User Guide Dell Networking W-ClearPass Policy Manager 6.
Copyright Information © 2015 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1 About Dell Networking W-ClearPass Policy Manager The Dell Networking W-ClearPass Policy Manager (CPPM) platform provides role and device-based network access control across wired, wireless, and Virtual Private Network (VPN) networks. Dell Networking W-ClearPass Policy Manager provides device registration, device profiling, endpoint health assessments, and comprehensive reporting.
To learn more about the specific configurations, fields, and forms available in these sections, refer to the appropriate sections of the following chapters:
- Monitoring on page 1
- Configuration on page 85
- Administration on page 389

Feature Overview

The following sections give a general overview of some of Policy Manager's features:
- Dell Networking W-ClearPass Policy Manager Service Components on page 26
- Services Architecture and Flow on page 29
- Authentication and Authorization Architecture and Flow
The following figure and table illustrate the basic Policy Manager flow of control and its underlying architecture: Figure 1: Generic Policy Manager Service Flow of Control
The following table describes the Policy Manager service components:

Table 1: Policy Manager Service Components
Component | Service : Component Ratio | Description
A - Authentication Method | Zero or more per service | Specifies the EAP or non-EAP method for client authentication.

Table 1: Policy Manager Service Components (Continued)
Component | Service : Component Ratio | Description
(Audit Server, continued) | | For MAC-based authentication services, where role information is not available from an authentication source, an audit server can determine the role by applying post-audit rules against the client attributes gathered during the audit.
D - Internal Posture Policies | Zero or more per service | An internal posture policy tests requests against internal posture rules to assess health.
- Children of Policy Manager, which test requests against their rules to find a matching service for each request.

The flow of control for requests follows this hierarchy:
- Policy Manager tests for the first request-to-service-rule match.
- The matching service coordinates execution of its policy components.
- Those policy components process the request to return enforcement profiles to the network access device and, optionally, posture results to the client.

- Where no authentication source is specified (for example, for unmanageable devices), Policy Manager passes the request to the next configured policy component for this service.
- If Policy Manager does not find the connecting entity in any of the configured authentication sources, it rejects the request.
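The flow of control just described (first request-to-service rule match wins, then the service's authentication sources are tried in order, a service with no source hands the request to its next component, and an entity found in no source is rejected) can be modelled in a few lines. The following Python is an added illustration written for this section, not ClearPass code; the Service, AuthSource and Decision types, the rule fields (nas_port_type, auth_type) and the user stores are constructed assumptions.

```python
"""Toy model of the Policy Manager request flow described in the text.

Hypothetical example for this guide section; it is not ClearPass code.
The class and field names below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]          # e.g. {"nas_port_type": "Wireless-802.11", ...}
Rule = Callable[[Request], bool]  # one request-to-service rule


@dataclass
class AuthSource:
    name: str
    users: Dict[str, Dict[str, str]]  # constructed sample user store

    def lookup(self, username: str) -> Optional[Dict[str, str]]:
        return self.users.get(username)


@dataclass
class Service:
    name: str
    rules: List[Rule]
    auth_sources: List[AuthSource] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        # ALL rules must hold for the service to match (assumption; the
        # rules editor also offers ANY, which is not modelled here).
        return all(rule(req) for rule in self.rules)


@dataclass
class Decision:
    service: Optional[str]
    outcome: str            # "ACCEPT", "REJECT", "NO_SERVICE", "PASS_THROUGH"
    source: Optional[str] = None


def select_service(services: List[Service], req: Request) -> Optional[Service]:
    """Services are tested in order; the first rule match wins."""
    for svc in services:
        if svc.matches(req):
            return svc
    return None


def process_request(services: List[Service], req: Request) -> Decision:
    svc = select_service(services, req)
    if svc is None:
        return Decision(None, "NO_SERVICE")
    if not svc.auth_sources:
        # No source configured (e.g. unmanageable devices): the request is
        # passed to the next policy component of this service.
        return Decision(svc.name, "PASS_THROUGH")
    for src in svc.auth_sources:
        if src.lookup(req["username"]) is not None:
            return Decision(svc.name, "ACCEPT", src.name)
    # Connecting entity not found in any configured source: reject.
    return Decision(svc.name, "REJECT")


# Constructed sample configuration (not a real deployment).
AD = AuthSource("corp-ad", {"alice": {"dept": "eng"}})
LOCAL = AuthSource("local-users", {"guest1": {"dept": "guest"}})

SERVICES = [
    Service("802.1X Wireless",
            [lambda r: r.get("nas_port_type") == "Wireless-802.11",
             lambda r: r.get("auth_type") == "EAP"],
            [AD, LOCAL]),
    Service("MAC Auth Printers",
            [lambda r: r.get("auth_type") == "MAC"]),   # no auth source
]


def demo() -> List[Decision]:
    """Run a handful of constructed requests through the model."""
    reqs = [
        {"nas_port_type": "Wireless-802.11", "auth_type": "EAP", "username": "alice"},
        {"nas_port_type": "Wireless-802.11", "auth_type": "EAP", "username": "guest1"},
        {"nas_port_type": "Wireless-802.11", "auth_type": "EAP", "username": "mallory"},
        {"nas_port_type": "Ethernet", "auth_type": "MAC", "username": "00:11:22:33:44:55"},
        {"nas_port_type": "Virtual", "auth_type": "PAP", "username": "bob"},
    ]
    return [process_request(SERVICES, r) for r in reqs]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The order of the SERVICES list matters in the same way the order of services matters in the product: a broad rule placed first will capture requests intended for a narrower service below it, which is the usual cause of a request landing in an unexpected service in Access Tracker.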
occurs inside a black box called an enforcement policy. Each enforcement policy contains a rule or set of rules for matching conditions (role, posture, and time) to actions (enforcement profiles). For each request, it yields one or more matches, in the form of enforcement profiles, from which Policy Manager assembles access-control attributes for return to the originating NAD, subject to the following disambiguation rules:
- If an attribute occurs only once within an enforcement profile, transmit it as is.
Posture Architecture and Flow Policy Manager supports three types of posture checking: posture policies, posture servers, and audit servers. Posture Policy Policy Manager supports four pre-configured posture plug-ins for Windows, one plug-in for Linux®, and one plug-in for Mac OS® X, against which administrators can configure rules that test for specific attributes of client health and correlate the results to return application posture tokens for processing by enforcement policies.
Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
- Operating system version/type
- Registry keys/services present (or absent)
- Antivirus/antispyware/firewall configuration
- Patch level of different software components
- Peer-to-Peer (P2P) application checks
- Services to be running or not running
- Processes to be running or not running

Each configured health check returns an application token represen
Figure 5: Flow of Control of Policy Manager Auditing Common Tasks in Policy Manager When you use Dell Networking W-ClearPass Policy Manager, you may observe many common fields with similar functions in different locations. For example, the option to import or export is available from a list of items such as services, authentication methods, authentication sources, and enforcement policies.
In the configuration pages, you can view an option similar to the following:
1. Click the Import link at the top right corner of the configuration page. The Import from file dialog box appears. Figure 6: Import from file Page
2. Click Choose File.
3. Select the file you want to import. You must select an XML file in the correct format. If you have exported files from different places in Policy Manager, ensure that you are selecting the correct file.

Figure 7: Export to File
2. If you want the file password protected, select Yes and enter a password in the Secret Key and Verify Secret fields. If you do not want the file password protected, select No.
3. Click Export. Depending on the browser you use, the file is either automatically saved to your hard drive, or you are prompted to save it in a specific location.

To export multiple items, select the check boxes in the rows of the specific items that you want to export.
Chapter 2 Policy Manager Dashboard The Policy Manager Dashboard organizes and presents the key information about various elements on status, performance, and summary. The Dashboard information is illustrated in interactive bar chart, graph, and table formats and you can click them to view the respective pages.
Table 2: Dashboard Layout Parameters (Continued)
Drag and drop the Device Category widget to the Dashboard to view a chart of all profiled devices categorized into the following built-in categories:
- SmartDevices
- Access Points
- Computer
- VOIP phone
- Datacenter Appliance
- Printer
- Physical Security
- Game Console
- Routers
- Unknown
- Conflict
Unknown devices are devices that have not been profiled by the profiler.

Table 2: Dashboard Layout Parameters (Continued)
Drag and drop the System Summary widget to the Dashboard to view the Percentage Used statistics for the following:
- Main Memory
- Swap Memory
- Disk
- Swap Disk
Drag and drop the Successful Authentications widget to the Dashboard to view a table with the latest successful authentications. Clicking a row in the table drills down to the Access Tracker page and shows successful requests sorted by timestamp, with the latest request displayed at the top.

Table 2: Dashboard Layout Parameters (Continued)
Drag and drop the Quick Links widget to the Dashboard to view links to the following common configuration tasks:
- Start Configuring Policies links to the Start Here page under the Configuration menu. You can start configuring Policy Manager services from here.
- Manage Services links to the Services page under the Configuration menu. This page shows a list of configured services.
Chapter 3 Monitoring The Monitoring features in Policy Manager provide access to live monitoring of components and other functions.
The following table describes the information in the Access Tracker table:

Table 3: Access Tracker Table Parameters
Parameter | Description
Server | Displays the IP address of the server.
Source | Displays the authentication source for the session. For example, TACACS or web authentication.
Username | Displays the username or MAC address of the user.
Service | Displays the name of the service. For example, Health Only, MAC authentication, or AirGroup Authorization.

The table below describes the configuration parameters on the Access Tracker Edit page:

Table 4: Access Tracker Edit Page Parameters
Parameter | Description
Select Server/Domain | Displays information for the selected server or domain on the Access Tracker page. Select all the servers to display transactions from all nodes in the Policy Manager cluster.
Select Filter | Select a filter category to filter the displayed data. For a description of available filters, see Data Filters on page 79.
Summary tab. The following figure displays the Summary tab: Figure 10: Request Details - Summary Tab Input Tab This tab shows protocol-specific attributes that Policy Manager received in a transaction request, including authentication and posture details (if available). The Input tab also shows computed attributes that Policy Manager derived from the request attributes. Click any table row in the Monitoring > Live Monitoring > Access Tracker page to view the Input tab.
The following figure displays the Request Details - Input tab: Figure 11: Request Details - Input tab
Output Tab This tab shows the attributes that were sent to the network device (switch or controller) and to the posture-capable endpoint (for example, MAC devices). Click any table row in the Monitoring > Live Monitoring > Access Tracker page to view the Output tab. The following figure displays the Request Details - Output tab: Figure 12: Request Details - Output tab Access Tracker shows an alert if more than two anti-malware products are installed on a client.

Alerts Tab This tab shows information about a session with an error. The Alerts tab only appears in the Request Details window when you access the Monitoring > Live Monitoring > Access Tracker page. Click a table row for a session that has an error to view the Alerts tab; for example, select a row where the Login Status column displays TIMEOUT or REJECT.
The following figure displays the Request Details - Configuration tab: Figure 14: Request Details - Configuration Tab Access Control Capabilities This page shows a summary view of the transaction, including policies that are applied and protocol-specific attributes. You can use the Access Control Capabilities page to view or change the access control type. The Access Control Capabilities page is displayed if you click the Change Status button in the Request Details screen.
The following table describes the Request Details - Access Control Capabilities page parameters:

Table 5: Request Details - Access Control Capabilities Page Parameters
Parameter | Description
Change Status | You can view or change to any of the following access control types:
- Agent - This control is available for a session where the endpoint has the OnGuard Agent installed.

Table 5: Request Details - Access Control Capabilities Page Parameters (Continued)
Parameter | Description
Server Type | Displays the server type configured when the server action was configured.
Action Description | Specifies the description of the action. For example, the description can be "Delete all information stored" if the configured action is Remote Wipe.
3. Click the Contains drop-down list and indicate whether the table should display data that contains or does not contain the text string in the adjacent field.
4. Enter an alphanumerical string into the filter text box.
5. Click Go.
RADIUS Accounting Record Details - Summary Tab The Accounting Record Details - Summary tab shows a summary view of the transaction including session IDs, timestamp, and network details for the RADIUS protocol.
Table 8: RADIUS Accounting Record Details Summary Tab Parameters (Continued)
Parameter | Description
Username | Username associated with this record.
Termination Cause | Specifies the reason for termination of this session.
Service Type | Shows the value of the standard RADIUS attribute Service-Type.
Network Details
NAS IP Address | Shows the IP address of the network device.
NAS Port Type | Shows the access method. For example, Ethernet or 802.11 Wireless.

Figure 19: RADIUS Accounting Record Details - Auth Sessions Tab

The following table describes the RADIUS Accounting Record Details - Auth Sessions parameters:

Table 9: RADIUS Accounting Record Details Auth Sessions Tab Parameters
Parameter | Description
Number of Authentication Sessions | Specifies the total number of authentications (always 1) and authorizations in this session.
Authentication Sessions Details
Session ID | Displays the Policy Manager session ID.
RADIUS Accounting Record Details - Utilization Tab This section describes the parameters of the Accounting Record Details - Utilization tab for the RADIUS protocol.
Table 10: RADIUS Accounting Record Details - Utilization Tab Parameters (Continued)
Parameter | Description
Account Output Octets | (continued from the previous page)
Account Input Packets / Account Output Packets | Specifies the packets sent and received from the device port during the session.

RADIUS Accounting Record Details - Details Tab This section describes the parameters of the Accounting Record Details - Details tab for the RADIUS protocol.

The following table describes the configuration parameters on the RADIUS Accounting Record Details - Details tab:

Table 11: RADIUS Accounting Record - Details Tab Parameters
Parameter | Description
Accounting Packet Details | Shows details of RADIUS attributes sent and received from the network device during an initial authentication and subsequent re-authentications (each section in the Details tab corresponds to a 'session' in Policy Manager).

The following table describes the configuration parameters on the TACACS+ Accounting Record - Request tab:

Table 12: TACACS+ Accounting Record Request Tab Parameters
Parameter | Description
Session ID | Specifies the Session ID, a unique ID associated with a request.
User Session ID | Specifies a session ID that correlates authentication, authorization, and accounting records.
Start and End Timestamp | Shows the start and end time of the session.
Username | Shows the username associated with this record.
TACACS+ Accounting Record Details - Auth Sessions Tab This section describes the parameters of the Accounting Record Details - Auth Sessions tab for the TACACS+ protocol.
TACACS+ Accounting Record Details - Details Tab This section describes the parameters of the Accounting Record Details - Details tab for the TACACS+ protocol.
Figure 25: OnGuard Activity Page

The following table describes the configuration parameters on the OnGuard Activity page:

Table 15: OnGuard Activity Parameters
Parameter | Description
User | Displays the name of the user.
Host MAC | Displays the MAC address of the host.
Host IP | Displays the IP address of the host.
Host OS | Displays the operating system that runs on the host.
Status | Displays the online status of the host. Green indicates online and red indicates offline.

To bounce an agent, click a row on the OnGuard Activity page. After clicking a row, the Agent and Endpoint details window opens. The following figure is an example of the Agent and Endpoint details screen: Figure 26: Agent and Endpoint Details

The following table describes the configuration parameters on the Agent and Endpoint details page:

Table 16: Agent and Endpoint Details Parameters
Parameter | Description
User | Displays the name of the user.
Host MAC | Displays the MAC address of the user.

Table 16: Agent and Endpoint Details Parameters (Continued)
Parameter | Description
Last Seen Health Status | Displays the health status of the endpoint. For example, QUARANTINED or HEALTHY.
Unhealthy Health Classes | Displays the health classes that are unhealthy. For example, AntiVirus and PatchAgent.
Description
Status | Displays the status of the endpoint.
Added by | Displays the server name.

Click Bounce and the Bounce Agents window opens.
Bouncing a Client Using SNMP This page is used to initiate a bounce operation using SNMP with wired Ethernet switches.

Requirements To bounce a client using SNMP successfully, the following conditions are mandatory:
- The network device must be added to Policy Manager, and SNMP read and write parameters must be configured.
- SNMP traps (link up and/or MAC notification) have to be enabled on the switch port.
Table 18: Bounce Client (Using SNMP) Page Parameters (Continued)
Parameter | Description
Description | Displays the description of the client.
Status | Displays the status of the client.
Added by | Displays the name of the user who added the client.

Broadcast Message After you click the Broadcast Message link on the top right of the OnGuard Activity page, a page appears that allows you to write and send a message to all active endpoints.

Figure 30: Send Notifications to Agents

The following table describes the configuration parameters on the Send Notifications to Agents page:

Table 20: Send Notifications to Agents Page Parameters
Parameter | Description
Display Message | Enter the message that needs to be sent to the active endpoints.
Web link for more details (Optional) | A clickable URL that is displayed along with the Display Message. This field is optional.

Figure 31: Analysis and Trending

Use the following components in the WebUI to customize and filter the Analysis and Trending page:
Component | Description
Select Server | Select a node from the cluster for which data will be displayed.
Update Now! | Click to update the display with the latest available data.
Customize This! | Click to customize the display by adding filters. You can add a maximum of 4 filters.
Toggle Chart Type | Click to toggle the chart display between line and bar type.
Figure 32: Endpoint Profiler Click a device in the table below the graphs to view endpoint details about a specific device. Select the Cancel button to return to the Endpoint Profiler page. Figure 33: Endpoint Profiler Details

Live Monitoring: System Monitor The System Monitor page has four tabs. Each tab provides one or more charts or graphs that give real-time information about various components. Auto refresh ensures that the System Monitor page is updated every 2 minutes.
time in the Last updated at field in the System Monitor page.
- System Monitor Tab on page 71
- Process Monitor Tab on page 71
- Network Tab on page 73
- ClearPass Tab on page 74

System Monitor Tab This tab displays charts and graphs that include information about CPU load and usage, memory usage, and disk usage. The System Monitor tab on the Monitoring > Live Monitoring > System Monitor page displays information about component usage and load.
- System monitor service
- Tacacs server
- Virtual IP service

Monitoring CPU Usage This graph shows the CPU usage over time, in percent. Figure 34: CPU Usage Graph Example

Monitoring Main Memory Usage This graph shows the main memory usage over time, in kilobytes. Figure 35: Main Memory Usage Graph Example

Network Tab This tab displays a graph of any selected network parameters, such as web traffic and SSH. The Network tab on the Monitoring > Live Monitoring > System Monitor page displays network activity (in bytes) for the following traffic types:
- OnGuard
- Database
- Web Traffic
- RADIUS
- TACACS
- SSH
- NTP

Figure 36: Network Monitor Tab Graph Example - Web Traffic

ClearPass Tab The ClearPass tab on the Monitoring > Live Monitoring > System Monitor page displays performance monitoring counters and timers for the last 30 minutes of activity for the following components:
- Service Categorization
- Authentication (RADIUS, TACACS, or WebAuth)
- Authorization
- Role Mapping
- Posture Evaluation
- Audit Scan
- Enforcement
- End to End request processing (RADIUS, TACACS, or WebAuth)
- Advanced
When
The following figure displays the Advanced components: Figure 37: System Monitoring - ClearPass Tab Audit Viewer The Audit Viewer table on the Monitoring > Audit Viewer page provides a dynamic report on actions, device name, category of policy component, user, and timestamp. Table 22 describes the information displayed in the Audit Viewer page.
Click any row in the audit viewer to display detailed information about the selected event. The content in the Audit Row Details window varies, depending upon type of event you select. l Add events: Click a row with the Add action type to display additional details that are specific to the new policy component. For example, if a TACACS enforcement profile is added, the Audit Row Details window displays detailed information about that profile.
Event Viewer The Event Viewer table on the Monitoring > Event Viewer page provides reports about system-level events. Table 24 describes the information displayed in this table. Figure 39: Event Viewer Page - Default Values The following table describes the Event Viewer parameters: Table 24: Event Viewer Page Parameters - Default Values Parameter Description Source Displays the source of the event. For example, AdminUI, RADIUS, or SnmpService.
5. Enter ERROR in the text field. 6. In the second Filter field, select Source as the Filter value. 7. Change the search field to equals. 8. Enter SYSMON in the text field. 9. Change the Show records value to 20. 10.Click Go. The following figure displays the Event Viewer report with custom values: Figure 40: Event Viewer Report Example - Custom Values Viewing Report Details Click a row in the Event Viewer page to display the System Event Details page.
The following table describes the System Event Details parameters:

Table 25: System Event Details Page Parameters
Parameter | Description
Source | Displays the source of the event. For example, AdminUI, RADIUS, and SnmpService.
Level | Displays the level of the event: INFO, WARN, or ERROR.
Category | Displays the category of the event. For example, Request, Authentication, and System.
Action | Displays the action of the event. For example, Success, Failed, Unknown, and None.
The following figure displays the Data Filters page:

Figure 42: Data Filters Page

The following table describes the configuration parameters on the Data Filters page:

Table 26: Data Filters Page Parameters
Parameter | Description
Name | Displays the name of the data filter.
Description | Displays the description of the data filter.

Adding a Filter

To add a filter, click the Add link in the top-right corner of the Data Filters page. Define a name and description for the filter on the Filter tab.
The following table describes the Filter tab parameters:

Table 27: Add Filter - Filter Tab Parameters
Parameter | Description
Name/Description | Specify a name and a description of the filter.
Configuration Type | Choose one of the following configuration types:
- Specify Custom SQL: Specify a custom SQL entry for the filter. If this is specified, the Rules tab disappears and a SQL template displays in the Custom SQL field. NOTE: This option is not recommended.
When you click Add Rule or Edit Rule, the Dashboard Filter rules editor window appears.

Figure 45: Dashboard Filters - Rules Editor

The following table describes the Dashboard Filters parameters:

Table 29: Dashboard Filters Configuration Parameters
Parameter | Description
Matches | ANY matches one of the configured conditions. ALL indicates to match all of the configured conditions.
Type | This indicates the namespace for the attribute.
limit or session duration limits were exceeded by each blacklisted user. To delete a user from this blacklist, select the user row and click Delete. After a user entry is removed from the blacklisted users table, the user is eligible to access the network again.

The following figure displays the Blacklisted Users page:

Figure 46: Blacklisted Users Page
Chapter 4 Configuration

All configuration tasks, including configuring servers, authenticating a user or device against an authentication source, storing user records, configuring posture policies, posture servers, and audit servers, configuring enforcement policies, and configuring Network Access Devices (NADs), are done from the Configuration menus.
- Network: The Network page provides options to configure the Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol.
Chapter 5 Services

The Policy Manager policy model groups policy components that serve a specific type of request into the Services page, which is at the top of the policy hierarchy.
The following figure displays the Service Templates page:

Figure 47: Service Templates page

The following service templates are supported when the High Capacity Guest (HCG) mode is enabled:
- ClearPass Admin Access (Active Directory)
- ClearPass Admin SSO Login (SAML SP Service)
- ClearPass Identity Provider (SAML IdP Service)
- Encrypted Wireless Access via 802.
- RADIUS Authorization
- RADIUS Enforcement
- RADIUS Proxy
- Dell Application Authentication
- Dell Application Authorization
- TACACS+ Enforcement
- Web-based Authentication
- Web-based Open Network Access

The following authentication methods are used in service templates in the HCG mode:
- PAP
- CHAP
- MSCHAP
- EAP_MD5
- MAC_AUTH
- AUTHORIZE
- EAP_PEAP_PUBLIC

Viewing Existing Services

You can view all configured services in a list or drill down to individual services in the S
Figure 49: Details for an individual service

Adding and Removing Services

You can modify the list of services on the Configuration > Services page by creating a new service or by modifying or deleting an existing service.
- Create a new service: In the Services page, click Add, then follow the configuration wizard by clicking Next as you complete each tab. To create a service template by copying an existing service, select the check box next to a service, then click Copy.
Figure 50: Add Service Page (all options enabled)

Table 30: Service Page (General Parameters)
Label | Description
Type | Select the desired service type from the drop-down list. When working with service rules, you can select from the following namespace dictionaries:
- Application: The type of application for this service.
- Authentication: The authentication method to be used for this service.
Table 30: Service Page (General Parameters) (Continued)
Label | Description
allow authentication and health validation exchanges to take place between the endpoint and Policy Manager, but without enforcement. In Monitor Mode, no enforcement profiles (and associated attributes) are sent to the network device. Policy Manager also allows Policy Simulation (Monitoring > Policy Simulation), where the administrator can test the results of a particular configuration of policy components.
with this request. To change the order in which service rules are processed, you can change the order of services.
1. To reorder services, navigate to the Configuration > Services page.
2. Click the Reorder button located on the lower-right portion of the page to open the Reorder Services page.

The following figures display the Services page and the Reorder Services page. Table 31 describes the configuration settings on this page.
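Service categorization is ordered: the first enabled service whose rules match a request wins, which is why service order matters and why the rules editor offers a Matches ANY / Matches ALL choice (see the Dashboard Filters table above). The following added example, which is not ClearPass code, implements that evaluation over a constructed RADIUS request; the namespaces, attribute names, service names, and operator labels are illustrative assumptions.

```python
"""Ordered, first-match service categorization with ANY/ALL rule conditions.

Added example, not ClearPass code: namespaces, attribute names, service names
and request values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def _belongs_to(actual: Optional[str], expected: str) -> bool:
    """BELONGS_TO: the value is one of a comma-separated list of values."""
    return actual is not None and actual in [v.strip() for v in expected.split(",")]


# Operators a rule condition may use (labels assumed for this example).
OPERATORS: Dict[str, Callable[[Optional[str], str], bool]] = {
    "EQUALS": lambda actual, expected: actual is not None and actual == expected,
    "NOT_EQUALS": lambda actual, expected: actual is not None and actual != expected,
    "CONTAINS": lambda actual, expected: actual is not None and expected in actual,
    "BELONGS_TO": _belongs_to,
    "EXISTS": lambda actual, expected: actual is not None,
}


@dataclass(frozen=True)
class Condition:
    """One row of the rules editor: Type (namespace), Name, Operator, Value."""
    namespace: str
    name: str
    operator: str
    value: str = ""

    def matches(self, request: Dict[str, str]) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        # Request attributes are keyed "Namespace:Name", e.g. "Radius:IETF:User-Name".
        actual = request.get(f"{self.namespace}:{self.name}")
        return OPERATORS[self.operator](actual, self.value)


@dataclass
class Service:
    name: str
    match: str  # "ANY" or "ALL", as offered by the rules editor
    conditions: List[Condition] = field(default_factory=list)
    enabled: bool = True

    def applies_to(self, request: Dict[str, str]) -> bool:
        # A disabled service, or one with no rules, never categorizes a request.
        if not self.enabled or not self.conditions:
            return False
        results = [c.matches(request) for c in self.conditions]
        return any(results) if self.match == "ANY" else all(results)


def categorize(services: List[Service], request: Dict[str, str]) -> Optional[str]:
    """Return the first enabled service (in list order) whose rules match,
    or None when no service matches and the request would be rejected."""
    for service in services:
        if service.applies_to(request):
            return service.name
    return None


def build_services() -> List[Service]:
    """Three constructed services, listed in the intended (correct) order."""
    radius = Condition("Connection", "Protocol", "EQUALS", "RADIUS")
    return [
        Service("Employee 802.1X Wireless", "ALL", [
            radius,
            Condition("Radius:IETF", "NAS-Port-Type", "EQUALS", "Wireless-802.11"),
            Condition("Radius:IETF", "Service-Type", "BELONGS_TO", "Login-User, Framed-User"),
        ]),
        Service("Printer MAC Auth", "ALL", [
            radius,
            Condition("Radius:IETF", "Service-Type", "EQUALS", "Call-Check"),
        ]),
        # Broad catch-all: matches every RADIUS request, so it must stay last.
        Service("Generic RADIUS catch-all", "ANY", [radius]),
    ]


# Constructed sample requests (not captured traffic).
WIRELESS_REQUEST = {
    "Connection:Protocol": "RADIUS",
    "Radius:IETF:NAS-Port-Type": "Wireless-802.11",
    "Radius:IETF:Service-Type": "Framed-User",
    "Radius:IETF:User-Name": "alice",
}
PRINTER_REQUEST = {
    "Connection:Protocol": "RADIUS",
    "Radius:IETF:NAS-Port-Type": "Ethernet",
    "Radius:IETF:Service-Type": "Call-Check",
    "Radius:IETF:User-Name": "001122334455",
}
TACACS_REQUEST = {"Connection:Protocol": "TACACS", "TACACS:User-Name": "netadmin"}


def demo_ordering():
    """Show the effect of moving the catch-all to the top of the list."""
    services = build_services()
    correct = categorize(services, WIRELESS_REQUEST)
    misordered = [services[2], services[0], services[1]]  # catch-all first
    shadowed = categorize(misordered, WIRELESS_REQUEST)
    return correct, shadowed  # ("Employee 802.1X Wireless", "Generic RADIUS catch-all")
```

A catch-all placed above a specific service silently shadows it, which is the situation the Reorder button exists to fix.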
Table 31: Reordering Services (Continued)
Label | Description
Template | Displays the name of the service template used to create the service.
Type | Displays the type of authentication used to create the service.
Description | Shows additional information about the service.
Status | Shows the status of the service: Enabled or Disabled.
Service Rule | Displays the rules used to create the service.

802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless

The 802.
Once you add a new service to the service template, the service denoted by the Name Prefix appears in the Select Prefix drop-down list. Selecting a prefix from the drop-down list populates the existing configuration for the service. Make your changes and click Edit Service to save them. To delete a service, select the appropriate service from the Select Prefix drop-down list and click Delete.
Table 32: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless Service Template Parameters (Continued)
Parameter | Description
Attribute Name | The attributes defined in the Authentication Source are listed here.
Table 32: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless Service Template Parameters (Continued)
Parameter | Description
Shared Secret | receive RADIUS requests.
Enable RADIUS CoA | Select to enable RADIUS-initiated CoA on the network device.
RADIUS CoA Port | Defaults to port 3799 when RADIUS CoA is enabled. Change this value only if you defined a custom port on the network device.
The following figure displays the Dell VPN Access with Posture Checks service template:

Figure 54: Dell VPN Access with Posture Checks Service Template

The following table describes the Dell VPN Access with Posture Checks service template parameters:

Table 33: Dell VPN Access with Posture Checks Service Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes.
Table 33: Dell VPN Access with Posture Checks Service Template Parameters (Continued)
Parameter | Description
Wireless controller name | Enter the name given to the wireless controller.
Controller IP Address | Enter the wireless controller's IP address.
Vendor Name | Select the manufacturer of the wireless controller.
RADIUS Shared Secret | Enter the shared secret that is configured on the controller and inside Policy Manager to send and receive RADIUS requests.
The following table describes the Aruba Auto Sign-On service template parameters:

Table 34: ClearPass Aruba Auto Sign-On Service Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes. This field populates the pre-configured information in the Authentication, SP Details, and Enforcement Details sections. The Name Prefix field is not editable.
Name Prefix | Enter a prefix that you want to append to services using this template.
Table 34: ClearPass Aruba Auto Sign-On Service Template Parameters (Continued)
Parameter | Description
SP Details
SP URL | Enter the Service Provider (SP) URL.
Attribute Name / Attribute Value | Enter attribute names and assign values to those names. These name/value pairs are included in SAML responses.

Certificate/Two-factor Authentication for ClearPass Application Login

This template is designed to allow administrators and operators to log in to CPPM using smart cards and TLS certificates.
Table 35: ClearPass Certificate/Two-factor Authentication Service Template Parameters (Continued)
Parameter | Description
Select Authentication Source | Select an authentication source from the list. The information in the Authentication, Enforcement Details, and SP Details tabs is auto-populated.
Active Directory Name | Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
Table 35: ClearPass Certificate/Two-factor Authentication Service Template Parameters (Continued)
Parameter | Description
Certificate Attribute (Super Admin Condition) | Select the certificate attribute from the drop-down list. Enter the value in the Super Admin Condition field that matches the Certificate Attribute value to grant super administrator access.
Certificate Attribute (Read Only Admin Condition) | Select the certificate attribute from the drop-down list.
Table 36: ClearPass Admin Access Service Template Parameters (Continued)
Parameter | Description
Source
Active Directory Name | Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
Description | Enter a description that helps to identify the characteristics of this template. This field is mandatory.
Server | Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
Identity | Enter the DN of the administrator account.
The following table describes the ClearPass Admin SSO Login service template parameters:

Table 37: ClearPass Admin SSO Login Service Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Service Rule tab. The Name Prefix field is not editable.
Name Prefix | Enter a prefix that you want to append to services using this template. Use this to identify services that use templates.
Table 38: ClearPass Identity Provider (SAML IdP Service) Service Template Parameters (Continued)
Parameter | Description
Active Directory Name | Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
Description | Enter a description that helps you to identify the characteristics of this template. This field is mandatory.
Server | Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
The following table describes the parameters used in the Device MAC Authentication service template:

Table 39: Device MAC Authentication Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Authentication and SP Details sections. The Name Prefix field is not editable.
Name Prefix | Enter a prefix that you want to append to services using this template.
You cannot view the EDUROAM service template if the HCG mode is enabled in the cluster.

The following figure displays the EDUROAM service template:

Figure 61: EDUROAM Service Template

The following table describes the parameters used in the EDUROAM service template:

Table 40: EDUROAM Service Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes.
Table 40: EDUROAM Service Template Parameters (Continued)
Parameter | Description
Base DN | Enter the DN of the administrator account. This field is mandatory.
Password | Enter the account password. This field is mandatory.
Port | Enter the TCP port on which the server is listening for a connection. This field is mandatory.
Wireless Network Settings
Select wireless controller | Select a wireless controller from the drop-down list.
Wireless controller name | Enter the name given to the wireless controller.
Encrypted Wireless Access via 802.1X Public PEAP method

This template is designed to provide encrypted wireless access to users using fixed 802.1X PEAP credentials. It configures an EAP PEAP Public type authentication method and creates an enforcement policy for network access.

The following figure displays the Encrypted Wireless Access via 802.1X Public PEAP method service template:

Figure 62: Encrypted Wireless Access via 802.
Table 41: Encrypted Wireless Access via 802.1X Public PEAP Method Service Template Parameters (Continued)
Parameter | Description
Public Password | Enter the password for the EAP PEAP Public type authentication method.
Access Restrictions
Days allowed for access | Select the days on which network access is allowed.

Guest Access Web Login

This service authenticates guests logging in using the Guest portal.
Guest Access

This template is designed for authenticating guest users who log in using the captive portal. Guests must reauthenticate after their session expires. Guest access can be restricted based on the day of the week, a bandwidth limit, and the number of unique devices used by the guest user.
Table 43: Guest Access Service Template Parameters (Continued)
Parameter | Description
RADIUS CoA Port | Defaults to port 3799 when RADIUS CoA is enabled. Change this value only if you defined a custom port on the network device.
Posture Settings
Enable Posture Checks | Select the check box to perform health checks after authentication. This enables the Host Operating System and Quarantine Message fields.
Host Operating System | Select the operating system: Windows, Linux, or Mac OS X.
The following table describes the Guest MAC Authentication service template parameters:

Table 44: Guest MAC Authentication Service Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Wireless Network Settings, MAC Caching Settings, and Guest Access Restrictions tabs. The Name Prefix field is not editable.
Name Prefix | Enter a prefix that you want to append to services using this template.
Table 44: Guest MAC Authentication Service Template Parameters (Continued)
Parameter | Description
Checks Operating System and Quarantine Message fields.
Host Operating System | Select the operating system: Windows, Linux, or Mac OS X.
Quarantine Message | Specify the quarantine message that will appear on the client.
Initial Role/VLAN | Enter the initial role of the client before posture checks are performed.
Quarantine Role/VLAN | Enter the role of clients that fail posture checks.
The following figure displays the Guest Social Media Authentication service template:

Figure 66: Guest Social Media Authentication Service Template

The following table describes the Guest Social Media Authentication service template parameters:

Table 45: Guest Social Media Service Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes.
Table 45: Guest Social Media Service Template Parameters (Continued)
Parameter | Description
Social login Provider | Select the social media network: Google, Facebook, LinkedIn, or Twitter.
Days allowed for access | Select the days on which guest users are allowed network access.
Maximum bandwidth allowed per user | Enter the maximum amount of data, in megabytes, that a user is allowed per day.
You cannot view the Onboard service template if the High Capacity Guest mode is enabled in the cluster.

The following figure displays the Onboard Authorization service template:

Figure 68: Onboard Authorization Service Template

The following table describes the Onboard Authorization service template parameters:

Table 47: Onboard Authorization Service Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes.
Table 47: Onboard Authorization Service Template Parameters (Continued)
Parameter | Description
Device Access Restrictions
Days allowed for access | Select the days on which the guest users are allowed network access.
Provisioning Wireless Network Settings
Wireless SSID for Onboard Provisioning | Enter the SSID of your network.
Add new Onboard Network settings | Click the Add new Onboard Network settings link to launch the Web UI and modify the Onboard Network settings.
The following figure displays the User Authentication with MAC Caching service template:

Figure 69: User Authentication with MAC Caching Service Template

The following table describes the User Authentication with MAC Caching service template parameters:

Table 48: User Authentication with MAC Caching Service Template Parameters
Parameter | Description
General
Select Prefix | Select a prefix from the existing list of prefixes.
Table 48: User Authentication with MAC Caching Service Template Parameters (Continued)
Parameter | Description
MAC Caching Settings
Cache duration for Employee | Select how long the MAC account remains valid for the Employee role: One day, One week, One month, or Six months. After this period, the guest must re-authenticate using the captive portal.
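The guest templates above combine several independent checks on one login: the Blacklisted Users list (users who exceeded a bandwidth or session limit stay blocked until an administrator deletes the entry), the days allowed for access, the per-day bandwidth limit, and the MAC cache duration after which a captive-portal re-authentication is required. The following added example, which is not ClearPass code, evaluates those checks in that order over a constructed scenario; the role names, limits, and the 30- and 182-day approximations of "One month" and "Six months" are assumptions.

```python
"""Guest access decision: blacklist, day-of-week, MAC cache validity, and a
per-day bandwidth quota that feeds the blacklist.

Added example, not ClearPass code; all names, limits and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Set

# Labels offered by the MAC Caching Settings, mapped to durations.
# "One month" and "Six months" are approximated (assumption for this example).
CACHE_DURATIONS = {
    "One day": timedelta(days=1),
    "One week": timedelta(weeks=1),
    "One month": timedelta(days=30),
    "Six months": timedelta(days=182),
}
DAY_NAMES = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")


@dataclass(frozen=True)
class MacCacheEntry:
    mac: str
    role: str          # role assigned at captive-portal login, e.g. "Guest"
    cached_at: datetime


@dataclass
class GuestPolicy:
    days_allowed: Set[str]            # "Days allowed for access"
    max_mb_per_day: int               # "Maximum bandwidth allowed per user"
    cache_duration: Dict[str, str]    # role -> label from CACHE_DURATIONS


@dataclass
class GuestAccessState:
    """Server-side state: blacklist, today's usage counters, and the MAC cache.
    Usage counters are kept for a single day in this example (no midnight reset)."""
    blacklist: Set[str] = field(default_factory=set)
    mb_used_today: Dict[str, int] = field(default_factory=dict)
    mac_cache: Dict[str, MacCacheEntry] = field(default_factory=dict)

    def cache_mac(self, mac: str, role: str, now: datetime) -> None:
        """Called after a successful captive-portal login."""
        self.mac_cache[mac] = MacCacheEntry(mac, role, now)

    def record_usage(self, user: str, mb: int, policy: GuestPolicy) -> int:
        """Accounting update; exceeding the daily quota blacklists the user."""
        total = self.mb_used_today.get(user, 0) + mb
        self.mb_used_today[user] = total
        if total > policy.max_mb_per_day:
            self.blacklist.add(user)
        return total

    def delete_blacklist_entry(self, user: str) -> None:
        """The Delete action on the Blacklisted Users page."""
        self.blacklist.discard(user)


@dataclass(frozen=True)
class Decision:
    action: str   # "ACCEPT", "REAUTH" (send to captive portal) or "REJECT"
    reason: str


def evaluate(policy: GuestPolicy, state: GuestAccessState,
             user: str, mac: str, now: datetime) -> Decision:
    """Decide a MAC-auth request from a returning guest device."""
    if user in state.blacklist:
        return Decision("REJECT", "user is blacklisted; delete the entry to restore access")
    if DAY_NAMES[now.weekday()] not in policy.days_allowed:
        return Decision("REJECT", f"access not allowed on {DAY_NAMES[now.weekday()]}")
    entry = state.mac_cache.get(mac)
    if entry is None:
        return Decision("REAUTH", "no cached MAC; captive-portal login required")
    max_age = CACHE_DURATIONS[policy.cache_duration[entry.role]]
    if now - entry.cached_at > max_age:
        del state.mac_cache[mac]   # expired entries are purged, not reused
        return Decision("REAUTH", f"MAC cache older than {policy.cache_duration[entry.role]}")
    return Decision("ACCEPT", f"cached MAC valid for role {entry.role}")


def demo() -> list:
    """Walk one constructed guest through the checks; returns the action sequence."""
    policy = GuestPolicy(days_allowed={"Monday", "Tuesday", "Wednesday", "Thursday", "Friday"},
                         max_mb_per_day=500,
                         cache_duration={"Guest": "One day", "Employee": "One week"})
    state = GuestAccessState()
    wed = datetime(2015, 6, 3, 9, 0)          # a Wednesday (constructed)
    mac, user = "00:11:22:33:44:55", "alice"
    actions = [evaluate(policy, state, user, mac, wed).action]               # REAUTH
    state.cache_mac(mac, "Guest", wed)                                        # portal login
    actions.append(evaluate(policy, state, user, mac, wed + timedelta(hours=1)).action)  # ACCEPT
    state.record_usage(user, 600, policy)                                    # quota exceeded
    actions.append(evaluate(policy, state, user, mac, wed + timedelta(hours=2)).action)  # REJECT
    state.delete_blacklist_entry(user)                                        # admin deletes row
    actions.append(evaluate(policy, state, user, mac, wed + timedelta(hours=3)).action)  # ACCEPT
    actions.append(evaluate(policy, state, user, mac, wed + timedelta(days=3)).action)   # Saturday: REJECT
    actions.append(evaluate(policy, state, user, mac, wed + timedelta(hours=25)).action) # cache expired: REAUTH
    return actions
```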
Policy Manager Service Types

The following service types are available in Policy Manager:
- Dell 802.1X Wireless on page 122
- 802.1X Wireless on page 133
- 802.1X Wired on page 134
- MAC Authentication on page 134
- Web-based Authentication on page 135
- Web-based Health Check Only on page 136
- Web-based Open Network Access on page 137
- 802.1X Wireless - Identity Only on page 138
- 802.
The following figure displays the Dell 802.1X Wireless service configuration fields:

Figure 70: Dell 802.1X Wireless Service

Service Tab

The Service tab includes basic information about the service. The Service Rules section defines a set of criteria that supplicants must match to trigger the service. Some service templates have one or more rules predefined. You can click a service rule to modify any of its options.

The following figure displays the Service tab:

Figure 71: Dell 802.
The following table describes the Service tab parameters:

Table 49: Dell 802.1X Wireless Service - Service Tab Parameters
Parameter | Description
Type | Select a service from the drop-down list that defines what type of service can be configured.
Name | Enter the name of the service.
Description | Provide additional information that helps to identify the service.
Monitor Mode | Check this box to exclude enforcement.
More Options | Check these boxes to access the additional configuration tabs.
Authentication Tab

The Authentication tab contains options for configuring authentication methods and authentication sources.

The following figure displays the Authentication tab:

Figure 72: Dell 802.1X Wireless Service - Authentication Tab
The following table describes the Authentication tab parameters:

Table 50: Dell 802.1X Wireless Service - Authentication Tab Parameters
Parameter | Description
Authentication Methods | Select authentication methods using the Select to Add field. The methods used for this service depend on the 802.1X supplicants and the type of authentication methods you choose to deploy. Policy Manager automatically selects the appropriate method for authentication when a user attempts to connect.
The following figure displays the Authorization tab:

Figure 73: Dell 802.1X Wireless Service - Authorization Tab

The following table describes the Authorization tab parameters:

Table 51: Dell 802.1X Wireless Service - Authorization Tab Parameters
Parameter | Description
Authentication Source | Displays the authorization sources from which role mapping attributes are fetched for each authentication source.
Attributes Fetched From | Displays the source of attributes.
The following table describes the Roles tab parameters:

Table 52: Dell 802.1X Wireless Service - Roles Tab Parameters
Parameter | Description
Role Mapping Policy | Policy Manager ships with a number of preconfigured roles. Select a role mapping policy from the drop-down list. NOTE: A service can be configured without a role mapping policy, but only one role mapping policy can be configured for each service.
The following table describes the Posture tab parameters:

Table 53: Dell 802.1X Wireless Service - Posture Tab Parameters
Parameter | Description
Posture Policies
Posture Policies | Select the posture policy from the Select to Add drop-down list. If you do not have any pre-configured posture policies, click Add new Posture Policy to create a new posture policy. Only NAP agent type posture policies are applicable for this service.
The following table describes the Enforcement tab parameters:

Table 54: Dell 802.1X Wireless Service - Enforcement Tab Parameters
Parameter | Description
Use Cached Results | Select this check box to use cached roles and posture attributes from previous sessions.
Enforcement Policy | Select the pre-configured enforcement policy from the drop-down list. This is mandatory. If you do not have any pre-configured enforcement policies, click Add new Enforcement Policy to create a new enforcement policy.
The following table describes the Audit tab parameters:

Table 55: Dell 802.1X Wireless Service - Audit Tab Parameters
Parameter | Description
Audit Server | Select the audit server from the following options:
- Nessus Server: Interfaces with Policy Manager primarily to perform vulnerability scanning.
- Nmap Audit: Performs specific audit functions.
You can click the View Details button to view the Policy Manager Entity Details pop-up with the summary of audit server details.
The following table describes the Profiler tab parameters:

Table 56: Dell 802.1X Wireless Service - Profiler Tab Parameters
Parameter | Description
Endpoint Classification | Select one or more endpoint classification items from the drop-down list.
RADIUS CoA Action | Select the RADIUS CoA action from the drop-down list. Click the View Details button to view the Policy Manager Entity Details page with the summary of enforcement profile details.
Table 57: Dell 802.1X Wireless Service - Accounting Proxy Tab Parameters (Continued)
Parameter | Description
Type | Select the RADIUS attribute type from the drop-down list.
Name | Select the name of the RADIUS attribute from the drop-down list.
Value | Select the value (parameter, static, or role) from the drop-down list. The values displayed here depend on the name of the RADIUS attribute selected.
Posture checks are not performed if the High Capacity Guest mode is enabled in the cluster.

The following figure displays the 802.1X Wireless service configuration page:

Figure 81: 802.1X Wireless Service

If you want to administer the same set of policies for wired and wireless access, you can combine the service rules to define a single service.
MAC authentication request to Policy Manager. Policy Manager can look up the client in a white list or a black list, authenticate and authorize the client against an external authentication/authorization source, and optionally perform an audit on the client. You cannot configure posture for this type of service.

The following figure displays the MAC Authentication service:

Figure 83: MAC Authentication Service

The Posture tab is not available for the MAC-based authentication service.
Figure 84: Web-based Authentication Service

The Audit End-hosts and Profile Endpoints options are not available for the Web-based Authentication service. Configuring the Web-based Authentication service for guests or agentless hosts is similar to configuring the Dell 802.1X Wireless service. For more information on configuration tabs, see Dell 802.1X Wireless on page 122.
The following figure displays the Web-Based Health Check Only service:

Figure 85: Web-Based Health Check Only Service

For more information on configuration tabs, see Dell 802.1X Wireless on page 122.

Web-based Open Network Access

Configuration for this service is the same as for the Web-based Authentication service, except that a health check is not performed on the endpoints. A Terms of Service page (as configured on the Dell Networking W-ClearPass Policy Manager Guest Portal page) is presented to the user.
For more information on configuration tabs, see Dell 802.1X Wireless on page 122.

802.1X Wireless - Identity Only

Configuration for this type of service is the same as for the Dell 802.1X Wireless service, except that Posture and Audit policies are not configurable when you use this template. For more information, see 802.1X Wireless on page 133.

The following figure displays the 802.1X Wireless - Identity Only service:

Figure 87: 802.1X Wireless - Identity Only Service

802.
standard RADIUS dictionaries, or through other dictionaries imported into Policy Manager).

The following figure displays the RADIUS Enforcement (Generic) service:

Figure 89: RADIUS Enforcement (Generic) Service

Configuring a service for RADIUS requests is similar to configuring the Dell 802.1X Wireless service. For more information on configuration tabs, see Dell 802.1X Wireless on page 122.
The following figure displays the RADIUS Proxy service:

Figure 90: RADIUS Proxy Service

For more information, see RADIUS Enforcement (Generic) on page 138.

RADIUS Authorization

Configure the RADIUS Authorization service type for services that perform authorization using RADIUS. When this service is selected, the Authorization tab is enabled by default.
TACACS+ Enforcement

Configure the TACACS+ Enforcement service for any kind of TACACS+ request. TACACS+ users can be authenticated against any of the supported authentication source types: Local DB, SQL DB, Active Directory, LDAP Directory, or Token Servers with a RADIUS interface. Similarly, service-level authorization sources can be specified from the Authorization tab. Note that this tab is not enabled by default. Select the Authorization check box from More Options on the Service tab to enable this tab.
Figure 93: Dell W-Series Application Authentication

Configuring the Dell W-Series Application Authentication service is similar to configuring the Dell 802.1X Wireless service, except that the Posture Compliance, Audit End-hosts, and Profile Endpoints options are not available. For more information on configuration tabs, see Dell 802.1X Wireless on page 122.
Cisco Web Authentication Proxy

This service is a web-based authentication service for guests or agent-less hosts. The Cisco switch hosts a captive portal and the portal web page that collects username and password information. Subsequently, the switch sends a RADIUS request in the form of a Password Authentication Protocol (PAP) authentication request to Policy Manager. By default, this service uses the PAP authentication method.
Chapter 6 Authentication and Authorization

As a first step in service-based processing, Policy Manager uses an authentication method to authenticate the user or device against an authentication source. After the user or device is authenticated, Policy Manager fetches attributes for role mapping policies from the authorization sources associated with this authentication source.
The following figure displays the Add Authentication Method page:

Figure 96: Add Authentication Method Page

The EAP-MD5 authentication type is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode (Administration > Server Manager > Server Configuration > FIPS tab).
Authorize Authentication Method

This is an authorization-only method that you can add with a custom name. The General tab labels the authentication method and defines session details.

The following figure displays the Authorize - General tab:

Figure 97: Add Authentication - General Tab

The following table describes the Authorize General parameters:

Table 58: Authorize General Tab Parameters
Parameter | Description
Name | Specify the label of the authentication method.
The EAP-MD5 authentication type is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode (Administration > Server Manager > Server Configuration > FIPS tab).

The following figure is an example of the General tab for the CHAP authentication method:

Figure 98: General Tab (CHAP)

The following table describes the CHAP and EAP-MD5 - General parameters:

Table 59: CHAP and EAP-MD5 - General Tab Parameters
Parameter | Description
Name | Specify the name of the authentication method.
Figure 99: EAP-FAST - General Tab

Table 60: EAP_FAST - General Tab Parameters
Parameter | Description
Name | Specify the name of the authentication method.
Description | Provide additional information that helps to identify the authentication method.
Type | Select the type of authentication. In this context, select EAP_FAST.
Session Resumption | Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval.
Inner Methods Tab

The Inner Methods tab controls the inner methods for the EAP-FAST method.

The following figure displays the EAP-FAST - Inner Methods tab:

Figure 100: EAP-FAST Add Authentication Method - Inner Methods Tab

The EAP-MD5 authentication method is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode (Administration > Server Manager > Server Configuration > FIPS tab).
PACs Tab

The PACs tab enables or disables Protected Access Credential (PAC) types.

The following figure displays the EAP-FAST - PACs tab:

Figure 101: EAP_FAST PACs Tab

PAC Provisioning Tab

The PAC Provisioning tab controls anonymous and authenticated modes.

The following figure displays the EAP-FAST - PAC Provisioning tab:

Figure 102: EAP_FAST PAC Provisioning Tab
Table 62: EAP_FAST PAC Provisioning Tab Parameters
Parameter | Description | Considerations
In-Band PAC Provisioning
Allow anonymous mode | When in anonymous mode, phase 0 of EAP_FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication. After an outer tunnel is established, the end-host and Policy Manager perform mutual authentication using MSCHAPv2, then Policy Manager provisions the end-host with an appropriate PAC (tunnel or machine). | Not as secure as the authenticated mode.
The following figure displays the EAP-GTC - General tab:

Figure 103: EAP-GTC - General Tab

The following table describes the EAP-GTC General parameters:

Table 63: EAP-GTC General Tab Parameters
Parameter | Description
Name | Specify the name of the authentication method.
Description | Provide additional information that helps to identify the authentication method.
Type | Select the type of authentication. In this context, select EAP-GTC.
Method Details
Challenge | Specify an optional password.
EAP-MSCHAPv2

The EAP-MSCHAPv2 method contains the General tab, which labels the method and defines session details.

The following figure is an example of the EAP-MSCHAPv2 - General tab:

Figure 104: EAP-MSCHAPv2 - General Tab

The following table describes the EAP-MSCHAPv2 - General parameters:

Table 64: EAP-MSCHAPv2 - General Tab Parameters
Parameter | Description
Name | Specify the name of the authentication method.
The EAP-PEAP authentication method contains the following two tabs:
- General Tab on page 155
- Inner Methods Tab on page 156

General Tab

The General tab labels the authentication method and defines session details.

The following figure is an example of the EAP-PEAP General tab:

Figure 105: EAP-PEAP - General Tab

The following table describes the EAP-PEAP - General parameters:

Table 65: EAP-PEAP - General Tab Parameters
Parameter | Description
Name | Specify the name of the authentication method.
Table 65: EAP-PEAP - General Tab Parameters (Continued)
Session Resumption: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval. If the session timeout value is set to 0, the cached sessions are not purged.
The following table describes the EAP-PEAP - Inner Methods parameters:
Table 66: EAP-PEAP - Inner Methods Tab Parameters
Specify inner authentication methods in the preferred order: Select any method available in the current context from the drop-down list. Functions available in this tab include:
- To append an inner method to the displayed list, select it from the Select a method drop-down list.
General
The General tab labels the authentication method and defines session details. The following figure is an example of the EAP-PEAP-Public - General tab:
Figure 107: EAP-PEAP-Public - General Tab
The following table describes the EAP-PEAP-Public - General parameters:
Table 67: EAP-PEAP-Public - General Tab Parameters
Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Table 67: EAP-PEAP-Public - General Tab Parameters (Continued)
Fast Reconnect: Enable this check box to allow fast reconnect. When fast reconnect is enabled, the inner method that happens inside the server-authenticated outer tunnel is also bypassed. This makes the process of re-authentication faster. For fast reconnect to work, session resumption must be enabled.
Public Username: Enter the Guest username. In this context, enter 'public'.
Table 68: EAP-PEAP-Public - Inner Methods Tab Parameters
Specify inner authentication methods in the preferred order: Select the inner authentication method available from the drop-down list. In this context, only the EAP-MSCHAPv2 method is available. The following functions are available in this tab:
- To append an inner method to the displayed list, select it from the drop-down list.
The following table describes the EAP-PWD - General parameters:
Table 69: EAP-PWD - General Tab Parameters
Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Specify the type of authentication. In this context, select EAP-PWD.
Method Details
Group: Select the group from the drop-down list.
Figure 110: EAP-TLS - General Tab
The following table describes the EAP-TLS - General parameters:
Table 70: EAP-TLS - General Tab Parameters
Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Specify the type of authentication. In this context, select EAP-TLS.
Table 70: EAP-TLS - General Tab Parameters (Continued)
- To skip the certificate comparison, choose Do not compare.
- To compare specific attributes, choose Compare Common Name (CN), Compare Subject Alternate Name (SAN), or Compare CN or SAN.
- To perform a binary comparison of the stored certificate (in the client record in Active Directory or another LDAP-compliant directory) and the presented certificate, choose Compare Binary.
General Tab
The General tab labels the method and defines session details. The following figure is an example of the EAP-TTLS - General tab:
Figure 111: EAP-TTLS - General Tab
The following table describes the EAP-TTLS - General parameters:
Table 71: EAP-TTLS - General Tab Parameters
Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication.
Inner Methods Tab
The Inner Methods tab controls the inner methods for the EAP-TTLS method. The following figure is an example of the EAP-TTLS - Inner Methods tab:
Figure 112: EAP-TTLS - Inner Methods Tab
The following table describes the EAP-TTLS - Inner Methods parameters:
Table 72: EAP-TTLS - Inner Methods Tab Parameters
Specify inner authentication methods in the preferred order: Select any method available in the current context from the drop-down list.
MAC-AUTH
The MAC-AUTH method contains the General tab, which labels the authentication method and defines session details. The following figure is an example of the MAC-AUTH - General tab:
Figure 113: MAC-AUTH - General Tab
The following table describes the MAC-AUTH - General parameters:
Table 73: MAC-AUTH - General Tab Parameters
General
Name: Specify the name of the authentication method.
The following figure is an example of the MSCHAP - General tab:
Figure 114: MSCHAP - General Tab
The following table describes the MSCHAP - General parameters:
Table 74: MSCHAP - General Tab Parameters
Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select MSCHAP.
The following figure is an example of the PAP - General tab:
Figure 115: PAP - General Tab
The following table describes the PAP - General parameters:
Table 75: PAP - General Tab Parameters
Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select PAP.
Table 75: PAP - General Tab Parameters (Continued)
Method Details
Encryption Scheme: Select the PAP authentication encryption scheme from the drop-down list. The following encryption schemes are supported:
- Clear
- Crypt
- MD5
- SHA1
- SHA256
- NT Hash
- LM Hash
- Aruba-SSO
NOTE: The MD5 encryption scheme is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode (Administration > Server Manager > Server Configuration > FIPS tab).
Figure 117: Add Authentication Source Page
You can configure the following authentication sources:
- Generic LDAP and Active Directory
- Generic SQL DB
- HTTP
- Kerberos
- Okta
- RADIUS Server
- Static Host List
- Token Server
Generic LDAP and Active Directory
Policy Manager can perform NTLM/MSCHAPv2, PAP/GTC, and certificate-based authentications against Microsoft Active Directory and against any LDAP-compliant directory, for example Novell eDirectory, OpenLDAP, or Sun Directory Server.
Figure 118: Generic LDAP or Active Directory - General Tab
The following table describes the Generic LDAP or Active Directory - General parameters:
Table 76: Generic LDAP or Active Directory - General Tab Parameters
Name: Specify the name of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of authentication source. In this context, select Generic LDAP or Active Directory.
Table 76: Generic LDAP or Active Directory - General Tab Parameters (Continued)
Server Timeout: Specifies the duration in seconds that Policy Manager waits before considering this server unreachable. If multiple backup servers are available, this value is the duration in seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers, in the order in which they are configured.
The following table describes the Generic LDAP or Active Directory - Primary parameters:
Table 77: Generic LDAP or Active Directory - Primary Tab Parameters
Hostname: Specify the hostname or the IP address of the LDAP or Active Directory server.
Connection Security:
- Select None for the default non-secure connection (usually port 389).
- Select StartTLS for a secure connection that is negotiated over the standard LDAP port.
Table 77: Generic LDAP or Active Directory - Primary Tab Parameters (Continued)
Bind User: Enable this check box to authenticate users by performing a bind operation on the directory using the credentials (user name and password) obtained during authentication. For clients to be authenticated by using the LDAP bind method, Policy Manager must receive the password in cleartext.
Figure 120: Active Directory Attributes Tab (with Default Data)
Figure 121: Generic LDAP Directory - Attributes Tab
The following table describes the AD/LDAP Attributes Tab - Filter Listing Screen parameters:
Table 78: AD/LDAP Attributes Tab - Filter Listing Screen Parameters
Filter Name: Specify the name of the filter.
Attribute Name: Specify the name of the LDAP/AD attributes defined for this filter.
The following table describes the available directories:
Table 79: AD/LDAP Default Filters
Active Directory
- Authentication: This filter is used for authentication. The query searches in the objectClass of type user. This query finds both user and machine accounts in Active Directory:
(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))
After a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
Table 79: AD/LDAP Default Filters (Continued)
Add More Filters
This query fetches all group records (of objectClass groupOfNames) where the member field contains the DN of the user record (UserDN, which is populated after the authentication filter query is executed). The attribute fetched with this filter query is cn, which is the name of the group (this is aliased to a more readable name: groupName).
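As an added example (not ClearPass code), the following Python expands the default authentication filter above and a group filter of the kind the table describes by substituting the session values, escaping each substituted value as RFC 4515 requires so that a username containing filter metacharacters cannot change the query's meaning. The GROUP_FILTER text is an assumption about how the described groupOfNames/member query is written, since this excerpt does not reproduce it.

```python
"""Expand ClearPass-style %{...} placeholders in LDAP filters with RFC 4515 escaping.

Added example, not part of the ClearPass product or documentation.
"""
import re

# Characters that must be escaped inside an LDAP filter assertion value (RFC 4515, section 3).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Default Active Directory authentication filter as shown in Table 79.
AUTH_FILTER = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"

# Assumed form of the group filter the table describes: group records of objectClass
# groupOfNames whose member attribute contains the user's DN (UserDN).
GROUP_FILTER = "(&(objectClass=groupOfNames)(member=%{UserDN}))"

# Placeholders look like %{Authentication:Username} or %{UserDN}.
_PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9:_-]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed inside an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, session: dict) -> str:
    """Replace every %{key} in the template with the escaped session value for key.

    Raises KeyError when the session does not carry a value for a placeholder, so a
    filter is never sent with an empty assertion such as (sAMAccountName=).
    """
    def _substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in session:
            raise KeyError(f"no session value for %{{{key}}}")
        return escape_filter_value(session[key])

    return _PLACEHOLDER.sub(_substitute, template)


if __name__ == "__main__":
    # Constructed sample session values, as populated after a request arrives.
    session = {
        "Authentication:Username": "jdoe",
        "UserDN": "CN=Doe\\, John,OU=Users,DC=example,DC=com",
    }
    print(expand_filter(AUTH_FILTER, session))
    print(expand_filter(GROUP_FILTER, session))
    # A username carrying filter metacharacters is neutralised by the escaping.
    print(expand_filter(AUTH_FILTER, {"Authentication:Username": "a*b)(x"}))
```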
Filter Tab
The Filter tab provides an LDAP browser interface to define the filter search query. You can define the attributes used in the filter query using this interface. The following image is an example of the AD/LDAP Create Filter Page - Filter tab:
Figure 123: AD/LDAP Create Filter Page - Filter Tab
Policy Manager is pre-configured with filters and selected attributes for Active Directory and generic LDAP directories.
The following table describes the Configure Filter Page - Filter tab parameters:
Table 81: Configure Filter Page - Filter Tab Parameters
Find Node: Find a node by entering the DN and clicking the Go button.
Select the attributes for filter: This table has a name and a value column. You can enter the attribute name in the following two ways:
- By selecting a node, inspecting the attributes, and then manually entering the attribute name by clicking on Click to add... in the table row.
The following figure displays the AD/LDAP Configure Filter - Attributes tab:
Figure 124: AD/LDAP Configure Filter - Attributes Tab
The following table describes the AD/LDAP Configure Filter Page - Attributes tab parameters:
Table 82: AD/LDAP Configure Filter Page - Attributes Tab Parameters
Enter values for parameters: Policy Manager parses the filter query (created in the Filter tab and shown at the top of the Attributes tab) and prompts to enter the values for all dynamic session
Configuration Tab
The Configuration tab shows the filter and attributes configured in the Filter and Attributes tabs respectively. From this tab, you can also manually edit the filter query and the attributes to be fetched. The following figure displays the Configure Filter - Configuration tab:
Figure 125: Configure Filter Popup - Configuration Tab
Modify Default Filters
When you add a new authentication source of type Active Directory or LDAP, a few default filters and attributes are populated.
The attributes that are defined for the authentication source display as attributes in the role mapping policy rules editor under the authorization source namespace. On the Role Mappings - Rules Editor page, the operator values that display are based on the Data type specified here. For example, if you modify the Active Directory department attribute to be an integer rather than a string, then the list of operator values is populated with values that are specific to integers.
General Tab
The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the Generic SQL DB - General tab:
Figure 128: Generic SQL DB - General Tab
The following table describes the Generic SQL DB - General parameters:
Table 83: Generic SQL DB - General Tab Parameters
Name: Specify the name of the authentication source.
Table 83: Generic SQL DB - General Tab Parameters (Continued)
Authorization Sources: Specify additional sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list and click Add to add it to the list of authorization sources. Click Remove to remove the authorization source from the list.
The following table describes the Generic SQL DB - Primary parameters:
Table 84: Generic SQL DB - Primary Tab Parameters
Server Name: Enter the hostname or IP address of the database server.
Port: (Optional) Specify a port value to override the default port.
Database Name: Enter the name of the database from which records can be retrieved.
Login Username: Enter the name of the user used to log into the database.
Figure 130: Generic SQL DB - Attributes Tab
The following table describes the Generic SQL DB - Attributes (Filter List) parameters:
Table 85: Generic SQL DB - Attributes Tab (Filter List) Parameters
Filter Name: Specifies the name of the filter.
Attribute Name: Specifies the name of the SQL DB attributes defined for this filter.
Alias Name: Specifies an alias name for each attribute name selected for the filter.
The following table describes the Generic SQL DB - Configure Filter parameters:
Table 86: Generic SQL DB Configure Filter Page Parameters
Filter Name: Enter the name of the filter.
Filter Query: Specify an SQL query to fetch the attributes from the user or device record in the DB.
Name: Specify the name of the attribute.
Alias Name: Specify the alias name for the attribute. By default, this is the same as the attribute name.
- Summary Tab on page 193
General Tab
The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the HTTP - General tab:
Figure 133: HTTP - General Tab
The following table describes the HTTP - General tab parameters:
Table 87: HTTP - General Tab Parameters
Name: Specify the name of the authentication source.
Table 87: HTTP - General Tab Parameters (Continued)
Use for Authorization: Enable this option to request Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source if the Use for Authorization field is enabled. This check box is enabled by default.
The following table describes the HTTP - Primary tab parameters:
Table 88: HTTP - Primary Tab Parameters
Base URL: Enter the base URL (host name) or IP address of the HTTP server. For example, http:// or :xxxx, where xxxx is the port to access the HTTP Server.
Login Username: Enter the name of the user used to log into the database. This account must have read access to all the attributes that need to be retrieved by the specified filters.
Add More Filters
The Configure Filter page defines a filter query and the related attributes to be fetched from the SQL DB store. The following figure displays the HTTP Filter Configure page:
Figure 136: HTTP Filter Configure Page
The following table describes the HTTP Configure Filter parameters:
Table 90: HTTP Configure Filter Page Parameters
Filter Name: Displays the name of the selected filter.
Summary Tab
You can use the Summary tab to view configured parameters. The following figure is an example of the HTTP - Summary tab:
Figure 137: HTTP - Summary Tab
Kerberos
Policy Manager can perform standard PAP/GTC or tunneled PAP/GTC (for example, EAP-PEAP[EAP-GTC]) authentication against any Kerberos 5 compliant server, such as a Microsoft Active Directory server. It is mandatory to pair this source type with an authorization source (identity store) containing user records.
General Tab
The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the Kerberos - General tab:
Figure 138: Kerberos - General Tab
The following table describes the Kerberos - General parameters:
Table 91: Kerberos - General Tab Parameters
Name: Specify the name of the authentication source.
Table 91: Kerberos - General Tab Parameters (Continued)
Use for Authorization: Disable in this context.
Authorization Sources: Specify one or more authorization sources from which role mapping attributes are to be fetched. Select a previously configured authentication source from the drop-down list and click Add to add it to the list of authorization sources. Click Remove to remove the selected authentication source from the list.
The following table describes the Kerberos - Primary parameters:
Table 92: Kerberos - Primary Tab Parameters
Hostname: Specify the name of the host or the IP address of the Kerberos server.
Port: Specify the port at which the token server listens for Kerberos connections. The default port is 88.
Realm: Specify the domain of authentication. In this case, specify the Kerberos domain.
Service Principal Name: Enter the identity of the service principal as configured in the Kerberos server.
General Tab
The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure is an example of the Okta - General tab:
Figure 141: Okta - General Tab
The following table describes the Okta - General parameters:
Table 93: Okta - General Tab Parameters
Name: Specify the name of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Table 93: Okta - General Tab Parameters (Continued)
Server Timeout: Specify the duration in seconds that Policy Manager waits before considering this server unreachable. If multiple backup servers are available, this value is the duration in seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers, in the order in which they are configured.
Attributes Tab
The Attributes tab defines the Okta query filters and the attributes to be fetched by using those filters. The following figure displays the Okta - Attributes tab:
Figure 143: Okta - Attributes Tab
The following table describes the Okta - Attributes parameters:
Table 95: Okta - Attributes Tab Parameters
Filter Name: Displays the name of the filter. You can configure only Group for Okta.
Add More Filters
The Configure Filter page defines a filter query and the related attributes to be fetched from the SQL DB store. The following figure displays the Okta - Configure Filter page:
Figure 144: Okta - Configure Filter Page
The following table describes the Okta Configure Filter parameters:
Table 96: Okta Configure Filter Page Parameters
Filter Name: Enter the name of the filter.
Filter Query: Specifies an SQL query to fetch attributes from the user or device record in the DB.
Summary Tab
You can use the Summary tab to view configured parameters. The following figure displays the Okta - Summary tab:
Figure 145: Okta - Summary Tab
RADIUS Server
You can use a RADIUS Server as an authentication source to allow ClearPass to query a third-party RADIUS Server for authentication.
The following table describes the RADIUS Server - General parameters:
Table 97: RADIUS Server - General Tab Parameters
Name: Specify the name of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of source. In this context, select RADIUS Server.
The following table describes the RADIUS Server - Primary parameters:
Table 98: RADIUS Server - Primary Tab Parameters
Connection Details
Server Names: Enter the name of the RADIUS Server.
Port: The default port number is 1812. You may enter a different port number if required.
Secret: Enter the secret key for authentication.
Attributes Tab
The Attributes tab defines the Okta query filters and the attributes to be fetched by using those filters.
Summary Tab
You can use the Summary tab to view configured parameters. The following figure displays the RADIUS Server - Summary tab:
Figure 149: RADIUS Server - Summary Tab
Static Host List
An internal relational database stores the Policy Manager configuration data and locally configured user and device accounts.
General Tab
The General tab labels the authentication source. The following figure displays the Static Host List - General tab:
Figure 150: Static Host List - General Tab
The following table describes the Static Host List - General parameters:
Table 100: Static Host List - General Tab Parameters
Name: Specify the name of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
The following table describes the Static Host List - Static Host Lists parameters:
Table 101: Static Host List - Static Host Lists Tab Parameters
MAC Address Host Lists: Select a static host list from the drop-down list and click Add to add it to the list. Click Remove to remove the selected static host list. Click View Details to view the contents of the selected static host list. Click Modify to modify the selected static host list.
General Tab
The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the Token Server - General tab:
Figure 153: Token Server - General Tab
The following table describes the Token Server - General parameters:
Table 102: Token Server - General Tab Parameters
Name: Specify the label of the authentication source.
Table 102: Token Server - General Tab Parameters (Continued)
NOTE: As described in Services on page 87, you can specify additional authorization sources at the service level. Policy Manager fetches role mapping attributes irrespective of which authentication source the user or device was authenticated against.
The following figure is an example of the Token Server - Attributes tab:
Figure 155: Token Server - Attributes Tab
See Configuring a Role and Role Mapping Policy on page 224 for more information. The following table describes the Token Server - Attributes parameters:
Table 104: Token Server - Attributes Tab Parameters
Type: Select the type of authentication source from the drop-down list.
Name: Specifies the name of the token server attributes.
Chapter 7 Identity
The internal Policy Manager database supports storage of user records when a particular class of users is not present in a central user repository (for example, neither Active Directory nor any other database). To authenticate local users from a particular service, include the local user repository among the service's authentication sources.
Table 105: SAML Service Provider Configuration Settings (Continued)
- Issuer DN
- Issue Date/Time
- Expiry Date/Time
- Validity Status
- Signature Algorithm
- Public Key Format
- Serial Number
- Enabled
This field only displays certificates that are enabled in the certificate trust list.
The following figure displays the Local Users page:
Figure 157: Local Users Listing
Adding a Local User
To add a local user in the Local Users table:
1. Click the Add link at the top-right corner of the page. The Add Local User window is displayed.
2. In the User ID and Name fields, specify a user ID and name for the local user.
3. In the Password and Verify Password fields, specify a password for the local user.
4. Select the Enable User check box to enable the user account.
The following figure displays the Add Local User page:
Figure 158: Add Local User
Modifying a Local User Account
To modify a local user account in the Local Users table:
1. Click the User ID row that you want to edit. The Edit Local User window is displayed.
2. Modify any values in the Edit Local User window. For more information on editing the fields, see Adding a Local User on page 213.
3. Click Save.
Figure 159: Modify Local User
Importing and Exporting Local Users
You can import or export the admin user accounts by using the Import and Export All links at the top-right corner of the Local Users page. You can also export specific user accounts by using the Export button that appears after selecting one or more user accounts from the list. For more information on importing and exporting local users, see Importing on page 35 and Exporting on page 36.
4. Specify the characters not to be allowed in the password in the Disallowed Characters field.
5. Specify the words not to be allowed in the password in the Disallowed Words (CSV) field.
6. Select any additional checks, if required. The options are:
- May not contain User ID or its characters in reversed order
- May not contain repeated character four or more times consecutively
7. Set the password expiry time for the local users. The allowed range is 0–500 days. The default value is 0.
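As an added example (not ClearPass code), the following Python applies the local-user password checks from steps 4 through 7 above to candidate passwords and reports every rule a password breaks. Case-insensitive matching of disallowed words and the user ID, and the exact day on which an expiring password is treated as expired, are assumptions; the guide does not state them.

```python
"""Local-user password policy checks modelled on the ClearPass steps above.

Added example, not part of the ClearPass product or documentation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Matches any character repeated four or more times in a row (step 6, second option).
_REPEATED_RUN = re.compile(r"(.)\1{3,}")


@dataclass
class PasswordPolicy:
    disallowed_characters: str = ""      # Disallowed Characters field (step 4)
    disallowed_words_csv: str = ""       # Disallowed Words (CSV) field (step 5)
    reject_user_id: bool = False         # "May not contain User ID or its characters in reversed order"
    reject_repeated_chars: bool = False  # "May not contain repeated character four or more times consecutively"
    expiry_days: int = 0                 # step 7: 0 to 500 days, 0 (the default) means never expires

    def __post_init__(self) -> None:
        if not 0 <= self.expiry_days <= 500:
            raise ValueError("password expiry must be between 0 and 500 days")

    @property
    def disallowed_words(self) -> list[str]:
        """Split the CSV field into trimmed, lower-cased words (empty entries dropped)."""
        return [w.strip().lower() for w in self.disallowed_words_csv.split(",") if w.strip()]


def check_password(policy: PasswordPolicy, user_id: str, password: str) -> list[str]:
    """Return a list of violated rules; an empty list means the password passes the policy."""
    violations: list[str] = []

    bad_chars = sorted({c for c in password if c in policy.disallowed_characters})
    if bad_chars:
        violations.append("contains disallowed character(s): " + "".join(bad_chars))

    lowered = password.lower()  # assumption: word and user-ID checks ignore case
    for word in policy.disallowed_words:
        if word in lowered:
            violations.append(f"contains disallowed word: {word}")

    if policy.reject_user_id and user_id:
        uid = user_id.lower()
        if uid in lowered:
            violations.append("contains the user ID")
        elif uid[::-1] in lowered:
            violations.append("contains the user ID reversed")

    if policy.reject_repeated_chars and _REPEATED_RUN.search(password):
        violations.append("repeats a character four or more times consecutively")

    return violations


def password_expired(policy: PasswordPolicy, set_on: date, today: date) -> bool:
    """Expiry of 0 never expires; otherwise expired once older than expiry_days (assumed boundary)."""
    if policy.expiry_days == 0:
        return False
    return (today - set_on) > timedelta(days=policy.expiry_days)


if __name__ == "__main__":
    # Constructed sample policy and candidates.
    policy = PasswordPolicy(disallowed_characters="$ ", disallowed_words_csv="password, clearpass",
                            reject_user_id=True, reject_repeated_chars=True, expiry_days=90)
    for candidate in ("Tr0ub4dor&3", "xJDoe42!", "eodj!9Qz", "aaaa1Bc!", "MyPassword1"):
        print(candidate, "->", check_password(policy, "jdoe", candidate) or "OK")
    print("expired:", password_expired(policy, date(2015, 1, 1), date(2015, 4, 15)))
```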
Table 107: Endpoint Page Parameters
MAC Address: Displays the MAC address of the endpoint.
Hostname: Specifies the hostname of the policy server.
Device Category: Specifies the built-in category that the profiled device belongs to. For example, Smartdevices, Access Points, Computer, VOIP phone, and so on.
Device OS Family: Specifies the operating system that the device is configured with.
Figure 163: Endpoints - Trigger Server Action Page
The following table describes the Trigger Server Action page parameters:
Table 108: Trigger Server Action Page Parameters
Server Action: Select the server action from the drop-down list. The list includes the following options:
- Check Point Login
- Check Point Logout
- Fortinet Login
- Fortinet Logout
- Handle AirGroup Time Sharing
- Nmap Scan
- SNMP Scan
Context Server: Enter a valid server name.
The following figure displays the Update Device Fingerprint page:
Figure 164: Update Device Fingerprint
The following table describes the Update Device Fingerprint page parameters:
Table 109: Update Device Fingerprint Parameters
Device Category: Select the built-in category that the profiled device belongs to. For example, Smartdevices, Access Points, Computer, VOIP phone, and so on.
Device OS Family: Select the operating system configured on the device.
Click Add to open the Add Endpoint page and manually add an endpoint. The following figure displays the Add Endpoint page:
Figure 165: Add Endpoint Page
The following table describes the Add Endpoint page parameters:
Table 110: Add Endpoint Page Parameters
MAC Address: Specifies the MAC address of the endpoint.
Description: Specifies the description that provides additional information about the endpoint.
Status: Mark the status as Known, Unknown, or Disabled client.
Figure 166: Edit Endpoint Page
The following table describes the Edit Endpoint page parameters:
Table 111: Edit Endpoint Page Parameters
MAC Address: Displays the MAC address of the endpoint.
Description: Specifies the description that provides additional information about the endpoint.
Status: Mark the status as Known client, Unknown client, or Disabled client. The Known and Unknown status can be used in role mapping rules using the Authentication:MacAuth attribute.
Table 111: Edit Endpoint Page Parameters (Continued)
Hostname: Enter the hostname or the IP address of the endpoint.
Device Category: Specifies the built-in category that the endpoint belongs to. For example, SmartDevices, Access Points, Computer, VOIP phone, and so on.
Device OS Family: Specifies the operating system that the endpoint is configured with. For example, when the category is Computer, ClearPass Policy Manager shows a Device OS Family of Windows, Linux, or Mac OS X.
Adding and Modifying Static Host Lists
A static host list comprises a named list of MAC or IP addresses, which can be invoked in the following ways:
- In service and role-mapping rules, as a component.
- For non-responsive services on the network (for example, printers or scanners), as an authentication source. Only static host lists of type MAC address are available as authentication sources.
A static host list often functions, in the context of the service, as a whitelist or a blacklist.
Table 112: Add Static Host List Page Parameters (Continued)
Host Type: Select a host type: IP Address or MAC Address (radio buttons).
List: Use the Add Host and Remove Host widgets to maintain membership in the current Static Host List.
Additional Available Tasks
- To edit a static host list from the Static Host Lists listing page, click on the name to display the Edit Static Host List pop-up.
Adding and Modifying Roles
Policy Manager lists all available roles on the Configuration > Identity > Roles page. The following figure displays the Roles page:
Figure 169: Roles Page
You can configure a role from within a role mapping policy (Add New Role), or independently from the Configuration > Identity > Roles > Add page. In either case, roles exist independently of an individual service and can be accessed globally through the role mapping policy of any service.
The following figure displays the Role Mappings page:
Figure 171: Role Mappings Page
When you click Add role mapping from any of these locations, Policy Manager displays the Role Mappings page, which contains the following three tabs:
- Policy Tab on page 226
- Mapping Rules Tab on page 227
Policy Tab
The Policy tab labels the method and defines the default role. The default role is the role to which Policy Manager defaults if the mapping policy does not produce a match for a given request.
Table 114: Role Mappings - Policy Tab Parameters (Continued)
a match.
View Details: Click View Details to view the details of the default role.
Modify: Click Modify to modify the default role.
Add new Role: Click Add new Role to add a new role.
Mapping Rules Tab
The Mapping Rules tab selects the evaluation algorithm and lets you add, edit, remove, and reorder rules.
The following table describes the Role Mappings Page - Rules Editor page parameters:
Table 115: Role Mappings Page - Rules Editor Page Parameters
Type: The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on context. (Refer to Namespaces on page 601.)
Chapter 8 Posture
Dell Networking W-ClearPass Policy Manager evaluates the health of the clients that request access using posture policies, posture servers, and an audit server. These methods all return Posture Tokens (for example, Healthy and Quarantine) for use by Policy Manager as input to an enforcement policy. One or more posture methods can be associated with a service.
Configuring Posture Policy Agents and Hosts

Navigate to the Policy tab on the Configuration > Posture > Posture Policies > Add page to configure the policy name and description, select a posture agent and host operating system, and specify role restrictions.
Table 117: NAP Agent Posture Plug-ins for Windows Operating System
Operating System Versions / Plug-in Name / Description
Windows 8, Windows 7, Windows Vista, Windows XP Service Pack 3, Windows Server 2008, Windows Server 2008R2: Windows System Health Validator. The Windows System Health Validator parameters permit or deny client computers to connect to your network, and restrict client access for computers that have a service pack less than service pack x.
Table 118: NAP Agent Posture Plug-ins for Linux Operating Systems
Linux Operating Systems / Plug-in Name / Description
CentOS, Fedora, RedHat Enterprise Linux, SUSE Linux Enterprise, Ubuntu: ClearPass Linux Universal System Health Validator. Services, which allows you to enable or disable health checks, set auto remediation checks, select or insert available services, and set which services to run and which to stop.
Table 119: OnGuard Agent Validator Supported Windows Operating Systems
Supported Operating System Versions / Posture Plug-in Name / Description
Windows 2003, Windows 8, Windows 7, Windows Vista, Windows XP Service Pack 3, Windows Server 2008, Windows Server 2008R2: ClearPass Windows Universal System Health Validator. The configurable parameter categories for this validator are Services, Processes, Registry Keys, AntiVirus, AntiSpyware, Firewall, Peer To Peer, Patch Management, Windows HotFixes, USB Devices
Table 119: OnGuard Agent Validator Supported Windows Operating Systems (Continued)
Supported Operating System Versions / Posture Plug-in Name / Description
network, and clients that are restricted from your network. Access is determined by a check of the service pack level. You can determine the service pack level.
Table 120: OnGuard Agent (Persistent or Dissolvable) Posture Plug-ins for Mac OS X
Name of the Plug-in / Description
ClearPass Mac OS X Universal System Health Validator: The configurable parameter categories for this validator are:
- Services
- Processes
- AntiVirus
- AntiSpyware
- Firewall
- Patch Management
- Peer To Peer
- USB Devices
- Virtual Machines
- Network Connections
- Disk Encryption
- Installed Applications

Table 121: OnGuard Agent (Persistent or Dissolvable) Posture Plug-ins for Linux
Name of the Plug-in / Description
Configuring NAP Agent Plugins

If your posture policy is using a NAP agent, the Posture Plugins tab allows you to configure the following plug-in types:
- Windows System Health Validator - NAP Agent on page 236
- Windows Security Health Validator - NAP Agent on page 237

The following figure displays the NAP Agent - Posture Plugins tab:

Figure 178: NAP Agent - Posture Plugins Options

Windows System Health Validator - NAP Agent

The Windows System Health Validator - NAP Agent checks for the level of Window
Windows Security Health Validator - NAP Agent

This validator checks for the presence of specific types of security applications. An administrator can use the check boxes to restrict access based on the absence of the selected security application types.
The following figure displays the Posture Policies - Posture Plugins tab:

Figure 181: OnGuard Agent Plugin Options for Mac OS X

ClearPass Windows Universal System Health Validator - OnGuard Agent

Select OnGuard Agent and the Windows host operating system in the Posture Plugins tab (Configuration > Posture > Posture Policies > Add) to view the ClearPass Windows Universal System Health Validator page.
- Virtual Machines on page 255
- Network Connections on page 256
- Disk Encryption on page 258
- Installed Applications on page 258
- File Check on page 259

Services

The Services page provides a set of widgets for specifying services to run or stop.
Processes

The Processes page provides a set of parameters for specifying which processes must be explicitly present or absent on the system.
Table 124: Process to be Present Page (Detail)
Parameter / Description
Process Location: Choose from Applications: UserBin, UserLocalBin, UserSBin, or None.
Enter the Process name: Specifies the path name containing the process executable name.
Enter the Display name: Enter a user friendly name for the process. This is displayed in end-user facing messages.

After you save your Process details, the key information appears in the Processes to be present page list.
The following table describes the Process to be Absent parameters:

Table 125: Process to be Absent Page (Detail)
Parameter / Description
Check Type: Select the type of process check to perform. The agent can look for:
- Process Name - The agent looks for all processes that match the given name. For example, if notepad.exe is specified, the agent kills all processes whose name matches, regardless of the location from which these processes were started.
Figure 188: Registry Keys Page (Overview)

The following table describes the Registry Keys page parameters:

Table 126: Registry Keys Page (Overview - Pre-Add)
Parameter / Description
Auto Remediation: Enable auto remediation for registry checks. Use this page to automatically add or remove registry keys based on the entries in the Registry keys to be present and Registry keys to be absent fields.
User Notification: Enable user notifications for registry check policy violations.
Figure 189: Registry Keys Page (Detail)

The following table describes the Registry Keys - Detail parameters:

Table 127: Registry Keys Page (Detail)
Parameter / Description
Select the Registry Hive: Specify the registry hive from the following options:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG
Enter the Registry key: Specify the registry key using the examples given in the GUI.
Enter the Registry value name: Specify the name of the registry value.
Figure 190: Registry Keys Page (Overview - Post Add)

AntiVirus

In the Antivirus page, you can turn on an Antivirus application. Click An anti-virus application is on to configure the Antivirus application information.

Figure 191: Antivirus Page (Overview - Before)

When enabled, the Antivirus detail page appears.

Figure 192: Antivirus Page (Detail 1)

Click Add to specify product and version check information.

Dell Networking W-ClearPass Policy Manager 6.
Figure 193: Antivirus Page (Detail 2) After you save your Antivirus configuration, it appears in the Antivirus page list.
Table 128: Antivirus Page (Continued)
Interface / Parameter / Description
Parameters:
- Engine version check
- Datafile version check
- Data file has been updated in
- Last scan has been done before
- Real-time Protection Status Check
Description: the UI.
- Select the antivirus product - Select a vendor from the list.
- Product version check - No Check, Is Latest (requires registration with ClearPass portal), At Least, In Last N Updates (requires registration with ClearPass Portal).
Figure 197: AntiSpyware Page (Detail 2)

Figure 198: AntiSpyware Page (Overview After)

When you save your AntiSpyware configuration, it appears in the AntiSpyware page list. The configuration elements are the same for antivirus and antispyware products. Refer to the previous AntiSpyware configuration instructions.

Firewall

In the Firewall page, you can specify that a Firewall application must be on and specify information about the Firewall application.
Figure 201: Firewall Page (Detail 2) When you save your Firewall configuration, it appears in the Firewall page list.
The following figure displays the Peer To Peer health class configuration page:

Figure 203: Peer to Peer Page

The following table describes the Peer to Peer parameters:

Table 130: Peer to Peer Page
Parameter / Description
Auto Remediation: Enable to allow auto remediation for service checks (Automatically stop peer to peer applications based on the entries in the Applications to stop configuration).
Figure 205: Patch Management Page (Detail 1)

Click Add to specify PM Product Name, Product Version, Status Check, and Install Level Check information.

Figure 206: Patch Management Page (Detail 2)

When you save your patches configuration, it appears in the Patch Management page list.

Figure 207: Patch Management Page (Overview - After)
The following table describes the Patch Management parameters:

Table 131: Patch Management Page Parameters
Interface / Parameter / Description
Patch Management Page:
- A patch management application is on
- Auto Remediation
- User Notification
- Uncheck to allow any product
Patch Management Page (Detail 1):
- Add
- Trashcan icon
Patch Management Page (Detail 2):
- Product/Version
Description: Check the A patch management application is on to enable testing of health data for configured
Table 131: Patch Management Page Parameters (Continued)
Interface / Parameter / Description
Notify Before Install - Patch Agent is turned on and will notify the user before installing updates.

NOTE: The values specific to the selected product are displayed in the Status Check Type field. For example, all 5 values are displayed for Microsoft Windows Automatic Update. For SCCM, only No Check, Disabled, and Notify Before Install are displayed.
Table 131: Patch Management Page Parameters (Continued)
Interface / Parameter / Description
- Scan Interval: Configure the time interval after which OnGuard Agent should check for missing patches. You can configure the time period in hours, days, weeks, or months. The default scan interval is 1 hour. This field is disabled if you selected No Check from the Install Level Check Type field.
Figure 209: USB Devices

The following table describes the USB Devices parameters:

Table 133: USB Devices
Parameter / Description
Auto Remediation: Enable to allow auto remediation for USB mass storage devices attached to the endpoint (Automatically stop or eject the drive).
User Notification: Enable to allow user notifications for USB devices policy violations.
Remediation Action for USB Mass Storage Devices:
- No Action - Take no action; do not eject or disable the attached devices.
The following table describes the Virtual Machines parameters:

Table 134: Virtual Machines
Parameter / Description
Auto Remediation: Enable to allow auto remediation for virtual machines connected to the endpoint.
User Notification: Enable to allow user notifications for virtual machine policy violations.
Allow access to clients running on Virtual Machine: Enable to allow clients running on a VM to be accessed and validated.
Figure 212: Network Connection Type Configuration

The following table describes the Network Connection Type Configuration parameters:

Table 135: Network Connection Type Configuration Page
Parameter / Description
Allow Network Connections Type:
- Allow Only One Network Connection
- Allow One Network Connection with VPN
- Allow Multiple Network Connections
Network Connection Types: Click the >> or << to add or remove Others, Wired, and Wireless connection types.
Disk Encryption

Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage.
- Specify installed applications that are never monitored.
- Specify that only the mandatory and optional applications are monitored.

The following table describes the Installed Applications Configuration parameters:

Table 138: Installed Applications Configuration Page Parameters
Parameter / Description
Remediation checks: Auto-remediation for the Installed Applications health class is not supported.
The following figure displays the File Check health class configuration page:

Figure 214: Windows File Check Health Class

The following table describes the File Check Configuration parameters:

Table 139: File Check Configuration Parameters
Parameter / Description
Remediation checks: Auto-remediation for the File Check health class is not supported.
User Notification: A remediation message listing the files required to be present or absent is displayed to the end user.
The following table describes the File Group to be Present - Add parameters:

Table 140: File Group to be Present - Add Parameters
Parameter / Description
Enter the File Group Name: Enter the name of the file group.
File Group Evaluation Rule: Pass All - Select this evaluation rule if you want the File Check health class to be deemed 'healthy' only if all the configured file groups are present.
The following table describes the File to be Present - Add parameters:

Table 141: File to be Present - Add Parameters
Parameter / Description
File Location: Select the location of the file from the drop-down list:
- SystemDrive
- Systemroot
- ProgramFiles
- ProgramFiles (x86)
- HOMEDRIVE
- HOMEPATH
- None
Enter the File Path: Enter the file path as described in the examples from the GUI.
Enter the File Name: Enter the name of the file.
support of specific operating systems and to restrict access based on service pack level.

Figure 217: Windows System Health Validator - OnGuard Agent (Overview)

Windows Security Health Validator - OnGuard Agent

This validator checks for the presence of specific types of security applications. An administrator can use the options to restrict access based on the absence of the selected security application types.
ClearPass Linux Universal System Health Validator Plugin

The ClearPass Linux Universal System Health Validator plugin appears on the Posture Plugins (Configuration > Posture > Posture Policies > Add) tab. Select the Linux host operating system and the OnGuard Agent posture agent from the Policy tab in the Posture Policy page. Click Configure to configure antivirus settings and service types.
Click Add to configure the Antivirus product specific checks. The values configured in the Antivirus Product configuration pop-up will be displayed in the Antivirus page.
Services

The Services page provides a set of widgets for specifying services to run or stop. The following figure displays the Services page:

Figure 221: Services Page

The following table describes the Services page parameters:

Table 144: Services Page
Parameter / Description
Auto Remediation: Enable to allow auto remediation for service checks (Automatically stop or start services based on the entries in the Services to run and Services to stop configuration).
- Antivirus on page 269
- AntiSpyware on page 269
- Firewall on page 270
- Patch Management on page 271
- USB Devices on page 272
- Virtual Machine on page 272
- Network Connections on page 273
- Disk Encryption on page 273
- Installed Applications on page 274

The following figure displays the ClearPass Mac OS X Universal System Health Validator page:

Figure 222: ClearPass Mac OS X Universal System Health Validator - OnGuard Agent

Services

From the Services page, you can configure which s
Figure 223: Services Health Class Configuration Page

Processes

From the Processes page, you can view and add processes. Clicking Enable checks for Mac OS X provides a set of components to specify the processes that need to be explicitly present or absent on the system.

Figure 224: Processes Page

Click Add to open the page with options to configure the name, location, and display name of the processes.
Antivirus

In the Antivirus page, you can specify information about the antivirus application. Click on An antivirus application is on to configure the anti-virus application information. The following figure displays the Antivirus page:

Figure 226: Antivirus Page (Detail 1)

Click Add to specify product and version check information in the antivirus configuration page.

Figure 227: Antivirus Configuration Page (Detail 2)

When you save your antivirus configuration, it appears in the Antivirus page list.
In the Antispyware page, click An Antispyware Application is On to configure the configuration elements specific to the antispyware product that you select. When you save the antispyware configuration, it appears in the Antispyware page list.

Figure 229: Anti-Spyware Add Page

The configuration elements are the same for antivirus and antispyware products.

Firewall

From the Firewall page, click A Firewall Application is On to configure the firewall application information.
Figure 231: Firewall Add Page

When enabled, the Firewall detail page appears. See ClearPass Windows Universal System Health Validator OnGuard Agent on page 238 for firewall page and field descriptions.

Patch Management

From the Patch Management page, you can view and add the patch management product. Select A patch management application is on to configure the auto remediation and user notification features.
The following figure displays the Peer To Peer page:

Figure 234: Peer To Peer Page

USB Devices

Use this page to configure the Auto Remediation and User Notification parameters. You can also configure the options to take remediation action for USB mass storage devices or to remove USB mass storage devices from the Remediation Action for USB Mass Storage Devices drop-down.
Network Connections

The Network Connections page provides configuration options to control network connections based on connection type. Selecting the Network Connection Check is on check box provides the options to specify the remediation checks or user notification.
Click A disk encryption application is on from the Disk Encryption page to configure the remediation options. Click Add to configure the product specific encryption checks. You can select the Uncheck to allow any product check box in the Product-specific checks field to not allow any encryption product to satisfy the disk encryption check.
Figure 241: Installed Applications Page

Click Add in the Installed Applications page to configure the mandatory application that needs to be checked.

Figure 242: Installed Applications Add Page

File Check

Use the File Check page to verify that a group of files is present or absent. In the File Check page, you can turn on the file check and specify information about which files you want to check.
The following figure is an example of the File Check health class configuration pop-up:

Figure 243: Mac OS X File Check Health Class

The following table describes the File Check Configuration parameters:

Table 145: File Check Configuration Parameters
Parameter / Description
Remediation checks: Auto-remediation for the File Check health class is not supported.
User Notification: A remediation message listing the files required to be present or absent is displayed to the end user.
Click Add to open the File Group to be Present - Add page, in which you can configure the name of the file group and the evaluation rule for the file group. The following figure displays the File Group to be Present - Add pop-up:

Figure 244: MacOSX - File Group to be Present - Add Pop-up

The following table describes the File Group to be Present - Add parameters:

Table 146: File Group to be Present - Add Parameters
Parameter / Description
Enter the File Group Name: Enter the name of the file group.
Click Add from File Groups to be Present to configure the name of the file group and evaluation rule for the file group.
The parameters configured in the File to be Present - Add pop-up are reflected in the File Groups to be Present pop-up, as shown in the following figure:

Figure 246: File Group to be Present Pop-up

Configuring Posture Policy Rules

Once you have defined the posture hosts, agents, and plugins, you must configure the rules for the posture policy. To configure posture policy rules, navigate to Configuration > Posture > Posture Policies > Add, and click the Rules tab on the Posture Policies window.
Figure 247: Posture Policy Rules Tab and Rules Editor

The following table describes the Rules Editor configuration parameters:

Table 148: Posture Policy Rules Editor Parameters
Parameter / Description
Select Plugin Checks: Click to select one of the following plugin check types for System Health Validators (SHVs):
- Passes all SHV checks
- Passes one or more SHV checks
- Fails all SHV checks
- Fails one or more SHV checks
Select Plugins: Select the plug-in to which the plug-in checks should apply.
- Dell hosted captive portal that performs posture checks through a dissolvable agent

The following figure displays an example of how to configure posture at the service level. The Posture Compliance check box must be selected on the Service tab in order for posture to be enabled.
Table 149: Posture Features at the Service Level (Continued)
Configurable Component / How to Configure
Remediation URL: This URL defines where to send additional remediation information to endpoints.
Sequence of Posture Servers: Select a posture server, then select Move Up, Move Down, Remove, or View Details.
- To add a previously configured posture server, select it from the Select drop-down list, then click Add.
Posture Server Tab When you click Add Posture Server, Policy Manager displays the Posture Servers configuration page. The tabs and fields that appear on the Configuration > Posture > Posture Servers > Add page may vary depending upon the protocol and credentials defined for that server.
Primary Server and Backup Server Tabs Use the Primary Server and Backup Server tabs to configure the RADIUS server name and port.
Summary Tab

The Summary tab summarizes the parameters configured in the Posture Server, Primary Server, and Backup Server tabs. The following figure displays the Summary tab:

Figure 252: Posture Servers - Summary Tab

Configuring Audit Servers

The Policy Manager server contains built-in Nessus (version 2.X) and NMAP servers. For enterprises with existing audit server infrastructure, or with external audit servers, Policy Manager supports these servers externally.
Figure 253: Audit Tab
Table 152: Audit tab
Parameter / Description
Audit Server: Select a built-in server profile from the list:
- The [Nessus Server] performs vulnerability scanning and returns a Healthy/Quarantine result.
- The [Nmap Audit] performs network port scans. The health evaluation always returns a Healthy result. The port scan gathers attributes that allow determination of role(s) through post-audit rules.

For Policy Manager to trigger an audit on an end-host, it needs to get the IP address of the end-host.
Modifying Built-In Audit Servers

To reconfigure a default Policy Manager audit server:

1. Open the audit server profile. Navigate to Configuration > Posture > Audit Servers, then select an audit server from the list of available servers.

Figure 254: Audit Servers Listing

2. Modify the profile, plugins, and/or preferences.
- In the Audit tab, you can modify the In Progress Posture Status and Default Posture Status.
- NMAP Audit Server on page 294

Nessus Audit Server

Policy Manager uses the Nessus audit server interface primarily to perform vulnerability scanning. It returns a Healthy/Quarantine result. The Audit tab identifies the server and defines configuration details.

Figure 256: Nessus Audit Server - Audit Tab

Table 153: Nessus Audit Server - Audit Tab
Parameter / Description
Name: Specify the name of the audit server.
Figure 257: Nessus Audit Server - Primary and Backup Tabs

Table 154: Nessus Audit Server - Primary and Backup Server Tabs
Parameter / Description
Server Name and Port / Username / Password: Specifies the standard NESSUS server configuration fields.

NOTE: For the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
Figure 258: Nessus Scan Profile Configuration Page You can refresh the plugins list (after uploading plugins into Policy Manager, or after refreshing the plugins on your external Nessus server) by clicking Refresh Plugins List.
Figure 259: Nessus Scan Profile Configuration - Profile Tab

- The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click on its row.
Figure 260: Nessus Scan Profile Configuration Profile Tab - Plugin Synopsis

Of special interest is the section of the synopsis entitled Risks. To delete any listed plugin, click on its corresponding trashcan icon. To change the vulnerability level of any listed plugin, click on the link to change the level to one of HOLE, WARN, or INFO. This setting tells Policy Manager the vulnerability level at which a finding causes QUARANTINE status to be assigned.
By way of example of how plugins use this information, consider a plugin that must access a particular service in order to determine some aspect of the client's status; in such cases, login information might be among the preference fields.

Figure 263: Nessus Scan Profile Configuration - Preferences Tab

After saving the profile, plugin, and preference information for your new (or modified) plugin, you can go to the Primary/Backup Servers tabs and select it from the Scan Profile drop-down list.
Figure 264: Audit Tab - NMAP Audit Server

The following table describes the parameters configured in the Audit tab:

Table 155: Audit Tab Parameters
Parameter / Description
Name: Enter the name of the NMAP audit server.
Description: Enter a description of the NMAP audit server that provides some additional information.
Type: Specify the type of the audit server. In this context, select NMAP.
In Progress Posture Status: Posture status during audit. Select a status from the drop-down list.
Figure 265: NMAP Options Tab

Table 156: NMAP Options Tab
Parameter / Description
TCP Scan: To specify a TCP scan, select from the TCP Scan drop-down list. Refer to the NMAP documentation for more information on these options. NMAP option --scanflags.
UDP Scan: To enable, check the UDP Scan check box. NMAP option -sU.
Service Scan: To enable, check the Service Scan check box. NMAP option -sV.
Detect Host Operating System: To enable, check the Detect Host Operating System check box. NMAP option -A.
Figure 266: All Audit Server Configurations - Rules Tab

Table 157: All Audit Server Configurations - Rules Tab
Parameter / Description
Rules Evaluation Algorithm: Select first matched rule and return the role, or Select all matched rules and return a set of roles.
Add Rule: Add a rule. Brings up the rules editor. See below.
Move Up/Down: Reorder the rules.
Edit Rule: Brings up the selected rule in edit mode.
Remove Rule: Remove the selected rule.
Table 158: All Audit Server Configurations - Rules Editor
Parameter / Description
Conditions: The Conditions list includes five dictionaries: Audit-Status, Device-Type, Output-Msgs, Mac-Vendor, Network-Apps, Open-Ports, and OS-Info. Refer to Namespaces on page 601.
Actions: The Actions list includes the names of the roles configured in Policy Manager.
Save: To commit a Condition/Action pairing, click Save.
Chapter 9 Enforcement

Policy Manager controls network access by sending a set of access-control attributes to the request-originating Network Access Device (NAD). Policy Manager sends these attributes by evaluating an enforcement policy associated with the service. Each enforcement policy contains a rule or set of rules for matching conditions (role, posture, and time) to actions (enforcement profiles).
Figure 269: Add Enforcement Policy - Enforcement tab

The following table describes the Add Enforcement Policy - Enforcement tab parameters:

Table 159: Add Enforcement Policy - Enforcement Tab Parameters
Parameter / Description
Name/Description: Freeform label and description.
Type: Select RADIUS, TACACS+, WebAuth (SNMP/CLI)/CoA, or Application. Based on this selection, the Default Profile list shows the right type of enforcement profiles in the drop-down list (see below).
The following table describes the Add Enforcement Policy - Rules tab parameters:

Table 160: Add Enforcement Policy (Rules tab)
Field / Description
Add/Edit Rule: Bring up the rules editor to add or edit a rule.
Move Up/Down: Reorder the rules in the enforcement policy.
Remove Rule: Remove a rule.

Table 161: Add Enforcement Policy (Rules Editor)
Field / Description
Conditions/Enforcement Profiles: Select conditions for this rule. For each condition, select a matching action (enforcement profile).
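The following added example (not ClearPass code) ties together the two rule evaluation algorithms named for audit server rules above, "Select first matched rule" and "Select all matched rules", and the enforcement policy described in this chapter: ordered rules that match (role, posture, time) conditions to enforcement profiles, with the Default Profile applied when no rule matches. The request layout, the condition helpers and the VLAN profile names are constructed for the example; only [Deny Access Profile] is a built-in profile from the guide.

```python
"""Enforcement policy rule evaluation. Added example, not ClearPass code.

Demonstrates the two evaluation algorithms the guide names ("first matched
rule" and "all matched rules") over enforcement rules that map role,
posture and time-of-day conditions to enforcement profiles. The request
dictionary layout and condition helpers are constructed for this example.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Sequence

Request = Dict[str, object]       # {"roles": set of str, "posture": str, "time": time}
Condition = Callable[[Request], bool]


def make_request(roles: Sequence[str], posture: str, hour: int, minute: int = 0) -> Request:
    """Build a request as the policy below expects it (constructed layout)."""
    return {"roles": set(roles), "posture": posture, "time": time(hour, minute)}


def has_role(role: str) -> Condition:
    return lambda req: role in req["roles"]


def posture_is(token: str) -> Condition:
    return lambda req: req["posture"] == token


def between(start: time, end: time) -> Condition:
    """Time-of-day window, inclusive at both ends."""
    return lambda req: start <= req["time"] <= end


@dataclass(frozen=True)
class EnforcementRule:
    name: str
    conditions: Sequence[Condition]   # every condition must hold (AND)
    profiles: Sequence[str]           # enforcement profiles applied on match

    def matches(self, req: Request) -> bool:
        return all(cond(req) for cond in self.conditions)


@dataclass
class EnforcementPolicy:
    rules: List[EnforcementRule]      # evaluated in listed order (Move Up/Down)
    default_profile: str              # Default Profile from the Enforcement tab
    algorithm: str = "first"          # "first" or "all"

    def evaluate(self, req: Request) -> List[str]:
        matched = [r for r in self.rules if r.matches(req)]
        if not matched:
            return [self.default_profile]          # no rule matched: default applies
        if self.algorithm == "first":
            return list(matched[0].profiles)
        if self.algorithm != "all":
            raise ValueError(f"unknown evaluation algorithm: {self.algorithm!r}")
        # "all": union of every matched rule's profiles, rule order kept, no duplicates
        union: List[str] = []
        for rule in matched:
            for profile in rule.profiles:
                if profile not in union:
                    union.append(profile)
        return union


# Constructed sample policy. "[Deny Access Profile]" is a built-in profile from
# the guide; the VLAN and bandwidth profile names are hypothetical.
SAMPLE_RULES = [
    EnforcementRule("quarantined endpoint", [posture_is("Quarantine")],
                    ["Remediation VLAN"]),
    EnforcementRule("employee in business hours",
                    [has_role("Employee"), posture_is("Healthy"),
                     between(time(8, 0), time(18, 0))],
                    ["Employee VLAN"]),
    EnforcementRule("contractor", [has_role("Contractor"), posture_is("Healthy")],
                    ["Contractor VLAN", "Bandwidth Limit"]),
]


def decide(req: Request, algorithm: str = "first") -> List[str]:
    """Profiles the sample policy returns for one request."""
    return EnforcementPolicy(SAMPLE_RULES, "[Deny Access Profile]", algorithm).evaluate(req)


if __name__ == "__main__":
    print(decide(make_request(["Employee"], "Healthy", 9, 30)))        # ['Employee VLAN']
    print(decide(make_request(["Employee"], "Healthy", 22)))           # ['[Deny Access Profile]']
    both = make_request(["Employee", "Contractor"], "Healthy", 9, 30)
    print(decide(both, "all"))  # ['Employee VLAN', 'Contractor VLAN', 'Bandwidth Limit']
```

Because the quarantine rule sits first, a quarantined endpoint never reaches the role-based rules whichever algorithm is selected; reordering it below them would change the outcome under "first matched rule", which is why rule order (Move Up/Down) is part of the policy's security semantics.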
- Session Restrictions Enforcement on page 338
- SNMP Based Enforcement on page 340
- TACACS+ Based Enforcement on page 341
- VLAN Enforcement on page 343

To configure an enforcement profile:

1. Navigate to Configuration > Enforcement > Profiles.
2. Click Add at the top-right corner of the Enforcement Policies page and use the wizard.

You can modify an existing enforcement profile directly from the Configuration > Enforcement > Profiles page by clicking a name in the Enforcement Profile listing.
Table 162: Default Enforcement Profiles (Continued)
Profile / Available for the following Enforcement Types
[Cisco - Bounce-Host-Port]: RADIUS_CoA
[Cisco - Disable Host-Port]: RADIUS_CoA
[Cisco - Reauthenticate-Session]: RADIUS_CoA
[Cisco - Terminate-Session]: RADIUS_CoA
[Deny Access Profile]: RADIUS
[Deny Application Access Profile]: Application
[Drop Access Profile]: RADIUS
[Handle AirGroup Time Sharing]: HTTP
[HP - Terminate Session]: RADIUS_CoA
[Juniper Terminate Session]: RADIUS_CoA
[Motorola
Profile Tab

Use the Profile tab to configure the template, the type of the profile, and the device group list. The following figure displays the Agent Enforcement - Profile tab:

Figure 272: Agent Enforcement - Profile Tab

The following table describes the Agent Enforcement - Profile tab parameters:

Table 163: Add Agent Enforcement - Profile Tab Parameters
Parameter / Description
Template: Select the template from the drop-down list. In this context, select Agent Enforcement.
Name: Enter the name of the profile.
Attributes Tab

Use the Attributes tab to configure the attribute name and attribute value. The following figure displays the Agent Enforcement - Attributes tab:

Figure 273: Agent Enforcement - Attributes Tab
The following table describes the Agent Enforcement - Attributes tab parameters:

Table 164: Agent Enforcement - Attributes Tab Parameters
Attribute / Parameter
Attribute Name: Select one of the following attribute names:
- Bounce Client - Set the value to true by checking the box to terminate the network connection.
- Message - Enter the message to be displayed on the endpoint.
- Enable to hide Retry button - Set the value to true to hide the Retry button in the OnGuard Agent.
Summary Tab

The Summary tab summarizes the parameters configured in the Profile and Attributes tabs. The following figure displays the Agent Enforcement - Summary tab:

Figure 274: Agent Enforcement - Summary Tab

Aruba Downloadable Role Enforcement

Use this page to configure profile and role configuration attributes for the Aruba Downloadable Role Enforcement profile.
Table 165: Aruba Downloadable Role Enforcement - Profile Tab Parameters (Continued)
Parameter / Description
Type: Specifies the type of authentication. In this context, RADIUS. This field is automatically populated.
Action: Click Accept, Reject, or Drop to define the action taken on the request. The default action is Accept.
Device Group List: Select a device group from the drop-down list. The list displays all configured device groups.
The following table describes the Role Configuration - Attributes parameters:

Table 166: Role Configuration - Attributes Page Parameters
Parameter / Configuration
Captive Portal Profile: Select the captive portal profile from the drop-down list if already configured. Click the Add Captive Portal Profile link to add a new captive portal profile. For more information, see Captive Portal Profile on page 310.
Policer Profile: Select the policer profile from the drop-down list if already configured.
Captive Portal Profile

Click the Add Captive Portal Profile link. Enter a name for the profile and configure the required attributes. The following figure displays the Add Captive Portal Profile pop-up:

Figure 277: Add Captive Portal Profile Pop-up
Policer Profile Click the Add Policer Profile link. Enter a name for the profile and configure the required attributes. The following figure displays the Add Policer Profile pop-up: Figure 278: Add Policer Profile Pop-up
QoS Profile Click the Add QoS Profile link. Enter a name for the profile and configure the required attributes. The following figure displays the Add QoS Profile pop-up: Figure 279: Add QoS Profile Pop-up
VoIP Profile Click the Add VoIP Profile link. Enter a name for the profile and configure the required attributes. The following figure displays the Add VoIP Profile pop-up: Figure 280: Add VoIP Profile Pop-up NetService Configuration Click the Manage NetServices link and configure the required attributes. The following figure displays the Manage NetServices pop-up: Figure 281: Manage NetServices Pop-up
NetDestination Configuration Click the Manage NetDestinations link and configure the required attributes. The following figure displays the Manage NetDestinations pop-up: Figure 282: Manage NetDestinations Pop-up Time Range Configuration Click the Manage Time Ranges link and configure the required attributes. The following figure displays the Manage Time Ranges pop-up: Figure 283: Time Range Configuration Pop-up
NAT Pool Configuration Use the NAT Pool Configuration page to configure the start and end of the source NAT range and associate them with session ACLs. The following figure displays the NAT Pool Configuration pop-up: Figure 284: NAT Pool Configuration Pop-up ACL Click the Add Stateless Access Control List link. Enter a name for the Stateless ACL. Click the Add Rule link on the General tab. Enter the required attributes in the Rule Configuration tab and click Save Rule or Cancel.
down list. For example, if you select the dual-nat action type, you can view the Dual NAT Pool field additionally to specify the action. Enter the required attributes in the Rule Configuration tab and click Save Rule or Cancel. The following figure displays the Session Access Control List Attributes pop-up: Figure 286: Session Access Control List Attributes Pop-up Click the Add Ethernet/MAC Access Control List link. Enter a name for the Ethernet/MAC ACL.
The following figure displays the Ethernet/MAC Access Control List Attributes pop-up: Figure 287: Ethernet/MAC Access Control List Attributes Pop-up Summary Tab The Summary tab summarizes the parameters configured in the Profile and Role Configuration tabs.
- Summary Tab on page 319
Profile Tab Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the Aruba RADIUS Enforcement - Profile tab: Figure 289: Aruba RADIUS Enforcement - Profile Tab The following table describes the Aruba RADIUS Enforcement - Profile tab parameters:
Table 167: Aruba RADIUS Enforcement - Profile Tab Parameters
Template: Select the template from the drop-down list.
Attributes Tab Use the Attribute tab to configure the attribute type, name, and value for the enforcement profile.
Profile Tab Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the Cisco Downloadable ACL Enforcement - Profile tab: Figure 292: Cisco Downloadable ACL Enforcement - Profile Tab The following table describes the Cisco Downloadable ACL Enforcement - Profile parameters: Table 169: Cisco Downloadable ACL Enforcement - Profile Tab Parameters Parameter Description Template Select the template from the drop-down list.
The following table describes the Cisco Downloadable ACL Enforcement - Attributes parameters:
Table 170: Cisco Downloadable ACL Enforcement - Attributes Tab Parameters
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
For more information, see RADIUS Namespaces on page 610.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Profile Tab Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the Cisco Web Authentication Enforcement - Profile tab: Figure 295: Cisco Web Authentication Enforcement - Profile Tab The following table describes the Cisco Web Authentication Enforcement - Profile tab parameters: Table 171: Cisco Web Authentication Enforcement - Profile Tab Parameters Parameter Description Template Select the template from the drop-down list.
The following table describes the Cisco Web Authentication Enforcement - Attribute parameters:
Table 172: Cisco Web Authentication Enforcement - Attribute Tab Parameters
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
For more information, see RADIUS Namespaces on page 610.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Profile Tab Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the ClearPass Entity Update Enforcement - Profile tab: Figure 298: ClearPass Entity Update Enforcement - Profile Tab The following table describes the ClearPass Entity Update Enforcement - Profile tab parameters: Table 173: ClearPass Entity Update Enforcement - Profile Tab Parameters Parameter Description Template Select the template from the drop-down list.
The following table describes the ClearPass Entity Update Enforcement - Attributes tab parameters:
Table 174: ClearPass Entity Update Enforcement - Attributes Tab Parameters
Type: Select one of the following attribute types:
- Endpoint
- Expire-Time-Update
- GuestUser
- Status-Update
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Profile Tab Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the CLI Based Enforcement - Profile tab: Figure 301: CLI Based Enforcement - Profile Tab The following table describes the CLI Based Enforcement - Profile tab parameters: Table 175: CLI Based Enforcement - Profile Tab Parameters Parameter Description Template Select the template from the drop-down list. In this context, select CLI Based Enforcement.
The following table describes the CLI Based Enforcement - Attributes tab parameters:
Table 176: CLI Based Enforcement - Attributes Tab Parameters
Attribute Name: Select Command or Target Device.
Attribute Value: The options displayed for the Attribute Value depend on the selected Attribute Name.
Summary Tab The Summary tab summarizes the parameters configured in the Profile and Attributes tabs.
The following table describes the Filter ID Based Enforcement Profile tab parameters: Table 177: Filter ID Based Enforcement - Profile Tab Parameters Parameter Description Template Select the template from the drop-down list. In this context, select Filter ID Based Enforcement Name Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page. Description Enter a description of the profile.
The following table describes the Filter ID Based Enforcement - Attributes tab parameters:
Table 178: Filter ID Based Enforcement Profile - Attributes Tab Parameters
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
For more information, see RADIUS Namespaces on page 610.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
The following table describes the Generic Application Enforcement - Profile tab parameters: Table 179: Generic Application Enforcement - Profile Tab Parameters Parameter Description Template Select the template from the drop-down list. In this context, select Generic Application Enforcement. Name Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Summary Tab The Summary tab summarizes the parameters configured in the Profile and Attributes tab. The following figure displays the Generic Application Enforcement - Summary tab: Figure 308: Generic Application Enforcement - Summary Tab HTTP Based Enforcement Use this page to configure profile and attribute parameters for the HTTP based enforcement profile.
Table 181: HTTP Based Enforcement Profile Tab Parameters (Continued)
Action: Disabled.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
The following table describes the RADIUS Based Enforcement Profile tab parameters: Table 183: RADIUS Based Enforcement Profile Tab Parameters Parameter Description Template Select the template from the drop-down list. In this context, select RADIUS Based Enforcement. Name Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page. Description Enter a description of the profile.
The following table describes the RADIUS Based Enforcement - Attributes tab parameters:
Table 184: RADIUS Based Enforcement - Attributes Tab Parameters
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
For more information, see RADIUS Namespaces on page 610.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
The following table describes the Radius Change of Authorization (CoA) - Profile tab parameters:
Table 185: Radius Change of Authorization (CoA) Profile Tab Parameters
Template: Select from:
- Cisco - Disable-Host-Port
- Cisco - Bounce-Host-Port
- Cisco - Reauthenticate-Session
- HP - Change-VLAN
- HP - Generic-CoA
- Aruba - Change-User-Role
- Aruba - Change-VPN-User-Role
- IETF - Terminate-Session-IETF
- IETF - Generic-CoA-IETF
Type: Select one of the following attribute types:
- Radius
Attributes Tab The following figure displays the Radius Change of Authorization (CoA) - Attributes tab: Figure 314: Radius Change of Authorization (CoA) - Attributes Tab The following table describes the Radius Change of Authorization (CoA) - Attributes tab parameters:
Table 186: Radius Change of Authorization (CoA) Attributes Tab Parameters
RADIUS CoA Template Type: Select from:
- Cisco - Disable-Host-Port
- Cisco - Bounce-Host-Port
- Cisco - Reauthenticate-Session
- HP - Change-VLAN
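The CoA templates above (for example IETF - Terminate-Session-IETF) are sent to the NAS as RFC 5176 Disconnect-Request or CoA-Request packets, and the NAS accepts them only if the Request Authenticator validates against the shared secret configured for that device. The following example is added here and is not ClearPass code: it builds a Disconnect-Request with the IETF session-identification attributes (User-Name, Framed-IP-Address, Acct-Session-Id), verifies it the way a NAS does, and chains the ACK to the request. The shared secret, username, address and session ID are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# RFC 2865 attribute types used to identify the session
USER_NAME, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 8, 44


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: Type(1), Length(1, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Split the attribute area back into (type, value) pairs; reject malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Server side. RFC 5176 Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS side. Recompute the authenticator; a mismatch means a wrong secret or a modified packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """NAS side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side. The ACK/NAK must echo the request identifier and chain to its authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def build_disconnect_request(username: str, framed_ip: str, session_id: str,
                             secret: bytes, identifier: int) -> bytes:
    """What an IETF Terminate-Session profile amounts to on the wire: a Disconnect-Request
    carrying the session-identification attributes (the sample values are constructed)."""
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
             + encode_attr(ACCT_SESSION_ID, session_id.encode()))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_disconnect_request("alice", "10.1.2.3", "0001A2B3", secret, identifier=7)
    print("NAS accepts request:", verify_request(req, secret))
    print("NAS rejects wrong secret:", not verify_request(req, b"wrong"))
    ack = build_response(DISCONNECT_ACK, req, b"", secret)
    print("server accepts Disconnect-ACK:", verify_response(ack, req, secret))
```

The authenticator is an MD5 over the shared secret, not a modern MAC, so the secret is the only thing standing between an attacker on the management network and forged session terminations; use a long random secret per device and restrict which source addresses the NAS accepts CoA from.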
l Summary Tab on page 338 Profile Tab The following figure displays the Session Notification Enforcement - Profile tab: Figure 315: Session Notification Enforcement - Profile Tab The following table describes the Session Notification Enforcement - Profile tab parameters: Table 187: Session Notification Enforcement Profile Tab Parameters Parameter Description Template Select Session Notification Enforcement. Name Enter the name of the profile.
The following table describes the Session Notification Enforcement - Attributes tab parameters:
Table 188: Session Notification Enforcement - Attributes Tab
Type: Select from:
- Session-Check
- Session-Notify
Palo Alto Networks integration is extended to Guest MAC Caching use cases. Configure the following:
Session-Check::Username = %{Endpoint:Username}
NOTE: With this attribute set, Post Auth sends the guest username instead of the MAC address in the user ID updates.
Profile Tab The following figure displays the Session Restrictions Enforcement - Profile tab: Figure 318: Session Restrictions Enforcement Profile Tab The following table describes the Session Restrictions Enforcement - Profile tab parameters: Table 189: Session Restrictions Enforcement Profile Tab Parameters Parameter Description Template Select the template from the drop-down list. In this context, select Session Restrictions enforcement. Name Enter the name of the profile.
The following table describes the Session Restrictions Enforcement - Attributes parameters:
Table 190: Session Restrictions Enforcement Attributes Tab
Type: Select from:
- Bandwidth-Check
- Expire-Check
- Post-Auth-Check
- Session-Check
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Table 191: SNMP Based Enforcement - Profile Tab Parameters (Continued)
Action: Disabled.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Profile Tab The following figure displays the TACACS+ Based Enforcement - Profile tab: Figure 322: TACACS+ Based Enforcement Profile Tab The following table describes the TACACS+ Based Enforcement Profile - Profile tab parameters: Table 193: TACACS+ Based Enforcement Profile Tab Parameters Parameter Description Template Select the template from the drop-down list. In this context, select TACACS+ Based Enforcement. Name Enter the name of the profile.
Services Tab The following figure displays the TACACS+ Based Enforcement - Services tab: Figure 323: TACACS+ Based Enforcement Services Tab The following table describes the TACACS+ Based Enforcement Profile - Service tab parameters: Table 194: TACACS+ Based Enforcement Services Tab Parameters Parameter Description Privilege Level Select a level between 0 and 15. Selected Services Select a service from the list and add it to the Selected Services: field.
The following table describes the VLAN Enforcement - Profile tab parameters: Table 195: VLAN Enforcement - Profile Tab Parameters Parameter Description Template Select the template from the drop-down list. In this context, select VLAN Enforcement. Name Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page. Description Enter a description of the profile.
The following table describes the VLAN Enforcement - Attributes tab parameters:
Table 196: VLAN Enforcement Attributes Tab Parameters
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
For more information, see RADIUS Namespaces on page 610.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Chapter 10 Network Access Devices A Policy Manager device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol. You can add or modify a device or a device group from the Policy Manager server.
The following figure displays the Network Devices page: Figure 326: Network Devices page This page includes the following additional tasks: l Adding a Device on page 348 l Additional Tasks on page 353 Adding a Device To add a device, navigate to the Configuration > Network > Devices page and click Add link at the top-right corner. The Add Device page appears.
The following table describes the Device tab parameters: Table 197: Device Tab Parameters Parameter Description Name Enter the name of the device. Description Enter the description that provides additional information to identify the device. IP Address or Subnet Specify the IP address or the subnet of the device. You can use a hyphen to indicate the range of device IP addresses following the format a.b.c.d-e. For example, 192.168.1.1-20.
Figure 328: SNMP Read Settings Tab The following table describes the SNMP Read Settings tab parameters:
Table 198: SNMP Read Settings Parameters
Allow SNMP Read: Toggle to enable or disable SNMP read.
SNMP Read Setting: Specify the SNMP read settings for the device.
Table 198: SNMP Read Settings Parameters (Continued)
Username (SNMP v3 only): Specify the admin user name to use for SNMP read operations.
Authentication Key (SNMP v3 only): Specify the SNMP v3 authentication key and select the authentication option (SHA or MD5). Prefer SHA: MD5 is not a FIPS-approved algorithm, and the device-side SNMP user should be given read-only access wherever the device supports it.
NOTE: The EAP-MD5 authentication type is not supported if you run Dell Networking W-ClearPass Policy Manager in FIPS mode (Administration > Server Manager > Server Configuration > FIPS).
The following table describes the SNMP Write Settings parameters: Table 199: SNMP Write Settings Tab Parameters Parameter Description Allow SNMP Write Toggle to enable or disable SNMP write. Default VLAN Specify the VLAN port setting after SNMP-enforced session expires. SNMP Write Settings Specify the SNMP Write settings for the device.
The following table describes the CLI Settings tab parameters:
Table 200: CLI Settings Tab Parameters
Allow CLI Access: Toggle to enable or disable CLI access.
Access Type: Select SSH or Telnet. Policy Manager uses the selected access method to log into the device CLI. Telnet sends the username and password in cleartext; use SSH unless the device has no SSH support.
Port: Specify the SSH or Telnet TCP port number.
Username: Enter the username to log into the CLI.
Password: Enter the password to log into the CLI.
attributes associated with these profiles only if the request originated from a device belonging to one of the device groups. Administrators configure device groups at the global level. A device group can contain the IP addresses of a specified subnet, the addresses matched by a regular expression, or devices previously configured in the Policy Manager database. Policy Manager lists all configured device groups in the Device Groups page (Configuration > Network > Device Groups).
To add a device group, click Add at the top-right corner of the Network Device Groups page. Complete the fields in the Add New Device Group page as described in the following figure: Figure 332: Add New Device Group Page The following table describes the Add New Device Group page parameters: Table 201: Add New Device Group Page Parameter Description Name Enter the name of the device group. Description Enter the description that provides additional information about the device group.
Table 201: Add New Device Group Page (Continued)
Subnet: Enter a subnet consisting of the network address and the prefix length (CIDR notation). For example, 192.168.5.0/24.
Regular Expression: Specify a regular expression that represents all IPv4 addresses matching that expression. For example, ^192(.[0-9]*){3}$. Note that an unescaped dot matches any character, so write \. and bound the octets (for example ^192(\.[0-9]{1,3}){3}$) if the group must not match anything but the intended addresses.
List: Available/Selected Devices: Use the widgets to move device identifiers between Available and Selected.
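The three membership forms described for devices and device groups (a single address or a.b.c.d-e range on the Devices page; a CIDR subnet, a regular expression, or a list of configured devices on the Device Groups page) decide whether an enforcement profile is ever applied to a request. The following example is added here and is not ClearPass code: it implements the three matching rules with the standard library, and shows why the page's sample regular expression, with its unescaped dot, matches strings that are not IP addresses at all. The stricter pattern and the device specs are assumptions for illustration.

```python
import ipaddress
import re

# The page's sample pattern, and a tightened version that escapes the dot and bounds each octet.
LOOSE_REGEX = r"^192(.[0-9]*){3}$"
STRICT_REGEX = r"^192(\.[0-9]{1,3}){3}$"


def device_spec_contains(spec: str, addr: str) -> bool:
    """Devices page semantics: 'a.b.c.d', 'a.b.c.d-e' (range over the last octet) or 'a.b.c.d/n'."""
    ip = ipaddress.IPv4Address(addr)
    spec = spec.strip()
    if "/" in spec:
        return ip in ipaddress.IPv4Network(spec, strict=False)
    if "-" in spec:
        base, last = spec.split("-", 1)
        prefix, first_octet = base.rsplit(".", 1)
        end_octet = int(last)
        if not int(first_octet) <= end_octet <= 255:
            raise ValueError(f"bad last-octet range: {spec!r}")
        start = ipaddress.IPv4Address(base)
        end = ipaddress.IPv4Address(f"{prefix}.{end_octet}")
        return start <= ip <= end
    return ip == ipaddress.IPv4Address(spec)


def regex_matches(pattern: str, addr: str) -> bool:
    """Device Groups page semantics: the expression is applied to the request's NAS address as text."""
    return re.search(pattern, addr) is not None


def in_device_group(addr: str, subnet: str = None, regex: str = None, devices=()) -> bool:
    """True if the NAS address falls in the group's subnet, matches its regex, or is one of its devices."""
    if subnet and ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(subnet, strict=False):
        return True
    if regex and regex_matches(regex, addr):
        return True
    return any(device_spec_contains(spec, addr) for spec in devices)


if __name__ == "__main__":
    # Constructed NAS addresses; the loose pattern also accepts a string with no dots in it.
    for candidate in ("192.168.1.1", "192x168y1z1"):
        print(candidate, "loose:", regex_matches(LOOSE_REGEX, candidate),
              "strict:", regex_matches(STRICT_REGEX, candidate))
    print(in_device_group("172.16.4.9", subnet="172.16.5.0/24", devices=["172.16.4.1-10"]))
```

The regex is evaluated against the address as a string, so anchor it and escape the dots; a group that is meant to cover "every NAS in 192.0.0.0/8" is better expressed as the subnet form, which is checked numerically.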
The following figure displays the Add Proxy Target pop-up: Figure 334: Add Proxy Target Pop-up The following table describes the Add Proxy Target pop-up parameters: Table 202: Add Proxy Target pop-up Parameter Description Name Enter the name of the proxy target. Description Enter the description that provides additional information about the proxy target. Hostname/Shared Secret Specify the RADIUS hostname and shared secret.
Chapter 11 ClearPass Policy Manager Profile Profile is a Dell Networking W-ClearPass Policy Manager module that automatically classifies endpoints using attributes obtained from software components called Collectors. You can use Profile to implement “Bring Your Own Device” (BYOD) flows, where access must be controlled, based on the type of the device and the identity of the user.
- CPPM OnGuard on page 361
- SNMP on page 361
- Subnet Scan on page 362
* Acquired through various authentication mechanisms such as 802.1X and MAC authentication.
DHCP DHCP attributes such as option 55 (parameter request list), option 60 (vendor class), and the options list from the DISCOVER and REQUEST packets can uniquely fingerprint most devices that use DHCP to acquire an IP address on the network.
ActiveSync Plugin You can install the ActiveSync plugin on Microsoft Exchange servers. When a device communicates with the Exchange server using the ActiveSync protocol, it provides attributes such as device-type and user-agent. These attributes are collected by the plugin software and sent to the CPPM profiler. Profiler uses dictionaries to derive profiles from these attributes. CPPM OnGuard The ClearPass OnGuard agent performs advanced endpoint posture assessment.
Figure 335: SNMP Read/Write Settings Tabs In large or geographically spread cluster deployments, you do not want all CPPM nodes to probe all SNMP configured devices. The default behavior is for a CPPM node in the cluster to read network device information only for devices configured to send traps to that CPPM node. Subnet Scan A network subnet scan is used to discover IP addresses of devices in the network.
4. Click the On-demand Subnet Scan link. The Initiate On-Demand Subnet Scan pop-up opens. Specify the IP subnets to be scanned in the Subnets to scan field for discovering hosts. 5. Click Submit. The subnet scan progress is shown on the Profile Settings page. You can view the subnet scan events in the Event Viewer (Monitoring > Event Viewer) page.
Figure 338: Profile Settings - SNMP Configuration 2. Enter the IP subnet in the IP Subnet field. 3.
Profiling The Profile module uses a two-stage approach to classify endpoints using input attributes. Stage 1 Stage 1 tries to derive device profiles using static dictionary lookups. Based on the attributes available, Stage 1 looks up the DHCP, HTTP, ActiveSync, MAC OUI, and SNMP dictionaries and derives multiple matching profiles. When multiple matches are returned, the priority of the source that provided the attribute is used to select the appropriate profile.
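The DHCP collector described above and the Stage 1 dictionary lookup come together in the following example, which is added here and is not ClearPass code. It constructs a minimal DHCPDISCOVER, parses the option area (option 53 message type, 55 parameter request list, 60 vendor class, 12 hostname), turns option 55 into the comma-separated signature that fingerprint dictionaries key on, looks up the client MAC's OUI, and resolves competing matches by source priority. The dictionaries, the priority order and the packet contents are constructed for illustration; the page states that source priority decides but not which source ranks highest.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS = 12, 53, 55, 60

# Constructed stand-ins for the profiler's dictionaries (not ClearPass data).
DHCP_PARAM_LIST_DICT = {"1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows"}
VENDOR_CLASS_DICT = {"MSFT": "Windows", "android-dhcp": "Android"}
OUI_DICT = {"00:11:22": "Example Corp"}
# Assumed precedence when several dictionaries match.
SOURCE_PRIORITY = {"dhcp:param_list": 3, "dhcp:vendor_class": 2, "mac_oui": 1}


def build_discover(mac: bytes, param_list: bytes, vendor_class: bytes, hostname: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER (236-byte BOOTP header + options) as a stand-in for a capture."""
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    header += mac.ljust(16, b"\x00") + bytes(64) + bytes(128)   # chaddr, sname, file
    options = (MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1])
               + bytes([OPT_PARAM_LIST, len(param_list)]) + param_list
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname + b"\xff")
    return header + options


def parse_dhcp(packet: bytes) -> dict:
    """Return {'mac': 'aa:bb:..', 'options': {code: bytes}}; skips pad (0), stops at end (255),
    concatenates repeated options (RFC 3396) and rejects truncated ones."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, pos = {}, 240
    while pos < len(packet):
        code = packet[pos]
        if code == 0:
            pos += 1
            continue
        if code == 255:
            break
        if pos + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value
        pos += 2 + length
    return {"mac": mac, "options": options}


def stage1_candidates(parsed: dict) -> list:
    """Static dictionary lookups; each hit is (source, profile)."""
    opts, hits = parsed["options"], []
    if OPT_PARAM_LIST in opts:
        signature = ",".join(str(b) for b in opts[OPT_PARAM_LIST])
        if signature in DHCP_PARAM_LIST_DICT:
            hits.append(("dhcp:param_list", DHCP_PARAM_LIST_DICT[signature]))
    if OPT_VENDOR_CLASS in opts:
        vendor_class = opts[OPT_VENDOR_CLASS].decode("ascii", "replace")
        for prefix, profile in VENDOR_CLASS_DICT.items():
            if vendor_class.startswith(prefix):
                hits.append(("dhcp:vendor_class", profile))
    oui = parsed["mac"][:8]
    if oui in OUI_DICT:
        hits.append(("mac_oui", OUI_DICT[oui]))
    return hits


def classify(packet: bytes) -> tuple:
    """Choose the candidate from the highest-priority source; (None, None) when nothing matched."""
    hits = stage1_candidates(parse_dhcp(packet))
    if not hits:
        return None, None
    source, profile = max(hits, key=lambda hit: SOURCE_PRIORITY.get(hit[0], 0))
    return profile, source


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("001122334455"),
                              bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252]),
                              b"MSFT 5.0", b"LAPTOP-01")
    print(stage1_candidates(parse_dhcp(discover)))
    print(classify(discover))
```

Everything the DHCP collector sees is chosen by the client, so a DHCP-derived profile is a hint, not an identity: an endpoint can replay a printer's option 55 list to land in a "printer" role. Pair profile-based enforcement with authentication or with a second, server-side source (SNMP or the ActiveSync plugin) before it grants anything sensitive.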
The following figure displays the Profiler tab: Figure 339: Profiler tab The following table describes the Profiler tab parameters:
Table 203: Profiler tab Parameters
Endpoint Classification: Select the classification after which an action must be triggered. You can select a new action or remove a current action.
RADIUS CoA Action: Select an action. Click View Details to view details about the selected action. Click Modify to change the values of the selected action.
Chapter 12 Policy Simulation After creating the policies, use the Policy Simulation utility in the Configuration > Policy Simulation page to evaluate those policies before deployment. The Policy Simulation utility applies a set of request parameters as input against a given policy component and displays the outcome.
Simulation Tab The figure below displays the Active Directory Authentication policy simulation settings available on the Configuration > Policy Simulation > Add page.
Application Authentication This simulation tests authentication requests generated from ClearPass Guest.
Application Authentication Results tab: Figure 345: Application Authentication Results Tab
Table 209: Application Authentication Results Tab Parameters
Summary: Displays the results of the Application Authentication simulation.
Application Authentication Output Attributes: Displays the output attributes, such as Super Administrator.
Audit This simulation allows you to specify an audit against a Nessus server or Nmap server by its IP address.
Results Tab The following figure displays the Audit Simulation - Results tab: Figure 347: Audit Simulation Results Tab The following table describes the Audit Simulation - Results tab parameters: Table 211: Audit Results Tab Parameters Parameter Description Summary Displays information about the Audit Status, Temporary Status, and Audit Timeout. Audit Output Attributes Displays the Audit-Status such as AUDIT_INPROGRESS.
The following table describes the Chained Simulation - Results tab parameters:
Table 212: Chained Simulation Tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Authentication Source: Default value = [Local User Repository] if you select:
- [Policy Manager Admin Network Login Service]
- [Aruba Device Access Service]
Type: Select from the following namespaces (for the Radius: types, see RADIUS Namespaces on page 610):
- Application (see Application Namespace on page 602)
- Certificate (see Certificate Namespaces on page 606)
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
- Radius:Aruba
- Trend:AV
- Cisco:HIPS
- Cisco:HOST
- Cisco:PA
- NAI:AV
- Symantec:AV
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Enforcement Policy Given the service name (and the associated enforcement policy), a role or a set of roles, the system posture status, and an optional date and time, the enforcement policy simulation evaluates the rules in the enforcement policy and displays the resulting enforcement profiles and their contents. Authentication Source and User Name inputs are used to derive dynamic values in the enforcement profile that are retrieved from the authorization source. These inputs are optional.
The following table describes the Enforcement Policy Simulation tab parameters:
Table 215: Enforcement Policy Simulation tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Enforcement Policy / Authentication Source: Autofilled with [Admin Network Login Policy] if you select [Policy Manager Admin Net
Table 215: Enforcement Policy Simulation tab Parameters (Continued)
Dynamic Roles: Select from:
- [Onboard Windows]
- [Onboard Mac OS X]
- [Onboard iOS]
- [Aruba TACACS root Admin]
- [Aruba TACACS read-only Admin]
- [Device Registration]
- [BYOD Operator]
- [AirGroup v1]
- [AirGroup v2]
Add Role: Enter the name of a dynamic role in the Add Role field and click the Add Role button to populate the Dynamic Roles list.
System Posture Status
Table 216: Enforcement Policy Attributes tab Parameters (Continued)
Type: Select from:
- Application (see Application Namespace on page 602)
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
- Radius:Aruba
For the Radius: types, see RADIUS Namespaces on page 610.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Figure 354: RADIUS Authentication Simulation Tab (Remote Server selected) The following table describes the RADIUS Simulation tab parameters: Table 218: RADIUS Simulation Tab Parameters Parameter Description Server Select Local or Remote. CPPM IP Address or FQDN NOTE: This field is only displayed if Remote Server is selected. Enter the IP Address or FQDN of the remote CPPM server. Port NOTE: This field is only displayed if Remote Server is selected. Enter the port number of the remote CPPM server.
Table 218: RADIUS Simulation Tab Parameters (Continued)
  - EAP-GTC
  - EAP-TLS
- TTLS: the Authentication inner method field is enabled. The selections are:
  - PAP
  - CHAP
  - MSCHAPv2
  - EAP-MSCHAPv2
  - EAP-GTC
  - EAP-TLS
- TLS: the Authentication inner method field is disabled.
For more information, see Authentication Namespaces on page 603.
Client MAC Address (optional): Enter the client MAC address to be populated in the request.
Username: Enter the username.
Password: Enter the password.
NAS Type: Aruba Wireless Controller Figure 355: Aruba Wireless Controller Type - Attributes Tab
Table 219: Aruba Wireless Controller Required - Attribute Settings
Line 1: Type = Radius:IETF; Name = NAS-Port-Type; Value = Wireless-802.
NAS Type: Cisco Wireless Switch Figure 357: NAS Type: Cisco Wireless Switch Attributes Tab
Table 221: NAS Type: Cisco Wireless Switch Required Attribute Settings
Line 1: Type = Radius:IETF; Name = NAS-Port-Type; Value = 802.11(19)
Line 2: Type = Radius:IETF; Name = Service-Type; Value = Framed-User(2)
Results Tab The following figure displays the Policy Simulation RADIUS - Results tab: Figure 358: Results Tab
Table 222: RADIUS Authentication Results Tab Parameters Parameter Description Summary Displays a summary of the simulation. Authentication Result Displays the outcome of the Authentication test. Details Click this link to open a popup that provides details about the Authentication test. You can take the following actions: l Click the Summary, Input, and Output tabs l Click the Change Status, Show Logs, Export, or Close buttons. Status Message(s) Displays the status messages resulting from the test.
Table 223: Role Mapping Simulation Tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Role Mapping Policy: Field is disabled if you select:
- [Policy Manager Admin Network Login Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
Field is auto-filled with [AirGroup Version Match] if you select [A
Table 224: Role Mapping Simulation Attributes Tab Parameters Attribute Parameter Type Select the type of attributes from the drop-down list.
Simulation Tab The following figure displays the Service Categorization Simulation - Simulation tab: Figure 362: Service Categorization Simulation Tab
Table 226: Service Categorization Simulation Tab Parameters
Type
Namespace Details
Test Date and Time: Click the calendar widget and select:
- Test start date
- Test start time
Attributes Tab Enter the attributes of the policy component to be tested.
Table 227: Service Categorization Simulation Attributes Tab Parameters (Continued)
Type: Select from:
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Aruba
See RADIUS Namespaces on page 610.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
Table 229: Import from file page Parameters Parameter Description Select file Browse to select name of simulations to import. Enter secret for the file (if any) If the file was exported with a secret key for encryption, enter the same key here. Export Simulations Click the Export All link to export all simulations. The browser displays the Save As dialog box in which you can enter the name of the XML file to export all simulations. The following image shows an example of the Export page to file page.
Chapter 13 Administration All administrative activities including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance are done from the following Administration menus:
- ClearPass Portal
  - ClearPass Portal on page 390
- Users and privileges
  - Admin Users on page 391
  - Admin Privileges on page 393
- Server Manager
  - Server Configuration on page 399
  - Log Configuration on page 457
  - Local Sha
  - Documentation on page 564
ClearPass Portal Navigate to the Administration > Agents and Software Updates > ClearPass Portal page. Using this page you can customize the content for your enterprise. The following figure displays the ClearPass Portal page: Figure 367: ClearPass Portal
The following table describes the ClearPass Portal parameters:

Table 231: ClearPass Portal Parameters
  Default Landing Page: Select the page that the user first sees after logging in to ClearPass:
    - Application Login Page:
      - ClearPass Policy Manager
      - ClearPass Guest
      - ClearPass Insight
      - ClearPass Onboard
    - Guest Portal
  Page Title: Click and type the text to appear as the page title in the default landing page.
  - Setting Password Policy for Admin Users

Adding an Admin User

To add a new admin user to the Admin Users table:
1. Click the Add link at the top right corner of the page. The Add Admin User pop-up is displayed.
2. In the User ID and Name fields, specify a user ID and name for the admin user.
3. In the Password and Verify Password fields, specify a password for the admin user.
4. Select a privilege level from the Privilege Level drop-down list.
5. Click Add.
  - At least one of each: uppercase letter, lowercase letter, digit, and symbol
4. Specify the characters not to be allowed in the password in the Disallowed Characters field.
5. Specify the words not to be allowed in the password in the Disallowed Words (CSV) field.
6. Select any additional checks, if required. The options are:
  - May not contain User ID or its characters in reversed order
  - May not contain a repeated character four or more times consecutively
7.
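The checks listed in this procedure, as an added Python example (not ClearPass code): a candidate admin password is evaluated against a policy object whose fields mirror the complexity option, the Disallowed Characters and Disallowed Words (CSV) fields and the two additional checks. The minimum length value is an assumption, since this page does not state it.

```python
"""Admin password policy checker.

Added example; not ClearPass code. Implements the checks named in the
Password Policy procedure: the "at least one of each" complexity rule,
the Disallowed Characters field, the Disallowed Words (CSV) field, the
"may not contain User ID or its characters in reversed order" check and
the "may not contain repeated character four or more times consecutively"
check. The minimum length is an assumed value (not stated on this page).
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class PasswordPolicy:
    minimum_length: int = 8                 # assumed value; not given on this page
    require_all_classes: bool = True        # "At least one of each" complexity option
    disallowed_characters: str = ""         # Disallowed Characters field
    disallowed_words: List[str] = field(default_factory=list)  # Disallowed Words (CSV)
    check_user_id: bool = True              # additional check: User ID, forward or reversed
    check_repeats: bool = True              # additional check: no run of 4+ identical chars


def parse_disallowed_words(csv_text: str) -> List[str]:
    """Split the Disallowed Words (CSV) field into lowercase words, ignoring blanks."""
    return [w.strip().lower() for w in csv_text.split(",") if w.strip()]


def check_password(password: str, user_id: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems: List[str] = []

    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")

    if policy.require_all_classes:
        # One of each: uppercase letter, lowercase letter, digit, symbol.
        classes = {
            "uppercase letter": any(c.isupper() for c in password),
            "lowercase letter": any(c.islower() for c in password),
            "digit": any(c.isdigit() for c in password),
            "symbol": any(not c.isalnum() and not c.isspace() for c in password),
        }
        problems.extend(f"missing {name}" for name, ok in classes.items() if not ok)

    # Disallowed Characters: any overlap with the configured set is a violation.
    bad_chars = sorted(set(password) & set(policy.disallowed_characters))
    if bad_chars:
        problems.append("contains disallowed characters: " + "".join(bad_chars))

    # Disallowed Words (CSV): case-insensitive substring match.
    lowered = password.lower()
    problems.extend(
        f"contains disallowed word '{w}'" for w in policy.disallowed_words if w in lowered
    )

    # May not contain User ID or its characters in reversed order.
    if policy.check_user_id and user_id:
        uid = user_id.lower()
        if uid in lowered:
            problems.append("contains the User ID")
        elif uid[::-1] in lowered:
            problems.append("contains the User ID reversed")

    # May not contain a character repeated four or more times consecutively.
    if policy.check_repeats and re.search(r"(.)\1{3,}", password):
        problems.append("a character is repeated four or more times consecutively")

    return problems


if __name__ == "__main__":
    # Constructed policy: no "$" or spaces, two disallowed words.
    policy = PasswordPolicy(
        disallowed_characters="$ ",
        disallowed_words=parse_disallowed_words("clearpass, password"),
    )
    for candidate in ("Gr8!Adm1nKey", "Xeodj!9ab", "MyPassword1!", "Abbbb1!cd"):
        print(candidate, "->", check_password(candidate, "jdoe", policy) or ["ok"])
```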
The following figure displays the Admin Privileges page:

Figure 371: Admin Privileges Page

For more information about the admin privileges file structure, refer to the following topics:
  - Creating Custom Administrator Privileges on page 394
  - Administrator Privilege XML File Structure on page 394
  - Administrator Privileges and IDs on page 395
  - Sample Administrator Privilege XML File on page 398

Creating Custom Administrator Privileges

To create a custom admin privilege XML file, you must use a pla
An optional TipsHeader tag can follow the TipsContents tag. The actual admin privilege information is defined with the AdminPrivilege and AdminTask tags. Use one AdminPrivilege tag for each admin privilege you want to define. The AdminPrivilege tag contains the following two attributes:
  - name
  - description
You can have one or more AdminTask tags inside the AdminPrivilege tag.
Table 232: Administrator Privileges and IDs (Continued)
  Area (Dell Networking W-ClearPass Policy Manager Menu) / Task ID
    - System Monitor: mon.li.sy
  - Audit Viewer: mon.av
  - Blacklisted Users: mon.bl
  - Event Viewer: mon.ev
  - Data Filters: mon.df
  - Configuration: con
    - Start Here (Services Wizard): con.sh
    - Services: con.se
    - Service Templates: con.st
    - Authentication: con.au
      - Methods: con.au.am
      - Sources: con.au.as
    - Identity: con.id
      - Single Sign-On: con.id.

Table 232: Administrator Privileges and IDs (Continued)
  Area (Dell Networking W-ClearPass Policy Manager Menu) / Task ID
      - Profiles: con.en.epr
    - Network: con.nw
      - Devices: con.nw.nd
      - Device Groups: con.nw.ng
      - Proxy Targets: con.nw.pr
    - Policy Simulation: con.ps
    - Profile Settings: con.prs
  - Administration: adm
    - User and Privileges: adm.us
      - ClearPass Portal: adm.po.cp
      - Admin Users: adm.us.au
      - Admin Privileges: adm.us.ap
    - Server Manager: adm.mg
      - Server Configuration: adm.mg.

Table 232: Administrator Privileges and IDs (Continued)
  Area (Dell Networking W-ClearPass Policy Manager Menu) / Task ID
      - Server Certificate: adm.cm.mc
      - Trust List: adm.cm.ctl
      - Revocation List: adm.cm.crl
    - Dictionaries: adm.di
      - RADIUS: adm.di.rd
      - Posture: adm.di.pd
      - TACACS+ Services: adm.di.td
      - Fingerprints: adm.di.df
      - Attributes: adm.di.at
      - Applications: adm.di.ad
    - Agents and Software Updates: adm.po
      - Onguard Settings: adm.po.aas
      - Software Updates: adm.po.
The following sample provides Read/Write access only to Guest, Local and Endpoint Repository:
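As an added example that is neither the page's sample file nor ClearPass code, the following Python script parses a constructed privilege file built from the TipsContents, TipsHeader, AdminPrivilege and AdminTask tags described above and checks every task ID against Table 232, flagging write access on the areas that manage administrators themselves. The AdminTask attribute names taskid and access, the values R and RW, and the sample file are assumptions made for this illustration.

```python
"""Least-privilege review of a custom administrator privilege XML file.

Added example; not ClearPass code. It follows the structure this chapter
describes (TipsContents root, optional TipsHeader, one AdminPrivilege tag
per privilege with name and description attributes, one or more AdminTask
tags inside it) and checks each task ID against Table 232. The AdminTask
attribute names "taskid" and "access", the access values "R" and "RW", and
the sample file itself are assumptions made for this illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Task IDs taken from Table 232 on this page (the table continues beyond what
# is shown there; extend this set from the full table in a real deployment).
KNOWN_TASK_IDS = {
    "mon.li.sy", "mon.av", "mon.bl", "mon.ev", "mon.df",
    "con", "con.sh", "con.se", "con.st", "con.au", "con.au.am", "con.au.as",
    "con.id", "con.en.epr", "con.nw", "con.nw.nd", "con.nw.ng", "con.nw.pr",
    "con.ps", "con.prs",
    "adm", "adm.us", "adm.po.cp", "adm.us.au", "adm.us.ap", "adm.mg",
    "adm.cm.mc", "adm.cm.ctl", "adm.cm.crl", "adm.di", "adm.di.rd", "adm.di.pd",
    "adm.di.td", "adm.di.df", "adm.di.at", "adm.di.ad", "adm.po", "adm.po.aas",
}

# Write access here lets the holder change who the administrators are or what
# they may do, so it deserves a second look in any custom privilege.
ADMIN_MANAGEMENT_IDS = {"adm", "adm.us", "adm.us.au", "adm.us.ap"}

# Constructed sample file (hypothetical attribute names; see module docstring).
SAMPLE_XML = """<TipsContents>
  <TipsHeader/>
  <AdminPrivilege name="Helpdesk Reviewer" description="Read-only monitoring">
    <AdminTask taskid="mon.av" access="R"/>
    <AdminTask taskid="mon.ev" access="R"/>
  </AdminPrivilege>
  <AdminPrivilege name="Account Operator" description="Manages admin accounts">
    <AdminTask taskid="adm.us.au" access="RW"/>
    <AdminTask taskid="con.se.x" access="R"/>
  </AdminPrivilege>
</TipsContents>
"""

Privilege = List[Tuple[str, str]]   # (taskid, access) pairs


def _local(tag: str) -> str:
    """Strip a default XML namespace prefix, if the export carries one."""
    return tag.rsplit("}", 1)[-1]


def load_privileges(xml_text: str) -> Dict[str, Privilege]:
    """Map each AdminPrivilege name to its (taskid, access) pairs."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "TipsContents":
        raise ValueError(f"expected a TipsContents root, got {root.tag}")
    privileges: Dict[str, Privilege] = {}
    for priv in root.iter():
        if _local(priv.tag) != "AdminPrivilege":
            continue
        name = priv.get("name")
        if not name:
            raise ValueError("AdminPrivilege without a name attribute")
        privileges[name] = [
            (task.get("taskid", ""), task.get("access", "R"))
            for task in priv
            if _local(task.tag) == "AdminTask"
        ]
    return privileges


def review_privilege(tasks: Privilege) -> List[str]:
    """Return findings for one privilege; an empty list means nothing to flag."""
    findings: List[str] = []
    if not tasks:
        findings.append("privilege grants no tasks")
    for taskid, access in tasks:
        if taskid not in KNOWN_TASK_IDS:
            findings.append(f"unknown task ID '{taskid}' (check Table 232)")
        elif access not in ("R", "RW"):
            findings.append(f"{taskid}: unexpected access value '{access}'")
        elif access == "RW" and taskid in ADMIN_MANAGEMENT_IDS:
            findings.append(f"{taskid}: read/write on an admin-management area")
    return findings


def review_file(xml_text: str) -> Dict[str, List[str]]:
    """Review every privilege in the file; keys are privilege names."""
    return {name: review_privilege(tasks) for name, tasks in load_privileges(xml_text).items()}


if __name__ == "__main__":
    for name, findings in review_file(SAMPLE_XML).items():
        print(f"{name}: {findings or ['no findings']}")
```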
The following figure displays the Server Configuration page:

Figure 372: Server Configuration Page

This section describes the following server configuration tasks:
  - Edit Server Configuration Settings on page 400
  - Set Date & Time on page 432
  - Change Cluster Password on page 434
  - Policy Manager Zones on page 435
  - NetEvents Targets on page 436
  - Virtual IP Settings on page 437
  - Clear Machine Authentication Cache on page 438
  - Make Subscriber on page 439
  - Upload Nessus Plugins on page 4
Setting Date and Time

Use the Set Time Zone link at the top-right corner of the Server Configuration page (Administration > Server Manager > Server Configuration) to set the date and time for the selected node in a cluster. To set the date and time, select a time zone from the areas listed. The selected time zone is displayed in the Current time zone field.
Figure 375: Promote to Publisher

Joining a Server Back to Cluster

Use the Join server back to cluster link to join a server back to the cluster. You can use this option only for a server that is in the Disabled state on the Server Configuration page (Administration > Server Manager > Server Configuration). The following figure displays the Server Configuration page:

Figure 376: Server Configuration Page with Disabled Node

For more information on the Server Configuration page, see Server Configuration on page 399.
Figure 377: Server Configuration - Join Server Back to Cluster

2. Click the Join server back to cluster link at the top-right corner. A warning message appears with a prompt to promote the node to 'Publisher'. This option can only be triggered from a node that is currently active in the cluster. The following figure displays the warning message:

Figure 378: Join Server Back to Cluster

3. Click Yes in the warning message pop-up. A progress indicator shows the progress, with log entries.
The following figure displays the Join server back to cluster progress indicator:

Figure 379: Join Server Back to Cluster - Progress

4. For a failed publisher node, the following message is displayed on the Dashboard page:

Figure 380: Publisher Warning Message

System Tab

By default, the Server Configuration page opens on the System tab.
The following figure displays the System tab:

Figure 381: System Tab

The following table describes the System tab parameters:

Table 233: Server Configuration System Tab Parameters
  Hostname: Specify the hostname of the Policy Manager appliance. You need not enter the fully qualified domain name in this field.
  Policy Manager Zone: Select a previously configured zone from the drop-down list. Click the Policy Manager Zones link to add and edit zones.
Table 233: Server Configuration System Tab Parameters (Continued)
  Span Port: Select a port for DHCP spanning. This field is optional. When you select a port, the Enable TCP/ARP Fingerprinting check box appears.
  Enable TCP/ARP Fingerprinting: Select the check box to enable TCP/ARP fingerprinting. This feature allows the Netbridge service to capture TCP and ARP packets and post the derived inputs to the device profiler. NOTE: This option appears only when you select a Span Port.
If you need to authenticate users belonging to multiple AD forests or domains in your network, and there is no trust relationship between these entities, you must join CPPM to each of these untrusted forests or domains. CPPM does not need to join multiple domains belonging to the same AD forest, because a one-way trust relationship exists between those domains; in this case, CPPM can join the root domain.
The following table describes the Join AD Domain parameters:

Table 234: Join AD Domain Parameters
  Domain Controller: Fully qualified name of the Active Directory domain controller.
  NETBIOS name (optional): The NETBIOS name of the domain. Enter this value only if it differs from your regular Active Directory domain name (it is usually a shorter name). Contact your AD administrator about the NETBIOS name.
The following figure displays the Configure AD Password Servers window:

Figure 384: Configure AD Password Servers

Services Control Tab

From the Services Control tab, you can view service status and control (stop or start) the various Policy Manager services, including any AD domains that the server has joined.
The following figure displays the Services Control tab:

Figure 385: Services Control Tab

Service Parameters Tab

Navigate to the Service Parameters tab to change the system parameters of a variety of services. The options on this page vary based on the selected service. Select the service that you want to edit.
The following figure displays the Async network services parameters in the Service Parameters tab:

Figure 387: Async Network Services

The following table describes the Async network services parameters in the Service Parameters tab:

Table 235: Service Parameters - Async Network Services
  Post Auth
    Number of request processing threads: Set the number of request processing threads. The default value is 20 threads, and the allowed values are between 20 and 100.
The following figure displays the ClearPass network services parameters in the Service Parameters tab:

Figure 388: ClearPass Network Services - Service Parameters Tab

The following figure displays the ClearPass network services parameters in the Service Parameters tab in FIPS mode:

Figure 389: ClearPass Network Services - Service Parameters Tab, FIPS Mode
The following table describes the ClearPass network services parameters in the Service Parameters tab:

Table 236: Service Parameters - ClearPass Network Services
  DhcpSnooper
    MAC to IP Request Hold time: Specifies the number of seconds to wait before responding to a query for the IP address corresponding to a MAC address. Any DHCP message received in this period refreshes the MAC to IP binding.
Table 236: Service Parameters - ClearPass Network Services (Continued)
  NOTE: The EAP-MD5 authentication type is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode.
  SNMP v3 Trap Privacy Protocol: Specifies the SNMP v3 privacy protocol for traps. Must be one of DES_CBC, AES_128, or empty (to disable privacy). NOTE: The DES_CBC privacy protocol is not supported if you use Dell Networking W-ClearPass Policy Manager in FIPS mode.
The following figure displays the ClearPass system services parameters in the Service Parameters tab:

Figure 390: ClearPass System Services Parameters (partial view)

The following table describes the ClearPass system services parameters in the Service Parameters tab:

Table 237: Service Parameters - ClearPass System Services
  PHP System Configuration
    Memory Limit: Maximum memory that can be used by the PHP applications.
Table 237: Service Parameters - ClearPass System Services (Continued)
  HTTP Proxy
    Proxy Server: Hostname or IP address of the proxy server.
    Port: Port at which the proxy server listens for HTTP traffic.
    Username: Username to authenticate with the proxy server.
    Password: Password to authenticate with the proxy server.
  Database Configuration
    Maximum connections: Specify a number between 300 and 2000 for the maximum number of allowed connections.
Table 237: Service Parameters - ClearPass System Services (Continued)
  Maximum Requests: Specify a number between 0 and 3000 for the maximum number of requests allowed. The default value is 500.
  Enable Host Header check: Specify TRUE or FALSE. The default value is TRUE. When you set this value to TRUE, the Host Header Restriction check is enabled and only the allowed (whitelisted) host headers are accepted.
Table 238: Service Parameters - Policy Server Service (Continued)
  primary server again.
  External Posture Server Thread Pool Size: Specifies the number of threads to use for posture servers.
  External Posture Server Primary Retry Interval: After a primary posture server goes down, Policy Manager connects to one of the backup servers. This parameter specifies how long Policy Manager waits before it tries to connect to the primary server again.
The following table describes the RADIUS server parameters in the Service Parameters tab:

Table 239: Service Parameters - Radius Server Service
  Proxy
    Maximum Response Delay: Time delay before retrying a proxy request if the target server has not responded.
    Maximum Reactivation Time: Time to elapse before retrying a dead proxy server.
    Maximum Retry Counts: Maximum number of times to retry a proxy request if the target server does not respond.
Table 239: Service Parameters - Radius Server Service (Continued)
  Source Connection Count
  SQL DB Authentication Source Connection Count: Maximum number of SQL DB connections opened.
  Kerberos Authentication Source Connection Count: Maximum number of Kerberos connections opened.
  EAP-TLS
    Fragment Size: Maximum allowed size for the EAP-TLS fragment.
  Use Inner Identity in Access-Accept Reply: Specify TRUE to use the inner identity in the Access-Accept replies; otherwise, specify FALSE.
Table 239: Service Parameters - Radius Server Service (Continued)
  Thread Pool
    Maximum Number of Threads: Maximum number of threads in the RADIUS server thread pool to process requests.
    Number of Initial Threads: Initial number of threads in the RADIUS server thread pool to process requests.
  AD (Active Directory) Errors
    AD (Active Directory) Errors Window Size: Enter a duration during which Active Directory errors are accumulated for possible action.
Stats Collection Service Options

The following figure displays the Stats Collection service parameters in the Service Parameters tab:

Figure 393: Stats Collection Service Parameters

The following table describes the Stats Collection service parameters in the Service Parameters tab:

Table 240: Service Parameters - Stats Collection Service
  Enable Stats Collection: This option enables or disables Stats Collection and Stats Aggregation.
The following table describes the System Monitor service parameters in the Service Parameters tab:

Table 241: Service Parameters - System Monitor Service
  Free Disk Space Threshold: This parameter monitors the available disk space. If the available free disk space falls below the specified threshold (default 30%), the system sends SNMP traps to the configured trap servers.
The following figure displays the System Monitoring tab:

Figure 396: System Monitoring Tab

The following table describes the System Monitoring tab parameters:

Table 243: System Monitoring Tab Parameters
  System Location: Specify the location of the Dell Networking W-ClearPass Policy Manager appliance.
  System Contact: Specify the contact information for the Dell Networking W-ClearPass Policy Manager appliance.
Table 243: System Monitoring Tab Parameters (Continued)
    - AUTH_PRIV (authenticate and keep the communication private): If you select this security level, the MD5 and SHA authentication protocols are available.
    This field is available only if you selected V3 as the SNMP version in the Version field.
  Authentication Protocol: Select the authentication protocol, MD5 or SHA. The available protocols depend on the security level that you selected in the Security Level field.
The following figure displays the Create Tunnel pop-up:

Figure 398: Create Tunnel

The following table describes the Create Tunnel parameters:

Table 244: Create Tunnel Parameters
  Display Name: Specify the name for the tunnel interface. This name is used to identify the tunnel in the list of network interfaces.
  Local Inner IP: Local IP address of the tunnel network interface.
  Remote Outer IP: IP address of the remote tunnel endpoint.
Create IPSec Tunnel

Navigate to the Network tab and click Create IPSec Tunnel to create IPSec tunnel interfaces. The following figure displays the Create IPSec Tunnel pop-up:

Figure 399: Create IPSec Tunnel

The following table describes the Create IPSec Tunnel parameters:

Table 245: Create IPSec Tunnel Parameters
  Local Interface: Specify the local (management) port.
  Remote IP Address: Shows the IP address of the remote host.
  IPSec Mode: Select the IPSec mode from the options: Tunnel or Transport.
Table 245: Create IPSec Tunnel Parameters (Continued)
    - PRF-HMAC-MD5
    - PRF-HMAC-SHA1
    - PRF-HMAC-SHA256
    - PRF-HMAC-SHA384
  Encryption Algorithm: Select the encryption algorithm to use from the following:
    - 3DES
    - AES128
    - AES192
    - AES256
  Hash Algorithm: Select the hash algorithm to use from the following:
    - HMAC-SHA
    - HMAC-SHA256
    - HMAC-SHA384
    - HMAC-MD5
  Diffie Hellman Group: Select the Diffie Hellman group from the following:
    - Group 1
    - Group 2
    - Group 5
    - Group 14
    - Group 19
    - Group 20
The following figure displays the Create VLAN pop-up:

Figure 400: Create VLAN

The following table describes the Create VLAN parameters:

Table 246: Create VLAN Parameters
  Physical Interface: The physical port on which to create the VLAN interface. This is the interface through which the VLAN traffic is routed.
  VLAN Name: Name for the VLAN interface. This name is used to identify the VLAN in the list of network interfaces.
  VLAN ID: 802.1Q VLAN identifier.
The following figure displays the Restrict Access pop-up:

Figure 401: Restrict Access Dialog Box

The following table describes the Restrict Access parameters:

Table 247: Restrict Access Parameters
  Resource Name: Select the application to which you want to allow or deny access.
  Access: Select one of the access control options:
    - Allow: Allows access to the selected application.
    - Deny: Denies access to the selected application.
See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 for details on the FIPS 140-2 validated cryptographic module. You can enable FIPS mode in ClearPass Policy Manager during installation using the CLI, or after installation using the Web UI. The following figure displays the prompt to enable FIPS mode using the CLI:

Figure 402: Enabling FIPS Mode

After enabling FIPS mode using the CLI commands, you can verify whether FIPS mode is enabled in the Configuration Summary page.
Alternatively, you can enable or disable the FIPS mode in the Administration > Server Manager > Server Configuration > FIPS tab.
  - Time Zone on Publisher Tab on page 433

Date & Time Tab

You can set the date and time for the server using this tab. The following figure displays the Date & Time tab of the Change Date and Time pop-up:

Figure 406: Change Date and Time - Date & Time Tab

The following table describes the Date & Time tab parameters:

Table 248: Change Date and Time - Date & Time Tab Parameters
  Date in yyyy-mm-dd format: To specify the date and time, use the indicated syntax.
The following figure displays the Time zone on publisher tab of the Change Date and Time pop-up:

Figure 407: Time Zone on Publisher Tab

Change Cluster Password

To change the cluster-wide password, follow the procedure below:
1. Navigate to the Administration > Server Manager > Server Configuration page and click the Change Cluster Password link. The Change Cluster Password pop-up appears.
2. Enter the new password, then verify the password.
3. Click Save.
The following figure displays the Change Cluster Password pop-up:

Figure 408: Change Cluster Password Dialog

Policy Manager Zones

CPPM shares a distributed cache of runtime state across all nodes in a cluster. This runtime state includes:
  - Roles and postures of connected entities
  - Connection status of all endpoints running OnGuard
  - Endpoint details gathered by the OnGuard agent
CPPM uses this runtime state information to make policy decisions across multiple transactions.
The following figure displays the Policy Manager Zones pop-up:

Figure 409: Policy Manager Zones

NetEvents Targets

NetEvents are a collection of details about Dell Networking W-ClearPass Policy Manager users, endpoints, guests, authentications, accounting details, and so on. This information is periodically posted to a server that is configured as the NetEvents target.
The following table describes the NetEvents Targets parameters:

Table 249: NetEvents Targets
  Target URL: HTTP URL for the service that supports POST and requires authentication using a username and password. NOTE: To specify an external Insight server, use http://:4231/netwatch/netevents in Target URL.
  Username/Password: Credentials configured for authentication with the HTTP service provided in the Target URL.
  Reset: Resets the values entered in the pop-up.
The following table describes the Virtual IP Settings parameters:

Table 250: Virtual IP Settings Parameters
  Virtual IP: Enter the IP address you want to define as the virtual IP address.
  Primary Node: Select the server to use as the primary node.
  Secondary Node: Select the server to use as the secondary node.
  Interface: Select an interface on each server to which the virtual IP address is bound.
  Subnet: This value is filled in automatically after you select the interface.
The following figure displays the message shown after the machine authentication cache is cleared successfully:

Figure 414: Clear Machine Authentication Cache Success Message

Make Subscriber

In a Policy Manager cluster environment, the publisher node acts as the master. A Policy Manager cluster can contain only one publisher node. Administration, configuration, and database write operations may occur only on this master node.
The following table describes the Add Subscriber Node parameters:

Table 251: Add Subscriber Node
  Publisher IP / Publisher Password: Specify the publisher address and password. NOTE: The password specified here is the password for the CLI user appadmin.
  Restore the local log database after this operation: Select the check box to restore the log database following the addition of a subscriber node.
The Cluster-Wide Parameters pop-up contains the following tabs:
  - General on page 441
  - Cleanup Intervals on page 443
  - Notifications on page 445
  - Standby Publisher on page 446
  - Virtual IP Configuration on page 447
  - Mode on page 448
  - Database on page 451

General

The following figure displays the General tab of Cluster-Wide Parameters:

Figure 417: Cluster-Wide Parameters - General Tab
The following table describes the General tab parameters of Cluster-Wide Parameters:

Table 253: Cluster-Wide Parameters - General Tab Parameters
  Policy result cache timeout: Specifies the duration, in minutes, for which the role mapping and posture results derived by the policy engine during a policy evaluation are stored.
Table 253: Cluster-Wide Parameters - General Tab Parameters (Continued)
  available software updates.
  Login Banner Text: Customize the banner text that appears on the ClearPass login screen and at CLI access. You may use the banner to warn users of restrictions on accessing the website.
  Admin Session Idle Timeout: Specify the maximum idle time permitted for admin users, beyond which the session times out. The default value is 30 minutes. The allowed range is 5–1440 minutes.
The following table describes the Cleanup Interval tab parameters of Cluster-Wide Parameters:

Table 254: Cluster-Wide Parameters - Cleanup Interval Tab Parameters
  Maximum inactive time for an endpoint: Specifies the duration, in days, for which an endpoint is retained in the endpoints table since its last authentication. If the endpoint is not authenticated for this period, the entry is removed from the endpoints table. 0 specifies no time limit.
Table 254: Cluster-Wide Parameters - Cleanup Interval Tab Parameters (Continued)
  Static IP endpoints cleanup option: Specify whether to enable the option to clean up static IP endpoints. You can select TRUE or FALSE. The default option is FALSE.
  Old Audit Records cleanup interval: Specify the cleanup interval, in days, that ClearPass uses to determine when to start deleting old audit records from the Audit Viewer page. The default value is 7 days.
The following table describes the Notifications tab parameters of Cluster-Wide Parameters:

Table 255: Cluster-Wide Parameters - Notifications Tab Parameters
  System Alert Level: Specify the alert notifications that are generated for system events logged at this level or higher. If you select INFO, alerts for INFO, WARN, and ERROR messages are generated. If you select WARN, alerts for WARN and ERROR messages are generated.
The following table describes the Standby Publisher tab parameters of Cluster-Wide Parameters:

Table 256: Cluster-Wide Parameters - Standby Publisher Tab Parameters
  Enable Publisher Failover: Select TRUE to authorize a node in the cluster to act as publisher if the primary publisher fails. The default value is FALSE.
  Designated Standby Publisher: Select the server in the cluster to act as the standby publisher. The default value is 0.
Mode

The Mode tab in the Cluster-Wide Parameters pop-up allows you to enable or disable High Capacity Guest mode. High Capacity Guest mode addresses the high-volume licensing requirements of the Public Facing Enterprises (PFE) environment, where a large number of unique endpoints need wireless access.
  - OnGuard and OnBoard access are restricted.
  - Default cleanup interval values are reset.
  - Only guest application licenses are allowed.

The following figure displays the Mode tab of Cluster-Wide Parameters:

Figure 422: Cluster-Wide Parameters - Mode Tab

The following table describes the Mode tab parameters of Cluster-Wide Parameters:

Table 258: Cluster-Wide Parameters - Mode Tab
  High Capacity Guest Mode: Select TRUE or FALSE to enable or disable High Capacity Guest mode.
Table 259: Cleanup Interval Values in High Capacity Guest Mode (Continued)
  Expired guest accounts cleanup interval: The default value is 10 days.
  Profiled endpoints cleanup interval: The default value is 3 days.
  Old Audit Records cleanup interval: The default value is 10 days.
Database

The following figure displays the Database tab of Cluster-Wide Parameters:

Figure 423: Cluster-Wide Parameters - Database Tab

The following table describes the Database tab parameters of Cluster-Wide Parameters:

Table 260: Cluster-Wide Parameters - Database Tab Parameters
  Auto backup configuration options: Select one of the following auto backup configuration options:
    - Off: Select this option to perform no periodic backups.
Table 260: Cluster-Wide Parameters - Database Tab Parameters (Continued)
  synchronize with the publisher. The default value is 5 seconds. The allowed range is 1–60 seconds.
  Store Password Hash for MSCHAP authentication: Set this to TRUE to store the passwords of admin and local users in hash and NTLM hash formats, which enables RADIUS MSCHAP authentication against the admin or local repositories.
If you are attempting to open a capture file (.cap or .pcap) using Wireshark, untar or unzip the file (based on the file extension). When the entire file is extracted, navigate to the PacketCapture folder. In this folder, you will find a file with a .cap extension. Wireshark can be used to open this file and study the network traffic.
The following table describes the Backup Policy Manager Database parameters:

Table 261: Backup Policy Manager Database
  Generate filename: Select the check box to let Policy Manager generate a filename; otherwise, specify a filename. Backup files are in gzipped tar format (tar.gz extension). The backup file is automatically placed in the Shared Local Folder under the folder type Backup Files (see Local Shared Folders).
The following table describes the Restore Policy Manager Database parameters:

Table 262: Restore Policy Manager Database
  Restore file location: Select either Upload file to server or File is on server.
  Upload file path: Browse to select the name of the backup file. NOTE: This option is available only when the Upload file to server option is selected.
  Shared backup files present on the server: If the file is on the server, select a file from the files in the local shared folders.
1. Navigate to the Administration > Server Manager > Server Configuration page and click the Cleanup button. The Force Cleanup Files pop-up is displayed.
2. Enter a number to clean up files that are older than the specified number of days. The allowed range is 0-15.
3. Click Start to initiate the cleanup process.
The following figure displays the cleanup progress:

Figure 429: Cleanup Progress Screen

Shutdown/Reboot

Navigate to the Administration > Server Manager > Server Configuration page and click the Shutdown or Reboot button to shut down or reboot the node.

Drop Subscriber

Navigate to the Administration > Server Manager > Server Configuration page and click the Drop Subscriber button to drop a subscriber from the cluster. This option is not available in a single-node deployment.
Service Log Configuration

The following figure displays the Service Log Configuration tab:

Figure 430: Log Configuration - Service Log Configuration Tab

The following table describes the Service Log Configuration tab parameters:

Table 263: Log Configuration - Service Log Configuration Tab Parameters
  Select Server: Specify the server for which you want to configure logs. All nodes in the cluster appear in the drop-down list.
Table 263: Log Configuration - Service Log Configuration Tab Parameters (Continued)
  NOTE: Set this option first, and then override any modules as necessary.
  Module Name & Log Level: If the Module Log Level Settings option is enabled, select log levels for each available module (listed in decreasing level of verbosity):
    - DEBUG
    - INFO
    - WARN
    - ERROR
    - FATAL
  Restore Defaults/Save: Click Save to save changes or Restore Defaults to restore the default settings.
The following table describes the System Level tab parameters:

Table 264: Log Configuration - System Level Tab Parameters
  Select Server: Specify the server for which you want to configure logs.
  Number of log files: Specify the number of log files of a specific module to keep at any given time.
License Management

The Licensing page shows all the licenses that are activated for the entire Dell Networking W-ClearPass Policy Manager cluster. You must have a Dell Networking W-ClearPass Policy Manager base license for every instance of the product. If the number of licenses used exceeds the number of licenses purchased, you will see a warning four months after the number is exceeded. The number of used licenses is based on the daily moving average.
Figure 434: Servers Tab

Applications Tab

The Applications tab displays the Dell Networking W-ClearPass Policy Manager application license details, such as product type, license type, license activation status, and more. The following figure displays the Applications tab:

Figure 435: Applications Tab

Adding an Application License

To add an application license:
1. Navigate to Administration > Server Manager > Licensing.
2. Click the Add License link in the top right section of the page.
Activating a Server License

You must activate a server license only once, when you first install Policy Manager on a server. To activate a server license:
1. Navigate to Administration > Server Manager > Licensing.
2. Click the Servers tab. Servers that are not activated have the keyword Activate next to the red dot in the Activation Status field.
3. Click Activate next to the red dot in the Activation Status field. The Activate License pop-up appears.
4.
If you are not connected to the Internet, follow the instructions in the Offline Activation section. Download an activation request token from the Policy Manager server and email the file to Dell support. You will receive an activation key that you can upload.
The following figure displays the Update License pop-up:
Figure 439: Update License Pop-up
Updating an Application License
Licenses typically require updating after they expire (for example, when an evaluation license expires) or when usage exceeds the licensed capacity. To update an application license:
1. Navigate to Administration > Server Manager > Licensing.
2. Click the Applications tab.
3. Click anywhere on an application entry except the Activation Status field entry.
The following figure displays the Update License pop-up:
Figure 440: Update License Pop-up
SNMP Trap Receivers
Policy Manager sends SNMP traps that expose the following server information:
- System up-time: how long the system has been running.
- Network interface statistics (up/down): whether each network interface is up or down.
- Process monitoring information: whether the processes that should be running are running, and the maximum and minimum number of allowed instances.
SNMP Trap Receivers Main Page
To view a list of SNMP trap receivers configured on the Dell Networking W-ClearPass Policy Manager server, navigate to Administration > External Servers > SNMP Trap Receivers. The following figure displays the SNMP Trap Receivers page:
Figure 441: SNMP Trap Receivers Page
Adding an SNMP Trap Server
To add an SNMP trap server:
1. Navigate to Administration > External Servers > SNMP Trap Receivers.
2. Click the Add link on the top right section of the page.
Table 265: Add SNMP Trap Server Parameters (Continued)
Community String / Verify: Enter and re-enter the community string used when sending the traps. NOTE: A community string is sent in clear text in SNMPv1 and SNMPv2c traps; treat it as a shared secret and do not reuse a string that grants read or write access on other devices.
Server Port: Port number for sending the traps. By default, the port number is 162. NOTE: Configure the trap server firewall to allow traffic on this port.
Importing an SNMP Trap Server
To import an SNMP trap server:
1. Navigate to Administration > External Servers > SNMP Trap Receivers.
2.
Exporting All SNMP Trap Servers
This link exports all configured SNMP trap receivers. To export all SNMP trap servers:
1. Navigate to Administration > External Servers > SNMP Trap Receivers.
2. Click the Export All link on the top right section of the page. Enter the details based on Table 267.
3. Click Export.
4. Enter the XML file name in the Save As dialog box.
5. Click Save.
The following figure displays the Export to file pop-up:
Figure 445: Export to file Pop-up
The following table describes the Export to file parameters:
Table 268: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.
Deleting an SNMP Trap Server
To delete a single SNMP trap server:
1.
Syslog Targets Main Page
The following figure displays the Syslog Targets page:
Figure 446: Syslog Targets Page
The following table describes the Syslog Targets parameters:
Table 269: Syslog Targets Parameters
Add: Opens the Add Syslog Target pop-up.
Import: Opens the Import from file pop-up. You can import syslog targets from a file.
Export All: Opens the Export to file pop-up. You can export all syslog target entries to a file.
Export: Opens the Export to file pop-up.
The following figure displays the Add Syslog Target pop-up:
Figure 447: Add Syslog Target Pop-up
The following table describes the Add Syslog Target parameters:
Table 270: Add Syslog Target Parameters
Host Address: Syslog server hostname or IP address.
Description: Enter a short description of the syslog server.
Protocol: Select one of the following options:
- UDP: This option reduces overhead and latency.
- TCP: This option provides error checking and packet delivery validation.
The following figure displays the Import from file pop-up:
Figure 448: Import from file Pop-up
The following table describes the Import from file parameters:
Table 271: Import from file Parameters
Select File: Browse to the Syslog Target configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Exporting All Syslog Targets
To export all syslog targets:
1.
The following figure displays the Export to file pop-up:
Figure 449: Export to file Pop-up
The following table describes the Export to file parameters:
Table 272: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.
Exporting a Syslog Target
To export a syslog target:
1. Navigate to Administration > External Servers > Syslog Targets.
2.
The following table describes the Export to file parameters:
Table 273: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.
Deleting a Syslog Target
To delete a syslog target:
1. Navigate to Administration > External Servers > Syslog Targets.
2. Click the check box next to the Host Address entry and click Delete.
3. Click Yes.
Syslog Export Filters Main Page
The following figure displays the Syslog Export Filters page:
Figure 451: Syslog Export Filters Page
The following table describes the Syslog Export Filters parameters:
Table 274: Syslog Export Filters Page Parameters
Add: Add a syslog export filter.
Import: Opens the Import from file pop-up. You can import syslog export filters from a file.
Export All: Opens the Export to file pop-up. You can export all syslog export filter entries to a file.
Adding a Syslog Export Filter To add a syslog export filter, follow the instructions described below. General Tab This section describes the parameters in the General tab of the Administration > External Servers > Syslog Export Filters > Add page.
Table 275: Syslog Export Filters - General Tab Parameters (Continued)
Export Event Format Type: Select one of the following export event formats:
- Standard: Sends the event types in raw syslog format. This is the default event format type.
- LEEF: Sends the event types in Log Event Extended Format (LEEF).
- CEF: Sends the event types in Common Event Format (CEF).
service',Category=start,Action=Failed,Level=WARN,src=10.17.5.228,Component=ClearPass Virtual IP service,Timestamp=Jan 20, 2015 16:48:53 IST 2015-01-20 16:50:05,210 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.syslog.Syslogger - 2015-01-20 16:50:05,210 10.17.5.228 System Events 2 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description=Performed action stop on cpass-domain-server_ CPATS,Category=stop,Action=Success,Level=INFO,src=10.17.5.
Authentication Rules,Auth.NAS-IPAddress=10.17.4.7,src=10.17.5.211,Auth.CalledStationId=000B8661CD70,Auth.NASIdentifier=ClearPassLab3600 Mar 21 16:57:24 10.17.5.228 2015-01-20 16:58:18,909 10.17.5.228 Test Syslogs 0 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Endpoint.Status=null,Endpoint.Device-Name=Mac OS X,Endpoint.Device-Family=Apple Mac,Endpoint.Device-Category=Computer,Endpoint.MACAddress=e0f8471a5450,src=10.17.5.228,Endpoint.Hostname=apples-air,Endpoint.Added-At=2015-01-19 17:06:51+05:30,Endpoint.
The following example shows the CEF event format type for the Session Logs syslog export filter template (the CEF header is seven pipe-delimited fields, Version|Vendor|Product|Device Version|Signature ID|Name|Severity, followed by the space-separated key=value extension):
Dec 01 2014 15:28:40.540 IST 10.17.4.206 CEF:0|Dell|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 RADIUS.Acct-Framed-IPAddress=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.
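The parser below is an added worked example, not code from this guide or from the ClearPass product. It splits a CEF line of the kind shown above, and a LEEF 1.0 line (the other structured format the filter offers; the page itself shows no LEEF sample), into the syslog prefix, the pipe-delimited header, and the key=value extension. Both sample lines are constructed for the example: the CEF one is modelled on the truncated Session Logs line above with illustrative values, and the LEEF one is invented to the LEEF 1.0 layout (tab-separated attributes). The parser resolves the backslash escapes the formats define and rejects a line whose header is cut short, which is the state of the lines printed on this page.

```python
"""Parse CEF and LEEF lines as produced by a Syslog Export Filter (added example)."""
import re
from typing import Dict, List

# Constructed sample modelled on the guide's Session Logs CEF line; values are illustrative.
SAMPLE_CEF = (
    "Dec 01 2014 15:28:40.540 IST 10.17.4.206 "
    "CEF:0|Dell|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|"
    "RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 "
    "RADIUS.Acct-Framed-IP-Address=192.167.230.129 "
    "RADIUS.Auth-Source=AD:10.17.4.130 "
    "RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 "
    "RADIUS.Auth-Method=PAP "
    "RADIUS.Acct-Service-Name=Authenticate-Only"
)
# Constructed LEEF 1.0 sample (invented; LEEF 1.0 separates attributes with a tab).
SAMPLE_LEEF = (
    "Dec 01 2014 15:28:40.540 IST 10.17.4.206 "
    "LEEF:1.0|Dell|ClearPass|6.5.0.68878|1604-1-0|"
    "RADIUS.Auth-Method=PAP\tRADIUS.Acct-Framed-IP-Address=192.167.230.129"
)

# Header field names that follow the "CEF:" / "LEEF:" prefix, in order.
CEF_HEADER = ["version", "vendor", "product", "device_version",
              "signature_id", "name", "severity"]
LEEF_HEADER = ["version", "vendor", "product", "device_version", "event_id"]


def _split_unescaped(text: str, sep: str, limit: int) -> List[str]:
    """Split on unescaped `sep` at most `limit` times; the tail is returned raw.

    Header fields may contain "\\|" and "\\\\"; those escapes are resolved here.
    """
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        if len(parts) == limit:          # header complete; the rest is the extension
            parts.append(text[i:])
            return parts
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Resolve the extension escapes \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str, delim: str) -> Dict[str, str]:
    """Tokenize key=value pairs on `<delim>key=` boundaries.

    A value may itself contain the delimiter (Acct-Timestamp holds a space), so
    splitting on the delimiter alone would corrupt it. A key never contains a
    backslash, so an escaped "\\=" inside a value cannot start a new pair.
    """
    key_re = re.compile(r"(?:^|(?<=%s))([A-Za-z0-9_.\-]+)=" % re.escape(delim))
    matches = list(key_re.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip(delim))
    return out


def parse_event(line: str) -> Dict[str, object]:
    """Return format, syslog prefix, header fields and extension for one line.

    Raises ValueError for a non-CEF/LEEF line or a header that is cut short,
    so a truncated record is rejected instead of being mis-parsed.
    """
    m = re.search(r"\b(CEF|LEEF):", line)
    if not m:
        raise ValueError("not a CEF/LEEF line")
    fmt = m.group(1)
    names, delim = (CEF_HEADER, " ") if fmt == "CEF" else (LEEF_HEADER, "\t")
    parts = _split_unescaped(line[m.end():], "|", len(names))
    if len(parts) != len(names) + 1:
        raise ValueError("truncated %s header: %d of %d fields present"
                         % (fmt, len(parts) - 1, len(names)))
    return {
        "format": fmt,
        "syslog_prefix": line[:m.start()].strip(),
        "header": dict(zip(names, parts[:-1])),
        "extension": _parse_extension(parts[-1], delim),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF):
        rec = parse_event(sample)
        print(rec["format"], rec["header"], rec["extension"])
```

The extension is tokenized on delimiter-plus-key boundaries rather than split on the delimiter because CEF values are allowed to contain spaces (the Acct-Timestamp value above does) and a SIEM rule keyed on RADIUS.Auth-Method or RADIUS.Acct-Calling-Station-Id would otherwise see corrupted values.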
The following table describes the Syslog Export Filters - Filter and Columns (Insight Logs) tab parameters:
Table 276: Syslog Export Filters - Filter and Columns (Insight Logs) Tab Parameters
Columns Selection: Determine the group of reports that you want to include in the syslog filter. The column selection limits the type of records sent to the syslog target. NOTE: You can add only Insight reports that have already been created in Insight.
The following figure displays the Syslog Export Filters - Filter and Columns (Session Logs) tab.
Figure 454: Syslog Export Filters - Filter and Columns (Session Logs) Tab
The following table describes the Syslog Export Filters - Filter and Columns (Session Logs) tab parameters:
Table 277: Syslog Export Filters - Filter and Columns (Session Logs) Tab Parameters
Data Filter: Specify the data filter. The data filter limits the type of records sent to the syslog target.
Summary Tab
This section describes the parameters in the Summary tab of the Administration > External Servers > Syslog Export Filters > Add page. The following figure displays the Syslog Export Filters - Summary tab.
Figure 455: Syslog Export Filters - Summary Tab
The following table describes the Syslog Export Filters - Summary tab parameters:
Table 278: Syslog Export Filters - Summary Tab Parameters
General
Name: Displays the name of the syslog export filter.
1. Navigate to Administration > External Servers > Syslog Export Filters.
2. Click the Import link on the top right section of the page. Enter the details based on Table 279.
3. Click Import.
The following figure displays the Import from file pop-up:
Figure 456: Import from file Pop-up
The following table describes the Import from file parameters:
Table 279: Import from file Parameters
Select File: Browse to the Syslog Filter configuration file to be imported.
The following figure displays the Export to file pop-up:
Figure 457: Export to file Pop-up
The following table describes the Export to file parameters:
Table 280: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.
Exporting a Syslog Filter
To export a syslog filter:
1. Navigate to Administration > External Servers > Syslog Export Filters.
The following table describes the Export to file parameters:
Table 281: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.
Deleting a Syslog Filter
To delete a syslog filter:
1. Navigate to Administration > External Servers > Syslog Export Filters.
2. Click the check box next to the syslog filter entry and click Delete.
3. Click Yes.
The following table describes the Messaging - SMTP Server tab parameters:
Table 282: Messaging - SMTP Server Tab Parameters
Server name: Enter the Fully Qualified Domain Name (FQDN) or the IP address of the SMTP server.
User Name: Enter the username if your email server requires authentication for sending email messages.
Password: Enter the password for the specified username.
Verify Password: Re-enter the password.
Figure 461: Send Test SMS Pop-up
The recipient's mobile number must be entered in international format: a + sign, followed by the country code and the mobile phone number (without the leading '0' of the national number). The number must be entered without spaces, and only digits (plus the leading + sign) are allowed. For example, the US number (248) 123-7654 is entered as +12481237654; 1 is the country code for the US.
Endpoint Context Servers Main Page
The following figure displays the Endpoint Context Servers page:
Figure 462: Endpoint Context Servers Page
The following table describes the Endpoint Context Servers parameters:
Table 283: Endpoint Context Servers Parameters
Server Name: Displays the name of the endpoint context server.
Server Type: Displays the type of the endpoint context server, for example Generic HTTP, AirWatch, or SAP Afaria.
The following table describes the Add Endpoint Context Servers parameters:
Table 284: Add Endpoint Context Servers Parameters
Select Server Type: Choose one of the server types from the following options. The server type you select determines the configuration parameters; for example, if you select the AirWatch server type, you must enter an API Key parameter. Click each server type link below for more information on its configuration parameters.
Figure 463: Import from file Pop-up
The following table describes the Import from file parameters:
Table 285: Import from file Parameters
Select File: Browse to the Endpoint Context Server configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Exporting All Endpoint Context Servers
To export all endpoint context servers:
1.
The following figure displays the Export to file pop-up:
Figure 464: Export to file Pop-up
The following table describes the Export to file parameters:
Table 286: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.
Modifying an Endpoint Context Server
To modify an endpoint context server:
1.
Figure 465: Modify Endpoint Context - Server Pop-up
The following table describes the Modify Endpoint Context - Server parameters:
Table 287: Modify Endpoint Context - Server Parameters
Server Type: Select the type of the endpoint context server, for example AirWatch, MobileIron, or SAP Afaria.
Server Name: Enter the name of the server or host.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended.
Table 287: Modify Endpoint Context - Server Parameters (Continued)
Validate Server: Select the Enable to validate the server certificate check box to validate the certificate the server presents. By default, this field is disabled, which means Policy Manager accepts whatever certificate the context server presents; enable it for production deployments. Checking this option enables the Certificate tab.
Enable Server: Select the Enable to fetch endpoints from the server check box to enable the endpoint context server. By default, this field is disabled. The Bypass Proxy field is enabled only if you enable this field.
The following table describes the Modify Endpoint Context - Poll Status parameters when the polling status is Success:
Table 288: Modify Endpoint Context - Poll Status Parameters with Success Status
Last Poll Status: Displays the last polling status, Success or Failure. In this case, Success.
Last Successful Poll At: Displays the date and time at which the polling was triggered.
Poll time: Specifies the time taken, in seconds, to complete the polling.
The following table describes the Modify Endpoint Context - Poll Status parameters when the polling status is Failure:
Table 289: Modify Endpoint Context - Poll Status Parameters
Last Poll Status: Displays the last polling status, Success or Failure. In this case, Failure.
Last Successful Poll At: Displays the date and time at which the last successful polling was triggered.
Failure URL: Specifies the URL at which the failure occurred.
Status: Displays the error code for the failure.
The following table describes the Modify Endpoint Context - Actions parameters:
Table 290: Modify Endpoint Context - Actions Parameters
Clear Passcode: Resets the passcode on the device.
Enterprise Wipe: Deletes only stored corporate information.
Get Apps: Gets app-related information for the device.
Lock Device: Locks the associated device.
Remote Wipe: Deletes all stored information.
Send Message: Sends a message to the device.
1. Navigate to Administration > External Servers > Endpoint Context Servers.
2. In the Endpoint Context Servers main page, click the check box next to the server name entry.
3. Click Trigger Poll.
Deleting an Endpoint Context Server
Deleting an endpoint context server removes its configuration from the Policy Manager server. If you might need the server again, export its configuration before you delete it so that you can import it later. To delete an endpoint context server:
1.
The following table describes the Add Endpoint Context Server - Server (AirWatch) tab parameters:
Table 291: Add Endpoint Context Server - Server (AirWatch) Tab Parameters
Select Server Type: Choose AirWatch from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or a hostname.
Server Base URL: Enter the full URL for the server. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:<custom port number>.
Actions Tab
The following figure displays the Add Endpoint Context Server - Actions (AirWatch) tab:
Figure 471: Add Endpoint Context Server - Actions (AirWatch) Tab
The following table describes the Add Endpoint Context Server - Actions (AirWatch) tab parameters:
Table 292: Add Endpoint Context Server - Actions (AirWatch) Tab Parameters
Clear Passcode: Reset the passcode on the device.
Enterprise Wipe: Delete only stored corporate information.
Server Tab
The following figure displays the Add Endpoint Context Server - Server (Aruba Activate) tab:
Figure 472: Add Endpoint Context Server - Server (Aruba Activate) Tab
The following table describes the Add Endpoint Context Server - Server (Aruba Activate) tab parameters:
Table 293: Add Endpoint Context Server - Server (Aruba Activate) Tab Parameters
Select Server Type: Choose Aruba Activate from the drop-down list.
Server Name: Enter a valid server name.
Table 293: Add Endpoint Context Server - Server (Aruba Activate) Tab Parameters (Continued)
Validate Server: Enable to validate the server certificate. For more information on the certificate, see Certificates Tab on page 503.
Enable Server: Enable to fetch endpoints from the server.
Bypass Proxy: Enable to bypass the proxy server.
Adding an AirWave Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint. The following figure displays the Add Endpoint Context Server - Server (AirWave) tab:
Figure 474: Add Endpoint Context Server - Server (AirWave) Tab
You can add more than one endpoint context server of the same type. For example, you can add more than one AirWatch endpoint context server.
Adding a Google Admin Console Endpoint Context Server
Consult the Google Developer documentation for information about the parameters that you must enter to configure this endpoint.
Server Tab
The following figure displays the Add Endpoint Context Server - Server (Google Admin Console) tab:
Figure 475: Add Endpoint Context Server - Server (Google Admin Console) Tab
Table 295: Add Endpoint Context Server - Server (Google Admin Console) Tab Parameters (Continued)
Validate Server: Enable to validate the server certificate. Checking this option enables the Certificate tab. For more information on the certificate, see Certificates Tab on page 506.
Enable Server: Enable this field to fetch endpoints from the server.
Bypass Proxy: Select the Enable to bypass proxy server check box to bypass the proxy server.
Adding a Generic HTTP Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint. The following figure displays the Add Endpoint Context Server - Server (Generic HTTP) tab:
Figure 477: Add Endpoint Context Server - Server (Generic HTTP) Tab
Adding a JAMF Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint. The following figure displays the Add Endpoint Context Server - Server (JAMF) tab:
Figure 478: Add Endpoint Context Server - Server (JAMF) Tab
Table 297: Add Endpoint Context Server - Server (JAMF) Tab Parameters (Continued)
Validate Server: Enable to validate the server certificate. Checking this option enables the Certificate tab.
Enable Server: Enable to fetch endpoints from the server.
Bypass Proxy: Enable to bypass the proxy server.
Adding a MaaS360 Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
The following table describes the Add Endpoint Context Server - Server (MaaS360) tab parameters:
Table 298: Add Endpoint Context Server - Server (MaaS360) Tab Parameters
Select Server Type: Choose MaaS360 from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or hostname.
Server Base URL: Enter the full URL for the server. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:<custom port number>.
Actions Tab
The following figure displays the Add Endpoint Context Server - Actions (MaaS360) tab:
Figure 480: Add Endpoint Context Server - Actions (MaaS360) Tab
The following table describes the Add Endpoint Context Server - Actions (MaaS360) tab parameters:
Table 299: Add Endpoint Context Server - Actions (MaaS360) Tab Parameters
Approve Device in Messaging System: Approve the device in the messaging system.
Block Device in Messaging System: Block the device in the messaging system.
Table 299: Add Endpoint Context Server - Actions (MaaS360) Tab Parameters (Continued)
Revoke Selective Wipe: Cancel a Selective Wipe executed on the device.
Search Action History: Search the action history by Device ID.
Selective Wipe Device: Execute a Selective Wipe on a device.
Wipe Device: Delete all information stored on a device.
The following table describes the Add Endpoint Context Server - Server (MobileIron) tab parameters:
Table 300: Add Endpoint Context Server - Server (MobileIron) Tab Parameters
Select Server Type: Choose MobileIron from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or hostname.
Server Base URL: Enter the full URL for the server. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:<custom port number>.
The following table describes the Add Endpoint Context Server - Actions (MobileIron) tab parameters:
Table 301: Add Endpoint Context Server - Actions (MobileIron) Tab Parameters
Get Labels: Get the label information of the device.
Lock Device: Lock the device.
Remote Wipe: Delete all information stored on the device.
Send Message: Send a message to the device.
Unlock Device: Unlock the device.
The following table describes the Add Endpoint Context Server - Server (Palo Alto Networks Firewall) tab parameters:
Table 302: Add Endpoint Context Server - Server (Palo Alto Networks Firewall) Tab Parameters
Select Server Type: Choose Palo Alto Networks Firewall from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or hostname.
Figure 484: Add Endpoint Context Server - Server (Palo Alto Networks Panorama) Tab
Table 303: Add Endpoint Context Server - Server (Palo Alto Networks Panorama) Tab Parameters (Continued)
Send Posture Data: Enable to send posture data to the Palo Alto Networks firewall after authentication. This option can be resource-intensive, so the eager handler polling interval must be two minutes or more. When this field is enabled, Policy Manager verifies that the polling frequency is set to at least 2 minutes and then sends the posture data to the Palo Alto Networks firewall.
The following table describes the Add Endpoint Context Server - Server (SAP Afaria) tab parameters:
Table 304: Add Endpoint Context Server - Server (SAP Afaria) Tab Parameters
Select Server Type: Choose SAP Afaria from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or a hostname.
Server Base URL: Enter the full URL for the server. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:<custom port number>.
The following table describes the Add Endpoint Context Server - Actions (SAP Afaria) tab parameters:
Table 305: Add Endpoint Context Server - Actions (SAP Afaria) Tab Parameters
Enterprise Wipe: Delete corporate information and related data.
Lock Device: Lock the associated device.
Remote Wipe: Delete all stored information.
Send Message: Send a message to the device.
The following table describes the Add Endpoint Context Server - Server (SOTI) tab parameters:
Table 306: Add Endpoint Context Server - Server (SOTI) Tab Parameters
Select Server Type: Choose SOTI from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or hostname.
Server Base URL: Enter the server base URL in the following format: https://{server_ip}/api/?type=keygen&user={username}&password={password}. NOTE: In this format the SOTI credentials are carried in the URL query string, so they can appear wherever the URL is recorded (for example, proxy or web server access logs); restrict access to those logs accordingly.
Username: Enter the username.
Figure 488: Add Endpoint Context Server - Server (XenMobile) Tab
The following table describes the Add Endpoint Context Server - Server (XenMobile) tab parameters:
Table 307: Add Endpoint Context Server - Server (XenMobile) Tab Parameters
Select Server Type: Choose XenMobile from the drop-down list.
Server Name: Enter a valid server name.
File Backup Servers Dell Networking W-ClearPass Policy Manager provides the ability to push scheduled data securely to an external server. You can push the data using the SFTP and SCP protocols. Navigate to the Administration > External Servers > File Backup Servers page and click the Add link at the top-right corner. The Add File Backup Server page opens.
Table 308: Add File Backup Server Page Parameters (Continued)
Port: Specify the port number. The default port is 22.
Username: Enter the user name for the host server.
Password: Enter the password for that user.
Verify Password: Re-enter the password.
Timeout: Specify the timeout value in seconds. The default value is 30 seconds.
Remote Directory: Specify the directory on the host server to which the files are copied.
The following table describes the Server Certificate parameters:
Table 309: Server Certificate Parameters
Create Self-Signed Certificate: Opens the Create Self-Signed Certificate page, where you can create and install a self-signed certificate. For more information, see Creating a Self-Signed Certificate on page 529.
Create Certificate Signing Request: Opens the Create Certificate Signing Request page, where you can create a Certificate Signing Request.
The following table describes the RADIUS Server Certificate parameters:
Table 310: RADIUS Server Certificate Parameters
Subject: Displays the Organization and Common Name.
Issued by: Displays the issuer's Organization and Common Name.
Issue Date: Displays the date the certificate was installed.
Expiry Date: Displays the date (in days) when the certificate expires.
Validity Status: Displays the validity status of the certificate.
Table 311: HTTPS Server Certificate Parameters (Continued)
Expiry Date: Displays the date (in days) when the certificate expires.
Validity Status: Displays the validity status of the certificate.
Details: Click the View Details button to view details about the certificate, such as Signature Algorithm, Subject Public Key Info, and more.
The following figure displays the Create Certificate Signing Request page in FIPS mode:
Figure 494: Create Certificate Signing Request - FIPS Mode Pop-up
The following table describes the Create Certificate Signing Request parameters:
Table 312: Create Certificate Signing Request Parameters
Common Name (CN): Enter the name associated with this entity. This can be a host name, IP address, or other name. The default is the fully qualified domain name (FQDN). Clients that validate the server certificate compare this name (or a Subject Alternate Name entry) with the server name they are configured to expect, so use the name the clients will see.
Table 312: Create Certificate Signing Request Parameters (Continued)
Subject Alternate Name (SAN): Enter the alternative names for the specified Common Name, in the following formats:
- email: email_address
- URI: uri
- IP: ip_address
- dns: dns_name
- rid: id
This field is optional.
Private Key Password / Verify Private Key Password: Enter and re-enter the private key password.
Private Key Type: Select the type and length of the private key to generate from the following options:
- 1024-bit RSA
- 2048-bit RSA
- 4096-bit RSA
- X9.
NOTE: 1024-bit RSA keys are no longer considered adequate (NIST SP 800-131A disallows them for signature generation after 2013); choose 2048-bit RSA or stronger unless a legacy peer requires otherwise.
Figure 495: Create Certificate Signing Request Pop-up
Creating a Self-Signed Certificate
After you select a server and a certificate type, you can create and install a self-signed certificate. To create a self-signed certificate:
1. Navigate to Administration > Certificates > Server Certificate.
2. Select a server, for example, localhost.
3. Click the Create Self-Signed Certificate link. Configure the parameters based on Table 313.
4. Click Submit.
5.
The following figure displays the Create Self-Signed Certificate pop-up:
Figure 496: Create Self-Signed Certificate Pop-up
The following figure displays the Create Self-Signed Certificate page in FIPS mode:
Figure 497: Create Self-Signed Certificate Page - FIPS Mode Pop-up
The following table describes the Create Self-Signed Certificate parameters:
Table 313: Create Self-Signed Certificate Parameters
Selected Server: Displays the name of the server selected on the Server Certificate page.
Selected Type: Displays the certificate type selected for the server on the Server Certificate page.
Table 313: Create Self-Signed Certificate Parameters (Continued)
Location (L) / State (ST) / Country (C): Enter the name of the location, state, country, and/or other meaningful name. These fields are optional.
Subject Alternate Name (SAN): Enter the alternative names for the specified Common Name. NOTE: Enter the SAN in the following formats:
- email: email_address
- URI: uri
- IP: ip_address
- dns: dns_name
- rid: id
This field is optional.
The following figure displays the Create Self-Signed Certificate pop-up.
Figure 498: Create Self-Signed Certificate Pop-up
The following table describes the parameters of the self-signed certificate you configured:
Table 314: Self-Signed Certificate Parameters
Selected Server: Displays the name of the server selected on the Server Certificate page.
Selected Type: Displays the certificate type selected for the server.
Table 314: Self-Signed Certificate Parameters (Continued)
Validity Status: Displays the validity status of the certificate.
Signature Algorithm: Displays the Digest Algorithm and Private Key Type selected during certificate configuration.
Public Key Format: Displays the public key format in use for the self-signed server certificate.
Exporting a Server Certificate
Navigate to Administration > Certificates > Server Certificates, and click the Export Server Certificate link.
Table 315: Import Server Certificate Parameters (Continued)
  Private Key File: Browse to the private key file to be imported.
  Private Key Password: Specify the private key password that was entered when the server certificate was configured.
Certificate Trust List
The Certificate Trust List page displays a list of trusted Certificate Authorities (CA). On this page, you can add, view, or delete a certificate.
The following table describes the Certificate Trust List parameters:
Table 316: Certificate Trust List Parameters
  Subject: Displays the Distinguished Name (DN) of the subject field in the certificate.
  Validity: Indicates whether the CA certificate is valid or expired.
  Enabled: Indicates whether the CA certificate is enabled or disabled.
Adding a Certificate
1. Navigate to Administration > Certificates > Trust List.
2. Click the Add link on the top right section of the page.
3.
Certificate Revocation Lists
To add a revocation list, click Add Revocation List. To delete a revocation list, select the check box to the left of the list and then click Delete.
The following table describes the Add Certificate Revocation List parameters:
Table 318: Add Certificate Revocation List Parameters
  File: Enables the Distribution File option.
  Distribution File: Specify the distribution file (e.g., C:/distribution/crl.verisign.com/Class3InternationalServer.crl) from which to fetch the certificate revocation list.
  URL: Enables the Distribution URL option.
  Distribution URL: Specify the distribution URL (e.g., http://crl.verisign.
Click on a row to view the dictionary attributes, to enable or disable the dictionary, and to export the dictionary. For example, click on vendor IETF to see all IETF attributes and their data type.
The following figure displays the RADIUS IETF dictionary attributes pop-up:
Figure 505: RADIUS Attributes Pop-up
The following table describes the RADIUS Attributes parameters:
Table 319: RADIUS Dictionary Attributes Parameters
  Export: Click to save the dictionary file in XML format.
The following figure displays the Import from file pop-up:
Figure 506: Import RADIUS Dictionary Pop-up
The following table describes the Import from file parameters:
Table 320: Import from file Parameters
  Select File: Browse to select the file that you want to import.
  Enter secret for the file (if any): If the file that you want to import is password protected, enter the secret here.
Posture Dictionary
To add a vendor posture dictionary, click on Import.
The following table describes the Posture Dictionaries parameters:
Table 321: Posture
  Import: Click to open the Import Dictionary pop-up.
Click a vendor row to see all the attributes and their data type. For example, click on vendor Microsoft/System SHV to see all the associated posture attributes and their data type.
The following figure displays the Posture Attributes pop-up.
TACACS+ Services Dictionary
To view the contents of the TACACS+ service dictionary, navigate to Administration > Dictionaries > TACACS+ Services and sort by Name or Display Name. To add a new TACACS+ service dictionary, click the Import link. To add or modify attributes in an existing service dictionary, select the dictionary, export it, make edits to the XML file, and import it back into Policy Manager.
The following figure displays the TACACS+ Service Dictionary Attributes pop-up:
Figure 510: TACACS+ Service Dictionary Attributes Pop-up
Fingerprints Dictionary
The Device Fingerprints page shows a listing of all the device fingerprints recognized by the Profile module. These fingerprints are updated from the Dell W-ClearPass Update Portal (see Software Updates on page 556 for more information). To view the contents of the fingerprints dictionary, navigate to Administration > Dictionaries > Fingerprints.
You can click on a line in the Device Fingerprints list to drill down and view additional details about the category.
The following figure displays the Device Fingerprint Dictionary Attributes pop-up.
Figure 512: Device Fingerprint Dictionary Attributes Pop-up
Attributes
The Attributes dictionary page allows you to specify unique sets of criteria for Local Users, Guest Users, Endpoints, and Devices. This information can then be used with role-based device policies for enabling appropriate network access.
The following table describes the Attributes dictionary parameters:
Table 324: Attributes Dictionary Parameters
  Filter: Use the drop-down list to create a search based on the available Name, Entity, Data Type, Is Mandatory, or Allow Multiple settings.
  Name: The name of the attribute.
  Entity: Shows whether the attribute applies to a Local User, Guest User, Device, or Endpoint.
Enter the information in the fields described in the following table. Click Add when you are done. To modify attributes in an existing service dictionary, select the attribute, make any necessary changes, and then click Save.
The following table describes the Add Attribute parameters:
Table 325: Attribute Setting Parameters
  Entity: Specify whether the attribute applies to a Local User, Guest User, Device, or Endpoint.
  Name: Enter a unique ID for this attribute.
The following table describes the Import from file parameters:
Table 326: Import From File Setting Parameters
  Select File: Browse to select the file that you want to import.
  Enter secret for the file: If the file that you want to import is password protected, enter the secret here.
Export Attributes
Select Export All on the upper right section of the page to export all attributes. The Export Attributes button saves the Attributes.zip file.
2. Click the name of an application. The Application Attributes dialog box appears.
Deleting an Application Dictionary
In general, there is no need to delete an application dictionary. They have no effect on Policy Manager performance. To delete an application dictionary:
1. Go to Administration > Dictionaries > Applications.
2. Click the check box next to an application name.
3. Click Delete.
The following figure displays the Endpoint Context Server Actions page:
Figure 516: Endpoint Context Server Actions Page
The following table describes the Endpoint Context Server Actions parameters:
Table 327: Endpoint Context Server Actions Parameters
  Server Type: Specifies the server type configured when the server action was configured.
  Action Name: Specifies the name of the action such as Enterprise Wipe, Lock Device, and so on.
Action Tab
Use the Action tab to specify the server type, action name, HTTP method, and URL for the server action.
The following figure displays the Endpoint Context Server Details - Action tab:
Figure 517: Endpoint Context Server Details - Action Tab
Table 328: Endpoint Context Server Details - Action Tab Parameters
  Server Type: Specifies the server type configured when the server action was configured. You can select the server type from the drop-down list.
Header Tab
Use the Header tab to specify the key-value pairs to be included in the HTTP header.
The following figure displays the Header tab:
Figure 518: Endpoint Context Server Details - Header Tab
The following table describes the Endpoint Context Server Details - Header parameters:
Table 329: Endpoint Context Server Details - Header Tab Parameters
  Header Name: Specify the name of the header to be included in the HTTP header.
Content Tab
Use the Content tab to specify a content type.
The following figure displays the Endpoint Context Server Details - Content tab:
Figure 519: Endpoint Context Server Details - Content Tab
The following table describes the Endpoint Context Server Details - Content parameters:
Table 330: Endpoint Context Server Details - Content Tab Parameters
  Content-Type: Specify the type of the content.
Attributes Tab
Use the Attributes tab to specify the mapping of attributes used in the content to parameterized values from the request.
OnGuard Settings Main Page
Navigate to Administration > Agents and Software Updates > OnGuard Settings.
The following figure displays the OnGuard Settings page:
Figure 521: OnGuard Settings
The following table describes the OnGuard Settings parameters:
Table 332: OnGuard Settings Parameters
  Global Agent Settings: Configure the global parameters for OnGuard agents. For more information on configuring global agent settings, see Global Agent Settings on page 1.
Table 332: OnGuard Settings Parameters (Continued)
  Ubuntu: Use the download link to download the Ubuntu Agent for Linux. This binary file is in .tar.gz format.
  Native Dissolvable Agent Apps:
    Windows: Click the URL to download the Native Dissolvable Agent for Windows.
    Mac OS X: Click the URL to download the Native Dissolvable Agent for Mac OS X.
    Ubuntu: Click the URL to download the Native Dissolvable Agent for Ubuntu. You can download the .tar.gz files specific to 32-bit and 64-bit systems.
Software Updates
This section describes the Dell Networking W-ClearPass Policy Manager server software update process.
The following table describes the Software Updates parameters:
Table 333: Software Updates Parameters
  Subscription ID:
    Subscription ID: Enter the Subscription ID provided to you. This text box is enabled only on a Publisher node. You can opt out of automatic downloads at any time by saving an empty Subscription ID.
Table 333: Software Updates Parameters (Continued)
  Install Error: This link appears when an update install encounters an error. Clicking this link displays the Install Update dialog box, which shows the log messages generated during the install.
  Other:
    Check Status Now: Click this button to perform an on-demand check for available updates. Check Status Now applies to updates only on a publisher node, as well as Firmware & Patch Updates.
The following table describes the Install Update parameters:
Table 334: Install Update Parameters
  Reboot: The Reboot button appears only for updates that require a reboot to complete the installation. To initiate a reboot of the server, click Reboot.
  Clear & Close: Click this button to delete the log messages and close the pop-up. Clear & Close also removes the corresponding row from the Firmware & Patch Updates table.
  Close: Click this button to close the dialog box.
2. In the Firmware & Patch Updates section, observe the Status column.
3. To bring up the dialog that shows the logs, click the Installed link.
4. To uninstall the patch or software update, click Uninstall. The Install Update screen closes and the software is uninstalled.
Updating the Policy Manager Software
In the background, the Policy Manager Publisher node acts as master. Administration, configuration, and database write operations are allowed only on this master node.
2. On the first boot after upgrade, all old configuration data is restored. Verify that all configuration and services are intact. In the cluster servers screen, all subscriber node entries are present but marked as Cluster Sync=false (disabled for replication). Any configuration changes performed in this state do not replicate to subscribers until the subscribers are also upgraded. In short, no configuration changes are possible on subscribers in this state.
This section describes the following topics:
- Remote Assistance Process Flow on page 562
- Adding a Remote Assistance Session on page 563
Remote Assistance Process Flow
This topic describes the Remote Assistance process flow.
1. Administrator schedules a Remote Assistance session for a specific duration.
2. The Aruba Networks support contact receives an email with instructions and credentials to log in to the remote system.
3. The session is terminated at the end of the specified duration.
4.
Table 335: Remote Assistance Session Parameters (Continued)
  NOTE: A session in any of the Scheduled, Terminated, and Failed states can be edited and saved. Only a session in the Running state can be terminated, by selecting that session and clicking Terminate. A session in any of the Scheduled, Terminated, and Failed states can be deleted by selecting that session and clicking Delete. If a session fails, the Event Viewer indicates the cause of the failure.
Table 337: Add Session Parameters (Continued)
  Support Contact: ('@arubanetworks.com' is appended to the ID).
The figure below is an example of an email that a support technician may receive after a Remote Assistance session is scheduled.
Figure 526: Example of a Remote Assistance Session Notification Email
Documentation
The Administration > Support > Documentation page includes links to various sections of the Dell Networking W-ClearPass Policy Manager Online Help system.
The following figure displays the Documentation page:
Figure 527: Documentation Page
Appendix A Command Line Interface
Refer to the following sections to perform various tasks using the Command Line Interface (CLI):
- Available Commands
- Cluster Commands on page 567
- Configure Commands on page 570
- Network Commands on page 575
- Service Commands on page 580
- Show Commands on page 581
- System Commands on page 585
- Miscellaneous Commands on page 593
Cluster Commands
The Policy Manager command line interface includes the following cluster commands:
- drop-subscriber on
[appadmin]# cluster drop-subscriber -f -i 192.xxx.1.1 -s
list
Use the list command to list the cluster nodes.
Syntax
cluster list
Example
The following example lists all the cluster nodes:
[appadmin]# cluster list
cluster list
Publisher : Management port IP=192.xxx.5.227 Data port IP=None [local machine]
make-publisher
Use the make-publisher command to make a specified node the publisher.
Example
The following example makes 192.xxx.1.1 a subscriber node:
[appadmin]# cluster make-subscriber -i 192.xxx.1.1 -p !alore -l
reset-database
Use the reset-database command to reset the local database and erase its configuration.
Re-enter Password: !alore
Configure Commands
The Policy Manager command line interface includes the following configuration commands:
- date on page 570
- dns on page 571
- fips-mode
- hostname on page 572
- ip on page 572
- ip6
- mtu
- timezone on page 574
date
Use the date command to set the System Date, Time, and Time Zone.
dns
Use the dns command to configure DNS servers. You must specify at least one DNS server and can specify up to three.
Syntax
configure dns [secondary] [tertiary]
Example 1
The following example configures a DNS server:
[appadmin]# configure dns 192.168.xx.1
Example 2
The following example configures primary and secondary DNS servers; as shown here, a DNS server can be given as an IPv6 address:
[appadmin]# configure dns 192.168.xx.1 2001:4860:4860::8888
* Do not close the shell or interrupt this command execution. *
* *
******************************************************************
Continue? [y|n]: y
Enter y to disable FIPS mode.
hostname
Use the hostname command to configure the hostname.
Syntax
configure hostname
Example
The following example configures a hostname:
[appadmin]# configure hostname sun.us.dellnetworks.com
ip
Use the ip command to configure the IP address, netmask, and gateway.
Table 343: ip6 Command Parameters
  ip6: Specifies the network interface type: management or data.
  NOTE: specifies the IPv6 address of the host.
  netmask: Specifies the netmask address. For example, ffff:ffff:ffff:ffff:0000:0000:0000:0000.
  gateway: Specifies the gateway address. For example, fe90:0000:0000:0000:020c:29ff:fe7e:d3a2.
* *
********************************************************
Continue? [y|Y]: y
INFO: Restarting network services
INFO: Successfully applied MTU settings
Example 3
The following example displays the MTU settings of the management and data port interfaces:
[appadmin]# show ip
===========================================
Device Type : Management Port
-------------------------------------------
IPv4 Address : 10.2.xx.86
Subnet Mask : 255.255.255.0
Gateway : 10.2.xx.
Network Commands
The Policy Manager command line interface includes the following network commands:
- ip on page 575
- ip6
- nslookup on page 577
- ping
- ping6
- reset on page 579
- traceroute on page 579
- traceroute6
ip
Use the ip command to add, delete, or list custom routes in the data or management interface routing table.
This command lists all routing rules.
Syntax
network ip reset
This command resets the routing table to the factory default setting. All custom routes are removed.
The following examples add and list the custom routes:
Example 1
The following example adds a custom route:
[appadmin]# network ip add data -s 192.168.xx.
Syntax
network ip6 del <-i >
This command deletes a custom route.
Syntax
network ip6 list
This command lists all custom routing rules.
Syntax
network ip6 reset
This command resets the routing table to the factory default setting; all custom routes are removed.
The following examples add and list the custom routes:
Example 1
The following example adds a custom route; an IPv6 address can be used when adding a custom route:
[appadmin]# network ip6 add data -s fe82::20c:29ff:fe7e:d3e1/d3e24
Example 1
The following examples obtain the IPv4 and IPv6 addresses of the host or domain using DNS:
[appadmin]# nslookup sun.us.dellnetworks.com
[appadmin]# network nslookup 2001:4860:4860::8888
Example 2
The following example queries a host or domain for SRV records:
[appadmin]# nslookup -q SRV dellnetworks.com
Use the AAAA flag with the -q option to perform network nslookup with IPv6 destinations.
Syntax
network ping6 [-i ] [-t]
The following table describes the required and optional parameters for the ping6 command:
Table 350: Ping6 Command Parameters
  -i: Specifies the originating IPv6 address for ping. This field is optional.
  -t: Use this parameter to ping indefinitely. This field is optional.
  Specifies the host to be pinged.
Table 352: Traceroute Command Parameters
  Specifies the name of the network host.
Example
The following example prints the route taken to reach the network host:
[appadmin]# network traceroute sun.us.dellnetworks.com
traceroute6
Use the traceroute6 command to print the route taken to reach the network host.
Syntax
service
Where:
Table 354: Action Command Parameters
  action: Choose an action: activate, deactivate, list, restart, start, status, or stop.
  service-name: Choose a service: tips-policy-server, tips-admin-server, tips-system-auxiliary-server, tips-radius-server, tips-tacacs-server, tips-dbwrite-server, tips-repl-server, or tips-sysmon-server.
Syntax
show all-timezones
Example
The following example displays all available timezones:
[appadmin]# show all-timezones
Africa/Abidjan
Africa/Accra
.....
WET
Zulu
date
Use the date command to view the System Date, Time, and Time Zone information.
Syntax
show date
Example
The following example displays the System Date, Time, and Time Zone information:
[appadmin]# show date
Wed Oct 31 14:33:39 UTC 2012
dns
Use the dns command to view DNS servers.
fipsmode
Use the fipsmode command to find out whether FIPS mode is enabled or disabled.
Example
The following example shows that FIPS mode is enabled:
[appadmin]# show fipsmode
FIPS Mode: Enabled
hostname
Use the hostname command to view the hostname.
Syntax
show hostname
Example
The following example displays the hostname:
[appadmin]# show hostname
show hostname
wolf
ip
Use the ip command to view the IPv4, IPv6, and DNS information of the host.
===========================================
DNS Information
-------------------------------------------
Primary DNS : 10.2.xx.3
Secondary DNS : 10.1.xx.50
Tertiary DNS : 10.1.xx.200
===========================================
license
Use the license command to view the license key.
===========================================
Memory Utilization
-------------------------------------------
Total : 4.00 GB
Free : 1.36 GB (36%)
timezone
Use the timezone command to view the current system timezone.
Syntax
show timezone
Example
The following example displays the system timezone:
[appadmin]# show timezone
show timezone
Timezone is set to 'Asia/Kolkata'
version
Use the version command to view the Policy Manager software version and the hardware model.
- status-rasession
- System Commands
- update on page 590
- upgrade on page 591
apps-access-reset
Use the apps-access-reset command to reset the access control restrictions for Policy Manager.
Syntax
system apps-access-reset
Example
The following example resets the access control restrictions for Policy Manager:
[appadmin]# system apps-access-reset
Policy Manager application access is restored
boot-image
Use the boot-image command to set system boot image control options.
Example
The following example performs a cleanup operation for the system:
[appadmin]# system cleanup
ERROR - Insufficient arguments to proceed
System Cleanup (CLI)
Usage: system cleanup
Where, -- Cleanup interval specifying the number of days to retain the data
[appadmin]# system cleanup 4
********************************************************
* *
* WARNING: This command will perform system cleanup *
* operation that will result in purging of: *
* [*] system and application log files
Syntax
system install-license
The following table describes the required and optional parameters for the install-license command:
Table 356: Install-License Command Parameters
  Specifies the newly issued license key. This field is mandatory.
refresh-license
Use the refresh-license command to refresh the license count information.
Syntax
system refresh-license
Example
The following example refreshes the license count information:
[appadmin]# system refresh-license
INFO: Refreshing license count information
INFO: Successfully refreshed license count information
restart
Use the restart command to restart the system.
Syntax
system sso-reset
start-rasession
Use the start-rasession command to start a RemoteAssist (RA) session.
Syntax
system start-rasession [duration_hours | duration_mins | contact_id | cppm_server_ip]
The following table describes the required and optional parameters for the start-rasession command:
Table 358: Start RemoteAssist Session Command Parameters
  duration_hours: Specify the session duration in hours. You can specify values from 0 to 12.
The following table describes the required and optional parameters for the update command:
Table 359: Update Commands
  -i user@hostname:/ | http://hostname/: Installs the specified patch on the system. This field is optional.
  -f: Re-installs the patch in the event of a problem with the initial installation attempt. This field is optional.
  -l: Lists the patches installed on the system. This field is optional.
This command supports Secure Copy (SCP), HTTP, and local uploads. If none of these upgrade command options are provided, Access Tracker records are backed up, but they are not restored by default.
Example 1: Upgrading from a Linux server
To upgrade the Policy Manager image from a Linux server:
1. Upload the upgrade image to a Linux server.
2. Use the following syntax to upload the upgrade image:
system upgrade user@hostname:/ [-w] [-l] [-L]
For example:
[appadmin]# system upgrade admin@sun.us.
The Policy Manager restarts and boots up to the most recent version of Dell Networking W-ClearPass Policy Manager.
Syntax
ad netjoin [domain NETBIOS name]
The following table describes the required and optional parameters for the ad netjoin command:
Table 362: Ad Netjoin Command Parameters
  Specifies the host to be joined to the domain. This field is mandatory.
  [domain NETBIOS name]: Specifies the domain name. This field is optional.
Example
The following example joins the host to the domain:
[appadmin]# ad netjoin atlas.us.
Table 363: Alias Commands
  = Sets as the alias for .
  = Removes the association.
Example 1
[appadmin]# alias sh=show
Example 2
[appadmin]# alias sh=
backup
Use the backup command to create a backup of Policy Manager configuration data. If no arguments are entered, the system auto-generates a filename and backs up the configuration to this file.
Example 1
The following example dumps the certificate chain of an SSL-secured server:
[appadmin]# dump certchain ldap.acme.com:636
dump certchain
dump logs
Use the dump logs command to dump Policy Manager application log files.
Example
The following example dumps the server certificate of an SSL-secured server:
[appadmin]# dump servercert ldap.acme.com:636
exit
Use the exit command to exit the shell.
Table 368: Kerberos Authentication Command Parameters
  Specifies the username and domain.
Example
The following example performs a Kerberos authentication against a Kerberos server:
[appadmin]# krb auth mike@corp-ad.acme.com
krb list
Use the krb list command to list the cached Kerberos tickets.
[appadmin]# quit
restore
Use the restore command to restore Policy Manager configuration data from the backup file.
Syntax
restore user@hostname:/ [-l] [-i] [-c|-C] [-p] [-s]
The following table describes the required and optional parameters for the restore command:
Table 370: Restore Command Parameters
  user@hostname:/: Specify the file path of the restore source.
  -c: Restores the configuration database (default).
Table 371: Start Remote Session Command Parameters
  Defines the duration in hours of the Remote Assistance Session.
  Defines the duration in minutes of the Remote Assistance Session.
  Specifies the name of the TAC engineer.
  Specifies the IP address of a Dell Networking W-ClearPass Policy Manager in the cluster.
Appendix B Rules Editing and Namespaces
The Policy Manager administration User Interface allows you to create different types of objects:
- Service rules
- Role mapping policies
- Internal user policies
- Enforcement policies
- Enforcement profiles
- Post-audit rules
- Proxy attribute pruning rules
- Filters for Access Tracker and activity reports
- Attributes editing for policy simulation
When editing all these elements, you are presented with a tabular interface with the same column hea
- Authentication Namespaces on page 603
- Authorization Namespaces on page 605
- Certificate Namespaces on page 606
- Connection Namespaces on page 607
- Date Namespaces on page 608
- Device Namespaces on page 608
- Endpoint Namespaces on page 609
- Guest User Namespaces on page 609
- Host Namespaces on page 609
- Local User Namespaces on page 609
- Posture Namespaces on page 610
- RADIUS Namespaces on page 610
- Tacacs Namespaces on page 611
- Tips Namespaces on page 611
Applica
- Page-Name
- Provisioning-Settings-ID
- SAMLRequest
- SAMLResponse
- Session-Timeout
- User-Email-Address
Audit Namespaces
The dictionaries in the audit namespace come pre-packaged with the product. The Audit namespace has the notation Vendor:Audit, where Vendor is the name of the company that has defined attributes in the dictionary. Examples of dictionaries in the audit namespace are AvendaSystems:Audit or Qualys:Audit. The Audit namespace appears when editing post-audit rules.
Authentication Namespace Editing Context
The following table describes the Authentication Namespace Attributes parameters:
Table 375: Authentication Namespace Attributes
  InnerMethod:
    - CHAP
    - EAP-GTC
    - EAP-MD5
    - EAP-MSCHAPv2
    - EAP-TLS
    - MSCHAP
    - PAP
    NOTE: The EAP-MD5 authentication type is not supported if you use the Dell Networking W-ClearPass Policy Manager in FIPS mode.
Table 375: Authentication Namespace Attributes (Continued)
  MacAuth:
    - AuthSource-Unreachable - The authentication source was unreachable
    - NotApplicable - Not a MAC Auth request
    - Known Client - Client MAC address was found in an authentication source
    - Unknown Client - Client MAC address was not found in an authentication source
  Username: The username as received from the client (after the strip user name rules are applied).
attribute names defined when you created an instance of this authentication source. The attribute names are pre-populated for administrative convenience.
  Sources: This is the list of the authorization sources from which attributes were fetched for role mapping.
Authorization namespaces appear in Role mapping policies.
SQL Instance Namespace
For each instance of an SQL authentication source, there is an SQL instance namespace that appears in the rules editing interface.
Table 376: Certificate Namespace Attributes (Continued)
  - Issuer-O
  - Issuer-OU
  - Issuer-SN
  - Issuer-ST
  - Issuer-UID
  - Subject-AltName-DirName
  - Subject-AltName-DNS
  - Subject-AltName-EmailAddress
  - Subject-AltName-IPAddress
  - Subject-AltName-msUPN
  - Subject-AltName-RegisterdID
  - Subject-AltName-URI
  The Subject-AltName attributes are associated with the subject (user or machine, in this case) alternate name. Not all of these fields are populated in a certificate.
Table 377: Connection Namespace Pre-defined Attributes (Continued)
  Client-Mac-Address: MAC address of the client.
  Client-Mac-Address-Colon, Client-Mac-Address-Dot, Client-Mac-Address-Hyphen, Client-Mac-Address-Nodelim: Client MAC address in different formats.
  Client-IP-Address: IP address of the client (if known).
Endpoint Namespaces
Use these attributes to look for attributes of authenticating endpoints, which are present in the Policy Manager endpoints list. The Endpoint namespace has the following attributes:
- Disabled By
- Disabled Reason
- Enabled By
- Enabled Reason
- Info URL
Guest User Namespaces
The GuestUser namespace has the attributes associated with the guest user (resident in the Policy Manager guest user database) who authenticated in this session.
- Email
- Phone
- Sponsor
Custom attributes also appear in the attribute list if they are defined as custom tags for the local user. These attributes can be used only if you have pre-populated the values for these attributes when a local user is configured in Policy Manager.
Posture Namespaces
The dictionaries in the posture namespace are pre-packaged with the product.
- RADIUS Enforcement profiles: All RADIUS namespace attributes that can be sent back to a RADIUS client (the ones marked with the OUT or INOUT qualifier)
- Role mapping policies
- Service rules: All RADIUS namespace attributes that can appear in a request (the ones marked with the IN or INOUT qualifier)
Tacacs Namespaces
The Tacacs namespace has the attributes available in a TACACS+ request.
The following built-in variables are supported in Policy Manager:
Table 378: Policy Manager Variables
  %{attribute-name}: attribute-name is the alias name for an attribute that you have configured to be retrieved from an authentication source. See Adding and Modifying Authentication Sources on page 169.
The following table lists the operators presented for common attribute data types:
Table 379: Attribute Operators
  String: BEGINS_WITH, NOT_BEGINS_WITH, CONTAINS, NOT_CONTAINS, ENDS_WITH, NOT_ENDS_WITH, EQUALS, NOT_EQUALS, EQUALS_IGNORE_CASE, NOT_EQUALS_IGNORE_CASE, EXISTS, NOT_EXISTS, MATCHES_REGEX, NOT_MATCHES_REGEX, BELONGS_TO, NOT_BELONGS_TO
  Integer, Time or Date, Day: EQUALS, NOT_EQUALS, EXISTS, NOT_EXISTS, GREATER_THAN, GREATER_THAN_OR_EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS, IN_RANGE, BELONGS_TO, NOT_BELONGS_TO (the original column layout assigning these operators to each of the three types did not survive extraction)
  List (Example: Role): EQUALS, NOT_EQUALS, MATCHES_ALL, NOT_MATCHES_ALL, MATCHES_ANY, NOT_MATCHES_ANY, MATCHES_EXACT, NOT_MATCHES_EXACT
  Group (Example: Calling-Station-Id, NAS-IP-Address): BELONGS_TO_GROUP, NOT_BELONGS_TO_GROUP, and all string data type operators
The following table describes all operator types:

Table 380: Operator Types

BEGINS_WITH: For string data type, true if the run-time value of the attribute begins with the configured value. Example: RADIUS:IETF:NAS-Identifier BEGINS_WITH "SJ-"

BELONGS_TO: For string data type, true if the run-time value of the attribute matches a set of configured string values.
GREATER_THAN: For integer, time and date data types, true if the run-time value of the attribute is greater than the configured value. Example: RADIUS:IETF:NAS-Port GREATER_THAN 10

GREATER_THAN_OR_EQUALS: For integer, time and date data types, true if the run-time value of the attribute is greater than or equal to the configured value.
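The operators of Tables 379 and 380 can be exercised with the following evaluator, an added example that is not ClearPass code. It assumes the constructed request, device group and role mapping policy defined in the block, and models the "Select all matches" setting used when building a role mapping policy.

```python
"""Evaluator for Policy Manager-style attribute conditions (added example,
not ClearPass code). The attribute names come from this guide; the request
values, device groups and role mapping policy below are constructed."""
import re

# Constructed stand-in for the network device groups BELONGS_TO_GROUP consults.
DEVICE_GROUPS = {"SJ-Campus": {"10.1.1.1", "10.1.1.2"}}
ORDER = {"GREATER_THAN": lambda a, c: a > c, "GREATER_THAN_OR_EQUALS": lambda a, c: a >= c,
         "LESS_THAN": lambda a, c: a < c, "LESS_THAN_OR_EQUALS": lambda a, c: a <= c}


def _as_set(value):
    """Configured list values are written as a comma-separated string."""
    return {v.strip() for v in value.split(",") if v.strip()}


def _positive(attr, op, cfg):
    """Evaluate a non-negated operator; attr is None when the request lacks it."""
    if op == "EXISTS":
        return attr is not None
    if attr is None:                      # every other operator needs a value
        return False
    if isinstance(attr, list):            # list type, for example Role
        wanted, have = _as_set(cfg), set(attr)
        table = {"EQUALS": lambda: wanted == have, "MATCHES_EXACT": lambda: wanted == have,
                 "MATCHES_ALL": lambda: wanted <= have, "MATCHES_ANY": lambda: bool(wanted & have)}
    else:
        s = str(attr)
        if op in ORDER:                   # integer, time and date comparisons
            return ORDER[op](int(s), int(cfg))
        if op == "IN_RANGE":              # configured as "low-high", inclusive
            low, high = (int(x) for x in cfg.split("-"))
            return low <= int(s) <= high
        table = {"BEGINS_WITH": lambda: s.startswith(cfg), "ENDS_WITH": lambda: s.endswith(cfg),
                 "CONTAINS": lambda: cfg in s, "EQUALS": lambda: s == cfg,
                 "EQUALS_IGNORE_CASE": lambda: s.lower() == cfg.lower(),
                 "MATCHES_REGEX": lambda: re.search(cfg, s) is not None,
                 "BELONGS_TO": lambda: s in _as_set(cfg),
                 "BELONGS_TO_GROUP": lambda: s in DEVICE_GROUPS.get(cfg, set())}
    if op not in table:
        raise ValueError(f"operator {op} does not apply to {attr!r}")
    return table[op]()


def evaluate(condition, attrs):
    """condition = (attribute, operator, configured value); NOT_* negates."""
    attr, op, cfg = condition
    if op.startswith("NOT_"):
        return not _positive(attrs.get(attr), op[4:], cfg)
    return _positive(attrs.get(attr), op, cfg)


def map_roles(policy, attrs, select_all_matches=True):
    """policy is a list of (conditions, role); a rule fires when all of its
    conditions hold. With 'Select all matches' every firing rule contributes
    its role; otherwise evaluation stops at the first firing rule."""
    roles = []
    for conditions, role in policy:
        if all(evaluate(c, attrs) for c in conditions):
            roles.append(role)
            if not select_all_matches:
                break
    return roles


# Constructed request attributes and role mapping policy
REQUEST = {"RADIUS:IETF:NAS-Identifier": "SJ-WLC-01", "RADIUS:IETF:NAS-Port": 12,
           "RADIUS:IETF:NAS-IP-Address": "10.1.1.1",
           "RADIUS:IETF:Calling-Station-Id": "00-11-22-33-44-55",
           "Role": ["Employee", "Engineer"]}
POLICY = [([("RADIUS:IETF:NAS-Identifier", "BEGINS_WITH", "SJ-"),
            ("RADIUS:IETF:NAS-IP-Address", "BELONGS_TO_GROUP", "SJ-Campus")], "ROLE_SJ_CAMPUS"),
          ([("Role", "MATCHES_ANY", "Engineer, Developer")], "ROLE_ENGINEER"),
          ([("RADIUS:IETF:NAS-Port", "IN_RANGE", "1-8")], "ROLE_PORT_LOW"),
          ([("RADIUS:IETF:Calling-Station-Id", "NOT_EXISTS", "")], "ROLE_NO_MAC")]
```

A missing attribute makes every positive operator except EXISTS false, so the NOT_ form of any operator is true for an absent attribute; keep that in mind when a rule is meant to deny rather than permit.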
Appendix C Error Codes, SNMP Traps, and System Events

This appendix contains listings of Dell Networking W-ClearPass Policy Manager error codes, SNMP traps, and important system events.
Table 381: CPPM Error Codes (Continued)

Code  Description                                      Type
211   Client certificate not valid                     Authentication failure
212   Client certificate has expired                   Authentication failure
213   Certificate comparison failed                    Authentication failure
214   No certificate in authentication source          Authentication failure
215   TLS session error                                Authentication failure
216   User authentication failed                       Authentication failure
217   Search failed due to insufficient permissions    Authentication failure
218   Authenticat
Table 381: CPPM Error Codes (Continued)

Code  Description                                      Type
5006  Query - No supported actions                     Command and Control
5007  Query - Cannot fetch MAC address details         Command and Control
5008  Request - MAC address not online                 Command and Control
5009  Request - No MAC address record found            Command and Control
6001  Unsupported TACACS parameter in request          TACACS Protocol
6002  Invalid sequence number                          TACACS Protocol
6003  Sequence number overflow                         TACACS Protocol
6101  Not enough inputs to perfor
Table 381: CPPM Error Codes (Continued)

Code  Description                                      Type
9008  Phase2 PAC not found                             RADIUS Protocol
9009  Unknown Phase2 PAC                               RADIUS Protocol
9010  Invalid Phase2 PAC                               RADIUS Protocol
9011  PAC verification failed                          RADIUS Protocol
9012  PAC binding failed                               RADIUS Protocol
9013  Session resumption failed                        RADIUS Protocol
9014  Cached session data error                        RADIUS Protocol
9015  Client does not support configured EAP methods   RADIUS Protocol
9016  Client did not send Cryptobinding TLV            RADIUS Pr
.1.3.6.1.6.3.1.1.5.2 ==> Warm Start

Network Interface up and Down Events OIDs:
.1.3.6.1.6.3.1.1.5.3 ==> Link Down
.1.3.6.1.6.3.1.1.5.4 ==> Link Up

CPPM Processes Stop and Start Events OIDs:
.1.3.6.1.4.1.2021.8.1.2.X ==> Process Name
.1.3.6.1.4.1.2021.2.1.101.X ==> Process Status Message

Disk Utilization Threshold Exceed Events OIDs:
.1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag for disk partition
.1.3.6.1.4.1.2021.9.1.2.
.1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is stopped

RADIUS server start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server
.1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is running

Admin Server stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.

.1.3.6.1.4.1.2021.8.1.101.2: System auxiliary service [ cpass-system-auxiliary-server ] is stopped

System Auxiliary server start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.2
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.2: cpass-system-auxiliary-server
.1.3.6.1.4.1.2021.8.1.101.

.1.3.6.1.4.1.2021.8.1.101.6: Async DB write service [ cpass-dbwrite-server ] is stopped

Async DB write service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.6
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.6: cpass-dbwrite-server
.1.3.6.1.4.1.2021.8.1.101.

.1.3.6.1.4.1.2021.8.1.101.8: DB change notification server [ cpass-dbcn-server ] is stopped

DB Change Notification server start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.8
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.8: cpass-dbcn-server
.1.3.6.1.4.1.2021.8.1.101.

.1.3.6.1.4.1.2021.8.1.101.10: Multi-master cache [ cpass-multi-master-cache-server ] is stopped

Multi-master Cache service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.10
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.10: cpass-multi-master-cache-server
.1.3.6.1.4.1.2021.8.1.101.

.1.3.6.1.4.1.2021.8.1.101.12: Micros Fidelio FIAS [ fias_server ] is stopped

Micros Fidelio FIAS service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.12
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.12: fias_server
.1.3.6.1.4.1.2021.8.1.101.12: Micros Fidelio FIAS [ fias_server ] is running

TACACS server stop SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.

.1.3.6.1.4.1.2021.8.1.101.13: ClearPass Virtual IP service [ cpass-vip-service ] is stopped

Virtual IP service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.13
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.13: cpass-vip-service
.1.3.6.1.4.1.2021.8.1.101.

.1.3.6.1.4.1.2021.8.1.101.14: Stats aggregation service [ cpass-carbon-server ] is stopped

Stats Aggregation service start SNMP trap
snmpTrapOID: .1.3.6.1.2.1.88.2.0.3
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.14
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.14: cpass-carbon-server
.1.3.6.1.4.1.2021.8.1.101.14: Stats aggregation service [ cpass-carbon-server ] is running.

Network Interface Status Traps
.1.3.6.
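The stop and start traps above can be parsed and correlated by a trap receiver as follows. This is an added example, not ClearPass code; it assumes the "OID: value" layout of the dumps above, takes the status message prefix .1.3.6.1.4.1.2021.8.1.101. from those dumps, and builds constructed trap texts for the RADIUS and Async DB write processes.

```python
"""Classify ClearPass process SNMP traps from the 'OID: value' dump layout
shown in this appendix (added example, not ClearPass code). The trap texts
built by make_trap are constructed samples; only the OIDs come from the guide."""

PROCESS_STOP = ".1.3.6.1.2.1.88.2.0.2"     # snmpTrapOID of a "... is stopped" trap
PROCESS_START = ".1.3.6.1.2.1.88.2.0.3"    # snmpTrapOID of a "... is running" trap
LINK_DOWN, LINK_UP = ".1.3.6.1.6.3.1.1.5.3", ".1.3.6.1.6.3.1.1.5.4"
PROC_NAME = ".1.3.6.1.4.1.2021.8.1.2."     # Process Name, per-process index X
PROC_STATUS = ".1.3.6.1.4.1.2021.8.1.101."  # status message, as the dumps show it


def parse_trap(text):
    """Split each 'oid: value' line; varbinds without a value become ''."""
    varbinds = {}
    for line in text.strip().splitlines():
        oid, _, value = line.partition(":")
        varbinds[oid.strip()] = value.strip()
    return varbinds


def _first(varbinds, prefix):
    return next((v for k, v in varbinds.items() if k.startswith(prefix)), "")


def classify(varbinds):
    """Map a parsed trap to an event record with a severity for alerting."""
    trap = varbinds.get("snmpTrapOID", "")
    if trap in (PROCESS_STOP, PROCESS_START):
        stopped = trap == PROCESS_STOP
        return {"event": "process_stopped" if stopped else "process_running",
                "severity": "critical" if stopped else "info",
                "process": _first(varbinds, PROC_NAME),
                "message": _first(varbinds, PROC_STATUS)}
    if trap in (LINK_DOWN, LINK_UP):
        return {"event": "link_down" if trap == LINK_DOWN else "link_up",
                "severity": "warning" if trap == LINK_DOWN else "info",
                "process": "", "message": ""}
    return {"event": "unknown", "severity": "info", "process": "", "message": trap}


def unrecovered(trap_texts):
    """Processes that reported 'stopped' and never reported 'running' again.
    A stop followed by a start is the normal restart pattern and drops out;
    what remains is worth an alert."""
    down = {}
    for text in trap_texts:
        ev = classify(parse_trap(text))
        if ev["event"] == "process_stopped":
            down[ev["process"]] = ev["message"]
        elif ev["event"] == "process_running":
            down.pop(ev["process"], None)
    return down


def make_trap(index, name, label, running):
    """Constructed trap text in the guide's layout (sample data, not a capture)."""
    state = "running" if running else "stopped"
    return "\n".join([
        f"snmpTrapOID: {PROCESS_START if running else PROCESS_STOP}",
        ".1.3.6.1.2.1.88.2.1.1.0: extTable",
        ".1.3.6.1.2.1.88.2.1.2.0:",                       # value-less varbind
        f".1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.{index}",
        f"{PROC_NAME}{index}: {name}",
        f"{PROC_STATUS}{index}: {label} [ {name} ] is {state}",
    ])


# Constructed sequence: RADIUS restarts cleanly, the DB write service does not
TRAPS = [make_trap(5, "cpass-radius-server", "Radius server", False),
         make_trap(5, "cpass-radius-server", "Radius server", True),
         make_trap(6, "cpass-dbwrite-server", "Async DB write service", False)]
```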
.1.3.6.1.4.1.2021.10.1.100.1 ==> Error flag on the CPU load-1 average. Value of 1 indicates the load-1 has crossed its threshold and 0 indicates otherwise.
.1.3.6.1.4.1.2021.10.1.2.1 ==> Name of CPU load-1 average

Figure 531: CPU load-1 average example

.1.3.6.1.4.1.2021.10.1.100.2 ==> Error flag on the CPU load-5 average. Value of 1 indicates the load-5 has crossed its threshold and 0 indicates otherwise.
.1.3.6.1.4.1.2021.10.1.2.2 ==> Name of CPU load-5 average

Figure 532: CPU load-5 average example

.1.
"Admin UI", "WARN", "Login Failed", "User:"
"Admin UI", "WARN", "Login Failed", description

Info Events
"Admin UI", "INFO", "Logged out"
"Admin UI", "INFO", "Session destroyed"
"Admin UI", "INFO", "Logged in", description
"Admin UI", "INFO", "Clear Authentication Cache", "Cache is cleared for authentication source "
"Admin UI", "INFO", "Clear Blacklist User Cache", "Blacklist Users cache is cleared for authentication source "
"Admin UI", "INFO", "Server Certificate", "Subject:", "Updated"
"Admi
"ipaddress", "ERROR", "Testing cluster node connectivity failed"
"System TimeCheck", "WARN", "Restarting CPPM services as the system detected time drift, Current system time= 2013-07-27 17:00:01, System time 5 mins back = 2013-01-25 16:55:01"

Info Events
"Cluster", "INFO", "Setup", "Database initialized"
"hostname", "INFO", "configuration", "Hostname set to "
"ipaddress", "INFO", "configuration", "Management port information updated to - IpAddress = , Netmask = , Gateway = "
"IpAddress", "
DB Replication Services Events

Info Events
"DB replication service", "INFO", "Performed action start on DB replication service"
"DB replication service", "INFO", "Performed action stop on DB replication service"
"DB change notification server", "INFO", "Performed action start on DB change notification server"
"DB replication service", "INFO", "Performed action start on DB replication service"

Licensing Events

Critical Events
"Admin UI", "WARN", "Activation Failed", "Action Status: This Activation Request T
SNMP Events

Critical Events
"SNMPService", "ERROR", "ReadDeviceInfo", "SNMP GET failed for device with error=No response received\nReading sysObjectId failed for device=\nReading switch initialization info failed for "
"SNMPService", "ERROR", "Error fetching table snmpTargetAddr. Request timed out. Error reading SNMP target table for NAD=10.1.1.1 Maybe SNMP target address table is not supported by device? Allow NAD update. SNMP GET failed for device 10.1.1.
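Event records in the quoted, comma-separated layout listed above can be reviewed mechanically, for example to separate the Critical Events from the Info Events and to spot an Admin UI login that succeeds only after repeated failures. This is an added example, not ClearPass code; the sample records are constructed and the three-failure threshold is an assumption.

```python
"""Review ClearPass system event records in the quoted, comma-separated layout
listed in this appendix (added example, not ClearPass code). The sample
records below are constructed; only the field wording follows the guide."""
import csv
import io
from collections import Counter

CRITICAL_LEVELS = {"WARN", "ERROR"}   # levels this appendix files under Critical Events


def parse_events(text):
    """Each record is: source, level, then one or more message fields."""
    records = []
    for fields in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(fields) >= 3:
            records.append({"source": fields[0], "level": fields[1],
                            "message": fields[2:]})
    return records


def user_of(event):
    """Admin UI login records carry the account as a 'User: name' field."""
    for field in event["message"]:
        if field.startswith("User:"):
            return field[len("User:"):].strip()
    return None


def review(text, failure_threshold=3):
    """Return findings: every critical-level record, plus each Admin UI login
    that succeeded after at least failure_threshold consecutive failures for
    the same account (a pattern worth a second look in the audit trail)."""
    findings, failures = [], Counter()
    for ev in parse_events(text):
        if ev["level"] in CRITICAL_LEVELS:
            findings.append(("critical", ev["source"], " / ".join(ev["message"])))
        if ev["source"] != "Admin UI":
            continue
        user = user_of(ev)
        if "Login Failed" in ev["message"]:
            failures[user] += 1
        elif "Logged in" in ev["message"]:
            if failures[user] >= failure_threshold:
                findings.append(("login_after_failures", user, failures[user]))
            failures[user] = 0
    return findings


# Constructed sample in the layout of the event listings above
SAMPLE = '''"Admin UI", "WARN", "Login Failed", "User: admin"
"Admin UI", "WARN", "Login Failed", "User: admin"
"Admin UI", "WARN", "Login Failed", "User: admin"
"Admin UI", "INFO", "Logged in", "User: admin"
"Admin UI", "INFO", "Logged out"
"10.1.1.2", "ERROR", "Testing cluster node connectivity failed"
"DB replication service", "INFO", "Performed action start on DB replication service"
'''
```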
- Multi-master cache
- Policy server
- RADIUS server
- System auxiliary services
- System monitor service
- TACACS server
- Virtual IP service
- [YOURSERVERNAME] Domain service
Appendix D Use Cases

This appendix contains several specific Dell Networking W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure Policy Manager for that use case.

- 802.1X Wireless Use Case on page 637
- Web Based Authentication Use Case on page 643
- MAC Authentication Use Case on page 650
- TACACS+ Use Case on page 653
- Single Port Use Case on page 654

802.
Policy Manager ships with fourteen preconfigured services. In this use case, you select a service that supports 802.1X wireless requests. Follow the steps below to configure this basic 802.1X service that uses [EAP FAST], one of the pre-configured Policy Manager authentication methods, and Active Directory Authentication Source (AD), an external authentication source within your existing enterprise.
Creating a New Role Mapping Policy

To create a new Role Mapping policy:

1. Click the Roles tab.
2. Click Add new Role Mapping Policy. The Role Mappings page opens.

Figure 535: Role Mapping Navigation and Settings

3. To add a new role, navigate to the Policy tab. Enter the Policy Name, for example, ROLE_ENGINEER, and click Save. Repeat the same step for ROLE_FINANCE. The following figure displays the Policy tab:

Figure 536: Policy Tab

4. Click the Next button in the Rules Editor.
5.
Figure 537: Mapping Rules Tab

6. Select the Select all matches radio button.
7. Match the conditions with the role name. Click the Add Rule button. The Rules Editor pop-up opens. Upon completion of each rule, click the Save button in the Rules Editor.
8. Click the Save button.
9. Add the new role mapping policy to the service from the Roles tab. The following figure displays the Roles tab:

Figure 538: Roles Tab
10. Select the Role Mapping Policy, for example, RMP_DEPARTMENT. Click Next.
11. Add a Microsoft NPS external posture server to the 802.1X service. Click the Posture tab. The following figure displays the Posture tab:

Figure 539: Posture Tab

12. Click Add new Posture Server to add a new posture server.
13.
Figure 541: Primary Server Tab

16. Click Next to move from the primary server to the backup server. Click Save.
17. Add the new posture server to the service. From the Posture tab, enter the Posture Server, for example, PS_NPS, then click the Add button. The following figure displays the Posture tab:

Figure 542: Posture Tab

18. Click the Next button. Assign an enforcement policy.
19. Enforcement policies contain dictionary-based rules that map Role, Posture Tokens, and System Time to enforcement profiles.
20. From the Enforcement tab, select the Enforcement Policy, for example, Role_Based_Allow_Access_Policy. For instructions about how to build such an enforcement policy, refer to "Configuring Enforcement Policies" on page 1.
21. Save the service.

Web Based Authentication Use Case

This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service.
Table 383: Service Navigation and Settings

Navigation: Create a new Service: Services > Add Service >
Settings: Name the Service and select a preconfigured Service Type: Service (tab) > Type (selector): Dell Web-Based Authentication > Name/Description (freeform) > Upon completion, click Next.

3. Set up the Authentication.
   a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
   b.
Table 384: Local Policy Manager Database Navigation and Settings

Navigation: Select the local Policy Manager database: Authentication (tab) > Sources (Select drop-down list): [Local User Repository] > Add >
Settings: Strip Username Rules (check box) > Enter an example of preceding or following separators (if any), with the phrase "user" representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
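The Strip Username Rules setting above can be modelled as follows, as an added example that is not ClearPass code. The rule forms "\user" and "user@", the handling of a rule that names both a preceding and a following separator, and the first-rule-that-strips-wins ordering are assumptions; the sample names are constructed.

```python
"""Strip Username Rules as described above: the literal word "user" stands for
the part of the login name to keep, and the characters around it are the
separators to strip together with whatever lies beyond them. Added example,
not ClearPass code; the rule forms and the ordering are assumptions."""


def apply_rule(username, rule):
    """Return the stripped name, or None when none of the rule's separators occur."""
    before, marker, after = rule.partition("user")
    if marker != "user" or not (before or after):
        raise ValueError(f"rule {rule!r} must contain 'user' and a separator")
    name, matched = username, False
    if before and before in name:          # drop leading path/domain, e.g. CORP\
        name, matched = name.rsplit(before, 1)[1], True
    if after and after in name:            # drop trailing domain, e.g. @corp.com
        name, matched = name.split(after, 1)[0], True
    return name if matched else None


def strip_username(username, rules):
    """Apply the rules in order; the first one that strips something wins.
    A name that matches no rule is returned unchanged, which is why a rule
    naming both separators belongs before the single-separator forms."""
    for rule in rules:
        stripped = apply_rule(username, rule)
        if stripped is not None:
            return stripped
    return username


# Constructed rule set: "\user@" covers DOMAIN\name, name@realm and both at once
RULES = ["\\user@", "user/"]
```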
Table 385: Posture Policy Navigation and Settings

Navigation: Create a Posture Policy: Posture (tab) > Enable Validation Check (check box) > Add new Internal Policy (link) >
Setting: Name the Posture Policy and specify a general class of operating system: Policy (tab) > Policy Name (freeform): IPP_UNIVERSAL > Host Operating System (radio buttons): Windows > When finished working in the Policy tab, click Next to open the Posture Plugins tab
Table 385: Posture Policy Navigation and Settings (Continued)

Navigation: Select a Validator: Posture Plugins (tab) > Enable Windows Health System Validator > Configure (button) >
Setting: Configure the Validator: Windows System Health Validator (popup) > Enable all Windows operating systems (check box) > Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) > Save (button) >
Table 385: Posture Policy Navigation and Settings (Continued)

When finished working in the Posture Plugins tab, click Next to move to the Rules tab.

Navigation: Set rules to correlate validation results with posture tokens: Rules (tab) > Add Rule (button opens popup) > Rules Editor (popup) >
Setting: Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) > In the Rules Editor, upon completion of each rule, click the Save butto
Table 385: Posture Policy Navigation and Settings (Continued)

Navigation: Add the new Posture Policy to the Service: Back in Posture (tab) >
Setting: Internal Policies (selector): IPP_UNIVERSAL_XP, then click the Add button

The following fields deserve special mention:
- Default Posture Token. Value of the posture token to use if health status is not available.
- Remediate End-Hosts. When a client does not pass posture evaluation, redirect to the indicated server for remediation.
- Remediation URL.
MAC Authentication Use Case

This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request. A subsequent MAC Authentication request (forcefully triggered after the audit, or triggered after a short session timeout) uses the cached results from the audit to determine posture and role(s) for the device.
Table 387: MAC Authentication Service Navigation and Settings

Navigation: Create a new Service: Services > Add Service (link) >
Settings: Name the Service and select a pre-configured Service Type: Service (tab) > Type (selector): MAC Authentication > Name/Description (freeform) > Upon completion, click Next to configure Authentication

2. Set up Authentication. You can select any type of authentication/authorization source for a MAC Authentication service.
This step is optional if no Role Mapping Policy is provided, or if you want to establish health or roles using an audit. An audit server determines health by performing a detailed system and health vulnerability analysis (NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy Manager to determine client identity.
TACACS+ Use Case

This Service supports Administrator connections to Network Access Devices via TACACS+. The following image illustrates the overall flow of control for this Policy Manager Service.

Figure 545: Administrator connections to Network Access Devices via TACACS+

Configuring the Service

Perform the following steps to configure Policy Manager for TACACS+-based access:

1. Navigate to Configuration > Services.
2. Click the icon to add a service. The Configuration > Services > Add window opens.
3.
4. Define the Authentication settings for the service. Authentication methods can be left at their default values, as the Policy Manager TACACS+ service authenticates TACACS+ requests internally.
   a. In the Authentication Sources section, click the Select to Add drop-down list.
   b. Select AD (Active Directory). For this use case example, Network Access Device authentication data will be stored in the Active Directory.
5. Click the Enforcement tab and select an Enforcement Policy.
   a.
Appendix E OnGuard Dissolvable Agent

You can configure the OnGuard Dissolvable Agent flow in different modes to perform health scans on endpoints. This section provides information on configuring the OnGuard Dissolvable Agent in the following modes and on the end-to-end flow:

- Native agents only - The Native Dissolvable Agent communicates with ClearPass Guest to send information about endpoints such as status, health status, remediation messages, and so on.
Use the following steps to configure the OnGuard Dissolvable Agent in Native agents only mode:

1. Select the Policy-initiated - An enforcement policy will control a change of authorization option from the drop-down list in the Login Method field. The following figure displays the policy-initiated login method in the Web Login Editor page:

Figure 547: Policy-initiated Login Method

2. Select the Require a successful OnGuard health check option in the Health Check field.
The following figure shows an example of the Native Dissolvable Agent Login page:

Figure 549: Native Dissolvable Agent - Login Page

Specifying Terms in the Login page is optional. You can configure this by selecting the Require a Terms and Conditions confirmation check box in the Terms field of the ClearPass Guest Login Form.

2.
Figure 552: Native Dissolvable Agent Installation

If you are running Windows OS, Internet Explorer provides options to Run or Save. The Firefox and Chrome browsers provide the option to save the .exe file. If you are running Mac OS X, Firefox provides options to open the binary with DiskImageMounter or to save the .DMG file. The Safari and Google Chrome browsers provide the option to Save only.

5. Select the ClearPass OnGuard Web Agent application in the Launch Application page.
Figure 554: Native Dissolvable Agent Installation Progress

7. After the successful installation, the health check scan is initiated. The following figure shows an example of the progress indicator:

Figure 555: Health Check Progress

8. After the health check scan is completed, a page similar to the following example appears with the health check results if the client is unhealthy:

Figure 556: Health Check Results

9.
Figure 557: Access Tracker Page

The Auto-launch feature works in the Native agents only and Java Only modes without requiring the user to click the pop-ups and options described in the complete end-to-end flow above, except for configuring Terms in the ClearPass Guest Login page.

Auto-Login

The Native Dissolvable Agent supports the Auto-Login method, which eliminates the Require a Terms and Conditions confirmation check box in the Guest Web Login page by bypassing the web page and submitting automatically.
2. Select the Require a successful OnGuard health check option in the Health Check field. If you select this field, the guest needs to pass a health check before accessing the network.

Select the Native agents with Java fallback mode in the Client Agents field:

Figure 559: Native Agents with Java Fallback Mode

End-to-end flow in Native Agents with Java Fallback Mode

The posture assessment is performed based on your selection.
Figure 561: Web Agent Flow - 802.1X Service

2. Create a service named Web-based Health Check Only on the Dell Networking W-ClearPass Policy Manager server. The following figure shows an example of the Web Agent Flow - Health Only page:

Figure 562: Web Agent Flow - Health Only

3. Create a simple Web Auth service to authenticate users against the ClearPass Guest user database, to accept or perform the App authentication request after completing a sandwich flow.
1. Click Create a new web login page on the right corner of the ClearPass Guest UI. The following figure shows an example of the Web Login Editor page:

Figure 564: Web Login Editor

2. Select the Anonymous - Do not require a username or password option from the drop-down list.
3. Check the Enable bypassing the Apple Captive Network Assistant option in the Prevent CNA field.
4. Select the Local - match a local account option in the Pre-Auth Check field.
5.
Figure 565: Web Login - Login Form

7. Select the Local - match a local account option in the Post Authentication field. The following figure shows an example of the Web Login - Post-Authentication page:

Figure 566: Web Login - Post-Authentication

The following figure shows an example of the final web agent flow:

For more information, refer to ClearPass Guest Online Help.
Native Dissolvable Agent - Supported Browsers

This section provides information on supported browsers for the Native Dissolvable Agent. The versions given in the following table were tested and are up to date at the time of this release:

Table 392: Supported Browsers and Java Versions

Operating System: Windows 7 64-bit, Windows 7 32-bit, Windows 8 64-bit, Windows 8 32-bit, Windows 8.
Table 392: Supported Browsers and Java Versions (Continued)

Operating System: Windows XP SP3, Windows 2003 32-bit, Windows Vista, MAC 10.9, MAC 10.8, MAC 10.7.5

Browser and Test Results:
- IE 8.X 32-bit: Passed (#24766) - Dell Networking W-ClearPass Policy Manager 6.5.0.69430 and IE-9.x
- Chrome: Not supported (None) - Dell Networking W-ClearPass Policy Manager 6.5.0.70143 and Chrome 34.X
- Firefox: Not supported (None) - Dell Networking W-ClearPass Policy Manager 6.5.0.70143 and Firefox 30.X
- IE 8.
Table 392: Supported Browsers and Java Versions (Continued)

Operating System: Ubuntu 12.04 32-bit LTS, Ubuntu 12.04 64-bit LTS, Ubuntu 14.04 32-bit LTS, Ubuntu 14.04 64-bit LTS

Browser and Test Results:
- Chrome: Passed (#24986) - Dell Networking W-ClearPass Policy Manager 6.5.0.70143 and Chrome 39.X
- Firefox: Passed (None) - Dell Networking W-ClearPass Policy Manager 6.5.0.69931 and Firefox-34.X
- Chromium: Failed (#27264) - Dell Networking W-ClearPass Policy Manager 6.5.0.69931 and Chromium 39.