Dell Networking W-ClearPass Guest 6.
Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1 About this Guide
Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access.
Audience
This deployment guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process.
The following informational icons are used throughout this guide:
NOTE: Indicates helpful suggestions, pertinent information, and important things to remember.
CAUTION: Indicates a risk of damage to your hardware or loss of data.
WARNING: Indicates a risk of personal injury or death.
Contacting Support
Web Site Support
Main Website: dell.com
Support Website: dell.com/support
Documentation Website: dell.com/support/manuals
Chapter 2 W-ClearPass Guest Overview This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
Visitor Access Scenarios The following figure shows a high-level representation of a typical visitor access scenario. Figure 1: Visitor access using ClearPass Guest In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password.
Figure 2: Reference network diagram for visitor access The network administrator, operators, and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points.
ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network. NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask ClearPass Policy Manager to authenticate the username and password provided by a guest logging in to the network. If authentication is successful, the guest is then authorized to access the network.
• A landing page is displayed to the user [2] which allows them to log in to the NAS [3], [4] using the login name and password of their guest account.
• The NAS authenticates the user with the RADIUS protocol [5].
• ClearPass Policy Manager determines whether the user is authorized, and, if so, returns vendor-specific attributes [6] that are used to configure the NAS based on the user’s role and other policies [7].
Feature: Refer to…
Independent activation time, expiration time, and maximum usage time: "Business Logic for Account Creation" on page 153
Define unlimited custom fields: "Customizing Fields" on page 157
Username up to 64 characters: "GuestManager Standard Fields" on page 361
Customization Features
Create new fields and forms for visitor management: "Customizing Forms and Views" on page 162
Use built-in data validation to implement visitor survey forms: "Form Validation Properties" on page 176
Create
Term: Explanation
Field: In a user interface or database, a single item of information about a user account.
Form: In a user interface, a collection of editable fields displayed to an operator.
Network Access Server: Device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS access request is generated by the NAS.
• Physical location – rack space, power and cooling requirements; or deployment using virtualization
• Network connectivity – VLAN selection, IP address, and hostname
• Security infrastructure – SSL certificate
Site Preparation Checklist
The following is a checklist of the items that should be considered when setting up ClearPass Guest.
Security Policy Considerations
To ensure that your network remains secure, decisions have to be made regarding guest access:
• Do you wish to segregate guest access? Do you want a different VLAN, or different physical network infrastructure to be used by your guests?
• What resources are you going to make available to guests (for example, type of network access; permitted times of day; bandwidth allocation)?
• Will guest access be separated into different roles? If so, what roles are needed?
• How wi
Documentation and User Assistance This section describes the variety of user assistance available for ClearPass Guest. Deployment Guide and Online Help This Deployment Guide provides complete information for all ClearPass Guest features. The following quick links may be useful in getting started. Table 6: Quick Links For information about... Refer to...
Field Help The ClearPass Guest user interface has field help built into every form. The field help provides a short summary of the purpose of the field at the point you need it most. In many cases this is sufficient to use the application without further assistance or training. Quick Help In list views, click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that are available within the list.
Chapter 3 W-ClearPass Guest Manager The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager module provides complete control over the user account creation process.
About Guest Management Processes There are two major ways to manage guest access – either by your operators provisioning guest accounts, or by the guests self-provisioning their own accounts. Both of these processes are described in the next sections. Sponsored Guest Access The following figure shows the process of sponsored guest access. Figure 5: Sponsored guest access with guest created by operator The operator creates the guest accounts and generates a receipt for the account.
The NAS performs authentication and authorization for the guest in ClearPass Guest. Once authorized, the guest is then able to access the network. See "Customizing Self-Provisioned Access" on page 185 for details on creating and managing self-registration pages.
The Account Role specifies what type of account the visitor should have. A random password is created for each visitor account. This is displayed on this form, but will also be available on the guest account receipt. You must mark the Terms of Use check box in order to create the visitor account. Click the Create Account button after completing the form. Creating a Guest Account Receipt After you click the Create Account button on the New Visitor Account form, the details for that account are displayed.
To complete the form, you must enter the number of visitor accounts you want to create. A random username and password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. The visitor accounts cannot be used before the activation time, or after the expiration time. The Account Role specifies what type of accounts to create. Click the Create Accounts button after completing the form.
To print the receipts, select an appropriate template from the Open print window using template… drop-down list. A new browser window opens with the Print dialog displayed. To download a copy of the receipt information in CSV format, click the Save list for scratch cards (CSV file) link. You will be prompted to either open or save the spreadsheet (CSV) file.
To include the Password field on the Create Multiple Guest Accounts form: 1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest Accounts form and their descriptions. At this point, the Password field is not listed because the Create Multiple Guest Accounts form (create_multi) has not yet been customized to include it.
Managing Guest Accounts
Use the Guest Manager Accounts list view to work with individual guest accounts. To open the Guest Manager Accounts list, go to Guest > List Accounts. The Guest Manager Accounts view opens. This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields. See "Customizing Fields" on page 157 for details about this customization process. The default settings for this view are described below.
The Username, Role, State, Activation, and Expiration columns display information about the visitor accounts that have been created:
• The value in the Expiration column is colored red if the account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the account will expire within the next hour.
NOTE: When the list contains numerous user accounts, consider using the Filter field to speed up finding a specific user account. Use the Create tab to create new visitor accounts using the New Visitor Account form. See "Creating a Guest Account " on page 33 for details about this form. Use the More Options tab for additional functions, including import and export of guest accounts and the ability to customize the view. Click a user account’s row to select it.
Select the appropriate Action radio button, and click Make Changes to disable or delete the account. If you wish to have automatic disconnect messages sent when the enabled value changes, you can specify this in the Configuration module. See "Configuring ClearPass Guest Authentication" on page 146.
• Activate – Re-enables a disabled guest account, or specifies an activation time for the guest account. Select an option from the drop-down list to change the activation time of the guest account.
Click Update Account to update the properties of the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Sessions – Displays the active sessions for a guest account. See "Active Sessions Management" on page 63 in this chapter for details about managing active sessions.
• Print – Displays the guest account’s receipt and the delivery options for the receipt. For security reasons, the guest’s password is not displayed on this receipt.
Table 8: Operators supported in filters
Operator   Meaning
=    is equal to
!=   is not equal to
>    is greater than
>=   is greater than or equal to
<    is less than
<=   is less than or equal to
~    matches the regular expression
!~   does not match the regular expression
To restore the default view, click the Additional Information You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
The Results tab will be automatically selected after you have made changes to one or more guest accounts. You can create new guest account receipts or download the updated guest account information. See "Creating Multiple Guest Account Receipts" on page 35 in this chapter for more information. The More Options tab includes the Choose Columns command link. You can click this link to open the Configuration module’s Customize View Fields form, which may be used to customize the Edit Guest Accounts view.
• Import format: The format of the accounts file is automatically detected. You may specify a different encoding type if automatic detection is not suitable for your data.
To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name to use the values from that column when importing guest accounts, or select one of the other available options to use a fixed value for each imported guest account. Click the Next Step button to preview the final result. The Import Accounts form opens.
• Click the ThisPage link to select all entries on the current page.
• Click the All link to select all entries on all pages.
• Click the None link to deselect all entries.
• Click the New link to select all new entries.
• Click the Existing link to select all existing user accounts in the list.
Click the Create Accounts button to finish the import process. The selected items will be created or updated. You can then print new guest account receipts or download a list of the guest accounts.
Figure 8: MAC Authentication Profile
Managing Devices
To view the list of current MAC devices, go to Guest > List Devices. The Guest Manager Devices page opens. All devices created by one of the methods described in the following section are listed. Options on the form let you change a device’s account expiration date; remove, activate, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information.
Table 9: Operators supported in filters
Operator   Meaning
=    is equal to
!=   is not equal to
>    is greater than
>=   is greater than or equal to
<    is less than
<=   is less than or equal to
~    matches the regular expression
!~   does not match the regular expression
To restore the default view, click the Additional Information You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
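The operators in Table 8 and Table 9 can be modelled as a small evaluator. This is an added example, not ClearPass code: the `field<operator>value` syntax, the numeric-then-string ordering rule, case-sensitive matching, and the sample accounts are assumptions made for illustration.

```python
import re

# Longer operators are listed first so "!=" is not read as "=" and ">=" not as ">".
_FILTER_RE = re.compile(r"^\s*(\w+)\s*(!=|!~|>=|<=|=|>|<|~)\s*(.*?)\s*$")


def parse_filter(expr):
    """Split 'field<op>value' (assumed syntax) into (field, op, values)."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError("not a filter expression: %r" % expr)
    field, op, value = m.groups()
    # Only = and != accept several values separated by the pipe character.
    # For ~ and !~ a pipe is regular-expression alternation and is kept as is.
    if op in ("=", "!="):
        values = [v.strip() for v in value.split("|")]
    else:
        values = [value]
    return field, op, values


def _ordered(a, b):
    """Compare as numbers when both sides are numeric, else as strings."""
    try:
        return float(a), float(b)
    except ValueError:
        return a, b


def matches(record, expr):
    """Return True when the record satisfies the filter expression."""
    field, op, values = parse_filter(expr)
    actual = str(record.get(field, ""))
    if op == "=":
        return actual in values
    if op == "!=":
        return actual not in values  # must differ from every listed value
    if op == "~":
        return re.search(values[0], actual) is not None
    if op == "!~":
        return re.search(values[0], actual) is None
    left, right = _ordered(actual, values[0])
    return {">": left > right, ">=": left >= right,
            "<": left < right, "<=": left <= right}[op]


# Constructed sample accounts; "sessions" is a made-up field for the example.
ACCOUNTS = [
    {"username": "guest101", "role": "Guest", "sessions": "0"},
    {"username": "contractor7", "role": "Contractor", "sessions": "2"},
    {"username": "guest205", "role": "Guest", "sessions": "12"},
]


def select(accounts, expr):
    """Return the usernames of the accounts that match the filter."""
    return [a["username"] for a in accounts if matches(a, expr)]


if __name__ == "__main__":
    for expr in ("role=Guest|Contractor", "role!=Guest", "sessions>=2",
                 r"username~^guest(1|2)\d+$", "username!~^guest"):
        print(expr, "->", select(ACCOUNTS, expr))
```

The `sessions>=2` case shows why ordering operators need a numeric comparison: compared as strings, "12" would sort before "2".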
• If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
2. If you choose any option other than “will not expire” or “now” in the Account Expiration field, the Expire Action row is added to the table.
1. You can change the device’s address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication plugin. 2. If you need to change the activation time, choose one of the options in the Account Activation drop-down list. You may choose to activate the account immediately, at a preset interval of hours or days, or at a specified time.
• If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
4. To change the maximum usage allowed for the account, choose an option from the Total Allowed Usage dropdown list.
Creating Devices Manually in ClearPass Guest If you have the MAC address, you can create a new device manually. You do this on the New MAC Authentication form. To create a new device: 1. Go to Guest > List Devices and click the Create link, or you can go to the Guest navigation page and click the Create Device command. The New MAC Authentication page opens. 2. In the Sponsor’s Name row, enter the name of the person sponsoring the visitor account. 3. Enter the name for the device in the Device Name row. 4.
6. To set the account’s expiration time, choose one of the options in the Account Expiration drop-down list. You may set the account to never expire, or to expire at a preset interval of hours or days, or at a specified time.
• If you choose any time in the future, the Expire Action row is added to the form. Use this drop-down list to indicate the expiration action for the account—either delete, delete and log out, disable, or disable and log out.
Figure 9: Modify fields
• Edit the receipt form fields:
  ◦ Edit username to be a Hidden field
  ◦ Edit password to be a Hidden field
• Adjust any headers or footers as needed.
When the visitor registers, they should still be able to log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means. The account will only be visible on the List Devices page.
NOTE: If you delete the base account, all of its pairings will also be deleted. If RFC-3576 has been configured, all pairs will be logged out. AirGroup Device Registration AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them.
• AP FQLNs should be configured in the format ...
• Floor names should be in the format floor
• The should not include periods ( . )
Example: AP105-1.Floor 1.TowerD.Mycompany
6. In the Shared With field, enter the usernames of your organization’s staff or students who are allowed to use the device. Use commas to separate usernames in the list.
• If the Shared With field is left blank, this device can be accessed by all devices.
3. To edit properties of a shared device, click the Edit link for the device. The row expands to include the Edit Shared Device form. You can modify the device’s name, MAC address, shared locations, group of users, and shared roles. 4. When your edits are complete, click Save Changes. Registering Personal Devices This functionality is available to AirGroup operators. To register your personal devices and define a group who can share them: 1. Log in as the AirGroup operator and go to Guest > Create Device.
• If the Shared With field is left blank, this device can only be accessed by devices registered by the same operator or with a dot1x username that matches the operator’s name.
• If users are entered in the Shared With field, the device can be accessed by the device owner and by the specified users.
7. Click Register Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.
4. When your edits are complete, click Save Changes. Automatically Registering MAC Devices in ClearPass Policy Manager If ClearPass Policy Manager is enabled, you can configure a guest MAC address to be automatically registered as an endpoint record in ClearPass Policy Manager when the guest uses a Web login page or a guest self-registration workflow. This customization option is available if a valid Local or RADIUS pre-authentication check was performed.
included in the account as long as mac is passed in the URL. Relying on self-registration may defeat the purpose of two-factor authentication, however. The two factors are performed as follows:
1. Regular RADIUS authentication using username and password
2. Role checks the user account mac against the passed Calling-Station-Id.
Edit the user role and the attribute for Reply-Message or Aruba-User-Role. Adjust the condition from Always to Enter conditional expression.
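The two factors above, sketched as an added example (not ClearPass code or its conditional-expression syntax). The account store, the request dictionary, and the choice to reject on a MAC mismatch are assumptions; the point is that both MAC values must be normalized for separator and case before comparison, and that a missing or malformed value must never count as a match.

```python
import hmac
import re


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None when value is not a MAC address."""
    digits = re.sub(r"[-:.\s]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def mac_matches(account_mac, calling_station_id):
    """Factor 2: the account's mac field must equal the Calling-Station-Id."""
    stored = normalize_mac(account_mac)
    seen = normalize_mac(calling_station_id)
    # Two invalid values both normalize to None; that is not a match.
    return stored is not None and stored == seen


# Constructed account store; username, password and MAC are sample values.
ACCOUNTS = {
    "visitor1": {
        "password": "constructed-sample-pw",
        "mac": "00-1A-2B-3C-4D-5E",
        "role": "Guest",
    },
}


def authorize(request, accounts=ACCOUNTS):
    """Return (decision, role) for a dict of RADIUS request attributes."""
    account = accounts.get(request.get("User-Name", ""))
    if account is None:
        return ("Access-Reject", None)
    # Factor 1: username and password, compared in constant time.
    supplied = request.get("User-Password", "").encode()
    if not hmac.compare_digest(account["password"].encode(), supplied):
        return ("Access-Reject", None)
    # Factor 2: the role is granted only when the device MAC matches.
    # Rejecting outright on mismatch is an assumption of this sketch.
    if not mac_matches(account["mac"], request.get("Calling-Station-Id")):
        return ("Access-Reject", None)
    return ("Access-Accept", account["role"])


if __name__ == "__main__":
    ok = {"User-Name": "visitor1", "User-Password": "constructed-sample-pw",
          "Calling-Station-Id": "001a.2b3c.4d5e"}
    other_device = dict(ok, **{"Calling-Station-Id": "00:1A:2B:3C:4D:5F"})
    print(authorize(ok))            # same device, different notation
    print(authorize(other_device))  # right password, different device
```

If the stored mac value was taken from a URL parameter during self-registration, the second factor only proves that the device matches whatever the registrant supplied, which is the weakness the text notes.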
Navigate to Administration > Plugin Manager > Manage Plugins: MAC Authentication: Configuration and enable MAC Detect.
Create a Web Login
• Authentication: Anonymous
• Anonymous User: _mac (_mac is a special secret value)
• Pre-Auth Check: Local
• Terms: Require a Terms and Conditions confirmation
Set the Web login as your landing page and test. With a registered device, the 'Log In' button should be enabled; otherwise it will be disabled.
• To view details for an active session, click the session’s row in the list, then click its Show Details link. The form expands to include the Session Details view.
• If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions. See "RFC 3576 Dynamic Authorization" on page 65 for more information.
  ◦ To disconnect an active session, click the session’s row in the list, then click its Disconnect link.
• You can use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
Enter a username or IP address in the Filter field. Additional fields can be included in the search if the “Include values when performing a quick search” option was selected for the field within the view. To control this option, use the Choose Columns command link on the More Options tab.
• To close all active sessions, leave the Start Time and End Time fields empty and click Make Changes. All active sessions are closed and are removed from the Active Sessions list.
You can specify sessions in a time range.
1. To close all sessions that started after a particular time, click the button in the Start Time row. The calendar picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes.
About SMS Guest Account Receipts You can send SMS receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt. ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand. To manually send an SMS receipt: 1.
Chapter 4 Onboard Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. Dell Networking W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices—Windows, Mac OS X, iOS and Android—across wired, wireless, and VPNs.
About ClearPass Onboard This section provides important information about Dell Networking W-ClearPass Onboard. Onboard Deployment Checklist Table 12 lists planning, configuration, and testing procedures. Use this checklist to complete your Onboard deployment. Onboard events are stored in the Application Log for seven days by default. After seven days, significant runtime events are listed in the Audit Viewer in Dell Networking W-ClearPass Policy Manager’s Monitoring module.
Deployment Step: Reference
Configure the Onboard certificate authority. Decide whether to use the Root CA or Intermediate CA mode of operation. Create the certificate for the certificate authority.: "Certificate Authority Settings" on page 84
Configure device provisioning settings. Select certificate options for device provisioning. Select which device types should be supported.: "About Configuring Provisioning Settings" on page 133
Configure network settings for device provisioning.
Table 13: Onboard Features
Feature Uses
• Automatic configuration of network settings for wired and wireless endpoints.
• Secure provisioning of unique device credentials for BYOD and IT-managed devices.
• Support for Windows, Mac OS X, iOS, and Android devices.
• Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.
Platform | Example Devices | Version Required for Onboard Support | Notes
Android | Samsung Galaxy S, Samsung Galaxy Tab, Motorola Droid | Android 2.2 (or higher) | 2
Microsoft Windows | Laptop, Netbook | Windows XP with Service Pack 3, Windows Vista with Service Pack 3, Windows 7 | 2
Note 1: Uses the “Over-the-air provisioning” method.
Note 2: Uses the “Onboard provisioning” method.
Note 3: Onboard may also be used to provision VPN settings, Exchange ActiveSync settings, and passcode policy on these devices.
• The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.
  ◦ The identity information in the profile signing certificate is displayed during device provisioning.
• One or more Server Certificates may be issued for various reasons – typically, for an enterprise’s authentication server.
  ◦ The identity information in the server certificate may be displayed during network authentication.
This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the device, the revoked certificate must be deleted. If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate’s state. When the certificate is next used for authentication, it will be recognized as a revoked certificate and the device will be denied access.
• Configure the network to use both PEAP and EAP-TLS authentication methods.
• When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.
• The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
• When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.
Network Architecture for Onboard The high-level network architecture for the Onboard solution is shown in the following figure. Figure 11: ClearPass Onboard Network Architecture The sequence of events shown in Figure 11 is: 1. Users bring their own device to the enterprise. 2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. 3.
1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks. 2. The Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. The provisioning method used depends on the type of device. a.
The ClearPass Onboard Process

Devices Supporting Over-the-Air Provisioning

Dell Networking W-ClearPass Onboard supports secure device provisioning for iOS 4, iOS 5, and recent versions of Mac OS X (10.7 “Lion” and later). These are collectively referred to as “iOS devices”. The Onboard process for iOS devices is shown in Figure 14.

Figure 14: ClearPass Onboard Process for iOS Devices

The Onboard process is divided into three stages:
1. Pre-provisioning.
1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.
2. A link on the mobile device provisioning page prompts the user to install the enterprise’s root certificate. Installing the enterprise’s root certificate enables the user to establish the authenticity of the provisioning server during device provisioning.
3.
Figure 17: ClearPass Onboard Process for Onboard-Capable Devices

The Onboard process is divided into three stages:
1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be installed for secure provisioning of the device.
2. Provisioning. The device provisioning page detects the device type and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server.
2. The Onboard portal is displayed. The user’s device type is detected, and a link is displayed depending on the device type:
   a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this file will launch the QuickConnect app on the device.
   b. For Windows and Mac, the link is to an executable file appropriate for that operating system that includes both the QuickConnect app and the Onboard configuration settings.
3.
The provisioning process for Windows, Mac OS X and Android devices uses a separate app, which has a customizable user interface. See "Configuring Options for Legacy OS X, Windows, and Android Devices" on page 142 to make changes to the user interface.

Customizing the Device Provisioning Web Login Page

Onboard creates a default Web login page that is used to start the device provisioning process. To edit this page, navigate to Configuration > Start Here, then click the Web Logins command link.
name=organization_name} credentials
3. Install the certificate when prompted
4. Go to your Wi-Fi settings and connect to SSID: {nwa_mdps_config name=wifi_ssid}
Using the {nwa_mdps_config} Template Function

Certain properties can be extracted from the Onboard configuration and used in the device provisioning page. To obtain these properties, use the {nwa_mdps_config} Smarty template function.

• To view details for a certificate authority, click its Show Details link. The form expands to show a summary of the settings defined for it, including information for certificate issuing, retention policy, identity, private key, and self-signed certificate.
• To edit any of a certificate authority's attributes and configure certificate issuing options, click its Edit link. The edit page of the Certificate Authority Settings form opens. See "Editing Certificate Authority Settings" on page 88.
Setting Up the Certificate Authority

The initial setup page of the Certificate Authority Settings form is used to create the Onboard certificate authority (CA) and to configure some basic properties:
• Give it a name and description
• Specify root CA, intermediate CA, or local CA mode
• Configure the identity, private key, and self-signed certificate attributes

To create an Onboard certificate authority:
1.
4. The mode is used to set up the mode of operation for the certificate authority. In the Mode area, click one of the descriptions to specify the type of certificate authority:
   • Root CA—The Onboard certificate authority issues its own root certificate. The certificate authority issues client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate.
9. In the Private Key area, use the Key Type drop-down list to specify the type of private key that should be created for the certificate:
   • 1024-bit RSA – not recommended for a root certificate
   • 2048-bit RSA – recommended for general use
   • 4096-bit RSA – higher security
10. In the Self-Signed Certificate area, for a root certificate the CA Expiration field is included in the form. Use this field to specify the lifetime of the root certificate in days. The default value is 365 days.
11.
2. You may edit the certificate's Name. The certificate should have a short name that identifies it clearly. Certificate authority names can include spaces. 3. You may edit the Description. Briefly describe the CA. This description is shown in the Certificate Authorities list. The Name and Description fields are used internally to identify this certificate authority for the network administrator. These values are never displayed to the user during device provisioning. 4.
• The “not valid after” time is first calculated as the earliest of the following:
  ▪ The current time, plus the maximum validity period.
  ▪ The expiration time of the user account for whom the device certificate is being issued.
• The “not valid after” time is then increased by the clock skew allowance.
8. In the Subject Alternative Name field, to include additional fields in the TLS client certificate issued for a device, mark the Include device information in TLS client certificates check box.
9. In the Retention Policy area, specify values in the Minimum Period and Maximum Period fields that are appropriate for your organization’s retention policy. The default data retention policy specifies a minimum period of 12 weeks and a maximum period of 52 weeks. NOTE: To enable the Delete Certificate and Delete Request actions in the Certificate Management list view, use a blank value for Minimum Period. This is useful for testing and initial deployment. 10.
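The “not valid after” rule described above can be checked against an exported certificate inventory. The following is an added example, not code from the product or the original guide; the record layout, the serial values, the 15-minute skew and the treatment of accounts without an expiration time are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def compute_not_after(now, max_validity, account_expiry, clock_skew):
    """Apply the rule from the guide: take the earliest of (now + maximum
    validity) and the account expiration, then add the clock skew allowance."""
    bounds = [now + max_validity]
    # Assumption: an account with no expiration is bounded only by the
    # maximum validity period.
    if account_expiry is not None:
        bounds.append(account_expiry)
    return min(bounds) + clock_skew


def out_of_policy(inventory, max_validity, clock_skew):
    """Return (serial, excess) for every certificate whose notAfter is later
    than the rule allows. A non-empty result means a certificate outlives
    either the validity policy or the account it was issued for."""
    findings = []
    for cert in inventory:
        limit = compute_not_after(
            cert["issued_at"], max_validity, cert["account_expiry"], clock_skew
        )
        if cert["not_after"] > limit:
            findings.append((cert["serial"], cert["not_after"] - limit))
    return findings


# Constructed sample records (not real certificates).
ISSUED = datetime(2013, 6, 1, 12, 0, tzinfo=UTC)
WEEK_ACCOUNT = datetime(2013, 6, 8, 12, 0, tzinfo=UTC)
SAMPLE_INVENTORY = [
    # Bounded by the account expiration plus skew: compliant.
    {"serial": "example-01", "issued_at": ISSUED,
     "account_expiry": WEEK_ACCOUNT,
     "not_after": datetime(2013, 6, 8, 12, 15, tzinfo=UTC)},
    # No account expiration, bounded by maximum validity plus skew: compliant.
    {"serial": "example-02", "issued_at": ISSUED,
     "account_expiry": None,
     "not_after": datetime(2014, 6, 1, 12, 15, tzinfo=UTC)},
    # Valid a month beyond the account that owns it: flagged.
    {"serial": "example-03", "issued_at": ISSUED,
     "account_expiry": WEEK_ACCOUNT,
     "not_after": datetime(2013, 7, 8, 12, 0, tzinfo=UTC)},
]

if __name__ == "__main__":
    for serial, excess in out_of_policy(
        SAMPLE_INVENTORY, timedelta(days=365), timedelta(minutes=15)
    ):
        print(f"{serial}: notAfter exceeds the policy limit by {excess}")
```

Note that the skew allowance is added after the account expiration is applied, so a compliant certificate can remain valid for that allowance beyond the end of the account.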
2. Select one of the radio buttons to either copy and paste the certificate as encoded text or browse to the file to upload. The form expands to include options for that method.
3. If you selected Copy and paste certificate as text:
   • To upload a single certificate, copy and paste the certificate into the Certificate text field. The text must include the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines. Leave the passphrase fields blank.
5. Click Upload Certificate to save your changes. If additional certificates are required, you will remain at the same page. Check the message displayed above the form to determine which certificate or type of file must be uploaded next. When the trust chain is complete, it will be displayed. This completes the initialization of the certificate authority.
To export a certificate: 1. Click the Download Bundle link. The Export Certificate form opens. 2. In the Format row, choose the certificate format. The form expands to include configuration options for that format. 3. Complete the fields with the appropriate information, then click Export Certificate.
Considerations for iOS Devices

The server certificate is used by ClearPass to secure Web (HTTPS) and authentication (RADIUS) traffic. It can be configured in ClearPass Policy Manager under Administration > Certificates > Server Certificate. The optimal configuration for Onboard is a server certificate issued by a trusted commercial certificate authority. A list of certificate authorities trusted by iOS devices can be found at http://support.apple.com/kb/HT5012.
Click the link to submit a request using a base-64-encoded CMC or PKCS #10 file. The Submit a Certificate Request or Renewal Request page is displayed. Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select the “Subordinate Certificate Authority” in the Certificate Template drop-down list. Click the Submit button to issue the certificate.
If the Certificate Pending page is displayed, follow the directions on the page to retrieve the certificate when it is issued.

Figure 21: The Certificate Issued Page

If the Certificate Issued page is displayed, select the Base 64 encoded option and then click the Download certificate chain link. A file containing the intermediate certificate and the issuing certificates in the trust chain will be downloaded to your system.
• Trusted Certificate—Use this option when the certificate is to be issued to a network server, such as a Web server or as the EAP-TLS authentication server.
  ▪ When this option is selected, the issued certificate’s extended key usage property will contain a value of “Server Auth”, indicating that the certificate may be used to identify a server.
• Certificate Authority—Use this option when the certificate is for a subordinate certificate authority.
If you have selected TLS Client as the certificate type, the Subject Alternative Name section is also shown. The alternative name can be used to specify additional identification details for the certificate’s subject. If one or more of these options are provided, the issued certificate will contain a subject AltName extension with the specified values. Table 17 explains the fields that may be included as part of the subject alternative name.
The Certificate Management list view opens. This list displays all of the certificates and certificate requests in the Onboard system. Information provided in the Certificate Management list includes common name, certificate authority, serial number (if available), certificate type, validity date range, and device type—iOS, Android, Windows, or None (if not associated with a device type). Table 18 lists the types of certificate that are displayed in this list.
Searching for Certificates in the List

The Filter field can be used to quickly search for a matching certificate. Type a username into this field to locate all certificates matching that username quickly. The filter is applied to all columns displayed in the list view. To search by another field, such as MAC address, device type, or device serial number, click the Columns tab, select the appropriate column(s), and then click the Save and Reload button.
Click the Export Certificate button to download the certificate file in the selected format.
• Revoke certificate – Displays the Revoke Certificate form. Mark the Revoke this client certificate check box to confirm that the certificate should be revoked, and then click the Revoke Certificate button. Once the certificate has been revoked, future checks of the certificate’s validity using OCSP or CRL will indicate that the certificate is no longer valid.
The Delete Certificate form is displayed. Mark the Delete this client certificate check box to confirm the certificate’s deletion, and then click the Delete Certificate button.

Working with Certificate Signing Requests

Certificate signing requests can be managed through the Certificate Management list view. This allows for server certificates, subordinate certificate authorities, and other client certificates not associated with a device to be issued by the Onboard certificate authority.
ClearPass Policy Manager as the server certificate (ClearPass Policy Manager does not accept PKCS#7). To include the trust chain in a certificate bundle that can be imported as the server certificate in ClearPass Policy Manager, mark the Include certificate trust chain check box, then click the Export Certificate button. Click the Export Request button to download the certificate signing request file in the selected format.
• Sign request – Displays the Sign Request form.
Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button.
• Delete request – Removes the certificate signing request from the list. This option is only available if the data retention policy is configured to permit the certificate signing request’s deletion. The Delete Request form is displayed.
To import a code-signing certificate: 1. Go to Onboard > Certificate Management or Onboard > Provisioning Settings and click the Upload a codesigning certificate link at the top of the page. The Code-Signing Certificate Import form opens. 2. In the Certificate Type drop-down list, choose the file type—either SPC, PFX, PKCS-7, or PKCS-12. The form expands to include the Certificate area, with fields for uploading the certificate, uploading the private key, and entering the passphrase.
The test certificate is displayed in the list on the Certificate Management page, and can be selected on the Provisioning Settings form.

Importing a Trusted Certificate

Onboard’s Certificate Management page supports importing trusted certificates. Certificates may be uploaded in PEM format (*.pem). To import a trusted certificate:
1. Go to Onboard > Certificate Management and click the Upload a trusted certificate link in the upper-right corner. The Import Trusted Certificate form opens.
2.
3. You can use the following additional options in the upper-right corner of the Import Trusted Certificate page:
   • Click the Upload another trusted certificate link to upload additional certificates.
   • Click the Edit trust settings link to open the Trust tab of the Network Settings form.

Requesting a Certificate

From the Certificate Management page, click the Certificate Signing Request form.
Paste the text into the Certificate Signing Request text field. Be sure to include the complete block of text, including the beginning and ending lines.
Specifying Certificate Properties

Select the type of certificate from the Certificate Type drop-down list. Choose from one of the following options:
• TLS Client Certificate – Use this option when the certificate is to be issued to a client, such as a user or a user’s device.
• TLS Server Certificate – Use this option when the certificate is to be issued to a network server, such as a Web server or as the EAP-TLS authentication server.
Profiles

To work with configuration profiles, go to Onboard > Configuration Profiles > Profiles. The Configure Profiles list view opens. All configuration profiles that have been created are included in the list. You can click a profile's row in the list for additional options:
• To view details for a configuration profile, click its Show Details link.
2. In the Name field, give the configuration profile a short name that identifies it clearly. Configuration profile names can include spaces. If you are duplicating a profile, the original name has a number appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the profile. 4. In the Applications field, choose an application set from the drop-down list.
Application sets let you specify either individual applications or groups of applications that should be installed during device provisioning, and indicate whether they should be restarted when the device is provisioned. Each application set you define is a "configuration unit" that you can include in a configuration profile. To create and work with application sets, go to Onboard > Configuration Profiles > Applications. The Applications list view opens.
2. In the Name field, give the application set a short name that identifies it clearly. Application set names can include spaces. If you are duplicating an application set, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the application set. 4. Applications you have downloaded through the Content Manager are listed in the Installers field.
• To view details for an Exchange ActiveSync unit, click its Show Details link. The form expands to show its name and description, ActiveSync host, whether SSL is enabled, account details, and number of days of mail.
• To edit any of an ActiveSync unit's attributes, click its Edit link. The Exchange ActiveSync Settings form opens.
• To create a copy of an ActiveSync unit to use as a basis for a new configuration unit, click its Duplicate link.
2. In the Name field, give the ActiveSync configuration a short name that identifies it clearly. ActiveSync configuration names can include spaces. If you are duplicating a configuration, the original name has a number appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the ActiveSync setting. 4.
5. In the Sync Settings group, choose one of the following options from the Days of Mail drop-down list:
   • No Limit
   • 1 day
   • 3 days
   • 1 week
   • 2 weeks
   • 1 month
6. Click Save Changes. The Exchange ActiveSync setting is available as a configuration unit on the Configuration Profile form.

Network Settings

You can define multiple network settings that can be sent to provisioned devices. Each network you configure is also a "configuration unit" that you can include in a configuration profile.
All networks that have been provisioned are included in the list. You can click a network's row in the list for additional options:
• To view details for a network, click its Show Details link. The form expands to show its name, description, and configuration values for network access, wireless networks, enterprise protocols, enterprise authentication, enterprise trust, Windows networking, and proxy settings.
• To edit any of a network's attributes, click its Edit link. The Network Settings form opens.
2. To edit the network’s basic and wireless network access options, click the Access tab.
3. If you need to edit the network’s name, enter the new name in the Name field.
4. (Optional) You may enter additional identifying information in the Description field.
5. The options available in the Network Type drop-down list are:
   • Both — Wired and Wireless – Configures both wired (Ethernet) and wireless network adapters. Use this option when you have 802.1X configured for all types of network access.
• In the Auto Join row, you can mark the Automatically join network check box to specify that the device should be automatically connected to the network when it is provisioned. If only one network is available to the user, the device will be connected automatically. If multiple networks are available, the user will be able to choose the network to connect to. If the Automatically join network option is not selected on this form, an option to manually connect to the network will be shown to the user.
9.
• Configure EAP-TLS for iOS devices and OS X (10.7 or later).
• Other EAP methods, while possible, are limited in their applicability and should only be used if you have a specific requirement for that method.

The Windows EAP options that may be specified include:
• Enable Fast Reconnect – Fast Reconnect is a PEAP property that enables wireless clients to move between wireless access points on the same network without being re-authenticated each time they associate with a new access point.
• Machine Or User – Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.
• Guest Only – Use guest-only credentials.
3. Do one of the following:
   • Click Previous to return to the Protocols tab.
2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only certificates included in this list will be trusted. Enter each server name on a separate line. You can use wildcards. 3. In the Trusted Certificates row, the recommended certificate is selected by default. You may click the field to open the drop-down list and select a different certificate the client should trust.
• Click Save Changes to make the new network configuration settings take effect.
• Click Cancel to discard your changes and return to the main Onboard configuration user interface.

Configuring Windows-Specific Network Settings

Click the Windows tab to display the Windows Network Settings form. Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy.
Select one of these options in the Proxy Type drop-down list:
• None – No proxy server will be configured.
• Manual – A proxy server will be configured, if the device supports it. Specify the proxy server settings in the Server and Server Port fields.
• Automatic – The device will configure its own proxy server, if the device supports it. Specify the location of a proxy auto-config file in the PAC URL text field.
• Do one of the following:
  ▪ Click Previous to return to the Windows tab.
• To view details for a passcode policy, click its Show Details link. The form expands to show its name, description, and other configuration settings.
• To edit any of a passcode policy's attributes, click its Edit link. The Passcode Policy Settings form opens.
• To create a copy of a passcode policy configuration to use as a basis for a new configuration, click its Duplicate link. The Passcode Policy Settings form opens with all attributes prepopulated and "Copy" appended to its name.
2. In the Name field, give the passcode policy a short name that identifies it clearly. Passcode policy names can include spaces. If you are duplicating a passcode policy, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the passcode policy. 4. To require the user to create a passcode, mark the check box in the Force PIN field. 5.
10. To specify a maximum duration for the passcode, use the counter in the Max PIN Age field. After the specified number of days, the device is locked and the user must change their passcode. 11. To require that the passcode include complex characters, use the counter in the Min Complex Chars field to specify how many complex characters it must contain. Complex, or special, characters are non-alphanumeric, such as &%$#. 12.
All VPN configurations that have been created are included in the list. You can click a VPN configuration's row in the list for additional options:
• To view details for a VPN configuration, click its Show Details link. The form expands to show its name, description, and other configuration settings.
• To edit any of a VPN configuration's attributes, click its Edit link. The VPN Settings form opens.
2. In the Name field, give the VPN configuration a short name that identifies it clearly. VPN configuration names can include spaces. If you are duplicating a VPN configuration, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the VPN configuration. 4.
6. In the Machine Authentication area, you may enter a value in the Shared Secret fields, or leave them blank to prompt the user to create the shared secret.
7. In the User Authentication area of the form, you may enter a value in the Account field, or leave it blank to prompt the user to enter the account.
8. In the User Authentication field, select either Password or RSA SecurID as the authentication type for the connection.
9. You can specify a proxy server to use when the VPN connection is active.
1. Go to Onboard > Device Management. The Device Management list view opens. This list displays all currently provisioned devices. Information shown for each device includes its device type, MAC address, device ID, user, and access status. 2. The Device Type filter lets you filter for All, Android, iOS, OS X, or Windows device types. 3. You can use the Keywords field to filter by a username or MAC address. 4.
You can click a provisioning set's row in the list for additional options:
• To view details for a provisioning set, click its Show Details link. The form expands to show a summary of the settings defined for it, including information for identity, authorization, supported devices, Web login page, device provisioning, profile signing, and reconnect behavior.
• To edit any of a provisioning set's attributes, click its Edit link. The Device Provisioning Settings tabbed form opens.
• iOS and OS X – Specifies options for Apple iOS and OS X device provisioning such as display text, profile security, certificate source, and reconnect behavior. See "Configuring Provisioning Settings for iOS and OS X" on page 137.
• Legacy OS X – Specifies text displayed during legacy OS X device provisioning. See "Configuring Provisioning Settings for Legacy OS X Devices" on page 142.
• 2048-bit RSA – created by device: Recommended for general use. Uses SCEP to provision the EAP-TLS certificate.
• 1024-bit RSA – created by server: Lower security.
• 2048-bit RSA – created by server: Recommended for general use.
• 4096-bit RSA – created by server: Higher security.

NOTE: Using a private key containing more bits will increase security, but will also increase the processing time required to create the certificate and authenticate the device.
2. In the Page Name field, enter the page name for the Web login page.
3. In the Login Form area:
   • Mark the Custom Form check box to use your own HTML login form in the header and footer areas.
   • To modify the login form's labels and error messages, mark the Custom Labels check box. The form expands to include the Username Label, Password Label, and Log In Label fields. Complete these fields with your customized label text.
Configuring Provisioning Settings for iOS and OS X

To specify provisioning settings related to iOS and OS X devices:
1. On the Device Provisioning Settings form, click the iOS & OS X tab.
2. Use the Display Name and Profile Description text fields to control the user interface displayed during device provisioning.
3.
When an iOS device receives a new configuration profile that has the same profile ID as an existing profile, the existing profile will be replaced with the new profile. NOTE: Changing the profile ID will affect any device that has already been provisioned with the existing profile ID. The default value is automatically generated and is globally unique. You should only change this value during initial configuration of device provisioning. 6.
4. In the Connect Success row, enter the text that will be shown to the user after successful reconnect. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed. 5. In the Connect Failure row, enter the text that will be shown to the user after a failed reconnect or if the device does not support reconnection (for example, for iOS 4 and earlier devices). Enter the text as HTML code. You can use Smarty template functions.
2. In the Code-Signing Certificate drop-down list, select a certificate for signing the provisioning application, or leave the default setting of None-Do not sign the application. 3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 4.
2. In the Android Rootkit Detection drop-down list, choose one of the following options:
   • Provision all devices—All Android devices will be provisioned.
   • Do not provision rooted devices—Onboard will detect a jailbroken Android device and will not provision the device if it has been compromised.
3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions.
6. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 7. You may use the Insert content item drop-down list to add an image file or other content item. 8. When your entries are complete in this tab, click Save Changes.
2. In the Provisioning Address drop-down list, choose the hostname or IP address to use for device provisioning:
   • The system’s hostname (requires DNS resolution) – Select this option to use the system hostname for device provisioning.
     NOTE: This option requires that the device be able to resolve the listed hostname at the time the device is provisioned.
   • The system’s IP address (network adapter name) – Select this option to use the IP address of the system for device provisioning.
6. To display your enterprise’s logo, select an image from the list in the Logo Image field. Navigate to Administration > Content Manager to upload new images to use as the logo. The native size of the logo used in the QuickConnect client is 188 pixels wide, 53 pixels high. You may use an image of a different size and it will be scaled to fit, but for the best quality results it is recommended that you provide an image that is already the correct size. 7.
Chapter 5 Configuration

Dell Networking W-ClearPass Guest’s built-in Configuration editor lets you customize many aspects of the appearance, settings, and behavior of the application.
Configuring ClearPass Guest Authentication

You can use the Configuration module to modify authentication settings for the Dell Networking W-ClearPass Guest application. To configure ClearPass Guest’s authentication settings:
1. Go to Configuration > Authentication. The Authentication Settings form opens.
2. To send automatic disconnect or re-authorization messages when enabled or role values change, mark the check box in the Dynamic Authorization row.
To use a content item, you can insert a reference to it into any custom HTML editor within the application. To do this, select the content item you want to insert from the drop-down list located in the lower right corner of the editor. The item will be inserted using HTML that is most suited to the type of content inserted. To manually reference a content item, you can use the URL of the item directly. For example, an item named logo.jpg could be accessed using a URL such as: http://192.0.2.23/public/logo.
After you have completed the form, click the Fetch Content button to have the file downloaded. The file is placed in the public directory on the Web server. You are then able to reference this file when creating custom HTML templates.

Additional Content Actions

To work with your content items:
1. Go to Configuration > Content Manager, then click the item’s row in the list. The row expands to include the Properties, Delete, Rename, Download, View Content, and Quick View options.
2.
Customizing Guest Manager

Guest Manager allows the entire guest account provisioning process to be customized. This is useful in many different situations, such as:
• Self-registration – Allow your guests to self-register and create their own temporary visitor accounts.
• Visitor surveys – Define custom fields to store data of interest to you, and collect this information from guests using customized forms.
• Branded print receipts – Add your own branding images and text to print receipts.
Figure 23: Sample Guest Receipt Showing Aruba as the Default Site SSID

• Site WPA Key—The encryption key used to secure the wireless network. If a value is entered in this field, it will appear on guest print receipts.
• Username Type—The default method used to generate random account usernames (when creating groups of accounts). This may be overridden by using the random_username_method field.
   ◦ At least one digit
   ◦ At least one letter and one digit
   ◦ At least one of each: uppercase letter, lowercase letter, digit
   ◦ At least one symbol
   ◦ At least one of each: uppercase letter, lowercase letter, digit, and symbol
• Minimum Password Length – The minimum acceptable password length for guests changing their account passwords.
• Disallowed Password Characters – Special characters that should not be allowed in a guest password. Spaces are not allowed by default.
Figure 25: Customize Guest Manager Page, Continued (lower section)

• Terms of Use URL – URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use using the Content Manager (see "Content Manager" on page 146). If this file is called terms.html, then the Terms of Use URL should be public/terms.html.
• Active Sessions – Default maximum number of active sessions that should be allowed for a guest account.
• About Guest Network Access – Allows the text displayed to operators on the Guest Manager start page to be customized, or removed (if a single hyphen “-” is entered).

About Fields, Forms, and Views

• A field is a named item of information. It may be used to display information to a user as static text, or it may be an interactive field where a user can select an option or enter text.
• A form is a group of fields that is used to collect information from an operator.
• role_id: This field is the role to assign to the visitor account and may be specified directly. If this field is not specified, then determine the role ID from the role_name field. If no valid role ID is able to be determined, the visitor account is not created.
• simultaneous_use: This field determines the maximum number of concurrent sessions allowed for the visitor account. If this field is not specified, the default value from the GuestManager configuration is used.
   ◦ If expire_after is set and not zero and the account will be activated immediately, then add the value in hours to the current time to determine the expiration time.
   ◦ If expire_after is set and not zero and account activation is set for a future time (schedule_time) instead of the current time, then the expiration time is calculated relative to the activation time instead of the current time.
Table 19: Visitor Management Forms and Views

Name               Type   Visitor Management Function   Editable?
change_expiration  Form   Change Expiration             Yes
create_multi       Form   Create Multiple               Yes
create_user        Form   Create Account                Yes
guest_edit         Form   Edit Account                  Yes
guest_export       View   Export Accounts               Yes
guest_multi        View   Edit Multiple Accounts        Yes
guest_multi_form   Form   Edit Multiple Accounts        Yes
guest_receipt      Form   Print Receipt                 No
guest_register     Form   Guest Self-Registration       Yes
guest_regist
Customizing Fields

Custom fields are fields that you define yourself to cater for areas of interest to your organization. You are able to define custom fields for your guest accounts as well as edit the existing fields. In addition you can delete and duplicate fields. For your convenience you are also able to list any forms or views that use a particular field.

NOTE: Fields that have a lock symbol cannot be deleted.
You can specify the default properties to use when adding this field to a view. See "View Field Editor" on page 183 for a description of the view display fields, including the Column Type and Column Format fields. You can specify the default properties to use when adding the field to a form. See "View Field Editor" on page 183 for a list of the available user interface types. If you select Text or Password as the User Interface type, the Placeholder row is added to this form.
You can specify the default validation rules that should be applied to this field when it is added to a form. See "Form Validation Properties" on page 176 in this chapter for further information about form validation properties. Select the Show advanced properties check box to reveal additional properties related to conversion, display and dynamic form behavior. See "View Field Editor" on page 183 in this chapter for more information about advanced properties.
Customizing AirGroup Registration Forms

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. If AirGroup Services is enabled, AirGroup administrators can provision their organization’s shared devices and manage access, and AirGroup operators can register and provision a limited number of their own personal devices for sharing.
The values you enter in the Options text box control both the values stored in the shared_location field in the database as well as the text displayed to the user in the checklist. Use the following format:

tag1=value1 | Option 1
tag2=value2 | Option 2

...where the tag=value pair tag1=value1 represents the value stored in the shared_location field in the database, the pipe character ( | ) is a separator, and Option 1 represents the text displayed in the checklist.
8.
Example: If the layout is set to vertical and the following options are specified:

AP-Group=Location-1 | Location One
AP-Group=Location-2 | Location Two
AP-Location-3 | Location Three

The user interface appears as follows:

Customizing Forms and Views

You are able to view a list of forms and views. From this list view, you can change the layout of forms or views, add new fields to a form or view, or alter the behavior of an existing field.
An asterisk (*) shown next to a form or view indicates that the form or view has been modified from the defaults. You can click the Reset to Defaults link to remove your modifications and restore the original form. Resetting a form or view is a destructive operation and cannot be undone. You will be prompted to confirm the form or view reset before it proceeds.

Editing Forms and Views

You can change the general properties of a form or view such as its title and description.
The name of the duplicated form or view is the same as the original with a number appended. This name cannot be changed. Use the Title and Description properties of the duplicated item to describe the intended purpose for the form or view. Click the Show Usage link for a duplicated form or view to see the operator profiles that are referencing it. Click the Delete link for a duplicated form or view to remove the copy.
Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form. The remainder of the form field editor is split into three sections:

• Form Display Properties
• Form Validation Properties
• Advanced Properties

See "Form Display Properties" on page 165 for detailed descriptions of these form sections.

Form Display Properties

The form display properties control the user interface that this field will have.
The image may be regenerated, or played as an audio sample for visually impaired users. When using the recommended validator for this field (NwaCaptchaIsValid), the security code must be matched or the form submit will fail with an error.

• Check box – A check box is displayed for the field, as shown below: The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1).
The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key values of each selected check box. Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type.
For example, suppose the first two check boxes are selected (in this example, with keys “one” and “two”). The incoming value for the field will be an array containing 2 elements, which can be written as array("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value “one,two”, which is then used as the value for the field.
If the “Hide when no options are selectable” check box is selected, and there is only a single option in the dropdown list, it will be displayed as a static text item rather than as a list with only a single item in it.

• File upload – Displays a file selection text field and dialog box (the exact appearance differs from browser to browser). File uploads cannot be stored in a custom field.
• Multiple Selection List – A list of selectable options will be displayed. The text displayed for each check box or radio button is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key values of each selected check box.
• Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected, as shown below: The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field. The “Vertical” and “Horizontal” layout styles control whether the radio buttons are organized in top-to-bottom or left-to-right order. The default is “Vertical” if not specified.
• Static text – The field’s value is displayed as a non-editable text string. An icon image may optionally be displayed before the field’s value. A hidden element is also included for the field, thereby including the field’s value when the form is submitted. If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank.
If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.

• Static text (Options lookup) – The value of the field is assumed to be one of the keys from the field’s option list. The value displayed is the corresponding value for the key, as a non-editable text string.
If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.

• Static group heading – The label and description of the field is used to display a group heading on the form, as shown below. The field’s value is not used, and the field is not submitted with the form.
The description is not used. The field’s value is ignored, and will be set to NULL when the form is submitted. To place an image on the button, an icon may be specified. To match the existing user interface conventions, you should ensure that the submit button has the highest rank number and is displayed at the bottom of the form.

• Text area – The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value for the field.
If you select Text or Password as the User Interface type, the Placeholder row is added to this form. You may use this field to enter a temporary value, such as a hint for how to complete the field, that can later be overridden by the user completing the form that uses this field.

Form Validation Properties

The form validation properties control the validation of data entered into a form.
All values supplied for a required field are always validated, including blank values. Validation errors are displayed to the user by highlighting the field(s) that are in error and displaying the validation error message with the field: All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid. To validate a specific field, choose a validator from the drop-down list.
Furthermore, be aware that blank values, or non-numeric values, will result in a different error message: The reason for this is that in this case, the validation has failed due to a type error – the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer. To set the error message to display in this case, use the Type Error option under the Advanced Properties.
Advanced Form Field Properties

The Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the application. On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor. The Conversion, Value Format, and Display Function options can be used to enable certain form processing behavior.
and phone numbers was imported for pre-registration, each visitor’s entries for those fields at registration must match.

Form Field Validation Processing Sequence

The following figure shows the interaction between the user interface displayed on the form and the various conversion and display options.

Figure 26: Steps involved in form field processing

The Conversion step should be used when the type of data displayed in the user interface is different from the type required when storing the field.
In this case, the Conversion function is set to NwaConvertOptionalDateTime to convert the string time representation from the form field (for example, “2008-01-01”) to UNIX time (for example, 1199145600). The Validator for the expire_time field is IsValidFutureTimestamp, which checks an integer argument against the current time. The Value Formatter is applied after validation.
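The stage order described above (Conversion, then Validator, then Value Format), together with the earlier checklist case where array("one", "two") becomes “one,two”, modeled as an added Python example that is not ClearPass Guest code. The function names are hypothetical stand-ins for the product's conversion and validator functions, dates are assumed to mean midnight UTC, and the option list and "current time" are constructed.

```python
"""Model of the form-field stages: Conversion -> Validator -> Value Format.
Added illustration only; every name here is a hypothetical stand-in."""
import calendar
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple


def convert_date_to_unix(text: str) -> int:
    """Conversion stand-in: 'YYYY-MM-DD' -> UNIX time.
    Assumption: midnight UTC, which reproduces the page's
    2008-01-01 -> 1199145600 example."""
    return calendar.timegm(time.strptime(text, "%Y-%m-%d"))


def implode_comma(values: Any) -> str:
    """Conversion stand-in for a checklist: array of keys -> 'a,b'."""
    if not isinstance(values, (list, tuple)):
        raise TypeError("expected an array of option keys")
    for key in values:
        if not isinstance(key, str):
            raise TypeError("option keys must be strings")
        # A comma inside a key would make the joined string ambiguous
        # when it is later split back into keys, so refuse it here.
        if "," in key:
            raise ValueError("option key contains the separator")
    return ",".join(values)


def future_timestamp(now: int) -> Callable[[Any], bool]:
    """Validator factory: accepts only an integer later than `now`."""
    return lambda value: isinstance(value, int) and value > now


def keys_in_options(options: Dict[str, str]) -> Callable[[Any], bool]:
    """Validator factory: every stored key must exist in the option list,
    because a client can submit keys the form never offered."""
    return lambda value: all(k in options for k in value.split(",") if k)


@dataclass
class FormField:
    name: str
    conversion: Optional[Callable[[Any], Any]] = None
    validator: Optional[Callable[[Any], bool]] = None
    value_format: Optional[Callable[[Any], Any]] = None

    def process(self, raw: Any) -> Tuple[str, Any]:
        """Return ('ok', stored_value) or (failed_stage, message)."""
        value = raw
        if self.conversion is not None:
            try:
                value = self.conversion(raw)
            except (TypeError, ValueError) as exc:
                return ("conversion", f"{self.name}: {exc}")
        # The validator sees the converted value, never the raw input.
        if self.validator is not None and not self.validator(value):
            return ("validation", f"{self.name}: value rejected")
        # Formatting happens only once the value is known to be valid.
        if self.value_format is not None:
            value = self.value_format(value)
        return ("ok", value)


NOW = 1_199_000_000  # constructed "current time" (30 Dec 2007 UTC)
OPTIONS = {"one": "Option One", "two": "Option Two"}  # constructed

expire_time = FormField("expire_time", convert_date_to_unix,
                        future_timestamp(NOW))
checklist = FormField("checklist", implode_comma, keys_in_options(OPTIONS))

if __name__ == "__main__":
    samples = [(expire_time, "2008-01-01"), (expire_time, "2007-01-01"),
               (expire_time, "next week"), (checklist, ["one", "two"]),
               (checklist, ["one", "admin"]), (checklist, ["one,two"])]
    for form_field, raw in samples:
        print(form_field.name, repr(raw), "->", form_field.process(raw))
```

Reporting the failed stage separately keeps an input that could not be converted at all apart from one that converted cleanly but was rejected by the validator.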
See "Form Field Conversion Functions" on page 377 for a detailed list of the options available to you for the Conversion and Value Format functions. The Display Param is the name of a form field, the value of which will be passed to the Display Function. In almost all cases this option should contain the name of the form field. Display Arguments are available for use with a form field and are used to control the conversion process.
Editing Views

A view consists of one or more columns, each of which contains a single field. You can change which fields are displayed and how each field is displayed. You can also define your own fields using the Customize Fields page, and then add them to a view by choosing appropriate display options for each new column. To add a new field to a view, reorder the fields, or make changes to an existing field in a view, select the view in the Customize Forms & Views list and click the Edit Fields link.
Each column in a view displays the value of a single field. To use the default view display properties for a field, you only need to select the field to display in the column and then click the Save Changes button. To customize the view display properties, click the Advanced view options… check box. The column type must be one of the following:

• Text – The column displays a value as text.
• Sortable text – The column displays a value as text, and may be sorted by clicking on the column heading.
The Display Expression is a JavaScript expression that is used to generate the contents of the column. Generally, this is a simple expression that returns an appropriate piece of data for display, but more complex expressions can be used to perform arbitrary data processing and formatting tasks.

Customizing Self-Provisioned Access

Guest self-registration allows an administrator to customize the process for guests to create their own visitor accounts.
Figure 27: Sequence Diagram for Guest Self-Registration

In this diagram, the stages in the self-registration process are identified by the numbers in the brackets, as follows:

1. The captive portal redirects unauthorized users [1] to the register page [2].
2. After submitting the registration form [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account.
3.
The Register Page is the name of a page that does not already exist. There are no spaces in this name. This page name will become part of the URL used to access the self provisioning page. For example, the default “guest_register” page is accessed using the URL guest_register.php. Click the Save Changes button to save the self registration page. A diagram of the self registration process is displayed. Click the Save and Continue button to proceed to the next step of the setup.
Figure 28: Guest Self-Registration Workflow Diagram

A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item.

Configuring Basic Properties for Self-Registration

Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration.
Paying for Access

If you select the standalone self-registration option (No parent - standalone), you can also configure the Hotspot option. You can configure this setting so that registrants have to pay for access.

Requiring Operator Credentials

If you want to require an operator to log in with their credentials before they can create a new guest account, select the Require operator credentials prior to registering guest check box.
As another example, the network address 192.168.2.0/24 is less specific than a smaller network such as 192.168.2.192/26, which in turn is less specific than the IP address 192.168.2.201 (which may also be written as 192.168.2.201/32). To determine the result of the access control list, the most specific rule that matches the client’s IP address is used. If the matching rule is in the Denied Access field, then the client will be denied access.
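The most-specific-match rule described above, as an added Python example that is not ClearPass Guest code. The function names, the deny-on-tie choice, and the default_allow parameter for clients that match no rule are assumptions; the addresses are the ones used in the text.

```python
"""Most-specific-match evaluation of Allowed Access / Denied Access lists.
Added illustration only; names and tie/default behavior are assumptions."""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional


class Decision(NamedTuple):
    allowed: bool
    rule: Optional[str]  # text of the deciding rule, None if nothing matched
    reason: str


def invalid_rules(rules: Iterable[str]) -> List[str]:
    """Return entries that are not a clean address or network.
    strict=True rejects host bits (e.g. 192.168.2.5/24): a mistyped rule
    that silently matches a different range is worse than a load error."""
    bad = []
    for text in rules:
        try:
            ipaddress.ip_network(text.strip(), strict=True)
        except ValueError:
            bad.append(text)
    return bad


def _parse(rules: Iterable[str], allow: bool):
    # A bare address such as 192.168.2.201 parses as a /32 network.
    return [(ipaddress.ip_network(t.strip(), strict=True), allow, t.strip())
            for t in rules]


def evaluate_acl(client_ip: str, allowed: Iterable[str],
                 denied: Iterable[str], default_allow: bool = False) -> Decision:
    addr = ipaddress.ip_address(client_ip)
    # IPv4 addresses never match IPv6 networks and vice versa.
    matches = [r for r in _parse(allowed, True) + _parse(denied, False)
               if addr in r[0]]
    if not matches:
        # Assumption: the caller chooses what an unmatched client gets.
        return Decision(default_allow, None, "no rule matched; default applied")
    longest = max(net.prefixlen for net, _, _ in matches)
    best = [r for r in matches if r[0].prefixlen == longest]
    denies = [r for r in best if not r[1]]
    if denies:
        # Assumption: when the same prefix is in both lists, deny wins.
        return Decision(False, denies[0][2],
                        "most specific match is in Denied Access")
    return Decision(True, best[0][2],
                    "most specific match is in Allowed Access")


# Constructed rule lists built from the addresses in the text.
ALLOWED = ["192.168.2.0/24", "192.168.2.201"]
DENIED = ["192.168.2.192/26"]

if __name__ == "__main__":
    for ip in ("192.168.2.10", "192.168.2.200", "192.168.2.201", "10.0.0.1"):
        print(ip, evaluate_acl(ip, ALLOWED, DENIED))
```

With these lists, 192.168.2.200 is denied by the /26 even though the /24 allows it, while 192.168.2.201 is allowed because its own /32 entry is more specific than the /26.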
Click the Save Changes button to return to the process diagram for self-registration. Click the Save and Continue button to update the self-registration page and continue to the next editor.

Editing the Default Self-Registration Form Settings

Click the Form link for the Register Page to edit the fields on the self-registration form. The default settings for this form are as follows:

• The visitor_name and email fields are enabled.
To create multiple accounts that all use the same password, see "Creating Multiple Guest Accounts" on page 34.

Editing Guest Receipt Page Properties

To edit the properties of the guest receipt page:

1. Navigate to Configuration > Guest Self-Registration.
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3.
Enabling Sponsor Confirmation for Role Selection

You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account. To enable role selection by the sponsor:

1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.
3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configure this option.
4. In the Authentication row, mark the check box for Require sponsors to provide credentials prior to sponsoring the guest.
5. In the Role Override row, choose (Prompt) from the drop-down list.
6. Complete the rest of the form with the appropriate information, then click Save Changes.
9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.

Editing Download and Print Actions for Guest Receipt Delivery

To enable the template and display options to deliver a receipt to the user as a downloadable file, or display the receipt in a printable window in the visitor’s browser:

1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
When email delivery is enabled, the following options are available to control email delivery:

• Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
• Always auto-send guest receipts by email – An email receipt is always generated using the selected options, and will be sent to the visitor’s email address.
• Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.
• Always auto-send guest receipts by SMS – An SMS receipt is always generated using the selected options, and will be sent to the visitor’s phone number.
• Auto-send guest receipts by SMS with a special field set – If the Auto-Send Field is set to a non-empty string or a non-zero value, an SMS receipt will be generated and sent to the visitor’s phone number.
Editing Login Page Properties

The login page is displayed if automatic guest login is enabled and a guest clicks the submit button from the receipt page to log in. To edit the properties of the login page:

1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
2.
The login message page is displayed after the login form has been submitted, while the guest is being redirected to the NAS for login. The title and message displayed on this page can be customized. The login delay can be set; this is the time period, in seconds, for which the login message page is displayed. Click the Save Changes button to return to the process diagram for self-registration.

Self-Service Portal Properties

To edit the properties of the self-service portal:

1.
The self-service portal is accessed through a separate link that must be published to guests. The page name for the portal is derived from the registration page name by appending “_portal”. When the self-service portal is enabled, a Go To Portal link is displayed on the list of guest self-registration pages, and may be used to determine the URL that guests should use to access the portal.
Click the Save Changes button to return to the process diagram for self-registration.

Resetting Passwords with the Self-Service Portal

The self-service portal includes the ability to reset a guest account’s password.
Next, enable the Required Field option in the Self-Service Portal properties. Setting this to (Secret Question) will ask the guest the secret_question and will only permit the password to be reset if the guest supplies the correct secret_answer value. With these settings, the user interface for resetting the password now includes a question and answer prompt after the username has been determined: Selecting a different value for the “Required Field” allows other fields of the visitor account to be checked.
1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
2. In the Receipt Page area, click the Actions link. The Receipt Actions form opens.
3. Scroll to the Email Delivery section of the form and choose one of the options from the Enabled drop-down list. The form expands to include configuration options for email delivery.
Email Receipt Options

The Customize Email Receipt form may be used to set default options for visitor account email receipts. To configure email receipt options, go to Configuration > Email Receipt. The Customize Email Receipt form opens.

Figure 30: Customize Email Receipt page

1. The Subject Line may contain template code, including references to guest account fields. The default value, Visitor account receipt for {$email}, uses the value of the email field.
4. Choose a value from the Send Copies drop-down list to specify how copies of the email receipts will be sent to the additional email addresses listed in the Copies To field:
   • Do not send copies – The Copies To list is ignored and email is not copied.
   • Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available).
• smtp_subject – This field specifies the subject line for the email message. Template variables appearing in the value will be expanded. If the value is “default”, the default subject line from the email receipt configuration is used.
• smtp_template_id – This field specifies the print template ID to use for the email receipt. If blank or unset, the default value from the email receipt configuration is used.
• smtp_receipt_format – This field specifies the email format to use for the receipt.
• smtp_warn_before_cc_list – This overrides the list of additional email addresses that receive a copy of the visitor account receipt under Logout Warnings on the email receipt. If the value is “default”, the default carbon-copy list under Logout Warnings from the email receipt configuration is used.
• smtp_warn_before_cc_action – This field overrides how copies are sent as indicated under Logout Warnings on the email receipt. to send copies of email receipts.
each. This section is followed by three other sections: the body, the header and the footer. Each section must be written in HTML. There is provision in each section for the insertion of multiple content items such as logos. You are able to add Smarty template functions and blocks to your code. These act as placeholders to be substituted when the template is actually used. See "Smarty Template Syntax" on page 338 for further information on Smarty template syntax.
Print Template Wizard

The Create new print template using wizard link provides a simplified way to create print templates by selecting a basic style and providing a logo image, title and content text, and selecting the guest account fields to include. A real-time preview allows changes made to the design to be viewed immediately. To use the Print Template Wizard, first select a style of print template from the Style list. Small thumbnail images are shown to indicate the basic layout of each style.
NOTE: If you use the wizard to edit a print template after changes have been made to it outside the wizard, those outside changes will be lost. This is indicated with the warning message "The print template code has been modified. Making changes using the wizard will destroy any changes made outside of the wizard.
   ◦ Update access – the print template is visible in the list, and may be edited. The print template cannot be deleted and the permissions for the print template cannot be modified.
   ◦ Update and delete access – the print template is visible in the list, and may be edited or deleted. The permissions for the print template cannot be modified.
   ◦ Full access (ownership) – the print template is visible in the list, and may be edited or deleted.
• sms_enabled – This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the default value is true.
• sms_handler_id – This field specifies the handler ID for the SMS service provider. If blank or unset, the default value from the SMS plugin configuration is used.
• sms_template_id – This field specifies the print template ID for the SMS receipt. If blank or unset, the default value from the SMS plugin configuration is used.
an existing scratch card template.

1. Navigate to Configuration > Print Templates.
2. Select Two-column scratch cards and click Duplicate.
3. Select the Copy of Two-column scratch cards template, then click Edit.
4. In the Name field, substitute Access Code for Username as shown below.
5. Remove extraneous data from the User Account HTML field. Example text is shown below.
Customize the Guest Accounts Form

Next, modify the Guest Accounts form to add a flag that allows access-code based authentication.

1. Navigate to Configuration > Forms & Views.
2. In the Customize Forms & Views list, select create_multi and then click Edit Fields.
3. In the Edit Fields list, look for a field named username_auth. If the field exists, but is not bolded and enabled, select it and click Enable Field.
3. Click Create Accounts to display the Finished Creating Guest Accounts page. If you create a large number of accounts, they are created at one time but might not all be displayed at the same time. (This will not affect the printing action in the following step.)
4. Confirm that the accounts settings are as you expected with respect to letters and digits in the username and password, expiration, and role.
5.
To view the list of your Web login pages and work with them, go to Configuration > Web Logins. The Web Logins list view opens. All Web login pages you have created are included in the list. Information shown for each page includes its name for internal identification, title as displayed in the user interface, filename, and the skin assigned to it. You can click a page's row in the list for additional options:

• To edit any of a Web login page's attributes, click its Edit link.
2. (Required) Enter a name for the page in the Name field.
3. In the Page Name field, enter the identifier page name that will appear in the URL; for example, "/guest/page_name.php".
4. In the Description field, you may enter additional information or comments about the page.
5. Use the drop-down list in the Vendor Settings field to select vendor-specific settings for network configuration.
6. In the Address field, enter the IP address or hostname of the vendor's product.
7.
3. To be able to alter the default labels and error messages, mark the check box in the Custom Labels field. The form includes the Pre-Auth Error field. Complete this field with your customized label text to display if username and password lookup fails.
4. Use the drop-down list in the Pre-Auth Check field to indicate how the username and password should be checked before authentication.
Chapter 6: Hotspot Manager

The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts.

Accessing Hotspot Manager

To access Dell Networking W-ClearPass Guest’s hotspot management features, go to Configuration > Hotspot Manager.
Figure 33: Guest self-provisioning

• Your customer associates to a local access point and is redirected by a captive portal to the login page.
• Existing customers may log in with their Hotspot username and password to start browsing.
• New customers click the Hotspot Sign-up link.
• On page 1, the customer selects one of the Hotspot plans you have created.
• On page 2, the customer enters their personal details, including credit card information if purchasing access.
The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available. The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See "Smarty Template Syntax" on page 338 in the Reference chapter for details about the template syntax you may use to format this message.
• To create or edit an existing plan, see "Editing or Creating a Hotspot Plan" on page 223.
• To delete a plan, click the Delete button in the plan’s row. You will be asked to confirm the deletion.
2. In the Plan Details area, enter a name for the plan and descriptions to display in the UI and the customer invoice.
3. To enable the plan, leave the Enabled check box marked. To disable the plan, unmark this check box. Disabled plans are not displayed to customers.
4. In the User Account Details area, you can specify the usage of numbers, letters, and symbols in the generated username and password. To use only digits, leave the value in the Generated Username and Generated Password fields set to ######.
5. Complete the rest of the fields appropriately for your organization’s needs, then click Create Plan or Edit Plan. The Manage Hotspot Plans list opens with the new plan displayed.

Managing Transaction Processors

Your hotspot plan must also identify the transaction processing gateway used to process credit card payments. Dell Networking W-ClearPass Guest supports plugins for the following transaction processing gateways:
- Authorize.
- Mode
- Production Environment URL
- Shared Secret
- Signature
- Test Environment URL
- Test WSDL
- Transaction Key
- Transaction Password
- Transactions Timeout

If your transaction processor requires visitors to enter their address, ClearPass Guest will automatically include address fields in the guest self-registration forms that use that transaction processor.
title shown on the invoice and how the invoice number is created. You can also customize the currency displayed on the invoice.

To customize the hotspot invoice:
1. Go to Configuration > Hotspot Manager > Manage Hotspot Invoice. The Manage Hotspot Invoice form opens.
2. The Invoice Title must be written in HTML. See "Basic HTML Syntax" on page 335 for details about basic HTML syntax.
3. Complete the rest of the fields appropriately. You can use Smarty functions on this page.
Customizing Visitor Sign-Up Page One

Page one of the guest self-provisioning process asks the guest to select a plan. An example of the default “Choose Plan” page is shown below. To customize how this page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 1 (Choose Plan) link in the upper-right corner. The Edit Hotspot Plan Selection Page form opens.
Page two of the guest self-provisioning process asks the guest to provide their personal details and payment method. The example below shows the default “Your Details” page if the customer chooses to pay for the Hourly Access plan. Although it is not shown in this illustration, the default page also includes footer text providing information about privacy policies and security pertaining to the data collected by this page.
To customize how the “Your Details” page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 2 (Customer Details) link in the upper-right corner. The Edit Hotspot User Details Page form opens. You can use this form to edit the content displayed when the customer enters their personal details, including credit card information if purchasing access. The progress of the user’s transaction is also shown on this page.
See "Smarty Template Syntax" on page 338 for details about the template syntax you may use to format the content on this page.

Customizing Visitor Sign-Up Page Three

Page three of the guest self-provisioning process provides the customer an invoice containing confirmation of their transaction and the details of their newly created wireless account. An example of the default “Your Receipt” page is shown below.
To customize how the “Your Receipt” page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 3 (Invoice or Receipt) link in the upper-right corner. The Edit Hotspot User Receipt Page form opens. You can use this form to edit the title, introductory text, and footer text of the receipt page.
See "Smarty Template Syntax" on page 338 for details about the template syntax you may use to format the content on this page.

Viewing the Hotspot User Interface

The Hotspot Manager allows you to view and test Hotspot self-provisioning pages, as well as log in to and view the Hotspot self-service portal that allows customers to view their current account expiration date, purchase time extensions, log out of the Hotspot, or change their user password.
Chapter 7 Administration

The Administration module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of Dell Networking W-ClearPass Guest.

Accessing Administration

To access Dell Networking W-ClearPass Guest’s administration features, click the Administration link in the left navigation.

Figure 34: The Administration Module’s Left Navigation
AirGroup Services

This section describes creating and managing AirGroup controllers and configuring the AirGroup plugin, and provides links to other AirGroup steps performed in Dell Networking W-ClearPass Guest. For an overview of AirGroup functionality, see "AirGroup Deployment Process" on page 27. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.
- To edit any of an AirGroup controller's attributes, click its Edit link. The Edit AirGroup Controller form opens. For more information, see "Creating and Editing AirGroup Controllers" on page 237.
- To disable an AirGroup controller, click its Disable link. To enable it again at any time, click its Enable link.
- To delete an AirGroup controller, click its Delete link. You are asked for confirmation before it is deleted.
2. In the Name field, give the controller a short name that identifies it clearly. AirGroup controller names can include spaces.
3. In the Description field, you may record additional useful information about the controller.
4. To enable Policy Manager's AirGroup notification service for the controller, mark the check box in the Enabled row. With this service enabled, the controller receives change of authorization (CoA) Requests for sharing events from associated MAC addresses and the events are logged.
5.
2. In the Exclusions text field, you may enter any role names, AP group names, or AP names that should not be displayed in the AirGroup user interface. Enter each item on a separate line. Entries are not case-sensitive. To add a comment, enter it on a separate line that begins with the "#" character.
3. To schedule automatic polling of AirGroup controller configuration, mark the check box in the Polling row. The form expands to include scheduling options.
- Extended—Log additional information
- Debug—Log debug information
- Trace—Log all debug information
7. Click Save Changes.

Creating AirGroup Administrators

AirGroup Administrators are users of Dell Networking W-ClearPass Guest who can define and manage their organization’s shared devices. Devices can be shared globally, or shared with restrictions based on the username, role, or location of the user trying to access the device.
- There is no additional license fee for these devices: Although MACTrac is part of ClearPass Guest, MACTrac device registrations do not count against the ClearPass Guest license.
- As with other ClearPass Guest forms and views, the MACTrac user interface can be customized by adding a custom skin or options such as an "Add Another Device" button.
MACTrac operators can create and manage multiple device accounts. Options include editing, printing details, disabling, and deleting accounts. To work with MACTrac devices, log in to ClearPass Guest as a MACTrac operator and go to Guest > List Devices. The MACTrac Devices list view opens. All MACTrac devices that have been registered are included in the list. You can click a device account's row in the list for additional options:
- To edit any of a device account's attributes, click its Edit link.
- To disable or delete a device account, click its Remove link. A confirmation dialog opens. You may specify either Disable or Delete, then click Make Changes. To enable a disabled account, click its Activate link.

Registering MACTrac Devices

The Register Device form is used by MACTrac operators to create their device accounts on their local network. There is no limit to the number of accounts an operator can create, and no expiration time is set on device accounts.

To register a MACTrac device:
1.
3. (Optional) Enter a name for the device in the Device Name field.
4. (Optional) The Device Type field is prepopulated if detected, and indicates whether it is a computer, printer, or other type of device.
5. (Optional) The Device Platform field is prepopulated if detected, and indicates whether it is a Windows, Mac, Linux, or Android platform, and whether it is a mobile phone.
6.
Data Retention

The Data Retention Policy page (Administration > Data Retention) lets you manage historical data by archiving or deleting it. For a data retention policy to take effect, you must schedule and enable database maintenance. To do so, refer to the Dell Networking W-ClearPass Policy Manager documentation.
- Upload a 3.9 configuration backup file to your 6.1 file system, making the items in it available for import. See "Uploading the 3.9 Backup File" on page 246.
- Select items from it to import, restoring those configurations in your 6.1 system. See "Restoring Configuration Items" on page 247.
- Review details for configuration items after import, including anything that might be different between 3.9 and 6.1 and any actions you might need to take.
This form shows every configuration item in your backup file, and provides options for restoring items or excluding them from the restoration. For more information, see the next section, "Restoring Configuration Items" on page 247.

Restoring Configuration Items

This section describes how to use the Import Configuration: Step 2 form to import 3.9 configuration items to your 6.1 system after you upload them.

To select and restore your configuration items:
1.
- To exclude an item from the import, click the X in the item's row. The X turns red to indicate it will be excluded. You can click the X for a category to exclude all items in that category.
- To make it easier to select just a few items, you can scroll to the bottom of the list and click the Unselect All link. All items are then marked with a red X and will be excluded from the import. You can then select the green check marks for just the items you want.
The Import Notices list provides information about items that were handled during the last import. This list includes the following columns:
- Status -- The import status of the item in the same row. Possible statuses include Imported, Migrated, Obsolete, Action Required, Error, Processed, Unsupported, and Warning. These statuses are described more fully in the table below.
- Operation/Notice -- This column shows the operation performed on the item, and the name of the item.
Status      Description
Migrated    The item was successfully imported but some aspects were modified for 6.1, as described in Show Details for the item. For example, if a field imported in a 3.9 configuration has a different name in 6.1 but was successfully matched and updated, the change is indicated by an arrow: Migrated field: schedule_time --> start_time
Processed   The item was processed for the import but was not applicable and was ignored, as described in Show Details for the item.
- "Import Information: Reporting Manager Definitions" on page 254
- "Import Information: Server Configuration" on page 254
- "Import Information: SMS Services" on page 256
- "Import Information: SMTP Services" on page 256

Import Information: Advertising Services
- Advertising Services is unsupported.

Import Information: AirGroup Services
- The following AirGroup 3.9 fields are renamed:
3.9 Name 6.
Custom Forms and Views:
- Forms and views that referenced renamed fields are updated to reference the new field name.
- Forms and views that referenced obsolete fields have those fields removed from the definition.

Print Templates:
- Print templates are flagged as Action Required. Print templates might require changes where defaults have changed or fields have been renamed. Review the templates and correct as necessary to fix fields that have been changed.
Import Information: Operator Logins

Operator Login Configuration
- A client-side cookie check (nwa_cookiecheck) is added to the Login Message setting.

Operator Logins
- Operator logins are obsolete.

Operator Profiles
- If the IT Administrators profile is imported, it is updated to keep existing privileges and is migrated.
- Any non-default Password Change Policy is removed and the profile is migrated.
- Any non-default user skins are reset to the default skin and the profile is migrated.
RADIUS Dictionary
- The RADIUS dictionary is unsupported.

RADIUS NAS List
- Each RADIUS network access server (NAS) is imported as a CPPM network access device (NAD) client.

RADIUS Server Configuration
- Non-default RADIUS Server Number settings are obsolete.
- Non-default RADIUS Server Port settings are obsolete.
- Default RADIUS Server Options are not applicable; they are processed and ignored.
- For any non-default RADIUS Server Options, an authentication source must be created in CPPM.
Installed Plugin List
- For imported plugins that were not up-to-date (e.g. pre-3.9), you must review the version numbers provided in Show Details, upgrade those plugins in your 3.9 system, and import the plugins again.

Network Hostname
- The network hostname must be set in CPPM.

Network Hosts
- Default hosts files (references to localhost only) are obsolete.
- For a non-default hosts file, the DNS must be properly configured.

Network Interface Configuration
- Network interfaces are unsupported.
System Log Setup
- System log setup is obsolete.
- If a local collector was enabled, it is unsupported.

Web Application Configuration
- Default Application Configuration settings are processed and ignored.
- For non-default Application Configuration settings, PHP settings must be configured in CPPM.

Web Server Configuration
- Web server configuration is obsolete.

Import Information: SMS Services
- SMS gateways are imported as service handlers.
for example, clicking the name of the SMTP Services plugin opens the Customize Email Receipt page in the Configuration module.

Viewing Available Plugins

To access the Available Plugins list, navigate to Administration > Plugin Manager. The Available Plugins page opens.
Configuring Plugins

You can configure most standard, kernel, and skin plugins. Skin plugins can also be enabled or disabled, letting you choose which skin to use. To view or change a plugin’s configuration, go to the Administration > Plugin Manager page and click the List Available Plugins command. To view or change the configuration settings for a plugin, click the plugin’s Configuration link.
1. To change the application’s title, enter the new name in the Application Title field (for example, your company name) to display that text as the title of your Web application. Click Save Configuration.
2. The Kernel plugin’s Debug Level and Application URL options should not be modified unless you are instructed to do so by Dell support.
3. To turn off autocomplete on forms, mark the check box in the Form Auto Complete row. This disables credentials caching.
4.
skin plugins that let you configure the colors, navigation, logo, and icons.
1. To modify the standard Dell ClearPass skin plugin, click its Configuration link on the Available Plugins page.
2. The default navigation layout is “expanded.” To change the behavior of the navigation menu, click the Navigation Layout drop-down list and select a different expansion level for menu items.
3. The Page Heading field allows you to enter additional heading text to be displayed at the very top of the page.
4.
To view or configure SMS services and receipt options:
1. Go to Administration > Plugin Manager. The Available Plugins list opens.
2. Scroll to the SMS Services row and click its Configuration link. The Configure SMS Services form opens.

Figure 36: Configure SMS Services Plugin

SMS Receipt – Select the print template to be used when an SMS receipt is created. The print template used for the receipt must be in plain text format.
- Always include the country code: When you select this option, the SMS gateway will always send the SMS message using the global country code and default phone number length specified in the Default Country Code and Default Phone Length fields. For example, consider an Australian mobile phone number with a default number length of 9 plus a leading zero, and a country code of 61.
2. To work with a gateway, click its row in the list. The gateway’s row expands to include the Edit, Duplicate, Delete, Make Default, and Send SMS options.
- Edit—To make changes to the gateway in this row, click its Edit link. The Edit SMS Gateway form opens. See "Editing an SMS Gateway" on page 265.
- Duplicate—To make a copy of the gateway to use as a base for a new gateway, click the Duplicate link. A new gateway is added to the list with the name “Copy of ”.
3. In the SMS Gateway field, if you choose Custom HTTP Handler from the drop-down list, you may specify the HTTP method to use. The form expands to include options for configuring that gateway type, and the Service Method row includes the GET and POST options.
4. If you selected the POST option in the SMS Gateway field, the HTTP Headers and HTTP Post rows are added. You can use the text fields in these rows to override HTTP headers and enter the text to post.
5.
7. In the Message Format row, if needed for custom SMS handlers, you can specify that the message format should be converted to hex-encoded UTF-16 (Unicode).
8. In the Mobile Number Settings area, if your country uses a national dialing prefix such as “0”, you may enter this in the National Prefix row. When sending an SMS to a number that starts with the national dialing prefix, the prefix is removed and replaced with the country code instead.
3. The SMS Gateway field displays the gateway service that was selected when the gateway was created. This cannot be edited after creation.
4. In the Service Settings area, you may edit the Display Name.
5. When you duplicate an SMS over SMTP gateway, the Carrier Selection configuration options are included. In the Carrier Selection drop-down list, choose one of the following options:
- Registration form will have the visitor_carrier field—The visitor will supply the carrier information when they register.
2. Complete the form by typing in the SMS message and entering the mobile phone number that you are sending the SMS to. The maximum length for the message is 160 characters. If multiple services are available, you may also choose the service to use when sending the message.
3. Click Send Message.

About SMS Credits

Most SMS providers use a system of credits when sending messages. In Dell Networking W-ClearPass Guest SMS Services, one credit is used for each sent message.
Dell Networking W-ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand.

To manually send an SMS receipt:
1. Navigate to Guest > List Accounts and click to expand the row of the guest to whom you want to send a receipt.
2. Click Print to display the Account Details view, then click the Send SMS receipt link. The SMS Receipt form opens.
2. To filter the list, click the Display Lists tab above the form. The form expands to include the Carrier Lists options. Use this drop-down list to specify the visitor carrier or MMS carrier.
NOTE: To be available in the drop-down lists on this Carrier Lists form, a carrier must first be enabled.
3. To enable, disable, or delete a carrier, click the carrier in the list. The carrier’s row expands to include the Edit, Enable or Disable, and Delete options.
- Use a fixed email address—Use this option if all SMS messages are to be sent to the same address. When this option is chosen, the next field’s name becomes Address.
9. Configure the option you chose in the previous step:
- If you chose Use a template... in the SMS Address field, enter an example email address in the SMS Template field. This provides the pattern for the address format.
Viewing the Application Log

To view events and messages generated by the application, go to Administration > Support > Application Log. The Application Log view opens. To view in-depth information about an event, click the event’s row. The form expands to show details. Click the event’s row again to close it. To search for a particular log record, use the Keywords field above the table to enter search terms.
The Application Log lists the events, messages, and configuration changes for the past seven days.

To view events and messages for a different period, or to limit the search items:
1. Click the Filter tab. The Filter Settings form opens.
2. You can use the Times drop-down list to specify a time period to filter for.
3.
Contacting Support

To view contact information for Dell Support, go to Administration > Support > Contact Support. The Contact Support page opens.

Viewing Documentation

To view Dell Networking W-ClearPass Guest documentation:
1. Go to Administration > Support > Documentation. The Documentation page opens.
2. To view this Deployment Guide in your browser, click Browse Documentation. The document opens in a separate browser tab.
3. To search the Deployment Guide, click Search Documentation.
SOAP Web Services and API

SOAP Web services provide a way of transferring data across the Internet to integrate Web-based applications. Web services let businesses share data and processes programmatically, and can be added to a user interface to provide functionality. To access this feature in Dell Networking W-ClearPass Guest, you must have the SOAP Web Services plugin installed.

Viewing Available Web Services

To view the Web services available in Dell Networking W-ClearPass Guest:
1.
3. The Service Info field briefly describes the processes this Web service provides. In the Service URL field, you can click the link to view the Web Service Description Language (WSDL) that defines that service. The WSDL opens in a new tab.
4. When you have finished reviewing the available Web services, click Done.

Configuring Web Services

To configure the SOAP Web Services plugin:
1. Go to Administration > Web Services > Configure Web Services. The Configure Web Services form opens.
2.
Audience

This API is intended for developers of applications that must interoperate with a ClearPass Guest-based visitor management solution. Solution developers are assumed to be familiar with HTTP-based Web services and the associated concepts and technologies related to these services, including Extensible Markup Language (XML), XML Schemas, Web Service Definition Language (WSDL), and the Simple Object Access Protocol (SOAP).
- At the lowest level, the kernel provides basic functions common to the entire system. This includes the Web interface framework, appliance operating system, and runtime support services.
- The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the appliance.
- The services layer provides one or more implementations of application services that are used by the layers above.
Table 21: Fault Codes and Descriptions

Fault                   Reason for Fault
Client.BadRequest       Request exceeds the maximum allowable size. Increase the maximum SOAP request size, or reduce the size of the request.
Client.Authentication   Invalid username or password. Check that the credentials supplied are correct.
Client.MethodNotFound   The SOAP method request was not found.
Client.Error            Another non-specific client error occurred. Check the for more details.
Server.
To access the application log, go to Administration > Plugin Manager > Application Log. At the highest debugging level of 4, every SOAP request and response will be logged including full HTTP headers and contents, which may be useful when trying to identify the exact cause of a problem.

Creating a SOAP API Operator

The SOAP API requires both authentication and authorization components.
- Authentication means that suitable credentials must be provided via the HTTP “basic” access authentication method.
After you have created a suitable operator profile, create the operator login. See "Local Operator Authentication" on page 303 and "External Operator Authentication" on page 304, or refer to the "Configuring LDAP Operator Logins" article on Arubapedia.

Accessing the WSDL

Use the List Web Services command link to browse the available Web services and obtain additional details about each one.
In the Web Service field, click the icon for GuestManager Web Services to view the Service URL and additional information about the service. NOTE: If the "Allow anonymous access to WSDL" option is specified in the SOAP Web Services configuration, accessing the WSDL through the specified Service URL does not require logging in to the ClearPass Guest user interface. For more information, see "Configuring Web Services " on page 275.
The Add Service Reference dialog box appears. Enter the Service URL for the GuestManager Web Services into the Address box, and click the Go button. The WSDL is downloaded, and a list of the Web services and operations found is displayed. In the Namespace text field, type in a name. This name is used to organize the automatically generated code that interfaces with the Web service. Click the OK button to create the Web service reference.
Configuring HTTP Basic Authentication

Performing a simple API call, such as the “Ping” operation described in "Operations" on page 288, can be used to verify that the Web service is correctly configured and ready for use. Because the SOAP API requires HTTP Basic authentication, ensure that you have a suitable operator profile and operator login credentials, as explained in "Using the SOAP API" on page 278. Configuring the Web service reference to use authentication requires editing the app.
When invoked, this performs the Ping operation and displays the following output:

Securing Web Services Using HTTPS

Because HTTP Basic authentication is insecure, it is strongly recommended that the HTTPS transport be used for all SOAP API calls. To use HTTPS as the transport for SOAP API requests, the following changes should be made to the application configuration file:
- The mode attribute of the tag must be changed to “Transport”.
NOTE: In a production environment, it is strongly recommended that you deploy an SSL certificate that is signed by a trusted root CA known to all parties, and use the built-in server certificate validation procedures. This will ensure the security of the transaction cannot be compromised by a man-in-the-middle attack.
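The transport recommendations above and the client fault codes from Table 21, shown as an added Python example rather than the .NET client the guide walks through (this is not code from the guide or the product). It assumes SOAP 1.1 fault envelopes; the host name, credentials, sample response, and all function names are constructed placeholders.

```python
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: the service answers with SOAP 1.1 envelopes.
SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Client fault codes and reasons as listed in Table 21.
CLIENT_FAULTS = {
    "Client.BadRequest": "request exceeds the maximum allowable size",
    "Client.Authentication": "invalid username or password",
    "Client.MethodNotFound": "SOAP method request was not found",
    "Client.Error": "non-specific client error",
}

# Constructed sample response, not captured from a real appliance.
SAMPLE_FAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
      <faultcode>SOAP-ENV:Client.Authentication</faultcode>
      <faultstring>Invalid username or password</faultstring>
    </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def strict_tls_context():
    """TLS context that validates the certificate chain and the host name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the Authorization header never follows one."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def build_request(service_url, username, password, envelope, soap_action='""'):
    """Build the POST, refusing to attach Basic credentials to a non-HTTPS URL."""
    parts = urlsplit(service_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Basic credentials must only be sent over https://")
    if ":" in username:
        raise ValueError("a Basic auth user-id may not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    headers = {
        "Authorization": "Basic " + token.decode("ascii"),
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": soap_action,  # the real action value comes from the WSDL
    }
    return urllib.request.Request(
        service_url, data=envelope, headers=headers, method="POST")


def parse_fault(response_xml):
    """Return (code, message, reason) for a SOAP 1.1 Fault, or None."""
    if b"<!doctype" in response_xml.lower():
        raise ValueError("DTDs are not expected in a SOAP response")
    fault = ET.fromstring(response_xml).find(f".//{{{SOAP11_NS}}}Fault")
    if fault is None:
        return None
    # faultcode is a QName such as "SOAP-ENV:Client.Authentication".
    code = (fault.findtext("faultcode") or "").strip().split(":")[-1]
    message = (fault.findtext("faultstring") or "").strip()
    if code in CLIENT_FAULTS:
        reason = CLIENT_FAULTS[code]
    elif code.startswith("Server"):
        reason = "server-side fault"
    else:
        reason = "unrecognised fault code"
    return code, message, reason


def call(request, timeout=10):
    """Send the request with strict TLS; return the response body bytes."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=strict_tls_context()),
        NoRedirect())
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 500:  # SOAP 1.1 faults are carried in an HTTP 500 body
            return err.read()
        raise


if __name__ == "__main__":
    print(parse_fault(SAMPLE_FAULT))
```

A certificate or host name mismatch surfaces from `call()` as a `urllib.error.URLError`; treat it as a failed call rather than retrying with verification turned off.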
EmptyType
This type must be empty, that is, containing zero child elements.
- Example:

ErrorFlagType
The error flag indicates if the operation completed successfully. Only the values zero (0) and one (1) are supported.
- A successful operation is indicated with:
- A failed operation is indicated with:

IdResultType
Standard result type, with an optional element.
- Example:
- Example:

IdType
Specifies a user ID. The user ID is a positive integer value, starting at 1.
- Example of an unsuccessful operation:

UserResultType
Standard result type, with an optional element.
- Example of a successful operation:
- Example of an unsuccessful operation:

UserType
The User type defines a visitor account, which consists of a number of fields. The fields available may be customized in Guest Manager. Navigate to Guest Manager > Configuration > Fields to create new fields or modify existing fields.
Operations

CreateUser

Creates a new user account.
- The standard business logic for visitor account creation applies to visitor accounts created with the SOAP API. For details, refer to the section “Business logic for account creation” in the ClearPass Guest Deployment Guide, or search for this term in the online help.
- The creator_accept_terms field must be set to the Boolean value “true” in order to create an account.
- A value for the role_id field must be specified to create a visitor account.
Example request for CreateUser:
Successful response:
Failure response:

DeleteUser

Deletes a user account by ID or matching fields.
- This operation deletes a single visitor account that matches all of the field values specified in the user parameter.
- Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned and no visitor accounts will be deleted.

Example code implementing visitor account deletion:
Example request for DeleteUser:
Successful response:
Failure response:

EditUser

Modifies properties of a user account by ID.
- This operation modifies the properties of a visitor account to match the field values specified in the user parameter.
- The id field must be specified to indicate the ID of the visitor account to modify. This field is assigned by the system when the visitor account is created and cannot be changed.

Example code implementing visitor account modification:
Example request for EditUser:
Successful response:
Failure response:

FindUser

Returns properties of a user account by matching fields.
- This operation locates a single visitor account that matches all of the field values specified in the user parameter.
- Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned.
- If a visitor account was found, its properties will be returned in the element of the result.

Example code implementing search for a visitor account based on a username.
Failure response:

GetUser

Returns properties of a user account by ID.
- Returns a element corresponding to the visitor account with the specified ID.
- If the specified ID is invalid, no element is returned and the flag is set to 1.
Example code implementing a guest lookup operation:
Example request for GetUser:
Successful response:
Failure response -- for example, user ID not found:
Ping

Checks that the SOAP server is alive.
- Returns a standard result type with the message set to "pong".

Example code implementing a Ping test operation.
Example request for Ping:
Successful response:
Chapter 8 Operator Logins

An operator is a company’s staff member who is able to log in to Dell Networking W-ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the ClearPass Guest network, manage guests, or run reports. Operators may be defined locally in ClearPass Guest, or externally in an LDAP directory server.
Your profile may only allow you to create guest accounts, or your profile might allow you to create guest accounts as well as print reports. What your profile permits is determined by the network administrator. Two types of operator logins are supported: local operators and operators who are defined externally in your company’s directory server. Both types of operators use the same login screen.
The fields in the first area of the form identify the operator profile and capture any optional information:
1. You must enter a name for this profile in the Name field.
2. (Optional) You may enter additional information about the profile in the Description field.

The fields in the Access area of the form define permissions for the operator profile:
1. In the Enabled row, the Allow Operator Logins check box is selected by default. To disable a profile, unmark the Allow Operator Logins check box.
If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account. The guest account list is also filtered to show only guest accounts with these roles. If a database is selected in the User Roles list, but no roles within that database are selected, then all roles defined in the database will be available. This is the default option.
4. The Operator Filter may be set to limit the types of accounts that can be viewed by operators.
6. In the Account Limit row, you can enter a number to specify the maximum number of accounts an operator can create. Disabled accounts are included in the account limit. To set no limit, leave the Account Limit field blank. When you create or edit an AirGroup operator, the value you enter in the Account Limit field specifies the maximum number of devices an AirGroup operator with this profile can create.
To specify that an operator profile should use a different form when creating a new visitor account:
1. (Optional) In the Customization row, select the Override the application’s forms and views check box. The form expands to show the forms and views that can be modified. If alternative forms or views have been created, you may use the drop-down lists to specify which ones to use.
2. When you have selected the custom forms and views to use, click the operator profile.
• Importing guest accounts
• Listing guest accounts
• Managing customization of guest accounts
• Managing print templates
• Removing or disabling guest accounts
• Resetting guest passwords

Refer to the description of each individual operator privilege to determine what the effects of granting that permission will be.

Managing Operator Profiles
Once a profile has been created, you can view and edit it, and create new profiles.
Creating a New Operator
To create a new operator or administrator for ClearPass Guest or AirGroup, some steps are performed in ClearPass Policy Manager (CPPM), and some steps are performed in ClearPass Guest, as described below:
1. Create an operator profile in ClearPass Guest, or use an existing one. See "Operator Profiles" on page 298.
   • To create an AirGroup user, choose either the AirGroup Administrator or AirGroup Operator profile, as appropriate.
NOTE: The operator management features, such as creating and editing operator logins, apply only to local operator logins defined in ClearPass Guest. You cannot create or edit operator logins using LDAP. Only authentication is supported.

Manage LDAP Operator Authentication Servers
Dell Networking W-ClearPass Guest supports a flexible authentication mechanism that can be readily adapted to any LDAP server’s method of authenticating users by name.
In the top area of the form, select the Enabled option (below the Name field) if you want this server to authenticate operator logins. This form allows you to specify the type of LDAP server your system will use.
When you have completed the form, you can check your settings. Use the Test Username and Test Password fields to supply a username and password for the authentication check, then click the Test Settings button. If the authentication is successful, the operator profile assigned to the username will be displayed. If the authentication fails, an error message will be displayed.
• Disable—Temporarily disables a server while retaining its entry in the server list.
• Enable—Reenables a disabled LDAP server.
• Ping—Sends a ping message (echo request) to the LDAP server to verify connectivity between the LDAP server and the ClearPass Guest server.
• Test Auth—Adds a Test Operator Login area in the LDAP servers form that allows you to test authentication of operator login values.
You can also verify operator authentication when you create a new LDAP server configuration using the Test Settings button on the LDAP Configuration form (see "Creating an LDAP Server" on page 305 for a description).

Looking Up Sponsor Names
This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page.
1. To look up a sponsor, select a server name in the LDAP Server table, then click the Test Operator Lookup area is added to the LDAP servers list.
Error Data  Reason
701         Account has expired
773         User must reset password
775         User account is locked

Other items to consider when troubleshooting LDAP connection problems:
• Verify that you are using the correct LDAP version – use ldap:// for version 2 and ldap3:// to specify LDAP version 3.
• Verify that you are using an SSL/TLS connection – use ldaps:// or ldap3s:// as the prefix of the Server URL.
3. Select the Enabled check box to enable this rule once you have created it. If you do not select this check box, the rule you create will appear in the rules list, but will not be active until you enable it.
4. Click the Matching rule drop-down list and select a rule.
Translation rules are processed in order, until a matching rule is found that does not have the Fallthrough field set.
The Custom rule is:

    {strip}
    {if stripos($user.memberof, "CN=Administrators")!==false}
    1
    {elseif date('H') >= 8 && date('H') < 18}
    1
    {else}
    0
    {/if}
    {/strip}

Explanation: The rule will always match on the “memberof” attribute that contains the user’s list of groups. The operator field “enabled” will determine if the user is permitted to log in or not. The custom template uses the {strip} block function to remove any whitespace, which makes the contents of the template easier to understand.
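The custom rule above tests group membership with a case-insensitive substring search, so any group whose DN merely contains "CN=Administrators" satisfies the first branch. The Python sketch below is an added example, not ClearPass code: it models the rule's decision beside a variant that compares whole DNs; the group DNs, the list-of-DNs shape of memberof and all function names are assumptions.

```python
from datetime import datetime

# Assumed DN of the one group that should bypass the time-of-day check.
ADMIN_GROUP_DN = "CN=Administrators,CN=Builtin,DC=example,DC=com"


def in_business_hours(now):
    """Mirror of the rule's date('H') >= 8 && date('H') < 18 test."""
    return 8 <= now.hour < 18


def enabled_substring_rule(memberof, now):
    """Model of the page's rule: stripos() finds "CN=Administrators" anywhere."""
    is_admin = any("cn=administrators" in dn.lower() for dn in memberof)
    return 1 if is_admin or in_business_hours(now) else 0


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes the next char)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def normalize_dn(dn):
    """Case-fold and trim each RDN so that equal DNs compare equal."""
    return ",".join(part.casefold() for part in split_dn(dn))


def enabled_exact_rule(memberof, now, admin_dn=ADMIN_GROUP_DN):
    """Stricter variant: only the exact administrators DN bypasses the hours check."""
    wanted = normalize_dn(admin_dn)
    is_admin = any(normalize_dn(dn) == wanted for dn in memberof)
    return 1 if is_admin or in_business_hours(now) else 0


# Constructed sample directory data (not from the page).
SAMPLE_USERS = {
    "admin": ["CN=Administrators, CN=Builtin, DC=example, DC=com"],
    "helpdesk": ["CN=Administrators-Helpdesk,OU=Groups,DC=example,DC=com"],
    "staff": ["CN=Staff,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    night = datetime(2013, 6, 3, 22, 0)
    for name, groups in SAMPLE_USERS.items():
        print(name,
              enabled_substring_rule(groups, night),
              enabled_exact_rule(groups, night))
```

The two variants differ only for the constructed "helpdesk" user outside 08:00 to 18:00, which is the case worth checking when a translation rule maps directory groups to the enabled field.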
You are able to configure a message on the login screen that will be displayed to all operators. This must be written in HTML. You may also use template code to further customize the appearance and behavior of the login screen. Options related to operator passwords may also be specified, including the complexity requirements to enforce for operator passwords. Navigate to Administration > Operator Logins and click the Operator Logins Configuration command link to modify these configuration parameters.
-
If you don’t have a login,
contact Aruba Networks to obtain one.
{/if}
In the Login Footer field, enter any HTML information that you want displayed in the Operator Login form. Select the login skin from the Login Skin drop-down menu. Options include the default skin or a customized skin.

• System administrators of the ClearPass Guest application.

System Requirements:
• ClearPass Guest 6.1.0
• XML-RPC client

For more details about XML-RPC, or to read the XML-RPC specification, visit http://xmlrpc.scripting.com/.
The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the VMA. The services layer provides one or more implementations of application services that are used by the layers above. Examples of these services include managing a user database used for AAA, handling the authentication of operators, and providing translated text resources.
Parameter Types
The XML-RPC specification supports a wide range of data types.
Table 29: XML-RPC Faults
Code  Description
401   Authentication problem -- invalid username or password
404   File implementation of XML-RPC method not found
501   XML-RPC implementation not found
502   XML-RPC method registration failed
503   XML-RPC server creation failed
504   Access denied
505   No XML-RPC implementation for this page

Accessing the API
Accessing the API requires an operator account with a profile that has the XML-RPC API privilege, plus any privileges required for the API calls.
7. Click Save Changes. The profile is added to the Operator Profiles list.

Creating the Role
After you create the profile, the next step is to create the role:
1. In ClearPass Policy Manager, go to Configuration > Identity > Roles and click the Add User link. The Add New Role form opens.
2. Enter a name and description that clearly identify the role.
3. Click Save. The role is added to the Roles list.
1. In ClearPass Policy Manager, go to Configuration > Identity > Local Users and click Add User. The Add Local User form opens.
2. In the Role drop-down list, choose the XML-RPC Operator role you created.
3. Complete the rest of the fields appropriately, then click Add. The new XML-RPC operator is added to the Local Users list.

Creating the Translation Rule
After you have created the profile, role, and local user (operator), create a translation rule to map the role name to the operator profile.
1.
• at https://amigopod/xmlrpc.php

SSL Security
Different levels of certificate validation checks may be necessary, depending on the SSL certificate that has been installed. This corresponds to the user interface provided by Web browsers for certificate trust and verification. The examples presented in this document assume a self-signed certificate has been installed, and reduce the level of SSL verification accordingly.
Parameters
Name                Type    Description
uid                 Scalar  ID of the guest account to update
guestaccountexpiry  Scalar  Amount of time in hours before the guest account will expire

Return Values
Name          Type    Description
error         Flag    0 if successful, 1 if an error occurred
message       String  Status message describing the operation
item          Struct  Updated user information record
*_error       String  Field-specific error message
*_error_flag  Flag    Field-specific error flag, set to 1 if present

Access Control
Requires
Parameters
Name             Type     Description
sponsor_name     String   Name of the person sponsoring the guest account.
visitor_name     String   Name of the visitor.
visitor_company  String   Company name of the visitor.
email            String   The visitor's email address. This will become their username to log in to the network.
expire_after     Numeric  Amount of time before the account will expire. Specified in hours.
expire_time      String   Optional date and time at which the account will expire.
'role_id' => 2,
'visitor_phone' => '0',
'creator_accept_terms' => 1,

Result returned by a successful operation:
'username' => 'demo@example.com',
'password' => '73067792',
'role_id' => 2,
'role_name' => 'Guest',
'simultaneous_use' => '1',
'do_schedule' => 0,
'enabled' => true,
'expire_time' => 1196769257,
'do_expire' => 4,
'expire_postlogin' => 0,
'sponsor_name' => 'Sponsor Name',
'visitor_name' => 'Visitor Name',
'visitor_company' => 'Visitor Company',
'email' => 'demo@example.
Return Values
NOTE: This function might return a Boolean false value if some input parameters are invalid.
Parameters
Name            Type     Description
uid             Integer  ID of the guest account to edit
username        String   Name of the guest account
password        String   May be:
                         • random_password to indicate the account's password should be set to a random password
                         • password_value to indicate the account's password should be set to the value in the password_value field
                         • The empty string to leave the password unmodified
password_value  String   Optional password to set the guest account's password (if the password field is password_val
Name          Type     Description
uid           Integer  ID of the guest account
*_error       String   Field-specific error message
*_error_flag  Flag     Field-specific error flag, set to 1 if present

Access Control
Requires the full_user_control privilege (Guest Manager > Full User Control).

Example Usage
Sample parameters for the call:
'uid' => 162,
'username' => 'demo@example.
'enabled_error_flag' => 1, 'simultaneous_use_error' => 'Please enter a non-negative integer value.
'message' => 'Guest account has been re-enabled',
'item' => array (
  'id' => 162,
  'enabled' => 1,
  'username' => '',
),

Sample failed call:
'error' => 1,
'message' => 'Account not found: ID 162',

Method amigopod.guest.get
List one or more guest accounts.
'enabled' => '1', 'role_id' => '2', 'email' => '', 'notes' => 'GuestManager account 22 of 30 created by root from 192.168.2.3', 'do_expire' => '0', 'expire_time' => '', 'simultaneous_use' => '1', 'expire_postlogin' => '0', 'do_schedule' => '0', 'schedule_time' => '', 'ip_address' => '', 'netmask' => '', ), 1 => array ( 'id' => '162', 'username' => 'demo@example.com', 'enabled' => '1', 'role_id' => '2', 'email' => 'demo@example.
Return Values
Name   Type   Description
ids    Array  Array of guest account IDs (if details was 0)
users  Array  Array of guest account structures (if details was 1)

Access Control
Requires the guest_users privilege (Guest Manager > List Guest Accounts).

Example Usage
Sample parameters:
'details' => 0,

Sample successful call:
'ids' => array (
  0 => '37',
  1 => '141',
  2 => '40',
  ...
),

Method amigopod.guest.reset.password
Reset a guest account's password to a random value.
Access Control
Requires the reset_password privilege (Reset Password).

Example Usage
Sample parameters for the call:
'uid' => 162,

Sample successful call:
'error' => 0,
'message' => 'Guest account password reset for Password changed to 37172833',
'item' => array (
  'id' => 162,
  'password' => '37172833',
  'username' => '',
),

Sample failed call:
'error' => 1,
'message' => 'Account not found: ID 162',
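The fault codes in Table 29, the SSL Security note and the standard result type (error, message, *_error) returned by the methods above combine into one client-side check. The following Python sketch is an added example, not code from the manual: it trusts a self-signed certificate by loading it as the CA file rather than reducing verification, and decodes constructed sample responses offline; the function names and the ca_file parameter are assumptions.

```python
import ssl
import xmlrpc.client

# Fault codes and descriptions copied from Table 29 (XML-RPC Faults).
XMLRPC_FAULTS = {
    401: "Authentication problem -- invalid username or password",
    404: "File implementation of XML-RPC method not found",
    501: "XML-RPC implementation not found",
    502: "XML-RPC method registration failed",
    503: "XML-RPC server creation failed",
    504: "Access denied",
    505: "No XML-RPC implementation for this page",
}


class GuestApiError(Exception):
    """An XML-RPC fault, a Boolean false result, or a result with error set."""

    def __init__(self, kind, message, code=None, field_errors=None):
        super().__init__(message)
        self.kind = kind
        self.code = code
        self.field_errors = field_errors or {}


def make_tls_context(ca_file=None):
    """Return a verifying TLS context.

    For an appliance with a self-signed certificate, pass that certificate
    (PEM file) as ca_file so it is trusted explicitly; verification and
    hostname checking stay on. ca_file=None uses the system trust store.
    """
    context = ssl.create_default_context(cafile=ca_file)
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    return context


def make_client(url, ca_file=None):
    """Build the proxy for the API URL; nothing connects until a call is made."""
    return xmlrpc.client.ServerProxy(url, context=make_tls_context(ca_file))


def fault_to_error(fault):
    """Map an xmlrpc.client.Fault onto the Table 29 description."""
    text = XMLRPC_FAULTS.get(fault.faultCode, fault.faultString)
    return GuestApiError("fault", text, code=fault.faultCode)


def check_result(result):
    """Validate a method result against the standard result type."""
    if result is False:
        # The manual notes a call may return Boolean false on invalid input.
        raise GuestApiError("invalid_input", "server returned Boolean false")
    if not isinstance(result, dict):
        return result
    # Collect field-specific messages: keys of the form <field>_error.
    field_errors = {
        key[: -len("_error")]: value
        for key, value in result.items()
        if key.endswith("_error") and value
    }
    if int(result.get("error", 0)) != 0 or field_errors:
        raise GuestApiError(
            "operation", result.get("message", ""), field_errors=field_errors
        )
    return result


def decode_response(xml_text):
    """Parse one XML-RPC response document and validate its result."""
    try:
        params, _method = xmlrpc.client.loads(xml_text)
    except xmlrpc.client.Fault as fault:
        raise fault_to_error(fault) from None
    return check_result(params[0])


# Constructed sample responses, modelled on the sample calls in this chapter.
_dump = xmlrpc.client.dumps
SAMPLE_OK = _dump(({"error": 0, "message": "Guest account has been re-enabled",
                    "item": {"id": 162, "enabled": 1, "username": ""}},),
                  methodresponse=True)
SAMPLE_FAILED = _dump(({"error": 1, "message": "Account not found: ID 162"},),
                      methodresponse=True)
SAMPLE_FIELD_ERROR = _dump(({
    "error": 1, "message": "constructed validation failure",
    "simultaneous_use_error": "Please enter a non-negative integer value.",
    "simultaneous_use_error_flag": 1},), methodresponse=True)
SAMPLE_FAULT = _dump(xmlrpc.client.Fault(504, "Access denied"),
                     methodresponse=True)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAILED, SAMPLE_FIELD_ERROR, SAMPLE_FAULT):
        try:
            print("ok:", decode_response(sample)["message"])
        except GuestApiError as exc:
            print(exc.kind, exc.code, exc, exc.field_errors)
```

For a live call, pass the value returned by the proxy method to check_result and convert any xmlrpc.client.Fault with fault_to_error; the hostname in the URL must match the certificate loaded through ca_file.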
Chapter 9
Reference

This chapter includes the following sections:
• "Basic HTML Syntax" on page 335
• "Standard HTML Styles" on page 336
• "Smarty Template Syntax" on page 338
• "Date/Time Format Syntax" on page 353
• "Programmer’s Reference" on page 356
• "Field, Form, and View Reference" on page 361
• "LDAP Standard Attributes for User Class" on page 380
• "Regular Expressions" on page 381

Basic HTML Syntax
Dell Networking W-ClearPass Guest allows different parts of the user interface to
Item HTML Syntax
- List item text
Text Formatting words to be made bold equivalent syntax words to be made italic equivalent syntax words to underline Shown in fixed-width font Uses CSS formatting Uses predefined style Uses CSS formatting
Uses predefined style
Hypertext Link text to click on

Table 32: Formatting Classes
Class Name  Applies To    Description
nwaIndent   Tables        Indent style used in tables
nwaLayout   Tables        Used when you want to lay out material in a table without the material looking as if it is in a table; in other words, without borders
nwaContent  Tables        Class used for a standard table with borders
nwaTop      Table Header  Table heading at top
nwaLeft     Table Header  Left column of table
nwaRight    Table Header  Right column of table
nwaBottom   Table Header  Table heading at
Smarty Template Syntax
Dell Networking W-ClearPass Guest’s user interface is built using the Smarty template engine. This template system separates the program logic and visual elements, enabling powerful yet flexible applications to be built. When customizing template code that is used within the user interface, you have the option of using Smarty template syntax within the template. Using the programming features built into Smarty, you can add your own logic to the template.
{/if}

The condition tested in the {if} … {/if} block should be a valid PHP expression. The {else} tag does not require a closing tag.

Script Blocks
The brace characters { and } are specially handled by the Smarty template engine.
The content after a {foreachelse} tag is included only if the {foreach} block would otherwise be empty.

Modifiers
Smarty provides modifiers that can be used to gain greater control over the formatting of data. Modifiers can be included by following a variable with a vertical bar | and the name of the modifier. Any arguments to the modifier can be specified using a colon : followed by the arguments.
Smarty registered template function. Displays the value of a variable. Use the following Smarty syntax to print a variable’s contents: {dump var=$var_to_dump export=html} The contents of the variable are printed in a
block. Use the attribute “export=1” to use PHP’s var_export() format, or omit this attribute to get the default behavior – PHP’s var_dump() format. Use the attribute “html=1” to escape any HTML special characters in the content.
• The “icon” parameter is the SRC to the image of the icon. This should normally be a relative path.
• The “text” parameter is the text to display next to the icon. This will also be used as the alternate text (that is, a tooltip) for the icon image.
• The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image.
The “struct” parameter, if specified, uses a standard result type. If the “error” key is set and non-zero, the “type” parameter is set to the value error, and the “message” key is converted to a HTML formatted error message for display.

nwa_quotejs
{nwa_quotejs} … {/nwa_quotejs}
Smarty registered block function. Quotes its content in a string format suitable for use in JavaScript. This function also translates UTF-8 sequences into the corresponding JavaScript Unicode escape sequence (\uXXXX).
Usage example
This template function does not generate any output if the _assign parameter is set. The methods that are available for use with this function are listed below. The $criteria array consists of one or more criteria on which to perform a database search. The array is used for advanced cases where pre-defined helper functions do not provide required flexibility.

ChangeToRole()
ChangeToRole($username, $role_name)
Changes the RADIUS role assigned to the user.
See "GetTraffic()" on page 348 for details on how to specify the time interval.

GetCallingStationTraffic()
GetCallingStationTraffic($callingstationid, $from_time, $to_time = null, $in_out = null, $mac_format = null)
Calculate sum of traffic counters in a time interval. Sessions are summed if they have the same Calling-Station-Id attribute as that specified in the RADIUS Access-Request. If no Calling-Station-Id attribute was included in the request, returns zero.
'nasportid' => '', 'nasporttype' => '', 'calledstationid' => '', 'callingstationid' => '', 'acctstarttime' => '1249258943', 'connectinfo_start' => '', 'acctstoptime' => NULL, 'connectinfo_stop' => NULL, 'acctsessiontime' => 0, 'acctinputoctets' => 0, 'acctoutputoctets' => 0, 'acctterminatecause' => NULL, 'servicetype' => '', 'framedipaddress' => '192.168.2.
processing a HTTP request, the current client IP address is assumed (from $_SERVER['REMOTE_ADDR']). Specifying an empty value for the IP address (such as null, false, or empty string) also causes the current client IP address to be used. See "GetTraffic()" on page 348 for details on how to specify the time interval.

GetSessions()
GetSessions($criteria, $from_time, $to_time = null)
Calculate the number of sessions from accounting records in the database.
As well as the criteria specified, the time interval specified by $from_time and optionally $to_time is also used to narrow the search. If $to_time is not specified, $from_time is a “look back” time, that is, the time interval in seconds before the current time. If $to_time is specified, the interval considered is between $from_time and $to_time. Returns the total session time for all matching accounting records in the time interval specified.
Looks up the first login time for the specified username. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute).

GetUserSessions()
GetUserSessions($username, $from_time, $to_time = null)
Calculate the number of sessions for accounting records matching a specific user-name. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute). See "GetTraffic()" on page 348 for details on how to specify the time interval.
Smarty registered template function. Adds various kinds of visual effects to the page.
Usage example:
{nwa_bling id=$some_id type=fade}
The “id” parameter is the ID of the HTML element to which you will add ‘bling’ effects.
The “type” parameter is the kind of bling desired:
• “fade”: element smoothly fades in and out
• “blink”: element blinks slowly

nwa_makeid
{nwa_makeid …}
Smarty registered template function. Creates a unique identifier and assigns it to a named page variable.
When used with the “block” parameter, the {nwa_nav} control does not generate any HTML. When used with the “type” parameter, the {nwa_nav} control uses the previously defined blocks to generate the HTML navigation area.
• The ‘page’ parameter specifies a page name provided by the plugin.
• The ‘privilege’ parameter specifies a privilege defined by the plugin.
If none of the above is specified, the default is the same as specifying the ‘page’ parameter with the current script name as argument (that is, the current page).

Specifying the output:
• The ‘notfound’ parameter specifies the return value, if the plugin was not found (default is the empty string).
• The numbered parameters are expanded in the translated string with the positional arguments %1, %2 and so forth.

nwa_userpref
{nwa_userpref …}
Smarty template function.
The full list of special formats is:

Table 35: Date and Time Formats
Preset Name  Date/Time Format          Example
hhmmss       %H%M%S                    141345
hh:mm:ss     %H:%M:%S                  14:13:45
iso8601      %Y%m%d                    20080407
iso8601t     %Y%m%d%H%M%S              20080407141345
iso-8601     %Y-%m-%d                  2008-04-07
iso-8601t    %Y-%m-%d %H:%M:%S         2008-04-07 14:13:45
longdate     %A, %d %B %Y, %I:%M %p    Monday, 07 April 2008, 2:13 PM
rfc822       %a, %d %b %Y %H:%M:%S %Z  Mon, 07 Apr 2008 14:13:45 EST
displaytime  %l:%M %p                  2:13 PM
recent       –                         2 minutes ago

The % ite
The other formats accepted for this modifier are the same as those described for the nwadateformat modifier. See "nwadateformat Modifier" on page 353.
Format  Result
%X      Preferred time representation for the current locale, without the date
%y      Year as a decimal number without the century (00 to 99)
%Y      Year as a decimal number
%%      A literal % character

Programmer’s Reference
This section describes the following:
• "NwaAlnumPassword" on page 356
• "NwaBoolFormat" on page 356
• "NwaByteFormat" on page 357
• "NwaByteFormatBase10" on page 357
• "NwaComplexPassword" on page 357
• "NwaCsvCache" on page 357
• "NwaDigitsPassword($len)" on page
• If the argument is a string containing a “|” character, the string is split at this separator and used as the values for false and true respectively.
• If the argument is an array, the 0 and 1 index values are used for false and true values.
• Otherwise, the string values “true” and “false” are returned.

NwaByteFormat
NwaByteFormat($bytes, $unknown = null)
Formats a non-negative size in bytes as a human readable number (bytes, KB, MB, GB, etc.). Assumes that 1 KB = 1024 bytes, 1 MB = 1024 KB, etc.
Creates a password based on a format string. For details on the special characters recognized in $string, see "Format Picture String Symbols" on page 373.

NwaGenerateRandomPasswordMix
NwaGenerateRandomPasswordMix($password_len, $lower = 1, $upper = 1, $digit = 1, $symbol = -1)
Generates a random password that meets a certain minimum complexity requirement.
• $password_len specifies the total length in characters of the generated password.
$options may be specified to control additional parsing options described in the table below.

Table 37: Parsing Options
Function          Description
fs                The field separator character (default is comma “,”)
rs                The record separator character (default is newline “\n”)
quo               The quote character (default is double quote ")
excel_compatible  If true, recognize ="..." syntax as well as "..." (default true)
dos_compatible    If true, convert \r\n line endings to \n (default true)
encoding          If set, specifies the input
Generates a random password of at least $len characters in length, based on one of the standard complexity requirements specified in $mode. If $mode is false or the empty string, the default password complexity is taken from the Guest Manager plugin configuration.
Option         Description
$range_lookup  Specifies whether to find an exact or approximate match. If true (default), assumes the table is sorted and returns either an exact match, or the match from the row with the next largest value that is less than $value. If false, only an exact match is returned; NULL is returned on no match.
value_column   Specifies the column index in the table that contains the values; the default is 0; in other words, the first column.
Table 39: GuestManager Standard Fields
Field               Description
account_activation  String. The current account activation time in long form. This field is available on the change_expiration and guest_enable forms.
Field      Description
do_expire  Integer that specifies the action to take when the expire time of the account is reached. See "expire_time" on page 364.
           • 0—Account will not expire
           • 1—Disable
           • 2—Disable and logout
           • 3—Delete
           • 4—Delete and logout
           “Disable” indicates that the enabled field will be set to 0, which will prevent further authorizations using this account. “Logout” indicates that a RADIUS Disconnect-Request will be used for all active sessions that have a username matching the account username.
Field        Description
expire_time  Integer. Time at which the account will expire. The expiration time should be specified as a UNIX timestamp. Setting an expire_time value also requires a non-zero value to be set for the do_expire field; otherwise, the account expiration time will not be used. Set this field to 0 to disable this account expiration timer.
Field               Description
modify_expire_time  String. Value indicating how to modify the expire_time field. This field may be provided when creating or editing a visitor account.
Field                 Description
modify_schedule_time  String. Value indicating how to modify the schedule_time field.
Field            Description
password         String. Password for the account. This field may be up to 64 characters in length.
password2        String. Password for the account. If this field is set, its value must match the value of the password field for the account to be created or updated. This can be used to verify that a password has been typed correctly. This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts.
password_action  String.
Field                   Description
random_password_method  String. Identifier specifying how passwords are to be created. It may be one of the following identifiers:
                        • nwa_digits_password to create a password using random digits. The length of the password is specified by the random_password_length field.
                        • nwa_letters_password to create a password using random lowercase letters (a through z). The length of the password is specified by the random_password_length field.
Field                   Description
random_username_method  String. Identifier specifying how usernames are to be created. It may be one of the following identifiers:
                        • nwa_sequence to assign sequential usernames. In this case, the multi_prefix field is used as the prefix for the username, followed by a sequential number; the number of digits is specified by the random_username_length field.
                        • nwa_picture_password to create a random username using the format string specified by the random_username_picture field.
Field             Description
simultaneous_use  Integer. Maximum number of simultaneous sessions allowed for the account.
sponsor_email     Email address of the sponsor of the account. If the sponsor_email field can be inserted into an email receipt and used in future emails, the “Reply-To” email address will always be the email address of the original sponsor, not the current operator.
sponsor_name      String. Name of the sponsor of the account. The default value of this field is the username of the current operator.
Field                 Description
password2             String. Password for the account (used to confirm a manually typed password).
personal_details      No Type. Field attached to a form label.
purchase_amount       No Type. Total amount of the transaction. This field is only used during transaction processing.
purchase_details      No Type. Field attached to a form label.
state                 String. The visitor’s state or locality name.
submit_free           No Type. Field attached to a form submit button.
visitor_accept_terms  Boolean.
Table 42: SMTP Services Standard Fields
Field           Description
auto_send_smtp  Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests.
Field                            Description
smtp_warn_before_receipt_format  String. This field overrides the format in the Email Receipt field under Logout Warnings. It may be one of “plaintext” (No skin – plain text only), “html_embedded” (No skin – HTML only), “receipt” (No skin – Native receipt format), “default” (Use the default skin), or the plugin ID of a skin plugin to specify that skin. If blank or unset, the default value in the Email Receipt Field under the Logout Warnings on the email receipt configuration is used.
Table 44: Picture String Example Passwords
Picture String  Sample Password
####            3728
user####        user3728
v^^#__          vQU3nj
@@@@@           Bh7Pm

Form Field Validation Functions
See "Form Validation Properties" on page 176, and "Examples of Form field Validation" on page 177 for details about using validation functions for form fields. The built-in validator functions are:
• IsArrayKey – Checks that the value is one of the keys in the array supplied as the argument to the validator.
array(
  'min' => '1 day',
  'max' => '90 days',
)
• IsValidEmail – Checks that the value appears to be a valid RFC 822-compliant email address. When using the IsValidEmail validator, the validator argument may be specified with a whitelist/blacklist of domain names. Use the syntax:
array(
  'allow' => array(
    'corp-domain.com',
    'other-domain.com',
  ),
  'deny' => array(
    'blocked-domain.com',
    'other-blocked-domain.
array(
  'min' => '1 day',
  'max' => '90 days',
)
• IsValidHostname – Checks that the value is a valid IP address or a hostname that resolves to an IP address.
• IsValidHostnameCidr – Checks that the value is a valid IP address or hostname, which may also have an optional /N suffix indicating the network prefix length in bits (CIDR notation).
• IsValidHostnamePort – Checks that the value is a valid IP address or hostname, which may optionally include a port number specified with the syntax hostname:port.
• IsValidSentence – Checks that the value is considered to be a “sentence”; that is, a string which starts with an upper-case letter and ends in a full stop.
• IsValidTimestamp – Checks that the value is a numeric UNIX timestamp (which measures the time in seconds since January 1, 1970 at midnight UTC).
• IsValidTimeZone – Checks that the value is a valid string describing a recognized time zone.
• IsValidUrl – Checks that the value appears to be a valid URL that includes a scheme, hostname and path.
Table 46: Form Field Display Functions
Function       Description
NwaBoolFormat  Formats a Boolean value as a string.
               • If the argument is 0 or 1, a 0 or 1 is returned for false and true, respectively.
               • If the argument is a string containing a “|” character, the string is split at the | separator and used for false and true values.
               • If the argument is an array, the 0 and 1 index values are used for false and true values.
               Otherwise, the string values “false” and “true” are returned.
Function         Description
NwaNumberFormat  Formats a numeric value as a string. If the argument is null or not supplied, the current locale’s settings are used to format the numeric value. The argument may be an array or a numeric value. If the argument is an array, it will override the current locale’s settings (see below for the list of settings that are used).
Value: data.role_name
Description: Displays the name of the role.

Value: Nwa_BooleanText(data.enabled, "Enabled", "Disabled")
Description: Displays either “Enabled” or “Disabled” depending on the value of the enabled field.

Value: (parseInt(data.do_expire) != 0) ? Nwa_DateFormat(data.expire_time, "%Y-%m-%d %H:%M") : "N/A"
Description: Displays “N/A” if the account has no expiration time, or a date and time string if an expiration time has been set.
• badPwdCount: The badPwdCount property specifies the number of times the user tried to log on to the account using an incorrect password.
• codePage: The codePage property specifies the code page for the user's language of choice. This value is not used by Windows 2000.
• countryCode: The countryCode property specifies the country code for the user's language of choice. This value is not used by Windows 2000.
• lastLogoff: The lastLogoff property specifies when the last logoff occurred.
Regex   Matches
a|b     Alternate matches: Matches an “a” or “b”
(a.*z)  Grouping: matches sequentially within parentheses
a*?     “Non-greedy” zero or more matches
\ooo    The character with octal code ooo
\040    A space
\d      Any decimal digit
\D      Any character that is not a decimal digit

The regular expression syntax used is Perl-compatible. For further details on writing regular expressions, consult a tutorial or programming manual.

Chapter 10 Glossary

802.1X: IEEE standard for port-based network access control.
Access-Accept: Response from RADIUS server indicating successful authentication, and containing authorization information.
Access-Reject: Response from RADIUS server indicating a user is not authorized.
Access-Request: RADIUS packet sent to a RADIUS server requesting authorization.
Accounting-Request: RADIUS packet type sent to a RADIUS server containing accounting summary information.
Disconnect-Request: RADIUS packet type sent to a NAS requesting that a user or session be disconnected.
distinguished name: Series of fields in a digital certificate that, taken together, constitute the unique identity of the person or device that owns the digital certificate. Common fields in a distinguished name include country, state, locality, organization, organizational unit, and the “common name”, which is the primary name used to identify the certificate.
DN: See distinguished name.
PKI: Public-key infrastructure. Security technology based on digital certificates and the assurances provided by strong cryptography. See also certificate authority, digital certificate, public key, private key.
print template: Formatted template used to generate guest account receipts.
private key: The part of a public/private key pair that is always kept private. The private key is used to encrypt a message’s signature to authenticate the sender (only the sender knows the private key).