User Guide Dell Networking W-ClearPass Guest 6.
Copyright © 2014 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba ® Wireless Networks , the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents About this Guide 19 Audience 19 Conventions 19 Contacting Support W-ClearPass Guest Overview 20 21 About Dell Networking W-ClearPass Guest 21 Visitor Access Scenarios 21 Reference Network Diagram 22 Key Interactions 23 AAA Framework 23 Key Features 24 Visitor Management Terminology 26 W-ClearPass Guest Deployment Process 27 Operational Concerns 27 Network Provisioning 27 Site Preparation Checklist 27 Security Policy Considerations 28 AirGroup Deployment Process 2
Exporting Guest Account Information 48 About CSV and TSV Exports 48 About XML Exports 49 MAC Authentication in W-ClearPass Guest 49 MAC Address Formats 49 Managing Devices 50 Changing a Device’s Expiration Date 51 Disabling and Deleting Devices 52 Activating a Device 52 Editing a Device 53 Viewing Current Sessions for a Device 55 Viewing and Printing Device Details 55 Device Creation Methods 55 Creating Devices Manually in W-ClearPass Guest 56 Creating Devices During Self-Registr
Certificate Configuration in a Cluster Revoking Unique Device Credentials 80 80 Revoking Credentials to Prevent Network Access 81 Re-Provisioning a Device 81 Network Requirements for Onboard 81 Using Same SSID for Provisioning and Provisioned Networks 82 Using Different SSID for Provisioning and Provisioned Networks 82 Configuring Online Certificate Status Protocol 82 Configuring Certificate Revocation List (CRL) 82 Network Architecture for Onboard Network Architecture for Onboard when Using
Uploading an iOS Provisioning Profile 110 Viewing an iOS Provisioning Profile Certificate Details 110 Viewing an iOS Provisioning Profile Details 110 Deleting an iOS Provisioning Profile 111 Apps Management Adding Any App 112 WorkSpace Apps 113 Enterprise Apps 114 Public (App Store) Apps 116 Web Apps 117 Management and Control 118 Device Management (View by Device) 118 Device Management (View by Username) 121 Certificate Management (View by Certificate) 123 Searching for Certificat
Device Restrictions Settings Creating and Editing Device Restrictions Settings Email Settings Creating and Editing Email Settings Exchange ActiveSync Creating and Editing ActiveSync Settings Network Settings 155 156 158 159 161 162 164 Configuring Basic Network Access Settings 165 Configuring 802.
Creating WorkSpace Settings 200 Editing WorkSpace Settings 204 Duplicating WorkSpace Settings 207 Viewing WorkSpace Setting 207 Showing WorkSpace Setting Usage 208 Deployment and Provisioning 208 Configuration Profiles 208 Creating and Editing Configuration Profiles 209 Provisioning Settings About Configuring Provisioning Settings 213 Configuring Basic Provisioning Settings 214 Configuring Provisioning Settings for the Web Login Page 217 Configuring Provisioning Settings for iOS and OS
Uploading Content 249 Downloading Content 250 Creating a New Content Directory 251 Digital Passes About Digital Passes 251 252 Passes for Guest Receipts in W-ClearPass Guest 253 Pass Templates 253 Apple Passbook Certificates 254 Digital Passes Process Overview 254 Viewing the Digital Pass Certificate 255 Installing Digital Pass Certificates 256 Managing Digital Passes 257 Creating and Editing a Digital Pass Template 258 Defining Basic Properties 258 Defining Pass Properties 259 D
View Field Editor 294 Customizing Guest Manager 296 Default Settings for Account Creation 296 About Fields, Forms, and Views 301 Business Logic for Account Creation 301 Verification Properties 301 Basic User Properties 301 Visitor Account Activation Properties 302 Visitor Account Expiration Properties 302 Other Properties 303 Standard Forms and Views 303 Customizing Guest Self-Registration 305 Accessing the Guest Self-Registration Customization Forms Duplicating a Self-Registration P
Configuring the Shared Locations and Shared Role Fields Example: IP Phones 328 330 331 Managing IP Phone Services 331 Creating and Editing an IP Phone Service 332 Defining General Properties 332 Defining Display Properties 333 Defining Behavioral Properties 333 Defining Receipt and Access Control Properties 334 Customizing Print Templates 334 Creating New Print Templates 335 Print Template Wizard 336 Modifying Wizard-Generated Templates 337 Setting Print Template Permissions 337 Con
Customizing Visitor Sign-Up Page One 361 Customizing Visitor Sign-Up Page Two 362 Customizing Visitor Sign-Up Page Three 364 Viewing the Hotspot User Interface Administration 367 Accessing Administration 367 AirGroup Services 367 AirGroup Controllers 368 Creating and Editing AirGroup Controllers 369 Configuring AirGroup Services 370 AirGroup Diagnostics 372 Creating AirGroup Administrators 373 Creating AirGroup Operators 373 Authenticating AirGroup Users via LDAP 374 Configuring L
Import Information: Palo Alto Network Services 393 Import Information: RADIUS Services 393 Import Information: Reporting Manager Definitions 395 Import Information: Server Configuration 395 Import Information: SMS Services 396 Import Information: SMTP Services 396 Plugin Manager 397 Viewing Available Plugins 397 Configuring Plugins 398 Configuring the Kernel Plugin 399 Configuring the Dell W-ClearPass Skin Plugin 400 Configuring the SMS Services Plugin 401 Configuring the IP Phone Se
Configuring SOAP Web Services 420 SOAP Debugging 421 Creating a SOAP API Operator 421 Accessing the WSDL 422 Integration Example Create a New Project 423 Add Service Reference 423 Configuring HTTP Basic Authentication 425 Performing an API Call 425 Securing Web Services Using HTTPS 426 API Documentation 427 XML Namespaces 427 SOAP Addressing 427 Types 427 Operations 430 Operator Logins 439 Accessing Operator Logins 439 About Operator Logins 439 Role-Based Access Control for
Automatic Logout The XML-RPC Interface and API XML-RPC API Overview 458 459 459 About the XML-RPC API 459 Architecture Overview 459 API Symmetry 460 Access Control 460 Parameter Names 461 Parameter Validation 461 Field Customization 461 Parameter Types 461 Data Representation 461 XML-RPC Faults 461 Accessing the API 462 Creating the Profile 462 Creating the Role 463 Creating the Local User 463 Creating the Translation Rule 464 Invoking the API 464 SSL Security 465 Metho
Parameters 472 Return Values 472 Access Control 473 Example Usage 473 Method amigopod.guest.get Parameters 473 Return Values 473 Access Control 473 Example Usage 473 Method amigopod.guest.list 474 Parameters 475 Return Values 475 Access Control 475 Example Usage 475 Method amigopod.guest.reset.password 475 Parameters 475 Return Values 475 Access Control 476 Example Usage 476 Method amigopod.mac.
Conditional Text Blocks 486 Script Blocks 487 Repeated Text Blocks 487 Foreach Text Blocks 487 Modifiers 488 Predefined Template Functions 488 dump 488 nwa_commandlink 489 nwa_iconlink 489 nwa_icontext 490 nwa_quotejs 491 nwa_radius_query 491 Advanced Developer Reference 497 nwa_assign 497 nwa_bling 497 nwa_makeid 498 nwa_nav 498 nwa_plugin 499 nwa_privilege 500 nwa_replace 500 nwa_text 500 nwa_userpref 500 nwa_youtube 501 Date/Time Format Syntax 501 nwadatefo
| Contents NwaPasswordByComplexity 508 NwaSmsIsValidPhoneNumber 508 NwaStrongPassword 508 NwaVLookup 508 NwaWordsPassword 509 Field, Form, and View Reference 509 GuestManager Standard Fields 509 Hotspot Standard Fields 517 SMS Services Standard Fields 518 SMTP Services Standard Fields 519 Format Picture String Symbols 520 Form Field Validation Functions 521 Form Field Conversion Functions 526 Form Field Display Formatting Functions 526 View Display Expression Technical Refere
Chapter 1 About this Guide Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. Audience This User Guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process.
The following informational icons are used throughout this guide:
• Indicates helpful suggestions, pertinent information, and important things to remember.
• Indicates a risk of damage to your hardware or loss of data.
• Indicates a risk of personal injury or death.
Contacting Support
Main Website: dell.com
Support Website: dell.com/support
Documentation Website: dell.com/support/manuals
Chapter 2 W-ClearPass Guest Overview This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
Figure 1 Visitor access using W-ClearPass Guest In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password. A guest account may be provisioned by a corporate operator such as a receptionist, who can then give the visitor a print receipt that shows their username and password for the network.
The network administrator, operators, and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points. Key Interactions The following figure shows the key interactions between W-ClearPass Guest and the people and other components involved in providing guest access.
Figure 4 Sequence diagram for network access using AAA
In the standard AAA framework, network access is provided to a user according to the following process:
• The user connects to the network by associating with a local access point [1].
• A landing page is displayed to the user [2], which allows them to log in to the NAS [3], [4] using the login name and password of their guest account.
• The NAS authenticates the user with the RADIUS protocol [5].
Table 2: List of Key features
Visitor Access
• Web server providing content delivery for guests: see "Managing Content: Private Files and Public Files" on page 248
• Guest self-registration: see "Customizing Guest Self-Registration" on page 305
Visitor Management
• Create and manage visitor accounts, individually or in groups: see "Using Standard Guest Management Features" on page 35
• Manage active RADIUS sessions using RFC 3576 dynamic authorization support: see "Active Sessions Management" on page 70
Im
Authentication" on page 446
• Operators authenticated via LDAP: see "External Operator Authentication" on page 447
• Role-based access control for operators: see "Operator Profiles" on page 440
• Plugin-based application features, automatically updated by W-ClearPass Policy Manager: see "Plugin Manager" on page 397
User Interface Features
• Context-sensitive help with searchable online documentation: see "Documentation and User Assistance" on page 29
Visitor Management Terminology
The following table descr
User Database: Database listing the guest accounts in W-ClearPass Guest.
View: In a user interface, a table displaying data, such as visitor account information, to operators.
Visitor/Guest: Someone who is permitted to access the Internet through your Network Access Server.
Visitor Account: Settings for a visitor stored in the user database, including username, password, and other fields.
Web Login/NAS Login: Login page displayed to a guest user.
Policy Decision
• Segregated guest accounts?
• Type of network access?
• Time of day access?
• Bandwidth allocation to guests?
• Prioritization of traffic?
• Different guest roles?
• IP address ranges for operators?
• Enforce access via HTTPS?
Operational Concerns
• Who will manage guest accounts?
• Guest account self-provisioning?
• What privileges will the guest managers have?
• Who will be responsible for printing reports?
Network Management Policy
• Password format for guest accounts?
• Shared secret format?
• Operator provision
• What requirements will you place on the shared secret between the NAS and the RADIUS server, to ensure network security is not compromised?
• What IP address ranges will operators be using to access the server?
• Should HTTPS be required in order to access the visitor management server?
AirGroup Deployment Process
AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them.
Table 6: Quick Links For information about... Refer to...
On some forms and views, the Quick Help icon may also be used to provide additional detail about a field. If You Need More Assistance If you encounter a problem using W-ClearPass Guest, your first step should be to consult the appropriate section in this User Guide. If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem.
Chapter 3 W-ClearPass Guest Manager The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager module provides complete control over the user account creation process.
About Guest Management Processes There are two major ways to manage guest access – either by your operators provisioning guest accounts, or by the guests self-provisioning their own accounts. Both of these processes are described in the next sections. Sponsored Guest Access The following figure shows the process of sponsored guest access. Figure 5 Sponsored guest access with guest created by operator The operator creates the guest accounts and generates a receipt for the account.
The NAS performs authentication and authorization for the guest in W-ClearPass Guest. Once authorized, the guest is then able to access the network. See "Customizing Guest Self-Registration" on page 305 for details on creating and managing self-registration pages.
A random password is created for each visitor account. This is displayed on this form, but will also be available on the guest account receipt. You must mark the Terms of Use check box in order to create the visitor account. Click the Create Account button after completing the form. Creating a Guest Account Receipt After you click the Create Account button on the New Visitor Account form, the details for that account are displayed.
To complete the form, you must enter the number of visitor accounts you want to create. A random username and password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. The visitor accounts cannot be used before the activation time, or after the expiration time. The Account Role specifies what type of accounts to create. Click the Create Accounts button after completing the form.
To print the receipts, select an appropriate template from the Open print window using template… drop-down list. A new browser window opens with the Print dialog displayed. To download a copy of the receipt information in CSV format, click the Save list for scratch cards (CSV file) link. You will be prompted to either open or save the spreadsheet (CSV) file.
1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest Accounts form and their descriptions. At this point, the Password field is not listed because the Create Multiple Guest Accounts form (create_multi) has not yet been customized to include it. You will create it for the form in the next step. 2.
Managing Guest Accounts Use the Guest Manager Accounts list view to work with individual guest accounts. To open the Guest Manager Accounts list, go to Guest > List Accounts. The Guest Manager Accounts view opens. This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields. See "Customizing Fields" on page 270 for details about this customization process. The default settings for this view are described below.
The Username, Role, State, Activation, and Expiration columns display information about the visitor accounts that have been created: l The value in the Expiration column is colored red if the account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the account will expire within the next hour.
• Reset password – Changes the password for a guest account. A new randomly generated password is displayed on the Reset Password form. Click Update Account to reset the guest account’s password. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Change expiration – Changes the expiration time for a guest account. This form (change_expiration) can be customized by adding new fields, or modifying or removing the existing fields.
Select an option from the drop-down list to change the activation time of the guest account. To re-enable an account that has been disabled, choose Now. Click Enable Account to set the new activation time for the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Edit – Changes the properties of a guest account. This form can be customized by adding new fields, or modifying or removing the existing fields.
This view (guest_multi) may be customized by adding new fields or by modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 305 for details about this customization process. The default settings for this view are described below.
To restore the default view, click the Clear Filter link. Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page. To select guest accounts, click the accounts you want to work with. You may click either the check box or the row to select a visitor account.
The Upload User List form provides you with different options for importing guest account data. To complete the form, you must either specify a file containing account information, or type or paste the account information into the Accounts Text area. Select the Show additional import options check box to display the following advanced import options:
• Character Set: W-ClearPass Guest uses the UTF-8 character set encoding internally to store visitor account information.
Because this data includes a header row that contains field names, the corresponding fields have been automatically detected in the data: Use the Match Fields form to identify which guest account fields are present in the imported data. You can also specify the values to be used for fields that are not present in the data. To complete the Match Fields form, make a selection from each of the drop-down lists.
The icon displayed for each user account indicates whether it is a new entry or whether an existing user account will be updated. By default, this form shows ten entries per page. To view additional entries, click the arrow button at the bottom of the form to display the next page, or click the 10 rows per page drop-down list at the bottom of the form and select the number of entries that should appear on each page.
• Username – Username for the guest account
• Role – Role for the guest account
• Activation – Date and time at which the guest account will be activated, or “N/A” if there is no activation time
• Expiration – Date and time at which the guest account will expire, or “N/A” if there is no expiration time
• Lifetime – The guest account’s lifetime in minutes after login, or 0 if the account lifetime is not set
• Expire Action – Number specifying the action to take when the guest account expires (0 th
• 112233AABBCC
• 11:22:33:aa:bb:cc
• 11-22-33-AA-BB-CC
W-ClearPass Guest supports adjusting the expected format of a MAC address. To configure formatting of separators and case in the address, as well as user detection and device filtering for views, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication plugin. The MAC Authentication Configuration page opens.
In addition, icons in the MAC Address column indicate the device account’s activation status:
• Device account is active
• Device account was created but is not activated yet
• Device account was disabled by Administrator
• Device account has expired
• Device account was deleted
You can use the Filter field to narrow the search parameters.
1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date:
• If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list.
• If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker.
1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account. You may choose an interval, or you may choose to specify a time. 2. If you choose Activate at specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date. 3.
If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin.
AirGroup: Enables AirGroup for the device. Configuration options are added to the form.
Ownership: Specifies whether device ownership should be personal or shared. Personal devices are automatically shared with the owner's other devices.
in the Time fields to increment the hours and minutes, then click a day to select the date.
Account Role: Assigns the visitor’s role.
Notes: Optional additional information.
Update Device: Commits your changes and updates the device. The Updated Device Details and print options are displayed.
Viewing Current Sessions for a Device
To view any sessions that are currently active for a device, click the Sessions link in the device’s row on the Guest Manager Devices form.
Creating Devices Manually in W-ClearPass Guest
If you have the MAC address, you can create a new device manually. To create a new device, go to Guest > List Devices and click the Create link, or you can go to the Guest navigation page and click the Create Device command. The New Device form opens.
Table 11: New Device
MAC Address (Required): Enter the device's MAC address.
Device Name (Required): Enter the name for the device.
Locations field and press the Enter key, the location appears as a "tag" and is created in the system when the form is saved. Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
Shared Roles: User roles that can share this device.
This requires a vendor passing a MAC parameter in the redirect URL. W-ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP. To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth in the list, click the Customize fields link above the list. Click the Edit link in the field’s row.
In the Define Custom Field form, edit the registration form fields:
• Add or enable mac
  ◦ UI: Hidden field
  ◦ Field Required: optional
  ◦ Validator: IsValidMacAddress
• Add or enable mac_auth_pair
  ◦ UI: Hidden field
  ◦ Initial Value: -1
Any other expiration options, role choice, surveys and so on can be entered as usual. You will see an entry under both List Accounts and List Devices.
4. In the Shared Locations field, enter the locations where the device can be shared. To allow the device to be shared with all locations, leave this field blank. Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The maximum character limit for the list is 1000 characters (including comma separators). Each location is entered as a tag=value pair describing the MAC address of the access point (AP) closest to the registered device.
To view and edit your organization’s shared AirGroup devices: 1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all the shared AirGroup devices for the organization. You can remove a device; edit a device’s name, MAC address, shared locations, shared-user list, or shared roles; print device details; or add a new device. 2. To work with a device, click the device’s row in the list.
2. In the Your Name field, enter your username for your organization. 3. In the Device Name field, enter the name used to identify the device. 4. In the Device Type drop-down list, select the device type. 5. In the MAC Address field, enter the device’s MAC address. 6. In the Shared With field, enter the usernames of your friends or colleagues who are allowed to use the device. Use commas to separate usernames in the list. You may enter up to ten usernames.
3. To edit properties of a device, click the Edit link for the device. The row expands to include the Edit Device form. You can modify the device’s name, MAC address, and group of users. 4. When your edits are complete, click Save Changes. About AirGroup Time-Based Sharing This section discusses time-based sharing policies for an AirGroup shared device.
On the Guest > Create Device or Guest > List Devices > Edit forms, the shared user groups you created are then available for selection when you click in the Shared Groups field. (This feature requires AOS 6.4 or later) On the same screen, the next step is then to enter the rules for the time-based sharing policy, using the group names you created.
As in the first example, the device is shared with users A and B, from 9am to 10am every Monday. Outside of this time slot, the device is shared as specified by the other sharing state fields (shared users, locations, roles and/or groups). This is the meaning of the default allow statement. If default allow is not specified, the normal behavior is default deny, which is the same as in the first example.
The device is shared with a single access point named 1341-ap01, a single group named ABC, a single role named SomeRole, and 4 users named user02, user03, user04, and user05. Note the quotes are not considered to be part of the user names user04 and user05. (In this case, the quotes are redundant as there is no space or comma that requires quoting.) No time zone is specified, so the date and time are determined relative to the server's time zone. No year is specified, so the server's current year is used.
For more information on using time-based sharing with AirGroup, see "About AirGroup Time-Based Sharing" on page 63. The syntax for AirGroup time-based sharing policies supports all the default time-based ACL rules specified in TimeRangeACL. This ACL is a sequence of rules, one per line, according to the following syntax:
• default allow|deny - Specifies the default behavior for unmatched times; this is 'allow' only if no 'periodic' or 'absolute' rules are specified, otherwise it is 'deny'.
• 8:00 to 18:00 - allows access 8am to 6pm, every day, but not outside those times
• weekdays 9am to 5pm - allows access 9am to 5pm, Monday through Friday, but not outside those times
• weekdays 9am to 5pm weekends 10am to 4pm - allows access 9am to 5pm, Monday through Friday, with reduced hours on Saturday and Sunday
Annual recurrences may be specified:
• weekdays 9am to 5pm not absolute December 25 to December 26 - allows access 9am to 5pm, Monday through Friday, but not on Christmas Day
Less comm
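The rule semantics above (deny by default once any periodic or absolute rule exists, "not absolute" carving a date range out of a weekly schedule) are easy to get wrong when reviewing a sharing policy. The following evaluator is an added example, not code from the guide or from W-ClearPass Guest: it models the documented subset of the TimeRangeACL syntax (default allow|deny; optional weekdays/weekends/day-name before a time range; absolute month-day ranges with an optional "not" prefix) and answers whether a given date and time is inside the policy. The grammar it accepts, the precedence of exclusions over matches, and the half-open treatment of the end time are assumptions made here for the example.

```python
from datetime import datetime

# Model of the documented TimeRangeACL subset (an assumption about the grammar,
# not the product's parser). Several clauses may follow each other on one line,
# as in "weekdays 9am to 5pm weekends 10am to 4pm":
#   default allow|deny
#   [not] [periodic] [weekdays|weekends|<dayname>] <time> to <time>
#   [not] absolute <month> <day> to <month> <day>
DAY_SPECS = {
    "weekdays": {0, 1, 2, 3, 4}, "weekends": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}
MONTHS = {name: number for number, name in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}


def parse_time(token):
    """'8:00', '9am', '5pm', '10:30pm' -> minutes since midnight."""
    text = token.lower()
    meridiem = text[-2:] if text.endswith(("am", "pm")) else ""
    if meridiem:
        text = text[:-2]
    hour, _, minute = text.partition(":")
    hour, minute = int(hour), int(minute or 0)
    if meridiem == "am" and hour == 12:
        hour = 0
    elif meridiem == "pm" and hour != 12:
        hour += 12
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("bad time: " + token)
    return hour * 60 + minute


def parse_policy(text):
    """Return (default_allow, rules); each rule is (kind, negate, days, start, end)."""
    rules, default = [], None
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0].lower() == "default":
            default = len(toks) > 1 and toks[1].lower() == "allow"
            continue
        i = 0
        try:
            while i < len(toks):
                negate = toks[i].lower() == "not"
                if negate:
                    i += 1
                kind = "periodic"
                if toks[i].lower() in ("periodic", "absolute"):
                    kind = toks[i].lower()
                    i += 1
                if kind == "absolute":
                    if toks[i + 2].lower() != "to":
                        raise ValueError("expected 'to'")
                    start = (MONTHS[toks[i].lower()], int(toks[i + 1]))
                    end = (MONTHS[toks[i + 3].lower()], int(toks[i + 4]))
                    rules.append(("absolute", negate, None, start, end))
                    i += 5
                else:
                    days = set(range(7))  # no day spec: every day
                    if toks[i].lower() in DAY_SPECS:
                        days = DAY_SPECS[toks[i].lower()]
                        i += 1
                    if toks[i + 1].lower() != "to":
                        raise ValueError("expected 'to'")
                    start, end = parse_time(toks[i]), parse_time(toks[i + 2])
                    rules.append(("periodic", negate, days, start, end))
                    i += 3
        except (IndexError, KeyError, ValueError):
            raise ValueError("cannot parse rule: " + line)
    if default is None:
        # Documented behaviour: 'allow' only when no periodic/absolute rules exist.
        default = not rules
    return default, rules


def is_allowed(policy_text, when):
    """Evaluate the policy at datetime `when`. A matching 'not' rule always denies."""
    default, rules = parse_policy(policy_text)
    minute = when.hour * 60 + when.minute
    month_day = (when.month, when.day)
    matched = False
    for kind, negate, days, start, end in rules:
        if kind == "periodic":
            hit = when.weekday() in days and start <= minute < end
        else:
            hit = start <= month_day <= end
        if hit and negate:
            return False
        matched = matched or hit
    return True if matched else default


if __name__ == "__main__":
    policy = "weekdays 9am to 5pm weekends 10am to 4pm\nnot absolute December 25 to December 26\n"
    for when in (datetime(2014, 12, 24, 10, 0), datetime(2014, 12, 25, 10, 0)):
        print(when, "->", "allow" if is_allowed(policy, when) else "deny")
```

Running the block with the two-line policy from the guide's annual-recurrence example prints allow for a Wednesday morning and deny for 10am on 25 December, even though that day is a weekday.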
Importing MAC Devices
The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth.
    mac_auth,mac,notes
    1,aa:aa:aa:aa:aa:aa,Device A
    1,bb:bb:bb:bb:bb:bb,Device B
    1,cc:cc:cc:cc:cc:cc,Device C
Any of the other standard fields can be added, similar to importing regular guests.
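Because the guide accepts three MAC address spellings (bare hex digits, colon-separated and hyphen-separated octets, in either case) and the import form takes a CSV with mac and mac_auth columns, a pre-upload check is worth having: it catches malformed addresses and duplicates that would otherwise surface only after the import. The block below is an added example serving both the MAC Address Formats passage and this import section; it is not code from the guide or from W-ClearPass Guest. The sample CSV is constructed for the example, the treatment of mac_auth as a 0/1 flag is an assumption (the guide's rows only show 1), and the canonical output form (lower-case, colon-separated) is a choice made here, not the product's configured format.

```python
import csv
import io
import string

# Constructed sample in the documented import layout (mac_auth,mac,notes).
# Lines 2-4 use the three accepted MAC styles; lines 5-7 are deliberately bad.
SAMPLE_IMPORT = """mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,BB-BB-BB-BB-BB-BB,Device B
1,ccccccccCCCC,Device C
1,dd:dd:dd:dd:dd,Too short
1,zz:zz:zz:zz:zz:zz,Not hex
1,AA:AA:AA:AA:AA:AA,Duplicate of Device A
"""

REQUIRED_COLUMNS = ("mac", "mac_auth")


def normalize_mac(raw, separator=":", upper=False):
    """Return the MAC in one canonical form, or None if it is not a valid address.

    Accepts the three styles the guide lists: 12 bare hex digits, colon-separated
    and hyphen-separated octet pairs. Mixed separators are rejected.
    """
    text = raw.strip()
    used = [sep for sep in (":", "-") if sep in text]
    if len(used) > 1:
        return None
    if used:
        parts = text.split(used[0])
        if len(parts) != 6 or any(len(p) != 2 for p in parts):
            return None
        digits = "".join(parts)
    else:
        digits = text
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        return None
    digits = digits.upper() if upper else digits.lower()
    return separator.join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_device_import(csv_text, separator=":", upper=False):
    """Check an import file before uploading it.

    Returns (accepted, rejected): accepted is a list of row dicts with the MAC
    rewritten in canonical form; rejected is a list of (line_number, reason).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError("missing required column(s): " + ", ".join(missing))

    accepted, rejected, seen = [], [], set()
    for row in reader:
        line = reader.line_num  # physical line in the file; header is line 1
        mac = normalize_mac(row["mac"] or "", separator, upper)
        if mac is None:
            rejected.append((line, "invalid MAC address %r" % row["mac"]))
            continue
        # Assumption: mac_auth is a 0/1 flag (the guide's examples only show 1).
        if row["mac_auth"] not in ("0", "1"):
            rejected.append((line, "mac_auth must be 0 or 1"))
            continue
        if mac in seen:
            # Normalising first means AA:AA:... and aa:aa:... collide as intended.
            rejected.append((line, "duplicate MAC address %s" % mac))
            continue
        seen.add(mac)
        cleaned = dict(row)
        cleaned["mac"] = mac
        accepted.append(cleaned)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_device_import(SAMPLE_IMPORT)
    for row in ok:
        print("accept: mac=%s notes=%s" % (row["mac"], row["notes"]))
    for line, reason in bad:
        print("reject line %d: %s" % (line, reason))
```

Pass separator="-" and upper=True (or separator="") to emit whichever of the three documented spellings matches the format configured on the MAC Authentication plugin.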
{/if}
You can hide the login form by having the final line of the header be:
    {if !$guest_receipt.u.username}
and the first line of the footer be:
    {/if}
Active Sessions Management
The RADIUS server maintains a list of active visitor sessions. If your NAS equipment has RFC 3576 support, the RADIUS dynamic authorization extensions allow you to disconnect or modify an active session.
• If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions. See "RFC 3576 Dynamic Authorization" on page 72 for more information.
  ◦ To disconnect an active session, click the session’s row in the list, then click its Disconnect link. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete.
  ◦ To reauthorize a session that was disconnected, click the session’s row in the list, then click its Reauthorize link.
RFC 3576 Dynamic Authorization Dynamic authorization describes the ability to make changes to a visitor account’s session while it is in progress. This includes disconnecting a session, or updating some aspect of the authorization for the session.
Table 13: Operators supported in filters
=    is equal to
!=   is not equal to
>    is greater than
>=   is greater than or equal to
<    is less than
<=   is less than or equal to
~    matches the regular expression
!~   does not match the regular expression
To restore the default view, click the
Additional Information
You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
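To make the operator table concrete, here is an added example (not code from the guide or from W-ClearPass Guest) that evaluates a single filter expression of the form field, operator, value against session records. It implements the eight operators above, the pipe-separated value list for = and !=, and numeric comparison when both sides are numbers. The record fields, the session data, and the exact spelling "field<op>value" with no spaces required are assumptions of this example, not the product's filter grammar.

```python
import re

# Constructed active-session records (not real data), one dict per session.
SESSIONS = [
    {"username": "guest001", "role": "Guest", "nas_ip": "10.0.0.5", "bytes_in": 12000},
    {"username": "guest002", "role": "Contractor", "nas_ip": "10.0.0.5", "bytes_in": 550000},
    {"username": "jsmith", "role": "Employee", "nas_ip": "10.0.0.9", "bytes_in": 80},
    {"username": "guest010", "role": "Guest", "nas_ip": "10.0.1.2", "bytes_in": 0},
]

# Two-character operators are listed first so "!=" is not read as "!" then "=".
_EXPR_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(!=|>=|<=|!~|=|>|<|~)\s*(.*?)\s*$")


def _comparable(actual, wanted):
    """Compare numerically when both sides parse as numbers, else as strings."""
    try:
        return float(actual), float(wanted)
    except (TypeError, ValueError):
        return str(actual), str(wanted)


def matches(record, expression):
    """True if the record satisfies one '<field><op><value>' filter expression."""
    m = _EXPR_RE.match(expression)
    if not m:
        raise ValueError("malformed filter: %r" % expression)
    field, op, value = m.groups()
    if field not in record:
        return False
    actual = record[field]
    if op in ("=", "!="):
        # Documented: several values may be listed, separated by the pipe character.
        hit = any(str(actual) == alternative for alternative in value.split("|"))
        return hit if op == "=" else not hit
    if op in ("~", "!~"):
        try:
            hit = re.search(value, str(actual)) is not None
        except re.error as exc:
            raise ValueError("bad regular expression %r: %s" % (value, exc))
        return hit if op == "~" else not hit
    left, right = _comparable(actual, value)
    return {">": left > right, ">=": left >= right,
            "<": left < right, "<=": left <= right}[op]


def filter_sessions(records, expression):
    """Return the usernames of the records that match, in list order."""
    return [r["username"] for r in records if matches(r, expression)]


if __name__ == "__main__":
    for expression in ("role=Guest|Contractor", "bytes_in>=12000", "username!~^guest"):
        print(expression, "->", filter_sessions(SESSIONS, expression))
```

A regular expression filter such as username~^guest00 is anchored only where the expression says so, so ~ and !~ behave like a search, not a whole-value match; use ^ and $ when an exact shape is wanted.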
Sending Multiple SMS Alerts The SMS tab on the Active Sessions page lets you send an SMS alert message to all active sessions that have a valid phone number. An SMS alert during an active session can be used to send a group of visitors information you might want them to have immediately—for example, a special offer that will only be available for an hour, a change in a meeting’s schedule or location, or a public safety announcement. To create an SMS message: 1. Click the SMS tab on the Active Sessions page.
Chapter 4 Onboard + WorkSpace Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. The Onboard + WorkSpace module provides all the features of W-ClearPass Onboard and ClearPass WorkSpace together: l W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices across wired, wireless, and virtual private networks (VPNs).
- Enables the revocation of unique credentials on a specific user’s device.
- Leverages ClearPass profiling to identify device type, manufacturer, and model.
Deployment Step: Configure the hostname and networking properties of the Onboard provisioning server.
- DNS is required for SSL.
- Ensure that hostname resolution will work for devices being provisioned.
Reference: Refer to the ClearPass Policy Manager documentation.

Deployment Step: Configure the SSL certificate for the Onboard provisioning server. A commercial SSL certificate is required to enable secure device provisioning for iOS devices.
Table 15: Onboard Features

Feature
- Automatic configuration of network settings for wired and wireless endpoints.
- Secure provisioning of unique device credentials for BYOD and IT-managed devices.
- Support for Windows, Mac OS X, iOS, and Android devices.
- Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.
Platform            Example Devices                                        Version Required for Onboard Support                                                       Notes
Mac OS X                                                                   10.5 “Leopard”
Android             Samsung Galaxy S, Samsung Galaxy Tab, Motorola Droid   Android 2.2 (or higher)                                                                    2
Microsoft Windows   Laptop, Netbook                                        Windows XP with Service Pack 3, Windows Vista with Service Pack 3, Windows 7, Windows 8, Windows 8.1   2

Note 1: Uses the “Over-the-air provisioning” method.
Note 2: Uses the “Onboard provisioning” method.
Onboard may operate as a root CA directly, or as an intermediate CA. See "Certificate Authorities" on page 93. For information on setting up certificates when using Onboard in a cluster, see "Certificate Configuration in a Cluster" on page 80.

The Onboard CA issues certificates for several purposes:

- The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.
Revoking Credentials to Prevent Network Access

Revoking a device's certificate will cause the device to be unable to authenticate. It will not prevent it from being reprovisioned. If you wish to deny access to a device, use the Manage Access link in the device's row on the Management and Control > View by Device form.

If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate’s state.
- The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked and deny access to the network.

Using Same SSID for Provisioning and Provisioned Networks

To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines:

- Configure the network to use both PEAP and EAP-TLS authentication methods.
- When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.
For example, if the Onboard server’s hostname is onboard.example.com, the location of the CRL is: http://onboard.example.com/guest/mdps_crl.php?id=1. A certificate revocation list does not require the use of HTTPS and can be configured to use HTTP.

Network Architecture for Onboard

The high-level network architecture for the Onboard solution is shown in the following figure.

Figure 11: ClearPass Onboard Network Architecture

The sequence of events shown in Figure 11 is:

1.
Figure 12: Detailed View of the ClearPass Onboard Network Architecture

The components shown in Figure 12 are:

1. Users bring different kinds of client devices with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of the Windows and Mac OS X operating systems found on desktop computers, laptops, and netbooks.
2.
Figure 13: ClearPass Onboard Network Architecture when Using ClearPass Guest

The user experience for device provisioning is the same in Figure 13 and Figure 11; however, there are implementation differences between these approaches:

- When using the ClearPass Guest RADIUS server for provisioning and authentication, EAP-TLS and PEAP authentication must be configured. Navigate to RADIUS > Authentication > EAP & 802.
1. Pre-provisioning. The enterprise’s root certificate is installed on the iOS device.
2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device with the Onboard server. The device is configured with appropriate network settings and a device-specific certificate.
3. Authentication. Once configuration is complete, the user switches to the secure network and is authenticated using an EAP-TLS client certificate.
Figure 16: Over-the-Air Provisioning Workflow for iOS Platform

1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard server, so that the user can be assured of its authenticity.
2. An iOS device will have two certificates after over-the-air provisioning is complete:
   a. A Simple Certificate Enrollment Protocol (SCEP) certificate is issued to the device during the provisioning process.
Figure 17: ClearPass Onboard Process for Onboard-Capable Devices

The Onboard process is divided into three stages:

1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be installed for secure provisioning of the device.
2. Provisioning. The device provisioning page detects the device type and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server.
   a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this file will launch the QuickConnect app on the device.
   b. For Windows and Mac, the link is to an executable file appropriate for that operating system that includes both the QuickConnect app and the Onboard configuration settings.
3. The QuickConnect app uses the Onboard provisioning workflow to authenticate the user and provision their device with the Onboard server.
Using the {nwa_mdps_config} Template Function

Certain properties can be extracted from the Onboard configuration and used in the device provisioning page. To obtain these properties, use the {nwa_mdps_config} Smarty template function. The “name” parameter specifies which property should be returned, as described in Table 17.
A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the Web server’s SSL certificate (if it is a self-signed certificate), or the certificate authority that issued the SSL certificate. This is not recommended for production deployments as it increases the complexity of deployment for users with iOS devices.
You can also block access to WorkSpace and WorkSpace managed apps if a device is not managed by MDM. You must configure a policy on ClearPass Policy Manager and assign or set the rule for the device. The rules block all the WorkSpace apps if the device is not managed by MDM. For information on creating rules and policies, see Enforcement chapter in ClearPass Policy Manager User Guide.
Table 18: Platforms Supported by ClearPass WorkSpace

Platform    Example Devices              Version Required for WorkSpace Support
Apple iOS   iPhone, iPad, iPod Touch     iOS 5 and above versions

Initial Setup

The first section in the Onboard + WorkSpace navigation lets you perform various initial configuration tasks. To choose a setup task, or to add and manage mobile apps, go to Onboard + WorkSpace > Initial Setup > Start Here.
- To create a copy of a certificate authority configuration to use as a basis for a new certificate authority, click its Duplicate link. The first page of the Certificate Authority Settings form opens with the identity, private key, and self-signed certificate attributes prepopulated and "Copy" appended to the name. You can rename the new certificate authority and edit any of its attributes.
- To delete a certificate authority, you can click its Delete link.
To create an Onboard certificate authority:

1. Go to Onboard + WorkSpace > Initial Setup > Certificate Authorities, and then either click the Duplicate link for a certificate authority in the Certificate Authorities list or click the Create new certificate authority link. The initial setup page of the Certificate Authority Settings form opens.
2. In the Name field, give the CA a short name that identifies it clearly. Certificate authority names can include spaces.
you already have a public-key infrastructure (PKI), and would like to include the certificate issued for Onboard devices in that infrastructure.
- Imported CA— If you choose Imported CA, the following fields are removed from the form.

If you choose Root or Intermediate, complete the following fields.

5. In the Identity area, enter values in the Country, State, Locality, Organization, and Organizational Unit fields that correspond to your organization.
- X9.62/SECG curve over a 256-bit prime field
- NIST/SECG curve over a 384-bit prime field

10. In the Self-Signed Certificate area, for a root certificate the CA Expiration field is included in the form. Use this field to specify the lifetime of the root certificate in days. The default value is 365 days.
11. Use the Digest Algorithm drop-down list to specify which hash algorithm should be used to sign the digital certificate request.
Table 20: Certificate Authority Settings, Certificate Issuing Area

Field: Authority Info Access
Description: Specify one of the following options to control automatic certificate revocation checks:
- Do not include OCSP responder URL – The Authority Info Access extension is not included in the client certificate. Certificate revocation checking must be configured manually on the authentication server. This is the default option.
If you are using an Aruba controller to perform EAP-TLS authentication using these client certificates, you must have Aruba OS 6.1 or later to enable this option.

Table 21: Device Information Stored in TLS Client Certificates (columns: Name, Description, OID)

Device ICCID: Integrated Circuit Card Identifier (ICCID) number from the Subscriber Identity Module (SIM) card present in the device. This is only available for devices with GSM (cellular network) capability, where a SIM card has been installed.
In the SCEP Server area: Onboard may be used as a CA with third-party products that use Simple Certificate Enrollment Protocol (SCEP) to enroll certificates.

Table 23: Certificate Authority Settings, SCEP Server Area

SCEP Server: To enable access to the SCEP server, select this check box. The form expands to include SCEP server configuration options.
SCEP URL: Shows the URL for this SCEP server.
SCEP Secret: Enter the shared secret that SCEP clients must supply.
Requesting a Certificate for the Certificate Authority

The Intermediate Certificate Request page displays the certificate signing request for the certificate authority’s intermediate certificate. You can copy the certificate signing request in text format using your Web browser. Use this option when you can paste the request directly into another application to obtain a certificate. You can click the Download the current CSR link to download the certificate signing request as a file.
- To upload a certificate and private key, copy and paste the certificate and private key into the Certificate text field. The text must include the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines, as well as the “BEGIN RSA PRIVATE KEY” and “END RSA PRIVATE KEY” lines.

4. If you selected Upload certificate file, click Choose File in the Certificate row to browse to the file and select it.
- To upload a single certificate, choose a certificate file in PEM (base-64 encoded) or binary format (.
Using Microsoft Active Directory Certificate Services Navigate to the Microsoft Active Directory Certificate Services Web page. This page is typically found at https://yourdomain/certsrv/. The Welcome page opens. Click the Request a Certificate link on this page. The Request a Certificate page opens. Click the link to submit an advanced certificate request. The Advanced Certificate Request page opens. Click the link to submit a request using a base-64-encoded CMC or PKCS #10 file.
Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select the “Subordinate Certificate Authority” in the Certificate Template drop-down list. Click the Submit button to issue the certificate. Either the Certificate Pending or the Certificate Issued page is displayed.
If the Certificate Issued page is displayed, select the Base 64 encoded option and then click the Download certificate chain link. A file containing the intermediate certificate and the issuing certificates in the trust chain will be downloaded to your system. Refer to the instructions in "Installing a Certificate Authority’s Certificate " on page 101 for information on uploading the certificate file to Onboard.
Installing a Push Certificate

Installing the push certificate you received from the Apple Developer Center allows you to communicate privately and securely with the iOS devices you manage. You can either upload the distribution certificate file you received, or you can open the file and copy and paste the certificate contents.

To install a push certificate:

1. Go to Onboard + WorkSpace > Initial Setup > iOS MDM Push Certificate.
2. Click iOS Push Certificate Install.
3. Click Create a new CSR.
4.
See Also:
- "About Push Certificates" on page 105
- "Creating a Certificate Signing Request for Device Management" on page 105
- "Installing a Push Certificate" on page 106
- "Viewing Push Certificate Details" on page 107

Viewing Push Certificate Details

To view the push certificate:

1. Go to Onboard + WorkSpace > Initial Setup > iOS MDM Push Certificate.
2. Click iOS Push Certificate Details.
3. Click Show to view the certificate code.
   - SHA-224
   - SHA-256
   - SHA-384
   - SHA-512
4. Click Create Certificate Request.

See Also:
- "About iOS Distribution Certificates" on page 107
- "Viewing the Distribution Certificate" on page 109
- "Installing a Distribution Certificate" on page 108
- "Downloading the Distribution Certificate" on page 109

Installing a Distribution Certificate

Installing the distribution certificate you receive from the Apple Developer Center allows you to digitally sign and distribute the apps you manage.
- "Downloading the Distribution Certificate" on page 109

Downloading the Distribution Certificate

You can download the current distribution certificate and save it to your computer. Distribution certificate files have a default extension of .crt.

To download the distribution certificate:

1. Go to Onboard + WorkSpace > Initial Setup > iOS Distribution Certificate.
2. Click Distribution Certificate Details.
3. Click Download the current distribution certificate.
- "Deleting an iOS Provisioning Profile" on page 111

Uploading an iOS Provisioning Profile

Provisioning profiles typically have a .mobileconfig extension.

To upload an iOS provisioning profile:

1. Go to Onboard + WorkSpace > Initial Setup > iOS Provisioning Profiles.
2. Click Upload Provisioning Profile.
3. Click Browse, then navigate to where you downloaded the provisioning profile file, select it, and click OK.
4. Click Upload.
- Application Identifier— A number generated when the provisioning profile was created that, when combined with the approved domain, allows app distribution. In the profile XML, this is the value of the ApplicationIdentifierPrefix tag.
- Creation Date— The date at which the provisioning profile was created.
- Expiration Date— The date at which the provisioning profile expires. Apps can no longer be distributed using this profile after this date.
- Wildcard

Click the Details link to view the raw XML.
To add the different types of apps, use the links in the upper-right corner. To work with an app, click its row in the list to show the options links.
2. In the OS field, select the operating system of the app—either iOS or Web app.
3. In the iOS App Type field, select the type. Options include:
   - WorkSpace (policy managed)
   - Enterprise (policy managed)
   - Apple Public iOS AppStore (not policy managed)
4. In the Search By field, select whether to search by keyword or app ID.
5. Use the Country field to select the iTunes store's country.
6. Enter keywords to search for in the Keywords field.
Deleting an App

Deleting a managed app in WorkSpace results in it being automatically deleted from devices where it is installed within the WorkSpace app.

To delete an app:

1. Go to Onboard + WorkSpace > Initial Setup > Apps Management.
2. Click the name of an app.
3. Click Delete App.
Name: Icon. Description: Shows the icon currently used for the app.
Name: Customize Icon. Description: When selected, enables the Custom Icon and Revert Icon choices.
Name: Custom Icon. Description: Select from icon files uploaded with Content Manager.
Name: App Type. Description: The app type.
Name: App ID. Description: The app ID.
Name: Version. Description: The version of the app.
Name: URL Scheme. Description: The URL scheme, if available.
Name: Browser. Description: Select this option if the app is not a native iOS app.
2. Select iOS Enterprise Apps from the App Filter list to view only enterprise apps.
3. Click the name of an enterprise app.
4. Click Edit App Details.
5. Make any desired changes.
6. Click Save Changes.

Related Topics:
- "Adding an iTunes Store App" on page 116
- "Adding an Enterprise App" on page 114
- "Updating an Enterprise App" on page 116
- "Deleting an App" on page 114

Updating an Enterprise App

Apps get updated.
2. Click Add iOS iTunes App.
3. Make sure iOS and Apple Public iOS AppStore (not policy managed) are selected.
4. Enter the app search information:
   - If adding by ID, enter the App iTunes Store ID.
   - If adding by keyword, select a Country, and then enter all or part of an app name or other keyword that will find the app.
5. Click Search. A list of matching apps will appear.
6. Click Add below the app you want to add.
- "Web Apps" on page 117
- "Editing Web App Details" on page 118

Editing Web App Details

To edit Web app details:

1. Go to Onboard + WorkSpace > Initial Setup > Apps Management.
2. Select All Web Apps from the App Filter list to view only Web apps.
3. Click the name of a Web app.
4. Click Edit App Details.
5. Make any desired changes.
6. Click Save Changes.
includes its device type, device name (operating system), device ID (MAC address), user, the device's network access status, whether it is currently onboarded, and its MDM and WorkSpace status.
2. The Device Type filter lets you filter for All, Android, iOS, OS X, or Windows device types.
3. The Enrolled For drop-down list lets you display only Onboard/MDM-enrolled devices, or only WorkSpace-enrolled devices.
4. You can use the Keywords field to filter by device type, device name, username, or MAC address.
message advises you that any certificates associated with it will be revoked. The device cannot be re-enrolled as long as access is denied. To re-enroll the device, you must use this field to allow access again.
5. When you choose the Device Actions link, the actions that are available depend on the enrollment status of the onboarded device. Some actions are only available for an MDM-managed or WorkSpace device.
   - If the device is not enrolled, the only available action is Delete All Users.
7. To revoke or delete all client certificates for the device, click its Certificate Actions link. Mark the appropriate radio button, then click Manage Certificates.
8. To delete a device, click its Delete link. You will be asked to confirm the deletion. Deleting the device will also delete all user, certificate, and other data associated with the device. Certificates are deleted according to the Certificate Authority's retention policy.
To view and filter the list of users:

1. Go to Onboard + WorkSpace > Management and Control > View by Username. The Device Management (View by Username) list view opens. Information shown in this list for each user includes username, network access status, number of devices, number of onboarded devices, number of MDM-managed devices, and number of WorkSpace-enabled devices.
2. You can use the Keywords field to filter by username.

To work with a username:

1.
5. When you choose the Device Actions link, the actions that are available depend on the enrollment statuses of the user's onboarded devices. Some actions are only available if the user has MDM-managed or WorkSpace devices. If the user has no enrolled devices, the only available action will be to delete all devices. If the device is enrolled for WorkSpace, the options shown below will be available. Mark the appropriate Choose Action check box(es), then click Apply.
6.
Information provided in the Certificate Management list includes common name, certificate authority, serial number (if available), certificate type, validity date range, and device type—iOS, Android, Windows, or None (if not associated with a device type). Table 25 lists the types of certificate that are displayed in this list.
- To import a code-signing certificate or profile-signing certificate, see "Importing a Code-Signing Certificate" on page 129.
- To import a trusted certificate, see "Importing a Trusted Certificate" on page 131.

Searching for Certificates in the List

In the Certificate Management list, the Filter field can be used to quickly search for a matching certificate. Type a username into this field to quickly locate all certificates matching that username.
- OpenSSL Text Format—Exports the certificate as a full openssl text-format output, allowing you to view advanced details such as X509v3 extensions. It also includes the certificate in .pem format appended to the .txt file.
- PKCS#12 Certificate & Key (.p12)—Exports the certificate and its associated private key, and optionally any other certificates required to establish the trust chain for the certificate, as a PKCS#12 container.
The Delete Certificate form is displayed. Mark the Delete this client certificate check box to confirm the certificate’s deletion, and then click the Delete Certificate button.

Working with Certificate Signing Requests

Certificate signing requests can be managed through the Certificate Management list view. This allows for server certificates, subordinate certificate authorities, and other client certificates not associated with a device to be issued by the Onboard certificate authority.
the trust chain in a certificate bundle that can be imported as the server certificate in ClearPass Policy Manager, mark the Include certificate trust chain check box, then click the Export Certificate button. Click the Export Request button to download the certificate signing request file in the selected format.
- Sign request – Displays the Sign Request form. Use this action to approve the request for a certificate and issue the certificate.
Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button.
- Delete request – Removes the certificate signing request from the list. This option is only available if the data retention policy is configured to permit the certificate signing request’s deletion. The Delete Request form is displayed.
The procedure for importing a profile-signing certificate is the same as that for importing a code-signing certificate. To import a trusted certificate, see "Importing a Trusted Certificate" on page 131.

To import a code-signing certificate:

1. Do one of the following:
   - Go to Onboard + WorkSpace > Management and Control > View by Certificate and click the Upload a code-signing certificate link in the upper-right corner of the page.
1. Go to Onboard + WorkSpace > Management and Control > Certificate Management and click the Generate a new certificate signing request link. The Certificate Request Settings form opens.
2. In the Certificate Type drop-down list, choose Code-Signing.
3. Complete the rest of the form with your information. Mark the Issue this certificate immediately check box, then click Create Certificate Request.
3. You can use the following additional options in the upper-right corner of the Import Trusted Certificate page:
   - Click the Upload another trusted certificate link to upload additional certificates.
   - Click the Edit trust settings link to open the Trust tab of the Network Settings form.

Creating a Certificate

To create a new certificate, go to Onboard + WorkSpace > Management and Control > View by Certificate. The Certificate Management page opens.
To create a new certificate or certificate signing request, first select the type of certificate you want to create from the Certificate Type drop-down list:

- TLS Client Certificate—Use this option when the certificate is to be issued to a client, such as a user or a user’s device.
- Trusted Certificate—Use this option when the certificate is to be issued to a network server, such as a Web server or as the EAP-TLS authentication server.
The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options:

- 1024-bit RSA – lower security
- 2048-bit RSA – recommended for general use
- 4096-bit RSA – higher security

Using a private key containing more bits will increase security, but will also increase the processing time required to create the certificate and authenticate the device.
information.
Product Version: Software version number for the device.
User Name: Username of the user who provisioned the device.

Issuing the Certificate Request

To create the certificate, when you have completed the other fields on the Certificate Request Settings form, mark the Issue this certificate immediately check box. Click the Create Certificate Request button to save your changes.
EJILaCTBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQB8/So9KU5BS3oxjyxftIwF
dWvNP2CNruKyQaba5RQ1ixdHAsPE+3uYIHNvlqqIpSzBlfYkr21S4DdR3SSC3bXy
t4l/fyMuC1cEG/RpPSxdDALpeT8MuoGV1JonKo2BDitOEd4y5SXGmHmDBHrPW2Nd
gthkrtBb/a2WAkNcRfDuiQ==
-----END CERTIFICATE REQUEST-----

Providing a Certificate Signing Request File

Alternatively, if you have the certificate signing request as a file, click the Upload certificate signing request file radio button.
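Both the certificate-and-key paste described under "Upload certificate and private key" and the CSR text above are PEM blocks, and a truncated or mislabelled paste fails in confusing ways. The following is an added example, not ClearPass Guest code, of the checks worth running on pasted text before submitting it: matching BEGIN/END labels, a base64 body that decodes to DER, and, for a certificate-and-key upload, the presence of both a CERTIFICATE block and a private key block. The sample blocks are constructed stand-ins built from a tiny DER SEQUENCE, not real certificates or keys.

```python
"""Worked example of checking text pasted into the Certificate field
before it is submitted. Added illustration, not ClearPass Guest code; the
sample blocks below are constructed stand-ins, not real certificates or
keys."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.S)
PRIVATE_KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY")


def parse_pem_blocks(text):
    """Return a list of (label, der_bytes) for each PEM block in the text.
    Raises ValueError for a mismatched label, a body that is not base64, or
    a body that does not start with a DER SEQUENCE (0x30), which every X.509
    certificate, CSR and PKCS#1/PKCS#8 key does."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError("BEGIN %s block closed by END %s" % (begin, end))
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("%s block is not valid base64: %s" % (begin, exc))
        if not der.startswith(b"\x30"):
            raise ValueError("%s block does not decode to DER" % begin)
        blocks.append((begin, der))
    return blocks


def missing_for_certificate_and_key(text):
    """Names of the block types a certificate-and-key paste still lacks."""
    labels = [label for label, _ in parse_pem_blocks(text)]
    missing = []
    if "CERTIFICATE" not in labels:
        missing.append("CERTIFICATE")
    if not any(label in PRIVATE_KEY_LABELS for label in labels):
        missing.append("PRIVATE KEY")
    return missing


def is_well_formed(text):
    """True if every PEM block in the text parses; False on any defect."""
    try:
        parse_pem_blocks(text)
        return True
    except ValueError:
        return False


def pem(label, der):
    """Wrap DER bytes in a PEM block (used here only to build the samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed samples: a minimal DER SEQUENCE stands in for real content.
TINY_DER = b"\x30\x03\x02\x01\x01"
GOOD_PASTE = pem("CERTIFICATE", TINY_DER) + pem("RSA PRIVATE KEY", TINY_DER)
CERT_ONLY = pem("CERTIFICATE", TINY_DER)
MISMATCHED = GOOD_PASTE.replace("END RSA PRIVATE KEY", "END CERTIFICATE")
CORRUPT = GOOD_PASTE.replace("MAMCAQE=", "MAMC!QE=")

if __name__ == "__main__":
    print("good paste missing:", missing_for_certificate_and_key(GOOD_PASTE))
    print("cert only missing:", missing_for_certificate_and_key(CERT_ONLY))
    print("mismatched labels well-formed:", is_well_formed(MISMATCHED))
    print("corrupt base64 well-formed:", is_well_formed(CORRUPT))
```

The DER prefix check is deliberately shallow: it catches a paste that lost its first lines or picked up stray text, but it does not verify that the key matches the certificate, which only a full parse can do.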
The Trust Chain and Uploading Certificates for the CA

The Certificate Authority Trust Chain page is used to view the certificate authority’s current trust chain, or to upload a new certificate in the trust chain when configuring a certificate authority. To view the Certificate Authority’s trust chain, go to Onboard + WorkSpace > Initial Setup > Certificate Authorities and click the Trust Chain link for a certificate. The Certificate Authority Trust Chain page opens.
To export a certificate:

1. Click the Download Bundle link. The Export Certificate form opens.
2. In the Format row, choose the certificate format. The form expands to include configuration options for that format.
3. Complete the fields with the appropriate information, then click Export Certificate.

Considerations for iOS Devices

The server certificate is used by ClearPass to secure Web (HTTPS) and authentication (RADIUS) traffic.
The optimal configuration for Onboard is a server certificate issued by a trusted commercial certificate authority. A list of certificate authorities trusted by iOS devices can be found at http://support.apple.com/kb/HT5012. Alternatively, if you only wish to use a single Onboard Certificate Authority, then you can use that Certificate Authority to sign the server certificate. Users will then have to install the certificate as part of the provisioning process.
5. If all information in the spreadsheet is approved, select the Update information for overlapping assets check box to overwrite the ClearPass database with the new information, and then click Update. The Corporate Asset Database list opens and includes the new information.

See Also:
- "Adding a New Asset" on page 140
- "Editing an Asset" on page 140
- "Deleting an Asset" on page 141

Adding a New Asset

To add a new asset to your asset tracking list:

1.
1. Go to Onboard + WorkSpace > Management and Control > Asset Database.
2. Click the device's row in the list, and then click its Edit link. The row expands to include the Edit Asset form.
3. The form is the same as the Add Asset form, and all information is editable. Make the necessary changes to any of the fields.
4. Click Save Changes.

See Also:
- "Importing an Assets Spreadsheet" on page 139
- "Deleting an Asset" on page 141

Deleting an Asset

To delete an asset listed in the tracking list:

1.
A variety of configuration units are available, including such things as contacts, email, passcode policy, VPN, Web clips, and app policy template settings. After you define each of the configuration units you wish to use, you can include them in configuration profiles. The configuration profiles are then available in the Provisioning Settings form, and can be associated with a device provisioning configuration set.
- To edit any of an AirPlay setting's attributes, click its Edit link. The AirPlay Settings form opens.
- To create a copy of an AirPlay setting to use as a basis for a new setting, click its Duplicate link. The AirPlay Settings form opens with all attributes prepopulated and "Copy" appended to the setting's name. You can rename the new AirPlay setting, and edit any of its attributes.
- To delete an AirPlay setting, click its Delete link. You will be asked to confirm the deletion.
3. In the Description field, you can briefly describe the characteristics of the AirPlay setting.
4. In the AirPlay Destinations field, specify the device ID of each AirPlay destination that will be available to the device. Each device ID must be entered on a new line. To make all destinations available, leave this field empty.
5. (Optional) In the AirPlay Destination Passwords field, you may enter a device password for each destination.
6. Click Save Changes.
Creating and Editing AirPrint Settings

An AirPrint setting includes its name and description, and AirPrint printer locations that are available to the user.

To configure an AirPrint setting:

1. Go to Onboard + WorkSpace > Onboard/MDM Configuration > AirPrint, then click the Create new AirPrint settings link in the upper-right corner. The AirPrint Settings form opens.
2. In the Name field, give this AirPrint setting a short name that identifies it clearly. AirPrint setting names can include spaces.
All APN settings that have been created are included in the list. You can click an APN setting's row in the list for additional options:

- To view details for an APN setting, click its Show Details link.
- To edit any of an APN setting's attributes, click its Edit link. The APN Settings form opens.
- To create a copy of an APN setting to use as a basis for a new setting, click its Duplicate link. The APN Settings form opens with all attributes prepopulated and "Copy" appended to the setting's name.
App Lock Settings

App Lock Settings lets you manage the App Lock configuration settings that will be sent to a supervised provisioned device. App Lock settings are only supported on supervised iOS devices; they are ignored by all other devices.

To create and work with App Lock settings, go to Onboard + WorkSpace > Onboard/MDM Configuration > App Lock. The App Lock Settings list view opens. All App Lock settings that have been created are included in the list.
- To edit any of an App Lock setting's attributes, click its Edit link. The App Lock Settings form opens.
- To create a copy of an App Lock setting to use as a basis for a new setting, click its Duplicate link. The App Lock Settings form opens with all attributes prepopulated and "Copy" appended to the setting's name. You can rename the new App Lock setting, and edit any of its attributes.
- To delete an App Lock setting, click its Delete link. You will be asked to confirm the deletion.
devices.

To configure an App Lock setting:

1. Go to Onboard + WorkSpace > Onboard/MDM Configuration > App Lock, then click the Create new App Lock settings link in the upper-right corner. The App Lock Settings form opens.
2. In the Name field, give this App Lock setting a short name that identifies it clearly. App Lock setting names can include spaces. If you are duplicating an App Lock setting, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name.
3.
For information about the list of App Lock settings, see "App Lock Settings" on page 147. For more information about configuration profiles, see "Configuration Profiles" on page 208. Global HTTP Proxy Settings Global HTTP Proxy Settings lets you manage the Global HTTP Proxy configuration settings that will be sent to a supervised provisioned device. Global HTTP Proxy settings are only supported on supervised iOS devices; they are ignored by all other devices.
Creating and Editing Global HTTP Proxy Settings A Global HTTP Proxy setting includes its name, description, and common global HTTP proxy settings. Global HTTP proxy settings are only supported on supervised iOS devices; they are ignored by all other devices. To configure a Global HTTP Proxy setting: 1. Go to Onboard + WorkSpace > Onboard/MDM Configuration > Global HTTP Proxy, then click the Create new Global HTTP Proxy settings link in the upper-right corner. The Global HTTP Proxy Settings form opens. 2.
For information about the list of Global HTTP Proxy settings, see "Global HTTP Proxy Settings" on page 150. For more information about configuration profiles, see "Configuration Profiles" on page 208. Calendar Settings CalDAV accounts give a provisioned device access to scheduling information on a remote server. CalDAV account settings are only supported on iOS devices; they are ignored by all other devices.
2. In the Name field, give this calendar setting a short name that identifies it clearly. Calendar settings names can include spaces. If you are duplicating a calendar setting, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, you can briefly describe the characteristics of the calendar settings. 4. In the Account Description field, you can enter the display name for the account. 5.
CardDAV accounts allow users of a provisioned device to access and share contact data on a server. CardDAV contacts settings are only supported on iOS devices; they are ignored by all other devices. To create and work with CardDAV contacts settings, go to Onboard + WorkSpace > Onboard/MDM Configuration > Contacts. The Contacts Settings list view opens. All contacts settings that have been created are included in the list.
2. In the Name field, give this contacts setting a short name that identifies it clearly. Contacts settings names can include spaces. If you are duplicating a contacts setting, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, you can briefly describe the characteristics of the contacts settings. 4. In the Account Description field, you can enter the display name for the account. 5.
Device restriction settings let you configure the activities that will be allowed and the behaviors and settings that will be enabled on a provisioned device. Device restrictions settings are only supported on iOS devices; they are ignored by all other devices. To create and work with device restrictions settings, go to Onboard + WorkSpace > Onboard/MDM Configuration > Device Restrictions. The Device Restrictions Settings list view opens.
l Installing apps l Camera l Video conferencing l YouTube (not available for iOS 6 or later) l iTunes l iBookstore l Opening documents in unmanaged apps in managed apps (available only in iOS 7.0 and later) l Opening documents in managed apps in unmanaged apps (available only in iOS 7.0 and later) l Autonomous single-mode apps (available only in iOS 7.0 and later) 5.
l Siri for user-generated content (available only in iOS 7.0 and later) l Voice dialing l Fingerprint for unlock (available only in iOS 7.0 and later) l Passbook when device locked l Control Center when device locked (available only in iOS 7.0 and later) l Notification view when device locked (available only in iOS 7.0 and later) l Today view in Notification Center when device locked (available only in iOS 7.
All email settings that have been created are included in the list. You can click an email setting's row in the list for additional options: l To view details for an email setting, click its Show Details link. The form expands to show the email setting's name and description, as well as account, domain, server, port, SSL, authentication, and other details for the email account and the incoming and outgoing mail servers. l To edit any of an email setting's attributes, click its Edit link.
l Provisioning - values acquired during device provisioning l Shared preset values - testing only The remaining fields available in the General Settings area will vary according to your choice in this drop-down list. 6. In the Email Address field, enter the full email address for the account. 7. In the Email Address Domain field, enter the domain name to append to the username. 8. Choose an option in the When to Add Email Address Domain field.
In the Outgoing Mail Server Settings area: 1. Enter the hostname or IP address of the server for the outgoing mail in the Outgoing Mail Server field (for example, smtp.exampleprovider.com). 2. In the Port drop-down list, use the counter to select the port to use for outgoing mail. 3. To enable Secure Sockets Layer (SSL) communication with the server and ensure that communications are encrypted, mark the check box in the Use SSL row. 4.
include in a configuration profile. Exchange ActiveSync settings are only supported by iOS devices; they will be ignored by all other device types. To create and work with Exchange ActiveSync configurations, go to Onboard + WorkSpace > Onboard/MDM Configuration > Exchange ActiveSync. The ActiveSync Settings list view opens. All Exchange ActiveSync configuration units that have been created are included in the list.
1. Go to Onboard + WorkSpace > Onboard/MDM Configuration > Exchange ActiveSync, then click the Create new ActiveSync settings link in the upper-right corner. The Exchange ActiveSync Settings form opens. 2. In the Name field, give the ActiveSync configuration a short name that identifies it clearly. ActiveSync configuration names can include spaces. If you are duplicating a configuration, the original name has a number appended to it. You may highlight this name and replace it with a new name. 3.
l User provided — entered by user on device. This option requires the user to enter their credentials on the device to access their email. l Identity certificate — created during provisioning. This option uses the device’s TLS client certificate to authenticate the user. Using this option requires configuration of the ActiveSync server to authenticate a user based on the client certificate. l Provisioning — values acquired during device provisioning. l Shared preset values — testing only.
All networks that have been provisioned are included in the list. You can click a network's row in the list for additional options: l To view details for a network, click its Show Details link. The form expands to show its name, description, and configuration values for network access, wireless networks, enterprise protocols, enterprise authentication, enterprise trust, Windows networking, and proxy settings. l To edit any of a network's attributes, click its Edit link. The Network Settings form opens.
Navigating between different tabs will save the changes you have made. The modified settings are indicated with a “#” marker in the tab. The settings used for device provisioning are not modified until you click Create Network. To edit the network’s basic and wireless network access options, click the Access tab: 1. If you need to edit the network’s name, enter the new name in the Name field. 2. (Optional) You may enter additional identifying information in the Description field. 3.
6. In the Wireless Network Settings area: l The Security Version field lets you set the encryption version for the wireless network to WPA with TKIP or WPA2 with AES. l In the Auto Join row, you can mark the Automatically join network check box to specify that the device should be automatically connected to the network when it is provisioned. If only one network is available to the user, the device will be connected automatically.
l The Android EAP option supports PEAP with MSCHAPv2, PEAP with GTC, TTLS with MSCHAPv2, TTLS with GTC, TTLS with PAP, and TLS. l The Windows EAP option supports PEAP with MSCHAPv2 and TLS. These best practices are recommended when choosing the 802.1X authentication methods to provision: l Configure PEAP with MSCHAPv2 for Onboard devices – Android, Windows, and legacy OS X (10.5/10.6). l Configure EAP-TLS for iOS devices and OS X (10.7 or later).
l Username & Password – A device certificate will be provisioned, but the client authentication will use unique device credentials (as for Onboard devices). When this option is selected, EAP-TTLS or PEAP must be selected on the Protocols tab. 2. The fields available in the Windows Authentication area depend on which option was chosen for Windows EAP on the Protocols tab. If PEAP with MSCHAPv2 was selected, this area includes the Vista Credentials and XP Credentials fields.
2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only certificates included in this list will be trusted. Enter each server name on a separate line. You can use wildcards. 3. Do one of the following: l Click Previous to return to the Authentication tab. l Click Next to continue to the l Click Save Changes to make the new network configuration settings take effect.
2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only certificates included in this list will be trusted. Enter each server name on a separate line. You can use wildcards. 3. In the Trusted Certificates row, the recommended certificate is selected by default. You may click the field to open the drop-down list and select a different certificate the client should trust.
Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy.
Select one of these options in the Proxy Type drop-down list: l None – No proxy server will be configured. l Manual – A proxy server will be configured, if the device supports it. Specify the proxy server settings in the Server and Server Port fields. l Automatic – The device will configure its own proxy server, if the device supports it. Specify the location of a proxy auto-config file in the PAC URL text field. l Do one of the following: n Click Previous to return to the Windows tab.
All passcode policies that have been created are included in the list. You can click a passcode policy's row in the list for additional options: l To view details for a passcode policy, click its Show Details link. The form expands to show its name, description, and other configuration settings. l To edit any of a passcode policy's attributes, click its Edit link. The Passcode Policy Settings form opens.
2. In the Name field, give the passcode policy a short name that identifies it clearly. Passcode policy names can include spaces. If you are duplicating a passcode policy, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the passcode policy. 4. To require the user to create a passcode, mark the check box in the Force PIN field. 5.
10. To specify a maximum duration for the passcode, use the counter in the Max PIN Age field. After the specified number of days, the device is locked and the user must change their passcode. 11. To require that the passcode include complex characters, use the counter in the Min Complex Chars field to specify how many complex characters it must contain. Complex, or special, characters are non-alphanumeric, such as &%$#. 12.
l To view details for an SSO setting, click its Show Details link. The form expands to show the SSO setting's name and description; account description; and Kerberos principal name, realm name, and URL prefix matches. l To edit any of an SSO setting's attributes, click its Edit link. The Single Sign-On Setting form opens. l To create a copy of an SSO setting to use as a basis for a new SSO setting, click its Duplicate link.
l Instance = Optional string. Must be separated from the primary by a slash character. For a user, the instance might be null. For a host, this is the fully-qualified hostname—for example, "support.exampleSchool.edu". l Realm = The Kerberos realm. Usually the same as the domain name, in uppercase letters—for example, "EXAMPLESCHOOL.EDU". 7. In the Realm Name field, enter the Kerberos realm name. 8.
For information on creating, editing, or duplicating an application set, see "Creating and Editing Calendar Subscription Settings" on page 179. Creating and Editing Calendar Subscription Settings A calendar subscription's settings include its name and description, the account description, server, and whether SSL is enabled, as well as additional account details. To configure a calendar subscription setting: 1.
VPN Settings You can automatically configure virtual private network (VPN) settings on iOS and OS X 10.7+ devices. You can define multiple VPN configurations. Each configuration you define is a "configuration unit" that you can include in a configuration profile. Use VPN configuration profiles when you have deployed a VPN infrastructure and want to automatically provide the secure connection settings to users at the time of device provisioning.
l To create a copy of a VPN configuration to use as a basis for a new configuration, click its Duplicate link. The VPN Settings form opens with all attributes prepopulated and "Copy" appended to its name. You can rename the new configuration, and edit any of its attributes. l To delete a VPN setting, click its Delete link. You will be asked to confirm the deletion. l To see if the VPN configuration unit is currently used, click its Show Usage link.
2. In the Name field, give the VPN configuration a short name that identifies it clearly. VPN configuration names can include spaces. If you are duplicating a VPN configuration, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the VPN configuration. 4.
6. In the Machine Authentication area, you may enter a value in the Shared Secret fields, or leave them blank to prompt the user to create the shared secret. 7. In the User Authentication area of the form, you may enter a value in the Account field, or leave it blank to prompt the user to enter the account. 8. In the User Authentication field, select either Password or RSA SecurID as the authentication type for the connection. 9. You can specify a proxy server to use when the VPN connection is active.
2. In the Name field, give the VPN configuration a short name that identifies it clearly. VPN configuration names can include spaces. If you are duplicating a VPN configuration, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the VPN configuration. 4. In the Connection Type drop-down list, choose Dell VIA. The Dell VIA Settings form expands to include additional options. 5.
n Shared Secret / Group Name – An optional group name may be specified. A shared secret (pre-shared key) is used to establish the VIA connection. Authentication is performed with a username and password. b. If you choose the IKEv2 protocol, you can specify the following authentication types. For VIA deployments that use IKEv2, the VPN server always uses a certificate for IKEv2 authentication phase.
l In the Safari Domains field, enter the domain names that trigger the VPN connection with Safari. This option will be available when you select Per-App VPN. 15. Click Save Changes. The VPN configuration is available as a configuration unit on the Configuration Profile. Web Clips and Bookmarks When you create a Web clip, you can make any URL look like a native app on your device. You can assign it an icon, and when the icon is selected, the URL opens in its own frame.
1. Go to Onboard + WorkSpace > Onboard/MDM Configuration > Web Clips and Bookmarks, then click the Create new web clip link in the upper-right corner. The Web Clip Settings form opens. 2. In the Name field, give the Web clip a short name that identifies it clearly. Web clip names can include spaces. If you are duplicating a Web clip, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3.
All Web content filter settings that have been created are included in the list. You can click a Web content filter setting's row in the list for additional options: l To view details for a Web content filter setting, click its Show Details link. The form expands to show the Web content filter setting's name and description, whether automatic filtering is enabled, and the lists of permitted URLs, whitelisted bookmarks, and blacklisted URLs that have been configured.
2. In the Name field, give the Web content filter a short name that identifies it clearly. Web content filter names can include spaces. If you are duplicating a Web content filter, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the Web content filter. 4. To enable automatic filtering, select the check box in the Automatic Filtering field.
All MDM app policy templates that have been created are included in the list. You can click an MDM app policy template's row in the list for additional options: l To view details for an MDM app policy template, click its Show Details link. The form expands to show the MDM app policy template's name and description, VPN policies, single sign-on policies, and auto-configuration. l To edit any of an MDM app policy template's attributes, click its Edit link. The MDM App Policy Template Settings form opens.
2. In the Name field, give the MDM app policy template a short name that identifies it clearly. MDM app policy template names can include spaces. If you are duplicating an MDM app policy template, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the MDM app policy template. 4. To enable per-app VPN for the app, select the check box in the Per-App VPN field.
l VPN l Motion l Geographic fencing l Time fencing See Also: l "Creating a New App Policy Template" on page 192 l "Viewing App Policy Template Settings" on page 196 l "Editing App Policy Template Settings" on page 196 l "Pushing an App Policy Template" on page 197 l "Deleting an App Policy Template" on page 196 Creating a New App Policy Template To create an app policy template: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > App Policy Templates. 2.
Field Description Storage Policies Encrypt Storage Select this option to encrypt any data stored on the device by the managed apps. Note that the app must be restarted on the client device for the changes of this setting to take effect. Inter App Policies Data Copied From This App This option determines whether the data can be copied and pasted from one app to another app.
Field Description Network Access Control List This option defines networks users of apps within WorkSpace can authenticate on and communicate through. For each entry in the list, you define: Hostname/IP/range: A hostname such as example.com or an IP address. You can use the wildcard character (*) to define ranges. For example, *.example.com or 128.255.*.*. Action: Select: Allow to allow apps within WorkSpace to connect to the defined host/IP.
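The following is an added example, not code from the product or this guide: it evaluates a WorkSpace-style Network Access Control List against a hostname or IP, treating each "*" as a wildcard for one dot-separated label (so "*.example.com" matches "www.example.com" but not "example.com" or "www.example.com.attacker.net"). The one-label wildcard semantics, the "Deny" action, first-match-wins ordering and default deny are assumptions, not statements from the guide.

```python
"""Evaluate WorkSpace-style network ACL entries (constructed example)."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List

# Each label may contain letters, digits, hyphens and the "*" wildcard.
_LABEL_RE = re.compile(r"^[a-z0-9*-]+$")


@dataclass(frozen=True)
class AclEntry:
    pattern: str  # hostname or IP with optional "*" labels, e.g. "*.example.com", "128.255.*.*"
    action: str   # "Allow" (shown in the guide) or "Deny" (assumed to exist)


def _labels(value: str) -> List[str]:
    """Normalise case and split on dots; a trailing dot (FQDN form) is dropped."""
    return value.strip().lower().rstrip(".").split(".")


def pattern_is_valid(pattern: str) -> bool:
    """Reject empty labels and characters that are neither hostname nor IP nor wildcard."""
    return all(_LABEL_RE.match(label) for label in _labels(pattern))


def pattern_matches(pattern: str, target: str) -> bool:
    """Label-by-label comparison: a "*" label matches exactly one target label.

    Requiring the same number of labels prevents a pattern such as
    "*.example.com" from also matching "www.example.com.attacker.net".
    """
    pat, tgt = _labels(pattern), _labels(target)
    if len(pat) != len(tgt) or not all(tgt):
        return False
    return all(fnmatchcase(t, p) for p, t in zip(pat, tgt))


def evaluate(acl: List[AclEntry], target: str) -> str:
    """Return the action of the first matching entry; default deny when nothing matches (assumption)."""
    for entry in acl:
        if pattern_is_valid(entry.pattern) and pattern_matches(entry.pattern, target):
            return entry.action
    return "Deny"


# Constructed ACL using the two pattern shapes the guide gives as examples.
CONSTRUCTED_ACL = [
    AclEntry("*.example.com", "Allow"),
    AclEntry("128.255.*.*", "Allow"),
]

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "128.255.7.9", "10.0.0.1"):
        print(f"{host:>20} -> {evaluate(CONSTRUCTED_ACL, host)}")
```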
Field Description Motion Policies Enable Motion Policy Select this option if you want apps using this policy template to be disabled based on the velocity of the device. Device velocity is based on data from the device's GPS and accelerometer. Unit Select the unit of velocity measurement: Miles per hour Kilometres per hour Maximum velocity of the device Required when Enable Motion Policy is selected. Enter a number.
Viewing App Policy Template Settings To view an app policy template's settings: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > App Policy Templates. 2. Click the name of an app policy template. 3. Click Show Details.
l "Editing App Policy Template Settings" on page 196 l "Pushing an App Policy Template" on page 197 Pushing an App Policy Template When you push an app policy template, its settings get applied to all the apps managed within WorkSpace. To push an app policy template: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > App Policy Templates. 2. Click the name of an app policy template. 3. Click Push policies to apps. 4. Click OK.
l Showing App Set Usage Creating a New App Set App sets you define let you specify an app or group of apps to be installed during device provisioning, and whether an app requires the device to be restarted after provisioning. To configure an app set: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > App Sets, then click the Create new app set link in the upper-right corner. The App Set form opens. 2. In the Name field, give the app set a short name that identifies it clearly.
l Editing an App Set l Viewing App Set Details l Showing App Set Usage Editing an App Set To edit an app set: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > App Sets, then click the app set name in the list. 2. Modify the required details. 3. Click Save Changes. See Also: l Creating a New App Set l Viewing App Set Details l Showing App Set Usage Viewing App Set Details To view app set details: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > App Sets. 2.
3. Click Show Usage. The form expands to show a list of app sets profile. See Also: l Creating a New App Set l Editing an App Set l Viewing App Set Details WorkSpace Settings WorkSpace settings define security policies for managed apps and include settings for: l Passcode l Passcode authentication l Lock & wipe l Fail-safe l Logging Creating WorkSpace Settings To create WorkSpace settings: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > WorkSpace. 2. Click Create new WorkSpace Setting.
App Profile Option Description Allow Simple For users to use managed apps, they must enter a passcode when starting the WorkSpace app. l Select this option to restrict passcodes to a 4-digit number. l Clear this option to define more complex passcode policies. Require Alphanumeric Available only when the Allow Simple check box is cleared. When selected, users must include at least one letter in their passcode. Minimum Passcode Length Available only when the Allow Simple check box is cleared.
App Profile Option Description a period of time you define. Offline Time Limit If you enable the fail safe, enter a number of hours. If a device with WorkSpace installed doesn't connect to a network within the number of hours you define here, the WorkSpace app will be locked and its app data wiped. Logging Policies Email Logs "To": If you want activity logs emailed to anyone within your organization for analysis, enter valid email addresses here, one per line.
App Profile Option Description ers without using password. Enter the URLs for NTLM/Basic authentication based single sign-on (SSO). With SSO enabled, the user can log in once and gain access to all systems without being prompted to log in again. Enter the Email suffix that identifies the Email address used for SSO.
Editing WorkSpace Settings WorkSpace settings define security policies for managed apps and include settings for: l Passcode l Passcode authentication l Lock & wipe l Fail-safe l Logging To edit WorkSpace settings: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > WorkSpace. 2. Click the WorkSpace name. 3. Click Edit. 4. Make any desired changes. See the table below for details about each setting option. The Name and Description fields are in the General tab.
App Profile Option Description Minimum Complex Chars Available only when the Allow Simple check box is cleared. Enter a number to define the minimum number of complex characters a passcode must contain. A "complex" character is a non-alphanumeric character, or any character other than a number or letter. Maximum Passcode Age This policy defines the number of days before a device user must change their passcode to access managed apps in WorkSpace.
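As an added example (not code from the product or this guide), the checker below applies the passcode rules described for both the device passcode policy (Force PIN, Max PIN Age, Min Complex Chars) and the WorkSpace passcode options (Allow Simple, Require Alphanumeric, Minimum Passcode Length, Minimum Complex Chars, Maximum Passcode Age). It assumes that a "simple" passcode is exactly four digits, that a maximum age of 0 means no expiry, and that "complex" means any non-alphanumeric character, as the guide defines it.

```python
"""Passcode policy checks modelled on the options described in the guide (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass(frozen=True)
class PasscodePolicy:
    force_pin: bool = True            # Force PIN: a passcode is required at all
    allow_simple: bool = False        # Allow Simple: passcode is a 4-digit number
    require_alphanumeric: bool = False  # at least one letter (only when not simple)
    min_length: int = 4               # Minimum Passcode Length (only when not simple)
    min_complex_chars: int = 0        # Minimum Complex Chars (only when not simple)
    max_age_days: int = 0             # Maximum Passcode Age / Max PIN Age; 0 = never expires (assumption)


def complex_char_count(passcode: str) -> int:
    """Count characters that are neither letters nor digits, e.g. & % $ #."""
    return sum(1 for c in passcode if not c.isalnum())


def check_passcode(policy: PasscodePolicy, passcode: str) -> List[str]:
    """Return a list of policy violations; an empty list means the passcode is acceptable."""
    problems: List[str] = []
    if not passcode:
        return ["a passcode is required"] if policy.force_pin else []

    if policy.allow_simple:
        # Simple mode: the other complexity options are not available in the form.
        if not (len(passcode) == 4 and passcode.isdigit()):
            problems.append("simple passcode must be exactly 4 digits")
        return problems

    if len(passcode) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")
    if policy.require_alphanumeric and not any(c.isalpha() for c in passcode):
        problems.append("must include at least one letter")
    if complex_char_count(passcode) < policy.min_complex_chars:
        problems.append(f"must include at least {policy.min_complex_chars} complex character(s)")
    return problems


def passcode_expired(policy: PasscodePolicy, last_changed: date, today: date) -> bool:
    """True once the passcode has reached the configured maximum age in days."""
    if policy.max_age_days <= 0:
        return False
    return (today - last_changed).days >= policy.max_age_days


if __name__ == "__main__":
    strict = PasscodePolicy(require_alphanumeric=True, min_length=8, min_complex_chars=1)
    for candidate in ("1234", "abcdefg1", "Tr0ub4dor&3"):
        print(candidate, check_passcode(strict, candidate) or "OK")
```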
App Profile Option Description server time. Email Logs "Cc": If you want activity logs emailed to anyone within your organization for analysis, enter valid email addresses here, one per line. If any email addresses are entered, they are sent once per day at midnight, server time. Device and Guest management Device Management This option enables the device management through WorkSpace app. Device Management URL Enter the server URL to access the device management API.
App Profile Option Description Interval within WorkSpace before re-entering user name and password credentials to re-authenticate with the server. Configuration Poll Interval Defines the number of minutes between times that WorkSpace checks the server to see if there have been any configuration changes to it or to managed apps. Certificate Renewal Interval Defines the number of days that the certificate that authorizes WorkSpace and its managed apps will last.
Showing WorkSpace Setting Usage To see if an app set is currently used: 1. Go to Onboard + WorkSpace > WorkSpace Configuration > WorkSpace. 2. Click the name of a WorkSpace setting. 3. Click Show Usage. The form expands to show a list of app sets profile. See Also: l "Editing WorkSpace Settings" on page 204 l "Viewing WorkSpace Setting" on page 207 l "Duplicating WorkSpace Settings" on page 207 Deployment and Provisioning Onboard + WorkSpace lets you configure deployment and provisioning settings.
units that will be provisioned to it, and a list of supervised devices. For information on configuration units, see "Onboard/MDM Configuration" on page 141. l To edit any of a configuration profile's attributes, click its Edit link. The Profile form opens, where you can edit any of the profile's attributes. l To create a copy of a profile to use as a basis for a new profile, click its Duplicate link. The Profile form opens with all attributes prepopulated and a number appended to the profile's name.
Table 30: Create/Edit Configuration Profile Fields Field Description Name (Required) Short name that identifies the configuration profile clearly. Configuration profile names can include spaces. If you are duplicating a profile, the original name has a number appended to it. You may highlight this name and replace it with a new name. 210 | Onboard + WorkSpace Dell Networking W-ClearPass Guest 6.
Field Description Description (Optional) Brief description of the characteristics of the profile. AirPlay (Optional) AirPlay settings in this list were created on the Onboard + WorkSpace > Onboard/MDM Configuration > AirPlay Settings form. For more information, see "Creating and Editing AirPlay Settings" on page 143. AirPrint (Optional) AirPrint settings in this list were created on the Onboard + WorkSpace > Onboard/MDM Configuration > AirPrint Settings form.
Field Description For more information, see "Configuring an iOS Device VIA Connection " on page 183. Web Clips (Optional) This drop-down list is only available if you have defined Web clip settings on the Onboard + WorkSpace > Onboard/MDM Configuration > Web Clips and Bookmarks > Web Clip Settings form. For more information, see "Creating and Editing Web Clips" on page 186.
l To create a copy of a provisioning set to use as a basis for a new configuration, click its Duplicate link. The Device Provisioning Settings form opens with all attributes prepopulated and "Copy" appended to its name. You can rename the new configuration, and edit any of its attributes. l To delete a provisioning set, you can click its Delete link. l To view and test a device provisioning Web login page, click its Test link.
Tab Description provisioning. See "Configuring Provisioning Settings for Android Devices" on page 223. Onboard Client Specifies options for Windows, Android, and legacy OS X (10.5/6) device provisioning such as provisioning address and access, certificate validation, logo, and support information. See "Configuring Options for Legacy OS X, Windows, and Android Devices" on page 225.
Field Description default. If additional certificate authorities are created, they are included in this dropdown list (see "Creating a New Certificate Authority" on page 94). Signer (Required) Select the source to use for signing TLS client certificates. Options include Onboard Certificate Authority and Active Directory Certificate Services (ADCS). If Active Directory Certificate Services is chosen, the ADCS URL and ADCS Template rows are added to the form.
Table 34: Device Provisioning Settings, General Tab, Supported Devices Area Field Description iOS & OS X Devices OS X 10.5.6 Devices Windows Devices Android Devices To enable device types for provisioning, mark their check boxes. When you unmark a check box for a device type that will not be provisioned, the corresponding tab is removed from this tabbed form. MDM Managed Enables MDM for an iOS device. An iOS push certificate must be installed first.
Field Description Send Email Notification When to send the email. Options include one, two, three, or four weeks before expiration. If Email is Unknown Action to take if the user's email address is not recorded with the certificate. Options include: l Do not send any message l Send a message to a fixed email address l Send a message to username@domain Unknown Address Address to use when no email address is known for the user.
2. In the Page Name field, enter the page name for the Web login page. In the Login Form area: 1. In the Authentication drop-down list, select the authentication requirement. Options include: l Single Sign-On – Enable SSO for device provisioning (SSO support is enabled at CPPM > Configuration > Identity > Single Sign-On) l Access Code – Only require username for authentication l Anonymous – Do not require a username or password 2.
In the Network Login Access area: 1. In the Allowed Access field, enter the IP addresses and networks from which logins will be allowed. 2. In the Denied Access field, enter the IP addresses and networks from which logins will be denied. 3. Use the drop-down list in the Deny Behavior field to select the response shown to the user if their login request is denied. Options in this list include Send HTTP 404 Not Found status, Show Access Denied page, and Show a blank page. 4.
3. In the Profile Security row, select one of the following options from the drop-down list to control how a device provisioning profile may be removed: l Always allow removal – The user may remove the device provisioning profile at any time, which will also remove the associated device configuration and unique device credentials. l Remove only with authorization – The user may remove the device provisioning profile if they also provide a password.
l Generate using the Onboard CA -- This method establishes a trust chain when the CA certificate is already installed. l Use an uploaded certificate -- This method can be used for public access situations, and allows a .mobileconfig profile to be signed using a public SSL certificate (for example, one issued by VeriSign). 7. In the Common Name field, enter the display name of the certificate used to sign the configuration profile.
2. In the Disconnect Delay row, enter the duration in seconds for the Web server to wait after receiving a disconnect request before it sends the request to the controller. This delay gives the client time to receive a valid HTTP response before being disconnected from the network.
3. In the Reconnect Delay row, enter the duration in seconds for the client to wait after sending a disconnect request to the Web server before it sends a reconnect request.
2. In the Code-Signing Certificate drop-down list, select a certificate for signing the provisioning application, or leave the default setting of None – Do not sign the application.
3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
4.
2. In the Android Rootkit Detection drop-down list, choose one of the following options:
- Provision all devices – All Android devices will be provisioned.
- Do not provision rooted devices – Onboard will detect a jailbroken Android device and will not provision the device if it has been compromised.
3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions.
6. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
7. You may use the Insert content item drop-down list to add an image file or other content item.
8. When your entries are complete in this tab, click Save Changes.
4. The Provisioning Access warning message is displayed when HTTPS is not required for guest access. HTTPS is recommended for all deployments as it secures the unique device credentials that will be issued to the device. When using HTTPS for device provisioning, you must obtain a commercial SSL certificate.
Users can perform the following operations on WorkSpace or Onboard:
- View, enable, disable, or delete a device.
- Revoke a device's client certificate.
- Report a device as lost or stolen.
- Lock or unlock or wipe device details.
- Lock or unlock WorkSpace.
- Manage apps (wipe, lock, and install/update/uninstall apps).
For more information on various device actions, see "Device Management (View by Device)" on page 118.
Chapter 5 Configuration

Dell Networking W-ClearPass Guest's built-in Configuration editor lets you customize many aspects of the appearance, settings, and behavior of the application.
Advertising Services

Advertising Services lets you deliver marketing promotions and advertisements to your users on a variety of Guest Management registration, receipt, and login pages. To work with W-ClearPass Guest Advertising Services, go to Configuration > Advertising > Start Here.
Your materials are the actual advertisements that are delivered. They can be Web ads such as images, FLASH animations, or text, or they can be SMS ads. You can group your materials into promotions and apply some rules about how to deliver them. Materials and promotions are then organized into advertising campaigns that run over a specified date range and with a specified priority (rank and weight).
1. Create the materials.
2. Create a promotion.
3. Create a campaign.
4. Enable at least one space.
5. For each page or group of pages, specify which campaigns and spaces can be presented.

About the Tutorial

W-ClearPass Guest provides a Getting Started tutorial to help you become familiar with Advertising Services concepts and procedures. You can refer to the tutorial at any time. To view the tutorial, go to Configuration > Advertising > Start Here and click the Getting Started link.
Advertising Pages

The Advertising Pages form lists the Guest Manager areas whose pages can be used for advertising, and provides access to advertising configuration for them. In W-ClearPass Guest, these pages include login, registration, receipt and self-service pages, and email and SMS receipts. To work with the advertising settings for a Guest Manager page group or page, go to Configuration > Advertising > Pages. The Edit Page list view opens.
In the General Properties area of the form, select a page group or page and set the basic properties:

Table 38: General Properties, Edit Page
Page: The page group being edited. The page group name is a link to the corresponding area of the application: Guest Management opens the Start page of the Guest Manager module. Guest Self-Registration opens the Customize Guest Registration edit diagram.
Parent Page: Indicates the page's parent page, if there is one.
In the Campaign Options area of the form, set the options that control which campaigns can deliver advertising on this page:

Table 40: Campaign Options, Edit Page
Allowed Campaigns Policy: Specifies which campaigns to use. Options include:
- Use parent campaigns
- Use parent campaigns, but also allow advertising from...
- Allow advertising from all campaigns
Allowed Campaigns: If Use parent campaigns, but also allow advertising from...
All advertising spaces that have been created are included in this list. You can click a space's row in the list for additional options.

Table 41: Advertising Spaces List
Edit: Edit any of the space's properties. See "Creating and Editing Advertising Spaces" on page 236.
Enable: Enable the space so advertising will be displayed. To make advertising inactive in that space again, click the Disable link.
In the General Properties area of the form, set the basic properties for the space:

Table 42: General Properties, Edit Space
Name: Name of this space.
Enabled: If selected, allows promotions to be shown in this space.
Rank: Applies a relative rank to the space. A rank of 1 is higher than a rank of 2.
Description: Optional comments or notes about this space.
Location: Describes the position of the space on the page.
- Large Screens – show on large screens only (laptops, desktops)
Minimum Width: Minimum width in pixels for this space.
Maximum Width: Maximum width in pixels for this space.
Width: Minimum and/or maximum width in pixels for this space.
Minimum Height: Minimum height in pixels for this space.
Maximum Height: Maximum height in pixels for this space.
Height: Minimum and/or maximum height in pixels for this space.
Maximum Rows: Maximum number of rows.
To create and work with advertising campaigns, go to Configuration > Advertising > Campaigns. The Advertising Campaigns list view opens. All advertising campaigns that have been created are included in this list. You can click a campaign's row in the list for additional options.

Table 45: Advertising Campaigns List
Edit: Edit any of the campaign's properties. See "Creating and Editing Advertising Campaigns" on page 239.
Delete: Delete the campaign from the system.
Table 46: General Properties, Edit Campaign
Name: (Required) Name for this campaign.
Enabled: If selected, allows promotions from this campaign to be delivered.
Start Date: Date and time on which this campaign will begin. To start delivering this campaign immediately, leave this field blank.
End Date: Date and time after which the campaign will no longer be delivered. To deliver this campaign indefinitely, leave this field blank.
Promotions define rules for how and when advertisements are delivered and what materials should be included. Promotions can also be configured to use intelligent delivery, presenting relevant advertising to users. To create and work with advertising promotions, go to Configuration > Advertising > Promotions. The Advertising Promotions list view opens. All advertising promotions that have been created are included in this list. You can click a promotion's row in the list for additional options.
In the General Properties area of the form, set the basic properties for the promotion:

Table 49: General Properties, Edit Promotion
Name: (Required) Name of this promotion.
Enabled: If selected, allows this promotional material to be delivered.
Start Date: Date and time when the promotional material can start being delivered. To start delivering this promotion immediately, leave this field blank.
End Date: Date and time after which the promotion will no longer be delivered.
Depending on the selection in the Type field, the next area of the form will be either Rotating Content, Weighted Content, Fixed Content, or Labeled Content. In this area, set the options that control the content of the promotion.

Table 50: Rotating, Fixed, Weighted, or Labeled Content, Edit Promotion
Content: For fixed content, select a single content item for the promotion.
Content Items: (Required) For rotating or weighted content, all items in this list are initially selected.
In the Intelligence area of the form, set the options that control intelligent delivery of content for the promotion:

Table 51: Intelligence Options, Edit Promotion
Enabled: If selected, allows a more selective delivery by matching user labels to material labels. (Material also inherits labels from the promotions that include it.)
Requirement Levels: How often the specified labels should be matched. These settings override the Default Level in the next field.
All advertising materials that have been created are included in this list. You can click a material's row in the list for additional options.

Table 52: Advertising Materials List
Edit: Edit any of the material's properties. See "Creating and Editing Advertising Materials" on page 245.
Delete: Delete the material from the system. You will be asked to confirm the deletion.
Disable: Disable the material. To make the material active again, click the Enable link.
In the General Properties area of the form, set the basic properties for the material:

Table 53: General Properties, Edit Promotional Material
Name: (Required) Name for this material.
Enabled: If selected, allows this material to be delivered.
Start Date: Date and time on which this campaign will begin. To start delivering this material immediately, leave this field blank.
End Date: Date and time after which the material will no longer be delivered.
- Text advertisement
- YouTube video advertisement
When you make a selection here, the rest of the form includes the appropriate options.
Flash (Flash): The Flash animation file (.swf) of the material. Either select a file that is already uploaded to Content Manager, or upload a new file. Maximum file upload size is 15.0 MB.
Template Code (HTML code): To code your own advertisement using raw HTML, enter the HTML code to display. Smarty template functions can be used.
Configuring W-ClearPass Guest Authentication

You can use the Configuration module to modify authentication settings for the Dell Networking W-ClearPass Guest application. To configure W-ClearPass Guest's authentication settings:
1. Go to Configuration > Authentication. The Authentication Settings form opens.
2. To send automatic disconnect or re-authorization messages when enabled or role values change, mark the check box in the Dynamic Authorization row.
To use a content item, you can insert a reference to it into any custom HTML editor within the application. To do this, select the content item you want to insert from the drop-down list located in the lower right corner of the HTML editor. The item will be inserted using HTML that is most suited to the type of content inserted. To manually reference a content item, you can use the URL of the item directly. For example, an item named logo.jpg could be accessed using a URL such as: http://192.0.2.
2. Click the Upload New Content tab. The Add Content form opens.
3. In the File row, click Browse to navigate to the file you wish to upload. The maximum file size is 15 MB. You can upload single content files, multiple content asset files and folders, or a Web deployment archive. To upload multiple assets, first compress the files as a "tarball" or zip file, then browse to it in the File field. Allowed file formats are .tgz, .tar.gz, .tb2, .tar.bz2, or .zip.
If you clicked the Upload New Content link on the Private Files list view, the file is added to the private directory in ClearPass. If you clicked the link on the Public Files list view, it is added to the public directory on the Web server. You can reference the file when creating custom HTML templates.

Creating a New Content Directory

1.
About Digital Passes

A digital pass is a cryptographically signed file that contains fields and images. When viewed by a user, a pass looks like a simple card, with a front side and a back side. Passes are issued to users as boarding passes, event tickets, coupons, store passes, or other scannable items (for example, a membership pass). Passes can be organized in Apple Passbook on the user's device.
To use a pass such as a membership card or store card, the user selects it from the passbook and displays it so the barcode can be scanned. To use a pass such as a boarding pass or event ticket where date relevance or location relevance was configured, it can be accessed when it becomes active on the lock screen at the relevant time or place.
- Colors: Foreground, background, and label. If no alternate colors are specified, then default colors will be used. If there are alternate colors specified, then they will be used instead of the default colors.
- Summary: Short description for a voice-over.
- Icon: Displayed on the lock screen. A shine effect is automatically applied to the icon. To select an icon image, it must first be uploaded to the Public Files area of the content manager.
You also need to provide the private key for the pass certificate. If you created the certificate signing request using Keychain Access:
1. In Keychain Access, locate the private key for the certificate signing request.
2. Export this private key to a Personal Information Exchange (.p12) file.
To install the pass certificate and the associated private key in ClearPass Guest, go to Configuration > Digital Passes > Start Here and click Install Pass Certificate.
If no pass certificate is installed yet, no details are displayed. Click the Upload pass certificate link to obtain and install a certificate. See "Installing Digital Pass Certificates" on page 256.

Installing Digital Pass Certificates

You must have a valid Pass Certificate issued by Apple in order to generate and download passes. To obtain a pass certificate, you first need an Apple developer account. Developer accounts are free; to register for an account, go to developer.apple.
Table 56: Public Files List View
Format: Specify whether you will upload the certificate as a file or paste in the certificate text. The form expands to include the Step 2 options.
Certificate: For certificates pasted as text, copy and paste the digital certificate's text. This is a block of encoded text and should include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines. For uploaded certificate files, browse to the certificate to upload.
Table 57: Pass Templates List View
Edit: Edit any of the template's properties.
Copy: Make a copy of the template to use as a basis for a new template.
Reset to Defaults: Resets the default template to its original settings if changes were made. (Only available for the default template.)
Delete: Deletes the pass template. (The default Guest Receipt template cannot be deleted.)
Create a new template: Create a new template.
Defining Pass Properties

For examples of variables that can be used in the Summary and Logo Text fields described in the following table, click the Example 'template code' replacements link above the form, or see "Example Template Code Variables" on page 263. For a list of image fields supported by each of the different pass styles, click the A note regarding images and icons link above the form, or see "Images in Digital Passes" on page 264.
Icon Image: Icon shown on the lock screen and in notifications and emails where the pass is attached. To use the default icon, leave this field blank. The low-resolution version of the icon image should be 29 x 29 pixels. If an "@2x" high-resolution version is available, it will also be added to the pass. The "@2x" high-resolution version should be 58 x 58 pixels.
Logo Image: Logo shown at the top-left corner of the front of the pass. To use the default logo, leave this field blank.
Defining Pass Fields

Table 60: Pass Fields, Pass Template Settings
Fields: (Required) List of fields currently included in this pass template, with descriptions. You can click a field's row for configuration options.
Edit: Opens the Field Properties editor, where you can enable the field and modify its placement, content, and presentation properties.
Disable: Disables the field for the pass. To enable it again, click its Enable link.
Locations: (Required) Lists the locations that have been defined for this pass template.
Add new location: Click this link to add and configure a new location.

Defining Relevant Dates

When a relevant date is configured and enabled, the pass can be displayed on the user's lock screen during an appropriate window of time — for example, an Event Ticket pass would be displayed within the time window for entry to the event. The length of the time window is determined by the pass style.
generated.
Date Fields: If the result of processing a date field is a number, the number is interpreted as a UNIX timestamp. If the result of processing a date field is textual (not a number and not empty), the text is converted to a valid date and time value.

Defining Associated Apps

Multiple associated apps can be added. An Apple ID must be provided for each app.
Images in Digital Passes

To make images available for selection, they must first be uploaded to the Public Files area in Content Manager. The images supported by each style of pass are shown below. This images list is also available when you go to Configuration > Digital Passes > Pass Templates, click the Edit or Create link, and then click the A note regarding images and icons link. Only PNG image files (*.png) are supported by passes. A pass can contain both a low-resolution version (i.e.
Email Receipts and SMTP Services

With SMTP Services, you can configure W-ClearPass Guest to send customized guest account receipts to visitors and sponsors by email. Email receipts may be sent in plain text or HTML format. You may also send email receipts using any of the installed skins to provide a look and feel. To use the email sending features, you must have the SMTP Services Plugin installed.
The following options are available in the Enabled drop-down list to control email delivery:

Table 64: Email Delivery Options, Customize Guest Self-Registration
Disable sending guest receipts by email: Email receipts are never sent for a guest registration.
Always auto-send guest receipts by email: An email receipt is always generated using the selected options, and is sent to the visitor's email address.
Email Receipt Options

The Customize Email Receipt form may be used to set default options for visitor account email receipts. To configure email receipt options, go to Configuration > Email Receipt. The Customize Email Receipt form opens.

Figure 23 Customize Email Receipt page

Table 65: The Customize Email Receipt Form
Subject Line: May contain template code, including references to guest account fields.
- Do not send copies – The Copies To list is ignored and email is not copied.
- Always send using 'cc:' – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available).
- Always send using 'bcc:' – The Copies To list is always sent a blind copy of any guest account receipt (even if no guest account email address is available).
About Customizing SMTP Email Receipt Fields

The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per-user basis.
- smtp_enabled – This field may be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used.
- smtp_warn_before_template_id – This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is "default", the default template ID under the Logout Warnings section on the email receipt configuration is used.
- smtp_warn_before_receipt_format – This field overrides the email format under Logout Warnings to use for the receipt.
To display only the fields that you have created, click the Custom Fields Only link in the bottom row of the list view. To return to displaying all fields, click the All Fields link.

Creating a Custom Field

To create a custom field, click the Create tab at the top of the window or the Create a new field link at the bottom of the window. The Create Field form is displayed. The Field Name is not permitted to have spaces, but you can use underscores. Enter a description in the Description field.
You can specify the default properties to use when adding the field to a form. See "View Field Editor" on page 294 for a list of the available user interface types. If you select Text or Password as the User Interface type, the Placeholder row is added to this form. You may use this field to enter a temporary value, such as a hint for how to complete the field, that can later be overridden by the user completing the form that uses this field.
Deleting a Field

Fields that do not have a lock symbol can be deleted by clicking the Delete link. You will be asked to confirm the deletion; once you confirm, you are informed when the deletion has been completed. A field that is currently in use on a form or view may not be deleted.

Displaying Forms that Use a Field

Click the Show Forms link to see a list of forms that use the selected field.
Editing Forms and Views

You can change the general properties of a form or view such as its title and description. To edit the form or view, go to Configuration > Forms & Views, click the form's or view's row in the list, then click its Edit link. The row expands to include the Edit Properties form. The Width field is only displayed for views. It specifies the total width of the list view in pixels. If blank, a default value is used.
Editing Forms

To add a new field to a form, reorder the fields, or make changes to an existing field, go to Configuration > Forms & Views, click the form's row in the Customize Forms & Views list, and then click the Edit Fields link. The Customize Form Fields view opens. Columns on the form editor:

Table 66: Form Editor Columns
Rank: Specifies the relative ordering of the fields when displaying the form. This list always shows the fields in order by rank.
Form Field Editor

The form field editor is used to control both the data gathering aspects and user interface characteristics of a field. Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form. The remainder of the form field editor is split into three sections:
- Form Display Properties
- Form Validation Properties
- Advanced Properties
See "Form Display Properties" on page 276 for detailed descriptions of these form sections.
The image may be regenerated, or played as an audio sample for visually impaired users. When using the recommended validator for this field (NwaCaptchaIsValid), the security code must be matched or the form submit will fail with an error.
- Check box – A check box is displayed for the field, as shown below: The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1).
The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key values of each selected check box. Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type.
For example, suppose the first two check boxes are selected (in this example, with keys “one” and “two”). The incoming value for the field will be an array containing 2 elements, which can be written as array("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value “one,two”, which is then used as the value for the field.
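The conversion step described above, as an added example that is not code from the guide or from ClearPass: a small model of a check box group whose submitted array is stored in a custom field as a comma-separated string (the behaviour the guide attributes to NwaImplodeComma) and read back for redisplay. The options list and the form data are constructed; the rejection of option keys that contain the delimiter is a caveat added here, because such a key could never be split back out of the stored string.

```python
from typing import Dict, List, Union

# Constructed options list for a check box group: option key -> displayed text.
OPTIONS: Dict[str, str] = {"one": "Option one", "two": "Option two", "three": "Option three"}


def implode_comma(value: Union[List[str], str]) -> str:
    """Conversion modeled on the guide's description of NwaImplodeComma:
    ["one", "two"] -> "one,two". A value that is already a string passes through."""
    if isinstance(value, str):
        return value
    for key in value:
        # A key containing the delimiter could not be recovered by explode_comma.
        if "," in key:
            raise ValueError(f"option key {key!r} contains the delimiter")
    return ",".join(value)


def explode_comma(stored: str) -> List[str]:
    """Value-format direction: "one,two" -> ["one", "two"]; empty string -> []."""
    return [] if stored == "" else stored.split(",")


def submitted_selection(form_data: Dict[str, object], field: str,
                        options: Dict[str, str] = OPTIONS) -> str:
    """Take the submitted array for a check box group, drop any key that is not in the
    options list (a browser can send anything), and return the string to store."""
    raw = form_data.get(field, [])
    keys = [raw] if isinstance(raw, str) else list(raw)
    return implode_comma([k for k in keys if k in options])


def checked_boxes(stored: str, options: Dict[str, str] = OPTIONS) -> Dict[str, bool]:
    """Redisplay: which check boxes are rendered as selected for a stored value."""
    selected = set(explode_comma(stored))
    return {key: key in selected for key in options}


if __name__ == "__main__":
    posted = {"interests": ["one", "two"]}          # constructed form submission
    stored = submitted_selection(posted, "interests")
    print(stored, checked_boxes(stored))            # one,two {'one': True, ...}
```

Filtering the submitted keys against the options list is the same check the guide's IsInOptionsList validator performs for single-choice fields; doing it before the implode keeps unexpected keys out of the stored string.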
- Drop-down list – The field is displayed allowing a single choice from a drop-down list. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field. If the "Hide when no options are selectable" check box is selected, and there is only a single option in the drop-down list, it will be displayed as a static text item rather than as a list with only a single item in it.
is submitted. If the value should be forced, use the Force Value setting under Advanced Properties to ensure the value cannot be overridden. For more information, see "Advanced Form Field Properties" on page 290. To set the value to submit for this field, use the Initial Value option in the form field editor.
- Multiple Selection List – A list of selectable options will be displayed. The text displayed for each check box or radio button is the value from the options list.
- Password text field – The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field.
- Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected, as shown below: The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field.
The "Vertical" and "Horizontal" layout styles control whether the radio buttons are organized in top-to-bottom or left-to-right order. The default is "Vertical" if not specified.
- Static text – The field's value is displayed as a non-editable text string. An icon image may optionally be displayed before the field's value. A hidden element is also included for the field, thereby including the field's value when the form is submitted.
- Static text (Raw value) – The field's value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting. Use caution when using this type of user interface element, particularly if the field's value is collected from visitors. Allowing HTML from untrusted sources is a potential security risk.
If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
- Static text (Options lookup) – The value of the field is assumed to be one of the keys from the field's option list. The value displayed is the corresponding value for the key, as a non-editable text string.
- Submit button – The field is displayed as a clickable form submit button, with the label of the field as the label of the button. The description is not used. The field's value is ignored, and will be set to NULL when the form is submitted. To place an image on the button, an icon may be specified. To match the existing user interface conventions, you should ensure that the submit button has the highest rank number and is displayed at the bottom of the form.
It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options, or by specifying a width in the CSS Style option (for example, "width: 460px; height: 100px;" specifies a 460 x 100 pixel minimum area).
- Text field – The field is displayed as a single-line text box. The text typed in this box is submitted as the value for the field. A short text label may be placed after the text box using the Label After option.
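The difference between the Static text and Static text (Raw value) element types above is whether the field's value is HTML-escaped before display. The following added example, not code from the guide or from ClearPass, renders both variants for a constructed visitor-supplied value so the escaping behaviour can be checked directly. It also renders the hidden element the guide says accompanies a static text field; note that the hidden input's value attribute must be escaped in both modes, since it is an attribute and not the displayed text.

```python
import html
from typing import Optional


def render_static_text(name: str, value: str, raw: bool = False,
                       icon_url: Optional[str] = None) -> str:
    """Render a static text element and the hidden input that carries its value.

    raw=False: Static text, the value is HTML-escaped before display.
    raw=True:  Static text (Raw value), the value is emitted unescaped, so it must
               come from a trusted source (an administrator), never from a visitor.
    The hidden input's value attribute is always escaped, in both modes."""
    shown = value if raw else html.escape(value, quote=True)
    icon = f'<img src="{html.escape(icon_url, quote=True)}" alt=""> ' if icon_url else ""
    hidden = (f'<input type="hidden" name="{html.escape(name, quote=True)}" '
              f'value="{html.escape(value, quote=True)}">')
    return f'<span class="static-text">{icon}{shown}</span>{hidden}'


def contains_markup(value: str) -> bool:
    """True when a value has characters that escaping would change; a cheap check to
    run over visitor-collected fields before one of them is bound to a raw element."""
    return html.escape(value, quote=True) != value


if __name__ == "__main__":
    visitor_company = "<b>Bob</b> & Co"          # constructed visitor-entered value
    print(render_static_text("visitor_company", visitor_company))
    print(render_static_text("visitor_company", visitor_company, raw=True))
    print(contains_markup(visitor_company))       # True
```

The safe default is the escaped variant; reserve the raw variant for values an administrator sets in the Initial Value option, not for anything collected on a registration form.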
The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field’s value. In particular, for drop-down list and radio button selections, the initial value should be the key of the desired default option. Likewise, for date/time fields that have a display function set, the initial value should be a value that can be passed to the display function.
The form field will contain an integer value, so you should set the field's type to Integer when you create it. Use the PHP syntax array(1, 100) to specify the minimum and maximum values for the IsInRange validator.
To match against a list of options used for a drop-down list or set of radio buttons, you can use the IsInOptionsList validator. Example 3 – To create a form field that validates U.S.
In the Force Value row, use the Always use initial value on form submit check box to prevent attempts to override the value set for a field. When this option is set, if a user modifies the field’s value, it reverts to the specified initial value when the form is submitted. A similar effect can be achieved by using appropriate validation rules, but selecting this check box is easier.
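To show how the validator settings and the Force Value option above fit together, here is an added example, not code from the guide or from ClearPass. It reimplements the behaviour the guide describes for the IsInRange validator (an integer within the minimum and maximum given as the PHP array(1, 100)) and for IsInOptionsList (the submitted value must be one of the option keys), and then runs a constructed submission through constructed field definitions, one of which has Force Value set so the submitted value is replaced by the Initial Value.

```python
from typing import Any, Dict, List, Tuple


def is_in_range(value: Any, args: Tuple[int, int]) -> bool:
    """Reimplementation of the guide's IsInRange: an integer within args = (min, max),
    the equivalent of the PHP syntax array(1, 100). Non-integers fail."""
    try:
        number = int(str(value).strip())
    except (TypeError, ValueError):
        return False
    low, high = args
    return low <= number <= high


def is_in_options_list(value: Any, options: Dict[str, str]) -> bool:
    """Reimplementation of the guide's IsInOptionsList: the value must be an option
    key (the text shown to the user is the option value, not the key)."""
    return value in options


# Constructed field definitions, in the shape of the form field editor's
# validator / validator param / initial value / force value settings.
FIELD_DEFS = {
    "seats": {"validator": is_in_range, "validator_param": (1, 100),
              "initial_value": "1", "force_value": False},
    "role": {"validator": is_in_options_list,
             "validator_param": {"guest": "Guest", "contractor": "Contractor"},
             "initial_value": "guest", "force_value": True},
}


def process_submission(form_data: Dict[str, Any],
                       field_defs: Dict[str, Dict[str, Any]] = FIELD_DEFS
                       ) -> Tuple[Dict[str, Any], List[str]]:
    """Apply Force Value, then the validator, to every field. Returns (values, errors);
    a field with an error is left out of values."""
    values: Dict[str, Any] = {}
    errors: List[str] = []
    for name, spec in field_defs.items():
        if spec["force_value"]:
            value = spec["initial_value"]   # "Always use initial value on form submit"
        else:
            value = form_data.get(name, spec["initial_value"])
        if not spec["validator"](value, spec["validator_param"]):
            errors.append(f"{name}: invalid value {value!r}")
            continue
        values[name] = value
    return values, errors


if __name__ == "__main__":
    # Constructed submission: a client trying to set role=admin is overridden.
    print(process_submission({"seats": "12", "role": "admin"}))
```

Force Value is the setting to reach for on fields such as role or expiration that a sponsor should not be able to change from the browser; the validator alone only rejects out-of-list values, it does not replace them.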
For example, consider a form field displayed as a date/time picker, such as the expire_time field used to specify an account expiration time on the create_user form. The user interface is displayed as a text field, but the value that is required for the form processing is a UNIX time (integer value). In this case, the Conversion function is set to NwaConvertOptionalDateTime to convert the string time representation from the form field (for example, “2008-01-01”) to UNIX time (for example, 1199145600).
See "Form Field Conversion Functions" on page 526 for a detailed list of the options available to you for the Conversion and Value Format functions. The Display Param is the name of a form field, the value of which will be passed to the Display Function. In almost all cases this option should contain the name of the form field. Display Arguments are available for use with a form field and are used to control the conversion process.
Editing Views

A view consists of one or more columns, each of which contains a single field. You can change which fields are displayed and how each field is displayed. You can also define your own fields using the Customize Fields page, and then add them to a view by choosing appropriate display options for each new column. To add a new field to a view, reorder the fields, or make changes to an existing field in a view, select the view in the Customize Forms & Views list and click the Edit Fields link.
Each column in a view displays the value of a single field. To use the default view display properties for a field, you only need to select the field to display in the column and then click the Save Changes button. To customize the view display properties, click the Advanced view options… check box. The column type must be one of the following:
- Text – The column displays a value as text.
- Sortable text – The column displays a value as text, and may be sorted by clicking on the column heading.
The Display Expression is a JavaScript expression that is used to generate the contents of the column. Generally, this is a simple expression that returns an appropriate piece of data for display, but more complex expressions can be used to perform arbitrary data processing and formatting tasks. Customizing Guest Manager The Guest Manager module allows the entire guest account provisioning process to be customized.
Username Format: This field is displayed if the Username Type is set to “Format picture”. It sets the format of the username to be created. See "Format Picture String Symbols" on page 520 for a list of the special characters that may be used in the format string. This may be overridden by using the random_username_picture field.
Initial Sequence: This field contains the next available sequence number for each username prefix that has been used.
- At least one symbol
- At least one of each: uppercase letter, lowercase letter, digit, and symbol
Minimum Password Length: The minimum acceptable password length for guests changing their account passwords.
Disallowed Password Characters: Special characters that should not be allowed in a guest password. Spaces are not allowed by default.
Expiration Options: The options that should be available to select from when choosing the expiration time of a guest account (expire_after). These options are displayed as the values of the “Expires After” field when creating a user account. Values are in hours for relative account expiration times.
Modify Expiration Options: The options that should be available to select from when modifying an account's expiration (modify_expire_time).
Figure 30 Example Guest Receipt, Showing Site SSID Displayed as the WiFi Network
Figure 31 Customize Guest Manager, General Options
Terms of Use URL: URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use using the Content Manager (see "Managing Content: Private Files and Public Files" on page 248). If this file is called terms.html, the Terms of Use URL should be public/terms.html.
About Fields, Forms, and Views
- A field is a named item of information. It may be used to display information to a user as static text, or it may be an interactive field where a user can select an option or enter text.
- A form is a group of fields that is used to collect information from an operator.
- A view is a grouping of fields that is used to display information to an operator.
- random_username_length – The length in characters of random account usernames. If not specified, the default value from the GuestManager configuration is used.
- random_password_method – The method used to generate a random account password. If not specified, the default value from the GuestManager configuration is used.
- random_password_length – The length in characters of random account passwords. If not specified, the default value from the GuestManager configuration is used.
- Otherwise, if expire_after is zero, negative or unset, and expire_time has been specified, use that expiration time. If the expire_time specified is in the past, set do_expire to 0 and ignore the specified expiration time.
- If the expire_timezone field is used in conjunction with expire_time and a time zone and date are selected, the date calculation is adjusted relative to the time zone.
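The expiration rules above, together with the "hours | description" Expiration Options format and the string-to-UNIX-time conversion shown earlier for expire_time (the "2008-01-01" to 1199145600 case), as an added worked example. This is not ClearPass Guest code: the real NwaConvertOptionalDateTime function's accepted formats are not documented on this page, so the formats parsed here are an assumption, and the time zone is modelled as a UTC offset in hours rather than the zone name the expire_timezone field carries, so that the example runs without zone data.

```python
"""Guest account expiration rules from the create_user form (added example,
not ClearPass Guest code).

Assumptions: expire_timezone is a UTC offset in hours; the accepted date
formats stand in for NwaConvertOptionalDateTime.
"""
from datetime import datetime, timedelta, timezone


def parse_expiration_options(text):
    """Parse 'hours | description' lines into {hours: description}."""
    options = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        hours, desc = (part.strip() for part in line.split("|", 1))
        options[int(hours)] = desc
    return options


def convert_optional_datetime(value, utc_offset_hours=0):
    """Return None for an empty value, else UNIX time (int) for the string.

    Accepts 'YYYY-MM-DD', 'YYYY-MM-DD HH:MM' and 'YYYY-MM-DD HH:MM:SS'
    (assumed formats); an integer is passed through unchanged.
    """
    if value is None or str(value).strip() == "":
        return None
    if isinstance(value, int):
        return value
    text = str(value).strip()
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d"):
        try:
            naive = datetime.strptime(text, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised date/time: {value!r}")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(naive.replace(tzinfo=tz).timestamp())


def compute_expiration(fields, now):
    """Return (do_expire, expire_time) for a submitted form.

    - expire_after > 0: relative expiry, now + expire_after hours.
    - otherwise use expire_time if given, unless it is already in the past,
      in which case do_expire is 0 and the date is ignored.
    - expire_timezone (offset hours) adjusts the absolute date.
    """
    raw = fields.get("expire_after")
    try:
        expire_after = int(raw) if raw not in (None, "") else 0
    except ValueError:
        expire_after = 0
    if expire_after > 0:
        return 1, int((now + timedelta(hours=expire_after)).timestamp())
    offset = int(fields.get("expire_timezone") or 0)
    expire_time = convert_optional_datetime(fields.get("expire_time"), offset)
    if expire_time is None or expire_time <= int(now.timestamp()):
        return 0, None
    return 1, expire_time


def example_now():
    """Fixed 'current time' so the example is reproducible (constructed)."""
    return datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    now = example_now()
    print(parse_expiration_options("1 | 1 hour\n24 | 1 day\n168 | 1 week"))
    print(convert_optional_datetime("2008-01-01"))  # 1199145600
    print(compute_expiration({"expire_after": "24"}, now))
    print(compute_expiration({"expire_after": "0", "expire_time": "2008-01-01"}, now))
```

The past-date branch is the one worth checking in a deployment: an operator who types an expired date gets an account with do_expire cleared, which is a non-expiring account, not an already-expired one.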
Name | Type | Visitor Management Function | Editable?
create_user | Form | Create Account | Yes
guest_edit | Form | Edit Account | Yes
guest_export | View | Export Accounts | Yes
guest_multi | View | Edit Multiple Accounts | Yes
guest_multi_form | Form | Edit Multiple Accounts | Yes
guest_receipt | Form | Print Receipt | No
guest_register | Form | Guest Self-Registration | Yes
guest_register_receipt | Form | Guest Self-Registration Receipt | Yes
guest_sessions | View | Active Sessions | Yes
guest_users | View | List Accounts | Yes
Customizing Guest Self-Registration
Guest self-registration allows an administrator to customize the process for guests to create their own visitor accounts. Self-registration is also referred to as self-provisioned access. The registration process consists of a data collection step (the ‘registration page’) and a confirmation step (the ‘receipt page’):
- On the registration page, you can define what information is collected from visitors.
Enable: Enables the self-registration page so it can be used.
Disable: Disables the self-registration page for the user and displays a message. See "Disabling a Self-Registration Page" on page 306.
Go To: Displays a preview of the Visitor Registration network access form. See "The "Go To" Option: The Registration Page" on page 307.
Go to Portal: Displays a preview of the Self Service Login portal. See "The "Go to Portal" Option" on page 308.
The "Go To" Option: The Registration Page
When you choose the Go To option for a self-registration page, the row expands to show an active preview of the Visitor Registration page and form as the visitor would see it. This is the registration page and data collection step. You may test the behavior of the form.
The Receipt Page
After the visitor successfully registers, the receipt page is their confirmation and provides their login and access information.
Dell Networking W-ClearPass Guest 6.
The "Go to Portal" Option
When you choose the Go To Portal option for a self-registration page, the row expands to show an active preview of the Self Service Login page and form as the visitor would see it. This form lets the visitor access their account information. You may test the behavior of the form.
The "Go to Login" Option
When you choose the Go To Login option for a self-registration page, the row expands to show an active preview of the Network Login page and form as the visitor would see it.
Figure 32 Sequence Diagram for Guest Self-Registration In this diagram, the stages in the self-registration process are identified by the numbers in brackets, as follows: The captive portal redirects unauthorized users [1] to the registration page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account.
Name (Required): The name of this self-registration page to identify it, for example "Guest Self-Registration". This name can include spaces. This name is only displayed to administrators within ClearPass; it is not seen by the visitor.
Description: You may enter comments to further identify or describe this page. This description is only displayed within ClearPass.
Enabled: When creation of this page is complete, select this check box to make it available to use.
To edit a self-registration page, go to Configuration > Guest Self-Registration, select the page in the list, and click its Edit link. The Customize Guest Registration workflow diagram opens.
Figure 33 Guest Self-Registration Workflow Diagram
The diagram shows the guest self-registration process. The solid orange arrows show the workflow for the visitor. The dotted blue arrows show the workflow for the administrator.
Using a Parent Page
To use the settings from a previously configured self-registration page, select an existing page name from the Parent drop-down menu. This is useful if you need to configure multiple registrations. You can always override parent page values by editing field values yourself. To create a self-registration page with new values, select the Guest Self-Registration (guest_register) option from the Parent field drop-down menu.
Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0. As another example, the network address 192.168.2.0/24 is less specific than a smaller network such as 192.168.2.192/26, which in turn is less specific than the IP address 192.168.2.201 (which may also be written as 192.168.2.201/32).
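The specificity ordering above, applied to the Allowed Access and Denied Access lists of a Web login page, as an added worked example (not ClearPass Guest code). It uses Python's standard ipaddress module to rank every matching entry by prefix length, so 192.168.2.201/32 beats 192.168.2.192/26, which beats 192.168.2.0/24, which beats 0.0.0.0/0. Two points the page does not state are assumptions here: a deny entry wins over an allow entry of the same length, and a client matching no entry at all is allowed only when no Allowed Access entries are configured.

```python
"""Most-specific-match evaluation of Allowed/Denied Access lists
(added example, not ClearPass Guest code).

Assumptions: deny beats allow on equal prefix length; with no matching
entry, access is allowed only if the Allowed Access list is empty.
"""
import ipaddress


def parse_entries(text):
    """One address or network per line; a bare address becomes a /32 or /128."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def evaluate_access(client_ip, allowed_text, denied_text):
    """Return (action, matched_entry); action is 'allow' or 'deny'."""
    ip = ipaddress.ip_address(client_ip)
    allowed = parse_entries(allowed_text)
    denied = parse_entries(denied_text)
    candidates = []
    for action, nets in (("allow", allowed), ("deny", denied)):
        for net in nets:
            if net.version == ip.version and ip in net:
                # sort key: longest prefix (fewest addresses) first,
                # deny before allow when the prefix length ties
                candidates.append((net.prefixlen, action == "deny", action, str(net)))
    if not candidates:
        return ("allow", None) if not allowed else ("deny", None)
    candidates.sort(reverse=True)
    _, _, action, entry = candidates[0]
    return action, entry


if __name__ == "__main__":
    # constructed sample lists, one entry per line as typed into the form
    allowed = "192.168.2.0/24\n10.0.0.5"
    denied = "192.168.2.192/26\n0.0.0.0/0"
    for client in ("192.168.2.10", "192.168.2.201", "10.0.0.5", "8.8.8.8"):
        print(client, evaluate_access(client, allowed, denied))
```

When auditing a login page, check the denied list for a catch-all such as 0.0.0.0/0 without a more specific allow entry for the captive-portal subnet: with this ordering the catch-all is the least specific entry, so any single allowed network overrides it for clients inside that network, but every other client is denied.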
Click the Save and Reload button to update the self-registration page and launch or refresh a second browser window to show the effects of the changes. Click the Save Changes button to return to the process diagram for self-registration. Click the Save and Continue button to update the self-registration page and continue to the next editor.
Type: Controls what kind of user interface element is used to interact with the user.
Label: The label for this field as it is displayed on the form.
Description: The description for this field as it is displayed on the form.
To work with a form field, click its row in the list. The row expands to include configuration options:
Table 70: Form Editor Options
Edit: Make changes to an existing field. The Form Field Editor opens.
4. In the Field row, mark the Enable this field check box. 5. To adjust the placement of the password field on the Create Multiple Guest Accounts form, you may change the number in the Rank field. 6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty. 7. Click Save Changes.
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.
Enabling Sponsor Confirmation for Role Selection
You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account. To enable role selection by the sponsor:
1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens. 2. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens. 3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configure this option. 4.
The Guest Registration login page is displayed as the guest would see it. When a guest completes the form and clicks the Register button, the sponsor receives an email notification. 8. To confirm the guest’s access, the sponsor clicks the click here link in the email, and is redirected to the Guest Registration Confirmation form. 9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.
Editing Email Delivery of Guest Receipts
The Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery. When email delivery is enabled, the following options are available to control email delivery:
- Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
Editing SMS Delivery of Guest Receipts
The SMS Delivery options available for the receipt page actions allow you to specify the print template to use, the field containing the visitor’s phone number, and the name of an auto-send field. These options under Enabled are available to control delivery of SMS receipts:
- Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.
If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed. In the Vendor Settings field, if Single Sign-On - SAML Identity Provider is selected, an appropriate service must be created in CPPM using the ClearPass IDP service template. The external service provider must then be configured to use the SAML Web login page as the IdP.
Custom Form: Indicates you will provide a custom login form. If selected, you must supply your own HTML login form in the header or footer HTML areas.
Custom Labels: Enables altering the default labels and error messages.
Username Label: Label that appears on the form for the username field. Leave blank to use the default (Username:).
Password Label: Label that appears on the form for the password field. Leave blank to use the default (Password:).
Terms Layout: Layout for the terms and conditions text, either above or below the Terms check box.
Terms Error: Text to display if the terms are not accepted. Leave blank to use the default (In order to log in, you must accept the terms and conditions.).
Log In Label: Label that appears on the form for the login button. Leave blank to use the default (Log In).
Health Check: Requires the visitor to pass a health check before they can access the network.
Configuring the Login Message Part of the Page The login message page is displayed after the login form has been submitted, while the guest is being redirected to the NAS for login. The title and message displayed on this page can be customized. The login delay can be set. This is the time period, in seconds, for which the login message page is displayed. Click the Save Changes button to return to the process diagram for self-registration.
To adjust the user interface, use the override check boxes to display additional fields on the form. These fields allow you to customize all text and HTML displayed to users of the self-service portal. The behavioral properties of the self-service portal are described below:
- The “Enable self-service portal” check box must be selected for guests to be able to access the portal.
Clicking the I’ve forgotten my password link displays a form where the user password may be reset. Entering a valid username resets the password for that user account and then displays the receipt page showing the new password and a login option (if NAS login has been enabled). Because anyone who knows or can guess a guest username can trigger the reset, this feature allows the password to be reset for any guest account on the system, which may pose a security risk.
Selecting a different value for the “Required Field” allows other fields of the visitor account to be checked. These fields should be part of the registration form. For example, selecting the visitor_name field as the “Required Field” results in a Reset Password form like this:
Customizing AirGroup Registration Forms
AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them.
3. In the User Interface drop-down list, select Checklist.
4. In the Description text box, delete the existing text, then enter Select the location IDs where this device will be shared. Leave blank to share with all locations.
5. Delete any text from the CSS Class and the CSS Style fields.
6. In the Options Generator drop-down list, select (Use options).
7. In the Options text box, enter a list of values to use as the checklist options that are presented to the user.
2. In the Conversion drop-down list, select NwaImplodeComma. The form expands to include the Type Error row.
3. In the Display Function drop-down list, select NwaExplodeComma. The form expands to include the Display Param and Display Arguments rows.
4. In the Display Param text field, enter the value _self. Be sure to include the leading underscore character.
5. Click Save Changes.
IP Phones IP Phone Services in W-ClearPass Guest lets you manage guest account provisioning for IP phones. To work with IP phone services, go to Configuration > IP Phones > Start Here.
Delete: Deletes a service. You will be asked to confirm the deletion.
Disable: Disables a service. A progress bar is shown while the service is disabled. When it is complete, an Enable link is displayed instead of the Disable link. You can click the Enable link to enable the service again.
Provision: Provisions the IP phone service and deploys the application.
Name: Short name that identifies the service clearly. IP phone service names can include spaces. If you are duplicating a service, the original name has a number appended to it. You may highlight this name and replace it with a new name.
Description: Briefly describes the characteristics of the service.
Enabled: Mark the check box to enable the service, or unmark the check box to disable it.
Page Name (Required): Unique page name.
Sponsoring: If selected, determines the sponsor name by querying the Cisco IP phone service.
User Database (Required): The service handler used to create new visitor accounts.
User Role (Required): Role that will be assigned to new visitor accounts.
Expiration Options (Required): Options that should be available for setting the expiration time of a guest account. Enter each option in the format "hours | description", as shown in the example text.
The Edit code action is displayed for a print template when it has been created using the wizard, but subsequently modified. See "Modifying Wizard-Generated Templates" on page 337 in this chapter for further information. Options to show where a print template is being used, and to control individual permissions for a print template, are also available when selecting a print template. See "Setting Print Template Permissions" on page 337.
This section is followed by three other sections: the body, the header and the footer. Each section must be written in HTML. There is provision in each section for the insertion of multiple content items such as logos. You are able to add Smarty template functions and blocks to your code. These act as placeholders to be substituted when the template is actually used. See "Smarty Template Syntax" on page 486 for further information on Smarty template syntax.
As the print template is a HTML template, it is possible to use HTML syntax as well as Smarty template code in these areas. See the "Reference" on page 483 chapter for reference material about HTML and Smarty template code. The print template may also contain visitor account fields. The value of each field is displayed in the print template. By default, the wizard sets up the template with the username, password and role_name fields, but these may be customized.
The owner profile always has full access to the print template. To control access to this print template by other entities, add or modify the entries in the “Access” list. To add an entry to the list, or remove an entry from the list, click one of the icons in the row. A Delete icon and an Add icon will then be displayed for that row. Select one of the following entities in the Entity drop-down list: l Operator Profiles – a specific operator profile may be selected.
1. Navigate to Configuration > Guest Manager. The Configure Guest Manager form opens. 2. In the Username Type field, select Random Letters and digits. The generator matching the complexity will also include a mix of upper and lower case letters. 3. In the Username Length field, select 8 characters. 4. Configure other settings. See "Default Settings for Account Creation" on page 296 for a description. Click Configuration to save your changes.
6. Click Save Changes to save your settings.
7. To preview the new template, select the template in the Guest Manager Print Templates list, then click Preview. The template is displayed. The template created by the example text given above would look like this:
Customize the Guest Accounts Form
Next, modify the Guest Accounts form to add a flag that allows access-code based authentication.
1. Navigate to Configuration > Forms & Views.
2.
3. Click Create Accounts to display the Finished Creating Guest Accounts page. If you create a large number of accounts, they are created at one time but might not all be displayed at the same time. (This will not affect the printing action in the following step.)
4. Confirm that the account settings are as you expected with respect to letters and digits in the username and password, expiration, and role.
5. Click the Open print window using template drop-down list and select the new print template you created using this procedure. See "Create the Print Template" on page 339 for a description of this procedure. A new window or tab will open with the cards.
Customizing SMS Receipt
Navigate to Configuration > SMS Receipts to configure SMS receipt options. These fields are described for the SMS plugin configuration page. Use the SMS receipt page for further customization.
- Determine the phone number – if the phone number field is set and the value of this field is at least 7 characters in length, then use the value of this field as the phone number. Otherwise, if the value of the auto-send field is at least 7 characters in length, then use the value of this field as the phone number.
- If the phone number is at least 7 characters long, generate a receipt using the specified plain-text print template and send it to the specified phone number.
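The phone-number selection and the receipt step above, as an added worked example (not ClearPass Guest code). The field names visitor_phone and sms_auto_send are assumptions standing in for whatever fields the receipt action is configured with, and the receipt is rendered with Python's string.Template placeholders rather than the Smarty syntax the real plain-text print template uses.

```python
"""SMS receipt: pick the destination number, then render the receipt
(added example, not ClearPass Guest code).

Assumptions: field names visitor_phone / sms_auto_send; $name placeholders
stand in for the Smarty print template.
"""
from string import Template

MIN_PHONE_LEN = 7  # the length threshold stated in the text


def select_sms_number(fields, phone_field="visitor_phone", auto_send_field="sms_auto_send"):
    """Return the phone number to send to, or None if neither field qualifies.

    The configured phone number field is tried first, then the auto-send
    field; a value shorter than 7 characters (for example the "1" that an
    auto-send check box submits) is skipped rather than used as a number.
    """
    for name in (phone_field, auto_send_field):
        value = str(fields.get(name) or "").strip()
        if len(value) >= MIN_PHONE_LEN:
            return value
    return None


def render_sms_receipt(template_text, fields):
    """Substitute $username-style placeholders; unknown placeholders stay literal."""
    return Template(template_text).safe_substitute(fields)


def build_sms_receipt(fields, template_text, **field_names):
    """Return (number, message), or (None, None) when there is no usable number."""
    number = select_sms_number(fields, **field_names)
    if number is None:
        return None, None
    return number, render_sms_receipt(template_text, fields)


if __name__ == "__main__":
    # constructed guest record and plain-text template
    record = {"username": "guest42", "password": "s3cret", "visitor_phone": "+61412345678"}
    tpl = "Guest Wi-Fi: user $username, password $password"
    print(build_sms_receipt(record, tpl))
```

Note that the only validation described on the page is the 7-character minimum, so a value such as "not-a-number" in the phone field still reaches the SMS gateway; a stricter validator on the registration form is the place to reject it.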
Translations: For more information, see "Customizing Translated User Interface Text" on page 344.
Duplicate: Create a new translation pack. You can give the copy of the translation pack a new name, enable it, and edit its display name, language code, flag image, and locales list. For more information, see "Creating and Editing Translation Packs" on page 344.
Make Default: Use a translation pack as the new default language for the application.
4. Click Refresh. For each ID you specified, a row with an editable text box is added to the form. The default text of the label or message is shown below the text box. 5. You can use the Common IDs field to look up text IDs. Click a link for a category of labels or messages. Rows with editable text boxes are added to the form for each item in that category, and the default text is shown below each text box. 6. For each item you want to override, enter the new text in the text box.
Duplicate: The copied page is displayed in the list with "Copy of" prepended to its name. The copy has all attributes prepopulated from the original page. You can click the copy's row in the list to open the editor and edit any of its attributes.
Delete: Delete the page. You will be asked to confirm the deletion.
Test: View and test a Web login page. The page opens in a new tab as it would appear to a user.
Create new Web login page: Create a new Web login page.
Name (Required): Enter a name for the page.
Page Name (Optional): Identifier page name that will appear in the URL, for example "/guest/page_name.php".
Description (Optional): Additional information or comments about the page.
Vendor Settings (Required): Vendor-specific settings for network configuration. If Single Sign-On - SAML Identity Provider is selected, an appropriate service must be created in CPPM using the ClearPass IDP service template.
URL Hash Key and Confirm Key (Required): Enter the RADIUS shared secret for the redirect URL's hash verification process in both fields.
Options in the Login Form area specify the behavior and content of the login form:
Authentication: Authentication requirement options include:
- Credentials -- Require a username and password
- Access Code -- Only require a username for authentication
- Anonymous -- Do not require a username or password.
The additional check options are:
- None -- no extra checks will be made
- App Auth -- check using Aruba Application Authentication (the default)
- Local -- match a local account
- RADIUS -- check using a RADIUS request
- Single Sign-On -- enable SSO for this Web login. When this option is selected, guests are redirected to the identity provider (IdP) configured in CPPM, where they authenticate themselves.
Skin (Required): Specifies the skin to use for the login page.
Title: The title that will be displayed on the page.
Header HTML: The HTML content to display above the login form. The default content is shown, and can be modified. You can also use the drop-down lists to add images or other content items, or to insert a self-registration link.
Footer HTML: The HTML content to display below the login form. The default content is shown, and can be modified.
Allowed Access: The IP addresses and networks from which logins will be allowed.
Denied Access: The IP addresses and networks from which logins will be denied.
Deny Behavior (Required): The response shown to the user if their login request is denied. Options in this drop-down list include Send HTTP 404 Not Found status, Show Access Denied page, and Show a blank page.
Chapter 6 Hotspot Manager The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts. Accessing Hotspot Manager To access Dell Networking W-ClearPass Guest’s hotspot management features, go to Configuration > Hotspot Manager.
Figure 37 Guest self-provisioning
- Your customer associates to a local access point and is redirected by a captive portal to the login page.
- Existing customers may log in with their Hotspot username and password to start browsing.
- New customers click the Hotspot Sign-up link.
- On page 1, the customer selects one of the Hotspot plans you have created.
- On page 2, the customer enters their personal details, including credit card information if purchasing access.
The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available. The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See "Smarty Template Syntax" on page 486 in the Reference chapter for details about the template syntax you may use to format this message.
However, in this situation the MAC address of the customer will not be available, and no automatic redirection to the customer's home page will be made. You may want to recommend to your customers that JavaScript be enabled for best results.
Web Site Look-and-Feel
The skin of a Web site is its external look and feel. It can be thought of as a container that holds the application, its style sheet (font size and color, for example), its header and footer, button style, and so on.
- To create or edit an existing plan, see "Editing or Creating a Hotspot Plan" on page 357.
- To delete a plan, click the Delete button in the plan’s row and confirm the deletion.
fields set to ######.
W-ClearPass Guest also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions.
Creating a New Transaction Processor
The Transaction Processor Configuration form is used to create and to edit transaction processors. To define a new transaction processor:
1. Go to Configuration > Hotspot Manager, click Manage Transaction Processors, then select Create new transaction processor.
2. In the Name field, enter a name for the transaction processor.
3.
Managing Existing Transaction Processors Once you define a transaction processor, it will appear in the transaction processor list.
2. The Invoice Title must be written in HTML. See "Basic HTML Syntax" on page 483 for details about basic HTML syntax. 3. Complete the rest of the fields appropriately. You can use Smarty functions on this page. See "Smarty Template Syntax" on page 486 for further information on these. You can also insert content items such as logos or prepared text. See "Customizing Guest Self-Registration" on page 305 for details on how to do this. 4. Click Save Changes.
To customize how this page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 1 (Choose Plan) link in the upper-right corner. The Edit Hotspot Plan Selection Page form opens. You can use this form to edit the title, introductory text, and footer of the “Choose Plan” page. The introduction and the footer are HTML text that can use template syntax. See "Smarty Template Syntax" on page 486 in the Reference chapter.
Although it is not shown in this illustration, the default page also includes footer text providing information about privacy policies and security pertaining to the data collected by this page. The example below shows the default “Your Details” page for a customer who chooses the Free Access plan.
To customize how the “Your Details” page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 2 (Customer Details) link in the upper-right corner. The Edit Hotspot User Details Page form opens. You can use this form to edit the content displayed when the customer enters their personal details, including credit card information if purchasing access. The progress of the user’s transaction is also shown on this page.
To customize how the “Your Receipt” page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 3 (Invoice or Receipt) link in the upper-right corner. The Edit Hotspot User Receipt Page form opens. You can use this form to edit the title, introductory text, and footer text of the receipt page. See "Smarty Template Syntax" on page 486 for details about the template syntax you may use to format the content on this page.
Viewing the Hotspot User Interface The Hotspot Manager allows you to view and test Hotspot self-provisioning pages, as well as log in to and view the Hotspot self-service portal that allows customers to view their current account expiration date, purchase time extensions, log out of the Hotspot, or change their user password. To access either of these user pages, navigate to Configuration > Hotspot manager and select the Self-Provisioning or Self-Service links in the left navigation menu.
Chapter 7 Administration The Administration module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of Dell Networking W-ClearPass Guest. Accessing Administration To access Dell Networking W-ClearPass Guest’s administration features, click the Administration link in the left navigation.
- "AirGroup Time-Based Sharing Syntax Examples" on page 64
- "Creating AirGroup Administrators" on page 373
- "Creating AirGroup Operators" on page 373
- "Authenticating AirGroup Users via LDAP" on page 374
- "Configuring LDAP User Search for AirGroup" on page 374
AirGroup Controllers
You can create and manage multiple AirGroup controllers. You may configure each controller's remote access and other information, poll the current configuration, and view configuration details.
Figure 42 AirGroup Controller Details
Creating and Editing AirGroup Controllers
When you create a new AirGroup controller or edit an existing one, you may configure its name, description, notification status, its network connection and authentication settings, and SSH (Secure Shell) details for remote access. To create a new AirGroup controller or edit an existing controller:
1.
Table 72: Create AirGroup Controller Field Description Name Short name that identifies the controller clearly. AirGroup controller names can include spaces. Description Additional useful information about the controller. Enabled Enables Policy Manager's AirGroup notification service for the controller. With this service enabled, the controller receives change of authorization (CoA) Requests for sharing events from associated MAC addresses and the events are logged.
to exclude from the user interface, and setting an automatic polling schedule, message parameters, and logging levels. To configure AirGroup Services, go to Administration > AirGroup Services > Configuration. The Configure AirGroup Services form opens. Table 73: Configure AirGroup Services Field Description Exclusions Role names, AP group names, or AP names that should not be displayed in the AirGroup user interface. Enter each item on a separate line. Entries are not case-sensitive.
choose from when they share a device. If additional user groups are also entered by users when they share a device, the list in the configuration is automatically updated to capture these fields. Removing a group name from this list does not remove it from other shared group lists. When you type a name for the group in the Group Names field, press the Enter key, and click Save, the group is created in the system and appears as a "tag".
Table 74: AirGroup Diagnostics

Field | Description
Show information about a device | Enter the device's MAC address. Information shown includes:
- Device information (as entered on Guest > Create Device)
- Controller IP address and AirGroup protocol version
- Hostname of associated server, management IP address, and role
- Times of AirGroup authorization requests along with controller IPs and enforcement profiles
Show information about a controller | Enter the controller's IP address or hostname.
provisioned devices. The operator can also define a group of other users who are allowed to share the operator’s devices. The AirGroup Operator profile is automatically created in W-ClearPass Guest when the AirGroup Services plugin is installed. This profile is used to define the AirGroup Operator role. To create an AirGroup Operator, see "Creating a New Operator" on page 446.
1. Create a ClearPass Guest LDAP server
2. Enable user search for this server
3. Configure the user interface for the airgroup_shared_user field
4. Specify user search options for the user interface

Each of these steps is described in the following sections.

Basic LDAP Server Settings

In ClearPass Guest, go to Administration > Operator Logins > Servers and click the Create new LDAP server link.
User Search Settings

In the User Search area of the Edit Authentication Server form:

Table 76: Edit Authentication Server, User Search

Field | Description
Enabled | Mark the Use this server to search for matching users checkbox. The form expands to include additional options.
Filter (Required) | Select one of the following options: Use the default LDAP filter—Uses an LDAP filter suitable for an Active Directory search operation.
- displayName = text—The user’s full name is displayed as the label for a matching item.
- # title = desc—Commented out and not used by default. Enables the title of the user to be shown in the description.
- userPrincipalName = desc—The user’s email address is displayed as descriptive text for a matching item.

Configuring the AirGroup Shared User Field

The AirGroup row of the Edit Authentication Server form is the starting point to enable the server for user search in AirGroup.
In the Advanced Properties area of the form, you will customize the user interface for single and multiple-selection capabilities.

Table 78: Advanced Properties, Relevant Fields

Field | Description
Advanced | Select the Show advanced properties check box. Additional configuration options are added to the form.
Select2 Options Select2 Hook Save Changes Used to customize the user interface for the “select2” control, which provides both single and multiple-selection capabilities.
Option | Description
resultsCss.max-height = 400px | Specifies that the list of matching items should be up to 400 pixels in height. Additional CSS properties may be specified using the “resultsCss” value, if required.
ajax.dataType = sajax | Specifies that the field should use a dynamic query mechanism to look up a search term. This parameter should not be changed.
ajax.url = NwaAirGroupUserSearchAjax | Specifies that the field should perform a user search. This parameter should not be changed.
ajax.args.
To change the behavior of the “select2” control, you need to attach a JavaScript function definition to one or more properties of the hook function’s argument. The hook function may also set or update any of the properties specified in the “Select2 Options”. A simple example is included as the default value with the airgroup_shared_user field:

function (args) {
    // Replace the message shown while the typed search term is still too short
    args.formatInputTooShort = function (text) {
        return "Start typing a user name.";
    };
}
- There is no additional license fee for these devices: Although MACTrac is part of W-ClearPass Guest, MACTrac device registrations do not count against the W-ClearPass Guest license.
- As with other W-ClearPass Guest forms and views, the MACTrac user interface can be customized by adding a custom skin or options such as an "Add Another Device" button.
MACTrac operators can create and manage multiple device accounts. Options include editing, printing details, disabling, and deleting accounts. To work with MACTrac devices, log in to ClearPass Guest as a MACTrac operator and go to Guest > List Devices. The MACTrac Devices list view opens. All MACTrac devices that have been registered are included in the list. You can click a device account's row in the list for additional options:
- To edit any of a device account's attributes, click its Edit link.
- To disable or delete a device account, click its Remove link. A confirmation dialog opens. You may specify either Disable or Delete, then click Make Changes. To enable a disabled account, click its Activate link.

Registering MACTrac Devices

The Register Device form is used by MACTrac operators to create their device accounts on their local network. There is no limit to the number of accounts an operator can create, and no expiration time is set on device accounts. To register a MACTrac device:

1.
4. (Optional) The Device Type field is prepopulated if detected, and indicates whether it is a computer, printer, or other type of device.
5. (Optional) The Device Platform field is prepopulated if detected, and indicates whether it is a Windows, Mac, Linux, or Android platform, and whether it is a mobile phone.
6. (Optional) The Browser Vendor/Version field is prepopulated if detected, and indicates whether it is an Internet Explorer, Google Chrome, Mozilla Firefox, or other browser.
7.
Data Retention

The Data Retention Policy page (Administration > Data Retention) lets you manage historical data by deleting it.

Figure 43 Data Retention Policy page

1. To enable the data retention policy option, mark the Enable check box, and then enter the time of day at which records will be deleted.
2. To configure Onboard certificate retention, click the link in the Certificate Retention row. The Certificate Authorities list in the Onboard + WorkSpace module opens.
- Upload a 3.9 configuration backup file to your 6.2 file system, making the items in it available for import. See "Uploading the 3.9 Backup File" on page 386.
- Select items from it to import, restoring those configurations in your 6.2 system. See "Restoring Configuration Items" on page 388.
- Review details for configuration items after import, including anything that might be different between 3.9 and 6.2 and any actions you might need to take.
5. If your file does not exceed the 15.0 MB size limit, you can use this Upload File form to browse to the location where you stored your 3.9 backup file. To use the Upload File form, click the Browse button in the Backup File row to navigate to and select the backup file you want to restore. If your file is larger than the maximum file upload size of 15.0 MB, you must specify a URL instead. Click the Restore a backup from a URL link above the Upload File form. The Specify Backup File form is displayed.
This form shows every configuration item in your backup file, and provides options for restoring items or excluding them from the restoration. For more information, see the next section, "Restoring Configuration Items" on page 388.

Restoring Configuration Items

This section describes how to use the Import Configuration: Step 2 form to import 3.9 configuration items to your 6.2 system after you upload them. To select and restore your configuration items:

1.
3. Select the items in the list that you want to restore, then mark the Restore settings from backup check box to confirm. Restoring the backup will overwrite your current settings.
4. Click Restore Configuration. System progress is displayed while items are being imported. When the import is complete, the Finished Import page displays the Import Notices list for the restored items. For more information, see "Viewing Imported Item Details" on page 389.
- Count -- The number of items imported for each configuration item. For example, the number shown in the Count column for Guest Manager Custom Fields indicates the number of customized fields that were imported.
2. You can click a configuration item's row in the list for additional options.
- For some items, you can click a link to go to the relevant page in the application.
- To view details for a configuration item, click its Show Details link.
- "Import Information: Advertising Services" on page 391
- "Import Information: AirGroup Services" on page 391
- "Import Information: Cisco IP Phones" on page 391
- "Import Information: Guest Manager" on page 391
- "Import Information: High Availability (HA)" on page 392
- "Import Information: Hotspot Manager" on page 393
- "Import Information: Onboard" on page 393
- "Import Information: Operator Logins" on page 393
- "Import Information: Palo Alto Network Services" on page 393
- "Import
Custom Fields: The following 3.9 custom fields are obsolete and are not imported:
- do_schedule
- delete_time
The following 3.9 custom fields are renamed:
3.9 Name | 6.2 Name
schedule_time | start_time
modify_schedule_time | modify_start_time
schedule_after | start_after
Custom Forms and Views:
- Forms and views that referenced renamed fields are updated to reference the new field name.
- Forms and views that referenced obsolete fields have those fields removed from the definition.
Import Information: Hotspot Manager
- Non-default User Database settings are updated to the default ClearPass Policy Manager user database.
- Non-default Transaction Processing settings reference the correct transaction processor.
- A cookie check (nwa_cookiecheck) is added to the default hotspot plan template.

Import Information: Onboard
To restore your Onboard device provisioning pages, you must import RADIUS Web logins.
RADIUS Certificates
- RADIUS certificates are unsupported.
RADIUS Database Accounting Records
- RADIUS database accounting records are unsupported.
RADIUS Database Connections
- The RADIUS database connection for the local RADIUS server is obsolete.
- For any custom user databases, an authentication source must be created in CPPM.
RADIUS Database User Accounts
- User accounts are migrated and keep the status (disabled, pending, active, expired) they had in 3.9. Any field names that differ in 6.
RADIUS Web Logins
- RADIUS Web logins are imported.

Import Information: Reporting Manager
Definitions
- Reports must be re-created in ClearPass Insight.

Import Information: Server Configuration
- ClearPass settings are obsolete.
Data Retention
- Data Retention settings for Onboard are imported.
Database Configuration
- Default (empty) database configuration settings are processed and ignored.
- Non-default database configuration settings should be reviewed for potential issues.
Subscription IDs
- If the following settings do not have default values, they are updated to the new default values and migrated:
  - Session ID
  - Update URL
  - Facility
- For non-default Application URLs, changes should be reviewed.
- Subscription IDs must be added to CPPM.
- For non-default HTTP Proxy settings, the HTTP proxy must be configured in CPPM.
System HTTP Proxy
For non-default HTTP Proxy settings, the HTTP proxy must be configured in CPPM.
  - Reply-To
  - Send Copies
  - Skin
  - SMTP Port
  - SMTP Server
  - Subject Line
  - Username
  - Use Sendmail
  - Use SSL encryption

Plugin Manager

Plugins are the software components that fit together to make your Web application. The Available Plugins list shows all the plugins currently included in your application. It lets you view information about each plugin and configure some aspects of most plugins.
The About link displays information about the plugin, including the installation date and update date. The About page for the Kernel plugin also includes links to verify the integrity of all plugin files or perform an application check. Click a plugin’s Configuration link to view or modify its settings. See "Configuring Plugins" on page 398 for details about the configuration settings.

Configuring Plugins

You can configure most standard, kernel, skin, and translation plugins.
In most cases, plugin configuration settings do not need to be modified directly. Use the customization options available elsewhere in the application to make configuration changes.
2. The Kernel plugin’s Debug Level and Application URL options should not be modified unless you are instructed to do so by Dell support.
3. To turn off autocomplete on forms, mark the check box in the Form Auto Complete row. This disables credentials caching.
4. In the Security row, to prevent the Web application being used from within another frame, mark the check box for Enable protection against "Clickjacking" attacks.
5.
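The clickjacking setting in step 4 is documented only as a check box; which response header the application sends once it is enabled is not stated here. The following helper, added as an example and not part of ClearPass Guest, is the check an administrator can run against a captured set of response headers to confirm that framing is restricted by one of the two standard browser mechanisms, X-Frame-Options or the Content-Security-Policy frame-ancestors directive. The header sets at the bottom are constructed samples, not output captured from the product.

```python
"""Decide whether a set of HTTP response headers restricts framing.

Added example, not ClearPass Guest code. It evaluates the two browser
mechanisms that stop a page being embedded in a hostile frame:
Content-Security-Policy frame-ancestors (checked first, because browsers
that support it ignore X-Frame-Options when it is present) and
X-Frame-Options.
"""


def framing_protection(headers):
    """Return (protected, reason) for a dict of response headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    # 1. CSP frame-ancestors wins when present.
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if sources and sources != ["*"]:
                return True, "CSP frame-ancestors " + " ".join(sources)
            return False, "CSP frame-ancestors allows any origin"

    # 2. Otherwise fall back to X-Frame-Options.
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "no framing restriction header present"


# Constructed sample header sets (not captured from a real server).
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8", "Server": "example"}
PROTECTED = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN"}
```

Run it against headers captured from the login page before and after enabling the setting; the reason string tells you which mechanism is in effect.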
2. The default navigation layout is “expanded.” To change the behavior of the navigation menu, click the Navigation Layout drop-down list and select a different expansion level for menu items.
3. The Page Heading field allows you to enter additional heading text to be displayed at the very top of the page.
4. In the Font Family row, to change the font, delete the current selection and enter the list of fonts to use.
5.
Figure 44 Configure SMS Services Plugin

- SMS Receipt – Select the print template to be used when an SMS receipt is created. The print template used for the receipt must be in plain text format.
- Phone Number Field – Select which guest account field contains the guest’s mobile telephone number. This field is used to determine the SMS recipient address.
country code option, the Australian mobile number 0412345678 would normalize to +61412345678 in the internationalized format.
  - Never include the country code: When you select this option, any country code specified by the visitor is removed before the SMS message is sent.

Earlier W-ClearPass versions used clearpass.arubanetworks.com for a number of actions, including access to updates. The address used now is clearpass.dell-pcw.com.
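The country-code options above are described with one worked case (0412345678 becoming +61412345678) and one rule (the "never include" option strips whatever country code the visitor typed). The function below, added as an example and not ClearPass Guest's own normalizer, implements both behaviours so the two outputs can be compared for the same input. Everything beyond the two statements on the page is this example's assumption: a leading "+" or "00" marks an international number, a national number starts with the trunk prefix (0 in Australia), and only the configured country code is recognised.

```python
"""Normalize visitor mobile numbers for SMS delivery.

Added example, not ClearPass Guest code. Assumptions (not stated on the
page): "+" or a leading 00 marks an international number; a national
number starts with the trunk prefix; only the configured country code is
recognised when a number is stripped back to national form.
"""
import re


def normalize_number(raw, country_code="61", include_country_code=True, trunk_prefix="0"):
    """Return the number as it should be handed to the SMS gateway.

    include_country_code=True  -> internationalized form, e.g. +61412345678
    include_country_code=False -> national form with the country code removed
    """
    digits = re.sub(r"[^0-9+]", "", raw)            # drop spaces, dashes, brackets
    if digits.startswith("00"):                      # 00 international prefix -> +
        digits = "+" + digits[2:]
    if digits.startswith("+"):
        rest = digits[1:]
        if not rest.startswith(country_code):
            raise ValueError("country code not recognised: " + raw)
        national = rest[len(country_code):]
    else:
        national = digits
        if trunk_prefix and national.startswith(trunk_prefix):
            national = national[len(trunk_prefix):]  # 0412... -> 412...
    if not national.isdigit():                       # also rejects an empty remainder
        raise ValueError("not a usable mobile number: " + raw)
    if include_country_code:
        return "+" + country_code + national
    return trunk_prefix + national
```

The same visitor entry therefore yields +61412345678 under the "always include" behaviour and 0412345678 under "never include"; an international number whose country code is not the configured one is rejected rather than silently rewritten.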
For more information about translation services in ClearPass Guest, see "About Translations" on page 343.

SMS Services

With SMS Services, you can configure W-ClearPass Guest to send SMS messages to guests. You can use SMS to send a customized guest account receipt to your guest’s mobile phone. You can also use SMS Services to send an SMS from your Web browser. To use the SMS features, you must have the SMS Services plugin installed.
- To work with a gateway, click its row in the list. The gateway’s row expands to include the Edit, Duplicate, Delete, Make Default, and Send SMS options.

Table 83: SMS Gateways List

Field | Description
Edit | Lets you make changes to the gateway. See "Editing an SMS Gateway" on page 407.
Duplicate | Lets you make a copy of the gateway to use as a base for a new gateway. A new gateway will be added to the list with the name “Copy of ”.
3. In the SMS Gateway field, if you choose Custom HTTP Handler from the drop-down list, you may specify the HTTP method to use. The form expands to include options for configuring that gateway type, and the Service Method row includes the GET and POST options. 4. If you selected the POST option in the SMS Gateway field, the HTTP Headers and HTTP Post rows are added. You can use the text fields in these rows to override HTTP headers and enter the text to post. 5.
  - Select a carrier—If you choose this option, the form includes the Mobile Carrier field, where you specify the carrier to use.
  - Configure carrier settings—If you choose this option, the form includes the SMS Address, Address Template, Number Format, and Subject Line fields. For information on completing these fields, see "Editing an SMS Gateway" on page 407.

When you save your entries for the SMS over SMTP option, a new screen, Mobile Carriers, is added to the left navigation.
3. The SMS Gateway field displays the gateway service that was selected when the gateway was created. This cannot be edited after creation.
4. In the Service Settings area, you may edit the Display Name.
5. When you duplicate an SMS over SMTP gateway, the Carrier Selection configuration options are included. In the Carrier Selection drop-down list, choose one of the following options:
- Registration form will have the visitor_carrier field—The visitor will supply the carrier information when they register.
Sending an SMS

You are able to send an SMS message if the system has been configured to allow this. To send an SMS message:

1. Go to Administration > SMS Services > Send SMS. The New SMS Message form opens.
2. Complete the form by typing in the SMS message and entering the mobile phone number that you are sending the SMS to. The maximum length for the message is 160 characters. If multiple services are available, you may also choose the service to use when sending the message.
3. Click Send Message.
To adjust the warning threshold, set the Credit Warning value in the configuration for the SMS Services Plugin. About SMS Guest Account Receipts You can send SMS receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt.
2. To filter the list, click the Display Lists tab above the form. The form expands to include the Carrier Lists options. Use this drop-down list to specify the visitor carrier or MMS carrier. To be available in the drop-down lists on this Carrier Lists form, a carrier must first be enabled. 3. To enable, disable, or delete a carrier, click the carrier in the list. The carrier’s row expands to include the Edit, Enable or Disable, and Delete options.
5. In the Name field, enter the carrier’s name. If there is more than one format of the carrier company’s name, use the format the public most readily identifies with the carrier service. 6. To include the carrier in the list of choices for users, mark the Enable check box. 7. (Optional) In the Country field, enter the country where the carrier’s service is offered. If appropriate, you may also indicate an area within the country, such as a city, county, or state. 8.
Sent to: {$number} in the year {‘Y’|date}

...would produce:

Sent to: 15555551234 in the year 2012

For a Smarty template syntax description, see "Smarty Template Syntax" on page 486.

14. When all fields are completed appropriately, click Save Changes. The Mobile Carrier List is updated with the changes.

Support Services

The Administration > Support Services page provides links to Dell Networking W-ClearPass Guest documentation, the application log, and Dell Customer Support contact information.
To view the logs for a different server when in a cluster, use the Server drop-down list above the table. To search for a particular log record, use the Keywords field above the table to enter search terms. You can use the hyphen character (-) in front of a keyword to exclude items, and you can use quotes (“ “) to group words as a key phrase. The Application Log lists the events, messages, and configuration changes for the past seven days.
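The Keywords field syntax above (a leading hyphen excludes a term, quotes group words into a phrase) is easy to get wrong when hunting through seven days of events. The following script, added as an example and not ClearPass Guest's own search implementation, applies those two rules to log lines held in memory and then uses the same search to count failed operator logins per source address, which is the question an administrator most often brings to this log. Case-insensitive substring matching is this example's assumption, and the log lines are constructed samples in a plausible shape, not real application-log output.

```python
"""Apply the Application Log keyword syntax to a list of log lines.

Added example, not ClearPass Guest code. Implements the two rules the
guide states for the Keywords field: "-term" excludes, and quotes group
words into one phrase. Matching is case-insensitive and substring based
(an assumption). Curly quotes are accepted and treated as straight ones.
"""
import shlex


def parse_query(query):
    """Split a Keywords entry into (include_terms, exclude_terms)."""
    query = query.replace("\u201c", '"').replace("\u201d", '"')
    include, exclude = [], []
    for token in shlex.split(query):          # shlex keeps "quoted phrases" together
        if token.startswith("-") and len(token) > 1:
            exclude.append(token[1:].lower())
        elif token:
            include.append(token.lower())
    return include, exclude


def search_log(lines, query):
    """Lines containing every include term and none of the exclude terms."""
    include, exclude = parse_query(query)
    hits = []
    for line in lines:
        text = line.lower()
        if all(term in text for term in include) and not any(term in text for term in exclude):
            hits.append(line)
    return hits


def failed_logins_by_source(lines):
    """Count failed operator logins per source address (a quick brute-force check).

    Relies on the constructed line shape below, where the source address
    follows the last " from "; adjust the split for a real log format.
    """
    counts = {}
    for line in search_log(lines, '"login failed"'):
        source = line.rsplit(" from ", 1)[-1]
        counts[source] = counts.get(source, 0) + 1
    return counts


# Constructed sample lines (not real W-ClearPass Guest output).
SAMPLE_LOG = [
    "2014-03-01 09:12:44 INFO  Operator login successful: admin from 192.0.2.10",
    "2014-03-01 09:13:02 WARN  Operator login failed: admin from 198.51.100.7",
    "2014-03-01 09:13:09 WARN  Operator login failed: admin from 198.51.100.7",
    "2014-03-01 09:20:15 INFO  Configuration changed: SOAP Web Services, WSDL Access enabled",
]
```

A query such as `"login failed" -192.0.2.10` keeps only failures that did not come from the trusted management address, the same filter you would type into the Keywords field.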
2. In the Format drop-down list, choose the format you want the file saved as. The available formats are HTML document (.html), Comma-Separated Values (.CSV), Tab-Separated Values (.tsv), Text file (.txt), and XML document (.xml). The default format is HTML. 3. In the Range drop-down list, select the range of pages to save. Options include the current page only, all pages starting from the current page, or all pages starting from the first page that matched any keyword or filter criteria you entered. 4.
Viewing Available Web Services To view the Web services available in Dell Networking W-ClearPass Guest: 1. Go to Administration > Web Services > List Web Services. The Available Web Services list view opens. 2. To view details for a service, click its image in the Web Service field. The row expands to include the Service URL and Service Info fields for that Web service. 3. The Service Info field briefly describes the processes this Web service provides.
4. When you have finished reviewing the available Web services, click Done. Configuring Web Services To configure the SOAP Web Services plugin: 1. Go to Administration > Web Services > Configure Web Services. The Configure Web Services form opens. 2. To allow operators to make WSDL requests without being logged in, mark the check box in the WSDL Access field. 3. Use the counter in the Maximum Request Size field to set the maximum size in kilobytes that will be allowed for a SOAP request. 4.
Audience This API is intended for developers of applications that must interoperate with a ClearPass Guest-based visitor management solution. Solution developers are assumed to be familiar with HTTP-based Web services and the associated concepts and technologies related to these services, including Extensible Markup Language (XML), XML Schemas, Web Service Definition Language (WSDL), and the Simple Object Access Protocol (SOAP).
- At the lowest level, the kernel provides basic functions common to the entire system. This includes the Web interface framework, appliance operating system, and runtime support services.
- The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the appliance.
- The services layer provides one or more implementations of application services that are used by the layers above.
Table 84: Fault Codes and Descriptions

Fault | Reason for Fault
Client.BadRequest | Request exceeds the maximum allowable size. Increase the maximum SOAP request size, or reduce the size of the request.
Client.Authentication | Invalid username or password. Check that the credentials supplied are correct.
Client.MethodNotFound | The SOAP method request was not found.
Client.Error | Another non-specific client error occurred. Check the for more details.
Server.
SOAP Debugging Select a higher level for the SOAP Debugging configuration option to log additional details to the application log. To access the application log, go to Administration > Plugin Manager > Application Log. At the highest debugging level of 4, every SOAP request and response will be logged including full HTTP headers and contents, which may be useful when trying to identify the exact cause of a problem.
After you have created a suitable operator profile, create the operator login. See "Local Operator Authentication" on page 446 and "External Operator Authentication" on page 447, or refer to the "Configuring LDAP Operator Logins" article on Arubapedia. Accessing the WSDL Use the List Web Services command link to browse the available Web services and obtain additional details about each one. 422 | Administration Dell Networking W-ClearPass Guest 6.
In the Web Service field, click the icon for GuestManager Web Services to view the Service URL and additional information about the service. If the "Allow anonymous access to WSDL" option is specified in the SOAP Web Services configuration, accessing the WSDL through the specified Service URL does not require logging in to the W-ClearPass Guest user interface. For more information, see "Configuring Web Services " on page 417.
The Add Service Reference dialog box appears. Enter the Service URL for the GuestManager Web Services into the Address box, and click the Go button. The WSDL is downloaded, and a list of the Web services and operations found is displayed. In the Namespace text field, type in a name. This name is used to organize the automatically generated code that interfaces with the Web service. Click the OK button to create the Web service reference.
Configuring HTTP Basic Authentication

Performing a simple API call, such as the “Ping” operation described in "Operations" on page 430, can be used to verify that the Web service is correctly configured and ready for use. Because the SOAP API requires HTTP Basic authentication, ensure that you have a suitable operator profile and operator login credentials, as explained in "Using the SOAP API" on page 420. Configuring the Web service reference to use authentication requires editing the app.
When invoked, this performs the Ping operation and displays the following output:

Securing Web Services Using HTTPS

Because HTTP Basic authentication is insecure, it is strongly recommended that the HTTPS transport be used for all SOAP API calls. To use HTTPS as the transport for SOAP API requests, the following changes should be made to the application configuration file:
- The mode attribute of the tag must be changed to “Transport”.
In a production environment, it is strongly recommended that you deploy an SSL certificate that is signed by a trusted root CA known to all parties, and use the built-in server certificate validation procedures. This will ensure the security of the transaction cannot be compromised by a man-in-the-middle attack.
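The two points made above, that Basic authentication only encodes the credentials and that HTTPS with certificate validation is what actually protects them, can be made concrete with a small client-side helper. The following Python is an added example, not code from the guide's .NET walkthrough or from the product: it builds the Authorization header and a SOAP 1.1 envelope for the Ping operation described under "Operations", refuses to prepare the call unless the Service URL is https, and parses a reply into the error flag (0 or 1) and message ("pong") the result types describe. The namespace, SOAPAction value, service path and result element names are placeholders; the real ones come from the WSDL published by List Web Services, and the sample response is constructed, not captured.

```python
"""Prepare a SOAP API call to ClearPass Guest the safe way.

Added example, not code from the product or the guide. Assumes only what
the page states: HTTP Basic authentication, HTTPS as the transport, and a
Ping operation whose result carries an error flag (0 or 1) and a message.
NAMESPACE, the SOAPAction value and the result element names are
placeholders to be replaced from the real WSDL.
"""
import base64
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
NAMESPACE = "urn:example:guestmanager"   # placeholder, read the real one from the WSDL


def transport_is_secure(service_url):
    """True only for https URLs; Basic credentials must never travel over plain http."""
    return urlparse(service_url).scheme.lower() == "https"


def basic_auth_header(username, password):
    """RFC 7617 value: base64 of 'user:password'. Encoding only, no secrecy."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_envelope(operation, fields=None, namespace=NAMESPACE):
    """Serialize a SOAP 1.1 envelope whose body carries one operation element."""
    ET.register_namespace("soap", SOAP_ENV)
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{namespace}}}{operation}")
    for name, value in (fields or {}).items():
        ET.SubElement(op, f"{{{namespace}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="unicode")


def prepare_request(service_url, username, password, operation, fields=None):
    """Return (headers, body) for the call, refusing an insecure transport.

    Send them with any HTTP client using ssl.create_default_context(), so the
    server certificate is validated against the trusted root CA.
    """
    if not transport_is_secure(service_url):
        raise ValueError("refusing to send Basic credentials over " + service_url)
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": f"{NAMESPACE}#{operation}",   # placeholder; take it from the WSDL
        "Authorization": basic_auth_header(username, password),
    }
    return headers, build_envelope(operation, fields)


def parse_result(xml_text):
    """Extract (error_flag, message) from a response; element names are assumed."""
    root = ET.fromstring(xml_text)
    flag_el = root.find(".//{*}error")
    msg_el = root.find(".//{*}message")
    flag = int(flag_el.text) if flag_el is not None and flag_el.text else 1
    if flag not in (0, 1):
        raise ValueError("error flag must be 0 or 1, got %d" % flag)
    message = (msg_el.text or "") if msg_el is not None else ""
    return flag, message


def verify_server_cert_context():
    """Default TLS context validates the chain and the hostname; never disable either."""
    ctx = ssl.create_default_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


# Constructed sample of a successful Ping reply (not captured from a server).
SAMPLE_PING_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <PingResponse xmlns="urn:example:guestmanager">
      <result><error>0</error><message>pong</message></result>
    </PingResponse>
  </soap:Body>
</soap:Envelope>"""
```

The base64 in the Authorization header is reversible by anyone who can read the request, which is why `prepare_request` will not build a call for an http:// Service URL at all; the same rule belongs in any client you generate from the WSDL.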
EmptyType
This type must be empty, that is, containing zero child elements.
- Example:

ErrorFlagType
The error flag indicates if the operation completed successfully. Only the values zero (0) and one (1) are supported.
- A successful operation is indicated with:
- A failed operation is indicated with:

IdResultType
Standard result type, with an optional element.
- Example:
- Example:

IdType
Specifies a user ID. The user ID is a positive integer value, starting at 1.
- Example of an unsuccessful operation:

UserResultType
Standard result type, with an optional element.
- Example of a successful operation:
- Example of an unsuccessful operation:

UserType
The User type defines a visitor account, which consists of a number of fields. The fields available may be customized in Guest Manager. Navigate to Guest Manager > Configuration > Fields to create new fields or modify existing fields.
Operations

CreateUser
Creates a new user account.
- The standard business logic for visitor account creation applies to visitor accounts created with the SOAP API. For details, refer to the section “Business logic for account creation” in the W-ClearPass Guest User Guide, or search for this term in the online help.
- The creator_accept_terms field must be set to the Boolean value “true” in order to create an account.
- A value for the role_id field must be specified to create a visitor account.
Example request for CreateUser:
Successful response:
Failure response:

DeleteUser
Deletes a user account by ID or matching fields
- This operation deletes a single visitor account that matches all of the field values specified in the user parameter.
- Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned and no visitor accounts will be deleted.
Example code implementing visitor account deletion:
Example request for DeleteUser:
Successful response:
Failure response:

EditUser
Modifies properties of a user account by ID.
- This operation modifies the properties of a visitor account to match the field values specified in the user parameter.
- The id field must be specified to indicate the ID of the visitor account to modify. This field is assigned by the system when the visitor account is created and cannot be changed.
Example code implementing visitor account modification:
Example request for EditUser:
Successful response:
Failure response:

FindUser
Returns properties of a user account by matching fields.
- This operation locates a single visitor account that matches all of the field values specified in the user parameter.
- Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned.
- If a visitor account was found, its properties will be returned in the element of the result.
Example code implementing search for a visitor account based on a username.
Failure response:

GetUser
Returns properties of a user account by ID.
- Returns a element corresponding to the visitor account with the specified ID.
- If the specified ID is invalid, no element is returned and the flag is set to 1.
Example code implementing a guest lookup operation:
Example request for GetUser:
Successful response:
Failure response -- for example, user ID not found:

Ping
Checks that the SOAP server is alive.
- Returns a standard result type with the message set to "pong".
Example code implementing a Ping test operation.
Example request for Ping:
Successful response:
Chapter 8 Operator Logins

An operator is a company’s staff member who is able to log in to Dell Networking W-ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the ClearPass Guest network, manage guests, or run reports. Operators may be defined locally in ClearPass Guest, or externally in an LDAP directory server.
Two types of operator logins are supported: local operators and operators who are defined externally in your company’s directory server. Both types of operators use the same login screen. Role-Based Access Control for Multiple Operator Profiles Using the operator profile editor, the forms and views used in the application may be customized for a specific operator profile, which enables advanced behaviors to be implemented as part of the role-based access control model.
The fields in the first area of the form identify the operator profile and capture any optional information:
1. You must enter a name for this profile in the Name field.
2. (Optional) You may enter additional information about the profile in the Description field.

The fields in the Access area of the form define permissions for the operator profile:
1. In the Enabled row, the Allow Operator Logins check box is selected by default. To disable a profile, unmark the Allow Operator Logins check box.
If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account. The guest account list is also filtered to show only guest accounts with these roles. If a database is selected in the User Roles list, but no roles within that database are selected, then all roles defined in the database will be available. This is the default option. 4. The Operator Filter may be set to limit the types of accounts that can be viewed by operators.
Table 86: Operators supported in filters

Operator | Meaning
= | is equal to
!= | is not equal to
> | is greater than
>= | is greater than or equal to
< | is less than
<= | is less than or equal to
~ | matches the regular expression
!~ | does not match the regular expression

Additional Information

You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character (|).
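Because the Operator Filter decides which guest accounts an operator can see at all, it is worth being able to test a filter against sample accounts before assigning it to a profile. The evaluator below is an added example, not ClearPass Guest's own filter engine: it supports the eight operators in Table 86 and the pipe-separated value list for = and !=. The page does not show the full filter grammar, so the line form used here, one "field operator value" condition per line with every line required to match, is this example's own convention, and the accounts are constructed samples.

```python
"""Evaluate an operator filter against visitor accounts.

Added example, not ClearPass Guest code. Supports the operators in
Table 86 (=, !=, >, >=, <, <=, ~, !~) and "a|b" value lists for = and !=.
The one-condition-per-line form and the AND of all lines are this
example's own convention.
"""
import re

# field, operator, value; longer operators are listed first so "!=" is not read as "!" "="
_CONDITION = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(!=|>=|<=|!~|=|>|<|~)\s*(.*?)\s*$")


def parse_filter(filter_text):
    """Return a list of (field, operator, value) tuples, one per non-blank line."""
    conditions = []
    for line in filter_text.splitlines():
        if not line.strip():
            continue
        match = _CONDITION.match(line)
        if not match:
            raise ValueError("unparseable filter line: " + line)
        conditions.append(match.groups())
    return conditions


def _ordered(actual, op, expected):
    """Numeric comparison when both sides parse as numbers, string comparison otherwise."""
    try:
        left, right = float(actual), float(expected)
    except (TypeError, ValueError):
        left, right = str(actual), str(expected)
    return {">": left > right, ">=": left >= right, "<": left < right, "<=": left <= right}[op]


def matches(account, filter_text):
    """True when every condition in the filter holds for the account dict."""
    for field, op, value in parse_filter(filter_text):
        actual = account.get(field)
        actual_s = "" if actual is None else str(actual)
        if op in ("=", "!="):
            hit = actual_s in value.split("|")           # multiple values via |
            if hit != (op == "="):
                return False
        elif op in ("~", "!~"):
            # The pattern is set by an administrator in the operator profile;
            # guest-supplied text should never be used as a pattern.
            hit = re.search(value, actual_s) is not None
            if hit != (op == "~"):
                return False
        else:
            if actual is None or not _ordered(actual, op, value):
                return False
    return True


def visible_accounts(accounts, filter_text):
    """The subset of accounts an operator with this filter may see."""
    return [a for a in accounts if matches(a, filter_text)]


# Constructed sample accounts using a few common Guest Manager field names.
ACCOUNTS = [
    {"username": "guest1", "role_id": 2, "sponsor_name": "alice", "email": "g1@example.com"},
    {"username": "guest2", "role_id": 3, "sponsor_name": "bob", "email": "g2@example.org"},
    {"username": "contractor7", "role_id": 2, "sponsor_name": "alice", "email": "c7@example.com"},
]
```

Running a candidate filter through `visible_accounts` on a copy of real account data shows exactly which rows a help-desk profile would be able to list, which is the least-privilege check to make before the profile goes live.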
3. (Optional) In the Language row, the default setting is Auto-detect. This lets the application determine the operator’s language preference from their local system settings. To specify a particular language to use in the application, choose the language from the drop-down list. 4. (Optional) In the Time Zone row, the Default setting indicates that the operator’s time zone will default to the system’s currently configured time zone. You can use the drop-down list to specify a particular time zone. 5.
Custom access allows you to choose individual permissions within each group.
3. In the Account Limit field, specify an appropriate value. This is the maximum number of personal devices that an operator with this profile can create. 4. Click Save Changes. You can create a set of operator profiles and configure each profile with a different account limit. This makes it easy to assign operator profiles appropriately for small groups, larger groups, or events.
External Operator Authentication Operators defined externally in your company’s directory server form the second type of operator. Authentication of the operator is performed using LDAP directory server operations. The attributes stored for an authenticated operator are used to determine what operator profile should be used for that user.
To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname/ or ldap://hostname:port/. See "Advanced LDAP URL Syntax" on page 450 for more details about the types of LDAP URL you may specify. This form allows you to specify the type of LDAP server your system will use.
Server Type: Required Configuration Parameters
- Bind Password: The password to use when binding to the LDAP server. Leave this field blank to use an anonymous bind. An anonymous bind only works if the directory permits anonymous searches of the user entries; a dedicated, read-only bind account is the usual choice.
- Base DN: The Distinguished Name to use for the LDAP search.
- Unique ID: The name of an LDAP attribute used to match the username.
- Filter: Additional LDAP filter terms applied to the search.
- Attributes: List of LDAP attributes to retrieve, or leave blank to retrieve all attributes (default).
Advanced LDAP URL Syntax For Microsoft Active Directory, the LDAP server connection will use a default distinguished name of the form dc=domain,dc=com, where the domain name components are taken from the bind username. To specify a different organizational unit within the directory, include a distinguished name in the LDAP server URL, using a format such as: ldap://192.0.2.1/ou=IT%20Services,ou=Departments,dc=server,dc=com (characters such as spaces in the DN must be percent-encoded, as in %20). To specify a secure connection over SSL/TLS, use the prefix ldaps://. With the plain ldap:// prefix the bind credentials and every search are sent in cleartext, so ldaps:// is the appropriate choice outside a lab.
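The URL forms above, worked through in Python as an added example (not the product's code): deriving the Active Directory default base DN from a UPN-style bind username, building a URL with a percent-encoded DN, and parsing a URL back so the scheme can be checked before the appliance is pointed at it. The assumption that the bind username is given as user@domain, and the default ports 389 and 636, are this example's, not the page's.

```python
from urllib.parse import urlsplit, quote, unquote


def default_base_dn(bind_username):
    """dc=... components from the domain part of a user@domain bind username (assumed form)."""
    if "@" not in bind_username:
        raise ValueError("bind username must be user@domain to derive a base DN")
    domain = bind_username.rsplit("@", 1)[1].lower().strip(".")
    return ",".join(f"dc={label}" for label in domain.split("."))


def build_ldap_url(host, base_dn=None, port=None, secure=True):
    """ldap(s)://host[:port]/[dn], percent-encoding the DN as in the page's ou=IT%20Services example."""
    scheme = "ldaps" if secure else "ldap"
    netloc = f"[{host}]" if ":" in host else host      # bracket IPv6 literals
    if port:
        netloc += f":{port}"
    path = "/" + (quote(base_dn, safe="=,") if base_dn else "")
    return f"{scheme}://{netloc}{path}"


def parse_ldap_url(url):
    """Break a server URL into parts; 'encrypted' is the field to check before saving the config."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    default_port = 636 if parts.scheme == "ldaps" else 389   # assumed defaults
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or default_port,
        "base_dn": unquote(parts.path.lstrip("/")) or None,
        "encrypted": parts.scheme == "ldaps",
    }
```

A deployment check that reads the configured server URLs and refuses any where parse_ldap_url(url)["encrypted"] is False catches the cleartext case before an operator's directory password crosses the network.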
LDAP Operator Server Troubleshooting You can use the LDAP Operator Servers list to troubleshoot network connectivity, operator authentication, and to look up operator usernames. Testing Connectivity To test network connectivity between an LDAP server and the ClearPass Guest server, click the Ping link in the server’s row. The results of the test appear below the server entry in the LDAP server table. Testing Operator Login Authentication 1.
2. In the Lookup field, enter a lookup value. This can be an exact username, or you can include wildcards. If you use wildcards, the search might return multiple values. 3. In the Search Mode field, use the drop-down list to specify whether to search for an exact match or use wildcard values. 4. (Optional) Click the Advanced check box to display detailed authorization information for the specified sponsor. 5.
LDAP translation rules specify how to determine operator profiles based on LDAP attributes for an authenticated operator. To create a new LDAP translation rule: 1. Go to Administration > Operator Logins > Translation Rules, then click the Create new translation rule link. The Edit Translation Rule form opens. 2. In the Name field, enter a self-explanatory name for the translation rule. In the example above, the translation rule is to check that the user is an administrator, hence the name MatchAdmin. 3.
- Assign attribute’s value to operator field – uses the value of the attribute as the value for an operator field. This option can be used to store operator configuration details in the directory.
- Assign custom value to operator field – uses a template to assign a value to a specific operator field. If you choose this option, the form expands to include the Custom text box for you to enter your custom template code. See "Custom LDAP Translation Processing" on page 454.
Table 89: Template Variables
Variable   Description
$attr      The name of the LDAP attribute that was matched.
$user      Contains settings for the operator, including all LDAP attributes returned from the server.
For a Smarty template syntax description, see "Smarty Template Syntax" on page 486. These may be used to make programmatic decisions based on the LDAP attribute values available at login time.
Explanation: The rule will always match on the “memberof” attribute that contains the user’s list of groups. The operator field “enabled” will determine if the user is permitted to log in or not. The custom template uses the {strip} block function to remove any whitespace, which makes the contents of the template easier to understand.
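The MatchAdmin template itself is not reproduced on the page, so the following Python model is an added example rather than the product's translation engine. It plays the three rule types through in order: assign the attribute's value to an operator field, set a profile, and compute a custom value (here, the "enabled" decision from memberof). The directory entry, the group DNs, and the ordering assumption (first rule that sets a profile wins, so list the most privileged first) are this example's own.

```python
import re

# Constructed attribute set for an authenticated operator (the page's $user); not a real directory entry.
USER = {
    "samaccountname": "jdoe",
    "mail": "jdoe@corp.example.com",
    "memberof": [
        "CN=Helpdesk,OU=Groups,DC=corp,DC=example,DC=com",
        "CN=Guest Admins,OU=Groups,DC=corp,DC=example,DC=com",
    ],
}

# Assumed group DN that is allowed to log in as an operator.
ADMIN_GROUPS = {"cn=guest admins,ou=groups,dc=corp,dc=example,dc=com"}


def attr_values(user, name):
    """LDAP attributes may be single- or multi-valued; always return a list."""
    value = user.get(name.lower(), [])
    return value if isinstance(value, list) else [value]


def enabled_if_admin(attr, user):
    """Custom-value rule: enable the operator only when a complete group DN is an admin group."""
    groups = {g.lower() for g in attr_values(user, attr)}
    return {"enabled": bool(groups & ADMIN_GROUPS)}


# Rules evaluated top to bottom. "match" is a regex an attribute value must satisfy.
# Anchoring on "^CN=...,OU=Groups," keeps "CN=Guest Admins Readonly,..." from matching.
RULES = [
    {"attr": "memberof", "match": r"^CN=Guest Admins,OU=Groups,", "profile": "Administrator"},
    {"attr": "memberof", "match": r"^CN=Helpdesk,OU=Groups,", "profile": "Help Desk"},
    {"attr": "mail", "match": r"@", "copy_to": "email"},               # attribute's value -> operator field
    {"attr": "memberof", "match": r".", "custom": enabled_if_admin},   # custom value -> operator field
]


def apply_rules(user, rules):
    operator = {"enabled": False, "profile": None}   # deny by default; a rule must grant access
    for rule in rules:
        hits = [v for v in attr_values(user, rule["attr"]) if re.search(rule["match"], v, re.IGNORECASE)]
        if not hits:
            continue
        if "copy_to" in rule:
            operator[rule["copy_to"]] = hits[0]
        if "profile" in rule and operator["profile"] is None:
            operator["profile"] = rule["profile"]
        if "custom" in rule:
            operator.update(rule["custom"](rule["attr"], user))
    return operator
```

A user who is only in the Helpdesk group gets the Help Desk profile but stays disabled, because nothing in the admin rule granted access; a user with no memberof at all gets neither a profile nor access.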
{if $current_language == 'da'}
{* Danish: "Enter your username and password to access W-ClearPass Guest. Contact Airwire (Norden) to obtain demo access." *}
Indtast brugernavn og password for at
få adgang til W-ClearPass Guest
Kontakt Airwire (Norden) for at få demoadgang
{elseif $current_language == 'es'}
{* Spanish: "To enter the W-ClearPass Guest web demo you need a username and password. If you do not have a login, you can obtain one by contacting Dell." *}
Para entrar en el web demo de W-ClearPass Guest,
necesitas un nombre y contraseña.
Si no tienes un login, puedes obtener uno
contactando con Dell.
{/if}
Automatic Logout The Logout After option in the Advanced Options section lets you configure an amount of idle time after which an operator’s session will be ended. The value for Logout After should be specified in hours. You can use fractional numbers for values less than an hour; for example, use 0.25 to specify a 15 minute idle timeout. 458 | Operator Logins Dell Networking W-ClearPass Guest 6.
Chapter 9 The XML-RPC Interface and API This chapter describes the XML-RPC interface available to third-party applications that will integrate with the Dell Networking W-ClearPass Guest Visitor Management Appliance. Audience:
- Developers of integrated applications. Some familiarity with HTTP based web services and XML-RPC is assumed.
- System administrators of the W-ClearPass Guest application.
System Requirements:
- W-ClearPass Guest 6.1.
At the lowest level, the kernel provides basic functions common to the entire system. This includes the Web interface framework, appliance operating system, and runtime support services. The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the VMA. The services layer provides one or more implementations of application services that are used by the layers above.
Parameter Names The parameter names passed to the XML-RPC interface are the same as the field names in the HTML user interface. Parameter Validation Each field of the forms in the HTML user interface is subject to validation according to the rules defined for that field. The same rules also apply to XML-RPC parameters. If a required field is missing, or an invalid value for a field is supplied, an error is generated by the presentation layer and returned to the XML-RPC client.
Table 91: XML-RPC Faults
Name          Type      Description
error         Flag      Set to 1 for an XML-RPC Fault
faultCode     Integer   Status code indicating the cause of the fault
faultString   String    Description of the fault
This type of return might appear as:
'error' => 1,
'faultCode' => 401,
'faultString' => 'Invalid username or password',
These are the predefined XML-RPC Fault codes:
Table 92: XML-RPC Fault Codes
Code   Description
401    Authentication problem -- invalid username or password
404    File implementation of XML-
7. Click Save Changes. The profile is added to the Operator Profiles list. Creating the Role After you create the profile, the next step is to create the role: 1. In ClearPass Policy Manager, go to Configuration > Identity > Roles and click the Add User link. The Add New Role form opens. 2. Enter a name and description that clearly identify the role. 3. Click Save. The role is added to the Roles list. Creating the Local User After you create the role, you create the local user: 1.
2. In the Role drop-down list, choose the XML-RPC Operator role you created. 3. Complete the rest of the fields appropriately, then click Add. The new XML-RPC operator is added to the Local Users list. Creating the Translation Rule After you have created the profile, role, and local user (operator), create a translation rule to map the role name to the operator profile. 1. In ClearPass Guest, go to Administration > Operator Logins > Translation Rules and click the Create new translation rule link.
- at https://amigopod/xmlrpc.php
SSL Security Different levels of certificate validation checks may be necessary, depending on the SSL certificate that has been installed. This corresponds to the user interface provided by Web browsers for certificate trust and verification. The examples presented in this document assume a self-signed certificate has been installed, and reduce the level of SSL verification accordingly. Reducing verification to nothing leaves the operator credentials open to anyone who can redirect the connection; with a self-signed certificate the safer approach is to export that certificate from the appliance and configure the client to trust only it.
- "Method amigopod.guest.reset.password" on page 475
- "Method amigopod.mac.create" on page 476
- "Method amigopod.mac.edit" on page 478
- "Method amigopod.mac.list" on page 480
Method amigopod.guest.change.expiration Change the expiration time of a guest account.
'user_enabled' => '', 'guestaccountexpiry_error' => 'Please choose from one of these options.', 'guestaccountexpiry_error_flag' => 1, 'error' => 1,
Method amigopod.guest.create Create a new guest account.
Parameters
Name              Type     Description
sponsor_name      String   Name of the person sponsoring the guest account.
visitor_name      String   Name of the visitor.
visitor_company   String   Company name of the visitor.
email             String   The visitor's email address.
Example Usage Sample parameters for the call: 'sponsor_name' => 'Sponsor Name', 'visitor_name' => 'Visitor Name', 'visitor_company' => 'Visitor Company', 'email' => 'demo@example.com', 'expire_after' => 4, 'expire_time' => '', 'role_id' => 2, 'visitor_phone' => '0', 'creator_accept_terms' => 1, Result returned by a successful operation: 'username' => 'demo@example.
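The call above, worked as an added Python client example (not code from the guide or the appliance): it pins the appliance's self-signed certificate instead of disabling verification, encodes the amigopod.guest.create parameters exactly as they go on the wire, and classifies the three kinds of result the chapter describes (an authentication fault with faultCode, a validation failure with *_error_flag fields, and success). The endpoint name is the one the page gives; how the operator credential is presented to xmlrpc.php is not shown on the page and is left out here.

```python
import ssl
import xmlrpc.client

ENDPOINT = "https://amigopod/xmlrpc.php"   # endpoint named on the page

# Sample parameters for amigopod.guest.create, as listed on the page
CREATE_PARAMS = {
    "sponsor_name": "Sponsor Name",
    "visitor_name": "Visitor Name",
    "visitor_company": "Visitor Company",
    "email": "demo@example.com",
    "expire_after": 4,
    "expire_time": "",
    "role_id": 2,
    "visitor_phone": "0",
    "creator_accept_terms": 1,
}


def make_server(url=ENDPOINT, cafile=None):
    """ServerProxy that verifies the server certificate. For a self-signed appliance
    certificate, pass its exported PEM as cafile so only that certificate is trusted."""
    ctx = ssl.create_default_context(cafile=cafile)
    return xmlrpc.client.ServerProxy(url, context=ctx)


def encode_call(method, params):
    """The request body as sent: one struct parameter, as all the page's examples use."""
    return xmlrpc.client.dumps((params,), methodname=method)


def decode_call(xml):
    """Inverse of encode_call; useful when checking what a client actually sends."""
    (params,), method = xmlrpc.client.loads(xml)
    return method, params


def interpret(result):
    """Classify a result struct by the page's conventions (error flag, faultCode, *_error_flag)."""
    if result.get("error"):
        if "faultCode" in result:
            return {"status": "fault", "code": result["faultCode"],
                    "message": result.get("faultString", "")}
        fields = sorted(k[: -len("_error_flag")] for k, v in result.items()
                        if k.endswith("_error_flag") and v)
        return {"status": "invalid", "fields": fields,
                "messages": {f: result.get(f + "_error", "") for f in fields}}
    return {"status": "ok", "username": result.get("username")}


def call(server, method, params):
    """Invoke a method and normalise both ways a failure can arrive: as a struct
    with error => 1, or as a protocol-level XML-RPC fault."""
    try:
        return interpret(getattr(server, method)(params))
    except xmlrpc.client.Fault as f:
        return {"status": "fault", "code": f.faultCode, "message": f.faultString}
```

Usage against a live appliance would be call(make_server(cafile="appliance.pem"), "amigopod.guest.create", CREATE_PARAMS); the functions below it run offline and are what the checks exercise.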
Parameters
Name             Type      Description
uid              Integer   ID of the guest account to delete
delete_account   Flag      Set to 0 to disable the guest account, 1 to delete the guest account
Return Values This function might return a Boolean false value if some input parameters are invalid.
'delete_account_error_flag' => 1, 'error' => 1,
Method amigopod.guest.edit Change one or more properties of a guest account.
Return Values
Name          Type      Description
error         Flag      Set to 1 if the guest account was not modified
message       String    Message describing the success or failure of the operation
item          Struct    User structure containing updated field values
uid           Integer   ID of the guest account
*_error       String    Field-specific error message
*_error_flag  Flag      Field-specific error flag, set to 1 if present
Access Control Requires the full_user_control privilege (Guest Manager > Full User Control in the Operator Profile Edit
'password_value' => '', 'schedule_time' => '', 'expire_time' => '', 'user_enabled' => '', 'username_error' => 'You cannot leave this field blank.
Access Control Requires the remove_account privilege (Guest Manager > Remove Accounts in the Operator Profile Editor). Example Usage Sample parameters for the call: 'uid' => '162', Sample successful call: 'error' => 0, 'message' => 'Guest account has been re-enabled', 'item' => array ( 'id' => 162, 'enabled' => 1, 'username' => '', ), Sample failed call: 'error' => 1, 'message' => 'Account not found: ID 162', Method amigopod.guest.get List one or more guest accounts.
'id' => array ( 0 => 150, 1 => 162, ), 'users' => array ( 0 => array ( 'id' => '150', 'username' => '44454318', 'enabled' => '1', 'role_id' => '2', 'email' => '', 'notes' => 'GuestManager account 22 of 30 created by root from 192.168.2.3', 'do_expire' => '0', 'expire_time' => '', 'simultaneous_use' => '1', 'expire_postlogin' => '0', 'do_schedule' => '0', 'schedule_time' => '', 'ip_address' => '', 'netmask' => '', ), 1 => array ( 'id' => '162', 'username' => 'demo@example.
Parameters
Name      Type    Description
details   Flag    Optional parameter; if set to 1 then full details of all guest accounts are returned, otherwise only the IDs are returned
Return Values
Name      Type    Description
ids       Array   Array of guest account IDs (if details was 0)
users     Array   Array of guest account structures (if details was 1)
Access Control Requires the guest_users privilege (Guest Manager > List Guest Accounts in the Operator Profile Editor).
Name          Type     Description
message       String   Message describing the success or failure of the operation
item          Struct   User structure containing updated field values
*_error       String   Field-specific error message
*_error_flag  Flag     Field-specific error flag, set to 1 if present
Access Control Requires the reset_password privilege (Guest Manager > Reset Password in the Operator Profile Editor).
Name                   Type      Description
expire_time            String    Optional date and time at which the device account will expire.
role_id                Integer   RADIUS role ID to assign to the device account.
creator_accept_terms   Flag      Set to 1 to indicate acceptance of the service's terms of use.
*                      *         Other fields as specified by create_user form customization.
'do_expire' => 4, 'expire_postlogin' => 0, 'sponsor_name' => 'Sponsor Name', 'visitor_name' => 'Visitor Name', 'visitor_company' => 'Visitor Company', 'email' => 'demo@example.com', 'creator_accept_terms' => true, 'id' => 1,
Result returned by a failed operation: 'password' => '78342029', 'expire_time' => '', 'submit' => '', 'sponsor_name_error' => 'You cannot leave this field blank.', 'sponsor_name_error_flag' => 1, 'visitor_name_error' => 'You cannot leave this field blank.
Name               Type      Description
                             device account
enabled            Flag      Boolean value indicating whether the device account is enabled
simultaneous_use   Integer   Number of simultaneous sessions allowed by the device account
do_schedule        Flag      Flag indicating if the device account should be enabled at schedule_time
schedule_time      String    Date and time at which the device account will be enabled
do_expire          Integer   Action to take when the expire_time is reached
expire_time        String    Time at which the device account will e
'do_schedule' => 0, 'schedule_time' => '', 'do_expire' => 4, 'expire_time' => '2014-12-01 00:00:00', 'expire_postlogin' => 0, Sample successful call: 'error' => 0, 'message' => 'Edited properties of guest account demo@example.com', 'item' => array ( 'id' => 162, 'username' => 'demo@example.
Parameters
Name      Type    Description
details   Flag    Optional parameter; if set to 1 then full details of all device accounts are returned, otherwise only the IDs are returned.
Return Values
Name      Type    Description
ids       Array   Array of device account IDs (if details was 0).
users     Array   Array of device account structures (if details was 1).
Access Control Requires the mac_list privilege (Guest Manager > List MAC Authentication Accounts in the Operator Profile Editor).
Chapter 10 Reference This chapter includes the following sections:
- "Basic HTML Syntax" on page 483
- "Standard HTML Styles" on page 484
- "Smarty Template Syntax" on page 486
- "Date/Time Format Syntax" on page 501
- "Programmer’s Reference" on page 504
- "Field, Form, and View Reference" on page 509
- "LDAP Standard Attributes for User Class" on page 529
- "Regular Expressions" on page 530
Basic HTML Syntax Dell Networking W-ClearPass Guest allows different parts of the user interface to
[Basic HTML Syntax table (Item / HTML Syntax): list item text; bold and italic text, each with an equivalent syntax; underlined text; text shown in a fixed-width font; formatting that uses CSS; formatting that uses a predefined style; and a hypertext link with text to click on. The HTML markup column is not recoverable from this copy.]
Table 95: Formatting Classes
Class Name   Applies To     Description
nwaIndent    Tables         Indent style used in tables
nwaLayout    Tables         Used when you want to lay out material in a table without the material looking as if it is in a table; in other words, without borders
nwaContent   Tables         Class used for a standard table with borders
nwaTop       Table Header   Table heading at top
nwaLeft      Table Header   Left column of table
nwaRight     Table Header   Right column of table
nwaBottom    Table Header   Table heading at
Smarty Template Syntax Dell Networking W-ClearPass Guest’s user interface is built using the Smarty template engine. This template system separates the program logic and visual elements, enabling powerful yet flexible applications to be built. When customizing template code that is used within the user interface, you have the option of using Smarty template syntax within the template. Using the programming features built into Smarty, you can add your own logic to the template.
The condition tested in the {if} … {/if} block should be a valid PHP expression. The {else} tag does not require a closing tag. Script Blocks The brace characters { and } are specially handled by the Smarty template engine.
Modifiers Smarty provides modifiers that can be used to gain greater control over the formatting of data. Modifiers can be included by following a variable with a vertical bar | and the name of the modifier. Any arguments to the modifier can be specified using a colon : followed by the arguments.
The contents of the variable are printed in a preformatted text block. Use the attribute “export=1” to use PHP’s var_export() format, or omit this attribute to get the default behavior – PHP’s var_dump() format. Use the attribute “html=1” to escape any HTML special characters in the content. This can also be done with attribute “export=html”, and is recommended for use in most situations (so that any embedded HTML is not interpreted by the browser).
- The “text” parameter is the text to display next to the icon. This will also be used as the alternate text (that is, a tooltip) for the icon image.
- The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image.
- The “onclick” parameter, if specified, provides the contents for the onclick attribute of the link.
The “struct” parameter, if specified, uses a standard result type. If the “error” key is set and non-zero, the “type” parameter is set to the value error, and the “message” key is converted to an HTML formatted error message for display. nwa_quotejs {nwa_quotejs} … {/nwa_quotejs} Smarty registered block function. Quotes its content in a string format suitable for use in JavaScript. This function also translates UTF-8 sequences into the corresponding JavaScript Unicode escape sequence (\uXXXX). Usage example
The methods that are available for use with this function are listed below. The $criteria array consists of one or more criteria on which to perform a database search. The array is used for advanced cases where pre-defined helper functions do not provide required flexibility. ChangeToRole() ChangeToRole($username, $role_name) Changes the RADIUS role assigned to the user.
GetCallingStationTraffic() GetCallingStationTraffic($callingstationid, $from_time, $to_time = null, $in_out = null, $mac_format = null) Calculate sum of traffic counters in a time interval. Sessions are summed if they have the same Calling-Station-Id attribute as that specified in the RADIUS Access-Request. If no Calling-Station-Id attribute was included in the request, returns zero.
'nasporttype' => '', 'calledstationid' => '', 'callingstationid' => '', 'acctstarttime' => '1249258943', 'connectinfo_start' => '', 'acctstoptime' => NULL, 'connectinfo_stop' => NULL, 'acctsessiontime' => 0, 'acctinputoctets' => 0, 'acctoutputoctets' => 0, 'acctterminatecause' => NULL, 'servicetype' => '', 'framedipaddress' => '192.168.2.
Specifying an empty value for the IP address (such as null, false, or empty string) also causes the current client IP address to be used. See "GetTraffic()" on page 496 for details on how to specify the time interval. GetSessions() GetSessions($criteria, $from_time, $to_time = null) Calculate the number of sessions from accounting records in the database. This is a multi-purpose function that has a very flexible query interface.
If $to_time is not specified, $from_time is a “look back” time, that is, the time interval in seconds before the current time. If $to_time is specified, the interval considered is between $from_time and $to_time. Returns the total session time for all matching accounting records in the time interval specified. GetTraffic() GetTraffic($criteria, $from_time, $to_time = null, $in_out = null) Calculate the sum of traffic counters for accounting records in the database.
GetUserSessions() GetUserSessions($username, $from_time, $to_time = null) Calculate the number of sessions for accounting records matching a specific user-name. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute). See "GetTraffic()" on page 496 for details on how to specify the time interval. GetUserTime() GetUserTime($username, $from_time, $to_time = null) Calculate sum of session times in a specified time interval.
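The accounting helpers above share one convention for the time interval: without $to_time, $from_time is a look-back in seconds; with it, the two values bound the interval. The Python below is an added model of that convention and of the Calling-Station-Id matching, written for this page and not the appliance's own implementation. The accounting rows are constructed; the in/out selector values "in" and "out", the choice to place a session in the interval by its start time, and the MAC normalisation are assumptions.

```python
import time

# Constructed RADIUS accounting rows in the column layout the page shows (subset of columns).
RECORDS = [
    {"username": "demo@example.com", "callingstationid": "00-11-22-33-44-55",
     "acctstarttime": 1000, "acctstoptime": 1600, "acctsessiontime": 600,
     "acctinputoctets": 1500, "acctoutputoctets": 9000},
    {"username": "demo@example.com", "callingstationid": "00:11:22:33:44:55",
     "acctstarttime": 2000, "acctstoptime": None, "acctsessiontime": 0,      # still active
     "acctinputoctets": 200, "acctoutputoctets": 800},
    {"username": "44454318", "callingstationid": "aa-bb-cc-dd-ee-ff",
     "acctstarttime": 500, "acctstoptime": 900, "acctsessiontime": 400,
     "acctinputoctets": 5000, "acctoutputoctets": 100},
]


def normalize_mac(mac):
    """Canonical hex so 00-11-22-... and 00:11:22:... are the same station ($mac_format on the page)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def interval(from_time, to_time=None, now=None):
    """Page semantics: with no to_time, from_time is a look-back in seconds before now."""
    now = time.time() if now is None else now
    if to_time is None:
        return now - from_time, now
    return from_time, to_time


def _matches(record, criteria):
    for column, wanted in criteria.items():
        have = record.get(column)
        if column == "callingstationid" and have:
            have, wanted = normalize_mac(have), normalize_mac(wanted)
        if have != wanted:
            return False
    return True


def select_records(criteria, from_time, to_time=None, now=None, records=RECORDS):
    """$criteria is a column -> value map; a session counts if it started inside the interval."""
    start, end = interval(from_time, to_time, now)
    return [r for r in records if start <= r["acctstarttime"] <= end and _matches(r, criteria)]


def get_traffic(criteria, from_time, to_time=None, in_out=None, now=None):
    total = 0
    for r in select_records(criteria, from_time, to_time, now):
        if in_out in (None, "in"):
            total += r["acctinputoctets"]
        if in_out in (None, "out"):
            total += r["acctoutputoctets"]
    return total


def get_sessions(criteria, from_time, to_time=None, now=None):
    return len(select_records(criteria, from_time, to_time, now))


def get_user_sessions(username, from_time, to_time=None, now=None):
    return get_sessions({"username": username}, from_time, to_time, now)


def get_user_time(username, from_time, to_time=None, now=None):
    return sum(r["acctsessiontime"] for r in select_records({"username": username}, from_time, to_time, now))


def get_calling_station_traffic(callingstationid, from_time, to_time=None, in_out=None, now=None):
    if not callingstationid:          # page: no Calling-Station-Id in the request returns zero
        return 0
    return get_traffic({"callingstationid": callingstationid}, from_time, to_time, in_out, now)
```

The now parameter exists so the interval arithmetic can be checked against fixed timestamps; a quota check in a real template would leave it at its default.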
The “id” parameter is the ID of the HTML element to which you will add ‘bling’ effects. The “type” parameter is the kind of bling desired:
- “fade”: element smoothly fades in and out
- “blink”: element blinks slowly
nwa_makeid {nwa_makeid …} Smarty registered template function. Creates a unique identifier and assigns it to a named page variable. Identifiers are unique for a given page instantiation.
- expanded – All L1 items have L2 items, L3 only when L2 active
- all-expanded – All items shown to L3
The “reset” parameter may be specified to clear any existing navigation settings. Usage example:
{nwa_nav block=level1_active}
- @a@
{/nwa_nav}
{nwa_nav block=level1_inactive}
- @a@
{/nwa_nav}
...
If none of the above is specified, the default is the same as specifying the ‘page’ parameter with the current script name as argument (that is, the current page). Specifying the output:
- The ‘notfound’ parameter specifies the return value, if the plugin was not found (default is the empty string).
- The ‘output’ parameter specifies the metadata field to return. If ‘output’ is not specified, the default is ‘output=id’; that is, the plugin ID is returned.
Smarty template function.
Table 98: Date and Time Formats
Preset Name   Date/Time Format           Example
hhmmss        %H%M%S                     141345
hh:mm:ss      %H:%M:%S                   14:13:45
iso8601       %Y%m%d                     20080407
iso8601t      %Y%m%d%H%M%S               20080407141345
iso-8601      %Y-%m-%d                   2008-04-07
iso-8601t     %Y-%m-%d %H:%M:%S          2008-04-07 14:13:45
longdate      %A, %d %B %Y, %I:%M %p     Monday, 07 April 2008, 2:13 PM
rfc822        %a, %d %b %Y %H:%M:%S %Z   Mon, 07 Apr 2008 14:13:45 EST
displaytime   %l:%M %p                   2:13 PM
recent        –                          2 minutes ago
The % items on the right hand side are the same
The other formats accepted for this modifier are the same as those described for the nwadateformat modifier. See "nwadateformat Modifier" on page 501.
Format   Result
%y       Year as a decimal number without the century (00 to 99)
%Y       Year as a decimal number
%%       A literal % character
Programmer’s Reference This section describes the following:
- "NwaAlnumPassword" on page 504
- "NwaBoolFormat" on page 504
- "NwaByteFormat" on page 505
- "NwaByteFormatBase10" on page 505
- "NwaComplexPassword" on page 505
- "NwaCsvCache" on page 505
- "NwaDigitsPassword($len)" on page 505
- "NwaDynamicLoad" on page 505
- "NwaGeneratePictureString" on page
l If a string containing a “|” character, the string is split at this separator and used as the values for false and true respectively. l If an array, the 0 and 1 index values are used for false and true values. l Otherwise, the string values “true” and “false” are returned. NwaByteFormat NwaByteFormat($bytes, $unknown = null) Formats a non-negative size in bytes as a human readable number (bytes, KB, MB, GB, etc.) Assumes that 1 KB = 1024 bytes, 1 MB = 1024 KB, etc.
Creates a password based on a format string. For details on the special characters recognized in $string, see "Format Picture String Symbols" on page 520. NwaGenerateRandomPasswordMix NwaGenerateRandomPasswordMix($password_len, $lower = 1, $upper = 1, $digit = 1, $symbol = 1) Generates a random password that meets a certain minimum complexity requirement. l $password_len specifies the total length in characters of the generated password.
Parses text containing comma-separated values and returns the result as a list of records, where each record contains a list of fields. Supports CSV escaping using double quotes. $options may be specified to control additional parsing options described in the table below.
Table 100: Parsing Options
Option   Description
fs       The field separator character (default is comma “,”)
rs       The record separator character (default is newline “\n”)
quo      The quote character (default is double quote ")
excel_compatibl
NwaPasswordByComplexity NwaPasswordByComplexity($len, $mode = false) Generates a random password of at least $len characters in length, based on one of the standard complexity requirements specified in $mode. If $mode is false or the empty string, the default password complexity is taken from the Guest Manager plugin configuration.
Option Description NwaParseCsv() $column_index The desired index of the data $range_lookup Specifies whether to find an exact or approximate match. If true (default), assumes the table is sorted and returns either an exact match, or the match from the row with the next largest value that is less than $value.
Table 102: GuestManager Standard Fields Field Description account_activation String. The current account activation time in long form. This field is available on the change_expiration and guest_enable forms.
Field Description
- 2—Disable and logout
- 3—Delete
- 4—Delete and logout
“Disable” indicates that the enabled field will be set to 0, which will prevent further authorizations using this account. “Logout” indicates that a RADIUS Disconnect-Request will be used for all active sessions that have a username matching the account username. This option requires the NAS to support RFC 3576 dynamic authorization. See "RFC 3576 Dynamic Authorization" on page 72 for more information.
Field Description specified as a UNIX timestamp. Setting an expire_time value also requires a non-zero value to be set for the do_ expire field; otherwise, the account expiration time will not be used. Set this field to 0 to disable this account expiration timer. If the expire_timezone field is used in conjunction with expire_time and a time zone and date are selected, the date calculation is adjusted relative to the time zone. expire_timezone String.
Field Description This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts. modify_expire_usage String. Value indicating how to modify the expire_usage field. This field is only of use when editing a visitor account.
Field Description the random_username_method field is set to “nwa_sequence”. netmask String. Network address mask to use for stations using the account. This field may be up to 20 characters in length. The value of this field is not currently used by the system. However, a RADIUS user role may be configured to assign network masks using this field by adding the Framed-IP-Netmask attribute, and setting the value for the attribute to: = $user["netmask"] no_password Boolean.
Field Description be set to the value ‘recur’. The value of this field should be a relative time measurement, indicated with a plus sign; for example “+15 days” or “+2 months”. password_last_change Integer. The time that the guest’s password was last changed. The password change time is specified as a UNIX timestamp. This field is automatically updated with the current time when the guest changes their password using the selfservice portal. random_password String.
Field Description padded. For example, specifying a length of 4 will result in sequence numbers 0001, 0002, etc. random_username_ method String. Identifier specifying how usernames are to be created. It may be one of the following identifiers: l nwa_sequence to assign sequential usernames. In this case, the multi_prefix field is used as the prefix for the username, followed by a sequential number; the number of digits is specified by the random_username_length field.
Field Description This configuration requires that guests provide the correct answer in order to reset their account password. Answers must match with regards to case in order to be considered as correct. secret_question String. The guest’s secret question used to confirm the identity of a guest during a reset password operation. simultaneous_use Integer. Maximum number of simultaneous sessions allowed for the account. sponsor_email Email address of the sponsor of the account.
Field Description hotspot_plan_id No Type. The ID of the plan (visitor access settings) selected by the visitor. hotspot_plan_name No Type. The name of the plan (visitor access settings) selected by the visitor. last_name String. The visitor’s last name. password2 String. Password for the account (used to confirm a manually typed password). personal_details No Type. Field attached to a form label. purchase_amount No Type. Total amount of the transaction.
SMTP Services Standard Fields The table below describes standard fields available for the SMTP Services. Table 105: SMTP Services Standard Fields Field Description auto_send_smtp Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests.
Field Description smtp_warn_before_template_id String. This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is “default”, the default template ID under the Logout Warnings section on the email receipt configuration is used. smtp_warn_before_receipt_ format String. This field overrides the format in the Email Receipt field under Logout Warnings.
Symbol   Replacement
&        Random character (letter, digit or punctuation excluding apostrophe and quotation marks)
@        Random letter or digit, excluding vowels
Any other alphanumeric characters in the picture string will be used in the resulting username or password.
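NwaGeneratePictureString and NwaGenerateRandomPasswordMix (see the Programmer's Reference above) are the two credential generators the page describes; the following Python is an added re-creation of their contracts for this page, not the appliance's own code. It implements the two picture symbols listed above (the rest of the symbol table is cut off on the page, so only & and @ are covered), draws every character from the operating system CSPRNG via secrets, and for the mix generator guarantees the per-class minimums and then shuffles so the required characters do not sit at predictable positions.

```python
import secrets
import string

VOWELS = set("aeiouAEIOU")
LETTERS = string.ascii_letters
DIGITS = string.digits
# "&": letter, digit or punctuation, excluding the apostrophe and quotation marks
PUNCT_SAFE = "".join(c for c in string.punctuation if c not in "'\"")
AMPERSAND_SET = LETTERS + DIGITS + PUNCT_SAFE
# "@": letter or digit, excluding vowels
AT_SET = "".join(c for c in LETTERS + DIGITS if c not in VOWELS)

PICTURE_SYMBOLS = {"&": AMPERSAND_SET, "@": AT_SET}


def generate_picture_string(picture):
    """Replace each symbol with a random character from its set; any other character is literal."""
    return "".join(secrets.choice(PICTURE_SYMBOLS[c]) if c in PICTURE_SYMBOLS else c for c in picture)


def generate_random_password_mix(password_len, lower=1, upper=1, digit=1, symbol=1):
    """At least `lower` lowercase, `upper` uppercase, `digit` digits and `symbol` punctuation
    characters, padded to password_len from the union and shuffled with the CSPRNG."""
    classes = [(string.ascii_lowercase, lower), (string.ascii_uppercase, upper),
               (DIGITS, digit), (PUNCT_SAFE, symbol)]
    if password_len < sum(n for _, n in classes):
        raise ValueError("password_len is shorter than the sum of the class minimums")
    chars = [secrets.choice(alphabet) for alphabet, n in classes for _ in range(n)]
    everything = "".join(alphabet for alphabet, _ in classes)
    chars += [secrets.choice(everything) for _ in range(password_len - len(chars))]
    shuffled = []
    while chars:                       # Fisher-Yates style draw using the CSPRNG
        shuffled.append(chars.pop(secrets.randbelow(len(chars))))
    return "".join(shuffled)


def meets_complexity(password, lower=1, upper=1, digit=1, symbol=1):
    """The check a generated or user-chosen password must pass under the same minimums."""
    counts = (sum(c.islower() for c in password), sum(c.isupper() for c in password),
              sum(c.isdigit() for c in password), sum(c in PUNCT_SAFE for c in password))
    return all(have >= need for have, need in zip(counts, (lower, upper, digit, symbol)))
```

A picture such as "guest-@@@@" gives a readable, pronounceable-looking username with no vowels in the random part, which is the usual reason for excluding them (no accidental words).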
- syntax_only: Default true. If false, requires that the values provided correspond to those from the AirGroup plugin configuration.
- protocol_version: Default 2. If 1, changes the default validation properties (see below).
- max_groups: Maximum number of groups to allow, default 32.
- max_group_length: Maximum length in characters of any single group name, default 64.
- max_group_list_length: Maximum total length of the group list, including comma separator characters, default 320.
- max_role_length: Maximum length in characters of any single role name, default 64.
- max_role_list_length: Maximum total length of the role list, including comma separator characters, default 1000.
For the same validation as performed in AirGroup protocol version 1, set $arg to array('protocol_version' => 1). Setting a max_* parameter to 0 disables validation of that property.
- The keys ‘whitelist’ and ‘blacklist’ may also be used for ‘allow’ and ‘deny’, respectively.
- An ‘allow’ or ‘deny’ value that is a string is converted to a single element array.
- Wildcard matching may be used on domain names: the prefix ‘*.’ means match any domain that ends with the given suffix. A ‘*’ component can also be used inside the hostname, and will match zero or more domain name components.
- IsValidLdapAttribute – Checks that the value is a valid LDAP attribute name; that is, a string that starts with a letter, and which contains only letters, numbers, underscore (_) and hyphen (-).
- IsValidNetmask – Checks that the value is a valid network mask in dotted-quad notation; that is, an IP address such as 255.255.255.128 that contains a single string of N 1 bits followed by (32 – N) 0 bits.
- IsValidNumber – Checks that the value is numeric; that is, an integer or a decimal value.
path is /. The validator argument may optionally be an array containing a ‘scheme’ key that specifies an array of acceptable URL protocols.
- IsValidUsername – Checks that the value is a valid username. Usernames cannot be blank or contain spaces.
- NwaCaptchaIsValid – Checks that the value matches the security code generated in the CAPTCHA image. This validator should only be used with the standard captcha field.
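The validators just listed and the domain allow/deny matching described a little earlier, worked as one added Python example (not the appliance's validator code). IsValidNetmask is done with a bit test rather than a table of the 33 legal masks; IsValidUrl takes the scheme list as a parameter, with http and https as an assumed default since the page does not state one. For the wildcard rules, the example reads a leading "*." as requiring at least one label before the suffix and an interior "*" as zero or more labels, and makes deny take precedence over allow; those three readings are this example's, as are the sample hostnames.

```python
import re
from urllib.parse import urlsplit

LDAP_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def is_valid_ldap_attribute(value):
    return bool(LDAP_ATTR_RE.match(value))


def is_valid_netmask(value):
    """Dotted quad whose bits are N ones followed by 32-N zeros."""
    parts = value.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return False
    n = int.from_bytes(bytes(int(p) for p in parts), "big")
    inv = ~n & 0xFFFFFFFF            # contiguous mask inverted is 2**k - 1 ...
    return (inv & (inv + 1)) == 0    # ... and 2**k - 1 has no bit in common with 2**k


def is_valid_username(value):
    return value != "" and " " not in value


def is_valid_url(value, schemes=("http", "https")):
    """Scheme must be in the accepted list (assumed default http/https) and a host must be present."""
    parts = urlsplit(value)
    return parts.scheme in schemes and bool(parts.netloc)


def _pattern_regex(pattern):
    """Compile one allow/deny domain pattern. Leading '*.' needs one or more labels before the
    suffix; an interior '*' label matches zero or more labels; anything else is literal."""
    labels = pattern.lower().rstrip(".").split(".")
    if labels[-1] == "*":
        raise ValueError(f"trailing wildcard not supported: {pattern!r}")
    pieces = []
    for i, label in enumerate(labels):
        if label == "*":
            pieces.append(r"[^.]+(?:\.[^.]+)*\." if i == 0 else r"(?:[^.]+\.)*")
        else:
            pieces.append(re.escape(label) + r"\.")
    body = "".join(pieces)[:-2]      # drop the trailing escaped dot
    return re.compile("^" + body + "$")


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def host_allowed(host, rules):
    """Deny wins over allow; with no allow list every host not denied is accepted."""
    allow = _as_list(rules.get("allow", rules.get("whitelist")))
    deny = _as_list(rules.get("deny", rules.get("blacklist")))
    h = host.lower().rstrip(".")
    if any(_pattern_regex(p).match(h) for p in deny):
        return False
    if not allow:
        return True
    return any(_pattern_regex(p).match(h) for p in allow)
```

The last assertion in the checks is the one that matters for an allowlist: "portal.example.com.attacker.net" must not satisfy "*.example.com", which is why the pattern is anchored at both ends rather than tested with a substring search.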
Function Description separator and used for false and true values. If the argument is an array, the 0 and 1 index values are used for false and true values. Otherwise, the string values “false” and “true” are returned.
- NwaByteFormat Formats a non-negative size in bytes as a human readable number (bytes, KB, MB, GB, etc). 1 KB is defined as 1,024 bytes, 1 MB as 1,024 KB (1,048,576 bytes), and 1 GB as 1,024 MB (1,073,741,824 bytes).
The specific locale settings used are taken from localeconv(), and are listed below.

For general numeric formatting:
- frac_digits – number of decimal places to display
- decimal_point – character to use for the decimal point
- thousands_sep – character to use for the thousands separator

For the signs of positive/negative values:
- positive_sign – sign for positive values
- p_sign_posn – position of the sign for positive values (0..
Value: DateFormat(data.expire_time, "%Y-%m-%d %H:%M") : "N/A"
Description: Formatted date and time string if an expiration time has been set; otherwise "N/A".

JavaScript functions

Nwa_BooleanText(value, if_true, if_false[, if_undefined]) – Returns if_true or if_false depending on whether value evaluates to Boolean true or false, respectively. If value has an undefined type (that is, it has not been set) and the if_undefined parameter was provided, returns if_undefined.
- badPwdCount: The number of times the user tried to log on to the account using an incorrect password.
- codePage: The code page for the user's language of choice. This value is not used by Windows 2000.
- countryCode: The country code for the user's language of choice. This value is not used by Windows 2000.
- lastLogoff: When the last logoff occurred.
Regex    Matches
a*       Zero or more "a": the empty string, a, aa, aaa, ...
a|b      Alternation: matches an "a" or a "b"
(a.*z)   Grouping: matches the parenthesized sequence as a unit
a*?      "Non-greedy" zero or more matches
\ooo     The character with octal code ooo
\040     A space
\d       Any decimal digit
\D       Any character that is not a decimal digit

The regular expression syntax used is Perl-compatible. For further details on writing regular expressions, consult a tutorial or programming manual.
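The following is an added example, not from the original guide: it exercises the constructs in the table above with Python's re module, whose syntax for these particular constructs matches the Perl-compatible forms listed, and it shows two properties that matter when a regex is used as a field validator: a* (and any unanchored search) accepts the empty string, and `$` still matches before a trailing newline, so a full match rather than `^...$` is what a validator needs. The sample strings are constructed for the example.

```python
# Added example (not ClearPass Guest's own code): the regex table's constructs
# in practice, and why validators must use a full match. Sample text is constructed.
import re


def search_hits(pattern: str, text: str) -> bool:
    """True if pattern matches anywhere in text (unanchored search)."""
    return re.search(pattern, text) is not None


def full_match(pattern: str, value: str) -> bool:
    """True only if pattern matches the entire value: the validator-safe form."""
    return re.fullmatch(pattern, value) is not None


def anchored_match(pattern: str, value: str) -> bool:
    """^...$ anchoring with re.match; '$' also matches before a final newline."""
    return re.match(f"^{pattern}$", value) is not None


def first_group(pattern: str, text: str):
    """Return what the first parenthesized group captured, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("a* in 'xyz':", search_hits(r"a*", "xyz"))                 # empty match: True
    print("greedy:", first_group(r"(a.*z)", "a1z a2z"))               # a1z a2z
    print("non-greedy:", first_group(r"(a.*?z)", "a1z a2z"))          # a1z
    print("\\040 in 'a b':", search_hits(r"\040", "a b"))             # True
    print("\\D+ in 'abc123':", first_group(r"(\D+)", "abc123"))       # abc
    print("^\\d+$ vs '123\\n':", anchored_match(r"\d+", "123\n"))     # True (!)
    print("fullmatch \\d+ vs '123\\n':", full_match(r"\d+", "123\n")) # False
```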
Chapter 11 Glossary

$criteria – Array consisting of one or more criteria on which to perform a data-based search. This array is used in advanced cases where the predefined helper functions do not provide the required flexibility.

802.1X – IEEE standard for port-based network access control, widely used to secure 802.11 WLANs. The 802.1X standard provides an authentication framework in which a central authority authenticates the user before the port is opened.

Active Directory, any LDAP-compliant directory, RSA or other RADIUS-based token servers, and SQL databases, including the local user store.

bounce – To shut down and restart a service or port.

BYOD – Bring your own device. Refers to using personal mobile devices within an employer's enterprise network infrastructure, and the associated network and resource management challenges.

CA – See Certificate Authority.

captive portal – Implemented by the NAS. Provides network access only to authorized users.

computers on the network. DHCP allows a computer to be configured automatically, removing the need for a network administrator to configure each host by hand. DHCP also provides a central database that keeps track of the computers connected to the network; this database helps prevent any two computers from being configured with the same IP address.

digital certificate – Contains identification data (see distinguished name) and the public key portion of a public/private key pair, together with a signature generated by a certificate authority.

Insight – W-ClearPass analytics and reporting application.

intermediate CA – A certificate authority whose certificate was issued by another certificate authority. See trust chain.

iOS – Operating system from Apple, Inc. for mobile devices, including the iPhone, iPad, and iPod Touch.

jailbreak; jailbroken – Modifying an iOS device in order to download applications, extensions, or themes not authorized by Apple. The term is also sometimes used to describe similar activity on non-Apple devices.

Onboard – W-ClearPass application for automating 802.1X configuration and provisioning for "bring your own device" (BYOD) and IT-managed devices across wired, wireless, and virtual private networks (VPNs). Information Onboard collects during device onboarding is sent to Profile and used for device category, family, and name classification. W-ClearPass Onboard features are part of the Onboard + WorkSpace module in the W-ClearPass Guest application.

posture policies, internal – Internal posture policies test requests against internal posture rules to assess health. Posture rule conditions can contain attributes present in vendor-specific posture dictionaries.

posture servers – Evaluate client health based on specified vendor-specific posture credentials, typically posture credentials that cannot be evaluated internally by Policy Manager (that is, not by internal posture policies).

SCEP – Simple Certificate Enrollment Protocol. Protocol for requesting and managing digital certificates.

self-signed certificate – See root CA.

session – Service provided by a NAS to an authorized user.

skin – A Web site's visual appearance, or "look and feel." It can be thought of as a container that holds the application, its layout, style sheet (font size and color, for example), header and footer, and so forth.

view – Page in the application that displays data but does not contain interactive fields the user can modify. Usually a table listing items such as accounts or other sets of data, providing links to related actions or forms.

visitor – Someone who is permitted to access the Internet through your Network Access Server. Also referred to as a guest.

VMA – Visitor Management Appliance. Refers to the W-ClearPass Guest application.

VPN – Virtual private network.