.1.1.5.3 [linkDown]
              .1.3.6.1.6.3.1.1.5.4 [linkUp]
4. Disk utilization threshold exceed events
   Trap OIDs: .1.3.6.1.2.1.
  .1.3.6.1.4.1.2021.2.1.101.1: No policy_server process running.

Example 2

The following example shows the trap OIDs and the values set when the Policy Server process is running:
  .1.3.6.1.4.1.2021.2.1.100.1: INTEGER: 0
  .1.3.6.1.4.1.2021.2.1.2.1:   policy_server
  .1.3.6.1.4.1.2021.2.1.101.1:

CPPM Processes and OIDs

The following is a list of monitored CPPM processes and the corresponding OIDs associated with these processes:
  .1.3.6.1.4.1.2021.2.1.2.1: policy_server ==> Policy Server Module
  .1.3.
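As an added example (not code from the manual or from Policy Manager), the decoder below turns the varbinds of a process trap like Examples 1 and 2 above into a per-process status, so a trap receiver can alert when policy_server or another monitored module stops. It assumes the three OID columns shown above are the UCD-SNMP-MIB prTable columns prNames (.2), prErrorFlag (.100) and prErrMessage (.101), and that a mteTriggerRising notification accompanies the error flag going to 1 (process stopped) while mteTriggerFalling accompanies it returning to 0; the varbind lists themselves are constructed for the example.

```python
# UCD-SNMP-MIB prTable columns carried in the process traps: prNames (.2),
# prErrorFlag (.100) and prErrMessage (.101), each indexed by the row number.
PR_TABLE = ".1.3.6.1.4.1.2021.2.1"
PR_NAMES = PR_TABLE + ".2."
PR_ERROR_FLAG = PR_TABLE + ".100."
PR_ERR_MESSAGE = PR_TABLE + ".101."

# snmpTrapOID.0 and the DISMAN-EVENT-MIB trigger notifications listed under
# "CPPM process stop and start events".  Assumption: rising == process
# stopped (error flag went to 1), falling == process back (flag went to 0).
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"
MTE_TRIGGER_RISING = ".1.3.6.1.2.1.88.2.0.2"
MTE_TRIGGER_FALLING = ".1.3.6.1.2.1.88.2.0.3"
TRAP_NAMES = {MTE_TRIGGER_RISING: "rising", MTE_TRIGGER_FALLING: "falling"}


def decode_process_trap(varbinds):
    """Turn a list of (oid, value) varbinds into per-process status rows.

    Returns {'trap': 'rising'|'falling'|<raw oid>|None,
             'processes': {row_index: {'process', 'error', 'message'}}}.
    """
    rows = {}
    result = {"trap": None, "processes": rows}
    for oid, value in varbinds:
        oid = oid.strip()
        if oid == SNMP_TRAP_OID:
            trap = str(value).strip()
            result["trap"] = TRAP_NAMES.get(trap, trap)
            continue
        for base, field in ((PR_NAMES, "process"),
                            (PR_ERROR_FLAG, "error"),
                            (PR_ERR_MESSAGE, "message")):
            index = oid[len(base):]
            if oid.startswith(base) and index.isdigit():
                row = rows.setdefault(int(index),
                                      {"process": None, "error": False, "message": ""})
                if field == "error":
                    row["error"] = int(value) != 0
                else:
                    row[field] = str(value).strip()
    return result


def stopped_processes(varbinds):
    """Names of the processes whose error flag is set in this trap."""
    decoded = decode_process_trap(varbinds)
    return sorted(row["process"] or "row%d" % idx
                  for idx, row in decoded["processes"].items() if row["error"])


# Constructed varbind lists modelled on Example 1 and Example 2 above.
TRAP_POLICY_SERVER_DOWN = [
    (SNMP_TRAP_OID, MTE_TRIGGER_RISING),
    (".1.3.6.1.4.1.2021.2.1.100.1", "1"),
    (".1.3.6.1.4.1.2021.2.1.2.1", "policy_server"),
    (".1.3.6.1.4.1.2021.2.1.101.1", "No policy_server process running."),
]
TRAP_POLICY_SERVER_UP = [
    (SNMP_TRAP_OID, MTE_TRIGGER_FALLING),
    (".1.3.6.1.4.1.2021.2.1.100.1", "0"),
    (".1.3.6.1.4.1.2021.2.1.2.1", "policy_server"),
    (".1.3.6.1.4.1.2021.2.1.101.1", ""),
]

if __name__ == "__main__":
    print(stopped_processes(TRAP_POLICY_SERVER_DOWN))  # ['policy_server']
    print(stopped_processes(TRAP_POLICY_SERVER_UP))    # []
```

Key the alert on the decoded error flag rather than on the trap type alone: a receiver that only counts mteTriggerRising notifications cannot tell which module stopped, and a stopped Policy Server means every authentication request fails until it is restarted.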
Important System Events This topic describes the important System Events logged by ClearPass. These messages are available for consumption on the administrative interface, and in the form of a syslog stream. The events below are in the following format
ClearPass/Domain Controller Events

Critical Events
  "netleave", "ERROR", "Failed to remove from the domain "
  "netjoin", "WARN", "configuration", " failed to join the domain with domain controller as "
Info Events
  "Netjoin", "INFO", " joined the domain "
  "Netjoin", "INFO", " removed from the domain "

ClearPass System Configuration Events

Critical Events
  "DNS", "ERROR", "Failed configure DNS servers = <
  "ClearPass Updater", "INFO", "Updated Hotfixes from ClearPass Portal (Online)"

Cluster Events

Critical Events
  "Cluster", "ERROR", "SetupSubscriber", "Failed to add subscriber node with management IP="
Info Events
  "AddNode", "INFO", "Added subscriber node with management IP="
  "DropNode", "INFO", "Dropping node with management IP=, hostname="

Command Line Events

Info Events
  "Command Line", "INFO", "User:appadmin"

DB Replication Services Events

Info Events
  "DB replication service", "I
  "RADIUS", "ERROR", "Received Accounting-Response packet from client port 1813 with invalid signature (err=2)! (Shared secret is incorrect.)"
  "RADIUS", "ERROR", "Received Access-Accept packet from client port 1812 with invalid signature (err=2)! (Shared secret is incorrect."

Both messages mean that the packet's RADIUS authenticator did not verify under the shared secret configured for that client; check that the secret on the Network Access Device matches the one in its Network Device entry in Policy Manager before treating the packets as spoofed.
  "System monitor service", "INFO", "Performed action start on System monitor service"
  "Shutdown", "INFO", system, "System is shutting down" Success

Service Names
- AirGroup notification service
- Async DB write service
- Async network services
- DB change notification server
- DB replication service
- Micros Fidelio FIAS
- Multi-master cache
- Policy server
- RADIUS server
- System auxiliary services
- System monitor service
- TACACS server
- Virtual IP service
- [YOURSERVERNAM
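The events above are emitted as a syslog stream, so the natural consumer is a small detector. The following is an added example, not code from the manual or from Policy Manager, that parses the quoted-field event format shown above and raises alerts for the cases a security operator cares about: repeated RADIUS invalid-signature errors from one client (a shared-secret mismatch or a device that should not be sending RADIUS to CPPM), netjoin/netleave failures, and subscriber setup failures. The syslog headers, hostnames and client addresses in the sample lines are constructed, and the detector assumes the RADIUS messages carry the client as "from client <address> port <n>".

```python
import re
from collections import Counter

# Each event's payload is a list of double-quoted fields: component, level,
# optional extra fields, and the message last.
QUOTED = re.compile(r'"([^"]*)"')
# Assumption: RADIUS messages name the sender as 'from client <addr> port <n>'.
CLIENT = re.compile(r"from client (\S+) port (\d+)")


def parse_event(line):
    """Return {'component','level','extra','message'} or None for non-event lines."""
    fields = QUOTED.findall(line)
    if len(fields) < 3:
        return None
    return {"component": fields[0], "level": fields[1].upper(),
            "extra": fields[2:-1], "message": fields[-1]}


def detect(lines, bad_secret_threshold=3):
    """Raise alerts from a batch of event lines.

    - radius_shared_secret: a client sent >= threshold packets whose RADIUS
      authenticator failed verification (shared secret mismatch)
    - domain_membership: netjoin/netleave errors, which break AD-backed auth
    - cluster: a subscriber node could not be added
    """
    bad_secret = Counter()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        comp, level, msg = ev["component"].lower(), ev["level"], ev["message"]
        if comp == "radius" and "invalid signature" in msg:
            m = CLIENT.search(msg)
            bad_secret[m.group(1) if m else "unknown"] += 1
        elif comp in ("netjoin", "netleave") and level in ("ERROR", "WARN"):
            alerts.append(("domain_membership", comp, msg))
        elif comp == "cluster" and level == "ERROR":
            alerts.append(("cluster", ev["extra"][0] if ev["extra"] else comp, msg))
    for client, n in sorted(bad_secret.items()):
        if n >= bad_secret_threshold:
            alerts.append(("radius_shared_secret", client,
                           "%d packets with invalid signature" % n))
    return alerts


# Constructed sample stream (syslog headers, names and addresses are made up).
SAMPLE_EVENTS = [
    'Oct 31 14:33:39 cppm1 "RADIUS", "ERROR", "Received Access-Accept packet from client 192.0.2.10 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)"',
    'Oct 31 14:33:40 cppm1 "RADIUS", "ERROR", "Received Accounting-Response packet from client 192.0.2.10 port 1813 with invalid signature (err=2)! (Shared secret is incorrect.)"',
    'Oct 31 14:33:41 cppm1 "RADIUS", "ERROR", "Received Access-Accept packet from client 192.0.2.10 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)"',
    'Oct 31 14:33:42 cppm1 "RADIUS", "ERROR", "Received Access-Accept packet from client 192.0.2.11 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)"',
    'Oct 31 14:35:00 cppm1 "netjoin", "WARN", "configuration", "cppm1 failed to join the domain with domain controller dc1.corp.example as CPPM1"',
    'Oct 31 14:36:00 cppm1 "Netjoin", "INFO", "cppm1 joined the domain CORP"',
    'Oct 31 14:37:00 cppm1 "Cluster", "ERROR", "SetupSubscriber", "Failed to add subscriber node with management IP=198.51.100.5"',
    'Oct 31 14:38:00 cppm1 "Command Line", "INFO", "User:appadmin"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The threshold keeps a single typo in a freshly added Network Device entry from paging anyone, while a sustained stream from one address is surfaced; the single bad packet from 192.0.2.11 in the sample is counted but not alerted on.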
Appendix D Use Cases

This appendix contains several specific Dell Networking W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case.
- 802.1X Wireless Use Case
- Dell Web Based Authentication Use Case
- MAC Authentication Use Case
- TACACS+ Use Case
- Single Port Use Case
802.1X Wireless Use Case

The basic Policy Manager use case configures a Policy Manager Service to identify and evaluate an 802.1X request from a user logging into a Wireless Access Device. The following image illustrates the flow of control for this Service.

Figure 295 Flow of Control, Basic 802.1X Configuration Use Case

Configuring the Service

Follow the steps below to configure this basic 802.1X service:
1.
Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): 802.1X Wireless >
- Name/Description (freeform) >
- Upon completion, click Next (to Authentication)

The following fields deserve special mention:
- Monitor Mode: Optionally, check here to allow handshakes to occur (for monitoring purposes), but without enforcement.
Table 214: Configure Authentication Navigation and Settings

Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager):
- Authentication (tab) >
- Methods (select a method from the drop-down list) >
- Add >
- Sources (select from the drop-down list):
    [Local User Repository]       [Local SQL DB]
    [Guest User Repository]       [Local SQL DB]
    [Guest Device Repository]     [Local SQL DB]
    [Endpoints Repository]        [Local SQL DB]
    [Onboard Devices Repository]  [Local
Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles acceptable) to the request for use by the Enforcement Policy. In the event of role-mapping failure, Policy Manager assigns a default role.
Create rules to map client identity to a Role:
- Mapping Rules (tab) >
- Rules Evaluation Algorithm (radio button): Select all matches >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions to Actions (drop-down list) >
- Upon completion of each rule, click the Save button (in the Rules Editor) >
- When you are finished working in the Mapping Rules tab, click the Save button (in the Mapping Rules tab)

Add the new Ro
Table 217: Posture Navigation and Settings

Add a new Posture Server:
- Posture (tab) >
- Add new Posture Server (button) >
Configure Posture settings:
- Posture Server (tab) >
- Name (freeform): PS_NPS
- Server Type (radio button): Microsoft NPS
- Default Posture Token (selector): UNKNOWN
- Next (to Primary Server)
Configure connection settings:
- Primary/Backup Server (tabs): Enter connection information for the RADIUS posture server.
Table 218: Enforcement Policy Navigation and Settings

Configure the Enforcement Policy:
- Enforcement (tab) >
- Enforcement Policy (selector): Role_Based_Allow_Access_Policy

For instructions about how to build such an Enforcement Policy, refer to "Configuring Enforcement Policies" on page 204.

7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Dell Web Based Authentication Use Case This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service. Figure 296 Flow-of-Control of Web-Based Authentication for Guests Configuring the Service Perform the following steps to configure Policy Manager for WebAuth-based Guest access. 1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service.
Table 219: Service Navigation and Settings

Create a new Service:
- Services >
- Add Service >
Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): Dell Web-Based Authentication >
- Name/Description (freeform) >
- Upon completion, click Next.

3. Set up the Authentication.
   a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
   b.
Table 220: Local Policy Manager Database Navigation and Settings

Select the local Policy Manager database:
- Authentication (tab) >
- Sources (select from the drop-down list): [Local User Repository] >
- Add >
- Strip Username Rules (check box) >
- Enter an example of the preceding or following separators (if any), with the word "user" standing for the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
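To make the strip-rule format concrete, here is an added example (not code from the manual or from Policy Manager) that reads rules written the way the table describes, with "user" standing in for the username, and applies them to the identity a client sent. It also produces the two Authentication-namespace attributes from Appendix B, Username (after stripping) and FullUsername (before). The interpretation of an example string is an assumption: the last character before "user" is taken as the preceding separator and the first character after it as the following separator.

```python
def parse_strip_rule(rule):
    """Split a rule such as 'user@', '\\user' or 'host/user@' into the example
    text before and after the literal word 'user'."""
    idx = rule.find("user")
    if idx < 0:
        raise ValueError("a strip rule must contain the word 'user': %r" % rule)
    return rule[:idx], rule[idx + len("user"):]


def strip_username(full_username, rules):
    """Return the local username after applying the rules in order.

    Assumption: the last character of the text before 'user' is the preceding
    separator and the first character of the text after 'user' is the
    following separator.  Everything up to the last preceding separator
    (paths, NetBIOS domain) and everything from the first following separator
    (realm, DNS domain) is discarded; a rule whose separator is absent from
    the name leaves it unchanged.
    """
    name = full_username
    for rule in rules:
        before, after = parse_strip_rule(rule)
        if before:
            sep = before[-1]
            if sep in name:
                name = name.rsplit(sep, 1)[1]
        if after:
            sep = after[0]
            if sep in name:
                name = name.split(sep, 1)[0]
    return name


def authentication_attributes(full_username, rules):
    """The two Authentication-namespace username attributes for a request:
    Username is what is looked up in the source, FullUsername what the client sent."""
    return {"Authentication:Username": strip_username(full_username, rules),
            "Authentication:FullUsername": full_username}


if __name__ == "__main__":
    # Constructed identities, not from the manual.
    for ident in ("CORP\\jdoe", "jdoe@corp.example", "host/jdoe@corp.example", "jdoe"):
        print(authentication_attributes(ident, ["\\user", "user@"]))
```

Stripping collapses "jdoe@corp.example" and "jdoe@partner.example" onto the same local account; where the realm carries meaning for authorization, write the role-mapping condition on Authentication:FullUsername rather than on the stripped value.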
Name the Posture Policy and specify a general class of operating system:
- Policy (tab) >
- Policy Name (freeform): IPP_UNIVERSAL >
- Host Operating System (radio buttons): Windows >
- When finished working in the Policy tab, click Next to open the Posture Plugins tab
Select a Validator:
- Posture Plugins (tab) >
- Enable Windows System Health Validator >
- Configure (button) >
Configure the Validator:
- Windows System Health Validator (popup) >
- Enable all Windows operating systems
Set rules to correlate validation results with posture tokens:
- Rules (tab) >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions (Select Plugin / Select Plugin checks) to Actions (Posture Token) >
- In the Rules Editor, upon completion of each rule, click the Save button >
- When finished working in the Rules tab, click the Next button.
Table 222: Enforcement Policy Navigation and Settings

Add a new Enforcement Policy:
- Enforcement (tab) >
- Enforcement Policy (selector): SNMP_POLICY
- Upon completion, click Save.

6. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
MAC Authentication Use Case This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request.
Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): MAC Authentication >
- Name/Description (freeform) >
- Upon completion, click Next to configure Authentication

2. Set up Authentication. Note that you can select any type of authentication/authorization source for a MAC Authentication service.
Table 225: Audit Server Navigation and Settings

Configure the Audit Server:
- Audit (tab) >
- Audit End Hosts (enable) >
- Audit Server (selector): NMAP
- Trigger Conditions (radio button): For MAC authentication requests
- Reauthenticate client (check box): Enable
- Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request, which foll
TACACS+ Use Case

This Service supports Administrator connections to Network Access Devices via TACACS+. The following image illustrates the overall flow of control for this Policy Manager Service.

Figure 298 Administrator connections to Network Access Devices via TACACS+

Configuring the Service

Perform the following steps to configure Policy Manager for TACACS+-based access:
1. Create a TACACS+ Service.
Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): [Policy Manager Admin Network Login Service] >
- Name/Description (freeform) >
- Upon completion, click Next (to Authentication)

2. Set up the Authentication.
   a. Method: The Policy Manager TACACS+ service authenticates TACACS+ requests internally.
   b. Source: For the purposes of this use case, Network Access Device authentication data is stored in Active Directory.
Single Port Use Case

This Service supports all three types of connections on a single port. The following figure illustrates the overall flow of control for this hybrid service, in which complementary switch and Policy Manager configurations allow all three types of connections on a single port:

Figure 299 Flow of the Multiple Protocol Per Port Case
Appendix E Software Copyright and License Statements This appendix lists the copyright notices for the binary distribution from Aruba Networks. A copy of the source code is available for portions of the software whose copyright statement requires Aruba Networks to publish any modified source code. To cover the costs of duplication and shipping, there is a nominal cost to obtain the source code material. To obtain a copy of the source code, contact info@arubanetworks.com.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code.
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms.
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.
b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12.
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License.
WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity.
3. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and 4.
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3.
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE.
* Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3.
Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions in source form must retain copyright statements and notices, 2.