User Guide Dell Networking W-ClearPass Policy Manager 6.
Copyright Information © 2014 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents

- About Dell Networking W-ClearPass Policy Manager 1
  - Common Tasks in Policy Manager 1
    - Importing 1
    - Exporting 2
- Powering Up and Configuring Policy Manager Hardware 5
  - Server Port Overview 5
  - Server Port Configuration 5
  - Powering Off the System 7
  - Resetting the Passwords to Factory Default 8
  - Generating a Support Key for Technical Support 8
- Policy Manager Dashboard 11
- Monitoring 17
  - Live Monitoring 17
    - Access Tracker 17
      - Editing the Access Tracker 18
      - Viewing Access Tracker Session Details

    - Old Data Tab 53
    - New Data tab 54
    - Inline Difference tab 55
    - Viewing Audit Row Details (Remove Page) 55
  - Event Viewer 56
    - Creating an Event Viewer Report Using Default Values 56
    - Creating an Event Viewer Report Using Custom Values 56
    - Viewing Report Details 57
  - Data Filters 58
    - Add a Filter 59
  - Blacklisted Users 61
- Policy Manager Policy Model 63
  - Services Paradigm 63
  - Viewing Existing Services 66
  - Adding and Removing Services 67
  - Links to Use Cases and Configuration Instructions 68
  - Policy Sim

  - Enforcement Tab 105
  - Audit Tab 106
  - Summary Tab 107
  - 802.1X Wireless 108
  - 802.1X Wired 108
  - MAC Authentication 109
  - Web-based Authentication 110
  - Web-based Health Check Only 110
  - Web-based Open Network Access 111
  - 802.1X Wireless - Identity Only 112
  - 802.

  - EAP-TLS 148
  - EAP-TTLS 149
    - General Tab 149
    - Inner Methods Tab 150
  - MAC-AUTH 151
  - MSCHAP 152
  - PAP 153
- Adding and Modifying Authentication Sources 154
  - Generic LDAP and Active Directory 155
    - General Tab 155
    - Primary Tab 157
    - Attributes Tab 160
    - Summary Tab 169
  - Generic SQL DB 169
    - General Tab 169
    - Primary Tab 171
    - Attributes Tab 172
    - Summary Tab 174
  - HTTP 174
    - General Tab 174
    - Primary Tab 176
    - Attributes Tab 177
    - Summary Tab 178
  - Kerberos 178
    - General Tab 179
    - Primary Tab 180
    - Summary T

- Adding and Modifying Local Users 193
- Adding and Modifying Endpoints 195
  - Additional Available Tasks 200
- Adding and Modifying Static Host Lists 200
  - Additional Available Tasks 201
- Configuring a Role and Role Mapping Policy 202
  - Adding and Modifying Roles 202
  - Adding and Modifying Role Mapping Policies 203
    - Policy Tab 204
    - Mapping Rules Tab 204
- Posture 207
  - Posture Architecture and Flow 207
    - Posture Policy 207
    - Posture Server 207
    - Audit Server 207
  - Configuring Posture 209
    - Adding a Posture Policy

    - Profile tab 267
    - Attributes tab 267
  - Aruba Downloadable Role Enforcement
    - Profile tab 269
    - Role Configuration tab 269
    - Captive Portal Profile 270
    - Policer Profile 271
    - QoS Profile 272
    - VoIP Profile 272
    - NetService Configuration 273
    - NetDestination Configuration 273
    - Time Range Configuration 274
    - NAT Pool Configuration 274
    - ACL 275
  - Aruba RADIUS Enforcement 277
    - Profile tab 277
    - Attributes tab 277
  - Cisco Downloadable ACL Enforcement 278
    - Profile tab 278
    - Attributes tab 279
  - Cisco Web Authen

    - Attributes tab 291
  - Session Restrictions Enforcement 292
    - Profile tab 292
    - Attributes tab 293
  - SNMP Based Enforcement 294
    - Profile tab 294
    - Attributes tab 295
  - TACACS+ Based Enforcement 295
    - Profile tab 296
    - Services tab 296
  - VLAN Enforcement 297
    - Profile tab 297
    - Attributes tab 298
  - Configuring Enforcement Policies 298
- Network Access Devices 303
  - Adding and Modifying Devices 303
    - Adding a Device 303
    - Additional Available Tasks 309
  - Adding and Modifying Device Groups
    - Additional Available Ta

    - Simulation tab 322
    - Attributes tab 324
    - Results tab 325
  - RADIUS Authentication
    - Simulation tab 326
    - Attributes tab 328
      - NAS Type: Aruba Wireless Controller 328
      - NAS Type: Aruba Wired Switch Controller 329
      - NAS Type: Cisco Wireless Switch 329
    - Results tab 330
  - Role Mapping 330
    - Simulation tab 331
    - Attributes tab 332
    - Results tab 333
  - Service Categorization 333
    - Simulation tab 333
    - Attributes tab 334
    - Results tab 335
- ClearPass Policy Manager Profile 337
  - Device Profile 337
  - Collectors 337

- Administrator Privileges and IDs 348
  - Creating Custom Administrator Privileges 351
  - Sample Administrator Privilege XML File 352
- Log Configuration 353
- Server Configuration 355
  - Editing Server Configuration Settings 356
    - System Tab 357
      - Join AD Domain 359
      - Add Password Server 360
    - Services Control Tab 361
    - Service Parameters Tab 362
      - ClearPass Network Services Options 363
    - System Monitoring Tab 374
    - Network Tab 376
    - FIPS Tab 379
  - Set Date & Time 382
  - Change Cluster Password 383
  - Manage Poli

  - Exporting a Single SNMP Trap Server 408
  - Importing an SNMP Trap Server 408
- Syslog Targets 408
  - Add Syslog Target 409
  - Import Syslog Target 410
  - Export Syslog Target 410
  - Export 410
- Syslog Export Filters 411
  - Import Syslog Filter 411
  - Export Syslog Filter 412
  - Export 412
  - Adding a Syslog Export Filter (Filter and Columns tab) 412
    - Session Logs 412
    - Insight Logs 413
  - Adding a Syslog Export Filter (General tab) 414
  - Adding a Syslog Export Filter (Summary tab) 416
- Messaging Setup 416
- Endpoint

- Certificate Trust List 447
  - Add Certificate 448
- Revocation Lists 449
  - Adding a Revocation List 449
- Dictionaries 450
  - RADIUS Dictionary 450
    - Import RADIUS Dictionary 451
  - Posture Dictionary 452
  - TACACS+ Services Dictionary 453
  - Fingerprints Dictionary 454
  - Attributes Dictionary 455
    - Adding Attributes 456
    - Import Attributes 457
    - Export Attributes 458
    - Export 458
  - Applications Dictionary 458
    - View an application dictionary 459
    - Delete an application dictionary 459
- Endpoint Context Server Actions

  - make-publisher 481
  - make-subscriber 481
  - reset-database 481
  - set-cluster-passwd 482
  - set-local-passwd 482
- Configure Commands 482
  - date 482
  - dns 483
  - fips-mode 484
  - hostname 484
  - ip 484
  - ip6 485
  - mtu 486
  - timezone 487
- Network Commands 487
  - ip 487
  - ip6 489
  - nslookup 490
  - ping 491
  - ping6 491
  - reset 492
  - traceroute 492
  - traceroute6 493
- Service Commands 493
- Show Commands 494
  - all-timezones 494
  - date 495
  - dns 495
  - domain 495
  - fipsmode 495
  - hostname 496
  - ip 496

  - refresh-license 500
  - restart 500
  - shutdown 501
  - sso-reset 501
  - start-rasession 501
  - status-rasession 501
  - terminate-rasession 502
  - update 502
  - upgrade 502
- Miscellaneous Commands 504
  - ad auth 505
  - ad netjoin 505
  - ad netleave 505
  - ad testjoin 506
  - alias 506
  - backup 506
  - dump certchain 507
  - dump logs 507
  - dump servercert 508
  - exit 508
  - help 509
  - krb auth 509
  - krb list 509
  - ldapsearch 510
  - quit 510
  - restore 510
  - system start-rasession 511
  - system terminate-rasession 512
  - system stat

- Certificate Namespaces 518
  - Certificate namespace editing context 518
- Connection Namespaces 519
  - Connection namespace editing contexts 519
- Date Namespaces 520
  - Date namespace editing contexts 520
- Device Namespaces 520
- Endpoint Namespaces 521
- Guest User Namespaces 521
- Host Namespaces 521
- Local User Namespaces 521
- Posture Namespaces 522
  - Posture Namespace Editing Context 522
- RADIUS Namespaces 522
  - RADIUS namespace editing contexts 522
- Tacacs Namespaces 523
- Tips Namespaces 523
- Role 523
- P

  - 6 (b) DB replication service start SNMP trap 536
  - 7 (a) DB Change Notification server stop SNMP trap 536
  - 7 (b) DB Change Notification server start SNMP trap 537
  - 8 (a) Async netd service stop SNMP trap 537
  - 8 (b) Async netd service start SNMP trap 537
  - 9 (a) Multi-master Cache service stop SNMP trap 537
  - 9 (b) Multi-master Cache service start SNMP trap 538
  - 10 (a) AirGroup Notification service stop SNMP trap 538
  - 10 (b) AirGroup Notification service start SNMP trap 538
  - 11 (a) Micros Fidelio FIAS

    - Info Events 545
  - DB Replication Services Events 545
    - Info Events 545
  - Licensing Events 545
    - Critical Events 545
    - Info Events 545
  - Policy Server Events 545
    - Info Events 545
  - RADIUS/TACACS+ Server Events 545
    - Critical Events 545
    - Info Events 545
  - SNMP Events 546
    - Critical Events 546
    - Info Events 546
  - Support Shell Events 546
    - Info Events 546
  - System Auxiliary Service Events 546
    - Info Events 546
  - System Monitor Events 546
    - Critical Events 546
    - Info Events 546
  - Service Names 546
- Use Cases 549

- Configuring Web Agent Flow in ClearPass Guest 579
- Native Dissolvable Agent - Supported Browsers 580
- Supported Browsers and Java Versions 583
Chapter 1: About Dell Networking W-ClearPass Policy Manager

The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control across networks such as wired, wireless, and Virtual Private Network (VPN).
Figure 1: Import from file example

2. Click Choose File.
3. Select the file you want to import. You must select an XML file in the correct format. If you have exported files from different places in Policy Manager, ensure that you select the correct file. See the Dell Networking W-ClearPass Policy Manager Configuration API Guide for more information about the format and contents of XML files.
4. If the file is password protected, enter the password in the Enter secret for the file (if any) field.
5.
2. If you want the file password protected, select Yes and enter a password in the Secret Key and Verify Secret fields. If you do not want the file password protected, select No.
3. Click Export. Depending on the browser you use, the file is either automatically saved to your hard drive, or you are prompted to save it in a specific location.

To export multiple items, select the check boxes in the rows of the specific items that you want to export.
Chapter 2: Powering Up and Configuring Policy Manager Hardware

This section provides an overview of the server ports and describes the initial Policy Manager setup using the Command Line Interface (CLI).
Table 2: Required Information

Requirement (value for your installation):
- Hostname (Policy Manager server)
- Management Port IP Address
- Management Port Subnet Mask
- Management Port Gateway
- Data Port IP Address (optional)
  NOTE: The Data Port IP Address must not be in the same subnet as the Management Port IP Address.
- Data Port Gateway (optional)
- Data Port Subnet Mask (optional)
- Primary DNS
- Secondary DNS
- NTP Server (optional)

Perform the following steps to set up the Policy Manager appliance:

1.
Enter Management Port Subnet Mask: 255.255.255.0
Enter Management Port Gateway: 192.168.5.1
Enter Data Port IP Address: 192.168.7.55
Enter Data Port Subnet Mask: 255.255.255.0
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 198.168.5.3
Enter Secondary DNS: 192.168.5.1

4. Change your password. Use any string with a minimum of six characters:

New Password: ************
Confirm Password: ************

From now on, you must use this new password for cluster administration and management of the appliance.

5.
Resetting the Passwords to Factory Default

To reset the administrator password in Policy Manager to factory defaults, log in to the CLI as the apprecovery user. The password to log in as the apprecovery user is dynamically generated. Perform the following steps to generate the recovery password:

1. Connect to the Policy Manager appliance using the front serial port (using any terminal program). See Server Port Configuration on page 5 for details.
2. Reboot the system using the restart command.
3.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit.

5. To generate the support key, select option 2. If you want to generate both a support key and a password recovery key, select option 3.
6. After the password recovery key is generated, email the key to Dell technical support. Dell technical support can then generate a unique password for logging in to the support shell.
Chapter 3: Policy Manager Dashboard

The Policy Manager Dashboard organizes and presents key information about status, performance, summaries, and so on. Dashboard information is presented as interactive bar charts, graphs, and tables, which you can click to open the corresponding pages.
Table 3: Dashboard Layout Parameters (Continued)

- Drag and drop the Latest Authentications widget to the Dashboard to view a table with the latest authentications. Clicking a row in the table drills down into the Access Tracker page and shows requests sorted by timestamp, with the latest request displayed at the top.
- Drag and drop the Request Processing Time widget to the Dashboard to view the trend of total request processing time.
- Drag and drop the System Summary widget to the Dashboard to view the Percentage Used statistics for the following:
  - Main Memory
  - Swap Memory
  - Disk
  - Swap Disk
- Drag and drop the Successful Authentications widget to the Dashboard to view a table with the latest successful authentications.
- Drag and drop the Quick Links widget to the Dashboard to view links to the following common configuration tasks:
  - Start Configuring Policies links to the Start Here page under the Configuration menu. You can start configuring Policy Manager services from here.
  - Manage Services links to the Services page under the Configuration menu. This page shows a list of configured services.
  - CPU Util - Specifies the snapshot of the CPU utilization in percentage.
  - Mem Util - Specifies the snapshot of the memory utilization in percentage.
  - Server Role - Specifies the name of the publisher or subscriber.

Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
Chapter 4: Monitoring

The Monitoring feature in Policy Manager provides access to live monitoring of components and other functions. For more information, see:
- Live Monitoring on page 17
- Audit Viewer on page 51
- Event Viewer on page 56
- Data Filters on page 58
- Blacklisted Users on page 61

Live Monitoring

The Live Monitoring link provides access to six monitoring features.
Table 4: Access Tracker Page Parameters

- Server - Displays the IP address of the server.
- Source - Displays the source of authentication. For example, TACACS or web authentication.
- Username - Displays the MAC address of the user.
- Service - Displays the name of the service. For example, Health Only, MAC authentication, or AirGroup Authorization.
- Login Status - Displays the login status, such as ACCEPT or REJECT.
Table 5: Access Tracker Edit Page (edit mode) Parameters

- Select Server/Domain - Select the server for which the dashboard data is to be displayed. Select all the servers to display transactions from all nodes in the Policy Manager cluster.
- Select Filter - Select a filter category to constrain the data display. For a description of available filters, see Data Filters on page 58.
- Click to modify the current data filter. For more information, see Data Filters on page 58.
Figure 6: Request Details - Summary tab

Input tab

This tab shows the protocol-specific attributes that Policy Manager received in a transaction request, including authentication and posture details (if available). The Input tab also shows Computed Attributes that were derived from the request attributes. All of these attributes can be used in role mapping rules.
Output tab

This tab shows the attributes that were sent to the network device and to the posture-capable endpoint. The following figure shows an example of the Request Details - Output tab:

Figure 8: Request Details - Output tab

Administrators can view the posture response and the posture evaluation with accurate results. For example, the administrator can view details such as missing registry keys and the reasons for a failed registry key check.

Alerts tab

This tab is displayed only when an error occurs.
Figure 9: Request Details - Alerts tab

Access Tracker shows an alert if more than two anti-malware products are installed on a client.

Access Control Capabilities

You can use the Access Control Capabilities page to view or change the access control type. The Access Control Capabilities page is displayed when you click the Change Status button on the Request Details screen. The Change Status button is enabled only for the RADIUS and WebAuth authentication types.

Figure 10: Access Control Capabilities
Table 6: Request Details - Access Control Capabilities Page Parameters

- Change Status - You can view or change to any of the following access control types:
  - Agent - This control is available for a session where the endpoint has the OnGuard Agent installed. The following actions are allowed:
    - Bouncing
    - Sending Messages
    - Tagging the status of the endpoint as Disabled or Known.
Figure 11: Accounting Page (Edit Mode)

Table 7: Accounting Page (Edit Mode) Parameters

- Select Server/Domain - Select the server for which the dashboard data is to be displayed.
- Select Filter - Select a filter to constrain the data display.
- Modify - Modify the currently displayed data filter.
- Add - Go to the Data Filters page to create a new data filter.
- Select Date Range - Select the number of days prior to the configured date for which the accounting data is to be displayed.
RADIUS Accounting Record Details (Auth Sessions tab)

This section describes the parameters of the Accounting Record Details - Auth Sessions tab for the RADIUS protocol.

Figure 12: RADIUS Accounting Record Details Auth Sessions tab

Table 8: RADIUS Accounting Record Details Auth Sessions tab Parameters

- Number of Authentication Sessions - Specifies the total number of authentications (always 1) and authorizations in this session.
RADIUS Accounting Record Details (Details tab)

This section describes the parameters of the Accounting Record Details - Details tab for the RADIUS protocol.
Figure 14: RADIUS Accounting Record Details Summary tab

Table 10: RADIUS Accounting Record Details Summary tab Parameters

- Session ID - Specifies the Policy Manager session identifier. You can correlate this record with a record in Access Tracker.
- Account Session ID - Specifies a unique ID for this accounting record.
- Start and End Timestamp - Shows the start and end time of the session.
- Status - Shows the current connection status of the session.
- Service Type - Shows the value of the standard RADIUS attribute service type.

Network Details:
- NAS IP Address - Shows the IP address of the network device.
- NAS Port Type - Shows the access method. For example, Ethernet, 802.11 Wireless, and so on.
- Calling Station ID - Specifies the MAC address of the client that is supported by Policy Manager.
- Called Station ID - Shows the MAC address of the network device.
Figure 15: RADIUS Accounting Record Details (Utilization tab)

Table 11: RADIUS Accounting Record Details Utilization tab Parameters

- Active Time - Displays how long the session was active.
- Account Delay Time - Displays how many seconds the network device has been trying to send this record (subtract this value from the record timestamp to determine the time the record was actually generated by the device).
TACACS+ Accounting Record Details (Auth Sessions tab)

This section describes the parameters of the Accounting Record Details - Auth Sessions tab for the TACACS+ protocol.

Figure 16: TACACS+ Accounting Record Details (Auth Sessions tab)

Table 12: TACACS+ Accounting Record Details Auth Sessions tab Parameters

- Number of Authentication Sessions - Specifies the total number of authentications (always 1) and authorizations in this session.
Figure 17: TACACS+ Accounting Record Details (Details tab)

Table 13: TACACS+ Accounting Record Details tab Parameters

- Accounting Packet Details - Shows cmd (the command typed), priv-lvl (the privilege level of the administrator executing the command), service (shell), and so on for each authorization request.

TACACS+ Accounting Record Details (Request tab)

This topic describes the parameters of the Accounting Record Details - Request Sessions tab for the TACACS+ protocol.
Figure 18: TACACS+ Accounting Record Details (Request tab)

Table 14: TACACS+ Accounting Record Request tab Parameters

- Session ID - A unique ID associated with a request.
- User Session ID - Specifies a session ID that correlates authentication, authorization, and accounting records.
- Start and End Timestamp - Shows the start and end time of the session.
- Username - Shows the username associated with this record.
  1 (lowest) to 15 (highest).
- Authentication Method - Identifies the authentication method used for the access.
- Authentication Type - Identifies the authentication type used for the access.
- Authentication Service - Identifies the authentication service used for the access.
Table 15: OnGuard Activity Parameters (Continued)

- Status - Displays the online status of the host. Green indicates online and red indicates offline.
- Date and Time - Displays the date and time at which the user was created.
- Authentication Records - Click the View button to see the Endpoint Authentication Details screen with the authentication records.
Figure 20: Agent and Endpoint details

Table 16: Agent and Endpoint details Parameters

- User - Displays the name of the user.
- Host MAC - Displays the MAC address of the user.
- Host IP - Displays the IP address of the host.
- Status - Shows the online or offline status of the agent.
- Agent Type - Specifies the type of the OnGuard agent.
- Host OS - Displays the operating system that runs on the endpoint.
- Unhealthy Health Classes - Displays the health classes that are unhealthy. For example, AntiVirus and PatchAgent.
- Status - Displays the status of the endpoint.
- Added by - Displays the server name.

Click Bounce to open the Bounce Agents window.
Bouncing a Client Using SNMP

Perform a bounce operation (using SNMP) with the MAC or IP address of the endpoint on the switch port to which the endpoint is connected. This feature only works with wired Ethernet switches.

Requirements

To bounce a client using SNMP successfully, the following conditions are mandatory:
- The network device must be added to Policy Manager, and SNMP read and write parameters must be configured.
Broadcast Message

After you click the Broadcast Message link at the top right of the OnGuard Activity page, a page appears where you can write and send a message to all active endpoints.

Figure 23: Broadcast Notification to Agents Page

Table 19: Broadcast Notification to Agents Page Parameters

- Display Message - Enter the message to be sent to the active endpoints.
- Web link for more details (Optional) - A clickable URL that is displayed along with the Display Message.
Table 20: Send Notifications to Agents Page Parameters

- Display Message - Enter the message to be sent to the active endpoints.
- Web link for more details (Optional) - A clickable URL that is displayed along with the Display Message. This field is optional.
- Toggle Chart Type - Click to toggle the chart display between line and bar type.
- Add new Data Filter - Click to add a data filter to the global filter list. To add filters, refer to Data Filters on page 58.

Endpoint Profiler

If the Profile license is enabled, a list of the profiled endpoints is visible in the Endpoints Profiler table. The list of endpoints you view is based on the Device Category, Device Family, and Device Name items that you selected.
Figure 27: Endpoint Profiler (view 2)

Click a device in the table below the graphs to view endpoint details about that specific device. Click the Cancel button to return to the Endpoint Profiler page.
Figure 28: Endpoint Profiler Details

System Monitor

The System Monitor page has four tabs. Each tab provides one or more charts or graphs that give real-time information about various components.
- System Monitor tab - Displays charts and graphs that include information about CPU load and usage, memory usage, and disk usage.
- Process Monitor tab - Displays reports about a selected process. The processes that you can monitor include the Policy server, the TACACS server, the stats collection service, and so on.
- Audit Scan
- Enforcement
- End to End request processing

These components are actively monitored, and the ClearPass tab displays the data collected during the last 30 minutes of monitoring. Auto refresh ensures that the System Monitor page is updated every 2 minutes. You can see the last update time in the Last updated at field on the System Monitor page.
Figure 30: CPU Usage Graph Example

Monitoring CPU Load

This graph shows the percentage of CPU load over 1, 5, and 15 minute intervals.

Figure 31: CPU Load Graph Example

Monitoring Memory Usage

This graph shows free and total memory, as a percentage and in Gigabytes.
Figure 32: Memory Usage Graph Example

Monitoring Swap Memory Usage

This graph shows free and total swap memory, as a percentage and in Gigabytes.

Figure 33: Swap Memory Usage Graph Example

Monitoring Disk - / Usage

This chart shows the percentage of used and free disk space.
Figure 34: Disk - / Usage Chart Example

Monitoring Disk Swap Usage

The Disk - Swap Usage chart shows the used and total swap space.

Figure 35: Disk Swap Usage Chart Example

Process Monitor tab

Click this tab to view graphs that show data about CPU Usage and Main Memory Usage for the selected process or service. The CPU Usage graph on this tab shows only the percentage used and the time in minutes for the selected process.
- Async DB write service
- Async network services
- DB change notification server
- DB replication service
- Micros Fidelio FIAS
- Multi-master cache
- Policy server
- Radius server
- Stats aggregation service
- Stats collection service
- System auxiliary services
- System monitor service
- Tacacs server
- Virtual IP service

Figure 36: Process Monitor tab Page Example

Monitoring CPU Usage

This graph shows the CPU usage over time, as a percentage.
Figure 37: CPU Usage Graph Example

Monitoring Main Memory Usage

This graph shows the main memory usage over time, in Kilobytes.

Figure 38: Main Memory Usage Graph Example

Network tab

Select the Network tab to view network activity charts and graphs for the following components:
- OnGuard
- Database
- Web Traffic
- RADIUS
- TACACS
- SSH
- NTP

Figure 39: Network Monitor Tab Graph Example (Web Traffic)

ClearPass tab

ClearPass can plot graphs based on the performance monitoring counters and timers for the following components:
- Service Categorization
- Authentication
- Authorization
- Role Mapping
- Posture Evaluation
- Audit Scan
- Enforcement
- End to End request processing for Radius, TACACS, and WebAuth based requests.
Figure 40: Service Categorization Graph Example

Audit Viewer

The Audit Viewer page provides a dynamic report on the Action, Name, Category of policy component, User, and Timestamp. The following figure shows the Audit Viewer page, followed by the parameter definitions.

Figure 41: Audit Viewer Page

Table 21: Audit Viewer Page Parameters

- Action - Displays the type of action. For example, ADD, MODIFY, or REMOVE.
- Name - Displays the name of the policy component.
The following two figures show examples of the Audit Row Details page.

Figure 42: Audit Row Details Page Example 1
Figure 43: Audit Row Details Page Example 2

Viewing Audit Row Details (Modify Page)

If you click a row with the Action type MODIFY on the main page, an Audit Row Details page opens. The Audit Row Details page for the MODIFY category has three tabs.

Old Data Tab

The Old Data tab is a summary of details about the original data values. The Attributes section shows data about the original attributes and values.
Figure 44: Old Data tab

New Data tab

The top section of the New Data tab is a summary of details about the original data values. The Profile section is a summary of the profile values. The Attributes section displays new and changed attributes. The following figure shows an agent enforcement action that was taken in the Enforcement Profile category.

Figure 45: New Data tab
Inline Difference tab

The Inline Difference tab is a summary of the difference(s) between the old and new data. Modifications are highlighted in yellow, additions in green, and deletions in red. A green arrow indicates that the value was moved up, and a red arrow indicates that the value was moved down.
Event Viewer

The Event Viewer page provides reports about system-level events. The following figure shows an example of the Event Viewer page, followed by the parameter definitions:

Figure 48: Event Viewer Page (Default Values)

Table 22: Event Viewer Page Parameters (Default Values)

- Source - Displays the source of the event. For example, AdminUI, RADIUS, SnmpService, and so on.
2. Click Select ANY match.
3. In the first Filter field, select Level as the Filter value.
4. Leave the search term set to contains.
5. Enter ERROR in the text field.
6. In the second Filter field, select Source as the Filter value.
7. Change the search field to equals.
8. Enter SYSMON in the text field.
9. Change the Show records value to 20.
10. Click Go.

Figure 49: Event Viewer Report Example (Custom Values)

Viewing Report Details

Click a row in the Event Viewer page to display the System Event Details.
Table 23: System Event Details Page Parameters

- Source - Displays the source of the event. For example, AdminUI, RADIUS, SnmpService, and so on.
- Level - Displays the level of the event, from the following options:
  - INFO
  - WARN
  - ERROR
- Category - Displays the category of the event. For example, Request, Authentication, System, and so on.
- Action - Displays the action of the event. For example, Success, Failed, Unknown, and None.
Figure 51: Data Filters Page

Table 24: Data Filters Page Parameters

- Name - Displays the name of the data filter.
- Description - Displays the description of the data filter.

Add a Filter

To add a filter, configure the name and description in the Filter tab and its rules in the Rules tab.

Figure 52: Add Filter (Filter tab)
Table 25: Add Filter (Filter tab)

- Name/Description - Name and description of the filter.
- Configuration Type - Choose one of the following configuration types:
  - Specify Custom SQL - Specify a custom SQL entry for the filter. If this is specified, the Rules tab disappears and a SQL template is displayed in the Custom SQL field. NOTE: Using this option is not recommended.
Figure 54: Add Filter (Rules tab) - Rules Editor

Table 27: Add Filter (Rules tab)

- Matches - ANY matches any one of the configured conditions. ALL matches only when all of the configured conditions are met.
- Type - This indicates the namespace for the attribute.
  - Common - Attributes common to RADIUS, TACACS, and WebAuth requests and responses.
  - RADIUS - Attributes associated with RADIUS authentication, accounting requests, and responses.
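To make the ANY/ALL choice concrete, here is an added Python illustration (not ClearPass code) that evaluates the two-condition custom Event Viewer report from the steps above (Level contains ERROR, Source equals SYSMON) under both match modes, capped by the Show records value. The event records, column names, and the exact meaning of the contains/equals operators are assumptions made for the example.

```python
"""Filter-rule evaluation in the style of the Event Viewer / Data Filters rules
editor: a rule set is Matches ANY or ALL over conditions of the form
<field> <operator> <value>. Added illustration only, not ClearPass code."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Operators modelled here: the two the Event Viewer steps use (assumption:
# "contains" is a plain substring test, "equals" an exact string match).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
}


@dataclass(frozen=True)
class Condition:
    field: str      # event column, e.g. "Level" or "Source"
    operator: str   # "equals" or "contains"
    value: str      # text typed into the filter field


@dataclass(frozen=True)
class Filter:
    match: str                  # "ANY" or "ALL"
    conditions: List[Condition]


def condition_matches(cond: Condition, record: Dict[str, str]) -> bool:
    """True if a single condition holds for one event record.
    A missing field is treated as an empty string, so it never 'equals'
    a non-empty value and only 'contains' the empty string."""
    if cond.operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {cond.operator}")
    return OPERATORS[cond.operator](record.get(cond.field, ""), cond.value)


def filter_matches(flt: Filter, record: Dict[str, str]) -> bool:
    """Combine the per-condition results: ANY is a logical OR, ALL a logical
    AND. With no conditions, ANY matches nothing and ALL matches everything,
    the usual any()/all() convention; worth knowing if a filter is saved empty."""
    results = [condition_matches(c, record) for c in flt.conditions]
    if flt.match == "ANY":
        return any(results)
    if flt.match == "ALL":
        return all(results)
    raise ValueError(f"unsupported match mode: {flt.match}")


def apply_filter(flt: Filter, records: List[Dict[str, str]],
                 show_records: int = 20) -> List[Dict[str, str]]:
    """Return the matching records, capped like the Show records setting."""
    return [r for r in records if filter_matches(flt, r)][:show_records]


# Constructed sample events (not real ClearPass output); the column names
# follow the System Event Details parameters: Source, Level, Category, Action.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Source": "SYSMON", "Level": "ERROR", "Category": "System", "Action": "Failed"},
    {"Source": "SYSMON", "Level": "INFO", "Category": "System", "Action": "Success"},
    {"Source": "RADIUS", "Level": "ERROR", "Category": "Authentication", "Action": "Failed"},
    {"Source": "AdminUI", "Level": "WARN", "Category": "Request", "Action": "Unknown"},
    {"Source": "SnmpService", "Level": "INFO", "Category": "System", "Action": "None"},
]

# The two conditions from the custom Event Viewer report steps.
CUSTOM_REPORT_CONDITIONS = [
    Condition("Level", "contains", "ERROR"),
    Condition("Source", "equals", "SYSMON"),
]


def custom_report(match: str = "ANY") -> List[Dict[str, str]]:
    """Run the custom report under a chosen match mode. The documented steps
    select ANY, which returns every ERROR event plus every SYSMON event;
    ALL would narrow it to ERROR events from SYSMON only."""
    return apply_filter(Filter(match, CUSTOM_REPORT_CONDITIONS), SAMPLE_EVENTS, 20)


if __name__ == "__main__":
    for mode in ("ANY", "ALL"):
        rows = custom_report(mode)
        print(f"{mode}: {len(rows)} event(s)")
        for row in rows:
            print("   ", row["Source"], row["Level"], row["Category"], row["Action"])
```

Running it shows that the documented ANY selection returns three of the five sample events (both SYSMON rows and the RADIUS error), whereas ALL returns only the SYSMON error.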
- Session duration

You can delete a user from this blacklist by selecting the user row and then clicking Delete. After deletion, the user is eligible to access the network again.

Figure 55: Monitoring Blacklisted Users
Chapter 5 Policy Manager Policy Model
The network devices or other entities that need authentication and authorization services see Policy Manager as a RADIUS, TACACS+, or HTTP/S-based authentication server. Behind that interface, Policy Manager's rich and extensible policy model allows it to broker security functions across a range of existing network infrastructure, identity stores, health/posture services, and client technologies within an enterprise.
Figure 56: Generic Policy Manager Service Flow of Control
Table 28: Policy Manager Service Components
Component: A - Authentication Method
Service: Component ratio: Zero or more per service
Description: Specifies the EAP or non-EAP method for client authentication. Policy Manager supports the following classes of authentication methods:
- EAP, tunneled: PEAP, EAP-FAST, or EAP-TTLS
- EAP, non-tunneled: EAP-TLS or EAP-MD5
- Non-EAP, non-tunneled: CHAP, MS-CHAP, PAP, or MAC-AUTH
- MAC_AUTH: Must be used exclusively in a MAC-based Authentication Service.
Table 28: Policy Manager Service Components (Continued)
Some Services (for example, MAC-based Authentication) may handle role mapping differently:
- For MAC-based Authentication Services, where role information is not available from an authentication source, an audit server can determine the role by applying post-audit rules against the client attributes gathered during the audit.
On the Services page, click the name of a Service to view its details. The following figure shows an example of the Services tab with the list of services and the sorting tool:

Figure 57: List of services with sorting tool

The Summary tab provides detailed information about the selected service, with links to the other tabs. For example, you can click Authentication to view the Authentication tab and add authentication sources and authentication methods.
- Create a new service - In the Services page, click Add, then follow the configuration wizard by clicking Next as you complete each tab.
- Remove a service - From the Services page, select the check box for a service and then click the Delete button.

You can also disable or enable a service from the Service details page by clicking Disable or Enable in the lower right of the page.
Table 29: Policy Component Use Cases and Configuration Instructions (Continued)
Policy Component: Role Mapping
Illustrative Use Cases:
- Web Based Authentication Use Case on page 556 uses the local Policy Manager repository. This is a common practice among administrators configuring ClearPass Guest users.
- MAC Authentication Use Case on page 564 uses a Static Host List for authentication of the MAC address sent by the switch as the device's username.
Table 29: Policy Component Use Cases and Configuration Instructions (Continued)
Policy Component: Posture Server
Illustrative Use Cases: 802.1X Wireless Use Case on page 549 appends a third-party posture server to evaluate health policies based on vendor-specific posture credentials.
Configuration Instructions: Adding and Modifying Posture Servers on page 247
Policy Component: Audit Server
Illustrative Use Cases: MAC Authentication Use Case on page 564 uses an audit server to provide port scanning for health.
- Enforcement Policy - The Enforcement Policy simulation evaluates the rules in the enforcement policy and displays the resulting enforcement profiles with the following inputs:
  - Service name and the associated enforcement policy
  - A role or a set of roles
  - System posture status
  - Date and time (optional)
- Chained Simulation - The Chained Simulation combines the results of role mapping, posture validation, and enforcement policy simulations and displays the corresponding results with the follow
Table 31: Add Policy Simulation - Simulation tab Parameters
Name/Description: Specify the name and description (freeform).
Type: Service Categorization
- Input (Simulation tab): Select Test Date and Time. This field is optional; use it if you want to test time-based service rules.
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces relevant to service rule creation are loaded in the Attributes editor.
Table 31: Add Policy Simulation - Simulation tab Parameters (Continued)
Type: Posture Validation
- Input (Simulation tab): Select Service (Posture policies are implicitly selected by their association with the service).
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces relevant to posture evaluation (posture dictionaries) are loaded in the Attributes editor.
Table 31: Add Policy Simulation - Simulation tab Parameters (Continued)
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. The Connection and RADIUS namespaces are loaded in the Attributes editor.
- Returns (Results tab): Enforcement Profile(s) and the attributes sent to the device.
NOTE: The Authentication Source and User Name inputs are used to derive the dynamic values in the enforcement profile that are fetched from the authorization source.
Table 31: Add Policy Simulation - Simulation tab Parameters (Continued)
- Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces relevant in the Role Mapping Policy context are loaded in the Attributes editor.
- Returns (Results tab): Role(s), Posture Status, Enforcement Profiles, and Status Messages.
Test Date/Time: Use the calendar widget to specify the date and time for the simulation test.
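To make the chained simulation concrete, the following added example (not code from the manual or from Policy Manager) runs a request through the stages that Table 28 and Figure 56 describe and that the Chained Simulation type exercises: role mapping, posture validation, and enforcement. The rule syntax, the attribute names, the sample policies, the posture token names and the "[Deny Access Profile]" default are assumptions chosen for the example; the behaviours it encodes are that every matching role-mapping rule contributes a role, that the session posture is the least healthy token any posture policy returns, and that enforcement can be first-applicable or evaluate-all.

```python
"""Chained simulation of Policy Manager's stages: role mapping -> posture
validation -> enforcement. Added example, not ClearPass code. Rule syntax,
attribute names, posture token names and the sample service are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Set, Tuple

Request = Dict[str, object]          # "Namespace:Attribute" -> value
Condition = Tuple[str, str, str]     # (attribute, operator, value)

# Ordered from healthiest to least healthy; the session gets the least healthy token.
POSTURE_TOKENS = ["HEALTHY", "CHECKUP", "TRANSITION", "QUARANTINE", "INFECTED", "UNKNOWN"]


@dataclass(frozen=True)
class Rule:
    conditions: Tuple[Condition, ...]  # every condition must hold for the rule to fire
    result: str                        # a role name or an enforcement profile name


def _holds(cond: Condition, req: Request) -> bool:
    attr, op, wanted = cond
    actual = req.get(attr)
    if actual is None:
        return False
    # Tips:Role carries a set of roles; ordinary attributes carry one value.
    actual_values = {str(v) for v in actual} if isinstance(actual, (set, frozenset)) else {str(actual)}
    if op == "EQUALS":
        return wanted in actual_values
    if op == "CONTAINS":
        return any(wanted in v for v in actual_values)
    if op == "BELONGS_TO":
        return bool(actual_values & set(wanted.split(",")))
    raise ValueError(f"unknown operator {op}")


def _fires(rule: Rule, req: Request) -> bool:
    return all(_holds(c, req) for c in rule.conditions)


def map_roles(policy: Sequence[Rule], req: Request, default_role: str = "[Guest]") -> Set[str]:
    """Role mapping: every matching rule contributes its role; no match gives the default role."""
    roles = {r.result for r in policy if _fires(r, req)}
    return roles or {default_role}


def evaluate_posture(policies: Sequence[Callable[[Request], str]], req: Request,
                     default_token: str = "UNKNOWN") -> str:
    """Posture validation: each policy yields a token; the session keeps the least healthy one."""
    tokens = [p(req) for p in policies]
    return max(tokens, key=POSTURE_TOKENS.index) if tokens else default_token


def enforce(policy: Sequence[Rule], roles: Set[str], posture: str, req: Request,
            first_applicable: bool = True, default_profile: str = "[Deny Access Profile]") -> List[str]:
    """Enforcement: rules see the mapped roles and posture as Tips:Role / Tips:Posture."""
    tips = {**req, "Tips:Role": frozenset(roles), "Tips:Posture": posture}
    profiles = [r.result for r in policy if _fires(r, tips)]
    if not profiles:
        return [default_profile]
    return profiles[:1] if first_applicable else profiles


def chained_simulation(service: Dict[str, object], req: Request) -> Dict[str, object]:
    roles = map_roles(service["role_mapping"], req)
    posture = evaluate_posture(service["posture_policies"], req)
    profiles = enforce(service["enforcement"], roles, posture, req,
                       first_applicable=service.get("first_applicable", True))
    return {"roles": roles, "posture": posture, "profiles": profiles}


# Constructed sample service; attribute names are illustrative, not a Policy Manager dictionary.
SAMPLE_SERVICE = {
    "role_mapping": [
        Rule((("Authorization:AD:memberOf", "CONTAINS", "CN=Engineering"),), "Engineer"),
        Rule((("Authorization:AD:memberOf", "CONTAINS", "CN=Admins"),), "Admin"),
    ],
    "posture_policies": [
        lambda req: "HEALTHY" if req.get("Posture:Firewall") == "on" else "QUARANTINE",
        lambda req: "HEALTHY" if req.get("Posture:AntiVirus") == "on" else "CHECKUP",
    ],
    "enforcement": [   # first applicable wins, so the posture rule must precede the role rules
        Rule((("Tips:Posture", "EQUALS", "QUARANTINE"),), "Quarantine VLAN"),
        Rule((("Tips:Role", "EQUALS", "Admin"),), "Admin Access"),
        Rule((("Tips:Role", "EQUALS", "Engineer"),), "Engineer VLAN"),
    ],
    "first_applicable": True,
}

ALICE = {"Authentication:Username": "alice",
         "Authorization:AD:memberOf": "CN=Engineering,DC=example,DC=com",
         "Posture:Firewall": "off", "Posture:AntiVirus": "on"}
BOB = {"Authentication:Username": "bob",
       "Authorization:AD:memberOf": "CN=Admins,DC=example,DC=com;CN=Engineering,DC=example,DC=com",
       "Posture:Firewall": "on", "Posture:AntiVirus": "off"}

if __name__ == "__main__":
    for req in (ALICE, BOB):
        print(req["Authentication:Username"], chained_simulation(SAMPLE_SERVICE, req))
```

Reordering the enforcement rules so that the Admin rule precedes the posture rule would send a quarantined administrator to Admin Access under first-applicable evaluation; the simulation is the place to catch that before the policy reaches production.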
Figure 61: Add Simulation - Attributes Tab

In the Results tab, Policy Manager displays the results of applying the test request parameters against the specified policy component(s). The result shown in the Results tab depends on the type of simulation selected. The following figure shows an example of the Add Simulation - Results tab:

Figure 62: Add Simulation - Results Tab

Import and Export Simulations
Navigate to Configuration > Policy Simulation and select the Import link.
Table 32: Import from file page Parameters
Select file: Browse to select the file of simulations to import.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.

Export Simulations
Click the Export All link to export all simulations. The browser displays the Save As dialog box, in which you can enter the name of the XML file to which all simulations are exported.
Chapter 6 Services
The Policy Manager policy model groups the policy components that serve a specific type of request into a Service, which sits at the top of the policy hierarchy. Services are managed on the Configuration > Services page.
- 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless on page 81
- Dell VPN Access with Posture Checks on page 84
- Aruba Auto Sign-On on page 86
- ClearPass Admin Access on page 87
- ClearPass Admin SSO Login (SAML SP Service) on page 89
- ClearPass Identity Provider (SAML IdP Service) on page 89
- EDUROAM Service on page 90
- Encrypted Wireless Access via 802.
- Guest MAC Authentication
- OAuth2 API User Access

The following service types are supported when the HCG mode is enabled:
- MAC Authentication
- RADIUS Authorization
- RADIUS Enforcement
- RADIUS Proxy
- Dell Application Authentication
- Dell Application Authorization
- TACACS+ Enforcement
- Web-based Authentication
- Web-based Open Network Access

The following authentication methods are used in service templates in the HCG mode:
- PAP
- CHAP
- MSCHAP
- EAP_MD5
- MAC_AUTH
Figure 66: Adding, Editing, or Deleting from a Service Template

To add a new service for the selected Service Template, specify a unique Name Prefix (which applies only to the selected template) in the General tab, update the required fields in the Authentication and Enforcement Details sections, and click Add Service. Policy Manager then creates the corresponding entries under the Services, Roles, Role Mapping, Enforcement Policies, and Enforcement Profiles menus.
Table 34: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless Service Template Parameters (Continued)
Select Authentication Source: Select any available Authentication Source from the list; the information in the Authentication and Enforcement Details tabs is auto-populated from it.
Active Directory Name: Enter the Active Directory name. This field is mandatory.
Description: Enter a description that helps you identify the characteristics of this template.
Table 34: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless Service Template Parameters (Continued)
Device Name: Enter the name of the device.
IP Address: Enter the IP address of the device.
Vendor Name: Select the manufacturer of the wired controller.
RADIUS Shared Secret: Enter the shared secret that is configured on the controller and inside Policy Manager to send and receive RADIUS requests. The secret is what authenticates RADIUS packets between the device and Policy Manager and hides the User-Password attribute, so use a long, random value and do not reuse it across devices.
The following table describes the parameters of the Dell VPN Access with Posture Checks service template:

Table 35: Dell VPN Access with Posture Checks Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Authentication, Dell Wireless Controller for VPN Settings, and Dell User Roles for different access privileges sections. The Name Prefix field is not editable.
Table 35: Dell VPN Access with Posture Checks Service Template Parameters (Continued)
Enable RADIUS CoA: Select to enable RADIUS-initiated CoA on the network device.
RADIUS CoA Port: Defaults to port 3799 if RADIUS CoA is enabled. Change this value only if you defined a custom port on the network device.
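The following is an added example, not code from the manual or from Policy Manager, showing what the RADIUS shared secret does on the CoA port: it builds a Disconnect-Request as RFC 5176 specifies (the Request Authenticator is an MD5 over the packet with sixteen zero octets in place of the authenticator, followed by the secret), verifies it the way a network device would, and answers with an ACK or NAK whose Response Authenticator is computed over the original Request Authenticator. The secret, session identifiers and the simulated device are constructed for the example; nothing is sent on the wire.

```python
"""RADIUS Dynamic Authorization (RFC 5176) on the CoA port: how the shared
secret authenticates a Disconnect-Request and its ACK/NAK. Added example, not
ClearPass code; no packets are sent. Secret, sessions and the simulated NAS are
constructed for the example."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503   # RFC 5176 Error-Cause value
HEADER = struct.Struct("!BBH")    # Code, Identifier, Length


def attribute(attr_type: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 3 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def disconnect_request(identifier: int, user: str, session_id: str, nas_ip: str, secret: bytes) -> bytes:
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(ACCT_SESSION_ID, session_id.encode())
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def simulated_nas(packet: bytes, secret: bytes, active_sessions: Dict[str, str]) -> Optional[bytes]:
    """A device holding `secret` and sessions (session id -> user).
    Returns Disconnect-ACK, Disconnect-NAK, or None when the packet is silently discarded."""
    if not verify_request(packet, secret):
        return None                                   # RFC 5176: bad authenticator -> discard
    attrs = dict(parse_attributes(packet[20:]))
    session = attrs.get(ACCT_SESSION_ID, b"").decode()
    if active_sessions.get(session) != attrs.get(USER_NAME, b"").decode():
        return build_response(DISCONNECT_NAK, packet,
                              attribute(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND)), secret)
    del active_sessions[session]
    return build_response(DISCONNECT_ACK, packet, b"", secret)


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    sessions = {"0000ABCD": "alice"}
    req = disconnect_request(7, "alice", "0000ABCD", "10.0.0.5", secret)
    reply = simulated_nas(req, secret, sessions)
    print("reply code", reply[0], "valid", verify_response(reply, req, secret), "sessions left", sessions)
```

Two points follow from the construction: a device configured with a different secret never answers, so a silent CoA timeout is the first symptom of a secret mismatch on port 3799; and because the authenticator is an MD5 keyed only by the secret, anyone holding the secret can disconnect or re-authorize any session on that device, which is why the CoA secret deserves the same handling as the RADIUS authentication secret.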
Table 36: ClearPass Aruba Auto Sign-On Service Template Parameters (Continued)
field is mandatory.
Server: Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
Identity: Enter the Distinguished Name of the administrator account. This field is mandatory.
NETBIOS: Enter the NetBIOS domain name of the Active Directory server. This field is mandatory.
Base DN: Enter the Distinguished Name of the directory node from which searches start. This field is mandatory.
Table 37: ClearPass Admin Access Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Authentication and Role Mapping sections. The Name Prefix field is not editable.
Name Prefix: Enter a prefix to add to the names of the services created from this template. Use it to identify services that use templates.
ClearPass Admin SSO Login (SAML SP Service)
This application service template allows SAML-based Single Sign-On (SSO) authenticated users to access the Policy Manager, Guest, Insight, and Operator pages. The following table describes the parameters of the ClearPass Admin SSO Login service template:

Table 38: ClearPass Admin SSO Login Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes.
Table 39: ClearPass Admin Access Service Template Parameters (Continued)
Server: Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
Identity: Enter the Distinguished Name of the administrator account. This field is mandatory.
NETBIOS: Enter the NetBIOS domain name of the Active Directory server. This field is mandatory.
Base DN: Enter the Distinguished Name of the directory node from which searches start. This field is mandatory.
Password: Enter the password of the administrator account. Give this bind account only the directory read rights that Policy Manager needs.
Table 40: EDUROAM Service Template Parameters (Continued)
Enter domain details: Enter the domain name of the network. For example, @edunet.ucla.com. This field is mandatory.
Select Vendor: Select the vendor of the network device. This field is mandatory.
Authentication
Select Active Directory: Select an Authentication Source from the list; the information in the Authentication, Wireless, and Federation Level RADIUS Server (FLR) tabs is auto-populated from it.
Table 40: EDUROAM Service Template Parameters (Continued)
RADIUS CoA Port: Defaults to port 3799 if RADIUS CoA is enabled. Change this value only if you defined a custom port on the network device.
Federation Level RADIUS Server (FLR)
Host Name: The hostname of the federation RADIUS server.
IP Address: The IP address of the federation RADIUS server.
Vendor Name: Select the manufacturer of the wireless controller.
Table 41: Encrypted Wireless Access via 802.1X Public PEAP Method Service Template Parameters (Continued)
Vendor Name: Select the manufacturer of the wireless controller.
RADIUS Shared Secret: Enter the shared secret that is configured on the controller and inside Policy Manager to send and receive RADIUS requests.
Enable RADIUS CoA: Select to enable RADIUS-initiated CoA on the network device.
RADIUS CoA Port: Defaults to port 3799 if RADIUS CoA is enabled.
Guest Access
This template is designed for authenticating guest users who log in through the captive portal. Guests must reauthenticate after their session expires. Guest access can be restricted based on the day of the week, a bandwidth limit, and the number of unique devices used by the guest user.
Guest MAC Authentication
This template is designed for authenticating guest accounts based on the MAC addresses cached during an earlier authentication. A guest can belong to a specific role such as Contractor, Guest, or Employee, and each role can have a different lifetime for the cached MAC address.
Table 44: Guest MAC Authentication Service Template Parameters (Continued)
Cache duration for Contractor role: Enter the number of days the MAC account remains valid for the Contractor role. After this, the guest must re-authenticate using the captive portal.
Guest Access Restrictions
Days allowed for access: Select the days of the week on which guest users are allowed network access.
The following table describes the parameters of the Onboard Authorization service template:

Table 46: Onboard Authorization Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Wireless Network Settings, Device Access Restrictions, and Provisioning Wireless Network Settings sections. The Name Prefix field is not editable.
Policy Manager Service Types
The following service types are available in Policy Manager:
- Dell 802.1X Wireless on page 98
- 802.1X Wireless on page 108
- 802.1X Wired on page 108
- MAC Authentication on page 109
- Web-based Authentication on page 110
- Web-based Health Check Only on page 110
- Web-based Open Network Access on page 111
- 802.1X Wireless - Identity Only on page 112
- 802.
Figure 67: Dell 802.1X Wireless Service

Service Tab
The Service tab includes basic information about the service. The Service Rules section defines the set of criteria that a request must match to trigger the service. Some service templates have one or more rules predefined. You can click a service rule to modify any of its options. The following figure shows an example of the Service tab, followed by the parameter definitions:

Figure 68: Dell 802.
Table 47: Dell 802.1X Wireless Service - Service tab Parameters
Type: Select a service from the drop-down list; this defines what type of service is configured.
Name: Enter the name of the service.
Description: Provide additional information that helps to identify what the service does.
Monitor Mode: Check this box to exclude enforcement.
More Options: Check these boxes to access the corresponding categories of configuration options.
Figure 69: Dell 802.1X Wireless Service - Authentication Tab
Table 48: Dell 802.1X Wireless Service - Authentication tab Parameters
Authentication Methods: Select the authentication methods for this service using the Select to Add field. Which methods to add depends on the 802.1X supplicants in use and the type of authentication you choose to deploy. When a user attempts to connect, Policy Manager automatically selects the appropriate method from the configured list.
The Authorization tab is not displayed by default. To access this tab, select the Authorization check box under More Options on the Service tab.
Table 50: Dell 802.1X Wireless Service - Roles tab Parameters
Role Mapping Policy: Select a Role Mapping Policy from the drop-down list. NOTE: A service can be configured without a Role Mapping Policy, but at most one Role Mapping Policy can be configured for each service.
Role Mapping Policy Details
Description: Provides additional information about the selected Role Mapping Policy.
Table 51: Dell 802.1X Wireless Service - Posture tab Parameters
Posture Policies
Posture Policies: Select the Posture Policy from the Select to Add drop-down list. If you do not have any pre-configured Posture Policies, click Add new Posture Policy to create one. Only NAP agent type Posture Policies are applicable for this service.
Default Posture Token: Select the default Posture Token from the drop-down list.
Table 52: Dell 802.1X Wireless Service - Enforcement tab Parameters
Use Cached Results: Select this check box to use cached Roles and Posture attributes from previous sessions. Cached values reflect the endpoint's state at the time of the earlier session, so leave this cleared where a current posture result is required.
Enforcement Policy: Select the pre-configured Enforcement Policy from the drop-down list. This is mandatory. If you do not have any pre-configured Enforcement Policies, click Add new Enforcement Policy to create one.
Table 53: Dell 802.1X Wireless Service - Audit tab Parameters (Continued)
- Do SNMP bounce - This option bounces the switch port or forces an 802.1X re-authentication (both done using SNMP). Bouncing the port triggers a new 802.1X or MAC authentication request by the client. If the audit server already has the posture token and attributes associated with this client in its cache, it returns the token and the attributes to Policy Manager.
802.1X Wireless Configure the 802.1X Wireless service for wireless clients connecting through an 802.11 wireless access device or controller with authentication using IEEE 802.1X.
Except for the NAS-Port-Type service rule value (which is Ethernet for 802.1X Wired and Wireless-802.11 for 802.1X Wireless), configuration of the rest of the tabs is similar to the Dell 802.1X Wireless service. See Dell 802.1X Wireless on page 98 for details. The following figure shows an example of the 802.1X Wired service page:

Figure 76: 802.1X Wired Service

MAC Authentication
MAC-based authentication service, for clients without an 802.
Except for the Posture tab, configuration of the rest of the tabs is similar to the Dell 802.1X Wireless service. For more information on the configuration tabs, see Dell 802.1X Wireless on page 98. Because the MAC address is supplied by the client and can be copied, treat MAC authentication as device identification rather than proof of identity, and pair it with audit or profiling where the device type matters.

Web-based Authentication
Configure this service for guests or agent-less hosts that connect through the Dell built-in Portal. The user is redirected to the Dell captive portal by the network device or by a DNS server that is set up to redirect traffic on a subnet to a specific URL.
This service does not include authentication options; it performs health checks only. The following figure shows an example of the Web-Based Health Check Only service:

Figure 79: Web-Based Health Check Only Service

For more information on the configuration tabs, see Dell 802.1X Wireless on page 98.

Web-based Open Network Access
This type of service is similar to the other Web-based Authentication services, except that no health check is performed on the endpoints.
Figure 80: Web-based Open Network Access Service

For more information on the configuration tabs, see Dell 802.1X Wireless on page 98.

802.1X Wireless - Identity Only
Configuration for this type of service is the same as the Dell 802.1X Wireless service, except that Posture and Audit policies are not configurable when you use this template. For more information, see 802.1X Wireless on page 108. The following figure shows an example of the 802.1X Wireless - Identity Only service:

Figure 81: 802.
802.1X Wired - Identity Only
Configure this service for clients connecting through an Ethernet LAN with authentication using IEEE 802.1X. Configuration for the 802.1X Wired - Identity Only service is the same as the 802.1X Wired service, except that Posture and Audit policies are not configurable when you use this template. For more information, see 802.1X Wired on page 108. The following figure shows an example of the 802.1X Wired - Identity Only service:

Figure 82: 802.
Figure 83: RADIUS Enforcement (Generic) Service

Configuring a service for RADIUS requests is similar to configuring the Dell 802.1X Wireless service. For more information on the configuration tabs, see Dell 802.1X Wireless on page 98.

RADIUS Proxy
Configure the RADIUS Proxy service for any kind of RADIUS request that needs to be proxied to another RADIUS server (a Proxy Target). There are no default rules associated with this service type.
Figure 84: RADIUS Proxy Service

For more information, see RADIUS Enforcement (Generic) on page 113.

RADIUS Authorization
Configure the RADIUS Authorization service type for services that perform authorization using RADIUS. When this service is selected, the Authorization tab is enabled by default.
TACACS+ Enforcement Configure the TACACS+ Enforcement service for any kind of TACACS+ request. TACACS+ users can be authenticated against any of the supported authentication source types: Local DB, SQL DB, Active Directory, LDAP Directory, or Token Servers with a RADIUS interface. Similarly, service level authorization sources can be specified from the Authorization tab. Note that this tab is not enabled by default.
Figure 87: Dell W-Series Application Authentication

Configuring the Dell W-Series Application Authentication service is similar to configuring the Dell 802.1X Wireless service, except that the Posture Compliance, Audit End-hosts, and Profile Endpoints options are not available. For more information on the configuration tabs, see Dell 802.
Cisco Web Authentication Proxy
This service is a web-based authentication service for guests or agent-less hosts. The Cisco switch hosts the captive portal and the portal web page that collects the username and password. The switch then sends the credentials to Policy Manager in a RADIUS request using the Password Authentication Protocol (PAP). By default, this service uses the PAP authentication method. Because PAP places the password in the User-Password attribute, where it is hidden only with the RADIUS shared secret, protect the switch-to-Policy Manager path and use a strong, unique shared secret for this device.
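The following is an added example, not code from the manual, from Cisco or from Policy Manager, showing why the shared secret matters for a PAP service like this one. It implements the RFC 2865 section 5.2 User-Password hiding (the password is XORed, in 16-octet blocks, with MD5 digests chained from the secret and the per-packet Request Authenticator), builds a constructed Access-Request and Access-Accept, and then runs the offline attack an eavesdropper can mount on a captured exchange: guess the secret against the Response Authenticator and, once it matches, undo the hiding to read the password. The username, password, secret and wordlist are constructed for the example.

```python
"""What PAP exposes in an Access-Request: RFC 2865 5.2 User-Password hiding is
keyed only by the RADIUS shared secret and the per-packet Request Authenticator.
Added example, not ClearPass or Cisco code; all packets, secrets and the
wordlist are constructed for the example."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); cn = pn XOR MD5(S + c(n-1)), over 16-octet blocks."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + bytes(-len(password) % 16)   # NUL-pad to a multiple of 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped (a password ending in NUL is not supported)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, user: str, password: str, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    ra = request_auth or os.urandom(16)   # RFC 2865: the Request Authenticator is random per packet
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    out, i, body = {}, 0, packet[20:]
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 3 or i + length > len(body):
            raise ValueError("malformed attribute")
        out[attr_type] = body[i + 2:i + length]
        i += length
    return out


def recover_from_capture(request: bytes, response: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack on a captured request/response pair: each candidate secret is checked
    against the Response Authenticator; a hit unlocks the User-Password. Fails if the secret
    is not in the wordlist, which is the whole value of a long random secret."""
    for guess in wordlist:
        expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + guess).digest()
        if hmac.compare_digest(expected, response[4:20]):
            return reveal_password(parse_attributes(request)[USER_PASSWORD], guess, request[4:20])
    return None


if __name__ == "__main__":
    secret = b"switch01"   # constructed weak secret
    req = build_access_request(5, "guest42", "Summer2014!", secret)
    acc = build_access_accept(req, secret)
    print(recover_from_capture(req, acc, [b"cisco", b"radius", b"switch01"]))
```

The hiding is reversible by design (the server must recover the password to check it against the authentication source), so its strength is exactly the strength of the secret and the secrecy of the capture path; a wordlist secret turns every captured PAP exchange into a cleartext credential.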
Table 55: Services page Parameters
Name: Displays the name of the service.
Type: Displays the type of authentication associated with the service. For example, RADIUS, Web Authentication, and TACACS.
Template: Specifies the service template used to create the service.
Status: Displays the status of the service. A green/red icon indicates the enabled/disabled state. Click the icon to toggle the status of a service between Enabled and Disabled.
Table 56: Service Page (General Parameters)
Type: Select the desired service type from the drop-down list. When working with service rules, you can select from the following namespace dictionaries:
- Application: The type of application for this service.
- Authentication: The Authentication method to be used for this service.
Table 56: Service Page (General Parameters) (Continued)
Monitor Mode: Optionally check Enable to monitor network access without enforcement. This allows authentication and health validation exchanges to take place between the endpoint and Policy Manager, but without enforcement. In Monitor Mode, no enforcement profiles (and associated attributes) are sent to the network device.
Table 56: Service Page (General Parameters) (Continued)
- Optionally configure Profiler settings. Select one or more Endpoint Classification items from the drop-down list, then select the RADIUS CoA action. You can also create a new action by selecting the Add new RADIUS CoA Action link.

Modifying Services
Navigate to the Configuration > Services page to view the available services. You can use these services as configured, or you can edit their settings.
Table 57: Service Page - General Parameters
Name: Enter or modify the label for a service.
Description: Enter or modify the service description. This field is optional.
Type: This non-editable label shows the type of service as it was originally configured.
Status: This non-editable label indicates whether the service is enabled or disabled. NOTE: You can disable a service by clicking the Disable button in the bottom-right corner of the form.
Table 58: Service Page (Rules Editor)
Type: The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on the Service type. When working with service rules, you can select from the following namespace dictionaries:
- Application: The type of application for this service.
- Authentication: The Authentication method to be used for this service.
Figure 94: Service Reorder Button

Figure 95: Reordering Services

Table 59: Reordering Services
Name: Shows the name of the selected service.
Service Details
Name: Shows the name of the selected service.
Template: Displays the name of the service template used to create the service.
Type: Displays the type of authentication used to create the service.
Description: Shows additional information about the service.
Chapter 7 Authentication and Authorization As a first step in Service-based processing, Policy Manager uses an authentication method to authenticate the user or device against an authentication source. After the user or device is authenticated, Policy Manager fetches attributes for Role Mapping policies from the authorization sources associated with this authentication source.
Where no authentication source is specified (for example, for unmanageable devices), Policy Manager passes the request to the next configured policy component for this service. If Policy Manager does not find the connecting entity in any of the configured authentication sources, it rejects the request.
For an existing service, you can add or modify an authentication method or source by opening the Services (Configuration > Services page > Authentication tab) page. For a new service, the Policy Manager wizard automatically opens the Authentication tab for configuration. You can open an authentication method or source from the Configuration > Authentication > Methods or Configuration > Authentication > Sources page.
Table 60: Authentication Features at the Service Level
Component: Sequence of Authentication Methods
Configuration Steps:
1. Select a method, then select Move Up, Move Down, or Remove.
2. Select View Details to view the details of the selected method.
3. Select Modify to modify the selected authentication method. This displays a popup with the edit widgets for the selected authentication method.
   a. To add a previously configured authentication method, select it from the Select drop-down list, then click Add.
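The following is an added example, not code from the manual or from Policy Manager, of why the order of the authentication methods on a service matters. It simulates the EAP negotiation of RFC 3748 section 5.3: the server proposes methods in its configured order, a supplicant that does not support the proposal answers with a NAK listing the types it wants, and the server then picks the first method in its own order that the supplicant asked for. The supplicant behaviour is simulated, the IANA type numbers are the real ones, and the FIPS handling simply drops EAP-MD5, which the manual says is unsupported in FIPS mode.

```python
"""EAP method selection from an ordered server list with the RFC 3748 NAK.
Added example, not ClearPass code; the supplicant is simulated and the
downgrade check is an assumption about which methods matter."""
from typing import Dict, List, Optional, Set, Tuple

# IANA EAP method type numbers.
EAP_TYPES: Dict[str, int] = {
    "EAP-MD5": 4, "EAP-GTC": 6, "EAP-TLS": 13, "EAP-TTLS": 21,
    "EAP-PEAP": 25, "EAP-MSCHAPv2": 26, "EAP-FAST": 43,
}
NAK = 3
# Methods that authenticate the server to the supplicant before credentials flow.
SERVER_AUTHENTICATING = {"EAP-TLS", "EAP-TTLS", "EAP-PEAP", "EAP-FAST"}


def supplicant_reply(proposed: int, supported: Set[str]) -> Tuple[int, List[int]]:
    """Simulated supplicant: accept the proposed type, or NAK with every type it supports."""
    wanted = [EAP_TYPES[m] for m in supported]
    if proposed in wanted:
        return proposed, []
    return NAK, sorted(wanted)


def negotiate(server_methods: List[str], supported: Set[str],
              fips: bool = False) -> Tuple[Optional[str], List[str]]:
    """Return (agreed method or None, transcript). The server proposes in configured order and,
    after a NAK, chooses its first untried configured method among the supplicant's desired types."""
    methods = [m for m in server_methods if not (fips and m == "EAP-MD5")]
    transcript: List[str] = []
    tried: Set[str] = set()
    proposal: Optional[str] = methods[0] if methods else None
    while proposal is not None:
        tried.add(proposal)
        reply, desired = supplicant_reply(EAP_TYPES[proposal], supported)
        if reply != NAK:
            transcript.append(f"server proposes {proposal}; supplicant accepts")
            return proposal, transcript
        transcript.append(f"server proposes {proposal}; supplicant NAKs, wants types {desired}")
        proposal = next((m for m in methods if m not in tried and EAP_TYPES[m] in desired), None)
    transcript.append("no common method: EAP-Failure")
    return None, transcript


def downgrade_risk(server_methods: List[str], fips: bool = False) -> List[str]:
    """Configured methods a supplicant can steer the server to that never authenticate the server."""
    return [m for m in server_methods
            if m not in SERVER_AUTHENTICATING and not (fips and m == "EAP-MD5")]


if __name__ == "__main__":
    service_methods = ["EAP-PEAP", "EAP-TLS", "EAP-MD5"]
    for supported in ({"EAP-TLS"}, {"EAP-MD5"}):
        method, transcript = negotiate(service_methods, supported)
        print(method, transcript)
    print("reachable without server authentication:", downgrade_risk(service_methods))
```

The ordering only controls which method is proposed first; the NAK lets the supplicant reach any method that remains on the list, so a method such as EAP-MD5 left on a service is reachable by any supplicant that asks for it, which is why removing it (as FIPS mode does) rather than moving it down is the effective control.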
Table 61: Policy Manager Supported Authentication Methods
EAP, Tunneled:
- EAP Protected EAP (EAP-PEAP)
- EAP Flexible Authentication Secure Tunnel (EAP-FAST)
- EAP Transport Layer Security (EAP-TLS)
- EAP Tunneled TLS (EAP-TTLS)
EAP, Non-Tunneled:
- EAP Message Digest 5 (EAP-MD5)
- EAP Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
- EAP Generic Token Card (EAP-GTC)
Non-EAP:
- Challenge Handshake Authentication Protocol (CHAP)
- Password Authentication Protocol (PAP)
- Microsoft
Figure 98: Add Authentication Method Page

The EAP-MD5 authentication type is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode.
Figure 99: Add Authentication - General tab

Table 62: Authorize - General tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select Authorize.

CHAP and EAP-MD5
Policy Manager also comes packaged with CHAP and EAP-MD5 methods. You can add methods of this type with a custom name.
Figure 100: CHAP General Tab
Figure 101: EAP-MD5 General tab

The EAP-MD5 authentication type is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode.

Table 63: CHAP and EAP-MD5 - General tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, always CHAP or EAP-MD5.
The PACs and PAC Provisioning tabs are only available when Using PACs is specified for the End-Host Authentication setting on the General tab.

General Tab
The General tab labels the method and defines session details. The following figure shows an example of the EAP-FAST - General tab, followed by the parameter definitions:

Figure 102: EAP-FAST - General Tab

Table 64: EAP-FAST - General tab Parameters
Name: Specify the label of the authentication method.
Table 64: EAP-FAST - General tab Parameters (Continued)
Session Resumption: Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval.
Session Timeout: Specifies how long a cached EAP-FAST session remains available for resumption. If the session timeout value is set to 0, the cached sessions are not purged.
Table 65: EAP-FAST - Inner Methods tab Parameters
Specify inner authentication methods in the preferred order: Select any method available in the current context from the drop-down list. Functions available in this tab include:
- To append an inner method to the displayed list, select it from the drop-down list. The list can contain multiple inner methods, which Policy Manager sends in priority order until negotiation succeeds.
Table 66: EAP-FAST PACs tab Parameters
Tunnel PAC Expire Time: Specify the Tunnel PAC Expire Time (the time until the PAC expires and must be replaced by automatic or manual provisioning) in hours, days, weeks, months, or years. To provision a Tunnel PAC on the end-host after initial successful machine authentication, Policy Manager can use the Tunnel PAC shared secret to create the outer EAP-FAST tunnel during authentication.
Figure 105: EAP-FAST PAC Provisioning Tab

Table 67: EAP-FAST PAC Provisioning tab Parameters
Allow Anonymous Mode: When in anonymous mode, phase 0 of EAP-FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication (not as secure as the authenticated mode). Because the end-host cannot verify the server during this phase, an attacker able to stand in for the server can capture the inner credential exchange; prefer the authenticated mode where the supplicants support it.
Table 67: EAP-FAST PAC Provisioning tab Parameters (Continued)
mode itself; the end-host does not have to reauthenticate.
Require end-host certificate for provisioning: In authenticated provisioning mode, the end-host authenticates the server by validating the server certificate, resulting in a protected outer tunnel; the end-host is authenticated by the server inside this tunnel.
Table 68: EAP-GTC General tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select EAP-GTC.
Method Details
Challenge: Specify an optional password.

EAP-MSCHAPv2
The EAP-MSCHAPv2 method contains the General tab, which labels the method and defines session details.
Table 69: EAP-MSCHAPv2 - General tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select EAP-MSCHAPv2.
EAP-PEAP
The EAP-PEAP method contains two tabs:
- General
- Inner Methods
General Tab
The General tab labels the method and defines session details.
Table 70: EAP-PEAP - General tab Parameters (Continued)
Session Resumption: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: The interval within which a cached EAP-PEAP session is reused if the user/client reconnects to Policy Manager. If the session timeout value is set to 0, the cached sessions are not purged.
NOTE: The EAP-MD5 authentication method is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode.
Table 71: EAP-PEAP Inner Methods tab Parameters
Specify inner authentication methods in the preferred order: Select any method available in the current context from the drop-down list. Functions available in this tab include:
- To append an inner method to the displayed list, select it from the drop-down list.
Figure 110: EAP-PEAP-Public - General Tab
Table 72: EAP-PEAP-Public - General tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Specify the type of authentication. In this context, select EAP-PEAP-Public.
Table 72: EAP-PEAP-Public - General tab Parameters (Continued)
session resumption must be enabled.
Public Username: Enter the Guest username. In this context, enter 'public'.
Public Password: Enter the Guest password. In this context, enter 'public'.
Inner Methods
The Inner Methods tab controls the inner methods for the EAP-PEAP-Public method.
Table 73: EAP-PEAP-Public Inner Methods tab Parameters
Specify inner authentication methods in the preferred order: Select the inner authentication method available from the drop-down list. In this context, only the EAP-MSCHAPv2 method is available. The following functions are available in this tab:
- To append an inner method to the displayed list, select it from the drop-down list.
Table 74: EAP-TLS - General tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Specify the type of authentication. In this context, select EAP-TLS.
Session Resumption: Caches EAP-TLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Figure 113: EAP-TTLS - General Tab
Table 75: EAP-TTLS - General tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select EAP-TTLS.
NOTE: The EAP-MD5 authentication type is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode.
Figure 114: EAP-TTLS - Inner Methods Tab
Table 76: EAP-TTLS - Inner Methods tab Parameters
Specify inner authentication methods in the preferred order: Select any method available in the current context from the drop-down list. Functions available in this tab include:
- To append an inner method to the displayed list, select it from the drop-down list. The list can contain multiple inner methods, which Policy Manager sends in priority order until negotiation succeeds.
Figure 115: MAC-AUTH - General Tab
Table 77: MAC-Auth - General tab Parameters
General
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select MAC-AUTH.
Method Details
Allow Unknown End-Hosts: Enables further policy processing of MAC authentication requests from unknown clients.
Table 78: MSCHAP - General Tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select MSCHAP.
PAP
The PAP method contains the General tab, which labels the method and defines session details.
Table 79: PAP - General tab Parameters
Name: Specify the label of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select PAP.
Method Details
Encryption Scheme: Select the PAP authentication encryption scheme.
Figure 119: Add Authentication Source Page
For more information, see:
- Generic LDAP and Active Directory on page 155
- Generic SQL DB on page 169
- HTTP on page 174
- Kerberos on page 178
- Okta on page 181
- Static Host List on page 185
- Token Server on page 187
Generic LDAP and Active Directory
Policy Manager can perform NTLM/MSCHAPv2, PAP/GTC, and certificate-based authentications against Microsoft Active Directory and against any LDAP-compliant directory (for example, Novell eDirectory,
Figure 120: Generic LDAP or Active Directory - General Tab
Table 80: Generic LDAP or Active Directory - General tab Parameters
Name: Specify the label of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of authentication source. In this context, select Generic LDAP or Active Directory.
Table 80: Generic LDAP or Active Directory - General tab Parameters (Continued)
NOTE: As described in Services on page 79, you can specify additional authorization sources at the service level. Policy Manager fetches role mapping attributes regardless of which authentication source the user or device was authenticated against.
Server Timeout: Specifies the duration, in seconds, that Policy Manager waits before considering this server unreachable.
Table 81: Generic LDAP or Active Directory - Primary Tab Parameters
Hostname: Specify the hostname or the IP address of the LDAP or Active Directory server.
Connection Security:
- Select None for the default non-secure connection (usually port 389).
- Select StartTLS for a secure connection that is negotiated over the standard LDAP port. This is the preferred way to connect to an LDAP directory securely.
Table 81: Generic LDAP or Active Directory - Primary Tab Parameters (Continued)
Click any node in the tree structure that is displayed to select it as the Base DN. Note that the Base DN is displayed at the top of the LDAP Browser.
NOTE: This is also a way to test connectivity to your LDAP or AD directory. If the values entered for the primary server attributes are correct, you can browse the directory hierarchy by clicking Search Base Dn.
Table 81: Generic LDAP or Active Directory - Primary Tab Parameters (Continued)
Password Type (available only for Generic LDAP): Specify whether the password type is Cleartext, NT Hash, or LM Hash.
Password Header (available only for Generic LDAP): Oracle's LDAP implementation prepends a header to a hashed password string. If you are using Oracle LDAP, enter that header in this field so that Policy Manager can correctly identify and read the password.
Figure 123: Generic LDAP Directory Attributes Tab
Table 82: AD/LDAP Attributes Tab (Filter Listing Screen) Parameters
Filter Name: Specifies the name of the filter.
Attribute Name: Specify the name of the LDAP/AD attributes defined for this filter.
Alias Name: Specify the alias name for each attribute name selected for the filter.
Enable As: Specify whether the value is to be used directly as a role or attribute in an Enforcement Policy.
Table 83: AD/LDAP Default Filters
Active Directory / Generic LDAP Directory - Default Filters:
- Authentication: This filter is used for authentication. The query searches in the objectClass of type user. This query finds both user and machine accounts in Active Directory: (&(objectClass=user)(sAMAccountName=%{Authentication:Username})) After a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
Table 83: AD/LDAP Default Filters (Continued)
- dn (aliased to UserDN): This is an internal attribute that is populated with the user record's Distinguished Name (DN).
- Group: This is the filter used for retrieving the names of the groups to which a user belongs.
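The placeholder substitution this table describes, as an added example that is not ClearPass code: a hypothetical helper that expands %{Authentication:Username} into the default Active Directory authentication filter and escapes the value according to RFC 4515, so that a username carrying filter metacharacters cannot change the meaning of the query. The helper names and the sample usernames are assumptions made for the example.

```python
"""Added example (not ClearPass code): expanding a session placeholder into an
LDAP filter with RFC 4515 escaping of the substituted value."""
import re

# Default Active Directory authentication filter as listed in Table 83.
AD_AUTH_FILTER = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"

# Matches %{Namespace:Attribute} placeholders.
PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_:-]+)\}")

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value so they are treated as data rather than filter syntax.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, session: dict) -> str:
    """Replace every %{Namespace:Attribute} placeholder in the filter template
    with the escaped session value. Raises KeyError for an unset parameter so a
    half-expanded filter is never sent to the directory."""
    def _substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in session:
            raise KeyError(f"session parameter {key!r} is not set")
        return escape_filter_value(str(session[key]))
    return PLACEHOLDER.sub(_substitute, template)


if __name__ == "__main__":
    # Constructed sessions: a user account and a machine account (AD machine
    # account names end in '$', which needs no escaping).
    for name in ("alice", "LAPTOP-01$", "a*(b)"):
        print(expand_filter(AD_AUTH_FILTER, {"Authentication:Username": name}))
```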
Table 84: AD/LDAP Configure Filter Page - Browse tab Parameters
Find Node: Find the node by entering its Distinguished Name (DN) and clicking the Go button.
Filter Tab
The Filter tab provides an LDAP browser interface to define the filter search query. You can define the attributes used in the filter query using this interface.
Table 85: Configure Filter Page - Filter tab Parameters
Find Node: Find a node by entering its Distinguished Name (DN) and clicking the Go button.
Select the attributes for filter: This table has a name column and a value column. There are two ways to enter the attribute name:
- By selecting a node, inspecting the attributes, and then manually entering the attribute name by clicking on Click to add... in the table row.
- By selecting an attribute on the right-hand side of the LDAP browser.
Table 86: Filter Creation Steps
Step 1 - Select filter node: The goal of filter creation is to help Policy Manager understand how to find a user or device connecting to the network in LDAP or Active Directory. From the Filter tab, click the node that you want to extract user or device information from. For example, browse to the Users container in Active Directory and select the node for a user (Alice, for example).
Figure 126: AD/LDAP Configure Filter - Attributes Tab
Table 87: AD/LDAP Configure Filter Page - Attributes tab Parameters
Enter values for parameters: Policy Manager parses the filter query (created in the Filter tab and shown at the top of the Attributes tab) and prompts you to enter values for all dynamic session parameters in the query. For example, if you have %{Authentication:Username} in the filter query, you are prompted to enter a value for it.
Configuration Tab
The Configuration tab shows the filter and attributes configured in the Filter and Attributes tabs respectively. From this tab, you can also manually edit the filter query and the attributes to be fetched. The following figure shows an example of the Configure Filter - Configuration tab:
Figure 127: Configure Filter Popup - Configuration tab
Modify Default Filters
When you add a new authentication source of type Active Directory or LDAP, a few default filters and attributes are populated.
The attributes defined for the authentication source appear as attributes in the role mapping policy rules editor under the authorization source namespace. On the Role Mappings - Rules Editor page, the Operator values offered are based on the Data type specified here. For example, if you change the Active Directory department attribute to be an integer rather than a string, the list of operator values is populated with operators specific to integers.
Figure 129: Generic SQL DB - General Tab
Table 88: Generic SQL DB - General tab Parameters
Name: Specify the label of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of source. In this context, select Generic SQL DB.
Use for Authorization: Enable this option to have Policy Manager fetch role mapping attributes (or authorization attributes) from this authentication source.
Table 88: Generic SQL DB - General tab Parameters (Continued)
Authorization Sources: Specify additional sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list and click Add to add it to the list of authorization sources. Click Remove to remove the authorization source from the list.
Table 89: Generic SQL DB - Primary tab Parameters
Server Name: Enter the hostname or IP address of the database server.
Port (Optional): Specify a port value to override the default port.
Database Name: Enter the name of the database from which records can be retrieved.
Login Username: Enter the name of the user used to log into the database. This account must have read access to all the attributes that need to be retrieved by the specified filters.
Table 90: Generic SQL DB - Attributes tab (Filter List) Parameters
Filter Name: Specifies the name of the filter.
Attribute Name: Specifies the name of the SQL DB attributes defined for this filter.
Alias Name: Specifies an alias name for each attribute name selected for the filter.
Enabled As: Indicates whether the filter is enabled as a role or attribute type. This can also be blank.
Add More Filters: Click this button to open the Configure Filter page.
Alias Name: Specifies the name for the attribute. By default, this is the same as the attribute name.
Data Type: Specify the data type for this attribute, such as String, Integer, or Boolean.
Enabled As: Specify whether this value is to be used directly as a role or attribute in an Enforcement Policy. This bypasses the step of having to assign a role in Policy Manager through a Role Mapping Policy.
Summary Tab
You can use the Summary tab to view the configured parameters.
Figure 133: HTTP - General Tab
Table 92: HTTP - General tab Parameters
Name: Specify the label of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of source. In this context, select HTTP.
Table 92: HTTP - General tab Parameters (Continued)
Use for Authorization: Enable this option to have Policy Manager fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source if the Use for Authorization field is enabled. This check box is enabled by default.
Table 93: HTTP - Primary tab Parameters
Base URL: Enter the base URL (host name) or IP address of the HTTP server. For example, http:// or :xxxx, where xxxx is the port used to access the HTTP server.
Login Username: Enter the name of the user used to log into the database. This account must have read access to all the attributes that need to be retrieved by the specified filters.
Figure 136: HTTP Filter Configure Page
Table 95: HTTP Configure Filter Page Parameters
Filter Name: Displays the name of the selected filter.
Filter Query: Specifies the HTTP path (without the server name) from which to fetch the attributes on the HTTP server. For example, if the full path to the filter is http server URL = http://:xxxx/abc/def/xyz, you enter /abc/def/xyz.
Name: Specifies the name of the attribute.
- General Tab on page 179
- Primary Tab on page 180
- Summary Tab
General Tab
The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure shows an example of the Kerberos - General tab, followed by the parameter definitions:
Figure 137: Kerberos - General Tab
Table 96: Kerberos - General tab Parameters
Name: Specify the label of the authentication source.
Table 96: Kerberos - General tab Parameters (Continued)
Use for Authorization: Disable in this context.
Authorization Sources: Specify one or more authorization sources from which role mapping attributes are to be fetched. Select a previously configured authentication source from the drop-down list and click Add to add it to the list of authorization sources. Click Remove to remove the selected authentication source from the list.
Table 97: Kerberos - Primary tab Parameters
Hostname: Specify the hostname or the IP address of the Kerberos server.
Port: Specify the port on which the server listens for Kerberos connections. The default port is 88.
Realm: Specify the domain of authentication. In this case, specify the Kerberos domain.
Service Principal Name: Enter the identity of the service principal as configured in the Kerberos server.
Figure 139: Okta - General Tab
Table 98: Okta - General tab Parameters
Name: Specify the label of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of source. In this context, select Okta.
Use for Authorization: Enable this check box to have Policy Manager fetch role mapping attributes (or authorization attributes) from this authentication source.
Table 98: Okta - General tab Parameters (Continued)
Server Timeout: Specify the duration, in seconds, that Policy Manager waits before considering this server unreachable. If multiple backup servers are available, this value is the duration, in seconds, that Policy Manager waits before failing over from the primary to the backup servers, in the order in which they are configured.
Figure 141: Okta - Attributes Tab
Table 100: Okta - Attributes tab Parameters
Filter Name: Displays the name of the filter. NOTE: You can configure only Group for Okta.
Attribute Name: Specifies the name of the LDAP/AD attributes defined for this filter.
Alias Name: Specifies the alias name for each attribute name selected for the filter.
Enable As: Specifies whether the value is to be used directly as a role or attribute in an Enforcement Policy.
Figure 142: Okta - Configure Filter Page
Table 101: Okta Configure Filter Page Parameters
Filter Name: Enter the name of the filter.
Filter Query: Specifies an SQL query to fetch attributes from the user or device record in the DB.
Name: Displays the name of the attribute.
Alias Name: Specifies an alias name for the attribute. By default, this is the same as the attribute name.
Data Type: Specifies the data type for this attribute, such as String, Integer, or Boolean.
attributes are assigned to a user (local or guest) account in the local database, these can be used in role mapping policies. The local user database is pre-configured with a filter to retrieve the password and the expiry time for the account. Policy Manager can perform MSCHAPv2 and PAP/GTC authentication against the local database.
Figure 144: Static Host List - Static Host Lists Tab
Table 103: Static Host List - Static Host Lists tab Parameters
MAC Address Host Lists: Select a Static Host List from the drop-down list and click Add to add it to the list. Click Remove to remove the selected static host list. Click View Details to view the contents of the selected static host list. Click Modify to modify the selected static host list.
Figure 145: Token Server - General Tab
Table 104: Token Server - General tab Parameters
Name: Specify the label of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of authentication source. In this context, select Token Server.
Table 104: Token Server - General tab Parameters (Continued)
Authorization Sources: Specify additional sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list, and click Add to add it to the list of authorization sources. Click Remove to remove it from the list.
Attributes Tab
The Attributes tab defines the RADIUS attributes to be fetched from the token server. These attributes can be used in role mapping policies. Policy Manager loads all RADIUS vendor dictionaries into the Type drop-down list to help you select the attributes. The following figure shows an example of the Token Server - Attributes tab, followed by the parameter definitions:
Figure 147: Token Server - Attributes Tab
See Configuring a Role and Role Mapping Policy on page 202 for more information.
Chapter 8 Identity
Roles can range in complexity from a simple user group (e.g., Finance, Engineering, or Human Resources) to a combination of a user group with some dynamic constraints (e.g., "San Jose Night Shift Worker": an employee in the Engineering department who logs in through the San Jose network device between 8 PM and 5 AM on weekdays). A role can also apply to a list of users.
Configuring Single Sign-On, Local Users, Endpoints, and Static Host Lists
The internal Policy Manager database ([Local User Repository], [Guest User Repository]) stores user records for a class of users that is not present in a central user repository (that is, in neither Active Directory nor another database). Guest or contractor records are an example of such a class of users that can be stored in the local user repository.
Figure 149: Single Sign-On - SAML SP Configuration tab
Figure 150: Single Sign-On - SAML IdP Configuration tab
Adding and Modifying Local Users
Policy Manager lists all local users on the Configuration > Identity > Local Users page.
- To add a local user, click Add to display the Add Local User popup.
- To edit a local user, on the Local Users listing page, click the name to display the Edit Local User popup.
- To import local users, on the Local Users listing page, click Import.
For more information, see the following figures and parameter definition table.
Figure 151: Local Users Listing
Figure 152: Add Local User page
Table 107: Add Local User Page Parameters
User ID: Enter the user name of the local user.
Name: Enter the name of the local user.
Password: Enter the password of the local user.
Table 107: Add Local User Page Parameters (Continued)
Verify Password: Re-enter the password of the local user.
Enable User: Uncheck to disable this user account.
Role: Select a static role for this local user.
Attributes: Add custom attributes for this local user. Click the Click to add... row to add custom attributes. By default, four custom attributes appear in the Attribute drop-down list: Phone, Email, Sponsor, Designation. You can enter any name in the attribute field.
Table 108: Endpoint Page Parameters (Continued)
Device OS Family: Specifies the operating system that the device is configured with. For example, when the category is Computer, ClearPass Policy Manager shows a Device OS Family of Windows, Linux, or Mac OS X.
Status: Displays the status of the endpoint.
Profiled: Displays whether the device is profiled or not.
Figure 155: Endpoints - Trigger Server Action Page
Table 109: Trigger Server Action Page Parameters
Server Action: Select the server action. For example, Send message, Lock Device, Remote Wipe, and so on.
Context Server: Enter a valid server name. You can enter an IP address or domain name.
Server Type: Specifies the server type configured when the server action was configured.
Action Description: Specifies the description of the action.
Figure 156: Update Device Fingerprint
Table 110: Update Device Fingerprint parameters
Device Category: Select the built-in category that the profiled device belongs to. For example, Smartdevices, Access Points, Computer, VOIP phone, and so on.
Device OS Family: Select the operating system configured on the device. For example, when the category is Computer, you can select Windows, Linux, or Mac OS X.
Device Name: Enter the name of the device.
Figure 157: Add Endpoint Page
Table 111: Add Endpoint Page Parameters
MAC Address: Specifies the MAC address of the endpoint.
Description: Specifies the description that provides additional information about the endpoint.
Status: Mark the status as Known, Unknown, or Disabled client. The Known and Unknown status can be used in role mapping rules using the Authentication:MacAuth attribute. You can use the Disabled status to block access to a specific endpoint.
Figure 158: Edit Endpoint Page
Additional Available Tasks
- To delete an endpoint, on the Endpoints page, select an endpoint (using its check box) and click the Delete button.
- To export an endpoint, on the Endpoints page, select an endpoint (using its check box) and click the Export button.
- To export all endpoints, on the Endpoints page, click the Export All link in the upper right corner of the page.
Figure 159: Static Host Lists Page
To add a Static Host List, go to the Configuration > Identity > Static Host Lists page and click the Add link. The Add Static Host List popup opens. For more information, see the following figure and parameter definition table.
Figure 160: Add Static Host List Page
Table 112: Add Static Host List Page Parameters
Name: Enter the name of the static host list.
Description: Specify the description of the static host list.
- To import Static Host Lists, on the Static Host Lists listing page, click the Import link.
Configuring a Role and Role Mapping Policy
After authenticating a request, a Policy Manager Service invokes its Role Mapping Policy, resulting in the assignment of one or more roles to the client. This role becomes the identity component of Enforcement Policy decisions. A service can be configured without a Role Mapping Policy, but only one Role Mapping Policy can be configured for each service.
You can configure a role from within a Role Mapping Policy (Add New Role), or independently from the menu Configuration > Identity > Roles > Add. In either case, roles exist independently of an individual service and can be accessed globally through the Role Mapping Policy of any service. When you click Add roles from any of these locations, Policy Manager displays the Add New Role popup. For more information, see the following figures and parameter definition table.
Policy Tab
The Policy tab labels the policy and defines the Default Role (the role to which Policy Manager defaults if the mapping policy does not produce a match for a given request).
Figure 164: Role Mappings (Policy Tab)
Table 114: Role Mappings (Policy tab) Parameters
Policy Name: Enter the name of the role mapping policy.
Description: Specify the description of the role mapping policy.
When you select Add Rule or Edit Rule, Policy Manager displays the Rules Editor popup.
Figure 166: Rules Editor Page
Table 115: Role Mappings Page (Rules Editor) Parameters
Type: The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on context. (Refer to Namespaces on page 513.)
Table 115: Role Mappings Page (Rules Editor) Parameters (Continued)
Operator: Operators have their obvious meaning; for the stated definitions of each operator, refer to Operators on page 524.
Value: Depending on the attribute data type, this may be a free-form (one or many line) edit box, a drop-down list, or a time/date widget.
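The role mapping evaluation this section describes (rules built from namespace attribute, operator and value; one or more roles assigned; the Default Role when nothing matches), as an added example that is not ClearPass code, carried through for the "San Jose Night Shift Worker" role from the start of Chapter 8. The attribute names Authorization:AD:department, Connection:NAD-IP-Address, Date:Day-of-Week and Date:Time-of-Day, the operator names, the addresses and the role names are assumptions made for the example; the overnight window is judged against the day of week at login time.

```python
"""Added example (not ClearPass code): a minimal role mapping evaluator.

A policy holds a default role and a list of rules; each rule ANDs a set of
conditions over "Namespace:Attribute" values in the request and names the role
it assigns. Every rule that matches contributes its role; when no rule
matches, the default role is assigned. Attribute, operator and sample values
are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Condition:
    attribute: str  # "Namespace:Attribute" key in the request
    operator: str   # EQUALS, NOT_EQUALS, BELONGS_TO, CONTAINS, IN_TIME_RANGE
    value: object


def in_time_range(hhmm: str, window: str) -> bool:
    """True if hhmm ("HH:MM") lies in window "HH:MM-HH:MM". A window whose end
    precedes its start (such as 20:00-05:00) wraps past midnight."""
    start, end = window.split("-")
    if start <= end:
        return start <= hhmm < end
    return hhmm >= start or hhmm < end


def condition_matches(cond: Condition, request: dict) -> bool:
    """Evaluate one condition against the request's attribute dictionary."""
    actual = request.get(cond.attribute)
    if actual is None:
        return False  # an attribute absent from the request never matches
    if cond.operator == "EQUALS":
        return actual == cond.value
    if cond.operator == "NOT_EQUALS":
        return actual != cond.value
    if cond.operator == "BELONGS_TO":
        return actual in cond.value
    if cond.operator == "CONTAINS":
        return cond.value in actual
    if cond.operator == "IN_TIME_RANGE":
        return in_time_range(actual, cond.value)
    raise ValueError(f"unknown operator {cond.operator!r}")


@dataclass
class Rule:
    conditions: list
    role: str


@dataclass
class RoleMappingPolicy:
    name: str
    default_role: str
    rules: list = field(default_factory=list)

    def evaluate(self, request: dict) -> list:
        """Return the roles of all matching rules, or [default_role]."""
        roles = [rule.role for rule in self.rules
                 if all(condition_matches(c, request) for c in rule.conditions)]
        return roles or [self.default_role]


WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri"}
SAN_JOSE_NADS = {"10.1.0.1", "10.1.0.2"}  # constructed San Jose device addresses

# Constructed policy containing the "San Jose Night Shift Worker" role.
EMPLOYEE_POLICY = RoleMappingPolicy(
    name="Employee role mapping",
    default_role="[Guest]",
    rules=[
        Rule([Condition("Authorization:AD:department", "EQUALS", "Engineering")],
             "Engineering"),
        Rule([Condition("Authorization:AD:department", "EQUALS", "Engineering"),
              Condition("Connection:NAD-IP-Address", "BELONGS_TO", SAN_JOSE_NADS),
              Condition("Date:Day-of-Week", "BELONGS_TO", WEEKDAYS),
              Condition("Date:Time-of-Day", "IN_TIME_RANGE", "20:00-05:00")],
             "San Jose Night Shift Worker"),
    ],
)


def request_at(department: str, nad_ip: str, day: str, hhmm: str) -> dict:
    """Build a constructed request dictionary for the evaluator."""
    return {
        "Authorization:AD:department": department,
        "Connection:NAD-IP-Address": nad_ip,
        "Date:Day-of-Week": day,
        "Date:Time-of-Day": hhmm,
    }


if __name__ == "__main__":
    print(EMPLOYEE_POLICY.evaluate(request_at("Engineering", "10.1.0.1", "Mon", "23:30")))
    print(EMPLOYEE_POLICY.evaluate(request_at("Finance", "10.1.0.1", "Mon", "23:30")))
```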
Chapter 9 Posture
Policy Manager provides several posture methods to evaluate the health of the clients that request access. These methods all return Posture Tokens (e.g., Healthy, Quarantine) for use by Policy Manager as input into Enforcement Policy. One or more posture methods can be associated with a Service.
Figure 167: Posture Evaluation Process
Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
- Operating system version/type
- Registry keys/services present (or absent)
- Antivirus/antispyware/firewall configuration
- Patch level of different software components
- Peer to Peer application checks
- Services to be running or not running
- Processes to be running or not running
Each configured health check ret
- Quarantine. The client is out of compliance; restrict network access so that the client only has access to the remediation servers.
- Infected. The client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.
- Unknown. The posture token of the client is unknown.
Table 116: Posture Features at the Service Level
Sequence of Posture Policies: Select a Policy, then select Move Up, Move Down, Remove, or View Details.
- To add a previously configured Policy, select it from the Select drop-down list, then click Add.
- To configure a new Policy, click the Add New Policy link and refer to Adding a Posture Policy on page 210.
- To edit the selected posture policy, click Modify and refer to Adding a Posture Policy on page 210.
Table 117: NAP Agent Posture Plugins for Windows Operating Systems
Operating System Versions: Windows 8, Windows 7, Windows Vista, Windows XP Service Pack 3, Windows Server 2008, Windows Server 2008R2
Plugin Name: Windows System Health Validator
Description: The Windows System Health Validator parameters permit or deny client computers to connect to your network, and restrict client access for computers that have a Service Pack lower than Service Pack x.
Table 118: NAP Agent Posture Plugins for Linux Operating Systems
Linux Operating Systems: CentOS, Fedora, RedHat Enterprise Linux, SUSE Linux Enterprise Desktop
Plugin Name: ClearPass Windows Universal System Health Validator
Description: Services, which allows you to enable or disable health checks, set auto remediation checks, select or insert available services, and set which services to run and which to stop.
Table 119: OnGuard Agent Validator Supported Windows Operating Systems
Supported Operating System Versions: Windows 2003, Windows 8, Windows 7, Windows Vista, Windows XP Service Pack 3, Windows Server 2008, Windows Server 2008R2
Posture Plugin Name: ClearPass Windows Universal System Health Validator
Description: The configurable parameter categories for this validator are Services, Processes, Registry Keys, AntiVirus, AntiSpyware, Firewall, Peer To Peer, Patch Management, Windows HotFixes, USB Devic
Table 119: OnGuard Agent Validator Supported Windows Operating Systems (Continued)
determine the service pack level.
Windows Security Health Validator: The configurable parameter categories for this validator allow you to configure parameters that permit or deny client computers access to your network, subject to checks of the client's system for Firewall, Virus Protection, Spyware Protection, Automatic Updates, and Security Updates*.
Table 120: OnGuard Agent (Persistent or Dissolvable) Posture Plugins for Mac OS X
Plugin Name: ClearPass Mac OS X Universal System Health Validator
Description: The configurable parameter categories for this validator are:
- Services
- Processes
- AntiVirus
- AntiSpyware
- Firewall
- Patch Management
- Peer To Peer
- USB Devices
- Virtual Machines
- Network Connections
- Disk Encryption
- Installed Applications
Figure 169: Windows System Health Validator (Overview)
Windows Security Health Validator - NAP Agent
This validator checks for the presence of specific types of security applications. An administrator can use the check boxes to restrict access based on the absence of the selected security application types.
Figure 170: Windows Security Health Validator
ClearPass Linux Universal System Health Validator - OnGuard Dissolvable Agent
The ClearPass Linux Universal System Health Validator - OnGuard Dissolvable Agent pop-up page appears in response to actions in the Posture Plugins tab of the Posture configuration (when you select Linux and OnGuard Dissolvable Agent on the Posture Policy page).
Services
Use the Services page to configure which services to run and which services to stop. See ClearPass Windows Universal System Health Validator - OnGuard Agent on page 225 for a description of the fields on this page.

Figure 172: Services Configuration Page

Processes
The Processes page provides a set of components for specifying processes that must be explicitly present or absent on the system.

Figure 173: Processes Page
Figure 174: Processes Add Page

Antivirus
In the Antivirus page, you can specify that an Antivirus application must be on and drill down to specify information about the Antivirus application. Click An Antivirus Application is On to configure the Antivirus application information. When enabled, the Antivirus detail page appears.

Figure 175: Antivirus Page (Detail 1)
Click Add to specify product and version check information.
AntiSpyware
In the AntiSpyware page, an administrator can specify that an Antispyware application must be on and drill down to specify information about the Antispyware application.

Figure 177: AntiSpyware Page
Figure 178: AntiSpyware Add Page
In the Antispyware page, click An Antispyware Application is On to configure the Antispyware application information. See the Antivirus configuration details above for a description of the different configuration elements.
Figure 179: Firewall Page
Figure 180: Firewall Add Page
When enabled, the Firewall detail page appears. See ClearPass Windows Universal System Health Validator - OnGuard Agent on page 225 for firewall page and field descriptions.

Patch Management
In the Patch Management page, you can view or add the patch management product, and configure the Auto Remediation and User Notification features.
Peer To Peer
The Peer To Peer page provides a set of widgets for specifying peer-to-peer applications or networks that must be explicitly stopped. When you select a peer-to-peer network, all applications that use that network are stopped.

USB Devices
Use this page to configure the Auto Remediation and User Notification parameters, and to choose the Remediation Action for USB Mass Storage Devices: take no action, or remove the USB Mass Storage Devices.
Figure 185: Network Connections Overview Page
Figure 186: Network Connections Configuration Page

Disk Encryption
Disk encryption protects information by converting it into unreadable code that cannot easily be deciphered by unauthorized people. Disk encryption uses software or hardware to encrypt every bit of data that goes on a disk or disk volume, and so prevents unauthorized access to data storage.
Figure 188: Disk Encryption Add Page

Installed Applications
The Installed Applications category groups classes that represent software-related objects. In the Installed Applications page, you can turn on the installed applications check and specify which installed applications you want to monitor. You can take the following actions:
- Specify installed applications to monitor on a mandatory basis.
- Specify installed applications to monitor on an optional basis.
Figure 190: Installed Applications Add Page

ClearPass Windows Universal System Health Validator - OnGuard Agent
The ClearPass Windows Universal System Health Validator page is displayed after you configure the OnGuard agent and the Windows system in the Posture Plugins tab.

Figure 191: ClearPass Windows Universal System Health Validator
Select a version of Windows and click the check box to enable checks for that version.
- Disk Encryption on page 243
- Installed Applications on page 244

Services
The Services page provides a set of widgets for specifying services to run or stop.

Figure 192: Services Page

Table 121: Services Page
  Auto Remediation: Enable to allow auto remediation for service checks (automatically stop or start services based on the entries in the Services to run and Services to stop configuration).
Figure 193: Processes Page (Overview)

Table 122: Process Page (Overview - Pre-Add)
  Auto Remediation: Enable to allow auto remediation for registry checks (automatically add or remove registry keys based on the entries in the Registry keys to be present and Registry keys to be absent configuration).
  User Notification: Enable to allow user notifications for registry check policy violations.
Table 123: Process to be Present Page (Detail)
  Process Location: Choose from Applications, UserBin, UserLocalBin, UserSBin, or None.
  Enter the Process name: A pathname containing the process executable name.
  Enter the Display name: Enter a user-friendly name for the process. This is displayed in end-user facing messages.
After you save your Process details, the key information appears in the Processes to be present page list.
Table 124: Process to be Absent Page (Detail)
  Check Type: Select the type of process check to perform. The agent can look for:
  - Process Name - The agent looks for all processes that match the given name. For example, if notepad.exe is specified, the agent kills all processes whose name matches, regardless of the location from which these processes were started.
  - MD5 Sum - This specifies one or more (comma-separated) MD5 checksums of the process executable file.
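The two check types in Table 124 behave differently when a binary is copied or renamed, which is the reason an administrator might choose one over the other. The following added example (not ClearPass or OnGuard code) models the Process to be Absent health class: a rule matches on the process name regardless of where it was started from, or on one or more comma-separated MD5 checksums of the executable image, and Monitor Mode is modelled as "record the violations but keep the class healthy", as this page describes it for other health classes. The process list, rule set and executable contents are constructed.

```python
"""Added example (not ClearPass or OnGuard code): a model of the "Process to
be Absent" health class.  A rule matches either on the process name, wherever
the binary was started from, or on one or more comma-separated MD5 checksums
of the executable image.  Monitor Mode is modelled as "report the violations
but keep the class healthy".  All process data below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RunningProcess:
    name: str     # executable name as the OS reports it
    path: str     # location the process was started from
    image: bytes  # executable contents (constructed stand-in for the file on disk)


@dataclass(frozen=True)
class AbsentRule:
    check_type: str    # "Process Name" or "MD5 Sum"
    value: str         # a process name, or comma-separated MD5 hex digests
    display_name: str  # user-friendly name used in end-user facing messages


def md5_hex(data: bytes) -> str:
    """MD5 of an executable image, as the agent would compute it for the file."""
    return hashlib.md5(data).hexdigest()


def rule_matches(rule: AbsentRule, proc: RunningProcess) -> bool:
    """True when a running process violates an "absent" rule."""
    if rule.check_type == "Process Name":
        # The name check ignores the directory the process started from.
        return proc.name.lower() == rule.value.lower()
    if rule.check_type == "MD5 Sum":
        wanted = {h.strip().lower() for h in rule.value.split(",") if h.strip()}
        return md5_hex(proc.image) in wanted
    raise ValueError(f"unknown check type: {rule.check_type!r}")


def evaluate_absent(rules: List[AbsentRule], procs: List[RunningProcess],
                    monitor_mode: bool = False) -> Tuple[str, List[str]]:
    """Evaluate the health class; returns (status, remediation messages)."""
    messages = []
    for rule in rules:
        for proc in procs:
            if rule_matches(rule, proc):
                messages.append(f"{rule.display_name} must not be running: {proc.path}")
    if monitor_mode or not messages:
        # Monitor Mode records violations but never marks the class unhealthy.
        return "HEALTHY", messages
    return "UNHEALTHY", messages


# Constructed sample: the same unapproved binary runs from two locations under
# two different names, so only the MD5 rule catches both copies.
SHARING_CLIENT_IMAGE = b"MZ constructed file-sharing client image"
SAMPLE_PROCS = [
    RunningProcess("notepad.exe", r"C:\Windows\notepad.exe", b"MZ constructed notepad"),
    RunningProcess("p2pclient.exe", r"C:\Users\alice\AppData\p2pclient.exe", SHARING_CLIENT_IMAGE),
    RunningProcess("update.exe", r"D:\tmp\update.exe", SHARING_CLIENT_IMAGE),
]
SAMPLE_RULES = [
    AbsentRule("Process Name", "notepad.exe", "Notepad"),
    AbsentRule("MD5 Sum", md5_hex(SHARING_CLIENT_IMAGE), "Unapproved file-sharing client"),
]

if __name__ == "__main__":
    status, msgs = evaluate_absent(SAMPLE_RULES, SAMPLE_PROCS)
    print(status)
    for m in msgs:
        print(" -", m)
```

With the constructed data the name rule reports only notepad.exe, while the MD5 rule reports both copies of the file-sharing client, including the one renamed to update.exe; with Monitor Mode enabled the same three messages are produced but the class stays healthy.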
Figure 197: Registry Keys Page (Overview)

Table 125: Registry Keys Page (Overview - Pre-Add)
  Auto Remediation: Enable auto remediation for registry checks. Use this page to automatically add or remove registry keys based on the entries in the Registry keys to be present and Registry keys to be absent fields.
  User Notification: Enable user notifications for registry check policy violations.
  Monitor Mode: Enable this to set the health status of the Registry Keys health class to healthy.
Figure 198: Registry Keys Page (Detail)

Table 126: Registry Keys Page (Detail)
  Select the Registry Hive: Specify the registry hive from the following options:
  - HKEY_CLASSES_ROOT
  - HKEY_CURRENT_USER
  - HKEY_LOCAL_MACHINE
  - HKEY_USERS
  - HKEY_CURRENT_CONFIG
  Enter the Registry key: Specify the registry key using the examples given in the GUI.
  Enter the Registry value name: Specify the name of the registry value.
Figure 199: Registry Keys Page (Overview - Post Add)

AntiVirus
In the Antivirus page, you can turn on the Antivirus application check. Click An anti-virus application is on to configure the Antivirus application information.

Figure 200: Antivirus Page (Overview - Before)
When enabled, the Antivirus detail page appears.

Figure 201: Antivirus Page (Detail 1)
Click Add to specify product and version check information.
Figure 202: Antivirus Page (Detail 2)
After you save your Antivirus configuration, it appears in the Antivirus page list.

Figure 203: Antivirus Page (Overview - After)

Table 127: Antivirus Page
  Interface: Antivirus Page
  Parameters:
  - An Antivirus Application is On
  - Auto Remediation
  - User Notification
  - Display Update URL
  Description:
  - Click An Antivirus Application is On to enable testing of health data for the configured Antivirus application(s).
Table 127: Antivirus Page (Continued)
  Parameters:
  - Engine version check
  - Datafile version check
  - Data file has been updated in
  - Last scan has been done before
  - Real-time Protection Status Check
  Description:
  the UI.
  - Select the antivirus product - Select a vendor from the list.
  - Product version check - No Check, Is Latest (requires registration with the ClearPass portal), At Least, In Last N Updates (requires registration with the ClearPass portal).
Figure 206: AntiSpyware Page (Detail 2)
Figure 207: AntiSpyware Page (Overview - After)
When you save your AntiSpyware configuration, it appears in the AntiSpyware page list. The configuration elements are the same for antivirus and antispyware products; refer to the previous Antivirus configuration instructions.

Firewall
In the Firewall page, you can specify that a Firewall application must be on and specify information about the Firewall application.
Figure 210: Firewall Page (Detail 2)
When you save your Firewall configuration, it appears in the Firewall page list.
Figure 212: Peer to Peer Page

Table 129: Peer to Peer Page
  Auto Remediation: Enable to allow auto remediation for service checks (automatically stop peer-to-peer applications based on the entries in the Applications to stop configuration).
  User Notification: Enable to allow user notifications for peer-to-peer application/network check policy violations.
Figure 215: Patch Management Page (Detail 2)
When you save your patch configuration, it appears in the Patch Management page list.
Table 130: Patch Management Page (Continued)
  Status Check Type: Select this field to check whether the Patch Agent is enabled or not. The Dell Networking W-ClearPass Policy Manager server compares the Patch Agent Status sent by the OnGuard Agent with the configured value. If the Patch Agent Status value differs from the configured value, the client is treated as unhealthy.
Figure 217: Windows Hotfixes Page

Table 131: Windows Hotfixes
  Auto Remediation: Enable to allow auto remediation for hotfix checks (automatically trigger updates of the specified hotfixes).
  User Notification: Enable to allow user notifications for hotfix check policy violations.
  Monitor Mode: Click to enable Monitor Mode.
  Available Hotfixes: The first scrolling list lets you select the criticality of the hotfixes.
Table 132: USB Devices
  Auto Remediation: Enable to allow auto remediation for USB mass storage devices attached to the endpoint (automatically stop or eject the drive).
  User Notification: Enable to allow user notifications for USB devices policy violations.
  Remediation Action for USB Mass Storage Devices:
  - No Action - Take no action; do not eject or disable the attached devices.
  - Remove USB Mass Storage Devices - Eject the attached devices.
Network Connections
The Network Connections page provides configuration to control network connections based on connection type.

Figure 220: Network Connections
Select the Check for Network Connection Types check box, and then click Configure to specify the type of connection that you want to include.

Configure Network Connection Type
Figure 221: Network Connection Type Configuration
Table 134: Network Connection Type Configuration Page
  Allow Network Connections Type:
  - Allow Only One Network Connection
  - Allow One Network Connection with VPN
  - Allow Multiple Network Connections
  Network Connection Types: Click >> or << to add or remove the Others, Wired, and Wireless connection types.
  Remediation Action for USB Mass Storage Devices:
  - No Action - Take no action; do not eject or disable the attached devices.
Figure 222: Disk Encryption Configuration Page

Table 136: Disk Encryption Parameters
  User Notification: Enable to allow user notifications for virtual machine policy violations.
  Product-specific checks: Clear to allow disk encryption on any product. The Select Disk Encryption product and Product Version is at least fields are disabled after you clear the check box.
  Select Disk Encryption product: Select a specific disk encryption product.
Table 137: Installed Applications Configuration Page
  Remediation checks: Auto-remediation for the Installed Applications health class is not supported.
  User Notification: A remediation message listing the applications to install or uninstall is displayed to the end user.
  Monitor Mode: Enable Monitor Mode to treat all the installed applications as always healthy.
  Applications Allowed (Mandatory): Enter the application name as it is shown in Add/Remove Programs.
Figure 223: Windows Security Health Validator

Windows System Health Validator - OnGuard Agent
This validator checks for current Windows Service Packs. The OnGuard Agent also supports legacy Windows operating systems, such as Windows Server 2003. An administrator can use the check boxes to enable support for specific operating systems and to restrict access based on service pack level.
Adding and Modifying Posture Servers
Policy Manager can forward all or part of the posture data received from the client to Posture Servers. The Posture Server evaluates the posture data and returns Application Posture Tokens.
Table 138: Microsoft NPS Settings (Posture Server tab)
  Name/Description: Freeform label and description.
  Server Type: Always Microsoft NPS.
  Default Posture Token: Posture token assigned if the server is unreachable or if there is a posture check failure. Select a status from the drop-down list.
Chapter 10
Audit Servers
Audit Servers evaluate posture, role, or both, for unmanaged or unmanageable clients, such as clients that lack an adequate posture agent or 802.1X supplicant. For example, printers, PDAs, or guest users might not be able to send posture credentials or identify themselves. A Policy Manager Service can trigger an audit by sending a client ID to a pre-configured audit server; the server returns attributes for role mapping and posture evaluation.
Configuring Audit Servers
The Policy Manager server contains built-in Nessus (version 2.X) and NMAP servers. For enterprises with existing audit server infrastructure, or that otherwise prefer external audit servers, Policy Manager also supports external servers.
Table 140: Audit tab
  Audit Server/Add new Audit Server: Select a built-in server profile from the list:
  - The [Nessus Server] performs vulnerability scanning. It returns a Healthy/Quarantine result.
  - The [Nmap Audit] performs network port scans. The health evaluation always returns Healthy. The port scan gathers attributes that allow determination of Role(s) through post-audit rules.
Figure 230: Audit Servers Listing
2. Modify the profile, plugins, and/or preferences.
  - In the Audit tab, you can modify the In Progress Posture Status and Default Posture Status.
  - If you selected a NESSUS Server, the Primary/Backup Server tabs allow you to specify a scan profile. In addition, when you add a new scan profile, you can select plugins and preferences for the profile. Refer to Nessus Scan Profiles on page 254 for more information.
Nessus Audit Server
Policy Manager uses the Nessus Audit Server interface primarily to perform vulnerability scanning. It returns a Healthy/Quarantine result. The Audit tab identifies the server and defines configuration details.

Figure 232: Nessus Audit Server (Audit Tab)

Table 141: Nessus Audit Server (Audit tab)
  Name/Description: Freeform label and description.
  Type: For a NESSUS-type Audit Server, always NESSUS.
Figure 233: Nessus Audit Server (Primary & Backup Tabs)

Table 142: Nessus Audit Server - Primary and Backup Server tabs
  Server Name and Port/Username/Password: Standard NESSUS server configuration fields.
  NOTE: For the backup server to be invoked on primary server failover, select the Enable to use backup when primary does not respond check box.
Figure 234: Nessus Scan Profile Configuration Page
You can refresh the plugins list (after uploading plugins into Policy Manager, or after refreshing the plugins on your external Nessus server) by clicking Refresh Plugins List.
Figure 235: Nessus Scan Profile Configuration (Profile Tab)
- The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click on its row.
Figure 236: Nessus Scan Profile Configuration (Profile Tab) - Plugin Synopsis
Of special interest is the section of the synopsis entitled Risks. To delete any listed plugin, click its trashcan icon. To change the vulnerability level of any listed plugin, click the link to change the level to one of HOLE, WARN, or INFO. This setting tells Policy Manager the vulnerability level at which a finding is assigned QUARANTINE status.
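Two pieces of the scan profile described above are easy to get wrong: the Selected Plugins tab shows the selection plus every dependency, not just what was ticked, and the HOLE/WARN/INFO level assigned to a plugin decides whether a finding from it quarantines the client. The following added example (not ClearPass or Nessus code) models both: it expands a selection to its transitive dependency closure and then decides Healthy/Quarantine from the reporting plugins' levels and the level chosen for QUARANTINE. Plugin ids, dependencies, levels and findings are constructed; treating a plugin with no assigned level as INFO is an assumption of this example.

```python
"""Added example (not ClearPass or Nessus code): plugin selection expanded to
its dependencies, and the Healthy/Quarantine decision from HOLE/WARN/INFO
levels.  Plugin ids, dependencies, levels and findings are constructed."""
from typing import Dict, Iterable, List, Set

# Ordering of the three vulnerability levels the profile lets you assign.
LEVEL_ORDER = {"INFO": 0, "WARN": 1, "HOLE": 2}

# Constructed catalogue: plugin id -> ids it depends on.
CATALOGUE: Dict[int, List[int]] = {
    10001: [],         # service detection
    10002: [10001],    # banner collection, needs service detection
    10003: [10002],    # out-of-date service version check
    10004: [10001],    # unrelated informational check
}


def selected_with_dependencies(selected: Iterable[int],
                               catalogue: Dict[int, List[int]]) -> Set[int]:
    """Transitive closure of the selection, as the Selected Plugins tab lists it."""
    closure: Set[int] = set()
    pending = list(selected)
    while pending:
        pid = pending.pop()
        if pid in closure:
            continue
        if pid not in catalogue:
            raise KeyError(f"plugin {pid} is not in the plugin list")
        closure.add(pid)
        pending.extend(catalogue[pid])
    return closure


def audit_result(reported: Iterable[int], levels: Dict[int, str],
                 quarantine_level: str = "HOLE") -> str:
    """Healthy/Quarantine decision for one audited client.

    reported: plugin ids that produced a finding for the client.
    levels:   the level assigned to each plugin in the profile.  A plugin
              with no explicit level is treated as INFO here; that is an
              assumption of this example, not documented behaviour.
    """
    threshold = LEVEL_ORDER[quarantine_level]
    for pid in reported:
        if LEVEL_ORDER[levels.get(pid, "INFO")] >= threshold:
            return "QUARANTINE"
    return "HEALTHY"


# Constructed profile: the administrator selected two plugins and set 10002 to WARN.
SAMPLE_SELECTION = [10003, 10004]
SAMPLE_LEVELS = {10001: "INFO", 10002: "WARN", 10003: "HOLE", 10004: "INFO"}

if __name__ == "__main__":
    print(sorted(selected_with_dependencies(SAMPLE_SELECTION, CATALOGUE)))
    print(audit_result([10001, 10002], SAMPLE_LEVELS))
    print(audit_result([10001, 10002], SAMPLE_LEVELS, quarantine_level="WARN"))
```

Selecting 10003 and 10004 pulls in 10001 and 10002 through their dependencies. A client that only trips the WARN-level banner plugin stays Healthy when QUARANTINE is assigned at HOLE, but is quarantined if the administrator lowers that level to WARN.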
For example, consider a plugin that must access a particular service in order to determine some aspect of the client's status; in such cases, login information might be among the preference fields.

Figure 239: Nessus Scan Profile Configuration (Preferences Tab)
After saving the profile, plugin, and preference information for your new (or modified) scan profile, you can go to the Primary/Backup Servers tabs and select it from the Scan Profile drop-down list.
Table 143: Audit Tab (NMAP)
  Name/Description: Freeform label and description.
  Type: For an NMAP-type Audit Server, always NMAP.
  In Progress Posture Status: Posture status during audit. Select a status from the drop-down list.
  Default Posture Status: Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.
The NMAP Options tab specifies the scan configuration.
  Detect Host Operating System: To enable, select the Detect Host Operating System check box. NMAP option -A.
  Port Range/Host Timeout/In Progress Timeout:
  - Port Range - Range of ports to scan. NMAP option -p.
  - Host Timeout - Give up on the target host after this long. NMAP option --host-timeout.
  - In Progress Timeout - How long to wait before polling for NMAP results.
The Rules tab specifies rules for post-audit evaluation of the request to assign a role.
Figure 243: All Audit Server Configurations (Rules Editor)

Table 146: All Audit Server Configurations (Rules Editor)
  Conditions: The Conditions list includes these dictionaries: Audit-Status, Device-Type, Output-Msgs, Mac-Vendor, Network-Apps, Open-Ports, and OS-Info. Refer to Namespaces on page 513.
  Actions: The Actions list includes the names of the roles configured in Policy Manager.
  Save: To commit a Condition/Action pairing, click Save.
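The NMAP options above produce a scan result, and the Rules Editor turns that result into a role; the following added example (not ClearPass code) shows the step in between. It parses the XML that nmap writes with -oX into the Open-Ports, OS-Info, Mac-Vendor and Audit-Status dictionaries named for the Rules Editor, then applies Condition/Action rules that assign roles. The XML document, the Audit-Status values, the operators and the rules are constructed for this example; only the dictionary names come from the page.

```python
"""Added example (not ClearPass code): nmap -oX output to audit attributes,
then post-audit Condition/Action rules to roles.  The XML, the Audit-Status
values, the operators and the rules are constructed."""
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Tuple

# Constructed nmap -oX output for one host (an audit of a network printer).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -A -p 1-1024,9100 10.0.0.25">
  <host>
    <status state="up"/>
    <address addr="10.0.0.25" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Hewlett Packard"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports>
    <os><osmatch name="HP LaserJet 4250 printer" accuracy="96"/></os>
  </host>
</nmaprun>
"""


def audit_attributes(xml_text: str) -> Dict[str, Any]:
    """Extract Open-Ports, OS-Info, Mac-Vendor and Audit-Status from nmap XML."""
    attrs: Dict[str, Any] = {"Audit-Status": "error", "Open-Ports": [],
                             "OS-Info": "", "Mac-Vendor": ""}
    host = ET.fromstring(xml_text).find("host")
    if host is None:
        return attrs  # nothing was audited; rules see Audit-Status = error
    for port in host.iterfind("ports/port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            attrs["Open-Ports"].append(int(port.get("portid")))
    mac = host.find("address[@addrtype='mac']")
    if mac is not None:
        attrs["Mac-Vendor"] = mac.get("vendor", "")
    best = None  # keep the osmatch with the highest accuracy
    for match in host.iterfind("os/osmatch"):
        acc = int(match.get("accuracy", "0"))
        if best is None or acc > best[0]:
            best = (acc, match.get("name", ""))
    if best is not None:
        attrs["OS-Info"] = best[1]
    attrs["Audit-Status"] = "complete"
    return attrs


Condition = Tuple[str, str, Any]  # (dictionary, operator, value)


def condition_holds(attrs: Dict[str, Any], cond: Condition) -> bool:
    name, op, value = cond
    actual = attrs.get(name)
    if op == "EQUALS":
        return actual == value
    if op == "CONTAINS":
        if isinstance(actual, list):
            return value in actual
        return str(value).lower() in str(actual).lower()
    raise ValueError(f"unsupported operator {op!r}")


def assign_roles(attrs: Dict[str, Any],
                 rules: List[Tuple[List[Condition], str]]) -> List[str]:
    """Every rule whose conditions all hold contributes its role (Action)."""
    return [role for conds, role in rules
            if all(condition_holds(attrs, c) for c in conds)]


# Constructed rules in the Condition/Action form of the Rules Editor.
SAMPLE_RULES = [
    ([("Audit-Status", "EQUALS", "complete"), ("Open-Ports", "CONTAINS", 9100),
      ("OS-Info", "CONTAINS", "printer")], "Printer"),
    ([("Mac-Vendor", "CONTAINS", "hewlett")], "HP Device"),
    ([("Open-Ports", "CONTAINS", 3389)], "Remote Desktop Host"),
]

if __name__ == "__main__":
    found = audit_attributes(SAMPLE_NMAP_XML)
    print(found)
    print(assign_roles(found, SAMPLE_RULES))
```

Only the open ports are reported (443 is closed and dropped), so the constructed host is assigned the Printer and HP Device roles and not Remote Desktop Host; a scan with no host element yields Audit-Status = error and matches no rule, which is where the Default Posture Status and a fallback role would apply.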
Chapter 11
Enforcement
Policy Manager controls network access by sending a set of access-control attributes to the request-originating Network Access Device (NAD). Policy Manager determines these attributes by evaluating the Enforcement Policy associated with the service. The evaluation of an Enforcement Policy results in one or more Enforcement Profiles; each Enforcement Profile wraps the access-control attributes sent to the Network Access Device.
Figure 244: Flow of Control of Policy Manager Enforcement

Configuring Enforcement Profiles
You configure Policy Manager Enforcement Profiles globally, but they must be referenced in an enforcement policy that is associated with a Service.
- ClearPass Entity Update Enforcement on page 281
- CLI Based Enforcement on page 282
- Filter ID Based Enforcement on page 284
- Generic Application Enforcement on page 285
- HTTP Based Enforcement on page 287
- RADIUS Based Enforcement on page 288
- RADIUS Change of Authorization (CoA) on page 289
- Session Restrictions Enforcement on page 292
- SNMP Based Enforcement on page 294
- TACACS+ Based Enforcement on page 295
- VLAN Enforcement on page 297

Figure 245: Enforcement Profiles P
Table 147: Default Enforcement Profiles (Continued)
  Profile: Available for the following Enforcement Types
  [Cisco - Bounce-Host-Port]: RADIUS_CoA
  [Cisco - Disable Host-Port]: RADIUS_CoA
  [Cisco - Reauthenticate-Session]: RADIUS_CoA
  [Cisco - Terminate-Session]: RADIUS_CoA
  [Deny Access Profile]: RADIUS
  [Deny Application Access Profile]: Application
  [Drop Access Profile]: RADIUS
  [Handle AirGroup Time Sharing]: HTTP
  [HP - Terminate Session]: RADIUS_CoA
  [Juniper Terminate Session]: RADIUS_CoA
  [Motorola
Profile tab
Figure 246: Agent Enforcement Profile tab

Table 148: Add Agent Enforcement Profile tab Parameters
  Template: Agent Enforcement
  Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
  Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
  Type: Agent. The value field is populated automatically.
Table 149: Agent Enforcement Attributes tab Parameters
  Attribute Name: Select one of the following attribute names:
  - Bounce Client - Set the value to true by checking the box to terminate the network connection.
  - Message - Enter the message to be displayed on the endpoint.
  - Enable to hide Retry button - Set the value to true to hide the Retry button in the OnGuard Agent.
  - Enable to hide Logout button - Set the value to true to hide the Logout button in the OnGuard Agent.
Profile tab
Figure 248: Aruba Downloadable Role Enforcement Profile tab

Table 150: Aruba Downloadable Role Enforcement Profile tab Parameters
  Template: Select Aruba Downloadable Role Enforcement.
  Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
  Description: Enter a description of the profile. This description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Figure 249: Aruba Downloadable Role Enforcement Role Configuration tab

Table 151: Role Configuration Attributes Page Parameters
  Reauthentication Interval Time (0-4096): Enter the number of minutes between reauthentications. You can select a value in the range 0 to 4096 minutes.
  VLAN To Be Assigned (1-4094): Enter a number between 1 and 4094 that identifies the VLAN to be assigned.
Click to modify profiles and parameters on the page.
Figure 250: Add Captive Portal Profile Attributes Page

Policer Profile
Click the Add Policer Profile link. Enter a name for the profile. Configure the required attributes and click Save or Cancel.

Figure 251: Add Policer Profile Attributes Page
QoS Profile
Click the Add QoS Profile link. Enter a name for the profile. Configure the required attributes and click Save or Cancel.

Figure 252: Add QoS Profile Attributes Page

VoIP Profile
Click the Add VoIP Profile link. Enter a name for the profile. Configure the required attributes and click Save or Cancel.
Figure 253: Add VoIP Profile Attributes Page

NetService Configuration
Click the Manage NetServices link. Configure the required attributes and click Save, Delete, or Cancel.

Figure 254: Manage NetServices Attributes Page

NetDestination Configuration
Click the Manage NetDestinations link. Configure the required attributes. Click Reset or Save Rule. Then click Save, Delete, Reset, or Cancel.
Figure 255: Manage NetDestinations Attributes Page

Time Range Configuration
Click the Manage Time Ranges link. Configure the required attributes and click Save, Delete, or Cancel.

Figure 256: Time Range Configuration Attributes Page

NAT Pool Configuration
Use the NAT Pool Configuration page to configure the start and end of the source NAT range and associate them with session ACLs.
Figure 257: NAT Pool Configuration Page

ACL
Click the Add Stateless Access Control List link. Enter a name for the Stateless ACL. Click the Add Rule link on the General tab. Enter the required attributes in the Rule Configuration tab and click Save Rule or Cancel.

Figure 258: Stateless Access Control List Configuration Attributes Page
Click the Add Session Access Control List link and enter the name for the Session ACL. Click the Add Rule link on the General tab.
Figure 259: Session Access Control List Attributes Page
Click the Add Ethernet/MAC Access Control List link. Enter a name for the Ethernet/MAC ACL. Enter the required attributes in the Rules section of the page and click Reset or Save Rule. Then click Save or Cancel.

Figure 260: Ethernet/MAC Access Control List Attributes Page
Aruba RADIUS Enforcement
Use this page to configure profile and attribute parameters for the Aruba RADIUS Enforcement Profile.

Profile tab
Figure 261: Aruba RADIUS Enforcement Profile tab

Table 152: Aruba RADIUS Enforcement Profile tab Parameters
  Template: Aruba RADIUS Enforcement
  Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
  Description: Enter a description of the profile.
Table 153: Aruba RADIUS Enforcement Attributes tab Parameters
  Type: Select one of the following attribute types:
  - Radius:Aruba
  - Radius:IETF
  - Radius:Cisco
  - Radius:Microsoft
  - Radius:Avenda
  For more information, see RADIUS Namespaces on page 522.
  Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
  Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Table 154: Cisco Downloadable ACL Enforcement Profile tab Parameters (Continued)
  request.
  Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed on the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
  - Click Remove to delete the selected Device Group List entry.
Profile tab
Figure 265: Cisco Web Authentication Enforcement Profile tab

Table 156: Cisco Web Authentication Enforcement Parameters
  Template: Cisco Web Authentication Enforcement
  Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
  Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
  Type: RADIUS.
Table 157: Cisco Web Authentication Enforcement Parameters
  Type: Select one of the following attribute types:
  - Radius:Aruba
  - Radius:IETF
  - Radius:Cisco
  - Radius:Microsoft
  - Radius:Avenda
  For more information, see RADIUS Namespaces on page 522.
  Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
  Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Table 158: ClearPass Entity Update Enforcement Profile tab Parameters (Continued)
  Action: Disabled.
  Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed on the Device Groups page: Configuration > Network > Device Groups.
Profile tab
Figure 269: CLI Based Enforcement Profile tab

Table 160: CLI Based Enforcement Profile tab Parameters
  Template: CLI Based Enforcement
  Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
  Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
  Type: CLI
  Action: Disabled.
Table 161: CLI Based Enforcement Attributes tab Parameters
  Attribute Name: Select Command or Target Device.
  Attribute Value: The options displayed for the Attribute Value depend on the Attribute Name that was selected.

Filter ID Based Enforcement
Use this page to configure profile and attribute parameters for the Filter ID Based Enforcement Profile.
  Action: Enabled. Click Accept, Reject, or Drop to define the action taken on the request.
  Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed on the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
  - Click Remove to delete the selected Device Group List entry.
Profile tab
Figure 273: Generic Application Enforcement Profile tab

Table 164: Generic Application Enforcement Profile tab Parameters
  Template: Generic Application Enforcement
  Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
  Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
  Type: Application.
Table 165: Generic Application Enforcement Attributes tab Parameters
  Attribute Name: Select an attribute name from the list. The list has multiple pages.
  Attribute Value: The options displayed for the Attribute Value depend on the Attribute Name that was selected.

HTTP Based Enforcement
Use this page to configure profile and attribute parameters for the HTTP Based Enforcement Profile.
Attributes tab
Figure 276: HTTP Based Enforcement Attributes tab

Table 167: HTTP Based Enforcement Attributes tab Parameters
  Attribute Name: Select Target Server or Action.
  Attribute Value: The options displayed for the Attribute Value depend on the Attribute Name that was selected.

RADIUS Based Enforcement
Use this page to configure profile and attribute parameters for the RADIUS Based Enforcement Profiles.
Table 168: RADIUS Based Enforcement Profile tab Parameters (Continued)
  Action: Enabled. Click Accept, Reject, or Drop to define the action taken on the request.
  Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed on the Device Groups page: Configuration > Network > Device Groups.
Profile tab
Figure 279: Radius Change of Authorization (CoA) Profile tab

Table 170: Radius Change of Authorization (CoA) Profile tab Parameters
  Template: Select from:
  - Cisco-Disable-Host-Port
  - Cisco - Bounce-Host-Port
  - Cisco - Reauthenticate-Session
  - HP - Change-VLAN
  - HP - Generic-CoA
  - Aruba - Change-User-Role
  - IETF - Terminate-Session-IETF
  - Aruba - Change-VPN-User-Role
  - IETF- Generic-CoA-IETF
  Type: Select one of the following attribute types:
  - Radius:Aruba
  - Radius:IETF
Table 170: Radius Change of Authorization (CoA) Profile tab Parameters (Continued)
  Action: Disabled.
  Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed on the Device Groups page: Configuration > Network > Device Groups.
Table 171: Radius Change of Authorization (CoA) Attributes tab Parameters
  RADIUS CoA Template: Select from:
  - Cisco-Disable-Host-Port
  - Cisco - Bounce-Host-Port
  - Cisco - Reauthenticate-Session
  - HP - Change-VLAN
  - HP - Generic-CoA
  - Aruba - Change-User-Role
  - IETF - Terminate-Session-IETF
  - Aruba - Change-VPN-User-Role
  - IETF- Generic-CoA-IETF
  Type: Select one of the following attribute types:
  - Radius:Aruba
  - Radius:IETF
  - Radius:Cisco
  - Radius:Microsoft
  - Radius:Avenda
  For more information, see RADIUS Namespaces on page 522.
Table 172: Session Restrictions Enforcement Profile tab Parameters
  Template: Session Restrictions Enforcement
  Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
  Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
  Type: Post_Authentication. The field is populated automatically.
  Action: Disabled.
Table 173: Session Restrictions Enforcement Attributes tab Parameters
Type: Select from:
- Bandwidth-Check
- Expire-Check
- Post-Auth-Check
- Session-Check
NOTE: Palo Alto integration is extended to Guest MAC Caching use cases. Configure:
- Session-Check::IP-Address-Change-Notify
- Session-Check::Username = %{Endpoint:Username}
With these attributes, Post Auth sends the guest username instead of the MAC address in the user ID updates.
Table 174: SNMP Based Enforcement Profile tab Parameters (Continued)
Type: SNMP. This field is populated automatically.
Action: Disabled.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups; they are defined on the Configuration > Network > Device Groups page.
Profile tab
Figure 285: TACACS+ Based Enforcement Profile tab
Table 176: TACACS+ Based Enforcement Profile tab Parameters
Template: TACACS+ Based Enforcement
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile. The description is displayed in the Description column on the Configuration > Enforcement > Profiles page.
Type: TACACS.
Table 177: TACACS+ Based Enforcement Services tab Parameters
Privilege Level: Select a level between 0 and 15.
Selected Services: Select a service from the list and add it to the Selected Services field. Click Remove to remove a service from the field.
Export All: Click this link to download the TACACS+ Services dictionary to the local computer.
Table 178: VLAN Enforcement Profile tab Parameters (Continued)
Action: Enabled. Click Accept, Reject, or Drop to define the action taken on the request.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups; they are defined on the Configuration > Network > Device Groups page.
- From the Configuration > Enforcement > Enforcement Policies page.
- From the Configuration > Services page, as part of the flow of the Add Service wizard.
Figure 289: Enforcement Policies Listing Page
Click Add Enforcement Policy to open the Add Enforcement Policy wizard:
Figure 290: Add Enforcement Policy (Enforcement tab)
Table 180: Add Enforcement Policy (Enforcement tab)
Name/Description: Freeform label and description.
Table 180: Add Enforcement Policy (Enforcement tab) (Continued)
... values associated with those attributes to determine the Enforcement Profile. If none of the rules matches, Policy Manager applies the Default Profile. Click Add new Enforcement Profile to add a new profile. (This is integrated into the flow: after you finish creating the profile, Policy Manager returns you to the current page/tab.)
Table 182: Add Enforcement Policy (Rules Editor)
Conditions/Enforcement Profiles: Select conditions for this rule. For each condition, select a matching action (Enforcement Profile).
NOTE: A condition in an Enforcement Policy rule can contain attributes from the following namespaces: Tips:Role, Tips:Posture, and Date.
NOTE: The value field for the Tips:Role attribute can be a role defined in Policy Manager or a role fetched from the authorization source.
Chapter 12 Network Access Devices A Policy Manager Device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol.
Figure 293: Device Tab
Table 183: Device tab Parameters
Name: Specify the identity of the device.
Description: Provide additional information that helps to identify the device.
IP Address or Subnet: Specify the IP address or the subnet of the device; for example, 192.168.5.0/24. A subnet entry lets every host in that range submit requests with this device's shared secret, so keep the range as narrow as the deployment allows.
RADIUS/TACACS+ Shared Secret: Enter and confirm a shared secret for each of the two supported request protocols.
Table 183: Device tab Parameters (Continued)
Vendor: Specify the dictionary to be loaded for this device. This field is optional.
NOTE: RADIUS:IETF, the dictionary containing the standard set of RADIUS attributes, is always loaded. When you specify a vendor here, the RADIUS dictionary associated with this vendor is automatically enabled.
Enable RADIUS CoA: Enable RADIUS CoA (RFC 3576/5176) for this device.
RADIUS CoA Port: Set the UDP port on the device to which CoA actions are sent (the RFC 5176 default is 3799).
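The RADIUS CoA exchange that this setting enables, as an added example that is not part of the original guide or of Policy Manager's own code: it builds an RFC 5176 Disconnect-Request bound to the device's shared secret, checks it the way the device would on receipt, and verifies the device's ACK. The secret, session ID and addresses are constructed placeholders, and the port defaults to the RFC 5176 value of 3799, which the device may override.

```python
# Added example (not ClearPass code): construct and verify RFC 5176 CoA/Disconnect
# packets the way a RADIUS server and a NAD exchange them over UDP.
import hashlib
import hmac
import socket
import struct

# Packet codes from RFC 5176 section 2.
CODE_DISCONNECT_REQUEST = 40
CODE_DISCONNECT_ACK = 41
CODE_DISCONNECT_NAK = 42
CODE_COA_REQUEST = 43
CODE_COA_ACK = 44
CODE_COA_NAK = 45
COA_DEFAULT_PORT = 3799  # RFC 5176 default; the device may be configured differently

# Attribute types used below (RFC 2865/2866).
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_SESSION_ID = 44


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value limited to 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, identifier, attrs, secret):
    """Build a CoA/Disconnect-Request. Per RFC 5176 section 3 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret); the
    shared secret configured for the device is what binds the packet to the sender."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet, secret):
    """The device-side check: recompute the Request Authenticator with its copy of the secret.
    A request built with another secret, or altered in transit, fails here and is dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, attrs, secret):
    """Build an ACK/NAK. The Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response, request, secret):
    """Server-side check that an ACK/NAK answers our request (same identifier) and came
    from a holder of the shared secret (authenticator verifies)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_request(username, session_id, nas_ip, secret, identifier=0x2A):
    """Disconnect one session, identified by User-Name plus Acct-Session-Id, with
    NAS-IP-Address naming the device that owns the session."""
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return build_request(CODE_DISCONNECT_REQUEST, identifier, attrs, secret)


def send_disconnect(packet, nas_ip, port=COA_DEFAULT_PORT, timeout=3.0):
    """Send the packet to the device's CoA port and return the raw reply (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nas_ip, port))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    # Constructed values: the secret, session and NAS address are placeholders.
    secret = b"constructed-shared-secret"
    req = disconnect_request("alice", "0000A1B2", "192.168.5.10", secret)
    ack = build_response(CODE_DISCONNECT_ACK, req, b"", secret)  # what a device would answer
    print("request verifies:", verify_request(req, secret))
    print("ack verifies:", verify_response(ack, req, secret))
```

Only the shared secret authenticates these packets, so any host that can reach the CoA port and knows the secret can disconnect or re-authorize sessions on that device; use a distinct secret per device and restrict on the device which source addresses it accepts CoA from.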
Figure 295: SNMP Read/Write Settings tabs - SNMP v3 Details
Table 184: SNMP Read/Write Settings tabs Parameters
Allow SNMP Read/Write: Toggle to enable or disable SNMP Read/Write.
Default VLAN (SNMP Write only): Specify the VLAN port setting applied after an SNMP-enforced session expires.
SNMP Read Setting: Specify the SNMP Read settings for the device.
Table 184: SNMP Read/Write Settings tabs Parameters (Continued)
Force Read (SNMP v1 and v2 only): Enable this setting to ensure that all Dell Networking W-ClearPass Policy Manager nodes in the cluster read SNMP information from this device regardless of the trap configuration on the device. This option is useful when demonstrating static IP-based device profiling, because it does not require any trap configuration on the network device.
Figure 296: CLI Settings Tab
Table 185: CLI Settings tab Parameters
Allow CLI Access: Toggle to enable or disable CLI access.
Access Type: Select SSH or Telnet. Policy Manager uses the selected access method to log into the device CLI. Telnet sends the credentials below in cleartext; use SSH wherever the device supports it.
Port: Specify the SSH or Telnet TCP port number.
Username/Password: Enter the credentials used to log into the CLI.
Username Prompt Regex: Specify the regular expression for the username prompt.
Additional Available Tasks
- To import a device, click Import Devices. In the Import from File popup, browse to select a file, and then click Import. If you entered a secret key to encrypt the exported file, enter the same secret key to import the device back.
- To export all devices from the configuration, click Export Devices. In the Export to File popup, specify a file path, and then click Export. In the Export to File popup, you can choose to encrypt the exported data with a key. Device definitions carry shared secrets and CLI credentials, so use the key whenever an export is stored or transferred outside the appliance.
Figure 298: Add New Device Group Popup
Table 186: Add New Device Group popup
Name/Description/Format: Specify the identity of the device group and the format used to define its members.
Subnet: Enter a subnet consisting of the network address and the network suffix (CIDR notation); for example, 192.168.5.0/24.
Regular Expression: Specify a regular expression that represents all IPv4 addresses matching that expression; for example, ^192(.[0-9]*){3}$. Note that an unescaped . matches any character, so this example also accepts strings such as 192x1y2z3; ^192(\.[0-9]{1,3}){3}$ matches only dotted-quad addresses beginning with 192.
Table 186: Add New Device Group popup (Continued)
List: Available/Selected Devices: Use the widgets to move device identifiers between Available and Selected. Click Filter to filter the list based on the text in the associated text box.
Save/Cancel: Click Save to commit or Cancel to dismiss the popup.
For SNMP enforcement on the network device, one or more of the following traps must be configured on the device: Link Up trap, Link Down trap, MAC Notification trap.
Add a Proxy Target
To add a Proxy Target, click Add and complete the fields in the Add Proxy Target popup. You can also add a new proxy target from the Services page (Configuration > Services) as part of the flow of the Add Service wizard for a RADIUS Proxy service type.
Figure 300: Add Proxy Target Popup
Table 187: Add Proxy Target popup
Name/Description: Freeform label and description.
Hostname/Shared Secret: RADIUS hostname and shared secret.
Custom Admin Privileges Dell Networking W-ClearPass Policy Manager ships with six read-only default administrator privilege XML files. You have the option to export one or more default files and modify the file to create a customized administrator privileges file. Customized administrator privileges are defined in a specifically formatted XML file and then imported into Policy Manager on the Admin Privileges page.
Chapter 13 Policy Simulation After the policies are final, you can use the Configuration > Policy Simulation utility to evaluate the policies before deployment. The Policy Simulation utility applies a set of request parameters as input against a given policy component and displays the outcome in the Results tab.
Active Directory Authentication
This simulation tests authentication against an Active Directory domain or trusted domain to verify that the CPPM domain membership is valid. The Attributes tab is not available for this simulation type.
Simulation tab
Figure 303: Active Directory Authentication Simulation tab
Table 190: Active Directory Authentication Simulation tab Parameters
Active Directory Domain: Select the domain(s) to which the node is joined.
Application Authentication
This simulation tests authentication requests generated from the ClearPass Guest application.
Simulation tab
Figure 305: Application Authentication Simulation tab
Table 192: Application Authentication Simulation tab Parameters
CPPM IP Address/FQDN: Enter the IP address or FQDN of the domain(s) to which the node is joined.
Username: Enter the username.
Password: Enter the password.
Attributes tab
Enter the attributes of the policy component to be tested.
Results tab
The Results tab of the Application Authentication simulation displays the Authentication Result and the Application Output Attributes.
Figure 307: Application Authentication Results tab
Table 194: Application Authentication Results tab Parameters
Summary: Displays the results of the Application Authentication simulation.
Application Authentication Output Attributes: Displays the output attributes, such as Super Administrator.
Table 195: Audit Simulation tab Parameters
Audit Server: Select [Nessus Server] or [Nmap Audit].
Audit Host IP Address: Enter the IP address of the host to audit.
Results tab
Figure 309: Audit Simulation Results tab
Table 196: Audit Results tab Parameters
Summary: Displays information about the Audit Status, Temporary Status, and Audit Timeout.
Audit Output Attributes: Displays the Audit-Status, such as AUDIT_INPROGRESS.
Table 197: Chained Simulation tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Authentication Source: Default value = [Local User Repository] if you select:
- [Policy Manager Admin Network Login Service]
- [Aruba Device Access Service]
Default value = [Guest Device Repository] if you select: [AirGroup Author
Attribute / Parameter
Application: See Application Namespace on page 514.
Certificate: See Certificate Namespaces on page 518.
Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda, Radius:Aruba: See RADIUS Namespaces on page 522.
Trend:AV, Cisco:HIPS, Cisco:HOST, Cisco:PA, NAI:AV, Symantec:AV
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Table 199: Chained Simulation Results tab Parameters
Summary: Provides the following information about the Chained Simulation:
- Status
- Roles
- System Posture Status
- Enforcement Profiles
- Enforcement Policy
Given the service name (and the associated enforcement policy), a role or a set of roles, the system posture status, and an optional date and time, the enforcement policy simulation evaluates the rules in the enforcement policy and displays the resulting enforcement profiles a
Table 200: Enforcement Policy Simulation tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Enforcement Policy: Autofilled with [Admin Network Login Policy] if you select [Policy Manager Admin Network Login Service]. Autofilled with [AirGroup Enforcement Policy] if you select [AirGroup Authorization Service]. Aut
Table 200: Enforcement Policy Simulation tab Parameters (Continued)
Dynamic Roles:
- [Onboard Mac OS X]
- [Onboard iOS]
- [Aruba TACACS root Admin]
- [Aruba TACACS read-only Admin]
- [Device Registration]
- [BYOD Operator]
- [AirGroup v1]
- [AirGroup v2]
Add Role: Enter the name of a dynamic role in the Add Role field and click the Add Role button to populate the Dynamic Roles list.
Remove Role: Highlight a dynamic role and click the Remove Role button.
Table 201: Enforcement Policy Attributes tab Parameters (Continued)
Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda, Radius:Aruba: See RADIUS Namespaces on page 522.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Simulation tab
Figure 316: RADIUS Authentication Simulation tab (Local Server selected)
Figure 317: RADIUS Authentication Simulation tab (Remote Server selected)
Table 203: RADIUS Simulation tab Parameters
Server: Select Local or Remote.
CPPM IP Address or FQDN: Enter the IP address or FQDN of the remote CPPM server. NOTE: This field is only displayed if Remote Server is selected.
Port: NOTE: This field is only displayed if Remote Server is selected.
Table 203: RADIUS Simulation tab Parameters (Continued)
Shared Secret: This field is only displayed if Remote Server is selected.
NAS IP Address (optional): Enter the IP address of the network device to populate the NAS-IP-Address attribute in the RADIUS request.
NAS Type: Select the type of network device to simulate, in terms of the RADIUS attributes placed in the request.
Table 203: RADIUS Simulation tab Parameters (Continued)
Client Certificate PKCS12 (PFX)*:
1. Click Choose File.
2. Navigate to the client certificate used for TLS, in PKCS12 (.pfx or .p12) format.
3. Click Open.
4. Click Upload.
Passphrase for PFX file*: Enter the passphrase for the selected PFX file.
* These fields are only displayed if you select TTLS or PEAP as the authentication outer method and EAP-TLS as the authentication inner method.
NAS Type: Aruba Wired Switch Controller
Figure 319: NAS Type: Aruba Wired Switch Controller Attributes tab
Table 205: NAS Type: Aruba Wired Switch Controller Required Attribute Settings
Line 1: Type = Radius:IETF, Name = NAS-Port-Type, Value = Ethernet (15)
Line 2: Type = Radius:IETF, Name = Service-Type, Value = Login-User (1)
NAS Type: Cisco Wireless Switch
Figure 320: NAS Type: Cisco Wireless Switch Attributes tab
Table 206: NAS Type: Cisco Wireless Switch Required Attribute Settin
Results tab
Figure 321: Results tab
Table 207: RADIUS Authentication Results tab Parameters
Summary: Displays a summary of the simulation.
Authentication Result: Displays the outcome of the authentication test.
Details: Click this link to open a popup that provides details about the authentication test. You can take the following actions:
- Click the Summary, Input, and Output tabs.
- Click the Change Status, Show Logs, Export, or Close buttons.
Status Message(s)
Simulation tab
Figure 322: Role Mapping Simulation tab
Table 208: Role Mapping Simulation tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Role Mapping Policy: Field is disabled if you select:
- [Policy Manager Admin Network Login Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
Field is auto-f
Table 208: Role Mapping Simulation tab Parameters (Continued)
- Guest Access With MAC Caching
Values = [Guest Device Repository] or [Local User Repository] if you select [Guest Operator Logins]
Username: Enter the user name.
Test Date and Time: Click the calendar icon to select the start date and time for the simulation test. For more information, see Date Namespaces on page 520.
Attributes tab
Enter the attributes of the policy component to be tested.
Table 209: Role Mapping Simulation Attributes tab Parameters (Continued)
Radius:IETF, Radius:Cisco, Radius:Microsoft, Radius:Avenda, Radius:Aruba: See RADIUS Namespaces on page 522.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Table 211: Service Categorization Simulation tab Parameters
Parameter: Type, Namespace, Details.
Test Date and Time: Click the calendar widget and select:
- Test start date
- Test start time
Attributes tab
Enter the attributes of the policy component to be tested.
Results tab
Figure 327: Results tab
Table 213: Service Configuration Results tab Parameters
Summary: Gives the name of the service.
Chapter 14 ClearPass Policy Manager Profile
Profile is a Dell Networking W-ClearPass Policy Manager module that automatically classifies endpoints using attributes obtained from software components called Collectors. You can use Profile to implement "Bring Your Own Device" (BYOD) flows, where access must be controlled based on the type of the device and the identity of the user.
- MAC OUI on page 338*
- ActiveSync Plugin on page 339
- CPPM OnGuard on page 339
- SNMP on page 339
- Subnet Scan on page 340
* Acquired via various authentication mechanisms such as 802.1X, MAC authentication, etc.
DHCP
DHCP attributes such as option 55 (parameter request list), option 60 (vendor class), and the options list from DISCOVER and REQUEST packets can uniquely fingerprint most devices that use DHCP to acquire an IP address on the network.
ActiveSync Plugin
The ActiveSync plugin is installed on Microsoft Exchange servers. When a device communicates with the Exchange server using the ActiveSync protocol, it provides attributes such as device-type and user-agent. These attributes are collected by the plugin software and sent to the CPPM profiler. The profiler uses dictionaries to derive profiles from these attributes.
CPPM OnGuard
The ClearPass OnGuard agent performs advanced endpoint posture assessment.
Figure 328: SNMP Read/Write Settings Tabs
In large or geographically spread cluster deployments, you do not want all CPPM nodes to probe all SNMP-configured devices. The default behavior is for a CPPM node in the cluster to read network device information only for devices configured to send traps to that CPPM node.
Subnet Scan
A network subnet scan is used to discover the IP addresses of devices on the network.
Stage 1 tries to derive device profiles using static dictionary lookups. Based on the available attributes, Stage 1 looks up the DHCP, HTTP, ActiveSync, MAC OUI, and SNMP dictionaries and derives multiple matching profiles. When multiple matches are returned, the priority of the source that provided the attribute is used to select the appropriate profile. The following list shows the decreasing order of priority.
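The DHCP option fingerprinting and the Stage 1 source-priority selection described above, as an added example that is not part of the original guide or of the Profile module's code. It parses the options area of a DISCOVER as laid out in RFC 2132, derives matches from option 55 and option 60, and then keeps the profile from the highest-ranked source. The fingerprint entries, the vendor-class prefixes and the source ranking are constructed for illustration; they are not the ClearPass Fingerprints dictionary or the product's actual priority list.

```python
# Added example (not ClearPass code): parse DHCP options from a DISCOVER/REQUEST,
# fingerprint the client from option 55 / option 60, then resolve conflicting
# matches from several collectors by source priority, as Stage 1 does.
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options field
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60


def parse_dhcp_options(options_field):
    """Return ({code: value}, [codes in order]) for the DHCP options area.
    Option 0 is a one-byte pad and 255 ends the list; all others are code, length, value.
    Repeated options are concatenated (RFC 3396). Truncated input raises ValueError
    rather than silently yielding a partial fingerprint."""
    if not options_field.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, order, i = {}, [], len(DHCP_MAGIC)
    while i < len(options_field):
        code = options_field[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(options_field):
            raise ValueError("truncated option header")
        length = options_field[i + 1]
        value = options_field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        if code not in opts:
            order.append(code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts, order


# Constructed fingerprint entries for illustration; not the ClearPass Fingerprints dictionary.
DHCP_OPTION55_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows workstation (constructed)",
    "1,121,3,6,15,119,252": "Apple iOS device (constructed)",
}
VENDOR_CLASS_PREFIXES = {
    "MSFT 5.0": "Microsoft Windows (constructed)",
    "android-dhcp-": "Android device (constructed)",
}


def dhcp_matches(options_field):
    """Return a list of (source, profile) matches derived from the DHCP attributes."""
    opts, _ = parse_dhcp_options(options_field)
    matches = []
    if OPT_PARAM_REQUEST_LIST in opts:
        signature = ",".join(str(b) for b in opts[OPT_PARAM_REQUEST_LIST])
        if signature in DHCP_OPTION55_FINGERPRINTS:
            matches.append(("DHCP", DHCP_OPTION55_FINGERPRINTS[signature]))
    if OPT_VENDOR_CLASS in opts:
        vendor_class = opts[OPT_VENDOR_CLASS].decode("ascii", errors="replace")
        for prefix, profile in VENDOR_CLASS_PREFIXES.items():
            if vendor_class.startswith(prefix):
                matches.append(("DHCP", profile))
    return matches


# Hypothetical source ranking, highest priority first; not the product's actual list.
SOURCE_PRIORITY = ("SNMP", "ActiveSync", "HTTP", "DHCP", "MAC OUI")


def select_profile(matches, priority=SOURCE_PRIORITY):
    """Stage 1 style resolution: of all profiles the dictionaries returned, keep the one
    whose attribute came from the highest-ranked source; unknown sources are ignored."""
    best = None
    for source, profile in matches:
        if source not in priority:
            continue
        rank = priority.index(source)
        if best is None or rank < best[0]:
            best = (rank, source, profile)
    return None if best is None else (best[1], best[2])


def build_options(*pairs):
    """Assemble an options field (magic cookie, options, End) for constructed test input."""
    out = bytearray(DHCP_MAGIC)
    for code, value in pairs:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


# Constructed DISCOVER options: message type, client id, vendor class, parameter request list.
SAMPLE_DISCOVER = build_options(
    (OPT_MESSAGE_TYPE, b"\x01"),
    (61, b"\x01\x00\x11\x22\x33\x44\x55"),
    (OPT_VENDOR_CLASS, b"MSFT 5.0"),
    (OPT_PARAM_REQUEST_LIST, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])),
)

if __name__ == "__main__":
    found = dhcp_matches(SAMPLE_DISCOVER)
    print("DHCP matches:", found)
    # A constructed MAC OUI match that disagrees with DHCP loses to the higher-ranked source.
    print("selected:", select_profile(found + [("MAC OUI", "Generic NIC vendor (constructed)")]))
```

The parser refuses truncated options instead of returning whatever it managed to read, because a half-parsed option 55 would produce a signature that matches nothing or, worse, matches the wrong entry; a client that wants to be misclassified only has to send a crafted option list, which is why DHCP evidence is combined with other collectors rather than trusted alone.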
Figure 330: Profiler tab
Table 214: Profiler tab Parameters
Endpoint Classification: Select the classification after which an action must be triggered. You can select a new action or remove the current action.
RADIUS CoA Action: Select an action. Click View Details to view details about the selected action. Click Modify to change the values of the selected action.
Add new RADIUS CoA Action: Click to add a RADIUS CoA action to the list.
Chapter 15 Administration
All administrative activities, including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance, are done from the Administration menus. The Policy Manager Administration menu provides the following interfaces for configuration:
ClearPass Portal Navigate to the Administration > ClearPass Portal page.
Table 215: ClearPass Portal parameters (Continued)
Top section: Click to enter text that displays in the header.
Bottom section: Click to enter text that displays in the footer.
Copyright: Click to enter copyright text.
Both HTTP and HTTPS protocols are supported for Guest Portal redirection.
Table 216: Admin Users (Continued)
Export: Exports a selected user to an XML file.
Delete: Deletes a selected user.
Add User: Select the Add link in the upper right portion of the page.
Figure 333: Add Admin User
Table 217: Add Admin User
User ID: Specify the identity and password for a new admin user.
Figure 334: Import (Admin) Users
Table 218: Import (Admin) Users
Select file: Browse to select the admin user import file.
Enter secret key for file (if any): Enter the secret key used (while exporting) to protect the file.
Import/Cancel: Commit or dismiss the import.
Export Users
Select the Export All link from the upper right portion of the page. The Export (Admin) Users link exports all admin users. Click Export.
Administrator Privilege XML File Structure
Admin privilege files are XML files with a very specific structure. A header must be at the beginning of an admin privilege XML file and must be exactly:
The root tag is TipsContents. It is a container for the data in the XML file and should look like this:
⋮
Following the TipsContents tag is an optional TipsHeader tag.
Table 219: Administrator Privileges and IDs (Continued)
Area (Dell Networking W-ClearPass Policy Manager Menu): Task ID
  - OnGuard Activity: mon.li.ag
  - Analysis and Trending: mon.li.sp
  - Endpoint Profiles: mon.li.ep
  - System Monitor: mon.li.sy
- Audit Viewer: mon.av
- Blacklisted Users: mon.bl
- Event Viewer: mon.ev
- Data Filters: mon.df
Configuration: con
- Start Here (Services Wizard): con.sh
- Services: con.se
- Service Templates: con.st
- Authentication: con.
Table 219: Administrator Privileges and IDs (Continued)
Area (Dell Networking W-ClearPass Policy Manager Menu): Task ID
  - Audit Servers: con.pv.au
- Enforcements: con.en
  - Policies: con.en.epo
  - Profiles: con.en.epr
- Network: con.nw
  - Devices: con.nw.nd
  - Device Groups: con.nw.ng
  - Proxy Targets: con.nw.pr
- Policy Simulation: con.ps
- Profile Settings: con.prs
Administration: adm
- User and Privileges: adm.us
  - ClearPass Portal: adm.po.cp
  - Admin Users: adm.us.
Table 219: Administrator Privileges and IDs (Continued)
Area (Dell Networking W-ClearPass Policy Manager Menu): Task ID
  - Endpoint Context Servers: adm.xs.cs
  - Context Server Actions: adm.di.csa
- Certificates: adm.cm
  - Server Certificate: adm.cm.mc
  - Trust List: adm.cm.ctl
  - Revocation List: adm.cm.crl
- Dictionaries: adm.di
  - RADIUS: adm.di.rd
  - Posture: adm.di.pd
  - TACACS+ Services: adm.di.td
  - Fingerprints: adm.di.df
  - Attributes: adm.di.at
  - Applications: adm.di.
2. Store the new file.
3. Go to Administration > Users and Privileges > Admin Privileges.
4. Click Import Admin Privileges.
5. Import the administrator privilege file you created in step 1. See Importing for details.
After you complete steps 1-5, the new administrator privileges document is displayed on the Admin Privileges page.
Table 220: Log Configuration Service Log Configuration tab Parameters
Select Server: Specify the server for which to configure logs. All nodes in the cluster appear in the drop-down list.
Select Service: Specify the service for which to configure logs.
Module Log Level Settings: Enable this option to set the log level for each module individually (listed in decreasing level of verbosity).
Figure 337: Log Configuration System Level tab
Table 221: Log Configuration System Level tab Parameters
Select Server: Specify the server for which to configure logs.
Number of log files: Specify the number of log files of a specific module to keep at any given time.
- Manage Policy Manager Zones on page 384
- NetEvents Targets on page 385
- Virtual IP Settings on page 386
- Make Subscriber on page 387
- Upload Nessus Plugins on page 387
- Cluster-Wide Parameters on page 388
- Collect Logs on page 398
- Backup on page 399
- Restore on page 399
- Shutdown/Reboot on page 401
- Drop Subscriber on page 401
Figure 338: Server Configuration Page
Editing Server Configuration Settings
Navigate to the Administration > Server Manager > Server Configuration
Figure 339: Editing Server Configuration System Tab
The Server Configuration page opens by default on the System tab. For more information about the tasks you can perform on this tab, see:
- Manage Policy Manager Zones on page 384
- Join AD Domain on page 359
- Add Password Server on page 360 (for joined AD domains)
The following figure is an example of the System tab, followed by the parameter definitions:
Figure 340: System Tab
Table 222: Server Configuration System Tab Parameters
Hostname: Specifies the hostname of the Policy Manager appliance. You do not need to enter the fully qualified domain name in this field.
Policy Manager Zone: Select a previously configured zone from the drop-down list. Click the Manage Policy Manager Zones link to add and edit zones.
Enable Profile: Enable the profile to perform endpoint classifications.
Table 222: Server Configuration System Tab Parameters (Continued)
Data/External Port: Subnet Mask: Specify the subnet mask of the data interface. Click the Configure button to open the Configure Management Port page and enter the IPv4 subnet mask.
Data/External Port: Default Gateway: Specify the default gateway for the data interface. Click the Configure button to open the Configure Management Port page and enter the IPv4 or IPv6 address.
Figure 341: Join AD Domain
Table 223: Join AD Domain Parameters
Domain Controller: Fully qualified name of the Active Directory domain controller.
NetBIOS name (optional): The NetBIOS name of the domain. Enter this value only if it differs from your regular Active Directory domain name (it is usually a shorter name). Contact your AD administrator for the NetBIOS name.
DNS will be included. Perform the following steps to add a password server.
1. In the AD Domains section of the System tab, click the Add Password Server icon (see Figure 342).
Figure 342: Add Password Server icon
2. The Configure AD Password Servers page appears. Specify the domain name, NetBIOS name, and the password servers. Password servers can be given as hostnames or IP addresses; use a new line for each entry.
3. Click Save when you are finished.
Figure 344: Services Control Tab Service Parameters Tab Navigate to the Service Parameters tab to change system parameters of a variety of services. The options on this page vary based on the selected service. Determine the service that you want to edit.
Figure 346: Async Network Services
Table 224: Service Parameters tab - Async Network Services
Post Auth
Number of request processing threads: Set the number of request processing threads. The default value is 20 threads; allowed values are between 20 and 100.
Lazy handler polling frequency: Set the lazy handler polling frequency, in minutes. The default value is 5 minutes; allowed values are from 3 to 10 minutes.
Figure 347: ClearPass Network Services - Service Parameters Tab
Figure 348: ClearPass Network Services - Service Parameters Tab, FIPS Mode
Table 225: ClearPass Network Services - Service Parameters tab Parameters
DhcpSnooper
MAC to IP Request Hold time: Specifies the number of seconds to wait before responding to a query for the IP address corresponding to a MAC address. Any DHCP message received in this time period refreshes the MAC-to-IP binding.
Table 225: ClearPass Network Services - Service Parameters tab Parameters (Continued)
SNMP v3 Trap Privacy Protocol: Specifies the SNMP v3 privacy protocol for traps. Must be one of DES_CBC, AES_128, or empty (to disable privacy). NOTE: The DES_CBC privacy protocol is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode. Single DES offers little protection against a well-resourced attacker in any mode; prefer AES_128 where the trap sender supports it.
SNMP v3 Trap Authentication Key: Specifies the SNMP v3 authentication key and privacy key for incoming traps.
Figure 349: ClearPass System Services Parameters (partial view)
Table 226: Service Parameters - ClearPass system services
PHP System Configuration
Memory Limit: Maximum memory that can be used by the PHP applications.
Form POST Size: Maximum HTTP POST content size that can be sent to the PHP application.
File Upload Size: Maximum file size that can be uploaded to the PHP application.
Table 226: Service Parameters - ClearPass system services (Continued)
Proxy Server: Hostname or IP address of the proxy server.
Port: Port on which the proxy server listens for HTTP traffic.
Username: Username used to authenticate with the proxy server.
Password: Password used to authenticate with the proxy server.
Database Configuration
Maximum connections: Specify a number between 300 and 2000 for the maximum number of allowed connections.
Table 226: Service Parameters - ClearPass system services (Continued)
Maximum Requests: Specify the maximum number of requests. The default value is 500. The allowed range is 0 to 3000.
Enable Host Header check: Specify TRUE or FALSE. The default value is TRUE. When set to TRUE, the Host Header Restriction check is enabled and only requests whose Host header matches an allowed (whitelisted) value are served; requests that reach the appliance with any other Host header are refused.
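What a Host header restriction of the kind this parameter enables does with an incoming request, as an added example that is not part of the original guide or of the appliance's code. The whitelist and the sample request heads are constructed, and the exact matching rules Policy Manager applies are not documented on this page; the example shows the normalisation a careful check needs (case, trailing dot, port suffix, bracketed IPv6 literals) and the cases it must reject outright (missing, duplicated or malformed Host).

```python
# Added example (not ClearPass code): a Host header whitelist check applied to raw
# HTTP request heads, with the normalisation needed to compare hosts safely.
import ipaddress

# Constructed whitelist: the names and addresses by which this appliance may be reached.
ALLOWED_HOSTS = frozenset({"cppm.example.com", "10.0.0.5", "2001:db8::5"})


def _is_port(text):
    """True for a ':port' suffix with a valid TCP port number."""
    return text.startswith(":") and text[1:].isdigit() and 0 < int(text[1:]) < 65536


def normalize_host(host_value):
    """Reduce a Host header value to a comparable host: lower-case, trailing dot removed,
    optional :port stripped, IPv6 literal unbracketed and canonicalised.
    Returns None when the value is malformed, so the caller rejects it rather than guessing."""
    value = host_value.strip().lower()
    if not value:
        return None
    if value.startswith("["):                      # RFC 3986 IPv6 literal, e.g. [2001:db8::5]:443
        end = value.find("]")
        if end == -1 or (value[end + 1:] and not _is_port(value[end + 1:])):
            return None
        try:
            return str(ipaddress.IPv6Address(value[1:end]))
        except ValueError:
            return None
    host, sep, port = value.rpartition(":")
    if sep:
        if not port.isdigit() or ":" in host:      # unbracketed IPv6 or stray colon: not host:port
            return None
        value = host
    value = value.rstrip(".")
    if not value or any(c not in "abcdefghijklmnopqrstuvwxyz0123456789-." for c in value):
        return None
    return value


def host_allowed(host_value, allowed=ALLOWED_HOSTS):
    host = normalize_host(host_value)
    return host is not None and host in allowed


def check_request(raw_request, allowed=ALLOWED_HOSTS):
    """Decide on a raw HTTP request head: 400 when Host is missing, duplicated or malformed,
    403 when it names something outside the whitelist, 200 when it passes."""
    lines = raw_request.split("\r\n")
    hosts = [l.split(":", 1)[1] for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:
        return 400
    host = normalize_host(hosts[0])
    if host is None:
        return 400
    return 200 if host in allowed else 403


# Constructed request heads for illustration.
SAMPLE_REQUESTS = {
    "legit": "GET /guest HTTP/1.1\r\nHost: CPPM.example.com\r\n\r\n",
    "legit_port": "GET /guest HTTP/1.1\r\nHost: cppm.example.com:443\r\n\r\n",
    "ipv6": "GET /guest HTTP/1.1\r\nHost: [2001:DB8::5]:443\r\n\r\n",
    "spoofed": "GET /guest HTTP/1.1\r\nHost: cppm.example.com.attacker.test\r\n\r\n",
    "duplicate": "GET /guest HTTP/1.1\r\nHost: cppm.example.com\r\nHost: attacker.test\r\n\r\n",
    "missing": "GET /guest HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        print(name, check_request(request))
```

Duplicate and missing Host headers are treated as malformed rather than as "no match" because a front end and the application can disagree about which of two headers counts; refusing the request removes that ambiguity.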
Table 227: Service Parameters tab - Policy Server service (Continued)
External Posture Server Thread Pool Size: Specifies the number of threads to use for posture servers.
External Posture Server Primary Retry Interval: After a primary posture server goes down, Policy Manager connects to one of the backup servers. This parameter specifies how long Policy Manager waits before it tries to connect to the primary server again.
Table 228: Service Parameters tab - Radius Server Service (Continued)
Counts
Security
Reject Packet Delay: Delay before sending the actual RADIUS Access-Reject after the server decides to reject the request. Delaying rejects slows down online password guessing against the RADIUS server.
Maximum Attributes: Maximum number of RADIUS attributes allowed in a request.
Process Server-Status Request: Send replies to Status-Server RADIUS packets.
Main Authentication Port: Ports on which the RADIUS server listens for authentication requests.
Table 228: Service Parameters tab - Radius Server Service (Continued)
EAP-TLS Fragment Size: Maximum size of an EAP-TLS fragment.
Use Inner Identity in Access-Accept Reply: Specify TRUE or FALSE.
TLS Session Cache Limit: Number of TLS sessions to cache before purging the cache (used in TLS-based 802.1X EAP methods).
AD (Active Directory) Errors Window Size: Enter the duration during which Active Directory errors are accumulated for possible action.
Table 228: Service Parameters tab - Radius Server Service (Continued) Service Parameter PACs are valid across cluster Description Whether PACs generated by this server are valid across the cluster or not. Accounting Log Accounting Interim-Update Packets Store the Interim-Update packets in session logs.
Table 230: Services Parameters tab - System monitor service
Free Disk Space Threshold: Monitors the available disk space. If the available free disk space falls below the specified threshold (default 30%), the system sends SNMP traps to the configured trap servers.
1 Min CPU load average Threshold: These parameters monitor the CPU load average of the system, specifying thresholds for the 1-min, 5-min and 15-min averages, respectively.
Figure 355: System Monitoring Tab
Table 232: System Monitoring tab Parameters
System Location: Specify the location of the Policy Manager appliance.
System Contact: Specify the contact information for the Policy Manager appliance.
SNMP Configuration
Version: Specify the SNMP version: V1, V2C, or V3. The GUI options on this page vary based on the SNMP version selected.
Community String: Enter and re-enter the community string for sending traps.
SNMP v3: Authentication Protocol: Select the authentication protocol, MD5 or SHA. The protocols offered depend on the security level that you selected in the Security Level field. This field is available only if you selected V3 as the SNMP version in the Version field. NOTE: The MD5 authentication protocol is not supported in FIPS mode.
SNMP v3: Authentication key: Enter and re-enter the authentication key.
Figure 357: Create Tunnel page
Table 233: Create Tunnel Page Parameters
Display Name: Specify the name for the tunnel interface. This name is used to identify the tunnel in the list of network interfaces.
Local Inner IP: Local IP address of the tunnel network interface.
Remote Outer IP: IP address of the remote tunnel endpoint.
Remote Inner IP: Remote IP address of the tunnel network interface. Enter a value here to automatically create a route to this address through the tunnel.
Table 234: Creating VLAN Parameters
Physical Interface: The physical port on which to create the VLAN interface. This is the interface through which the VLAN traffic will be routed.
VLAN Name: Name for the VLAN interface. This name is used to identify the VLAN in the list of network interfaces.
VLAN ID: 802.1Q VLAN identifier. Enter a value between 1 and 4094. The VLAN ID cannot be changed after the VLAN interface has been created.
IP Address: IP address of the VLAN.
Figure 359: Restrict Access dialog box
Table 235: Restrict Access Parameters
Resource Name: Select the application to which you want to allow or deny access.
Access: Select one of the following:
- Allow to define allowed access.
- Deny to define denied access.
Network: Enter one or more hostnames, IP addresses, or IP subnets, one per line. The devices defined by what you enter here will be either specifically allowed or specifically denied access to the application you select.
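The Network field accepts a mixed list of hostnames, addresses and subnets. The following Python is an added example (not ClearPass code) showing how such a list is normalised into networks and how an Allow rule differs from a Deny rule when a client address is checked against it. The hostname table and the sample rules are constructed so the example runs offline.

```python
"""Evaluate a Restrict Access rule of the kind described in Table 235.

Added example, not ClearPass code. The Network field holds one hostname,
IP address or IP subnet per line; Access is either Allow or Deny.
"""
import ipaddress
from typing import Callable, Dict, List

# Constructed hostname table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "admin-jump.example.com": ["10.0.5.10"],
    "nms.example.com": ["10.0.5.20", "10.0.5.21"],
}


def resolve_constructed(name: str) -> List[str]:
    """Offline stand-in for a DNS lookup; raises KeyError for unknown names."""
    return CONSTRUCTED_DNS[name]


def parse_network_field(text: str,
                        resolver: Callable[[str], List[str]] = resolve_constructed) -> list:
    """Turn the multi-line Network field into a list of ip_network objects.

    - a subnet such as 10.0.0.0/24 is kept as written; host bits set in the
      prefix (e.g. 10.0.0.5/24) raise ValueError instead of silently widening
      the rule to the whole /24
    - a bare IP address becomes a single-host network (/32 or /128)
    - anything else is treated as a hostname and resolved to host networks
    Blank lines are ignored. An unresolvable hostname raises ValueError, so a
    typo fails the whole rule rather than passing unnoticed.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "/" in line:
            networks.append(ipaddress.ip_network(line))  # strict by default
            continue
        try:
            networks.append(ipaddress.ip_network(line))  # bare address -> /32 or /128
            continue
        except ValueError:
            pass  # not an address; fall through to hostname handling
        try:
            addresses = resolver(line)
        except KeyError:
            raise ValueError(f"unresolvable entry in Network field: {line!r}") from None
        networks.extend(ipaddress.ip_network(a) for a in addresses)
    return networks


def restrict_access(resource_name: str, access: str, network_field: str,
                    resolver: Callable[[str], List[str]] = resolve_constructed) -> dict:
    """Build one Restrict Access rule from the three dialog fields."""
    if access not in ("Allow", "Deny"):
        raise ValueError("Access must be 'Allow' or 'Deny'")
    return {
        "resource": resource_name,
        "access": access,
        "networks": parse_network_field(network_field, resolver),
    }


def is_permitted(rule: dict, client_ip: str) -> bool:
    """Decide whether client_ip may reach the rule's application.

    Allow rule: only the listed devices are let in, everything else is denied.
    Deny rule:  the listed devices are blocked, everything else is let in.
    An IPv4 client never matches an IPv6 entry and vice versa.
    """
    addr = ipaddress.ip_address(client_ip)
    matched = any(addr in net for net in rule["networks"])
    return matched if rule["access"] == "Allow" else not matched
```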
OpenSSL FIPS Object Module. The OpenSSL FIPS Object Module has obtained FIPS 140-2 certificate number 1747, listed at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 A Dell Networking W-ClearPass Policy Manager server running in FIPS mode is FIPS-compliant. There are no additional steps required to ensure FIPS 140-2 compliant operation of the ClearPass Policy Manager in the FIPS mode.
Figure 361: FIPS Mode - Configuration Summary
Alternatively, you can enable or disable the FIPS mode on the Administration > Server Manager > Server Configuration > FIPS tab.
You can view the status of the FIPS mode in the status bar. The following figure shows an example of the status bar with the status of the FIPS mode:
Figure 363: FIPS Status
You can also view the status of the FIPS mode using the CLI commands. For more information, see Show Commands on page 494.
Set Date & Time
Navigate to Administration > Server Manager > Server Configuration, and click the Set Date and Time link. This opens by default on the Date & Time tab.
After configuring the date and time, select the time zone on the Time zone on publisher tab. This displays a list of time zones in alphabetical order. Select a time zone and click Save. This option is only available on the publisher. To set the time zone on a subscriber, select the specific server and set the time zone from the server-specific page.
Figure 365: Time zone on publisher tab
Change Cluster Password
Use this function to change the cluster-wide password.
Figure 366: Change Cluster Password Dialog
2. Enter the new password, then verify the password.
3. Click Save.
Manage Policy Manager Zones
CPPM shares a distributed cache of runtime state across all nodes in a cluster. These runtime states include:
- Roles and Postures of connected entities
- Connection status of all endpoints running OnGuard
- Endpoint details gathered by the OnGuard Agent
CPPM uses this runtime state information to make policy decisions across multiple transactions.
Figure 367: Policy Manager Zones
Table 237: Policy Manager Zones
Name: Enter the name of the configured Policy Manager Zone.
Add: Click this to add a zone.
Delete: Select the delete (trashcan) icon to delete a zone.
NetEvents Targets
NetEvents are a collection of details for various ClearPass Policy Manager entities such as users, endpoints, guests, authentications, accounting details, and so on.
Table 238: NetEvents targets
Target URL: HTTP URL of the service; the service must support POST and require authentication with a username and password. NOTE: For an external Insight server, you can enter https:///insight/netevents as the Target URL.
Username/Password: Credentials configured for authentication to the HTTP service provided in the Target URL.
Reset: Reset the dialog.
Delete: Delete the information.
Make Subscriber
In the Policy Manager cluster environment, the Publisher node acts as master. A Policy Manager cluster can contain only one Publisher node. Administration, configuration, and database write operations may occur only on this master node. The Policy Manager appliance defaults to a Publisher node unless it is made a Subscriber node. Cluster commands can be used to change the state of the node, hence the Publisher can be made a Subscriber. When it is a Subscriber, you will not see this link.
Figure 371: Upload Nessus Plugins
Table 241: Upload Nessus Plugins
Select File: Click Browse and select the plugins file with the extension tar.gz.
Enter secret for the file (if any): Always leave this blank.
Import/Cancel: Load the plugins, or dismiss. If there are a large number of plugins, the load time can be on the order of minutes.
Cluster-Wide Parameters
Use the Cluster-Wide Parameters page to configure the parameters that apply to all the nodes in a cluster.
Figure 372: Cluster-Wide Parameters - General Tab
Table 242: Cluster-Wide Parameters - General tab Parameters
Policy result cache timeout: Specifies the duration, in minutes, for which the role mapping and posture results derived by the policy engine during a policy evaluation are stored. This result can then be reused in subsequent evaluations of policies associated with a service, if the Use cached Roles and Posture attributes from previous sessions option is turned on for the service.
Table 242: Cluster-Wide Parameters - General tab Parameters (Continued)
NOTE: It is recommended to set this option to Off or Config before starting an upgrade. This ensures that the Auto-backup process does not interfere with migration after the upgrade. If required, you can change this setting back to the Config|SessionInfo option 24 hours after the upgrade completes.
Figure 373: Cluster-Wide Parameters - Cleanup Interval Tab
Table 243: Cluster-Wide Parameters - Cleanup Interval tab Parameters
Cleanup interval for Session log details in the database: Specify the number of days to keep the following data in the Policy Manager DB:
- session logs (found on the Access Tracker page)
- event logs (found on the Event Viewer page)
- machine authentication cache
The default value is 7 days.
Profiled Unknown endpoints cleanup interval: Specify the cleanup interval, in days, that ClearPass uses to determine when to start deleting profiled unknown entries from the Endpoint repository. Profiled unknown entries are deleted based on the last Updated At value of each Endpoint.
Table 244: Cluster-Wide Parameters - Notifications tab Parameters
System Alert Level: Specify the alert notifications that are generated for system events logged at this level or higher. Selecting INFO generates alerts for INFO, WARN, and ERROR messages. Selecting WARN generates alerts for WARN and ERROR messages. Selecting ERROR generates alerts for ERROR messages only. The default value is WARN.
Table 245: Cluster-Wide Parameters - Standby Publisher tab Parameters
Enable Publisher Failover: Select TRUE to authorize a node in the cluster to act as publisher if the primary publisher fails. The default value is FALSE.
Designated Standby Publisher: Select the server in the cluster that is to act as the standby publisher. The default value is 0.
You can define a virtual IP address by configuring only the primary server and omitting the secondary server, if required. This can be used to add an additional IP address to the Dell Networking W-ClearPass Policy Manager server without any redundancy.
Mode
The High Capacity Guest mode addresses the high-volume licensing requirements of Public Facing Enterprise (PFE) environments, where a large number of unique endpoints need wireless access.
- The High Capacity Guest mode is intended only for high volumes of guest access.
- Use-case related settings other than the High Capacity Guest mode are restricted.
- OnGuard and OnBoard access are restricted.
- Default cleanup interval values are reset.
- Only guest application licenses are allowed.
Table 248: Cleanup Interval Values in the High Capacity Guest Mode (Continued)
Expired guest accounts cleanup interval: The default value is 10 days.
Profiled endpoints cleanup interval: The default value is 3 days.
Old Audit Records cleanup interval: The default value is 10 days.
- EAP_PEAP_PUBLIC
Collect Logs
When you need to review performance or troubleshoot issues in detail, Policy Manager can compile and save transactional and diagnostic data into several log files. These files are saved in Local Shared Folders and can be downloaded to your computer.
To collect logs:
1. Go to Administration > Server Manager > Server Configuration.
2. Click Collect Logs. The Collect Logs dialog box appears.
Figure 378: Collect Logs
3. Enter a filename and add the .tar.
The following information is useful if you are attempting to open a capture file (.cap or .pcap) using Wireshark. First, untar or unzip the file (based on the file extension). When the entire file is extracted, navigate to the PacketCapture folder. Within this folder you will see a file with a .cap extension. Wireshark can open this file so that you can study the network traffic.
Backup
Navigate to the Administration > Server Manager > Server Configuration page, and click the Back Up button.
Figure 380: Restore
Table 250: Restore
Restore file location: Select either Upload file to server or File is on server.
Upload file path: Browse to select the name of the backup file. NOTE: This option is only available when the Upload file to server option is selected.
Shared backup files present on the server: If the file is on the server, select a file from the files in the local shared folders. (See Local Shared Folders.)
Ignore version mismatch and attempt data migration: This option must be checked when you are migrating configuration and/or log data from a backup file that was created with a previous compatible version.
Restore cluster server/node entries from backup: Enable to include the cluster server/node entries in the restore.
Do not backup the existing databases before this operation: Enable this option if you do not want to back up the existing databases before performing a restore.
Figure 381: Local Shared Folders Page
Licensing
The Administration > Server Manager > Licensing page shows all the licenses that have been activated for the entire CPPM cluster. You must have a Dell Networking W-ClearPass Policy Manager base license for every instance of the product.
Figure 383: Licensing Page - Servers tab
If the number of licenses used exceeds the number purchased, you will see a warning four months after the number is exceeded. The licenses-used number is based on the daily moving average.
Activating an Application License
After you add or update an application license, it must be activated. Adding an application license installs an Application tab on the Licensing page.
1. Go to Administration > Server Manager > Licensing.
2. Click the Applications tab.
3.
Figure 385: Online Activation Page
Adding an Application License
You can add a license by clicking the Add License button in the top-right portion of this page.
1. Select a product from the drop-down list.
2. Enter the license key for the new license.
3. Read the Terms and Conditions before adding a license.
4. Click the I agree to the above terms and conditions check box.
5. Click the Add button.
Figure 386: Add License Page
Updating an Application License
Licenses typically require updating after they expire, for example after an evaluation license expires, or when capacity exceeds the licensed amount. You update an application license by entering a new license key.
1. Go to Administration > Server Manager > Licensing.
2. Click the Applications tab.
3. Click an application anywhere except in the Activation Status column. The Update License page appears.
4. Enter the New License Key.
5.
SNMP Trap Receivers
Policy Manager sends SNMP traps that expose the following server information:
- System uptime. Conveys how long the system has been running.
- Network interface statistics [up/down]. Indicates whether the network interface is up or down.
- Process monitoring information. Checks for the processes that should be running, and the maximum and minimum number of allowed instances. Sends traps if there is a change in the maximum or minimum values.
- Disk usage.
Figure 387: SNMP Trap Receivers Listing Page
Adding an SNMP Trap Server
To add a trap server, navigate to Administration > External Servers > SNMP Trap Receivers and select the Add SNMP Trap Server link.
Figure 388: Add SNMP Trap Server
Table 251: Add SNMP Trap Server fields
Host Address: Trap destination hostname or IP address. NOTE: This server must have an SNMP trap receiver or trap viewer installed.
Description: Freeform description.
SNMP Version: V1 or V2C.
Export Trap Server. Enter the XML file name in the Save As dialog.
Exporting a Single SNMP Trap Server
To export a single SNMP trap server, navigate to Administration > External Servers > SNMP Trap Receivers. Select the SNMP trap server that you want to export and click the Export button in the lower-right corner of the page. Enter the name of the XML file in the Save As dialog.
Figure 390: Syslog Target Listing Page
Table 253: Syslog Target Configuration
Add: Opens the Add Syslog Target popup.
Import: Opens the Import Syslog Target popup.
Export All: Opens the Export Syslog Target popup.
Export: Opens the Export popup.
Delete: To delete a Syslog Target, select it (check box at left) and click Delete.
Add Syslog Target
To add a Syslog Target, navigate to Administration > External Servers > Syslog Targets and select Add.
Table 254: Add Syslog Target
Host Address: Syslog server hostname or IP address.
Description: Freeform description.
Protocol: Select from:
- UDP: To reduce overhead and latency.
- TCP: To provide error checking and packet delivery validation.
Server Port: Port number for sending the syslog messages; by default, port 514.
Import Syslog Target
Navigate to Administration > External Servers > Syslog Targets and select Import.
Syslog Export Filters Policy Manager can export session data (see Access Tracker on page 17), audit records (see Audit Viewer on page 51) and event records (see Event Viewer on page 56). You configure Syslog Export Filters to tell Policy Manager where to send this information, and what kind of information should be sent through Data Filters.
Figure 394: Import Syslog Filter
Table 257: Import from File
Select File: Browse to the Syslog Filter configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.
Export Syslog Filter
Navigate to Administration > External Servers > Syslog Filters and select the Export All link.
Figure 395: Add Syslog Filters - Filter and Columns tab (Session Logs)
Table 258: Add Syslog Filters (Filter and Columns tab)
Data Filter: Specify the data filter. The data filter limits the type of records sent to the syslog target.
Modify/Add new Data filter: Modify the selected data filter, or add a new one. Specifying a data filter filters the rows that are sent to the syslog target. You may also select the columns that are sent to the syslog target.
Figure 396: Add Syslog Filters - Filter and Columns tab (Insight Logs)
The data collection interval for Insight logs is -4 to -2 minutes from the current time, that is, the window from 4 minutes ago to 2 minutes ago.
Table 259: Add Syslog Filters - Filter and Columns tab (Insight Logs)
Columns Selection: In the Columns Selection field, determine the group of reports that you want to include in the syslog filter. This limits the type of columns sent through the syslog filter.
Figure 397: Add Syslog Export Filters (General tab)
Table 260: Syslog Export Filters General tab Parameters
Name/Description: Enter a name and description in the respective text fields.
Export Template: Select one of the following options:
- Audit Records
- Insight Logs
- Session Logs
- System Events
Syslog Servers: Syslog servers define the receivers of syslog messages sent by servers in the ClearPass cluster.
- To add a syslog server, select it from the drop-down list.
Adding a Syslog Export Filter (Summary tab)
This topic describes the parameters on the Summary tab of the Add Syslog Export Filters page.
Table 261: Syslog Export Filters Summary tab Parameters
General
Name: Name created for the new filter.
Description: Description of the new syslog export filter.
Export Template: The template selected as the export template.
Syslog Servers: IP address of the syslog server selected during configuration.
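The following Python is an added example (not ClearPass code) that ties together the Protocol and Server Port fields of Table 254, the data filter and column selection of Table 258, and the Session Logs export template of Table 260: a data filter selects rows, a column selection projects fields, and each surviving row is framed as one syslog message. The session records, the RFC 5424 layout, the facility and the severity mapping are constructed assumptions, not values the product documents.

```python
"""Model a Syslog Export Filter for the Session Logs template (Tables 254, 258, 260).

Added example, not ClearPass code. A data filter decides which rows are sent,
the column selection decides which fields of each row are sent, and every
surviving row becomes one syslog message for the configured syslog server.
"""
import socket
from typing import Callable, Dict, List

# Constructed Access Tracker session records standing in for the Policy Manager DB.
CONSTRUCTED_SESSIONS: List[Dict[str, str]] = [
    {"timestamp": "2014-03-01T09:00:01Z", "username": "alice", "nas_ip": "10.1.1.1",
     "service": "Corp 802.1X Wireless", "login_status": "ACCEPT", "roles": "Employee"},
    {"timestamp": "2014-03-01T09:00:07Z", "username": "bob", "nas_ip": "10.1.1.1",
     "service": "Corp 802.1X Wireless", "login_status": "REJECT", "roles": ""},
    {"timestamp": "2014-03-01T09:00:09Z", "username": "guest-42", "nas_ip": "10.1.2.1",
     "service": "Guest Access", "login_status": "ACCEPT", "roles": "Guest"},
]

DEFAULT_SYSLOG_PORT = 514          # default Server Port in Table 254
FACILITY_LOCAL4 = 20               # assumed facility; the page does not specify one
SEVERITY_BY_STATUS = {"ACCEPT": 6, "REJECT": 4}  # assumed: informational / warning
SEVERITY_DEFAULT = 5               # notice, for rows with an unknown login status

DataFilter = Callable[[Dict[str, str]], bool]


def rejects_only(row: Dict[str, str]) -> bool:
    """A data filter in the sense of Table 258: keep failed authentications only."""
    return row.get("login_status") == "REJECT"


def all_rows(row: Dict[str, str]) -> bool:
    """The no-op data filter: every session record is exported."""
    return True


def format_syslog_message(row: Dict[str, str], columns: List[str],
                          hostname: str = "cppm-node1", app: str = "ClearPass") -> str:
    """Render one row as an RFC 5424-style line (assumed layout).

    PRI is computed from the full row, so severity still follows the login
    status even when that column is not among the exported columns. The body
    contains only the selected columns as key="value" pairs; a selected column
    the row lacks is exported empty rather than dropped, so the receiver sees a
    fixed set of keys for every message produced by this filter.
    """
    severity = SEVERITY_BY_STATUS.get(row.get("login_status", ""), SEVERITY_DEFAULT)
    pri = FACILITY_LOCAL4 * 8 + severity
    timestamp = row.get("timestamp", "-")
    body = " ".join(f'{col}="{row.get(col, "")}"' for col in columns)
    return f"<{pri}>1 {timestamp} {hostname} {app} - - - {body}"


def export_session_logs(rows: List[Dict[str, str]], data_filter: DataFilter,
                        columns: List[str], hostname: str = "cppm-node1") -> List[str]:
    """Apply the data filter (row selection), then the column selection (field
    projection), and return the syslog messages in row order."""
    return [format_syslog_message(row, columns, hostname)
            for row in rows if data_filter(row)]


def send_udp(messages: List[str], host: str, port: int = DEFAULT_SYSLOG_PORT) -> int:
    """Deliver the messages over UDP, the low-overhead protocol option of Table 254.

    Returns the number of datagrams handed to the socket. UDP gives no delivery
    confirmation, which is exactly the trade-off the TCP option avoids.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for message in messages:
            sock.sendto(message.encode("utf-8"), (host, port))
    finally:
        sock.close()
    return len(messages)
```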
the Configure SMS Gateway link at the top right to configure a new SMS gateway using the ClearPass Guest portal.
The following figure shows an example of the SMTP Server page, followed by the parameter definitions:
Figure 398: Messaging Setup SMTP Server Page
Table 262: Messaging Setup SMTP Server Page Parameters
Server name: Specify the Fully Qualified Domain Name (FQDN) or the IP address of the server.
Figure 399: Send Test Email Page
Click the Send Test SMS button to send the test SMS message to the preferred mobile phone number. The following figure shows an example of the Send Test SMS page with the options to specify the recipient's mobile phone number and the message to be sent:
Figure 400: Send Test SMS page
The recipient's mobile number must be in international format, which consists of a + sign, then the country code, followed by the mobile phone number (without the leading '0' of the number).
Information gathered from mobile devices can include policy breaches, data consumption, and existing configuration settings. Endpoint context servers are listed and managed at Administration > External Servers > Endpoint Context Servers.
Figure 401: Endpoint Context Servers Page
Adding an Endpoint Context Server
1. Go to Administration > External Servers > Endpoint Context Servers.
2. Click Add Context Server.
3. Select a server type.
Figure 402: Add AirWatch Server tab
Table 263: Add AirWatch Server tab Parameters
Select Server Type: AirWatch.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Username: Enter the username.
Figure 403: Add AirWatch Actions tab
Table 264: Add AirWatch Actions tab Parameters
Clear Passcode: Resets the passcode on the device.
Enterprise Wipe: Deletes only stored corporate information.
Lock Device: Locks the associated device.
Remote Wipe: Deletes all stored information.
Adding an AirWave Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Figure 404: Add AirWave Endpoint Context Server tab
Table 265: Add AirWave Endpoint Context Server tab Parameters
Select Server Type: AirWave.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Figure 405: Add Aruba Activate Endpoint Context Server tab
Table 266: Add Aruba Activate Endpoint Context Server tab Parameters
Select Server Type: Aruba Activate.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Adding a ClearPass Cloud Proxy Endpoint Context Server
The Cloud Proxy is a virtual instance configured in the cloud. This multi-tenant, single instance serves multiple customers, each with many CPPM nodes. Once configured, the CPPM server establishes a Cloud Tunnel to the Cloud Proxy instance using the given credentials and Domain. The Domain is required as an identifier indicating which Cloud Tunnel applies to which customer.
Verify Password: Verify the password.
Domain: An identifier used to determine the specific Cloud Tunnel to which the Cloud Proxy must send the request.
Validate Server: Click to enable validation of the server certificate.
Adding a Generic HTTP Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Table 268: Add Generic HTTP Endpoint Context Server tab Parameters (Continued)
Password / Verify Password: Enter and verify the password.
Validate Server: Click to enable validation of the server certificate.
Figure 409: Add JAMF Endpoint Context Server tab
Table 270: Add JAMF Endpoint Context Server tab Parameters
Select Server Type: Select the type of the Policy Manager appliance.
Server Name: Specify the name of the server. For example, V1, V2C, or V3.
Server Base URL: Specify the server base URL.
Username: Specify the username to use for SNMP v3 communication.
Password: Enter and re-enter the password.
Fetch Computer Records: Select the check box to fetch computer records.
Figure 410: Add MaaS360 Endpoint Context Server tab
Table 271: Add MaaS360 Endpoint Context Server tab Parameters
Select Server Type: MaaS360.
Server Name: Enter a valid server name. You can enter an IP address or domain name.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Platform ID: Enter the application version number.
Billing ID: Enter the Billing ID.
Validate Server: Click to enable validation of the server.
Adding a MobileIron Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Table 272: Add MobileIron Endpoint Context Server tab Parameters (Continued)
Password: Enter the password.
Verify Password: Re-enter the password.
Validate Server: Click to enable validation of the server.
Figure 412: Add MobileIron Endpoint Context Server Actions tab
Table 273: Add MobileIron Endpoint Context Server Actions tab Parameters
Lock Device: Locks the associated device.
Remote Wipe: Deletes all stored information.
Figure 413: Add Palo Alto Networks Firewall tab
Table 274: Add Palo Alto Networks Firewall tab Parameters
Select Server Type: Palo Alto Networks Firewall.
Server Name: Enter the server name.
Server Base URL: Enter the server base URL.
Username: Enter the user name.
Password: Enter the password.
Verify Password: Re-enter the password.
Use Full Username: Click to use the full user name in UID updates.
Figure 414: Palo Alto Networks Panorama Endpoint Context Server tab
Table 275: Palo Alto Networks Panorama Endpoint Context Server tab Parameters
Select Server Type: Palo Alto Networks Panorama.
Server Name: Enter the server name.
Server Base URL: Enter the base URL of the server.
Username: Enter the username.
Password: Enter the password.
Verify Password: Re-enter the password.
Use Full Username: Click to use the full username in UID updates.
Figure 415: Add SAP Afaria Endpoint Context Server - Server Tab
Table 276: Add SAP Afaria Endpoint Context Server - Server tab Parameters
Select Server Type: Select SAP Afaria.
Server Name: Enter the server name.
Server Base URL: Enter the base URL of the server.
Username: Enter the user name.
Password: Enter the password.
Verify Password: Re-enter the password.
Group ID (optional): Enter the group ID.
Validate Server: Click to enable validation of the server.
Figure 416: Add SAP Afaria Endpoint Context Server - Actions Tab
Table 277: Add SAP Afaria Endpoint Context Server - Actions tab Parameters
Enterprise Wipe: Deletes only stored corporate information.
Lock Device: Locks the associated device.
Remote Wipe: Deletes all stored information.
Send Message: Sends a message to the device.
Figure 417: Add SOTI Endpoint Context Server tab
Table 278: Add SOTI Endpoint Context Server tab Parameters
Select Server Type: SOTI.
Server Name: Enter the server name.
Server Base URL: Enter the base URL of the server.
Username: Enter the user name.
Password: Enter the password.
Verify Password: Re-enter the password.
Group ID (optional): Enter the group ID.
Validate Server: Click to enable validation of the server.
Figure 418: Add XenMobile Endpoint Context Server tab
Table 279: Add XenMobile Endpoint Context Server tab Parameters
Select Server Type: XenMobile.
Server Name: Enter the server name.
Server Base URL: Enter the base URL of the server.
Username: Enter the user name.
Password: Enter the password.
Verify Password: Re-enter the password.
Validate Server: Click to enable validation of the server certificate.
Server Certificate Page Overview
The page interface controls that do not depend on the Server Certificate Type are described below.
Table 280: Server Certificate Interfaces (Common)
Create Self-Signed Certificate: Opens the Create Self-Signed Certificate page, where you can create and install a self-signed certificate.
Create Certificate Signing Request: Opens the Create Certificate Signing Request page, where you can create and install a Certificate Signing Request.
Table 281: Server Certificate Parameters (RADIUS Server Certificate Type)
Subject: Displays the Organization and Common Name.
Issued by: Displays the Organization and Common Name.
Issue Date: The date the Certificate was installed.
Expiry Date: The date when the Certificate expires.
Validity Status: The status of the Certificate.
View Details: Click this button to view details about the Certificate, such as Signature Algorithm, Subject Public Key Info, and more.
Creating a Certificate Signing Request
Navigate to Administration > Certificates > Server Certificates and click the Create Certificate Signing Request link. This task creates a self-signed certificate to be signed by a CA.
Figure 421: Create Certificate Signing Request - FIPS Mode
Table 283: Create Certificate Signing Request Parameters
Common Name (CN): Displays the name associated with this entity. This can be a host name, IP address, or other name. The default is the fully-qualified domain name (FQDN). This field is mandatory.
Organization (O): Specify the name of the organization. This field is optional.
Organizational Unit (OU): Specify the name of the department, division, or section.
Table 283: Create Certificate Signing Request Parameters (Continued)
rid: id. This field is optional.
Private Key Password / Verify Private Key Password: Enter and re-enter the Private Key Password.
Private Key Type: Select the length for the generated private key from the following options:
- 1024-bit RSA
- 2048-bit RSA
- 4096-bit RSA
- X9.62/SECG curve over a 256 bit prime field
- NIST/SECG curve over a 384 bit prime field
The default private key type is 2048-bit RSA.
Figure 422: Generated Certificate Signing Request
Creating a Self-Signed Certificate
After you select a server and a certificate type, you can create and install a self-signed certificate.
1. Navigate to Administration > Certificates > Server Certificate.
2. Select a server, for example, localhost.
3. Select a service by selecting Backend Services, or click the Create Self-Signed Certificate link. This opens the Create Self-Signed Certificate form.
Figure 423: Create Self-Signed Certificate Page
The following figure shows an example of the Create Self-Signed Certificate page in the FIPS mode:
Figure 424: Create Self-Signed Certificate Page - FIPS Mode
Table 284: Create Self-Signed Certificate page Parameters
Selected Server: Displays the name of the server selected on the Server Certificate page.
Selected Type: Displays the name of the selected certificate type for the server.
Common Name (CN): Displays the name associated with this entity. This can be a host name, IP address, or other meaningful name. This field is mandatory.
Organization (O): Specify the name of the organization. This field is optional.
Private Key Type: If you selected the RADIUS Server Certificate type for the server, select from the following options:
- 1024-bit RSA
- 2048-bit RSA
- 4096-bit RSA
- X9.
Figure 425: Install Self Signed Certificate
Table 285: Install Self-Signed Certificate Page Parameters
Selected Server: Displays the name of the server selected on the Server Certificate page.
Selected Type: Displays the name of the certificate type selected for the server.
Subject DN: Displays information about the organization, common name, and location of the Subject DN.
Issuer DN: Displays information about the organization, common name, and location of the Subject DN.
Exporting a Server Certificate
Navigate to Administration > Certificates > Server Certificates, and select the Export Server Certificate link. This link provides a form that enables you to save the file ServerCertificate.zip. The zip file contains the server certificate (.crt file) and the private key (.pvk file).

Importing a Server Certificate
Navigate to Administration > Certificates > Server Certificates, and select the Import Server Certificate link.
Figure 427: Certificate Trust List Page

Table 287: Certificate Trust List Page Parameters

Subject: Displays the Distinguished Name (DN) of the subject field in the certificate.
Validity: Indicates whether the CA certificate is valid or expired.
Enabled: Indicates whether the CA certificate is enabled or disabled.

To view the details of a certificate, select the check box to the left of the certificate. From the View Certificate Details popup, you can enable the CA certificate.
Revocation Lists
To display available Revocation Lists, navigate to Administration > Certificates > Revocation Lists. To add a revocation list, click Add Revocation List. To delete a revocation list, select the check box to the left of the list and then click Delete.

Figure 429: Revocation Lists

Table 289: Revocation Lists

Add Revocation List: Click to launch the Add Revocation List popup.
Table 290: Add Revocation List Page Parameters

File: Enables the Distribution File option.
  Distribution File: Specify the distribution file (e.g., C:/distribution/crl.verisign.com/Class3InternationalServer.crl) from which to fetch the certificate revocation list.
URL: Enables the Distribution URL option.
  Distribution URL: Specify the distribution URL (e.g., http://crl.verisign.com/Class3InternationalServer.crl) from which to fetch the certificate revocation list.
Click on a row to view the dictionary attributes, to enable or disable the dictionary, and to export the dictionary. For example, click on vendor IETF to see all IETF attributes and their data types.

Figure 432: RADIUS IETF Dictionary Attributes

Table 291: RADIUS Dictionary Attributes

Export: Click to save the dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.
Enable/Disable: Enable or disable this dictionary.
Figure 433: Import RADIUS Dictionary

Table 292: Import RADIUS Dictionary

Select File: Browse to select the file that you want to import.
Enter secret for the file (if any): If the file that you want to import is password protected, enter the secret here.

Posture Dictionary
To add a vendor posture dictionary, click on Import. To edit an existing dictionary, export it, edit the exported XML file, and then import the dictionary.
Click on a vendor row to see all the attributes and their data types. For example, click on vendor Microsoft/System SHV to see all the associated posture attributes and their data types.

Figure 435: Posture Attributes Page

Table 294: Posture Attributes Parameters

Export: Click to save the posture dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.
Table 295: TACACS+ Services Dictionaries Page Parameters

Import: Click to open the Import Dictionary popup. Import the dictionary (XML file).
Export All: Export all TACACS+ services into one XML file containing multiple dictionaries.

To export a specific service dictionary, select a service and click on Export. To see all the attributes and their data types, click on a service row. For example, click on the shell service to see all shell service attributes and their data types.
Figure 438: Device Fingerprints Page

You can click on a line in the Device Fingerprints list to drill down and view additional details about the category.

Figure 439: Device Fingerprint Dictionary Attributes Page

Attributes Dictionary
The Administration > Dictionaries > Attributes page allows you to specify unique sets of criteria for LocalUsers, GuestUsers, Endpoints, and Devices. This information can then be used with role-based device policies to enable appropriate network access.
- Adding Attributes on page 456
- Import Attributes on page 457
- Export Attributes on page 458
- Export on page 458

Figure 440: Attributes Page

Table 296: Attributes Page Parameters

Filter: Use the drop-down list to create a search based on the available Name, Entity, Data Type, Is Mandatory, or Allow Multiple settings.
Name: The name of the attribute.
Entity: Shows whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
Figure 441: Add Attributes Page

Enter information in the fields described in the following table. Click Add when you are done. To modify attributes in an existing service dictionary, select the attribute, make any necessary changes, and then click Save.

Table 297: Attribute Setting Parameters

Entity: Specify whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
Name: Enter a unique ID for this attribute.
Figure 442: Import from File Page

Table 298: Import From File Setting Parameters

Select File / Enter secret for the file: Browse to the dictionary file to be imported. Enter the secret key (if any) that was used to export the dictionary.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.

Export Attributes
Select Export All on the upper right portion of the page to export all attributes. The Export Attributes button saves the file Attributes.zip.
- Exporting on page 2

View an application dictionary
1. Go to Administration > Dictionaries > Applications.
2. Click the name of an application. The Application Attributes dialog box appears.

Delete an application dictionary
In general, you should have no need to delete an application dictionary. Application dictionaries have no effect on Policy Manager performance.
1. Go to Administration > Dictionaries > Applications.
2. Click the check box next to an application name.
3. Click Delete.
Figure 443: Endpoint Context Server Actions Page

Table 299: Endpoint Context Server Action Page Parameters

Server Type: Specifies the server type configured when the server action was configured.
Name: Specifies the name of the action, such as Enterprise Wipe, Lock Device, and so on.
HTTP Method: Specifies the HTTP method selected when the server action was configured.
Description: Specifies the description of the action.
Figure 444: Endpoint Context Server Details, Action Tab

Table 300: Endpoint Context Server Action Tab Parameters

Action: Specifies the following options:
  Server Type - Specifies the server type configured when the server action was configured. You can select the server type from the drop-down list.
  Server Name - Lists the context servers specific to the server type selected in the Server Type field.
Figure 445: Import Context Server Actions

Table 301: Import Context Server Action Parameters

Select File / Enter secret for the file (if any): Browse to the dictionary file to be imported. Enter the secret key (if any) that was used to export the dictionary.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.

Export Context Server Actions
Select Export All on the upper right portion of the page.
OnGuard Settings Use the OnGuard Settings page (Administration > Agents and Software Updates > OnGuard Settings) to configure the agent deployment packages. Once the configuration is saved, agent deployment packages are created for Windows and Mac OS X operating systems and provided at a fixed URL on the Policy Manager appliance. This URL can then be published to the user community. The agent deployment packages can also be downloaded to another location.
Table 303: OnGuard Settings

Global Agent Settings: Configure the global parameters for OnGuard agents. The global parameters include the following:
- Allowed Subnets for Wired access: Add a comma-separated list of IP or subnet addresses.
- Allowed Subnets for Wireless access: Add a comma-separated list of IP or subnet addresses.
- Cache Credentials Interval (in days): Select the number of days the user credentials should be cached on OnGuard agents.
Table 303: OnGuard Settings (Continued)

Windows: Use the download link to download the OnGuard Agent for Windows. This binary file is in .exe and .msi formats.
Mac OS X: Use the download link to download the OnGuard Agent for Mac OS X. This binary file is in .DMG format.
Web Agent Apps
  Windows: Click the URL to download the Native Dissolvable Agent for Windows.
  Mac OS X: Click the URL to download the Native Dissolvable Agent for Mac OS X.
- Software upgrades for the ClearPass family of products
  - Patch binaries, including Onboard, Guest Plugins, and Skins

You can also:
- Reinstall a patch in the event the previous installation attempt fails.
- Uninstall a skin, translation, or plug-in.

The Dell Networking W-ClearPass Policy Manager checks the ClearPass webservice server for available updates. The administrator can download and install these updates directly from the Software Updates page.
Table 304: Software Updates Page Parameters (Continued)

Posture & Profile Data Updates
Import Updates: If this Dell Networking W-ClearPass Policy Manager server is not able to reach the webservice server, use Import Updates to import (upload) the Posture and Profile Data into this server. You can download the data from the webservice server by accessing the following URL: https://clearpass.dell-pcw.com/cppm/appupdate/cppm_apps_updates.
Table 304: Software Updates Page Parameters (Continued)

Other
Check Status Now: Click this button to perform an on-demand check for available updates. Check Status Now applies to updates (only on a publisher node, as well as Firmware & Patch Updates).
Delete: Use this option to delete a downloaded update. The Firmware & Patch Updates table shows only the data that is known to webservice or imported using the Import Updates button.
Table 305: Install Update Page Parameters

Close: Click this button to close the dialog box.
Clear & Close: Click this button to delete the log messages and close the popup. Clear & Close also removes the corresponding row from the Firmware & Patch Updates table.
Reboot: The Reboot button appears only for updates that require a reboot to complete the installation. To initiate a reboot of the server, click Reboot.
4. To reinstall the patch or software update, click Re-Install. The Install Update screen closes and the reinstallation process begins. A pop-up displays the installation progress via log messages.

Uninstalling a Skin, Translation, or Plugin
The ClearPass Policy Manager Administrator can uninstall a Skin, Translation, or Plugin. To uninstall one of these elements:
1. Navigate to Administration > Agents and Software Updates > Software Updates. The Software Updates screen appears.
2.
4. To uninstall the patch or software update, click Uninstall. The Install Update screen closes and the software is uninstalled.

Updating the Policy Manager Software
By way of background, the Policy Manager Publisher node acts as the master. Administration, configuration, and database write operations are allowed only on this master node. The Policy Manager appliance defaults to a Publisher node unless it is made a Subscriber node. A Policy Manager cluster can contain only one Publisher node.
2. Use the command system upgrade, which upgrades your second partition, then reboot. Policy Manager boots into the upgraded image. If you access the appliance via the serial console, you should also be able to boot into the previous image by choosing that image in the Grub boot screen.
3. Verify that all configuration and session logs are restored and all services are running.
Figure 449: Contact Support

Remote Assistance
The Remote Assistance feature enables the Dell Networking W-ClearPass Policy Manager administrator to allow an Aruba Networks support engineer to log in remotely using ssh to the ClearPass Policy Manager server and also view the Administration UI, in order to debug any issues the customer is facing or to perform proactive monitoring of the server.

Remote Assistance Process Flow Description
1. The administrator schedules a Remote Assistance session for a specific duration.
2.
Table 306: Remote Assistance Session Page Parameters

Name: Text name of the session.
Type: Indicates if the session is a one-time session or a periodic session. Move the cursor over the entry to view the schedule of the session.
Support Contact: The email address of the support contact.
Status: Provides the session state.
Table 308: Add Session Page Parameters

Session Name: Text name of the session.
Session Type:
- One Time
- Future (will initiate a session in the future, on a selected date and time)
- Weekly (will initiate a session on a selected weekday at the selected time)
- Monthly (will initiate a session on a selected day of every month at the selected time)
Duration: The duration of a session is specified in Hours and Minutes.
Documentation The Administration > Support > Documentation page includes links to various sections of the ClearPass Policy Manager Online Help system. For example, to view documentation for the CLI, click the Command Line Interface button. This page also provides links to PDF versions of the Dell Networking W-ClearPass Policy Manager 6.4 User Guide and the Dell Networking W-ClearPass Policy Manager 6.4 Getting Started Guide.
Appendix A Command Line Interface

Refer to the following sections:
- Cluster Commands on page 479
- Configure Commands on page 482
- Network Commands on page 487
- Service Commands on page 493
- Show Commands on page 494
- System Commands on page 498
- Miscellaneous Commands on page 504

Available Commands

Table 309: Command Categories

ad auth: See Miscellaneous Commands on page 504
ad netleave: See Miscellaneous Commands on page 504
ad netjoin: See Miscellaneous Commands on page 504
ad t
Table 309: Command Categories (Continued)

cluster set-local-passwd
configure date
configure dns
configure hostname
configure ip
configure timezone
dump certchain: See Miscellaneous Commands on page 504
dump logs: See Miscellaneous Commands on page 504
dump servercert: See Miscellaneous Commands on page 504
exit: See Miscellaneous Commands on page 504
help: See Miscellaneous Commands on page 504
krb auth: See Miscellaneous Commands on page 504
krb list: See Miscellaneous Commands on page 504
ldapsearch: See
Table 309: Command Categories (Continued)

See Miscellaneous Commands on page 504
service activate
service deactivate
service list
service restart
service start
service status
service stop
show date
show dns
show domain
show all-timezones
show hostname
show ip
show license
show timezone
show version
system boot-image
system gen-support-key
system update
system restart
system shutdown
system install-license
system upgrade

Cluster Commands
The Policy Manager command line interface includes the followin
- list on page 480
- make-publisher on page 481
- make-subscriber on page 481
- reset-database on page 481
- set-cluster-passwd on page 482
- set-local-passwd on page 482

drop-subscriber
Use the drop-subscriber command to remove a specific subscriber node from the cluster.
make-publisher
Use the make-publisher command to make a specified node the publisher.

Syntax
cluster make-publisher

Example
The following example makes a node the publisher:
[appadmin]# cluster make-publisher
********************************************************
* WARNING: Executing this command will promote the     *
* current machine (which must be a subscriber in the   *
* cluster) to the cluster publisher. Do not close the  *
* shell or interrupt this command execution.           *
* Do not close the shell or interrupt this command     *
* execution.                                           *
*********************************************************
Continue? [y|Y]: y

set-cluster-passwd
Use the set-cluster-passwd command to change the cluster password on all publisher nodes. If this command is executed on the publisher, the publisher prompts for the new cluster password.
Syntax configure date -d [-t
Example 3
The following example configures primary, secondary, and tertiary DNS servers:
[appadmin]# configure dns 192.168.xx.1 2001:4860:4860::8888 192.168.xx.2

fips-mode
Use the fips-mode command to enable or disable FIPS mode.

Syntax
configure fips-mode [0|1]

The following table describes the required and optional parameters for the fips-mode command:

Table 313: fips-mode Command Parameters

0: Enter 0 to disable FIPS mode.
Syntax
configure ip netmask gateway

Specifies the network interface type: management or data.
Specifies the IPv4 address of the host.
netmask: Specifies the netmask address.
gateway: Specifies the gateway address.
mtu
Use the mtu command to set the Maximum Transmission Unit (MTU) for the management and data port interfaces.

Syntax
configure mtu

The following table describes the parameters used in the mtu command:

Table 316: mtu Command Parameters

mtu: Specifies the network interface type: management or data port.
mtu-value: Specify the MTU value in bytes. The default value is 1500 bytes.
Gateway          : 2607:f0d0:1002:0011:0000:0000:0000:0001
Hardware Address : 00:0C:29:70:27:40
MTU              : 1499
===========================================
Device Type      : Data Port
-------------------------------------------
IPv4 Address     :
Subnet Mask      :
Gateway          :
IPv6 Address     : fe80:0000:0000:0000:020c:29ff:fe70:274a
Subnet Mask      : ffff:ffff:ffff:ffff:0000:0000:0000:0000
Gateway          : fe80:0000:0000:0000:020c:29ff:fe70:2741
Hardware Address : 00:0C:29:70:27:4A
MTU              : 1498
=======
Syntax
network ip add [-i ] <[-s ] [-d ]> [-g ]

The following table describes the required and optional parameters for the ip command:

Table 317: IP Command Parameters

Specifies the management interface, data interface, or the name of the GRE tunnel. In , N specifies the GRE tunnel number ranging from 1,2,3...N.
-i: Specifies the ID of the network IP rule.
[appadmin]# network ip list
===============================================
IP Rule Information
-----------------------------------------------
0:     from all lookup local
10020: from all to 10.xx.4.0/24 lookup mgmt
10040: from 10.xx.4.200 lookup mgmt
10060: from 10.xx.5.200 lookup data
32766: from all lookup main
32767: from all lookup default
===============================================

ip6
Use the ip6 command to add, delete, or list custom routes to the data or management interface routing table.
Example 1
The following example adds a custom route:
[appadmin]# network ip6 add data -s fe82::20c:29ff:fe7e:d3e1/d3e24
You can use an IPv6 address when adding a custom route.
The following example performs a network nslookup for a destination with an IPv6 address:

Example
[appadmin]# network nslookup 2001::93
Server:  2001::94
Address: 2001::94#53
3.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa name = ipv6test-n1.cppmipv6.com.

[appadmin]# network nslookup -q AAAA ipv6test-n1.cppmipv6.com
Server:  2001::94
Address: 2001::94#53
ipv6test-n1.cppmipv6.com has AAAA address 2001::93

ping
Use the ping command to test the reachability of a network host.
Table 322: Ping6 Command Parameters

-i: Specifies the originating IPv6 address for ping. This field is optional.
-t: Use this parameter to ping indefinitely. This field is optional.
Specifies the host to be pinged.

Example
The following example pings a network host to test reachability:
[appadmin]# network ping6 -i fe82::20c:29ff:fe7e:d3e1 -t sun.us.dellnetworks.com

reset
Use the reset command to reset the network data and management port.
Example
The following example prints the route taken to reach the network host:
[appadmin]# network traceroute sun.us.dellnetworks.com

traceroute6
Use the traceroute6 command to print the route taken to reach the network host.

Syntax
network traceroute6

The following table describes the required and optional parameters for the traceroute6 command:

Table 325: Traceroute Command Parameters

Specifies the name of the network host.
Table 326: Action Command Parameters

action: Choose an action: activate, deactivate, list, restart, start, status, or stop.
service-name: Choose a service: tips-policy-server, tips-admin-server, tips-system-auxiliary-server, tips-radius-server, tips-tacacs-server, tips-dbwrite-server, tips-repl-server, or tips-sysmon-server.
Example
The following example displays all available timezones:
[appadmin]# show all-timezones
Africa/Abidjan
Africa/Accra
.....
WET
Zulu

date
Use the date command to view the System Date, Time, and Time Zone information.

Syntax
show date

Example
The following example displays the System Date, Time, and Time Zone information:
[appadmin]# show date
Wed Oct 31 14:33:39 UTC 2012

dns
Use the dns command to view DNS servers.
Example
The following example shows that FIPS mode is enabled:
[appadmin]# show fipsmode
FIPS Mode: Enabled

hostname
Use the hostname command to view the hostname.

Syntax
show hostname

Example
The following example displays the hostname:
[appadmin]# show hostname
wolf

ip
Use the ip command to view the IPv4, IPv6, and DNS information of the host.
Primary DNS   : 10.2.xx.3
Secondary DNS : 10.1.xx.50
Tertiary DNS  : 10.1.xx.200
===========================================

license
Use the license command to view the license key.
Syntax
show version

Example
The following example displays the Policy Manager software version and the hardware model:
[appadmin]# show version
=======================================
Policy Manager software version : 2.0(1).
Table 327: Boot-Image Command Parameters

-l: Lists the boot images installed on the system.
-a: Sets the active boot image version in A.B.C.D syntax. This field is optional.

Example
The following example sets the system boot image control options:
[appadmin]# system boot-image -l

gen-recovery-key
Use the gen-recovery-key command to generate the recovery key for the system.
morph-vm
Use the morph-vm command to convert an evaluation virtual machine (VM) to a production VM. Licenses must still be installed after the morph operation is completed.

Syntax
system morph-vm

The following table describes the required and optional parameters for the morph-vm command:

Table 329: Morph-VM Command Parameters

This is the updated ClearPass version.
********************************************************
Are you sure you want to continue? [y|Y]: y

shutdown
Use the shutdown command to shut down the system.
Example
The following example displays the status of a RemoteAssist session:
[appadmin]# system status-rasession 3001

terminate-rasession
Use the terminate-rasession command to terminate a running RemoteAssist session.

Syntax
system terminate-rasession

Example
The following example terminates a running RemoteAssist session:
[appadmin]# system terminate-rasession 3001

update
The update command provides options to manage system patch updates.
Syntax
Upgrade from a Linux server:
  system upgrade user@hostname:/ [-w] [-l] [-L]
  See Example 1: Upgrading from a Linux server.
Upgrade from a Web server:
  system upgrade http://hostname/ [-w] [-l] [-L]
  See Example 2: Upgrading from a Web server.
Upgrade by performing an offline upgrade:
  system upgrade [-w] [-l] [-L]
  See Example 3: Performing an offline upgrade.
For example:
[appadmin]# system upgrade http://sun.us.dellnetworks.com/downloads/PolicyManager-x86-64upgrade-71.tgz

Example 3: Performing an offline upgrade
To perform an offline upgrade:
1. Log in to the Dell Support Center and select the Download Software tab.
2. Navigate to the ClearPass > Policy Manager > Current Release > Upgrade folder.
3. In the Description Remarks section, click the link for the appropriate upgrade. The upgrade file is downloaded to your local system.
4.
- quit on page 510
- restore on page 510
- system start-rasession on page 511
- system terminate-rasession on page 512
- system status-rasession on page 512

ad auth
Use the ad auth command to authenticate a user against Active Directory.

Syntax
ad auth --username=

The following table describes the required and optional parameters for the ad auth command:

Table 333: Ad Auth Command Parameters

Specifies the username of the authenticating user.
Example
The following example removes the host from the domain:
[appadmin]# ad netleave

ad testjoin
Use the ad testjoin command to test whether the netjoin command succeeded. This command also tests whether Policy Manager is a member of the AD domain.

Syntax
ad testjoin

Example
The following example tests whether the netjoin command succeeded:
[appadmin]# ad testjoin

alias
Use the alias command to create or remove aliases.
Table 336: Backup Command Parameters

-f: Specifies the backup target. If not specified, Policy Manager auto-generates a filename. This field is optional.
-L: Do not back up the log database configuration. This field is optional.
-P: Do not back up password fields from the configuration database. This field is optional.

Example
[appadmin]# backup -f PolicyManager-data.tar.
Table 338: Dump Logs Command Parameters

-f: Specifies the target for concatenated logs.
-s yyyy-mm-dd: Specifies the start of the date range. The default value is today. This field is optional.
-e yyyy-mm-dd: Specifies the end of the date range. The default value is today. This field is optional.
-n: Specifies the duration in days (from today). This field is optional.
-t: Specifies the type of log to collect. This field is optional.
Example
The following example exits the shell:
[appadmin]# exit

help
Use the help command to display the list of supported commands.

Syntax
help

Example
The following example displays the list of supported commands:
[appadmin]# help
alias      Create aliases
backup     Backup Policy Manager data
cluster    Policy Manager cluster related commands
configure  Configure the system parameters
dump       Dump Policy Manager information
exit       Exit the s
help
netjoin
netleave
network
quit
restore
service
show
system
Syntax
krb list

Example
The following example lists the cached Kerberos tickets:
[appadmin]# krb list

ldapsearch
Use the Linux ldapsearch command to find objects in an LDAP directory. Note that only the Policy Manager specific command line arguments are listed. For other command line arguments, refer to the ldapsearch man pages on the Internet.
Table 342: Restore Command Parameters

user@hostname:/: Specify the file path of the restore source.
-c: Restores the configuration database (default).
-C: Does not restore the configuration database.
-l: If it exists in the backup, restores the log database. This field is optional.
-i: Ignores version mismatch errors and proceeds. This field is optional.
-p: Forces restore from a backup file that does not have password fields present. This field is optional.
Table 343: Start Remote Session Command Parameters (Continued)

Specifies the IP address of a Dell Networking W-ClearPass Policy Manager in the cluster.

system terminate-rasession
The system terminate-rasession command allows administrators to terminate the session on the Dell Networking W-ClearPass Policy Manager where the Remote Assistance session is running.
Appendix B Rules Editing and Namespaces

In the Policy Manager administration User Interface (UI) you use the same editing interface to create different types of objects:
- Service rules
- Role mapping policies
- Internal user policies
- Enforcement policies
- Enforcement profiles
- Post-audit rules
- Proxy attribute pruning rules
- Filters for Access Tracker and activity reports
- Attributes editing for policy simulation

When editing all these elements, you are presented with a tabular in
- Audit Namespaces on page 515
- Authentication Namespaces on page 515
- Authorization Namespaces on page 517
- Certificate Namespaces on page 518
- Connection Namespaces on page 519
- Date Namespaces on page 520
- Device Namespaces on page 520
- Endpoint Namespaces on page 521
- Guest User Namespaces on page 521
- Host Namespaces on page 521
- Local User Namespaces on page 521
- Posture Namespaces on page 522
- RADIUS Namespaces on page 522
- Tacacs Namespaces on page 523
- Tip
- Onboard-Max-Devices
- Page-Name
- Provisioning-Settings-ID
- SAMLRequest
- SAMLResponse
- Session-Timeout
- User-Email-Address

Audit Namespaces
The dictionaries in the audit namespace come pre-packaged with the product. The Audit namespace has the notation Vendor:Audit, where Vendor is the name of the company that has defined attributes in the dictionary. Examples of dictionaries in the audit namespace are AvendaSystems:Audit and Qualys:Audit.
Authentication namespace editing context

Table 347: Authentication Namespace Attributes

InnerMethod: Values:
- CHAP
- EAP-GTC
- EAP-MD5
- EAP-MSCHAPv2
- EAP-TLS
- MSCHAP
- PAP
NOTE: The EAP-MD5 authentication type is not supported if you use the Dell Networking W-ClearPass Policy Manager in FIPS mode.
Table 347: Authentication Namespace Attributes (Continued)

MacAuth: Values:
- AuthSource-Unreachable - The authentication source was unreachable
- NotApplicable - Not a MAC Auth request
- Known Client - Client MAC address was found in an authentication source
- Unknown Client - Client MAC address was not found in an authentication source
Username: The username as received from the client (after the strip user name rules are applied).
attribute names defined when you created an instance of this authentication source. The attribute names are pre-populated for administrative convenience.
Sources: This is the list of the authorization sources from which attributes were fetched for role mapping.

Authorization namespaces appear in Role mapping policies.

SQL Instance Namespace
For each instance of an SQL authentication source, there is an SQL instance namespace that appears in the rules editing interface.
Table 348: Certificate Namespace Attributes (Continued)

Attribute names:
- Issuer-O
- Issuer-OU
- Issuer-SN
- Issuer-ST
- Issuer-UID
- Subject-AltName-DirName
- Subject-AltName-DNS
- Subject-AltName-EmailAddress
- Subject-AltName-IPAddress
- Subject-AltName-msUPN
- Subject-AltName-RegisterdID
- Subject-AltName-URI
Values: Attributes associated with the subject (user or machine, in this case) alternate name. Not all of these fields are populated in a certificate.
Table 349: Connection Namespace Pre-defined Attributes (Continued)

Client-Mac-Address: MAC address of the client.
Client-Mac-Address-Colon, Client-Mac-Address-Dot, Client-Mac-Address-Hyphen, Client-Mac-Address-Nodelim: Client MAC address in different formats.
Client-IP-Address: IP address of the client (if known).
Endpoint Namespaces
Use these attributes to look for attributes of authenticating endpoints, which are present in the Policy Manager endpoints list. The Endpoint namespace has the following attributes:
- Disabled By
- Disabled Reason
- Enabled By
- Enabled Reason
- Info URL

Guest User Namespaces
The GuestUser namespace has the attributes associated with the guest user (resident in the Policy Manager guest user database) who authenticated in this session.
- Phone
- Sponsor

Custom attributes also appear in the attribute list if they are defined as custom tags for the local user. These attributes can be used only if you have pre-populated their values when configuring a local user in Policy Manager.

Posture Namespaces
The dictionaries in the posture namespace are pre-packaged with the product.
- Role mapping policies
- Service rules: All RADIUS namespace attributes that can appear in a request (the ones marked with the IN or INOUT qualifier)

Tacacs Namespaces
The Tacacs namespace has the attributes available in a TACACS+ request. Available attributes are:
- AuthSource
- AvendaAVPair
- UserName

Tips Namespaces
The pre-defined attributes for the Tips namespace are Role and Posture.
Table 350: Policy Manager Variables

- %{attribute-name}: attribute-name is the alias name for an attribute that you have configured to be retrieved from an authentication source. See Adding and Modifying Authentication Sources on page 154.
- %{RADIUS:IETF:MACAddress-Colon}: MAC address of the client in aa:bb:cc:dd:ee:ff format.
- %{RADIUS:IETF:MACAddress-Hyphen}: MAC address of the client in aa-bb-cc-dd-ee-ff format.
- %{RADIUS:IETF:MACAddress-Dot}: MAC address of the client in aabb.ccdd.
Table 351: Attribute Operators

Attribute types: String, Integer, Time or Date, Day, List (example: Role), Group (example: Calling-Station-Id, NAS-IP-Address).

- Day: LESS_THAN_OR_EQUALS, IN_RANGE, BELONGS_TO, NOT_BELONGS_TO
- List (Example: Role): EQUALS, NOT_EQUALS, MATCHES_ALL, NOT_MATCHES_ALL, MATCHES_ANY, NOT_MATCHES_ANY, MATCHES_EXACT, NOT_MATCHES_EXACT
- Group (Example: Calling-Station-Id, NAS-IP-Address) and all string data types: BELONGS_TO_GROUP, NOT_BELONGS_TO_GROUP

The following table describes all operator types.
Dell Networking W-ClearPass Policy Manager 6.
Table 352: Operator Types

- BEGINS_WITH: for the string data type, true if the run-time value of the attribute begins with the configured value. E.g., RADIUS:IETF:NAS-Identifier BEGINS_WITH "SJ-"
- BELONGS_TO: for the string data type, true if the run-time value of the attribute matches one of a set of configured string values. E.g.
- GREATER_THAN: for the integer, time and date data types, true if the run-time value of the attribute is greater than the configured value. E.g., RADIUS:IETF:NAS-Port GREATER_THAN 10
- GREATER_THAN_OR_EQUALS: for the integer, time and date data types, true if the run-time value of the attribute is greater than or equal to the configured value. E.g.
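The operators in the tables above, applied to a constructed request, as an added example (not ClearPass code). It also derives the four MAC-address renderings that the Connection namespace and the %{RADIUS:IETF:MACAddress-*} variables expose, and runs a small role-mapping policy over the result. The attribute names follow this page's namespaces; the request values, the group names (SJ-switches, Printers), the attribute Authorization:AD:department (standing for a value fetched from an AD authentication source) and Date:Day-of-Week (standing for the Day attribute type) are assumptions of the example, as is CIDR matching for IP-address groups.

```python
"""Attribute operators and MAC formats from the tables above, applied to a
constructed RADIUS request. Added example, not ClearPass code."""
import ipaddress
import re


def mac_formats(raw: str) -> dict:
    """Derive the four renderings the Connection namespace exposes as
    Client-Mac-Address-Colon/-Hyphen/-Dot/-Nodelim from any common spelling."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return {
        "Connection:Client-Mac-Address-Colon": ":".join(pairs),
        "Connection:Client-Mac-Address-Hyphen": "-".join(pairs),
        "Connection:Client-Mac-Address-Dot": ".".join(digits[i:i + 4] for i in range(0, 12, 4)),
        "Connection:Client-Mac-Address-Nodelim": digits,
    }


def in_group(value: str, members) -> bool:
    """Membership in a named group: exact match, or CIDR containment so that a
    group of NAS-IP-Address values can be written as subnets (an assumption)."""
    for member in members:
        if value == member:
            return True
        if "/" in member:
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(member, strict=False):
                    return True
            except ValueError:
                continue
    return False


def evaluate(op: str, value, configured, groups=None) -> bool:
    """Apply one operator from Table 352 to a run-time attribute value. An
    attribute absent from the request (None) satisfies nothing, negations included."""
    if value is None:
        return False
    if op.startswith("NOT_"):  # NOT_EQUALS, NOT_BELONGS_TO, NOT_MATCHES_ANY, ...
        return not evaluate(op[4:], value, configured, groups)
    if op == "EQUALS":
        return value == configured
    if op == "BEGINS_WITH":
        return str(value).startswith(configured)
    if op == "BELONGS_TO":
        return value in configured
    if op == "BELONGS_TO_GROUP":
        return in_group(str(value), (groups or {}).get(configured, ()))
    if op == "GREATER_THAN":
        return value > configured
    if op == "GREATER_THAN_OR_EQUALS":
        return value >= configured
    if op == "LESS_THAN_OR_EQUALS":
        return value <= configured
    if op == "IN_RANGE":
        low, high = configured
        return low <= value <= high
    # List operators: the run-time value is a list (e.g. Tips:Role) or a scalar.
    run = set(value) if isinstance(value, (list, tuple, set)) else {value}
    cfg = set(configured)
    if op == "MATCHES_ALL":
        return cfg <= run
    if op == "MATCHES_ANY":
        return bool(cfg & run)
    if op == "MATCHES_EXACT":
        return cfg == run
    raise ValueError(f"unknown operator {op}")


def map_roles(request: dict, rules, groups=None, first_applicable=False) -> list:
    """Role mapping: each rule is (conditions, role). Every rule whose conditions
    all hold appends its role, so several roles can result, unless the
    first-applicable evaluation algorithm is selected."""
    roles = []
    for conditions, role in rules:
        if all(evaluate(op, request.get(attr), cfg, groups) for attr, op, cfg in conditions):
            roles.append(role)
            if first_applicable:
                break
    return roles


# Constructed request: attribute names follow the page's namespaces, values are invented.
REQUEST = {
    "RADIUS:IETF:NAS-Identifier": "SJ-core-1",
    "RADIUS:IETF:NAS-IP-Address": "10.1.1.1",
    "RADIUS:IETF:NAS-Port": 15,
    "Authorization:AD:department": "Engineering",  # assumed AD-sourced attribute
    "Date:Day-of-Week": "Saturday",                 # assumed Day-type attribute
    **mac_formats("00-11-22-AA-BB-CC"),
}
# Hypothetical groups: a NAD subnet and a static host list of printer MACs.
GROUPS = {"SJ-switches": ["10.1.1.0/24"], "Printers": ["001122aabbcc"]}
# Rules in the spirit of the RMP_DEPARTMENT policy of the 802.1X use case in Appendix D.
RULES = [
    ([("Authorization:AD:department", "EQUALS", "Engineering")], "ROLE_ENGINEER"),
    ([("Authorization:AD:department", "EQUALS", "Finance")], "ROLE_FINANCE"),
    ([("RADIUS:IETF:NAS-Identifier", "BEGINS_WITH", "SJ-"),
      ("RADIUS:IETF:NAS-IP-Address", "BELONGS_TO_GROUP", "SJ-switches")], "ROLE_SJ_CAMPUS"),
    ([("Date:Day-of-Week", "BELONGS_TO", {"Saturday", "Sunday"})], "ROLE_WEEKEND"),
    ([("Connection:Client-Mac-Address-Nodelim", "BELONGS_TO_GROUP", "Printers")], "ROLE_PRINTER"),
]

if __name__ == "__main__":
    print(map_roles(REQUEST, RULES, GROUPS))
    print(map_roles(REQUEST, RULES, GROUPS, first_applicable=True))
```

Two points the tables leave implicit and the code makes explicit: an attribute missing from the request fails every condition, negated ones included, so a NOT_BELONGS_TO_GROUP rule cannot grant a role to a request that never carried the attribute; and with the evaluate-all algorithm the request above collects four roles, with first-applicable only ROLE_ENGINEER.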
Appendix C Error Codes, SNMP Traps, and System Events

This appendix contains listings of Dell Networking W-ClearPass Policy Manager error codes, SNMP traps, and important system events.
- Error Codes on page 529
- SNMP Trap Details on page 532
- Important System Events on page 542

Error Codes

The following table shows the CPPM error codes.
Table 353: CPPM Error Codes (Continued)

Code  Description                                    Type
211   Client certificate not valid                   Authentication failure
212   Client certificate has expired                 Authentication failure
213   Certificate comparison failed                  Authentication failure
214   No certificate in authentication source        Authentication failure
215   TLS session error                              Authentication failure
216   User authentication failed                     Authentication failure
217   Search failed due to insufficient permissions  Authentication failure
218   Authenticat

5006  Query - No supported actions                   Command and Control
5007  Query - Cannot fetch MAC address details       Command and Control
5008  Request - MAC address not online               Command and Control
5009  Request - No MAC address record found          Command and Control
6001  Unsupported TACACS parameter in request        TACACS Protocol
6002  Invalid sequence number                        TACACS Protocol
6003  Sequence number overflow                       TACACS Protocol
6101  Not enough inputs to perfor

9006  Received error TLV from client                 RADIUS Protocol
9007  Received failure TLV from client               RADIUS Protocol
9008  Phase2 PAC not found                           RADIUS Protocol
9009  Unknown Phase2 PAC                             RADIUS Protocol
9010  Invalid Phase2 PAC                             RADIUS Protocol
9011  PAC verification failed                        RADIUS Protocol
9012  PAC binding failed                             RADIUS Protocol
9013  Session resumption failed                      RADIUS Protocol
9014  Cached session data error                      RADIUS Protocol
9015  Client
SNMP Daemon Trap Events

OIDs:
.1.3.6.1.6.3.1.1.5.1 ==> Cold Start
.1.3.6.1.6.3.1.1.5.2 ==> Warm Start

CPPM Processes Stop and Start Events

OIDs:
.1.3.6.1.4.1.2021.8.1.2.X ==> Process Name
.1.3.6.1.4.1.2021.8.1.101.X ==> Process Status Message (extOutput, as carried in the trap samples below)

Network Interface Up and Down Events

OIDs:
.1.3.6.1.6.3.1.1.5.3 ==> Link Down
.1.3.6.1.6.3.1.1.5.4 ==> Link Up

Disk Utilization Threshold Exceeded Events

OIDs:
.1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag for disk partition
.1.3.6.1.4.1.2021.9.1.2.
RADIUS server stop SNMP trap (continued)
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5
.1.3.6.1.2.1.88.2.1.5.0: 3
.1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server
.1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is stopped

1 (b) RADIUS server start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server
.1.3.6.1.4.1.2021.8.1.

System Auxiliary server stop SNMP trap (continued)
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.2
.1.3.6.1.2.1.88.2.1.5.0: 3
.1.3.6.1.4.1.2021.8.1.2.2: cpass-system-auxiliary-server
.1.3.6.1.4.1.2021.8.1.101.2: System auxiliary service [ cpass-system-auxiliary-server ] is stopped

3 (b) System Auxiliary server start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.2
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.

Async DB write service stop SNMP trap (continued)
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.6
.1.3.6.1.2.1.88.2.1.5.0: 1
.1.3.6.1.4.1.2021.8.1.2.6: cpass-dbwrite-server
.1.3.6.1.4.1.2021.8.1.101.6: Async DB write service [ cpass-dbwrite-server ] is stopped

5 (b) Async DB write service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.6
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.6: cpass-dbwrite-server
.1.

DB Change Notification server stop SNMP trap (continued)
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.8
.1.3.6.1.2.1.88.2.1.5.0: 3
.1.3.6.1.4.1.2021.8.1.2.8: cpass-dbcn-server
.1.3.6.1.4.1.2021.8.1.101.8: DB change notification server [ cpass-dbcn-server ] is stopped

7 (b) DB Change Notification server start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.8
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.

Multi-master Cache service stop SNMP trap (continued)
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.10
.1.3.6.1.2.1.88.2.1.5.0: 3
.1.3.6.1.4.1.2021.8.1.2.10: cpass-multi-master-cache-server
.1.3.6.1.4.1.2021.8.1.101.10: Multi-master cache [ cpass-multi-master-cache-server ] is stopped

9 (b) Multi-master Cache service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.10
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.

Micros Fidelio FIAS service stop SNMP trap (continued)
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.12
.1.3.6.1.2.1.88.2.1.5.0: 3
.1.3.6.1.4.1.2021.8.1.2.12: fias_server
.1.3.6.1.4.1.2021.8.1.101.12: Micros Fidelio FIAS [ fias_server ] is stopped

11 (b) Micros Fidelio FIAS service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.12
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.12: fias_server
.1.3.6.1.4.1.2021.8.1.

Virtual IP service stop SNMP trap (continued)
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.13
.1.3.6.1.2.1.88.2.1.5.0: 1
.1.3.6.1.4.1.2021.8.1.2.13: cpass-vip-service
.1.3.6.1.4.1.2021.8.1.101.13: ClearPass Virtual IP service [ cpass-vip-service ] is stopped

13 (b) Virtual IP service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.13
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.13: cpass-vip-service
.1.

Stats Aggregation service stop SNMP trap (continued)
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.14
.1.3.6.1.2.1.88.2.1.5.0: 1
.1.3.6.1.4.1.2021.8.1.2.14: cpass-carbon-server
.1.3.6.1.4.1.2021.8.1.101.14: Stats aggregation service [ cpass-carbon-server ] is stopped

15 (b) Stats Aggregation service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.14
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.
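A decoder for the process stop/start traps shown above, as an added example (not ClearPass code). It models the varbinds of one trap as (oid, value) pairs, the shape a receiver such as snmptrapd hands to a handler, and turns them into an event a monitoring pipeline can act on: the mteHotOID varbind names the extResult.<index> object that fired, mteHotValue carries its value (non-zero in the stop samples, 0 in the start samples), and the extNames/extOutput varbinds with the same index carry the process name and status message. The set of services treated as critical is an assumption of the example; the sample varbind lists are transcribed from the RADIUS server traps above and are not captured traffic.

```python
"""Decoder for the process stop/start traps listed above. Added example, not
ClearPass code."""

SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"      # SNMPv2-MIB::snmpTrapOID.0
MTE_TRIGGER_FIRED = ".1.3.6.1.2.1.88.2.0.3"  # DISMAN-EVENT-MIB::mteTriggerFired
MTE_HOT_OID = ".1.3.6.1.2.1.88.2.1.4.0"      # mteHotOID: the object that fired
MTE_HOT_VALUE = ".1.3.6.1.2.1.88.2.1.5.0"    # mteHotValue: its value at the time
EXT_RESULT = ".1.3.6.1.4.1.2021.8.1.100."    # UCD-SNMP-MIB extResult.<index>
EXT_NAME = ".1.3.6.1.4.1.2021.8.1.2."        # extNames.<index> (process name)
EXT_OUTPUT = ".1.3.6.1.4.1.2021.8.1.101."    # extOutput.<index> (status message)

GENERIC_TRAPS = {
    ".1.3.6.1.6.3.1.1.5.1": "coldStart",
    ".1.3.6.1.6.3.1.1.5.2": "warmStart",
    ".1.3.6.1.6.3.1.1.5.3": "linkDown",
    ".1.3.6.1.6.3.1.1.5.4": "linkUp",
}

# Processes whose loss stops authentication or affects the cluster VIP; an
# unexpected stop is a page, not a log line. Names taken from the trap samples
# above; extend with the other services your deployment runs (assumed set).
AUTH_CRITICAL = {"cpass-radius-server", "cpass-vip-service"}


def decode_trap(varbinds):
    """Return an event dict for a recognised trap, or None."""
    vb = dict(varbinds)
    trap_oid = vb.get(SNMP_TRAP_OID)
    if trap_oid in GENERIC_TRAPS:
        return {"event": GENERIC_TRAPS[trap_oid], "severity": "info"}
    if trap_oid != MTE_TRIGGER_FIRED:
        return None
    hot_oid = vb.get(MTE_HOT_OID, "")
    if not hot_oid.startswith(EXT_RESULT):
        return None  # some other DISMAN trigger (disk, CPU load, ...)
    index = hot_oid[len(EXT_RESULT):]
    # In the samples above a stopped process reports a non-zero extResult
    # (1 or 3) and a started one reports 0.
    exit_status = int(vb.get(MTE_HOT_VALUE, "0"))
    service = vb.get(EXT_NAME + index, "ext." + index)
    state = "running" if exit_status == 0 else "stopped"
    critical = state == "stopped" and service in AUTH_CRITICAL
    return {
        "event": "process",
        "service": service,
        "state": state,
        "exit_status": exit_status,
        "message": vb.get(EXT_OUTPUT + index, ""),
        "severity": "critical" if critical else "info",
    }


# Constructed varbind lists, transcribed from the RADIUS server samples above.
RADIUS_STOP = [
    (SNMP_TRAP_OID, MTE_TRIGGER_FIRED),
    (".1.3.6.1.2.1.88.2.1.1.0", "extTable"),
    (MTE_HOT_OID, ".1.3.6.1.4.1.2021.8.1.100.5"),
    (MTE_HOT_VALUE, "3"),
    (".1.3.6.1.4.1.2021.8.1.2.5", "cpass-radius-server"),
    (".1.3.6.1.4.1.2021.8.1.101.5", "Radius server [ cpass-radius-server ] is stopped"),
]
RADIUS_START = [
    (SNMP_TRAP_OID, MTE_TRIGGER_FIRED),
    (".1.3.6.1.2.1.88.2.1.1.0", "extTable"),
    (MTE_HOT_OID, ".1.3.6.1.4.1.2021.8.1.100.5"),
    (MTE_HOT_VALUE, "0"),
    (".1.3.6.1.4.1.2021.8.1.2.5", "cpass-radius-server"),
]
LINK_DOWN = [(SNMP_TRAP_OID, ".1.3.6.1.6.3.1.1.5.3")]

if __name__ == "__main__":
    for trap in (RADIUS_STOP, RADIUS_START, LINK_DOWN):
        print(decode_trap(trap))
```

Keying on the extResult index rather than on the free-text status message keeps the decoder stable across wording changes, and a stop of a service in AUTH_CRITICAL is the signal worth alerting on: while cpass-radius-server is down, every 802.1X and MAC authentication request to that node fails.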
CPU Load Average Traps

OIDs:
.1.3.6.1.4.1.2021.10.1.100.1 ==> Error flag on the CPU load-1 average. A value of 1 indicates that load-1 has crossed its threshold; 0 indicates otherwise.
.1.3.6.1.4.1.2021.10.1.2.1 ==> Name of the CPU load-1 average

Figure 456: CPU load-1 average example

.1.3.6.1.4.1.2021.10.1.100.2 ==> Error flag on the CPU load-5 average. A value of 1 indicates that load-5 has crossed its threshold; 0 indicates otherwise.
.1.3.6.1.4.1.2021.10.1.2.
Admin UI Events

Critical Events
"Admin UI", "ERROR", "Email Failed", "Sending email failed"
"Admin UI", "ERROR", "SMS Failed", "Sending SMS failed"
"Admin UI", "WARN", "Login Failed", "User:"
"Admin UI", "WARN", "Login Failed", description

Info Events
"Admin UI", "INFO", "Logged out"
"Admin UI", "INFO", "Session destroyed"
"Admin UI", "INFO", "Logged in", description
"Admin UI", "INFO", "Clear Authentication Cache", "Cache is cleared for authentication source "
"Admin UI", "INFO", "Clear Blacklist User
ClearPass System Configuration Events

Critical Events
"DNS", "ERROR", "Failed configure DNS servers = "
"datetime", "ERROR", "Failed to change system datetime."
Command Line Events

Info Events
"Command Line", "INFO", "User:appadmin"

DB Replication Services Events

Info Events
"DB replication service", "INFO", "Performed action start on DB replication service"
"DB replication service", "INFO", "Performed action stop on DB replication service"
"DB change notification server", "INFO", "Performed action start on DB change notification server"

Licensing Events

Critical Events
"Admin UI
SNMP Events

Critical Events
"SNMPService", "ERROR", "ReadDeviceInfo", "SNMP GET failed for device with error=No response received\nReading sysObjectId failed for device=\nReading switch initialization info failed for "
"SNMPService", "ERROR", "Error fetching table snmpTargetAddr. Request timed out. Error reading SNMP target table for NAD=10.1.1.1 Maybe SNMP target address table is not supported by device? Allow NAD update. SNMP GET failed for device 10.1.1.
- Multi-master cache
- Policy server
- RADIUS server
- System auxiliary services
- System monitor service
- TACACS server
- Virtual IP service
- [YOURSERVERNAME] Domain service
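The Admin UI "Login Failed" and "Logged in" records listed above are the raw material for the one detection every Policy Manager deployment should run: password guessing against the administrative UI. The following is an added example (not ClearPass code) that parses records in the quoted, comma-separated shape shown in the listings and raises an alert when one user accumulates a threshold of failures inside a sliding window, and a second alert if that user then logs in while failures are still in the window. The page lists only the quoted fields, so the timestamps, the "User:<name>" descriptions and the straight quotes in the sample records are assumptions of the example; the threshold and window are illustrative.

```python
"""Detection over the Admin UI event records listed above. Added example, not
ClearPass code. Records are modelled as (timestamp, line) pairs."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

THRESHOLD = 5                   # failed logins per user ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window


def parse_event(line: str) -> dict:
    """Split one 'source, level, category, description' record. The csv module
    keeps commas inside quoted descriptions intact; typographic quotes that a
    PDF viewer substitutes are folded back to plain ones first."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    fields = next(csv.reader(StringIO(line), skipinitialspace=True))
    fields += [""] * (4 - len(fields))
    return dict(zip(("source", "level", "category", "description"), fields))


def user_of(event: dict) -> str:
    """Login events carry the account as 'User:<name>' in the description (assumed)."""
    desc = event["description"]
    return desc.split(":", 1)[1].strip() if desc.startswith("User:") else ""


def detect_admin_bruteforce(events):
    """Return alerts: one when a user reaches THRESHOLD admin-UI login failures
    inside WINDOW, another if that user then logs in successfully while failures
    are still in the window (the obvious reading being a guessed password)."""
    failures = defaultdict(deque)
    alerts = []
    for ts, line in events:
        ev = parse_event(line)
        if ev["source"] != "Admin UI":
            continue
        user = user_of(ev)
        recent = failures[user]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()
        if ev["category"] == "Login Failed":
            recent.append(ts)
            if len(recent) == THRESHOLD:
                alerts.append({"type": "bruteforce", "user": user, "at": ts, "failures": THRESHOLD})
        elif ev["category"] == "Logged in" and recent:
            alerts.append({"type": "success-after-failures", "user": user, "at": ts,
                           "failures": len(recent)})
            recent.clear()
    return alerts


# Constructed sample: six failures for 'admin' a minute apart, then a success,
# plus two harmless failures for another user and an unrelated logout.
T0 = datetime(2014, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(minutes=i), '"Admin UI", "WARN", "Login Failed", "User:admin"') for i in range(6)
] + [
    (T0 + timedelta(minutes=6), '"Admin UI", "INFO", "Logged in", "User:admin"'),
    (T0 + timedelta(minutes=7), '"Admin UI", "WARN", "Login Failed", "User:auditor"'),
    (T0 + timedelta(minutes=8), '"Admin UI", "WARN", "Login Failed", "User:auditor"'),
    (T0 + timedelta(minutes=9), '"Admin UI", "INFO", "Logged out"'),
]

if __name__ == "__main__":
    for alert in detect_admin_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The alert fires once, when the count first reaches the threshold, rather than on every subsequent failure, and the success-after-failures alert carries the number of failures that preceded the login so the analyst can tell a mistyped password from a guessed one.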
Appendix D Use Cases

This appendix contains several specific Dell Networking W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case.
- 802.1X Wireless Use Case on page 549
- Web Based Authentication Use Case on page 556
- MAC Authentication Use Case on page 564
- TACACS+ Use Case on page 567
- Single Port Use Case on page 569

802.
Configuring the Service Follow the steps below to configure this basic 802.1X service: 1. Create the Service. The following table provides the model for information presented in Use Cases, which assume the reader’s ability to extrapolate from a sequence of navigational instructions (left column) and settings (in summary form in the right column) at each step. Below the table, we call attention to any fields or functions that may not have an immediately obvious meaning.
Table 355: Configure Authentication Navigation and Settings

Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager):
- Authentication (tab) >
- Methods (select a method from the drop-down list) >
- Add >
- Sources (select from the drop-down list): [Local User Repository] [Local SQL DB], [Guest User Repository] [Local SQL DB], [Guest Device Repository] [Local SQL DB], [Endpoints Repository] [Local SQL DB], [Onboard Devices Repository] [Local S
Table 356: 802.1X - Configure Authorization Navigation and Settings

Configure the Service-level authorization source. In this use case there is nothing to configure:
- Click the Next button.
- Upon completion, click Next (to Role Mapping).

4. Apply a Role Mapping Policy. Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles are acceptable) to the request for use by the Enforcement Policy.
Table 357: Role Mapping Navigation and Settings

Create the new Role Mapping Policy:
- Roles (tab) >
- Add New Role Mapping Policy (link)

Add new Roles (names only):
- Policy (tab) >
- Policy Name (freeform): ROLE_ENGINEER >
- Save (button) >
- Repeat for ROLE_FINANCE >
- When you are finished working in the Policy tab, click the Next button (in the Rules Editor)

Create rules to map client identity to a Role:
- Mapping Rules (tab) >
- Rules Evaluation Algorithm (radio button): Select

Table 357: Role Mapping Navigation and Settings (Continued)

Add the new Role Mapping Policy to the Service:
- Back in Roles (tab) >
- Role Mapping Policy (selector): RMP_DEPARTMENT >
- Upon completion, click Next (to Posture)

5. Configure a Posture Server. For purposes of posture evaluation, you can configure a Posture Policy (internal to Policy Manager), a Posture Server (external), or an Audit Server (internal or external).
Table 358: Posture Navigation and Settings

Add a new Posture Server:
- Posture (tab) >
- Add new Posture Server (button) >

Configure Posture settings:
- Posture Server (tab) >
- Name (freeform): PS_NPS
- Server Type (radio button): Microsoft NPS
- Default Posture Token (selector): UNKNOWN
- Next (to Primary Server)

Configure connection settings:
- Primary/Backup Server (tabs): Enter connection information for the RADIUS posture server.
Table 359: Enforcement Policy Navigation and Settings

Configure the Enforcement Policy:
- Enforcement (tab) >
- Enforcement Policy (selector): Role_Based_Allow_Access_Policy

For instructions about how to build such an Enforcement Policy, refer to Configuring Enforcement Policies on page 298.

7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.

Web Based Authentication Use Case

This Service supports known Guests with inadequate 802.
Figure 460: Flow-of-Control of Web-Based Authentication for Guests

Configuring the Service

Perform the following steps to configure Policy Manager for WebAuth-based Guest access.
1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service. Refer to your Network Access Device documentation to configure the switch so that it redirects HTTP requests to the Dell Guest Portal, which captures the username and password and optionally launches an agent that returns posture data.
Table 360: Service Navigation and Settings

Create a new Service:
- Services >
- Add Service >

Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): Dell Web-Based Authentication >
- Name/Description (freeform) >
- Upon completion, click Next.

3. Set up the Authentication.
a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
b.
Table 361: Local Policy Manager Database Navigation and Settings

Select the local Policy Manager database:
- Authentication (tab) >
- Sources (select from the drop-down list): [Local User Repository] >
- Add >
- Strip Username Rules (check box) >
- Enter an example of preceding or following separators (if any), with the word "user" representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
Table 362: Posture Policy Navigation and Settings

Create a Posture Policy:
- Posture (tab) >
- Enable Validation Check (check box) >
- Add new Internal Policy (link) >

Name the Posture Policy and specify a general class of operating system:
- Policy (tab) >
- Policy Name (freeform): IPP_UNIVERSAL >
- Host Operating System (radio buttons): Windows >
- When finished working in the Policy tab, click Next to open the Posture Plugins tab

Select a Validator:
- Posture Plugins (tab) >
- Enable Windows Health System Validator >
- Configure (button) >

Configure the Validator:
- Windows System Health Validator (popup) >
- Enable all Windows operating systems (check box) >
- Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) >
- Save (button) >
- When finished working in the Posture Plugins tab, click Next to move to the Rules tab

Set rules to correlate validation results with posture tokens:
- Rules (tab) >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) >
- In the Rules Editor, upon completion of each rule, click the Save butto

Add the new Posture Policy to the Service:
- Back in Posture (tab) >
- Internal Policies (selector): IPP_UNIVERSAL, then click the Add button

The following fields deserve special mention:
- Default Posture Token. Value of the posture token to use if health status is not available.
- Remediate End-Hosts. When a client does not pass posture evaluation, redirect to the indicated server for remediation.
- Remediation URL.
MAC Authentication Use Case This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request. A subsequent MAC Authentication request (forcefully triggered after the audit, or triggered after a short session timeout) uses the cached results from the audit to determine posture and role(s) for the device.
Table 364: MAC Authentication Service Navigation and Settings

Create a new Service:
- Services >
- Add Service (link) >

Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): MAC Authentication >
- Name/Description (freeform) >
- Upon completion, click Next to configure Authentication

2. Set up Authentication. You can select any type of authentication/authorization source for a MAC Authentication service.
This step is optional if no Role Mapping Policy is provided, or if you want to establish health or roles using an audit. An audit server determines health by performing a detailed system and health vulnerability analysis (NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy Manager to determine client identity.
TACACS+ Use Case

This Service supports Administrator connections to Network Access Devices via TACACS+. The following image illustrates the overall flow of control for this Policy Manager Service.

Figure 462: Administrator connections to Network Access Devices via TACACS+

Configuring the Service

Perform the following steps to configure Policy Manager for TACACS+-based access:
1. Create a TACACS+ Service.
Table 368: TACACS+ Navigation and Settings

Create a new Service:
- Services >
- Add Service (link) >

Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): [Policy Manager Admin Network Login Service] >
- Name/Description (freeform) >
- Upon completion, click Next (to Authentication)

2. Set up the Authentication.
a. Method: The Policy Manager TACACS+ service authenticates TACACS+ requests internally.
b.
Table 370: Enforcement Policy Navigation and Settings

Select the Enforcement Policy:
- Enforcement (tab) >
- Enforcement Policy (selector): Device Command Authorization Policy
- When you are finished with your work in this tab, click Save.

4. Save the Service. Click Save. The Service now appears at the bottom of the Services list.

Single Port Use Case

This Service supports all three types of connections on a single port.
Figure 463: Flow of the Multiple Protocol Per Port Case
Appendix E OnGuard Dissolvable Agent

You can configure the OnGuard Dissolvable Agent flow in different modes to perform health scans on endpoints. This section describes how to configure the OnGuard Dissolvable Agent in the following modes, and the end-to-end flow for each:
- Native agents only: the Native Dissolvable Agent communicates with ClearPass Guest to send information about endpoints such as status, health status, remediation messages, and so on.
1. Select the Policy-initiated - An enforcement policy will control a change of authorization option from the drop-down list in the Login Method field. The following figure shows an example configuration of the policy-initiated login method in the Web Login Editor page: Figure 464: Policy-initiated Login Method 2. Select the Require a successful OnGuard health check option in the Health Check field. If you select this field, the guest needs to pass a health check before accessing the network.
Figure 466: Native Dissolvable Agent - Login Page

The Terms shown on the Login page are optional. To require them, select the Require a Terms and Conditions confirmation check box in the Terms field of the ClearPass Guest Login Form.
2.
Figure 469: Native Dissolvable Agent Installation

If you are running Windows, Internet Explorer offers the options Run or Save; Firefox and Chrome offer only the option to save the .exe file. If you are running Mac OS X, Firefox offers the options to open the binary with DiskImageMounter or to save the .DMG file; Safari and Google Chrome offer the option to Save only.
5. Select the ClearPass OnGuard Web Agent application in the Launch Application page.
Figure 471: Native Dissolvable Agent Installation Progress

7. After the installation succeeds, the health check scan starts. The following figure shows an example of the progress indicator:

Figure 472: Health Check Progress

8. After the health check scan completes, a page similar to the following example shows the health check results if the client is unhealthy:

Figure 473: Health Check Results
9. Take the appropriate actions to fix the issues listed in the remediation and agent enforcement messages, then click Scan Again. Repeat this step until the client is healthy. Once the client is healthy, you can access the destination URL.
10. You can track the events of the end-to-end flow in the Access Tracker page.
Figure 475: Policy-initiated Login Method 2. Select the Require a successful OnGuard health check option in the Health Check field. If you select this field, the guest needs to pass a health check before accessing the network. Select the Native agents with Java fallback mode in the Client Agents field: Figure 476: Native Agents with Java Fallback Mode End-to-end flow in Native Agents with Java Fallback Mode The posture assessment is performed based on your selection.
Configuring Web Agent Flow - Java Only Mode

You can configure a new web agent flow in two locations (Dell Networking W-ClearPass Policy Manager and ClearPass Guest) to perform health scans on endpoints.

Configuring Web Agent Flow in Dell Networking W-ClearPass Policy Manager

Use the following steps to configure a new web agent flow in Dell Networking W-ClearPass Policy Manager:
1. Create a 802.
Figure 480: Web Agent Flow - Services Web Auth Configuring Web Agent Flow in ClearPass Guest Use the following steps to create a web agent flow in ClearPass Guest: 1. Click Create a new web login page on the right corner of the ClearPass Guest UI. The following figure shows an example of the Web Login Editor page: Figure 481: Web Login Editor 2. Select the Anonymous - Do not require a username or password option from the drop-down. 3.
Figure 482: Web Login - Login Form 7. Select the Local - match a local account option in the Post Authentication field. The following figure shows an example of the Web Login - Post-Authentication page: Figure 483: Web Login - Post-Authentication The following figure shows an example of the final web agent flow: For more information, refer to ClearPass Guest Online Help.
Table 372: Supported Browsers and Java Versions Operating System Windows 7 64-bit Windows 7 32-bit Windows 8 64-bit Windows 8 32-bit Windows 8.1 64-bit Windows Browser Test Results Chrome Passed #24518 Dell Networking W-ClearPass Policy Manager 6.4.0.65408 and Chrome 35.X Firefox Passed #24566, #24534 Dell Networking W-ClearPass Policy Manager 6.4.0.65408 and Firefox 30.X IE Passed None Dell Networking W-ClearPass Policy Manager 6.4.0.65408 and IE 11.
Table 372: Supported Browsers and Java Versions (Continued) Operating System Browser Test Results Known Issues 2008 64-bit Windows XP SP3 Windows 2003 32-bit Windows Vista MAC 10.9 MAC 10.8 Tested Versions Manager 6.4.0.65823 and Chrome 34.X Firefox Passed IE 32-bit Passed Chrome Not supported Dell Networking W-ClearPass Policy Manager 6.4.0.65552 and Chrome 34.X Firefox Not supported Dell Networking W-ClearPass Policy Manager 6.4.0.65552 and Firefox 30.
Table 372: Supported Browsers and Java Versions (Continued) Operating System MAC 10.7.5 Browser Test Results Chrome Passed Safari Passed Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Safari 6.X Firefox Passed Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Firefox 31.X Chrome Passed Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Chrome 36.X Known Issues Tested Versions #24933 Dell Networking W-ClearPass Policy Manager 6.4.0.65823 and Chrome 35.
Table 373: Supported Browsers and Java Versions (Continued) Operating System Windows 7 32-bit Windows 8 64-bit Windows 8 32-bit Windows 8.1 64-bit Browser Java Version Test Results Chrome 7u65 Passed None Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Chrome 36.X Firefox 7u65 Passed None Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Firefox 30.X IE 7u65 Passed None Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and IE 11.
Table 373: Supported Browsers and Java Versions (Continued) Operating System Browser Java Version Test Results Known Issues Tested Versions W-ClearPass Policy Manager 6.4.0.65658 and Chrome 36.X Windows 2008 64-bit Windows 2003 32-bit Firefox JRE: 7u65 32-bit Passed None Dell Networking W-ClearPass Policy Manager 6.4.0.65762 and Firefox 30.X IE 32-bit 7U65 Passed None Dell Networking W-ClearPass Policy Manager 6.4.0.65762 and IE 11.
Table 373: Supported Browsers and Java Versions (Continued) Operating System Windows XP 32-bit MAC 10.9 MAC 10.8 Browser Java Version Test Results Chrome JRE: 7u65 Not supported None Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Chrome 35.X Firefox JRE: 7u65 Not supported None Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Firefox 30.X IE JRE: 7u65 Not supported None Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and IE 8.
Table 373: Supported Browsers and Java Versions (Continued) Operating System Browser Java Version Test Results MAC 10.7.5 Safari JRE: 7u65 Passed #20191 Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Safari 6.X Firefox JRE: 7u65 Passed #23340 Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Firefox 30.X Chrome JRE: 7u65 Failed #18031 Dell Networking W-ClearPass Policy Manager 6.4.0.65658 and Chrome 34.