Getting Started Guide Dell Networking W-ClearPass Policy Manager
Copyright Information © 2015 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
Powering Up and Configuring Policy Manager Hardware 5
  Overviews 5
  Server Port Overview 5
  Initial Server Configuration 5
  Before you Begin 5
  Initial Setup Procedure 6
  Powering Off the System 7
  Resetting the Passwords to Factory Default 7
  Generating a Support Key for Technical Support 8
  A Subset of Useful CLI Commands 9
Accessing Policy Manager 11
  Accessing Help 12
Checking Basic Services 13
Use Cases 15
  802.1X Wireless Use Case 15
| Contents Dell Networking W-ClearPass Policy Manager | Getting Started Guide
Chapter 1
Powering Up and Configuring Policy Manager Hardware

Overviews
This Getting Started Guide for the Dell Networking W-ClearPass Policy Manager System (Policy Manager) describes the steps for installing the appliance using the Command Line Interface (CLI) and using the User Interface (UI) to ensure that the required services are running.

Server Port Overview
The back of the Policy Manager appliance contains three ports.
Table 2: Required Information
Requirement | Value for Your Installation
Hostname (Policy Manager server) |
Management Port IP Address |
Management Port Subnet Mask |
Management Port Gateway |
Data Port IP Address (optional) |
NOTE: The Data Port IP Address must not be in the same subnet as the Management Port IP Address.
Follow the prompts, replacing the placeholder entries in the following illustration with the information you entered in Table 2:
Enter hostname:
Enter Management Port IP Address:
Enter Management Port Subnet Mask:
Enter Management Port Gateway:
Enter Data Port IP Address:
Enter Data Port Subnet Mask:
Enter Data Port Gateway:
Enter Primary DNS:
Enter Secondary
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit.
4. To generate a password recovery key, select option 1.
5. After the password recovery key is generated, email the key to Dell technical support. A unique password will be generated from the recovery key and emailed back to you.
6.
A Subset of Useful CLI Commands
The CLI provides a way to manage and configure Policy Manager information. Refer to Appendix A: Command Line Interface in the User Guide for more detailed information on the CLI. The CLI can be accessed from the console using a serial port interface or remotely using SSH:
*****************************************************************************************
*                         Dell W-ClearPass Policy Manager                               *
*                                                                                       *
* Software Version : 6.4.0.
Chapter 2
Accessing Policy Manager
Use Firefox 3.0 (or higher) or Internet Explorer 7.0.5 (or higher) to perform the following steps:
1. Open the administrative interface. Navigate to https://<hostname>/tips, where <hostname> is the hostname you configured during the initial configuration.
2. Enter License Key.
3. Click the Activate Now link.
4. Activate the product. If the appliance is connected to the Internet, click on the Activate Now button.
6. Change the password. Navigate to Administration > Admin Users, then use the Edit Admin User popup to change the administration password.

Accessing Help
The Policy Manager User Guide (in PDF format) is built within the help system here: https://<hostname>/tipshelp/html/en/ (where <hostname> is the hostname you configured during the initial configuration). All Policy Manager user interface screens have context-sensitive help.
Chapter 3
Checking Basic Services
To check the status of a service, navigate to Administration > Server Manager > Server Configuration, then click on a row to select a server:
- The System tab displays server identity and connection parameters.
- The Service Control tab displays all services and their current status. If a service is stopped, you can use its Start/Stop button (toggle) to restart it.
Appendix A
Use Cases
This appendix contains several specific W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case.
- 802.1X Wireless Use Case on page 15
- Web Based Authentication Use Case on page 21
- MAC Authentication Use Case on page 28
- TACACS+ Use Case on page 31
- Single Port Use Case on page 32

802.1X Wireless Use Case
Policy Manager ships with fourteen preconfigured services. In this use case, you select a service that supports 802.1X wireless requests. Follow the steps below to configure this basic 802.1X service that uses [EAP FAST], one of the pre-configured Policy Manager authentication methods, and Active Directory Authentication Source (AD), an external authentication source within your existing enterprise.
Creating a New Role Mapping Policy
To create a new Role Mapping policy:
1. Click the Roles tab.
2. Click Add new Role Mapping Policy. The Role Mappings page opens.
Figure 3: Role Mapping Navigation and Settings
3. To add a new role, navigate to the Policy tab. Enter the Policy Name, for example, ROLE_ENGINEER, and click Save. Repeat the same step for ROLE_FINANCE. The following figure displays the Policy tab:
Figure 4: Policy Tab
4. Click the Next button in the Rules Editor.
5.
Figure 5: Mapping Rules Tab
6. Select the Select all matches radio button.
7. Match the conditions with the role name. Click the Add Rule button. The Rules Editor pop-up opens. Upon completion of each rule, click the Save button in the Rules Editor.
8. Click the Save button.
9. Add the new role mapping policy to the service from the Roles tab.
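The choice made in step 6 matters more than the single radio button suggests: with "Select all matches" every rule whose conditions hold contributes roles, whereas stopping at the first applicable rule makes the rule order part of the policy. The evaluator below, an added illustration that is not code from the guide or from W-ClearPass Policy Manager, shows both modes side by side. The attribute names, the rule conditions and the default role name are constructed for the example; only the two evaluation modes and the ROLE_ENGINEER / ROLE_FINANCE names come from the procedure above.

```python
"""Role-mapping rule evaluation in the two modes the Rules Editor offers.

Added illustration, not W-ClearPass Policy Manager code. Attribute names,
conditions and the default role are constructed; the role names follow the
procedure above (ROLE_ENGINEER, ROLE_FINANCE).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attributes = Dict[str, str]  # request attributes available after authentication


@dataclass
class MappingRule:
    name: str
    matches: Callable[[Attributes], bool]  # the rule's condition
    roles: List[str]                        # roles assigned when it matches


def evaluate_role_mapping(attrs: Attributes, rules: List[MappingRule],
                          select_all_matches: bool, default_role: str) -> List[str]:
    """Return the roles assigned to one request.

    select_all_matches=False: stop at the first rule whose condition holds,
    so rule order decides the outcome.
    select_all_matches=True: every matching rule contributes its roles.
    When no rule matches, the policy's default role is returned.
    """
    assigned: List[str] = []
    for rule in rules:
        if rule.matches(attrs):
            for role in rule.roles:
                if role not in assigned:   # keep order, avoid duplicates
                    assigned.append(role)
            if not select_all_matches:
                break
    return assigned or [default_role]


def _in_group(attrs: Attributes, group: str) -> bool:
    # Constructed attribute: AD group membership as a ';'-separated list.
    return group in attrs.get("memberOf", "").split(";")


# Constructed rules: one per department plus one based on the connection type.
RULES = [
    MappingRule("Engineering staff", lambda a: _in_group(a, "Engineering"), ["ROLE_ENGINEER"]),
    MappingRule("Finance staff", lambda a: _in_group(a, "Finance"), ["ROLE_FINANCE"]),
    MappingRule("Wireless connection",
                lambda a: a.get("nas_port_type") == "Wireless-802.11", ["ROLE_WIRELESS"]),
]
DEFAULT_ROLE = "ROLE_DEFAULT"  # constructed name for the policy's default role

# Constructed sample requests.
ALICE = {"username": "alice", "memberOf": "Engineering;VPN-Users", "nas_port_type": "Wireless-802.11"}
DAVE = {"username": "dave", "memberOf": "Contractors", "nas_port_type": "Ethernet"}


if __name__ == "__main__":
    for mode in (False, True):
        print("select_all_matches =", mode)
        for req in (ALICE, DAVE):
            print("  ", req["username"], "->",
                  evaluate_role_mapping(req, RULES, mode, DEFAULT_ROLE))
```

Run as written, alice receives only ROLE_ENGINEER in first-match mode but ROLE_ENGINEER and ROLE_WIRELESS with "Select all matches", while dave falls through to the default role in both. When reviewing a policy in "Select all matches" mode, each rule therefore has to be safe on its own, because a broad condition grants its roles to everyone it matches regardless of the rules around it.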
10. Select Role Mapping Policy, for example, RMP_DEPARTMENT. Click Next.
11. Add a Microsoft NPS external posture server to the 802.1X service. Click the Posture tab. The following figure displays the Posture tab:
Figure 7: Posture Tab
12. Click Add new Posture Server to add a new posture server.
13.
Figure 9: Primary Server Tab
16. Click Next to move from the primary server to the backup server. Click Save.
17. Add the new posture server to the service. From the Posture tab, enter the Posture Servers, for example, PS_NPS, then click the Add button. The following figure displays the Posture tab:
Figure 10: Posture Tab
18. Click the Next button. Assign an enforcement policy.
19. Enforcement policies contain dictionary-based rules that evaluate Role, Posture Tokens, and System Time to select the profiles to apply.
20. From the Enforcement tab, select the Enforcement Policy, for example, Role_Based_Allow_Access_Policy. For instructions about how to build such an enforcement policy, refer to "Configuring Enforcement Policies" in the W-ClearPass Policy Manager User Guide.
21. Save the service.

Web Based Authentication Use Case
This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service.
Table 4: Service Navigation and Settings
Navigation: Create a new Service:
- Services >
- Add Service >
Settings: Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): Dell Web-Based Authentication >
- Name/Description (freeform) >
- Upon completion, click Next.
3. Set up the Authentication.
a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
b.
Table 5: Local Policy Manager Database Navigation and Settings
Navigation: Select the local Policy Manager database:
- Authentication (tab) >
- Sources (Select drop-down list): [Local User Repository] >
- Add >
- Strip Username Rules (check box) >
Settings: Enter an example of preceding or following separators (if any), with the phrase "user" representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
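The Strip Username Rules setting matters for a WebAuth service because the same account can arrive as CORP\alice, alice@corp.example.com or plain alice, and the lookup against the authentication source only succeeds if all three are reduced to the same bare name. The code below is an added example, not the product's code: the guide only states that a rule is written with the word "user" standing for the returned username and the separators to strip on either side of it, so the exact behaviour here (a separator before "user" removes everything up to and including its last occurrence, a separator after "user" removes everything from its first occurrence, rules applied in order) is an assumption made for the illustration. The sample identities are constructed.

```python
"""Username stripping modelled on the "Strip Username Rules" setting.

Added example, not W-ClearPass Policy Manager code. The rule syntax follows
the guide ("user" stands for the returned username, separators sit on either
side of it); the stripping semantics implemented here are an assumption.
"""
from typing import Iterable, List, Tuple

PLACEHOLDER = "user"


def parse_rule(rule: str) -> Tuple[str, str]:
    """Split a rule such as '\\user' or 'user@' into (prefix_sep, suffix_sep)."""
    if PLACEHOLDER not in rule:
        raise ValueError(f"rule {rule!r} does not contain the word {PLACEHOLDER!r}")
    prefix, suffix = rule.split(PLACEHOLDER, 1)
    if not prefix and not suffix:
        raise ValueError("rule must name at least one separator")
    return prefix, suffix


def strip_username(username: str, rules: Iterable[str]) -> str:
    """Apply the rules in order and return the bare account name.

    If stripping would leave nothing (for example the input was just
    '@realm'), the original value is returned so that an empty name is
    never sent to the authentication source.
    """
    result = username
    for rule in rules:
        prefix, suffix = parse_rule(rule)
        if prefix and prefix in result:
            # Drop the domain or path before the last prefix separator:
            # 'CORP\alice' -> 'alice'
            result = result.rsplit(prefix, 1)[1]
        if suffix and suffix in result:
            # Drop the realm after the first suffix separator:
            # 'bob@corp.example.com' -> 'bob'
            result = result.split(suffix, 1)[0]
    return result or username


# Constructed rules: strip an NT-style domain prefix and a realm suffix.
RULES: List[str] = ["\\user", "user@"]

# Constructed sample identities as they might arrive in a WebAuth request.
SAMPLES = ["CORP\\alice", "bob@corp.example.com", "carol", "CORP\\dan@corp.example.com"]


if __name__ == "__main__":
    for raw in SAMPLES:
        # Keep both forms in the audit trail: the stripped name is what the
        # source is queried for, the raw one is what the client presented.
        print(f"{raw!r:40} -> {strip_username(raw, RULES)!r}")
```

Because stripping happens before the lookup, the stripped name is the one the authentication record will carry; recording the raw identity alongside it keeps the audit trail usable when two presentations of a name collapse to one account.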
Table 6: Posture Policy Navigation and Settings
Navigation: Create a Posture Policy:
- Posture (tab) >
- Enable Validation Check (check box) >
- Add new Internal Policy (link) >
Setting: Name the Posture Policy and specify a general class of operating system:
- Policy (tab) >
- Policy Name (freeform): IPP_UNIVERSAL >
- Host Operating System (radio buttons): Windows >
- When finished working in the Policy tab, click Next to open the Posture Plugins tab.
Table 6: Posture Policy Navigation and Settings (Continued)
Navigation: Select a Validator:
- Posture Plugins (tab) >
- Enable Windows Health System Validator >
- Configure (button) >
Setting: Configure the Validator:
- Windows System Health Validator (popup) >
- Enable all Windows operating systems (check box) >
- Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) >
- Save (button) >
Table 6: Posture Policy Navigation and Settings (Continued)
Navigation:
- When finished working in the Posture Plugins tab, click Next to move to the Rules tab.
Setting: Set rules to correlate validation results with posture tokens:
- Rules (tab) >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) >
- In the Rules Editor, upon completion of each rule, click the Save button >
Table 6: Posture Policy Navigation and Settings (Continued)
Navigation: Add the new Posture Policy to the Service:
- Back in Posture (tab) >
Setting:
- Internal Policies (selector): IPP_UNIVERSAL_XP, then click the Add button.
The following fields deserve special mention:
- Default Posture Token. Value of the posture token to use if health status is not available.
- Remediate End-Hosts. When a client does not pass posture evaluation, redirect to the indicated server for remediation.
- Remediation URL.
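The three fields singled out above decide what happens to the clients the validator rules never reach: a client that sends no health status at all gets the Default Posture Token, and a client that fails is either dropped or redirected to the Remediation URL depending on Remediate End-Hosts. The model below is an added example, not W-ClearPass Policy Manager code, written to show how those fields interact with the plugin rules from Table 6; the token names, the plugin check names and the URL are constructed, and the "worst matching token wins" aggregation is an assumption for the illustration.

```python
"""Posture evaluation with the Default Posture Token and remediation fields.

Added example, not W-ClearPass Policy Manager code. Token names, plugin
check names and the remediation URL are constructed; the aggregation rule
(worst matching token wins) is an assumption made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed token set, ordered from best to worst.
TOKEN_ORDER = ["HEALTHY", "QUARANTINE", "UNKNOWN"]


@dataclass
class PostureRule:
    failed_check: str   # plugin check that must have failed for the rule to match
    token: str          # posture token the rule assigns


@dataclass
class PosturePolicy:
    rules: List[PostureRule]
    default_token: str          # "Default Posture Token"
    remediate_end_hosts: bool   # "Remediate End-Hosts"
    remediation_url: str        # "Remediation URL"


def evaluate_posture(health: Optional[Dict[str, bool]], policy: PosturePolicy) -> str:
    """Return the posture token for one client.

    `health` maps a plugin check name to whether it passed. None means no
    health status was received at all (no agent, no statement of health),
    which is the case the Default Posture Token exists for. A check that is
    missing from a received status is treated as failed (fail closed).
    """
    if health is None:
        return policy.default_token
    worst = "HEALTHY"
    for rule in policy.rules:
        if not health.get(rule.failed_check, False):
            if TOKEN_ORDER.index(rule.token) > TOKEN_ORDER.index(worst):
                worst = rule.token
    return worst


def enforcement_for(token: str, policy: PosturePolicy) -> Dict[str, str]:
    """Decide what the enforcement side does with a posture token."""
    if token == "HEALTHY":
        return {"action": "allow"}
    if policy.remediate_end_hosts:
        # Unhealthy or unknown clients are sent to the remediation server
        # instead of simply being denied.
        return {"action": "redirect", "url": policy.remediation_url, "token": token}
    return {"action": "deny", "token": token}


# Constructed policy with two Windows-style health checks.
POLICY = PosturePolicy(
    rules=[
        PostureRule("firewall_enabled", "QUARANTINE"),
        PostureRule("antivirus_current", "QUARANTINE"),
    ],
    default_token="UNKNOWN",
    remediate_end_hosts=True,
    remediation_url="https://remediation.example.invalid/fix",  # constructed
)

if __name__ == "__main__":
    cases = [
        ("agent, all checks pass", {"firewall_enabled": True, "antivirus_current": True}),
        ("agent, firewall off", {"firewall_enabled": False, "antivirus_current": True}),
        ("no health status", None),
    ]
    for label, status in cases:
        token = evaluate_posture(status, POLICY)
        print(f"{label:24} -> {token:10} {enforcement_for(token, POLICY)}")
```

The default token is the setting to check most carefully: a client that never sends a statement of health is exactly the one about which nothing is known, so a default of HEALTHY would admit it with no evaluation at all, whereas a default that routes to remediation keeps such clients off the production network until an agent reports.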
MAC Authentication Use Case
This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request. A subsequent MAC Authentication request (forcefully triggered after the audit, or triggered after a short session timeout) uses the cached results from the audit to determine posture and role(s) for the device.
Table 8: MAC Authentication Service Navigation and Settings
Navigation: Create a new Service:
- Services >
- Add Service (link) >
Settings: Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): MAC Authentication >
- Name/Description (freeform) >
- Upon completion, click Next to configure Authentication.
2. Set up Authentication. You can select any type of authentication/authorization source for a MAC Authentication service.
This step is optional if no Role Mapping Policy is provided, or if you want to establish health or roles using an audit. An audit server determines health by performing a detailed system and health vulnerability analysis (NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy Manager to determine client identity.
TACACS+ Use Case
This Service supports Administrator connections to Network Access Devices via TACACS+. The following image illustrates the overall flow of control for this Policy Manager Service.
Figure 13: Administrator connections to Network Access Devices via TACACS+

Configuring the Service
Perform the following steps to configure Policy Manager for TACACS+-based access:
1. Navigate to Configuration > Services.
2. Click the icon to add a service. The Configuration > Services > Add window opens.
3.
4. Define the Authentication settings for the service. Authentication methods can be left at their default values, as the Policy Manager TACACS+ service authenticates TACACS+ requests internally.
a. In the Authentication Sources section, click the Select to Add drop-down list.
b. Select AD (Active Directory). For this use case example, Network Access Device authentication data will be stored in the Active Directory.
5. Click the Enforcement tab and select an Enforcement Policy.
a.