User Guide Dell Networking W-ClearPass Policy Manager 6.
Copyright Information © Copyright 2017 Hewlett Packard Enterprise Development LP. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners. Open Source Code This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses.
Contents

About W-ClearPass Policy Manager 21
About the W-ClearPass Access Management System 21
About This Guide 21
Getting Started 21
W-ClearPass Access Management System Overview 22
Key Features 23
Advanced Policy Management 23
W-ClearPass Specifications 24
Accessing Configuration Information 29
Introduction 30
Start Here 30
Services 30
Authentication and Authorization 31
Identity 31
Posture 31
Enforcement 31
Network 31
Policy Simulation 31
Profile Settings 32
Importing

Certificate/Two-Factor Authentication for W-ClearPass Application Login Service Template 53
W-ClearPass Admin Access Service Template 55
W-ClearPass Admin SSO Login (SAML SP Service) Service Template 56
W-ClearPass Identity Provider (SAML IdP Service) Service Template 57
Device MAC Authentication Service Template 58
EDUROAM Service Template 60
Encrypted Wireless Access via 802.

TACACS+ Accounting Record Details > Request Tab 137
TACACS+ Accounting Record Details > Auth Sessions Tab 138
TACACS+ Accounting Record Details > Details Tab 139
Live Monitoring: OnGuard Activity 140
About OnGuard Activity 140
Bouncing an Agent Using Non-SNMP 141
Bouncing a Client Using SNMP 144
Broadcasting a Message to Active Endpoints 145
Sending a Message to Selected Endpoints 146
Live Monitoring: Analysis and Trending 146
Live Monitoring: System Monitor 147
System Monitor Page 14

Authentication Methods and Sources 179
Supported Authentication Methods 179
Tunneled EAP Authentication Methods 179
Non-Tunneled Authentication Methods 179
Authentication and Authorization Architecture and Flow 179
Configuring Authentication Methods for an Existing Service 181
Adding and Configuring Authentication Methods 183
Adding a New Authentication Method 183
Modifying an Existing Authentication Method 185
Authorize Authentication Method 185
CHAP Authentication Method 186
EAP-FAST

Adding and Modifying Endpoints 259
Viewing the List of Authentication Endpoints 259
Viewing Endpoint Authentication Details 260
Performing Bulk Updates of Endpoint Attributes 260
Triggering Actions to Be Performed on Endpoints 261
Updating Device Fingerprints From a Hosted Portal 262
Manually Adding an Endpoint 263
Modifying an Endpoint 264
Managing Static Host Lists 268
About Static Host Lists 268
Adding a Static Host List 269
Static Hosts Lists Configuration Summary 271
Editing a S

Audit Service Flow Control 355
Default Audit Servers 356
Custom Audit Servers 359
Post-Audit Rules 368
Configuring Enforcement Policies and Profiles
Configuring Enforcement Policies 371
Configuring Enforcement Profile 373
Adding an Enforcement Profile 374
Modifying an Existing Enforcement Profile 376
Agent Enforcement Profile 376
Agent Script Enforcement Profile 379
Dell Downloadable Role Enforcement Profile 383
Dell RADIUS Enforcement Profile 393
Cisco Downloadable ACL Enforcement P

Attributes Tab 434
Results Tab 435
RADIUS Authentication Simulation 436
Adding a RADIUS Authentication Simulation 436
Setting the Attributes to Be Tested 438
Viewing the Simulation Results 440
Role Mapping Simulation 441
Simulation Tab 441
Attributes Tab 442
Results Tab 443
Service Categorization Simulation 444
Simulation Tab 444
Attributes Tab 444
Results Tab 445
Import and Export Simulations 446
W-ClearPass Policy Manager Profile 447
W-ClearPass Profile Overview 447
Introdu

Adding and Modifying Device Groups 474
Configuring the Ingress Event Sources 476
Administration 479
W-ClearPass Guest Portal 480
Managing Admin Users 481
Changing the Administration Password 481
Adding an Admin User 482
Importing and Exporting Admin Users 483
Setting Password Policy for Admin Users 483
Disabling Admin User Accounts 485
Managing Admin Privileges 486
Overview 486
Defining Custom Admin Privileges 486
Creating Custom Administrator Privileges 489
Administrator Privile

Downloading Local Shared Folders 570
License Management 571
About License Usage Limits 571
Managing Licenses 572
Adding an Application License 573
Activating a Server License 574
Activating an Application License 576
Updating a Server License 579
Updating an Application License 580
SNMP Trap Receivers 581
SNMP Trap Receivers Main Page 582
Adding an SNMP Trap Server 582
Importing an SNMP Trap Server 584
Exporting All SNMP Trap Servers 585
Exporting an SNMP Trap Server 586
Deleti

Deleting an Endpoint Context Server 613
Configuring Endpoint Context Server Actions
Filtering an Endpoint Context Server Action Report 614
Configuring Endpoint Context Server Actions 614
Adding machine-os and host-type Endpoint Attributes 618
Adding Vendor-Specific Endpoint Context Servers 619
Adding an AirWatch Endpoint Context Server 620
Adding an AirWave Endpoint Context Server 622
Adding an Aruba Activate Endpoint Context Server 624
Adding a ClearPass Cloud Proxy Endpoint Context Server

Device Fingerprints Dictionary 688
Dictionary Attributes 689
Introduction 689
Adding a Dictionary Attribute 690
Modifying Dictionary Attributes 691
Importing Dictionary Attributes 691
Exporting All Dictionary Attributes 692
Exporting Selected Dictionary Attributes 693
Software Updates and OnGuard Settings 693
Software Updates 693
About Software Updates 694
Software Updates Page 694
Install Update Dialog Box 696
Reinstalling a Patch 698
Uninstalling a Skin 698
OnGuard Settings a

Configuring Processing for Ingress Events 731
Overview 731
Enabling Ingress Event Dictionaries 731
Configuring the Ingress Event Sources 732
Configuring the Ingress Receiving Ports 734
Configuring an Event-Based Enforcement Service 734
Introduction 734
Adding an Event-Based Enforcement Service 735
Associating the Enforcement Service with an Enforcement Policy 735
Enabling Ingress Events Processing 736
OnGuard Dissolvable and Native Agents 739
Introduction 739
Accessing the OnGuard Su

Endpoints Dashboard 777
Guest Dashboard 778
Network Dashboard 779
Posture Dashboard 779
System Dashboard 780
System Monitor Dashboard 780
Searching the Insight Database 781
About Insight Search 782
Search Example 782
Creating Alerts 783
Introduction 783
Creating New Alerts 784
Modifying the User Watchlist 785
Adding or Removing Users from the Watchlist 788
Creating Reports 789
Overview 790
Settings Configuration 791
Report Filters Configuration 793
Specifying the Logo and

Command Line Interface
Cluster Commands 821
cluster drop-subscriber 821
cluster list 822
cluster make-publisher 822
cluster make-subscriber 822
cluster reset-database 823
cluster set-cluster-passwd 823
cluster sync-cluster-passwd 824
Configure Commands 824
configure date 824
configure dns 826
configure fips-mode 826
configure hostname 827
configure ip 827
configure ip6 828
configure mtu 828
configure timezone 830
Network Commands 830
network ip6 831
network ip 832
nsl

quit 844
restore 844
Service Commands 845
service 845
Show Commands 847
show all-timezones 847
show date 847
show dns 848
show domain 848
show fipsmode 849
show hostname 849
show ip 849
show license 850
show ntp 851
show sysinfo 851
show timezone 851
show version 852
SSH Timed Account Lockout 852
Introduction 852
SSH Account Lockout Configuration 853
SSH Account Lockout Alerts 855
SSH Account Lockout Behavior 855
System Commands 856
system ap

Introduction 867
System MIB Entries 867
RADIUS Server MIB Entries 868
Policy Server MIB Entries 869
Web Authentication Server MIB Entries 871
TACACS+ Server MIB Entries 871
Network Traffic MIB Entries 872
W-ClearPass SNMP Traps and OIDs 872
Introduction 873
W-ClearPass SNMP Traps 873
SNMP Trap Details
SNMP Daemon Traps 875
SNMP Daemon Trap Events 875
Network Interface Up and Down Events 875
Network Interface Status Traps 875
W-ClearPass Processes Stop and Start Events 876
Disk

Creating a New Role Mapping Policy 900
Web Based Authentication Use Case 905
Configuring a Service 905
MAC Authentication Use Case 912
Configuring the Service 912
TACACS+ Use Case 915
Configuring the Service 916
Single Port Use Case 917
Rules Editing and Namespaces 919
Namespaces 919
Application Namespace 920
Audit Namespaces 921
Authentication Namespaces 921
Authorization Namespaces 923
Certificate Namespaces 924
Connection Namespaces 925
Date Namespaces 926
Device Namespaces 926
Endpoi
Chapter 1 About W-ClearPass Policy Manager This chapter provides an overview of the W-ClearPass 6.6 Policy Manager Access Management System.
- For a list of common configuration tasks and pointers to information about how to perform each task, refer to Accessing Configuration Information on page 29.
- If you are planning a new W-ClearPass Policy Manager deployment, refer to the W-ClearPass Deployment Guide. The W-ClearPass Deployment Guide is organized in a way that presents the recommended sequence in which W-ClearPass deployment should take place, and makes the major deployment tasks easy to implement.
Third-Party Security and IT Systems W-ClearPass can be extended to third-party security and IT systems using REST-based APIs to automate work flows that previously required manual IT intervention. W-ClearPass integrates with mobile device management to leverage device inventory and posture information, which enables well-informed policy decisions.
- Secure configuration of personal devices: W-ClearPass Onboard fully automates the provisioning of any Windows, Mac OS X, iOS, Android, Chromebook, and Ubuntu devices via a built-in captive portal. Valid users are redirected to a template-based interface to configure required SSIDs and 802.1X settings, and download unique device credentials.
Supported Identity Stores
- Microsoft Active Directory
- Kerberos
- Any LDAP-compliant directory
- Any ODBC-compliant SQL server
- Token servers
- Built-in SQL store
- Built-in static-hosts list
Using the Policy Manager Dashboard The Policy Manager Dashboard organizes and presents the key information about the status and performance of the current W-ClearPass server or cluster, as well as a set of Quick Links to the most commonly used functions, such as configuring policies, viewing the Access Tracker, and so on. The Dashboard information is illustrated in interactive bar chart, graph, and table formats.
Table 1: Dashboard Widget Summary (Continued)
- Last Replication: Date of the last replication.
- Status: Indicates the status of the cluster node.
To view the chart that shows the graph of all profiled devices categorized into the following categories:
- Access Points
- Computer
- Conflict: Indicates a conflict occurred in the categorization of the device.
Table 1: Dashboard Widget Summary (Continued)
- Unhealthy requests are the requests for which the health state was deemed to be quarantined (posture data received but health status is not compliant) or unknown (no posture data received). This includes RADIUS and WebAuth requests.
- The default data filters Health Requests and Unhealthy Requests are used to plot this graph.
Table 1: Dashboard Widget Summary (Continued)
To view the bar chart with each bar representing a categorized Policy Manager service request, drag and drop the Service Categorization widget to the Dashboard.
- Clicking on a bar drills down to the Access Tracker, which shows the requests that were categorized into a specific service.
To view a table with the latest successful authentications, drag and drop the Successful Authentications widget to the Dashboard.
Introduction This section provides pointers to information on how to configure the primary configuration tasks in W-ClearPass Policy Manager. You can access all these configuration tasks via the W-ClearPass Configuration menu. To access the W-ClearPass Configuration menu, select Configuration.
Authentication and Authorization
The Authentication page provides options to configure the following components:
- Adding and Configuring Authentication Methods on page 183
- Adding and Configuring Authentication Sources on page 207
- Configuring Authentication Methods for an Existing Service on page 181

Identity
The Identity page provides options on the settings required to configure W-ClearPass Policy Manager Identity settings.
Profile Settings
The Profile Settings page provides options to configure the following elements:
- Subnet Scans: See Configuring Subnet Scans on page 457 and Initiating a Network Discovery Scan on page 160.
- SNMP Configuration: See SNMP Credentials Configuration on page 154.
- SSH Configuration: See SSH Credentials Configuration on page 156.
- WMI Configuration: See WMI Credentials Configuration.
See Appendix B, "Using the W-ClearPass Configuration API" in the W-ClearPass Deployment Guide for more information about the format and contents of XML files. 4. Enter secret for the file (if any): If you entered a secret key to encrypt the exported file, enter the same secret key to import the device back. 5. Click Import.
Figure 4: Export XML File to Zip File Dialog 4. Specify to open the zip file or save the XML file to your system. 5. Click OK to proceed. Export Considerations The XML file generated from an export operation has a specific layout that is unique for each function in the ClearPass user interface. If you import an XML file with an incorrect layout (usually because it's from the wrong function), it will be rejected.
Chapter 2 Services
This chapter describes the following topics:
- Services Architecture and Flow
- Start Here: About Policy Manager Service Templates
- Viewing the List of Services
- Configuring Policy Manager Services
The Policy Manager policy model groups policy components that serve a specific type of request into the Services page.
2. Create the associated policy components as and when required, all in the same flow. To help you get started, W-ClearPass provides 17 service types or templates. If these service types do not suit your needs, you can create a new service using custom rules (as described in the next section, Start Here: About Policy Manager Service Templates).
Figure 5: Start Here Page (Partial View) 2. Select the desired service template. The configuration dialog for the selected service template opens, as shown in the following example figure:
Figure 6: Auto Sign-On Service Template 3. Fill in the various fields that are presented in the templates—Policy Manager then creates the configuration elements that are needed for that particular service.
Service Templates Provided
Refer to the following descriptions of the W-ClearPass service templates for configuration details:
- 802.1X Wired, 802.1X Wireless, and Dell 802.
- RADIUS Enforcement
- RADIUS Proxy
- Dell Application Authentication
- Dell Application Authorization
- TACACS+ Enforcement
- Web-based Authentication
- Web-based Open Network Access
Viewing the List of Services
The Services page shows the current list and order of services that W-ClearPass Policy Manager follows during authentication and authorization. You can use the configured default service types or you can add additional services.
For more information, see:
- Adding Services on page 1
- Modifying Services on page 1
- Reordering Services on page 44
Viewing Existing Services
You can view all configured services in a list or drill down to individual services in the Services page. You can filter the list of services by phrase or sort the services by order. To view a list of services: 1. Navigate to Configuration > Services. The Services page opens: Figure 8: Services Page 2. To view a service's details, select the service.
Adding and Removing Services
This section provides the following information:
- Adding a New Service
- Modifying a Service
- Removing a Non-Default Service
You can modify a list of services by creating a new service, copying an existing service, and then modifying or deleting the existing service.
Adding a New Service
To add a new service: 1. Navigate to Configuration > Services. The Services page opens. Figure 10: Services Page 2. Click Add. The Add Services dialog opens.
Table 4: Add Services Page Parameters
Type: Select the desired service type from the drop-down list. When working with service rules, you can select from the following namespace dictionaries:
- Application: The type of application for this service.
- Authentication: The Authentication method to be used for this service.
Table 4: Add Services Page Parameters (Continued)
Monitor Mode: Optionally, check Enable to monitor network access without enforcement. This allows authentication and health validation exchanges to take place between the endpoint and Policy Manager, but without enforcement. In Monitor Mode, no enforcement profiles (and associated attributes) are sent to the network device.
Modifying a Service For full access in modifying a service, you must log in to the Publisher node. To modify an existing service: 1. From the Services page, click the check box for the service you want to modify. The Configuration > Services > Edit > dialog opens. Figure 12: Edit Services Dialog 2. Select the Service tab to edit the service information. 3. Modify the parameters as needed, then click Save.
The Services page appears. Figure 13: Services Page Reorder Button 2. Click the Reorder button (located on the lower-right portion of the page). The Reorder Services page appears. 3. Click the service you want to move to another position in the order (see Figure 14). In this example, we will move Guest Operator Logins at the 5th position to the 2nd position. Figure 14: Selecting the Service to Be Reordered 4. Select the position where you want to move the service (see Figure 15).
6. Click Save. You return to the Services page, which shows the service in its new order and displays the message: Services have been reordered successfully.
Configuring Service Templates
Refer to the following descriptions of the W-ClearPass Policy Manager Service Templates for configuration details:
- 802.1X Wired, 802.1X Wireless, and Dell 802.
Figure 17: Service Templates > 802.1X Wired Service Template Adding a New Service for the Selected Service Template To add a new service for the selected service template: 1. Specify a unique Name Prefix (applies only to the selected template) in the General tab. 2. Update the required fields in the Authentication and Enforcement Details sections. 3. Click Add Service. An entry for the new set of configuration is created under the Services, Roles, Role Mapping, Enforcement Policies and Profiles menus.
Table 5: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless Service Template Parameters (Continued)
Server: 4. Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
Port: 5. Enter the TCP port where the server is listening for a connection. This field is mandatory.
Identity: 6. Enter the Distinguished Name (DN) of the administrator account. This field is mandatory.
Password: 7. Enter the account password.
Table 5: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless Service Template Parameters (Continued)
Enable RADIUS CoA: 6. Select to enable RADIUS-initiated Change of Authorization (CoA) on the network device.
RADIUS CoA Port: Specifies the default port 3799 if RADIUS CoA is enabled. 7. Change this value only if you defined a custom port on the network device.
Wireless Network Settings
Wireless Controller Name: 1. Enter the name of the wireless controller.
When you edit or delete the entities of a service, a message is displayed at the top of the entity page stating that the selected entity was created through the service template. Do not delete entities used in service configurations that are not created using the service template.
Table 6: W-ClearPass Auto Sign-On Service Template Parameters (Continued)
Base DN: Enter the DN of the administrator account. This field is mandatory.
Password: Enter the account password. This field is mandatory.
Port: Enter the TCP port where the server is listening for a connection. This value defaults to 389. This field is mandatory.
The following figure displays the Dell VPN Access with Posture Checks service template: Figure 19: Dell VPN Access with Posture Checks Service Template
Specify the Dell VPN Access with Posture Checks service template parameters as described in the following table:
Table 7: Dell VPN Access with Posture Checks Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes.
Table 7: Dell VPN Access with Posture Checks Service Template Parameters (Continued)
Select Wireless Controller: Select a wireless controller from the drop-down list.
Wireless controller name: Enter the name given to the wireless controller.
Controller IP Address: Enter the wireless controller's IP address.
Vendor Name: Select the manufacturer of the wireless controller.
Specify the Certificate/Two-Factor Authentication for ClearPass Application Login service template parameters as described in the following table:
Table 8: W-ClearPass Certificate/Two-Factor Authentication Service Template Parameters
General
Select Prefix: 1. Select a prefix from the existing list of prefixes. This field populates the pre-configured information in the Authentication, SP details, and Enforcement Details sections. The Name Prefix field is not editable.
Table 8: W-ClearPass Certificate/Two-Factor Authentication Service Template Parameters (Continued)
Certificate Attribute: 14. Select the certificate attribute from the drop-down list.
Super Admin Condition: 15. Enter the value in the Super Admin Condition field that matches the Certificate Attribute value to provide super administrator access.
Certificate Attribute: 16. Select the certificate attribute from the drop-down list.
Read Only Admin Condition: 17.
Specify the W-ClearPass Admin Access service template parameters as described in the following table:
Table 9: W-ClearPass Admin Access Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the preconfigured information in the Authentication and Role Mapping sections. The Name Prefix field is not editable.
Name Prefix: Enter a prefix that you want to append to services using this template.
The following figure displays the W-ClearPass Admin SSO Login service template: Figure 22: W-ClearPass Admin SSO Login (SAML SP Service) Service Template
Specify the W-ClearPass Admin SSO Login service template parameters as described in the following table:
Table 10: W-ClearPass Admin SSO Login Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the preconfigured information in the Service Rule tab.
Specify the W-ClearPass Identity Provider (SAML IdP Service) service template parameters:
Table 11: W-ClearPass Identity Provider (SAML IdP Service) Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Authentication and SP Details sections. The Name Prefix field is not editable.
Name Prefix: Enter a prefix that you want to append to services using this template.
The following figure displays the Device MAC Authentication service template: Figure 24: Device MAC Authentication Service Template
Specify the parameters in the Device MAC Authentication service template as described in the following table:
Table 12: Device MAC Authentication Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the preconfigured information in the Authentication and SP Details sections.
Table 12: Device MAC Authentication Template Parameters (Continued)
Device Access Restrictions
Days allowed for access: Select the days on which network access is allowed.
Maximum bandwidth allowed per device: Enter a number to set an upper limit for the amount of data in megabytes that a device is allowed per day. A value of 0 (zero), the default, means no limit is set.
Table 13: EDUROAM Service Template Parameters (Continued)
Enter domain details: Enter the domain name of the network. For example, @edunet.ucla.com. This field is mandatory.
Select Vendor: Select the vendor of the network device. This field is mandatory.
Authentication
Select Active Directory: Select an authentication source from the list. The information in the Authentication, Wireless, and Federation Level RADIUS Server (FLR) tabs is then auto-populated.
Table 13: EDUROAM Service Template Parameters (Continued)
Federation Level RADIUS Server (FLR)
Host Name: Enter the host name of the federation RADIUS server.
IP Address: Enter the IP address of the federation RADIUS server.
Vendor Name: Select the manufacturer of the wireless controller.
RADIUS Shared Secret: Enter the shared secret that is configured on the controller and inside Policy Manager to send and receive RADIUS requests.
Specify the parameters used in the Encrypted Wireless Access via 802.1X Public PEAP method service template as described in the following table:
Table 14: Encrypted Wireless Access via 802.1X Public PEAP Method Service Template Parameters
General
Name Prefix: Enter a prefix that you want to append to services using this template. You can use this to identify services that use templates.
The following figure displays the Guest Access service template: Figure 27: Guest Access Service Template
Specify the parameters used in the Guest Access service template as described in the following table:
Table 15: Guest Access Service Template Parameters
General
Select Prefix: Select any one prefix from the existing list of prefixes. This populates the pre-configured information in the Wireless Network Settings and Guest Access Restrictions sections.
Table 15: Guest Access Service Template Parameters (Continued)
Host Operating System: Select the operating system: Windows, Linux, or Mac OS X.
Quarantine Message: Specify the quarantine message that will appear on the client.
Initial Role/VLAN: Enter the initial role of the client before posture checks are performed.
Quarantine Role/VLAN: Enter the role of clients that fail posture checks.
Table 16: Guest Web Login Service Template Parameters (Continued)
(Name Prefix, continued): Use this to identify services that use templates.
Service Rule
Page name: Enter the name of the Guest Web Login page.
Add New Guest Web Login page: Click this link to launch a new Web session for the Guest Web Login page.
Guest Access Restrictions
Days allowed for access: Select the days of the week that guest users are allowed network access. NOTE: All seven days of the week are enabled by default.
Table 17: Guest MAC Authentication Service Template Parameters (Continued)
Wireless SSID: Enter the SSID name of your network.
Wireless Controller Name: Enter the name of the wireless controller.
Controller IP Address: Enter the wireless controller's IP address.
Vendor Name: Select the manufacturer of the wireless controller.
RADIUS Shared Secret: Enter the shared secret that is configured on the controller and inside Policy Manager to send and receive RADIUS requests.
Table 17: Guest MAC Authentication Service Template Parameters (Continued)
Initial Role/VLAN: Enter the initial role of the client before posture checks are performed.
Quarantine Role/VLAN: Enter the role of clients that fail posture checks.
The following figure displays the Guest Social Media Authentication service template: Figure 30: Guest Social Media Authentication Service Template
Specify the Guest Social Media Authentication service template parameters as described in the following table:
Table 18: Guest Social Media Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes.
Table 18: Guest Social Media Service Template Parameters (Continued)
Social Login Provider: Select the social media network options: Google, Facebook, LinkedIn, and Twitter.
Days allowed for access: Select the days of the week that the guest users are allowed network access. By default, all seven days of the week are enabled.
Maximum bandwidth allowed per user: Specify the maximum amount of data in megabytes a user is allowed per day.
The following figure displays the Onboard Authorization service template: Figure 32: Onboard Pre-Authorization Service Template
The following table describes the Onboard Authorization service template parameters:
Table 20: Onboard Authorization Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes or enter the name of a new prefix.
Table 20: Onboard Authorization Service Template Parameters (Continued)
Provisioning Wireless Network Settings
Wireless SSID for Onboard Provisioning: Enter the SSID of your network.
Add New Onboard Network Settings: Click the Add New Onboard Network Settings link to launch the Web UI to modify the Onboard network settings.
Configuring Policy Manager Services
You can configure the following types of services in W-ClearPass Policy Manager:
- Dell 802.
Figure 33: Add 802.1X Wired Service Dialog
802.1X Wired—Identity Only Service
Configure this service for clients connecting through an Ethernet LAN with authentication using IEEE 802.1X. Configuration for the 802.1X Wired—Identity Only service is the same as the 802.1X Wired service, except that Posture and Audit policies are not configurable when you use this template. For more information, see 802.1X Wired Service on page 72. The following figure displays the 802.
- Accounting Proxy Configuration on page 83
Configure this service for wireless hosts that are connecting through a Dell 802.1X wireless access device or controller using IEEE 802.1X authentication. Service rules are customized for a typical Dell W-Series Controller deployment. The Dell W-Series 802.1X service includes a rule that specifies that a Dell ESSID exists. The following figure displays the Add Dell 802.1X Wireless Service dialog: Figure 35: Add Dell 802.
Figure 36: Add Dell 802.1X Wireless Service > Service Dialog 1. Specify the Service tab parameters as described in the following table:
Table 21: Add Dell 802.1X Wireless Service > Service Tab Parameters
Type: Select a service from the drop-down list that defines what type of service can be configured.
Name: Enter the name of the service.
Description: Provide additional information that helps to identify the service.
Service rules define a set of criteria that supplicants must match to trigger the service. Some service templates have one or more rules predefined. 2. Click a service rule to modify its options. If you want to administer the same set of policies for wired and wireless access, you can combine the service rule to define one single service.
Table 22: Add Dell 802.1X Wireless Service > Authentication Parameters
Authentication Methods: Select the authentication methods for this service using the Select to Add field. The methods to use depend on the 802.1X supplicants and the type of authentication methods you choose to deploy. Policy Manager automatically selects the appropriate method for authentication when a user attempts to connect.
The Authorization tab is not displayed by default. To access this tab, select the More Options > Authorization check box. W-ClearPass fetches role-mapping attributes from the authorization sources associated with the service, regardless of which authentication source was used to authenticate the user.
Roles Configuration

Use the Roles tab to associate a role-mapping policy with this service. The following figure displays the Dell 802.1X Wireless Service > Roles dialog:

Figure 39: Add Dell 802.1X Wireless Service > Roles Dialog

1. Specify the Roles parameters as described in the following table:

Table 24: Add Dell 802.1X Wireless Service > Roles Tab Parameters
Role Mapping Policy: Select a role mapping policy from the drop-down list.
Figure 40: Add Dell 802.1X Wireless Service > Posture Dialog

2. Specify the Wireless Service Posture parameters as described in Table 25:

Table 25: Add Dell 802.1X Wireless Service > Posture Parameters
Posture Policies: Select the posture policy from the Select to Add drop-down list. If you do not have any preconfigured posture policies, click Add New Posture Policy to create a new posture policy.
Table 26: Dell 802.1X Wireless Service > Enforcement Parameters
Use Cached Results: Select this check box to use cached roles and posture attributes from previous sessions.
Enforcement Policy: Select the preconfigured enforcement policy from the drop-down list. This is mandatory. If you do not have any preconfigured enforcement policies, click Add New Enforcement Policy to create a new enforcement policy.
Table 27: Add Dell 802.1X Wireless Service > Audit End-Hosts Parameters
Audit Server: Select the audit server from the following options:
- Nessus Server: Interfaces with Policy Manager primarily to perform vulnerability scanning.
- Nmap Audit: Performs specific Nmap audit functions.
To view the Policy Manager Entity Details dialog with a summary of the audit server details, click the View Details button.
Audit Trigger Conditions
Figure 43: Add Dell 802.1X Wireless Service > Profile Endpoints Dialog

1. Specify the Profile Endpoints parameters as described in the following table:

Table 28: Add Dell 802.1X Wireless Service > Profile Endpoints Parameters
Endpoint Classification: Select one or more endpoint classification items from the drop-down list.
RADIUS CoA Action: Select the RADIUS CoA action from the drop-down list.
Table 29: Add Dell 802.1X Wireless Service > Accounting Proxy Tab Parameters
Accounting Proxy Targets: Specify the proxy targets to which RADIUS accounting requests should be forwarded, and the attributes to be added to the accounting. Select the accounting proxy target from the Select to Add drop-down list.
Add New Accounting Proxy Target: Click this link to add a new accounting proxy target.
Dell 802.1X Wireless Service

This section provides the following information:
- Service Configuration on page 85
- Authentication Configuration on page 87
- Roles Configuration on page 90
- Enforcement Configuration on page 91
- Summary Information on page 95

You can configure the following additional Dell 802.
Figure 47: Add Dell 802.1X Wireless Service > Service Dialog

1. Specify the Service tab parameters as described in the following table:

Table 30: Add Dell 802.1X Wireless Service > Service Tab Parameters
Type: Select a service from the drop-down list that defines what type of service can be configured.
Name: Enter the name of the service.
Description: Provide additional information that helps to identify the service.
Service rules define a set of criteria that supplicants must match to trigger the service. Some service templates have one or more rules predefined.

2. Click a service rule to modify its options. If you want to administer the same set of policies for wired and wireless access, you can combine the service rules to define one single service.
Table 31: Add Dell 802.1X Wireless Service > Authentication Parameters
Authentication Methods: Select the authentication methods for this service using the Select to Add field. Which methods you use depends on the 802.1X supplicants and the type of authentication methods you choose to deploy. When a user attempts to connect, Policy Manager automatically selects the appropriate authentication method.
The Authorization tab is not displayed by default. To access this tab, select the More Options > Authorization check box. W-ClearPass fetches role-mapping attributes from the authorization sources associated with the service, regardless of which authentication source was used to authenticate the user.
Roles Configuration

Use the Roles tab to associate a role-mapping policy with this service. The following figure displays the Dell 802.1X Wireless Service > Roles dialog:

Figure 50: Add Dell 802.1X Wireless Service > Roles Dialog

1. Specify the Roles parameters as described in the following table:

Table 33: Add Dell 802.1X Wireless Service > Roles Tab Parameters
Role Mapping Policy: Select a role mapping policy from the drop-down list.
Figure 51: Add Dell 802.1X Wireless Service > Posture Dialog

2. Specify the Wireless Service Posture parameters as described in Table 34:

Table 34: Add Dell 802.1X Wireless Service > Posture Parameters
Posture Policies: Select the posture policy from the Select to Add drop-down list. If you do not have any preconfigured posture policies, click Add New Posture Policy to create a new posture policy.
Table 35: Dell 802.1X Wireless Service > Enforcement Parameters
Use Cached Results: Select this check box to use cached roles and posture attributes from previous sessions.
Enforcement Policy: Select the preconfigured enforcement policy from the drop-down list. This is mandatory. If you do not have any preconfigured enforcement policies, click Add New Enforcement Policy to create a new enforcement policy.
Table 36: Add Dell 802.1X Wireless Service > Audit End-Hosts Parameters
Audit Server: Select the audit server from the following options:
- Nessus Server: Interfaces with Policy Manager primarily to perform vulnerability scanning.
- Nmap Audit: Performs specific Nmap audit functions.
To view the Policy Manager Entity Details dialog with a summary of the audit server details, click the View Details button.
Audit Trigger Conditions
Figure 54: Add Dell 802.1X Wireless Service > Profile Endpoints Dialog

1. Specify the Profile Endpoints parameters as described in the following table:

Table 37: Add Dell 802.1X Wireless Service > Profile Endpoints Parameters
Endpoint Classification: Select one or more endpoint classification items from the drop-down list.
RADIUS CoA Action: Select the RADIUS CoA action from the drop-down list.
Table 38: Add Dell 802.1X Wireless Service > Accounting Proxy Tab Parameters
Accounting Proxy Targets: Specify the proxy targets to which RADIUS accounting requests should be forwarded, and the attributes to be added to the accounting. Select the accounting proxy target from the Select to Add drop-down list.
Add New Accounting Proxy Target: Click this link to add a new accounting proxy target.
The following figure displays the Cisco Web Authentication Proxy service:

Figure 56: Cisco Web Authentication Proxy Service

Configuring the Cisco Web Authentication Proxy service is similar to configuring the Dell 802.1X Wireless service, except that the Posture Compliance and Profile Endpoints options are not available. For more information on configuration, see Dell 802.1X Wireless Service on page 85.

MAC Authentication Service

The MAC-based authentication service is used for clients without an 802.
The following figure displays the MAC Authentication service configuration dialog.

Figure 57: MAC Authentication Service Configuration Dialog

The Posture tab is not available for the MAC-based authentication service. Configuration for the rest of the tabs is similar to the Dell 802.1X Wireless service configuration. For details on this service's configuration, see Dell 802.1X Wireless Service on page 85.
RADIUS Enforcement (Generic) Service

Configure the RADIUS Enforcement (Generic) service for any kind of RADIUS request. The AirGroup Authorization Service is the only RADIUS Enforcement (Generic) service that is available by default. In addition to the default configuration tabs (Service, Authentication, Roles, and Enforcement), from More Options you can also enable the Authorization, Posture Compliance, Audit End Hosts, and Profile Endpoints tabs.
The following figure displays the RADIUS Proxy service configuration dialog:

Figure 60: RADIUS Proxy Service Configuration Dialog

For configuration details, see RADIUS Enforcement (Generic) Service on page 98.

Dell W-Series Application Authentication Service

This type of service provides authentication and authorization to users of W-Series W-ClearPass Guest and W-Series W-ClearPass Insight.
Configuring the Dell W-Series Application Authentication service is similar to configuring the Dell 802.1X Wireless service, except that the Posture Compliance, Audit End-hosts, and Profile Endpoints options are not available. For configuration details, see Dell 802.1X Wireless Service on page 85.

Dell W-Series Application Authorization Service

This type of service provides authorization for users of Dell applications: W-Series W-ClearPass Guest and W-Series W-ClearPass Insight.
- Detects when a new endpoint connects to the network.
- Scans the endpoint to identify the logged-in user and other device-specific information.
- Triggers a Web-based authentication (WebAuth) for the device.
- Performs SNMP-based enforcement to change the network access profile for the device.

Adding a W-ClearPass OnConnect Enforcement Service

To add an OnConnect Enforcement service:
1. Navigate to Configuration > Services. The Services page opens.
2. To add the service, click Add.
Figure 64: Selecting the W-ClearPass OnConnect Enforcement Policy

From the Services > Add > Enforcement page, you can either select an existing enforcement policy or create a new one.
2. From the Enforcement Policy drop-down list, select the appropriate OnConnect Enforcement policy.
  a. If you have not configured an OnConnect-type Enforcement policy, click Add New Enforcement Policy to create a new enforcement policy.
3.
The Services page appears. The Services page provides options to add, modify, and remove a service.
2. To add the service, click Add. The Add Services dialog appears.
3. From the Type drop-down list, select Event-based Enforcement (see Figure 65).

Figure 65: Specifying Event-Based Enforcement

4. Enter the name or label of the event-based enforcement service.
5. Enter the values for any other parameters, including service rules, required for this service.
Table 40: Service Enforcement Page Parameters
Use Cached Results: 1. Select this check box to use cached roles and posture attributes from previous sessions.
Enforcement Policy: 2. From the drop-down list, select the preconfigured enforcement policy. This is mandatory.
Enforcement Policy Details
Description: Displays additional information about the selected enforcement policy.
Default Profile: Displays a default profile applied by .
Figure 67: Adding a New TACACS+ Enforcement Service

2. Specify the Service tab parameters as described in the following table:

Table 41: Add TACACS+ Enforcement > Service Tab Parameters
Type: From the drop-down list, select TACACS+ Enforcement.
Name: Enter the name of the service.
Description: Provide additional information that helps to identify the service.
Monitor Mode: The Monitor Mode option is disabled for an enforcement policy.
Table 41: Add TACACS+ Enforcement > Service Tab Parameters (Continued)
Name: Select the name of the service rule from the drop-down list.
Operator: Select an appropriate operator from the list of operators for the data type of the attribute. For example, you can select from BELONGS_TO, NOT_BELONGS_TO, CONTAINS, or EQUALS.
Value: Select the value from the drop-down list. The value list depends on the operator selected.
Table 42: TACACS+ Enforcement > Service Tab Parameters
Type: From the drop-down list, select TACACS+ Enforcement.
Name: Enter the name of the service.
Description: Provide additional information that helps to identify the service.
Monitor Mode: The Monitor Mode option is disabled for an enforcement policy.
More Options: The Authorization tab is not enabled by default. To bring up the Authorization configuration tab, check the Authorization check box.
- Mac OS X
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
- Windows XP
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2003
- Windows Server 2003 R2

An internal service rule—Connection:Protocol EQUALS WebAuth—categorizes requests into this type of service. You can add additional rules if needed. In addition, you can select a Web-based Authentication service based on the operating system (OS) name.
1. From the Service tab > Service Rule area, select Click to add.

Figure 70: Host OS Name Specified in the Web-Based Authentication Service

2. Specify the Host OS Architecture attribute as follows:
  - Type=Host
  - Name=OSArch
  - Operator=EQUALS
  - Value=i386 or x86_64
3. Specify the Host OS Type attribute as follows:
  - Type=Host
  - Name=OSType
  - Operator=EQUALS
  - Value=Windows 10
4.
Table 43: Service Rule > Web-Based Authentication Host Attributes
Attribute Name: Host
AgentType: Specifies the type of OnGuard Agent. This attribute provides a way to define a separate service for each OnGuard Agent Type. The supported values are:
- OnGuardAgent: OnGuard Agent
- OnGuardAgentService: OnGuard Agent running as a service
- NativeWebAgent: Native Dissolvable Agent
- JavaWebAgent: Java Dissolvable Agent
Agent Version: OnGuard Agent version.
Table 43: Service Rule > Web-Based Authentication Host Attributes (Continued)
to create services for a specific OS. For example, you can use this attribute to differentiate between Windows 8 and Windows 8.1.
OSNameVersion: Provides the Windows OS name and the build version. This attribute can be used to create different Posture policies for different Windows 10 versions such as 2015 LTSB or 2016 LTSB.
OSType: Specifies the Operating System type.
This service does not include authentication options. This service performs health checks only.

To create a Web-based Health Check Only service:
1. Navigate to Configuration > Services, then select the Add link. The Web-Based Health Check Only service configuration dialog opens:

Figure 71: Web-Based Health Check Only Service Configuration Dialog

2.
Table 44: Add Web-based Health Check Only Service > Service Tab Parameters (Continued)
Name: Select the name of the service rule from the drop-down list.
Operator: Select an appropriate operator from the list of operators for the data type of the attribute. For example, you can select from BELONGS_TO, NOT_BELONGS_TO, CONTAINS, or EQUALS.
Value: Select the value from the drop-down list. The value list depends on the operator selected.
Table 45: Service Rule > Web-Based Health Check Only Host Attributes (Continued)
Installed SHAs: Specifies the SHAs installed on the client.
Table 45: Service Rule > Web-Based Health Check Only Host Attributes (Continued)
InterfaceType: Specifies the type of Network Interface. This attribute can be used to define different services based on Network Interface type. The supported values are:
- Wired
- Wireless
- VPN
Name: This is the host name of the client (without the domain name).
OSArch: Specifies whether the client is running a 32-bit or 64-bit OS.
Table 45: Service Rule > Web-Based Health Check Only Host Attributes (Continued)
SDKVersion: Specifies the SDK version.
ServerCertificateCheck: This attribute's value shows the status of the W-ClearPass Server Certificate Check performed by the OnGuard agent while sending a WebAuth request to the W-ClearPass server. This attribute can also be used in a Service Classification.
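The Web-Based Authentication procedure above (Type/Name/Operator/Value rules on Host attributes such as OSArch and OSType) and the Host attribute tables (AgentType, InterfaceType, and so on) describe how a request is matched to a service. The following is an added example, not ClearPass code, that models that matching so the effect of the operators BELONGS_TO, NOT_BELONGS_TO, CONTAINS and EQUALS, of rule ordering, and of a missing attribute can be checked against sample requests. The service names, the sample requests and the "match all rules" default are assumptions made for the example.

```python
"""Service-rule classification over Host and Connection attributes.

Added example (not ClearPass code). Rules are (Type, Name, Operator, Value)
tuples as in the guide; requests are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A request is a flat map of (Type, Name) -> value, e.g. ("Host", "OSArch") -> "x86_64".
Request = Dict[Tuple[str, str], str]


@dataclass(frozen=True)
class Rule:
    type_: str      # attribute namespace, e.g. "Host" or "Connection"
    name: str       # attribute name, e.g. "OSType"
    operator: str   # EQUALS, CONTAINS, BELONGS_TO, NOT_BELONGS_TO
    value: str      # for BELONGS_TO / NOT_BELONGS_TO: comma-separated list


def rule_matches(rule: Rule, request: Request) -> bool:
    """Evaluate one rule. A missing attribute never matches, even for
    NOT_BELONGS_TO, so classification fails closed rather than open."""
    actual = request.get((rule.type_, rule.name))
    if actual is None:
        return False
    if rule.operator == "EQUALS":
        return actual == rule.value
    if rule.operator == "CONTAINS":
        return rule.value in actual
    members = {m.strip() for m in rule.value.split(",")}
    if rule.operator == "BELONGS_TO":
        return actual in members
    if rule.operator == "NOT_BELONGS_TO":
        return actual not in members
    raise ValueError(f"unsupported operator: {rule.operator}")


@dataclass
class Service:
    name: str
    rules: List[Rule]
    match_all: bool = True  # assumption: ALL rules must match; False means ANY


def service_matches(service: Service, request: Request) -> bool:
    results = [rule_matches(r, request) for r in service.rules]
    return all(results) if service.match_all else any(results)


def classify(services: List[Service], request: Request) -> Optional[str]:
    """Return the first service (in configured order) whose rules match,
    mirroring ordered service categorization; None if nothing matches."""
    for service in services:
        if service_matches(service, request):
            return service.name
    return None


# Constructed services, most specific first (names are assumptions).
SERVICES = [
    Service("WebAuth Windows 10 x64", [
        Rule("Connection", "Protocol", "EQUALS", "WebAuth"),
        Rule("Host", "OSArch", "EQUALS", "x86_64"),
        Rule("Host", "OSType", "EQUALS", "Windows 10"),
    ]),
    Service("WebAuth Dissolvable Agents", [
        Rule("Connection", "Protocol", "EQUALS", "WebAuth"),
        Rule("Host", "AgentType", "BELONGS_TO", "NativeWebAgent, JavaWebAgent"),
    ]),
    Service("WebAuth Catch-all", [
        Rule("Connection", "Protocol", "EQUALS", "WebAuth"),
    ]),
]

# Constructed sample requests.
WIN10_ONGUARD: Request = {
    ("Connection", "Protocol"): "WebAuth",
    ("Host", "OSArch"): "x86_64",
    ("Host", "OSType"): "Windows 10",
    ("Host", "AgentType"): "OnGuardAgentService",
}
MAC_JAVA_AGENT: Request = {
    ("Connection", "Protocol"): "WebAuth",
    ("Host", "OSArch"): "x86_64",
    ("Host", "OSType"): "Mac OS X",
    ("Host", "AgentType"): "JavaWebAgent",
}
WIN7_NO_AGENT_TYPE: Request = {   # AgentType absent: only the catch-all fits
    ("Connection", "Protocol"): "WebAuth",
    ("Host", "OSArch"): "i386",
    ("Host", "OSType"): "Windows 7",
}
RADIUS_REQUEST: Request = {("Connection", "Protocol"): "RADIUS"}

if __name__ == "__main__":
    for label, req in [("win10", WIN10_ONGUARD), ("mac", MAC_JAVA_AGENT),
                       ("win7", WIN7_NO_AGENT_TYPE), ("radius", RADIUS_REQUEST)]:
        print(label, "->", classify(SERVICES, req))
```

The order of SERVICES matters: a catch-all placed first would absorb every WebAuth request, which is why the most specific service is listed first. Treating an absent attribute as a non-match is a deliberate choice so that a client that omits OS or agent information cannot satisfy a NOT_BELONGS_TO rule by accident.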
Chapter 3
Monitoring

The Monitoring features in Policy Manager provide access to live monitoring of components and other functions.
Figure 73: Access Tracker Page

Table 46 describes the information in the Access Tracker page:

Table 46: Access Tracker Page Columns
Server: Displays the IP address of the server.
Source: Displays the authentication source for the session. For example, TACACS or web authentication (WEBAUTH).
Username: Displays the username or MAC address of the host.
Service: Displays the name of the service.
Login Status: Displays the status of the request, such as Accept, Reject, or Timeout.
Figure 74: Edit Access Tracker Page

2. Modify the Edit Access Tracker page parameters as described in the following table, then click Save:

Table 47: Edit Access Tracker Page Parameters
Select Server/Domain: Displays information for the selected server or domain on the Access Tracker page. To display transactions from all nodes in the Policy Manager cluster, select all the servers.
Select Filter: Select a filter category to filter the displayed data.
Table 47: Edit Access Tracker Page Parameters (Continued)
Select Date: To select a date, click the icon. To set the date in the before field to the current date, click Show Latest.
Select Columns: This section displays the following two fields:
- Available Columns: Displays the data columns available to be displayed in an Access Tracker table.
- Selected Columns: Displays the data columns currently selected for display.
The Session Details for the selected RADIUS transaction are displayed. The information on this page varies, depending on the session selected.

RADIUS > Summary Tab

The Summary page shows the basic high-level information of the transaction.

Figure 76: Access Tracker > RADIUS Request Details > Summary Page

RADIUS > Input Tab

The Input tab shows protocol-specific attributes that Policy Manager received in a transaction request, including authentication and posture details (if available).
Figure 77: Access Tracker > RADIUS Request Details > Input Page

RADIUS > Output Tab

The RADIUS Request Details > Output tab shows the attributes that were sent to the network device (switch or controller) and to the posture-capable endpoint (for example, MAC devices). You can view the posture response and the posture evaluation results. For example, you can view details such as missing registry keys and the reasons for a failed registry key check.

To view the Request Details > Output page:
1.
RADIUS > Accounting Tab

The RADIUS Request Details > Accounting tab shows the account session details, as well as the following information:
- Network Details
- Utilization information
- Authentication Session Details

To view the RADIUS Request Details > Accounting page:
1. Navigate to the Monitoring > Live Monitoring > Access Tracker page.
2. Click any RADIUS session in the Access Tracker page.
3. Select the Accounting tab.
WebAuth > Summary Tab

The Request Details page for the selected WebAuth (Web Authentication) transaction opens to the Summary page. The information on this page varies, depending on the type of session selected.
Figure 81: Access Tracker > WebAuth Request Details > Input Page

WebAuth > Output Tab

The WebAuth Request Details > Output tab shows the attributes that were sent to the network device (switch or controller) and to the posture-capable endpoint (for example, MAC devices). You can view the posture response and the posture evaluation results. For example, you can view details such as missing registry keys and the reasons for a failed registry key check.
TACACS+ Session

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.
Table 48: TACACS Session Details > Summary Page Parameters
Session ID: Displays the automatically generated session ID for the selected TACACS+ session.
Username: Indicates the name of the admin user.
Time: Indicates the time that the TACACS+ session was initiated.
Status: Indicates the authentication status of the selected TACACS+ session.
Authorizations: Indicates the number of authorizations that have taken place for this session.
Table 49: TACACS Session Details > Request Page Parameters
Username: Indicates the name of the admin user.
Session ID: Displays the automatically generated session ID for the selected TACACS+ session.
Time: Indicates the time that the TACACS+ session was initiated.
Status: Indicates the authorization status of the selected TACACS+ session.
Table 50: TACACS Session Details > Policies Used Page Parameters
Service Name: Indicates the name of the W-ClearPass service through which the user is authenticated.
Authentication Source: Specifies the authentication source used by the client. For more information, see Adding and Configuring Authentication Sources on page 207.
Role: Indicates the Policy Manager role assigned to the client. For more information, see Adding and Modifying Roles on page 274.
This section provides the following information:
- Modifying the Accounting Page Parameters
- RADIUS Accounting Details > Summary Tab
- RADIUS Accounting Record Details > Auth Sessions Tab
- RADIUS Accounting Record Details > Utilization Tab
- RADIUS Accounting Record Details > Details Tab
- TACACS+ Accounting Record Details > Request Tab
- TACACS+ Accounting Record Details > Auth Sessions Tab
- TACACS+ Accounting Record Details > Details Tab

The Monitoring > Live Monitoring > Accounting pag
The Edit Accounting Page dialog opens.

Figure 89: Edit Accounting Page Dialog

3. Specify the Edit Accounting Page parameters as described in Table 53:

Table 53: Edit Accounting Page Parameters
Select Server/Domain: Select the W-ClearPass server for the dashboard data to be displayed.
Select Filter: To constrain the data display, select a filter from the drop-down list.
Figure 90: RADIUS Accounting Record Details Summary Page

The following table describes the configuration parameters on the RADIUS Accounting Record Details > Summary page:

Table 54: RADIUS Accounting Record Details Summary Tab Parameters
Session ID: Specifies the Policy Manager session identifier. You can correlate this record with a record in Access Tracker.
Account Session ID: Specifies a unique ID for this accounting record.
Table 54: RADIUS Accounting Record Details Summary Tab Parameters (Continued)
Service Type: Shows the value of the standard RADIUS attribute Service-Type.
Network Details
NAS IP Address: Shows the IP address of the network device.
NAS Port Type: Shows the access method. For example, Ethernet or 802.11 Wireless.
Calling Station ID: Specifies the MAC address of the client that is supported by Policy Manager.
Called Station ID: Shows the MAC address of the network device.
The following table describes the RADIUS Accounting Record Details > Auth Sessions parameters:

Table 55: RADIUS Accounting Record Details Auth Sessions Tab Parameters
Number of Authentication Sessions: Specifies the total number of authentications (always 1) and authorizations in this session.
Authentication Sessions Details
Session ID: Displays the Policy Manager session ID.
Type: Specifies the type of authentication: initial authentication or reauthentication.
The following table describes the configuration parameters on the RADIUS Accounting Record Details > Utilization tab:

Table 56: RADIUS Accounting Record Details > Utilization Tab Parameters
Active Time: Displays how long the session was active.
Account Delay Time: Displays how many seconds the network device has been trying to send this record. Subtract this value from the record timestamp to determine when the device actually generated the record.
Figure 93: RADIUS Accounting > Details Page

The following table summarizes the configuration information provided on the RADIUS Accounting Record Details > Details page:

Table 57: RADIUS Accounting Record > Details Page Summary
Accounting Packet Details: Shows the details of the RADIUS attributes sent to and received from the network device during an initial authentication and subsequent reauthentications. Each section in the Details page corresponds to a session in Policy Manager.
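The Summary, Auth Sessions, Utilization and Details tabs described above are all views over the same Start, Interim-Update and Stop accounting packets. The following added example, which is not ClearPass code or a Policy Manager export format, shows how those fields are derived from the raw attributes: records are grouped by Acct-Session-Id, Acct-Delay-Time is subtracted from the receive time to recover when the device generated each packet (the rule the Utilization tab gives for Account Delay Time), Active Time is read from the Stop record's Acct-Session-Time, and that figure is cross-checked against the observed Start-to-Stop interval. The attribute=value text, the session ID, the user and the addresses are constructed sample data.

```python
"""Correlating RADIUS accounting records per session (added example, not
ClearPass code). Input is a constructed 'Attr = value' block format."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one session seen as Start, Interim-Update and Stop.
# "Received" is the (assumed) time the accounting server received the packet.
SAMPLE_RECORDS = """\
Received = 2017-03-05T10:00:05
Acct-Status-Type = Start
Acct-Session-Id = "0a1b2c3d"
Acct-Delay-Time = 5
User-Name = "alice"
Calling-Station-Id = "00-11-22-33-44-55"
NAS-IP-Address = 10.0.0.2
NAS-Port-Type = Wireless-802.11

Received = 2017-03-05T10:15:02
Acct-Status-Type = Interim-Update
Acct-Session-Id = "0a1b2c3d"
Acct-Delay-Time = 2
Acct-Session-Time = 900
Acct-Input-Octets = 120000
Acct-Output-Octets = 3400000

Received = 2017-03-05T10:30:10
Acct-Status-Type = Stop
Acct-Session-Id = "0a1b2c3d"
Acct-Delay-Time = 10
Acct-Session-Time = 1800
Acct-Input-Octets = 250000
Acct-Output-Octets = 7100000
Acct-Terminate-Cause = User-Request
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated blocks of 'Attr = value' into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(" = ")
            rec[key.strip()] = value.strip().strip('"')
        records.append(rec)
    return records


def generated_at(rec: Dict[str, str]) -> datetime:
    """Receive time minus Acct-Delay-Time is when the NAS built the packet."""
    received = datetime.fromisoformat(rec["Received"])
    return received - timedelta(seconds=int(rec.get("Acct-Delay-Time", "0")))


def summarize_sessions(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """One summary per Acct-Session-Id, roughly the Summary and Utilization
    tabs, plus a consistency check between the device-reported
    Acct-Session-Time and the observed Start-to-Stop interval."""
    sessions: Dict[str, dict] = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        s = sessions.setdefault(sid, {"updates": 0, "max_delay": 0})
        s["max_delay"] = max(s["max_delay"], int(rec.get("Acct-Delay-Time", "0")))
        status = rec["Acct-Status-Type"]
        when = generated_at(rec)
        if status == "Start":
            s.update(start=when, user=rec.get("User-Name"),
                     nas_ip=rec.get("NAS-IP-Address"),
                     calling_station=rec.get("Calling-Station-Id"),
                     port_type=rec.get("NAS-Port-Type"))
        elif status == "Interim-Update":
            s["updates"] += 1
        elif status == "Stop":
            s.update(stop=when,
                     active_seconds=int(rec.get("Acct-Session-Time", "0")),
                     input_octets=int(rec.get("Acct-Input-Octets", "0")),
                     output_octets=int(rec.get("Acct-Output-Octets", "0")),
                     terminate_cause=rec.get("Acct-Terminate-Cause"))
    for s in sessions.values():
        if "start" in s and "stop" in s:
            observed = int((s["stop"] - s["start"]).total_seconds())
            # Non-zero means the NAS clock or its Acct-Delay-Time is off.
            s["skew_seconds"] = observed - s["active_seconds"]
    return sessions


if __name__ == "__main__":
    for sid, summary in summarize_sessions(parse_records(SAMPLE_RECORDS)).items():
        print(sid, summary)
```

A large max_delay on a session is worth a look on its own: it means the device retried accounting for a long time, so the Stop record's arrival time overstates when the client actually left, and any correlation with Access Tracker or firewall logs should use the corrected generated_at value rather than the receive time.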
TACACS+ Accounting Record Details > Request Tab

When you navigate to the Monitoring > Live Monitoring > Accounting page and select a TACACS+ Accounting record, the Accounting Record Details page opens to the Request page.
Table 58: TACACS+ Accounting Record Request Page Parameters (Continued)
Authentication Method: Identifies the authentication method used for network access.
Authentication Type: Identifies the authentication type used for network access.
Authentication Service: Identifies the authentication service used for network access.
The following table summarizes the information available on the TACACS+ Accounting Record Details > Auth Sessions page:

Table 59: TACACS+ Accounting Record Details > Authentication Sessions Page Parameters
Number of Authentication Sessions: Specifies the total number of authentications (always 1) and authorizations in this session.
Table 60: TACACS+ Accounting Record > Details Page Parameters
Accounting Packet Details: Shows the command typed (cmd), the privilege level of the administrator executing the command (privlvl), and the service (shell) for each authorization request, as well as the start time, task ID, and time zone.
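The Details tab above lists, per authorization request, the command, privilege level, service, start time, task ID and time zone. The following added example, not ClearPass code, parses records carrying those fields and produces the two reports an operator usually wants from them after a change window: which commands ran at the highest privilege level, and which commands each administrator ran, including any that would switch off the accounting the report depends on. The tab-separated key=value layout, the user and NAS fields, and the sample commands are constructed for the example.

```python
"""Reviewing TACACS+ command accounting records (added example, not
ClearPass code). The one-record-per-line, tab-separated key=value layout is
an assumption made so that cmd values may contain spaces."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample records; start_time is a Unix timestamp.
SAMPLE_LOG = "\n".join([
    "user=alice\tnas=10.0.0.2\tstart_time=1488709801\ttimezone=UTC\ttask_id=17"
    "\tservice=shell\tpriv-lvl=1\tcmd=show running-config",
    "user=alice\tnas=10.0.0.2\tstart_time=1488709830\ttimezone=UTC\ttask_id=18"
    "\tservice=shell\tpriv-lvl=15\tcmd=configure terminal",
    "user=alice\tnas=10.0.0.2\tstart_time=1488709842\ttimezone=UTC\ttask_id=19"
    "\tservice=shell\tpriv-lvl=15\tcmd=no aaa accounting commands 15 default",
    "user=bob\tnas=10.0.0.3\tstart_time=1488709900\ttimezone=UTC\ttask_id=20"
    "\tservice=shell\tpriv-lvl=1\tcmd=show version",
])

# Command prefixes that disable the accounting these reports rely on
# (constructed list; extend to match the platforms in use).
ACCOUNTING_OFF_PREFIXES = ("no aaa accounting", "no logging")


def parse_accounting(text: str) -> List[Dict[str, object]]:
    """Parse one record per line into dicts; priv-lvl becomes an int and
    start_time a timezone-aware datetime."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec: Dict[str, object] = {}
        for field in line.split("\t"):
            key, _, value = field.partition("=")
            rec[key] = value
        rec["priv-lvl"] = int(str(rec["priv-lvl"]))
        rec["start_time"] = datetime.fromtimestamp(int(str(rec["start_time"])),
                                                   tz=timezone.utc)
        records.append(rec)
    return records


def privileged_commands(records: List[Dict[str, object]],
                        min_priv_lvl: int = 15) -> List[Dict[str, object]]:
    """Authorization requests at or above the given privilege level."""
    return [r for r in records if int(str(r["priv-lvl"])) >= min_priv_lvl]


def commands_by_admin(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Commands grouped per administrator, in the order they were issued."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r["start_time"]):
        out[str(r["user"])].append(str(r["cmd"]))
    return dict(out)


def accounting_disabled(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Records whose command would stop further accounting: after such a
    command the absence of records is itself the finding."""
    return [r for r in records if str(r["cmd"]).startswith(ACCOUNTING_OFF_PREFIXES)]


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_LOG)
    for r in privileged_commands(recs):
        print(r["start_time"].isoformat(), r["user"], r["nas"],
              "task", r["task_id"], "priv", r["priv-lvl"], "->", r["cmd"])
    print(commands_by_admin(recs))
    print("accounting turned off by:", [r["task_id"] for r in accounting_disabled(recs)])
```

The task ID is the join key back to the corresponding authorization request in Access Tracker, which is why the reports keep it; the time zone field is carried through unchanged because the constructed sample is already in UTC.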
Table 61: OnGuard Activity Parameters
User: Displays the name of the user.
Host MAC: Displays the MAC address of the host.
Host IP: Displays the IP address of the host.
Host OS: Displays the operating system that runs on the host.
Status: Displays the online status of the host. Green indicates online and red indicates offline.
Date and Time: Displays the date and time at which the user was created.
Figure 98: Agent and Endpoint Details

The following table describes the configuration parameters on the Agent and Endpoint Details page:

Table 62: Agent and Endpoint Details Parameters
Host MAC: Displays the MAC address of the user.
Description: Optional description of the endpoint.
Status: Displays the status of the endpoint.
Added by: Displays the server name.
MAC Vendor: Vendor name and OS of the endpoint device.
OnGuard Details
User: Displays the name of the user.
Table 62: Agent and Endpoint Details Parameters (Continued)
Host OS: Displays the operating system that runs on the endpoint.
Registered Policy Manager Server: Displays the name and IP address of the Policy Manager server.
Registered at: Displays the date and time at which the Policy Manager installation was registered.
Last Unregistered at: Displays the date and time at which the Policy Manager installation was last unregistered.
Table 63: Bounce Agents Page Parameters (Continued)
- Allow network access: Allow network access by white-listing this endpoint. Clicking Allow network access sets the status of the endpoint to Known. NOTE: You must configure Enforcement Policy Rules to allow access to the endpoints with the status Known.
- Block network access: Block network access by blacklisting this endpoint. Clicking Block network access sets the status of the endpoint to Disabled.
Figure 100: Bounce Client (Using SNMP) Dialog

3. Enter the client IP or MAC Address.
4. Click Go, then click Bounce.

The following table describes the configuration parameters on the Bounce Client (Using SNMP) page:

Table 64: Bounce Client (Using SNMP) Page Parameters
Client IP or MAC address: Enter the client IP address or MAC address of the bounce client.
Host MAC: Displays the MAC address of the host.
Host IP: Displays the IP address of the host.
Figure 101: Broadcast Notification to Agents Dialog

4. Display Message: Enter the text of the message you want to send to the selected active endpoints.
5. Web link: Optionally, enter a URL to be included with the Display Message.
6. Click Send.

Sending a Message to Selected Endpoints

To send a message to selected endpoints:
1. Navigate to Monitoring > OnGuard Activity. The OnGuard Activity page opens.
2. Select one or more devices listed on the OnGuard Activity page.
3. Click the Send Message button.
Figure 103: Analysis and Trending

2. Use the following components in the user interface to customize and filter the Analysis and Trending page:
Select Server: Select a W-ClearPass node from the cluster.
Update Now!: Click to update the display with the latest available data.
Customize This!: Click to customize the display by adding filters. You can add a maximum of four filters.
Toggle Chart Type: Click to toggle the chart display between line and bar type.
- Network Monitor Page
- ClearPass Monitor Page

System Monitor Page

The System Monitor page displays charts and graphs that show CPU load, CPU usage, memory usage, and disk usage for the selected W-ClearPass server.

To access the System Monitor page for the selected W-ClearPass server:
1. Navigate to Monitoring > Live Monitoring > System Monitor.
2. From the Select Server drop-down, select the desired W-ClearPass server.
Process Monitor Page

The Process Monitor page displays CPU Usage and Main Memory Usage for a selected process or service.

To access the Process Monitor page:
1. Navigate to Monitoring > Live Monitoring > System Monitor > Process Monitor.

Figure 105: System Monitoring: Process Monitor Page

2. To view CPU Usage and Main Memory Usage for the selected process or service, click the Select Process drop-down list.
3.
  - System auxiliary services
  - System monitor service
  - Tacacs server
  - Virtual IP service

Network Monitor Page

The Network Monitor page displays information about the selected network traffic type.

To access the Network Monitor page:
1. Navigate to Monitoring > Live Monitoring > System Monitor > Network tab.
2. From the Select drop-down, select the desired traffic type.
ClearPass Monitor Page

The ClearPass Monitoring page displays performance monitoring counters and timers for the last 30 minutes of activity for the following W-ClearPass components:
- Service Categorization
- Authentication (RADIUS, TACACS, or WebAuth)
- Authorization
- Role Mapping
- Posture Evaluation
- Audit Scan
- Enforcement
- End-to-End Request Processing (RADIUS, TACACS, or WebAuth)
- Advanced

To access the ClearPass Monitor page:
1.
Profiler and Discovery: Endpoint Profiler

If the Profile license is enabled, the list of profiled endpoints is visible on the Endpoint Profiler page.
1. To access the Endpoint Profiler, navigate to the Monitoring > Profiler and Discovery > Endpoint Profiler page. The list of endpoints you view is based on the Device Category, Device Family, and Device Name items that you selected. Figure 108 shows an example of the graphs available on the Endpoint Profiler page:

Figure 108: Endpoint Profiler Page

2.
Figure 109: Endpoint Profiler Details

5. To return to the Endpoint Profiler page, select the Cancel button.
An SNMP description is necessary for discovering and profiling the network devices. For more information, see SNMP Credentials Configuration on page 154.
- SSH credentials: For Linux server or network device discovery, specify SSH configuration credentials. For more information, see SSH Credentials Configuration on page 156.
- WMI credentials: For Windows device discovery, specify WMI (Windows Management Instrumentation) credentials. For more information, see WMI Credentials Configuration on page 158.
For network device discovery, specify SNMP Read credentials. An SNMP-based scan sends an SNMP request to retrieve the network device information.
To add the SNMP configuration:
1. Navigate to Configuration > Profile Settings, then select the SNMP Configuration tab. The Profile Settings > SNMP Configuration page opens.
2. Click the SNMP Configuration tab.
Figure 110: Adding an SNMP Configuration
3. Click Add SNMP Configuration. The SNMP Configuration dialog opens.
Figure 111: SNMP Configuration Dialog
4.
Table 66: SNMP Configuration Parameters
Field / Action/Description
- IP Subnets/IP Addresses: 1. Enter either one or more IP subnets or one or more IP addresses. For multiple entries, separate the IP addresses with commas. When you initiate the network discovery scan, W-ClearPass uses the SNMP configuration to fetch the network device information for discovered devices.
- SNMP Version: 2. From the drop-down, select the appropriate SNMP version.
- Description: 3.
Figure 114: SSH Configuration Page
4. Specify the parameters in the SSH Configuration dialog as described in the following table, then click Save Entry.
Table 67: SSH Configuration Parameters
Field / Action/Description
- IP Subnets/IP Addresses: 1. Enter either one or more IP subnets or one or more IP addresses. For multiple entries, separate the IP addresses with commas.
- Username: 2. Enter the username for the device or subnet specified.
- Password: 3.
Figure 115: SSH Configuration Added Successfully

WMI Credentials Configuration
For Windows device discovery, specify WMI (Windows Management Instrumentation) configuration credentials. WMI configuration is necessary to discover Windows systems and device fingerprint details.
WMI is a key part of the Windows operating system. It is used to gather system statistics, monitor system health, and manage system components. To work properly, WMI relies on the WMI service.
3. Click Add Configuration. The WMI Configuration page opens.
Figure 118: WMI Configuration Page
4. Specify the WMI Configuration parameters as described in Table 68, then click Save Entry.
Table 68: WMI Configuration Parameters
Field / Action/Description
- IP Subnets/IP Addresses: 1. Enter either one or more IP subnets or one or more IP addresses. For multiple entries, separate the IP addresses with commas. NOTE: The WMI configuration can be for a single IP address or a subnet.
Figure 119: WMI Configuration Added Successfully

Initiating a Network Discovery Scan
Seed devices are the initial IP addresses provided by the network administrator to start the network scan. When you initiate a network discovery scan and specify the seed devices, network discovery uses SNMP to:
- Find any other devices connected to the seed devices.
- Profile the connected devices.
- Use that information to detect more devices in the network.
Figure 121: Initiating the Seed Devices Scan
3. Enter the appropriate information in the Initiate Scan dialog as described in Table 69.
Table 69: Initiating Network Discovery Scan Parameters
Field / Action/Description
- Server: 1. From the drop-down list, select the W-ClearPass Policy Manager server. If the W-ClearPass server is in a cluster, the list will display the cluster node IP addresses that you can choose. NOTE: Once you select the node, the network discovery scan starts with that node.
Figure 122: Seed Device Successfully Scanned
5. You can stop a scheduled seed device scan or restart a completed scan:
  a. To stop the scan operation, click the red Action button, then click Yes to confirm the stop operation.
  b. To restart a completed scan, click the green Action button.

About Auto-Refresh
When Auto-Refresh is enabled (it is enabled by default), W-ClearPass fetches fresh data every few seconds to ensure that the network discovery scan status is always current.
Figure 124: Discovered Devices Page

Importing Network Devices
The devices that you import are added to the set of network devices known to W-ClearPass. You can import devices from the Publisher node only.
To import and add discovered devices to the set of W-ClearPass Network Devices:
1. From the list of discovered devices, select a device you wish to import (as shown in Figure 124). You can select all of the discovered devices at once by clicking the Name check box.
2. Click the Import button.
Table 70: Specifying Network Device Details for Importing Devices
Field / Action/Description
- RADIUS Shared Secret: 1. If using RADIUS, enter the RADIUS Shared Secret for the selected discovered device.
- TACACS+ Shared Secret: 2. If using TACACS+, enter the TACACS+ Shared Secret for the selected discovered device.
- Override Vendor: 3. Optionally, to override the discovered vendor type, select this check box.
- Vendor: This field is displayed when you select Override Vendor. 4.
Figure 127: Viewing Details for a Discovered Device
3. When finished, click Close.

Viewing Discovered Endpoints
To view all the discovered endpoints that are connected to the network:
1. Navigate to Monitoring > Profiler and Discovery > Network Discovery. The Network Discovery page opens.
2. Click View Endpoints. The Endpoint Profiler opens.
Figure 128: Viewing the Discovered Endpoints Information
3. When finished, click Back to Network Discovery.
Configuring Nmap-Based Endpoint Port Scans
The Network Discovery scan feature supports running an Nmap-based scan on a host to detect open ports and to fingerprint the service(s) running behind those ports. This information is used in the device profile.
The steps to fully configure endpoint port scans using Nmap are as follows:
1. Enable Nmap-based endpoint port scans.
  a. Navigate to Administration > Server Manager > Server Configuration > Cluster-Wide Parameters.
Figure 130: Endpoint Fingerprint Details with Nmap Data

Audit Viewer
This section provides the following information:
- Introduction
- Audit Viewer

Introduction
The Audit Viewer page provides a dynamic report on actions, device name, category of Policy Manager component, user, and timestamp.
To access the Audit Viewer:
1. Navigate to Monitoring > Audit Viewer. The Audit Viewer page opens.
Figure 131: Audit Viewer Page
2.
The Audit Row Details page opens.
Figure 132: Audit Row Details for Add Event
For example, if a TACACS enforcement profile is added, the Audit Row Details page displays detailed information about that profile. If a policy is created, the Audit Row Details page displays information about the policy.

Modify Events
To display additional details about the change, including the previous values, the latest updated values, and the differences between the two, click a row with the Modify action type.
Table 71: Audit Row Details > Modify Event Page
Parameter / Description
- Old Data: Displays a summary of details about the original data values.
  - The Profile section shows a summary of the profile values.
  - The Attributes section shows data about the original attributes and values.
- New Data: Displays a summary of details about the new data values.
  - The Profile section shows a summary of the profile values.
  - The Attributes section shows data about the original attributes and values.
About the Event Viewer
The Event Viewer page provides reports about system-level events. All attempted upgrade, patch, and hotfix installations are logged in the Event Viewer, including failed system installation attempts.
Session idle time-out events for the Admin WebUI and the CLI generate Event Viewer messages whose description includes the client IP address and, when necessary, the session ID.
Table 72: Event Viewer Page Parameters (Continued)
Parameter / Description
- Action: Displays the status of the event action, for example Success, Failed, Unknown, or None.
- Timestamp: Displays the date and time when the event occurred.

Creating an Event Viewer Report Using Default Values
1. In the Filter field, select Source as the filter parameter.
2. Click Go. W-ClearPass returns all event records.

Creating an Event Viewer Report Using Custom Values
1. Click the icon. A new filter is added.
Viewing Report Details
To display the System Event Details page, click a row in the Event Viewer page.
Figure 136: System Event Details Page
The following table describes the System Event Details parameters:
Table 73: System Event Details Page Parameters
Parameter / Description
- Source: Displays the source of the event, for example Admin UI, RADIUS, or SnmpService.
- Level: Displays the level of the event from the following options:
  - INFO
  - WARN
  - ERROR
- Category: Displays the category of the event.
- Live Monitoring: Accounting on page 129

Preconfigured Data Filters
Policy Manager is preconfigured with the following data filters:
Table 74: Access Tracker Edit Page Parameters
Data Filter / Description
- RADIUS Requests: Shows all RADIUS requests.
- TACACS Requests: Shows all TACACS requests.
- WebAuth Requests: Shows all Web Authentication requests (requests originated from the Guest Portal).
- Event Requests: Displays all event-based records.
Figure 137: Data Filters Page

Adding a Data Filter
To add a data filter:
1. Click the Add link in the top-right corner of the page. The Add Data Filters page opens to the Filter tab.
Figure 138 shows the Filter dialog when you choose Select Attributes.
Figure 138: Add Data Filter > Filter Tab > Select Attributes
Figure 139 shows the Filter dialog when you choose Specify Custom SQL.
Figure 139: Add Data Filter > Filter Tab > Specify Custom SQL
2. Specify the Add Data Filters parameters as described in the following table.
Table 75: Add Data Filters Page > Filter Tab Parameters
Parameter / Action/Description
- Name: Enter a name for the data filter.
- Description: Optionally, enter a description of this data filter (recommended).
Rules Tab
The Rules tab displays when you choose the Select Attributes configuration type on the Filter dialog.
Figure 140: Add Data Filter > Rules Dialog
Table 76 describes the Add Filter > Rules tab parameters:
Table 76: Add Filter > Rules Tab
Parameter / Action/Description
- Rule Evaluation Algorithm: Select ANY match for a logical OR operation over all the rules, or ALL matches for a logical AND operation over all the rules.
- Add Rule: Add a rule to the filter.
- Edit Rule: Edit an existing rule.
Table 77 describes the Dashboard Filters > Rules Editor parameters:
Table 77: Dashboard Filters > Rules Editor Configuration Parameters
Parameter / Action/Description
- Matches: Specify the match conditions:
  - ANY matches one of the configured conditions.
  - ALL specifies to match all of the configured conditions.
- Type: Select the type of data filter.
  - Common: Attributes common to RADIUS, TACACS, and WebAuth requests and responses.
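As an added example (not code from the ClearPass guide or product), the Rules tab's ANY (logical OR) and ALL (logical AND) rule evaluation applied to a few constructed Access Tracker style records in Python; the attribute names, operator names and records are assumptions made for this illustration.

```python
"""Evaluate data-filter rules with the ANY (logical OR) / ALL (logical AND)
rule evaluation algorithm described for the Rules tab.

Added example, not ClearPass code. Attribute names, operator names and the
sample records are assumptions constructed for this illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample rows shaped like Access Tracker entries (not real data).
SAMPLE_RECORDS: List[Record] = [
    {"Type": "RADIUS", "Username": "alice", "Login Status": "ACCEPT", "NAS-IP-Address": "10.0.0.5"},
    {"Type": "RADIUS", "Username": "bob", "Login Status": "REJECT", "NAS-IP-Address": "10.0.0.5"},
    {"Type": "TACACS", "Username": "netadmin", "Login Status": "ACCEPT", "NAS-IP-Address": "10.0.0.9"},
    {"Type": "WebAuth", "Username": "guest42", "Login Status": "REJECT", "NAS-IP-Address": "10.0.1.2"},
]

# Assumed operator set; each takes (attribute value, rule value).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "EQUALS": lambda have, want: have == want,
    "NOT_EQUALS": lambda have, want: have != want,
    "CONTAINS": lambda have, want: want in have,
    "BEGINS_WITH": lambda have, want: have.startswith(want),
}


@dataclass(frozen=True)
class Rule:
    attribute: str
    operator: str
    value: str

    def matches(self, record: Record) -> bool:
        # An unknown operator is a configuration error, so fail loudly;
        # a rule on an attribute the record does not carry cannot match.
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator}")
        if self.attribute not in record:
            return False
        return OPERATORS[self.operator](record[self.attribute], self.value)


@dataclass(frozen=True)
class DataFilter:
    name: str
    algorithm: str  # "ANY" (logical OR) or "ALL" (logical AND)
    rules: Tuple[Rule, ...]

    def matches(self, record: Record) -> bool:
        if self.algorithm == "ANY":
            return any(rule.matches(record) for rule in self.rules)
        if self.algorithm == "ALL":
            # Edge case: with no rules, ALL vacuously matches every record and
            # ANY matches none, so a filter should carry at least one rule.
            return all(rule.matches(record) for rule in self.rules)
        raise ValueError(f"unknown rule evaluation algorithm: {self.algorithm}")


def apply_filter(data_filter: DataFilter, records: List[Record]) -> List[str]:
    """Return the usernames of the records the filter selects, in input order."""
    return [r["Username"] for r in records if data_filter.matches(r)]


# Two constructed filters: all RADIUS rejects (ALL) versus anything that is
# either a TACACS request or a reject of any type (ANY).
RADIUS_REJECTS = DataFilter("RADIUS rejects", "ALL", (
    Rule("Type", "EQUALS", "RADIUS"),
    Rule("Login Status", "EQUALS", "REJECT"),
))
TACACS_OR_REJECT = DataFilter("TACACS or any reject", "ANY", (
    Rule("Type", "EQUALS", "TACACS"),
    Rule("Login Status", "EQUALS", "REJECT"),
))

if __name__ == "__main__":
    for f in (RADIUS_REJECTS, TACACS_OR_REJECT):
        print(f"{f.name} ({f.algorithm}): {apply_filter(f, SAMPLE_RECORDS)}")
```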
Figure 142: Blacklisted Users Page
2. To delete a user from this blacklist, select the user row and click Delete. The deleted blacklisted user is now eligible to access the network.
Chapter 4 Authentication Methods and Sources
This section provides the following information:
- Supported Authentication Methods on page 179
- Adding and Configuring Authentication Methods on page 183
- Adding and Configuring Authentication Sources on page 207
- Configuring Authentication Methods for an Existing Service on page 181

Supported Authentication Methods
As a first step in the service-based processing, Policy Manager uses an authentication method to authenticate the user or device against
- Authentication source
- Authorization source

Authentication Method
Policy Manager initiates the authentication handshake by sending the available methods in priority order until the client accepts a method or rejects the last method, with the following possible outcomes:
- Successful negotiation returns a method, which is used to authenticate the client against the authentication source.
Authentication and Authorization Flow of Control
The flow of control for authentication takes the following components in sequence:
Figure 143: Authentication and Authorization Flow of Control

Configuring Authentication Methods for an Existing Service
To add or modify an authentication method or source for an existing service:
1. Navigate to the Configuration > Services page, then click Add. The Add Services page opens.
2. Select the Authentication tab.
Figure 144: Specifying Authentication Methods and Sources for a Selected Service
3. Specify the authentication methods and sources for the selected service as described in the following table.
You can open an authentication method or source from the Configuration > Authentication > Methods or Configuration > Authentication > Sources page.
Adding and Configuring Authentication Methods
This section provides the following information:
- Adding a New Authentication Method
- Modifying an Existing Authentication Method

Adding a New Authentication Method
To add a new authentication method:
1. Navigate to Configuration > Authentication > Methods. The Authentication Methods page opens.
Figure 145: Authentication Methods Page
2. Click Add. The Add Authentication Method page opens.
Figure 146: Add Authentication Method Page
3. Enter the name and description of the new authentication method.
4. From the Type drop-down, select the authentication type.
  - EAP-PWD on page 199
  - EAP-TLS on page 200
  - EAP-TTLS on page 202
  - MAC-AUTH Authentication Method on page 204
  - MSCHAP on page 205
  - PAP on page 206

Modifying an Existing Authentication Method
To modify an existing authentication method:
1. Navigate to Configuration > Authentication > Methods. The Authentication Methods page opens.
2. Click the authentication method of interest. The Edit Authentication Method page opens.
Figure 147: Edit Authentication Method Page (EAP-FAST)
3.
Figure 148: Add Authorize Authentication Method Configuration Dialog
3. Specify the Authorize Authentication Method parameters as described in the following table:
Table 79: Authorize Authentication Method Parameters
Parameter / Action/Description
- Name: Specify the label of the authentication method.
- Description: Provide additional information that helps to identify the authentication method.
- Type: Select the authentication method type Authorize.
4. Click Save.
Figure 149: Adding CHAP Authentication Method
3. Specify the CHAP parameters as described in the following table:
Table 80: CHAP Parameters
Parameter / Description
- Name: Specify the name of the CHAP authentication method.
- Description: Provide the additional information that helps to identify the authentication method.
- Type: Select CHAP.
4. Click Save.
Figure 150: Adding the EAP-FAST Authentication Method
3. Configure the EAP-FAST authentication service as described in Table 81.
Table 81: Specifying the EAP-FAST > General Parameters
Parameter / Action/Description
- Name: Specify the name of the authentication method.
- Description: Provide the additional information that helps to identify the authentication method.
- Type: Select EAP-FAST.
Table 81: Specifying the EAP-FAST > General Parameters (Continued)
Parameter / Action/Description
- Session Timeout: Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session-timeout interval. Specify the Session Timeout in hours.
  - The default is 6 hours.
  - If the Session Timeout value is set to 0, the cached sessions are not purged.
Table 82: EAP-FAST > Inner Methods Tab Parameters
Parameter / Action/Description
- Specify inner authentication methods in the preferred order: Select a method from the drop-down list:
  - Dell EAP GTC
  - EAP GTC
  - EAP MD5
  - EAP MSCHAPV2 (Default)
  - EAP PWD
  - EAP TLS with OCSP Enabled
  - EAP TLS
  Functions available in this tab include:
  - To append an inner method to the displayed list, select it from the Select a method drop-down list.
PAC Provisioning Tab
The PAC Provisioning dialog controls anonymous and authenticated modes. The following figure displays the EAP-FAST PAC Provisioning dialog:
Figure 153: EAP-FAST PAC Provisioning Dialog
1. Configure the PAC Provisioning parameters as described in Table 83.
2. When finished, click Save.
Table 83: EAP-FAST PAC Provisioning Parameters (Continued)
Parameter / Action/Description
Considerations authenticates using the newly provisioned PAC. When this field is enabled, Policy Manager accepts the end-host authentication in the provisioning mode itself. The end-host does not have to reauthenticate.
3. Specify the EAP-GTC General parameters as described in the following table:
Table 84: EAP-GTC Authentication Method Parameters
Parameter / Action/Description
- Name: If necessary, specify the name of the authentication method.
- Description: Optionally, provide the additional information that helps to identify the authentication method.
- Type: EAP-GTC is preselected.
Method Details
- Challenge: Optionally, specify a password.
4. Click Save.
Table 85: EAP-MSCHAPv2 Parameters
Parameter / Description
- Name: Specify the name of the authentication method.
- Description: Optionally, provide the additional information that helps to identify the authentication method.
- Type: Select EAP-MSCHAPv2.
4. Click Save.

EAP-PEAP
EAP-Protected Extensible Authentication Protocol (EAP-PEAP) is a protocol that creates an encrypted (and more secure) channel before the password-based authentication occurs. PEAP is an 802.
Table 86: EAP-PEAP > General Parameters
Parameter / Action/Description
- Name: Specify the name of the authentication method.
- Description: Optionally, provide the additional information that helps to identify the authentication method.
- Type: Select EAP-PEAP.
Method Details
- Session Resumption: Check the Session Resumption check box if you intend to enable Fast Reconnect.
Inner Methods Tab
The tunneled method is frequently referred to as the "inner method." The Inner Methods tab controls the inner methods for the EAP-PEAP authentication method.
Figure 157: EAP-PEAP > Inner Methods Tab
In FIPS mode, the EAP-MD5 authentication method is not supported.
to encrypt the traffic and provide secured wireless access without intruding on the privacy of others, even though the same username and password are shared by all devices.
The EAP-PEAP-Public method contains the following two tabs:
- General on page 197
- Inner Methods on page 198

General
The General tab labels the authentication method and defines session details.
Table 88: EAP-PEAP-Public - General Tab Parameters (Continued)
Parameter / Description
- Session Resumption: Caches EAP-PEAP-Public sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval. By default, this option is enabled.
- Session Timeout: Caches EAP-PEAP-Public sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval, specified in hours.
Figure 159: EAP-PEAP-Public - Inner Methods Tab
The EAP-MD5 authentication method is not supported if you use W-ClearPass Policy Manager in FIPS mode (Administration > Server Manager > Server Configuration > FIPS tab).
Table 89: EAP-PEAP-Public Inner Methods Tab Parameters
Parameter / Description
- Specify inner authentication methods in the preferred order: Select the inner authentication method available from the drop-down list. In this context, only the EAP-MSCHAPv2 method is available.
1. Navigate to Configuration > Authentication > Methods. The Authentication Methods page opens.
2. Select the Add link. The Add Authentication Method dialog opens:
Figure 160: EAP-PWD Authentication Method Configuration Dialog
3. Specify the EAP-PWD parameters as described in the following table:
Table 90: EAP-PWD Parameters
Parameter / Description
- Name: Enter the name of the authentication method.
- Description: Provide the additional information that helps to identify the authentication method.
1. Navigate to Configuration > Authentication > Methods. The Authentication Methods page opens.
2. Click Add. The Add Authentication Method dialog opens.
Figure 161: EAP-TLS Authentication Method Dialog
3. Specify the Add Authentication Method parameters as described in the following table, then click Save.
Table 91: EAP-TLS Authentication Method Parameters
Parameter / Action/Description
- Name: Specify the name of the authentication method.
Table 91: EAP-TLS Authentication Method Parameters (Continued)
Parameter / Action/Description
- Authorization Required: This parameter is enabled by default. Specify whether to perform an authorization check.
- Certificate Comparison: Specify the type of certificate comparison (identity matching) to perform when a client certificate is presented to Policy Manager:
  - To skip the certificate comparison, choose Do not compare.
General Tab
The General tab labels the method and defines session details. The following figure is an example of the EAP-TTLS - General tab:
Figure 162: EAP-TTLS - General Tab
The following table describes the EAP-TTLS - General parameters:
Table 92: EAP-TTLS - General Tab Parameters
Parameter / Description
- Name: Specify the name of the authentication method.
- Description: Provide the additional information that helps to identify the authentication method.
- Type: Select the type of authentication.
Inner Methods Tab
The Inner Methods tab controls the inner methods for the EAP-TTLS method. The following figure is an example of the EAP-TTLS - Inner Methods tab:
Figure 163: EAP-TTLS - Inner Methods Tab
The following table describes the EAP-TTLS - Inner Methods parameters:
Table 93: EAP-TTLS - Inner Methods Tab Parameters
Parameter / Description
- Specify inner authentication methods in the preferred order: Select any method available in the current context from the drop-down list.
The MAC-AUTH method contains the General dialog, which labels the authentication method and defines session details. The following figure is an example of the MAC-AUTH > General dialog:
Figure 164: Adding MAC-AUTH Authentication Method
The following table describes the MAC-Auth parameters:
Table 94: MAC-Auth Parameters
Parameter / Action/Description
General
- Name: Specify the name of the authentication method.
The following figure is an example of the MSCHAP - General tab:
Figure 165: MSCHAP - General Tab
The following table describes the MSCHAP - General parameters:
Table 95: MSCHAP - General Tab Parameters
Parameter / Description
- Name: Specify the name of the authentication method.
- Description: Provide the additional information that helps to identify the authentication method.
- Type: Select the type of authentication. In this context, select MSCHAP.
displays the Add Authentication Method > PAP dialog.
Figure 166: Adding the PAP Authentication Method
Table 96 describes the PAP parameters:
Table 96: PAP Authentication Method Parameters
Parameter / Action/Description
- Name: 1. Specify the name of the authentication method.
- Description: 2. Provide the additional information that helps to identify the authentication method.
- Type: 3. Select PAP as the Type of authentication.
Method Details
- Enable ArubaSSO: 4.
Figure 167: Authentication Sources Page
2. Click Add. The Add Authentication Sources page opens. Different tabs and fields appear, depending on the authentication source selected.
- Attributes Configuration on page 213
- Summary Information on page 221
Policy Manager can perform NTLM/MSCHAPv2, PAP/GTC, and certificate-based authentications against Microsoft Active Directory and against any LDAP-compliant directory (for example, Novell eDirectory, OpenLDAP, or Sun Directory Server). LDAP and Active Directory-based server configurations are similar. You can retrieve role-mapping attributes by using filters.
Table 97: Active Directory or Generic LDAP Authentication Source > General Parameters (Continued)
Parameter / Action/Description
- Use for Authorization: Enable this check box to instruct Policy Manager to fetch role-mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role-mapping attributes from the same source if the Use for Authorization field is enabled.
Primary Server Configuration The Primary tab defines the settings for the primary server.
Table 98: Active Directory or Generic LDAP > Primary Parameters (Continued)
Parameter / Action/Description
NOTE: This setting is available only for Active Directory.
- Base DN Search Scope: Enter the DN (Distinguished Name) of the node in your directory tree from which to start searching for records.
  1. After entering the values for the fields described above, click Search Base DN to browse the directory hierarchy. The LDAP browser opens. You can navigate to the DN that you want to use as the base DN.
  2.
Table 98: Active Directory or Generic LDAP > Primary Parameters (Continued)
Parameter / Action/Description
- Password Header: Oracle's LDAP implementation prepends a header to a hashed password string. If using Oracle LDAP, enter the header in this field so that the password is correctly identified and read. NOTE: This is available only for Generic LDAP and is not available for Active Directory.
Specify the Active Directory or LDAP Attributes > Filter Listing screen parameters as described in the following table:
Table 99: Active Directory or Generic LDAP Attributes > Filter Listing Parameters
Parameter / Action/Description
- Filter Name: Specify the name of the filter.
- Attribute Name: Specify the name of the LDAP or Active Directory attributes defined for this filter.
- Alias Name: Specify the alias name for each attribute name selected for the filter.
The following table describes the available directories:
Table 100: Active Directory/Generic LDAP Default Filters
Directory / Default Filters
Active Directory / Generic LDAP Directory:
- Authentication: This filter is used for authentication. The query searches in the objectClass of the type user.
Table 100: Active Directory/Generic LDAP Default Filters (Continued)
Directory / Default Filters
- dn (aliased to UserDN): This is an internal attribute that is populated with the user record's DN.
- Group: This is the filter used for retrieving the names of the groups to which a user belongs.
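As an added example (not code from the ClearPass guide or product), how the default filters in Table 100 fit together in Python: the supplied username is escaped and substituted into an Authentication filter restricted to objectClass user, the matched record's dn is exposed under the alias UserDN, and the Group filter and group names are derived from it. The filter templates, the %{...} placeholder syntax and the directory entry are assumptions constructed here.

```python
"""Build the default Active Directory authentication and group filters the
table describes and map the result attributes (dn aliased to UserDN, group
names) from a directory entry.

Added example, not ClearPass code. The filter templates, the %{...}
substitution syntax and the sample directory entry are assumptions."""
from typing import Dict, List

# Assumed templates: the Authentication filter looks up the user by account
# name within objectClass user; the Group filter lists the groups whose
# member attribute carries the user's DN.
AUTH_FILTER_TEMPLATE = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
GROUP_FILTER_TEMPLATE = "(&(member=%{UserDN})(objectClass=group))"

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into an LDAP search filter so that
    metacharacters in a supplied username cannot change the filter's meaning."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, values: Dict[str, str]) -> str:
    """Replace each %{Name} placeholder with the escaped value for Name."""
    rendered = template
    for name, raw in values.items():
        rendered = rendered.replace("%{" + name + "}", escape_filter_value(raw))
    return rendered


def first_rdn_value(dn: str) -> str:
    """Return the value of the leading RDN of a DN (e.g. the CN of a group),
    honouring backslash-escaped commas inside the value."""
    value: List[str] = []
    chars = iter(dn.split("=", 1)[1] if "=" in dn else dn)
    for ch in chars:
        if ch == "\\":
            value.append(next(chars, ""))  # keep the escaped character literally
        elif ch == ",":
            break  # end of the first RDN
        else:
            value.append(ch)
    return "".join(value)


# Constructed entry as a directory server might return it for the
# Authentication filter (sample data, not from a real directory).
SAMPLE_USER_ENTRY: Dict[str, object] = {
    "dn": "CN=Alice Example,OU=Staff,DC=corp,DC=example",
    "sAMAccountName": ["alice"],
    "memberOf": [
        "CN=VPN-Users,OU=Groups,DC=corp,DC=example",
        "CN=Staff,OU=Groups,DC=corp,DC=example",
    ],
}


def map_attributes(entry: Dict[str, object]) -> Dict[str, object]:
    """Apply the alias mapping from the table: dn -> UserDN, the Group filter
    rendered with that DN, and group names (here taken from memberOf)."""
    user_dn = str(entry["dn"])
    member_of = entry.get("memberOf", [])
    groups = [first_rdn_value(g) for g in member_of] if isinstance(member_of, list) else []
    return {
        "UserDN": user_dn,
        "GroupFilter": render_filter(GROUP_FILTER_TEMPLATE, {"UserDN": user_dn}),
        "Groups": groups,
    }


if __name__ == "__main__":
    print(render_filter(AUTH_FILTER_TEMPLATE, {"Authentication:Username": "alice"}))
    print(map_attributes(SAMPLE_USER_ENTRY))
```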
Specify the Active Directory or Generic LDAP Configure Filter Page > Browse tab parameter as described in the following table:
Table 101: Active Directory or Generic LDAP Configure Filter Page > Browse Tab Parameter
Navigation / Action/Description
- Find Node: To find the node, enter the DN, then click the Go button.

Filter Configuration
The Filter tab provides an LDAP browser interface to define the filter search query.
The following table describes the Configure Filter Page > Filter tab parameters:
Table 102: Configure Filter Page > Filter Tab Parameters
Parameter / Action/Description
- Find Node: To find a node, enter the DN, then click the Go button.
- Select the attributes for filter: This table has a Name and a Value column. You can enter the attribute name in the following two ways:
  - By selecting a node, inspecting the attributes, and then manually entering the attribute name by clicking on Click to add...
The following figure displays the Active Directory or Generic LDAP Configure Filter > Attributes tab:
Figure 175: Active Directory or Generic LDAP Configure Filter > Attributes Dialog
Specify the Active Directory/LDAP Configure Filter Page > Attributes tab parameters as described in the following table:
Table 103: Active Directory/LDAP Configure Filter Page > Attributes Parameters
Parameter / Action/Description
- Enter values for parameters: Policy Manager parses the filter query (created in the Filter tab a
Configuration Tab
The Configuration tab shows the filter and attributes configured in the Filter and Attributes tabs respectively. From this tab, you can also manually edit the filter query and the attributes to be fetched. The following figure displays the Configure Filter > Configuration dialog:
Figure 176: Configure Filter > Configuration Dialog

Modify Default Filters
When you add a new authentication source of type Active Directory or LDAP, a few default filters and attributes are populated.
Figure 177: Modify Default Filters > Configuration Dialog
The attributes that are defined for the authentication source appear as attributes in the role-mapping policy Rules Editor under the authorization source namespace.
2. From the Configure Filter > Configuration dialog, select the attribute you wish to modify.
3. Change the attribute operator values as needed, then click Save. The operator values that display are based on the Data Type specified here.
Generic SQL DB
Configure the primary and backup servers, session details, filter query, and role-mapping attributes to fetch for Generic SQL authentication sources on the following tabs:
- General Tab on page 222
- Primary Tab on page 224
- Attributes Tab on page 225
- Summary Tab on page 227
W-ClearPass Policy Manager can perform MSCHAPv2 and PAP/GTC authentication against any Open Database Connectivity (ODBC)-compliant SQL database such as Microsoft SQL Server, Oracle, MySQL, or PostgreSQL.
The following table describes the Add Generic SQL DB > General parameters:
Table 104: Add Generic SQL DB > General Parameters
Parameter / Action/Description
- Name: Specify the name of the authentication source.
- Description: Provide the additional information that helps to identify the authentication source.
- Type: Select Generic SQL DB.
- Use for Authorization: Enable this option to request Policy Manager to fetch role-mapping attributes (or authorization attributes) from this authentication source.
Primary Tab
The Primary tab defines the settings for the primary server. The following figure displays the Add Generic SQL DB > Primary tab:
Figure 180: Add Generic SQL DB > Primary Tab
The following table describes the Generic SQL DB > Primary parameters:
Table 105: Generic SQL DB > Primary Tab Parameters
Parameter / Action/Description
- Server Name: Enter the hostname or IP address of the database server.
- Port: (Optional) Specify a port value to override the default port.
Parameter / Action/Description
- Timeout: Enter the duration in seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers (in the order in which they are configured).
- ODBC Driver: Select the ODBC (Open Database Connectivity) driver to connect to the database. MySQL is supported in versions 6.0 and later. Dell does not ship MySQL drivers by default. If you require MySQL, contact Dell support at dell.com/support to get the required patch.
Parameter / Action/Description
- Enabled As: Indicates whether the filter is enabled as a role or attribute type. This can also be blank.
- Add More Filters: Click this button to open the Configure Filter page. Use this page to define a filter query and the related attributes to be fetched from the SQL DB store. Figure 182 displays the Generic SQL DB > Configure Filter page.

Adding More Filters
To add more filter queries and their related attributes:
1. Click Add More Filters.
Parameter / Action/Description
- Alias Name: Specify the name for the attribute. By default, this is the same as the attribute name.
- Data Type: Specify the data type for this attribute, such as String, Integer, or Boolean.
- Enabled As: Specify whether this value is to be used directly as a role or attribute in an enforcement policy. This bypasses the step of having to assign a role in Policy Manager through a role-mapping policy.

Summary Tab
Use the Summary tab to view the parameters configured.
General Tab
The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the HTTP - General tab:
Figure 184: HTTP - General Tab
The following table describes the HTTP - General tab parameters:
Table 108: HTTP - General Tab Parameters
Parameter / Description
- Name: Specify the name of the authentication source.
- Description: Provide the additional information that helps to identify the authentication source.
Table 108: HTTP - General Tab Parameters (Continued) Parameter Description Use for Authorization Enable this option to request Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source if the Use for Authorization field is enabled. This check box is enabled by default.
The following table describes the HTTP - Primary tab parameters:

Table 109: HTTP - Primary Tab Parameters
Parameter | Description
Base URL | Enter the base URL (host name) or IP address of the HTTP server, for example http://<host name>:xxxx, where xxxx is the port used to access the HTTP server.
Login Username | Enter the name of the user used to log in to the database. This account must have read access to all the attributes that need to be retrieved by the specified filters.
Add More Filters

The Configure Filter page defines a filter query and the related attributes to be fetched from the SQL DB store. The following figure displays the HTTP Filter Configure page:

Figure 187: HTTP Filter Configure Page

The following table describes the HTTP Configure - Filter parameters:

Table 111: HTTP Configure Filter Page Parameters
Parameter | Description
Filter Name | Displays the name of the selected filter.
Summary Tab

You can use the Summary tab to view the configured parameters. The following figure is an example of the HTTP - Summary tab:

Figure 188: HTTP - Summary Tab

Kerberos

Policy Manager can perform standard PAP/GTC or tunneled PAP/GTC (for example, EAP-PEAP[EAP-GTC]) authentication against any Kerberos 5 compliant server, such as a Microsoft Active Directory server. It is mandatory to pair this source type with an authorization source (identity store) containing user records.
General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the Kerberos - General tab:

Figure 189: Kerberos - General Tab

The following table describes the Kerberos - General parameters:

Table 112: Kerberos - General Tab Parameters
Parameter | Description
Name | Specify the name of the authentication source.
Use for Authorization | Disable this option in this context.
Authorization Sources | Specify one or more authorization sources from which role-mapping attributes are to be fetched. Select a previously configured authentication source from the drop-down list and click Add to add it to the list of authorization sources. Click Remove to remove the selected authentication source from the list.
The following table describes the Kerberos - Primary parameters:

Table 113: Kerberos - Primary Tab Parameters
Parameter | Description
Hostname | Specify the host name or IP address of the Kerberos server.
Port | Specify the port on which the server listens for Kerberos connections. The default port is 88.
Realm | Specify the domain of authentication. In this case, specify the Kerberos domain.
General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure is an example of the Okta - General tab:

Figure 192: Okta - General Tab

The following table describes the Okta - General parameters:

Table 114: Okta - General Tab Parameters
Parameter | Description
Name | Specify the name of the authentication source.
Description | Provide additional information that helps to identify the authentication source.
Server Timeout | Specify the duration in seconds that Policy Manager waits before considering this server unreachable. If multiple backup servers are available, this value is the duration in seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers, in the order in which they are configured.
Attributes Tab

The Attributes tab defines the Okta query filters and the attributes to be fetched by using those filters. The following figure displays the Okta - Attributes tab:

Figure 194: Okta - Attributes Tab

The following table describes the Okta - Attributes parameters:

Table 116: Okta - Attributes Tab Parameters
Parameter | Description
Filter Name | Displays the name of the filter. For Okta, you can configure only Group.
Add More Filters

The Configure Filter page defines a filter query and the related attributes to be fetched from the SQL DB store. The following figure displays the Okta - Configure Filter page:

Figure 195: Okta - Configure Filter Page

The following table describes the Okta Configure Filter parameters:

Table 117: Okta Configure Filter Page Parameters
Parameter | Description
Filter Name | Enter the name of the filter.
Filter Query | Specifies an SQL query to fetch attributes from the user or device record in the DB.
Summary Tab

You can use the Summary tab to view the configured parameters. The following figure displays the Okta - Summary tab:

Figure 196: Okta - Summary Tab

RADIUS Server

You can use a RADIUS server as an authentication source to allow W-ClearPass to query a third-party RADIUS server for authentication.
The following table describes the RADIUS Server - General parameters:

Table 118: RADIUS Server - General Tab Parameters
Parameter | Description
Name | Specify the name of the authentication source.
Description | Provide additional information that helps to identify the authentication source.
Type | Select the type of source. In this context, select RADIUS Server.
The following table describes the RADIUS Server - Primary parameters:

Table 119: RADIUS Server - Primary Tab Parameters
Parameter | Description
Connection Details
Server Names | Enter the name of the RADIUS server.
Port | The default port number is 1812. You may enter a different port number if required.
Secret | Enter the secret key for authentication.

Attributes Tab

The Attributes tab defines the query filters and the attributes to be fetched by using those filters.
Summary Tab

You can use the Summary tab to view the configured parameters.
Adding a Static Host List as an Authentication Source

To add a static host list as an authentication source:
1. Navigate to Configuration > Authentication > Sources. The Authentication Sources page appears.

Figure 201: Authentication Sources Page

2. Click the Add link. The Add Authentication Sources dialog opens.

Figure 202: Specifying a Static Host List as Authentication Source

3. Enter the name and description of the static host list.
4. In the Type field, select Static Host List.
Figure 203: Existing Static Host List Added

Only static host lists of type MAC Address Host Lists or MAC Address Regular Expression can be configured as authentication sources.
a. To remove the selected static host list, click Remove.
b. To view the contents of the selected static host list, click View Details.
c. To modify the selected static host list, click Modify.
7. Click Save.
General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the Token Server - General tab:

Figure 204: Token Server - General Tab

The following table describes the Token Server - General parameters:

Table 121: Token Server - General Tab Parameters
Parameter | Description
Name | Specify the label of the authentication source.
NOTE: You can specify additional authorization sources at the service level. Policy Manager fetches role-mapping attributes irrespective of which authentication source the user or device was authenticated against.
Server Timeout | Specify the duration in seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers (in the order in which they are configured).
The following figure is an example of the Token Server - Attributes tab:

Figure 206: Token Server - Attributes Tab

See Configuring a Role and Role-Mapping Policy on page 272 for more information. The following table describes the Token Server - Attributes parameters:

Table 123: Token Server - Attributes Tab Parameters
Parameter | Description
Type | Select the type of authentication source from the drop-down list.
Name | Specifies the name of the token server attribute.
Chapter 5 Configuring Identity Settings

This chapter provides information on the following topics:
- Configuring Single Sign-On
- Managing Local Users
- Adding and Modifying Endpoints
- Managing Static Host Lists
- Configuring a Role and Role-Mapping Policy

This chapter provides details on the settings required to configure W-ClearPass Policy Manager Identity settings.
Figure 208: Configuring Single Sign-On > SAML Service Provider Parameters

2. Select the application(s) you want users to access with single sign-on. To complete this task, specify the SAML SP Configuration tab parameters as described in Table 124.
3. Create trusted relationships between a Service Provider and an Identity Provider by providing the Identity Provider (IdP) URL and IdP certificate. To complete this task, specify the SAML IdP Configuration tab parameters as described in Table 125.
Table 124: Single Sign-On Service Provider Configuration Settings (Continued)
Parameter | Action/Description
- Validity Status
- Signature Algorithm
- Public Key Format
- Serial Number
- Enabled
This field only displays certificates that are enabled in the certificate trust list. See also Certificate Trust List on page 681.
CPPM Service Provider (SP) Metadata | SP Metadata: 4. To download and view an XML file containing metadata for the Service Provider Uniform Resource Identifier (URI), click Download.

Table 125: Single Sign-On Identity Provider Configuration Settings (Continued)
Parameter | Action/Description
CPPM Service Provider (SP) Metadata | SP Metadata section: 5. To download and view an XML file containing metadata for the Service Provider Uniform Resource Identifier (URI), click Download. Metadata URI: 6. View the location of this metadata file.
Figure 211: Adding a Local User

3. Specify the Add Local User parameters as described in the following table, then click Add:

Table 126: Adding a Local User Parameters
Parameter | Action/Description
User ID | 1. Specify the local user's user ID.
Name | 2. Enter the local user's name.
Password/Verify Password | 3. Specify a password for the local user, then verify the password.
Enable User | 4. You must select this check box to enable the local user account. Otherwise, the local user account is disabled.
Role | 6. Select a static role to be assigned to the user from the Role drop-down list.
Attributes | 7. To add attributes for the local user, click Click to add... A new row is created with a drop-down list in the Attribute column. This field is optional. The list of local user attributes is:
- Department
- Designation
- Email
- Phone
- Sponsor
- Title
a.
Figure 212: Modifying a Local User

3. Modify any values as necessary in the Edit Local User dialog.
4. Click Save.

Importing and Exporting Local Users

You can import or export the admin user accounts by using the Import and Export All links at the top-right corner of the Local Users page. For more information, see Importing and Exporting Information on page 32. After selecting one or more user accounts from the list, you can also export specific user accounts by clicking the Export button.
Figure 213: Account Settings > Password Policy Settings Dialog

3. Specify the Password Policy parameters as described in Table 127, then click Save.

Table 127: Password Policy Parameters
Parameter | Action/Description
Minimum Length | 1. Specify the minimum length required for the password.
Complexity | 2. Select the complexity setting from the Complexity drop-down list.
- May not contain the User ID or its characters in reversed order.
- May not contain a repeated character four or more times consecutively.
Expiry Days | 6. Set the password expiration time for local users. The allowed range is 0 to 500 days. The default value is 0. NOTE: If the value is set to 0, the password never expires. For any other value, local users are forced to reset the expired password when they log in.
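The rules in Table 127 are easy to misread when they are only listed, so the following block is an added example, written for this guide page and not Policy Manager's own implementation, that applies them to a candidate password: the Minimum Length, the User-ID-in-either-direction rule, the four-repeated-characters rule and the Expiry Days range (0 to 500, where 0 means never expire). The guide does not spell out what each Complexity setting requires, so the "three character classes" meaning used here is an assumption, as is the exact day on which a password counts as expired.

```python
# Added example for this guide page, not Policy Manager's own implementation: the
# Table 127 password policy rules as a checker. Minimum Length, Expiry Days
# (0 to 500, 0 = never expires), the reversed-User-ID rule and the repeated-
# character rule come from the table; the character-class meaning of
# "Complexity" and the ">= expiry_days" cut-off are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    complexity: bool = True  # assumed: require three of lower, upper, digit, symbol
    expiry_days: int = 0     # 0 means the password never expires

    def __post_init__(self):
        if not 0 <= self.expiry_days <= 500:
            raise ValueError("Expiry Days must be in the range 0 to 500")

    def violations(self, user_id: str, password: str) -> list:
        """Return the rules the candidate password breaks (empty list = accepted)."""
        problems = []
        if len(password) < self.minimum_length:
            problems.append("minimum length")
        # The User ID may not appear forwards or backwards (case-insensitive).
        uid, pw = user_id.lower(), password.lower()
        if uid and (uid in pw or uid[::-1] in pw):
            problems.append("contains user ID or its characters in reversed order")
        # Any character repeated four or more times in a row.
        if re.search(r"(.)\1{3,}", password):
            problems.append("repeated character four or more times consecutively")
        if self.complexity:
            classes = sum(bool(re.search(p, password))
                          for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
            if classes < 3:
                problems.append("complexity")
        return problems

    def must_reset(self, last_changed: str, today: str) -> bool:
        """True when the password has expired and the user is forced to reset it
        at login. Dates are ISO strings, for example '2024-01-31'."""
        if self.expiry_days == 0:
            return False
        age = date.fromisoformat(today) - date.fromisoformat(last_changed)
        return age >= timedelta(days=self.expiry_days)
```

Running the checker against a handful of candidates shows which rule fires for each; in the product the same outcome is what the user sees as a rejected password or a forced reset at login.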
2. Click the Account Settings link. The Account Settings page opens.
3. Select the Disable Accounts tab. The Disable Accounts dialog opens.

Figure 214: Disable Accounts Dialog

4. Specify the Disable Accounts parameters as described in Table 128, then click Save.

Table 128: Disable Accounts Parameters
Parameter | Action/Description
Days Exceed | 1. Specify the number of days before the account is disabled. The range is from 1 to 100 days.
Date Exceeds | 2.
Adding and Modifying Endpoints

This section provides the following information:
- Viewing the List of Authentication Endpoints
- Viewing Endpoint Authentication Details
- Performing Bulk Updates of Endpoint Attributes
- Triggering Actions to Be Performed on Endpoints
- Updating Device Fingerprints From a Hosted Portal
- Manually Adding an Endpoint
- Modifying an Endpoint

For related information, see:
- Configuring Endpoint Context Server Actions on page 614
- Adding Vendor-Specific Endpoint
Table 129: Endpoint Page Parameters (Continued)
Parameter | Action/Description
Device OS Family | Specifies the operating system that the device runs. For example, when the category is Computer, W-ClearPass shows a Device OS Family of Windows, Linux, or Mac OS X.
Status | Displays the status of the endpoint:
- Known client
- Unknown client
- Disabled client
Profiled | Indicates whether the device has been added to the W-ClearPass Profile.
In network discovery, when endpoints do not have a MAC address, W-ClearPass creates MAC addresses for them that include the prefix xa.
2. Click the Bulk Update button. The Bulk Update Attributes dialog opens.

Figure 217: Configuring Bulk Update Attributes

3. To select an attribute you want to update, select Click to add, select the attribute from the Attribute list, and then specify its Value.
4. Repeat the selection process for all the attributes you want to update, then click Update.
Table 130: Trigger Server Action Page Parameters
Parameter | Action/Description
Server Action | Select the server action from the drop-down list. The available server actions are as follows:
- Check Point Login - AD User
- Check Point Logout - Guest User
- Fortinet Login
- Fortinet Logout
- Handle AirGroup Time Sharing
- Infoblox Login
- Nmap Scan
- SNMP Scan
Context Server | Enter a valid context server name. You can enter an IP address or domain name.
Figure 220 shows the Update Device Fingerprint page when you set the Update Type to Add fingerprint rule.

Figure 220: Update Device Fingerprint Page: Add Fingerprint Rule

3.
Figure 221: Add Endpoint Page

2. Specify the Add Endpoint page parameters as described in the following table, then click Save:

Table 132: Add Endpoint Page Parameters
Parameter | Action/Description
MAC Address | Specify the MAC address of the endpoint.
Description | Enter a description that provides additional information about the endpoint (recommended).
Modifying an Endpoint

To modify an endpoint:
1. From the Configuration > Identity > Endpoints page, click the endpoint of interest in the list of endpoints. The Edit Endpoint page opens.

Figure 222: Edit Endpoint Page

2. Specify the Edit Endpoint page parameters as described in the following table, then click Save:

Table 133: Edit Endpoint Page Parameters
Parameter | Action/Description
MAC Address | Displays the MAC address of the endpoint.
Table 133: Edit Endpoint Page Parameters (Continued)
Parameter | Action/Description
...even when no other profiling information is available for an endpoint.
Added by | Displays the name of the W-ClearPass server that added the endpoint.
Online Status | Displays the online status of the endpoint:
- Online
- Not Available
Connection Type | Indicates the connection type; for example, Wireless. If the connection type is not known, the connection type is displayed as Unknown.
Configuring the Attributes for the Selected Endpoint

To configure the endpoint attributes for the selected endpoint:
1. From the Edit Endpoint page, select the Attributes tab.

Figure 223: Adding Endpoint Attributes

2. To add attributes for the selected endpoint, select Click to add... A new row is created with a drop-down list in the Attribute column.
3. To add an attribute to the endpoint, select one or more attributes from the drop-down list, then click Save.
Figure 224: Endpoint Fingerprint Details Page

Managing Static Host Lists

This section provides the following information:
- About Static Host Lists
- Adding a Static Host List
- Static Hosts Lists Configuration Summary
- Editing a Static Host List
- Importing and Exporting Static Host Lists

About Static Host Lists

You can configure primary and backup servers, session details, and the list of static hosts for Static Host List authentication sources.
- [Local User Repository]
- [Guest User Repository]
- [Guest Device Repository]

While regular users reside in an authentication source such as Active Directory (or in other LDAP-compliant stores), you can configure temporary users, including guest users, in the Policy Manager local repositories.

Role Statically Assigned

For a user account created in a local database, the role is statically assigned to that account.
Figure 226: Adding a Static Host List

3. Specify the parameters to add a static host list as described in Table 134, then click Save.

Table 134: Add Static Host List Parameters
Parameter | Action/Description
Name | 1. Enter the name of the static host list.
Description | 2. Enter a description that provides additional information about the static host list.
Host Format | 3. Select a format for expressing the address:
- Subnet
- Regular Expression
- List
Host Type | 4.
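The three Host Format values in Table 134 decide how an address is compared with the list, and the earlier note that only MAC address lists can serve as authentication sources follows from that: a subnet is an IP construct, while a regular expression or a plain list can describe MAC addresses. The following block is an added example written for this guide page, not Policy Manager's own matching code, that shows one reasonable way to evaluate each format. The list entries are constructed, and the choice to normalize MAC addresses to lower-case hex with separators removed before matching (so regular expressions are written against that form) is an assumption.

```python
# Added example for this guide page (not Policy Manager's own code): matching a
# host against a static host list for each Host Format of Table 134. Entries
# are constructed; normalizing MACs before comparison is an assumption.
import ipaddress
import re


def normalize_mac(mac: str) -> str:
    """Canonical form used for comparisons: lower-case hex with separators removed,
    so 00-11-22-33-44-55, 00:11:22:33:44:55 and 0011.2233.4455 compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class StaticHostList:
    """A static host list whose Host Format is 'Subnet', 'Regular Expression' or 'List'."""

    def __init__(self, name: str, host_format: str, entries):
        self.name = name
        self.host_format = host_format
        if host_format == "Subnet":
            # strict=False accepts host bits set, e.g. 10.1.5.0/16
            self.entries = [ipaddress.ip_network(e, strict=False) for e in entries]
        elif host_format == "Regular Expression":
            # Patterns are matched against the normalized MAC, whole string only.
            self.entries = [re.compile(e, re.IGNORECASE) for e in entries]
        elif host_format == "List":
            self.entries = {normalize_mac(e) for e in entries}
        else:
            raise ValueError(f"unknown host format {host_format!r}")

    def contains(self, host: str) -> bool:
        if self.host_format == "Subnet":
            addr = ipaddress.ip_address(host)
            return any(addr in net for net in self.entries)
        mac = normalize_mac(host)
        if self.host_format == "Regular Expression":
            return any(p.fullmatch(mac) for p in self.entries)
        return mac in self.entries


def authenticate_mac(host_lists, mac: str):
    """MAC authentication against static host lists used as authentication
    sources: returns the name of the first MAC-based list containing the
    address, or None. Subnet lists are skipped, as the guide allows only the
    MAC address list types in this role."""
    for host_list in host_lists:
        if host_list.host_format == "Subnet":
            continue
        if host_list.contains(mac):
            return host_list.name
    return None
```

Anchoring regular expressions with fullmatch rather than search matters in practice: a pattern meant to pin an OUI prefix should not also accept an address that merely contains those six hex digits somewhere in the middle.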
Static Hosts Lists Configuration Summary

You can use the Summary tab to view the static host list's configuration information.

Figure 227: Static Hosts Lists Configuration Summary

Editing a Static Host List

To edit a static host list:
1. Navigate to the Configuration > Identity > Static Host Lists page. The Static Host Lists page opens.
2. Click the name of the static host list you want to edit. The Edit Static Host List dialog opens.

Figure 228: Edit Static Host List Dialog

3.
Importing and Exporting Static Host Lists

You can import static host lists into W-ClearPass or export them to a file.
1. Navigate to the Configuration > Identity > Static Host Lists page. The Static Host Lists page opens.
2. Click the name of the static host list you want to import or export.
3. To import a static host list into W-ClearPass, click the Import link.
4. To export a static host list to a file, click the Export All link.
- [TACACS Network Admin]: Policy Manager Admin role, limited to Configuration and Monitoring screens
- [TACACS Read-only Admin]: Read-only administrator role for Policy Manager Admin
- [TACACS Receptionist]: Policy Manager Guest provisioning role
- [TACACS Super Admin]: Policy Manager Admin role with unlimited access to all user interface screens

Identity Roles Architecture and Workflow

Roles can range in complexity from a simple user group (for example, Finance, Engineering, or Human Resources) to
Adding and Modifying Roles

Roles exist independently of an individual service and can be accessed globally through the role-mapping policy of any service. Policy Manager lists all available roles on the Roles page.

To add a role:
1. Navigate to Configuration > Identity > Roles. The Roles page opens.

Figure 230: Roles Page

You can also configure a role from within a role-mapping policy (Add New Role).
2. Click Add. The Add New Role page opens.

Figure 231: Add New Role Page

3.
Adding and Modifying Role-Mapping Policies

This section includes the following information:
- Adding a Role-Mapping Policy
- Mapping Rules
- Modifying a Role-Mapping Policy

Adding a Role-Mapping Policy

To add a role-mapping policy:
1. Navigate to the Configuration > Identity > Role Mappings page. The Role Mappings page opens:

Figure 232: Role Mappings Page

2. Click Add. The Add Role-Mappings page opens to the Policy tab. The Policy tab labels the method and defines the default role.
Table 136: Role Mappings > Policy Parameters
Parameter | Action/Description
Policy Name | Enter the name of the role-mapping policy.
Description | Enter a description that provides additional information about the role-mapping policy.
Default Role | Select the role to which Policy Manager defaults when the role-mapping policy does not produce a match.
View Details | To view the details of the default role, click View Details.
Modify | To modify the default role, click Modify.
Figure 235: Rules Editor Page

2. Specify the Role Mappings Page > Rules Editor page parameters as described in the following table.

Table 137: Rules Editor Page Parameters
Parameter | Action/Description
Type | The Rules Editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries, depending on context. (Refer to Namespaces on page 919.)
Value | Depending on the attribute data type, this may be a free-form (one- or many-line) edit box, a drop-down list, or a time/date widget. The operator values that display for each type and name are based on the data type specified for the authentication source (from the Configuration > Authentication > Sources page).
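Tables 136 and 137 together describe a small rule engine: each rule selects a namespace dictionary (Type), an attribute within it (Name), an operator chosen for the attribute's data type, and a Value, and a rule that matches assigns a role; the Default Role applies when no rule matches. The following block is an added example written for this guide page to make that evaluation concrete; it is not Policy Manager's rule engine. The namespace and attribute names, the subset of operators, the "collect every matching role" evaluation order and the sample attribute bag are all constructed assumptions.

```python
# Added example for this guide page, not Policy Manager's own engine: a
# role-mapping policy as Tables 136 and 137 describe it. Namespaces, attribute
# names, the operator subset, the evaluation order and the sample attributes
# are constructed assumptions.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Rule:
    namespace: str   # the dictionary the Type column selects
    attribute: str   # the Name column
    operator: str    # operators offered depend on the attribute's data type
    value: object    # the Value column; its type follows the attribute data type
    role: str        # role assigned when the rule matches


@dataclass
class RoleMappingPolicy:
    name: str
    default_role: str   # used only when no rule matches
    rules: list


def rule_matches(rule: Rule, attributes: dict) -> bool:
    """Evaluate one rule against the attributes gathered for the session."""
    actual = attributes.get(rule.namespace, {}).get(rule.attribute)
    op = rule.operator
    if op == "EXISTS":
        return actual is not None
    if op == "NOT_EXISTS":
        return actual is None
    if actual is None:          # a missing attribute cannot satisfy a value test
        return False
    if op == "EQUALS":
        return actual == rule.value
    if op == "NOT_EQUALS":
        return actual != rule.value
    if op == "BELONGS_TO":      # the admin lists several acceptable values
        return actual in rule.value
    if op == "CONTAINS":        # multi-valued attribute such as group membership
        return rule.value in actual
    if op == "MATCHES_REGEX":
        return re.search(rule.value, str(actual)) is not None
    raise ValueError(f"unsupported operator {op!r}")


def map_roles(policy: RoleMappingPolicy, attributes: dict) -> list:
    """Every matching rule contributes its role (no duplicates); the default
    role is returned only when nothing matches."""
    roles = []
    for rule in policy.rules:
        if rule_matches(rule, attributes) and rule.role not in roles:
            roles.append(rule.role)
    return roles or [policy.default_role]


# Constructed sample policy: names mimic the Authorization:<source>, Connection
# and Endpoint namespaces but are illustration values only.
SAMPLE_POLICY = RoleMappingPolicy(
    name="Employee Role Mapping (constructed)",
    default_role="[Guest]",
    rules=[
        Rule("Authorization:AD", "memberOf", "CONTAINS",
             "CN=Engineering,OU=Groups,DC=example,DC=com", "Engineer"),
        Rule("Authorization:AD", "department", "BELONGS_TO",
             ["Finance", "Accounting"], "Finance"),
        Rule("Connection", "Protocol", "EQUALS", "RADIUS", "Network User"),
        Rule("Endpoint", "Device Category", "MATCHES_REGEX", r"^Smart", "BYOD"),
    ],
)
```

The design choice worth noticing is the treatment of a missing attribute: it never satisfies EQUALS, NOT_EQUALS or the other value tests, so an authorization source that is temporarily unreachable degrades to the default role rather than to whichever role a NOT_EQUALS rule would have handed out.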
Chapter 6 Posture

This chapter provides the following information:
- Posture Architecture and Flow
- Creating a New Posture Policy
- Configuring Posture Policy Agents and Hosts
- Configuring Posture Policy Plug-ins
- Configuring Posture Policy Rules
- Configuring Posture for Services
- Configuring Audit Servers
- Unified Agent System Tray Status Icons

Posture Architecture and Flow

This section provides the following information:
- Posture Policy
- Audit Servers
- Assessing Client Consistency
Figure 236: Posture Evaluation Process

Assessing Client Consistency

W-ClearPass Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
- Operating system version/type
- Registry keys/services present (or absent)
- Antivirus/antispyware/firewall configuration
- Patch level of software components
- Peer-to-Peer (P2P) application checks
- Services to be running or not running
- Processes to be running or not running
- Infected. The client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.
- Unknown. The posture token of the client is unknown.

System Token

Upon completion of all configured posture checks, Policy Manager evaluates all application tokens and calculates a system token, equivalent to the most restrictive rating among all returned application tokens. The system token provides the health posture component for input to the enforcement policy.
Table 138: Unified Agent System Tray Icons (Continued)
OnGuard Status | Network Type | VPN Status
Unhealthy | Trusted | Disconnected
Healthy | Untrusted | Connected
Healthy | Untrusted | Disconnected
Unhealthy | Untrusted | Connected
Unhealthy | Untrusted | Disconnected
Healthy | N/A | Error
Unhealthy | N/A | Error
Logged Out: No Health Status | N/A | Error
Error | Trusted | Connected
Error | Trusted | Disconnected
Error | Untrusted | Connected
Error | Untrusted | Disconnected
Error | No Profile | N/A
Error | N/A | Error
Logged Out: No Health Status | No Profile | N/A
Logged Out: No Health Status | Trusted | Connected
Logged Out: No Health Status | Untrusted | Disconnected
(The Icon column of this table shows the tray icon image for each row.)

OnGuard-Only System Tray Icons

Table 139 describes the icons that indicate the possible states for OnGuard-only.
such as devices lacking adequate posture agents or supplicants. For more information on audit servers, see Configuring Audit Servers on page 355.

Creating a New Posture Policy

From the Posture Policies page, you can create a new policy or edit an existing policy.

To create a new posture policy:
1. Navigate to Configuration > Posture > Posture Policies. The Posture Policies page displays a list of all existing posture policies.

Figure 237: Posture Policies Page

2. Click the Add link.
Configuring Posture Policy Agents and Hosts

This section provides the following information:
- Introduction
- NAP Agent Posture Plug-ins
- OnGuard Agent Posture Plug-ins

Introduction

To configure posture policy agents and hosts:
1. Navigate to Configuration > Posture > Posture Policies. The Posture Policies page displays a list of all existing posture policies.

Figure 239: Posture Policies Page

2. Click the Add link. The Add Posture Policies page opens.

Figure 240: Add Posture Policies Page

3.
Table 140: Add Posture Policy Parameters
Parameter | Action/Description
Policy Name | 1. Enter the name assigned to the policy by the W-ClearPass Policy Manager administrator.
Description | 2. Specify a description that provides additional information about the posture policy.
Posture Agent | 3. Select the posture agent type. For detailed information on these agents, see NAP Agent Posture Plug-ins on page 286 and OnGuard Agent Posture Plug-ins on page 286.
Host Operating System | 4.
When you select the Posture Agent: OnGuard Agent (Persistent or Dissolvable), you can configure the posture plug-ins for:
- Windows (see Table 142)
- Macintosh OS X (see Table 143)
- Linux (see Table 144)

Table 142: OnGuard Agent Validator Posture Plug-in Windows OS Support
Plug-in | Description | Windows Support
W-ClearPass Windows Universal System Health Validator | The configurable parameter categories for this validator are: Services, Processes, Registry Keys, AntiVirus, AntiSpyware, Firewall, Peer To Peer
Table 143: OnGuard Agent (Persistent or Dissolvable) Posture Plug-ins for Mac OS X
Plug-in | Description
W-ClearPass Macintosh OS X Universal System Health Validator | The configurable parameter categories for this validator are:
- Services
- Processes
- AntiVirus
- AntiSpyware
- Firewall
- Patch Management
- Peer-to-Peer
- USB Devices
- Virtual Machines
- Network Connections
- Disk Encryption
- Installed Applications
- File Check

Table 144: OnGuard Agent (Persistent or Dissolvable) Posture Plug-ins for Linux
- Policy Name
- Description
- Posture Agent
- Host Operating System
4. Select the Posture Plugins tab. The Add Posture Plugins page appears.
The Add Posture Policies dialog opens.

Figure 244: Adding a Posture Policy

a. Enter the name and a description of the posture policy.
b. Posture Agent: Choose OnGuard Agent (Persistent or Dissolvable).
c. Host Operating System: Windows is selected by default.
d. Click Next. The Posture Plugins dialog opens.

Figure 245: Selecting the Windows Posture Plugin

2. On the Posture Plugins page, select the check box for ClearPass Windows Universal System Health Validator.
3. Click Configure.
Figure 246: ClearPass Windows Universal System Health Validator Page

The following list of configuration pages for the selected version of Windows appears (see Figure 246):
- Services on page 291
- Processes on page 296
- Registry Keys on page 299
- AntiVirus on page 302
- AntiSpyware on page 304
- Firewall on page 305
- Peer To Peer on page 307
- Patch Management on page 308
- Windows Hotfixes on page 312
- USB Devices on page 317
- Virtual Machines on page 317
- Network Connections
To define Windows Service Groups, specify the evaluation rules, and add or remove specific Windows services on the endpoint:
1. Navigate to Configuration > Posture > Posture Policies, then click Add.
2. From the Add Posture Policies page, select the Posture Plugins tab.
3. Select the W-ClearPass Windows Universal System Health Validator, then click Configure.
4. Select the Windows operating system, then select the Enable checks for Windows_OS check box.
5. Select Services.
Defining the Service Group to Be Present

You can configure the name of the service group and specify the evaluation rule for the service group.
1. To configure the Service Groups for Services to Run, click Add. The Add Service Group to Be Present dialog opens.

Figure 248: Specifying the Service Group Evaluation Rule

2.
Figure 249: Specifying the Services to Run

2. Select one or more of the desired services from the Available Services list.
3. To move the desired services to the Services to Run box, click >>, then click Save.
4. You can also add a service to the list of available services. To do so, enter the service name in the Insert text box, then click Insert.

Defining the Service Group to Be Absent

You can configure the name of the service group and specify the evaluation rule for the service group.
1.
Table 147: Add Service Group to Be Absent Parameters
Parameter | Action/Description
Enter the Service Group Name | 1. Enter the name of the service group.
Service Group Evaluation Rule | 2. Select the appropriate Service Group Evaluation Rule:
- Pass All: Select this evaluation rule if you want all service groups to be stopped. Pass All is the equivalent of an AND condition.
- Pass Any One: Select this evaluation rule if you want any one of the service groups to be stopped.
Figure 252: Example of Services Configured

Processes

The Processes page provides a set of parameters to specify which processes are to be explicitly present or absent on the system.

To configure Processes:
1. Navigate to Configuration > Posture > Posture Policies, then click Add.
2. From the Add Posture Policies page, select the Posture Plugins tab.
3. Select the W-ClearPass Windows Universal System Health Validator, then click Configure.
4.
6. Specify the Processes configuration parameters as described in the following table:

Table 148: Processes Page Parameters
Parameter | Action/Description
Auto Remediation | 1. Enable to allow auto-remediation for processes.
User Notification | 2. Enable to allow user notifications in the event of process policy violations.

Processes to be Present Parameters

1. In the Processes to be Present section, click Add. The Add Processes to be Present page opens.

Figure 254: Add Processes to be Present Page

2.
Figure 255 shows the configuration parameters for when you select Process Name and when you select MD5 Sum.

Figure 255: Process to be Absent Pages: Process Name and MD5 Sum

2. Specify the Processes to be Absent parameters as described in the following table, then click Save:

Table 150: Processes to be Absent Page Parameters
Parameter | Action/Description
Check Type | 1. Select the type of process check to perform.
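Three pieces of the posture text above fit together: the Service Group Evaluation Rule (Table 147, where Pass All is an AND and Pass Any One passes on a single hit), the Processes to be Absent check by Process Name or MD5 Sum (Figure 255), and the system token described under System Token, which is the most restrictive of all application tokens returned by the health classes. The following block is an added example written for this guide page that evaluates a small policy of that shape against constructed endpoint inventories; it is not Policy Manager's or OnGuard's evaluator. Of the token names, only Infected and Unknown appear in the excerpt above; the other names, their ordering, and the choice to rate a failed health class as QUARANTINE are assumptions.

```python
# Added example for this guide page, not Policy Manager's own evaluator: service
# group evaluation rules, process-absent checks by name or MD5 sum, and the
# system token as the most restrictive application token. Token names other
# than INFECTED/UNKNOWN, their ordering, and "failed check => QUARANTINE" are
# assumptions; the policy and endpoint inventories below are constructed.
import hashlib

# Least to most restrictive (assumed ordering; the excerpt names only the last two).
TOKEN_ORDER = ["HEALTHY", "CHECKUP", "TRANSITION", "QUARANTINE", "INFECTED", "UNKNOWN"]


def system_token(application_tokens):
    """Most restrictive of all returned application tokens; none returned => UNKNOWN."""
    if not application_tokens:
        return "UNKNOWN"
    return max(application_tokens, key=TOKEN_ORDER.index)


def group_passes(conditions, rule):
    """Service Group Evaluation Rule: Pass All is AND; Pass Any One needs one hit."""
    if rule == "Pass All":
        return all(conditions)
    if rule == "Pass Any One":
        return any(conditions)
    raise ValueError(f"unknown evaluation rule {rule!r}")


def services_token(groups_present, groups_absent, running_services):
    """groups_*: list of (rule, [service names]). Every group must pass for the
    Services health class to be rated HEALTHY."""
    running = {s.lower() for s in running_services}
    ok = all(group_passes([s.lower() in running for s in names], rule)
             for rule, names in groups_present)
    ok = ok and all(group_passes([s.lower() not in running for s in names], rule)
                    for rule, names in groups_absent)
    return "HEALTHY" if ok else "QUARANTINE"


def processes_token(absent_checks, running_processes):
    """absent_checks: list of (check type, value); running_processes: {name: image bytes}.
    A name check catches a known binary name; an MD5 Sum check still catches it
    after it has been renamed."""
    for check_type, value in absent_checks:
        for name, image in running_processes.items():
            if check_type == "Process Name" and name.lower() == value.lower():
                return "QUARANTINE"
            if check_type == "MD5 Sum" and hashlib.md5(image).hexdigest() == value.lower():
                return "QUARANTINE"
    return "HEALTHY"


def evaluate_posture(policy, endpoint):
    """Return the per-health-class application tokens and the resulting system token."""
    tokens = {
        "Services": services_token(policy["services_present"], policy["services_absent"],
                                   endpoint["services"]),
        "Processes": processes_token(policy["processes_absent"], endpoint["processes"]),
    }
    return tokens, system_token(list(tokens.values()))


# Constructed sample policy and endpoints (service and process names are illustrative).
BANNED_IMAGE = b"constructed sample bytes standing in for a banned program"
SAMPLE_POLICY = {
    "services_present": [("Pass Any One", ["WinDefend", "MsMpSvc"])],
    "services_absent": [("Pass All", ["RemoteRegistry", "TlntSvr"])],
    "processes_absent": [("Process Name", "p2pclient.exe"),
                         ("MD5 Sum", hashlib.md5(BANNED_IMAGE).hexdigest())],
}
HEALTHY_ENDPOINT = {"services": ["WinDefend", "Dhcp"],
                    "processes": {"explorer.exe": b"constructed"}}
RENAMED_BINARY = {"services": ["WinDefend"],
                  "processes": {"svchelper.exe": BANNED_IMAGE}}
NO_AV_AND_TELNET = {"services": ["Dhcp", "TlntSvr"], "processes": {}}
```

Two points the example makes that the tables do not: the system token is never better than the worst health class, so one failed class decides the enforcement input, and the MD5 Sum check type is what keeps a process-absent rule effective when the binary is simply renamed.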
Figure 256: Processes Configured

Registry Keys

The Registry Keys page allows you to specify which registry keys are to be explicitly present or absent.

To define the registry keys:
1. Navigate to Configuration > Posture > Posture Policies, then click Add.
2. From the Add Posture Policies page, select the Posture Plugins tab.
3. Select the W-ClearPass Windows Universal System Health Validator, then click Configure.
4. Select the Windows operating system, then select the Enable checks for Windows_OS check box.
5.
Table 151: Registry Keys Page Parameters
Parameter | Action/Description
Auto Remediation | 1. Enable auto remediation for registry checks. Use this page to automatically add or remove registry keys based on the entries in the Registry keys to be present and Registry keys to be absent fields.
User Notification | 2. Enable user notifications for registry check policy violations.
Monitor Mode | 3. Enable this to set the health status of the Registry Keys health class to healthy.
Table 152: Registry Keys Page (Detail)
Parameter | Action/Description
Select the Registry Hive | 1. Specify the registry hive from the following options:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG
Enter the Registry key | 2. Specify the registry key using the examples given in the GUI.
Enter the Registry value name | 3. Specify the name of the registry value.
Select the Registry value data type | 4. Specify the registry value data type.
AntiVirus
In the Antivirus page, you can turn on an Antivirus application. To define the Antivirus health class:
1. Navigate to Configuration > Posture > Posture Policies, then click Add.
2. From the Add Posture Policies page, select the Posture Plugins tab.
3. Select the W-ClearPass Windows Universal System Health Validator, then click Configure.
4. Select the Windows operating system, then check the Enable checks for Windows_OS check box.
5. Select Antivirus.
8. Specify the Antivirus health class parameters as described in the following table:

Table 153: Antivirus Health Class Parameters
- An Antivirus Application is On: Click Antivirus application is on to enable testing of health data for configured Antivirus application(s).
- Auto Remediation: Check the Auto Remediation check box to enable auto remediation of anti-virus status. This option is enabled by default.
Table 153: Antivirus Health Class Parameters (Continued)
- Data file has been updated in: Enter the number, then specify the interval in hours, days, weeks, or months.
- Last scan has been done before: Enter the number, then specify the interval in hours, days, weeks, or months.
- Real-time Protection Status Check:
  - No Check: W-ClearPass does not use the Real-time Protection status value for health evaluation.
When enabled, the AntiSpyware detail page opens.
Figure 265: AntiSpyware Page (Detail 1)
7. To specify product and version check information, click Add.
Figure 266: AntiSpyware Page (Detail 2)
8. Specify the AntiSpyware parameters, then click Save.
Figure 267: AntiSpyware Page (Overview After)
When you save your AntiSpyware configuration, it appears in the AntiSpyware page.
Figure 269: Firewall Page (Detail 1)
When enabled, the Firewall detail page appears.
Figure 270: Firewall Page (Detail 2)
When you save your Firewall configuration, it appears in the Firewall page list.
Figure 271: Firewall Page (Overview After)
The following table describes the Firewall parameters:

Table 154: Firewall Page Parameters
Interface: Firewall Page
- A Firewall Application is On: Check the Firewall Application is On check box to enable testing of health data for configured firewall application(s).
- Auto Remediation
- User Notification
- Uncheck to allow any product
- Add
- Trashcan icon
Interface: Firewall Page (Detail 1), Firewall Page (Detail 2)
- Product/Version
The following table describes the Peer to Peer parameters:

Table 155: Peer to Peer Page
- Auto Remediation: Enable to allow auto remediation for service checks (automatically stop peer to peer applications based on the entries in the Applications to stop configuration).
- User Notification: Enable to allow user notifications for peer to peer application/network check policy violations.
Figure 273: ClearPass Windows Universal System Health Validator: Patch Management
9. Specify the Patch Management parameters as described in the following table.

Table 156: Patch Management Parameters
- A patch management application is on: To enable testing of health data for configured Antivirus application(s), check the A patch management application is on check box.
The Patch Management Health Checks configuration page opens:
Figure 274: Configuration Page for the Patch Management Application
11. Specify these parameters as described in the following table:
All checks might not be available for some products. Where checks are not available, they are shown in a disabled state.
Table 157: Patch Management Parameters (Continued)
- No Check: The W-ClearPass Policy Manager server ignores the Patch Agent Status value. This means it will not check the status of the Patch Agent application on the client.
- Enabled: Patch Agent is turned on and it automatically updates the client.
- Disabled: Patch Agent is disabled and it will not check for missing patches and update the client.
Figure 275: Patch Management Configuration Summary

Windows Hotfixes
There are two Hotfixes evaluation rules that can be applied:
- The Windows Hotfixes Groups to be Present Evaluation Rule specifies how to evaluate the health among multiple Hotfixes groups (see Table 158 for details).
Figure 276: Windows Hotfixes Page
6. Specify the Windows Hotfixes parameters as described in the following table:

Table 158: Windows Hotfixes Page Parameters
- Auto Remediation: Enable to allow auto-remediation for hotfix checks. Enabling this automatically triggers updates of the specified hotfixes. Auto-remediation for the Windows Hotfixes health class is enabled by default.
- User Notification: Enable to allow user notifications for hotfix policy violations.
Figure 277: Defining the Hotfix Group
2. Specify the Hotfixes Group parameters as described in the following table:

Table 159: Specifying Hotfixes Group to Be Present Parameters
- Enter the Windows Hotfixes Group Name: Enter the name of the Hotfixes Group.
- Windows Hotfixes Group Evaluation Rule: This evaluation rule specifies how to evaluate the health of a specific Hotfixes Group.
Figure 278: Specifying the Hotfixes to Be Present
3. From the first list, specify the criticality of the hotfixes:
- Critical
- Important
- Moderate
- Low
- Unspecified
As shown in Figure 278, the list of hotfixes for the selected criticality is displayed.
4. Select one or more of the desired hotfixes from the Available Hotfixes list. As shown in Figure 278, when you select a hotfix from the list of available hotfixes, information about that hotfix is displayed.
5.
Figure 279: Windows Hotfixes Added
6. To remove a hotfix from the Hotfixes to be present list, select the hotfix to be removed. The Edit Hotfixes to be Present dialog opens.
Figure 280: Removing Hotfixes from the Hotfixes to Be Present List
7. From the Hotfixes to be present list, select the hotfix(es) you wish to remove and click <<. The selected hotfix is removed from the Hotfixes to be present list.
8. When finished, click Save.
Figure 281: Summary of Hotfixes Groups Configuration

USB Devices
The USB Devices page provides configuration to control USB mass storage devices attached to an endpoint.
Figure 282: USB Devices
The following table describes the USB Devices parameters:

Table 160: USB Devices
- Auto Remediation: Enable to allow auto remediation for USB mass storage devices attached to the endpoint (automatically stop or eject the drive).
Figure 283: Virtual Machines
The following table describes the Virtual Machines parameters:

Table 161: Virtual Machines
- Auto Remediation: Enable to allow auto remediation for virtual machines connected to the endpoint.
- User Notification: Enable to allow user notifications for virtual machine policy violations.
- Allow access to clients running on Virtual Machine: Enable to allow clients that are running on a VM to be accessed and validated.
Figure 284: Network Connections Configuration Page
4. Select the Check for Network Connection Types check box.
5. To specify the type of connection that you want to include, click Configure. The Network Connection Types configuration page appears.
Figure 285: Network Connection Types Configuration Page
The following table describes the Network Connection Types configuration parameters:
Table 162: Network Connection Type Configuration Parameters
- Allow Network Connections Type: 1. Select one of the following options:
  - Allow Only One Network Connection
  - Allow One Network Connection with VPN
  - Allow Multiple Network Connections
- Network Connection Types: 2. To add or remove the Others, Wired, and Wireless network connection types, click >> or <<.
- Remediation Action for Network Connection Types Not Allowed: 3.
Figure 286: Disk Encryption Configuration Page
The following table describes the Disk Encryption parameters:

Table 164: Disk Encryption Parameters
- User Notification: Enable to allow user notifications for virtual machine policy violations.
- Product-specific checks: Clear to allow disk encryption on any product. The Select Disk Encryption product and Product Version is at least fields are disabled after you clear the check box.
In the Installed Applications Configuration page (see Figure 287), you can turn on the installed applications check and specify information about which installed applications you want to monitor.
Table 165: Installed Applications for Windows Configuration Page Parameters (Continued)
- Applications Allowed (Mandatory): 3. Specify installed applications to be monitored on a mandatory basis. NOTE: Enter the application names as they are shown in Add/Remove Programs.
- Applications Allowed (Optional): 4. Specify installed applications to be monitored on an optional basis. NOTE: Enter the application names as they are shown in Add/Remove Programs.
Table 166: Mandatory Applications Parameters
- Enter the Application Name: 1. Enter the name of the application.
- Enable Regular Expression: 2. Check (enable) this check box to enable the use of regular expressions in the Application Name. When this field is enabled, W-ClearPass treats the Application Name as a regular expression when comparing application names.
- Remediation Message: 3.
The following figure displays the File Check Health Class configuration page:
Figure 290: Windows File Check Health Class Configuration
The following table describes the File Check Configuration parameters:

Table 167: File Check Configuration Parameters
- Remediation checks: Auto-remediation for the File Check health class is not supported.
- User Notification: 1.
The following table describes the File Group to be Present > Add parameters:

Table 168: File Group to be Present - Add Parameters
- Enter the File Group Name: 1. Enter the name of the file group.
- File Group Evaluation Rule: 2. Select the appropriate File Group Evaluation Rule:
  - Pass All: Select this evaluation rule if you want the File Check health class to be deemed as 'healthy' only if all the configured file groups are present.
Figure 291: File to be Present > Add Dialog
The following table describes the File to be Present > Add parameters:

Table 169: File to be Present > Add Parameters
- File Location: 1. Select the location of the file from the drop-down list:
  - SystemDrive
  - Systemroot
  - ProgramFiles
  - ProgramFiles (x86)
  - HOMEDRIVE
  - HOMEPATH
  - None
- Enter the File Path: 2. Enter the file path as described in the examples from the user interface.
- Enter the File Name: 3.
Figure 292: File Group to be Present Parameters Displayed

Windows System Health Validator: OnGuard Agent
This Windows System Health Validator checks for current Windows Service Packs. The OnGuard Agent also supports legacy Windows operating systems such as Windows Server 2003 and Windows Server 2012. Use the check boxes to enable support of specific operating systems and to restrict access based on the Service Pack level. To configure the Windows System Health Validator:
1.
Figure 293: OnGuard Agent: Windows System Health Validator
6. To enable support of specific operating systems, click the corresponding check box.
7. Enter the minimum Service Pack level required on the client computer to connect to your network.
8. Click Save.

Windows Security Health Validator: OnGuard Agent
The Windows Security Health Validator checks for the presence of specific types of security applications.
The following screen appears:
Figure 294: OnGuard Agent: Windows Security Health Validator Page
5. To enable support of specific operating systems, click the corresponding check box.
6. Enter the minimum Service Pack level required on the client computer to connect to your network.
7. Click Save.

W-ClearPass Linux Universal System Health Validator Plugin
The W-ClearPass Linux Universal System Health Validator plugin appears on the Posture Plugins (Configuration > Posture > Posture Policies > Add) tab.
Antivirus
Use the Antivirus page to turn on an Antivirus application. Click An antivirus application is on to configure the Antivirus application information. The following figure displays the Antivirus health class configuration page:
Figure 295: Antivirus Page
The following table describes the Antivirus parameters:

Table 170: Antivirus Configuration Parameters
- Remediation checks: Auto-remediation for the File Check health class is not supported.
The following table describes the Antivirus Product configuration parameters:

Table 171: Antivirus Product Configuration Parameters
- Product-specific checks: Select this check box if you want to configure a specific antivirus product. If you want to allow any antivirus product, do not select this field.
- Select the Antivirus product: Select the Antivirus from the drop-down list.
The following table describes the Services page parameters:

Table 172: Services Page
- Auto Remediation: Enable to allow auto remediation for service checks (automatically stop or start services based on the entries in the Service to run and Services to stop configuration).
- User Notification: Enable to allow user notifications for service check policy violations.
The Posture Plugins dialog appears.
Figure 299: Selecting the Mac OS X Universal System Health Validator Posture Plug-in
4. In the Posture Plugins page, click the check box for ClearPass Mac OS X Universal System Health Validator.
5. Click Configure. The ClearPass Mac OS X Universal System Health Validator configuration page is displayed.
6. To enable checks for Mac OS X, select the Enable checks for Mac OS X check box.
- Disk Encryption on page 341
- Installed Applications on page 342
- File Check on page 345

Services
From the Services page, you can configure which services to run and which services to stop. See ClearPass Windows Universal System Health Validator > OnGuard Agent on page 289 for a description of the fields on this page.
Figure 303: Processes to be Present - Add Page

Antivirus
In the Antivirus page, you can specify information about the antivirus application. Click An antivirus application is on to configure the anti-virus application information. The following figure displays the Antivirus page:
Figure 304: Antivirus Page (Detail 1)
Click Add to specify product and version check information in the antivirus configuration page.
AntiSpyware
In the AntiSpyware page, an administrator can specify information about the antispyware application. The following figures show examples of the AntiSpyware page and the AntiSpyware - Add page:
Figure 306: Anti-Spyware Page
In the Antispyware page, click An Antispyware Application is On to configure the configuration elements specific to the antispyware product that you select. When you save the antispyware configuration, it appears in the Antispyware page list.
Firewall
From the Firewall page, click A Firewall Application is On to configure the firewall application information. The following figure displays the Firewall page:
Figure 308: Firewall Page
Click Add from the Firewall page to configure the configuration elements specific to the firewall product that you select. When you save the firewall configuration, it appears in the Firewall page list.
Figure 309: Firewall Add Page
When enabled, the Firewall detail page appears.
Click Add in the Patch Management page to view the configuration options for the specific patch management product. The following figure displays the Patch Management - Add page:
Figure 311: Patch Management - Add Page

Peer To Peer
From the Peer To Peer page, you can view and add peer-to-peer applications. Clicking A Peer to Peer application is on provides configuration options to specify peer-to-peer applications or networks that need to be explicitly stopped.
The following figure displays the USB Devices page:
Figure 313: USB Devices Page

Virtual Machine
The Virtual Machines page provides configuration options for virtual machines utilized by the network. Select the Virtual Machine Detection is on option to enable the Auto Remediation and User Notification options.
Select the Check for Network Connection Types check box from the Network Connections page, and then click Configure to specify the type of network connection.
The following image is an example of the Disk Encryption - Add page:
Figure 318: Disk Encryption Add Page

Installed Applications
The Installed Applications category groups classes that represent software-related objects. From the Installed Applications page, you can specify information about which installed applications you want to monitor.
Figure 319: Installed Applications Page for Macintosh OS X
The following table describes the Installed Applications for Mac OS X Configuration page parameters:

Table 173: Installed Applications for Mac OS X Configuration Page Parameters
- Remediation checks: Auto-Remediation for the Installed Applications health class is not supported.
- User Notification: 1. Enable sending a remediation message with a list of applications to install or uninstall to the user.
- Monitor Mode: 2.
Figure 320: Enabling Regular Expression
4. Configure the Add Mandatory Applications parameters as described in Table 174.

Table 174: Add Mandatory Applications Parameters
- Enter the Application Name: 1. Enter the name of the application.
- Enable Regular Expression: 2. Check (enable) this check box to enable the use of regular expressions in the Application Name.
Figure 321: Regular Expression Enabled

File Check
From the File Check page, you can turn on the file check feature and specify information about which files you want to check. Use the File Check page to verify the group of files to be present or absent. The following figure is an example of the File Check health class configuration dialog:
Figure 322: Mac OS X File Check Health Class Configuration
The following table describes the File Check Configuration parameters:

Table 175: File Check Configuration Parameters
- Remediation checks: Auto-remediation for the File Check health class is not supported.
- User Notification: 1. When enabled, a remediation message that includes the groups of files to be present or absent is displayed to the end user.
- Monitor Mode: 2. To treat all the file check health classes as always healthy, enable Monitor Mode.
Table 176: File Group to Be Present > Add Parameters
- Enter the File Group Name: 1. Enter the name of the file group.
- File Group Evaluation Rule: 2. Select the appropriate File Group Evaluation Rule:
  - Pass All: Select this evaluation rule if you want the File Check health class to be deemed as 'healthy' only if all the configured file groups are present.
Table 177: File to Be Present > Add Parameters (Continued)
- Enter the MD5 Sum: Optionally, you can specify one or more (comma separated) MD5 checksums of the process executable file.
- Remediation Message: 4. Specify the custom remediation message to be displayed to end users if the File check fails.
5. When finished, click Save.
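The following is an added example (not ClearPass or OnGuard code) that emulates how a File to be Present entry from Table 169 (Windows) or Table 177 (Mac OS X) is evaluated: the File Location token, path and file name are resolved to a file, and if MD5 sums were entered the file's digest must be one of them. The environment-variable mapping for the location tokens and the "Pass Any" rule are assumptions; the page names only Pass All.

```python
"""Emulation of the File Check health class "File to be Present" entry
(Table 169 for Windows, Table 177 for Mac OS X). Added example; not
ClearPass/OnGuard code. Each entry is a File Location token, a path, a
file name and an optional comma-separated list of MD5 sums."""
import hashlib
import os
import tempfile

# File Location drop-down tokens mapped to the environment variable that
# supplies the base directory. "None" means the File Path is used as given.
# The variable names are an assumption about how the agent resolves them.
LOCATION_ENV = {
    "SystemDrive": "SystemDrive",
    "Systemroot": "SystemRoot",
    "ProgramFiles": "ProgramFiles",
    "ProgramFiles (x86)": "ProgramFiles(x86)",
    "HOMEDRIVE": "HOMEDRIVE",
    "HOMEPATH": "HOMEPATH",
    "None": None,
}


def resolve_location(location, path, name, env):
    """Build the full file name from the three dialog fields."""
    var = LOCATION_ENV[location]          # KeyError for an unknown token
    base = "" if var is None else env.get(var, "")
    return os.path.join(base, path, name)


def md5_of(filename):
    """MD5 hex digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(filename, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_present(location, path, name, md5_sums="", env=None):
    """True when the file exists and, if MD5 sums were entered, the file's
    digest is one of them. An empty MD5 field checks existence only."""
    env = os.environ if env is None else env
    target = resolve_location(location, path, name, env)
    if not os.path.isfile(target):
        return False
    allowed = {s.strip().lower() for s in md5_sums.split(",") if s.strip()}
    return not allowed or md5_of(target) in allowed


def group_healthy(entries, rule="Pass All", env=None):
    """Evaluate a file group. "Pass All" is the rule named in Table 168/176;
    "Pass Any" is an assumed second rule (any one file present suffices)."""
    results = [file_present(*entry, env=env) for entry in entries]
    if rule == "Pass All":
        return all(results)
    if rule == "Pass Any":
        return any(results)
    raise ValueError("unknown evaluation rule: %s" % rule)


def demo():
    """Constructed sample: a temporary directory stands in for %SystemRoot%.
    Returns (good file, wrong MD5, missing file, Pass All, Pass Any)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "System32"))
        good = os.path.join(root, "System32", "agent.dll")   # constructed name
        with open(good, "wb") as handle:
            handle.write(b"constructed sample content\n")
        env = {"SystemRoot": root}
        real_sum = md5_of(good)
        bogus_sum = "0" * 32
        entries = [
            ("Systemroot", "System32", "agent.dll", real_sum + ", " + bogus_sum),
            ("Systemroot", "System32", "agent.dll", bogus_sum),
            ("Systemroot", "System32", "missing.dll", ""),
        ]
        return (
            file_present(*entries[0], env=env),   # True: exists, sum listed
            file_present(*entries[1], env=env),   # False: exists, sum differs
            file_present(*entries[2], env=env),   # False: file absent
            group_healthy(entries, "Pass All", env),
            group_healthy(entries, "Pass Any", env),
        )


if __name__ == "__main__":
    print(demo())
```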
Windows System Health Validator: NAP Agent
The Windows System Health Validator NAP (Network Access Protection) Agent checks for the level of Windows Service Packs. To configure the minimum service pack level required, perform the following steps:
1. Navigate to Configuration > Posture > Posture Policies. The Posture Policies page appears.
2. Click Add. The Add Posture Policies > Policy dialog opens.
Figure 327: Adding a Windows NAP Agent Posture Policy
3. Specify the following:
a.
Figure 329: OnGuard NAP Agent: Windows System Health Validator
6. To enable support of specific Windows operating systems, click the corresponding check boxes.
7. Enable the Restrict clients... check box and specify the minimum Service Pack level required on the client computer to connect to your network.
8. Click Save. You return to the Posture Plugins page where the status of the plug-in is now set to Configured.
Figure 330: Adding Windows Security Health Validator: NAP Agent Posture Policy
3. Specify the following:
a. Policy Name: Enter the name of the posture policy.
b. Posture Agent: Select NAP Agent.
c. Host Operating System: Select Windows.
4. Click Next. The Posture Policies > Posture Plugins page appears.
Figure 331: Selecting Posture Plugins for Windows Security Health Validator: NAP Agent
5. From the Posture Plugins page, select Windows Security Health Validator, then click Configure.
Figure 332: Windows Security Health Validator
7. To enable support of specific operating systems, click the corresponding check boxes.
8. Click Save. You return to the Posture Plugins page where the status of the Windows Security Health Validator plug-in is now Configured.

Configuring Posture Policy Rules
Once you have defined the posture hosts, agents, and plugins, you must configure the rules for the posture policy.
Figure 333: Posture Policy Rules Tab and Rules Editor
The following table describes the Rules Editor configuration parameters:

Table 178: Posture Policy Rules Editor Parameters
- Select Plugin Checks: Click to select one of the following plugin check types for System Health Validators (SHVs):
  - Passes all SHV checks
  - Passes one or more SHV checks
  - Fails all SHV checks
  - Fails one or more SHV checks
- Select Plugins: Select the plug-in to which the plug-in checks should apply.
- Dell hosted captive portal that performs posture checks through a dissolvable agent
The following figure displays an example of how to configure posture at the service level:
The Posture Compliance check box must be selected on the Service tab in order for posture to be enabled.
Table 179: Posture Features at the Service Level (Continued)
- Remediation URL: This URL defines where to send additional remediation information to endpoints.
- Sequence of Posture Servers: Select a posture server, then select Move Up, Move Down, Remove, or View Details.
  - To add a previously configured posture server, select it from the Select drop-down list, then click Add.
Figure 335: Flow of Policy Manager Auditing Control

Default Audit Servers
When you configure an audit as part of a Policy Manager service, you can select the default Nessus (Nessus Server) or the Nmap Audit configuration.

Adding Auditing to a Service
To configure an audit server for a new service:
1. Navigate to Configuration > Services. The Services page opens.
2. Select the Add link in the top-right corner. The Add Services dialog opens.
3.
The Add Services > Audit dialog opens.
Figure 336: Add Services > Audit Dialog
5. Complete the fields in the Add Services > Audit tab as described in Table 180, then click Save.
Table 180: Add Services > Audit Dialog Parameters
- Audit Server: Select a server profile from the list:
  - Nessus Server: Performs vulnerability scanning and returns a Healthy/Quarantine result.
  - Nmap Audit: Performs network port scans. The health evaluation always returns a Healthy result. The port scan gathers attributes that allow determination of role(s) through post-audit rules.
Table 180: Add Services > Audit Dialog Parameters (Continued)
  - If the audit server already has the posture token and attributes associated with this client in its cache, it returns the token and the attributes to Policy Manager.
- Trigger RADIUS CoA action: This option sends a RADIUS CoA command to the network device.

Modifying Default Audit Servers
To reconfigure default Policy Manager audit servers:
1. Navigate to Configuration > Posture > Audit Servers.
Adding a Nessus Audit Server
W-ClearPass uses the Nessus audit server interface primarily to perform vulnerability scanning. It returns a result of Healthy or Quarantine. To add a Nessus audit server:
1. Navigate to Configuration > Posture > Audit Servers, then click Add. The Add Audit Servers dialog opens to the Audit tab.
Figure 338: Add Nessus Audit Server > Audit Tab
2. Specify the Nessus Audit Server > Audit tab parameters as described in Table 181.
Figure 339: Add Nessus Audit Server > Primary and Backup Server Tabs
3. Specify the Nessus Audit Server > Primary Server tab and Backup Server tab parameters as described in Table 182.

Table 182: Nessus Audit Server > Primary and Backup Server Tabs Parameters
- Backup: On the Backup Server dialog, for the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
Modifying a Nessus Audit Server
To modify an existing Nessus audit server:
1. Navigate to Configuration > Posture > Audit Server. The Audit Servers dialog opens.
Figure 340: Selecting a Nessus Audit Server
2. Select the Nessus audit server you wish to modify. The Edit Nessus Server dialog opens to the Summary tab, which displays the configuration settings for the selected Nessus server.
Figure 341: Edit Nessus Server > Summary Page
3. Make any necessary configuration changes, then click Save.
2. Restart the Nessus service. For example:
centos# service nessusd restart
3. If the external Nessus server has Transport Layer Security (TLS) enabled, add the Nessus CA Certificate to the W-ClearPass Certificate Trust List (see Certificate Trust List on page 681). You can download the Nessus CA certificate from: https://:8834/getcert

Nessus Scan Profiles
A scan profile contains a set of scripts (plugins) that perform specific audit functions.
Figure 343: Nessus Scan Profile Configuration - Profile Tab
- The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click on its row.
Figure 344: Nessus Scan Profile Configuration Profile Tab - Plugin Synopsis
Of special interest is the section of the synopsis entitled Risks. To delete any listed plugin, click on its corresponding trashcan icon. To change the vulnerability level of any listed plugin, click on the link to change the level to one of HOLE, WARN, or INFO. This action tells Policy Manager which vulnerability level is treated as warranting QUARANTINE status.
By way of example of how plugins use this information, consider a plugin that must access a particular service in order to determine some aspect of the client's status; in such cases, login information might be among the preference fields.
Figure 347: Nessus Scan Profile Configuration - Preferences Tab
After saving the profile, plugin, and preference information for your new (or modified) plugin, you can go to the Primary/Backup Servers tabs and select it from the Scan Profile drop-down list.
Table 183: Audit Tab Parameters
- Name: Enter the name of the NMAP audit server.
- Description: Optionally (and recommended), enter a description of the Nmap audit server.
- Type: Select NMAP.
- In-Progress Posture Status: Specify the posture status during audit.
- Default Posture Status: Select the posture status if evaluation does not return a condition/action match.

NMAP Options Tab
You can use the NMAP Options tab to specify the type of scan configuration.
Table 184: NMAP Options Tab
- TCP Scan: Specify the type of TCP scan:
  - TCP SYN scan
  - TCP Connect scan
  - TCP Null Scan
  - TCP FIN scan
  - TCP Xmas scan
  - TCP ACK scan
  - TCP Window scan
  - TCP Maimon scan
  Refer to the Nmap documentation for more information on the TCP scan options. Nmap option: scanflags.
- UDP Scan: To enable UDP (User Datagram Protocol) scanning, check the UDP Scan check box. Nmap option: sU.
- Service Scan: To enable Service scanning, check the Service Scan check box.
Figure 350: All Audit Server Configurations > Rules Dialog

Table 185: All Audit Server Configurations > Rules Dialog Parameters
- Rules Evaluation Algorithm: Select first matched rule and return the role, or Select all matched rules and return a set of roles.
- Add Rule: When you add a rule, the Rules Editor opens. See below for details.
- Move Up/Down: Reorder the rules as necessary.
- Edit Rule: Opens the selected rule in Edit mode.
- Remove Rule: Removes the selected rule.
Table 186: All Audit Server Configurations > Rules Editor Parameters
- Conditions: The Conditions list includes five dictionaries:
  - Audit-Status
  - Device-Type
  - Output-Msgs
  - MAC-Vendor
  - Network-Apps
  - Open-Ports
  - OS-Info
  For more information, refer to Namespaces on page 919.
- Actions: The Actions list includes the names of the roles configured in Policy Manager.
- Save: To commit a Condition/Action pairing, click Save.
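The following is an added example (not Policy Manager code) of how post-audit rules built from the Conditions dictionaries above map to roles, and how the two Rules Evaluation Algorithm choices from Table 185 differ: first matched rule returns one role, all matched rules returns a set. The operator names, rule contents, role names and the audit values are constructed for the example.

```python
"""Post-audit rule evaluation as described for Tables 185 and 186. Added
example; not Policy Manager code. A rule ANDs conditions drawn from the
audit dictionaries and maps to one or more roles; the evaluation
algorithm is either "first matched rule" or "all matched rules"."""

# Dictionaries listed in the Rules Editor Conditions list.
DICTIONARIES = {"Audit-Status", "Device-Type", "Output-Msgs", "MAC-Vendor",
                "Network-Apps", "Open-Ports", "OS-Info"}

# Operator names are this example's own; they are not the product's list.
OPERATORS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "BEGINS_WITH": lambda actual, expected: str(actual).startswith(expected),
    "CONTAINS": lambda actual, expected: actual is not None and expected in actual,
}


def rule_matches(rule, audit):
    """A rule matches when every (dictionary, operator, value) condition holds."""
    for dictionary, operator, expected in rule["conditions"]:
        if dictionary not in DICTIONARIES:
            raise KeyError("unknown dictionary: %s" % dictionary)
        if not OPERATORS[operator](audit.get(dictionary), expected):
            return False
    return True


def evaluate(rules, audit, algorithm):
    """Return the set of roles according to the Rules Evaluation Algorithm."""
    matched = [r for r in rules if rule_matches(r, audit)]
    if algorithm == "first":   # Select first matched rule and return the role
        return set(matched[0]["roles"]) if matched else set()
    if algorithm == "all":     # Select all matched rules and return a set of roles
        return {role for r in matched for role in r["roles"]}
    raise ValueError("unknown algorithm: %s" % algorithm)


# Constructed rules and role names; the values are illustrative only.
RULES = [
    {"name": "failed audit",
     "conditions": [("Audit-Status", "EQUALS", "Failed")],
     "roles": ["Quarantined Device"]},
    {"name": "windows file server",
     "conditions": [("OS-Info", "BEGINS_WITH", "Windows"),
                    ("Open-Ports", "CONTAINS", 445)],
     "roles": ["Windows Server"]},
    {"name": "ssh host",
     "conditions": [("Network-Apps", "CONTAINS", "ssh")],
     "roles": ["SSH Host"]},
    {"name": "printer",
     "conditions": [("Device-Type", "EQUALS", "Printer")],
     "roles": ["Printer"]},
]

# Constructed audit result for one endpoint.
SAMPLE_AUDIT = {
    "Audit-Status": "Success",
    "Device-Type": "Server",
    "Output-Msgs": ["constructed scanner output"],
    "MAC-Vendor": "Constructed Vendor",
    "Network-Apps": ["ssh", "smb"],
    "Open-Ports": [22, 445],
    "OS-Info": "Windows Server (constructed)",
}


def demo():
    """Returns (first-match roles, all-match roles) for the sample audit."""
    return (evaluate(RULES, SAMPLE_AUDIT, "first"),
            evaluate(RULES, SAMPLE_AUDIT, "all"))


if __name__ == "__main__":
    print(demo())
```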
Chapter 7 Configuring Enforcement Policies and Profiles
This chapter describes the following topics:
- Configuring Enforcement Policies on page 371
- Configuring Enforcement Profile on page 373
Policy Manager controls network access by sending a set of access-control attributes to the request-originating Network Access Device (NAD). Policy Manager sends these attributes by evaluating an enforcement policy associated with the service.
Figure 353: Add Enforcement Policy > Enforcement Tab
2. Specify the Add Enforcement Policy > Enforcement parameters as described in the following table:

Table 187: Add Enforcement Policy > Enforcement Tab Parameters
- Name: Enter the name of this enforcement policy.
- Description: Enter a useful description of this enforcement policy (recommended).
Figure 354: Add Enforcement Policy > Rules Editor
4. Specify the Add Enforcement Policy > Rules tab parameters as described in the following table:

Table 188: Add Enforcement Policy: Rules Editor
- Add Rule: Click this button to bring up the Rules Editor.
- Move Up/Down: To reorder the rules in the enforcement policy, select an enforcement policy rule, then click Move Up or Move Down.
- Remove Rule: To delete a rule, select the rule, then click Remove Rule.
- Adding an Enforcement Profile
- Modifying an Existing Enforcement Profile
You can configure Policy Manager enforcement profiles globally, but they must be referenced by an enforcement policy that is associated with a service.
Figure 356: Add Enforcement Profile Dialog
The following table describes the default set of enforcement profiles included with Policy Manager:

Table 190: Default Enforcement Profiles (Enforcement Profile: Available for These Enforcement Types)
- [Aerohive - Terminate Session]: RADIUS_CoA
- [AirGroup Personal Device]: RADIUS
- [AirGroup Response]: RADIUS
- [AirGroup Shared Device]: RADIUS
- [Allow Access Profile]: RADIUS
- [Allow Application Access Profile]: Application
- [Aruba TACACS read-only Access]: TACACS
- [Ar
Table 190: Default Enforcement Profiles (Continued) (Enforcement Profile: Available for These Enforcement Types)
- [Drop Access Profile]: RADIUS
- [Handle AirGroup Time Sharing]: HTTP
- [HP - Terminate Session]: RADIUS_CoA
- [Juniper Terminate Session]: RADIUS_CoA
- [Motorola - Terminate Session]: RADIUS_CoA
- [Operator Login - Admin Users]: Application
- [Operator Login - Local Users]: Application
- [TACACS API Admin]: TACACS
- [TACACS Deny Profile]: TACACS
- [TACACS Help Desk]: TACACS
- [TACACS Network Admin]: TACACS
3. From the Template drop-down, select Agent Enforcement. The following figure displays the Agent Enforcement > Profile dialog:
Figure 357: Agent Enforcement > Profile Tab
4. Specify the Add Agent Enforcement > Profile parameters as described in the following table:

Table 191: Add Agent Enforcement > Profile Parameters
- Template: Select the template from the drop-down list. In this context, select Agent Enforcement.
- Name: Enter the name of the enforcement profile.
Configuring Agent Enforcement Attributes

Use the Attributes tab to configure the attribute name and attribute value for each attribute you add.

Figure 358: Agent Enforcement > Attributes Dialog

Specify the Agent Enforcement > Attributes parameters as described in the following table:

Table 192: Agent Enforcement > Attributes Tab Parameters (Attribute: Action/Description)
Attribute Name: Select one of the following attribute names:
- Bounce Client: To bounce the network interface, set the value to True.
Summary Information

The Summary tab summarizes the parameters configured in the Profile and Attribute tabs.
- Pass Health Evaluation Results to Script
- Success Message
- Failure Message
- Progress Message
- Description
- Download URL

Configuring the Agent Script Enforcement Profile

To configure an Agent Script Enforcement profile:
1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens.
2. Click Add. The Add Enforcement Profiles dialog opens to the Profile tab.

Figure 360: Agent Script Enforcement > Profile Dialog

3.
Configuring Agent Script Enforcement Attributes

Use the Attributes tab to configure the attribute name and attribute value for each attribute you add. The following figure displays the Agent Enforcement > Attributes dialog:

Figure 361: Agent Script Enforcement > Attributes Dialog

Specify the Agent Script Enforcement > Attributes parameters as described in the following table:
Table 194: Agent Script Enforcement > Attributes Parameters (Attribute: Action/Description)
Attribute Name: Select one of the following attribute names:
- Path of the Script: Complete the path of the script/program, including the filename. This attribute checks for the existence of a file on an endpoint device and also verifies the SHA256 Checksum.
- Command to Execute: Specify the complete command that OnGuard Agent should execute. You can use the command to launch scripts or pass command line arguments.
Viewing the Configuration Summary

The Summary page summarizes the parameters configured in the Profile and Attribute tabs.
Figure 363: Dell Downloadable Role Enforcement > Profile Page (Standard Mode)

2. Specify the Dell Downloadable Role Enforcement > Profile parameters as described in the following table:

Table 195: Dell Downloadable Role Enforcement > Profile Parameters (Parameter: Action/Description)
Template: Select the Dell Downloadable Role Enforcement template.
Name: Enter the name of the profile.
Description: Enter a description of the profile.
Type: This field is automatically populated with: RADIUS.
Role Configuration Mode: Standard

When Role Configuration is set to Standard (the default), the Role Configuration tab appears. The fields on the Role Configuration tab require you to select a link to launch a new page where you set role configuration profiles and related parameters.
Table 196: Role Configuration Parameters (Continued) (Parameter: Action/Configuration)
NetDestination Configuration: Select the Manage NetDestinations link to add, edit, and delete the NetDestinations definitions. For more information, see NetDestination Configuration.
Time Range Configuration: Select the Manage Time Ranges link to add, edit, and delete time range definitions. For more information, see Time Range Configuration.
Policer Profile

To define a Policer Profile:
1. Click the Add Policer Profile link. The Add Policer Profile dialog opens:

Figure 366: Add Policer Configuration Profile

2. Enter a name for the profile and configure the required attributes.

QoS Profile

To define a QoS Profile:
1. Click the Add QoS Profile link. The Add QoS Profile dialog opens:

Figure 367: Add QoS Profile Configuration Profile

2. Enter a name for the profile and configure the required attributes.

VoIP Profile

To define a VoIP Profile:
1.
Figure 368: Add VoIP Configuration Profile

2. Enter a name for the profile and configure the required attributes.

NetService Configuration

To define a NetService Configuration profile:
1. Click the Manage NetServices link. The NetService dialog opens:

Figure 369: NetService Configuration Profile

2. Enter a name for the profile and configure the required attributes.

NetDestination Configuration

To define a NetDestination Configuration profile:
1. Click the Manage NetDestinations link.
Figure 370: NetDestinations Configuration Profile

2. Enter a name for the profile and configure the required attributes.

Time Range Configuration

To define a Time Range Configuration profile:
1. Click the Manage Time Ranges link. The Time Range Configuration dialog opens:

Figure 371: Time Range Configuration Profile

2. Enter a name for the profile and configure the required attributes.

NAT Pool Configuration

To define a NAT (Network Address Translation) Pool Configuration profile:
1.
2. Enter a name for the profile and configure the required attributes.

Adding a Stateless Access Control List

To add a Stateless Access Control List:
1. Click the Add Stateless Access Control List link. The Stateless Access Control List Configuration dialog opens:

Figure 373: Stateless Access Control List Configuration Profile

2. Enter a name for the Stateless ACL.
3. On the General tab, click the Add Rule link. The Rule Configuration dialog opens.
4.
Figure 374: Session Access Control List Rule Configuration Profile

Different fields are shown depending on the Action type you choose. For example, if you select the dualnat action type, the Dual NAT Pool field is shown in addition, so that you can specify the action.

4. Enter the required attributes in the Rule Configuration dialog.
5. Click Save Rule.

Adding an Ethernet/MAC Access Control List

To add an Ethernet/MAC Access Control List:
1. Click the Add Ethernet/MAC Access Control List link.
Role Configuration Mode: Advanced

When you set Role Configuration Mode to Advanced, the Enforcement Profile page displays the Attributes tab (see Figure 376 below). In Advanced mode, the Aruba Downloadable Role Enforcement profile provides two dictionaries and two attributes. The supported dictionaries and their associated attributes are:
- Dictionary: Aruba; Attribute: Aruba-CPPM-Role. The Aruba-CPPM-Role attribute supports Mobility Access Switches.
4. To specify the Hewlett-Packard Enterprise dictionary and attribute:
   a. Type: Hewlett-Packard Enterprise
   b. Name: HPE-CPPM-Role (27)
   c. Value: Enter the appropriate ArubaOS switch commands.
5. Click Save.

Summary Information

For a profile in Standard Role Configuration Mode, the Summary tab summarizes the parameters configured in the Profile and Role Configuration tabs.
Table 197: Dell RADIUS Enforcement > Profile Parameters (Continued) (Parameter: Action/Description)
Action: Click Accept, Reject, or Drop to define the action taken on the request.
Device Group List: Select a device group from the drop-down list. The list displays all configured device groups. All configured device groups are listed in the Configuration > Network > Device Groups page.
Summary Information

The Summary tab summarizes the parameters configured in the Profile and Attributes tab.

Figure 380: Dell RADIUS Enforcement > Summary Tab

Cisco Downloadable ACL Enforcement Profile

Use this page to configure the Cisco Downloadable ACL Enforcement profile.

Profile Configuration

Use the Profile tab to configure the Cisco Downloadable ACL Enforcement profile.
Table 199: Cisco Downloadable ACL Enforcement > Profile Parameters (Continued) (Parameter: Action/Description)
Action: To define the action to take on the request, click Accept, Reject, or Drop.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured device groups. All configured device groups are listed in the Configuration > Network > Device Groups page.
Summary Information

The Summary tab summarizes the parameters configured in the Cisco Downloadable ACL Enforcement profile.

Figure 383: Cisco Downloadable ACL Enforcement > Summary Tab

Cisco Web Authentication Enforcement Profile

Use this page to configure profile and attribute parameters for the Cisco Web Authentication Enforcement profile.

Profile Configuration

Use the Profile tab to configure the template, type of the profile, and device group list.
Table 201: Cisco Web Authentication Enforcement > Profile Tab Parameters (Continued) (Parameter: Action/Description)
Action: Click Accept, Reject, or Drop to define the action taken on the request.
Device Group List: Select a device group from the drop-down list. The list displays all configured device groups. All configured device groups are listed in the Configuration > Network > Device Groups page.
Summary Information

The Summary tab summarizes the parameters configured in the Profile and Attribute tabs.

Figure 386: Cisco Web Authentication Enforcement > Summary Tab

W-ClearPass Entity Update Enforcement Profile

Use this page to configure profile and attribute parameters for the W-ClearPass Entity Update Enforcement profile.

Profile Configuration

Use the Profile tab to configure the template, type of the profile, and device group list.
Table 203: W-ClearPass Entity Update Enforcement > Profile Parameters (Continued) (Parameter: Action/Description)
Action: Click Accept, Reject, or Drop to define the action taken on the request.
Device Group List: Select a device group from the drop-down list. The list displays all configured device groups. All configured device groups are listed in the Configuration > Network > Device Groups page.
Summary Information

The Summary tab summarizes the parameters configured in the Profile and Attributes tab.

Figure 389: W-ClearPass Entity Update Enforcement > Summary Tab

CLI-Based Enforcement Profile

Use this page to configure profile and attribute parameters for the CLI-Based Enforcement profile.
Table 205: CLI Based Enforcement > Profile Parameters (Continued) (Parameter: Action/Description)
Action: Click Accept, Reject, or Drop to define the action taken on the request.
Device Group List: Select a device group from the drop-down list. The list displays all configured device groups. All configured device groups are listed in the Device Groups (Configuration > Network > Device Groups) page.
Summary Information

The Summary tab summarizes the parameters configured in the Profile and Attributes tab. The following figure displays the CLI-Based Enforcement > Summary tab:

Figure 392: CLI-Based Enforcement > Summary Tab

Filter ID Based Enforcement Profile

This section provides the following information:
- Profile Configuration on page 403
- Attributes Configuration on page 404

Use this page to configure profile and attribute parameters for the Filter ID based enforcement profile.
(Parameter: Action/Description)
Type: RADIUS. The field is populated automatically.
Action: Enabled. Click Accept, Reject, or Drop to define the action taken on the request.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups.
Generic Application Enforcement Profile

Use this page to configure profile and attribute parameters for the Generic Application Enforcement profile. The Generic Application Enforcement profile contains the following tabs:
- Profile Configuration on page 405
- Attributes Configuration on page 406
- Summary Information on page 406

Profile Configuration

Use the Profile tab to configure the template, type of the profile, and device group list.
Attributes Configuration

Use the Attribute tab to configure the attribute type, name, and value for the enforcement profile.
Specify the HTTP Based Enforcement > Profile parameters as described in the following table:

Table 211: HTTP Based Enforcement Profile Parameters (Parameter: Action/Description)
Template: Select the HTTP Based Enforcement template.
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile.
Use this page to configure profile and attribute parameters for the RADIUS based enforcement profiles.

Profile Configuration

The following figure displays the RADIUS Based Enforcement Profile tab:

Figure 400: RADIUS Based Enforcement > Profile Tab

Specify the RADIUS Based Enforcement Profile parameters as described in the following table:

Table 213: RADIUS Based Enforcement Profile Parameters (Parameter: Action/Description)
Template: Select the RADIUS Based Enforcement template.
Specify the RADIUS Based Enforcement > Attributes parameters as described in the following table:

Table 214: RADIUS Based Enforcement > Attributes Parameters (Parameter: Description)
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
- Radius:Cisco
- Radius:Hewlett-Packard-Enterprise
- Radius:Lucent-Alcatel-Enterprise
- Radius:Microsoft
- Radius:Avenda
For more information, see RADIUS Namespaces on page 928.
Table 215: RADIUS Change of Authorization (CoA) Profile Parameters (Continued) (Parameter: Action/Description)
Action: Disabled.
Device Group List: Optionally, select a Device Group from the drop-down list. All configured device groups are listed on the Device Groups page: Configuration > Network > Device Groups. After you add one or more device group(s), you can select a group and take one of the following actions:
- To delete the selected Device Group List entry, click Remove.
The following table describes the RADIUS Change of Authorization (CoA) > Attributes parameters:

Table 216: RADIUS Change of Authorization (CoA) Attributes Parameters (Parameter: Action/Description)
Select RADIUS CoA Template: Select one of the following RADIUS CoA templates:
- Dell - Change-User-Role
- Aruba - Change-VPN-User-Role
- Cisco - Bounce-Host-Port
- Cisco-Disable-Host-Port
- Cisco - Reauthenticate-Session
- Hewlett-Packard-Enterprise - Change-VLAN
- Hewlett-Packard-Enterprise - Generic-CoA
- Hewlett-Pa
Profile Configuration

The following figure displays the Session Notification Enforcement > Profile tab:

Figure 404: Session Notification Enforcement > Profile Configuration Dialog

The following table describes the Session Notification Enforcement > Profile parameters:

Table 217: Session Notification Enforcement Profile Tab Parameters (Parameter: Action/Description)
Template: Select Session Notification Enforcement.
Name: Enter the name of the profile.
Specify the Session Notification Enforcement > Attributes parameters as described in the following table:

Table 218: Session Notification Enforcement > Attributes Parameters (Parameter: Action/Description)
Type: Select one of the following Type attributes:
- Session-Check
- Session-Notify
Palo Alto integration is extended to Guest MAC Caching use cases.
Profile Configurations). For related information, see OnGuard Global Agent Settings on page 708.

Profile Configuration

To configure Profile and Attribute parameters for a Session Restrictions Enforcement profile:
1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens.
2. Click Add. The Add Enforcement Profiles > Profile tab opens.
3. From the Template drop-down, select Session Restrictions Enforcement.
Attributes Configuration

The following figure displays the Session Restrictions Enforcement > Attributes tab:

Figure 408: Session Restrictions Enforcement Profile > Attributes Dialog

1. Specify the Session Restrictions Enforcement > Attributes parameters as described in Table 220:
Table 220: Session Restrictions Enforcement Attributes Parameters (Parameter: Description)
Type: Select from the following attribute types:
- Bandwidth-Check
- Expiry-Check
- Post-Auth-Check
- Session-Check
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
- Type: Bandwidth-Check
  - Allowed-Limit: Defines the total bandwidth limit to be allowed per user or endpoint.
  - Check-Type: Defines the period/interval for bandwidth-based checks.
Table 220: Session Restrictions Enforcement Attributes Parameters (Continued) (Parameter: Description)
  - Username: Defines the username for which session restrictions are enabled. Used when the client MAC address is to be defined as a username. For configuration examples, see the section below, Examples of Session-Check Enforcement Profile Configurations.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
  - Post-Auth-Check > Action = Disconnect

4. Session Duration: The User/Endpoint is allowed access to the network daily for three hours in a specified time period (between 9:00 a.m. and 5:00 p.m.
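The Session Duration restriction above (a daily allowance of connected time inside a time window, enforced with Post-Auth-Check > Action = Disconnect) can be modelled to see how cumulative usage across several sessions is counted. The following is an added example, not ClearPass's own implementation; the `Session`, `DurationRule`, `usage_hours` and `post_auth_check` names are constructed here, and it assumes that a session running outside the window is disconnected as well.

```python
"""Model of the Session Duration restriction: a user or endpoint gets a daily
allowance of connected time inside a time window, and a Post-Auth-Check with
Action = Disconnect ends the session once the allowance is used up. This is an
added illustration, not ClearPass's own code. Assumption (not stated by the
guide): access outside the window is disconnected by the same rule."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Union

When = Union[str, datetime]   # ISO-8601 string or datetime


def _to_dt(value: When) -> datetime:
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


@dataclass(frozen=True)
class Session:
    username: str       # key the restriction is applied to (may be a client MAC)
    start: datetime
    end: datetime       # for a live session, pass the evaluation time as end

    @classmethod
    def from_iso(cls, username: str, start: str, end: str) -> "Session":
        return cls(username, _to_dt(start), _to_dt(end))


@dataclass(frozen=True)
class DurationRule:
    allowed: timedelta = timedelta(hours=3)   # daily allowance (three hours)
    window_start: time = time(9, 0)           # 9:00 a.m.
    window_end: time = time(17, 0)            # 5:00 p.m.


def time_in_window(session: Session, rule: DurationRule, day: date) -> timedelta:
    """Portion of the session that falls inside the rule's window on `day`."""
    lo = max(session.start, datetime.combine(day, rule.window_start))
    hi = min(session.end, datetime.combine(day, rule.window_end))
    return max(hi - lo, timedelta(0))   # sessions on other days contribute 0


def usage_hours(sessions: List[Session], username: str, now: When,
                rule: DurationRule = DurationRule()) -> float:
    """Hours the user has consumed inside today's window, summed over all sessions."""
    today = _to_dt(now).date()
    used = sum((time_in_window(s, rule, today) for s in sessions
                if s.username == username), timedelta(0))
    return used.total_seconds() / 3600


def post_auth_check(sessions: List[Session], username: str, now: When,
                    rule: DurationRule = DurationRule()) -> str:
    """Post-Auth-Check decision for the user's live session at `now`:
    'Allow' while allowance remains, otherwise 'Disconnect'.
    `sessions` should include the live session with end == now."""
    at = _to_dt(now)
    if not (rule.window_start <= at.time() < rule.window_end):
        return "Disconnect"   # assumption: no access outside the window
    hours = usage_hours(sessions, username, at, rule)
    return "Disconnect" if hours >= rule.allowed.total_seconds() / 3600 else "Allow"
```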
Table 221: SNMP Based Enforcement > Profile Tab Parameters (Continued) (Parameter: Description)
Action: Disabled.
Device Group List: Select a Device Group from the drop-down list. All configured device groups are listed in the Configuration > Network > Device Groups page. After you add one or more device group(s), you can select a group and take one of the following actions:
- To delete the selected Device Group List entry, click Remove.
- To see the device group parameters, click View Details.
Profile Configuration

The following figure displays the TACACS+ Based Enforcement > Profile tab:

Figure 411: TACACS+ Based Enforcement Profile Dialog

Specify the TACACS+ Based Enforcement Profile > Profile parameters as described in the following table:

Table 223: TACACS+ Based Enforcement > Profile Parameters (Parameter: Action/Description)
Template: Select the TACACS+ Based Enforcement template.
Name: Enter the name of the profile.
Services Configuration

The following figure displays the TACACS+ Based Enforcement > Services dialog:

Figure 412: TACACS+ Based Enforcement > Services Dialog

Specify the TACACS+ Based Enforcement Profile > Service parameters as described in the following table:

Table 224: TACACS+ Based Enforcement > Services Parameters (Parameter: Action/Description)
Privilege Level: Select a level between 0 and 15, with 0 being the minimum privilege level and 15 being the highest.
Table 224: TACACS+ Based Enforcement > Services Parameters (Continued) (Parameter: Action/Description)
Type: Select one of the following Service Attribute types:
- PPP:IP
- Shell
- cpass:HTTP
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.

VLAN Enforcement Profile

Use this page to configure the VLAN Enforcement profile.
Table 225: VLAN Enforcement > Profile Parameters (Continued) (Parameter: Description)
Action: To define the action taken on the request, click Accept, Reject, or Drop.
Device Group List: Select a Device Group from the drop-down list. All configured device groups are listed in the Configuration > Network > Device Groups page. After you add one or more device group(s), you can select a group and take one of the following actions:
- To delete the selected Device Group List entry, click Remove.
Chapter 8 Configuring Policy Simulation

This chapter describes the following types of simulations:
- Active Directory Authentication Simulation
- Application Authentication Simulation
- Audit Simulation
- Chained Simulation
- Enforcement Policy Simulation
- RADIUS Authentication Simulation
- Role Mapping Simulation
- Service Categorization Simulation

After creating the policies, use the Policy Simulation utility in the Configuration > Policy Simulation page to evaluate those policies before
This simulation tests authentication against an Active Directory domain or trusted domain to verify that the W-ClearPass Policy Manager domain membership is valid. The Attributes tab is not available for this simulation type.

Adding an Active Directory Simulation

To add the RADIUS authentication server for the authentication test:
1. Navigate to the Configuration > Policy Simulation > Add page. The Add Policy Simulation dialog appears.
2. Enter the Name of the simulation.
3.
Table 229: Active Directory Authentication Results Tab Parameters (Parameter: Description)
Summary: Displays the results of the Active Directory Authentication simulation.
Status: Displays the status message.

Application Authentication Simulation

This simulation tests authentication requests generated from W-ClearPass Guest.
Table 231: Application Authentication - Attributes Tab Parameters (Attribute: Parameter)
Type: Select Application or select Application:ClearPass. See Application Namespace on page 920.
Name: The options displayed for the Name Attribute depend on the Type Attribute that was selected.
Value: The options displayed for the Value Attribute depend on the Type Attribute and Name Attribute that were selected.
The following figure displays the Audit Simulation tab:

Figure 421: Audit Simulation - Simulation Tab

The following table describes the Audit Simulation - Simulation tab parameters:

Table 233: Audit Simulation Tab Parameters (Parameter: Description)
Audit Server: Select [Nessus Server] or [Nmap Audit].
Audit Host IP Address: Enter the host IP address of the audit host.
Chained Simulation

Given the service name, authentication source, user name, and an optional date and time, the chained simulation combines the results of role mapping, posture validation and enforcement policy simulations and displays the corresponding results.
Figure 424: Chained Simulation Attributes Tab

The following table describes the Chained Simulation Attributes - Results tab parameters:

Table 236: Chained Simulation Attributes tab Parameters (Attribute: Parameter)
Type: Select the type of attributes from the drop-down list.
Results Tab

The following figure displays the Chained Simulation - Results tab:

Figure 425: Chained Simulation Results Tab

Table 237: Chained Simulation Results Tab Parameters (Parameter: Description)
Summary: Provides the following information about the chained simulation:
- Status
- Roles
- System Posture Status
- Enforcement Profiles

Enforcement Policy Simulation

Given the service name (and the associated enforcement policy), a role or a set of roles, the system posture status, and an optional date and ti
Simulation Tab

The following figure displays the Enforcement Policy Simulation tab:

Figure 426: Enforcement Policy Simulation Tab

The following table describes the Enforcement Policy Simulation tab parameters:

Table 238: Enforcement Policy Simulation tab Parameters (Parameter: Description)
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Enforcement P
Table 238: Enforcement Policy Simulation tab Parameters (Continued) (Parameter: Description)
Values = [Local User Repository] or [Guest Device Repository] if you select Guest Operator Logins
Username: Enter username.
Roles
Enter the attributes of the policy component to be tested. The following figure displays the Enforcement Policy - Attributes tab:

Figure 427: Enforcement Policy Attributes Tab

Table 239: Enforcement Policy Attributes tab Parameters (Attribute: Description)
Type: Select the type of attributes from the drop-down list.
Table 240: Enforcement Policy Results Tab Parameters (Parameter: Description)
Deny Access: Displays the output of the Deny Access test.
Enforcement Profile: Displays the name of the Enforcement Profile.

RADIUS Authentication Simulation

This section provides the following information:
- Adding a RADIUS Authentication Simulation
- Setting the Attributes to Be Tested
- Viewing the Simulation Results

Dictionaries in the RADIUS namespace come prepackaged with the W-ClearPass Policy Manager.
Figure 429: RADIUS Authentication Simulation Details Dialog

4. Enter the values for each of the RADIUS Simulation parameters as described in Table 241.

Table 241: RADIUS Simulation Tab Parameters (Parameter: Action/Description)
Server: 1. Specify Local or Remote.
CPPM IP Address or FQDN: This field is displayed only if Remote Server is selected. 2. Enter the IP address or the fully qualified domain name (FQDN) of the remote W-ClearPass Policy Manager server.
Table 241: RADIUS Simulation Tab Parameters (Continued) (Parameter: Action/Description)
- TTLS: Authentication inner method field: enabled. Select one of the following TTLS Authentication inner methods:
  - PAP
  - CHAP
  - MSCHAPv2
  - EAP-MSCHAPv2
  - EAP-GTC
  - EAP-TLS
- TLS
Client MAC Address (optional): 7. Enter the client MAC address of the network device to populate the NAS-IP address attribute in the RADIUS request.
Username: 8. Enter the user name.
Figure 430: Specifying Policy Simulation Attributes

3. Select the attribute Name.
4. Select the attribute Value.
5. Repeat these steps for each additional attribute you wish to add.
6. Click Save, or click Next to proceed to the Results tab.

NAS Type: Aruba Wireless Controller

Figure 431: Aruba Wireless Controller Type - Attributes

Table 242: Dell Wireless Controller Required - Attribute Settings
Line 1:
- Type = Radius:IETF
- Name = NAS-Port-Type
- Value = Wireless-802.
NAS Type: Aruba Wired Switch Controller

Figure 432: NAS Type: Aruba Wired Switch Controller Attributes Tab

Table 243: NAS Type: Aruba Wired Switch Controller - Required Attribute Settings
Line 1:
- Type = Radius:IETF
- Name = NAS-Port-Type
- Value = Ethernet (15)
Line 2:
- Type = Radius:IETF
- Name = Service-Type
- Value = Login-User (1)

NAS Type: Cisco Wireless Switch

Figure 433: NAS Type: Cisco Wireless Switch Attributes

Table 244: NAS Type: Cisco Wireless Switch Required Attribute Settings At
Figure 434: Results Tab

Table 245: RADIUS Authentication Results Tab Parameters (Parameter: Description)
Summary: Displays a summary of the simulation.
Authentication Result: Displays the outcome of the Authentication test.
Details: Click this link to open a dialog that provides details about the Authentication test. You can take the following actions:
- Click the Summary, Input, or Output tabs.
- Click the Change Status, Show Logs, Export, or Close buttons.
Figure 435: Role Mapping Simulation Tab

Table 246: Role Mapping Simulation Tab Parameters (Parameter: Description)
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Role Mapping Policy: Field is disabled if you select:
- [Policy Manager Admin Network Login Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
Field is auto-filled with [Air
Enter the attributes of the policy component to be tested. The following figure displays the Role Mapping Simulation Attributes tab:

Figure 436: Role Mapping Simulation Attributes Tab

The following table describes the Role Mapping Simulation Attributes tab parameters:

Table 247: Role Mapping Simulation Attributes Tab Parameters (Attribute: Parameter)
Type: Select the type of attributes from the drop-down list.
The following table describes the Role Mapping Simulation - Results tab parameters:

Table 248: Role Mapping Results Tab Parameters (Parameter: Description)
Summary: Displays the results of the simulation.

Service Categorization Simulation

A service categorization simulation allows you to specify a set of attributes in the RADIUS or Connection namespace and test which configured service the request will be categorized into.
Table 250: Service Categorization Simulation Attributes Tab Parameters (Attribute: Parameter)
Type: Select the type of attributes from the drop-down list.
Import and Export Simulations

Navigate to Configuration > Policy Simulation and select the Import link. The following figure shows an example of the Import from file page.

Figure 441: Import Simulations

Table 252: Import from file page Parameters (Parameter: Description)
Select file: Browse to select the name of the simulations file to import.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Chapter 9 W-ClearPass Policy Manager Profile

This chapter contains the following information:
- W-ClearPass Profile Overview
- About the Device Profile
- Endpoint Information Collectors

W-ClearPass Profile Overview

This section contains the following information:
- Introduction
- Enabling Endpoint Classification
- Configuring CoA for an Endpoint-Connected Device
- How W-ClearPass Profile Classifies Endpoints
- Fingerprint Dictionaries
- Viewing Live Endpoint Information for a Specific Devi
Figure 443: Enable Profile Option

3. If it is not already enabled, select the Enable this server for endpoint classification check box, then click Save.

Configuring CoA for an Endpoint-Connected Device

After profiling an endpoint, use the Profiler page to configure Change of Authorization (CoA) on the network device to which an endpoint is connected. The Profiler tab is not displayed by default. To access the Profiler tab:
1. Navigate to Configuration > Services, then click Add.
2.
Figure 445: Profiler Page

5. You can select a set of categories and a CoA profile to be applied when the profile matches one of the selected categories. CoA is triggered using the selected CoA profile. You can use any option from Endpoint Classification to invoke CoA on a change of any one of the fields (category, family, and name). Table 254 describes the Profiler page parameters:

Table 254: Profiler Page Parameters (Parameter: Action/Description)
Endpoint Classification: 1.
d. DHCP
e. MAC OUI

Stage 2: Refining Results

W-ClearPass Policy Manager includes a set of rules that evaluates a device profile. The Rules engine uses all input attributes and device profiles from Stage 1. The resulting rule evaluation may or may not result in a profile. Stage 2 refines the results of profiling.

Example: With DHCP options, Stage 1 can identify an Android device. Stage 2 uses rules to combine this with the MAC OUI to further classify an Android device as Samsung Android or HTC Android.
Figure 447: Device Fingerprint Dictionary Attributes Page

3. To exit, click Close.

Viewing Live Endpoint Information for a Specific Device

The W-ClearPass Live Monitoring feature allows you to view endpoint information in graphic format for the device category, device family, and device name items you selected. You can also examine the endpoint details and attributes of a specific device. To access the Endpoint Profiler Live Monitoring information:
1.
  - Using the Policy Manager Dashboard on page 26

About the Device Profile

A device profile is a hierarchical model consisting of three elements that are derived from the endpoint attributes: DeviceCategory, DeviceFamily, and DeviceName.

Table 255: Elements of a Device Profile (Endpoint Attribute: Description)
DeviceCategory: Denotes the type of the device, for example, Computer, Smart Device, Printer, or Access Point.
DeviceFamily: Classifies devices based on the type of operating system or vendor.
DHCP Collector

Dynamic Host Configuration Protocol (DHCP) attributes such as option 55 (parameter request list), option 60 (vendor class), and the options list from the Discover and Request packets can uniquely fingerprint most devices that use the DHCP mechanism to acquire an IP address on the network. You can configure switches and controllers to forward DHCP Discover, Request, and Inform packets to W-ClearPass.
MAC OUI Collector

The MAC OUI (Organization Unique Identifier) is expressed in the first 24 bits of a MAC address for a network-connected device. Thus, the MAC OUI indicates the specific vendor for that device. The MAC OUI is acquired through various authentication mechanisms, such as 802.1X and MAC address authentication. The MAC OUI can be useful to more accurately classify endpoints.
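The two-stage classification described under Stage 2 (a DHCP fingerprint identifying an Android device, refined by the MAC OUI into Samsung Android or HTC Android), the DeviceCategory / DeviceFamily / DeviceName hierarchy, and the DHCP and MAC OUI collectors above are shown together in the following added example. It is not ClearPass's dictionary or rule engine; the fingerprints, OUIs, rules and the `classify` and `parse_oui` names are constructed for illustration.

```python
"""Two-stage endpoint classification in the shape W-ClearPass Profile describes:
Stage 1 matches the DHCP fingerprint (option 55 parameter request list and
option 60 vendor class) and the MAC OUI against dictionaries; Stage 2 applies
rules that combine those results into a refined DeviceCategory / DeviceFamily /
DeviceName. Every fingerprint, OUI and rule here is constructed for the example;
it is not ClearPass's dictionary or rule engine."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DeviceProfile:
    category: str   # DeviceCategory, e.g. Computer or Smart Device
    family: str     # DeviceFamily, e.g. Windows or Android
    name: str       # DeviceName, the most specific element


# Stage 1 DHCP dictionary: (option 55 list in request order, option 60 string).
# Sample values constructed for this example.
DHCP_FINGERPRINTS: Dict[Tuple[Tuple[int, ...], str], DeviceProfile] = {
    ((1, 3, 6, 15, 26, 28, 51, 58, 59, 43), "android-dhcp-10"):
        DeviceProfile("Smart Device", "Android", "Android"),
    ((1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43), "MSFT 5.0"):
        DeviceProfile("Computer", "Windows", "Windows"),
}

# Stage 1 MAC OUI dictionary: first 24 bits of the MAC -> vendor (constructed).
OUI_VENDORS: Dict[str, str] = {"001122": "Samsung", "334455": "HTC", "667788": "Dell"}

# Stage 2 rules: (Stage 1 DeviceFamily, OUI vendor) -> refined profile.
REFINE_RULES: Dict[Tuple[str, str], DeviceProfile] = {
    ("Android", "Samsung"): DeviceProfile("Smart Device", "Android", "Samsung Android"),
    ("Android", "HTC"): DeviceProfile("Smart Device", "Android", "HTC Android"),
}


def parse_oui(mac: str) -> str:
    """Accept a MAC written with ':', '-', '.' or no separators; return the OUI
    (first 24 bits) as six upper-case hex digits."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6]


def stage1_dhcp(option55: Sequence[int], option60: str) -> Optional[DeviceProfile]:
    """DHCP collector: exact match on the fingerprint dictionary, else None."""
    return DHCP_FINGERPRINTS.get((tuple(option55), option60))


def stage1_oui(mac: str) -> Optional[str]:
    """MAC OUI collector: vendor lookup, or None for an unknown OUI."""
    return OUI_VENDORS.get(parse_oui(mac))


def classify(mac: str, option55: Optional[Sequence[int]] = None,
             option60: str = "") -> Optional[DeviceProfile]:
    """Run both stages. Returns the refined profile when a Stage 2 rule matches,
    the Stage 1 profile when none does, or None when the DHCP fingerprint is
    unknown (in this model a vendor alone does not yield a profile)."""
    base = stage1_dhcp(option55, option60) if option55 is not None else None
    if base is None:
        return None
    vendor = stage1_oui(mac)
    if vendor is None:
        return base
    return REFINE_RULES.get((base.family, vendor), base)
```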
Setting SNMP Community Attributes

The SNMP-based mechanism is capable of profiling devices only if they respond to SNMP, or if the device advertises its capability via LLDP (Link Layer Discovery Protocol). When performing SNMP reads for a device, W-ClearPass uses the SNMP Read credentials configured in the network devices, or defaults to using SNMPv2 with the "public" community string specified.

To specify SNMPv2 with community strings:
1. Navigate to Configuration > Network > Devices.
2.
Table 257: SNMP Read Settings Parameters (Continued) Parameter Action/Description Community String Enter the Community String value, then reenter the string to verify it. Force Read Enable the Force Read check box to ensure that all W-ClearPass nodes in the cluster will read the SNMP information from this device, regardless of the trap configuration on the device.
5. In the minutes field, enter the Device Info Poll Interval, then click Save. About the Subnet Scan Collector A network subnet scan discovers the IP addresses of devices in the network. The devices discovered in this way are further probed using SNMP to fingerprint and assign a profile to the device. Network subnets to be scanned are configured per Policy Manager Zone. This is particularly useful in deployments that are geographically distributed.
Figure 452: Scheduling a Subnet Scan 3. Configure the Schedule Subnet Scan parameters as described in the following table. When finished, click Add. Table 258: Schedule Subnet Scan Parameters Parameter Action/Description Policy Manager Zone Select the Policy Manager Zone. NOTE: If Policy Manager Zones have not yet been set up, you can select the default zone, which will allow you to proceed with the subnet scan configuration procedure. For details, see Managing Policy Manager Zones on page 541.
Initiating an On-Demand Subnet Scan In cases in which you wish to initiate a subnet scan without saving the configuration, you can run an On-Demand Subnet Scan. To run an On-Demand Subnet Scan: 1. Navigate to Configuration > Profile Settings. The Profile Settings page opens to the Subnet Scans tab. Figure 454: Initiating an On-Demand Subnet Scan 2. Click the On-Demand Subnet Scan link. The Initiate On-Demand Subnet Scan dialog opens. Figure 455: Initiate On-Demand Subnet Scan Dialog 3.
To configure SNMP for wired network profiling: 1. Navigate to Configuration > Profile Settings. 2. Click the SNMP Configuration tab. Figure 457: Profile Settings > SNMP Configuration Page 3. Click Add SNMP Configuration. The SNMP Configuration dialog opens. Figure 458: Configuring SNMP Community Strings 4.
Accessing SSH and WMI Configuration Information For information on configuring SSH and WMI credentials: l SSH credentials For Linux server or network device discovery, specify SSH configuration credentials. For more information, see SSH Credentials Configuration on page 156. l WMI credentials For Windows device discovery, specify WMI (Windows Management Instrumentation) credentials. For more information, see WMI Credentials Configuration on page 158.
Chapter 10 Network Access Devices This chapter describes the following tasks that you can perform by using the Policy Manager user interface: l Adding and Modifying Network Devices on page 464 l Adding and Modifying Device Groups on page 474 l Adding and Modifying Proxy Targets on page 473 l Configuring the Ingress Event Sources on page 732 Introduction A Policy Manager device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, T
l Configure DHCP Relay configuration on the network device to ensure that DHCP requests are forwarded from the clients. For more information, see DHCP Collector on page 453.
Figure 460: Network Devices Page 2. Click the Add link at the top-right corner. The Add Device page opens. Device Parameters Figure 461: Add Device > Device Dialog 3. Enter the Add Device > Device parameters as described in Table 260: Table 260: Add Device > Device Parameters Parameter Action/Description Name Enter the name of the device. IP Address or Subnet Specify the IP address or the subnet of the device. You can use a hyphen to indicate the range of device IP addresses following the format a.
Table 260: Add Device > Device Parameters (Continued) Parameter Action/Description TACACS+ Shared Secret Enter the TACACS+ shared secret. Vendor Name Specify the name of the vendor to load the dictionary associated with this vendor for this device. This field is optional. NOTE: RADIUS:IETF, the dictionary containing the standard set of RADIUS attributes, is always loaded. When you specify a vendor here, the RADIUS dictionary associated with this vendor is automatically enabled.
Table 261: Add Device > SNMP Read Settings Parameters Parameter Action/Description Allow SNMP Read Toggle to enable or disable SNMP Read operations. Policy Manager Zone You can assign Network Access Devices to a zone, allowing the SNMP service to poll or query only the NADs that are in its zone. l From the Policy Manager Zone drop-down, select the zone assigned to the network device that is being added. OnConnect Enforcement is triggered when a trap from a NAD is received by a W-ClearPass node.
Table 261: Add Device > SNMP Read Settings Parameters (Continued) Parameter Action/Description Authentication Key Specify the SNMP v3 authentication option (SHA or MD5). NOTE: The MD5 authentication type is not supported if you run W-ClearPass Policy Manager in FIPS mode. NOTE: Authentication Key is available in SNMP v3 only. Privacy Key Specify the SNMP v3 privacy option. NOTE: Available in SNMP v3 only.
Table 262: Add Device > SNMP Write Settings Parameters (Continued) Parameter Action/Description SNMP v3 with no Authentication n SNMP v3 with Authentication using MD5 and no Privacy n SNMP v3 with Authentication using MD5 and with Privacy n SNMP v3 with Authentication using SHA and no Privacy n SNMP v3 with Authentication using SHA and with Privacy NOTE: The MD5 authentication type is not supported if you use W-ClearPass Policy Manager in FIPS mode.
Table 263: Add Device > CLI Parameters Parameter Action/Description Allow CLI Access Toggle to enable or disable CLI access. Access Type Select SSH or Telnet. Policy Manager uses the selected access method to log into the device CLI. NOTE: Telnet transmits the CLI username and password in cleartext; select SSH wherever the device supports it. Port Specify the SSH or Telnet TCP port number. Username Enter the username to log into the CLI. Password Enter the password to log into the CLI. Username Prompt Regex Specify the regular expression for the username prompt.
Figure 465: Add Device > OnConnect Enforcement Dialog 2. Enter the OnConnect Enforcement parameters as described in Table 264. Table 264: Add Device > OnConnect Enforcement Parameters Parameter Action/Description Enable Select this check box to enable W-ClearPass OnConnect on the network access device being added. Port Names Specify the names and descriptions of the ports to be enabled for OnConnect Enforcement (see the next section for details). You can do so in two ways: l Click Query Ports.
The list of ports are displayed, as shown in Figure 466. Figure 466: Querying Ports 6. Select the ports to use, then click Add to Port Names. The selected port names are added to the Port Names list. Only the ports added in the Port Names field will have OnConnect Enforcement enabled. 7. Click Save. Attributes Parameters To add custom attributes for this device: 1. From the Add Device page, select the Attributes tab. The Attributes dialog opens: Figure 467: Adding Custom Device Attributes 2.
n Controller ID n Device Type n Device Vendor n Location n OS Version n sysContact n sysLocation n sysName 3. Select one of the default attributes or enter a new attribute. You can enter any name in the Attribute field. All attributes are of string datatype. 4. Specify the attribute's value. You can populate the Value field with any string. 5. Repeat this procedure as necessary. 6. When finished adding custom attributes, click Add.
Figure 468: Add Proxy Target Dialog 3. Specify the Add Proxy Target parameters as described in the following table, then click Save: Table 265: Add Proxy Target Parameters Parameter Action/Description Name Enter the name of the proxy target. Description Enter the description that provides additional information about the proxy target. Hostname Specify the RADIUS hostname. Shared Secret / Verify Shared Secret Enter the shared secret, then verify it.
Policy Manager lists all configured device groups in the Device Groups page (Configuration > Network > Device Groups). The following figure displays the Network Device Groups page: Figure 469: Device Groups Page To add a device group, click Add at the top-right corner of the Network Device Groups page. Complete the fields in the Add New Device Group page as described in the following figure: Figure 470: Add New Device Group Page
The following table describes the Add New Device Group page parameters: Table 266: Add New Device Group Page Parameter Description Name Enter the name of the device group. Description Enter the description that provides additional information about the device group. Format Select the format: Subnet, Regular Expression, or List. Subnet Enter a subnet consisting of network address and the network suffix (CIDR notation). For example, 192.168.5.0/24.
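The Format field decides which network access devices a group actually captures, and the three formats behave quite differently at the edges. The following added example (this editor's code, not ClearPass's) evaluates a NAD IP address against groups in each format. The matching semantics are assumptions made for the example: Subnet is CIDR containment, Regular Expression is an unanchored search (the behaviour of most regex engines unless the pattern is anchored), and List is a comma-separated set of IP addresses. The groups and addresses are constructed. The point it illustrates is the regex pitfall: an unanchored pattern meant for 192.168.5.0/24 also admits 192.168.50.0/24 through 192.168.59.0/24, which silently widens an enforcement policy keyed on the group.

```python
"""Added example, not ClearPass code: evaluate whether a NAD IP address falls
into a device group for each of the three Format options (Subnet, Regular
Expression, List). Matching semantics and sample data are this example's
assumptions, constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DeviceGroup:
    name: str
    fmt: str    # "Subnet" | "Regular Expression" | "List"
    value: str  # the field contents, as typed into the Add New Device Group page


def group_matches(group: DeviceGroup, nad_ip: str) -> bool:
    """True if the NAD address is a member of the group under its format."""
    ip = ipaddress.ip_address(nad_ip)
    if group.fmt == "Subnet":
        # strict=False tolerates a host address typed with a prefix, e.g. 192.168.5.1/24
        return ip in ipaddress.ip_network(group.value, strict=False)
    if group.fmt == "Regular Expression":
        # Assumed unanchored search: the pattern must carry its own ^ and $ to be exact.
        return re.search(group.value, nad_ip) is not None
    if group.fmt == "List":
        return any(ip == ipaddress.ip_address(item.strip())
                   for item in group.value.split(",") if item.strip())
    raise ValueError(f"unknown device group format: {group.fmt!r}")


def groups_for(nad_ip: str, groups: List[DeviceGroup]) -> List[str]:
    """Names of every group the NAD belongs to, in configuration order."""
    return [g.name for g in groups if group_matches(g, nad_ip)]


# Constructed sample groups. "loose-regex" is the mistake: it was meant to
# cover 192.168.5.0/24 but also matches 192.168.50.x ... 192.168.59.x.
GROUPS = [
    DeviceGroup("branch-switches", "Subnet", "192.168.5.0/24"),
    DeviceGroup("loose-regex", "Regular Expression", r"192\.168\.5"),
    DeviceGroup("strict-regex", "Regular Expression", r"^192\.168\.5\.\d{1,3}$"),
    DeviceGroup("core-wlc", "List", "10.0.0.10, 10.0.0.11"),
]

if __name__ == "__main__":
    for ip in ("192.168.5.20", "192.168.50.20", "10.0.0.11"):
        print(ip, "->", groups_for(ip, GROUPS))
```

When a device group is used as a condition in an enforcement or service rule, run the group definitions against addresses just outside the intended range (the next octet value, a longer address) before saving; the Subnet format cannot over-match in this way, so prefer it whenever the devices really are one prefix.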
Table 267: Configuring the Event Source Parameters Parameter Action/Description Name 1. Enter the IP address of the device that will send Syslog events to W-ClearPass. Description Optionally, enter a description of this Event Source. IP Address 2. Enter the IP address of the device that will send Syslog events to W-ClearPass. Type 3. From the drop-down, select the Event Source Type. Vendor 4. From the drop-down, select the Event Source Vendor. Enable 5.
Chapter 11 Administration You can access all W-ClearPass administrative activities, including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance from the following Administration sections: l W-ClearPass Portal n W-ClearPass Guest Portal on page 480 l Services l Users and Privileges n Managing Admin Users on page 481 n Managing Admin Privileges on page 486 l Server Manager n
l OnGuard n Accessing the OnGuard Support Charts on page 739 n Upgrading From OnGuard Plugin Version 1.0 to 2.
2. Specify the W-ClearPass Guest Portal parameters as described in the following table, then click Save: Table 268: W-ClearPass Guest Portal Parameters Parameter Action/Description Select Option Select the page that the user first sees after logging in to W-ClearPass: n Default Landing Page n Application Login Page: n Guest Portal Page Title Click and enter the text to appear as the page title in the default landing page.
Figure 474: Admin Users Page In this page, you can view the administrator details such as user ID, user name, and privilege level. You can also change the admin password, and add, import, export, and set password policies for the admin users by using the links provided at the top-right corner of this page. 2. Select the Admin user you want to modify. The Edit Admin User dialog opens. Figure 475: Changing the Administration Password 3. Change the administration password, then click Save.
3. Specify the Add Admin User parameters as described in the following table, then click Save: Table 269: Adding an Admin User Parameters Parameter Action/Description User ID 1. Specify a user ID for this administrator. Name 2. Specify the name for the admin user. Password/ Verify Password 3. Specify a password for the local user, then verify the password. Enable User 4. You must enable this check box to enable the admin user account (it is enabled by default).
Figure 477: Admin Users > Setting Password Policy 3. Specify the Password Policy parameters as described in Table 270, then click Save: Table 270: Password Policy Parameters Parameter Action/Description Minimum Length 1. Specify the minimum length required for the password. Complexity 2. Select the complexity setting from the Complexity drop-down list.
Password Policy settings are effective only for the users created or modified after the changes are saved; existing passwords are not retroactively checked. Disabling Admin User Accounts The Admin user account can be disabled in two ways: l When the Admin user tries to log in with an invalid password for a configured number of times, defined by the Failed attempts count parameter, the Admin user account is locked.
Table 271: Admin Users > Disable Accounts Parameters Parameter Action/Description Failed attempts count 1. Specify the number of failed log-in attempts that are allowed before the account is disabled. The range is from 1 to 100 attempts. Reset failed attempts count 2. To reset the failed attempts count to zero and re-enable those admin users who were disabled after exceeding the failed attempts count, click Reset.
Figure 479: Admin Privileges Page 2. Click the Add link. The Add Admin Privileges dialog opens. Figure 480: Add Admin Privileges Page: Basic Information Tab 3. Specify the parameters in the Basic Information tab as described in Table 272. Table 272: Add Admin Privileges Parameters: Basic Information Tab Parameter Action/Description Name 1. Enter a name for this set of admin privileges. Description 2. Provide a description of this new set of admin privileges. Access Type 3.
Configuring Policy Manager Admin Privileges To configure the Policy Manager admin privileges: 1. Select the Policy Manager tab. The following dialog opens: Figure 481: Specifying Policy Manager Admin Privileges 2. Specify the admin privileges for each of the W-ClearPass components, then click Save. Configuring Insight Admin Privileges To configure the Insight admin privileges: 1. Select the Insight tab. The following dialog opens: Figure 482: Specifying Insight Admin Privileges 2.
Creating Custom Administrator Privileges To create a custom admin privilege XML file, you must use a plain text or XML editor. Do not use word processing applications such as Microsoft Word, which introduce tags and corrupt the XML file. To create a custom administrator privilege: 1. Create an XML file that defines a privilege. 2. Store the new file. 3. Navigate to Administration > Users and Privileges > Admin Privileges. 4. Click Import Admin Privileges. 5.
The users have access to the elements based on the permissions set for each task or element. By default, any permission provided for a task is applicable for all its sub-tasks. For example, if you give RW (read-write) permissions for the task, Enforcements (con.en), it is automatically applied to its subtasks, Policies (con.en.epo) and Profiles (con.en.epr). Hence, you need not explicitly define the same permission for those subtasks.
Table 273: Administrator Privileges and Task IDs (Continued) Area (W-ClearPass Policy Manager Menu) l l l Task ID n Single Sign-On con.id.sso n Local Users con.id.lu n Endpoints con.id.ep n Static Host Lists con.id.sh n Roles con.id.rs n Role Mappings con.id.rm Posture con.pv n Posture Policies con.pv.in n Posture Servers con.pv.ex n Audit Servers con.pv.au Enforcements con.en n Policies con.en.epo n Profiles con.en.epr Network con.nw n Devices con.nw.
Table 273: Administrator Privileges and Task IDs (Continued) Area (W-ClearPass Policy Manager Menu) l l l l Task ID n Server Configuration adm.mg.sc n Log Configuration adm.mg.ls n Local Shared Folders adm.mg.sf n Licensing adm.mg.li External Servers adm.xs n SNMP Trap Receivers adm.xs.st n Syslog Targets adm.xs.es n Syslog Export Filters adm.xs.sx n Messaging Setup adm.xs.me n Endpoint Context Servers adm.xs.cs n Context Server Actions adm.di.csa Certificates adm.
Table 273: Administrator Privileges and Task IDs (Continued) Area (W-ClearPass Policy Manager Menu) l Support Task ID adm.su n Contact Support adm.su.cs n Remote Assistance adm.su.ra n Documentation adm.su.
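The inheritance rule stated above (a permission on a task applies to all of its sub-tasks) is easy to misjudge when reviewing a custom privilege set, because a single RW on a parent grants write access to every child listed in Table 273. The following added example, this editor's code and not ClearPass's, resolves the effective permission of any task ID by walking its dotted prefix chain. The permission labels RW / RO / NONE, and the assumption that an explicit entry on a sub-task overrides its parent, are this example's own; the task IDs are taken from Table 273. It does not reproduce the privilege XML format, which is not shown on this page.

```python
"""Added example, not ClearPass code: resolve effective admin permissions under
the rule that a permission granted on a task (con.en) applies to its sub-tasks
(con.en.epo, con.en.epr). Labels RW/RO/NONE and the override-by-more-specific
rule are assumptions of this example; task IDs come from Table 273."""
from typing import Dict, Iterable, List

Permission = str   # "RW" (read-write), "RO" (read-only) or "NONE"

# A subset of Table 273, used as the universe of tasks to review.
TASKS = [
    "con.id.lu", "con.id.ep", "con.id.sh",
    "con.en", "con.en.epo", "con.en.epr",
    "adm.mg.sc", "adm.mg.ls", "adm.mg.li",
    "adm.xs", "adm.xs.st", "adm.xs.es",
]


def effective_permission(assigned: Dict[str, Permission], task_id: str) -> Permission:
    """Walk from the task ID to its ancestors (a.b.c -> a.b -> a) and return the
    most specific explicit assignment; NONE if nothing on the chain is assigned."""
    parts = task_id.split(".")
    for depth in range(len(parts), 0, -1):
        prefix = ".".join(parts[:depth])
        if prefix in assigned:
            return assigned[prefix]
    return "NONE"


def expand(assigned: Dict[str, Permission], tasks: Iterable[str]) -> Dict[str, Permission]:
    """Materialise the effective permission for every task, inherited ones included."""
    return {task: effective_permission(assigned, task) for task in tasks}


def writable_tasks(assigned: Dict[str, Permission], tasks: Iterable[str]) -> List[str]:
    """Least-privilege review aid: every task the privilege set can modify,
    including tasks reached only through inheritance from a parent."""
    return [task for task in tasks if effective_permission(assigned, task) == "RW"]


# Constructed privilege set: read-write on Enforcements, but Profiles pinned to
# read-only; read-only on Server Configuration and on all External Servers.
ASSIGNED: Dict[str, Permission] = {
    "con.en": "RW",
    "con.en.epr": "RO",
    "adm.mg.sc": "RO",
    "adm.xs": "RO",
}

if __name__ == "__main__":
    for task, perm in expand(ASSIGNED, TASKS).items():
        print(f"{task:12} {perm}")
    print("writable:", writable_tasks(ASSIGNED, TASKS))
```

Running the review against an imported privilege file before assigning it to an administrator catches the common error of granting RW on an area (con, adm) when only one sub-task was meant.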
//Refers to Endpoints Section Read/Write Permissions
The following sample provides Read/Write permissions to Dashboard/Monitoring and Read-Only permissions to Server Configuration:

You can perform numerous server configuration tasks by navigating to Administration > Server Manager > Server Configuration page in W-ClearPass Policy Manager. Figure 483: Server Configuration Page Editing Server Configuration Settings This section provides the following information: l Cluster-Related Options l Modifying W-ClearPass Server Settings l Configuration Tasks for Disabled Nodes in a Cluster To modify the configuration settings of a W-ClearPass server: 1.
Figure 485: Server Configuration Page for the Selected Server Cluster-Related Options For details on the cluster-related options, see Server Configuration Cluster Options on page 537.
Synchronizing the Cluster Password Use the Synchronize Cluster Password link to synchronize the password of the selected node with cluster. Synchronizing the cluster password will change the appadmin password for all the nodes in the cluster.
Figure 489: Server Configuration > Join Server Back to Cluster Link 2. Click the Join server back to cluster link at the top-right corner. A warning message appears with a prompt to promote the node to Publisher. This option can only be triggered from a node that is currently active in the cluster. The following figure displays the warning message: Figure 490: Join Server Back to Cluster Confirmation Dialog 3. Click Yes. A progress indicator shows the progress of the operation.
4. For a failed Publisher node, the following message will be displayed in the Dashboard page: Figure 492: Publisher Warning Message System Page The Server Configuration page opens onto the System page (see Figure 493). Figure 493: Server Configuration > System Page 1. Specify the Server Configuration > System page parameters as described in the following table, then click Save: Table 274: Server Configuration > System Page Parameters Parameter Action/Description Hostname 1.
Table 274: Server Configuration > System Page Parameters (Continued) Parameter Action/Description Enable Performance Monitoring 5. To enable the W-ClearPass Policy Manager server to perform performance monitoring, select the Enable Performance Monitoring check box. Insight Setting 6. To enable the Insight reporting tool on this node, select the Enable Insight check box.
Table 274: Server Configuration > System Page Parameters (Continued) Parameter Action/Description This field is optional. Enable TCP/ARP Fingerprinting 13. To enable TCP/ARP fingerprinting, select the Enable TCP/ARP Fingerprinting check box. This feature allows the Netbridge service to capture TCP and ARP packets and post the derived inputs to the Device Profiler. NOTE: This option appears only when you specify a Span Port. Management Port 14.
Data/External Port Configuration To configure the W-ClearPass server's Data/External port: 1. From the Server Configuration > System > Data/External Port section, click Configure. The Configure Data/External Port dialog opens. Figure 495: Configure Data/External Port Dialog 2. Select IP Version: Select the IP version—IPv4 or IPv6. 3. IP Address: Specify the IP address (IPv4 or IPv6) of the W-ClearPass server's data interface. 4. Subnet Mask: Specify the data interface subnet mask for an IPv4 address.
4. Tertiary: Optionally, in the rare event of both the primary and secondary DNS servers going down, you can configure a tertiary DNS server. 5. Click Update. Join AD Domain Configuration To join the selected W-ClearPass server to an Active Directory domain: 1. From the Server Configuration page > System tab > AD Domains, click Join AD Domain. The Join AD Domain dialog opens. Figure 497: Join AD Domain Dialog 2.
Table 275: Characters Allowed and Not Allowed for Active Directory Username and Password
Username
Characters allowed: ~ ! @ # $ % ^ * _ - + = { } , . \ ' " ? /
Not allowed: ` & ( )
Password
Characters allowed: ! @ # $ % ^ & * ( ) _ - + = { } < , > . ? /
Not allowed: ~ ` [ ] \ | ; : ' "
The Join AD Domain status screen opens. The screen displays the message "Adding host to AD domain," and the screen displays status during the joining process. When the joining process completes successfully, you see the message "Added host to the domain." 4. Click Close.
The following figure displays the Join AD Domain dialog: Figure 498: Join AD Domain Dialog Specify the Join AD Domain parameters as described in the following table. Table 276: Join AD Domain Parameters Parameter Action/Description Domain Controller Enter the fully qualified name of the Active Directory domain controller. NETBIOS name (optional) Enter the NetBIOS name of the domain. Enter this value only if this is different from your regular Active Directory domain name.
Table 276: Join AD Domain Parameters (Continued) Parameter Action/Description Use default domain admin user Check this box to use the Administrator user name to join the domain. Username Enter the user ID of the domain administrator account. This field is disabled if the Use default domain admin user check box is selected. Password Enter the password of the domain administrator account. NOTE: The account is used only for the join operation; an account delegated the right to create computer objects in the target OU is sufficient and preferable to a Domain Admins member.
Figure 500: Active Directory Password Server Added Services Control Page From the Services Control page, you can: l View the status of all the services: Running or Stopped. l Stop or start Policy Manager services, including any Active Directory domains that the server joins. The following figure displays the Services Control page: Figure 501: Services Control Page
Service Parameters Page Navigate to the Administration > Server Manager > Server Configuration > Service Parameters page to change system parameters of the services listed below.
Enter the Service Parameters > Async Network Services parameters as described in Table 277. Table 277: Service Parameters > Async Network Services Parameter Action/Description Ingress Event Batch Processing Interval Specify the batch processing interval for ingress event processing. The default interval is 30 seconds. The range of values is 10 to 300 seconds. NOTE: For changes to the Batch Processing Interval to take effect, you must restart the Async Network service.
3. From the Select Service drop-down, select W-ClearPass IPsec service. The following dialog opens: Figure 504: W-ClearPass IPsec Service Dialog 4. Specify the Service Parameters > W-ClearPass IPsec Service parameters as described in Table 278, then click Save.
The following figure displays the Service Parameters tab > W-ClearPass Network Services parameters (partial view): Figure 505: Service Parameters > W-ClearPass Network Services The following figure displays the Service Parameters tab > W-ClearPass Network Services parameters in FIPS mode: Figure 506: Service Parameters > W-ClearPass Network Services in FIPS Mode
Specify the W-ClearPass Network Services parameters as described in the following table: Table 279: Service Parameters > W-ClearPass Network Services Service Parameters Action/Description SnmpService SNMP Timeout Specify the seconds to wait for an SNMP response from the network device. SNMP Retries Specify the number of retries for SNMP requests. LinkUp Timeout Specify the seconds to wait before processing link-up traps.
Table 279: Service Parameters > W-ClearPass Network Services (Continued) Service Parameters Action/Description OCSP Check Specify one of the following options for initiating an Online Certificate Status Protocol (OCSP) check: l None (the default setting) l Optional l Required WebAuthService Max time to determine network device where client is connected Specifies the maximum time to wait for Policy Manager to determine the network device to which the client is connected.
The following figure displays the Service Parameters > W-ClearPass System Services parameters (partial view): Figure 507: W-ClearPass System Services Parameters Specify the Service Parameters > W-ClearPass System Services parameters as described in the following table. Table 280: Service Parameters > W-ClearPass System Services Service Parameter Action/Description PHP System Configuration Memory Limit Specify the maximum memory that can be used by the PHP applications.
Table 280: Service Parameters > W-ClearPass System Services (Continued) Service Parameter Action/Description Port Specify the port at which the proxy server listens for HTTP traffic. Username Specify the user name to authenticate with the proxy server. Password Specify the password to authenticate with the proxy server. Database Configuration Maximum connections Specify a number between 300 and 2000 for a maximum number of allowed connections.
Table 280: Service Parameters > W-ClearPass System Services (Continued) Service Parameter Action/Description Maximum Requests Specify a number between 0 and 3000 for the maximum number of requests allowed. The default value is 500. Enable Host Header check Specify whether to enable the host header check. The default value is TRUE. l When you set this value to TRUE, the Host Header Restriction check is enabled and only the allowed or whitelisted host headers are allowed.
Policy Server Options The following figure displays the Service Parameters > Policy Server dialog: Figure 509: Policy Server Service Parameters Specify the Service Parameters > Policy Server parameters. Table 281: Service Parameters > Policy Server Service Service Parameter Action/Description Machine Authentication Cache Timeout 1. Specify the time (in hours) for which machine authentication entries are cached by W-ClearPass Policy Manager. The default is 24 hours.
RADIUS Server Options The following figure displays the Service Parameters tab > RADIUS Server parameters (partial list): Figure 510: RADIUS Server Parameters Dialog Specify the Service Parameters > RADIUS server parameters as described in the following table: Table 282: Service Parameters > RADIUS Server Service Service Parameter Action/Description EAP-FAST Master Key Expire Time Specify the lifetime of a generated EAP-FAST master key.
Table 282: Service Parameters > RADIUS Server Service (Continued) Service Parameter Action/Description Accounting Log Accounting Interim-Update Packets To store the Interim-Update packets in session logs, select TRUE. FALSE is the default setting. Thread Pool Maximum Number of Threads Specify the maximum number of threads in the RADIUS server thread pool to process requests. Number of Initial Threads Specify the initial number of threads in the RADIUS server thread pool to process requests.
Table 282: Service Parameters > RADIUS Server Service (Continued) Service Parameter Action/Description Accounting Port Specify the ports on which the RADIUS server listens for accounting requests. The default values are 1646 and 1813. NOTE: You can configure the Accounting Port to different values if desired. Maximum Request Time Specify the maximum time (in seconds) allowed for processing a request after which it is considered timed out. The default is 30 seconds.
Table 282: Service Parameters > RADIUS Server Service (Continued) Service Parameter Action/Description (continued from the previous row) To check the certificates in the chain against Certificate Revocation Lists (CRLs), select TRUE; otherwise, select FALSE. ECDH Curve Select one of the following ECDH (Elliptic Curve Diffie-Hellman) curve options from the drop-down list: l X9.62/SECG curve over a 256-bit prime field (prime256v1, NIST P-256) l NIST/SECG curve over a 384-bit prime field (secp384r1, NIST P-384) Disable TLS 1.2 To disable Transport Layer Security 1.2 (TLS 1.2), select TRUE. Leave this FALSE unless a specific client incompatibility requires it, because disabling it forces TLS-based EAP methods onto older protocol versions.
The following table describes the Service Parameters tab > Stats Collection Service parameter: Table 283: Service Parameters > Stats Collection Service Service Parameter Enable Stats Collection Action/Description Enable or disable statistics collection and aggregation. The Statistics Collection Service is enabled by default (TRUE). If this is not enabled, statistics collection and aggregation services will not run on the node.
TACACS Server Options The Service Parameters >TACACS Server dialog provides two parameters: l TACACS+ Profiles Cache Timeout l TACACS+ HTTP Thread Pool Size Figure 513: Service Parameters > TACACS+ Server Dialog Specify the Service Parameters > TACACS server parameters as described in the following table: Table 285: Service Parameters > TACACS Server Service Parameter Action/Description TACACS+ Profiles Cache Timeout Specify the time (in seconds) for which TACACS+ profile result entries are cached b
Figure 514: System Monitoring Configuration Dialog 4. Specify the System Monitoring configuration parameters as described in the following table: Table 286: System Monitoring Parameters Parameter Action/Description System Location Specify the location of the W-ClearPass Policy Manager appliance. System Contact Specify the contact information of the W-ClearPass Policy Manager appliance. Engine ID A unique identifier for the SNMP v3 agent.
Table 286: System Monitoring Parameters (Continued) Parameter Action/Description Authentication key V3 only: Enter and reenter the authentication key. This field is available only if you selected V3 as the SNMP version in the Version field. Privacy Protocol V3 only: Select the privacy protocol from DES or AES. DES is deprecated; select AES unless the monitoring station cannot support it. Privacy Key V3 only: Enter the privacy key.
The Server Configuration > Network page opens. 4. From the Application Access Control option, click Restrict Access. The Restrict Access dialog opens. Figure 516: Restrict Access Configuration Dialog 5.
1. Navigate to Administration > Server Manager > Server Configuration. The Server Configuration page opens. 2. Select the W-ClearPass server for which passwordless SSH is needed. The Server Configuration dialog for the selected server opens. 3. Select the Network tab. The Server Configuration >Network page opens. 4. From the SSH Public Keys option, click Add Public Key. The Add Public Key configuration page opens. Figure 517: Adding a Public Key 5.
Figure 518: Creating a GRE Tunnel 5. Specify the Create Tunnel parameters as described in the following table, then click Create: Table 288: Create Tunnel Parameters Parameter Action/Description Display Name Specify the name for the tunnel interface. This name is used to identify the tunnel in the list of network interfaces. Local Inner IP Enter the local IP address of the tunnel network interface. Remote Outer IP Enter the IP address of the remote tunnel endpoint.
Figure 519: Creating an IPsec Tunnel Dialog 5. Specify the Create IPsec Tunnel parameters as described in the following table, then click Create: Table 289: Create IPSec Tunnel Parameters Parameter Action/Description Local Interface Specify the local Management interface. Remote IP Address Specify the IP address of the remote host.
Table 289: Create IPSec Tunnel Parameters (Continued) Parameter Action/Description Hash Algorithm Select one of the following hash algorithms: n HMAC-SHA (SHA-1) n HMAC-SHA256 n HMAC-SHA384 n HMAC-MD5 Diffie Hellman Group Select one of the following Diffie Hellman groups: n Group 5 n Group 14 n Group 19 n Group 20 NOTE: HMAC-MD5 and Group 5 (1536-bit MODP) are weak by current standards; where the remote peer supports them, select HMAC-SHA256 or stronger with Group 14, 19, or 20. Authentication Type Select one of the following authentication types: n Pre-Shared Key n Certificate IKE Shared Secret Verify IKE Shared Secret Enter the IKE secret key, then verify the secret ke
Figure 520: Create IPsec Tunnel > Traffic Selectors Dialog 2. Specify the Traffic Selectors parameters as described in the following table, then click Create. Table 290: Create IPSec Tunnel > Traffic Selectors Parameters Parameter Action/Description Encrypt Rules Displays the IPsec tunnel encryption rules configured for this IPsec tunnel. Bypass Rules Displays the IPsec tunnel bypass rules configured for this IPsec tunnel.
Checking IPsec Tunnel Status To check the status of an IPsec tunnel: 1. Navigate to the Server Manager > Configuration > Network page. The IPsec Tunnels section displays the configuration summary for each configured IPsec tunnel, along with an Action button to provide each IPsec tunnel's current status. Figure 521: IPsec Tunnel Summary and Action Button to See Tunnel Status 2. To see the current status for an IPsec tunnel, click the Action button (see Figure 521).
Understanding the IPsec Tunnel Status Information A way to quickly decipher the IPsec tunnel status information is as follows: l If the tunnel status shows ESTABLISHED, only IKE Phase 1 (the IKE SA) is complete. l If the tunnel status shows INSTALLED or Rekeying, IKE Phase 2 (the CHILD/IPsec SA) is complete. Example 1 If the tunnel status appears as shown in Figure 523, Phase 1 is complete but Phase 2 is failing. Look at the Audit Viewer events (Monitoring > Audit Viewer) to find the root cause.
Figure 525: Creating a VLAN

5. Specify the Create VLAN parameters as described in the following table, then click Create:

Table 291: Server Configuration > Create VLAN Parameters
- Physical Interface: Enter the physical port on which to create the VLAN interface. This is the interface through which the VLAN traffic will be routed. NOTE: Make sure your network supports tagged 802.1Q packets on the selected physical interface.
- VLAN Name: Enter the name for the VLAN interface.
Enabling FIPS Mode Using CLI

You can enable FIPS mode in W-ClearPass during installation using the CLI, or after installation using the Web UI. The following figure displays the prompt to enable FIPS mode using the CLI:

Figure 526: Enabling FIPS Mode

After enabling FIPS mode using the CLI commands, you can verify whether FIPS mode is enabled in the Configuration Summary page.

Figure 527: FIPS Mode > Configuration Summary
Enabling FIPS Mode in the W-ClearPass User Interface

Alternatively, you can enable or disable FIPS mode in the W-ClearPass user interface:
1. Navigate to Administration > Server Manager > Server Configuration.
2. From the Server Configuration page, select the server of interest. The Server Configuration dialog for the selected server opens.
3. Select the FIPS tab.
Server Configuration Cluster Options This section describes the cluster-related options that are available from the Administration > Server Manager > Server Configuration page.
Table 292: Change Date and Time > Date & Time Parameters
- Synchronize time with NTP server: To synchronize with a Network Time Protocol (NTP) server, enable this check box (enabled by default). NOTE: You can also set the date and time for the cluster manually by disabling the Synchronize time with NTP server check box and entering the current date and time in the dialog provided.
- Key ID: A number that specifies the index for key values. The Key ID value can be from 1 to 65534 inclusive. Typically, an NTP client and server must trust the same key index and key value pair for authentication to succeed.
- Key Value: A form of shared secret that both the client and server use to authenticate NTP messages.
Specifying the Time Zone on the Publisher

To specify the time zone on the Publisher node:
1. Click the Time Zone on Publisher tab.

Figure 531: Time Zone on Publisher Dialog

The time zones are listed in alphabetical order.
2. Select the time zone where the Publisher node resides, then click Save.

This option is available only on the Publisher. To set the time zone on a Subscriber node, select the specific server and set the time zone from the server-specific page.
3. Enter the new cluster password, then verify the password.
4. Click Save.

Changing this password also changes the password for the CLI user appadmin.

Managing Policy Manager Zones

This section provides the following information:
- About Policy Manager Zones
- Adding Policy Manager Zones
- Mapping Policy Manager Zones

About Policy Manager Zones

W-ClearPass Policy Manager shares a distributed cache of run-time states across all nodes in a cluster.
Figure 533: Policy Manager Zones Dialog

3. To add a new Policy Manager Zone, click Click to add..., enter the name of the Policy Manager Zone to be added, click the Save icon, then click Save.
4. To delete a zone, click the trash can icon.

Mapping Policy Manager Zones

To configure the Policy Manager Zone you created:
1. Navigate to Administration > Agents and Software Updates > OnGuard Settings. The OnGuard Settings page opens.
2. Click Policy Manager Zones.
Table 293: OnGuard Settings > Policy Manager Zones Parameters
- Policy Manager Zone: Lists the Policy Manager zones with radio buttons for selection.
- Client Subnets: Displays the client subnet addresses specific to the Policy Manager zone.
- Server IPs: Displays the server IP addresses specific to the Policy Manager zone.

Zone Network Details
Policy Manager Zone 1.
Figure 535: NetEvents Target Link on Server Configuration Page

2. Click the NetEvents Targets link. The NetEvents Targets configuration dialog opens.

Figure 536: NetEvents Targets Configuration Dialog

3. Specify the NetEvents Targets parameters as described in the following table, then click Save:

Table 294: NetEvents Targets Parameters
- Target URL: 1.
Configuring Virtual IP Settings

You can configure two nodes in a cluster to share a virtual IP address. The virtual IP address is bound to the primary node by default; the secondary node takes over when the primary node is unavailable.

In a virtual machine deployment of W-ClearPass Policy Manager, you must enable forged transmits on the VMware distributed virtual switch for the Virtual IP feature to be effective.

To configure a virtual IP address:
1.
cleared from all nodes in the cluster. Once the machine authentication cache is cleared, it takes up to 5 seconds to resync the cache.

To clear the machine authentication cache on all the nodes in a cluster:
1. Navigate to the Administration > Server Manager > Server Configuration page. The Server Configuration page opens:

Figure 538: Server Configuration Page > Clear Machine Authentication Cache

2. Click the Clear Machine Authentication Cache link.
Figure 539: Adding a Subscriber Node

3. Specify the Add Subscriber Node parameters as described in the following table, then click Save:

Table 296: Add Subscriber Node Parameters
- Publisher IP: Enter the Publisher node's IP address.
- Publisher Password: Specify the Publisher node's password. NOTE: The password specified here is the password for the CLI user appadmin.
General Parameters

You can configure the parameters that apply to all the nodes in a W-ClearPass cluster by configuring the Cluster-Wide Parameters.

To configure Cluster-Wide parameters:
1. Navigate to the Administration > Server Manager > Server Configuration page.
2. Select the Cluster-Wide Parameters link. The Cluster-Wide Parameters page opens to the General page:

Figure 540: Cluster-Wide Parameters > General Page
3. Configure the Cluster-Wide Parameters > General parameters as described in the following table, then click Save.

Table 297: Cluster-Wide Parameters > General Page Parameters
- Policy result cache timeout: Specify the duration, in minutes, for which the role mapping and posture results derived by the policy engine during a policy evaluation are stored. A value of 0 disables caching.
- Performance Monitor Rendering Port: Specify the port for performance monitor rendering. The default value is 80.
- Multi Master Cache Durability: For the Multi-Master Cache to survive most abrupt shutdowns, set this to Normal or Full. The default value is OFF. NOTE: Enabling this feature may result in some performance degradation.
- TACACS User Prompt Text / TACACS Password Prompt Text: You can modify the text used for the TACACS username and password prompts as needed. The default TACACS prompts are "UserName:" and "Password:".
- TACACS Connection Idle Timeout / Console Session Idle Timeout: An idle TACACS login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard.
Cleanup Intervals Parameters

The following figure displays the Cluster-Wide Parameters > Cleanup Intervals dialog:

Figure 541: Cluster-Wide Parameters > Cleanup Intervals Dialog

1.
Table 298: Cluster-Wide Parameters > Cleanup Intervals Parameters (Continued)
- Unknown endpoints cleanup interval: Specify the duration, in days, that W-ClearPass uses to determine when to start deleting unknown entries from the Endpoint repository. Unknown entries are deleted based on the last Updated At value for each Endpoint.
1. Specify the Cluster-Wide Parameters > Notifications parameters as described in the following table:

Table 299: Cluster-Wide Parameters > Notifications Parameters
- System Alert Level: Specify the alert notifications that are generated for system events logged at this level or higher.
  - INFO: Alerts for Information, Warning, and Error messages are generated.
  - WARN: Alerts for Warning and Error messages are generated.
1. Specify the Cluster-Wide Parameters > Standby Publisher parameters as described in the following table:

Table 300: Cluster-Wide Parameters > Standby Publisher Parameters
- Enable Publisher Failover: To authorize a node in the cluster to act as publisher if the primary publisher fails, select TRUE. The default value is FALSE.
- Designated Standby Publisher: Select the server in the cluster to act as the standby publisher. The default value is 0.
Mode Parameters

The Mode tab in the Cluster-Wide Parameters page allows you to enable or disable High Capacity Guest Mode and Common Criteria Mode.

Figure 545: Cluster-Wide Parameters Page

1. Specify the Cluster-Wide Parameters > Mode parameters as described in the following table:

Table 302: Cluster-Wide Parameters > Mode Parameters
- High Capacity Guest Mode: To enable or disable High Capacity Guest Mode, select TRUE or FALSE. The default is FALSE.
The licensing scheme in High Capacity Guest mode supports a high volume of user traffic in public-facing enterprises where the number of endpoints changes every day, such as:
- Transportation: Airports and rail stations
- Hospitality: Hotels, casinos, and resorts
- Healthcare: Hospitals, clinics, and health centers
- Retail: Shopping malls
- Large public venues: Stadiums, convention centers, and theaters
- Restaurants and coffee shops: Quick-serve restaurants

In enterprise deployments, W-Cl
- Only Guest application licenses are supported.

Insight Requirement

High Capacity Guest mode requires W-ClearPass Insight to be enabled on at least one node in the cluster.

1. Specify the default cleanup interval values when High Capacity Guest mode is enabled as described in the following table:

Table 303: Cleanup Interval Values in High Capacity Guest Mode
- Cleanup interval for Session log details in the database: The default value is 3 days.
- RADIUS Proxy
- Dell Application Authentication
- Dell Application Authorization
- TACACS+ Enforcement
- Web-based Authentication
- Web-based Open Network Access

Authentication Methods Supported in High Capacity Guest Mode

The following authentication methods are used in service templates in High Capacity Guest mode:
- PAP
- CHAP
- MSCHAP
- EAP_MD5
- MAC_AUTH
- AUTHORIZE
- EAP_PEAP_PUBLIC

Common Criteria Mode

Use Common Criteria Mode for deployments that require strict compliance
X.509 is an important standard for a public key infrastructure to manage digital certificates and public-key encryption. X.509 is a key part of the Transport Layer Security protocol used to secure web and email communication.
- All HTTPS communication to external services using X.509 v3 certificates must pass the basic constraints checks.

Database Parameters

The following figure displays the Cluster-Wide Parameters > Database dialog:

Figure 548: Cluster-Wide Parameters > Database Dialog

1.
Table 304: Cluster-Wide Parameters > Database Parameters (Continued)
the NTLM hash passwords are removed for all the users. NOTE: When you set this value to TRUE, you must reset all the passwords to re-enable RADIUS MSCHAP authentication against the user repositories.
- Store Local User Passwords using reversible encryption: To enable cleartext password comparison against local users, set this to TRUE.
Table 305: Cluster-Wide Parameters > Profiler Tab Parameters (Continued)
When Nmap scan is enabled, the following warning is displayed: WARNING: Setting this value to TRUE enables active scanning of the host for open ports. This can be resource intensive. Also, the Profiler Scan Ports value is ignored when Nmap scan is enabled.
- Enable Endpoint Port Scans using WMI: Set this option to TRUE to enable endpoint scans using WMI (Windows Management Instrumentation).
- System Logs
- Logs from all Policy Manager services
- Capture network packets: Duration of the dump in seconds. Use this option only when you want to debug a problem; system performance can be severely impacted.
- Diagnostic dumps from Policy Manager services
- Back up Policy Manager configuration data

5. Enter the time period for which you want to collect the information.
- Specify a number to collect logs for that number of days up to the current day.
Table 306: Back up Policy Manager Database Parameters
- Generate file name: To have Policy Manager generate a file name for the database backup, select this check box. This option is enabled by default.
- File Name: To specify the backup file name manually, click this check box, then enter the desired file name.
- Backup CPPM configuration data: The option to back up Policy Manager configuration data is enabled by default.
Table 307: Restore Policy Manager Database Parameters
- Restore file location: Select either Upload file to server or File is on server.
- Upload file path: Browse to select the name of the backup file. NOTE: This option is available only when the Upload file to server option is selected.
- Shared backup files present on the server: If the file is on the server, select a file from the files in the local shared folders (see Downloading Local Shared Folders).
The Force Cleanup Files dialog opens.

Figure 553: Force Cleanup Files Dialog

3. Enter the number of days system files can remain before they are removed. The allowed range is 0 to 15 days.
4. To initiate the cleanup process, click Start. The Force Cleanup Files status report opens:

Figure 554: Force Cleanup Files Status Report

Shutting Down or Rebooting the Server

To shut down the current W-ClearPass server:
1. Navigate to the Administration > Server Manager > Server Configuration page.
2.
Dropping a Subscriber Node

To drop a Subscriber node from the cluster:
1. Navigate to the Administration > Server Manager > Server Configuration page.
2. Select the node you want to drop from the cluster.
3. Click the Drop Subscriber button. This option is not available in a single-node deployment.

Log Configuration

To configure logs at the service and system level, navigate to the Administration > Server Manager > Log Configuration page.
The following table describes the Service Log Configuration parameters:

Table 308: Log Configuration > Service Log Configuration Parameters
- Select Server: 1. From the Select Server drop-down, specify the server for which you want to configure logs. All nodes in the cluster appear in the drop-down list.
- Select Service: 2. Specify the service for which you want to configure logs.
- Module Log Level Settings: 3.
System Level Configuration

The following figure displays the System Level dialog:

Figure 556: Log Configuration - System Level tab

The following table describes the System Level tab parameters:

Table 309: Log Configuration > System Level Parameters
- Select Server: 1. Specify the server for which you want to configure logs.
- Number of log files: 2. Specify the number of log files of a specific module to keep at any given time.
Table 309: Log Configuration > System Level Parameters (Continued)
- Enable Syslog: 6. To override the Syslog Filter Level for a service, select the Enable Syslog check box.
- Syslog Filter Level: 7. If desired, change the Syslog Filter Level. The current Syslog Filter Level is based on the default log level specified on the Service Log Configuration tab.
- Restore Defaults/Save: 8. Click Save to save your changes. To restore the default settings, click Restore Defaults.
4. You can either browse to an application to open the selected folder or save the tar.gz file to your hard disk:
   a. To open the folder, click Browse, select the application to open the tar.gz file, then click OK.
   b. To save the file, select Save File, then click OK. The file is downloaded to your system.
Managing Licenses

The Licensing page shows all the licenses that are activated for the entire W-ClearPass Policy Manager cluster. You must have a W-ClearPass Policy Manager base license for every instance of the product. If the number of licenses used exceeds the number of licenses purchased, you will see a warning four months after the number is exceeded. The number of used licenses is based on the daily average. On a virtual machine instance of W-ClearPass, the permanent license must be entered.
Figure 560: Licensing > Applications Tab

Adding an Application License

To add an application license:
1. Navigate to Administration > Server Manager > Licensing.
2. Click the Add License link at the top-right section of the page. The Add License page opens.

Figure 561: Add License Page

3.
4. Click Add. You return to the Licensing > License Summary page, where the new application license is now listed and the following message is displayed: license added successfully.

Figure 562: License Added Successfully

When you add an application license, the Applications tab is enabled to allow you to activate the new application license.

Activating a Server License

You activate a server license only once, when you first install W-ClearPass Policy Manager on a server.
Figure 564: Activate License Page

4. In the Online Activation section, click Activate Now. The W-ClearPass Policy Manager application license is now activated. The Applications tab > Activation Status column shows a green circle next to the keyword Activated.

Figure 565: ClearPass Server License Activated

Offline Activation: Creating a Case to Receive the Activation Key

If you are not connected to the Internet, you must submit a case through the HP Enterprise My Networking portal:
1.
Figure 566: My Networking > Case Submission Form

7. To attach the activation token from W-ClearPass, click Browse and select the activation request token.
8. Click Create a case.

Figure 567: Create a Case Button

9. The Support team will activate the token and send you the activation key.
10. Click Browse to locate the activation key file on your system, then click Upload.
After you add or update an application license, it must be activated. Adding or updating an application license enables the Applications tab on the Licensing page.

Online Activation

1. Navigate to Administration > Server Manager > Licensing. The Licensing page opens to the License Summary page.
2. Select the Applications tab. The new application licenses are listed. The Activation Status column shows a red circle next to the keyword Activate.
Figure 570: Application License Activated

Offline Activation: Creating a Case to Receive the Activation Key

If you are not connected to the Internet, you must submit a case through the HP Enterprise My Networking portal:
1. In the Offline Activation section, click Download to download an activation request token from the Policy Manager server.
2. Go to the My Networking Portal and log in.
3. Click the Support link.
4. Click Open/View Case. This shows all the cases you have submitted to Support.
5.
Figure 571: My Networking > Case Submission Form

7. To attach the activation token from W-ClearPass, click Browse and select the activation request token.
8. Click Create a case.

Figure 572: Create a Case Button

9. The Support team will activate the token and send you the activation key.
10. Click Browse to locate the activation key file on your system, then click Upload.
1. Navigate to Administration > Server Manager > Licensing. The Licensing page opens.

Figure 573: Licensing Page

2. Select the Servers tab.

Figure 574: Licensing > Servers Tab

3. Click the W-ClearPass server entry. The Update License dialog opens.

Figure 575: Update License Dialog

4. Enter the new license key.
5. Click the I agree to the above terms and conditions check box. The Update button is now activated.
6. Click Update. The W-ClearPass server license is updated.
1. Navigate to Administration > Server Manager > Licensing. The Licensing page opens.

Figure 576: Licensing Page

2. Select the Applications tab.

Figure 577: Licensing Applications Tab

3. Select the application license you need to update. The Update License dialog opens.

Figure 578: Update License Dialog

4. Enter the new license key.
5. Click the I agree to the above terms and conditions check box. The Update button is now activated.
6. Click Update. The selected application license is updated.
- Adding an SNMP Trap Server on page 582
- Importing an SNMP Trap Server on page 584
- Exporting All SNMP Trap Servers on page 585
- Exporting an SNMP Trap Server on page 586
- Deleting an SNMP Trap Server on page 587

W-ClearPass Policy Manager sends SNMP traps that expose the following server information:
- System up-time: Provides information about how long the W-ClearPass server has been running.
For SNMP trap server configuration, W-ClearPass provides the Type parameter to specify whether the SNMP notification is a standard Trap notification or an Inform notification (see Figure 580). An Inform notification is an acknowledged SNMP trap. When you send an Inform notification, W-ClearPass uses an SNMP Engine ID when sending the message. The Engine ID is a unique identifier for the SNMP v3 agent.
Table 311: Add SNMP Trap Server Parameters (Continued)
- SNMP v1 with community strings
- SNMP v2 with community strings
- SNMP v3 with no Authentication
- SNMP v3 with Authentication using MD5 and no Privacy
- SNMP v3 with Authentication using MD5 and with Privacy
- SNMP v3 with Authentication using SHA and no Privacy
- SNMP v3 with Authentication using SHA and with Privacy
NOTE: The MD5 authentication type is not supported when you use W-ClearPass Policy Manager in FIPS mode.
The following figure displays the Import from file pop-up:

Figure 581: Import from file Pop-up

The following table describes the Import from file parameters:

Table 312: Import from file Parameters
- Select File: Browse to the SNMP Trap Server configuration file to be imported.
- Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the secret key here.

Exporting All SNMP Trap Servers

This link exports all configured SNMP Trap Receivers.
The following figure displays the Export to file pop-up:

Figure 582: Export to file Pop-up

The following table describes the Export to file parameters:

Table 313: Export to file Parameters
- Export file with password protection: Choose Yes to export the file with password protection.
- Secret Key: Enter the secret key.
- Verify Secret: Re-enter the secret key.

Exporting an SNMP Trap Server

To export a single SNMP trap server:
1.
The following table describes the Export to file parameters:

Table 314: Export to file Parameters
- Export file with password protection: Choose Yes to export the file with password protection.
- Secret Key: Enter the secret key.
- Verify Secret: Re-enter the secret key.

Deleting an SNMP Trap Server

To delete a single SNMP trap server:
1. Navigate to Administration > External Servers > SNMP Trap Receivers.
2. Click the check box next to the Host Address entry and click Delete.
3.
The following table describes the Syslog Targets parameters:

Table 315: Syslog Targets Parameters
- Add: Opens the Add Syslog Target pop-up.
- Import: Opens the Import from file pop-up. You can import a syslog target from a file.
- Export All: Opens the Export to file pop-up. You can export all the syslog target entries to a file.
- Export: Opens the Export to file pop-up. With this option, you can export individual syslog targets.
- Delete: Deletes a syslog target server.
The following table describes the Add Syslog Target parameters:

Table 316: Add Syslog Target Parameters
- Host Address: Syslog server hostname or IP address.
- Description: Enter a short description of the syslog server.
- Protocol: Select one of the following options:
  - UDP: This option reduces overhead and latency.
  - TCP: This option provides error checking and packet delivery validation.
- Server Port: Port number for sending the syslog messages. The default port number is 514.
The following table describes the Import from file parameters:

Table 317: Import from file Parameters
- Select File: Browse to the Syslog Target configuration file to be imported.
- Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.

Exporting All Syslog Targets

To export all syslog targets:
1. Navigate to Administration > External Servers > Syslog Targets.
2.
3. Enter the name of the XML file in the Save As dialog.
4. Click Save.

The following figure displays the Export to file pop-up:

Figure 588: Export to file Pop-up

The following table describes the Export to file parameters:

Table 319: Export to file Parameters
- Export file with password protection: Choose Yes to export the file with password protection.
- Secret Key: Enter the secret key.
- Verify Secret: Re-enter the secret key.

Deleting a Syslog Target

To delete a syslog target:
1.
You configure syslog export filters to instruct Policy Manager where to send this information and, through data filters, what kind of information should be sent.

Syslog Export Filters Page

To configure syslog export filters:
1. Navigate to Administration > External Servers > Syslog Export Filters. The Syslog Export Filters page opens.
2. From the Syslog Export Filters page, click Add. The Add Syslog Filters page opens to the General tab.

Figure 590: Add Syslog Export Filters Page > General Tab

The Filter and Columns tab shown in the figure above is visible only if you select Insight Logs or Session Logs as the export template. For more information, see Filter and Columns Tab on page 597.
Table 321: Add Syslog Export Filters > General Tab Parameters (Continued)
- Export Event Format Type: Select one of the following export event formats:
  - Standard: Select this event format type to send the event types in raw syslog format. This is the default event format type.
  - LEEF: Select this event format type to send the event types in Log Enhanced Event Format (LEEF).
10.20.23.178,Category=Logged in,Action=None,Level=INFO,src=10.17.5.228,Component=Support Shell,Timestamp=Jan 20, 2015 16:45:59 IST Mar 21 16:49:10 10.17.5.228 2017-01-20 16:50:05,210 10.17.5.228 System Events 1 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description='Failed to start ClearPass Virtual IP service',Category=start,Action=Failed,Level=WARN,src=10.17.5.228,Component=ClearPass Virtual IP service,Timestamp=Jan 20, 2017 16:48:53 IST 2015-01-20 16:50:05,210 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.
LEEF Event Format Type > Insight Logs

The following example shows the LEEF event format type for the Insight Logs syslog export filter template:

Dec 03 2017 16:50:44.085 IST 10.17.4.208 LEEF:1.0|Dell|ClearPass|6.5.0.69058|0-10|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:48:41+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.
CEF Event Format Type > Session Logs

The following example shows the CEF event format type for the Session Logs syslog export filter template:

Dec 01 2017 15:28:40.540 IST 10.17.4.206 CEF:0Dell|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 RADIUS.Acct-Framed-IPAddress=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.
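A receiving SIEM has to split these LEEF and CEF lines into header fields and dotted key=value attributes before it can alert on them. The following Python parser is an added example (not code from the guide or the ClearPass product) that does this for both formats, run over two sample lines constructed from the field names above. It assumes the LEEF attributes are tab-separated, as LEEF 1.0 specifies (the spaces in the guide's sample are assumed to be flattened tabs), CEF attributes are space-separated, and no attribute value itself contains a " word=" sequence.

```python
"""Parse LEEF and CEF lines from a Policy Manager syslog export filter.
Added example, not code from the ClearPass guide or product; the sample
lines at the bottom are constructed from the field names on this page."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Each line is "<timestamp> <ClearPass IP> <payload>", where the payload is
#   LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...
#   CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value...
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3} \S+) "
    r"(?P<src>\S+) (?P<body>(?:LEEF|CEF):.*)$"
)
# Keys are dotted names such as Auth.Login-Status; values may contain spaces
# (timestamps, profile lists), so split at the next "key=" token, not on
# whitespace. Assumption: no value itself contains a " word=" sequence.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


@dataclass
class ExportEvent:
    timestamp: str
    source: str
    fmt: str                     # "LEEF" or "CEF"
    vendor: str
    product: str
    version: str
    event_id: str                # LEEF EventID or CEF Signature ID
    name: str = ""               # CEF Name; empty for LEEF
    severity: int | None = None  # CEF severity 0-10; None for LEEF
    attrs: dict[str, str] = field(default_factory=dict)


def _split_header(body: str, fields: int) -> list[str]:
    # Header fields are "|"-separated; a literal pipe is escaped as "\|".
    parts = re.split(r"(?<!\\)\|", body, maxsplit=fields)
    return [p.replace("\\|", "|") for p in parts]


def parse_attributes(ext: str) -> dict[str, str]:
    """Split the key=value extension into a dict, keeping spaces in values."""
    keys = list(_KEY.finditer(ext))
    attrs = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        attrs[m.group(1)] = ext[m.end():end].strip()
    return attrs


def list_value(value: str) -> list[str]:
    """Turn a bracketed value such as "[Allow Access Profile]" into a list."""
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [v.strip() for v in inner.split(",") if v.strip()]


def parse_export_event(line: str) -> ExportEvent:
    m = _PREFIX.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a LEEF/CEF export filter event")
    ts, src, body = m.group("ts"), m.group("src"), m.group("body")
    if body.startswith("LEEF:"):
        parts = _split_header(body, 5)
        if len(parts) != 6:
            raise ValueError("malformed LEEF header")
        _, vendor, product, version, event_id, ext = parts
        return ExportEvent(ts, src, "LEEF", vendor, product, version,
                           event_id, attrs=parse_attributes(ext))
    parts = _split_header(body, 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    _, vendor, product, version, sig_id, name, sev, ext = parts
    return ExportEvent(ts, src, "CEF", vendor, product, version, sig_id,
                       name=name, severity=int(sev) if sev.isdigit() else None,
                       attrs=parse_attributes(ext))


def parse_export_lines(lines: list[str]) -> tuple[list[ExportEvent], list[str]]:
    """Parse a batch; malformed lines are returned separately, not fatal."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_export_event(line))
        except ValueError:
            rejected.append(line)
    return events, rejected


# Constructed samples modelled on the page's LEEF and CEF examples.
SAMPLE_LEEF = (
    "Dec 03 2017 16:50:44.085 IST 10.17.4.208 LEEF:1.0|Dell|ClearPass|6.5.0.69058|0-10|"
    "Auth.Username=host/Asif-Test-PC2\tAuth.Authorization-Sources=null\t"
    "Auth.Login-Status=216\tAuth.Request-Timestamp=2017-12-03 16:48:41+05:30\t"
    "Auth.Protocol=RADIUS\tAuth.Source=null\t"
    "Auth.Enforcement-Profiles=[Allow Access Profile]\tAuth.NAS-Port=null"
)
SAMPLE_CEF = (
    "Dec 01 2017 15:28:40.540 IST 10.17.4.206 CEF:0|Dell|ClearPass|6.5.0.68878|1604-1-0|"
    "Session Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 "
    "RADIUS.Acct-Framed-IPAddress=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 "
    "RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP "
    "RADIUS.Acct-Service-Name=Authenticate-Only"
)
```

Calling parse_export_lines([SAMPLE_LEEF, SAMPLE_CEF]) returns one ExportEvent per line, with multi-word values such as the Auth.Request-Timestamp kept intact.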
Figure 591: Syslog Export Filters > Filter and Columns > Insight Logs

As shown in Figure 591, administrators can select EndpointTag attributes as a column in Syslog Export Filters. Custom attributes fetched by users and recorded in an endpoint are sent through syslog export filters to the syslog server. When an endpoint is updated, syslog events are generated. The data collection interval for Insight logs is -4 to -2 minutes from the current time.
It is recommended to contact Support if you choose option 2. Support can assist you with entering the correct information in this template.

The following figure displays the Syslog Export Filters - Filter and Columns (Session Logs) tab.
Table 323: Syslog Export Filters > Filter and Columns > Insight Logs Parameters (Continued)
- Custom SQL: Specify a custom SQL query for export. This option is for advanced use cases. NOTE: If you choose this option, contact Dell Support at Administration > Support > Contact Support. Support can assist you with entering the correct information in this template.
Table 324: Syslog Export Filters - Summary Tab Parameters (Continued)
- Data Filter: Displays the data filter selected when configuring option 1 in the Filter and Columns tab.
- Columns Selection: Displays the predefined field groups and available column types selected when configuring option 1 in the Filter and Columns tab.
- Custom SQL: Displays the SQL query entered when configuring option 2 in the Filter and Columns tab.

Importing a Syslog Filter

To import a syslog filter:
1.
Exporting All Syslog Filters

To export all syslog filters:
1. Navigate to Administration > External Servers > Syslog Export Filters.
2. Click the Export All link on the top right section of the page. Enter the details based on Table 326.
3. Click Export.
4. Enter the XML file name in the Save As dialog box.
5. Click Save.
The following figure displays the Export to file pop-up:

Figure 596: Export to file Pop-up

The following table describes the Export to file parameters:

Table 327: Export to file Parameters
- Export file with password protection: Choose Yes to export the file with password protection.
- Secret Key: Enter the secret key.
- Verify Secret: Re-enter the secret key.

Deleting a Syslog Filter

To delete a syslog filter:
1. Navigate to Administration > External Servers > Syslog Export Filters.
Figure 597: Messaging > SMTP Server Page

2. To configure a new SMS gateway using the W-ClearPass Guest portal, click the Configure SMS Gateway link at the top right section of the page.

The following table describes the Messaging > SMTP Server page parameters:

Table 328: Messaging > SMTP Server Page Parameters
- Server name: 1. Enter the Fully Qualified Domain Name (FQDN) or the IP address of the SMTP server.
- User Name: 2.
Figure 598: Send Test Email Dialog

2. Recipient Email Address: Enter the email address of the recipient.
3. Message: Enter the test message.
4. Click Send Email.

Sending a Test SMS Message

To send a test SMS message to the preferred email address:
1. Click Send Test SMS. The Send Test SMS dialog opens.

Figure 599: Send Test SMS Dialog

2. Recipient in International format: Enter the mobile phone number of the recipient in international format.
Endpoint Context Servers

This section describes the following topics:
- Introduction
- Endpoint Context Servers Page
- Adding an Endpoint Context Server
- Importing an Endpoint Context Server
- Exporting All Endpoint Context Servers
- Modifying an Endpoint Context Server
- Polling an Endpoint Context Server
- Deleting an Endpoint Context Server

For related information, see:
- Configuring Endpoint Context Server Actions on page 614
- Adding Vendor-Specific Endpoint Context Servers on page
Table 329: Endpoint Context Server Categories
Server Name: Displays the name of the endpoint context server.
Server Type: Displays the type of the endpoint context server.
Status: Displays the status of the endpoint context server: Enabled or Disabled. For non-MDM servers, the status is always displayed as Disabled.

Adding an Endpoint Context Server
To add an endpoint context server:
1. Navigate to Administration > External Servers > Endpoint Context Servers.
2.
Table 330 describes the Add Endpoint Context Server parameters:
Table 330: Add Endpoint Context Server Parameters
Select Server Type: 1. Choose one of the Server Types (endpoint context server vendors) from the following options. The Server Type you select determines the configuration parameters.
Table 330: Add Endpoint Context Server Parameters (Continued)
Validate Server: 7. Select the Enable to validate the server certificate check box to validate the server certificate. By default, this field is disabled. NOTE: Checking this option enables the Certificate tab.
Enable Server: 8. Select the Enable to fetch endpoints from the server check box to enable the endpoint context server. By default, this field is disabled. NOTE: The Bypass Proxy field is enabled only if you enable this field.
Figure 602: Import from File Dialog
The following table describes the Import from file parameters:
Table 331: Import from File Dialog Parameters
Select File: Browse to the Endpoint Context Server configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.

Exporting All Endpoint Context Servers
To export all endpoint context servers:
1.
Table 332 describes the Export to file parameters:
Table 332: Export to File Dialog Parameters
Export file with password protection: 1. To export the file with password protection, choose Yes.
Secret Key: 2. Enter the secret key.
Verify Secret: 3. Re-enter the secret key.

Modifying an Endpoint Context Server
To modify an endpoint context server:
1. Navigate to Administration > External Servers > Endpoint Context Servers.
2.
The following table describes the Modify Endpoint Context Server > Server parameters:
Table 333: Modify Endpoint Context Server > Server Parameters
Server Type: The Server Type cannot be modified.
Server Name: 1. Enter the name of the server or host.
Server Base URL: 2. Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.
Figure 605: Modify Endpoint Context Server > Actions Tab

Polling an Endpoint Context Server
You can poll only one server at a time; you cannot poll multiple server entries. Also, only MDM-type servers can be polled.
To poll an endpoint context server:
1. Navigate to Administration > External Servers > Endpoint Context Servers.
2. In the Endpoint Context Servers main page, click the check box next to the server name entry.
Figure 606: Selecting the Trigger Poll Option
3. Click Trigger Poll.
Configuring Endpoint Context Server Actions
This section contains the following information:
- Filtering an Endpoint Context Server Action Report
- Configuring Endpoint Context Server Actions
- Adding machine-os and host-type Endpoint Attributes

Filtering an Endpoint Context Server Action Report
Use the Filter controls to configure a search for a subset of Endpoint Context Server Action items.
To filter an endpoint context server action report:
1.
Table 334: Endpoint Context Server Actions Page Settings
Server Type: Indicates the server type configured when the server action was configured.
Action Name: Indicates the name of the context server action. The available server actions vary depending on what Server Type is specified.
HTTP Method: Specifies the HTTP method selected when the server action was configured.
Description: Provides the description of the server action.
2.
Table 335: Action Parameters—Endpoint Context Server Details
Server Type: Specifies the server type configured when the server action was configured. You can select the server type from the drop-down list.
Server Name: Lists the context servers specific to the server type selected in the Server Type field. This field is visible only if you selected the service type Generic HTTP.
Action Name: Specifies the name of the action configured.
Content Tab
Use the Content tab to specify a content type and add non-default context server attributes (see Figure 610). The information in the Content window is the template of what will be posted to the server. The fields preceded by the % sign are replaced with their corresponding values.
Attributes Tab Parameters
Use the Attributes tab to specify the mapping for attributes used in the content to parameterized values from the request.
Figure 611: Attributes Tab—Endpoint Context Server Details
Table 338 describes the Endpoint Context Server Details—Attributes parameters:
Table 338: Attributes Parameters—Endpoint Context Server Details
Attribute Name: Enter attribute names and assign values to those names. These name/value pairs are included in context server actions.
Figure 612: Selecting the Check Point Login Server Action
The Endpoint Context Server Details dialog opens.
3. Select the Content tab (see Figure 613).
4. In the Content field, add the following attributes (see Figure 613):
- "machine-os":"%{device_family}"
- "host-type":"%{device_type}"
Figure 613: Adding Endpoint Context Server Attributes
5. Click Save.
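The Content tab template described above (fields preceded by % are replaced with the corresponding request values) rendered in code, as an added Python example that is not part of this guide or of the ClearPass product. The machine-os and host-type attributes are the ones added in the procedure; the Authentication:Username placeholder and the request values are constructed for illustration, and the escaping and missing-attribute check show what a practitioner should verify before the body is posted.

```python
import json
import re

# Constructed Content-tab template. machine-os and host-type are the two
# attributes from the Check Point procedure; the username field is an assumed
# extra placeholder added for illustration.
CONTENT_TEMPLATE = (
    '{"machine-os":"%{device_family}",'
    '"host-type":"%{device_type}",'
    '"username":"%{Authentication:Username}"}'
)

# Constructed request attributes as they might be available at enforcement
# time. The username carries an embedded quote on purpose, to show that a
# value cannot alter the structure of the posted JSON body.
SAMPLE_REQUEST = {
    "device_family": "Windows",
    "device_type": "Computer",
    "Authentication:Username": 'alice"smith',
}

# %{name}: the % prefix marks a field for substitution, as the guide describes.
PLACEHOLDER = re.compile(r"%\{([^{}]+)\}")


def placeholders(template):
    """Return the placeholder names in the order they appear in the template."""
    return [m.group(1).strip() for m in PLACEHOLDER.finditer(template)]


def missing_attributes(template, attributes):
    """Placeholders the request cannot fill; these would be posted as empty values.

    Checking this before saving a Content template catches a misspelled
    attribute name, which otherwise silently sends blank context to the server.
    """
    return [name for name in placeholders(template) if name not in attributes]


def render_content(template, attributes, default=""):
    """Substitute every %{name} in the template with attributes[name].

    Each value is escaped with json.dumps (outer quotes stripped) so that a
    quote or backslash in an attribute value cannot break or extend the JSON
    document sent to the context server. Unknown names are replaced with
    `default` rather than left in the body as literal %{...} text.
    """
    def _substitute(match):
        name = match.group(1).strip()
        value = attributes.get(name, default)
        return json.dumps(str(value))[1:-1]

    return PLACEHOLDER.sub(_substitute, template)


def render_content_as_object(template, attributes):
    """Render the template and parse it back, proving the body is well-formed JSON."""
    return json.loads(render_content(template, attributes))


if __name__ == "__main__":
    print(render_content(CONTENT_TEMPLATE, SAMPLE_REQUEST))
    # A request that lacks device_family and the username shows up here:
    print("missing:", missing_attributes(CONTENT_TEMPLATE, {"device_type": "Phone"}))
```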
- Adding an Aruba Activate Endpoint Context Server
- Adding a ClearPass Cloud Proxy Endpoint Context Server
- Adding a Generic HTTP Endpoint Context Server
- Adding a Google Admin Console Endpoint Context Server
- Integrating W-ClearPass with Infoblox
- Adding a JAMF Endpoint Context Server
- Integrating W-ClearPass with Juniper Networks SRX
- Adding a MaaS360 Endpoint Context Server
- Adding a MobileIron Endpoint Context Server
- Adding a Palo Alto Networks Firewall Endpoint Context Serv
You can add more than one endpoint context server of the same type. Specify the Add Airwatch Endpoint Context Server > Server parameters as described in the following table:
Table 339: Adding an Airwatch Endpoint Context Server > Server Tab Parameters
Select Server Type: Choose AirWatch from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or a hostname.
Server Base URL: Enter the full URL for the server.
Actions Tab
The following figure displays the Airwatch Add Endpoint Context Server > Actions page:
Figure 615: Adding an Airwatch Endpoint Context Server > Actions Page
Specify the Airwatch Add Endpoint Context Server > Actions parameters as described in the following table:
Table 340: Adding an Airwatch Endpoint Context Server > Actions Tab Parameters
Clear Passcode: Reset the passcode on the device.
Enterprise Wipe: Delete only stored corporate information.
2. Click Add. The Add Endpoint Context Server dialog opens.
3. From the Select Server Type drop-down, select AirWave. The following dialog is displayed:
Figure 616: Add an AirWave Endpoint Context Server > Server Dialog
You can add multiple endpoint context servers of the same type.
4. Enter the appropriate values for each of the AirWave Add Endpoint Context Server parameters described in Table 341.
5. When satisfied with the settings, click Save.
Table 341: Adding an AirWave Endpoint Context Server > Server Parameters (Continued)
Verify Password
Validate Server: 6. Enable Validate Server to validate the server certificate. Checking this option enables the Certificate tab.
Bypass Proxy: 7. Enable Bypass Proxy to bypass the proxy server.

Adding an Aruba Activate Endpoint Context Server
For more information about Activate, refer to the Aruba Activate documentation.
Table 342: Adding an Aruba Activate Endpoint Context Server > Server Parameters (Continued)
Username: 4. Enter the username for the Aruba Activate server.
Password: 5. Enter the password, then verify the password.
Verify Password
Device Filter: The Device Filter field is populated with a default regular expression to retrieve only the Remote AP (RAP) and Instant AP (IAP) information.
Folder Filter: The Folder Filter field is set to "*" by default.
Adding a ClearPass Cloud Proxy Endpoint Context Server
The Cloud Proxy is a virtual instance configured in the cloud. It is multi-tenant: a single instance serves multiple customers, each of which may have many W-ClearPass server nodes. Once configured, the W-ClearPass Policy Manager server establishes a Cloud Tunnel to the Cloud Proxy instance using the supplied credentials and Domain. The Domain is required as an identifier to indicate which Cloud Tunnel applies to which customer.
Password
Domain: Specify a domain identifier used to determine the specific Cloud Tunnel to which the request must be sent by the Cloud Proxy.
Validate Server: Click the Validate Server check box to enable validation of the server certificate.

Adding a Google Admin Console Endpoint Context Server
Consult the Google Developer documentation for information about the parameters that you must enter to configure this endpoint.
The following table describes the Add Endpoint Context Server - Server (Google Admin Console) tab parameters:
Table 344: Add Endpoint Context Server - Server (Google Admin Console) Tab Parameters
Select Server Type: Choose Google Admin Console from the drop-down list.
Client Id: Enter the client ID. For example, 9169879216kpl50kxuaq6q6qqwe0i.apps.googleusercontent.com.
Client Secret: Enter the client secret. For example, gMcfg342ePaKgx1ZlXK.
Adding a Generic HTTP Endpoint Context Server
The following figure displays the Generic HTTP Add Endpoint Context Server > Server tab:
Figure 622: Adding a Generic HTTP Endpoint Context Server
You can add more than one endpoint context server of the same type. For example, you can add more than one AirWatch endpoint context server.
Table 345: Add Endpoint Context Server - Server (Generic HTTP) Tab Parameters (Continued)
Validate Server: 6. Enable Validate Server to validate the server certificate. Checking this option enables the Certificate tab.
Bypass Proxy: 7. Enable Bypass Proxy to bypass the proxy server.
8. Click Save to save your changes.
2. Click Add. The Add Endpoint Context Server dialog opens on the Server page.
Figure 624: Adding an Infoblox Endpoint Context Server
3. Enter the following information:
a. Select Server Type: From the drop-down list, select Generic HTTP.
b. Server Name: Enter the IP address of the Infoblox server.
c. Server Base URL: As you enter the IP address in the Server Name field, the Server Base URL is populated automatically with the same IP address.
d.
2. Select the Infoblox Login endpoint context server action. The Endpoint Context Server Details dialog for the selected action is displayed. For descriptions of the parameters in the Endpoint Context Server Details tabs, refer to Configuring Endpoint Context Server Actions on page 614.
Figure 625: Selecting the Infoblox Server for the Endpoint Context Server Action
3. Server Name: Select the IP address of the Infoblox server.
4.
Figure 626: Attributes Sent to Infoblox Server
7. Click Cancel.

Creating an Infoblox Enforcement Profile
This section describes how to create a simple HTTP-based enforcement profile named "Infoblox Notify" that acts against the Infoblox Login action. For additional details on configuring enforcement profiles, see Configuring Enforcement Profile on page 373.
To create an Infoblox enforcement profile:
1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens.
Figure 628: Adding the Infoblox Enforcement Profile
3. Configure the Add Enforcement Profile page as follows:
a. Template: Select HTTP Based Enforcement. For details on configuring HTTP-based enforcement profiles, see HTTP Based Enforcement Profile on page 406.
b. Name: Enter Infoblox Notify.
c. Description: Optionally, enter a description of this enforcement profile.
d. Click Next. The Enforcement Profiles Attributes page appears.
Figure 629: Specifying the Target Server and Enforcement Action
4.
This section describes how to define a RADIUS Enforcement type profile for Infoblox. This profile defines the tunnel parameters, the VLAN ID, and the termination action. This configuration is specific to the lab environments in which this feature has been tested; the RADIUS:IETF attributes can take any values, depending on the lab environment. For details on configuring a RADIUS-based enforcement policy, see RADIUS Based Enforcement Profile on page 407.
Figure 631: Adding Attributes to the RADIUS Enforcement Profile
Tunnel-Private_Group-Id
4. Click Click to add....
a. Type: Select Radius:IETF.
b. Name: Select Tunnel-Private_Group-Id.
c. Value: Enter the value configured for the Tunnel-Private_Group-Id attribute on the controller.
Session-Timeout
5. Click Click to add....
a. Type: Select Radius:IETF.
b. Name: Select Session-Timeout.
c. Value: Enter 21600 (which equals six hours in seconds).
Tunnel-Type
6. Click Click to add....
a. Type: Select Radius:IETF.
1. Navigate to Configuration > Enforcement > Policies. The Enforcement Policies page opens.
2. Click Add. The Add Enforcement Policies page appears.
Figure 632: Adding the Infoblox Enforcement Policy
3. Enter the following information:
a. Name: Enter Infoblox Policy.
b. Description: Optionally, enter a description of this policy.
c. Enforcement Type: Set by default to RADIUS.
d. Default Profile: Select Allow Access Profile.
e. Click Next. The Rules page appears.
4. Click Add Rule.
You must add the enforcement profiles in the order specified here.
b. Select [RADIUS] Infoblox RADIUS Enforcement.
c. Click Select to Add.
d. Select [HTTP] Infoblox Notify.
7. Click Save.
8. To view the Infoblox enforcement policy summary, click the Summary tab.
Figure 634: Summary of the Infoblox Enforcement Policy
9. Check the summary information to make sure the policy is correct, make any changes if necessary, then click Save.
a. Type: Select 802.1X Wireless.
b. Name: Enter Infoblox Wireless Service.
c. Description: Optionally, enter a description of this service.
d. In the Service Rule panel, set Matches to ANY, then click Next. The Authentication page appears.
Figure 636: Specifying Wireless Service Authentication Settings
4. Enter the following information:
a. Authentication Methods: Select the authentication method. This example uses EAP MSCHAPv2.
b. Authentication Sources: Select the authentication source(s).
Authenticating External Devices Against the Infoblox Service
This section describes the configuration on the Infoblox server that receives the MAC address and username context from W-ClearPass. The following procedure adds an IPv4 network that is used as a DHCP pool to assign IP addresses to the external devices that must be authenticated.
To configure an Infoblox server to authenticate external devices:
1. Log into the Infoblox server. The Infoblox IPAM Tasks page opens.
Figure 640: Adding an IPv4 Network
4. With Add Network selected by default, click Next. The following screen appears.
Figure 641: Specifying the Netmask
5. In the Netmask field, specify the netmask for the new network. The netmask is set by default to /24 (that is, a Class C IP address), but you can set the netmask to any appropriate netmask value for your network.
6. To add an IPv4 network, in the Networks panel, click the Plus sign (see Figure 641).
7.
Figure 642: Adding Members
8. Click the Plus sign. While adding members for the DHCP pool, the members group from Data Management > DHCP > Members is populated automatically.
9. Click Next. The following screen appears.
Figure 643: Specifying the Lease Time (Session-Timeout Value)
10. In the Lease Time Override panel, click Override.
11. In the Lease Time field, enter 21600; from the drop-down, select Seconds. Then click Next.
Figure 644: Scheduling Date and Time for Creating the IPv4 Network
13. Specify when you want to create the IPv4 network, then click Save & Close. The new network is created.
Figure 645: New IPv4 Network Created

Creating a Filter to Accept Information from the W-ClearPass Server
To create a filter to accept information from the W-ClearPass server:
1. From the Data Management > DHCP tab, select the newly created network. The Networks page opens.
2. Select the IPv4 Filters tab.
3.
Figure 646: Specifying Lease Time in the IPv4 MAC Address Filter
The Lease Time value entered here must correspond to the Session-Timeout value defined in the Infoblox RADIUS Enforcement Profile (see Session-Timeout on page 636).
Step 3 of the IPv4 MAC Address Filter wizard appears.
Figure 647: Specifying the MAC Address Expiration in the IPv4 MAC Address Filter
7. For the Default MAC Address Expiration setting:
a. Select the Automatically Expires in button.
b. Specify 21600 Seconds.
c. Then click Next.
Figure 648:
8. Specify the Schedule Change settings:
a. If you wish to run the MAC address filter now, select Now.
b. If you wish to schedule the MAC address filter for later, select Later and specify the Start Date and Start Time.
c. When finished with the Schedule Change settings, click Save & Close.
Figure 649: Adding a Juniper Networks SRX Endpoint Context Server > Server Dialog
You can add multiple endpoint context servers of the same type.
4. Enter the appropriate values for each of the Juniper Networks SRX Add Endpoint Context Server parameters described in Table 346.
5. When satisfied with the settings, click Save.
Table 346: Specifying Juniper Networks SRX Endpoint Context Server - Server Page Parameters
Select Server Type: Choose Juniper Networks SRX.
Adding a Context Server Action to the Juniper SRX Server
Figure 650 displays the Juniper Networks SRX Add Endpoint Context Server > Actions page:
Figure 650: Adding a Juniper Networks SRX Endpoint Context Server > Actions Page
Table 347 describes the Endpoint Context Server Actions that are available:
Table 347: Juniper Networks SRX Endpoint Context Server Actions
Juniper Networks SRX Login: Endpoint Context Server action to send a user or device login context to a Juniper SRX server.
Figure 651: Endpoint Context Server Details for the Juniper SRX Action
For descriptions of the parameters in the Endpoint Context Server Details pages, refer to Configuring Endpoint Context Server Actions on page 614.
3. If necessary, modify the parameters in the Action page, then click Save.
4. To specify a content type and add non-default context server attributes, select the Content tab.
Figure 653: Content for the Juniper Networks SRX Logout Action
5. Make any necessary changes to the Content page, then click Save. You return to the Endpoint Context Servers page, where the endpoint context server you added is now listed.

Creating a Juniper SRX Enforcement Profile
This section describes how to create a session-notification enforcement profile named "Juniper SRX Notify" that acts against the Juniper SRX Login action.
Figure 655: Adding the Juniper SRX Enforcement Profile
3. Configure the Add Enforcement Profile page as follows:
a. Template: Select Session Notification Enforcement. For details on configuring session notification enforcement profiles, see Session Notification Enforcement Profile on page 411.
b. Name: Enter Juniper SRX Notify.
c. Description: Optionally, enter a description of this enforcement profile.
d. Click Next. The Enforcement Profiles Attributes page appears.
c. Value: Select the IP address of the Juniper SRX server.
Login Action
6. Click Click to add....
a. Type: Select Session-Notify.
b. Name: Select Login Action.
c. Value: Select Juniper Networks SRX Login.
Logout Action
7. Click Click to add....
a. Type: Select Session-Notify.
b. Name: Select Logout Action.
c. Value: Select Juniper Networks SRX Logout.
8. Click Save. You return to the Enforcement Profiles page, where the Juniper Networks SRX Notify enforcement profile is now listed.
The Rules Editor dialog opens.
Figure 658: Configuring Juniper SRX Enforcement Policy Rules
Specify Conditions
5. In the Conditions panel, click Click to add, then enter the following information:
a. Type: Select Tips.
b. Name: Select Role.
c. Operator: Select EQUALS.
d. Value: Select User Authenticated.
Specify the Enforcement Profile
6. In the Enforcement Profiles panel:
a. Click Select to Add.
b. Select [Post Authentication] Juniper SRX Notify.
7. Click Save.
8.
Defining a Juniper SRX Wireless Service
This section describes how to create an 802.1X wireless service named "Juniper SRX Wireless Service" to be applied to the policy "Juniper SRX Policy."
To create the Juniper SRX wireless service:
1. Navigate to Configuration > Services. The Services page appears.
2. Click Add. The Add Services page appears.
Figure 660: Adding a Juniper SRX Wireless Service
3. Specify the following information:
a. Type: Select 802.1X Wireless.
b.
Figure 661: Specifying the Wireless Service Authentication Settings
4. Specify the following information:
a. Authentication Methods: Select the authentication method. This example uses EAP MSCHAPv2 as the authentication method.
b. Authentication Sources: Select the authentication source(s). This example uses [Local User Repository] [Local SQL DB] as the authentication source.
5. Select the Enforcement tab.
Figure 662: Specifying the Enforcement Policy for the Juniper SRX Wireless Service
6.
Adding a JAMF Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
The following figure displays the Add Endpoint Context Server - Server (JAMF) tab:
Figure 663: Add Endpoint Context Server - Server (JAMF) Tab
You can add more than one endpoint context server of the same type. For example, you can add more than one AirWatch endpoint context server.
Table 348: Add Endpoint Context Server - Server (JAMF) Tab Parameters (Continued)
Validate Server: Enable to validate the server certificate. Checking this option enables the Certificate tab.
Enable Server: Enable to fetch endpoints from the server.
Bypass Proxy: Enable to bypass the proxy server.

Adding a MaaS360 Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
The following table describes the Add Endpoint Context Server - Server (MaaS360) tab parameters:
Table 349: Add Endpoint Context Server - Server (MaaS360) Tab Parameters
Select Server Type: Choose MaaS360 from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or hostname.
Server Base URL: Enter the full URL for the server. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber.
Actions Tab
The following figure displays the Add Endpoint Context Server - Actions (MaaS360) tab:
Figure 665: Add Endpoint Context Server - Actions (MaaS360) Tab
The following table describes the Add Endpoint Context Server - Actions (MaaS360) tab parameters:
Table 350: Add Endpoint Context Server - Actions (MaaS360) Tab Parameters
Approve Device in Messaging System: Approve the device in the Messaging System.
Block Device in Messaging System: Block the device in the Messaging System.
Table 350: Add Endpoint Context Server - Actions (MaaS360) Tab Parameters (Continued)
Revoke Selective Wipe: Cancel a Selective Wipe executed on the device.
Search Action History: Search the action history by Device ID.
Selective Wipe Device: Execute a Selective Wipe on a device.
Wipe Device: Delete all information stored on a device.
4. Enter the appropriate values for each of the MobileIron Add Endpoint Context Server parameters described in Table 351.
5. When satisfied with the settings, click Save.
Table 351: Adding a MobileIron Endpoint Context Server - Server Page Parameters
Select Server Type: 1. Choose MobileIron from the drop-down list.
Server Name: 2. Enter a valid server name. You can enter an IP address or host name.
Server Base URL: 3. Enter the full URL for the server.
Table 352 describes the Endpoint Context Server Actions that are available:
Table 352: Adding a MobileIron Endpoint Context Server - Actions Page Parameters
Get Labels: Get the label information of the device.
Lock Device: Lock the device.
Remote Wipe: Delete all information stored on the device.
Send Message: Send a message to the device.
Unlock Device: Unlock the device.
9. When satisfied with the Action settings, click Save.
You can add multiple endpoint context servers of the same type.
4. Enter the appropriate values for each of the Palo Alto Networks Firewall > Add Endpoint Context Server parameters described in Table 353.
5. When satisfied with the settings, click Save.
Table 353: Add Endpoint Context Server > Palo Alto Networks Firewall Parameters
Select Server Type: Choose Palo Alto Networks Firewall from the drop-down list.
Server Name: Enter a valid server name.
Adding a Palo Alto Networks Panorama Endpoint Context Server
Consult Palo Alto Networks' documentation for more information about the parameters that you must enter to configure this endpoint context server.
To add a Palo Alto Networks Panorama endpoint context server:
1. Navigate to Administration > External Servers > Endpoint Context Servers. The Endpoint Context Servers page opens.
2. Click Add. The Add Endpoint Context Server dialog opens.
3.
Table 354: Add Endpoint Context Server > Palo Alto Networks Panorama Parameters (Continued)
Username: Enter the username.
Password: Enter and verify the password.
Verify Password
Username Transformation: Choose one of the following options:
- None: Do not use any username transformation.
- Prefix NETBIOS name: Prefix the NetBIOS name in UID updates.
- Use Full Username: Use the full username in UID updates.
GlobalProtect: Enable to send the HIP report to the firewall.
Server Tab
The following figure displays the Add Endpoint Context Server - Server (SAP Afaria) tab:
Figure 670: Add Endpoint Context Server - Server (SAP Afaria) Tab
You can add more than one endpoint context server of the same type. For example, you can add more than one AirWatch endpoint context server.
Actions Tab
The following figure displays the Add Endpoint Context Server - Actions (SAP Afaria) tab:
Figure 671: Add Endpoint Context Server - Actions (SAP Afaria) Tab
The following table describes the Add Endpoint Context Server - Actions (SAP Afaria) tab parameters:
Table 356: Add Endpoint Context Server - Actions (SAP Afaria) Tab Parameters
Enterprise Wipe: Delete corporate information and related data.
Lock Device: Lock the associated device.
Figure 672: Adding a SOTI Endpoint Context Server > Server (SOTI) Dialog
You can add more than one endpoint context server of the same type.
The following table describes the SOTI Add Endpoint Context Server > Server parameters:
Table 357: Adding a SOTI Endpoint Context Server > Server Parameters
Select Server Type: 1. Choose SOTI from the Select Server Type drop-down list.
Server Name: 2. Enter a valid server name. You can enter an IP address or a hostname.
Table 357: Adding a SOTI Endpoint Context Server > Server Parameters (Continued)
Enable Server: 8. Enable Enable Server to fetch endpoints from the server.
Bypass Proxy: 9. Enable Bypass Proxy to bypass the proxy server.
10. To save your changes, click Save.

Adding a XenMobile Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Table 358: Add Endpoint Context Server - Server (XenMobile) Tab Parameters (Continued)
/api/?type=keygen&user={username}&password={password}
Username: Enter the username.
Password: Enter and verify the password.
Verify Password
Validate Server: Enable to validate the server certificate. Checking this option enables the Certificate tab.
Enable Server: Enable to fetch endpoints from the server.
Bypass Proxy: Enable to bypass the proxy server.
The following figure displays the Add File Backup Server page:
Figure 674: File Backup Servers - Add File Backup Server Page
The following table describes the Add File Backup Server page parameters:
Table 359: Add File Backup Server Page Parameters
Host: Enter the name or IP address of the host.
Description: Enter a description that provides additional information about the File Backup server.
Table 359: Add File Backup Server Page Parameters (Continued)
Username: Enter the user name of the host server.
Password: Enter the password of the host server.
Verify Password
Timeout: Specify the timeout value in seconds. The default value is 30 seconds.
Remote Directory: Specify the location to which the files are to be copied. A folder is created automatically in the file path that you specify, based on the ClearPass servers selected in the ClearPass Servers field.
Table 360: Server Certificate Parameters
Create Self-Signed Certificate: Opens the Create Self-Signed Certificate page, where you can create and install a self-signed certificate. For more information, see Creating and Installing a Self-Signed Certificate on page 676.
Create Certificate Signing Request: Opens the Create Certificate Signing Request page, where you can create and install a Certificate Signing Request.
The following table describes the RADIUS Server Certificate parameters:
Table 361: RADIUS Server Certificate Parameters
Subject: Displays the Organization and Common Name.
Issued by: Displays the Organization and Common Name of the issuer.
Issue Date: Displays the date the self-signed certificate was installed.
Expiry Date: Displays the date when the self-signed certificate expires.
Validity Status: Displays the validity status of the self-signed certificate.
The following table describes the HTTPS Server Certificate parameters:
Table 362: HTTPS Server Certificate Parameters
Subject: Displays the Organization and Common Name.
Issued by: Displays the Organization and Common Name of the authority that issued the server certificate.
Issue Date: Displays the date the self-signed certificate was installed.
Expiry Date: Displays the date when the self-signed certificate expires.
Validity Status: Displays the validity status of the self-signed certificate.
Figure 678: Create Certificate Signing Request Dialog
4. Specify the Create Certificate Signing Request parameters as described in Table 363, then click Submit.
Table 363: Create Certificate Signing Request Parameters
Common Name (CN): Enter the name associated with this entity. This can be a host name, IP address, or other name. The default is the fully qualified domain name (FQDN). This field is mandatory.
Organization (O): Enter the name of the organization.
Table 363: Create Certificate Signing Request Parameters (Continued)
- rid: id
Private Key Password / Verify Private Key Password: Enter the private key password, then verify it.
Private Key Type: Select the length for the generated private key from the following options:
- 1024-bit RSA
- 2048-bit RSA. This is the default.
- 4096-bit RSA
- X9.
Figure 679: Create Self-Signed Certificate Page
4. Configure the Create Self-Signed Certificate parameters as described in Table 364.
Table 364: Create Self-Signed Certificate Parameters
Selected Server: Displays the name of the selected server on the Server Certificate page.
Selected Type: Displays the selected certificate type for the server on the Server Certificate page.
Common Name (CN): Enter the name associated with this entity.
Table 364: Create Self-Signed Certificate Parameters (Continued)
- URI: uri
- IP: ip_address
- dns: dns_name
- rid: id
This field is optional.
Private Key Password / Verify Private Key Password: Enter the private key password, then verify the password.
Private Key Type: Select the type and length of the generated private key from the following options:
- 1024-bit RSA
- 2048-bit RSA
- 4096-bit RSA
- X9.
Figure 680: Create Self-Signed Certificate Page
2. Click Install. After you click Install, Policy Manager generates a message about the status of the certificate installation. If the installation is successful, the page displays the message: Server Certificate updated successfully.
3. Because all services are restarted after a successful certificate installation, you must click Logout, then log in to the W-ClearPass client to continue.
Figure 681: Import Server Certificate Dialog
For security reasons, certificates signed using SHA1RSA are not recommended. Importing certificates signed with stronger keys, such as RSA with a length of more than 1024 bits, is recommended.
3. Specify the Import Server Certificate parameters as described in the following table:
Table 365: Import Server Certificate Parameters
Selected Server: Displays the name of the selected W-ClearPass server.
Certificate Trust List
The Certificate Trust List page displays a list of trusted Certificate Authorities (CAs). On this page, you can add, view, or delete a certificate.
The following table describes the Certificate Trust List parameters:
Table 366: Certificate Trust List Parameters
Subject: Displays the Distinguished Name (DN) of the subject field in the certificate.
Validity: Indicates whether the CA certificate is valid or expired.
Enabled: Indicates whether the CA certificate is enabled or disabled.
Adding a Certificate
1. Navigate to Administration > Certificates > Trust List.
2. Click the Add link on the top right section of the page.
3.
Certificate Revocation Lists
This section provides the following information:
- About Certificate Revocation Lists
- Updating All Certificate Revocation Lists
- Adding a Certificate Revocation List
- Deleting a Certificate Revocation List
About Certificate Revocation Lists
A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.
Figure 685: Add Certificate Revocation List Dialog
3. Configure the Add Certificate Revocation List parameters as described in Table 368, then click Save.
Table 368: Add Certificate Revocation List Parameters
File: Enable the File button to use a distribution file as the Certificate Revocation List distribution point. File is enabled by default.
RADIUS Dictionary
This page includes the list of available vendor dictionaries. To configure RADIUS dictionaries, navigate to Administration > Dictionaries > RADIUS. The following figure displays the RADIUS Dictionaries page:
Figure 686: RADIUS Dictionaries
Click a row to view the dictionary attributes, to enable or disable the dictionary, and to export the dictionary. For example, click the vendor IETF to see all IETF attributes and their data types.
The following table describes the RADIUS Attributes parameters:
Table 369: RADIUS Dictionary Attributes Parameters
Export: Click to save the dictionary file in XML format. You can make modifications to the dictionary and import the file back into Policy Manager.
Enable/Disable: Enable or disable this dictionary. Enabling a dictionary makes it appear in the Policy Manager rules editors (Service rules, Role mapping rules, etc.).
Import link. To add or modify attributes in an existing service dictionary, select the dictionary, export it, make edits to the XML file, and import it back into Policy Manager. The following figure displays the TACACS+ Services Dictionaries page:
Figure 689: TACACS+ Services Dictionaries Page
The following table describes the TACACS+ Services Dictionaries parameters:
Table 371: TACACS+ Services Dictionaries Parameters
Import: Click to open the Import Dictionary pop-up.
The following figure displays the TACACS+ Service Dictionary Attributes pop-up:
Figure 690: TACACS+ Service Dictionary Attributes Pop-up
Device Fingerprints Dictionary
The Device Fingerprints page shows a listing of all the device fingerprints recognized by the Profile module. These fingerprints are updated from the Dell W-ClearPass Updates Portal (see Software Updates and OnGuard Settings on page 693 for more information). To view the contents of the Device Fingerprints Dictionary:
1.
Figure 692: Device Fingerprint Dictionary Attributes Page
Dictionary Attributes
This section contains the following information:
- Introduction
- Adding a Dictionary Attribute
- Modifying Dictionary Attributes
- Importing Dictionary Attributes
- Exporting All Dictionary Attributes
- Exporting Selected Dictionary Attributes
Introduction
The Attributes dictionary page allows you to specify unique sets of criteria for local users, guest users, endpoints, and devices.
Figure 693: Dictionary Attributes Page
Table 372 describes the Dictionary Attributes parameters:
Table 372: Dictionary Attributes Parameters
Filter: Use the Filter drop-down list to create a search based on the Name, Entity, Data Type, Is Mandatory, or Allow Multiple settings.
Name: The name of the attribute.
Entity: Indicates whether the attribute applies to a Local User, Guest User, Device, or Endpoint.
Figure 694: Add Attribute Dialog
2. Specify the Add Attribute parameters as described in the following table, then click Add.
Table 373: Attribute Setting Parameters
Entity: Specify whether the attribute applies to a Device, Endpoint, Guest User, Local User, or Onboard.
Name: Enter a unique ID for this dictionary attribute.
Data Type: From the drop-down, specify the data type.
Is Mandatory: Specify whether the attribute is required for a specific entity.
Figure 695: Importing Dictionary Attributes
2. Enter the Import from File parameters as described in Table 374.
Table 374: Import From File Parameters
Select File: Browse to select the file that you want to import.
Enter secret for the file (if any): If the file that you want to import is password protected, enter the secret here.
3. When finished, click Import. The imported file is in XML format.
Table 375: Export to File Parameters
Export file with password protection: The Yes option is enabled by default. If you wish to disable password protection when exporting a file, select No.
Secret Key: If the file that you want to import is password protected, enter the secret here. Then verify the secret key.
3. When finished, click Export. The TagDictionary.xml file is created.
4. Download the file.
About Software Updates This section describes the W-ClearPass Policy Manager server software update process.
Table 376 describes the Software Updates parameters:
Table 376: Software Updates Parameters
Subscription ID: 1. Enter the Subscription ID provided to you. This text box is enabled only on a Publisher node. You can opt out of automatic downloads at any time by saving an empty Subscription ID.
Save: 2. To save the Subscription ID, click Save. This button is enabled only on a Publisher node.
Table 376: Software Updates Parameters (Continued)
Uninstall: 8. To uninstall a skin, click Uninstall (for details, see Uninstalling a Skin). NOTE: You cannot uninstall cumulative or point patch updates.
Needs Restart: The Needs Restart link appears when an update needs a reboot of the server in order to complete the installation. Clicking this link displays the Install Update dialog box, which shows the log messages generated during the installation.
The following figure displays the Install Update dialog box:
Figure 698: Install Update Dialog Box
The following table describes the Install Update parameters:
Table 377: Install Update Parameters
Reboot: 1. To initiate a reboot of the server, click Reboot. The Reboot button appears only for updates that require a reboot to complete the installation.
Clear & Close: 2. To delete the log messages and close the dialog, click Clear & Close.
The Webservice itself is refreshed with the Antivirus and Antispyware data hourly, and with Windows Updates daily. Fingerprint data and Firmware & Patches are refreshed as and when new ones are available. An event is generated and displayed in the Event Viewer with the list of new updates that are available. If an SMTP server and Alert Notification email addresses are configured, an email from the Publisher node is sent with the list of downloaded images.
Figure 700: Install Update Dialog
4. To uninstall the skin, click Uninstall. The Install Update screen closes and the software is uninstalled.
OnGuard Settings and OnGuard Custom Web Pages
This section provides the following information:
- Introduction
- About the OnGuard Custom Interface and the Remediation Process
- Configuring OnGuard Settings
- Creating OnGuard Custom Web Pages
Introduction
Use the OnGuard Settings page to configure the agent deployment packages.
the user choose whether to execute the remedial script or not. While the script is being executed and new health checks are run, progress messages are displayed. The pages of the wizard are created using W-ClearPass Guest’s Web Pages configuration forms, and can be customized with logo, text, and images (for details, refer to the Custom User Interface parameter in Table 378 and Creating OnGuard Custom Web Pages).
Table 378: OnGuard Settings Parameters
Global Agent Settings: Configure the global agent settings parameters for OnGuard agents. For more information, see OnGuard Global Agent Settings on page 708.
Policy Manager Zones: Configure the network (subnet) for a Policy Manager Zone. For more information on configuring Policy Manager zones, see Managing Policy Manager Zones on page 541.
Agent Version: Indicates the current version of the OnGuard agent.
Table 378: OnGuard Settings Parameters (Continued)
- Authenticate - no health checks: OnGuard collects username/password but does not perform health checks on the endpoint.
- Check health - no authentication: OnGuard does not collect username/password.
- Authenticate with health checks: OnGuard collects username/password and also performs health checks on the endpoint.
Username/Password Text:
- The label for the Username and Password fields on the OnGuard agent.
To create the OnGuard custom web pages:
1. Navigate to Administration > Agents and Software Updates > OnGuard Settings. The OnGuard Settings page opens.
2. Scroll down to the Agent Remediation User Interface Customization section.
3. To enable the Custom User Interface configuration dialog, click (enable) the Configure check box.
Figure 702: Agent Remediation User Interface Customization Dialog
4. Click the Create link for the OnGuard custom web page you want to create.
Figure 703: Configuring a New OnGuard Custom Web Page
5. Specify the required parameters (Name, Page Name, and Skin, as well as Title if desired), then click Create Page. The OnGuard custom web page is created.
6. Window Behavior:
- Always on Top: The custom user interface window will always be on top of any other windows present.
- Allow Minimize: When set to True, the custom user interface window can be minimized.
- Allow Close: Prevents users from closing the custom user interface window.
HTML Content for OnGuard Custom Web Pages
- OnGuard Start Page
- OnGuard Progress Page
- OnGuard Finish Success Page
- OnGuard Finish Error Page
- OnGuard Finish Reboot Page
This section provides the required names for each OnGuard custom web page as well as the recommended HTML content. Be sure to use the Page Names specified here, as W-ClearPass Policy Manager and OnGuard Agent look for pages with these names. Text in italics should not be changed.
We will now rescan your system to verify that it meets Minimum Security Specifications and then connect you to the Network.
If you are not connected in five minutes, please contact 12334 or click here .
Close
OnGuard Finish Error Page
The OnGuard Finish Error Page is shown if at least one of the scripts returns Failure and a reboot is not required. This page includes a Close button.
6. Administrators will have to refresh or open the OnGuard Settings page again after creating web pages in W-ClearPass Guest (Administration > Agents and Software Updates > OnGuard Settings).
7. If the W-ClearPass Server Certificate is not validated when W-ClearPass loads the web page for the first time, the custom user interface displays the following security alert:
Figure 704: Server Certificate Not Validated Security Alert
8.
- Failed to download script file = 262 (0x106)
- Execution level is set to “User” but the user is not logged on, so OnGuard was not able to launch the script = 263 (0x107)
OnGuard Global Agent Settings
This section provides the following information:
- About Global Agent Settings
- Global Agent Settings Parameters for OnGuard Agents
- Global Agent Settings: Run OnGuard As Parameter
About Global Agent Settings
Use the Global Agent Settings page to configure the global parameters for OnGuard agents.
Global Agent Settings Parameters for OnGuard Agents
Table 379 describes the Global Agent Settings parameters for OnGuard agents:
Table 379: Configure Global Settings Parameters
Name:
Allowed Subnets for Wired access: Add a comma-separated list of IP addresses or subnet addresses.
Allowed Subnets for Wireless access: Add a comma-separated list of IP addresses or subnet addresses.
Table 379: Configure Global Settings Parameters (Continued)
> Enforcement > Profiles > Add) to create different Agent Enforcement Profiles for different users.
Run OnGuard As: For details, see the next section, Global Agent Settings: Run OnGuard As Parameter.
Server Certificate Validation: Enables the W-ClearPass OnGuard Unified Agent to validate the W-ClearPass Server Certificate when it sends a WebAuth health request to W-ClearPass.
5. Value: Select the appropriate option as described in Table 380. Table 380 describes the available values for the Run OnGuard As parameter.
6. Click Save.
Table 380: Global Agent Settings: Run OnGuard As Parameters
Agent: Health checks are performed by the OnGuard Agent after the user logs in to the client.
Service: OnGuard Agent performs health checks as soon as the client boots up, that is, even before the user logs in to the client.
Chapter 12 Cluster Upgrade/Update Tool
This chapter contains the following information:
- About the Cluster Update Tool
- About the Cluster Upgrade Tool
About the Cluster Update Tool
This section provides instructions for updating a W-ClearPass cluster with Patch and Skin releases using the Cluster Update tool. The Cluster Update tool automates the process of updating your W-ClearPass cluster. The cluster Publisher node is updated first.
Before Updating the Cluster
Before updating the W-ClearPass cluster, complete the following tasks:
1. Before starting the Cluster Update, plan for sufficient downtime and review the Release Notes for the current W-ClearPass Policy Manager release.
2. Confirm that the relevant Patch updates are available under Software Updates before starting the cluster update. Download the patches either from the Webservice or by uploading them directly to Software Updates.
Figure 708: Cluster Update Page
This page includes the information described below in Table 381.
Table 381: Information on the Cluster Update Page
Update Info: Describes the patch update details, provides a link to the Release Notes, includes release-specific comments, and specifies if a reboot is required for the patch.
Database Info: Shows the size of the Configuration database.
Publisher Details: Information for the Publisher and for all Subscriber nodes in the cluster.
Figure 709: The Start Cluster Update Window
You can update the entire cluster or just a subset of Subscriber nodes.
6. In the Start Cluster Update window, use the check boxes to select the Subscriber nodes to update.
7. To force the update, select Force install patch update under Install Option.
8. Click Update. This initiates the automated update process. No further manual steps are required until all selected Subscriber nodes have been updated. The Publisher is always updated and rebooted first.
Figure 710: Status Indicators in the Update Steps Area
If you navigate to another page, and then navigate back to the Software Updates page, a status link will be provided.
Figure 711: In Progress Status Link
Clicking the link takes you back to the Cluster Update page.
2. For detailed progress information, click the View Logs button in the Publisher’s or Subscriber’s row. The Logs window opens. This window includes tabs for the Download, Upgrade, Reboot, and Onboot logs.
Figure 712: Details Displayed on the Logs Window
About the Cluster Upgrade Tool
This section includes the following information:
- Cluster Upgrade Process Overview
- Before You Upgrade
- Installing the Cluster Upgrade Tool
- Launching the Cluster Upgrade Tool
- Upgrading the W-ClearPass Cluster
- Viewing Upgrade Status
- Steps in the Upgrade Tool’s Automated Workflow
- Troubleshooting Tips
Introduction
This section provides instructions for upgrading a W-ClearPass cluster using the Cluster Upgrade Tool. The Cluster Upgrade Tool is a simple user interface that automates the upgrade procedure for a W-ClearPass cluster. When the Upgrade is initiated, no manual actions are required until the Publisher and all selected Subscribers have been upgraded.
- Port 443 (HTTPS)
- Port 22 (SSH)
7. Confirm that the Publisher node and all Subscriber nodes in the cluster are in sync before starting the upgrade.
8. On the Software Updates page, enter the Subscription ID.
9. On the Publisher node, download the W-ClearPass 6.6 upgrade image from the Software Updates portal (see Software Updates and OnGuard Settings on page 693). The Upgrade tool automates the process of copying over the upgrade image to the selected subscribers in the cluster.
10.
Figure 713: The Link to the Cluster Upgrade Tool Release Notes
If the Publisher Is Not Set Up
To install the Upgrade Tool if the Publisher is not set up to display available updates:
1. On the Dell Support Site (https://download.dell-pcw.com), manually download the Cluster Upgrade Tool.
2. On the Publisher’s Software Updates portal, use the Import Updates link to upload it.
3. Install the Upgrade Tool as described above.
Opening the Tool Via Your Web Browser
To open the Cluster Upgrade Tool directly through your Web browser:
1. Enter https:///upgrade in your browser’s address bar.
2. If you are prompted to log in, use your W-ClearPass Policy Manager administrator credentials. The Cluster Upgrade Utility page opens.
Figure 715: The Cluster Upgrade Utility Page
This page includes the information described below in Table 382.
Figure 716: Special Characters Note
Figure 717: More Information > Special Characters Note
Upgrading the W-ClearPass Cluster
To upgrade the W-ClearPass cluster:
1. Navigate to Administration > Agents and Software Updates > Software Updates > Cluster Upgrade.
2. Before you start the upgrade, verify that the W-ClearPass 6.6 Upgrade Image is downloaded and available in the Software Updates portal. If the upgrade image is not available, the Cluster Upgrade page displays a message advising you to download it.
Figure 718: The Message Advising that the Upgrade Image Must Be Downloaded
3. When you open the Cluster Upgrade Tool, it immediately prepares the subscribers for upgrade by automatically installing the required additional API support. This is a background process and does not require any actions from the user. A progress indicator is shown during this stage.
Figure 719: The Start Cluster Upgrade Window
You can upgrade the entire cluster or just a subset of Subscriber nodes.
5. In the Start Cluster Upgrade window, use the check boxes to select the Subscriber nodes to upgrade.
6. In the LogDB backup and restore options drop-down list:
a. If you need a backup of the Access Tracker records to potentially restore after upgrade, select Access tracker records are backed up but will not be restored. This option will increase the overall upgrade time.
b.
Viewing Upgrade Status After the Publisher Upgrade is complete, you can monitor the Upgrade status of the Subscriber nodes at Administration > Agents and Software Updates > Software Updates > Cluster Upgrade. The tool provides two ways to monitor the upgrade’s progress: 1. On the Cluster Upgrade page, progress indicators in the Upgrade Steps area show the status of some of the main steps.
Figure 722: Details Displayed on the Logs Window
Steps in the Upgrade Tool’s Automated Workflow
This section describes the steps that are automatically completed by the Cluster Upgrade Tool.
1. To prepare the Subscriber nodes for upgrade, a patch that provides required API support is automatically installed by the Upgrade Tool on every Subscriber. The Cluster Upgrade Tool uses remote API calls to control and monitor upgrade progress on the Subscriber nodes.
7. During the parallel upgrade process, upgrade of the first Subscriber node begins five minutes after the Publisher upgrade is completed. 8. Upgrade of the second Subscriber node begins five minutes after the upgrade of the first Subscriber begins. This pattern continues sequentially for all Subscriber nodes in the cluster, with a five-minute delay between each start time. 9. When each Subscriber is rebooted, it is added back into the cluster. Insight data is migrated and restored. 10.
Be aware that all status and progress information will be reset when the Publisher is reverted to a previous version. You can initiate the upgrade again from the Cluster Upgrade Tool.
Chapter 13 Configuring Processing for Ingress Events
This chapter includes the following information:
- Enabling Ingress Event Dictionaries
- Configuring the Ingress Event Sources
- Configuring an Event-Based Enforcement Service
- Configuring the Ingress Receiving Ports
- Enabling Ingress Events Processing
Overview
This chapter provides the procedures for configuring W-ClearPass Policy Manager to process ingress threat-related events.
Figure 724: Enabling an Ingress Events Dictionary
3. To enable the selected ingress events dictionary, click Enable. You return to the Ingress Events Dictionaries page. The dictionary information is no longer displayed in red and the Status column is set to Enabled.
Configuring the Ingress Event Sources
The Event Source is the device that sends Syslog events to W-ClearPass. Any events sent that are not from configured event sources are ignored.
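The source check described above, as an added Python example that is not W-ClearPass code: incoming Syslog events are accepted only when the sender's address matches a configured Event Source (modelled here with the Name, IP Address, Type and Vendor fields of an Event Source entry), and everything else is dropped before the RFC 3164 header is parsed. The event-source table, the source names and addresses, and the sample datagrams are all constructed for this example.

```python
"""Added example (not W-ClearPass code): model of the ingress event-source
filter. Only Syslog events whose sender is a configured Event Source are
processed; all other senders are ignored. All names, addresses and sample
datagrams below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_INGRESS_PORT = 514  # default TCP and UDP ingress receiving port


@dataclass(frozen=True)
class EventSource:
    """One configured Event Source (constructed counterpart of the fields
    in the Add Event Source dialog)."""
    name: str
    ip_address: str
    source_type: str
    vendor: str


# Constructed event-source table, keyed by the sender's IP address.
EVENT_SOURCES: Dict[str, EventSource] = {
    "192.0.2.10": EventSource("ips-sensor-1", "192.0.2.10", "Syslog", "ExampleVendor"),
}

# RFC 3164 header: "<PRI>" followed by the rest of the message.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)


def parse_pri(pri: int) -> Tuple[int, int]:
    """Split an RFC 3164 PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def process_event(src_ip: str, raw: bytes,
                  sources: Dict[str, EventSource] = EVENT_SOURCES) -> Optional[dict]:
    """Return a parsed event, or None when the event is ignored.

    An event is ignored when the sender is not a configured Event Source
    (the page's rule) or when the Syslog header is malformed."""
    source = sources.get(src_ip)
    if source is None:
        return None  # sender not configured as an Event Source: ignored
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    match = SYSLOG_RE.match(text)
    if match is None:
        return None  # no "<PRI>" header
    try:
        facility, severity = parse_pri(int(match.group("pri")))
    except ValueError:
        return None  # PRI outside the valid 0..191 range
    return {
        "source": source.name,
        "type": source.source_type,
        "vendor": source.vendor,
        "facility": facility,
        "severity": severity,
        "message": match.group("rest").strip(),
    }


# Constructed sample datagrams as (sender IP, payload). A real listener
# would bind DEFAULT_INGRESS_PORT on UDP and TCP and pass the peer address.
SAMPLE_DATAGRAMS: List[Tuple[str, bytes]] = [
    ("192.0.2.10", b"<134>Jan  1 00:00:01 sensor1 IPS: threat detected src=198.51.100.7 sev=high"),
    ("192.0.2.99", b"<134>Jan  1 00:00:02 rogue IPS: threat detected src=198.51.100.8 sev=high"),
    ("192.0.2.10", b"garbage without a PRI header"),
]


def run_samples(datagrams=SAMPLE_DATAGRAMS) -> Tuple[List[dict], int]:
    """Feed the constructed datagrams through the filter.
    Returns (accepted events, number of ignored datagrams)."""
    accepted: List[dict] = []
    ignored = 0
    for src_ip, raw in datagrams:
        event = process_event(src_ip, raw)
        if event is None:
            ignored += 1
        else:
            accepted.append(event)
    return accepted, ignored


if __name__ == "__main__":
    events, dropped = run_samples()
    for event in events:
        print(f"accepted from {event['source']}: facility={event['facility']} "
              f"severity={event['severity']} message={event['message']}")
    print(f"ignored: {dropped}")
```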
Figure 725: Adding an Event Source
3. Specify the Add Event Source parameters as described in Table 384.
Table 384: Configuring the Event Source Parameters
Name: 1. Enter the IP address of the device that will send Syslog events to W-ClearPass.
Description: Optionally, enter a description of this Event Source.
IP Address: 2. Enter the IP address of the device that will send Syslog events to W-ClearPass.
Type: 3. From the drop-down, select the Event Source Type.
Vendor: 4.
Configuring the Ingress Receiving Ports
The ingress receiving ports are the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports on the W-ClearPass server to which the event source sends threat-related events. By default, the ingress receiving port is 514 for both TCP and UDP. You can modify the ingress receiving ports to a custom value as necessary. To confirm or change the ingress receiving ports on the W-ClearPass server:
1.
Adding an Event-Based Enforcement Service
To add an event-based enforcement service:
1. Navigate to Configuration > Services. The Services page opens. The Services page provides options to add, modify, and remove a service.
2. To add the event-based enforcement service, click Add. The Add Services dialog opens.
3. From the Type drop-down list, select Event-based Enforcement (see Figure 728).
Figure 729: Specifying the Event-Based Enforcement Policy
From the Add Services > Enforcement page, you can either select an existing enforcement policy or create a new one.
2. From the Enforcement Policy drop-down list, select the appropriate Event Enforcement policy.
3. If you have not configured Event-type Enforcement policies, click Add New Enforcement Policy to create a new enforcement policy.
4. Specify the values for the remaining parameters as described in Table 385, then click Save.
The Server Configuration dialog appears.
Figure 730: Enabling Ingress Event Processing
4. Click the Enable Ingress Events Processing check box. The following warning dialog is displayed, alerting you to the impact on system performance that may occur when you enable ingress events processing.
Figure 731: Warning Dialog for Enabling Ingress Events Processing
5. To proceed with ingress events processing on this server, click Yes.
Chapter 14 OnGuard Dissolvable and Native Agents
This appendix includes the following information:
- Introduction
- Accessing the OnGuard Support Charts
- Upgrading From OnGuard Plugin Version 1.0 to 2.
Figure 732: OnGuard Agent Support Charts for Plugin Versions 1.0 and 2.0
Upgrading From OnGuard Plugin Version 1.0 to 2.0
This section contains the following information:
- Overview
- Creating a New Enforcement Profile to Set the SDK Type
- Modifying an Existing Enforcement Policy for OnGuard Plugin v2.0
- Creating a New Posture Policy for OnGuard Plugin v2.0 Agents
- Creating a WebAuth Service for OnGuard Plugin v2.
The Enforcement Profiles page opens.
2. Click the Add link. The Add Enforcement Profile dialog opens.
Figure 733: Adding a V4 Agent Enforcement Profile
3. Specify the Add V4 Agent Enforcement Profile parameters as described in the following table:
Table 386: Add V4 Agent Enforcement Profile Parameters
Template: Select Agent Enforcement.
Name: Enter a name for this enforcement profile.
Description: Optionally (but recommended), add a description of this enforcement profile.
5. Optionally (but recommended), specify a message in the Message attribute.
6. Select Click to add, then make the following selections:
- Attribute Name: SDK Type
- Attribute Value: V4
7. Click Save. The new enforcement profile is added.
Modifying an Existing Enforcement Policy for OnGuard Plugin v2.0
If you have an existing enforcement policy of the WebAuth service that is being used for OnGuard plugin version 1.0: V3 SDK, you must modify the enforcement policy to support OnGuard plugin version 2.0.
Figure 737: Changing the SDK Type Attribute to V4
7. Change the SDK Type > Attribute Value to V4, then click Save. The Enforcement Policy has been updated to support the OnGuard plugin version 2.0: V4 SDK. When the agent next performs a health check, it picks OnGuard plugin version 2.0.
Creating a New Posture Policy for OnGuard Plugin v2.0 Agents
The supported posture policy for the OnGuard plugin version 2.
Table 387: Adding V4 Posture Policy Parameters
Policy Name: Enter the name of this posture policy.
Description: Optionally (but recommended), add a description of this posture policy.
Posture Agent: Specify OnGuard Agent (the default).
Host Operating System: Specify Windows (the default).
Plugin Version: Plugin version 2.0 is specified by default. This is the plugin version required by the V4 SDK.
Restrict by Roles: Configure the roles as required by your installation.
Figure 740: Configuring the V4 Posture Plugin
5. Specify the W-ClearPass Windows Universal System Health Validator parameters as described in the following table:
Table 388: Add V4 Posture Plugin Parameters
Windows OS list: Select the Windows version of choice.
Enable checks for Windows: Select the check box for Enable checks for the selected version of Windows.
Firewall: From the list of Windows checks, select Firewall.
Figure 741: Configuring OnGuard Plugin Version 2.0 Posture Policy Rules
8. Specify the Rules Editor parameters as described in the following table, then click Save:
Table 389: Rules Editor Parameters
Conditions: Select Plugin Checks. Select Passes all SHV checks (the default setting).
Figure 742: Summary of V4 SDK Agents Posture Policy
Creating a WebAuth Service for OnGuard Plugin v2.0 Agents
The final task is to create a WebAuth service for OnGuard plugin version 2.0 V4 SDK Agents. To do so:
1. Navigate to Configuration > Services.
2. Click Add. The Add Services page opens.
3. Type: Select Web-based Authentication.
4. Name: Enter the name for this service.
5. Service Rule:
a. Matches: Leave the default setting, ALL of the following conditions.
b. Select Click to add...
9. From the Services page, click Reorder, then place the service for the V4 SDK before the service for the V3 SDK. This ensures that WebAuth requests with the V4 SDK are evaluated by the service configured for the V4 SDK.
Important Points
1. After installing W-ClearPass 6.6.7, OnGuard Agent is configured to use the OnGuard plugin version 2.0: OESIS V4 SDK by default. Thus, to fully configure the OnGuard plugin version 2.
15. You can check the value of the Host:SDKType attribute in Monitoring > Access Tracker > Input > Computed Attributes.
Native Agents Only Mode
The Native Dissolvable Agent communicates with the W-ClearPass Guest portal to send information about endpoints, such as status, health status, remediation messages, and so on. This communication is independent of the operating systems and browsers.
Figure 743: Policy-Initiated Log-in Method
2. Select the Require a successful OnGuard health check option in the Health Check field. If you select this field, the guest needs to pass a health check before accessing the network. Select the Native agents only mode in the Client Agents field:
Figure 744: Native Agents Only Mode
End-to-End Flow in Native Agents Only Mode
The following steps describe the end-to-end flow of the OnGuard Dissolvable Agent running in Native agents only mode:
1.
The Terms specified in the Login page are optional. You can configure them by selecting the Require a Terms and Conditions confirmation check box in the Terms field in the W-ClearPass Guest Login Form.
3. A prompt similar to the following OnGuard Agent download prompt appears when you log in for the first time to the Native Dissolvable Agent:
Figure 746: Native Dissolvable Agent Installer Prompt
The download options are available only when you log in for the first time.
Figure 748: Native Dissolvable Agent Installation
If you are running Windows OS, Internet Explorer provides options to Run or Save. Firefox and Chrome browsers provide the option to save the .exe file. If you are running Mac OS X, Firefox provides options to open the binary with DiskImageMounter or to save the .DMG file. Safari and Google Chrome browsers provide the option to Save only.
7. From the Launch Application page, select the W-ClearPass OnGuard Web Agent application.
8.
Figure 750: Native Dissolvable Agent Installation Progress
10. After the successful installation, the health check scanning is initiated. The following figure shows an example of the progress indicator:
Figure 751: Health Check Progress
11. After the health check scanning is completed, a page similar to the following example appears with the health check results if the client is unhealthy:
Figure 752: Health Check Results
12.
In Native agents only and Java only modes, the Auto-launch feature runs the end-to-end flow described above without the user having to click through the pop-ups and options, except for the Terms confirmation configured on the W-ClearPass Guest Login page. Auto-Login The Native Dissolvable Agent also supports the Auto-Login method, which skips the Guest Web Login page (and with it the Require a Terms and Conditions confirmation check box) by submitting the login automatically.
2. In the Health Check field, select the Require a successful OnGuard health check option. If you select this field, the guest needs to pass a health check before accessing the network. 3. In the Client Agents field, select the Native agents with Java fallback mode: Figure 755: Native Agents with Java Fallback Mode End-to-End Flow in Native Agents with Java Fallback Mode The posture assessment is performed based on your selection.
Figure 757: Web Agent Flow - 802.1X Service 2. Create a service named Web-based Health Check Only on the W-ClearPass Policy Manager server. The following figure shows an example of the Web Agent Flow - Health Only page: Figure 758: Web Agent Flow - Health Only 3. Create a simple Web Auth service that authenticates users against the W-ClearPass Guest user database and accepts the application authentication request once the sandwich flow completes.
1. Click Create a new web login page on the right corner of the W-ClearPass Guest UI. The following figure shows an example of the Web Login Editor page: Figure 760: Web Login Editor 2. Select the Anonymous - Do not require a username or password option from the drop-down. 3. Check the Enable bypassing the Apple Captive Network Assistant option in the Prevent CNA field. 4. Select the Local - match a local account option in the Pre-Auth Check field. 5.
Figure 761: Web Login - Login Form 7. Select the Local - match a local account option in the Post Authentication field. The following figure shows an example of the Web Login - Post-Authentication page: Figure 762: Web Login - Post-Authentication The following figure shows an example of the final web agent flow: For more information, refer to W-ClearPass Guest Online Help.
Native Dissolvable Agent Supported Operating Systems and Browsers This section provides information on the supported operating systems and browsers for the Native Dissolvable Agent. The versions given in the following table are tested and are up-to-date at the time of this release: Table 391: Native Dissolvable Agent Supported Browsers and Java Versions Operating System Browser Test Results Known Issues Tested Versions Windows Operating System Support Windows 10 64-bit Windows 10 32-bit Windows 8.
Table 391: Native Dissolvable Agent Supported Browsers and Java Versions (Continued) Operating System Browser Test Results Known Issues Tested Versions 6.6.0.79875 , Firefox 44.X Windows 8 32-bit Windows 2008 64-bit Windows XP SP3 Windows 2003 32-bit Windows Vista Internet Explorer Passed W-ClearPass Policy Manager 6.6.0.79875 , IE-10.X Chrome Passed W-ClearPass Policy Manager 6.6.0.79875 , Chrome 48.X Firefox Passed W-ClearPass Policy Manager 6.6.0.79875 , Firefox 44.
Table 391: Native Dissolvable Agent Supported Browsers and Java Versions (Continued) Operating System Browser Test Results Known Issues Tested Versions Mac OS X Support Mac OS X 10.11 Mac OS X 10.10 Mac OS X 10.9 Mac OS X 10.8 Mac OS X 10.7.5 Mac OS X 10.11 Safari 9.x Passed W-ClearPass Policy Manager 6.6.0.79875, Safari 9.X Firefox 44.x Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X Chrome 48.x Passed W-ClearPass Policy Manager 6.6.0.79875, Chrome-48.x Safari 9.
Table 391: Native Dissolvable Agent Supported Browsers and Java Versions (Continued) Operating System Browser Test Results Known Issues Tested Versions Firefox Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X Chrome Passed W-ClearPass Policy Manager 6.6.0.79875, Chrome-48.X Ubuntu Operating System Support Ubuntu 12.04 32-bit LTS Ubuntu 12.04 64-bit LTS Ubuntu 14.04 32-bit LTS Ubuntu 14.04 64-bit LTS Firefox Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox-38.
Table 392: OnGuard Dissolvable Agent Supported Browsers and Java Versions Operating System Browser Java Version Test Results Chrome 8u73 Failed Firefox 44.x 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X Internet Explorer 11.x 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, IE11.x Chrome 8u73 Failed Firefox 44.x 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X Internet Explorer 11.x 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, IE11.
Table 392: OnGuard Dissolvable Agent Supported Browsers and Java Versions (Continued) Operating System Windows 8 64bit Windows 8 32bit Windows 8.1 64-bit Windows 8.1 32-bit Browser Java Version Test Results Firefox 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X IE 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, IE11.X Chrome 8u73 Failed Firefox 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X IE 32-bit 8u73 Passed W-ClearPass Policy Manager 6.
Table 392: OnGuard Dissolvable Agent Supported Browsers and Java Versions (Continued) Operating System Windows 2008 64-bit Windows Vista Windows 2003 32-bit Windows XP 32-bit Browser Java Version Test Results Firefox 8u73 Passed W-ClearPass Policy Manager 6.6.0.80940, Firefox 45.X IE 8u73 Passed W-ClearPass Policy Manager 6.6.0.80940, IE11.x Chrome 8u73 Failed Firefox 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X IE 8u73 Passed W-ClearPass Policy Manager6.6.0.
Table 392: OnGuard Dissolvable Agent Supported Browsers and Java Versions (Continued) Operating System Browser Java Version Test Results Known Issues Tested Versions Chrome 35.X Firefox 8u73 Not supported W-ClearPass Policy Manager 6.6.0.79875, Firefox 30.X IE 8u73 Not supported W-ClearPass Policy Manager 6.6.0.79875, IE8.x Safari 8u73 Passed Firefox 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X Chrome 8u73 Failed W-ClearPass Policy Manager 6.6.0.79875, Chrome-44.
Table 392: OnGuard Dissolvable Agent Supported Browsers and Java Versions (Continued) Operating System Browser Java Version Test Results Chrome 8u73 Failed Safari 8u73 Passed Firefox 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X Chrome 8u73 Failed W-ClearPass Policy Manager 6.6.0.79875, Chrome-44.x Ubuntu Firefox 8u73 Passed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X Fedora Firefox 8u73 Failed W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.
Chapter 15 W-ClearPass Insight Reports This chapter describes how to use the W-ClearPass 6.6 Insight Reporting tool. This chapter includes the following information: l About W-ClearPass Insight l About the Insight Dashboard l Searching the Insight Database l Creating Alerts l Creating Reports l Insight Report Categories Reference l Administration Operations l Managing Insight Admin Privileges About W-ClearPass Insight This section presents an overview of W-ClearPass Insight.
l Finally, this chapter provides information on how to configure operational elements about file transfers, as well as database and report data retention (see Administration Operations on page 813). Browsers Supported W-ClearPass Insight uses a Web-based management interface. The following browsers are supported: l Apple Safari 6.2.x, 7.1.x, 8.0 l Google Chrome 47.x, 48.x l Microsoft Edge 25.x l Microsoft Internet Explorer 11.
Launching Insight To launch W-ClearPass Insight: 1. Use one of the following methods to launch W-ClearPass Insight. n Log in to Policy Manager, and then select Insight in the Dashboard > Applications widget. This opens Insight in a new tab. n Access Policy Manager by pointing the browser to https:///tips, then select the ClearPass Insight link (see Figure 764). n Point the browser to https:///insight. 2.
About the Insight Dashboard This section provides the following information: l Dashboard Overview l Adding a Report Widget to the Dashboard Landing Page l Removing a Report Widget from the Dashboard Landing Page l Creating a Report or Alert From the Dashboard l Specifying the Date Range for Data Collection l Authentication Dashboard l Endpoints Dashboard l Guest Dashboard l Network Dashboard l Posture Dashboard l System Dashboard l System Monitor Dashboard Dashboard Overview The Dash
Adding a Report Widget to the Dashboard Landing Page When you add a report widget to the Dashboard Landing page, that widget will appear in the Landing page, and the widget will also continue to be available on its Dashboard category page (for example, if you added the Top 10 Restarted Services widget from the System Dashboard, the Top 10 Restarted Services widget would be present in both the Dashboard Landing page and the System Dashboard). To add a report widget to the Dashboard Landing page: 1.
Figure 767: Removing a Widget From the Dashboard When you refresh the page, that widget disappears from the Dashboard. Creating a Report or Alert From the Dashboard The widgets on the Dashboard include links to the Create Reports and Create Alerts pages. To define and receive a regular report of the data for that Dashboard: l To open the Create Reports wizard from the Dashboard, click the down-arrow icon in the widget title bar and select Create Report.
Figure 768: Opening the Reports or Alerts Wizard from the Dashboard For detailed procedures to create reports and alerts, see Creating Reports on page 789 and Creating Alerts on page 783. Specifying the Date Range for Data Collection By default, the Insight widgets, including those on the Dashboard page as well as all the other Insight widgets, such as Endpoints, Guest, Posture, and so on, display information collected over the previous seven days.
Figure 769: Specifying a Custom Date Range 3. Select the Start Date and End Date from the calendar, then click Apply. The Dashboard widgets then display the information for the specified range of dates. Authentication Dashboard Authentication Dashboard widgets focus on authentication analytics and include widgets on trends, distribution, status, service, alerts, and statistics. To access the Authentication Dashboard, navigate to Dashboard > Authentication.
l Authentication Service l Authentication Status l Top 10 MAC Address Authentications l Top 20 NAD Authentications l Top 10 Authentication Errors l Latest 10 Authentication Alerts For more information about the Authentication reports and the widgets provided for each report, see Authentication Category Reports on page 798. Endpoints Dashboard The Endpoints Dashboard widgets provide analytics that focus on Endpoint trends, distribution, device profile, and bandwidth usage.
Guest Dashboard To access the Guest Dashboard, navigate to Dashboard > Guest. Figure 772: Guest Dashboard The following widgets are included by default on the Guest Dashboard: l Guests Authentication Trend l Unique Guest Authentication l Guests Provisioned l Guest Device Category l Guest Device Family l Guest Device Name l Top 20 Bandwidth Guest Users For more information about the Guest reports and the widgets provided for each report, see Guest Authentication Category Reports on page 802.
Network Dashboard To access the Network Dashboard, navigate to Dashboard > Network. Figure 773: Network Dashboard: NAD Vendor Distribution The following widget is included on the Network Dashboard: l NAD Vendor Distribution This widget displays the list of all the NAD (Network Access Device) vendors, including the number of NADs by each vendor.
The following widgets are included by default on the Posture Dashboard: l Health Status l Unhealthy Devices For more information about the Posture-related reports, see OnGuard Category Reports on page 806. System Dashboard To access the System Dashboard, navigate to Dashboard > System.
Figure 776: System Monitor Dashboard The following widgets are included by default on the System Monitor Dashboard: l Authentication Health l End-to-End Request Processing Time l Memory Usage l Swap Memory Usage l Disk Usage l CPU Usage l CPU Load The System Monitor Dashboard differs from the other Dashboard pages in that it can show data for two hours only (2h). To define a custom two-hour time slot: 1. Click the Custom drop-down list.
This section provides the following information: l About Insight Search l Search Example About Insight Search Use the Insight Search feature to query the Insight database. You can search for the following entities: l Endpoint IP address (Framed-IP-Address) l Clients by MAC address, hostname, or IP address l User name l W-ClearPass servers by name or IP address l Network access devices by name or IP address You can add clients and users to the Watchlist from Search results.
Figure 780: Locating and Identifying the Search Object 3. Select the search object. The Endpoint MAC Address report is automatically displayed (see Figure 781).
l Irregular network device access activity l Users attempting privileged commands on network devices l Irregular activity on the W-ClearPass servers Reports and alerts include templates for easy configuration. These templates allow you to quickly configure and monitor network activity. In addition to email notifications, you can also send alerts to mobile devices via SMS, providing the capability to receive mission-critical information on the go.
Table 393: Create New Alert Parameters
Alert Name: 1. Enter the name of the alert.
Description: 2. Optionally, enter a summary description of the alert.
Category: 3. Select the alert Category, then specify the desired alert type in the selected category:
n Authentication: a. Failed Authentication; b. Total Authentication
n System
n TACACS: a. TACACS Commands; b. TACACS Failures
Notifications: 4. Specify the alert notifications. n Notify by Email.
or to mobile devices via SMS. This allows an authentication failure to be resolved proactively, before the user reports the problem. The Watchlist generates an alert only when an unsuccessful authentication occurs for a specific watched device or user. Default Watchlist Trigger Settings The default Watchlist trigger settings are as follows: l Severity = Critical l Threshold = 1 l Interval = 30 seconds You cannot edit the Watchlist trigger settings. To modify the User Watchlist: 1.
Figure 785: Modifying the User Watchlist 3. Enter the desired settings for each User Watchlist parameter as described in Table 394. Table 394: Modify User Watchlist Parameters Alert Field Action/Description Alert Name 1. Optionally, you can modify the name of the User Watchlist. Description 2. Optionally (and recommended), enter a summary description of the User Watchlist. Category The Category is set to Alert > User Watchlist. This is not an editable field. Notifications 3.
Table 394: Modify User Watchlist Parameters (Continued) Alert Field Action/Description Alert Summary When you have configured the Watchlist settings, the Alert Summary displays the settings for your review. Save your changes 5. Click Save. Adding or Removing Users from the Watchlist You can use the Insight Search function to add users to or remove users from the Watchlist. Adding a User to the Watchlist To add a user to the Watchlist: 1. In the Insight Search window, enter the name of the user.
2. To add a user to the Watchlist, click the star icon next to the username as shown in Figure 786. The User Information page now displays the following information: Figure 787: User Successfully Added to Watchlist The star icon color is now set to orange, indicating the user has been added to the Watchlist. The following message is displayed: added to User Watchlist successfully. Please configure SMS and email notifications.
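The Failed Authentication alert type in Table 393 and the User Watchlist trigger above share one evaluation model: count matching events per subject inside a time interval and fire at a threshold. The following Python is an added example, not code from this guide or from the ClearPass product, that runs that model over a constructed set of authentication records. The record shape (ts, user, mac, status, error), the threshold of 3 failures in 60 seconds for the Failed Authentication alert, the watched user and MAC, and the notify() stub are all assumptions of the example; the Watchlist settings are the fixed values the guide states (Critical, threshold 1, interval 30 seconds).

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthEvent:
    """One authentication record. The field names are an assumed sample shape,
    not Insight's database schema."""
    ts: int             # seconds since epoch
    user: str
    mac: str
    status: str         # "ACCEPT" or "REJECT"
    error: str = ""


@dataclass(frozen=True)
class Alert:
    name: str
    severity: str
    subject: str
    ts: int
    detail: str


@dataclass
class ThresholdTrigger:
    """Fires when `threshold` matching events for one subject fall within
    `interval` seconds of each other (sliding window per subject)."""
    name: str
    severity: str
    threshold: int
    interval: int
    matches: object      # callable: AuthEvent -> bool
    subject: object      # callable: AuthEvent -> str
    _windows: dict = field(default_factory=dict)

    def feed(self, ev):
        if not self.matches(ev):
            return None
        key = self.subject(ev)
        w = self._windows.setdefault(key, deque())
        w.append(ev.ts)
        while w and ev.ts - w[0] > self.interval:   # forget matches outside the interval
            w.popleft()
        if len(w) < self.threshold:
            return None
        n = len(w)
        w.clear()   # the same failures do not fire a second alert
        return Alert(self.name, self.severity, key, ev.ts,
                     f"{n} failure(s) within {self.interval}s; last error: {ev.error!r}")


# Default Watchlist trigger settings from the guide; they are not editable.
WATCHLIST_SETTINGS = ("Critical", 1, 30)   # severity, threshold, interval (seconds)

# Subjects that have been added to the Watchlist (assumed sample values).
WATCHLIST_USERS = {"alice"}
WATCHLIST_MACS = {"aa:bb:cc:00:00:02"}


def build_triggers():
    failed = lambda e: e.status == "REJECT"
    severity, threshold, interval = WATCHLIST_SETTINGS
    return [
        # Authentication > Failed Authentication, with an assumed threshold and interval.
        ThresholdTrigger("Failed Authentication", "Warning", 3, 60, failed, lambda e: e.user),
        # User Watchlist: only an unsuccessful authentication for a watched user or device fires.
        ThresholdTrigger("User Watchlist", severity, threshold, interval,
                         lambda e: failed(e) and (e.user in WATCHLIST_USERS or e.mac in WATCHLIST_MACS),
                         lambda e: e.user),
    ]


def run(events, triggers):
    """Replay events in time order through every trigger; return the alerts raised."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        for trig in triggers:
            alert = trig.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


def notify(alert):
    """Stand-in for the Email/SMS notification configured on the alert (assumed)."""
    return f"[{alert.severity}] {alert.name}: {alert.subject} at {alert.ts}: {alert.detail}"


# Constructed sample records: bob fails three times within 60 s, the watched
# user alice fails once, then bob fails again after the window has been reset.
EVENTS = [
    AuthEvent(1000, "bob", "aa:bb:cc:00:00:01", "REJECT", "User not found"),
    AuthEvent(1010, "bob", "aa:bb:cc:00:00:01", "REJECT", "Bad password"),
    AuthEvent(1020, "alice", "aa:bb:cc:00:00:02", "ACCEPT"),
    AuthEvent(1030, "bob", "aa:bb:cc:00:00:01", "REJECT", "Bad password"),
    AuthEvent(1100, "alice", "aa:bb:cc:00:00:02", "REJECT", "Bad password"),
    AuthEvent(1200, "bob", "aa:bb:cc:00:00:01", "REJECT", "Bad password"),
]

if __name__ == "__main__":
    for alert in run(EVENTS, build_triggers()):
        print(notify(alert))
```

On the sample data the Failed Authentication alert fires once for bob at the third failure, and the Watchlist fires a Critical alert for alice on her single failure, as the threshold of 1 implies; alice's successful login and bob's later isolated failure raise nothing. Clearing the window after an alert is a design choice so that a burst produces one notification rather than one per event once the threshold is crossed.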
This section provides the following information: l Overview l Settings Configuration l Report Filters Configuration l Specifying the Logo and Branding l Report Summary Page l Configured Reports Page l Viewing Reports Overview The Reports page provides a method for creating reports with data filters and customized time ranges up to the previous two months.
Settings Configuration To create a new report: 1. From the Insight navigation panel, click Reports. 2. Select Create New Report. The Settings page of the Create New Report Wizard opens. Figure 790: Create New Report Wizard: Settings 3. Enter the appropriate information as described in Table 395. Table 395: Specifying the Report Settings Parameters Report Parameter Action/Description Report Name 1. Enter the name of the report. Description 2. Optionally, enter a summary description of the report.
Table 395: Specifying the Report Settings Parameters (Continued) Report Parameter Action/Description NOTE: For detailed information about what report types are provided for each report category, see Insight Report Categories Reference on page 798. Notifications 4. Optionally, specify report notifications. n Notify by Email. When you select this option, enter the list of email addresses to be notified. n Notify by SMS.
Report Filters Configuration When you complete the Settings page in the Create New Report wizard and click Next, the page that opens lets you configure the filters for your report. Each type of report has a specific set of filters available. The filters are applied to the data fetched from the database, and Insight displays the filtered result in the report. The filters that are available depend on the report category you specify.
Figure 793: Logo and Branding Section To specify the logo and branding information: 1. Enter the information as described in Table 396, then click Next. Table 396: Specifying Logo and Branding Parameters Report Parameter Action/Description Select Template 1. From the drop-down, select the logo and branding template. Page Title 2. Enter the page title. Top Section 3. Enter the header for the top of the page. Logo Image 4. To browse to the appropriate logo image, click Replace Image.
Report Summary Page When you complete the Logo and Branding section, the Report Summary is displayed. Figure 794: Report Summary 1. Review the Report Summary. a. If you wish to change any aspect of the report, click Edit Report. The Report Summary dialog opens. You can edit the current report settings as needed. b. Make any necessary changes, then click Save. 2. When the report settings are satisfactory, click Save. Insight generates the report. You return to the Configured Reports page.
Configured Reports Page To see the set of configured reports, select Reports > Configuration. The Configured Reports page opens. Figure 795: Configured Reports Page The blue dot next to a report name indicates that the report generation is complete. From this view, you can edit, copy, or delete a configured report. This page also provides two report widgets: l Top 10 Reports Time to Run 30 Days This widget lists the ten reports that took the longest (in seconds) to run over the last 30 days.
Figure 796: Created Reports 3. To download the zip file that contains the reports in PDF and CSV formats, click the Download icon (as shown in Figure 796). 4. To view the desired report in HTML format (which opens in new tab), click the name of the report. The generated report is displayed (see Figure 797). Figure 797: Report Displayed in HTML Format
Insight Report Categories Reference This section provides the following information: l Introduction l Authentication Category Reports l Endpoint Category Reports l Guest Authentication Category Reports l Network Category Reports l OnGuard Category Reports l Onboard Category Report l RADIUS Authentication Category Reports l System Category Reports l TACACS Category Reports Introduction This section provides detailed information about each of the report types and their associated widgets a
Table 397: Authentication Category Reports Report Type Report Widgets Accounting—Bandwidth and Session This report type includes the following bandwidth and session information: l Bandwidth Statistics: Total Bandwidth, Average Bandwidth, Maximum Bandwidth, Maximum Upstream Bandwidth, Maximum Downstream Bandwidth, Sessions, Maximum Duration, Users, Endpoints l Upstream Bandwidth and Downstream Bandwidth Trend l Total Bandwidth and Average Bandwidth Trend l Average Session Time Trend l Unique Session Trend
Table 397: Authentication Category Reports (Continued) Report Type Authentication Overview Report Widgets This report type includes the following information: Authentication Statistics l Total Authentication Trend l Authentication Status Trend l Unique Devices Authentication Trend l Unique Users Authentication Trend l Authentication Distribution Across Auth Status l Authentication Distribution Across Cluster l Authentication Distribution Across Service l Authentication Distribution Across VLAN l Authentica
Table 397: Authentication Category Reports (Continued) Report Type Report Widgets Top 10 Endpoints with Most Failed Authentications Top 10 Services with Most Failed Authentications NOTE: This report allows you to filter the report data by W-ClearPass Policy Manager host name, Network Access Device (NAD) IP address, SSID, and Error Code. l l Endpoint Category Reports The Endpoint category provides information on endpoints discovered during the report duration.
Table 398: Endpoint Category Reports (Continued) Report Type Report Widgets NOTE: This report also allows you to filter the report data by Network Access Device (NAD) IP address, Device Category, Device Family, Device name, and SSID.
Table 399: Guest Authentication Category Reports Report Type Guest—Auth Overview Report Widgets This report includes the following report widgets: Authentication Statistics l Total Authentication Trend l Authentication Status Trend l Unique Devices Authentication Trend l Unique Guests Authentication Trend l Authentication Distribution Across Authentication Status l Authentication Distribution Across Cluster l Authentication Distribution Across Service l Authentication Distribution Across VLAN l Authenticat
Table 399: Guest Authentication Category Reports (Continued) Report Type Report Widgets NOTE: This report also allows you to filter the report data by W-ClearPass Policy Manager host name.
Network Category Reports The reports available in the Network category, described in Table 400, contain data about network access devices and give details on authentication trends, such as successful and failed authentications on a per-day basis. Similar information can also be found in the Network widgets on the Network Dashboard. For additional information, see Network Dashboard on page 779.
OnGuard Category Reports The reports available in the OnGuard category provide analysis of the devices' posture and health status. These widgets contain data that can also be found in the Posture widgets on the Posture Dashboard. For additional information, see Posture Dashboard on page 779.
Table 401: OnGuard Category Reports Report Type Report Widgets Apple Mac Endpoint Posture This report type includes the following posture information for Apple/Macintosh endpoints: l OnGuard Statistics l OnGuard Device Authentication Trend l OnGuard Device Distribution Across Health Status l Antispyware Product Name l Antispyware Dat File Version l Antispyware Engine Version l OnGuard Device Distribution Across Antispyware Real-Time Protection Status l Antispyware Version l Antivirus Product Name l Antivi
Table 401: OnGuard Category Reports (Continued) Report Type Report Widgets OnGuard Device Distribution Across Health Status Antivirus Product Name l Antivirus Dat File Version l Antivirus Engine Version l OnGuard Device Distribution Across Antivirus RealTimeProtection Status l Antivirus Version NOTE: This report also allows you to filter the report data by System Posture Token (SPT).
Onboard Category Report The reports available in the Onboard category provide analysis of the devices onboarded during the report period, such as the active user and device counts, the revoked device count, the distribution of onboarded devices by device type, and Onboard enrollment details.
RADIUS Authentication Category Reports The reports available in the RADIUS Authentication category provide detailed analysis of authentication trends for successful and failed RADIUS authentications. Additional authentication statistics are displayed on the Authentication Dashboard. For additional information, see Authentication Dashboard on page 776.
Table 403: RADIUS Authentication Category Reports (Continued) Report Type Report Widgets Authentication Distribution Across Enforcement Profiles Authentication Distribution Across Role l Authentication Distribution Across Auth Source l Top 10 Users with Most Authentications l Top 10 MACs with Most Authentications l Top 10 Services with Most Authentications l Top 10 W-ClearPass Roles Assigned l Top 10 Authorization Sources l Top 20 NADs with Most Authentications l Top 10 Enforcement Profiles Used NOTE: This
Table 404: System Category Reports Report Type Report Widgets Configuration Audit This report type includes the following information for each configuration audit record: l Name of change l Action (for example, modify, add, or delete) l Category l Updated by l Update timestamp License Usage This report type includes the following licensing information: License Statistics, including the total licenses and used licenses for Policy Manager, Guest, W-ClearPass Enterprise, Onboard, and OnGuard l Endpoints T
Table 405: TACACS Reports Content Report Type TACACS—Authentication Report Widgets This report type includes the following TACACS statistics: the numbers and percentages of successful and failed authentications, and the numbers of users, W-ClearPass servers, and network devices.
Figure 798: Administration Page Support Information l Insight database migration is supported. l Configuration migration is not supported. l Database retention default: 30 days l Report retention default: 60 days l CSV report limit: 50,000 rows File Transfer Settings Configuration You can specify the file transfer settings for uploading generated Insight reports to a FileStore. To configure the File Transfer settings: 1. Navigate to the Administration page.
Figure 799: Specifying the Insight File Transfer Settings 2. In the File Transfer Settings section, enter the appropriate values as described in Table 406. 3. When finished, click Save. Table 406: Insight File Transfer Parameters Parameter Action/Description Host 1. Specify the IP address of the destination FTP server. Protocol 2. Specify the protocol used to upload the generated reports to the FileStore. If the FileStore offers an encrypted protocol (SFTP, for example), prefer it: over plain FTP the transfer credentials and the report contents, which include user names and endpoint identities, cross the network in cleartext.
Then the following screen appears: Figure 800: Successful File Transfer Test You are now ready to commence transferring Insight files to the FTP server as needed. Database Settings Configuration To configure the Insight database parameters: 1. Navigate to the Administration page. The Database Settings section is at the bottom of the Administration page. Figure 801: Specifying the Insight Database Settings 2. In the Database Settings section, enter the appropriate values as described in Table 407. 3.
Managing Insight Admin Privileges This section provides the following information: l Overview l Viewing the Default Insight Admin Privileges l Defining Custom Insight Admin Privileges l Insight UI Differences for Read-Only Users Overview W-ClearPass supports multilevel Insight administrators, each with a different level of administrative access to Insight. W-ClearPass provides a default Admin Privileges Read-only Administrator. The default sets of admin privileges cannot be modified.
Figure 803: Insight Read-Only Administrator Admin Privileges As shown in Figure 803, the default admin privileges for the Insight Read-only Administrator specify Read-only access to all of the Insight modules—Dashboard, Reports, Alerts, and Administration. Defining Custom Insight Admin Privileges As described above, W-ClearPass provides a default Read-only Administrator. The default sets of admin privileges cannot be modified.
Figure 804: Add Admin Privileges Dialog: Basic Information Tab 3. Specify the parameters in the Basic Information tab as described in Table 408. Table 408: Add Admin Privileges Parameters: Basic Information Tab Parameter Action/Description Name 1. Enter the name of the Admin Privileges administrator. Description 2. Provide a description of this new admin privileges administrator. Access Type 3.
Figure 805: Add Admin Privileges > Insight Dialog You must configure the admin privileges for Policy Manager also, otherwise the changes to the Insight admin privileges cannot be saved. 2. Specify the desired admin privileges for each of the Insight modules, then click Save.
Appendix A Command Line Interface Refer to the following sections to perform various tasks using the Command Line Interface (CLI): l Cluster Commands on page 821 l Configure Commands on page 824 l Miscellaneous Commands on page 836 l Network Commands on page 830 l Service Commands on page 845 l Show Commands on page 847 l SSH Timed Account Lockout l System Commands on page 856 Cluster Commands The Policy Manager command line interface includes the following cluster commands: l cluster drop
Example The following example removes the IP address 192.xxx.1.1 from the cluster: [appadmin]# cluster drop-subscriber -f -i 192.xxx.1.1 -s cluster list Use the cluster list command to list all the nodes in the cluster. Syntax cluster list Example The following example lists all the nodes in a cluster: [appadmin]# cluster list cluster make-publisher Use the cluster make-publisher command to promote a specific subscriber node to be the publisher node in the same cluster.
Table 410: Cluster Make-Subscriber Command Parameters Parameter/Flag Action/Description -b Generates a backup of the publisher before you make it a subscriber in the event the make-subscriber process fails and you need to restore the Publisher. -i Specify the Publisher's IP address. This field is mandatory. -l Restores the local log database after this operation. This field is optional. Example The following example converts the node with IP address 192.xxx.1.
Example The following example changes the cluster password on publisher nodes: [appadmin]# cluster set-cluster-passwd cluster set-cluster-passwd Continue? [y|n]: y Enter Cluster Passwd: college.162 Re-enter Cluster Passwd: college.162 INFO - Password changed on local (publisher) node Cluster password changed cluster sync-cluster-passwd Use the cluster sync-cluster-passwd command to synchronize the cluster (appadmin) password currently set on the publisher with all the subscriber nodes in the cluster.
node. The Audit Viewer (Monitoring > Audit Viewer) tracks NTP configuration changes.
Example 1 The following example configures the key-index, key-value, and encryption type for the primary and secondary NTP servers: [appadmin]# configure date -p ntp1.cppm.main -a 24 -v cp1234567890 -t SHA -s ntp2.cppm.main -a 16 -v cp53.56 -t SHA1 Example 2 The following example synchronizes with the primary NTP server. Note that in this example, the key-value is a hex code. Using a hex code for the key-value is supported only in the CLI, not in the user interface. [appadmin]# configure date -p ntp1.cppm.
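The -a, -v and -t parameters in the examples above name the three parts of NTP symmetric-key authentication: a key identifier, the shared key value, and the digest algorithm. The following Python is an added example, not code from this guide or from the ClearPass product, that builds and verifies the message authentication code an NTP client and server exchange under those parameters, following RFC 5905 section 7.3 (MAC = key identifier followed by digest(key || packet)). The key table reuses the identifiers and ASCII key values from Example 1 with SHA1, and adds an MD5 key given in hex; the client packet and the extra keys are constructed, and whether a particular deployment reads a key value as ASCII or hex is handled here by an explicit flag rather than inferred, since the guide only says that hex values are accepted in the CLI.

```python
import hashlib
import hmac
import struct

# Digest algorithms by the names used for NTP symmetric keys.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def key_bytes(value, hex_encoded=False):
    """Turn a configured key value into the bytes that enter the digest.
    An ASCII key is used verbatim; a hex-encoded key (CLI only, per the guide) is
    decoded first. The encoding a deployment uses is an assumption of the caller."""
    return bytes.fromhex(value) if hex_encoded else value.encode("ascii")


def client_packet(transmit_ts):
    """Minimal 48-byte NTPv4 client header: LI=0, VN=4, Mode=3, poll=6,
    precision=-20, zeroed root delay/dispersion/reference fields and the given
    64-bit transmit timestamp. Constructed for the example."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack("!BBBbII4sQQQQ", li_vn_mode, 0, 6, -20,
                       0, 0, b"\x00" * 4, 0, 0, 0, transmit_ts)


def append_mac(packet, key_id, key, digest):
    """RFC 5905 section 7.3: MAC = key identifier (32 bits) || digest(key || packet).
    The digest covers the header (and any extension fields), never the MAC itself."""
    if not 1 <= key_id <= 65535:
        raise ValueError("key identifier must be in 1..65535")
    if digest not in DIGESTS:
        raise ValueError("unsupported digest %r" % digest)
    return packet + struct.pack("!I", key_id) + DIGESTS[digest](key + packet).digest()


def verify_mac(message, trusted_keys):
    """Receiver side. trusted_keys maps key_id -> (key bytes, digest name), the
    equivalent of the server's key table. Returns (ok, key_id).
    Assumes the packet carries no extension fields, so the MAC starts at byte 48."""
    if len(message) < 48 + 4:
        return False, None
    packet, mac = message[:48], message[48:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:
        return False, key_id                    # unknown identifier: reject
    key, digest = trusted_keys[key_id]
    expected = DIGESTS[digest](key + packet).digest()
    if len(mac) - 4 != len(expected):
        return False, key_id                    # digest length does not fit this key
    return hmac.compare_digest(expected, mac[4:]), key_id


# Key table: identifiers 24 and 16 with the ASCII values from Example 1 (SHA1),
# plus an assumed MD5 key whose value is given in hex.
TRUSTED_KEYS = {
    24: (key_bytes("cp1234567890"), "SHA1"),
    16: (key_bytes("cp53.56"), "SHA1"),
    7: (key_bytes("636f646521", hex_encoded=True), "MD5"),
}


def demo():
    """Sign one client packet and check the four outcomes a receiver must tell apart."""
    pkt = client_packet(0xE3D6D2A500000000)          # arbitrary transmit timestamp
    signed = append_mac(pkt, 24, TRUSTED_KEYS[24][0], "SHA1")
    tampered = bytearray(signed)
    tampered[47] ^= 0x01                             # flip one bit of the transmit timestamp
    return {
        "valid": verify_mac(signed, TRUSTED_KEYS),
        "tampered": verify_mac(bytes(tampered), TRUSTED_KEYS),
        "wrong_key": verify_mac(append_mac(pkt, 24, TRUSTED_KEYS[16][0], "SHA1"), TRUSTED_KEYS),
        "unknown_id": verify_mac(append_mac(pkt, 99, b"anything", "SHA1"), TRUSTED_KEYS),
    }


if __name__ == "__main__":
    for case, (ok, key_id) in demo().items():
        print(f"{case:10s} -> ok={ok} key_id={key_id}")
```

The key identifier travels in the clear and only selects which shared secret the receiver tries; a packet signed with the wrong secret, a modified timestamp, or an identifier the receiver has not been given all fail in the same way, which is why the key index on the client and the server must agree exactly as the -a parameter requires. The comparison uses hmac.compare_digest so that verification time does not leak how many digest bytes matched.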
Table 412: Configure fips-mode Command Parameters Flag/Parameter Action/Description 0 To disable FIPS mode, enter 0. Read the warning message carefully before enabling or disabling FIPS mode. 1 To enable FIPS mode, enter 1.
Table 413: Configure IP Command Parameters Flag/Parameter Action/Description ip Specify the network interface type: management port interface or data port interface. specifies the IPv4 address of the host. netmask Specify the netmask for the IP address. gateway Specify the IP address for the network gateway.
Syntax configure mtu The following table describes the configure mtu command parameters: Table 415: Configure mtu Command Parameters Flag/Parameter Action/Description mtu Specify the network interface types: management port interface or data port interface. Specify the MTU value in bytes. The default value is 1500 bytes.
Hardware Address : 00:0C:29:70:27:40 MTU : 1499 =========================================== Device Type : Data Port ------------------------------------------IPv4 Address : Subnet Mask : Gateway : IPv6 Address : fe80:0000:0000:0000:020c:29ff:fe70:274a Subnet Mask : ffff:ffff:ffff:ffff:0000:0000:0000:0000 Gateway : fe80:0000:0000:0000:020c:29ff:fe70:2741 Hardware Address : 00:0C:29:70:27:4A MTU : 1498 =========================================== DNS Informati
network ip6 Use the network ip6 command to add, delete, or list custom routes to the data or management interface routing table in IPv6 networks. Syntax: network ip6 add network ip6 add [-i ] <[-s ] [-d ]> [-g ] The following table describes the required and optional parameters for the network ip6 command: Table 416: Network IP6 Add Command Parameters Flag/Parameter Description Specifies the management or the data interface.
----------------------------------------------0: from all lookup local 13000: from all to fe82::20c:99ff:fe7e:d3e1 lookup mgmt 13001: from all to fe82::20c:99ff:fe7e:d3e4 lookup mgmt 13002: from all to fe82::20c:99ff:fe7e:d3e7 lookup mgmt 13003: from all to fe82::20c:99ff:fe7e:d3e8 lookup mgmt 13004: from all to fe82::20c:99ff:fe7e:d3e9 lookup mgmt 13005: from all to fe82::20c:99ff:fe7e:d3ea lookup static 32766: from all lookup main =============================================== Syntax: network ip6 reset
Table 418: Network IP Del Command Parameters Flag/Parameter Description -i Specifies the ID of the rule to delete. Syntax: network ip list network ip list This command lists all routing rules. Example: Adding a Custom Route The following example adds a custom route: [appadmin]# network ip add data -s 192.168.xx.
Example: Obtaining Address of Host or Domain The following examples obtain the IPv4 and IPv6 addresses of the host or domain using DNS: [appadmin]# nslookup sun.us.dellnetworks.com [appadmin]# network nslookup 2001:4860:4860::8888 Example: Querying for SRV Records The following example queries a host or domain for SRV records: [appadmin]# nslookup -q SRV dellnetworks.com Syntax Use the AAAA flag with the -q option to perform network nslookup with IPv6 destinations.
[appadmin]# network ping6 –i fe82::20c:29ff:fe7e:d3e1 –t sun.us. dellnetworks .com network ping Use the network ping command to test the reachability of the network host. Syntax: network ping network ping [-i ] [-t] The following table describes the required and optional parameters for the network ping command: Table 421: Network Ping Command Parameters Flag/Parameter Description -i Specifies the originating IP address for the ping. This field is optional.
network traceroute6 Use the network traceroute6 command to print the route taken to reach the IPv6 network host. Syntax: network traceroute6 network traceroute6 The following table describes the required and optional parameters for the network traceroute6 command: Table 423: Network Traceroute6 Command Parameters Flag/Parameter Description Specifies the name of network host. You can specify the host with an IPv6 address.
l dump logs on page 841 l dump servercert on page 842 l exit on page 842 l help on page 842 l krb auth on page 843 l krb list on page 843 l ldapsearch on page 843 l quit on page 844 l restore on page 844 ad auth Use the ad auth command to authenticate the user against Active Directory.
Table 426: AD Netjoin Command Parameters Parameter Action/Description Specify the complete Fully Qualified Domain Name (FQDN) of the domain controller, including its hostname. For example, if atlas.org is the Domain FQDN and DC01.atlas.org is one of its domain controllers, then this argument would be correctly expressed as DC01.atlas.org This field is mandatory. [domain NetBIOS name] Specify the NetBIOS name of the domain (optional argument).
Reset the password servers. l Syntax ad passwd-server Table 428: AD passwd-server Command Parameters Flag/Parameter Description set Sets the password servers. The -n parameter specifies the domain name. The -s parameter specifies one or more password server names. l l -n -s [Server2 Server3 Server4 ...] list -n Lists the configured password servers. reset -n Resets the password servers.
Table 430: Alias Command Parameters Flag/Parameter Description = Sets as the alias for . = Removes the association. Example 1 This example sets the alias "sh" for the show command: [appadmin]# alias sh=show Example 2 This example removes the alias "sh": [appadmin]# alias sh= backup Use the backup command to create a backup of Policy Manager configuration data.
dump certchain Use the dump certchain command to remove the certificate chain of any SSL-secured server. Syntax dump certchain The following table describes the parameter for the dump certchain command: Table 432: Dump Certchain Command Parameter Flag/Parameter Description Specifies the hostname and SSL port number. Example 1 The following example dumps the certificate chain of an SSL-secured server: [appadmin]# dump certchain ldap.acme.
dump servercert Use the dump servercert command to remove the server certificate of an SSL-secured server. Syntax dump servercert The following table describes the parameter for the dump servercert command: Table 434: Dump Servercert Command Parameter Flag/Parameter Description Specifies the hostname and SSL port number. Example The following example removes the server certificate of the specified SSL-secured server: [appadmin]# dump servercert ldap.acme.
krb auth Use the krb auth command to perform a Kerberos authentication against a Kerberos server (such as Microsoft Active Directory). Syntax krb auth The following table describes the parameter for the krb auth command: Table 435: Kerberos Authentication Command Parameter Flag/Parameter Description Specifies the username and domain.
Example The following example finds objects in an LDAP directory: [appadmin]# ldapsearch -B admin@corp-ad.acme.com quit Use the quit command to exit the shell. Syntax quit Example The following command quits the shell: [appadmin]# quit restore Use the restore command to restore Policy Manager configuration data from the backup file.
Table 437: Restore Command Parameters (Continued) Flag/Parameter Description optional. -n Retains local node configuration data, such as certificates, after the restore operation (default). -N Does not retain local node configuration data after the restore operation. -r Restores Insight data if it exists in the backup. -s Restores cluster server/node entries from the backup file. Node entries are in a disabled state upon restore. This field is optional.
Table 438: Service Action Command Parameters Service Parameter Description action 1. Choose an action: n list n restart n start n status n stop service-name 2.
Micros Fidelio FIAS [ fias_server ] Ingress logger service [ cpass-igslogger-server ] Ingress syslog service [ cpass-igssyslog-server ] Show Commands The Policy Manager command line interface includes the following show commands: l show all-timezones l show date l show dns l show domain l show fipsmode l show hostname l show ip l show license l show ntp l show sysinfo l show timezone l show version show all-timezones Use the show all-timezones command to view all a
show dns Use the show dns command to view DNS (Domain Name System) servers. Syntax show dns Example The following example of show dns command output displays the DNS servers configured for the current W-ClearPass server: [appadmin]# show dns =========================================== DNS Information ------------------------------------------Primary DNS : 192.xxx.5.
show fipsmode Use the show fipsmode command to find whether FIPS (Federal Information Processing Standard) mode is enabled or disabled. Example The following example shows that FIPS mode is enabled: [appadmin]# show fipsmode FIPS Mode: Enabled show hostname Use the show hostname command to view the hostname of the current W-ClearPass server. Syntax show hostname Example The following displays an example of the show hostname command: [appadmin]# show hostname cppm.chicago.
Subnet Mask : ffff:ffff:ffff:ffff:0000:0000:0000:0000 Gateway : fe80:0000:0000:0000:020c:29ff:fe70:2741 Hardware Address : 00:0C:29:70:27:4A MTU : 1498 =========================================== DNS Information ------------------------------------------Primary DNS : 10.2.xx.30 Secondary DNS : 10.1.xx.50 Tertiary : 10.1.xx.200 DNS =========================================== show license Use the show license command to view the Policy Manager license information.
show ntp Use the show ntp command to view the IP addresses of the primary and secondary Network Time Protocol (NTP) servers configured for the current W-ClearPass server. Syntax show ntp Example The following displays an example of the show ntp command output: [appadmin]# show ntp =========================================== NTP Server Information ------------------------------------------Primary NTP : 10.xx.x.
Example The following displays an example of the show timezone command output: [appadmin]# show timezone Timezone is set to 'Asia/Kolkata' show version Use the show version command to view the Policy Manager software version and the hardware model. Syntax show version Example The following displays an example of the show version command output: [appadmin]# show version ======================================= Policy Manager software version : 6.6(4).
Account Lockout Persistence n The SSH timed account lockout feature configuration persists across reboots, updates and upgrades. n The account lock status persists across reboots. SSH Account Lockout Configuration The SSH Timed Lockout options are exposed as a part of the ssh command set. Figure 807: SSH Command Set SSH Lockout The ssh lockout command set provides ability to configure SSH lockout configuration options.
Example ssh lockout count 3 SSH Lockout Duration Sets the amount of time in minutes that the account will remain locked after the number of SSH password login attempts exceeds the SSH lockout count. Figure 810: SSH Lockout Duration Command Syntax ssh lockout duration Example ssh lockout duration 3 SSH Lockout Reset Resets the SSH lockout count and duration to factory defaults and disables this feature. The SSH timed account lockout feature is disabled by default.
Show SSH Shows the SSH lockout configuration settings and the active SSH client sessions. Figure 813: Show SSH Command SSH Account Lockout Alerts Alerts for SSH lockout events are logged in to the Event Viewer when any of the following conditions are present: n SSH lockout configurations are performed n Account is locked n Account is unlocked n Failed SSH login attempts SSH Account Lockout Behavior The SSH account lockout feature is disabled by default. 1.
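The timed lockout described in this section is easiest to reason about as a small state machine: a per-account failure counter, a lock that expires after the configured duration, and an alert for each of the events the Event Viewer records. The following Python model is an added illustration, not ClearPass code; it assumes, as the text says, that the lock is applied once the failed attempts exceed the configured count, that time is supplied in seconds, and that a count of 0 means the feature is disabled (the default).

```python
"""Model of a timed SSH account lockout (added illustration, not ClearPass code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LockoutPolicy:
    """'ssh lockout count' and 'ssh lockout duration'; count 0 disables the feature."""
    count: int = 0
    duration_min: int = 0


@dataclass
class SshLockoutTracker:
    policy: LockoutPolicy
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)  # user -> unlock time (s)
    alerts: List[str] = field(default_factory=list)               # what the Event Viewer would log

    def reset(self) -> None:
        """'ssh lockout reset': factory defaults, feature disabled, all locks cleared."""
        self.policy = LockoutPolicy()
        self.failures.clear()
        self.locked_until.clear()
        self.alerts.append("SSH lockout configuration reset")

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lock expired: clear state and alert
            del self.locked_until[user]
            self.failures[user] = 0
            self.alerts.append(f"Account is unlocked: {user}")
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return the outcome of one SSH password attempt made at time `now` (seconds)."""
        if self.is_locked(user, now):
            return "rejected-locked"          # a correct password is refused while locked
        if password_ok:
            self.failures[user] = 0
            return "accepted"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.alerts.append(f"Failed SSH login attempt: {user}")
        # Lock once failures exceed the configured count (feature off when count is 0).
        if self.policy.count and self.failures[user] > self.policy.count:
            self.locked_until[user] = now + self.policy.duration_min * 60
            self.alerts.append(f"Account is locked: {user}")
            return "locked"
        return "failed"


if __name__ == "__main__":
    tracker = SshLockoutTracker(LockoutPolicy(count=3, duration_min=3))
    for i in range(4):
        print(i, tracker.record_attempt("appadmin", False, float(i)))
    print(tracker.record_attempt("appadmin", True, 60.0))   # still inside the lock window
    print(tracker.record_attempt("appadmin", True, 200.0))  # lock expired, accepted
    print(tracker.alerts)
```

Two points the model makes visible: a correct password submitted during the lock window is still refused, which is the behaviour an operator must expect before testing credentials against a locked appadmin account; and because the product persists the lock status across reboots, a real implementation must store `locked_until` durably rather than in memory as this model does.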
System Commands The Policy Manager command line interface (CLI) includes the following system commands: l system apps-access-reset l system boot-image l system cleanup l system create-api-client l system gen-recovery-key l system gen-support-key l system install-license l system morph-vm l system refresh-license l system reset-server-certificate l system restart l system shutdown l system sso-reset l system start-rasession l system status-rasession l system terminate-rasession
Table 439: Boot-Image Command Parameters Flag/Parameter Description -l Lists the boot images installed on the system. -a Sets the active boot image version in A.B.C.D syntax. This field is optional.
INFO - Starting system cleanup INFO - Purging diagnostic dumps INFO - Detected empty core directory INFO - Performing system cleanup tasks INFO - Purging platform logs INFO - Purging application logs INFO - Performing database cleanup tasks INFO - Completed system cleanup system create-api-client Use the system create-api-client command to create a new API client.
Table 441: System Install-License Command Parameter Flag/Parameter Description Specifies the newly issued license key. This field is mandatory. Example The following example replaces the current license key with a new one: [appadmin]# system install-license API11-3117-90982-007 system morph-vm Use the system morph-vm command to convert an evaluation virtual machine (VM) to a production virtual machine.
[appadmin]# system morph-vm CP-VA-25K system refresh-license Use the system refresh-license command to refresh the license count information.
Syntax system restart Example The following example restarts the system with a confirmation before proceeding: [appadmin]# system restart system restart ********************************************************* * WARNING: This command will shut down all applications * * and reboot the system * ******************************************************** Are you sure you want to continue? [y|Y]: y system shutdown Use the system shutdown command to shut down the current W-ClearPass server.
Table 443: System Start Remote Assistance Session Command Parameters Flag/Parameter Action/Description duration_hours 1. Specify the session duration in hours. You can specify values from 0 to 12. duration_mins 2. Specify the session duration in minutes. You can specify values from 0 to 59. contact_id 3. Enter the username ID part of the Dell TAC or Engineering contact. cppm_server_ip 4. Specify the W-ClearPass Policy Manager server IP address.
Table 444: System Update Command Parameters Flag/Parameter Description -i user@hostname:/ | http://hostname/ Installs the specified patch on the system. This field is optional. -f Reinstalls the patch in the event of a problem with the initial installation attempt. This field is optional. -l Lists the patches installed on the system. This field is optional. This command supports Secure Copy (SCP), HTTPS, HTTP, and local uploads.
Table 445: System Upgrade Command Parameters Flag/Parameter Description -w Restores last (one) week of access tracker records after the upgrade. -l Restores all access tracker records from this version. -L Does not backup or restore access tracker records from this version. Enter the filepath using the syntax provided in the two examples below. This field is mandatory. This command supports Secure Copy (SCP), HTTPS, HTTP, and local uploads.
5. In the Firmware & Patch Updates section of the Software Updates page, click the Import Updates button. The Import from File dialog appears. 6. Browse to the location of the upgrade file on your system, then click Import. The selected upgrade file is uploaded to the W-ClearPass Policy Manager. 7. Log in to the Policy Manager command line interface (CLI) with the following user name: appadmin. 8.
| Command Line Interface Dell Networking W-ClearPass Policy Manager 6.
Appendix B SNMP Private MIB, SNMP Traps, System Events, Error Codes This appendix contains the following information: l W-ClearPass SNMP Private MIB l SNMP Trap Details l Important System Events l Error Codes W-ClearPass SNMP Private MIB This section contains the following information: l Introduction l System MIB Entries l RADIUS Server MIB Entries l Policy Server MIB Entries l Web Authentication Server MIB Entries l TACACS+ Server MIB Entries l Network Traffic MIB Entries Introductio
Table 446: CPPMSystemTableEntry System MIB Objects (Continued) MIB Object Description cppmNwMgmtPortMACAddress W-ClearPass server management port MAC address cppmSystemDiskSpaceFree Amount of disk space free (in bytes) in the W-ClearPass server cppmSystemDiskSpaceTotal Total amount of disk space available (in bytes) in the W-ClearPass server cppmSystemHostname W-ClearPass server host name cppmSystemMemoryFree Amount of memory free (in bytes) in the W-ClearPass server cppmSystemMemoryTotal Total
RadiusServerAuthTableEntry RadiusServerAuthTableEntry exposes the following counters that refer to authSourceName wherever applicable (see Table 448). Counters and delays reflect details that are logged into Graphite.
Table 449: PolicyServerTableEntry Objects (Continued) MIB Object Description psRolemappingPolicyEvalTime Role mapping policy evaluation time psPosturePolicyEvalTime Posture policy evaluation time psRestrictionPolicyEvalTime Restriction policy evaluation time psServicePolicyEvalCount Service policy evaluation count psServicePolicyEvalTime Service policy evaluation time psSessionlogTime Policy Server session logging time PolicyServerProtoTableEntry PolicyServerProtoTableEntry exposes MIB objects
Web Authentication Server MIB Entries WebAuthProtoTableEntry exposes MIB objects for the WebLogin, AppLogin, SamlIdp, and SamlSp web authentication protocols.
TacacsAutzTableEntry exposes MIB objects for TACACS+ authorization counters.
Introduction This section describes the traps that W-ClearPass Policy Manager supports as part of the W-ClearPass SNMP Private MIB. Table 456 provides the description and OID (Object Identifier) for each W-ClearPass SNMP trap. OIDs uniquely identify managed objects in a MIB hierarchy.
Table 456: SNMP Traps Supported by the SNMP Private MIB (Continued) SNMP Trap Description and OID indicates the IP address of the node promoted to Publisher. OID: .1.3.6.1.4.1.14823.1.6.1.1.200.
W-ClearPass Policy Manager leverages native SNMP support from the UC Davis ‘net-SNMP’ MIB package to send trap notifications for the following events. In these trap OIDs, the value of X varies from 1 through N, depending on the number of process states that are being checked. Details about specific OIDs associated with the processes are listed in this section.
.1.3.6.1.6.3.1.1.5.3 ==> Indicates the linkdown trap with the 'ifAdminStatus' and 'ifOperStatus' values set to 2. .1.3.6.1.6.3.1.1.5.4 ==> Indicates the linkup trap with the 'ifAdminStatus' and 'ifOperStatus' values set to 1. In each case, the 'ifIndex' value is set to 2 for management interface and 3 for the data port interface. Figure 815: Network interface status traps example W-ClearPass Processes Stop and Start Events OIDs: .1.3.6.1.4.1.2021.8.1.2.X ==> Process Name .1.3.6.1.4.1.2021.2.1.101.
.1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server .1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is stopped RADIUS server start SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.
.1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.2 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.2: cpass-system-auxiliary-server .1.3.6.1.4.1.2021.8.1.101.2: System auxiliary service [ cpass-system-auxiliary-server ] is stopped System Auxiliary server start SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.2 .1.3.6.1.2.1.
Async DB write service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.6 .1.3.6.1.2.1.88.2.1.5.0: 1 .1.3.6.1.4.1.2021.8.1.2.6: cpass-dbwrite-server .1.3.6.1.4.1.2021.8.1.101.6: Async DB write service [ cpass-dbwrite-server ] is stopped Async DB write service start SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.7 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.7: cpass-repl-server .1.3.6.1.4.1.2021.8.1.101.7: DB replication service [ cpass-repl-server ] is running DB Change Notification server stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.8 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.8: cpass-dbcn-server .1.3.
Async netd service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.9 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.9: cpass-async-netd .1.3.6.1.4.1.2021.8.1.101.9: Async netd service [ cpass-async-netd ] is stopped Async netd service start SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.
.1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.10 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.10: cpass-multi-master-cache-server .1.3.6.1.4.1.2021.8.1.101.10: Multi-master cache [ cpass-multi-master-cache-server ] is stopped Multi-master Cache service start SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.
.1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.11 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.11: airgroup-notify .1.3.6.1.4.1.2021.8.1.101.11: AirGroup notification service [ airgroup-notify ] is stopped AirGroup Notification service start SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.11 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.
.1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.12: fias_server .1.3.6.1.4.1.2021.8.1.101.12: Micros Fidelio FIAS [ fias_server ] is stopped Micros Fidelio FIAS service start SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.12 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.12: fias_server .1.3.6.1.4.1.2021.8.1.101.
.1.3.6.1.4.1.2021.8.1.101.4: TACACS server [ cpass-tacacs-server ] is stopped TACACS server start SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.4 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.4: cpass-tacacs-server .1.3.6.1.4.1.2021.8.1.101.4: TACACS server [ cpass-tacacs-server ] is running Virtual IP service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.13 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.13: cpass-vip-service .1.3.6.1.4.1.2021.8.1.101.13: ClearPass Virtual IP service [ cpass-vip-service ] is running Stats Collection service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0 .1.3.6.1.2.1.88.2.1.3.0 .1.3.
.1.3.6.1.2.1.88.2.1.2.0 .1.3.6.1.2.1.88.2.1.3.0 .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.15 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.15: cpass-statsd-server .1.3.6.1.4.1.2021.8.1.101.15: Stats collection service [ cpass-statsd-server ] is running Stats Aggregation service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0 .1.3.6.1.2.1.88.2.1.3.0 .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.14 .1.3.6.1.2.1.88.2.1.5.
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.14 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.14: cpass-carbon-server .1.3.6.1.4.1.2021.8.1.101.14: Stats aggregation service [ cpass-carbon-server ] is running. CPU Load Average Exceed Events for 1, 5, and 15 Minute Thresholds OIDs .1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag for disk partition .1.3.6.1.4.1.2021.9.1.2.1 ==> Name of the partition CPU Load Average Traps OIDs .1.3.6.1.4.1.2021.10.1.100.1 ==> Error flag on the CPU load-1 average.
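The trap listings above all share one layout: the trap OID says whether a monitored value rose (stop, .1.3.6.1.2.1.88.2.0.2) or fell back (start, .1.3.6.1.2.1.88.2.0.3), the varbind .1.3.6.1.2.1.88.2.1.4.0 names which UCD-SNMP error flag fired, and the index at the end of that flag OID selects the matching process name (.1.3.6.1.4.1.2021.8.1.2.X) and status message (.1.3.6.1.4.1.2021.8.1.101.X). The following Python classifier is an added example, not ClearPass or net-SNMP code: it parses traps written in the same "OID: value" form the guide prints, classifies process, CPU load and disk partition traps by that flag prefix, and replays a sequence to report which services are still down. The sample traps are constructed from the listings above (trimmed to the varbinds used); the mapping of load-average rows 1, 2 and 3 to the 1, 5 and 15 minute windows is an assumption from the UCD-SNMP table layout.

```python
"""Classify W-ClearPass process/resource SNMP traps (added example, not ClearPass code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRAP_STOP = ".1.3.6.1.2.1.88.2.0.2"   # the guide lists this OID for "stop" traps
TRAP_START = ".1.3.6.1.2.1.88.2.0.3"  # and this one for "start" traps
HOT_OID = ".1.3.6.1.2.1.88.2.1.4.0"   # which monitored OID fired
HOT_VALUE = ".1.3.6.1.2.1.88.2.1.5.0" # its value when it fired
PROC_FLAG = ".1.3.6.1.4.1.2021.8.1.100."  # process error flag (X = table index)
PROC_NAME = ".1.3.6.1.4.1.2021.8.1.2."    # process name
PROC_MSG = ".1.3.6.1.4.1.2021.8.1.101."   # human-readable status line
DISK_FLAG = ".1.3.6.1.4.1.2021.9.1.100."  # disk partition error flag
DISK_NAME = ".1.3.6.1.4.1.2021.9.1.2."    # partition name
CPU_FLAG = ".1.3.6.1.4.1.2021.10.1.100."  # CPU load-average error flag
CPU_WINDOW = {"1": "load-1", "2": "load-5", "3": "load-15"}  # assumption: UCD laTable rows


@dataclass
class TrapEvent:
    kind: str      # "process", "cpu", "disk" or "unknown"
    subject: str   # process name, load window or partition
    state: str     # "stopped"/"running" or "exceeded"/"cleared"
    message: str


def parse_trap(text: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Parse the 'OID: value' listing into (trap OID, varbind map). OIDs contain no ':'."""
    trap_oid, binds = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "snmpTrapOID":
            trap_oid = value
        else:
            binds[key] = value
    return trap_oid, binds


def classify_trap(text: str) -> TrapEvent:
    trap_oid, binds = parse_trap(text)
    hot, flag = binds.get(HOT_OID, ""), binds.get(HOT_VALUE, "")
    if hot.startswith(PROC_FLAG):
        idx = hot[len(PROC_FLAG):]
        state = {TRAP_STOP: "stopped", TRAP_START: "running"}.get(trap_oid, "unknown")
        return TrapEvent("process", binds.get(PROC_NAME + idx, "?"), state,
                         binds.get(PROC_MSG + idx, ""))
    state = "cleared" if flag == "0" else "exceeded"   # nonzero error flag = threshold hit
    if hot.startswith(CPU_FLAG):
        idx = hot[len(CPU_FLAG):]
        return TrapEvent("cpu", CPU_WINDOW.get(idx, "load-?"), state, f"error flag={flag}")
    if hot.startswith(DISK_FLAG):
        idx = hot[len(DISK_FLAG):]
        return TrapEvent("disk", binds.get(DISK_NAME + idx, "?"), state, f"error flag={flag}")
    return TrapEvent("unknown", hot or "?", "unknown", "")


def stopped_processes(traps: List[str]) -> List[str]:
    """Replay a trap sequence; return services whose most recent event was a stop."""
    down: Dict[str, bool] = {}
    for text in traps:
        ev = classify_trap(text)
        if ev.kind == "process" and ev.state in ("stopped", "running"):
            down[ev.subject] = ev.state == "stopped"
    return sorted(name for name, is_down in down.items() if is_down)


# Constructed samples in the guide's listing layout: RADIUS stop, RADIUS start,
# TACACS stop, then a CPU load-1 threshold trap.
SAMPLE_TRAPS = [
    """snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5
.1.3.6.1.2.1.88.2.1.5.0: 3
.1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server
.1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is stopped""",
    """snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server
.1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is running""",
    """snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.4
.1.3.6.1.2.1.88.2.1.5.0: 3
.1.3.6.1.4.1.2021.8.1.2.4: cpass-tacacs-server
.1.3.6.1.4.1.2021.8.1.101.4: TACACS server [ cpass-tacacs-server ] is stopped""",
    """snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.10.1.100.1
.1.3.6.1.2.1.88.2.1.5.0: 1""",
]

if __name__ == "__main__":
    for trap in SAMPLE_TRAPS:
        print(classify_trap(trap))
    print("still stopped:", stopped_processes(SAMPLE_TRAPS))
```

Keying on the flag OID prefix and index, rather than on the free-text message, keeps the classifier stable when the message wording differs between services, and the replay shows why a trap receiver should track state per service: a RADIUS stop followed by a RADIUS start is noise, while a TACACS+ stop with no matching start is a loss of device-administration authentication that merits an alert.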
Figure 819: CPU load-15 average example Important System Events This section provides the following information: l Admin User Interface Events l Admin Server Events l Async Service Events l W-ClearPass/Domain Controller Events l W-ClearPass System Configuration Events l W-ClearPass Update Events l Cluster Events l Command Line Events l Database Replication Services Events l Licensing Events l Policy Server Events l RADIUS/TACACS+ Server Events l Service Names l SNMP Events l Su
Info Events "Admin UI", "INFO", "Logged out" "Admin UI", "INFO", "Session destroyed" "Admin UI", "INFO", "Logged in", description "Admin UI", "INFO", "Clear Authentication Cache", “Cache is cleared for authentication source " "Admin UI", "INFO", "Clear Blacklist User Cache", “Blacklist Users cache is cleared for authentication source " "Admin UI", "INFO", "Server Certificate", "Subject:“, "Updated" "Install Update", "INFO", "Installing Update", "File: ", "Success" "Admin UI", “INFO” “Email Succe
Info Events “Cluster”, “INFO”, “Setup”, “Database initialized” “hostname”, “INFO”, “configuration”, “Hostname set to ” “ipaddress”, “INFO”, “configuration”, Management port information updated to - IpAddress = , Netmask = , Gateway = ” “IpAddress”, “INFO”, "Data port information updated to - IpAddress = , Netmask = , Gateway = " “DNS”, “INFO”, “configuration”, “Successfully configured DNS servers - ” “Time Config”, “INFO”, “Remote Time Server”, “Old List: \nNew List: ” “timezon
“DB replication service”, “INFO”, “Performed action start on DB replication service” Licensing Events Critical Events “Admin UI”, “WARN”, “Activation Failed”, “Action Status: This Activation Request Token is already in use by another instance\nProduct Name: Policy Manager\nLicense Type: \nUser Count: ” Info Events “Admin UI”, “INFO”, “Add License”, “Product Name: Policy Manager\nLicense Type: \nUser Count: ” Policy Server Events Info Events “Policy Server”, “INFO”, “Performed action start on
l System auxiliary services l System monitor service l TACACS server l Virtual IP service l [YourServerName] Domain service SNMP Events Critical Events “SNMPService”, “ERROR”, “ReadDeviceInfo”, “SNMP GET failed for device with error=No response received\nReading sysObjectId failed for device=\nReading switch initialization info failed for ” "SNMPService","ERROR", "Error fetching table snmpTargetAddr. Request timed out. Error reading SNMP target table for NAD=10.1.1.
Error Codes Table 457 describes the W-ClearPass Policy Manager error codes: Table 457: W-ClearPass Policy Manager Error Codes Code Description Type 0 Success Success 101 Failed to perform service classification Internal Error 102 Failed to perform policy evaluation Internal Error 103 Failed to perform posture notification Internal Error 104 Failed to query authstatus Internal Error 105 Internal error in performing authentication Internal Error 106 Internal error in RADIUS server Inter
Table 457: W-ClearPass Policy Manager Error Codes (Continued) Code Description Type 218 Authentication source timed out Authentication failure 219 Bad search filter Authentication failure 220 Search failed Authentication failure 221 Authentication source error Authentication failure 222 Password change error Authentication failure 223 Username not available in request Authentication failure 224 CallingStationID not available in request Authentication failure 225 User account disable
Table 457: W-ClearPass Policy Manager Error Codes (Continued) Code Description Type 6101 Not enough inputs to perform authentication TACACS Authentication 6102 Authentication privilege level mismatch TACACS Authentication 6103 No enforcement profiles matched to perform authentication TACACS Authentication 6201 Authorization failed as session is not authenticated TACACS Authorization 6202 Authorization privilege level mismatch TACACS Authorization 6203 Command not allowed TACACS Authoriza
Table 457: W-ClearPass Policy Manager Error Codes (Continued) Code Description Type 9015 Client does not support configured EAP methods RADIUS Protocol 9016 Client did not send Cryptobinding TLV RADIUS Protocol 9017 Failed to contact OCSP Server RADIUS Protocol 9018 RADIUS protocol error RADIUS Protocol 9019 Client sent conflicting identities RADIUS Protocol
Appendix C Use Cases This appendix contains several specific W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case. l 802.1X Wireless Use Case on page 899 l Web Based Authentication Use Case on page 905 l MAC Authentication Use Case on page 912 l TACACS+ Use Case on page 915 l Single Port Use Case on page 917 802.
Policy Manager ships with fourteen preconfigured services. In this use case, you select a service that supports 802.1X wireless requests. Follow the steps below to configure this basic 802.1X service that uses [EAP FAST], one of the pre-configured Policy Manager authentication methods, and Active Directory Authentication Source (AD), an external authentication source within your existing enterprise.
To create a new Role Mapping policy: 1. Click the Roles tab. 2. Click Add new Role Mapping Policy. The Role Mappings page opens. Figure 821: Role Mapping Navigation and Settings 3. To add a new role, navigate to the Policy tab. Enter the Policy Name, for example, ROLE_ENGINEER, and click Save. Repeat the same step for ROLE_FINANCE. The following figure displays the Policy tab: Figure 822: Policy Tab 4. Click the Next button in the Rules Editor. 5. Create rules to map client identity to a role.
Figure 823: Mapping Rules Tab 6. Select the Select all matches radio button. 7. Match the conditions with the role name. Click the Add Rule button. The Rules Editor pop-up opens. Upon completion of each rule, click the Save button in the Rules Editor. 8. Click the Save button. 9. Add the new role mapping policy to the service from the Roles tab. The following figure displays the Roles tab: Figure 824: Roles Tab
10. Select Role Mapping Policy, for example, RMP_DEPARTMENT. Click Next. 11. Add a Microsoft NPS external posture server to the 802.1X service. Click the Posture tab. The following figure displays the Posture tab: Figure 825: Posture Tab 12. Click Add new Posture Server to add a new posture server. 13.
Figure 827: Primary Server Tab 16.Click Next from primary server to backup server. Click Save. 17.Add the new posture server to the service. From the Posture tab, enter the Posture Servers, for example, PS_NPS, then click the Add button. The following figure displays the Posture tab: Figure 828: Posture Tab 18.Click the Next button. Assign an enforcement policy. 19.Enforcement policies contain dictionary-based rules for evaluation of Role, Posture Tokens, and System Time to evaluation profiles.
20. From the Enforcement tab, select the Enforcement Policy. For instructions about how to build an enforcement policy, refer to Configuring Enforcement Policies on page 371. 21.Save the service. Web Based Authentication Use Case This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service.
Table 459: Service Navigation and Settings Navigation Settings Create a new Service: Services > l Add Service > l Name the Service and select a preconfigured Service Type: l Service (tab) > l Type (selector): Dell Web-Based Authentication > l Name/Description (freeform) > Upon completion, click Next. 3. Set up the Authentication. a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally. b.
Table 460: Local Policy Manager Database Navigation and Settings
Navigation: Select the local Policy Manager database:
- Authentication (tab) >
- Sources (Select drop-down list): [Local User Repository] >
- Add >
- Strip Username Rules (check box) >
Settings: Enter an example of preceding or following separators (if any), with the phrase "user" representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
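The strip-rule behaviour described in Table 460, modelled as an added example; this is illustrative code, not ClearPass code. The rule syntax (the literal word "user" marks the part to keep, characters before it are a prefix separator, characters after it a suffix separator) follows the description above; the choices that a prefix separator strips up to its last occurrence and a suffix separator strips from its first occurrence are assumptions, as are the sample identities. The collisions() helper shows why stripping is a security decision rather than a convenience: once the realm is removed, jdoe@corp.example.com and jdoe@evil.example are looked up as the same local account.

```python
# Added example, not ClearPass code: a model of "Strip Username Rules".
# A rule is a template in which the literal word "user" stands for the part to
# keep; anything before it is a prefix separator (e.g. "\user" for DOMAIN\user),
# anything after it is a suffix separator (e.g. "user@" for user@realm).
# Assumptions: a prefix separator strips up to its LAST occurrence, a suffix
# separator strips from its FIRST occurrence; rules are applied in order.
from collections import defaultdict


def split_rule(rule: str) -> tuple[str, str]:
    """Return (prefix_separator, suffix_separator) for a rule such as '\\user' or 'user@'."""
    if "user" not in rule:
        raise ValueError(f"rule {rule!r} does not contain the placeholder 'user'")
    before, _, after = rule.partition("user")
    return before, after


def strip_username(username: str, rules: list[str]) -> str:
    """Apply strip rules in order and return the bare username.

    'corp\\jdoe'             with '\\user' -> 'jdoe'
    'jdoe@corp.example.com'  with 'user@'  -> 'jdoe'
    A name that contains none of the separators is returned unchanged.
    """
    name = username
    for rule in rules:
        prefix, suffix = split_rule(rule)
        if prefix:
            idx = name.rfind(prefix)
            if idx != -1:
                name = name[idx + len(prefix):]
        if suffix:
            idx = name.find(suffix)
            if idx != -1:
                name = name[:idx]
    return name


def collisions(usernames: list[str], rules: list[str]) -> dict[str, list[str]]:
    """Map each stripped name to the distinct originals that collapse onto it,
    keeping only names produced by more than one original. Enable stripping
    only when the authentication source really is realm-agnostic; otherwise
    two different realms end up authenticating against one local record.
    """
    seen: dict[str, list[str]] = defaultdict(list)
    for original in usernames:
        stripped = strip_username(original, rules)
        if original not in seen[stripped]:
            seen[stripped].append(original)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample identities (not from the manual).
    rules = ["\\user", "user@"]
    for u in ["corp\\jdoe", "jdoe@corp.example.com", "corp\\jdoe@corp.example.com", "jdoe"]:
        print(f"{u!r:40} -> {strip_username(u, rules)!r}")
    print(collisions(["jdoe@corp.example.com", "jdoe@evil.example",
                      "asmith@corp.example.com"], ["user@"]))
```

Run it with the two rules and the stripped name is "jdoe" for every spelling; run collisions() over a user export before enabling the check box to see which accounts would be merged.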
Table 461: Posture Policy Navigation and Settings
Navigation: Create a Posture Policy:
- Posture (tab) >
- Enable Validation Check (check box) >
- Add new Internal Policy (link) >
Setting: Name the Posture Policy and specify a general class of operating system:
- Policy (tab) >
- Policy Name (freeform): IPP_UNIVERSAL >
- Host Operating System (radio buttons): Windows >
- When finished working in the Policy tab, click Next to open the Posture Plugins tab.
Navigation: Select a Validator:
- Posture Plugins (tab) >
- Enable Windows System Health Validator >
- Configure (button) >
Setting: Configure the Validator:
- Windows System Health Validator (popup) >
- Enable all Windows operating systems (check box) >
- Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) >
- Save (button) >
- When finished working in the Posture Plugins tab, click Next to move to the Rules tab.
Navigation: Set rules to correlate validation results with posture tokens:
- Rules (tab) >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
Setting:
- Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) >
- In the Rules Editor, upon completion of each rule, click the Save button >
- When finished work
Navigation: Add the new Posture Policy to the Service:
- Back in Posture (tab) >
- Internal Policies (selector): IPP_UNIVERSAL_XP, then click the Add button
The following fields deserve special mention:
- Default Posture Token. Value of the posture token to use if health status is not available.
- Remediate End-Hosts. When a client does not pass posture evaluation, redirect to the indicated server for remediation.
- Remediation URL.
MAC Authentication Use Case This service supports Network Devices, such as printers or hand-helds. In this service, an audit is initiated on receiving the first MAC Authentication request. A subsequent MAC Authentication request (triggered after the audit, or triggered after a short session timeout) uses the cached results from the audit to determine the posture and role(s) for the device. The following diagram illustrates the overall flow of control for this Policy Manager service.
2. Click the Add link. The Add Services dialog opens.
Figure 831: MAC Authentication Service Configuration Dialog
3.
Table 463: MAC Authentication Service Navigation and Settings
Navigation: Create a new Service:
- Services >
- Add Service (link) >
Settings: Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): MAC Authentication >
- Name/Description (freeform) >
- Upon completion, click Next to configure Authentication
4. Set up Authentication.
Table 464: Authentication Method Navigation and Settings
Navigation: Select an Authentication Method and two authentication sources, one of type Static Host List and the other of type Generic LDAP server (that you have already configured in Policy Manager):
Settings:
- Authentication (tab) >
- Methods (this method is automatically selected for this type of service): [MAC AUTH] >
- Add >
- Sources (Select drop-down list): Handhelds [Static Host List] and Policy Manager Clients White List [Generic LDAP] >
- Add
which follows the same path until it reaches Role Mapping/Posture/Audit; this appends cached information for this client to the request for passing to Enforcement. 6.
Figure 832: Administrator connections to Network Access Devices via TACACS+
Configuring the Service
Perform the following steps to configure Policy Manager for TACACS+-based access:
1. Navigate to Configuration > Services.
2. Click the icon to add a service. The Configuration > Services > Add window opens.
3. If it is not already selected, click the Service tab and define basic service information.
a. Enter a name for the service in the Name field.
b.
b. Select AD (Active Directory). For this use case example, Network Access Device authentication data will be stored in the Active Directory.
5. Click the Enforcement tab and select an Enforcement Policy.
a. Click the Enforcement Policy drop-down list and select the Enforcement Policy [Admin Network Login Policy] that distinguishes the two allowed roles (Net Admin Limited and Device SuperAdmin).
6. Click Save. The Service now appears at the bottom of the Services list.
Appendix D Rules Editing and Namespaces
The Policy Manager administration User Interface allows you to create different types of objects:
- Service rules
- Role mapping policies
- Internal user policies
- Enforcement policies
- Enforcement profiles
- Post-audit rules
- Proxy attribute pruning rules
- Filters for Access Tracker and activity reports
- Attributes editing for policy simulation
When editing all these elements, you are presented with a tabular interface with the same column hea
- Authentication Namespaces on page 921
- Authorization Namespaces on page 923
- Certificate Namespaces on page 924
- Connection Namespaces on page 925
- Date Namespaces on page 926
- Device Namespaces on page 926
- Endpoint Namespaces on page 927
- Guest User Namespaces on page 927
- Host Namespaces on page 927
- Local User Namespaces on page 927
- Posture Namespaces on page 928
- RADIUS Namespaces on page 928
- TACACS Namespaces on page 929
- Tips Namespaces on page 929
Applica
- Page-Name
- Provisioning-Settings-ID
- SAMLRequest
- SAMLResponse
- Session-Timeout
- User-Email-Address
Audit Namespaces
The dictionaries in the audit namespace come pre-packaged with the product. The Audit namespace has the notation Vendor:Audit, where Vendor is the name of the company that has defined attributes in the dictionary. Examples of dictionaries in the audit namespace are AvendaSystems:Audit or Qualys:Audit. The Audit namespace appears when editing post-audit rules.
Authentication Namespace Editing Context
The following table describes the Authentication Namespace Attributes parameters:
Table 468: Authentication Namespace Attributes
Attribute Name: InnerMethod
Values:
- CHAP
- EAP-GTC
- EAP-MD5
- EAP-MSCHAPv2
- EAP-TLS
- MSCHAP
- PAP
NOTE: The EAP-MD5 authentication type is not supported if you use the W-ClearPass Policy Manager in the FIPS mode.
Table 468: Authentication Namespace Attributes (Continued)
Attribute Name: MacAuth
Values:
- AuthSource-Unreachable - The authentication source was unreachable
- NotApplicable - Not a MAC Auth request
- Known Client - Client MAC address was found in an authentication source
- Unknown Client - Client MAC address was not found in an authentication source
Attribute Name: Username
Values: The username as received from the client (after the strip user name rules are applied).
RSAToken Instance Namespace
For each instance of an RSA Token Server authentication source, there is an RSA Token Server instance namespace that appears in the rules editing interface. The RSA Token Server instance namespace consists of the attribute names defined when you created an instance of this authentication source. The attribute names are pre-populated for administrative convenience.
Sources
This is the list of the authorization sources from which attributes were fetched for role mapping.
Table 469: Certificate Namespace Attributes (Continued)
Attribute Name / Values:
- Issuer-DC
- Issuer-DN
- Issuer-emailAddress
- Issuer-GN
- Issuer-L
- Issuer-O
- Issuer-OU
- Issuer-SN
- Issuer-ST
- Issuer-UID
- Subject-AltName-DirName
- Subject-AltName-DNS
- Subject-AltName-EmailAddress
- Subject-AltName-IPAddress
- Subject-AltName-msUPN
- Subject-AltName-RegisteredID
- Subject-AltName-URI
The Subject-AltName-* entries are the attributes associated with the subject (user or machine, in this case) alternate name.
Table 470: Connection Namespace Pre-defined Attributes (Continued)
Attribute: NAD-IP-Address
Description: IP address of the network device from which the request originated.
Attribute: Client-Mac-Address
Description: MAC address of the client.
Attributes: Client-Mac-Address-Colon, Client-Mac-Address-Dot, Client-Mac-Address-Hyphen, Client-Mac-Address-Nodelim
Description: Client MAC address in different formats.
Attribute: Client-IP-Address
Description: IP address of the client (if known).
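An added example (illustrative code, not ClearPass code) tying Table 470 to the MAC Authentication use case and the Authentication:MacAuth values of Table 468: it derives the four Client-Mac-Address-* notations from a MAC address written in any of them, and uses the canonical form to decide Known Client versus Unknown Client against a static host list. The static host list, the request values, the lower-case hex output and the treatment of a malformed Calling-Station-Id as Unknown Client are all assumptions made for the example.

```python
# Added example, not ClearPass code: derive the four Connection:Client-Mac-Address-*
# notations from a MAC address in any common notation and use the canonical form
# to decide the Authentication:MacAuth outcome (Known Client / Unknown Client)
# against a static host list. Lower-case hex output is an assumption.
import re

_HEX2 = "[0-9A-Fa-f]{2}"
_HEX4 = "[0-9A-Fa-f]{4}"
_NOTATIONS = (
    re.compile(rf"^(?:{_HEX2}:){{5}}{_HEX2}$"),   # 00:1b:63:84:45:e6  (Colon)
    re.compile(rf"^(?:{_HEX2}-){{5}}{_HEX2}$"),   # 00-1b-63-84-45-e6  (Hyphen)
    re.compile(rf"^(?:{_HEX4}\.){{2}}{_HEX4}$"),  # 001b.6384.45e6     (Dot)
    re.compile(r"^[0-9A-Fa-f]{12}$"),             # 001b638445e6       (Nodelim)
)


def mac_nodelim(raw: str) -> str:
    """Canonical 12 hex digits (Client-Mac-Address-Nodelim).

    Rejects anything that is not exactly one of the four notations, so a short
    value such as '00:1b:63:84:45' or one padded with stray characters is never
    silently turned into a different address.
    """
    value = raw.strip()
    if not any(p.match(value) for p in _NOTATIONS):
        raise ValueError(f"not a MAC address in a recognised notation: {raw!r}")
    return re.sub(r"[:.\-]", "", value).lower()


def mac_formats(raw: str) -> dict[str, str]:
    """All four Connection namespace representations of one MAC address."""
    n = mac_nodelim(raw)
    pairs = [n[i:i + 2] for i in range(0, 12, 2)]
    return {
        "Client-Mac-Address-Colon": ":".join(pairs),
        "Client-Mac-Address-Hyphen": "-".join(pairs),
        "Client-Mac-Address-Dot": ".".join(n[i:i + 4] for i in range(0, 12, 4)),
        "Client-Mac-Address-Nodelim": n,
    }


def mac_auth_status(calling_station_id: str, static_host_list: list[str]) -> str:
    """Return the Authentication:MacAuth value for a MAC auth request.

    Both the request value and every static host list entry are canonicalised
    first, so an entry written as 001b.6384.45e6 still matches a request that
    arrives as 00-1B-63-84-45-E6. A malformed Calling-Station-Id is treated as
    Unknown Client rather than raising (assumption).
    """
    try:
        wanted = mac_nodelim(calling_station_id)
    except ValueError:
        return "Unknown Client"
    known = {mac_nodelim(entry) for entry in static_host_list}
    return "Known Client" if wanted in known else "Unknown Client"


if __name__ == "__main__":
    # Constructed static host list and requests (not from the manual).
    hosts = ["001b.6384.45e6", "aa:bb:cc:dd:ee:ff"]
    for sid in ["00-1B-63-84-45-E6", "001b638445e7", "00:1b:63:84:45"]:
        print(sid, "->", mac_auth_status(sid, hosts))
    print(mac_formats("00:1B:63:84:45:E6"))
```

Canonicalising on both sides is what keeps a static host list usable when different NADs send Calling-Station-Id in different notations; it does nothing against MAC spoofing, which is why the use case above still pairs MAC authentication with an audit and a posture check.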
Endpoint Namespaces
Use these attributes to look for attributes of authenticating endpoints, which are present in the Policy Manager endpoints list. The Endpoint namespace has the following attributes:
- Disabled By
- Disabled Reason
- Enabled By
- Enabled Reason
- Info URL
Guest User Namespaces
The GuestUser namespace has the attributes associated with the guest user (resident in the Policy Manager guest user database) who authenticated in this session.
The LocalUser namespace has four pre-defined attributes:
- Designation
- Email
- Phone
- Sponsor
Custom attributes also appear in the attribute list if they are defined as custom tags for the local user. These attributes can be used only if you have pre-populated the values for these attributes when a local user is configured in Policy Manager.
Posture Namespaces
The dictionaries in the posture namespace are pre-packaged with the product.
RADIUS Namespace Editing Contexts
- Filter rules for Access Tracker and Activity Reports
- Policy simulation attributes
- Post-proxy attribute pruning rules
- RADIUS Enforcement profiles: All RADIUS namespace attributes that can be sent back to a RADIUS client (the ones marked with the OUT or INOUT qualifier)
- Role mapping policies
- Service rules: All RADIUS namespace attributes that can appear in a request (the ones marked with the IN or INOUT qualifier)
TACACS Namespaces
The TACACS (Terminal
Policy Manager does in-place substitution of the value of the variable during run-time rule evaluation. The following built-in variables are supported in Policy Manager:
Table 471: Policy Manager Variables
Variable: %{attribute-name}
Description: attribute-name is the alias name for an attribute that you have configured to be retrieved from an authentication source. See Adding and Configuring Authentication Sources on page 207.
The following table lists the operators presented for common attribute data types:
Table 472: Attribute Operators
Attribute Type: String
Operators:
Attribute Type: Integer
Operators:
Attribute Type: Time or Date
Operators:
Table 472: Attribute Operators (Continued)
Attribute Type: Day
Operators:
- BELONGS_TO
- NOT_BELONGS_TO
Attribute Type: List (Example: Role)
Operators:
- EQUALS
- NOT_EQUALS
- MATCHES_ALL
- NOT_MATCHES_ALL
- MATCHES_ANY
- NOT_MATCHES_ANY
- MATCHES_EXACT
- NOT_MATCHES_EXACT
Attribute Type: Group (Example: Calling-Station-Id, NAS-IP-Address)
Operators:
- BELONGS_TO_GROUP
- NOT_BELONGS_TO_GROUP
- and all string data type operators
The following table describes all operator types:
Table 473: Operator Types
Operator: BEGINS_WITH
Description: For string data type, t
(BEGINS_WITH example, continued) Printers.
Operator: CONTAINS
Description: For string data type, true if the configured value is a substring of the run-time value of the attribute. Example: RADIUS:IETF:NAS-Identifier CONTAINS "VPN"
Operator: ENDS_WITH
Description: For string data type, true if the run-time value of the attribute ends with the configured value. Example: RADIUS:IETF:NAS-Identifier ENDS_WITH "DEVICE"
Operator: EQUALS
Description: True if the run-time value of the attribute matches the configured value. For string data type, this is a case-sensitive comparison.
(MATCHES_ALL example, continued) If the run-time values of Tips:Role are HR,ENG,FINANCE,MGR,ACCT, the condition evaluates to true.
Operator: MATCHES_ANY
Description: For list data types, true if any of the run-time values in the list match one of the configured values. Example: Tips:Role MATCHES_ANY HR,ENG,FINANCE
Operator: MATCHES_EXACT
Description: For list data types, true if all of the run-time values of the attribute match all of the configured values, that is, the two sets are identical with nothing left over on either side. Example: Tips:Role MATCHES_EXACT HR,ENG,FINANCE
Figure 835: Application Attributes Dialog
Deleting an Application Dictionary
In general, there is no need to delete an application dictionary. They have no effect on Policy Manager performance. To delete an application dictionary:
1. Navigate to Administration > Dictionaries > Applications.
2. Click the check box next to an application name.
3. Click Delete.