Dell Networking W-ClearPass Guest 6.0
Deployment Guide

Summary of content (320 pages)

Active Sessions Management. The RADIUS server maintains a list of active visitor sessions. If your NAS equipment supports RFC 3576, the RADIUS dynamic authorization extensions allow you to disconnect or modify an active session. To view and manage active sessions for the RADIUS server, go to Guest > Active Sessions. The Active Sessions list opens.

  • PAGE 60

    If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions. See "RFC 3576 Dynamic Authorization" on page 61 for more information.
    - To disconnect an active session, click the session’s row in the list, then click its Disconnect link. A message is displayed to show that the disconnect is in progress and to acknowledge when it is complete.
    - To reauthorize a session that was disconnected, click the session’s row in the list, then click its Reauthorize link.

  • PAGE 61

    RFC 3576 Dynamic Authorization. Dynamic authorization describes the ability to make changes to a visitor account’s session while it is in progress. This includes disconnecting a session, or updating some aspect of the authorization for the session. The NAS acts on these requests on the strength of the RADIUS shared secret alone, so it should be configured to accept dynamic authorization requests only from the ClearPass server, using a strong secret.
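    The exchange described above, worked through as an added example that is not code from the guide or from ClearPass: the RADIUS server builds an RFC 3576/5176 Disconnect-Request, the NAS answers with a Disconnect-ACK or Disconnect-NAK, and each side checks the other's authenticator before acting. The shared secret, NAS address, user name and session identifier are constructed values.

```python
"""RFC 3576 / RFC 5176 dynamic authorization over RADIUS, standard library only.

Added example, not ClearPass code. The shared secret, NAS address, user name
and session id are made up; the packet layout and the two authenticator
formulas follow RFC 5176 section 3.
"""
import hashlib
import hmac
import struct

# Packet codes assigned by RFC 3576 (now RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attributes commonly used to identify the session (RFC 2865/2866/5176)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value from RFC 5176

HEADER = struct.Struct("!BBH")  # code, identifier, total length; a 16-byte authenticator follows


def encode_attr(attr_type, value):
    """TLV-encode one attribute; RADIUS limits a value to 253 octets."""
    if isinstance(value, str):
        value = value.encode()
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(body):
    """Walk the attribute list, refusing malformed lengths rather than reading past the buffer."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def request_authenticator(packet, secret):
    """RFC 5176 s3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()


def response_authenticator(response, request, secret):
    """RFC 5176 s3: MD5(Code + ID + Length + RequestAuth + attributes + secret)."""
    return hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()


def build_request(code, identifier, attrs, secret):
    """What the RADIUS server sends to the NAS (Disconnect-Request or CoA-Request)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    packet = HEADER.pack(code, identifier, 20 + len(body)) + bytes(16) + body
    return packet[:4] + request_authenticator(packet, secret) + packet[20:]


def build_response(code, request, attrs, secret):
    """What the NAS sends back; the identifier echoes the request it answers."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    response = HEADER.pack(code, request[1], 20 + len(body)) + bytes(16) + body
    return response[:4] + response_authenticator(response, request, secret) + response[20:]


def _well_formed(packet):
    return len(packet) >= 20 and HEADER.unpack_from(packet)[2] == len(packet)


def verify_request(packet, secret):
    """NAS side: only the shared secret protects a Disconnect-Request, so check it before acting."""
    return _well_formed(packet) and hmac.compare_digest(packet[4:20], request_authenticator(packet, secret))


def verify_response(response, request, secret):
    """Server side: the ACK/NAK must echo our identifier and be bound to our Request Authenticator."""
    if not _well_formed(response) or response[1] != request[1]:
        return False
    return hmac.compare_digest(response[4:20], response_authenticator(response, request, secret))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # assumption: the NAS entry's RADIUS secret
    request = build_request(DISCONNECT_REQUEST, 7, [
        (ATTR_USER_NAME, "visitor@example.org"),
        (ATTR_ACCT_SESSION_ID, "5f1a3c2b"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 88, 1])),
    ], secret)
    ack = build_response(DISCONNECT_ACK, request, [], secret)
    nak = build_response(DISCONNECT_NAK, request,
                         [(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))], secret)
    print("request ok:", verify_request(request, secret), "ack ok:", verify_response(ack, request, secret),
          "nak ok:", verify_response(nak, request, secret))
```

    The Disconnect-Request carries no password; the NAS has nothing but the shared secret and the sender's source address to decide whether to tear a session down, which is why the secret must be strong and the NAS should listen for these requests only from the ClearPass server. A NAK's Error-Cause attribute (503 here, Session Context Not Found) is what the Active Sessions page has to report when the session is already gone.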

  • PAGE 62

    Table 11: Operators supported in filters
    - = : is equal to
    - != : is not equal to
    - > : is greater than
    - >= : is greater than or equal to
    - < : is less than
    - <= : is less than or equal to
    - ~ : matches the regular expression
    - !~ : does not match the regular expression
    To restore the default view, click the
    Additional Information: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character (|).
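    The operator semantics in Table 11 applied in code, as an added example that is not from the guide: a small evaluator run over a constructed set of session records, including the pipe-separated multi-value form that is valid only with = and != (with ~ and !~ the pipe is ordinary regular-expression alternation). The field names are assumptions, not ClearPass Guest's own column names.

```python
"""Evaluate Active Sessions filter expressions using the operators of Table 11.

Added example, not ClearPass code. The session rows are constructed and the
field names are assumptions.
"""
import operator
import re

SESSIONS = [  # constructed sample rows
    {"username": "alice", "nas_ip": "192.168.88.10", "session_time": 5400, "os": "iOS"},
    {"username": "bob", "nas_ip": "192.168.88.10", "session_time": 600, "os": "Android"},
    {"username": "carol", "nas_ip": "192.168.88.11", "session_time": 7200, "os": "Windows 7"},
    {"username": "dave@example.org", "nas_ip": "10.1.0.5", "session_time": 30, "os": "Mac OS X"},
]

# Two-character operators are listed first so "!=" and ">=" are not read as "!" + "=" or ">" + "="
_EXPR = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(!~|!=|>=|<=|=|~|>|<)\s*(.*?)\s*$")
_ORDERED = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def parse_filter(expr):
    """Split 'field op value' into its parts; the value may contain spaces or pipes."""
    m = _EXPR.match(expr)
    if not m:
        raise ValueError("filter must be 'field <operator> value'")
    return m.group(1), m.group(2), m.group(3)


def _comparable(actual, wanted):
    """Compare numerically when both sides are numbers, otherwise as strings."""
    try:
        return float(actual), float(wanted)
    except (TypeError, ValueError):
        return str(actual), str(wanted)


def matches(record, field, op, value):
    if field not in record:
        return False
    actual = record[field]
    if op in ("=", "!="):
        # Table 11 note: several values separated by "|" are allowed only with these two operators
        hit = str(actual) in value.split("|")
        return hit if op == "=" else not hit
    if op in ("~", "!~"):
        # Here "|" is regular-expression alternation, not a value separator
        hit = re.search(value, str(actual)) is not None
        return hit if op == "~" else not hit
    left, right = _comparable(actual, value)
    return _ORDERED[op](left, right)


def filter_sessions(sessions, expr):
    field, op, value = parse_filter(expr)
    return [s for s in sessions if matches(s, field, op, value)]


def usernames(sessions, expr):
    """Convenience for reading results: the user names of the rows the filter keeps."""
    return [s["username"] for s in filter_sessions(sessions, expr)]


if __name__ == "__main__":
    for expr in ("username=alice|bob", "session_time>=3600", "os~^(iOS|Android)$", "username!~@"):
        print(f"{expr:24} -> {usernames(SESSIONS, expr)}")
```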

  • PAGE 63

    Sending Multiple SMS Alerts The SMS tab on the Active Sessions page lets you send an SMS alert message to all active sessions that have a valid phone number. An SMS alert during an active session can be used to send a group of visitors information you might want them to have immediately—for example, a special offer that will only be available for an hour, a change in a meeting’s schedule or location, or a public safety announcement. To create an SMS message: 1. Click the SMS tab on the Active Sessions page.


  • PAGE 65

    Chapter 4 Onboard. Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. Dell Networking W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices (Windows, Mac OS X, iOS and Android) across wired, wireless, and VPN connections.

  • PAGE 66

    Onboard Deployment Checklist Table 12 lists planning, configuration, and testing procedures. Use this checklist to complete your Onboard deployment. Onboard events are stored in the Application Log for seven days by default. After seven days, significant runtime events are listed in the Audit Viewer in Dell Networking W-ClearPass Policy Manager’s Monitoring module.

  • PAGE 67

    Deployment Step / Reference:
    - Configure device provisioning settings: select certificate options for device provisioning, and select which device types should be supported. See "Configuring Provisioning Settings" on page 106.
    - Configure network settings for device provisioning: set network properties, upload 802.1X server certificates, and set device-specific networking settings. See "Configuring Network Settings for Device Provisioning" on page 117.
    - Configure networking equipment for non-provisioned devices.

  • PAGE 68

    Feature / Uses: Android devices. Certificate authority – enables the creation and revocation of unique credentials on a specific user’s device.

  • PAGE 69

    a certificate authority (CA). The following sections explain how the certificate authority works, and which certificates are used in this process. Certificate Hierarchy In a public key infrastructure (PKI) system, certificates are related to each other in a tree-like structure.

  • PAGE 70

    Certificate Configuration in a Cluster. When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM server certificates for the cluster. This allows the “verified” message in iOS and lets the device verify that the CPPM server certificate is valid during EAP-PEAP or EAP-TLS authentication, whichever node it authenticates against. In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node.

  • PAGE 71

    Re-Provisioning a Device Because “bring your own” devices are not under the complete control of the network administrator, it is possible for unexpected configuration changes to occur on a provisioned device. For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the configuration on the device.

  • PAGE 72

    - Configure the provisioning SSID to use PEAP, or another suitable authentication method.
    - When a user connects to the provisioning SSID, place them into a provisioning role. The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
    - When a user connects to the provisioned SSID, authenticate based on the type of credentials presented.

  • PAGE 73

    Figure 11: ClearPass Onboard Network Architecture The sequence of events shown in Figure 11 is: 1. Users bring their own device to the enterprise. 2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. 3. Once provisioned, the device re-authenticates to the network using a set of unique device credentials. These credentials uniquely identify the device and user and enable management of provisioned devices. 4.

  • PAGE 74

    1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks. 2. The Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. The provisioning method used depends on the type of device. a.

  • PAGE 75

    The ClearPass Onboard Process Devices Supporting Over-the-Air Provisioning Dell Networking W-ClearPass Onboard supports secure device provisioning for iOS 4, iOS 5, and recent versions of Mac OS X (10.7 “Lion” and later). These are collectively referred to as “iOS devices”. The Onboard process for iOS devices is shown in Figure 14. Figure 14: ClearPass Onboard Process for iOS Devices The Onboard process is divided into three stages: 1. Pre-provisioning.

  • PAGE 76

    1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page. 2. A link on the mobile device provisioning page prompts the user to install the enterprise’s root certificate. Installing the enterprise’s root certificate enables the user to establish the authenticity of the provisioning server during device provisioning. 3.

  • PAGE 77

    Figure 17: ClearPass Onboard Process for Onboard-Capable Devices The Onboard process is divided into three stages: 1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be installed for secure provisioning of the device. 2. Provisioning. The device provisioning page detects the device type and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server.

  • PAGE 78

    2. The Onboard portal is displayed. The user’s device type is detected, and a link is displayed depending on the device type: a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this file will launch the QuickConnect app on the device. b. For Windows and Mac, the link is to an executable file appropriate for that operating system that includes both the QuickConnect app and the Onboard configuration settings. 3.

  • PAGE 79

    2. To upload applications, click the Content Manager link above the form. 3. To select applications to install, mark their check boxes, then click Save Changes. Configuring the User Interface for Device Provisioning. The user interface for device provisioning can be customized in three different ways:
    - Customizing the Web login page used for device provisioning. All devices will reach the device provisioning Web login page as the first step of the provisioning process.

  • PAGE 80

    To modify the instructions provided to users on the device provisioning page, edit the contents of the Header HTML text area. The default instructions are displayed to the user as: This corresponds to the following text prepopulated in the Header HTML text area:

    Please configure security and network settings on your device to allow secure
    access to the internal network. Please follow the instructions listed below:

    1.

  • PAGE 81

    Name / Description:
    - wifi_ssid: Name of the wireless network. See "Configuring Basic Network Access Settings" on page 118. Example: Connect to the network named {nwa_mdps_config name=wifi_ssid}
    - organization_name: The organization name. See "Configuring Basic Provisioning Settings" on page 107.

  • PAGE 82

    The Name and Description fields are used internally to identify this certificate authority for the network administrator. These values are never displayed to the user during device provisioning. Select the appropriate mode for the certificate authority:
    - Root CA – The Onboard certificate authority issues its own root certificate. The certificate authority issues client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate.

  • PAGE 83

    NOTE: If you intend to change any of the root certificate's distinguished name properties, and you have previously created any client or server certificates or performed device provisioning using the existing root certificate, these certificates will be invalidated and deleted because the root certificate's distinguished name has changed.

  • PAGE 84

    - The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options:
      - 1024-bit RSA – not recommended for a root certificate (1024-bit RSA is no longer considered adequate for a CA key; choose it only if legacy clients cannot handle larger keys)
      - 2048-bit RSA – recommended for general use
      - 4096-bit RSA – higher security
    In the Self-Signed Certificate section:
    - Use the CA Expiration field to specify the lifetime of the root certificate in days. The default value of 3653 days is a 10-year lifetime.

  • PAGE 85

    In the Identity section of the form:
    - Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the certificate authority.
    - Enter a descriptive name for the certificate authority in the Common Name text field. This value will be used to identify the intermediate certificate as the issuer of client and server certificates from this certificate authority.

  • PAGE 86

    Click the Create Certificate Request button to save the settings and generate a new certificate signing request. Obtaining a Certificate for the Certificate Authority The Intermediate Certificate Request page displays the certificate signing request for the certificate authority’s intermediate certificate. This page is also used to renew the certificate authority’s intermediate certificate when it is close to expiring. You can copy the certificate signing request in text format using your Web browser.

  • PAGE 87

    Click the link to submit a request using a base-64-encoded CMC or PKCS #10 file. The Submit a Certificate Request or Renewal Request page is displayed. Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select the “Subordinate Certificate Authority” template in the Certificate Template drop-down list. Click the Submit button to issue the certificate.

  • PAGE 88

    If the Certificate Pending page is displayed, follow the directions on the page to retrieve the certificate when it is issued. Figure 21: The Certificate Issued Page If the Certificate Issued page is displayed, select the Base 64 encoded option and then click the Download certificate chain link. A file containing the intermediate certificate and the issuing certificates in the trust chain will be downloaded to your system.

  • PAGE 89

    3. Select one of the radio buttons to either copy and paste the certificate as encoded text or browse to the file to upload. The form expands to include options for that method. 4. If you selected Copy and paste certificate as text:
    - To upload a single certificate, copy and paste the certificate into the Certificate text field. The text must include the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines. Leave the passphrase fields blank.

  • PAGE 90

    6. Click the Upload Certificate button to save your changes. If additional certificates are required, you will remain at the same page. Check the message displayed above the form to determine which certificate or type of file must be uploaded next. When the trust chain is complete, it will be displayed. This completes the initialization of the certificate authority. Renewing the Certificate Authority’s Certificate When a root certificate is close to expiration, it must be renewed.
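    The hierarchy described on pages 82 through 90 (a root CA, a subordinate intermediate that actually signs client and server certificates, and a trust chain that must be uploaded complete), as an added example that is not from the guide and does not use ClearPass's own CA: it drives the openssl command-line tool, assumed to be on the PATH (OpenSSL 1.1.1 or 3.x), to create the same three tiers and then shows that a device certificate verifies only when the intermediate is supplied along with the root. File names, distinguished names and validity periods are constructed; the 4096-bit root, 2048-bit signing CA and 3653-day root lifetime mirror the options the guide mentions.

```python
"""Three-tier Onboard-style PKI built with the openssl CLI, then chain checks.

Added example, not ClearPass code. Assumes an `openssl` binary (1.1.1 or 3.x)
on the PATH. Names, DNs and lifetimes are made up; the 4096-bit root, 2048-bit
signing CA and 3653-day root lifetime mirror the options the guide describes.
"""
import os
import subprocess
import tempfile

# One config file carries the DN settings plus one extension section per tier
OPENSSL_CNF = """[req]
distinguished_name = dn
prompt = no
[dn]
commonName = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
"""


def make_workdir():
    return tempfile.mkdtemp(prefix="onboard-pki-")


def _openssl(args, cwd=None):
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True)


def _run(args, cwd):
    result = _openssl(args, cwd)
    if result.returncode != 0:
        raise RuntimeError(result.stderr)
    return result.stdout


def build_pki(workdir, root_bits=4096, signing_bits=2048,
              root_days=3653, signing_days=1826, client_days=365):
    """Create root -> signing (intermediate) CA -> device certificate; return the file paths."""
    with open(os.path.join(workdir, "ca.cnf"), "w") as f:
        f.write(OPENSSL_CNF)
    # 1. Self-signed root: in "Root CA" mode this is the certificate devices are asked to install
    _run(["req", "-x509", "-config", "ca.cnf", "-extensions", "v3_root",
          "-newkey", f"rsa:{root_bits}", "-nodes", "-sha256",
          "-keyout", "root.key", "-out", "root.pem", "-days", str(root_days),
          "-subj", "/C=US/O=Example Corp/CN=Example Corp Root CA"], workdir)
    # 2. Signing CA: key + CSR (what the Intermediate Certificate Request page shows),
    #    then the root issues it as a subordinate CA that may not issue further CAs (pathlen:0)
    _run(["req", "-new", "-config", "ca.cnf", "-newkey", f"rsa:{signing_bits}", "-nodes", "-sha256",
          "-keyout", "signing.key", "-out", "signing.csr",
          "-subj", "/C=US/O=Example Corp/OU=IT/CN=Example Corp Onboard Signing CA"], workdir)
    _run(["x509", "-req", "-in", "signing.csr", "-CA", "root.pem", "-CAkey", "root.key",
          "-CAcreateserial", "-days", str(signing_days), "-sha256",
          "-extfile", "ca.cnf", "-extensions", "v3_intermediate", "-out", "signing.pem"], workdir)
    # 3. A device (TLS client) certificate issued by the signing CA, never by the root directly
    _run(["req", "-new", "-config", "ca.cnf", "-newkey", "rsa:2048", "-nodes", "-sha256",
          "-keyout", "device.key", "-out", "device.csr",
          "-subj", "/C=US/O=Example Corp/CN=alice@example.org"], workdir)
    _run(["x509", "-req", "-in", "device.csr", "-CA", "signing.pem", "-CAkey", "signing.key",
          "-CAcreateserial", "-days", str(client_days), "-sha256",
          "-extfile", "ca.cnf", "-extensions", "v3_client", "-out", "device.pem"], workdir)
    names = ("root.pem", "signing.pem", "device.pem", "root.key", "signing.key", "device.key")
    return {n: os.path.join(workdir, n) for n in names}


def verify_chain(trusted_root, cert, untrusted=None):
    """Like a client validating a certificate: a trusted root plus whatever intermediates it was given."""
    args = ["verify", "-CAfile", trusted_root]
    if untrusted:
        args += ["-untrusted", untrusted]
    return _openssl(args + [cert]).returncode == 0


def name_of(cert, which):
    """Subject or issuer DN in RFC 2253 form, e.g. name_of(path, "issuer")."""
    out = _run(["x509", "-in", cert, "-noout", f"-{which}", "-nameopt", "RFC2253"], None)
    return out.strip().split("=", 1)[1]


if __name__ == "__main__":
    paths = build_pki(make_workdir())
    print("with chain:", verify_chain(paths["root.pem"], paths["device.pem"], paths["signing.pem"]))
    print("root only :", verify_chain(paths["root.pem"], paths["device.pem"]))
```

    The second check is the failure the upload page guards against: a device certificate chains to the signing CA, not to the root, so a relying party that was given only the root cannot build the chain. That is why the guide has you download the certificate chain from the issuing CA and keep uploading until the trust chain is shown complete.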

  • PAGE 91

    In the Onboard Device Certificates section of the form, specify a value in the Minimum Period and Maximum Period fields that is appropriate for your organization’s retention policy. NOTE: Use a blank value for Minimum Period to enable the Delete Certificate and Delete Request actions in the Certificate Management list view. This is useful for testing and initial deployment.

  • PAGE 92

    To export a certificate: 1. Click the Download Bundle link. The Export Certificate form opens. 2. In the Format row, choose the certificate format. The form expands to include configuration options for that format. 3. Complete the fields with the appropriate information, then click Export Certificate.

  • PAGE 93

    Creating a Certificate. From the Certificate Management page, click the Generate a new certificate signing request link to access the Certificate Request form. To create a new certificate or certificate signing request, first select the type of certificate you want to create from the Certificate Type drop-down list:
    - TLS Client Certificate – Use this option when the certificate is to be issued to a client, such as a user or a user’s device.

  • PAGE 94

    - Organizational Unit
    - Common Name – this is the primary name used to identify the certificate
    - Email Address
    The Key Type drop-down list specifies the type of private key that should be created for the certificate.

  • PAGE 95

    Name / Description:
    - Device Serial: Serial number of the device.
    - MAC Address: IEEE MAC address of this device.
    - Product Name: Product string identifying the device and often including the hardware version information.
    - Product Version: Software version number for the device.
    - User Name: Username of the user who provisioned the device.
    Issuing the Certificate Request. Mark the Issue this certificate immediately check box to automatically create the certificate.

  • PAGE 96

    Table 17: Types of Certificate Supported by Onboard Certificate Management (Certificate Type / “Type” Column / Notes)
    - Root certificate / ca / Self-signed certificate for the certificate authority
    - Intermediate certificate / ca / Issued by the root CA or another intermediate CA
    - Profile signing certificate / profile-signing / Issued by the certificate authority
    - Certificate signing request / tls-client or trusted / The type shown depends on the kind of certificate requested
    - Rejected certificate signing request / tls-cl

  • PAGE 97

    Working with Certificates in the List. Click on a certificate to select it. You can then select from one of these actions:
    - View certificate – Displays the properties of the certificate. Click the Cancel button to close the certificate properties.
    - Export certificate – Displays the Export Certificate form. Use the Format drop-down list to select the format in which the certificate should be exported. The following formats are supported: PKCS#7 Certificates (.

  • PAGE 98

    Mark the Revoke this client certificate check box to confirm that the certificate should be revoked, and then click the Revoke Certificate button. Once the certificate has been revoked, future checks of the certificate’s validity using OCSP or CRL will indicate that the certificate is no longer valid. A relying party that has cached an earlier OCSP response or CRL will keep accepting the certificate until that cached response expires. NOTE: Due to the way in which certificate revocation lists work, a certificate cannot be un-revoked. A new certificate must be issued if a certificate is revoked in error.

  • PAGE 99

    The Delete Certificate form is displayed. Mark the Delete this client certificate check box to confirm the certificate’s deletion, and then click the Delete Certificate button. Working with Certificate Signing Requests Certificate signing requests can be managed through the Certificate Management list view. This allows for server certificates, subordinate certificate authorities, and other client certificates not associated with a device to be issued by the Onboard certificate authority.

  • PAGE 100

    ClearPass Policy Manager as the server certificate (ClearPass Policy Manager does not accept PKCS#7). To include the trust chain in a certificate bundle that can be imported as the server certificate in ClearPass Policy Manager, mark the Include certificate trust chain check box, then click the Export Certificate button. Click the Export Request button to download the certificate signing request file in the selected format.
    - Sign request – Displays the Sign Request form.

  • PAGE 101

    Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button.
    - Delete request – Removes the certificate signing request from the list. This option is only available if the data retention policy is configured to permit the certificate signing request’s deletion. See "Configuring Data Retention Policy for Certificates" on page 90. The Delete Request form is displayed.

  • PAGE 102

    An operator’s profile must include the Import Code-Signing Certificate privilege in order to access this feature. To import a code-signing certificate: 1. Go to Onboard > Certificate Management or Onboard > Provisioning Settings and click the Upload a codesigning certificate link at the top of the page. The Code-Signing Certificate Import form opens. 2. In the Certificate Type drop-down list, choose the file type—either SPC, PFX, PKCS-7, or PKCS-12.

  • PAGE 103

    3. Complete the rest of the form with your information. Mark the Issue this certificate immediately check box, then click Create Certificate Request. The test certificate is displayed in the list on the Certificate Management page, and can be selected on the Provisioning Settings form. Importing a Trusted Certificate Onboard’s Certificate Management page supports importing trusted certificates. Certificates may be uploaded in PEM format (*.pem). To import a trusted certificate: 1.

  • PAGE 104

    3. You can use the following additional options in the upper-right corner of the Import Trusted Certificate page:
    - Click the Upload another trusted certificate link to upload additional certificates.
    - Click the Edit trust settings link to open the Trust tab of the Network Settings form.
    Requesting a Certificate. From the Certificate Management page, open the Certificate Signing Request form.

  • PAGE 105

    Paste the text into the Certificate Signing Request text field. Be sure to include the complete block of text, including the beginning and ending lines.

  • PAGE 106

    NOTE: The file should be a base-64 encoded (PEM format) PKCS#10 certificate signing request. Specifying Certificate Properties. Select the type of certificate from the Certificate Type drop-down list. Choose from one of the following options:
    - TLS Client Certificate – Use this option when the certificate is to be issued to a client, such as a user or a user’s device.

  • PAGE 107

    Configuring Basic Provisioning Settings To configure basic provisioning settings: 1. Go to Onboard > Provisioning Settings and click the General tab. The first part of the Device Provisioning Settings form’s General tab is used to specify basic information about Onboard provisioning. 2. The Name and Description fields are used internally to identify this set of Onboard settings for the network administrator. These values are never displayed to the user during device provisioning. 3.

  • PAGE 108

    - The “not valid before” time is set to the current time, less the clock skew allowance.
    - The “not valid after” time is first calculated as the earliest of the following: the current time plus the maximum validity period; the expiration time of the user account for whom the device certificate is being issued.
    - The “not valid after” time is then increased by the clock skew allowance.
    5.
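    The validity rule above carried through in code, as an added example that is not ClearPass code: the window is computed for an ordinary issuance, for a visitor account that expires before the maximum period, and for the account that has already expired (the guide does not say what happens then; refusing to issue is an assumption of this example). The ten-minute clock-skew allowance is also an assumed value, and the last function shows what that allowance buys a client whose clock runs slow.

```python
"""Device certificate validity window, following the rule on page 108.

Added example, not ClearPass code. The 10-minute skew allowance and the
"do not issue an already-dead certificate" check are assumptions.
"""
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def days(n):
    return timedelta(days=n)


def minutes(n):
    return timedelta(minutes=n)


def device_cert_validity(now, max_validity, account_expiry=None, clock_skew=minutes(10)):
    """Return (not_before, not_after) for a device certificate issued at `now`.

    not_before = now - skew
    not_after  = min(now + max_validity, account_expiry) + skew
    """
    not_before = now - clock_skew
    not_after = now + max_validity
    if account_expiry is not None and account_expiry < not_after:
        not_after = account_expiry  # a visitor account that ends sooner bounds the certificate
    not_after += clock_skew
    if not_after <= not_before:
        # Assumed safeguard: an account that has already expired would give an
        # unusable window, so refuse rather than hand out a dead certificate.
        raise ValueError("account expiry leaves no usable validity window")
    return not_before, not_after


def is_valid_at(when, window):
    """The check a relying party makes with its own clock; no tolerance of its own."""
    not_before, not_after = window
    return not_before <= when <= not_after


if __name__ == "__main__":
    now = utc(2013, 3, 1, 9, 0)
    print("one year     :", device_cert_validity(now, days(365)))
    print("3-day account:", device_cert_validity(now, days(365), account_expiry=now + days(3)))
    slow_client = now - minutes(5)  # a device whose clock is five minutes behind the CA
    print("slow clock, with skew   :", is_valid_at(slow_client, device_cert_validity(now, days(365))))
    print("slow clock, without skew:", is_valid_at(slow_client, device_cert_validity(now, days(365), clock_skew=minutes(0))))
```

    The two "slow clock" lines are the point of the allowance: a device provisioned moments ago would otherwise reject its own brand-new certificate as not yet valid.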

  • PAGE 109

    Name / Description / OID:
    characters, respectively).
    - MAC Address: IEEE MAC address of this device. This element may be present multiple times, if a device has more than one MAC address (for example, an Ethernet port and a Wi-Fi adapter). OID: mdpsMacAddress (.5)
    - Product Name: Product string identifying the device and often including the hardware version information. OID: mdpsProductName (.6)
    - Product Version: String containing the software version number for the device. OID: mdpsProductVersion (.

  • PAGE 110

    3. In the Unsupported Device text box, enter instructions to be displayed to the user if they attempt to provision an unsupported device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the following default text will be displayed: “Your operating system is not supported. Please contact your network administrator.” 4.

  • PAGE 111

    4. In the Profile Security row, select one of the following options from the drop-down list to control how a device provisioning profile may be removed:
    - Always allow removal – The user may remove the device provisioning profile at any time, which will also remove the associated device configuration and unique device credentials.
    - Remove only with authorization – The user may remove the device provisioning profile if they also provide a password.

  • PAGE 112

    3. In the Allow Manual Reconnect row, mark the check box if you want to allow the device to be manually reconnected to the provisioned network. Manual reconnect only applies when automatic reconnect is not allowed or not applicable. 4. In the Manual Reconnect Interface row, enter the text that will be shown to the user if manual reconnect is allowed and applicable. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed. 5.

  • PAGE 113

    2. To enable provisioning OS X 10.5 and 10.6 devices, mark the check box in the OS X 10.5/6 Devices row. 3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 4. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device.

  • PAGE 114

    2. To enable provisioning Windows devices, mark the check box in the Windows Devices row. 3. In the Code-Signing Certificate drop-down list, select a certificate for signing the provisioning application, or leave the default setting of None – Do not sign the application. An unsigned provisioning application is flagged by Windows as coming from an unknown publisher when the user runs it, so sign it with a certificate the device trusts for production use. 4. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions.

  • PAGE 115

    2. To enable provisioning Android devices, mark the check box in the Android Devices row. 3. In the Android Rootkit Detection drop-down list, choose one of the following options:
    - Provision all devices – All Android devices will be provisioned.
    - Do not provision rooted devices – Onboard will detect a rooted Android device and will not provision the device if it has been compromised.
    4.

  • PAGE 116

    6. In the Before Profile Install text box, enter the instructions that are shown to the user before they install the network profile on their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 7. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions.

  • PAGE 117

    - Other IP address or hostname… – Select this option to override the hostname or IP address to be specified during device provisioning. The administrator must enter the hostname or IP address in the “Address” text field. Use this option when special DNS or NAT conditions apply to devices that are in a provisioning role.
    3. If you chose Other IP address or hostname in the Provisioning Address drop-down list, use the Address field to enter a hostname or IP address. 4.

  • PAGE 118

    All networks that have been provisioned are included in the list. To view details for a network, or to configure a network, click the network’s row in the list. The row expands to include the Show Details, Edit, Disable or Enable, and Delete options. Configuring Basic Network Access Settings 1. To configure the network settings that will be provisioned to devices, click the network’s Edit link. To create a new network, click the Create new network link in the upper-right corner.

  • PAGE 119

    2. To edit the network’s basic and wireless network access options, click the Access tab. 3. If you need to edit the network’s name, enter the new name in the Name field. 4. You can use the check box in the Enabled row to enable or disable the network in the device profile. 5. (Optional) You may enter additional identifying information in the Description field. 6.

  • PAGE 120

    - The drop-down list in the OS X Profile row allows you to select the type of profile to create when an OS X 10.7 (or later) device is provisioned. To create a per-user profile, select the User option. To create a system profile, select the System option. The System option can be used in settings where the device has several users and a single profile might be preferred to individual user profiles—for example, where an iMac in a high school classroom is used by all the students.

  • PAGE 121

    - Configure PEAP with MSCHAPv2 for Onboard devices – Android, Windows, and legacy OS X (10.5/10.6).
    - Configure EAP-TLS for iOS devices and OS X (10.7 or later).
    - Other EAP methods, while possible, are limited in their applicability and should only be used if you have a specific requirement for that method.

  • PAGE 122

    - Machine Only – Use computer-only credentials.
    - User Only – Use user-only credentials.
    - Machine Or User – Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.
    - Guest – Use guest-only credentials.
    3. Do one of the following:
    - Click the Previous button to return to the Protocols tab.

  • PAGE 123

    Configuring Trust Settings Manually. 1. To change the recommended default setting and configure trust settings manually, choose Manually configure certificate trust settings in the Configure Trust drop-down list. The form expands to include configuration options. 2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only server certificates whose names appear in this list will be trusted.

  • PAGE 124

    7. In the Windows Trust area, mark the Validate the server certificate check box. This ensures that the provisioned device checks that the server certificate is valid before using the server for authentication. If this check box is unmarked, the configuration is not secure: an attacker operating a rogue access point could present any server certificate, the client would not verify it, and the client would then carry out its PEAP inner authentication against the attacker’s server. 8. Do one of the following:
    - Click the Previous button to return to the Authentication tab.

  • PAGE 125

    - Click the Create Network button to make the new network configuration settings take effect.
    - Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.
    Configuring Proxy Settings. Click the Proxy tab to display the Proxy Settings form. Select one of these options in the Proxy Type drop-down list:
    - None – No proxy server will be configured.
    - Manual – A proxy server will be configured, if the device supports it.

  • PAGE 126

    This page is used to automatically configure virtual private networking (VPN) settings on the iOS device. Use this option when you have deployed a VPN infrastructure and want to automatically provide the secure connection settings to users at the time of device provisioning. NOTE: ClearPass Onboard VPN settings can only be used with iOS 4 and iOS 5 devices. Other platforms are not supported. Mark the Add this VPN to the device profile check box to enable provisioning of VPN settings.

  • PAGE 127

    - Shared Secret / Group Name – An optional group name may be specified. A shared secret (pre-shared key) is used to establish the IPsec VPN. Authentication is performed with a username and password.
    The Proxy Settings section of the form specifies a proxy server that is used when the VPN connection is active. Select one of these options in the Proxy Setup drop-down list:
    - None – No proxy server will be configured with this VPN profile.

  • PAGE 128

    Mark the Add this ActiveSync configuration to the device profile check box to enable email account provisioning. The Account Name text field specifies the name for this email account. This will be displayed on the device in the Settings app, and also within the Mail app to identify the mailbox. To help the user identify this mailbox easily, include your organization’s name in the Account Name field. For example, use “ACME Sprockets Mail”.

  • PAGE 129

    In the Sync Settings group, choose one of the following options from the Days of Mail drop-down list: No Limit, 1 day, 3 days, 1 week, 2 weeks, or 1 month. Click the Save Changes button to save the Exchange ActiveSync profile and return to the main Onboard configuration user interface. Configuring an iOS Device Passcode Policy. To make changes to the Passcode Policy configuration that will be sent to a device, go to Onboard > Passcode Policy, or click the Passcode Policy command link.

  • PAGE 130

    To enable the passcode policy on all iOS devices, mark the Enable passcode policy check box and configure the remaining options according to your enterprise’s security requirements. Click the Save Changes button to save the passcode policy settings and return to the main Onboard configuration user interface.

  • PAGE 131

    Select one of the following options in the Reset Type drop-down list:
    - Delete all client certificates – Removes all client certificates from Certificate Management. The certificate authority’s root certificate, intermediate certificate, profile signing certificate, and any server certificates are not affected. The provisioning settings for iOS and Onboard-capable devices are not modified.

  • PAGE 132

    Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate. Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”. A workaround for this issue is to install an appropriate root certificate on the iOS device.

  • PAGE 133

    Chapter 5 Configuration Dell Networking W-ClearPass Guest’s built-in Configuration editor lets you customize many aspects of the appearance, settings, and behavior of the application.

  • PAGE 134

    Configuring ClearPass Guest Authentication

    You can use the Configuration module to modify authentication settings for the Dell Networking W-ClearPass Guest application. To configure ClearPass Guest’s authentication settings:
    1. Go to Configuration > Authentication. The Authentication Settings form opens.
    2. To send automatic disconnect or re-authorization messages when enabled or role values change, mark the check box in the Dynamic Authorization row.

  • PAGE 135

    To use a content item, you can insert a reference to it into any custom HTML editor within the application. To do this, select the content item you want to insert from the drop-down list located in the lower right corner of the editor. The item will be inserted using HTML that is most suited to the type of content inserted. To manually reference a content item, you can use the URL of the item directly. For example, an item named logo.jpg could be accessed using a URL such as: http://192.168.88.

  • PAGE 136

    After you have completed the form, click the Fetch Content button to have the file downloaded. The file is placed in the public directory on the Web server. You are then able to reference this file when creating custom HTML templates.

    Additional Content Actions

    To work with your content items:
    1. Go to Configuration > Content Manager, then click the item’s row in the list. The row expands to include the Properties, Delete, Rename, Download, View Content, and Quick View options.
    2.

  • PAGE 137

    Customizing Guest Manager

    Guest Manager allows the entire guest account provisioning process to be customized. This is useful in many different situations, such as:
    - Self-registration – Allow your guests to self-register and create their own temporary visitor accounts.
    - Visitor surveys – Define custom fields to store data of interest to you, and collect this information from guests using customized forms.
    - Branded print receipts – Add your own branding images and text to print receipts.

  • PAGE 138

    Figure 23: Sample Guest Receipt Showing Aruba as the Default Site SSID

    - Site WPA Key – The encryption key used to secure the wireless network. If a value is entered in this field, it will appear on guest print receipts.
    - Username Type – The default method used to generate random account usernames (when creating groups of accounts). This may be overridden by using the random_username_method field.

  • PAGE 139

      - At least one digit
      - At least one letter and one digit
      - At least one of each: uppercase letter, lowercase letter, digit
      - At least one symbol
      - At least one of each: uppercase letter, lowercase letter, digit, and symbol
    - Minimum Password Length – The minimum acceptable password length for guests changing their account passwords.
    - Disallowed Password Characters – Special characters that should not be allowed in a guest password. Spaces are not allowed by default.
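    The password complexity options, minimum length and disallowed characters listed above can be expressed as a small policy checker. The following is an added example and not ClearPass Guest's own code: the rule names and the definition of a "symbol" (any ASCII punctuation character) are assumptions made here for illustration.

```python
"""Guest password policy checker.

Added example, not ClearPass Guest's own code. It models the password
complexity options, minimum length and disallowed characters described
in the guide. The rule names and the definition of "symbol" (any ASCII
punctuation character) are assumptions of this example.
"""
import string


def _has(pred, password):
    """True if at least one character of the password satisfies pred."""
    return any(pred(c) for c in password)


def _is_symbol(c):
    # Assumption: a "symbol" is any ASCII punctuation character.
    return c in string.punctuation


# Each complexity option maps to a predicate over the whole password.
# The keys are assumed names for the options the guide lists.
COMPLEXITY_RULES = {
    "digit": lambda p: _has(str.isdigit, p),
    "letter_and_digit": lambda p: _has(str.isalpha, p) and _has(str.isdigit, p),
    "upper_lower_digit": lambda p: (_has(str.isupper, p) and _has(str.islower, p)
                                    and _has(str.isdigit, p)),
    "symbol": lambda p: _has(_is_symbol, p),
    "upper_lower_digit_symbol": lambda p: (_has(str.isupper, p) and _has(str.islower, p)
                                           and _has(str.isdigit, p) and _has(_is_symbol, p)),
}


def check_password(password, complexity="upper_lower_digit", min_length=8, disallowed=" "):
    """Return a list of policy violations; an empty list means the password is acceptable.

    disallowed defaults to a single space, matching the guide's note that spaces
    are not allowed by default; min_length=8 is an assumed default for the example.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    bad = sorted({c for c in password if c in disallowed})
    if bad:
        problems.append("contains disallowed character(s): " + ", ".join(repr(c) for c in bad))
    if not COMPLEXITY_RULES[complexity](password):
        problems.append(f"does not satisfy complexity rule '{complexity}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Abcdef12", "abc 123", "Abcdef1!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

    Every violation is reported rather than only the first, which is what a guest-facing change-password form needs in order to show the user the complete set of corrections.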

  • PAGE 140

    Figure 25: Customize Guest Manager Page, Continued (lower section)

    - Terms of Use URL – URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use using the Content Manager (See "Content Manager" on page 134). If this file is called terms.html then the Terms of Use URL should be public/terms.html.
    - Active Sessions – Default maximum number of active sessions that should be allowed for a guest account.

  • PAGE 141

    - About Guest Network Access – Allows the text displayed to operators on the Guest Manager start page to be customized, or removed (if a single hyphen “-” is entered).

    About Fields, Forms, and Views

    - A field is a named item of information. It may be used to display information to a user as static text, or it may be an interactive field where a user can select an option or enter text.
    - A form is a group of fields that is used to collect information from an operator.

  • PAGE 142

    - role_id: This field is the role to assign to the visitor account and may be specified directly. If this field is not specified, then determine the role ID from the role_name field. If no valid role ID is able to be determined, the visitor account is not created.
    - simultaneous_use: This field determines the maximum number of concurrent sessions allowed for the visitor account. If this field is not specified, the default value from the GuestManager configuration is used.

  • PAGE 143

      - If expire_after is set and not zero and the account will be activated immediately, then add the value in hours to the current time to determine the expiration time.
      - If expire_after is set and not zero and account activation is set for a future time (schedule_time) instead of the current time, then the expiration time is calculated relative to the activation time instead of the current time.

  • PAGE 144

    Table 19: Visitor Management Forms and Views

    Name                Type   Visitor Management Function   Editable?
    change_expiration   Form   Change Expiration             Yes
    create_multi        Form   Create Multiple               Yes
    create_user         Form   Create Account                Yes
    guest_edit          Form   Edit Account                  Yes
    guest_export        View   Export Accounts               Yes
    guest_multi         View   Edit Multiple Accounts        Yes
    guest_multi_form    Form   Edit Multiple Accounts        Yes
    guest_receipt       Form   Print Receipt                 No
    guest_register      Form   Guest Self-Registration       Yes
    guest_regist

  • PAGE 145

    Customizing Fields Custom fields are fields that you define yourself to cater for areas of interest to your organization. You are able to define custom fields for your guest accounts as well as edit the existing fields. In addition you can delete and duplicate fields. For your convenience you are also able to list any forms or views that use a particular field. NOTE: Fields that have a lock symbol cannot be deleted.

  • PAGE 146

    You can specify the default properties to use when adding this field to a view. See "View Field Editor" on page 169 for a description of the view display fields, including the Column Type and Column Format fields. You can specify the default properties to use when adding the field to a form. See "View Field Editor" on page 169 for a list of the available user interface types. You can specify the default validation rules that should be applied to this field when it is added to a form.

  • PAGE 147

    Click the Save Changes button to complete the creation of a new field. The new field is added at the top of the field list. To change the position of the new field, you can re-sort the list or you can reload the page. Duplicating a Field To duplicate a field, click the field to be duplicated, then click the Duplicate link. The field is copied and a number appended to the end of the field name—for example, if you were to duplicate the card_code field, the duplicated field would be card_code_1.

  • PAGE 148

    1. Go to Configuration > Fields and click the airgroup_shared_location or airgroup_shared_role row. The form expands to include the Edit, Duplicate, Show Forms, and Show Views links.
    2. Click the Edit link. The Define Custom Field form opens. Scroll to the Default Form Display Properties section.
    3. In the User Interface drop-down list, select Checklist.
    4. In the Description text box, delete the existing text, then enter Select the location IDs where this device will be shared.

  • PAGE 149

    1. Scroll to the Advanced Properties section of the form and mark the check box in the Advanced row. The form expands to include the advanced options.
    2. In the Conversion drop-down list, select NwaImplodeComma. The form expands to include the Type Error row.
    3. In the Display Function drop-down list, select NwaExplodeComma. The form expands to include the Display Param and Display Arguments rows.
    4. In the Display Param text field, enter the value _self.

  • PAGE 150

    Customizing Forms and Views You are able to view a list of forms and views. From this list view, you can change the layout of forms or views, add new fields to a form or view, or alter the behavior of an existing field. To view or customize forms and views, go to Configuration > Forms & Views. The Customize Forms and Views page opens. You can open a form or view directly from the Forms and Views page.

  • PAGE 151

    Editing Forms and Views You can change the general properties of a form or view such as its title and description. To edit the form or view, go to Configuration > Forms & Views, click the form’s or view’s row in the list, then click its Edit link. The row expands to include the Edit Properties form. The Width field is only displayed for views. It specifies the total width of the list view in pixels. If blank, a default value is used.

  • PAGE 152

    Click the Delete link for a duplicated form or view to remove the copy. A duplicated item cannot be removed if it is referenced by an operator login account or an operator profile. Editing Forms To add a new field to a form, reorder the fields, or make changes to an existing field, go to Configuration > Forms & Views, click the form’s row in the Customize Forms & Views list, and then click the Edit Fields link. The Customize Form Fields view opens.

  • PAGE 153

    Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form. The remainder of the form field editor is split into three sections:
    - Form Display Properties
    - Form Validation Properties
    - Advanced Properties

    See "Form Display Properties" on page 153 for detailed descriptions of these form sections.

    Form Display Properties

    The form display properties control the user interface that this field will have.

  • PAGE 154

    - Check box – A check box is displayed for the field, as shown below: The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1). If the check box is not selected, the field is not submitted with the form.
    - Checklist – A list of check boxes is displayed, as shown below: The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected.

  • PAGE 155

    The “Vertical” and “Horizontal” layout styles control whether the check boxes are organized in top-to-bottom or left-to-right order. The default is “Vertical” if not specified. When using these options, you may also specify the desired number of columns or rows to adjust the layout appropriately. For example, suppose the first two check boxes are selected (in this example, with keys “one” and “two”).

  • PAGE 156

    The text value typed is submitted with the form. If using a date/time picker, you should validate the field value to ensure it is a date. Certain guest account fields, such as expire_time and schedule_time, require a date/time value to be provided as a UNIX time value. In this case, the conversion and display formatting options should be used to convert a human-readable date and time to the equivalent UNIX time and vice versa.

  • PAGE 157

    form is submitted. If the value should be forced, use the Force Value setting under Advanced Properties to ensure the value cannot be overridden. For more information, see "Advanced Form Field Properties" on page 165. To set the value to submit for this field, use the Initial Value option in the form field editor.
    - Password text field – The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field.

  • PAGE 158

    The “Vertical” and “Horizontal” layout styles control whether the radio buttons are organized in top-to-bottom or left-to-right order. The default is “Vertical” if not specified.
    - Static text – The field’s value is displayed as a non-editable text string. An icon image may optionally be displayed before the field’s value. A hidden element is also included for the field, thereby including the field’s value when the form is submitted.

  • PAGE 159

    - Static text (Raw value) – The field’s value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting. Use caution when using this type of user interface element, particularly if the field’s value is collected from visitors. Allowing HTML from untrusted sources is a potential security risk.

  • PAGE 160

    To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
    - Static text (Options lookup) – The value of the field is assumed to be one of the keys from the field’s option list. The value displayed is the corresponding value for the key, as a non-editable text string. An icon image may optionally be displayed before the field’s value.

  • PAGE 161

    - Submit button – The field is displayed as a clickable form submit button, with the label of the field as the label of the button. The description is not used. The field’s value is ignored, and will be set to NULL when the form is submitted. To place an image on the button, an icon may be specified. To match the existing user interface conventions, you should ensure that the submit button has the highest rank number and is displayed at the bottom of the form.

  • PAGE 162

    Form Validation Properties The form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake. The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field’s value.

  • PAGE 163

    All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid. To validate a specific field, choose a validator from the drop-down list. See "Form Field Validation Functions" on page 298 for a description of the built-in validators. The Validator Param is the name of a field on the form, the value of which should be passed to the validator as its argument.

  • PAGE 164

    The reason for this is that in this case, the validation has failed due to a type error – the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer. To set the error message to display in this case, use the Type Error option under the Advanced Properties.

  • PAGE 165

    Advanced Form Field Properties The Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the application. On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor. The Conversion, Value Format, and Display Function options can be used to enable certain form processing behavior.

  • PAGE 166

    and phone numbers was imported for pre-registration, each visitor’s entries for those fields at registration must match.

    Form Field Validation Processing Sequence

    The following figure shows the interaction between the user interface displayed on the form and the various conversion and display options.

    Figure 26: Steps involved in form field processing.

    The Conversion step should be used when the type of data displayed in the user interface is different from the type required when storing the field.

  • PAGE 167

    In this case, the Conversion function is set to NwaConvertOptionalDateTime to convert the string time representation from the form field (for example, “2008-01-01”) to UNIX time (for example, 1199145600). The Validator for the expire_time field is IsValidFutureTimestamp, which checks an integer argument against the current time. The Value Formatter is applied after validation.

  • PAGE 168

    See "Form Field Conversion Functions" on page 301 for a detailed list of the options available to you for the Conversion and Value Format functions. The Display Param is the name of a form field, the value of which will be passed to the Display Function. In almost all cases this option should contain the name of the form field. Display Arguments are available for use with a form field and are used to control the conversion process.

  • PAGE 169

    Editing Views A view consists of one or more columns, each of which contains a single field. You can change which fields are displayed and how each field is displayed. You can also define your own fields using the Customize Fields page, and then add them to a view by choosing appropriate display options for each new column. To add a new field to a view, reorder the fields, or make changes to an existing field in a view, select the view in the Customize Forms & Views list and click the Edit Fields link.

  • PAGE 170

    Each column in a view displays the value of a single field. To use the default view display properties for a field, you only need to select the field to display in the column and then click the Save Changes button. To customize the view display properties, click the Advanced view options… check box. The column type must be one of the following:
    - Text – The column displays a value as text.
    - Sortable text – The column displays a value as text, and may be sorted by clicking on the column heading.

  • PAGE 171

    The Display Expression is a JavaScript expression that is used to generate the contents of the column. Generally, this is a simple expression that returns an appropriate piece of data for display, but more complex expressions can be used to perform arbitrary data processing and formatting tasks. Customizing Self-Provisioned Access Guest self-registration allows an administrator to customize the process for guests to create their own visitor accounts.

  • PAGE 172

    Figure 27: Sequence diagram for guest self-registration The captive portal redirects unauthorized users [1] to the register page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account. If NAS login is enabled, submitting the form on this page will display a login message [5] and automatically redirect the guest to the NAS login [6].

  • PAGE 173

    The Register Page is the name of a page that does not already exist. There are no spaces in this name. This page name will become part of the URL used to access the self-provisioning page. For example, the default “guest_register” page is accessed using the URL guest_register.php. Click the Save Changes button to save the self-registration page. A diagram of the self-registration process is displayed. Click the Save and Continue button to proceed to the next step of the setup.

  • PAGE 174

    Figure 28: Guest Self-Registration Workflow Diagram

    A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item.

    Configuring Basic Properties for Self-Registration

    Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration.

  • PAGE 175

    Paying for Access

    If you select the standalone self-registration option (No parent - standalone), you can also configure the Hotspot option. You can configure this setting so that registrants have to pay for access.

    Requiring Operator Credentials

    If you want to require an operator to log in with their credentials before they can create a new guest account, select the Require operator credentials prior to registering guest check box.

  • PAGE 176

    As another example, the network address 192.168.2.0/24 is less specific than a smaller network such as 192.168.2.192/26, which in turn is less specific than the IP address 192.168.2.201 (which may also be written as 192.168.2.201/32). To determine the result of the access control list, the most specific rule that matches the client’s IP address is used. If the matching rule is in the Denied Access field, then the client will be denied access.
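    The most-specific-match rule described above can be checked outside the product with a short script. The following is an added example and not ClearPass Guest's own code: it takes the Allowed Access and Denied Access lists as one network per line, treats a bare address as a /32 host, and, as assumptions of this example, denies a client that matches no rule and lets the Denied list win when both lists contain the same prefix length.

```python
"""Most-specific-match evaluation of an allow/deny IP access control list.

Added example, not ClearPass Guest's own code. It models the rule described
in the guide: the rule whose network most specifically matches the client's
address decides the result, and a match in the Denied Access list denies.
The line-per-network input format, the default-deny result for an address
that matches nothing, and deny-wins-ties are assumptions of this example.
"""
import ipaddress


def parse_rules(text):
    """Parse one network per line, e.g. '192.168.2.0/24' or a bare host address.

    A bare address such as '192.168.2.201' becomes a /32 (or /128 for IPv6)
    host network, which is the most specific possible match.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(ipaddress.ip_network(line, strict=False))
    return rules


def evaluate_acl(client_ip, allowed_text, denied_text, default="deny"):
    """Return 'allow' or 'deny' for client_ip using the most specific matching rule.

    The Denied list is scanned first and a later rule only replaces the current
    best match when it is strictly more specific, so equal-length prefixes in
    both lists resolve to 'deny' (assumption). `default` applies when no rule
    matches at all (assumed default-deny).
    """
    client = ipaddress.ip_address(client_ip)
    best = None  # (prefix length, decision) of the most specific match so far
    for decision, text in (("deny", denied_text), ("allow", allowed_text)):
        for net in parse_rules(text):
            if net.version != client.version or client not in net:
                continue
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, decision)
    return best[1] if best else default


if __name__ == "__main__":
    # Constructed sample lists matching the guide's worked example.
    allowed = "192.168.2.0/24\n"
    denied = "192.168.2.192/26\n"
    for ip in ("192.168.2.10", "192.168.2.201", "10.0.0.5"):
        print(ip, "->", evaluate_acl(ip, allowed, denied))
```

    With the guide's example lists, 192.168.2.201 is denied because the /26 Denied entry is more specific than the /24 Allowed entry, while 192.168.2.10 matches only the /24 and is allowed; adding the host entry 192.168.2.201 to the Allowed list flips the first result, because a /32 is more specific still.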

  • PAGE 177

    Click the Save Changes button to return to the process diagram for self-registration. Click the Save and Continue button to update the self-registration page and continue to the next editor.

    Editing the Default Self-Registration Form Settings

    Click the Form link for the Register Page to edit the fields on the self-registration form. The default settings for this form are as follows:
    - The visitor_name and email fields are enabled.

  • PAGE 178

    To create the multiple accounts that all use the same password, see "Creating Multiple Guest Accounts" on page 30.

    Editing Guest Receipt Page Properties

    To edit the properties of the guest receipt page:
    1. Navigate to Configuration > Guest Self-Registration.
    2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
    3.

  • PAGE 179

    Enabling Sponsor Confirmation for Role Selection

    You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account. To enable role selection by the sponsor:
    1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
    2. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.

  • PAGE 180

    3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configure this option.
    4. In the Authentication row, mark the check box for Require sponsors to provide credentials prior to sponsoring the guest.
    5. In the Role Override row, choose (Prompt) from the drop-down list.
    6. Complete the rest of the form with the appropriate information, then click Save Changes.

  • PAGE 181

    9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.

    Editing Download and Print Actions for Guest Receipt Delivery

    To enable the template and display options to deliver a receipt to the user as a downloadable file, or display the receipt in a printable window in the visitor’s browser:
    1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.

  • PAGE 182

    When email delivery is enabled, the following options are available to control email delivery:
    - Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
    - Always auto-send guest receipts by email – An email receipt is always generated using the selected options, and will be sent to the visitor’s email address.

  • PAGE 183

    - Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.
    - Always auto-send guest receipts by SMS – An SMS receipt is always generated using the selected options, and will be sent to the visitor’s phone number.
    - Auto-send guest receipts by SMS with a special field set – If the Auto-Send Field is set to a non-empty string or a non-zero value, an SMS receipt will be generated and sent to the visitor’s phone number.

  • PAGE 184

    If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed.

    Editing Login Page Properties

    The login page is displayed if automatic guest login is enabled and a guest clicks the submit button from the receipt page to log in. To edit the properties of the login page:
    1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link.

  • PAGE 185

    The login page consists of two separate parts: the login form page, and a login message page. The login form page contains a form prompting for the guest’s username and password. The title, header and footer of this page can be customized. If the Provide a custom login form option is selected, then the form must also be provided in either the Header HTML or Footer HTML sections.

  • PAGE 186

    The login delay can be set; this is the time period, in seconds, for which the login message page is displayed. Click the Save Changes button to return to the process diagram for self-registration.

    Self-Service Portal Properties

    To edit the properties of the self-service portal:
    1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
    2.

  • PAGE 187

    To adjust the user interface, use the override check boxes to display additional fields on the form. These fields allow you to customize all text and HTML displayed to users of the self-service portal. The behavioral properties of the self-service portal are described below:
    - The “Enable self-service portal” check box must be selected for guests to be able to access the portal.

  • PAGE 188

    Clicking the I’ve forgotten my password link displays a form where the user password may be reset: Entering a valid username will reset the password for that user account, and will then display the receipt page showing the new password and a login option (if NAS login has been enabled). This feature allows the password to be reset for any guest account on the system, which may pose a security risk.

  • PAGE 189

    Selecting a different value for the “Required Field” allows other fields of the visitor account to be checked. These fields should be part of the registration form. For example, selecting the visitor_name field as the “Required Field” results in a Reset Password form like this: Email Receipts and SMTP Services With SMTP Services, you can configure ClearPass Guest to send customized guest account receipts to visitors and sponsors by email. Email receipts may be sent in plain text or HTML format.

  • PAGE 190

    3. Scroll to the Email Delivery section of the form and choose one of the options from the Enabled drop-down list. The form expands to include configuration options for email delivery.

    The following options are available in the Enabled drop-down list to control email delivery:
    - Disable sending guest receipts by email – Email receipts are never sent for a guest registration.

  • PAGE 191

    Figure 30: Customize Email Receipt page

    1. The Subject Line may contain template code, including references to guest account fields. The default value, Visitor account receipt for {$email}, uses the value of the email field. See "Smarty Template Syntax" on page 264 for more information on template syntax.
    2. The Skin drop-down list allows you to specify a skin to be used to provide the basic appearance of the email.

  • PAGE 192

    - Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available).
    - Always send using ‘bcc:’ – The Copies To list is always sent a blind copy of any guest account receipt (even if no guest account email address is available).
    - Use ‘cc:’ if sending to a visitor – If a guest account email address is available, the email addresses in the Copies To list will be copied.

  • PAGE 193

    - smtp_template_id – This field specifies the print template ID to use for the email receipt. If blank or unset, the default value from the email receipt configuration is used.
    - smtp_receipt_format – This field specifies the email format to use for the receipt. It may be one of “plaintext” (No skin – plain text only), “html_embedded” (No skin – HTML only), “receipt” (No skin – Native receipt format), “default” (Use the default skin), or the plugin ID of a skin plugin to specify that skin.

  • PAGE 194

    - smtp_warn_before_cc_action – This field overrides how copies of email receipts are sent, as indicated under Logout Warnings on the email receipt. It may be one of “never”, “always_cc”, “always_bcc”, “conditional_cc”, or “conditional_bcc”. If blank or unset, the default value from the email receipt configuration is used.

  • PAGE 195

    This section is followed by three other sections: the body, the header and the footer. Each section must be written in HTML. There is provision in each section for the insertion of multiple content items such as logos. You are able to add Smarty template functions and blocks to your code. These act as placeholders to be substituted when the template is actually used. See "Smarty Template Syntax" on page 264 for further information on Smarty template syntax.

  • PAGE 196

    Print Template Wizard The Create new print template using wizard link provides a simplified way to create print templates by selecting a basic style and providing a logo image, title and content text, and selecting the guest account fields to include. A real-time preview allows changes made to the design to be viewed immediately. To use the Print Template Wizard, first select a style of print template from the Style list. Small thumbnail images are shown to indicate the basic layout of each style.

  • PAGE 197

    NOTE: If you use the wizard to edit a print template after changes have been made to it outside the wizard, those changes will be lost. This is indicated with the warning message “The print template code has been modified. Making changes using the wizard will destroy any changes made outside of the wizard.

  • PAGE 198

      - Update access – the print template is visible in the list, and may be edited. The print template cannot be deleted and the permissions for the print template cannot be modified.
      - Update and delete access – the print template is visible in the list, and may be edited or deleted. The permissions for the print template cannot be modified.
      - Full access (ownership) – the print template is visible in the list, and may be edited or deleted.

  • PAGE 199

    SMS Receipt Fields

    The behavior of SMS receipt operations can be customized with certain guest account fields. You can override global settings by setting these fields.
    - sms_enabled – This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the default value is true.
    - sms_handler_id – This field specifies the handler ID for the SMS service provider. If blank or unset, the default value from the SMS plugin configuration is used.

  • PAGE 200

    an existing scratch card template.
    1. Navigate to Configuration > Print Templates.
    2. Select Two-column scratch cards and click Duplicate.
    3. Select the Copy of Two-column scratch cards template, then click Edit.
    4. In the Name field, substitute Access Code for Username as shown below.
    5. Remove extraneous data from the User Account HTML field. Example text is shown below.

  • PAGE 201

    Customize the Guest Accounts Form Next, modify the Guest Accounts form to add a flag that allows access-code based authentication. 1. Navigate to Configuration > Forms & Views. 2. In the Customize Forms & Views list, select create_multi and then click Edit Fields. 3. In the Edit Fields list, look for a field named username_auth. If the field exists, but is not bolded and enabled, select it and click Enable Field.

  • PAGE 202

    3. Click Create Accounts to display the Finished Creating Guest Accounts page. If you create a large number of accounts, they are created at one time but might not all be displayed at the same time. (This will not affect the printing action in the following step.) 4. Confirm that the accounts settings are as you expected with respect to letters and digits in the username and password, expiration, and role. 5.

  • PAGE 203

    Chapter 6 Hotspot Manager The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts. Accessing Hotspot Manager To access Dell Networking W-ClearPass Guest’s hotspot management features, click the Configuration link in the left navigation, then click Hotspot Manager.

  • PAGE 204

    Figure 33: Guest self-provisioning
    - Your customer associates to a local access point and is redirected by a captive portal to the login page.
    - Existing customers may log in with their Hotspot username and password to start browsing.
    - New customers click the Hotspot Sign-up link.
    - On page 1, the customer selects one of the Hotspot plans you have created.
    - On page 2, the customer enters their personal details, including credit card information if purchasing access.

  • PAGE 205

    The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available. The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See "Smarty Template Syntax" on page 264 in the Reference chapter for details about the template syntax you may use to format this message.

  • PAGE 206

  • PAGE 207

    - To create or edit an existing plan, see "Editing or Creating a Hotspot Plan " on page 207.
    - To delete a plan, click the Delete button in the plan’s row and confirm the deletion.

  • PAGE 208

    2. In the Plan Details area, enter a name for the plan and descriptions to display in the UI and the customer invoice. 3. To enable the plan, leave the Enabled check box marked. To disable the plan, unmark this check box. Disabled plans are not displayed to customers. 4. In the User Account Details area, you can specify the usage of numbers, letters, and symbols in the generated username and password. To use only digits, leave the value in the Generated Username and Generated Password fields set to ######.

  • PAGE 209

    5. Complete the rest of the fields appropriately for your organization’s needs, then click Create Plan or Edit Plan. The Manage Hotspot Plans list opens with the new plan displayed. Managing Transaction Processors Your hotspot plan must also identify the transaction processing gateway used to process credit card payments. Dell Networking W-ClearPass Guest supports plugins for the following transaction processing gateways:
    - Authorize.

  • PAGE 210

    - Production Environment URL
    - Shared Secret
    - Signature
    - Test Environment URL
    - Test WSDL
    - Transaction Key
    - Transaction Password
    - Transactions Timeout
    If your transaction processor requires visitors to enter their address, ClearPass Guest will automatically include address fields in the guest self-registration forms that use that transaction processor. Managing Existing Transaction Processors Once you define a transaction processor, it will appear in the transaction processor list.

  • PAGE 211

    title shown on the invoice and how the invoice number is created. You can also customize the currency displayed on the invoice. To customize the hotspot invoice: 1. Go to Configuration > Hotspot Manager > Manage Hotspot Invoice. The Manage Hotspot Invoice form opens. 2. The Invoice Title must be written in HTML. See "Basic HTML Syntax" on page 261 for details about basic HTML syntax. 3. Complete the rest of the fields appropriately. You can use Smarty functions on this page.

  • PAGE 212

    Customizing Visitor Sign-Up Page One Page one of the guest self-provisioning process asks the guest to select a plan. An example of the default “Choose Plan” page is shown below. To customize how this page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 1 (Choose Plan) link in the upper-right corner. The Edit Hotspot Plan Selection Page form opens.

  • PAGE 213

    Page two of the guest self-provisioning process asks the guest to provide their personal details and payment method. The example below shows the default “Your Details” page if the customer chooses to pay for the Hourly Access plan. Although it is not shown in this illustration, the default page also includes footer text providing information about privacy policies and security pertaining to the data collected by this page.

  • PAGE 214

    To customize how the “Your Details” page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 2 (Customer Details) link in the upper-right corner. The Edit Hotspot User Details Page form opens. You can use this form to edit the content displayed when the customer enters their personal details, including credit card information if purchasing access. The progress of the user’s transaction is also shown on this page.

  • PAGE 215

    See "Smarty Template Syntax" on page 264 for details about the template syntax you may use to format the content on this page. Customizing Visitor Sign-Up Page Three Page three of the guest self-provisioning process provides the customer an invoice containing confirmation of their transaction and the details of their newly created wireless account. An example of the default “Your Receipt” page is shown below.

  • PAGE 216

    To customize how the “Your Receipt” page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 3 (Invoice or Receipt) link in the upper-right corner. The Edit Hotspot User Receipt Page form opens. You can use this form to edit the title, introductory text, and footer text of the receipt page.

  • PAGE 217

    See "Smarty Template Syntax" on page 264 for details about the template syntax you may use to format the content on this page. Viewing the Hotspot User Interface The Hotspot Manager allows you to view and test Hotspot self-provisioning pages, as well as log in to and view the Hotspot self-service portal that allows customers to view their current account expiration date, purchase time extensions, log out of the Hotspot, or change their user password.

  • PAGE 218


  • PAGE 219

    Chapter 7 Administration The Administration module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of Dell Networking W-ClearPass Guest. Accessing Administration To access Dell Networking W-ClearPass Guest’s administration features, click the Administration link in the left navigation. Figure 34: The Administration Module’s Left Navigation

  • PAGE 220

    AirGroup Services This section describes configuration options for the AirGroup Services plugin, and provides links to other AirGroup steps performed in Dell Networking W-ClearPass Guest. For an overview of AirGroup functionality, see "AirGroup Deployment Process " on page 23. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.

  • PAGE 221

    6. In the Attempts row, enter the maximum number of times the system should attempt to send an AirGroup message. 7. Click Save Configuration. Creating AirGroup Administrators AirGroup Administrators are users of Dell Networking W-ClearPass Guest who can define and manage their organization’s shared devices. Devices can be shared globally, or shared with restrictions based on the username, role, or location of the user trying to access the device.

  • PAGE 222

    Figure 35: Data Retention Policy page Select Enable to enable the data retention policy option, and in the Log Rotation field enter how many weeks you want log files kept before they are deleted. For mobile device certificates, select the minimum delay, in weeks, required before an expired certificate or rejected request can be deleted. The maximum period is the number of weeks after which an expired certificate is automatically deleted.

  • PAGE 223

    To use the Upload File form, click the Browse button in the Backup File row to navigate to and select the backup file you want to restore. To use the Specify Backup File form, enter the URL for the backup file. Click Continue. The Import Configuration: Step 2 page opens.
    - The red X icon means the item is not available.
    - The blue arrow icon means part of the item’s configuration will be restored.
    - The green check mark means the item’s full configuration will be restored.
    3.

  • PAGE 224

    To access the Available Plugins list, navigate to Administration > Plugin Manager. The Available Plugins page opens.

  • PAGE 225

    To undo any changes to the plugin’s configuration, click the plugin’s Restore default configuration link. The plugin’s configuration is restored to the factory default settings. In most cases, plugin configuration settings do not need to be modified directly. Use the customization options available elsewhere in the application to make configuration changes.

  • PAGE 226

    5. Review the differences between the current settings and the default configuration. To commit the change to the default settings, click the Restore Default Configuration link. Configuring the Dell W-ClearPass Skin Plugin A Web application’s skin determines its visual style—the colors, menus, and graphics.

  • PAGE 227

    click its Enable link. If you prefer to use the standard Dell ClearPass skin, navigate to it in the Available Plugins list and click its Enable link. The default skin is displayed on all visitor pages, and on the login page if no other skin is specified for it. However, you can override this for a particular operator profile or an individual operator, or give the login page a different appearance than the rest of the application. You can also specify a skin for guest self-registration pages.

  • PAGE 228

    l Auto-Send Field – Select a guest account field which, if set to a non-empty string or non-zero value, will trigger an automatic SMS when the guest account is created or updated. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.

  • PAGE 229

    2. To work with a gateway, click its row in the list. The gateway’s row expands to include the Edit, Duplicate, Delete, Make Default, and Send SMS options.
    - Edit—To make changes to the gateway in this row, click its Edit link. The Edit SMS Gateway form opens. See "Editing an SMS Gateway " on page 231.
    - Duplicate—To make a copy of the gateway to use as a base for a new gateway, click the Duplicate link. A new gateway is added to the list with the name “Copy of ”.

  • PAGE 230

    3. In the SMS Gateway field, if you choose Custom HTTP Handler from the drop-down list, you may specify the HTTP method to use. The form expands to include options for configuring that gateway type, and the Service Method row includes the GET and POST options. 4. If you selected the POST option in the SMS Gateway field, the HTTP Headers and HTTP Post rows are added. You can use the text fields in these rows to override HTTP headers and enter the text to post. 5.

  • PAGE 231

    8. In the Mobile Settings area, if your country uses a national dialing prefix such as “0”, you may enter this in the National Prefix row. When sending an SMS to a number that starts with the national dialing prefix, the prefix is removed and replaced with the country code instead. The second part of the form includes the Connection Settings, Debug, Credits, and Test SMS Settings areas.

  • PAGE 232

    4. In the Service Settings area, you may edit the Display Name. 5. When you duplicate an SMS over SMTP gateway, the Carrier Selection configuration options are included. In the Carrier Selection drop-down list, choose one of the following options:
    - Registration form will have the visitor_carrier field—The visitor will supply the carrier information when they register.
    - Select a carrier—The form includes the Mobile Carrier field. Choose the carrier from the Mobile Carrier drop-down list.

  • PAGE 233

    2. Complete the form by typing in the SMS message and entering the mobile phone number that you are sending the SMS to. The maximum length for the message is 160 characters. If multiple services are available, you may also choose the service to use when sending the message. 3. Click Send Message. About SMS Credits Most SMS providers use a system of credits for sending messages. In Dell Networking W-ClearPass Guest SMS Services, one credit is used for each sent message.

  • PAGE 234

    Dell Networking W-ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand. To manually send an SMS receipt: 1. Navigate to Guest > List Accounts and click to expand the row of the guest to whom you want to send a receipt. 2. Click Print to display the Account Details view, then click the Send SMS receipt link. The SMS Receipt form opens.

  • PAGE 235

    2. To filter the list, click the Display Lists tab above the form. The form expands to include the Carrier Lists options. Use this drop-down list to specify the SMS or MMS carrier. NOTE: To be available in the drop-down lists on this Carrier Lists form, a carrier must first be enabled. 3. To enable, disable, or delete a carrier, click the carrier in the list. The carrier’s row expands to include the Edit, Enable or Disable, and Delete options.
    - To enable a carrier, click the Enable link in its row.

  • PAGE 236

    7. (Optional) In the Country field, enter the country where the carrier’s service is offered. If appropriate, you may also indicate an area within the country, such as a city, county, or state. 8. In the SMS Address drop-down list, choose one of the following options:
    - Use a template to determine the email address—When this option is chosen, the next field’s name becomes SMS Template.
    - Use a fixed email address—Use this option if all SMS messages are to be sent to the same address.

  • PAGE 237

    Viewing the Application Log To view events and messages generated by the application, go to Administration > Support > Application Log. The Application Log view opens. To view in-depth information about an event, click the event’s row. The form expands to show details. Click the event’s row again to close it. To search for a particular log record, use the Keywords field above the table to enter search terms.

  • PAGE 238

    The Application Log lists the events, messages, and configuration changes for the past seven days. To view events and messages for a different period, or to limit the search items: 1. Click the Filter tab. The Filter Settings form opens. 2. You can use the Times drop-down list to specify a time period to filter for. 3.

  • PAGE 239

    Contacting Support To view contact information for Dell Support, go to Administration > Support > Contact Support. The Contact Support page opens.

  • PAGE 240

    6. Click a result link. The online help opens in a separate browser tab with the destination displayed.

  • PAGE 241

    Chapter 8 Operator Logins An operator is a company’s staff member who is able to log in to Dell Networking W-ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the ClearPass Guest network, manage guests, or run reports. Operators may be defined locally in ClearPass Guest, or externally in an LDAP directory server.

  • PAGE 242

    Your profile may only allow you to create guest accounts, or your profile might allow you to create guest accounts as well as print reports. What your profile permits is determined by the network administrator. Two types of operator logins are supported: local operators and operators who are defined externally in your company’s directory server. Both types of operators use the same login screen.

  • PAGE 243

    The fields in the first area of the form identify the operator profile and capture any optional information: 1. You must enter a name for this profile in the Name field. 2. (Optional) You may enter additional information about the profile in the Description field. The fields in the Access area of the form define permissions for the operator profile: 1. In the Enabled row, the Allow Operator Logins check box is selected by default. To disable a profile, unmark the Allow Operator Logins check box.

  • PAGE 244

    If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account. The guest account list is also filtered to show only guest accounts with these roles. If a database is selected in the User Roles list, but no roles within that database are selected, then all roles defined in the database will be available. This is the default option. 4. The Operator Filter may be set to limit the types of accounts that can be viewed by operators.

  • PAGE 245

    6. In the Account Limit row, you can enter a number to specify the maximum number of accounts an operator can create. Disabled accounts are included in the account limit. To set no limit, leave the Account Limit field blank. When you create or edit an AirGroup operator, the value you enter in the Account Limit field specifies the maximum number of devices an AirGroup operator with this profile can create.

  • PAGE 246

    To specify that an operator profile should use a different form when creating a new visitor account: 1. (Optional) In the Customization row, select the Override the application’s forms and views check box. The form expands to show the forms and views that can be modified. If alternative forms or views have been created, you may use the drop-down lists to specify which ones to use. 2. When you have selected the custom forms and views to use, click the operator profile.

  • PAGE 247

    - Importing guest accounts
    - Listing guest accounts
    - Managing customization of guest accounts
    - Managing print templates
    - Removing or disabling guest accounts
    - Resetting guest passwords
    Refer to the description of each individual operator privilege to determine what the effects of granting that permission will be. Managing Operator Profiles Once a profile has been created, you can view it, edit it, and create new profiles.

  • PAGE 248

    Creating a New Operator To create a new operator or administrator for ClearPass Guest or AirGroup, some steps are performed in ClearPass Policy Manager (CPPM), and some steps are performed in ClearPass Guest, as described below: 1. Create an operator profile in ClearPass Guest, or use an existing one. See "Operator Profiles " on page 242. To create AirGroup users, choose either the AirGroup Administrator or AirGroup Operator profile, as appropriate.

  • PAGE 249

    Manage LDAP Operator Authentication Servers Dell Networking W-ClearPass Guest supports a flexible authentication mechanism that can be readily adapted to any LDAP server’s method of authenticating users by name. There are built-in defaults for Microsoft Active Directory servers, POSIX-compliant directory servers, and RADIUS servers. When an operator attempts to log in, each LDAP server that is enabled for authentication is checked, in order of priority from lowest to highest.

  • PAGE 250

    Table 21: Server Type Parameters lists the required configuration parameters for each server type (Microsoft Active Directory, POSIX Compliant, Custom, and RADIUS; the per-type assignment of parameters did not survive extraction). The parameters described include:
    - Server URL: The URL of the LDAP server.
    - Bind DN: The DN to use when binding to the LDAP server, or empty for an anonymous bind.
    - Bind Password: If your LDAP server does not use anonymous bind, you must supply the required credentials to bind to the directory. (Leave this field blank to use an anonymous bind.)

  • PAGE 251

    authentication is successful, the operator profile assigned to the username will be displayed. If the authentication fails, an error message will be displayed. See "LDAP Operator Server Troubleshooting " on page 252 for information about common error messages and troubleshooting steps to diagnose the problem. Click the Save Changes button to save this LDAP Server. If the server is marked as enabled, subsequent operator login attempts will use this server for authentication immediately.

  • PAGE 252

    - Ping—Sends a ping message (echo request) to the LDAP server to verify connectivity between the LDAP server and the ClearPass Guest server.
    - Test Auth—Adds a Test Operator Login area in the LDAP servers form that allows you to test authentication of operator login values.
    - Test Lookup—Adds a Test Operator Lookup form in the LDAP servers list that allows you to look up sponsor names.

  • PAGE 253

    You can also verify operator authentication when you create a new LDAP server configuration using the Test Settings button on the LDAP Configuration form (see "Creating an LDAP Server " on page 249 for a description). Looking Up Sponsor Names This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page. 1. To look up a sponsor, select a server name in the LDAP Server table, then click its Test Lookup link. The Test Operator Lookup area is added to the LDAP servers list.

  • PAGE 254

    Error Data   Reason
    701          Account has expired
    773          User must reset password
    775          User account is locked

    Other items to consider when troubleshooting LDAP connection problems:
    - Verify that you are using the correct LDAP version – use ldap:// for version 2 and ldap3:// to specify LDAP version 3.
    - Verify that you are using an SSL/TLS connection – use ldaps:// or ldap3s:// as the prefix of the Server URL.

  • PAGE 255

    3. Select the Enabled check box to enable this rule once you have created it. If you do not select this check box, the rule you create will appear in the rules list, but will not be active until you enable it. 4. Click the Matching rule drop-down list and select a rule.

  • PAGE 256

    Translation rules are processed in order, until a matching rule is found that does not have the Fallthrough field set.

  • PAGE 257

    The Custom rule is:

        {strip}
        {if stripos($user.memberof, "CN=Administrators")!==false}
        1
        {elseif date('H') >= 8 && date('H') < 18}
        1
        {else}
        0
        {/if}
        {/strip}

    Explanation: The rule will always match on the “memberof” attribute that contains the user’s list of groups. The operator field “enabled” will determine if the user is permitted to log in or not. The custom template uses the {strip} block function to remove any whitespace, which makes the contents of the template easier to understand.

  • PAGE 258

    You are able to configure a message on the login screen that will be displayed to all operators. This must be written in HTML. You may also use template code to further customize the appearance and behavior of the login screen. Options related to operator passwords may also be specified, including the complexity requirements to enforce for operator passwords. Navigate to Administration > Operator Logins and click the Operator Logins Configuration command link to modify these configuration parameters.

  • PAGE 259

    requires a username and password.

    If you don’t have a login,
    contact Aruba Networks to obtain one.

    {/if}
    In the Login Footer field, enter any HTML information that you want displayed in the Operator Login form. Select the login skin from the Login Skin drop-down menu. Options include the default skin or a customized skin.

  • PAGE 260


  • PAGE 261

    Chapter 9 Reference This chapter includes the following sections:
    - "Basic HTML Syntax" on page 261
    - "Standard HTML Styles" on page 262
    - "Smarty Template Syntax" on page 264
    - "Date/Time Format Syntax" on page 279
    - "Programmer’s Reference" on page 282
    - "Field, Form, and View Reference " on page 287
    - "LDAP Standard Attributes for User Class" on page 304
    - "Regular Expressions" on page 305
    Basic HTML Syntax Dell Networking W-ClearPass Guest allows different parts of the user interface to

  • PAGE 262

    HTML syntax table (Item / HTML Syntax; the HTML tags themselves were lost in extraction): Lists: list item text. Text Formatting: words to be made bold (and equivalent syntax), words to be made italic (and equivalent syntax), words to underline, shown in fixed-width font, uses CSS formatting, uses predefined style. Hypertext Link: text to click on.
  • PAGE 263

    Table 25: Formatting Classes
    Class Name   Applies To     Description
    nwaIndent    Tables         Indent style used in tables
    nwaLayout    Tables         Used when you want to lay out material in a table without the material looking as if it is in a table; in other words, without borders
    nwaContent   Tables         Class used for a standard table with borders
    nwaTop       Table Header   Table heading at top
    nwaLeft      Table Header   Left column of table
    nwaRight     Table Header   Right column of table
    nwaBottom    Table Header   Table heading at

  • PAGE 264

    Smarty Template Syntax Dell Networking W-ClearPass Guest’s user interface is built using the Smarty template engine. This template system separates the program logic and visual elements, enabling powerful yet flexible applications to be built. When customizing template code that is used within the user interface, you have the option of using Smarty template syntax within the template. Using the programming features built into Smarty, you can add your own logic to the template.

  • PAGE 265

    {/if} The condition tested in the {if} … {/if} block should be a valid PHP expression. The {else} tag does not require a closing tag. Script Blocks The brace characters { and } are specially handled by the Smarty template engine.

  • PAGE 266

    The content after a {foreachelse} tag is included only if the {foreach} block would otherwise be empty. Modifiers Smarty provides modifiers that can be used to gain greater control over the formatting of data. Modifiers can be included by following a variable with a vertical bar | and the name of the modifier. Any arguments to the modifier can be specified using a colon : followed by the arguments.

  • PAGE 267

    Smarty registered template function. Displays the value of a variable. Use the following Smarty syntax to print a variable’s contents: {dump var=$var_to_dump export=html} The contents of the variable are printed in a block. Use the attribute “export=1” to use PHP’s var_export() format, or omit this attribute to get the default behavior – PHP’s var_dump() format. Use the attribute “html=1” to escape any HTML special characters in the content.

  • PAGE 268

    - The “icon” parameter is the SRC to the image of the icon. This should normally be a relative path.
    - The “text” parameter is the text to display next to the icon. This will also be used as the alternate text (that is, a tooltip) for the icon image.
    - The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image.

  • PAGE 269

    The “struct” parameter, if specified, uses a standard result type. If the “error” key is set and non-zero, the “type” parameter is set to the value error, and the “message” key is converted to an HTML-formatted error message for display. nwa_quotejs {nwa_quotejs} … {/nwa_quotejs} Smarty registered block function. Quotes its content in a string format suitable for use in JavaScript.

  • PAGE 270

    This template function does not generate any output if the _assign parameter is set. The methods that are available for use with this function are listed below. The $criteria array consists of one or more criteria on which to perform a database search. The array is used for advanced cases where pre-defined helper functions do not provide required flexibility. ChangeToRole() ChangeToRole($username, $role_name) Changes the RADIUS role assigned to the user.

  • PAGE 271

    See "GetTraffic() " on page 274 for details on how to specify the time interval. GetCallingStationTraffic() GetCallingStationTraffic($callingstationid, $from_time, $to_time = null, $in_out = null, $mac_format = null) Calculate sum of traffic counters in a time interval. Sessions are summed if they have the same Calling-Station-Id attribute as that specified in the RADIUS Access-Request. If no Calling-Station-Id attribute was included in the request, returns zero.

  • PAGE 272

        'nasportid' => '',
        'nasporttype' => '',
        'calledstationid' => '',
        'callingstationid' => '',
        'acctstarttime' => '1249258943',
        'connectinfo_start' => '',
        'acctstoptime' => NULL,
        'connectinfo_stop' => NULL,
        'acctsessiontime' => 0,
        'acctinputoctets' => 0,
        'acctoutputoctets' => 0,
        'acctterminatecause' => NULL,
        'servicetype' => '',
        'framedipaddress' => '192.168.2.

  • PAGE 273

    processing a HTTP request, the current client IP address is assumed (from $_SERVER['REMOTE_ADDR']). Specifying an empty value for the IP address (such as null, false, or empty string) also causes the current client IP address to be used. See "GetTraffic() " on page 274 for details on how to specify the time interval. GetSessions() GetSessions($criteria, $from_time, $to_time = null) Calculate the number of sessions from accounting records in the database.

  • PAGE 274

    As well as the criteria specified, the time interval specified by $from_time and optionally $to_time is also used to narrow the search. If $to_time is not specified, $from_time is a “look back” time, that is, the time interval in seconds before the current time. If $to_time is specified, the interval considered is between $from_time and $to_time. Returns the total session time for all matching accounting records in the time interval specified.
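The look-back versus explicit-interval convention described above (and the "no Calling-Station-Id means zero" rule for GetCallingStationTraffic() on page 271) is easy to get wrong when writing usage-limit rules, so here is an added, stand-alone Python model of that behaviour. It is not ClearPass Guest code: the record field names follow the accounting record layout shown on page 272, the sample records are constructed, and the `in_out` values `"in"`, `"out"` and `None` (both directions) are an assumption of this model, not a documented parameter format.

```python
import time

# Constructed sample accounting records (not real data). Field names follow the
# accounting record layout shown on page 272 of this guide.
SAMPLE_RECORDS = [
    {"username": "guest1", "callingstationid": "00-11-22-33-44-55",
     "acctstarttime": 1249258943, "acctinputoctets": 1000, "acctoutputoctets": 5000},
    {"username": "guest1", "callingstationid": "00-11-22-33-44-55",
     "acctstarttime": 1249262543, "acctinputoctets": 200, "acctoutputoctets": 800},
    {"username": "guest2", "callingstationid": "AA-BB-CC-DD-EE-FF",
     "acctstarttime": 1249200000, "acctinputoctets": 10, "acctoutputoctets": 20},
]


def resolve_interval(from_time, to_time=None, now=None):
    """Apply the convention from page 274: with no $to_time, $from_time is a
    look-back in seconds before the current time; with $to_time, the interval
    is [from_time, to_time]. 'now' is injectable so results are reproducible."""
    if to_time is None:
        now = time.time() if now is None else now
        return now - from_time, now
    return from_time, to_time


def matches(record, criteria):
    """Every key in the criteria dictionary must equal the record's value."""
    return all(record.get(key) == value for key, value in criteria.items())


def sessions_in_interval(records, criteria, from_time, to_time=None, now=None):
    """Records matching the criteria whose start time lies in the interval."""
    start, end = resolve_interval(from_time, to_time, now)
    return [r for r in records
            if matches(r, criteria) and start <= r["acctstarttime"] <= end]


def get_sessions(records, criteria, from_time, to_time=None, now=None):
    """Model of GetSessions(): count of matching sessions in the interval."""
    return len(sessions_in_interval(records, criteria, from_time, to_time, now))


def get_traffic(records, criteria, from_time, to_time=None, in_out=None, now=None):
    """Model of GetTraffic(): sum of octet counters in the interval.
    in_out: "in" sums acctinputoctets, "out" sums acctoutputoctets, None sums
    both (assumed encoding for this example)."""
    total = 0
    for r in sessions_in_interval(records, criteria, from_time, to_time, now):
        if in_out in (None, "in"):
            total += r["acctinputoctets"]
        if in_out in (None, "out"):
            total += r["acctoutputoctets"]
    return total


def get_user_traffic(records, username, from_time, to_time=None, in_out=None, now=None):
    """Model of GetUserTraffic(): traffic for one User-Name."""
    return get_traffic(records, {"username": username}, from_time, to_time, in_out, now)


def get_calling_station_traffic(records, callingstationid, from_time,
                                to_time=None, in_out=None, now=None):
    """Model of GetCallingStationTraffic(): page 271 states that when the
    request carried no Calling-Station-Id the result is zero."""
    if not callingstationid:
        return 0
    return get_traffic(records, {"callingstationid": callingstationid},
                       from_time, to_time, in_out, now)


if __name__ == "__main__":
    now = 1249262643  # fixed "current time" for a reproducible demo
    # Look back 3700 s: both guest1 sessions fall inside the window.
    print(get_user_traffic(SAMPLE_RECORDS, "guest1", 3700, now=now))
    # Look back 3000 s: only the later session is counted.
    print(get_user_traffic(SAMPLE_RECORDS, "guest1", 3000, now=now))
```

The point to take from the two prints is that the same `from_time` argument means different things depending on whether `to_time` is supplied; a rule that passes an absolute timestamp as `from_time` without a `to_time` will silently be treated as a look-back of roughly forty years.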

  • PAGE 275

    Looks up the first login time for the specified username. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute). GetUserSessions() GetUserSessions($username, $from_time, $to_time = null) Calculate the number of sessions for accounting records matching a specific user-name. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute). See "GetTraffic() " on page 274 for details on how to specify the time interval.

  • PAGE 276

    Smarty registered template function. Adds various kinds of visual effects to the page. Usage example: {nwa_bling id=$some_id type=fade} The “id” parameter is the ID of the HTML element to which you will add ‘bling’ effects. The “type” parameter is the kind of bling desired:
    - “fade”: element smoothly fades in and out
    - “blink”: element blinks slowly
    nwa_makeid {nwa_makeid …} Smarty registered template function. Creates a unique identifier and assigns it to a named page variable.

  • PAGE 277

    When used with the “block” parameter, the {nwa_nav} control does not generate any HTML. When used with the “type” parameter, the {nwa_nav} control uses the previously defined blocks to generate the HTML navigation area.

  • PAGE 278

    - The "name" parameter specifies a plugin name, or plugin filename.
    - The "page" parameter specifies a page name provided by the plugin.
    - The "privilege" parameter specifies a privilege defined by the plugin.
    If none of the above is specified, the default is the same as specifying the "page" parameter with the current script name as argument (that is, the current page).

  • PAGE 279

    l The numbered parameters are expanded in the translated string with the positional arguments %1, %2 and so forth. nwa_userpref {nwa_userpref …} Smarty template function.

  • PAGE 280

    such as Spanish that use non-ASCII characters.

  • PAGE 281

    {$u.expire_postlogin|nwatimeformat:"minutes_to_natural"} The other formats accepted for this modifier are the same as those described for the nwadateformat modifier. See "nwadateformat Modifier" on page 279.

  • PAGE 282

    %X Preferred time representation for the current locale, without the date
    %y Year as a decimal number without the century (00 to 99)
    %Y Year as a decimal number
    %% A literal % character
    Programmer's Reference This section describes the following:
    - "NwaAlnumPassword" on page 282
    - "NwaBoolFormat" on page 282
    - "NwaByteFormat" on page 283
    - "NwaByteFormatBase10" on page 283
    - "NwaComplexPassword" on page 283
    - "NwaCsvCache" on page 283
    - "NwaDigitsPassword($len)" on page 283
    - "NwaDyna

  • PAGE 283

    - If an array, the 0 and 1 index values are used for false and true values.
    - Otherwise, the string values "true" and "false" are returned.
    NwaByteFormat NwaByteFormat($bytes, $unknown = null) Formats a non-negative size in bytes as a human readable number (bytes, KB, MB, GB, etc.). Assumes that 1 KB = 1024 bytes, 1 MB = 1024 KB, etc. If a negative value is supplied, returns the $unknown string. If a non-numeric value is supplied, that value is returned directly.

  • PAGE 284

    Creates a password based on a format string. For details on the special characters recognized in $string, see "Format Picture String Symbols" on page 297. NwaGenerateRandomPasswordMix NwaGenerateRandomPasswordMix($password_len, $lower = 1, $upper = 1, $digit = 1, $symbol = -1) Generates a random password that meets a certain minimum complexity requirement. l $password_len specifies the total length in characters of the generated password.

  • PAGE 285

    $options may be specified to control additional parsing options described in the table below. Table 30: Parsing Options
    Option | Description
    fs | The field separator character (default is comma ",")
    rs | The record separator character (default is newline "\n")
    quo | The quote character (default is double quote ")
    excel_compatible | If true, recognize ="..." syntax as well as "...
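A parser that honours the fs, rs, quo and excel_compatible options from Table 30, as an added example that is not ClearPass Guest code. It works on a constructed sample; how the real NwaCsvCache handles blank lines or an unterminated quote is not stated on the page, so the behaviour here for those cases (a blank line yields a single empty field; an unterminated quote is an error) is an assumption.

```python
"""Added example, not ClearPass Guest code: a record parser honouring the
fs / rs / quo / excel_compatible parsing options described in Table 30."""

# Constructed sample: CRLF records, an embedded separator, a doubled quote,
# and Excel's ="..." form used to keep a leading-zero code as text.
SAMPLE = 'username,note\r\n"Smith, J","say ""hi"""\r\n=" 0042",x\r\n'


def parse_records(text, options=None):
    opts = {"fs": ",", "rs": "\n", "quo": '"', "excel_compatible": False}
    opts.update(options or {})
    fs, rs, quo, excel = opts["fs"], opts["rs"], opts["quo"], opts["excel_compatible"]

    records, fields, field = [], [], []
    in_quotes = False       # currently inside a quoted field
    at_field_start = True   # only here may a quote (or =") open a quoted field
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if in_quotes:
            if c == quo:
                if text.startswith(quo, i + 1):   # doubled quote = literal quote
                    field.append(quo)
                    i += 2
                else:                              # closing quote
                    in_quotes = False
                    i += 1
            else:
                field.append(c)
                i += 1
            continue
        if at_field_start and excel and c == "=" and text.startswith(quo, i + 1):
            in_quotes, at_field_start = True, False   # excel_compatible: ="..."
            i += 2
            continue
        if at_field_start and c == quo:
            in_quotes, at_field_start = True, False   # plain "..." field
            i += 1
            continue
        if text.startswith(fs, i):                    # field separator
            fields.append("".join(field))
            field, at_field_start = [], True
            i += len(fs)
            continue
        if text.startswith(rs, i):                    # record separator
            fields.append("".join(field))
            records.append(fields)
            fields, field, at_field_start = [], [], True
            i += len(rs)
            continue
        field.append(c)                               # ordinary character
        at_field_start = False
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted field (truncated input?)")
    if field or fields:                               # last record without trailing rs
        fields.append("".join(field))
        records.append(fields)
    return records


if __name__ == "__main__":
    for rec in parse_records(SAMPLE, {"rs": "\r\n", "excel_compatible": True}):
        print(rec)
```

The ="..." form is how a spreadsheet keeps a value such as a leading-zero code as text. The same observation matters in the other direction: when guest data is exported to CSV, a field beginning with =, +, - or @ can be evaluated as a formula by the spreadsheet that opens it, so visitor-supplied values should be quoted or prefixed on export.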

  • PAGE 286

    Generates a random password of at least $len characters in length, based on one of the standard complexity requirements specified in $mode. If $mode is false or the empty string, the default password complexity is taken from the Guest Manager plugin configuration.
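The per-class minimum counts of NwaGenerateRandomPasswordMix() (page 284) and the mode-based generator described above, as an added example that is not ClearPass Guest code. It uses the secrets module so the output is unpredictable. Assumptions: the symbol set (the manual does not list its punctuation), the reading of the -1 default as "class not used", and the stand-in default mode.

```python
import secrets
import string

# Added example, not ClearPass Guest code: a generator with the per-class
# minimum counts of NwaGenerateRandomPasswordMix() and named complexity
# modes. Guest passwords must come from a CSPRNG (secrets here), never from
# the Mersenne Twister behind random.choice()/random.shuffle().

LOWER, UPPER, DIGIT = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOL = "!#$%&*+-=?@^_"   # assumption: the manual does not list its punctuation set


def random_password_mix(password_len, lower=1, upper=1, digit=1, symbol=-1):
    """A count > 0 is the minimum number of characters of that class; 0 or a
    negative count (the -1 default for symbols) means the class is not used
    (assumption about the meaning of -1)."""
    classes = [(LOWER, lower), (UPPER, upper), (DIGIT, digit), (SYMBOL, symbol)]
    required = [(chars, n) for chars, n in classes if n > 0]
    if not required:
        raise ValueError("at least one character class must be required")
    if sum(n for _, n in required) > password_len:
        raise ValueError("minimum counts exceed password length")
    pool = "".join(chars for chars, _ in required)
    out = [secrets.choice(chars) for chars, n in required for _ in range(n)]
    out += [secrets.choice(pool) for _ in range(password_len - len(out))]
    # Fisher-Yates with CSPRNG indices so the mandatory characters do not sit
    # at predictable positions at the front of the password.
    for i in range(len(out) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return "".join(out)


# The two method names the manual lists for random_password_method; the
# default stands in for the Guest Manager plugin setting (assumption).
MODES = {
    "nwa_alnum_password":  dict(lower=1, upper=1, digit=1, symbol=0),
    "nwa_strong_password": dict(lower=1, upper=1, digit=1, symbol=1),
}
DEFAULT_MODE = "nwa_alnum_password"


def random_password(length, mode=""):
    """If mode is false or the empty string, the default mode is used."""
    return random_password_mix(length, **MODES[mode or DEFAULT_MODE])


def meets_policy(password, lower=0, upper=0, digit=0, symbol=0):
    """Audit helper: does a password satisfy the same minimum counts?"""
    counts = {
        "lower": sum(c in LOWER for c in password),
        "upper": sum(c in UPPER for c in password),
        "digit": sum(c in DIGIT for c in password),
        "symbol": sum(c in SYMBOL for c in password),
    }
    need = {"lower": lower, "upper": upper, "digit": digit, "symbol": symbol}
    return all(counts[k] >= n for k, n in need.items())


if __name__ == "__main__":
    print(random_password_mix(12, lower=2, upper=2, digit=2, symbol=1))
    print(random_password(8, "nwa_strong_password"))
```

The length check matters: a policy demanding more mandatory characters than the length allows would otherwise loop or silently drop requirements.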

  • PAGE 287

    Option | Description
    $range_lookup | Specifies whether to find an exact or approximate match. If true (default), assumes the table is sorted and returns either an exact match, or the match from the row with the next largest value that is less than $value. If false, only an exact match is returned; NULL is returned on no match.
    value_column | Specifies the column index in the table that contains the values; the default is 0; in other words, the first column.

  • PAGE 288

    Field Description change_expiration and guest_enable forms. The value is generated from the do_schedule and schedule_time fields, and may be one of the following:
    - Account will be enabled at date and time
    - Account is currently active
    - No account activation
    auto_update_account Boolean flag indicating that an already existing account should be updated, rather than failing to create the account.

  • PAGE 289

    Field Description that have a username matching the account username. This option requires the NAS to support RFC 3576 dynamic authorization. See "RFC 3576 Dynamic Authorization" on page 61 for more information. do_schedule Boolean flag indicating if the account should be enabled at schedule_time. Set this field to 0 to disable automatic activation of the account at the activation time.

  • PAGE 290

    Field Description http_user_agent String. Identifies the Web browser that you are using. This tracks user’s browsers when they are registering. This is stored with the user’s account. id String. Internal user ID used to identify the guest account to the system. ip_address String. The IP address to assign to stations authenticating with this account. This field may be up to 20 characters in length. The value of this field is not currently used by the system.

  • PAGE 291

    Field Description "password" to use the value from the password field; any other value leaves the password unmodified. This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts. modify_schedule_time String. Value indicating how to modify the schedule_time field.

  • PAGE 292

    Field Description length. num_accounts Integer. The number of accounts to create when using the create_multi form. This field controls account creation behavior; it is not stored with created visitor accounts. password String. Password for the account. This field may be up to 64 characters in length. password2 String. Password for the account. If this field is set, its value must match the value of the password field for the account to be created or updated.

  • PAGE 293

    Field Description digits (a through z and 0 through 9). The length of the password is specified by the random_password_length field.
    - nwa_alnum_password to create a password using a combination of random digits, uppercase letters and lowercase letters (a-z, A-Z and 0-9). The length of the password is specified by the random_password_length field.
    - nwa_strong_password to create a password using a combination of digits, uppercase letters, lowercase letters, and some punctuation.

  • PAGE 294

    Field Description random_username_picture String. The format string to use when creating a username, if the random_username_method field is set to nwa_picture_password. See "Format Picture String Symbols" on page 297 for a list of the special characters that may be used in the format string. remote_addr String. The IP address of the guest at the time the guest account was registered. This field may be up to 20 characters in length. The value of this field is not currently used by the system.

  • PAGE 295

    Table 33: Hotspot Standard Fields Field Description address String. The visitor’s street address. card_code String. The 3 or 4 digit cardholder verification code printed on the credit card. This field is only used during transaction processing. card_expiry String. Credit card expiry date. This field is only used during transaction processing. card_name String. Name shown on the credit card. This field is only used during transaction processing. card_number String. Credit card number.

  • PAGE 296

    Field Description sms_auto_send_field String. This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the SMS plugin configuration is used. Additionally, the special values “_Disabled” and “_Enabled” may be used to never send an SMS or always send an SMS, respectively. sms_enabled Boolean. This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the default value is true. sms_handler_id String.

  • PAGE 297

    Field Description smtp_enabled String. This field may be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used. The special values _Auto (Always auto-send guest receipts by email), _AutoField (Auto-send guest receipts by email with a special field set), _Click (Display a link enabling a guest receipt via email), and _Cc (Send an email to a list of fixed addresses) may also be used. smtp_receipt_format String.

  • PAGE 298

    password_picture field.

  • PAGE 299

    - IsNonEmpty – Checks that the value is a non-empty string (length non-zero and not all whitespace), or a non-empty array.
    - IsNonNegative – Checks that the value is numeric and non-negative.
    - IsRegexMatch – Checks that the value matches a regular expression supplied as the argument to the validator. The regular expression should be a Perl-compatible regular expression with delimiters. For example, the validator argument /^a/i will match any value that starts with an "a", case-insensitively.

  • PAGE 300

    - IsValidLdapAttribute – Checks that the value is a valid LDAP attribute name; that is, a string that starts with a letter, and which contains only letters, numbers, underscore (_) and hyphen (-).
    - IsValidNetmask – Checks that the value is a valid network mask in dotted-quad notation; that is, an IP address such as 255.255.255.128 that contains a single string of N 1 bits followed by (32 – N) 0 bits.
    - IsValidNumber – Checks that the value is numeric; that is, an integer or a decimal value.
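Implementations of the IsNonEmpty, IsRegexMatch, IsValidLdapAttribute and IsValidNetmask checks described on pages 299 and 300, as an added example that is not ClearPass Guest code. The netmask test uses the bit property the description gives (N ones followed by zeros) rather than a table of valid masks. Assumptions: only single-character, same-character regex delimiters are handled, and only the i, m, s and x modifiers.

```python
import re

# Added example, not ClearPass Guest code: validators matching the
# descriptions of IsNonEmpty, IsRegexMatch, IsValidLdapAttribute and
# IsValidNetmask. Each returns True/False; IsRegexMatch raises on a malformed
# validator argument so a bad form definition fails loudly rather than
# silently accepting every value.

_OCTET = re.compile(r"[0-9]{1,3}")        # ASCII digits only: str.isdigit()
                                           # would accept Unicode digits
_LDAP_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")
_MODIFIERS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def is_non_empty(value):
    """Non-empty string (not all whitespace) or non-empty array."""
    if isinstance(value, (list, tuple, dict)):
        return len(value) > 0
    return isinstance(value, str) and value.strip() != ""


def is_valid_netmask(value):
    """Dotted quad whose 32-bit value is N one-bits followed by 32-N zeros."""
    parts = value.split(".")
    if len(parts) != 4:
        return False
    n = 0
    for p in parts:
        if not _OCTET.fullmatch(p) or int(p) > 255:
            return False
        n = (n << 8) | int(p)
    # Contiguous ones-then-zeros  <=>  the inverted mask is of the form
    # 0...01...1, i.e. inv & (inv + 1) == 0 (covers 0.0.0.0 and /32 too).
    inv = (~n) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def is_valid_ldap_attribute(value):
    """Starts with a letter; letters, digits, underscore and hyphen only."""
    return isinstance(value, str) and _LDAP_ATTR.match(value) is not None


def is_regex_match(value, pattern):
    """pattern is a delimited PCRE such as /^a/i: first character is the
    delimiter, the last occurrence of it closes the body, trailing letters
    are modifiers (assumption: same-character delimiters only)."""
    if len(pattern) < 2:
        raise ValueError("regex argument needs delimiters")
    delim = pattern[0]
    end = pattern.rfind(delim)
    if end == 0:
        raise ValueError("missing closing delimiter")
    body, mods = pattern[1:end], pattern[end + 1:]
    flags = 0
    for m in mods:
        if m not in _MODIFIERS:
            raise ValueError("unsupported modifier %r" % m)
        flags |= _MODIFIERS[m]
    return re.search(body, value, flags) is not None


if __name__ == "__main__":
    for mask in ("255.255.255.128", "255.255.0.255", "255.255.255"):
        print(mask, is_valid_netmask(mask))
    print(is_regex_match("Alpha", "/^a/i"))
```

Because the IsValidNetmask description is a bit-pattern property, testing it arithmetically is both shorter and easier to review than listing the 33 valid masks; the invalid mask 255.255.0.255 is the case that catches implementations that only check each octet separately.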

  • PAGE 301

    - NwaCaptchaIsValid – Checks that the value matches the security code generated in the CAPTCHA image. This validator should only be used with the standard captcha field.
    - NwaGuestManagerIsValidRoleId – Checks that the value is a valid role ID for the current operator and user database.
    - NwaIsValidExpireAfter – Checks that the value is one of the account expiration time options specified in the Guest Manager configuration.

  • PAGE 302

    Function Description defined as 1,024 bytes, 1 MB as 1,024 KB (1,048,576 bytes), and 1 GB as 1,024 MB (1,073,741,824 bytes).
    - If a negative value is supplied, returns the argument (or null if no argument was supplied).
    - If a non-numeric value is supplied, that value is returned directly.
    NwaCurrencyFormat Formats a numeric value that indicates a monetary amount as a string. If the argument is null or not supplied, the current locale's settings are used to format the monetary value.

  • PAGE 303

    Function Description negative_sign – sign for negative values n_sign_posn – position of sign for negative values (0..

  • PAGE 304

    Value Description value, if_true, if_false[, if_undefined]) value evaluates to a Boolean true or false, respectively. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined. Nwa_DateFormat(value, format) Converts a numerical value (UNIX time) to a string using the date and time format string format. The format string uses similar syntax to the NwaDateFormat() function.

  • PAGE 305

    l logonCount: The logonCount property counts the number of successful times the user tried to log on to this account. l mail: The mail property is a single-valued property that contains the SMTP address for the user (such as demo@example.com). l memberOf: The memberOf property is a multi-valued property that contains groups of which the user is a direct member.

  • PAGE 306

    Regex | Matches
    \d | Any decimal digit
    \D | Any character that is not a decimal digit
    The regular expression syntax used is Perl-compatible. For further details on writing regular expressions, consult a tutorial or programming manual.

  • PAGE 307

    Chapter 10 Glossary 802.1X IEEE standard for port-based network access control. Access-Accept Response from RADIUS server indicating successful authentication, and containing authorization information. Access-Reject Response from RADIUS server indicating a user is not authorized. Access-Request RADIUS packet sent to a RADIUS server requesting authorization. Accounting-Request RADIUS packet type sent to a RADIUS server containing accounting summary information.

  • PAGE 308

    Disconnect-Request RADIUS packet type sent to a NAS requesting that a user or session be disconnected. distinguished name Series of fields in a digital certificate that, taken together, constitute the unique identity of the person or device that owns the digital certificate. Common fields in a distinguished name include country, state, locality, organization, organizational unit, and the “common name”, which is the primary name used to identify the certificate. DN See distinguished name.

  • PAGE 309

    PKI Public-key infrastructure. Security technology based on digital certificates and the assurances provided by strong cryptography. See also certificate authority, digital certificate, public key, private key. print template Formatted template used to generate guest account receipts. private key The part of a public/private key pair that is always kept private. The private key is used to sign a message so that the recipient can authenticate the sender (only the sender holds the private key; anyone with the matching public key can verify the signature).


  • PAGE 311

    Index application log 237 1 filtering 238 1024-bit RSA 108 searching 237 viewing 237 2 applications, installing 78 2048-bit RSA 108 authentication 18, 20, 29, 44 authorization 18, 20, 29 A access, role-based 18 AAA 18 dynamic 61 access control, print templates 197 account filters, creating 244 B accounting 18, 20 Base-64 encoded 97 accounts binary certificate 97 passwords, multiple 177 visitor account 21 Active Directory LDAP authentication 249 active sessions 59-60 administration 219, 2

  • PAGE 312

    device limit in AirGroup 247 SMS gateway 229 device provisioning 79 credits, SMS 233 iOS and OS X provisioning 110 CSV Kernel plugin 225 caching 283 legacy OS X provisioning 112 customer support 239 operator logins 258 customizing plugins 224 content 134 provisioning settings 106 email receipt 190 receipts 234 fields 145 revocation checks 109 Guest Manager 137 self-service portal, display functions 301 hotspot invoice 210 shared_location field 147 hotspot receipt 216 shared_role fiel

  • PAGE 313

    importing 57 expiration personal, AirGroup 55 provisioning configuration 106 guest accounts, editing 36 exporting shared 53 certificates 97 viewing 55 guest accounts 43 disabling SMTP carrier 234 disconnecting session 60-61 F fields 21, 141 documentation, viewing 239 account_activation 287 downloading content 135-136 address 295 duplicating auto_send_sms 295 fields 147 auto_update_account 141 forms and views 151 card_code 295 SMS gateways 228 creating 145 dynamic authorization 59, 61

  • PAGE 314

    expire_postlogin 143 sms_handler_id 199, 296 expire_time 142, 289 sms_phone_field 199, 296 expire_usage 143, 289 sms_template_id 199, 296 first_name 295 sms_warn_before_message 296 hotspot_plan_id 295 smtp_auto_send_field 193 hotspot_plan_name 295 smtp_cc_action 193 id 290 smtp_email_field 193 ip_address 290 smtp_enabled 192 last_name 295 smtp_receipt_format 193 modify_expire_postlogin 290 smtp_subject 192, 297 modify_password 141, 290 smtp_template_id 193, 297 modify_schedule_time 291

  • PAGE 315

    Validation properties 162 change expiration 36 Value conversion 166 creating 29 Value formatter 167 creating multiple 30, 43 Visible If 168 delete 36 form fields disable 36 advanced properties 165 edit 37 CAPTCHA 153 editing expiration 36 check box 154 email receipt 30 checklist 154 export 43 conversion functions 301 exporting 43 Date/time picker 155 filtering 35, 38 display functions 152, 301 importing 40 group heading 160 list 34 initial value 162 manage multiple 38 validator f

  • PAGE 316

    hotspot management 203 locations, AirGroup 53 captive portal 205 log files 237 creating plan 207 logging customer information 210 customizing invoice 210 passwords 140 customizing receipt 216 M customizing selection interface 212, 214, 216 MAC editing plan 207 address formats 44 invoice 210 advanced features 57 plans 206 authentication 44 Hotspot Manager 203 HTML Smarty templates 264 registering devices 56 message, sending SMS 232 MMS standard styles 262 syntax 261 SMS template for 236

  • PAGE 317

    password options 243 user roles 243 Operator logins LDAP 248 operator profiles 21, 241-242 automatic logout 259 creating 242 Q quick start, Smarty template syntax 264 quick view, content 136 R RADIUS server 18 accounting query 269 privileges 246 active sessions 59 operators 21 creating 248 disconnecting session 60-61 local 247 reauthorizing session 60-61 login message 258 reauthorizing session 60-61 P receipt page 171 passcode policy 129 passwords editing 178 receipts 233 configuring 234 gene

  • PAGE 318

    selecting literal block 265 mobile carrier 232 modifiers 266 self-registration Onboard 80 creating device 51 section block 265 editing 177 self-service portal 186 variables 264 SMS auto login 187 alert for session 63 password generation 187 alerts 63 resetting passwords 187 character limit 194 secret question 188 credits 233 self registration guest account receipts 30 creating page 172 guest self-registration receipts 182 sending receipts 63 SMS alert 63 SMS message 232 subject line

  • PAGE 319

    troubleshooting application integrity check 224 Onboard 131 TSV 43 X XML guest account list 43 parsing 285 U uploading code-signing certificate 101 content 135 user database 21 V viewing application log 237 content 136 devices 55 documentation 239 plugins 223 sessions, device 49 SMS gateways 228 SMTP carriers 234 views 21, 141, 144 column format 170 customization 150 duplicating 151 editing 151, 169 field editor 170 guest_export 43, 144 guest_multi 38, 144 guest_sessions 60, 144 guest_users 34, 144 visit
