User Guide Dell Networking W-ClearPass Policy Manager 6.
Copyright Information © 2014 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1 About Dell Networking W-ClearPass Policy Manager

The Dell Networking W-ClearPass Policy Manager platform provides role-based and device-based network access control across wired, wireless, and Virtual Private Network (VPN) networks.
Figure 1: Import from file screen example
2. Click Choose File.
3. Select the file you want to import. The file must be an XML file in the correct format. If you have exported files from several places in Policy Manager, make sure you select the file that matches the page you are importing into. See Dell Networking W-ClearPass Policy Manager Configuration API for more information about the format and contents of the XML files.
4. If the file is password protected, enter the password.
5. Click Import.
Chapter 2 Powering Up and Configuring Policy Manager Hardware This section provides an overview of the server ports. It also provides information on the initial Policy Manager setup using the Command Line Interface (CLI).
Table 2: Required Information
Requirement | Value for Your Installation
- Hostname (Policy Manager server)
- Management Port IP Address
- Management Port Subnet Mask
- Management Port Gateway
- Data Port IP Address (optional)
  NOTE: The Data Port IP Address must not be in the same subnet as the Management Port IP Address.
- Data Port Subnet Mask (optional)
- Data Port Gateway (optional)
- Primary DNS
- Secondary DNS
- NTP Server (optional)

Perform the following steps to set up the Policy Manager appliance:
1.
Enter Management Port Subnet Mask: 255.255.255.0
Enter Management Port Gateway: 192.168.5.1
Enter Data Port IP Address: 192.168.7.55
Enter Data Port Subnet Mask: 255.255.255.0
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 198.168.5.3
Enter Secondary DNS: 192.168.5.1
4. Change your password. The appliance accepts any string of at least six characters; treat that as a floor only, because the same password is used for cluster administration and management of the appliance, so choose a long, unique one.
New Password: ************
Confirm Password: ************
From now on, you must use this password for cluster administration and management of the appliance.
5.
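The subnet rule in Table 2 and the gateway values in the transcript can be checked before they are typed into the setup CLI. The following Python script is an added example and is not part of the guide or the product: it takes the Table 2 answers and reports a Data Port that shares a subnet with the Management Port, a gateway outside its interface's subnet, an interface address that is the network or broadcast address, and a DNS entry that is not an IPv4 address. The Management Port address (192.168.5.10) is an assumption, because the transcript above does not show it; the other values are the ones from the transcript.

```python
"""Sanity-check ClearPass appliance network settings before entering them in the setup CLI.

Added example, not code from the Dell/Aruba guide. It enforces the constraints the guide
states: the Data Port must not share a subnet with the Management Port, and each gateway
must lie inside its own interface's subnet. Sample values follow the guide's transcript;
the Management Port address is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PortConfig:
    """The values the setup CLI prompts for on one appliance interface."""
    name: str
    address: str
    netmask: str
    gateway: Optional[str] = None


def _interface(port: PortConfig) -> Optional[ipaddress.IPv4Interface]:
    """Build an IPv4Interface from dotted address and mask, or None if they are invalid."""
    try:
        return ipaddress.IPv4Interface(f"{port.address}/{port.netmask}")
    except ValueError:
        return None


def check_port(port: PortConfig) -> List[str]:
    """Return the problems found on one interface; an empty list means it is consistent."""
    iface = _interface(port)
    if iface is None:
        return [f"{port.name}: invalid address/mask {port.address}/{port.netmask}"]
    net = iface.network
    problems: List[str] = []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{port.name}: {port.address} is the network or broadcast address of {net}")
    if port.gateway is not None:
        try:
            gw = ipaddress.IPv4Address(port.gateway)
        except ValueError:
            return problems + [f"{port.name}: gateway {port.gateway!r} is not a valid IPv4 address"]
        if gw not in net:
            problems.append(f"{port.name}: gateway {port.gateway} is outside {net}")
        elif gw == iface.ip:
            problems.append(f"{port.name}: gateway is the same as the interface address")
    return problems


def check_appliance(mgmt: PortConfig, data: Optional[PortConfig], dns_servers: List[str]) -> List[str]:
    """Validate the whole Table 2 answer set: both ports, the subnet-separation rule, and DNS."""
    problems = check_port(mgmt)
    if data is not None:
        problems += check_port(data)
        mgmt_if, data_if = _interface(mgmt), _interface(data)
        # The guide's NOTE: the Data Port address must not be in the Management Port subnet
        if mgmt_if and data_if and mgmt_if.network.overlaps(data_if.network):
            problems.append(f"{data.name} subnet {data_if.network} overlaps {mgmt.name} "
                            f"subnet {mgmt_if.network}; the two ports need separate subnets")
    for server in dns_servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid IPv4 address")
    return problems


if __name__ == "__main__":
    # Management Port address is not shown in the guide's transcript; 192.168.5.10 is assumed.
    MGMT = PortConfig("Management Port", "192.168.5.10", "255.255.255.0", "192.168.5.1")
    DATA = PortConfig("Data Port", "192.168.7.55", "255.255.255.0", "192.168.7.1")
    for line in check_appliance(MGMT, DATA, ["198.168.5.3", "192.168.5.1"]) or ["no problems found"]:
        print(line)
```

Run it with the values you intend to enter; an empty result means the two subnets are separate and every gateway is reachable from its own interface, which is what the CLI will not check for you.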
Resetting the Passwords to Factory Default

To reset the Administrator passwords in Policy Manager to factory defaults, log in to the CLI as the apprecovery user. The apprecovery password is generated dynamically. Perform the following steps to generate the recovery password:
1. Connect to the Policy Manager appliance through the front serial port, using any terminal program. See "Server Port Overview" on page 23 for the location of the port.
2.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit.
5. To generate the support key, select option 2. Select option 3 if you also want a password recovery key.
6. After the password recovery key is generated, email the key to Dell technical support. Dell technical support can then generate a unique password that lets you log in to the support shell.
Chapter 3 Policy Manager Dashboard

Drag and drop elements from the left pane to customize the Dashboard layout.

Table 3: Dashboard Layout Parameters
All Requests: Drag this widget to the Dashboard to view a graph of all requests processed by Policy Manager over the past week. Processed requests include RADIUS, TACACS+, and WebAuth requests. Clicking a bar in the graph drills down into the Access Tracker page and shows the requests for the selected day.
Table 3: Dashboard Layout Parameters (Continued)
Latest Authentications: Drag this widget to the Dashboard to view a table of the latest authentications. Clicking a row in the table drills down into the Access Tracker page and shows the requests sorted by timestamp, latest first.
Table 3: Dashboard Layout Parameters (Continued)
Request Processing Time: Drag this widget to the Dashboard to view the trend of total request processing time.
System Summary: Drag this widget to the Dashboard to view the Percentage Used statistics for the following:
- Main Memory
- Swap Memory
- Disk
- Swap Disk
Successful Authentications: Drag this widget to the Dashboard to view a table of the latest successful authentications.
Table 3: Dashboard Layout Parameters (Continued)
Quick Links: Drag this widget to the Dashboard to view links to the following common configuration tasks:
- Start Configuring Policies: links to the Start Here page under the Configuration menu, where you begin configuring Policy Manager services.
- Manage Services: links to the Services page under the Configuration menu, which lists the configured services.
- Access Tracker: links to the Access Tracker screen in the Monitoring > Live Monitoring menu.
Table 3: Dashboard Layout Parameters (Continued)
Cluster Status: Drag this widget to the Dashboard to view the status of all nodes in the cluster. The following fields are shown for each node:
- Status: The overall health of the node. Green indicates healthy; red indicates connectivity problems or high CPU or memory utilization. The status is also red when a node is out of sync with the rest of the cluster.
- Host Name: The host name and IP address of the node.
Chapter 4 Monitoring

The Monitoring feature in Policy Manager provides access to live monitoring of components and other functions. For more information, see:
- "Live Monitoring" on page 35
- "Audit Viewer" on page 60
- "Event Viewer" on page 65
- "Data Filters" on page 67
- "Blacklisted Users" on page 70

Live Monitoring
The Live Monitoring link provides access to six monitoring features.
Table 4: Access Tracker Page Parameters
- Filter: Shows all requests without any rows filtered. See "Data Filters" on page 67 to modify this setting.
- Server/Domain: The IP address or domain name of the server whose requests are displayed.
- Date range: Displays information for the past 24 hours by default. The setting shows the number of days before the configured date for which Access Tracker data is displayed.
- Auto Refresh: Click to enable or disable automatic page refresh.
Editing the Access Tracker
You can change the Access Tracker parameters by clicking the Edit button.
Figure 5: Access Tracker Page (edit mode)
Table 5: Access Tracker Edit Page (edit mode) Parameters
- Select Server/Domain: Select the server whose data is to be displayed. Select all servers to display transactions from every node in the Policy Manager cluster.
- Auto Refresh: Click to enable or disable automatic page refresh.
action is supported by all devices. Some devices support setting a session timeout, changing the VLAN for the session, applying an ACL, and so on.

Summary tab
This tab shows a summary view of the transaction, including the policies that were applied.
Figure 6: Request Details Summary tab Parameters

Input tab
This tab shows the protocol-specific attributes that Policy Manager received in the transaction request, including authentication and posture details (if available).
Figure 8: Output tab Parameters
Administrators can view the posture response and the detailed posture evaluation results. For example, an administrator can see which registry keys were missing and why a registry key check failed.

Alerts tab
This tab is displayed only when an error occurs. For example, if you select a row in which the Login Status is TIMEOUT or REJECT, an Alerts tab appears.
Table 6: Request Details Page Control Parameters
- Change Status: Click this button to change the access control status of a session. The button is enabled only for the RADIUS and WebAuth authentication types. After you click it, the Access Control Capabilities tab opens, where you can view or change the Access Control Type.
  - Agent: This control is available for a session where the endpoint has the OnGuard Agent installed.
RADIUS CoA tab
The RADIUS CoA tab is only available for RADIUS transactions for which Policy Manager sent a RADIUS Change of Authorization (CoA) command to the network device. The view lists the CoA actions sent to the device in chronological order.

Accounting
The Accounting display provides a dynamic report of network accesses, as reported by the network access device through RADIUS or TACACS+ accounting records, at Monitoring > Live Monitoring > Accounting.
Table 7: Accounting Page (Edit Mode) Parameters (Continued)
- Show Latest: Sets the date selected in the previous step to Today.
- Select Columns: Click the right or left arrows to move entries between Available Columns and Selected Columns. Click Up or Down to reorder the columns in either list.
- Show records: Show 10, 20, 50, or 100 rows. Once selected, this setting is saved and used in subsequent sessions.
RADIUS Accounting Record Details (Details tab)
This topic describes the parameters of the Accounting Record Details page's Details tab for the RADIUS protocol.
Figure 12: RADIUS Accounting Details tab
Table 9: RADIUS Accounting Record Details tab Parameters
- Details tab: Shows the RADIUS attributes sent to and received from the network device during the initial authentication and any subsequent re-authentications (each section in the Details tab corresponds to a "session" in Policy Manager).
Figure 13: RADIUS Accounting Record Details (Summary tab)
Table 10: RADIUS Accounting Record Details Summary tab Parameters
- Session ID: Policy Manager session identifier; use it to correlate this record with a record in Access Tracker.
- Account Session ID: A unique ID for this accounting record.
- Start and End Timestamp: Start and end time of the session.
- Status: Current connection status of the session.
- Username: Username associated with this record.
Table 10: RADIUS Accounting Record Details Summary tab Parameters (Continued)
- Service Type: The value of the standard RADIUS Service-Type attribute.
- NAS IP Address: IP address of the network device.
- NAS Port Type: The access method, for example Ethernet or 802.11 Wireless.
- Calling Station ID: In most use cases supported by Policy Manager, this is the MAC address of the client.
- Called Station ID: MAC address of the network device.
Figure 14: RADIUS Accounting Record Details (Utilization tab)
Table 11: RADIUS Accounting Record Details Utilization tab Parameters
- Active Time: How long the session was active.
- Account Delay Time: The number of seconds the network device has been trying to send this record. Subtract it from the record timestamp to get the time the device actually generated the record.
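When reviewing accounting data outside the UI, a practitioner usually wants the Account Delay Time correction applied automatically and the Start and Stop records tied together by Account Session ID. The following Python is an added example, not code from the guide or the product: it corrects each record's timestamp by Acct-Delay-Time, groups records by Acct-Session-Id, compares the Acct-Session-Time a device reports on its Stop record with the measured Start-to-Stop gap, and flags a Stop with no preceding Start. The records are constructed sample data; the attribute names are the standard RFC 2866 ones.

```python
"""Correlate RADIUS accounting records into per-session summaries.

Added example, not code from the Dell/Aruba guide. It applies the rule given for the
Utilization tab: a record's real generation time is the time it was received minus
Acct-Delay-Time. It also cross-checks the Acct-Session-Time reported on the Stop record
against the Start/Stop gap, and flags Stop records with no matching Start.
All records below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class AcctRecord:
    received: datetime         # when the accounting server logged the record
    attrs: Dict[str, str]      # RADIUS attributes, name -> value

    def generated_at(self) -> datetime:
        """Subtract Acct-Delay-Time (seconds the NAS spent retrying) from the receive time."""
        return self.received - timedelta(seconds=int(self.attrs.get("Acct-Delay-Time", "0")))


@dataclass
class Session:
    session_id: str
    username: Optional[str] = None
    calling_station: Optional[str] = None
    nas_ip: Optional[str] = None
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    reported_active: Optional[int] = None      # Acct-Session-Time from the Stop record
    anomalies: List[str] = field(default_factory=list)

    def active_seconds(self) -> Optional[int]:
        """Active time measured from the corrected Start and Stop times."""
        if self.start is None or self.end is None:
            return None
        return int((self.end - self.start).total_seconds())


def correlate(records: List[AcctRecord], tolerance: int = 5) -> Dict[str, Session]:
    """Group records by Acct-Session-Id and build one Session per ID.

    Records are processed in order of corrected generation time, so a Stop that arrived
    late (large Acct-Delay-Time) still lands after its Start. `tolerance` is the number
    of seconds the NAS-reported Acct-Session-Time may differ from the measured gap
    before an anomaly is recorded.
    """
    sessions: Dict[str, Session] = {}
    for rec in sorted(records, key=AcctRecord.generated_at):
        sid = rec.attrs["Acct-Session-Id"]
        s = sessions.setdefault(sid, Session(session_id=sid))
        s.username = rec.attrs.get("User-Name", s.username)
        s.calling_station = rec.attrs.get("Calling-Station-Id", s.calling_station)
        s.nas_ip = rec.attrs.get("NAS-IP-Address", s.nas_ip)
        status = rec.attrs.get("Acct-Status-Type")
        if status == "Start":
            s.start = rec.generated_at()
        elif status == "Stop":
            s.end = rec.generated_at()
            s.reported_active = int(rec.attrs.get("Acct-Session-Time", "0"))
            measured = s.active_seconds()
            if measured is None:
                s.anomalies.append("Stop without Start")
            elif abs(measured - s.reported_active) > tolerance:
                s.anomalies.append(
                    f"Acct-Session-Time {s.reported_active}s disagrees with measured {measured}s")
        # Interim-Update records only refresh the identity fields handled above
    return sessions


# Constructed sample records (not from the guide). T0 is the receive time of the first record.
T0 = datetime(2014, 6, 1, 9, 0, 0)
SAMPLE_RECORDS = [
    AcctRecord(T0, {"Acct-Status-Type": "Start", "Acct-Session-Id": "0000a1b2", "User-Name": "alice",
                    "Calling-Station-Id": "00-11-22-33-44-55", "NAS-IP-Address": "10.0.0.2",
                    "Acct-Delay-Time": "0"}),
    # Stop arrives 610 s later, but the NAS retried for 10 s, so it was generated at T0 + 600 s
    AcctRecord(T0 + timedelta(seconds=610), {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0000a1b2",
                    "User-Name": "alice", "NAS-IP-Address": "10.0.0.2", "Acct-Session-Time": "600",
                    "Acct-Delay-Time": "10"}),
    # Start and Stop are 300 s apart but the device claims a 30 s session
    AcctRecord(T0 + timedelta(seconds=100), {"Acct-Status-Type": "Start", "Acct-Session-Id": "0000c3d4",
                    "User-Name": "bob", "NAS-IP-Address": "10.0.0.2", "Acct-Delay-Time": "0"}),
    AcctRecord(T0 + timedelta(seconds=400), {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0000c3d4",
                    "User-Name": "bob", "NAS-IP-Address": "10.0.0.2", "Acct-Session-Time": "30",
                    "Acct-Delay-Time": "0"}),
    # Stop for a session whose Start was never seen
    AcctRecord(T0 + timedelta(seconds=30), {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0000ffff",
                    "User-Name": "mallory", "NAS-IP-Address": "10.0.0.9", "Acct-Session-Time": "3600",
                    "Acct-Delay-Time": "0"}),
]

if __name__ == "__main__":
    for s in correlate(SAMPLE_RECORDS).values():
        print(s.session_id, s.username, s.active_seconds(), s.anomalies)
```

The two anomaly checks are the ones worth keeping in any accounting pipeline: a device whose reported session time disagrees with its own Start and Stop records has either a clock problem or is sending records you should not trust for billing or forensics, and a Stop with no Start usually means the Start was lost or the device was reconfigured mid-session.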
Figure 15: TACACS+ Accounting Record Details (Auth Sessions tab)
Table 12: TACACS+ Accounting Record Details Auth Sessions tab Parameters
- Number of Authentication Sessions: Total number of authentications (always 1) and authorizations in this session.
- Authentication Sessions Details: For each request ID, whether it was an authentication or an authorization request, and the time at which the request was sent.
Figure 16: TACACS+ Accounting Record Details (Details tab)
Table 13: TACACS+ Accounting Record Details tab Parameters
- Details tab: For each authorization request, shows cmd (the command typed), priv-lvl (the privilege level of the administrator executing the command), service (shell), and so on.

TACACS+ Accounting Record Details (Request tab)
This topic describes the parameters of the Accounting Record Details page's Request tab for the TACACS+ protocol.
Table 14: TACACS+ Accounting Record Request tab Parameters
- Session ID: A unique ID associated with a request.
- User Session ID: A session ID that correlates the authentication, authorization, and accounting records.
- Start and End Timestamp: Start and end time of the session.
- Username: Username associated with this record.
- Client IP: The IP address and tty of the device interface.
- Remote IP: The IP address from which the administrator is logged in.
Figure 18: OnGuard Activity
Table 15: OnGuard Activity Parameters
- Auto Refresh: Toggles auto-refresh. When it is on, all endpoint activities are refreshed automatically.
- Send Message: Sends a message to the selected endpoints.
- Bounce an Agent (non-SNMP): Initiates a bounce of the managed interface on the endpoint.
Table 16: Bounce Agents Page Parameters
- Display Message (Optional): An optional message to display on the endpoint through the OnGuard interface.
- Web link for more details (Optional): An optional clickable URL displayed along with the Display Message.
- Endpoint Status: No change in status leaves the status of the endpoint as it is; the existing status of Known, Unknown, or Disabled continues to apply.
Table 17: Bounce Client (Using SNMP) Page Parameters
- Client IP or MAC address: Enter the IP or MAC address of the client to bounce.
- Host MAC: Displays the host MAC address.
- Host IP: Displays the host IP address.
- Switch IP Address: Displays the switch IP address.
- Switch Port: Displays the switch port number.
- Description: Displays the description of the client.
- Status: Displays the status of the client.
Analysis and Trending
The Analysis and Trending page displays the number of requests, for the subset of components included in the selected filters, over a monthly, bi-weekly, weekly, daily, 12-hourly, 6-hourly, 3-hourly, or hourly window. The data can be aggregated by minute, hour, day, or week. The list at the end of the page shows the per-filter count for the aggregated data. Each bar in the bar graph corresponds to one filter and is clickable.
Figure 23: Endpoint Profiler (view 1)
Figure 24: Endpoint Profiler (view 2)
Click a device in the table below the graphs to view endpoint details for that device. Click Cancel to return to the Endpoint Profiler page.
Figure 25: Endpoint Profiler Details

System Monitor
The System Monitor page has four tabs. Each tab provides one or more charts or graphs that give real-time information about various components.
- System Monitor tab: Displays charts and graphs about CPU load and usage, memory usage, and disk usage.
- Process Monitor tab: Displays reports about a selected process. The processes you can monitor include the Policy server, TACACS+ server, Stats collection service, and more.
- "Process Monitor tab" on page 58
- "Network tab" on page 59
- "ClearPass tab" on page 60
Figure 26: System Monitor Page

System Monitor tab
The System Monitor tab displays information about component usage and load.
Figure 28: CPU Load Graph Example

Monitoring Memory Usage
This graph shows the percentage of memory that is free, together with the total memory in gigabytes.
Figure 29: Memory Usage Graph Example

Monitoring Swap Memory Usage
This graph shows the percentage of swap memory that is free, together with the total swap memory in gigabytes.
Figure 30: Used and Free Memory Graph Example
Monitoring Disk - / Usage
This chart shows the percentage of used and free disk space.
Figure 31: Used and Free Disk Space Graph Example

Monitoring Disk Swap Usage
The Disk - Swap Usage chart shows the used and total swap space.
Figure 32: Used and Free Disk Swap Chart Example

Process Monitor tab
Click this tab to view graphs of CPU usage and main memory usage for the selected process or service.
Figure 33: Process Monitor tab Page Example

Monitoring Main Memory Usage
This graph shows the main memory usage of the selected process over time, in kilobytes.
Figure 34: Main Memory Usage Graph Example

Network tab
Select the Network tab to view network activity charts and graphs for the following components:
- OnGuard
- Database
- Web Traffic
- RADIUS
- TACACS
- SSH
- NTP
Figure 35: Network Monitor Tab Graph Example (Web Traffic)

ClearPass tab
ClearPass can plot graphs based on the performance monitoring counters and timers for the following components:
- Service Categorization
- Authentication
- Authorization
- Role Mapping
- Posture Evaluation
- Enforcement
- End-to-end request processing for RADIUS, TACACS+, and WebAuth requests
These components are actively monitored, and the ClearPass tab displays the past 30 minutes of the monitored data.
Figure 37: Audit Viewer Page
Table 19: Audit Viewer Page Parameters
- Select Filter: Select the filter that constrains the audit data displayed.
- Show records: Show 10, 20, 50, or 100 rows. Once selected, this setting is saved and used in subsequent logins.

Viewing Audit Row Details (Add Page)
If you click a row on the main page where the Action was ADD, an Audit Row Details page opens. The page gives details specific to the Action category.
Figure 39: Audit Row Details Page Example 2 (Virtual IP Server Added)

Viewing Audit Row Details (Modify Page)
If you click a row on the main page where the Action was MODIFY, an Audit Row Details page opens. The Audit Row Details page for the MODIFY category has three tabs.

Old Data Tab
The top section of the Old Data tab summarizes the original data values. The bottom section shows the original attributes and their values.
Figure 41: Old Data tab Attributes Section

New Data tab
The top section of the New Data tab summarizes the new data values, such as User ID, Password, and Guest Type. The bottom section displays the new and changed attributes. The figures show a MODIFY action taken in the Guest User category.
Figure 42: New Data tab
Figure 43: New Data tab Attributes Section

Inline Difference tab
This tab summarizes the differences between the old and new data. The example shows the modification made to the value on line 20 of the Old Data attribute named airgroup_shared_time. Modifications are highlighted in yellow, additions in green, and deletions in red. A green arrow indicates that a value was moved up; a red arrow indicates that it was moved down.
Figure 45: Audit Row Details (Remove Page)

Event Viewer
The Event Viewer page provides reports about system-level events. For more information, see:
- "Creating an Event Viewer Report Using Default Values" on page 66
- "Creating an Event Viewer Report Using Custom Values" on page 66
- "Viewing Report Details" on page 67
Figure 46: Event Viewer Report Page (Default Values)
Table 20: Event Viewer Report Page Parameters (Default Values)
- Select Server: Shows the name and IP address of the server you are logged in to. Click to select a different server.
- Filter: Select the field to filter on. The options are Source, Level, Category, Action, and Description.
- Go: Click to create the report.
- Clear Filter: Click to restore the default filter settings.
You can add up to four filter fields.
9. Change the Show records value to 20.
10. Click Go.
Figure 47: Event Viewer Report Example (Custom Values)

Viewing Report Details
Click a row in the Event Viewer report to display the System Event Details.
For more information, see "Add a Filter" on page 68.
Figure 49: Data Filters Page
Table 21: Data Filters Page Parameters
- Add: Click to open the Add Filter wizard.
- Import: Click to open the Import Filters popup.
- Export All: Click to open the Export Filters popup. This exports all configured filters.
- Copy: Copy the selected filters.
- Export: Click to open the Export popup to export the selected filters.
- Delete: Click to delete the selected filters.
Table 22: Add Filter (Filter tab) Parameters
- Name/Description: Name and description of the filter (freeform).
- Configuration Type: Choose one of the following configuration types:
  - Specify Custom SQL: Selecting this option lets you specify a custom SQL query for the filter. If you select it, the Rules tab disappears and a SQL template is displayed in the Custom SQL field. NOTE: Selecting this option is not recommended.
Figure 52: Add Filter (Rules tab) - Rules Editor
Table 24: Add Filter (Rules tab) Parameters
- Matches: ANY matches a request that satisfies at least one of the configured conditions. ALL matches only a request that satisfies all of them.
- Type: The namespace of the attribute:
  - Common: Attributes common to RADIUS, TACACS+, and WebAuth requests and responses.
  - RADIUS: Attributes associated with RADIUS authentication and accounting requests and responses.
Figure 53: Monitoring Blacklisted Users
Chapter 5 Policy Manager Policy Model

From the point of view of network devices or other entities that need authentication and authorization services, Policy Manager appears as a RADIUS, TACACS+, or HTTP/HTTPS-based authentication server; however, its rich and extensible policy model lets it broker security functions across a range of existing network infrastructure, identity stores, health/posture services, and client technologies within the enterprise.
Figure 54: Generic Policy Manager Service Flow of Control
Table 25: Policy Manager Service Components
Component | Service: component ratio | Description
A - Authentication Method | Zero or more per service | EAP or non-EAP method for client authentication. Policy Manager groups authentication methods into the following broad classes:
- EAP, tunneled: PEAP, EAP-FAST, or EAP-TTLS.
- EAP, non-tunneled: EAP-TLS or EAP-MD5.
- Non-EAP, non-tunneled: CHAP, MS-CHAP, PAP, or MAC-AUTH. MAC-AUTH must be used exclusively in a MAC-based Authentication Service.
Table 25: Policy Manager Service Components (Continued)
C - Role Mapping Policy | Zero or one per service | Policy Manager evaluates requests against the Role Mapping Policy rules to match clients to roles. All rules are evaluated, and Policy Manager may return more than one role. If no rule matches, the request is assigned the configured Default Role.
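Two behaviours described on this page follow the same condition-evaluation model: a Data Filter whose conditions are combined with Matches ANY or ALL over namespaced attributes (Table 24 under Monitoring > Data Filters), and a Role Mapping Policy in which every rule is evaluated, several roles may result, and the Default Role applies only when nothing matched (component C above). The Python below is an added example that models both; it is not the product's code. The operator names, the namespace contents, the sample request, the rule set and the default role name [Guest] are assumptions made for the example.

```python
"""Evaluate Rules Editor style conditions against a request.

Added example, not the product's own code. It models two behaviours this page describes:
a Data Filter whose conditions are combined with Matches ANY or ALL over namespaced
attributes, and a Role Mapping Policy in which every rule is evaluated, more than one
role may be returned, and the Default Role applies only when no rule matched.
The operator set, sample request, rules and role names are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Sequence

# namespace -> attribute -> value, e.g. {"RADIUS": {"NAS-IP-Address": "10.0.0.2"}}
Request = Dict[str, Dict[str, Any]]


def _contains(attr_value: Any, wanted: Any) -> bool:
    """Multi-valued attributes (such as LDAP memberOf) are lists; scalars compare as substrings."""
    if isinstance(attr_value, (list, tuple, set)):
        return wanted in attr_value
    return str(wanted) in str(attr_value)


OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "EQUALS": lambda a, b: a == b,
    "NOT_EQUALS": lambda a, b: a != b,
    "CONTAINS": _contains,
    "BEGINS_WITH": lambda a, b: str(a).startswith(str(b)),
    "BELONGS_TO": lambda a, b: a in b,     # attribute value is one of a configured set
}


@dataclass(frozen=True)
class Condition:
    namespace: str      # "Common", "RADIUS", "Authorization", ...
    attribute: str
    operator: str
    value: Any

    def holds(self, request: Request) -> bool:
        ns = request.get(self.namespace, {})
        if self.attribute not in ns:
            return False        # an attribute the request does not carry never satisfies a condition
        return OPERATORS[self.operator](ns[self.attribute], self.value)


def filter_matches(conditions: Sequence[Condition], request: Request, match: str = "ALL") -> bool:
    """Data Filter semantics: ALL requires every condition to hold, ANY requires at least one."""
    if match not in ("ANY", "ALL"):
        raise ValueError("match must be ANY or ALL")
    combine = all if match == "ALL" else any
    return combine(c.holds(request) for c in conditions)


@dataclass
class MappingRule:
    conditions: Sequence[Condition]
    role: str
    match: str = "ALL"


def map_roles(rules: Sequence[MappingRule], request: Request, default_role: str) -> List[str]:
    """Role Mapping semantics: evaluate every rule (no first-match stop), collect each matched
    role once in rule order, and return the Default Role only when nothing matched."""
    roles: List[str] = []
    for rule in rules:
        if filter_matches(rule.conditions, request, rule.match) and rule.role not in roles:
            roles.append(rule.role)
    return roles or [default_role]


# Constructed sample request: an 802.1X wireless user looked up in an LDAP authorization source
SAMPLE_REQUEST: Request = {
    "Common": {"Connection-Protocol": "RADIUS"},
    "RADIUS": {"NAS-IP-Address": "10.0.0.2", "NAS-Port-Type": "Wireless-802.11",
               "Service-Type": "Framed-User"},
    "Authorization": {"memberOf": ["CN=Staff", "CN=VPN-Users"], "department": "Engineering"},
}

# Constructed role mapping policy; the role names are illustrative
SAMPLE_RULES = [
    MappingRule([Condition("Authorization", "memberOf", "CONTAINS", "CN=Staff")], "Employee"),
    MappingRule([Condition("Authorization", "department", "EQUALS", "Engineering"),
                 Condition("RADIUS", "NAS-Port-Type", "EQUALS", "Wireless-802.11")], "Engineering-WiFi"),
    MappingRule([Condition("Authorization", "memberOf", "CONTAINS", "CN=Contractors")], "Contractor"),
]

if __name__ == "__main__":
    # Both matching rules contribute a role; the third does not match and the default is unused
    print(map_roles(SAMPLE_RULES, SAMPLE_REQUEST, "[Guest]"))
```

The point to carry into policy design is the absent-attribute case: a condition on an attribute the request does not carry is false, so a Matches ALL rule that depends on an authorization attribute silently fails when the authorization source lookup returns nothing, and the request falls through to the Default Role. Make the Default Role the least privileged one.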
Viewing Existing Services
You can view all configured services in a list or drill down into individual services. In the menu panel, click Services to view a list of services that you can filter by phrase or sort by order.
Figure 55: List of services with sorting tool
In the Services page, click the name of a service to display its details.
Figure 57: Disable/Enable toggle for a Policy Manager Service

Links to Use Cases and Configuration Instructions
For each of a service's policy components that you can configure, the following table references an illustrative use case and detailed configuration instructions.
Table 26: Policy Component Use Cases and Configuration Instructions
Policy Component | Illustrative Use Cases | Service Configuration Instructions
Service | "802.
Table 26: Policy Component Use Cases and Configuration Instructions (Continued)
Role Mapping | "802.1X Wireless Use Case" on page 483 has an explicit Role Mapping Policy that tests request attributes against a set of rules to assign a role.
deployment. The Policy Simulation utility applies a set of request parameters as input to a given policy component and displays the outcome, at Configuration > Policy Simulation. The following simulation types are supported:
- Service Categorization: Specify a set of attributes in the RADIUS or Connection namespace and test which configured service the request is categorized into.
Table 27: Policy Simulation Page Parameters (Continued) Parameter Description Export Opens the Export popup. Delete Click to delete a selected (check box on left) Policy Simulation. Adding Simulation Test Navigate to Configuration > Policy Simulation and click on the Add Simulation link. Depending on the simulation type selected the contents of the Simulation tab changes.
Table 28: Add Policy Simulation (Simulation tab) (Continued)

Type: Role Mapping
- Input (Simulation tab): Select Service (the Role Mapping Policy is implicitly selected, because only one such policy is associated with a service), Authentication Source, User Name, and Date/Time.
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces relevant for role mapping policies are loaded in the attributes editor.

Type: Audit
- Input (Simulation tab): Select the Audit Server and the host to be audited (IP address or hostname).
- Returns (Results tab): Summary Posture Status, Audit Attributes and Status.
NOTE: Audit simulations can take a while; an AuditInProgress status is shown until the audit completes.

Dell Networking W-ClearPass Policy Manager 6.

Type: Enforcement Policy
- Input (Simulation tab): Select Service (the Enforcement Policy is implicit by its association with the Service), Authentication Source (optional), User Name (optional), Roles, Dynamic Roles (optional), System Posture Status, and Date/Time (optional).
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test.

Type: Chained Simulations
- Input (Simulation tab): Select Service, Authentication Source, User Name, and Date/Time.
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces that are relevant in the Role Mapping Policy context are loaded in the attributes editor.
- Returns (Results tab): Role(s), Posture Status, Enforcement Profiles and Status Messages.
Figure 59: Add Simulation (Attributes Tab)

In the Results tab, Policy Manager displays the outcome of applying the test request parameters against the specified policy component(s). What the Results tab shows again depends on the type of simulation.

Figure 60: Add Simulation (Results Tab)

Import and Export Simulations

Navigate to Configuration > Policy Simulation and select the Import link.

Figure 61: Import Simulations

Table 29: Import Simulations

Select file: Browse to select the simulations import file.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.

Export Simulations

Click the Export All link to export all simulations. Your browser displays its normal Save As dialog, in which you enter the name of the XML file that will contain the export. To export one simulation, click Export. In the Save As dialog, enter the name of the XML file to contain the exported data.
Chapter 6 Services

The Policy Manager policy model groups policy components that serve a particular type of request into Services, which sit at the top of the policy hierarchy.

- "Aruba Auto Sign-On" on page 93
- "ClearPass Admin Access" on page 94
- "ClearPass Admin SSO Login (SAML SP Service)" on page 94
- "ClearPass Identity Provider (SAML IdP Service)" on page 95
- "EDUROAM Service" on page 95
- "Guest Access Web Login" on page 97
- "Guest Access" on page 97
- "Guest MAC Authentication" on page 98
- "Onboard" on page 99
- "WorkSpace Authentication" on page 100

Figure 62: Service Templates page (partial view)

802.
Table 30: 802.1X Wired, 802.1X Wireless, and Dell 802.1X Wireless Service Template Parameters (Continued)

Description: Enter a description that will help you identify the characteristics of this template.
Server: Enter the hostname or the IP address of the Active Directory server.
Identity: Enter the Distinguished Name of the administrator account.
NETBIOS: Enter the server's Active Directory domain name.

Table 31: Dell VPN Access with Posture Checks Service Template Parameters

Name Prefix: Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Authentication
AD Name: Enter your Active Directory name.
Description: Enter a description that will help you identify the characteristics of this template.
Server: Enter the hostname or the IP address of the Active Directory server.
Aruba Auto Sign-On

This application service template allows access to SAML-based single sign-on enabled applications (such as Policy Manager, Guest, Onboard, and Insight) using a network-authenticated (802.1X) identity through Dell controllers.

Table 32: ClearPass Aruba Auto Sign-On Service Template Parameters

Name Prefix: Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.

ClearPass Admin Access

This template is designed for services that authenticate users against Active Directory (AD) and use AD attributes to determine the appropriate privilege levels for Dell Networking W-ClearPass Policy Manager admin access.

Table 33: ClearPass Admin Access Service Template Parameters

Name Prefix: Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.

Service Rule
Application: Select the application that single-sign-on-authenticated administrative users will be able to access.

ClearPass Identity Provider (SAML IdP Service)

This template is designed for services that act as an Identity Provider (IdP). The IdP feature provides a way for the layer-2 device, the RADIUS server, and the Security Assertion Markup Language (SAML) IdP to work together to deliver application-based single sign-on using network authentication information.
Table 36: EDUROAM Service Template Parameters

Name Prefix: Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Service Rule
Enter domain details: Enter the domain name of the network.
Select Vendor: Select the vendor of the network device.
Authentication
AD Name: Enter the hostname or the IP address of the Active Directory server.

Table 36: EDUROAM Service Template Parameters (Continued)

IP Address: The IP address of the federation RADIUS server.
Vendor Name: Select the manufacturer of the wireless controller.
RADIUS Shared Secret: Enter the shared secret that is configured on the controller and inside Policy Manager to send and receive RADIUS requests.
Enable RADIUS CoA: Select to enable RADIUS-initiated Change of Authorization on the network device.
Table 38: Guest Access Service Template Parameters

Name Prefix: Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Wireless Network Settings
Wireless SSID for Guest access: Enter the SSID value here.
Wireless controller name: The name given to the Wireless Controller.
Controller IP Address: The wireless controller's IP address.
Vendor Name: Select the manufacturer of the wireless controller.

Table 39: Guest MAC Authentication Service Template Parameters (Continued)

Wireless SSID for Guest access: Enter the SSID name of your network.
Wireless controller name: The name given to the Wireless Controller.
Controller IP Address: The wireless controller's IP address.
Vendor Name: Select the manufacturer of the wireless controller.

Table 40: Onboard Authorization Service Template Parameters

Name Prefix: Enter an optional prefix that will be prepended to services using this template. Use this to identify services that use templates.
Wireless Network Settings
Wireless controller name: The name given to the Wireless Controller.
Controller IP Address: The wireless controller's IP address.
Vendor Name: Select the manufacturer of the wireless controller.

Table 41: WorkSpace Authorization Service Template Parameters (Continued)

Identity: Enter the Distinguished Name of the administrator account.
NETBIOS: Enter the server's Active Directory domain name.
Base DN: Enter the Distinguished Name of the administrator account.
Password: Enter the account password.
Port: Enter the TCP port on which the server is listening for connections.
Device Access Restrictions
Days allowed for access: Select the days on which access is allowed.
deployment. This service by default includes a rule that specifies that a Dell ESSID exists. The default configuration tabs are Service, Authentication, Roles, and Enforcement. You can also select Authorization, Posture Compliance, Audit End Hosts, and Profile Endpoints in the More Options section to access those configuration tabs.

Figure 63: Dell 802.1X Wireless Service

Service Tab

The Service tab includes basic information about the service, including Name, Description, and Service Type.

For both Authentication Methods and Authentication Sources, you can select one item in the list and use the buttons on the right to:
- Move it up or down. The order of authentication matters. When a client tries to do 802.1X authentication, Policy Manager proposes the first authentication method configured. The client can accept the authentication method proposed by Policy Manager and continue authentication, or send a NAK and propose a different authentication method.

through a dissolvable agent. You can also choose to Enable auto-remediation of non-compliant end-hosts and enter the Remediation URL of a server resource that can perform remediation actions (when a client is quarantined). When you configure posture policies, only those that are configured for the OnGuard Agent are shown in the list of posture policies.
802.1X Wireless

Configure the 802.1X Wireless service for wireless clients connecting through an 802.11 wireless access device or controller with authentication via IEEE 802.1X. The default configuration tabs are Service, Authentication, Roles, and Enforcement. You can also select Authorization, Posture Compliance, Audit End Hosts, and Profile Endpoints in the More Options section to access those configuration tabs.

Figure 64: 802.

For both Authentication Methods and Authentication Sources, you can select one item in the list and use the buttons on the right to:
- Move it up or down. The order of authentication matters. When a client tries to do 802.1X authentication, Policy Manager proposes the first authentication method configured. The client can accept the authentication method proposed by Policy Manager and continue authentication, or send a NAK and propose a different authentication method.

through a dissolvable agent. You can also choose to Enable auto-remediation of non-compliant end-hosts and enter the Remediation URL of a server resource that can perform remediation actions (when a client is quarantined). When you configure posture policies, only those that are configured for the OnGuard Agent are shown in the list of posture policies.
Except for the NAS-Port-Type service rule value (which is Ethernet for 802.1X Wired and Wireless 802.11 for 802.1X Wireless), configuration of the remaining tabs is the same as for the 802.1X Wireless service. See "802.1X Wireless" on page 105 for details.

Figure 65: 802.1X Wired Service

MAC Authentication

MAC-based authentication service, for clients without an 802.1X supplicant or a posture agent (printers, other embedded devices, and computers owned by guests or contractors).

Authentication Tab

The Authentication tab contains options for configuring authentication methods and sources. The default authentication method used for this type of service is [MAC AUTH], which is a special type of method called MACAUTH. When this authentication method is selected, Policy Manager does stricter checking of the MAC address of the client.

- Modify it. For more information on configuring authorization sources, see "Adding and Modifying Authentication Methods" on page 133.

Roles Tab

To associate a role mapping policy with this service, click the Roles tab. For information on configuring role mapping policies, see "Configuring a Role Mapping Policy" on page 191.

Enforcement Tab

The Enforcement tab is where you select an enforcement policy for a service. You must select one.
Web-based Authentication

Configure this service for guests or agentless hosts that connect via the Dell built-in portal. The user is redirected to the Dell captive portal by the network device or by a DNS server that is set up to redirect traffic on a subnet to a specific URL. The web page collects username and password, and also optionally collects health information (on Windows 7, Windows Vista, Windows XP, Windows Server 2008, Windows Server 2003, and popular Linux systems).

Select Strip Username Rules to optionally pre-process the user name (to remove prefixes and suffixes) before authenticating and authorizing against the authentication source. There is no authentication method associated with this type of service; authentication methods are only relevant for RADIUS requests.

Authorization Tab

The Authorization tab is not visible by default. To access it, select the Authorization check box on the Services tab.

Web-based Health Check Only

This type of service is the same as the Web-based Authentication service, except that no authentication is performed; only health checking is done. There is an internal service rule (Connection:Protocol EQUALS WebAuth) that categorizes requests into this type of service. There is also an external service rule that is automatically added when you select this type of service: Host:CheckType EQUALS Health.
802.1X Wireless - Identity Only

Configuration for this type of service is the same as for the regular 802.1X Wireless service, except that posture and audit policies are not configurable when you use this template. Refer to "802.1X Wireless" on page 105 for more information.

Figure 70: 802.1X Wireless - Identity Only Service

802.1X Wired - Identity Only

Configure this service for clients connecting through an Ethernet LAN, with authentication via IEEE 802.1X. Configuration for the 802.

There are no default rules associated with this service type. Rules can be added to handle any type of standard or vendor-specific RADIUS attribute (any attribute that is loaded through the pre-packaged vendor-specific or standard RADIUS dictionaries, or through other dictionaries imported into Policy Manager).

Figure 72: RADIUS Enforcement (Generic) Service

Service Tab

The Service tab includes basic information about the service, including Name, Description, and Service Type.

Select Strip Username Rules to pre-process the user name (to remove prefixes and suffixes) before authenticating and authorizing against the authentication source.

Authorization Tab

The Authorization tab is not visible by default. To access it, select the Authorization check box on the Services tab. The Authorization tab is where you select authorization sources for this service.

- Select an Audit Server, either built-in or customized. See "Configuring Audit Servers" on page 237 for audit server configuration steps.
- Select an Audit Trigger Condition:
  - Always
  - When posture is not available
  - For MAC authentication requests. If you select this, then also select one of:
    - For known end-hosts only
    - For unknown end-hosts only
    - For all end-hosts
Known end-hosts are defined as those clients that are found in the authentication source(s) associated with this service.
Figure 73: RADIUS Proxy Service

RADIUS Authorization

Configure this service type for services that perform authorization using RADIUS. When selected, the Authorization tab is enabled by default. Configuration for this service is the same as RADIUS Enforcement (Generic), except that you do not configure Authentication or Posture with this service type. Refer to "RADIUS Enforcement (Generic)" on page 114 for more information.

Figure 75: TACACS+ Enforcement Service

Service Tab

The Service tab includes basic information about the service, including Name, Description, and Service Type. When adding a service, enter a Name and Description that will help you know what the service does without looking at its details. The Service Type defines what can be configured. Select the Monitor Mode check box to exclude enforcement. Select any of the More Options check boxes to access that category of configuration options.

The Authorization tab is where you select authorization sources for this service. Policy Manager fetches role mapping attributes from the authorization sources associated with the service, regardless of which authentication source was used to authenticate the user. For a given service, role mapping attributes are fetched from the following authorization sources:
- The authorization sources associated with the authentication source.
- The authorization sources associated with the service.

Select the Monitor Mode check box to exclude enforcement. Select any of the More Options check boxes to access that category of configuration options. Service Rules define a set of criteria that supplicants must match to trigger the service. Some service templates have one or more rules pre-defined. Click a service rule to modify any of its options.

Authentication Tab

The Authentication tab contains options for configuring authentication sources.
Figure 77: Dell W-Series Application Authorization

Cisco Web Authentication Proxy

This service is a web-based authentication service for guests or agentless hosts. The Cisco switch hosts a captive portal, and the portal web page collects username and password information. The switch then sends a RADIUS request in the form of a PAP authentication request to Policy Manager. By default, this service uses the PAP authentication method.

- Authentication Methods: The authentication methods used for this service depend on the authentication methods you choose to deploy. Policy Manager automatically selects the appropriate method for authentication when a user attempts to connect. In this case, PAP is selected by default.
- Authentication Sources: The authentication sources used for this type of service.

Enforcement Tab

The Enforcement tab is where you select an enforcement policy for a service. You must select one. See "Configuring Enforcement Policies" on page 281 for more information.

Audit Tab

By default, this type of service does not have audit checking enabled and the Audit tab is not visible. To access it and enable posture checking for this service, select the Audit End-hosts check box on the Service tab.
- Select an Audit Server, either built-in or customized.
Figure 79: Service Listing Page

Table 42: Services page

Add: Add a service.
Import: Import previously exported services.
Export All: Export all currently defined services, including all associated policies.
Filter: Filter the service listing by specifying values for different listing fields:
- Name
- Type
- Template
- Status
Status: The status displays in the last column of the table. A green/red icon indicates the enabled/disabled state.

Figure 80: Add Service Page (all options enabled)

The Add Service tab includes the following fields.

Table 43: Service Page (General Parameters)

Type: Select the desired service type from the drop-down list. When working with service rules, you can select from the following namespace dictionaries:
- Application: The type of application for this service.
- Authentication: The authentication method to be used for this service.

Table 43: Service Page (General Parameters) (Continued)

Monitor Mode: Optionally check Enable to monitor network access without enforcement. This allows authentication and health validation exchanges to take place between the endpoint and Policy Manager, but without enforcement. In monitor mode, no enforcement profiles (and their associated attributes) are sent to the network device.
Modifying Services

Navigate to the Configuration > Services page to view the available services. You can use these service types as configured, or you can edit their settings.

Figure 81: Service Listing Page

To modify an existing service, click its name in the Configuration > Services page. This opens the Services > Edit - form. Select the Service tab on this form to edit the service information.

Figure 82: Services Configuration

The following fields are available on the Service tab.

Table 44: Service Page (General Parameters) (Continued)

More Options: Select the available check box(es) to view additional configuration tab(s). The options that are available depend on the type of service currently being modified. The TACACS+ service, for example, allows for authorization configuration. The RADIUS service allows for configuration of posture compliance, audit end hosts, profile endpoints, and authorization.
Reordering Services

Policy Manager evaluates requests against the service rules of each configured service, in the order in which the services are defined. The service associated with the first matching service rule is then associated with the request. To change the order in which service rules are processed, change the order of the services.
1. To reorder services, navigate to the Configuration > Services page.
2.
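The first-match service categorization described here, together with the evaluate-every-rule behaviour of the Role Mapping Policy (Table 25) that the Policy Simulation utility lets you test, can be modelled in a few dozen lines. The following is an added example, not ClearPass Policy Manager code: the rule operators, the Namespace:Attribute keys, the sample services, the role mapping policy and the requests are all constructed for illustration, and the product's own rule engine is not on this page.

```python
"""Ordered service categorization and role mapping, modelled on the behaviour
this guide describes.  Added example, not ClearPass Policy Manager code: the
rule operators, the Namespace:Attribute keys and the sample services, policy
and requests below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Rule operators; "EXISTS" ignores the expected value.
OPERATORS: Dict[str, Callable[[object, object], bool]] = {
    "EQUALS": lambda actual, expected: actual == expected,
    "NOT_EQUALS": lambda actual, expected: actual != expected,
    "EXISTS": lambda actual, expected: actual is not None,
    "CONTAINS": lambda actual, expected: expected in (actual or []),
}


@dataclass
class Rule:
    attribute: str        # e.g. "Radius:IETF:NAS-Port-Type"
    operator: str
    value: object = None

    def matches(self, request: Dict[str, object]) -> bool:
        return OPERATORS[self.operator](request.get(self.attribute), self.value)


@dataclass
class Service:
    name: str
    rules: List[Rule]
    match_all: bool = True   # service rules can require ALL or ANY to match
    enabled: bool = True

    def matches(self, request: Dict[str, object]) -> bool:
        outcomes = [rule.matches(request) for rule in self.rules]
        return bool(outcomes) and (all(outcomes) if self.match_all else any(outcomes))


def categorize(request: Dict[str, object], services: List[Service]) -> Optional[str]:
    """First match wins: services are tried in the order they are defined,
    which is why reordering services changes the outcome."""
    for service in services:
        if service.enabled and service.matches(request):
            return service.name
    return None


def reorder(services: List[Service], name: str, new_index: int) -> List[Service]:
    """Return a copy of the service list with `name` moved to position new_index."""
    target = next(s for s in services if s.name == name)
    moved = [s for s in services if s.name != name]
    moved.insert(new_index, target)
    return moved


@dataclass
class RoleMappingPolicy:
    default_role: str
    rules: List[Tuple[Rule, str]] = field(default_factory=list)

    def evaluate(self, request: Dict[str, object]) -> List[str]:
        """Every rule is evaluated, so several roles can be returned;
        the Default Role applies only when nothing matched."""
        roles = [role for rule, role in self.rules if rule.matches(request)]
        return roles or [self.default_role]


# Constructed sample configuration (not the product's defaults).
SERVICES = [
    Service("Web-based Health Check Only", [
        Rule("Connection:Protocol", "EQUALS", "WebAuth"),
        Rule("Host:CheckType", "EQUALS", "Health")]),
    Service("802.1X Wired", [Rule("Radius:IETF:NAS-Port-Type", "EQUALS", "Ethernet")]),
    Service("802.1X Wireless", [Rule("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11")]),
    Service("RADIUS Enforcement (Generic)", [Rule("Radius:IETF:User-Name", "EXISTS")]),
]

ROLE_POLICY = RoleMappingPolicy("[Guest]", [
    (Rule("Authorization:AD:memberOf", "CONTAINS", "Staff"), "[Employee]"),
    (Rule("Radius:IETF:NAS-Port-Type", "EQUALS", "Ethernet"), "Wired-User"),
    (Rule("Authorization:AD:memberOf", "CONTAINS", "Admins"), "[Admin]"),
])

WIRED_REQUEST = {                      # constructed 802.1X wired request
    "Radius:IETF:User-Name": "alice",
    "Radius:IETF:NAS-Port-Type": "Ethernet",
    "Authorization:AD:memberOf": ["Staff", "Admins"],
}
HEALTH_REQUEST = {"Connection:Protocol": "WebAuth", "Host:CheckType": "Health"}


def simulate(request, services=SERVICES, policy=ROLE_POLICY):
    """Chained simulation: service categorization followed by role mapping."""
    return categorize(request, services), policy.evaluate(request)


if __name__ == "__main__":
    print(simulate(WIRED_REQUEST))   # ('802.1X Wired', ['[Employee]', 'Wired-User', '[Admin]'])
    print(simulate(HEALTH_REQUEST))  # ('Web-based Health Check Only', ['[Guest]'])
    # Moving the generic catch-all service to the top shadows the wired service.
    print(categorize(WIRED_REQUEST, reorder(SERVICES, "RADIUS Enforcement (Generic)", 0)))
```

The last call is the point of the Reordering Services section: a broadly matching service placed ahead of a specific one captures requests the specific one was meant to handle, so a catch-all service belongs at the bottom of the list.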
Chapter 7 Authentication and Authorization

As the first step in service-based processing, Policy Manager uses an Authentication Method to authenticate the user or device against an Authentication Source. After the user or device is authenticated, Policy Manager fetches attributes for role mapping policies from the Authorization Sources associated with this Authentication Source.

After Policy Manager successfully authenticates the user or device against an authentication source, it retrieves role mapping attributes from each of the authorization sources configured for that authentication source. It can also, optionally, retrieve attributes from authorization sources configured for the Service.

Figure 86: Authentication Components

From the Authentication tab of a service, you can configure three features of authentication:

Table 47: Authentication Features at the Service Level

Component: Sequence of Authentication Methods
Configuration Steps:
1. Select a Method, then select Move Up, Move Down, or Remove.
2. Select View Details to view the details of the selected method.
3. Select Modify to modify the selected authentication method.
In tunneled EAP methods, authentication and posture credential exchanges occur inside of a protected outer tunnel.
- "EAP-TLS" on page 146
- "EAP-TTLS" on page 148
- "MAC-AUTH" on page 149
- "MSCHAP" on page 150
- "PAP" on page 151

Figure 87: Add Authentication Method dialog box

Authorize

This is an authorization-only method that you can add with a custom name.

Figure 88: Add Authentication General tab

Table 49: Add Authentication General Tab Parameters

Name/Description: Freeform label and description.
Type: In this context, always Authorize.

CHAP and EAP-MD5

Policy Manager is preconfigured with CHAP and EAP-MD5 authentication methods. You can add CHAP and EAP-MD5 methods, and associate the new methods with a Service.

Figure 89: Add Authentication Method CHAP General tab

Figure 90: Add Authentication Method EAP-MD5 General tab
Table 50: Add Authentication Methods for CHAP and EAP-MD5 General tab Parameters

Name/Description: Freeform label and description.
Type: In this context, always CHAP or EAP-MD5.

EAP-FAST

The EAP-FAST method contains four tabs: General, Inner Methods, PACs, and PAC Provisioning. The PACs and PAC Provisioning tabs are only available when Using PACs is specified on the General tab for the End-Host Authentication setting.

Table 51: EAP_FAST General tab Parameters (Continued)

Session Resumption: Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval.
Session Timeout: Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval. If the session timeout value is set to 0, the cached sessions are not purged.

Figure 92: Add Authentication Inner Methods tab

To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds. To remove an inner method from the displayed list, select the method and click Remove. To set an inner method as the default (the method tried first), select it and click Default.
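The negotiation that the Service tab sections describe for outer methods (Policy Manager proposes its first configured method; the client accepts or sends a NAK proposing another) and that this tab describes for inner methods (a default tried first, then the rest in priority order) follow the same pattern, which the added example below models. This is not ClearPass code: the EAP type numbers are the IANA-assigned values, while the server method lists and client capabilities are constructed.

```python
"""EAP method negotiation as the guide describes it, modelled in Python.
Added example, not ClearPass Policy Manager code.  EAP type numbers are the
IANA-assigned values; the server method lists and client capabilities are
constructed.  The same routine serves an outer method list and an inner
method list (with a Default entry) because both are walked in priority order."""
from typing import Iterable, List, Optional, Tuple

EAP_TYPE = {          # IANA EAP method type numbers
    "EAP-MD5": 4, "EAP-GTC": 6, "EAP-TLS": 13, "EAP-TTLS": 21,
    "EAP-PEAP": 25, "EAP-MSCHAPv2": 26, "EAP-FAST": 43,
}


def negotiate(server_methods: List[str], client_supported: Iterable[str],
              default: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Return (agreed method or None, transcript of the exchange).

    The server proposes its first configured method (the one marked Default
    is tried first).  A client that does not support the proposal answers
    with a NAK listing the types it wants; the server then offers, in its own
    priority order, the next configured method the client supports.  If no
    configured method is acceptable the exchange ends in EAP-Failure.
    """
    order = list(server_methods)
    if default in order:
        order.remove(default)
        order.insert(0, default)
    client = set(client_supported)
    transcript: List[str] = []

    proposal = order[0]
    transcript.append(f"server -> EAP-Request type={EAP_TYPE[proposal]} ({proposal})")
    if proposal in client:
        transcript.append(f"client -> EAP-Response type={EAP_TYPE[proposal]} (accepted)")
        return proposal, transcript

    desired = sorted(EAP_TYPE[m] for m in client if m in EAP_TYPE)
    transcript.append(f"client -> EAP-Response Nak desired={desired}")
    # Fall back only to something the server itself has configured: the
    # configured list, not the client's wish list, sets the security floor.
    for candidate in order[1:]:
        if candidate in client:
            transcript.append(f"server -> EAP-Request type={EAP_TYPE[candidate]} ({candidate})")
            transcript.append(f"client -> EAP-Response type={EAP_TYPE[candidate]} (accepted)")
            return candidate, transcript
    transcript.append("server -> EAP-Failure (no method in common)")
    return None, transcript


if __name__ == "__main__":
    # Outer methods: PEAP is preferred, but a TLS-only client NAKs and gets TLS.
    for line in negotiate(["EAP-PEAP", "EAP-TLS", "EAP-MD5"], {"EAP-TLS"})[1]:
        print(line)
    # Inner methods: the Default entry is proposed before the rest of the list.
    print(negotiate(["EAP-GTC", "EAP-MSCHAPv2"], {"EAP-GTC", "EAP-MSCHAPv2"},
                    default="EAP-MSCHAPv2")[0])
```

The order of methods expresses preference only; the set of configured methods is what bounds the outcome. An EAP-MD5-only client still ends up on EAP-MD5 as long as that method remains in the list, and gets EAP-Failure once it is removed, which is the check to make when a weak method is being retired.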
Figure 93: EAP_FAST PACs Tab

To provision a Tunnel PAC on the end-host after initial successful machine authentication, specify the Tunnel PAC Expire Time (the time until the PAC expires and must be replaced by automatic or manual provisioning) in hours, days, weeks, months, or years. During authentication, Policy Manager can use the Tunnel PAC shared secret to create the outer EAP-FAST tunnel.

Figure 94: EAP_FAST PAC Provisioning tab

Table 52: EAP_FAST PAC Provisioning tab Parameters

Allow Anonymous Mode: When in anonymous mode, phase 0 of EAP-FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication (not as secure as the authenticated mode).

Table 52: EAP_FAST PAC Provisioning tab Parameters (Continued)

Accept end-host after authenticated provisioning: After the authenticated provisioning mode is complete and the end-host is provisioned with a PAC, Policy Manager rejects the end-host authentication; the end-host subsequently reauthenticates using the newly provisioned PAC. When this option is enabled, Policy Manager accepts the end-host authentication in the provisioning mode itself, and the end-host does not have to reauthenticate.
Table 53: EAP-GTC General Tab

Name/Description: Freeform label and description.
Type: In this context, always EAP-GTC.
Challenge: Specify an optional password.

EAP-MSCHAPv2

The EAP-MSCHAPv2 method contains one tab: General. This tab labels the method and defines session details.

Figure 96: EAP-MSCHAPv2 General Tab

Table 54: EAP-MSCHAPv2 General Tab

Name/Description: Freeform label and description.
Type: In this context, always EAP-MSCHAPv2.

Figure 97: EAP-PEAP General Tab

Table 55: EAP-PEAP General Tab

Name/Description: Freeform label and description.
Type: In this context, always EAP-PEAP.
Session Resumption: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.

Figure 98: EAP-PEAP Inner Methods Tab

Select any method available in the current context from the drop-down list. Additional functions available in this tab include:
- To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds.
- To remove an inner method from the displayed list, select the method and click Remove.

Figure 99: EAP-TLS General Tab

Table 56: EAP-TLS General Tab

Name/Description: Freeform label and description.
Type: In this context, always EAP_TLS.
Session Resumption: Caches EAP-TLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-TLS sessions.
Authorization Required: Specify whether to perform an authorization check.

Table 56: EAP-TLS General Tab (Continued)

Verify Certificate using OCSP: Select Optional or Required if the certificate should be verified by the Online Certificate Status Protocol (OCSP). Select None to not verify the certificate.
Override OCSP URL from the Client: Select this option if you want to use a different URL for OCSP. After this is enabled, you can enter a new URL in the OCSP URL field.

Table 57: EAP-TTLS General Tab (Continued)

Session Resumption: Caches EAP-TTLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-TTLS sessions.

Inner Methods Tab

The Inner Methods tab controls the inner authentication methods for the EAP-TTLS method:

Figure 101: EAP_TTLS Inner Methods Tab

Select any method available from the drop-down list.
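The Session Resumption and Session Timeout parameters of the EAP-FAST, EAP-PEAP, EAP-TLS and EAP-TTLS tables above share one semantic: a cached session may be resumed until the timeout (in hours) elapses, and a timeout of 0 means cached sessions are never purged. The added example below, which is not ClearPass code, implements a cache with exactly those rules; the clock is passed in explicitly so the behaviour can be checked deterministically, and the session identifiers and identities are constructed.

```python
"""A session resumption cache with the timeout semantics described above:
a cached session can be resumed until the timeout elapses, and a timeout of
0 means cached sessions are never purged.  Added example, not ClearPass code;
the clock is passed in explicitly so the behaviour is deterministic."""
from typing import Dict, Optional, Tuple

HOUR = 3600.0


class SessionCache:
    def __init__(self, timeout_hours: float):
        self.timeout = timeout_hours * HOUR            # 0 means "never expire"
        self._sessions: Dict[bytes, Tuple[str, float]] = {}  # id -> (identity, created_at)

    def store(self, session_id: bytes, identity: str, now: float) -> None:
        """Record a session after a successful full authentication."""
        self._sessions[session_id] = (identity, now)

    def _expired(self, created_at: float, now: float) -> bool:
        return self.timeout > 0 and now - created_at > self.timeout

    def resume(self, session_id: bytes, now: float) -> Optional[str]:
        """Return the cached identity if the session may be resumed, else None.

        A resumed session skips the full (inner) authentication, so the identity
        it carries is only as fresh as the last full authentication: a credential
        revoked since then stays usable until the cached session expires."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        identity, created_at = entry
        if self._expired(created_at, now):
            del self._sessions[session_id]
            return None
        return identity

    def purge(self, now: float) -> int:
        """Drop expired sessions and return how many were removed (always 0 when timeout is 0)."""
        stale = [sid for sid, (_, created) in self._sessions.items() if self._expired(created, now)]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def __len__(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    cache = SessionCache(timeout_hours=6)
    cache.store(b"sess-1", "alice@example.test", now=0.0)        # constructed values
    print(cache.resume(b"sess-1", now=5 * HOUR))                 # alice@example.test
    print(cache.resume(b"sess-1", now=7 * HOUR))                 # None (expired)
    forever = SessionCache(timeout_hours=0)
    forever.store(b"sess-2", "bob@example.test", now=0.0)
    print(forever.resume(b"sess-2", now=10 * 365 * 24 * HOUR))   # still resumable
```

The timeout-0 case is worth noticing operationally: with purging disabled, the cache only shrinks when sessions are explicitly removed, so a long-lived deployment keeps every resumable session, and its identity binding, indefinitely.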
Figure 102: MAC-AUTH General Tab

Table 58: MAC-Auth General Tab

Name/Description: Freeform label and description.
Type: In this context, always MAC-AUTH.
Allow Unknown End-Hosts: Enables further policy processing of MAC authentication requests from unknown clients. If this is not enabled, Policy Manager automatically rejects a request whose MAC address is not in a configured authentication source.

PAP

The PAP method contains one tab: General. This tab labels the method and defines session details. From this tab, you also specify the PAP encryption scheme.

Figure 104: PAP General Tab

Table 60: PAP General Tab

Name/Description: Freeform label and description.
Type: In this context, always PAP.
Encryption Scheme: Select the PAP authentication encryption scheme. Supported schemes are: Clear, Crypt, MD5, SHA1 and Aruba-SSO.
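The Encryption Scheme setting determines how the stored credential is compared with the cleartext password that PAP delivers. The added example below, which is not ClearPass code, verifies a PAP password against a stored value under the Clear, Crypt, MD5 and SHA1 schemes; the stored values are constructed, the Aruba-SSO scheme is omitted because its format is not described on this page, and Crypt relies on the platform crypt(3) through Python's crypt module where that module is still available.

```python
"""Verifying a PAP password against a stored credential under the encryption
schemes listed above.  Added example, not ClearPass code: scheme names are the
guide's, stored values are constructed, Aruba-SSO is omitted because its
format is not described on this page."""
import hashlib
import hmac

try:
    import crypt  # crypt(3) wrapper: deprecated in Python 3.11 and removed in 3.13
except ImportError:
    crypt = None

SCHEMES = ("Clear", "Crypt", "MD5", "SHA1")


def store_pap(password: str, scheme: str) -> str:
    """Return the stored form of `password` under the given PAP encryption scheme."""
    data = password.encode("utf-8")
    if scheme == "Clear":
        return password
    if scheme == "MD5":
        return hashlib.md5(data).hexdigest()          # unsalted digest
    if scheme == "SHA1":
        return hashlib.sha1(data).hexdigest()         # unsalted digest
    if scheme == "Crypt":
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        return crypt.crypt(password, crypt.mksalt())  # salted; the salt is part of the stored value
    raise ValueError(f"unsupported PAP encryption scheme: {scheme!r}")


def verify_pap(password: str, stored: str, scheme: str) -> bool:
    """Check a submitted PAP password against the stored value in constant time."""
    if scheme == "Crypt":
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        candidate = crypt.crypt(password, stored)     # the salt is recovered from `stored`
    else:
        candidate = store_pap(password, scheme)
    if scheme in ("MD5", "SHA1"):
        stored = stored.strip().lower()               # hex digests compare case-insensitively
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def is_salted(scheme: str) -> bool:
    """Only Crypt salts: under Clear, MD5 and SHA1, equal passwords give equal stored values."""
    return scheme == "Crypt"


if __name__ == "__main__":
    stored_md5 = store_pap("secret", "MD5")           # constructed credential
    print(stored_md5)                                 # 5ebe2294ecd0e0f08eab7690d2a6ee69
    print(verify_pap("secret", stored_md5, "MD5"))    # True
    print(verify_pap("Secret", stored_md5, "MD5"))    # False
```

Two properties matter when choosing the scheme: the comparison must not leak timing (hence hmac.compare_digest rather than ==), and MD5 and SHA1 here are plain unsalted digests of the password, so two accounts with the same password store the same value and a leaked store is directly searchable; only Crypt carries a per-entry salt.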
l "Okta" on page 174 l "Static Host List" on page 177 l "Token Server" on page 179 Figure 105: Authentication Sources Listing Page After you click Add Authentication Source from any of these locations, Policy Manager displays the Add page. Depending on the Authentication Source selected, different tabs and fields appear.
General Tab The General tab labels the authentication source and defines session details. Figure 107: Generic LDAP or Active Directory (General Tab) Table 61: Generic LDAP or Active Directory (General Tab) Parameter Description Name/Description Freeform label and description. Type In this context, General LDAP or Active Directory. Use for Authorization This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Table 61: Generic LDAP or Active Directory (General Tab) (Continued) Parameter Description Server Timeout The number of seconds that Policy Manager waits before considering this server unreachable. If multiple backup servers are available, then this value indicates the number of seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers in the order in which they are configured.
Parameter Connection Security Description l l l Select None for default non-secure connection (usually port 389). Select StartTLS for secure connection that is negotiated over the standard LDAP port. This is the preferred way to connect to an LDAP directory securely. Select LDAP over SSL or AD over SSL to choose the legacy way of securely connecting to an LDAP directory. Port 636 must be used for this type of connection.
Parameter Description Base DN Enter DN of the node in your directory tree from which to start searching for records. After you have entered values for the fields described above, click on Search Base DN to browse the directory hierarchy. The LDAP Browser opens. You can navigate to the DN that you want to use as the Base DN. Click on any node in the tree structure that is displayed to select it as a Base DN. Note that the Base DN is displayed at the top of the LDAP Browser.
- Password Type (Available only for Generic LDAP): Specify whether the password type is Cleartext, NT Hash, or LM Hash.
- Password Header (Available only for Generic LDAP): Oracle's LDAP implementation prepends a header to a hashed password string. If using Oracle LDAP, enter the header in this field so the hashed password can be correctly identified and read.
- User Certificate: Enter the name of the attribute in the user record from which the user certificate can be retrieved.
Table 63: AD/LDAP Attributes Tab (Filter Listing Screen)
- Filter Name / Attribute Name / Alias Name / Enable as Role: Listing column descriptions:
  - Filter Name: Name of the filter.
  - Attribute Name: Name of the LDAP/AD attributes defined for this filter.
  - Alias Name: For each attribute name selected for the filter, you can specify an alias name.
  - Enabled As: Specify whether the value is to be used directly as a role or as an attribute in an Enforcement Policy.
Table 64: AD/LDAP Default Filters Explained
- Active Directory, Default Filters:
  - Authentication: This is the filter used for authentication. The query searches in objectClass of type user. This query finds both user and machine accounts in Active Directory:
    (&(objectClass=user)(sAMAccountName=%{Authentication:Username}))
    After a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
Table 64: AD/LDAP Default Filters Explained (Continued)
- Generic LDAP Directory, Default Filters:
  - Authentication: This is the filter used for authentication.
    (&(objectClass=*)(uid=%{Authentication:Username}))
    When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
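The two default filters above are templates: the %{Authentication:Username} token is replaced with a session attribute when a request arrives. The following added example (not Policy Manager's own code; the guide does not say how the product escapes values) renders such a template from a session dictionary and escapes the substituted value per RFC 4515, and contrasts that with a naive substitution so the effect of an unescaped username on the filter structure is visible. The session layout and the helper names are assumptions.

```python
import re

# Default filter templates as they appear in Table 64.
AD_AUTH_FILTER = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
LDAP_AUTH_FILTER = "(&(objectClass=*)(uid=%{Authentication:Username}))"

# %{Namespace:Name} token, e.g. %{Authentication:Username}
_TOKEN = re.compile(r"%\{([^:}]+):([^}]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters \\ * ( ) and NUL are replaced by a backslash followed by
    their two-digit hex code, so they are treated as literal characters
    rather than filter syntax.
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, session: dict) -> str:
    """Substitute every %{Namespace:Name} token with the escaped session value.

    `session` is an assumed layout: {"Authentication": {"Username": "alice"}}.
    """
    def substitute(match):
        namespace, name = match.group(1), match.group(2)
        try:
            raw = session[namespace][name]
        except KeyError:
            raise KeyError("session has no attribute %s:%s" % (namespace, name))
        return escape_filter_value(raw)

    return _TOKEN.sub(substitute, template)


def render_filter_naive(template: str, session: dict) -> str:
    """Same substitution without escaping, shown only for comparison."""
    return _TOKEN.sub(lambda m: session[m.group(1)][m.group(2)], template)


def top_level_clauses(ldap_filter: str) -> list:
    """Split an AND filter of the form (&(a)(b)...) into its clause strings.

    Used to show how many clauses the directory would actually evaluate.
    Backslash-escaped characters do not affect the parenthesis depth.
    """
    assert ldap_filter.startswith("(&") and ldap_filter.endswith(")")
    body = ldap_filter[2:-1]
    clauses, depth, start, i = [], 0, None, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 3  # skip the escaped hex pair
            continue
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                clauses.append(body[start:i + 1])
        i += 1
    return clauses


if __name__ == "__main__":
    # Constructed session values: a user, a machine account, and a username
    # that contains filter metacharacters.
    for username in ("alice", "WS01$", "alice)(objectClass=*"):
        session = {"Authentication": {"Username": username}}
        print(render_filter(AD_AUTH_FILTER, session))
        print("  clauses:", len(top_level_clauses(render_filter(AD_AUTH_FILTER, session))))
```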
Table 65: AD/LDAP Configure Filter Popup (Browse Tab)
- Find Node / Go: Go directly to a given node by entering its Distinguished Name (DN) and clicking the Go button.

Filter Tab
The Filter tab provides an LDAP browser interface to define the filter search query. Through this interface you can define the attributes used in the filter query.
Table 66: Configure Filter Popup (Filter Tab) (Continued)
- Select the attributes for filter: This table has a name column and a value column. There are two ways to enter the attribute name:
  - By going to a node of interest, inspecting the attributes, and then manually entering the attribute name by clicking Click to add... in the table row.
  - By clicking an attribute on the right-hand side of the LDAP browser. The attribute name and value are automatically populated in the table.
Table 67: Filter Creation Steps (Continued)
- Step 3: Enter value (optional). After Step 3, you have values for a specific record (Alice's record, in this case). Change the value to a dynamic session attribute that will help Policy Manager to associate a session with a specific record in LDAP/AD. For example, if you selected the sAMAccountName attribute in AD, click on the value field and select %{Authentication:Username}.
Table 68: AD/LDAP Configure Filter Popup (Attributes Tab) (Continued)
- Execute: After you have entered the values for all dynamic parameters, click Execute to execute the filter query. You see all entries that match the filter query. Click one of the entries (nodes) to see the list of attributes for that node. You can now click the attribute names that you want to use as role mapping attributes.
Figure 115: Modify Default Filters

The attributes that are defined for the authentication source show up as attributes in the role mapping policy rules editor under the authorization source namespace. On the Role Mappings Rules Editor page, the Operator values that display are based on the Data type specified here. If, for example, you modify the Active Directory department attribute to be an Integer rather than a String, then the list of Operator values will populate with values that are specific to Integers.
Figure 116: Generic SQL DB (General Tab)

Table 69: Generic SQL DB (General Tab)
- Name/Description: Freeform label and description.
- Type: In this context, Generic SQL DB.
- Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Primary Tab
The Primary tab defines the settings for the primary server.

Figure 117: Generic SQL DB (Primary Tab)

Table 70: Generic SQL DB (Primary Tab)
- Server Name: Enter the hostname or IP address of the database server.
- Port (Optional): Specify a port value if you want to override the default port.
- Database Name: Enter the name of the database to retrieve records from.
- Login Username/Password: Enter the name of the user used to log into the database.
Attributes Tab
The Attributes tab defines the SQL DB query filters and the attributes to be fetched by using those filters.

Figure 118: Generic SQL DB (Attributes Tab)

Table 71: Generic SQL DB Attributes Tab (Filter List)
- Filter Name / Attribute Name / Alias Name / Enabled As: Listing column descriptions:
  - Filter Name: Name of the filter.
  - Attribute Name: Name of the SQL DB attributes defined for this filter.
- Filter Query: A SQL query to fetch the attributes from the user or device record in the DB.
- Name / Alias Name / Data Type / Enabled As:
  - Name: This is the name of the attribute.
  - Alias Name: A friendly name for the attribute. By default, this is the same as the attribute name.
  - Data Type: Specify the data type for this attribute, such as String, Integer, Boolean, etc.
  - Enabled As: Specify whether this value is to be used directly as a role or as an attribute in an Enforcement Policy.
Figure 120: HTTP (General Tab)

Table 73: HTTP (General Tab)
- Name/Description: Freeform label and description.
- Type: In this context, HTTP.
- Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Figure 121: HTTP (Primary Tab)

Table 74: HTTP (Primary Tab)
- Base URL: Enter the base URL (host name) or IP address of the HTTP server. For example: http:// or :xxxx where xxxx is the port to access the HTTP Server.
- Login Username/Password: Enter the name of the user used to log into the database. This account should have read access to all the attributes that need to be retrieved by the specified filters.
Figure 123: HTTP Filter Configure Popup

Table 76: HTTP Configure Filter Popup
- Filter Name: Name of the filter.
- Filter Query: The HTTP path (without the server name) to fetch the attributes from the HTTP server. For example, if the full path name to the filter is http server URL = http://:xxxx/abc/def/xyz, you enter /abc/def/xyz.
- Name / Alias Name / Data Type / Enabled As:
  - Name: This is the name of the attribute.
  - Alias Name: A friendly name for the attribute.
details.

Figure 124: Kerberos General Tab

Table 77: Kerberos (General tab)
- Name/Description: Freeform label and description.
- Type: In this context, Kerberos.
- Use for Authorization: Disabled in this context.
- Authorization Sources: You must specify one or more authorization sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list, and click Add to add it to the list of authorization sources.
Figure 125: Kerberos (Primary Tab)

Table 78: Kerberos (Primary Tab)
- Hostname/Port: Host name or IP address of the Kerberos server, and the port at which the token server listens for Kerberos connections. The default port is 88.
- Realm: The domain of authentication. In the case of Kerberos, this is the Kerberos domain.
- Service Principal Name: The identity of the service principal as configured in the Kerberos server.
- Service Principal Password: Password for the service principal.
General Tab

Figure 126: Okta General Tab

Table 79: Okta (General tab)
- Name/Description: Freeform label and description.
- Type: In this context, Okta.
- Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.
Primary Tab

Figure 127: Okta Primary Tab

Table 80: Okta (Primary Tab)
- URL: Enter the address of the Okta server.
- Authorization Token: Enter the authorization token as provided by Okta support.

Attributes Tab

Figure 128: Okta Attributes Tab

Table 81: Okta (Attributes Tab)
- Filter Name / Attribute Name / Alias Name / Enable as Role: Listing column descriptions:
  - Filter Name: Name of the filter. (Only Group can be configured for Okta.
Figure 129: Okta Filter Configure Popup

Table 82: Okta Configure Filter Popup
- Filter Name: Name of the filter.
- Filter Query: A SQL query to fetch the attributes from the user or device record in the DB.
- Name / Alias Name / Data Type / Enabled As:
  - Name: This is the name of the attribute.
  - Alias Name: A friendly name for the attribute. By default, this is the same as the attribute name.
  - Data Type: Specify the data type for this attribute, such as String, Integer, Boolean, etc.
General Tab
The General tab labels the authentication source.

Figure 130: Static Host List (General Tab)

Table 83: Static Host List (General Tab)
- Name/Description: Freeform label.
- Type: Static Host List, in this context.
- Use for Authorization/Authorization Sources: These options are not configurable.

Static Host Lists Tab
The Static Host Lists tab defines the list of static hosts to be included as part of the authorization source.
Token Server
Policy Manager can perform GTC authentication against any token server that can authenticate users by acting as a RADIUS server (e.g., RSA SecurID Token Server). It can authenticate users against the token server and fetch role mapping attributes from any other configured Authorization Source. Pair this Source type with an authorization source (identity store) containing user records.
Table 85: Token Server General tab Parameters (Continued)
- Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source (if this setting is enabled).
Table 86: Token Server (Primary Tab)
- Server Name/Port: Host name or IP address of the token server, and the UDP port at which the token server listens for RADIUS connections. The default port is 1812.
- Secret: RADIUS shared secret to connect to the token server.

Attributes Tab
The Attributes tab defines the RADIUS attributes to be fetched from the token server. These attributes can be used in role mapping policies.
Chapter 8 Identity

Roles can range in complexity from a simple user group (e.g., Finance, Engineering, or Human Resources) to a combination of a user group with some dynamic constraints (e.g., "San Jose Night Shift Worker": an employee in the Engineering department who logs in through the San Jose network device between 8 PM and 5 AM on weekdays). It can also apply to a list of users.
other database); by way of an example of such a class of users, guest or contractor records can be stored in the local user repository. To authenticate local users from a particular Service, include [Local User Repository] among the Authentication Sources.

The Single Sign-On page allows you to enable access for Insight, Guest, and/or Policy Manager using a trusted IdP certificate. The Local Users page configures role-based access for individual users.
Figure 136: Single Sign-On - SAML SP Configuration tab

Figure 137: Single Sign-On SAML IdP Configuration tab

Adding and Modifying Local Users
Policy Manager lists all local users in the Local Users page.
- To add a local user, click Add to display the Add Local User popup.
- To edit a local user, in the Local Users listing page, click on the name to display the Edit Local User popup.
- To delete a local user, in the Local Users listing page, select it (via the check box) and click Delete.
Figure 138: Local Users Listing

Figure 139: Add Local User page

Table 87: Add Local User Page Parameters
- User ID / Name / Password / Verify Password: Freeform labels and password.
- Enable User: Uncheck to disable this user account.
- Role: Select a static role for this local user.
Table 87: Add Local User Page Parameters (Continued)
- Attributes: Add custom attributes for this local user. Click on the "Click to add..." row to add custom attributes. By default, four custom attributes appear in the Attribute drop-down list: Phone, Email, Sponsor, Designation. You can enter any name in the attribute field. All attributes are of String datatype. The value field can also be populated with any string.
Figure 142: Add Endpoint Page

Table 88: Add Endpoint Page Parameters
- MAC Address: MAC address of the endpoint.
- Description: Specify the description of the endpoint.
- Status: Mark as Known, Unknown or Disabled client. The Known and Unknown status can be used in role mapping rules via the Authentication:MacAuth attribute. The Disabled status can be used to block access to a specific endpoint.
Figure 143: Endpoint Popup

Additional Available Tasks
- To delete an endpoint, in the Endpoints listing page, select it (using the check box) and click the Delete button.
- To export an endpoint, in the Endpoints listing page, select it (using the check box) and click the Export button.
- To export ALL endpoints, in the Endpoints listing page, click the Export All link in the upper right corner of the page.
Figure 145: Add Static Host List Page

Table 89: Add Static Host List Page Parameters
- Name/Description: Freeform labels and descriptions.
- Host Format: Select a format for expression of the address: subnet, IP address or regular expression.
- Host Type: Select a host type: IP Address or MAC Address (radio buttons).
- List: Use the Add Host and Remove Host widgets to maintain membership in the current Static Host List.
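To make the Host Format and Host Type combinations in Table 89 concrete, here is an added example (not Policy Manager code) that stores a Static Host List with those two settings and tests whether a given endpoint address is a member. It assumes that a subnet entry applies only to the IP Address host type, and that a regular expression for a MAC host is matched against the MAC normalized to twelve lowercase hex digits; neither detail is stated by the guide.

```python
import ipaddress
import re

HOST_TYPES = ("IP Address", "MAC Address")
HOST_FORMATS = ("subnet", "IP address", "regular expression")


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation (00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc,
    0011.22aa.bbcc) to twelve lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


class StaticHostList:
    """Membership test for one Static Host List (fields of Table 89).

    host_type   : "IP Address" or "MAC Address"
    host_format : "subnet", "IP address" or "regular expression"
    entries     : the hosts maintained with Add Host / Remove Host
    """

    def __init__(self, name, host_type, host_format, entries):
        if host_type not in HOST_TYPES:
            raise ValueError("unknown host type %r" % host_type)
        if host_format not in HOST_FORMATS:
            raise ValueError("unknown host format %r" % host_format)
        if host_type == "MAC Address" and host_format == "subnet":
            # assumption: a subnet has no meaning for MAC hosts
            raise ValueError("subnet format applies to IP hosts only")
        self.name = name
        self.host_type = host_type
        self.host_format = host_format
        self.entries = [self._parse(e) for e in entries]

    def _parse(self, entry):
        if self.host_format == "regular expression":
            return re.compile(entry)
        if self.host_format == "subnet":
            return ipaddress.ip_network(entry, strict=False)
        if self.host_type == "IP Address":
            return ipaddress.ip_address(entry)
        return normalize_mac(entry)

    def contains(self, value: str) -> bool:
        """True if `value` (an IP or MAC, per host_type) is in the list."""
        if self.host_type == "IP Address":
            addr = ipaddress.ip_address(value)
            for entry in self.entries:
                if self.host_format == "regular expression":
                    if entry.fullmatch(str(addr)):
                        return True
                elif self.host_format == "subnet":
                    if addr in entry:
                        return True
                elif addr == entry:
                    return True
            return False
        mac = normalize_mac(value)
        for entry in self.entries:
            if self.host_format == "regular expression":
                if entry.fullmatch(mac):  # matched against normalized form
                    return True
            elif entry == mac:
                return True
        return False


# Constructed sample lists
PRINTER_SUBNETS = StaticHostList("Printers", "IP Address", "subnet",
                                 ["10.1.2.0/24", "192.168.0.0/16"])
LAB_IP_PATTERN = StaticHostList("Lab", "IP Address", "regular expression",
                                [r"10\.1\.(2|3)\.\d+"])
KNOWN_PHONES = StaticHostList("Phones", "MAC Address", "IP address",
                              ["00-11-22-AA-BB-CC", "0011.22aa.bbcd"])
VENDOR_OUI = StaticHostList("Vendor OUI", "MAC Address", "regular expression",
                            [r"001122[0-9a-f]{6}"])

if __name__ == "__main__":
    print(PRINTER_SUBNETS.contains("10.1.2.77"), KNOWN_PHONES.contains("00:11:22:aa:bb:cc"))
```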
Configuring a Role Mapping Policy
After authenticating a request, a Policy Manager Service invokes its Role Mapping Policy, resulting in the assignment of one or more roles to the client. This role becomes the identity component of Enforcement Policy decisions. A service can be configured without a Role Mapping Policy, but only one Role Mapping Policy can be configured for each service.
Figure 147: Add New Role Page

Table 90: Add New Role Page Parameters
- Role Name/Description: Freeform label and description.

Adding and Modifying Role Mapping Policies
From the Services page (Configuration > Service), you can configure role mapping for a new service (as part of the flow of the Add Service wizard), or modify an existing role mapping policy directly (from the Configuration > Identity > Role Mappings page).
Figure 149: Role Mappings (Policy Tab)

Table 91: Role Mappings (Policy tab) Parameters
- Policy Name/Description: Freeform label and description.
- Default Role: Select the role to which Policy Manager will default when the role mapping policy does not produce a match.
- View Details / Modify / Add new Role: Click View Details to view the details of the default role. Click Modify to modify the default role. Click Add new Role to add a new role.
Figure 151: Rules Editor Page

Table 92: Role Mappings Page (Rules Editor) Page Parameters
- Type: The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on context. (Refer to "Namespaces" on page 449.
The Operator values that display for each Type and Name are based on the data type specified for the Authentication Source (from the Configuration > Authentication > Sources page). If, for example, you modify the UserDN Data type on the Authentication Sources page to be an Integer rather than a string, then the list of Operator values here will populate with values that are specific to Integers. After you save your Role Mapping configuration, it appears in the Mapping Rules list.
Chapter 9 Posture

Policy Manager provides several posture methods to evaluate the health of the clients that request access. These methods all return Posture Tokens (e.g., Healthy, Quarantine) for use by Policy Manager as input into the Enforcement Policy. One or more posture methods can be associated with a Service.
Figure 152: Posture Evaluation Process

Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
- Operating system version/type
- Registry keys/services present (or absent)
- Antivirus/antispyware/firewall configuration
- Patch level of different software components
- Peer to Peer application checks
- Services to be running or not running
- Processes to be running or not running

Each configured health check ret
Upon completion of all configured posture checks, Policy Manager evaluates all application tokens and calculates a system token, equivalent to the most restrictive rating for all returned application tokens. The system token provides the health posture component for input to the Enforcement Policy. A Service can also be configured without any Posture policy.

Configuring Posture
The following image displays how to configure Posture at the Service level.
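The following added example (not Policy Manager code) walks through the evaluation just described: several health checks in the categories the chapter lists each return an application token for a constructed endpoint, and the system token is the most restrictive of them, or None when the service has no posture policy. The guide names only the Healthy and Quarantine tokens; the other token names, their ordering, and the per-check policies (for example, treating stale antivirus definitions as a Checkup rather than a Quarantine) are assumptions.

```python
# Posture tokens ordered from least to most restrictive (ordering assumed).
TOKEN_ORDER = ("HEALTHY", "CHECKUP", "TRANSITION", "QUARANTINE", "INFECTED", "UNKNOWN")
RANK = {token: i for i, token in enumerate(TOKEN_ORDER)}


def most_restrictive(tokens):
    """System token = the most restrictive of all application tokens.

    Returns None when no posture checks ran (service without a posture policy).
    """
    tokens = list(tokens)
    if not tokens:
        return None
    for t in tokens:
        if t not in RANK:
            raise ValueError("unknown posture token %r" % t)
    return max(tokens, key=lambda t: RANK[t])


# Hypothetical health checks, one per category from the chapter's list.
def check_firewall(ep):
    return "HEALTHY" if ep.get("firewall_enabled") else "QUARANTINE"


def check_antivirus(ep, max_definition_age_days=7):
    av = ep.get("antivirus") or {}
    if not av.get("running"):
        return "QUARANTINE"
    age = av.get("definitions_age_days", 10**6)
    return "HEALTHY" if age <= max_definition_age_days else "CHECKUP"


def check_services(ep, must_run=(), must_stop=()):
    running = set(ep.get("services_running", ()))
    if any(s not in running for s in must_run) or any(s in running for s in must_stop):
        return "QUARANTINE"
    return "HEALTHY"


def check_processes_absent(ep, forbidden=()):
    procs = {p.lower() for p in ep.get("processes", ())}
    return "QUARANTINE" if any(p.lower() in procs for p in forbidden) else "HEALTHY"


def check_registry(ep, present=(), absent=()):
    keys = set(ep.get("registry_keys", ()))
    if any(k not in keys for k in present) or any(k in keys for k in absent):
        return "QUARANTINE"
    return "HEALTHY"


def evaluate_posture(ep, checks):
    """Run every configured check; return (application tokens, system token)."""
    app_tokens = {name: fn(ep) for name, fn in checks}
    return app_tokens, most_restrictive(app_tokens.values())


# Constructed sample health data for one endpoint.
SAMPLE_ENDPOINT = {
    "firewall_enabled": True,
    "antivirus": {"running": True, "definitions_age_days": 12},
    "services_running": ["wuauserv", "Spooler"],
    "processes": ["explorer.exe", "notepad.exe"],
    "registry_keys": [r"HKEY_LOCAL_MACHINE\SOFTWARE\Corp\Managed"],
}

# Constructed posture policy: which checks the service runs and with what settings.
CONFIGURED_CHECKS = [
    ("firewall", check_firewall),
    ("antivirus", check_antivirus),
    ("services", lambda ep: check_services(ep, must_run=("wuauserv",), must_stop=("telnet",))),
    ("processes", lambda ep: check_processes_absent(ep, forbidden=("bittorrent.exe",))),
    ("registry", lambda ep: check_registry(ep, present=(r"HKEY_LOCAL_MACHINE\SOFTWARE\Corp\Managed",))),
]

if __name__ == "__main__":
    app_tokens, system_token = evaluate_posture(SAMPLE_ENDPOINT, CONFIGURED_CHECKS)
    print(app_tokens, "->", system_token)
```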
Table 93: Posture Features at the Service Level (Continued)
- Remediation URL: This URL defines where to send additional remediation information to endpoints.
- Sequence of Posture Servers: Select a Posture Server, then select Move Up, Move Down, Remove, or View Details.
  - To add a previously configured Posture Server, select it from the Select drop-down list, then click Add.
Table 94: NAP Agent Posture Plugins for Windows Operating Systems (Continued)
- Windows System Health Validator: The Windows System Health Validator parameters permit or deny client computers to connect to your network, and restrict access to client computers that have a Service Pack less than Service Pack x.
Table 95: NAP Agent Posture Plugins for Linux Operating Systems (Continued)
- AntiVirus: Enable or disable the AntiVirus check, configure auto remediation and user notification, and add product-specific checks. (Linux OS version columns: yes, yes, yes, yes)
- Firewall: Enable or disable the Firewall check, configure remediation checks, configure which UDP and TCP ports to open, and which TCP and UDP ports to block or open.
Table 96: OnGuard Agent Validator Supported Windows Operating Systems (Continued)
- ClearPass Windows Universal System Health Validator: The configurable parameter categories for this validator are Services, Processes, Registry Keys, AntiVirus, AntiSpyware, Firewall, Peer To Peer, Patch Management, Windows HotFixes, USB Devices, Virtual Machines, Network Connections, Disk Encryption, and Installed Applications.
Table 96: OnGuard Agent Validator Supported Windows Operating Systems (Continued)
- Windows Security Health Validator: The configurable parameter categories for this validator allow you to configure parameters that permit or deny client computers access to your network, subject to checks of the client's system for Firewall, Virus Protection, Spyware Protection, Automatic Updates, and Security Updates*.
ClearPass Windows Universal System Health Validator - NAP Agent
The ClearPass Windows Universal System Health Validator - NAP Agent popup appears in response to actions in the Posture Plugins page of the Posture configuration page if you select Windows and NAP Agent. The OnGuard Agent version of the ClearPass Windows Universal System Health Validator supports all the features supported by the OnGuard Agent validator.
Table 98: Services View (Continued)
- Insert: To add a service to the list of selectable services, enter its name in the text box adjacent to this button, then click Insert.
- Delete: To remove a service from the list of selectable services, select it and click Delete.

The last option, located at the bottom of the list of Linux versions, is the General Configuration section. This section contains two pages: Firewall Check and Antivirus Check.
Figure 157: Antivirus Check view

When you save your Antivirus configuration, it appears in the Antivirus page list.

Figure 158: Antivirus Check

Table 99: Antivirus Check Interface
- Antivirus Main view, Add: To configure Antivirus application attributes for testing against health data, click Add.
- Antivirus Main view, Trashcan icon: To remove configured Antivirus application attributes from the list, click the trashcan icon in that row.
Figure 159: Windows System Health Validator (Overview)

Windows Security Health Validator - NAP Agent
This validator checks for the presence of specific types of security applications. An administrator can use the check boxes to restrict access based on the absence of the selected security application types.
ClearPass Mac OS X Universal System Health Validator - OnGuard Agent
The ClearPass Mac OS X Universal System Health Validator popup appears after you click Configure in the Posture Plugins tab of the Posture configuration. Select a check box to enable checks for Mac OS X. Enabling these check boxes displays a corresponding set of configuration pages that are described in the following sections.
Figure 162: Services Configuration Page

Processes
The Processes page provides a set of components for specifying processes that must be explicitly present or absent on the system.

Figure 163: Processes Page

Figure 164: Processes Add Page

Antivirus
In the Antivirus page, you can specify that an Antivirus application must be on, and drill down to specify information about the Antivirus application. Click An Antivirus Application is On to configure the Antivirus application information.
Click Add to specify product and version check information.

Figure 166: Antivirus Page (Detail 2)

When you save your Antivirus configuration, it appears in the Antivirus page list. See "ClearPass Windows Universal System Health Validator - OnGuard Agent" on page 215 for antivirus page and field descriptions.

AntiSpyware
In the AntiSpyware page, an administrator can specify that an Antispyware application must be on, and drill down to specify information about the Antispyware application.
Figure 168: AntiSpyware Add Page

In the Antispyware page, click An Antispyware Application is On to configure the Antispyware application information. See the Antivirus configuration details above for a description of the different configuration elements. When you save your Antispyware configuration, it appears in the Antispyware page list. The configuration elements are the same for anti-virus and antispyware products. Refer to the anti-virus configuration instructions above.
Patch Management
In the Patch Management page, you can view or add the patch management product, and configure the Auto Remediation and User Notification features.

Figure 171: Patch Management Overview

Figure 172: Patch Management Add Page

Peer To Peer
The Peer To Peer page provides a set of widgets for specifying peer to peer applications or networks that must be explicitly stopped. When you select a peer to peer network, all applications that make use of that network are stopped.
Figure 174: Virtual Machine Page

Network Connections
The Network Connections page provides configuration to control network connections based on connection type. Select the Check for Network Connection Types check box, and then click Configure to specify the type of connection that you want to include.
Figure 178: Disk Encryption Add Page

Installed Applications
The Installed Applications category groups classes that represent software-related objects. In the Installed Applications page, you can turn on the installed applications check and specify information about which installed applications you want to monitor. You can take the following actions:
- Specify installed applications to monitor on a mandatory basis.
- Specify installed applications to be monitored on an optional basis.
Figure 181: ClearPass Windows Universal System Health Validator

Select a version of Windows and click the check box to enable checks for that version. Enabling checks for a specific version displays the following set of configuration pages. These pages are explained in the following sections.
Figure 182: Services Page

Table 100: Services Page
- Auto Remediation: Enable to allow auto remediation for service checks (automatically stop or start services based on the entries in the Services to run and Services to stop configuration).
- User Notification: Enable to allow user notifications for service check policy violations.
Table 101: Process Page (Overview - Pre-Add)
- Auto Remediation: Enable to allow auto remediation for registry checks (automatically add or remove registry keys based on the entries in the Registry keys to be present and Registry keys to be absent configuration).
- User Notification: Enable to allow user notifications for registry check policy violations.
Figure 185: Process to be Absent Page (Detail)

Table 103: Process to be Absent Page (Detail)
- Check Type: Select the type of process check to perform. The agent can look for:
  - Process Name: The agent looks for all processes that match the given name. For example, if notepad.exe is specified, the agent kills all processes whose name matches, regardless of the location from which these processes were started.
- Enter the Display name
Figure 186: Process Page (Overview - Post Add)

Registry Keys
The Registry Keys page allows you to specify which registry keys are to be explicitly present or absent.

Figure 187: Registry Keys Page (Overview)

Table 104: Registry Keys Page (Overview - Pre-Add)
- Auto Remediation: Enable auto remediation for registry checks.
Click Add to display the Registry page detail.

Registry Keys to be Absent

Figure 188: Registry Keys Page (Detail)

Table 105: Registry Keys Page (Detail)
- Select the Registry Hive: Specify the registry hive from the following options:
  - HKEY_CLASSES_ROOT
  - HKEY_CURRENT_USER
  - HKEY_LOCAL_MACHINE
  - HKEY_USERS
  - HKEY_CURRENT_CONFIG
- Enter the Registry key: Specify the registry key using the examples given in the GUI.
- Enter the Registry value name: Specify the name of the registry value.
Figure 189: Registry Keys Page (Overview - Post Add)

AntiVirus
In the Antivirus page, you can turn on an Antivirus application check. Click An anti-virus application is on to configure the Antivirus application information.

Figure 190: Antivirus Page (Overview - Before)

When enabled, the Antivirus detail page appears.

Figure 191: Antivirus Page (Detail 1)

Click Add to specify product and version check information.
Figure 193: Antivirus Page (Overview - After)

Table 106: Antivirus Page Interface
- An Antivirus Application is On: Click Antivirus application is on to enable testing of health data for the configured Antivirus application(s).
- Auto Remediation: Check the Auto Remediation check box to enable auto remediation of anti-virus status.
- User Notification
- Display Update URL
Figure 194: AntiSpyware Page (Overview Before)

When enabled, the AntiSpyware detail page appears.

Figure 195: AntiSpyware Page (Detail 1)

Click Add to specify product and version check information.

Figure 196: AntiSpyware Page (Detail 2)

Figure 197: AntiSpyware Page (Overview After)

When you save your AntiSpyware configuration, it appears in the AntiSpyware page list. The configuration elements are the same for antivirus and antispyware products.
Figure 199: Firewall Page (Detail 1)

When enabled, the Firewall detail page appears.

Figure 200: Firewall Page (Detail 2)

When you save your Firewall configuration, it appears in the Firewall page list.
Peer To Peer
The Peer To Peer page provides a set of widgets for specifying peer to peer applications or networks that must be explicitly stopped. When you select a peer to peer network, all applications that make use of that network are stopped.

Figure 202: Peer to Peer Page

Table 108: Peer to Peer Page
- Auto Remediation: Enable to allow auto remediation for peer to peer checks (automatically stop peer to peer applications based on the entries in the Applications to stop configuration).
Figure 205: Patch Management Page (Detail 2)

When you save your patches configuration, it appears in the Patch Management page list.
Table 109: Patch Management Page (Continued)
- Patch Management Page (Detail 2), Product/Version: Configure the settings to test against health data. Not all checks are available for every product; where checks are not available, they are shown in a disabled state on the UI.
  - Select Patch Management product: Select a vendor. This option is only enabled if the Product-specific checks check box is checked.
  - Product version is at least: Enter the version number.
Table 110: Windows Hotfixes
- Auto Remediation: Enable to allow auto remediation for hotfix checks (automatically trigger updates of the specified hotfixes).
- User Notification: Enable to allow user notifications for hotfix check policy violations.
- Monitor Mode: Click to enable Monitor Mode.
- Available Hotfixes: The first scrolling list lets you select the criticality of the hotfixes.
Figure 209: Virtual Machines

Table 112: Virtual Machines
- Auto Remediation: Enable to allow auto remediation for virtual machines connected to the endpoint.
- User Notification: Enable to allow user notifications for virtual machine policy violations.
- Allow access to clients running on Virtual Machine: Enable to allow clients running on a VM to be accessed and validated.
Select the Check for Network Connection Types check box, and then click Configure to specify the type of connection that you want to include.
Table 114: Network Connections Configuration (Continued)
- Remediation Action for Adhoc/Hosted Wireless Networks: If Allow Adhoc/Hosted Wireless Networks is disabled, specify whether to take no action when an adhoc wireless network exists or to disable all adhoc/hosted wireless networks.

Disk Encryption
Disk encryption is a technology that protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people.
In the Installed Applications page, you can turn on the installed applications check and specify information about which installed applications you want to monitor. You can take the following actions:
- Specify installed applications to monitor on a mandatory basis.
- Specify installed applications to be monitored on an optional basis.
- Specify installed applications that are never monitored.
- Specify that only the mandatory and optional applications are monitored.
Figure 213: Windows Security Health Validator

Windows System Health Validator - OnGuard Agent
This validator checks for current Windows Service Packs. The OnGuard Agent also supports legacy Windows operating systems such as and Windows Server 2003. An administrator can use the check boxes to enable support of specific operating systems and to restrict access based on service pack level.
Figure 215: Posture Servers Listing Page

When you click Add Posture Server from any of these locations, Policy Manager displays the Posture Servers configuration page.

Figure 216: Add Posture Server Page

Microsoft NPS
Use the Microsoft NPS server when you want Policy Manager to have health credentials (NAP Statement of Health, SoH) evaluated by the Microsoft NPS Server.

Table 117: Microsoft NPS Settings (Posture Server tab)
- Name/Description: Freeform label and description.
Figure 217: Microsoft NPS Settings (Primary and Backup Server tabs)
Table 118: Microsoft NPS Settings (Primary and Backup Server tabs)
RADIUS Server Name/Port: Hostname or IP address and RADIUS server UDP port.
Shared Secret: Enter the shared secret for RADIUS message exchange; the same secret has to be entered on the RADIUS server (Microsoft NPS) side.
Chapter 10: Audit Servers
Audit Servers evaluate posture, role, or both, for unmanaged or unmanageable clients. One example could be clients that lack an adequate posture agent or 802.1X supplicant. For example, printers, PDAs, or guest users might not be able to send posture credentials or identify themselves. A Policy Manager Service can trigger an audit by sending a client ID to a pre-configured audit server, and the server returns attributes for role mapping and posture evaluation.
- "Built-In Audit Servers" on page 238
- "Custom Audit Servers" on page 240
- "Post-Audit Rules" on page 246
Built-In Audit Servers
When configuring an audit as part of a Policy Manager Service, you can select the default Nessus ([Nessus Server]) or NMAP ([Nmap Audit]) configuration.
Add Auditing to a Policy Manager Service
1.
Table 119: Audit tab
Audit Server/Add new Audit Server: Select a built-in server profile from the list:
- The [Nessus Server] performs vulnerability scanning. It returns a Healthy/Quarantine result.
- The [Nmap Audit] performs network port scans. The health evaluation always returns Healthy. The port scan gathers attributes that allow determination of Role(s) through post-audit rules.
Figure 220: Audit Servers Listing
2. Modify the profile, plugins, and/or preferences.
- In the Audit tab, you can modify the In Progress Posture Status and Default Posture Status.
- If you selected a NESSUS Server, then the Primary/Backup Server tabs allow you to specify a scan profile. In addition, when you add a new scan profile, you can select plugins and preferences for the profile. Refer to "Nessus Scan Profiles" on page 242 for more information.
Figure 222: Nessus Audit Server (Audit Tab)
Table 120: Nessus Audit Server (Audit tab)
Name/Description: Freeform label and description.
Type: For purposes of a NESSUS-type Audit Server, always NESSUS.
In Progress Posture Status: Posture status during audit. Select a status from the drop-down list.
Default Posture Status: Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.
Table 121: Nessus Audit Server - Primary and Backup Server tabs
Server Name and Port/Username/Password: Standard NESSUS server configuration fields. NOTE: For the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
Scan Profile: You can accept the default Scan Profile or select Add/Edit Scan Profile to create other profiles and add them to the Scan Profile list. Refer to "Nessus Scan Profiles" on page 242.
Figure 225: Nessus Scan Profile Configuration (Profile Tab)
- The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click on its row.
Figure 226: Nessus Scan Profile Configuration (Profile Tab) - Plugin Synopsis
Of special interest is the section of the synopsis entitled Risks. To delete any listed plugin, click on its corresponding trashcan icon.
Figure 227: Nessus Scan Profile Configuration (Selected Plugins Tab)
Figure 228: Nessus Scan Profile Configuration (Selected Plugins Tab) - Vulnerability Level
For each selected plugin, the Preferences tab contains a list of fields that require entries. In many cases, these fields will be pre-populated. In other cases, you must provide information required for the operation of the plugin.
Figure 230: Audit Tab (NMAP)
Table 122: Audit Tab (NMAP)
Name/Description: Freeform label and description.
Type: For purposes of an NMAP-type Audit Server, always NMAP.
In Progress Posture Status: Posture status during audit. Select a status from the drop-down list.
Default Posture Status: Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.
The NMAP Options tab specifies scan configuration.
Table 123: Options Tab (NMAP)
TCP Scan: To specify a TCP scan, select from the TCP Scan drop-down list. Refer to NMAP documentation for more information on these options. NMAP option --scanflags.
UDP Scan: To enable, check the UDP Scan check box. NMAP option -sU.
Service Scan: To enable, check the Service Scan check box. NMAP option -sV.
Detect Host Operating System: To enable, check the Detect Host Operating System check box. NMAP option -A.
Figure 233: All Audit Server Configurations (Rules Editor)
Table 125: All Audit Server Configurations (Rules Editor)
Conditions: The Conditions list includes five dictionaries: Audit-Status, Device-Type, Output-Msgs, Mac-Vendor, Network-Apps, Open-Ports, and OS-Info. Refer to "Rules Editing and Namespaces" on page 449.
Actions: The Actions list includes the names of the roles configured in Policy Manager.
Save: To commit a Condition/Action pairing, click Save.
| Audit Servers Dell Networking W-ClearPass Policy Manager 6.
Chapter 11: Enforcement
Policy Manager controls network access by sending a set of access-control attributes to the request-originating Network Access Device (NAD). Policy Manager sends these attributes by evaluating an Enforcement Policy associated with the service. The evaluation of an Enforcement Policy results in one or more Enforcement Profiles; each Enforcement Profile wraps the access control attributes sent to the Network Access Device.
Figure 234: Flow of Control of Policy Manager Enforcement
Configuring Enforcement Profiles
You configure Policy Manager Enforcement Profiles globally, but they must be referenced in an enforcement policy that is associated with a Service.
- "RADIUS Change of Authorization (CoA)" on page 273
- "Session Restrictions Enforcement" on page 276
- "SNMP Based Enforcement" on page 277
- "TACACS+ Based Enforcement" on page 278
- "VLAN Enforcement" on page 280
Figure 235: Enforcement Profiles Page
Policy Manager comes pre-packaged with the default profiles described in Table 126:
Table 126: Default Enforcement Profiles (Profile: Available for the following Enforcement Types)
[Aerohive - Terminate Session]: RADIUS_CoA
[AirGroup Personal Device]: RADI
Table 126: Default Enforcement Profiles (Continued) (Profile: Available for the following Enforcement Types)
[Drop Access Profile]: RADIUS
[Handle AirGroup Time Sharing]: HTTP
[HP - Terminate Session]: RADIUS_CoA
[Juniper Terminate Session]: RADIUS_CoA
[Motorola - Terminate Session]: RADIUS_CoA
[Operator Login - Admin Users]: Application
[Operator Login - Local Users]: Application
[TACACS API Admin]: TACACS
[TACACS Deny Profile]: TACACS
[TACACS Help Desk]: TACACS
[TACACS Network Admin]: TACACS
[TA
Table 127: Add Agent Enforcement Profile tab Parameters (Continued)
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The Description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: Agent. The value field is populated automatically.
Action: Disabled. Enabled only when RADIUS type is selected.
Table 128: Agent Enforcement Attributes tab Parameters
Attribute Name: Select one of the following attribute names:
- Bounce Client
- Message
- Health Check Interval (in hours)
- Session Timeout (in seconds)
NOTE: Specify the health check interval value in hours for different Agent Enforcement Profiles for different users. The allowed range is 0 to 1000 hours.
Table 129: Aruba Downloadable Role Enforcement Profile tab Parameters
Template: Aruba Downloadable Role Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The Description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: RADIUS. This field is populated automatically.
Action: Enabled.
Table 130: Role Configuration Attributes page
Reauthentication Interval Time (0-4096): Enter the number of minutes between reauthentication intervals.
VLAN To Be Assigned (1-4094): Enter a number between 1 and 4094 that defines when the VLAN is to be assigned. Click to modify profiles and parameters on the page.
ACL Type: Select from:
- Ethertype
- MAC
- Session
- Stateless
ACL Name: Click the name of the selected ACL type. Click Add to move the ACL Name to the ACL field.
Figure 241: Add Policer Profile Attributes Page
QoS Profile
Click the Add QoS Profile link. Enter a name for the profile. Configure the required attributes and click Save or Cancel.
Figure 242: Add QoS Profile Attributes Page
VoIP Profile
Click the Add VoIP Profile link. Enter a name for the profile. Configure the required attributes and click Save or Cancel.
Figure 243: Add VoIP Profile Attributes page
NetService Configuration
Click the Manage NetServices link. Configure the required attributes and click Save, Delete or Cancel.
Figure 244: Manage NetServices Attributes Page
NetDestination Configuration
Click the Manage NetDestinations link. Configure the required attributes. Click Reset or Save Rule. Then click Save, Delete, Reset, or Cancel.
Figure 245: Manage NetDestinations Attributes page
Time Range Configuration
Click the Manage Time Ranges link. Configure the required attributes and click Save, Delete or Cancel.
Figure 246: Time Range Configuration Attributes page
ACL
Click the Add Stateless Access Control List link. Enter a name for the Stateless ACL. Click the Add Rule link on the General tab. Enter the required attributes in the Rule Configuration tab and click Save Rule or Cancel.
Figure 247: Stateless Access Control List Configuration Attributes Page
Click the Add Session Access Control List link. Enter a name for the Session ACL. Click the Add Rule link on the General tab. Enter the required attributes in the Rule Configuration tab and click Save Rule or Cancel.
Figure 248: Session Access Control List Attributes Page
Click the Add Ethernet/MAC Access Control List link. Enter a name for the Ethernet/MAC ACL.
Figure 249: Ethernet/MAC Access Control List Attributes Page
Aruba RADIUS Enforcement
Use this page to configure profile and attribute parameters for the Aruba RADIUS Enforcement Profile.
Profile tab
Figure 250: Aruba RADIUS Enforcement Profile tab
Table 131: Aruba RADIUS Enforcement Profile tab Parameters
Template: Aruba RADIUS Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Table 131: Aruba RADIUS Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Profile tab
Figure 252: Cisco Downloadable ACL Enforcement Profile tab
Table 133: Cisco Downloadable ACL Enforcement Profile tab Parameters
Template: Cisco Downloadable ACL Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The Description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Table 134: Cisco Downloadable ACL Enforcement Attributes tab Parameters
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
For more information, see "RADIUS Namespaces" on page 458.
Name: The options displayed for the Name Attribute depend on the Type Attribute that was selected.
Value: The options displayed for the Value Attribute depend on the Type Attribute and Name Attribute that were selected.
Table 135: Cisco Web Authentication Enforcement Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Profile tab
Figure 256: ClearPass Entity Update Enforcement Profile tab
Table 137: ClearPass Entity Update Enforcement Profile tab Parameters
Template: ClearPass Entity Update Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The Description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Table 138: ClearPass Entity Update Enforcement Attributes tab Parameters
Type: Select from:
- Endpoint
- Expire-Time-Update
- GuestUser
- Status-Update
Name: The options displayed for the Name Attribute depend on the Type Attribute that was selected.
Value: The options displayed for the Value Attribute depend on the Type Attribute and Name Attribute that were selected.
CLI Based Enforcement
Use this page to configure profile and attribute parameters for the CLI Based Enforcement Profile.
Table 139: CLI Based Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed on the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The Description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: RADIUS. The field is populated automatically.
Action: Enabled. Click Accept, Reject, or Drop to define the action taken on the request.
Generic Application Enforcement
Use this page to configure profile and attribute parameters for the Generic Application Enforcement Profile.
Profile tab
Figure 262: Generic Application Enforcement Profile tab
Table 143: Generic Application Enforcement Profile tab Parameters
Template: Generic Application Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Table 144: Generic Application Enforcement Attributes tab Parameters
Attribute Name: Select an attribute name from the list. The list has multiple pages.
Attribute Value: The options displayed for the Attribute Value depend on the Attribute Name that was selected.
HTTP Based Enforcement
Use this page to configure profile and attribute parameters for the HTTP Based Enforcement Profile.
Attributes tab
Figure 265: HTTP Based Enforcement Attributes tab
Table 146: HTTP Based Enforcement Attributes tab Parameters
Attribute Name: Select Target Server or Action.
Attribute Value: The options displayed for the Attribute Value depend on the Attribute Name that was selected.
RADIUS Based Enforcement
Use this page to configure profile and attribute parameters for the RADIUS Based Enforcement Profiles.
Table 147: RADIUS Based Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups.
Profile tab
Figure 268: Radius Change of Authorization (CoA) Profile tab
Table 149: Radius Change of Authorization (CoA) Profile tab Parameters
Template: Select from:
- Cisco - Disable-Host-Port
- Cisco - Bounce-Host-Port
- Cisco - Reauthenticate-Session
- HP - Change-VLAN
- HP - Generic-CoA
- Aruba - Change-User-Role
- IETF - Terminate-Session-IETF
- Aruba - Change-VPN-User-Role
- IETF - Generic-CoA-IETF
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
Table 149: Radius Change of Authorization (CoA) Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed on the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Session Restrictions Enforcement
Use this page to configure profile and attribute parameters for the Session Restrictions Enforcement Profile.
Profile tab
Figure 270: Session Restrictions Enforcement Profile tab
Table 151: Session Restrictions Enforcement Profile tab Parameters
Template: Session Restrictions Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Table 152: Session Restrictions Enforcement Attributes tab
Type: Select from:
- Bandwidth-Check
- Expire-Check
- Post-Auth-Check
- Session-Check
NOTE: Palo Alto integration is extended to Guest MAC Caching use cases. Configure:
- Session-Check::IP-Address-Change-Notify = Session-Check::Username = %{Endpoint:Username}
Post Auth then sends the Guest username instead of the MAC Address in the user id updates.
Table 153: SNMP Based Enforcement Profile tab Parameters (Continued)
Action: Disabled.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Table 155: TACACS+ Based Enforcement Profile tab Parameters
Template: TACACS+ Based Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The Description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: TACACS. The field is populated automatically.
Action: Disabled.
Table 156: TACACS+ Based Enforcement Services tab Parameters (Continued)
Custom Services: To add new TACACS+ services or attributes, upload the modified dictionary XML by clicking Update TACACS+ Services Dictionary.
Type: Select a Service Attribute parameter from the list.
Name: The options displayed for the Name Attribute depend on the Type Attribute that was selected.
Table 157: VLAN Enforcement Profile tab Parameters (Continued)
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Figure 278: Enforcement Policies Listing Page
Click Add Enforcement Policy to open the Add Enforcement Policy wizard:
Figure 279: Add Enforcement Policy (Enforcement tab)
Table 159: Add Enforcement Policy (Enforcement tab)
Name/Description: Freeform label and description.
Type: Select RADIUS, TACACS+, WebAuth (SNMP/CLI)/CoA, or Application. Based on this selection, the Default Profile drop-down list shows enforcement profiles of the matching type (see below).
Figure 280: Add Enforcement Policy (Rules Tab)
Table 160: Add Enforcement Policy (Rules tab)
Add/Edit Rule: Bring up the rules editor to add or edit a rule.
Move Up/Down: Reorder the rules in the enforcement policy.
Remove Rule: Remove a rule.
Table 161: Add Enforcement Policy (Rules Editor)
Conditions/Enforcement Profiles: Select conditions for this rule. For each condition, select a matching action (Enforcement Profile).
Chapter 12: Network Access Devices
A Policy Manager Device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol.
Figure 282: Device tab
Table 162: Device tab Parameters
Name/Description: Specify the identity of the device.
IP Address or Subnet: Specify the IP address or the subnet (for example, 192.168.5.0/24) of the device.
RADIUS/TACACS+ Shared Secret: Enter and confirm a Shared Secret for each of the two supported request protocols.
Vendor: Optionally, specify the dictionary to be loaded for this device.
Figure 283: SNMP Read/Write Settings tabs
Figure 284: SNMP Read/Write Settings tabs - SNMP v3 Details
Table 163: SNMP Read/Write Settings tabs
Allow SNMP Read/Write: Toggle to enable or disable SNMP Read/Write.
Default VLAN (SNMP Write only): VLAN port setting after an SNMP-enforced session expires.
SNMP Read/Write Setting: SNMP settings for the device.
Table 163: SNMP Read/Write Settings tabs (Continued)
Username (SNMP v3 only): Admin user name to use for SNMP read/write operations.
Authentication Key (SNMP v3 only): SNMP v3 with authentication option (SHA and MD5).
Privacy Key (SNMP v3 only): SNMP v3 with privacy option.
Privacy Protocol (SNMP v3 with privacy only): Choose one of the available privacy protocols:
- DES-CBC
- AES-128
Add/Cancel: Click Add to commit or Cancel to dismiss the popup.
Table 164: CLI Settings tab (Continued)
Access Type: Select SSH or Telnet. Policy Manager uses this access method to log into the device CLI.
Port: SSH or Telnet TCP port number.
Username/Password: Credentials to log into the CLI.
Username Prompt Regex: Regular expression for the username prompt. Policy Manager looks for this pattern to recognize the telnet username prompt.
Password Prompt Regex: Regular expression for the password prompt.
Policy Manager lists all configured device groups in the Device Groups page: Configuration > Network > Device Groups.
Figure 286: Device Groups Page
To add a Device Group, click Add. Complete the fields in the Add New Device Group popup:
Figure 287: Add New Device Group Popup
Table 165: Add New Device Group popup
Name/Description/Format: Specify the identity of the device group.
Subnet: Enter a subnet consisting of the network address and the network suffix (CIDR notation); for example, 192.168.5.0/24.
Regular Expression: Specify a regular expression that represents all IPv4 addresses matching that expression; for example, ^192(.[0-9]*){3}$.
List: Available/Selected Devices: Use the widgets to move device identifiers between Available and Selected.
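The three Device Group formats in Table 165 (Subnet, Regular Expression, List) all answer the same question: does a given NAD address fall into the group? The following added example, not code from the product or this guide, shows one way to evaluate that question for all three formats; the sample groups are constructed, and the subnet and regular expression are the ones the table uses as examples (note that the table's regex leaves the dot unescaped, so `.` matches any single character, which the code uses as given).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Union


@dataclass
class DeviceGroup:
    """One entry from the Add New Device Group popup (Table 165)."""
    name: str
    fmt: str                       # "Subnet", "Regular Expression" or "List"
    value: Union[str, List[str]]   # CIDR string, regex string, or list of device addresses


def device_matches(group: DeviceGroup, device_ip: str) -> bool:
    """Return True when the NAD with address device_ip belongs to group."""
    ip = ipaddress.ip_address(device_ip)   # raises ValueError for a non-address string
    if group.fmt == "Subnet":
        # CIDR membership; an IPv6 address never matches an IPv4 network and vice versa
        return ip in ipaddress.ip_network(group.value, strict=False)
    if group.fmt == "Regular Expression":
        # fullmatch on the normalised address so a partial match cannot slip through
        return re.fullmatch(group.value, str(ip)) is not None
    if group.fmt == "List":
        # compare normalised forms so "010.1.1.1"-style spellings do not defeat the list
        return str(ip) in {str(ipaddress.ip_address(v)) for v in group.value}
    raise ValueError(f"unknown device group format: {group.fmt}")


def groups_for_device(groups: List[DeviceGroup], device_ip: str) -> List[str]:
    """Names of every group the device falls into, in definition order."""
    return [g.name for g in groups if device_matches(g, device_ip)]


# Constructed sample groups (hypothetical names); subnet and regex values are from Table 165.
SAMPLE_GROUPS = [
    DeviceGroup("Branch switches", "Subnet", "192.168.5.0/24"),
    DeviceGroup("All 192.x devices", "Regular Expression", r"^192(.[0-9]*){3}$"),
    DeviceGroup("Core controllers", "List", ["10.1.1.1", "10.1.1.2"]),
]

if __name__ == "__main__":
    for nad in ("192.168.5.10", "192.168.6.1", "10.1.1.2", "10.9.9.9"):
        print(nad, "->", groups_for_device(SAMPLE_GROUPS, nad))
```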
Figure 288: Proxy Targets Page
Add a Proxy Target
To add a Proxy Target, click Add and complete the fields in the Add Proxy Target popup. You can also add a new proxy target from the Services page (Configuration > Service) as part of the flow of the Add Service wizard for a RADIUS Proxy Service Type.
Figure 289: Add Proxy Target Popup
Table 166: Add Proxy Target popup
Name/Description: Freeform label and description.
Hostname/Shared Secret: RADIUS Hostname and Shared Secret.
Export one Proxy Target
Click a checkbox to select the proxy target and then click Export. In the Save As popup, specify a file path, and then click Export.
Delete one Proxy Target
Click a checkbox to select the Proxy Target and then click Delete. Commit the deletion by selecting Yes. Dismiss the popup by selecting No.
Custom Admin Privileges
Dell Networking W-ClearPass Policy Manager ships with six read-only default administrator privilege XML files.
Chapter 13: Policy Simulation
After the policies are final, you can use the Configuration > Policy Simulation utility to evaluate the policies before deployment. The Policy Simulation utility applies a set of request parameters as input against a given policy component and displays the outcome in the Results tab.
Active Directory Authentication
This simulation tests authentication against an Active Directory domain or trusted domain to verify that the CPPM domain membership is valid. The Attributes tab is not available for this simulation type.
Simulation tab
Figure 292: Active Directory Authentication Simulation tab
Table 169: Active Directory Authentication Simulation tab Parameters
Active Directory Domain: Select the domain(s) to which the node is joined.
Simulation tab
Figure 294: Application Authentication Simulation tab
Table 171: Application Authentication Simulation tab Parameters
CPPM IP Address/FQDN: Enter the IP Address or FQDN of the domain(s) to which the node is joined.
Username: Enter the username.
Password: Enter the password.
Attributes tab
Enter the attributes of the policy component to be tested.
Figure 296: Application Authentication Results tab
Table 173: Application Authentication Results tab Parameters
Summary: Displays the results of the Active Directory Authentication simulation.
Application Authentication Output Attributes: Displays the output attributes, such as Super Administrator.
Audit
This simulation allows you to specify an audit against a Nessus Server or Nmap Server, given its IP address. The Attributes tab is not available for this simulation type.
Results tab
Figure 298: Audit Simulation Results tab
Table 175: Audit Results tab Parameters
Summary: Displays information about the Audit Status, Temporary Status, and Audit Timeout.
Audit Output Attributes: Displays the Audit-Status, such as AUDIT_INPROGRESS.
Table 176: Chained Simulation tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Authentication Source: Default Value = [Local User Repository] if you select:
- [Policy Manager Admin Network Login Service]
- [Aruba Device Access Service]
Default Value = [Guest Device Repository] if you select: [AirGroup Authori
Application: See "Application Namespace" on page 450.
Certificate: See "Certificate Namespaces" on page 454.
RADIUS and posture types (see "RADIUS Namespaces" on page 458):
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
- Radius:Aruba
- Trend:AV
- Cisco:HIPS
- Cisco:HOST
- Cisco:PA
- NAI:AV
- Symantec:AV
Name: The options displayed for the Name Attribute depend on the Type Attribute that was selected.
Table 178: Chained Simulation Results tab Parameters
Summary: Provides the following information about the Chained Simulation:
- Status
- Roles
- System Posture Status
- Enforcement Profiles
- Enforcement Policy
Given the service name (and the associated enforcement policy), a role or a set of roles, the system posture status, and an optional date and time, the enforcement policy simulation evaluates the rules in the enforcement policy and displays the resulting enforcement profiles a
Table 179: Enforcement Policy Simulation tab Parameters (Continued)
Enforcement Policy:
- Autofilled with [Admin Network Login Policy] if you select [Policy Manager Admin Network Login Service]
- Autofilled with [AirGroup Enforcement Policy] if you select [AirGroup Authorization Service]
- Autofilled with [Aruba Device Access Policy] if you select [Aruba Device Access Service]
- Autofilled with [Guest Operator Logins] if you select the [Guest Operator Logins] service
- Autofilled with Copy_of_Gue
Table 179: Enforcement Policy Simulation tab Parameters (Continued)
Dynamic Roles:
- Add Role: Enter the name of a dynamic role in the Add Role field and click the Add Role button to populate the Dynamic Roles list.
- Remove Role: Highlight a dynamic role and click the Remove Role button.
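The rules editor (Table 161) pairs conditions with enforcement profiles, and the enforcement policy simulation (Table 178) evaluates those rules for a given set of roles, posture status and date. The added example below, not code from the product or this guide, models that evaluation so the outcome of a policy can be checked before deployment. The attribute names (Tips:Role, Tips:Posture, Date:Day-of-Week), the posture tokens HEALTHY and QUARANTINE, the rule evaluation algorithms (evaluate-all versus first-applicable) and all profile and role names except [Drop Access Profile] are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Any, Dict, List

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


@dataclass
class Condition:
    attribute: str   # request attribute name, e.g. "Tips:Role" (assumed naming)
    operator: str    # EQUALS, NOT_EQUALS, BELONGS_TO or NOT_BELONGS_TO
    value: Any       # a single value, or a list of values for BELONGS_TO-style checks


@dataclass
class Rule:
    conditions: List[Condition]   # every condition must hold for the rule to fire
    profiles: List[str]           # enforcement profiles returned when it fires


@dataclass
class EnforcementPolicy:
    name: str
    default_profile: str          # the Default Profile from Table 159, used when no rule fires
    rules: List[Rule]
    algorithm: str = "evaluate-all"   # assumed: "evaluate-all" or "first-applicable"


def request_attributes(roles: List[str], posture: str, when: str) -> Dict[str, Any]:
    """Build the simulated request: roles are multi-valued, the rest single-valued."""
    moment = datetime.fromisoformat(when)
    return {"Tips:Role": set(roles), "Tips:Posture": posture,
            "Date:Day-of-Week": DAYS[moment.weekday()]}


def condition_matches(cond: Condition, attrs: Dict[str, Any]) -> bool:
    """A missing attribute never satisfies a condition, even a negated one."""
    actual = attrs.get(cond.attribute)
    if actual is None:
        return False
    have = actual if isinstance(actual, set) else {actual}
    want = set(cond.value) if isinstance(cond.value, (list, tuple, set)) else {cond.value}
    hit = bool(have & want)
    if cond.operator in ("EQUALS", "BELONGS_TO"):
        return hit
    if cond.operator in ("NOT_EQUALS", "NOT_BELONGS_TO"):
        return not hit
    raise ValueError(f"unsupported operator: {cond.operator}")


def simulate_enforcement(policy: EnforcementPolicy, roles: List[str],
                         posture: str, when: str) -> List[str]:
    """Return the enforcement profiles the policy yields for this simulated request."""
    attrs = request_attributes(roles, posture, when)
    profiles: List[str] = []
    for rule in policy.rules:
        if all(condition_matches(c, attrs) for c in rule.conditions):
            for p in rule.profiles:
                if p not in profiles:      # a profile is listed once even if several rules add it
                    profiles.append(p)
            if policy.algorithm == "first-applicable":
                break
    return profiles or [policy.default_profile]   # fall back to the default profile (deny here)


# Constructed sample policy; rule order matters for first-applicable evaluation.
SAMPLE_POLICY = EnforcementPolicy(
    name="Sample Wireless Policy",
    default_profile="[Drop Access Profile]",
    rules=[
        Rule([Condition("Tips:Posture", "EQUALS", "QUARANTINE")], ["Quarantine-VLAN"]),
        Rule([Condition("Tips:Role", "EQUALS", "Employee"),
              Condition("Tips:Posture", "EQUALS", "HEALTHY")], ["Employee-VLAN"]),
        Rule([Condition("Tips:Role", "EQUALS", "Guest"),
              Condition("Date:Day-of-Week", "NOT_BELONGS_TO", ["Saturday", "Sunday"])],
             ["Guest-Internet-Only"]),
    ],
)
SAMPLE_POLICY_FIRST = replace(SAMPLE_POLICY, algorithm="first-applicable")

if __name__ == "__main__":
    for roles, posture, when in [(["Employee"], "HEALTHY", "2014-06-04T09:00"),
                                 (["Employee"], "QUARANTINE", "2014-06-04T09:00"),
                                 (["Guest"], "HEALTHY", "2014-06-07T09:00")]:
        print(roles, posture, when, "->", simulate_enforcement(SAMPLE_POLICY, roles, posture, when))
```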
Results tab
Figure 304: Policy Simulation Results tab
Table 181: Enforcement Policy Results tab Parameters
Deny Access: Displays the output of the Deny Access test.
Enforcement Profile: Displays the name of the Enforcement Profile.
RADIUS Authentication
Dictionaries in the RADIUS namespace come pre-packaged with the product. The administration interface does provide a way to add dictionaries into the system (see "RADIUS Dictionary" on page 403 for more information).
Table 182: RADIUS Simulation tab Parameters
Server: Select Local or Remote.
CPPM IP Address or FQDN: NOTE: This field is only displayed if Remote Server is selected. Enter the IP Address or FQDN of the remote CPPM server.
Port: NOTE: This field is only displayed if Remote Server is selected. Enter the port number of the remote CPPM server. The default port number is 1812.
Shared Secret: NOTE: Only displayed if Remote Server is selected.
Table 182: RADIUS Simulation tab Parameters (Continued)
Authentication outer method: Select from:
- PAP: the Authentication inner method field is disabled.
- CHAP: the Authentication inner method field is disabled.
- MSCHAPv2: the Authentication inner method field is disabled.
- PEAP: the Authentication inner method field is enabled. The selections are:
  - EAP-MSCHAPv2
  - EAP-GTC
  - EAP-TLS*
- TTLS: the Authentication inner method field is enabled.
The attributes that you set depend on the NAS Type selected on the Simulation page.
NAS Type: Aruba Wireless Controller
Figure 307: Aruba Wireless Controller Type Attributes tab
Table 183: Aruba Wireless Controller Required Attribute Settings
Line 1:
- Type = Radius:IETF
- Name = NAS-Port-Type
- Value = Wireless-802.
NAS Type: Cisco Wireless Switch
Figure 309: NAS Type: Cisco Wireless Switch Attributes tab
Table 185: NAS Type: Cisco Wireless Switch Required Attribute Settings
Line 1:
- Type = Radius:IETF
- Name = NAS-Port-Type
- Value = 802.11(19)
Line 2:
- Type = Radius:IETF
- Name = Service-Type
- Value = Framed-User(2)
Results tab
Figure 310: Results tab
Table 186: RADIUS Authentication Results tab Parameters
Summary: Displays a summary of the simulation.
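Tables 183 and 185 list the IETF attributes a simulated request carries (NAS-Port-Type 19 for wireless 802.11 and Service-Type 2 for Framed-User), and Table 182 shows that the simulation is keyed by a shared secret and UDP port 1812. The added example below, not code from the product or this guide, builds and parses the RADIUS Access-Request that such a PAP simulation puts on the wire, including the RFC 2865 User-Password hiding that depends on the shared secret; the username, password and secret are constructed values.

```python
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1                 # RADIUS Code for Access-Request (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2    # IETF attribute type numbers
SERVICE_TYPE, NAS_PORT_TYPE = 6, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19  # "802.11(19)" in Table 185
SERVICE_TYPE_FRAMED_USER = 2       # "Framed-User(2)" in Table 185


def _pap_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous ciphertext
    block); the Request Authenticator stands in as the 'previous block' for the first one."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = chunk if decrypt else block   # chaining always uses the ciphertext block
    return out


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16   # null-pad to 16n
    return _pap_blocks(padded, secret, authenticator, decrypt=False)


def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    return _pap_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def integer_attr(value: bytes) -> int:
    """Decode a 4-octet RADIUS integer attribute value."""
    if len(value) != 4:
        raise ValueError("integer attribute must be 4 octets")
    return struct.unpack("!I", value)[0]


def build_access_request(username: str, password: str, secret: bytes,
                         nas_port_type: int = NAS_PORT_TYPE_WIRELESS_80211,
                         service_type: int = SERVICE_TYPE_FRAMED_USER,
                         identifier: int = 0, authenticator: Optional[bytes] = None) -> bytes:
    """Assemble an Access-Request carrying the attributes from Table 185."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    if len(auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = b"".join([
        attribute(USER_NAME, username.encode()),
        attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, auth)),
        attribute(NAS_PORT_TYPE, struct.pack("!I", nas_port_type)),
        attribute(SERVICE_TYPE, struct.pack("!I", service_type)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    pkt = build_access_request("alice", "s3cret", b"testing123", identifier=7)
    print(pkt.hex())
```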
Table 186: RADIUS Authentication Results tab Parameters (Continued)
Details: Click this link to open a popup that provides details about the Authentication test. You can take the following actions:
- Click the Summary, Input and Output tabs.
- Click the Change Status, Show Logs, Export or Close buttons.
Status Message(s): Displays the status messages resulting from the test.
Table 187: Role Mapping Simulation tab Parameters (Continued)
Role Mapping Policy: The field is disabled if you select one of:
- [Policy Manager Admin Network Login Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
The field is auto-filled with [AirGroup Version Match] if you select [AirGroup Authorization Service], with [Guest Roles] if you select Guest Access, and with Guest MAC Authentication Role Mapping if you select Guest Access With MAC Caching.
Table 188: Role Mapping Simulation Attributes tab Parameters
Type: One of the following namespaces:
- Host (see "Host Namespaces" on page 457)
- Authentication (see "Authentication Namespaces" on page 451)
- Connection (see "Connection Namespaces" on page 455)
- Application (see "Application Namespace" on page 450)
- Certificate (see "Certificate Namespaces" on page 454)
- Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda, Radius:Aruba (see "RADIUS Namespaces" on page 458)
Name: The options displayed for the Name
Service Categorization A service categorization simulation allows you to specify a set of attributes in the RADIUS or Connection namespace and test which configured service the request will be categorized into. The request attributes that you specify represent the attributes sent in the simulated request.
Table 191: Service Categorization Simulation Attributes tab Parameters (Continued)
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type attribute and Name attribute that were selected.
Results tab
Figure 316: Results tab
Table 192: Service Configuration Results tab Parameters
Summary: Gives the name of the service.
Chapter 14 ClearPass Policy Manager Profile
Profile is a Dell Networking W-ClearPass Policy Manager module that automatically classifies endpoints using attributes obtained from software components called Collectors. You can use Profile to implement "Bring Your Own Device" (BYOD) flows, where access must be controlled based on the type of the device and the identity of the user.
- "MAC OUI" on page 316*
- "ActiveSync Plugin" on page 317
- "CPPM OnGuard" on page 317
- "SNMP" on page 317
- "Subnet Scan" on page 318
* Acquired via various authentication mechanisms such as 802.1X, MAC authentication, etc.
DHCP
DHCP attributes such as option 55 (parameter request list), option 60 (vendor class) and the options list from DISCOVER and REQUEST packets can uniquely fingerprint most devices that use DHCP to acquire an IP address on the network.
ActiveSync Plugin
The ActiveSync plugin is installed on Microsoft Exchange servers. When a device communicates with the Exchange server using the ActiveSync protocol, it provides attributes such as device-type and user-agent. The plugin collects these attributes and sends them to the CPPM profiler, which uses dictionaries to derive profiles from them.
CPPM OnGuard
The ClearPass OnGuard agent performs advanced endpoint posture assessment.
Figure 317: SNMP Read/Write Settings Tabs
In large or geographically spread cluster deployments, you do not want all CPPM nodes to probe all SNMP-configured devices. The default behavior is for a CPPM node in the cluster to read network device information only for devices configured to send traps to that CPPM node.
Subnet Scan
A network subnet scan is used to discover the IP addresses of devices in the network.
- SNMP
- DHCP
- MAC OUI
Stage 2
CPPM comes with a built-in set of rules that evaluate to a device profile. The rules engine uses all input attributes and device profiles from Stage 1. The rule evaluation may or may not result in a profile; Stage 2 is intended to refine the results of profiling.
Example
With DHCP options, Stage 1 can identify an Android device. Stage 2 uses rules to combine this with the MAC OUI to further classify the Android device as Samsung Android, HTC Android, etc.
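Added example, not ClearPass code: a minimal two-stage classifier in Python with the shape described above, where Stage 1 maps a DHCP fingerprint to a device family and Stage 2 refines it with the MAC OUI. The DHCP fingerprint table and the OUI table are constructed for this example and are not ClearPass's dictionaries.

```python
# Added example (not ClearPass code): a two-stage profiler in the shape the
# guide describes. Stage 1 maps a DHCP fingerprint (option 55 parameter request
# list, option 60 vendor class) to a device family; Stage 2 refines that family
# with the MAC OUI. Both lookup tables below are constructed for the example.
from dataclasses import dataclass, field

# Stage 1 dictionary: constructed sample fingerprints -> device family
DHCP_FINGERPRINTS = {
    ("1,3,6,15,26,28,51,58,59,43", "dhcpcd-5.5.6"): "Android",
    ("1,3,6,15,119,252", "MSFT 5.0"): "Windows",
}

# Stage 2 refinement table: constructed sample OUIs (first 3 bytes of the MAC)
MAC_OUI = {
    "00:11:22": "Samsung",
    "00:33:44": "HTC",
}


@dataclass
class Endpoint:
    mac: str
    dhcp_option55: str = ""
    dhcp_option60: str = ""
    attributes: dict = field(default_factory=dict)  # filled by Stage 1


def stage1(ep):
    """Collect raw attributes and attach a coarse device family (may be None)."""
    ep.attributes["oui"] = ep.mac.upper()[:8]
    ep.attributes["dhcp_family"] = DHCP_FINGERPRINTS.get(
        (ep.dhcp_option55, ep.dhcp_option60))
    return ep.attributes["dhcp_family"]


def stage2(ep):
    """Apply refinement rules over the Stage 1 attributes.

    Rule: an Android family plus a known vendor OUI yields "<Vendor> Android".
    A rule that does not match leaves the Stage 1 profile unchanged, and an
    endpoint with no Stage 1 profile stays unprofiled (None), since rule
    evaluation may or may not produce a profile.
    """
    family = ep.attributes.get("dhcp_family")
    vendor = MAC_OUI.get(ep.attributes.get("oui"))
    if family == "Android" and vendor:
        return f"{vendor} Android"
    return family


def profile(ep):
    """Run both stages and return the final profile name or None."""
    stage1(ep)
    return stage2(ep)
```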
Table 193: Profiler tab Parameters
Endpoint Classification: Select the classification after which an action must be triggered. You can select a new action, or remove a current action.
RADIUS CoA Action: Select an action. Click View Details to view details about the selected action. Click Modify to change the values of the selected action.
Add new RADIUS CoA Action: Click to add a RADIUS CoA action to the list.
Chapter 15 Administration
All administrative activities, including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance, are done from the Administration menus. The Policy Manager Administration menu provides the following interfaces for configuration:
ClearPass Portal
Navigate to the Administration > Agents and Software Updates > ClearPass Portal page.
Admin Users
The Policy Manager Admin Users menu (Administration > Users and Privileges > Admin Users) provides the following interfaces for configuration:
- "Add User" on page 323
- "Import Users" on page 324
- "Export Users" on page 324
- "Export" on page 325
Figure 321: Admin Users
Table 195: Admin Users
Add: Opens the Add User popup form.
Import: Opens the Import Users popup form.
Export All: Exports all users to an XML file.
Export: Exports a selected user to an XML file.
Table 196: Add Admin User
User ID, Name, Password, Verify Password: Specify the identity and password for a new admin user.
Privilege Level: Select one of Help Desk, Super Administrator, Network Administrator, Receptionist or any other custom privilege level.
Add/Cancel: Add or dismiss changes.
Import Users
Select the Import link in the upper right portion of the page.
Export
Select the Export button on the lower right portion of the page. To export a user, select it (check box at left) and click Export. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the export.
Admin Privileges
To view the available Admin Privileges, go to Administration > Users and Privileges > Admin Privileges.
Administrator Privileges and IDs
The following list provides the areas and sub-areas of the Policy Manager application and the associated taskId of each one. If you grant permission for an area, the same permission for all of its sub-areas is included by default. For example, if you give RW permissions for Enforcements (con.en), you grant permissions for its sub-areas, in this case Policies (con.en.epo) and Profiles (con.en.epr), and you do not have to explicitly define the same permission for those sub-areas.
  - Device Groups: taskId="con.nw.ng"
  - Proxy Targets: taskId="con.nw.pr"
- Policy Simulation: taskId="con.ps"
- Profile Settings: taskId="con.prs"
- Administration: taskId="adm"
  - User and Privileges: taskId="adm.us"
    - Admin Users: taskId="adm.us.au"
    - Admin Privileges: taskId="adm.us.ap"
  - Server Manager: taskId="adm.mg"
    - Server Configuration: taskId="adm.mg.sc"
    - Log Configuration: taskId="adm.mg.ls"
    - Local Shared Folders: taskId="adm.mg.sf"
    - Licensing: taskId="adm.mg.
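Added example (not code from the guide or from ClearPass): a Python resolver for the area-to-sub-area inheritance described above, using taskIds from the list. It assumes, beyond what the guide states, that an explicit grant on a sub-area takes precedence over a broader grant on its parent, and it adds a least-privilege check that flags grants wider than a role needs.

```python
# Added example (not ClearPass code): resolve the effective permission for a
# Policy Manager taskId from a set of explicitly granted areas, using the
# parent-to-sub-area inheritance the guide describes (a grant on con.en covers
# con.en.epo and con.en.epr). Assumption: when both an area and one of its
# sub-areas are granted explicitly, the most specific (longest) taskId wins.

# taskIds copied from the guide's list; the rest of the tree is omitted here
TASK_IDS = {
    "con.nw.ng": "Device Groups",
    "con.nw.pr": "Proxy Targets",
    "con.ps": "Policy Simulation",
    "con.prs": "Profile Settings",
    "adm": "Administration",
    "adm.us": "User and Privileges",
    "adm.us.au": "Admin Users",
    "adm.us.ap": "Admin Privileges",
    "adm.mg": "Server Manager",
    "adm.mg.sc": "Server Configuration",
    "adm.mg.ls": "Log Configuration",
    "adm.mg.sf": "Local Shared Folders",
}

LEVELS = ("NONE", "RO", "RW")  # no access, read-only, read-write (ordered)


def effective_permission(grants, task_id):
    """Return the permission that applies to task_id.

    grants maps taskId -> "RO" | "RW". The function walks from the full
    taskId up through its ancestors (adm.mg.sc -> adm.mg -> adm) and returns
    the first explicit grant it finds, so a sub-area inherits its parent's
    permission unless it has its own entry. Areas with no grant get NONE.
    """
    parts = task_id.split(".")
    while parts:
        candidate = ".".join(parts)
        if candidate in grants:
            return grants[candidate]
        parts.pop()
    return "NONE"


def expand_grants(grants, task_ids=TASK_IDS):
    """Materialise the effective permission for every known taskId."""
    return {tid: effective_permission(grants, tid) for tid in task_ids}


def least_privilege_check(grants, required):
    """Report grants that exceed what a role requires.

    required maps taskId -> minimum level the role needs. Every known taskId
    whose effective level is higher than required (including areas granted
    but not required at all) is returned as taskId -> (granted, required),
    which is the list an auditor would want to trim.
    """
    over = {}
    for tid, level in expand_grants(grants).items():
        needed = required.get(tid, "NONE")
        if LEVELS.index(level) > LEVELS.index(needed):
            over[tid] = (level, needed)
    return over
```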
3. Go to Administration > Users and Privileges > Admin Privileges.
4. Click Import Admin Privileges.
5. Import the administrator privilege file you created in step 1. See Importing for details.
After you complete steps 1-5, the new administrator privileges document is displayed on the Admin Privileges page.
Table 198: Log Configuration Service Log Configuration tab Parameters (Continued)
Module Log Level Settings: Enable this option to set the log level for each module individually. The levels, in decreasing order of verbosity, are DEBUG, INFO, WARN, ERROR and FATAL. For optimal performance you must run Policy Manager with the log level set to ERROR or FATAL. If this option is disabled, all module level logs are set to the default log level.
Table 199: Log Configuration System Level tab Parameters
Select Server: Specify the server for which to configure logs.
Number of log files: Specify the number of log files of a specific module to keep at any given time. When a log file reaches the specified size (see below), Policy Manager rolls the log over to another file until the specified number of log files is reached; once the log files exceed this number, Policy Manager overwrites the first numbered file.
Figure 327: Server Configuration Page
Editing Server Configuration Settings
Navigate to the Administration > Server Manager > Server Configuration page, and click on a server name in the table. The Server Configuration form opens by default on the System tab.
Figure 329: System Tab
Table 200: Server Configuration System tab
Hostname: Hostname of the Policy Manager appliance. It is not necessary to enter the fully qualified domain name here.
Policy Manager Zone: Select a previously configured timezone from the drop-down list. Click on the Policy Manager Timezone link to add and edit timezones from within this page.
Enable Profile: Enable the profile to perform endpoint classifications.
Table 200: Server Configuration System tab (Continued)
DHCP Span Port: If desired, specify the port number for DHCP spanning.
Management Port: IP Address: Management interface IP address. You access the Policy Manager UI via the management interface.
Management Port: Subnet Mask: Management interface subnet mask.
Management Port: Default Gateway: Default gateway for the management interface.
Data/External Port: IP Address: Data interface IP address.
Join Domain: Click on this button to join this Policy Manager appliance to an Active Directory domain. Password servers can be configured after Policy Manager has successfully joined. Refer to "Add Password Server" on page 336 for more information.
Leave Domain: If the server is already part of multiple AD domains, click on this button to disassociate this Policy Manager appliance from an Active Directory domain.
Table 201: Join AD Domain Parameters (Continued)
Domain Controller name conflict: In some deployments (especially if there are multiple domain controllers, or if the domain name was entered incorrectly in the last step), the domain controller FQDN returned by the DNS query can differ from what was entered. In this case, you may:
- Use specified Domain Controller: Continue to use the domain controller name that you entered.
Figure 332: Configure AD Password Servers
Services Control Tab
From the Services Control tab, you can view service status and control (stop or start) the various Policy Manager services, including any AD domains to which this server is currently joined.
Figure 333: Services Control Tab
Service Parameters Tab
Navigate to the Service Parameters tab to change system parameters of a variety of services. The options on this page vary based on the selected service. Determine the service that you want to edit.
- "Policy Server Options" on page 342
- "Radius Server Options" on page 343
- "Stats Collection Service Options" on page 346
- "System Monitor Service Options" on page 346
- "Tacacs Server Options" on page 347
Figure 334: Service Parameters tab - Policy server example
Async Network Services Options
Configure the Post-Auth and Command Control parameters for the Async network service on this page.
ClearPass Network Services Options
The ClearPass Network Services parameters aggregate service parameters from the following services:
- DhcpSnooper Service
- Snmp Service
- WebAuth Service
- Posture Service
Figure 336: ClearPass Network Services Parameters
Table 203: Service Parameters - ClearPass network services
DhcpSnooper: MAC to IP Request Hold time: Number of seconds to wait before responding to a query to get the IP address corresponding to a MAC address.
Table 203: Service Parameters - ClearPass network services (Continued)
LinkUp Timeout: Seconds to wait before processing link-up traps. If a MAC notification trap arrives in this time, the SNMP service will not try to poll the switch for MAC addresses behind a port for link-up processing.
IP Address Cache Timeout: Duration in seconds for which a MAC to IP lookup response is cached.
Table 203: Service Parameters - ClearPass network services (Continued)
Audit Thread Pool Size: The number of threads to use for connections to audit servers.
Audit Result Cache Timeout: The time (in seconds) for which audit result entries are cached by Policy Manager.
Audit Host Ping Timeout: The number of seconds for which Policy Manager pings an end-host before giving up and deeming the host unreachable.
Table 204: Service Parameters - ClearPass system services (Continued)
Enable zlib output compression: Setting to compress the output files.
Include PHP header in web server response: Setting to include the PHP header in HTTP responses.
HTTP Proxy:
- Proxy Server: Hostname or IP address of the proxy server.
- Port: Port at which the proxy server listens for HTTP traffic.
- Username: Username to authenticate with the proxy server.
- Password: Password to authenticate with the proxy server.
Table 205: Service Parameters tab - Policy Server service
Machine Authentication Cache Timeout: The time (in hours) for which machine authentication entries are cached by Policy Manager.
Authentication Thread Pool Size: The number of threads to use for LDAP/AD and SQL connections.
LDAP Primary Retry Interval: After a primary LDAP server is down, Policy Manager connects to one of the backup servers.
Table 206: Service Parameters tab - Radius Server Service
Proxy Maximum Response Delay: Time delay before retrying a proxy request, if the target server has not responded.
Maximum Reactivation Time: Time to elapse before retrying a dead proxy server.
Maximum Retry Counts: Maximum number of times to retry a proxy request if the target server doesn't respond.
Table 206: Service Parameters tab - Radius Server Service (Continued)
AD/LDAP Authentication Source Connection Count: Maximum number of AD/LDAP connections opened.
SQL DB Authentication Source Connection Count: Maximum number of SQL DB connections opened.
EAP-TLS Fragment Size: Maximum size of an EAP-TLS fragment.
Use Inner Identity in Access-Accept Reply: Specify TRUE or FALSE.
TLS Session Cache Limit: Number of TLS sessions to cache before purging the cache (used in TLS based 802.
Table 206: Service Parameters tab - Radius Server Service (Continued)
Master Key Expire Time: Lifetime of a generated EAP-FAST master key.
Master Key Grace Time: Grace period for an EAP-FAST master key after its lifetime. If a client presents a PAC that is encrypted using the master key in this period after its TTL, it is accepted and a new PAC encrypted with the latest master key is provisioned on the client.
Table 208: Services Parameters tab - System monitor service
Free Disk Space Threshold: This parameter monitors the available disk space. If the available free disk space falls below the specified threshold (default 30%), the system sends SNMP traps to the configured trap servers.
1 Min CPU load average Threshold: These parameters monitor the CPU load average of the system, specifying thresholds for the 1-min, 5-min and 15-min averages, respectively.
Figure 343: System Monitoring Tab
Table 210: System Monitoring tab details
System Location/System Contact: Policy Manager appliance location and contact information.
SNMP Configuration: Version: V1, V2C or V3.
SNMP Configuration: Community String: Read community string.
SNMP Configuration: SNMP v3: Username: Username to use for SNMP v3 communication.
Network Tab
Navigate to the Network tab to create GRE tunnels and VLANs related to guest users and to control which applications have access to the node.
Figure 344: Network Interfaces Tab
Creating GRE tunnels
The administrator can create a generic routing encapsulation (GRE) tunnel. This protocol can be used to create a virtual point-to-point link over a standard IP network or the internet. Navigate to the Network tab and click Create Tunnel.
Figure 346: Creating VLAN Page
Table 212: Creating VLAN Parameters
Physical Interface: The physical port on which to create the VLAN interface. This is the interface through which the VLAN traffic will be routed.
VLAN Name: Name for the VLAN interface. This name is used to identify the VLAN in the list of network interfaces.
VLAN ID: 802.1Q VLAN identifier. Enter a value between 1 and 4094. The VLAN ID cannot be changed after the VLAN interface has been created.
Figure 347: Restrict Access dialog box
Table 213: Restrict Access Parameters
Resource Name: Select the application to which you want to allow or deny access.
Network: Enter one or more hostnames, IP addresses, or IP subnets, one per line. The devices defined by what you enter here will be either specifically allowed or specifically denied access to the application you select.
Access: Select Allow to define allowed access, or Deny to define denied access.
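Added example (not ClearPass code) of how an Allow or Deny list of this form evaluates, in Python: the rule text is parsed one entry per line, then a client's IP address (and an optional resolved hostname supplied by the caller, so nothing is looked up) is matched against it. The rule contents and addresses in the test are constructed.

```python
# Added example (not ClearPass code): evaluate a Restrict Access rule of the
# kind described above. The rule body is one hostname, IP address or IP subnet
# per line; the mode is Allow or Deny. Hostname entries are compared with the
# client's resolved name passed in by the caller; no DNS lookups are made.
import ipaddress


def parse_rule(text):
    """Split the text-area contents into network objects and hostnames."""
    networks, hostnames = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # tolerate blank/comment lines
            continue
        try:
            # a bare address becomes a /32 (or /128) network
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            hostnames.add(line.lower())
    return networks, hostnames


def matches(rule, client_ip, client_hostname=None):
    """True if the client is covered by any entry of the parsed rule."""
    networks, hostnames = rule
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in networks):
        return True
    return client_hostname is not None and client_hostname.lower() in hostnames


def is_permitted(mode, rule_text, client_ip, client_hostname=None):
    """Return True if the client may reach the resource.

    Allow: only listed devices get access. Deny: listed devices are blocked
    and everyone else gets access. The mode string is validated so that a
    typo cannot silently turn a Deny list into an open policy.
    """
    if mode not in ("Allow", "Deny"):
        raise ValueError(f"unknown access mode {mode!r}")
    hit = matches(parse_rule(rule_text), client_ip, client_hostname)
    return hit if mode == "Allow" else not hit
```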
Figure 348: Change Date and Time - Date & Time tab
Table 214: Change Date and Time - Date & Time tab Parameters
Date in yyyy-mm-dd format / Time in hh:mm:ss format: To specify the date and time, use the indicated syntax. This is available only when Synchronize time with NTP server is unchecked.
Synchronize Time With NTP Server: To synchronize with a Network Time Protocol server, enable this check box and specify the NTP servers. Only two servers may be specified.
Figure 349: Time zone on publisher tab
Change Cluster Password
Navigate to Administration > Server Manager > Server Configuration, and click on the Change Cluster Password link. Use this function to change the cluster-wide password. Changing this password also changes the password for the CLI user 'appadmin'.
Figure 350: Change Cluster Password
Table 215: Change Cluster Password
New Password / Verify Password: Enter and confirm the new password.
Save/Cancel: Commit or dismiss changes.
Manage Policy Manager Zones
CPPM shares a distributed cache of runtime state across all nodes in a cluster.
Table 216: Policy Manager Zones (Continued)
Add
Delete: Select the delete (trashcan) icon to delete a zone.
NetEvents Targets
NetEvents are a collection of details for various ClearPass Policy Manager entities such as users, endpoints, guests, authentications, accounting details, and so on. This information is periodically posted to a server that is configured as the NetEvents target.
Figure 353: Virtual IP Settings
Table 218: Virtual IP Settings Parameters
Virtual IP: Enter the IP address you want to define as the virtual IP address.
Node: Select the servers to use as the primary and secondary nodes.
Interface: Select the interface on each server where the virtual IP address should be bound.
Subnet: This value is entered automatically. You do not need to change it.
Enabled: Select the check box to enable the virtual IP address.
Table 219: Add Subscriber Node
Publisher IP / Publisher Password: Specify the publisher address and password. NOTE: The password specified here is the password for the CLI user appadmin.
Restore the local log database after this operation: Enable to restore the log database following the addition of a subscriber node.
Do not backup the existing databases before this operation: Enable this check box only if you do not require a backup of the existing database.
Figure 356: Cluster-Wide Parameters dialog box, General tab
Figure 357: Cluster-Wide Parameters dialog box, Cleanup Interval tab
Figure 358: Cluster-Wide Parameters dialog box, Notifications tab
Figure 359: Cluster-Wide Parameters dialog box, Standby Publisher tab
Figure 360: Cluster-Wide Parameters dialog box, Virtual IP Configuration tab
Table 221: Cluster-Wide Parameters
General
Policy result cache timeout: The maximum time allowed in minutes to store the role mapping and posture results derived by the policy engine during a policy evaluation.
Table 221: Cluster-Wide Parameters (Continued)
Auto backup configuration options
Free disk space threshold value: This controls the percentage below which disk usage warnings are issued in the Policy Manager Event Viewer. For example, a value of 30% indicates that a warning is issued if only 30% or less of disk space is available.
Free memory threshold value: This controls the percentage below which RAM usage warnings are issued in the Policy Manager Event Viewer.
Table 221: Cluster-Wide Parameters (Continued)
Known endpoints cleanup interval: A value (in days) that ClearPass uses to determine when to start deleting known or disabled entries from the Endpoint repository. Known entries are deleted based on the last "Updated At" value of each endpoint. For example, if this value is 7, known endpoints that do not have an "Updated At" value within the last 7 days will be deleted.
Table 221: Cluster-Wide Parameters (Continued)
Enable Publisher Failover: Select TRUE to authorize a node in the cluster to act as the publisher if the primary publisher fails.
Designated Standby Publisher: Select the server in the cluster to act as the standby publisher.
4. Select the types of logging information you want to collect:
  - System Logs
  - Logs from all Policy Manager services
  - Capture network packets for the specified duration. Use this with caution, and only when you want to debug a problem; system performance can be severely impacted.
  - Diagnostic dumps from Policy Manager services
  - Backup CPPM Configuration data
5. Enter the time period of the information you want to collect. Either:
  - Enter a number of days.
Table 222: Backup (Continued)
Do not backup password fields in configuration database: Select this if you do not want to back up password fields in the configuration database.
Backup databases for installed applications: Select this option if you want the backup to include databases for installed applications.
Restore
Navigate to the Administration > Server Manager > Server Configuration page, and click on the Restore button.
Restore CPPM session log data (if it exists in the backup): Enable to include the log data in the restore.
Restore Insight data (if it exists in the backup): Enable to include Insight reporting data in the restore.
Ignore version mismatch and attempt data migration: This option must be checked when you are migrating configuration and/or log data from a backup file that was created with a previous compatible version.
Restore cluster server/node entries from backup.
Figure 364: Local Shared Folders Page
Licensing
The Administration > Server Manager > Licensing page shows all the licenses that have been activated for the entire CPPM cluster. You must have a Dell Networking W-ClearPass Policy Manager base license for every instance of the product.
Activating an Application License
After you add or update an application license, it must be activated. Adding an application license installs an Application tab on the Licensing page.
1. Go to Administration > Server Manager > Licensing.
2. Click the Applications tab.
3. Click Activate in the Activation Status column for the application you want to activate.
4. Click OK.
5. Click the Add button.
Figure 369: Add License Page
Updating an Application License
Licenses typically require updating after they expire, for example after the evaluation license expires, or when capacity exceeds its licensed amount. You update an application license by entering a new license key.
1. Go to Administration > Server Manager > Licensing.
2. Click the Applications tab.
3. Click an application anywhere except in the Activation Status column. The Update License page appears.
4.
- Process monitoring information. Checks for the processes that should be running, with the maximum and minimum number of allowed instances. Sends traps if there is a change in the value of the maximum and minimum numbers.
- Disk usage. Checks the disk space usage of a partition. The agent can check the amount of available disk space and make sure it is above a set limit. The value can be in % as well. Sends traps if there is a change in the value.
- CPU load information. Checks for unreasonable load average values.
Table 224: Add SNMP Trap Server fields (Continued)
Description: Freeform description.
SNMP Version: V1 or V2C.
Community String/Verify: Enter and re-enter the community string for sending the traps.
Server Port: Port number for sending the traps; by default, port 162. NOTE: Configure the trap server firewall for traffic on this port.
Syslog Targets Dell Networking W-ClearPass Policy Manager can export session data (see "Access Tracker" on page 35), audit records (see "Audit Viewer" on page 60) and event records (see "Event Viewer" on page 65). This information can be sent to one or more syslog targets (servers). You configure syslog targets from this page.
Figure 374: Add Syslog Target
Table 227: Add Syslog Target
Host Address: Syslog server hostname or IP address.
Description: Freeform description.
Protocol: Select from:
- UDP: To reduce overhead and latency.
- TCP: To provide error checking and packet delivery validation.
Server Port: Port number for sending the syslog messages; by default, port 514.
Import Syslog Target
Navigate to Administration > External Servers > Syslog Targets and select Import.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.
Export Syslog Target
Navigate to Administration > External Servers > Syslog Targets and select the Export All link. The Export All link exports all configured syslog targets. Click Export Syslog Target. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the Syslog Target configuration.
Table 229: Syslog Export Filters Page Parameters (Continued)
Import: Opens the Import Syslog Filter popup.
Export All: Opens the Export Syslog Filter popup.
Enable/Disable: Click the Enable/Disable toggle button to enable or disable the syslog filter.
Export: Opens the Export popup.
Delete: To delete a Syslog Filter, select it (check box at left) and click Delete.
Import Syslog Filter
Navigate to Administration > External Servers > Syslog Filters > Import.
Adding a Syslog Export Filter (Filter and Columns tab)
This tab provides two methods for configuring data filters and is only visible if you selected Session Logs as the export template in the General tab. Option 1 allows you to choose from pre-defined field groups and to select columns based on the Type. Option 2 allows you to create a custom SQL query. You can view a sample template for the custom SQL by clicking the link below the text entry field.
Adding a Syslog Export Filter (General tab)
This topic describes the parameters on the General tab of the Add Syslog Export Filters page. The Filter and Columns tab shown in the figure below is only visible if you select Active sessions as the Data Filter type (see "Adding a Syslog Export Filter (Filter and Columns tab)" on page 375).
Table 233: Syslog Export Filters Summary tab Parameters
General:
- Name: Name created for the new filter.
- Description: Description of the new syslog export filter.
- Export Template: The template selected as the export template.
- Syslog Servers: IP address of the syslog server selected during configuration.
- ClearPass Servers: IP address of the ClearPass servers selected during configuration.
Figure 380: Messaging Setup SMTP Servers tab
Table 234: Messaging Setup SMTP Servers tab Parameters
Select Server: Specify the server for which to configure messaging. All nodes in the cluster appear in the drop-down list.
Use the same settings for sending both emails and SMSes: Check this box to configure the same settings for both your SMTP and SMS email servers. This box is checked by default.
Server name: Fully qualified domain name or IP address of the server.
Figure 381: Messaging Setup Mobile Service Providers tab
Table 235: Messaging Setup Mobile Service Providers tab Parameters
Add: Add a mobile service provider.
Provider Name: Name of the provider.
Mail Address: Domain name of the provider.
Endpoint Context Servers
Policy Manager provides the ability to collect endpoint profile information from different types of Dell W-Series IAPs and RAPs via Aruba Activate.
Modify an endpoint context server
1. Go to Administration > External Servers > Endpoint Context Servers.
2. Click the server name.
3. Make any desired changes. See "Endpoint Context Servers" on page 379 for more information.
4. Click Save.
Delete an endpoint context server
Deleting an endpoint context server just removes its configuration information from Policy Manager.
Table 236: Add Air Watch Server tab Parameters (Continued)
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Username: Enter the username.
Password / Verify Password: Enter and verify the password.
API Key: Enter the API key that was provided by the vendor.
Adding an AirWave Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Figure 385: Add AirWave Endpoint Context Server tab
Table 238: Add AirWave Endpoint Context Server tab Parameters
Select Server Type: AirWave
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server.
Figure 386: Add Aruba Activate Endpoint Context Server tab
Table 239: Add Aruba Activate Endpoint Context Server tab Parameters
Select Server Type: Aruba Activate
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Tunnel is applicable for which customer. Individual CPPM nodes in the cluster can be selected to establish the Cloud Tunnel, rather than all nodes in the CPPM cluster. See "Enable Cloud Tunnel" on page 333 for more information.
Figure 388: Add Generic HTTP Endpoint Context Server Server tab
Table 241: Add Generic HTTP Endpoint Context Server tab Parameters
Select Server Type: Generic HTTP
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Figure 389: Add Generic HTTP Endpoint Context Server Actions tab
Table 242: Add Generic HTTP Endpoint Context Server Actions tab Parameters
Handle AirGroup Time Sharing: Sends the time-based sharing policy to the AirGroup notification service.
Adding a JAMF Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Table 243: Add JAMF Endpoint Context Server tab Parameters (Continued) Parameter Description Server Base URL: Read community string. Username: Username to use for SNMP v3 communication. Password: One of NOAUTH_NOPRIV (no authentication or privacy), AUTH_NOPRIV (authenticate, but no privacy), or AUTH _PRIV (authenticate and keep the communication private). Fetch Computer Records Authentication protocol (MD5 or SHA) and key.
Table 244: Add MaaS360 Endpoint Context Server tab Parameters (Continued) Parameter Description Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber. Username: Enter the username. Password: Enter and verify the password. Application Access Key: Application ID: Enter the application ID.
Table 245: Add MobileIron Endpoint Context Server tab Parameters
Parameter: Description
Select Server Type: Select MobileIron.
Server Name: Enter the server name.
Server Base URL: Enter the server base URL.
Username: Enter the username.
Password: Enter the password.
Verify Password: Re-enter the password.
Validate Server: Click to enable validation of the server certificate.
Figure 394: Add Palo Alto Networks Firewall tab Table 247: Add Palo Alto Networks Firewall tab Parameters Parameter Description Select Server Type: Palo Alto Networks Firewall. Server Name: Enter the server name. Server Base URL: Enter the server base URL. Username: Enter the user name. Password: Enter the password. Verify Password: Re-enter the password. Use Full Username: Click to use full user name in UID updates.
Figure 395: Palo Alto Networks Panorama Endpoint Context Server tab Table 248: Palo Alto Networks Panorama Endpoint Context Server tab Parameters Parameter Description Select Server Type: Palo Alto Networks Panorama. Server Name: Enter the server name. Server Base URL: Enter the base URL of the server. Username: Enter the username. Password: Enter the password. Verify Password: Re-enter the password. Use Full Username: Click to use full username in UID updates.
Figure 396: Add SOTI Endpoint Context Server tab Table 249: Add SOTI Endpoint Context Server tab Parameters Parameter Description Select Server Type: SOTI. Server Name: Enter the server name. Server Base URL: Enter the base URL of the server. Username: Enter the user name. Password: Enter the password. Verify Password: Re-enter the password. Group ID: (optional) Enter the group ID. Validate Server: Click to enable validation of the server.
Figure 397: Add XenMobile Endpoint Context Server tab
Table 250: Add XenMobile Endpoint Context Server tab Parameters
Parameter: Description
Select Server Type: XenMobile.
Server Name: Enter the server name.
Server Base URL: Enter the server base URL.
Username: Enter the user name.
Password: Enter the password.
Verify Password: Re-enter the password.
Validate Server: Click to enable validation of the server certificate.
Table 251: Server Certificate Interfaces (Common)
Parameter: Description
Create Self-Signed Certificate: Opens the Create Self-Signed Certificate page where you can create and install a self-signed certificate.
Create Certificate Signing Request: Opens the Create Certificate Signing Request page where you can create a Certificate Signing Request (CSR) to submit to a Certificate Authority.
Select Server: Select a server in the cluster for server certificate operations.
Select Type: Select a certificate type.
Table 252: Server Certificate Parameters (RADIUS Server Certificate Type) Parameters (Continued) Parameter Description Expiry Date: The date when the Certificate expires. Validity Status: The status of the Certificate. View Details Click this button to view details about the Certificate, such as Signature Algorithm, Subject Public Key Info, and more. Delete This button is disabled.
Figure 399: Create Certificate Signing Request
After you complete the Create Certificate Signing Request form and click Submit, the generated certificate signing request is displayed. Copy the CSR text and paste it into the Certificate Authority's Web form as part of the enrollment process.
Figure 400: Generated Certificate Signing Request
Table 254: Create Certificate Signing Request Parameters Parameter Description Common Name (CN): Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required. The default is the fully-qualified domain name (FQDN). Organization (O): Name of the organization. This field is optional. Organizational Unit (OU): Name of a department, division, section, or other meaningful name. This field is optional.
Figure 401: Create Self-Signed Certificate Page
Table 255: Create Self-Signed Certificate Page Parameters
Parameter: Description
Selected Server: Displays the name of the server selected on the Server Certificate page.
Selected Type: Displays the certificate type selected for the server.
Common Name (CN): Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required.
Organization (O): Name of the organization.
Table 255: Create Self-Signed Certificate Page Parameters (Continued)
Parameter: Description
Private Key Password: Enter the Private Key Password.
Verify Private Key Password: Re-enter the Private Key Password.
Private Key Type: If you selected the RADIUS Server Certificate type for the server, select from: 1024-bit RSA, 2048-bit RSA, 4096-bit RSA, X9.62/SECG curve over a 256 bit prime field, or NIST/SECG curve over a 384 bit prime field.
Digest Algorithm: Select the message digest algorithm to use: SHA-1, MD5, or MD2.
Choose 2048-bit RSA or larger, or one of the elliptic curves; 1024-bit RSA is too weak to rely on, and MD2, MD5 and SHA-1 are broken or deprecated for certificate signatures and are rejected by current browsers and many 802.1X supplicants. Where only these digests are offered for a self-signed certificate, obtain a CA-issued certificate through a Certificate Signing Request instead.
Table 256: Install Self-Signed Certificate Page Parameters
Parameter: Description
Selected Server: Displays the name of the server selected on the first page.
Selected Type: Displays the name of the certificate type selected for the server.
Subject DN: Displays the organization, common name and location of the Subject DN.
Issuer DN: Displays the organization, common name and location of the Issuer DN (the CA that signed the certificate; for a self-signed certificate this is the same as the Subject DN).
Table 257: Import Server Certificate Parameters Parameter Description Selected Server Enter the name of the server. Selected Type Select RADIUS Server Certificate or HTTPS Server Certificate. Certificate File Browse to the certificate file to be imported. Private Key File Browse to the private key file to be imported. Private Key Password Specify the private key password that was entered when the Server Certificate was configured.
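The following POSIX shell script is an added example, not part of the guide and not ClearPass code: it uses openssl to produce the files the Import Server Certificate page asks for (a CSR with the Table 254 fields, a certificate, and a password-protected private key) and then performs the two checks worth doing before you upload: that the certificate and the key actually belong together, and that neither uses the weak parameters Table 255 still lists (1024-bit RSA, MD5/SHA-1). The subject values, file names and password are assumptions, and the certificate is self-signed here only as a stand-in for the one your CA returns.

```shell
#!/bin/sh
# Added example: prepare and sanity-check a certificate/private-key pair
# for ClearPass "Import Server Certificate". Requires the openssl CLI.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Hypothetical subject; use your server's FQDN and organization.
SUBJ="/CN=cppm.example.com/O=Example Corp/OU=NetSec"

# Generate a 2048-bit RSA key and a CSR (the UI's Create Certificate Signing
# Request page does the same; openssl stands in for it here). Prints the
# subject so you can compare it with what the CA expects.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "$SUBJ" 2>/dev/null
  openssl req -in "$WORK/server.csr" -noout -subject
}

# Stand-in for the CA-issued certificate: self-sign the CSR with its own key.
# In production the CA returns this file; do not self-sign for real use.
issue_cert() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 365 -sha256 -out "$WORK/server.crt" 2>/dev/null
}

# Encrypt the private key with the password you will type into the
# "Private Key Password" field of the Import page ($1).
encrypt_key() {
  openssl rsa -in "$WORK/server.key" -aes256 -passout "pass:$1" \
    -out "$WORK/server.key.enc" 2>/dev/null
}

# Check 1: the public key inside the certificate must equal the public key
# derived from the (encrypted) private key file. Returns 0 on match.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl rsa -in "$WORK/server.key.enc" -passin "pass:$1" -pubout 2>/dev/null \
            | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 2: refuse weak parameters before importing: RSA below 2048 bits, or
# a signature digest other than SHA-256. Returns 0 when acceptable.
cert_is_strong() {
  txt=$(openssl x509 -in "$WORK/server.crt" -noout -text)
  echo "$txt" | grep -Eq 'Public-Key: \((2048|4096) bit\)' || return 1
  echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
}
```

Run make_csr, submit the printed CSR to your CA, place the returned certificate at server.crt, then run encrypt_key, key_matches_cert and cert_is_strong before importing server.crt and server.key.enc with the same password.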
Figure 405: Add Certificate Table 259: Add Certificate Parameter Description Certificate File: Browse to select certificate file. Add Certificate/Cancel Click Add Certificate to commit, or Cancel to dismiss the popup. Revocation Lists To display available Revocation Lists, navigate to Administration > Certificates > Revocation Lists. To add a revocation list, click Add Revocation List. To delete a revocation list, select the check box to the left of the list and then click Delete.
Figure 407: Add Certificate Revocation List Page Table 261: Add Revocation List Page Parameters Parameter Description File File enables the Distribution File option. Distribution File: Specify the distribution file (e.g., C:/distribution/crl.verisign.com/Class3InternationalServer.crl) to fetch the certificate revocation list. URL URL enables the Distribution URL option. Distribution URL: Specify the distribution URL (e.g., http://crl.verisign.com/Class3InternationalServer.
Figure 408: RADIUS Dictionaries
Click on a row to view the dictionary attributes, to enable or disable the dictionary, and to export the dictionary. For example, click on vendor IETF to see all IETF attributes and their data type.
Figure 409: RADIUS IETF Dictionary Attributes
Table 262: RADIUS Dictionary Attributes
Parameter: Description
Export: Click to save the dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.
Figure 410: Import RADIUS Dictionary Table 263: Import RADIUS Dictionary Parameter Description Select File Browse to select the file that you want to import. Enter secret for the file (if any) If the file that you want to import is password protected, enter the secret here. Posture Dictionary To add a vendor posture dictionary, click on Import. To edit an existing dictionary, export an existing dictionary, edit the exported XML file, and then import the dictionary.
Figure 412: Posture Attributes Page Table 265: Posture Attributes Parameters Parameter Description Export Click to save the posture dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager. TACACS+ Services Dictionary To view the contents of the TACACS+ service dictionary, sorted by Name or Display Name, navigate to: Administration > Dictionaries > TACACS+ Services. To add a new TACACS+ service dictionary, click on the Import link.
Figure 414: Shell Service Dictionary Attributes Fingerprints Dictionary The Device Fingerprints table shows a listing of all the device fingerprints recognized by the Profile module. These fingerprints are updated from the Dell W-ClearPass Update Portal (see "Software Updates" on page 416 for more information.) Figure 415: Device Fingerprints Page You can click on a line in the Device Fingerprints list to drill down and view additional details about the category.
Figure 416: Device Fingerprint Dictionary Attributes Page
Attributes Dictionary
The Administration > Dictionaries > Attributes page allows you to specify unique sets of criteria for LocalUsers, GuestUsers, Endpoints, and Devices. This information can then be used with role-based device policies for enabling appropriate network access.
Table 267: Attributes Page Parameters (Continued) Parameter Description Name The name of the attribute. Entity Shows whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint. Data Type Shows whether the data type is string, integer, boolean, list, text, date, MAC address, or IPv4 address. Is Mandatory Shows whether the attribute is required for a specific entity. Allow Multiple Shows whether multiple attributes are allowed for an entity.
Import Attributes Select Import on the upper right portion of the page. The imported file is in XML format. To view a sample of this XML format, export a dictionary file and open it in an XML viewer. Figure 419: Import from file Page Table 269: Import From File Setting Parameters Parameter Description Select File / Enter secret for the file Browse to the dictionary file to be imported. Enter the secret key (if any) that was used to export the dictionary.
l "Importing" on page 21 l "Exporting" on page 22 View an application dictionary 1. Go to Administration > Dictionaries > Applications. 2. Click the name of an application. The Application Attributes dialog box appears. Delete an application dictionary In general, you should have no need to delete an application dictionary. They have no effect on Policy Manager performance. 1. Go to Administration > Dictionaries > Applications. 2. Click the check box next to an application name. 3. Click Delete.
Figure 420: Endpoint Context Server Actions Page Table 270: Endpoint Context Server Action Page Parameters Parameter Description Server Type The server type configured when the server action was configured. Name The name of the action, such as Enterprise Wipe, Lock Device, and more. HTTP Method The HTTP method selected when the server action was configured. Description A description of the action, such as "Delete all information stored" if the configured action is Remote Wipe.
Figure 421: Endpoint Context Server Details Action tab Table 271: Endpoint Context Server Action tab Parameters Parameter Description Action Specifies the server type, name, description and HTTP Method. Enter the URL of the server. Header Specifies the key-value pairs to be included in the HTTP Header. Content Specifies a content-Type. Choose from CUSTOM, HTML, JSON, PLAIN, XML. Attributes Specifies the mapping for attributes used in the content to parameterized values from the request.
Table 272: Import Context Server Action Parameter Description Select File / Enter secret for the file (if any) Browse to the dictionary file to be imported. Enter the secret key (if any) that was used to export the dictionary. Import/Cancel Click Import to commit, or Cancel to dismiss the popup. Export Context Server Actions Select Export All on the upper right portion of the page. The file that you export will be sent to your default download folder in XML format.
Table 274: OnGuard Settings Container Description Global Agent Settings Configure global parameters for OnGuard agents. Parameters include the following: l Allowed Subnets for Wired access: Add a comma-separated list of IP or subnet addresses. l Allowed Subnets for Wireless access: Add a comma-separated list of IP or subnet addresses. l Cache Credentials Interval (in days): Select the number of days the user credentials should be cached on OnGuard agents.
Table 274: OnGuard Settings (Continued) Container Description Windows The URLs for the different agent deployment packages for Windows. Mac OS X The URLs for the different agent deployment packages for Mac OS X. Agent Customization Managed Interfaces Mode Select the type(s) of interfaces that OnGuard will manage on the endpoint. Options include: l Wired l Wireless l VPN l Other Select one of: Authenticate - no health checks. l Check health - no authentication.
l Posture updates, including Antivirus, Antispyware, and Windows Updates
l Profile data updates, including Fingerprint
l Software upgrades for the ClearPass family of products
l Patch binaries, including Onboard, Guest Plugins and Skins
Updates are stored on the ClearPass webservice server. When a valid Subscription ID is saved, the Dell Networking W-ClearPass Policy Manager server periodically communicates with the webservice about available updates.
Table 275: Software Updates Page Parameters (Continued) Parameter Description Import Updates Use Import Updates to import (upload) the Posture and Profile Data into this server, if this server is not able to reach the webservice server. The data can be downloaded from webservice server by accessing the URL: https://clearpass.dell-pcw.com/cppm/appupdate/cppm_apps_updates.zip. When prompted, enter the provided Subscription ID for the username and the password for authentication.
Install Update dialog box
The Install Update dialog box shows the log messages generated during the install of an update. This popup appears when an Install button is clicked. If the popup is closed, it can be brought up again by clicking the 'Install in progress...' link while an installation is in progress, or by clicking the 'Installed', 'Install Error', or 'Needs Restart' link after the installation is completed.
write operations are allowed only on this master node. The Policy Manager appliance defaults to a Publisher node unless it is made a Subscriber node. A Policy Manager cluster can contain only one Publisher node. Cluster commands can be used to change the state of the node, hence the Publisher can be made a Subscriber. MySQL is supported in versions 6.0 and newer. Aruba does not ship MySQL drivers by default. If you require MySQL, contact Aruba support to get the required patch.
If the publisher is not available when the subscriber boots up after the upgrade, adding the node back to the cluster fails. In that case, the subscriber comes up with an empty database. Fix the problem by adding the subscriber back into the cluster from the CLI. All node configuration, including certificates, log configuration and server parameters are restored (as long as the node entry exists in the publisher with Cluster Sync=false).
Figure 427: Remote Assistance Session Page Table 277: Remote Assistance Session Page Parameters Parameter Description Name Text name of session. Type Indicates if the session is a one-time session or a periodic session. Move the cursor over the entry to view the schedule of the session. Support Contact The email address of the support contact. Status Provides the session state.
Table 279: Add Session Page Parameters
Parameter: Description
Session Name: Text name of session.
Session Type: One Time; Future (will initiate a session in future, on a selected date and time); Weekly (will initiate a session on a selected Weekday at the selected time); Monthly (will initiate a session on a selected day of every month at the selected time).
Duration: The duration of a session is specified in Hours and Minutes.
Status:
Figure 429: Documentation page
Appendix A Command Line Interface Refer to the following sections: l "Available Commands" on page 425 l "Cluster Commands" on page 427 l "Configure Commands" on page 430 l "Network Commands" on page 432 l "Service Commands" on page 435 l "Show Commands" on page 436 l "System Commands" on page 438 l "Miscellaneous Commands" on page 441 Available Commands Table 280: Command Categories Command ad auth See "Miscellaneous Commands" on page 441 ad netleave See "Miscellaneous Commands" on page 441
Table 280: Command Categories (Continued) Command cluster set-local-passwd configure date configure dns configure hostname configure ip configure timezone dump certchain See "Miscellaneous Commands" on page 441 dump logs See "Miscellaneous Commands" on page 441 dump servercert See "Miscellaneous Commands" on page 441 exit See "Miscellaneous Commands" on page 441 help See "Miscellaneous Commands" on page 441 krb auth See "Miscellaneous Commands" on page 441 krb list See "Miscellaneous Commands" on page 441
Table 280: Command Categories (Continued) Command restore See "Miscellaneous Commands" on page 441 service activate service deactivate service list service restart service start service status service stop show date show dns show domain show all-timezones show hostname show ip showlicense show timezone show version system boot-image system gen-support-key system update system restart system shutdown system install-license system upgrade Cluster Commands The Policy Manager command line interface includes t
l "drop-subscriber" on page 428 l "list" on page 428 l "make-publisher" on page 428 l "make-subscriber" on page 429 l "reset-database" on page 429 l "set-cluster-passwd" on page 429 l "set-local-passwd" on page 430 drop-subscriber Removes specified subscriber node from the cluster. Syntax cluster drop-subscriber [-f] [-i ] -s Where: Table 281: Drop-Subscriber Commands Flag/Parameter Description -f Force drop, even for down nodes.
Example
[appadmin]# cluster make-publisher
********************************************************
* WARNING: Executing this command will promote the     *
* current machine (which must be a subscriber in the   *
* cluster) to the cluster publisher. Do not close the  *
* shell or interrupt this command execution.           *
********************************************************
Continue? [y|Y]: y
make-subscriber
Makes this node a subscriber to the specified publisher node.
Returns
[appadmin]# cluster set-cluster-passwd
cluster set-cluster-passwd
Enter Cluster Passwd: santaclara
Re-enter Cluster Passwd: santaclara
INFO - Password changed on local (publisher) node
Cluster password changed
set-local-passwd
Changes the local password. Executed locally; prompts for the new local password.
Table 283: Date Commands (Continued) Flag/Parameter Description -t
Table 284: IP Commands
Flag/Parameter: Description
mgmt | data: Network interface type.
IP address: Server IP address.
netmask: Netmask address.
gateway: Gateway address.
Example
[appadmin]# configure ip data 192.168.5.12 netmask 255.255.255.0 gateway 192.168.5.1
timezone
Configures time zone interactively.
Table 285: IP Commands Flag/Parameter Description Specify management or data interface -i id of the network ip rule. If unspecified, the system will auto-generate an id. Note that the id determines the priority in the ordered list of rules in the routing table. -s Optional. Specifies the ip address or network (for example, 192.168.5.0/24) or 0/0 (for all traffic) of traffic originator. Only one of SrcAddr or DstAddr must be specified. -d Optional.
Table 287: Nslookup Commands
Flag/Parameter: Description
-q: Type of DNS record. For example, A, CNAME, PTR
Host or domain name to be queried.
Example 1
[appadmin]# nslookup sun.us.arubanetworks.com
Example 2
[appadmin]# nslookup -q SRV arubanetworks.com
ping
Tests reachability of the network host.
Syntax
network ping [-i ] [-t]
Where:
Table 288: Ping Commands
Flag/Parameter: Description
-i: Optional. Originating IP address for ping.
-t: Optional.
Example [appadmin]# network reset data traceroute Prints route taken to reach network host. Syntax network traceroute Where: Table 290: Traceroute Commands Flag/Parameter Description Name of network host. Example [appadmin]# network traceroute sun.us.arubanetworks.
Example 1 [appadmin]# service activate tips-policy-server Example 2 [appadmin]# service list all service list Policy server [ tips-policy-server ] Admin UI service [ tips-admin-server ] System auxiliary services [ tips-system-auxiliary-server ] Radius server [ tips-radius-server ] Tacacs server [ tips-tacacs-server ] Async DB write service [ tips-dbwrite-server ] DB replication service [ tips-repl-server ] System monitor service [ tips-sysmon-server ] Example 3 [appadmin]# service status tips-domain-ser
Example [appadmin]# show date Wed Oct 31 14:33:39 UTC 2012 dns Displays DNS servers. Syntax show dns Example [appadmin]# show dns show dns =========================================== DNS Information ------------------------------------------Primary DNS : 192.168.5.3 Secondary DNS : Tertiary DNS : =========================================== domain Displays Domain Name, IP Address, and Name Server information.
Subnet Mask : 255.255.255.0 Gateway : 192.168.5.1 =========================================== Device Type : Data Port ------------------------------------------IP Address : Subnet Mask : Gateway : =========================================== DNS Information ------------------------------------------Primary DNS : 192.168.5.
l "install-license" on page 439 l "restart" on page 440 l "shutdown" on page 440 l "update" on page 440 l "upgrade" on page 441 boot-image Sets system boot image control options. Syntax system boot-image [-l] [-a ] Where: Table 292: Boot-Image Commands Flag/Parameter Description -l Optional. List boot images installed on the system. -a Optional. Set active boot image version, in A.B.C.D syntax.
Example [appadmin]# system install-license morph-vm Converts an evaluation VM to a production VM. With this command, licenses are still required to be installed after the morph operation is complete. Syntax system morph-vm Where: Table 294: Install-License Commands Flag/Parameter Description Mandatory. This is the updated ClearPass version.
Syntax system update [-i user@hostname:/ | http://hostname/] system update [-l] Where: Table 295: Update Commands Flag/Parameter Description -i user@hostname:/ | http://hostname/ Optional. Install the specified patch on the system. -l Optional. List the patches installed on the system. NOTE: This command supports only SCP and http uploads. Example [appadmin]# system update upgrade Upgrades the system.
l "ad netleave" on page 443 l "ad testjoin" on page 443 l "alias" on page 443 l "backup" on page 444 l "dump certchain" on page 444 l "dump logs" on page 444 l "dump servercert" on page 445 l "exit" on page 445 l "help" on page 445 l "krb auth" on page 446 l "krb list" on page 446 l "ldapsearch" on page 446 l "quit" on page 447 l "restore" on page 447 l "system start-rasession" on page 448 l "system terminate-rasession" on page 448 l "system status-rasession" on page 448 ad
Table 298: Ad Netjoin Commands Flag/Parameter Description Required. Host to be joined to the domain. [domain NETBIOS name] Optional. Example [appadmin]# ad netjoin atlas.us.arubanetworks.com ad netleave Removes host from the domain. Syntax ad netleave Example [appadmin]# ad netleave ad testjoin Tests if the netjoin command succeeded. Tests if Policy Manager is a member of the AD domain.
backup Creates backup of Policy Manager configuration data. If no arguments are entered, the system auto-generates a filename and backs up the configuration to this file. Syntax backup [-f ] [-L] [-P] Where: Table 300: Backup Commands Flag/Parameter Description -f Optional. Backup target. If not specified, Policy Manager will auto-generate a filename. -L Optional. Do not backup the log database configuration -P Optional.
Table 302: Dump Logs Commands
Flag/Parameter: Description
-f: Specifies target for concatenated logs.
-s yyyy-mm-dd: Optional. Date range start (default is today).
-e yyyy-mm-dd: Optional. Date range end (default is today).
-n: Optional. Duration in days (from today).
-t: Optional. Type of log to collect.
-h: Print help, including the available log types.
Example 1
[appadmin]# dump logs -f tips-system-logs.
Example
[appadmin]# help
alias      Create aliases
backup     Backup Policy Manager data
cluster    Policy Manager cluster related commands
configure  Configure the system parameters
dump       Dump Policy Manager information
exit       Exit the shell
help       Display the list of supported commands
netjoin    Join host to the domain
netleave   Remove host from the domain
network    Network troubleshooting commands
quit       Exit the shell
restore    Restore Policy Manager database
service    Control Policy Manager services
show       Show configur
system
Table 305: LDAP Search commands Flag/Parameter Description Specifies the username and the full qualified domain name of the host. The -B command finds the bind DN of the LDAP directory. Example [appadmin]# ldapsearch -B admin@corp-ad.acme.com quit Exits shell. Syntax quit Example [appadmin]# quit restore Restores Policy Manager configuration data from the backup file.
system start-rasession Allows administrators to configure and begin a Remote Assistance session through the CPPM CLI. Configuring a Remote Assistance session through a CLI can be used if the CPPM UI at the customer site is inaccessible. Syntax system start-rasession Where: Table 307: Start Remote Session Commands Flag/Parameter Description Defines the duration in hours of the Remote Assistance Session.
Appendix B Rules Editing and Namespaces In the Policy Manager administration User Interface (UI) you use the same editing interface to create different types of objects: l Service rules l Role mapping policies l Internal user policies l Enforcement policies l Enforcement profiles l Post-audit rules l Proxy attribute pruning rules l Filters for Access Tracker and activity reports l Attributes editing for policy simulation When editing all these elements, you are presented with a tabular in
l "Audit Namespaces" on page 451 l "Authentication Namespaces" on page 451 l "Authorization Namespaces" on page 453 l "Certificate Namespaces" on page 454 l "Connection Namespaces" on page 455 l "Date Namespaces" on page 456 l "Device Namespaces" on page 456 l "Endpoint Namespaces" on page 457 l "Guest User Namespaces" on page 457 l "Host Namespaces" on page 457 l "Local User Namespaces" on page 457 l "Posture Namespaces" on page 458 l "RADIUS Namespaces" on page 458 l "Tacacs Nam
l MDM-Data-Roaming l MDM-Voice-Roaming l Onboard-Max-Devices l Page-Name l Provisioning-Settings-ID l SAMLRequest l SAMLResponse l Session-Timeout l User-Email-Address Audit Namespaces The Dictionaries in the audit namespace come pre-packaged with the product. The Audit namespace has the notation Vendor:Audit, where Vendor is the name of the company that has defined attributes in the dictionary. Examples of dictionaries in the audit namespace are AvendaSystems:Audit or Qualys:Audit.
Table 311: Authentication Namespace Attributes
Attribute Name: Values
InnerMethod: CHAP, EAP-GTC, EAP-MD5, EAP-MSCHAPv2, EAP-TLS, MSCHAP, PAP
OuterMethod: CHAP, EAP-FAST, EAP-MD5, EAP-PEAP, EAP-TLS, EAP-TTLS, MSCHAP, PAP
Phase1PAC: None - No PAC was used to establish the outer tunnel in the EAP-FAST authentication method; Tunnel - A tunnel PAC was used to establish the outer tunnel in the
Phase2PAC:
Posture:
Status:
Table 311: Authentication Namespace Attributes (Continued)
Attribute Name: Values
MacAuth: NotApplicable - Not a MAC Auth request; Known Client - Client MAC address was found in an authentication source; Unknown Client - Client MAC address was not found in an authentication source
Username: The username as received from the client (after the strip user name rules are applied).
FullUsername: The username as received from the client (before the strip user name rules are applied).
Sources This is the list of the authorization sources from which attributes were fetched for role mapping. Authorization namespaces appear in Role mapping policies SQL Instance Namespace For each instance of an SQL authentication source, there is an SQL instance namespace that appears in the rules editing interface. The SQL instance namespace consists of attributes names defined when you created an instance of this authentication source. The attribute names are pre-populated for administrative convenience.
Table 312: Certificate Namespace Attributes (Continued)
Attribute Name: Values
Issuer-C, Issuer-CN, Issuer-DC, Issuer-DN, Issuer-emailAddress, Issuer-GN, Issuer-L, Issuer-O, Issuer-OU, Issuer-SN, Issuer-ST, Issuer-UID: Attributes associated with the issuer (Certificate Authorities or the enterprise CA). Not all of these fields are populated in a certificate.
Table 313: Connection Namespace Pre-defined Attributes (Continued)
Attribute: Description
NAD-IP-Address: IP address of the network device from which the request originated.
Client-Mac-Address: MAC address of the client.
Client-Mac-Address-Colon, Client-Mac-Address-Dot, Client-Mac-Address-Hyphen, Client-Mac-Address-Nodelim: Client MAC address in different formats (colon-separated, dot-separated, hyphen-separated, and with no delimiter).
Client-IP-Address: IP address of the client (if known).
Endpoint Namespaces Use these attributes to look for attributes of authenticating endpoints, which are present in the Policy Manager endpoints list. The Endpoint namespace has the following attributes: l Disabled By l Disabled Reason l Enabled By l Enabled Reason l Info URL Guest User Namespaces The GuestUser namespace has the attributes associated with the guest user (resident in the Policy Manager guest user database) who authenticated in this session.
l Phone l Sponsor Custom attributes also appear in the attribute list if they are defined as custom tags for the local user. These attributes can be used only if you have pre-populated the values for these attributes when a local user is configured in Policy Manager. Posture Namespaces The dictionaries in the posture namespace are pre-packaged with the product.
l Post-proxy attribute pruning rules l RADIUS Enforcement profiles: All RADIUS namespace attributes that can be sent back to a RADIUS client (the ones marked with the OUT or INOUT qualifier) l Role mapping policies l Service rules: All RADIUS namespace attributes that can appear in a request (the ones marked with the IN or INOUT qualifier) Tacacs Namespaces The Tacacs namespace has the attributes associated with attributes available in a TACACS+ request.
Table 314: Policy Manager Variables
Variable: Description
%{attribute-name}: attribute-name is the alias name for an attribute that you have configured to be retrieved from an authentication source. See "Adding and Modifying Authentication Sources" on page 151.
%{RADIUS:IETF:MACAddress-Colon}: MAC address of client in aa:bb:cc:dd:ee:ff format
%{RADIUS:IETF:MACAddress-Hyphen}: MAC address of client in aa-bb-cc-dd-ee-ff format
%{RADIUS:IETF:MACAddress-Dot}: MAC address of client in aabb.ccdd.
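The substitution described for the Attributes row of Table 271 (parameterizing an endpoint context server action body) and the %{...} variables of Table 314, as an added example in Python that is not ClearPass code: it derives the Client-Mac-Address-Colon/Dot/Hyphen/Nodelim spellings of Table 313 and the RADIUS:IETF:MACAddress-* spellings of Table 314 from one MAC, then renders a JSON body for a hypothetical Generic HTTP "Lock Device" action. The request attributes, the template, and the handling of a Use Full Username toggle are constructed for illustration.

```python
import json
import re

# Constructed request attributes (not captured from a real session).
SAMPLE_REQUEST = {
    "Connection:Client-Mac-Address": "00-1A-2B-3C-4D-5E",
    "Connection:NAD-IP-Address": "192.168.5.20",
    "Authentication:Username": "jdoe",
    "Authentication:FullUsername": "jdoe@corp.example.com",
}


def mac_formats(mac):
    """Return the Colon, Hyphen, Dot and Nodelim spellings of a MAC address
    from any common input form (00:1a:..., 00-1A-..., 001a.2b3c.4d5e, 001a2b3c4d5e)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return {
        "Colon": ":".join(pairs),
        "Hyphen": "-".join(pairs),
        "Dot": ".".join(digits[i:i + 4] for i in range(0, 12, 4)),
        "Nodelim": digits,
    }


def expand_mac_variables(attrs):
    """Add the derived spellings under the names the guide lists:
    Connection:Client-Mac-Address-<Form> (Table 313) and
    RADIUS:IETF:MACAddress-Colon/Hyphen/Dot (Table 314)."""
    out = dict(attrs)
    mac = attrs.get("Connection:Client-Mac-Address")
    if mac:
        for form, text in mac_formats(mac).items():
            out[f"Connection:Client-Mac-Address-{form}"] = text
            if form != "Nodelim":
                out[f"RADIUS:IETF:MACAddress-{form}"] = text
    return out


VARIABLE = re.compile(r"%\{([^}]+)\}")


def render(template, attrs, content_type="JSON"):
    """Replace each %{Namespace:Attribute} in an action body with the request
    value. For JSON bodies every value is escaped with json.dumps, so a
    username containing a quote cannot break out of its string. A variable
    with no value raises KeyError instead of sending a partial body."""
    attrs = expand_mac_variables(attrs)

    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"no value for %{{{name}}}")
        value = str(attrs[name])
        return json.dumps(value)[1:-1] if content_type == "JSON" else value

    return VARIABLE.sub(substitute, template)


# Hypothetical "Lock Device" content for a Generic HTTP context server.
LOCK_DEVICE_TEMPLATE = (
    '{"action":"lock","mac":"%{RADIUS:IETF:MACAddress-Colon}",'
    '"user":"%{Authentication:Username}","nad":"%{Connection:NAD-IP-Address}"}'
)


def build_lock_request(attrs, use_full_username=False):
    """Return (headers, body) for the action. use_full_username mirrors the
    'Use Full Username' option shown for the Palo Alto Networks server types."""
    if use_full_username:
        attrs = dict(attrs, **{"Authentication:Username": attrs["Authentication:FullUsername"]})
    body = render(LOCK_DEVICE_TEMPLATE, attrs)
    json.loads(body)  # fail early if the rendered body is not valid JSON
    return {"Content-Type": "application/json"}, body


if __name__ == "__main__":
    print(build_lock_request(SAMPLE_REQUEST)[1])
```

Escaping each substituted value matters because the username originates from the supplicant: without it, a quote in the username would change the JSON the MDM or firewall receives rather than merely appearing inside it.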
Table 315: Attribute Operators
Attribute Type: Operators
String:
Integer:
Table 315: Attribute Operators (Continued)

Attribute Type                                         Operators
Time or Date                                           EQUALS, NOT_EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS, IN_RANGE
Day                                                    BELONGS_TO, NOT_BELONGS_TO
List (Example: Role)                                   EQUALS, NOT_EQUALS, MATCHES_ALL, NOT_MATCHES_ALL, MATCHES_ANY, NOT_MATCHES_ANY, MATCHES_EXACT, NOT_MATCHES_EXACT
Group (Example: Calling-Station-Id, NAS-IP-Address)    BELONGS_TO_GROUP, NOT_BELONGS_TO_GROUP

and all string data types The
Operator                 Description
BELONGS_TO               For string data type, true if the run-time value of the attribute matches a set of configured string values. E.g., RADIUS:IETF:Service-Type BELONGS_TO Login-User,Framed-User,Authenticate-Only
                         For integer data type, true if the run-time value of the attribute matches a set of configured integer values. E.g., RADIUS:IETF:NAS-Port BELONGS_TO 1,2,3
                         For day data type, true if the run-time value of the attribute matches a set of configured days of the week. E.g.
Operator                 Description
GREATER_THAN_OR_EQUALS   For integer, time and date data types, true if the run-time value of the attribute is greater than or equal to the configured value. E.g., RADIUS:IETF:NAS-Port GREATER_THAN_OR_EQUALS 10
IN_RANGE                 For time and date data types, true if the run-time value of the attribute is greater than or equal to the first configured value and less than or equal to the second configured value. E.g.
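As an added example (not from the ClearPass documentation or product), the following Python implements the BELONGS_TO, GREATER_THAN_OR_EQUALS and IN_RANGE operators described above, expands %{Namespace:Attribute} variables from Table 314, and derives the four MAC address forms listed in Table 313. The request dictionary, its values and the rule that an absent attribute never matches are assumptions, not documented behaviour.

```python
import re
from datetime import date

# Added example (not ClearPass documentation or product code): a small
# evaluator for the operators, variables and MAC formats the appendix
# describes.  Request values are constructed; treating an absent
# attribute as a non-match is an assumption, not documented behaviour.


def _groups(hexdigits, sep, width):
    return sep.join(hexdigits[i:i + width] for i in range(0, 12, width))


def mac_variants(mac):
    """Any MAC spelling -> the Colon / Hyphen / Dot / Nodelim variants."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return {
        "Colon": _groups(hexdigits, ":", 2),
        "Hyphen": _groups(hexdigits, "-", 2),
        "Dot": _groups(hexdigits, ".", 4),
        "Nodelim": hexdigits,
    }


def substitute(template, attrs):
    """Expand %{Namespace:Attribute} references against a request dict."""
    def repl(match):
        key = match.group(1)
        if key not in attrs:
            raise KeyError("unresolved variable %%{%s}" % key)
        return str(attrs[key])
    return re.sub(r"%\{([^}]+)\}", repl, template)


def _as_type_of(sample, text):
    """Parse a configured value as the same type as the run-time value."""
    return date.fromisoformat(text) if isinstance(sample, date) else int(text)


def evaluate(attrs, name, operator, configured):
    """Evaluate `name OPERATOR configured`, where `configured` is the
    comma-separated value string as typed in the rules editor."""
    value = attrs.get(name)
    if value is None:
        return False                      # assumption: absent never matches
    values = [v.strip() for v in configured.split(",")]
    if operator == "BELONGS_TO":          # string, integer or day: membership
        return str(value) in values
    if operator == "NOT_BELONGS_TO":
        return str(value) not in values
    if operator == "GREATER_THAN_OR_EQUALS":   # integer, time or date
        return value >= _as_type_of(value, values[0])
    if operator == "IN_RANGE":            # first value <= run-time <= second
        low, high = (_as_type_of(value, v) for v in values[:2])
        return low <= value <= high
    raise ValueError("operator not handled in this example: " + operator)
```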
Appendix C Error Codes, SNMP Traps, and System Events

This appendix contains listings of Dell Networking W-ClearPass Policy Manager error codes, SNMP traps, and important system events.
- "Error Codes" on page 465
- "SNMP Trap Details" on page 468
- "Important System Events" on page 478

Error Codes

The following table shows the CPPM error codes.
Table 317: CPPM Error Codes (Continued)

Code   Description                                      Type
211    Client certificate not valid                     Authentication failure
212    Client certificate has expired                   Authentication failure
213    Certificate comparison failed                    Authentication failure
214    No certificate in authentication source          Authentication failure
215    TLS session error                                Authentication failure
216    User authentication failed                       Authentication failure
217    Search failed due to insufficient permissions    Authentication failure
218    Authenticat
Table 317: CPPM Error Codes (Continued)

Code   Description                                                  Type
5009   Request - No MAC address record found                        Command and Control
6001   Unsupported TACACS parameter in request                      TACACS Protocol
6002   Invalid sequence number                                      TACACS Protocol
6003   Sequence number overflow                                     TACACS Protocol
6101   Not enough inputs to perform authentication                  TACACS Authentication
6102   Authentication privilege level mismatch                      TACACS Authentication
6103   No enforcement profiles matched to perform authentication    TACACS Auth
Table 317: CPPM Error Codes (Continued)

Code   Description                                       Type
9009   Unknown Phase2 PAC                                RADIUS Protocol
9010   Invalid Phase2 PAC                                RADIUS Protocol
9011   PAC verification failed                           RADIUS Protocol
9012   PAC binding failed                                RADIUS Protocol
9013   Session resumption failed                         RADIUS Protocol
9014   Cached session data error                         RADIUS Protocol
9015   Client does not support configured EAP methods    RADIUS Protocol
9016   Client did not send Cryptobinding TLV             RADIUS Protocol
9017   Failed to contact OCSP Server
.1.3.6.1.4.1.2021.8.1.2.X ==> Process Name
.1.3.6.1.4.1.2021.2.1.101.X ==> Process Status Message

Network Interface up and Down Events OIDs:
.1.3.6.1.6.3.1.1.5.3 ==> Link Down
.1.3.6.1.6.3.1.1.5.4 ==> Link Up

Disk Utilization Threshold Exceed Events OIDs:
.1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag for disk partition
.1.3.6.1.4.1.2021.9.1.2.1 ==> Name of the partition

CPU Load Average Exceed Events for 1, 5, and 15 Minute Thresholds OIDs:
.1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag for disk partition
.1.3.
Network Interface Status Traps

.1.3.6.1.6.3.1.1.5.3 ==> Indicates the linkdown trap with the 'ifAdminStatus' and 'ifOperStatus' values set to 2.
.1.3.6.1.6.3.1.1.5.
.1.3.6.1.4.1.2021.10.1.100.2 ==> Error flag on the CPU load-5 average. Value of 1 indicates the load-5 has crossed its threshold and 0 indicates otherwise.
.1.3.6.1.4.1.2021.10.1.2.2 ==> Name of CPU load-5 average

Figure 434: CPU load-5 average example

.1.3.6.1.4.1.2021.10.1.100.3 ==> Error flag on the CPU load-15 average. Value of 1 indicates the load-15 has crossed its threshold and 0 indicates otherwise.
.1.3.6.1.4.1.2021.10.1.2.3 ==> Name of CPU load-15 average.
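The trap OIDs above describe raise/clear pairs (error flag 1 or 0, linkDown/linkUp), so a receiver has to keep state rather than alert on every trap. The following Python is an added example, not ClearPass documentation or product code: a stateful handler that turns the documented process, disk, CPU load and link traps into raised and cleared conditions. The varbind lists are constructed, the (oid, value) pair representation is an assumption about the receiver, and the IF-MIB ifOperStatus OID used to recover the interface index is not from this page.

```python
# Added example (not ClearPass documentation or product code): a stateful
# handler for the UCD-SNMP style traps the appendix lists.  Varbind lists
# are constructed; the IF-MIB ifOperStatus OID is assumed, not from the page.

LINK_DOWN = ".1.3.6.1.6.3.1.1.5.3"
LINK_UP = ".1.3.6.1.6.3.1.1.5.4"
DISK_ERROR_FLAG = ".1.3.6.1.4.1.2021.9.1.100.1"
DISK_NAME = ".1.3.6.1.4.1.2021.9.1.2.1"
LOAD_FLAG = ".1.3.6.1.4.1.2021.10.1.100."   # + 1 / 2 / 3 for load-1 / load-5 / load-15
LOAD_NAME = ".1.3.6.1.4.1.2021.10.1.2."
PROC_NAME = ".1.3.6.1.4.1.2021.8.1.2."      # + X, the process index
PROC_STATUS = ".1.3.6.1.4.1.2021.2.1.101."
IF_OPER_STATUS = ".1.3.6.1.2.1.2.2.1.8."    # IF-MIB ifOperStatus.<ifIndex> (assumed)


class TrapState:
    """Keeps the set of ClearPass conditions that are currently raised."""

    def __init__(self):
        self.active = {}          # alert key -> detail text

    def handle(self, trap_oid, varbinds):
        """Process one trap given as [(oid, value), ...]; returns a
        one-line description of what happened, or None if unrecognised."""
        vb = {oid: str(value) for oid, value in varbinds}
        if trap_oid in (LINK_DOWN, LINK_UP):
            # linkDown carries ifAdminStatus/ifOperStatus = 2; linkUp clears it
            ifindex = next((o[len(IF_OPER_STATUS):] for o in vb
                            if o.startswith(IF_OPER_STATUS)), "?")
            return self._set("link:" + ifindex, trap_oid == LINK_DOWN,
                             "interface %s down" % ifindex)
        for oid, value in vb.items():
            if oid == DISK_ERROR_FLAG:            # 1 = over threshold, 0 = cleared
                name = vb.get(DISK_NAME, "unknown")
                return self._set("disk:" + name, value == "1",
                                 "disk %s over threshold" % name)
            if oid.startswith(LOAD_FLAG):         # same 1/0 convention per average
                idx = oid[len(LOAD_FLAG):]
                name = vb.get(LOAD_NAME + idx, "load-" + idx)
                return self._set("cpu:" + name, value == "1",
                                 "CPU %s over threshold" % name)
            if oid.startswith(PROC_NAME):
                # process traps are informational: name plus status message
                idx = oid[len(PROC_NAME):]
                return "%s: %s" % (value, vb.get(PROC_STATUS + idx, "no status"))
        return None

    def _set(self, key, raised, detail):
        if raised:
            self.active[key] = detail
            return "RAISE " + detail
        cleared = self.active.pop(key, None)
        return "CLEAR " + (cleared or detail)
```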
"Admin UI", "INFO", "Email Successful", "Sending email succeeded"
"Admin UI", "INFO", "SMS Successful", "Sending SMS succeeded"

Admin Server Events

Info Events
"Admin server", "INFO", "Performed action start on Admin server"

Async Service Events

Info Events
"Async DB write service", "INFO", "Performed action start on Async DB write service"
"Multi-master cache", "INFO", "Performed action start on Multi-master cache"
"Async netd service", "INFO", "Performed action start on Async netd service"

ClearPass/Doma
"timezone", "INFO", "configuration", ""
"datetime", "INFO", "configuration", "Successfully changed system datetime.\nOld time was "

ClearPass Update Events

Critical Events
"Install Update", "ERROR", "Installing Update", "File: ", "Failed with exit status - "
"ClearPass Firmware Update Checker", "ERROR", "Firmware Update Checker", "No subscription ID was supplied.
Policy Server Events

Info Events
"Policy Server", "INFO", "Performed action start on Policy server"
"Policy Server", "INFO", "Performed action stop on Policy server"

RADIUS/TACACS+ Server Events

Critical Events
"TACACSServer", "ERROR", "Request", "Nad Ip= not configured"
"RADIUS", "WARN", "Authentication", "Ignoring request from unknown client :"
"RADIUS", "ERROR", "Authentication", "Received packet from with invalid Message-Authenticator! (Shared secret is incorrect.
System Monitor Events

Critical Events
"Sysmon", "ERROR", "System", "System is running with low memory. Available memory = %"
"Sysmon", "ERROR", "System", "System is running with low disk space. Available disk space = %"
"System TimeCheck", "WARN", "Restart Services", "Restarting CPPM services as the system detected time drift.
Appendix D Use Cases

This appendix contains several specific Dell Networking W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case.
- "802.1X Wireless Use Case" on page 483
- "Web Based Authentication Use Case" on page 489
- "MAC Authentication Use Case" on page 496
- "TACACS+ Use Case" on page 499
- "Single Port Use Case" on page 501

802.
column) at each step. Below the table, we call attention to any fields or functions that may not have an immediately obvious meaning.

Policy Manager ships with fourteen preconfigured Services. In this Use Case, you select a Service that supports 802.1X wireless requests.

Table 318: 802.1X - Create Service Navigation and Settings

Create a new Service:
- Services >
- Add Service (link) >

Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): 802.
Table 319: Configure Authentication Navigation and Settings

Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager):
- Authentication (tab) >
- Methods (select a method from the drop-down list) >
- Add >
- Sources (select from the drop-down list):
  [Local User Repository] [Local SQL DB]
  [Guest User Repository] [Local SQL DB]
  [Guest Device Repository] [Local SQL DB]
  [Endpoints Repository] [Local SQL DB]
  [Onboard Devices Repository] [Local
Table 320: 802.1X - Configure Authorization Navigation and Settings

Configure the Service level authorization source. In this use case there is nothing to configure.
- Click the Next button.

Upon completion, click Next (to Role Mapping).

4. Apply a Role Mapping Policy. Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles acceptable) to the request for use by the Enforcement Policy.
Table 321: Role Mapping Navigation and Settings (Continued)

Create rules to map client identity to a Role:
- Mapping Rules (tab) >
- Rules Evaluation Algorithm (radio button): Select all matches >
- Add Rule (button opens popup) >
- Add Rule (button) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions to Actions (drop-down list) >
- Upon completion of each rule, click the Save button (in the Rules Editor) >
- When you are finished working in the Mapping Rules tab, clic
Table 322: Posture Navigation and Settings

Add a new Posture Server:
- Posture (tab) >
- Add new Posture Server (button) >

Configure Posture settings:
- Posture Server (tab) >
- Name (freeform): PS_NPS
- Server Type (radio button): Microsoft NPS
- Default Posture Token (selector): UNKNOWN
- Next (to Primary Server)

Configure connection settings:
- Primary/Backup Server (tabs): Enter connection information for the RADIUS posture server.
Table 323: Enforcement Policy Navigation and Settings

Configure the Enforcement Policy:
- Enforcement (tab) >
- Enforcement Policy (selector): Role_Based_Allow_Access_Policy

For instructions about how to build such an Enforcement Policy, refer to "Configuring Enforcement Policies" on page 281.

7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.

Web Based Authentication Use Case

This Service supports known Guests with inadequate 802.
Figure 437: Flow-of-Control of Web-Based Authentication for Guests

Configuring the Service

Perform the following steps to configure Policy Manager for WebAuth-based Guest access.

1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service. Refer to your Network Access Device documentation to configure the switch such that it redirects HTTP requests to the Dell Guest Portal, which captures username and password and optionally launches an agent that returns posture data.
Table 324: Service Navigation and Settings (Continued)

Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): Dell Web-Based Authentication >
- Name/Description (freeform) >
- Upon completion, click Next.

3. Set up the Authentication.
   a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
   b. Source: Administrators typically configure Guest Users in the local Policy Manager database.

4.
Table 325: Local Policy Manager Database Navigation and Settings

Select the local Policy Manager database:
- Authentication (tab) >
- Sources (select from the drop-down list): [Local User Repository] >
- Add >
- Strip Username Rules (check box) >
- Enter an example of preceding or following separators (if any), with the phrase "user" representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
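To make the Strip Username Rules setting concrete, here is an added example in Python (not ClearPass documentation or product code) of one way such rules can be interpreted: each rule is the word "user" with the separator(s) to strip around it, such as "\user" or "user@", and everything beyond the separator is dropped. The rule strings, the first-match-wins ordering and the sample logins are constructed assumptions.

```python
import re

# Added example (not ClearPass documentation or product code): one
# interpretation of "Strip Username Rules".  A rule is the word "user" with
# the separator(s) around it, e.g. "\user" or "user@"; the separator and
# any path/domain beyond it are stripped.  Rules and logins are constructed.


def compile_strip_rules(rules):
    """Compile rules such as '\\user', 'user@' or '/user@' into regexes."""
    compiled = []
    for rule in rules:
        if rule.count("user") != 1:
            raise ValueError("rule must contain 'user' exactly once: %r" % rule)
        before, after = rule.split("user")
        if not (before or after):
            raise ValueError("rule must name at least one separator: %r" % rule)
        pattern = "^"
        if before:                      # drop the path/domain before the separator
            pattern += ".*" + re.escape(before)
        pattern += "(?P<user>[^" + re.escape(before + after) + "]+)"
        if after:                       # drop the domain after the separator
            pattern += re.escape(after) + ".*"
        compiled.append(re.compile(pattern + "$"))
    return compiled


def strip_username(login, compiled_rules):
    """Return the username with separators, paths and domains removed;
    rules are tried in order and a login matching none is returned unchanged."""
    for regex in compiled_rules:
        match = regex.match(login)
        if match:
            return match.group("user")
    return login
```

List the more specific separator patterns first, since the first matching rule wins. Stripping collapses "alice@a.example" and "alice@b.example" onto one local record, so enable it only on sources where every realm is meant to map to the same user store.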
Table 326: Posture Policy Navigation and Settings (Continued)

Name the Posture Policy and specify a general class of operating system:
- Policy (tab) >
- Policy Name (freeform): IPP_UNIVERSAL >
- Host Operating System (radio buttons): Windows >
- When finished working in the Policy tab, click Next to open the Posture Plugins tab.

Select a Validator:
- Posture Plugins (tab) >
- Enable Windows Health System Validator >
- Configure (button) >

Configure the Validator:
- Windows System Health Validator (popup) >
- Enable all Windows operating systems (check box) >
- Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) >
- Save (button) >
- When finished working in the Posture Plugin tab, click Next to move to the Rules tab.

Set rules to correlate validation results with posture tokens:
- Rules (tab) >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) >
- In the Rules Editor, upon completion of each rule, click the Save button >
- When finished working in the Rules tab, click the Next button.
The SNMP_POLICY selected in this step provides full guest access to a Role of [Guest] with a Posture of Healthy, and limited guest access otherwise.

Table 327: Enforcement Policy Navigation and Settings

Add a new Enforcement Policy:
- Enforcement (tab) >
- Enforcement Policy (selector): SNMP_POLICY
- Upon completion, click Save.

6. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Figure 438: Flow-of-Control of MAC Authentication for Network Devices

Configuring the Service

Follow these steps to configure Policy Manager for MAC-based Network Device access.

1. Create a MAC Authentication Service.

Table 328: MAC Authentication Service Navigation and Settings

Create a new Service:
- Services >
- Add Service (link) >

Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): MAC Authentication >
- Name/Description (freeform) >
- Upon completion, click Next to configure Authentication.

2. Set up Authentication. You can select any type of authentication/authorization source for a MAC Authentication service.
Table 330: Audit Server Navigation and Settings

Configure the Audit Server:
- Audit (tab) >
- Audit End Hosts (enable) >
- Audit Server (selector): NMAP
- Trigger Conditions (radio button): For MAC authentication requests
- Reauthenticate client (check box): Enable

Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request, which foll
Figure 439: Administrator connections to Network Access Devices via TACACS+

Configuring the Service

Perform the following steps to configure Policy Manager for TACACS+-based access:

1. Create a TACACS+ Service.
   b. Source: For purposes of this use case, Network Access Device authentication data will be stored in Active Directory.

Table 333: Active Directory Navigation and Settings

Select an Active Directory server (that you have already configured in Policy Manager):
- Authentication (tab) >
- Add >
- Sources (select from the drop-down list): AD (Active Directory) >
- Add >
- Upon completion, click Next (to Enforcement Policy).

3. Select an Enforcement Policy.
Figure 440: Flow of the Multiple Protocol Per Port Case

Appendix D Supported Browsers and Java Versions

This section provides information on the steps to configure a web agent flow on Dell Networking W-ClearPass Policy Manager 6.3. This section also provides information on supported browsers and Java versions for the OnGuard Dissolvable Agent. The versions given in the Supported Browsers and Java Versions table are tested in house and are up to date at the time of this release.
Figure 441: Web Agent Flow - 802.1X Service

2. Create a service named Web-based Health Check Only on the Dell Networking W-ClearPass Policy Manager server.

Figure 442: Web Agent Flow - Health Only

3. Create a simple web auth service to authenticate users against the ClearPass Guest user database, to accept or perform the app authentication request after completing a sandwich flow.
Figure 444: Web Login - Login Form

Select the Local - match a local account option in the Post Authentication field.

Figure 445: Web Login - Post-Authentication

You can see the final web agent flow similar to the following screen output:

Table 335: Supported Browsers and Java Versions

Operating System   Browser        Java Version                                     Test Results                                                   Known Issues
Windows XP SP3     Firefox 27.x   Java plugin 10.51.2.13 or JRE-1.7 Update 51b13   Passed in Dell Networking W-ClearPass Policy Manager 6.3.1.
Table 335: Supported Browsers and Java Versions (Continued)

Operating System   Browser        Java Version                                     Test Results                                                         Known Issues
Windows 7 32-bit   IE-8.0.7600    Java plugin 10.45.2.18 or JRE-1.7_45-b18 (TM)    Passed in Dell Networking W-ClearPass Policy Manager 6.3.1.61855     None
Windows 7 32-bit   Firefox 27.x   Java plugin 10.51.2.13 or JRE-1.7 Update 51b13   Passed in Dell Networking W-ClearPass Policy Manager 6.3.1.61855     None
Windows 8 32-bit   IE-10.x        Java plugin 10.51.2.13 or JRE_1.
Refer to the Dell Networking W-ClearPass Policy Manager Release Notes for more information.